Re: dialup-admin problem
Mine too is FreeBSD 6.0 with Apache 2.2.0 and PHP 5.1. Dialup admin works fine; only one dialup menu option, i.e. "Statistics", gives the following error when I click on it:

Warning: mktime() expects parameter 1 to be long, string given in /usr/home/httpd/baayu.com/dialbaayu/lib/functions.php3 on line 83
Warning: mktime() expects parameter 1 to be long, string given in /usr/home/httpd/baayu.com/dialbaayu/lib/functions.php3 on line 83

==
On 1/24/2006, "Scott Miller" <[EMAIL PROTECTED]> wrote:

>I've found that my problem might be with Apache 2 and PHP 5 - does anyone
>else have dialup-admin running properly on Apache 2 and PHP 5? I'd hate to
>think I'd have to downgrade.
>
>Thanks,
>Scott
>
>
>- Original Message -
>From: "Scott Miller" <[EMAIL PROTECTED]>
>To: "FreeRadius users mailing list"
>Sent: Monday, January 23, 2006 1:03 PM
>Subject: dialup-admin problem
>
>
>> I've installed freeradius 1.1.0, went through all the tests and everything
>> (the tests) seems to be working fine there. My platform is:
>>
>> Fedora Core 4
>> Sendmail 8.13.4
>> Apache 2.0.54
>> MySQL 4.1.16
>> PHP 5.0.5-2.1
>> Freeradius 1.1.0
>>
>> I've also followed the instructions for the dialup-admin, and have run
>> into a problem. When I view servername.com/dialup-admin, I can see the
>> first page just fine, but when I click on any link on the left, the right
>> side just turns white - nothing displays. The "home" link brings me back
>> to the "A web based administration interface for the freeradius radius
>> server" page, but no other links seem to bring anything up.
>>
>> Here's what I did:
>>
>> 1. Copied the directory dialup-admin to the /usr/local/ directory
>> 2. In /var/www/html I created a symlink to /usr/local/dialup-admin/htdocs
>> named dialup-admin
>> ln -s /usr/local/dialup-admin/htdocs /var/www/html/dialup-admin
>> 3. Edited httpd.conf to the following
>>
>># Scott Added for freeradius dialup-admin
>>#LoadModule php4_module libexec/libphp4.so
>>#AddModule mod_php4.c
>>AddType application/x-httpd-php .php
>>AddType application/x-httpd-php .php3
>>
>> I had to comment out the first two lines, because httpd kept failing and
>> producing the error: Apache 1.3 configuration directives found please read
>> /usr/share/doc/httpd-2.0.54/migration.html
>>
>> 4. I did not do: [1.3.2.2] Creating a more secure web interface. -
>> wanting to make it work first, then will start securing it.
>> 5. Created the 4 additional MySQL Databases according to the instructions
>> and all look fine.
>> 6. I then went through the general configuration options. I commented
>> out all LDAP options, and fixed the following:
>>
>> general_prefered_lang: en
>> general_prefered_lang_name: English
>> general_charset: iso-8859-1
>> #general_decode_normal_attributes: yes
>> general_base_dir: /usr/local/dialup-admin
>> general_radiusd_base_dir: /usr/local/radiusd
>> general_use_session: no
>> general_most_recent_fl: 30
>> #general_strip_realms : yes
>> general_realm_delimiter: @
>> general_realm_format: suffix
>> general_show_user_password: yes
>> general_raddb_dir: %{general_radiusd_base_dir}/etc/raddb
>> general_ldap_attrmap: %{general_raddb_dir}/ldap.attrmap
>> #general_clients_conf: %{general_raddb_dir}/clients.conf
>> general_clients_conf: /usr/local/etc/raddb/clients.conf
>> general_sql_attrmap: %{general_base_dir}/conf/sql.attrmap
>> general_accounting_attrs_file: %{general_base_dir}/conf/accounting.attrs
>> general_extra_ldap_attrmap: %{general_base_dir}/conf/extra.ldap-attrmap
>> general_lib_type: sql
>> general_user_edit_attrs_file: %{general_base_dir}/conf/user_edit.attrs
>> general_sql_attrs_file: %{general_base_dir}/conf/sql.attrs
>> general_default_file: %{general_base_dir}/conf/default.vals
>> #general_ld_library_path: /usr/local/snmpd/lib
>> general_finger_type: snmp
>> general_nas_type: cisco
>> general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
>> general_radclient_bin: %{general_radiusd_base_dir}/bin/radclient
>> general_test_account_login: test
>> general_test_account_password: testpass
>> general_radius_server: localhost
>> general_radius_server_port: 1812
>> general_radius_server_auth_proto: pap
>> general_radius_server_secret: commented-out
>> general_auth_request_file: %{general_base_dir}/conf/auth.request
>> general_encryption_method: crypt
>> general_accounting_info_order: desc
>> general_stats_use_totacct: no
>> general_restrict_badusers_access: no
>> INCLUDE: %{general_base_dir}/conf/naslist.conf
>> INCLUDE: %{general_base_dir}/conf/captions.conf
>> #ldap_server: ldap.%{general_domain}
>> #ldap_write_server: master.%{general_domain}
>> #ldap_base: dc=company,dc=com
>> #ldap_binddn: cn=Directory Manager
>> #ldap_bindpw: XXX
>> #ldap_default_new_entry_suffix: ou=dialup,ou=guests,%{ldap_base}
>> #ldap_default_dn: uid=default-dialup,%{ldap_base}
>>
Re: Freeradius and prepaid extension
Agus Supriyadi <[EMAIL PROTECTED]> wrote:
> I've heard openradius can do that. But I don't know much about it.

OpenRADIUS does prepaid, the web page gives sample configurations. But FreeRADIUS does prepaid, too. See the docs & sample files.

No open source server I'm aware of implements the *3GPP2* prepaid extensions, as described in the documents mentioned in the original post.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius and prepaid extension
2006/1/25, Alan DeKok <[EMAIL PROTECTED]>:
> deborah malka <[EMAIL PROTECTED]> wrote:
> > Do you know an open source radius server that implements them ?
>
> No.
>
> Alan DeKok.

I've heard openradius can do that. But I don't know much about it.
Proxy request problem
Hi all.

I'm using FR on FC4 and FC2, MySQL and NTRADPING to test the user AAA process. I want to test user authentication for a realm/proxy setup. There are some questions:

1. Do I need to place the additional realm/proxy server section after the LOCAL one or before it in proxy.conf?
2. I used IP addresses instead of name.domain.com in there. Does it have any effect on the proxying process?
3. Does the order of clients in clients.conf matter for the proxy setup? E.g. localhost first and then the other realm IP (again I used IP addresses instead of names).
4. What is the actual flow of a proxy request in FR if I use MySQL instead of the users file? user request -> autho module -> realm module -> proxy.conf -> remote proxy server -> remote/proxy sql server -> response -> local server -> user
5. How does the server differentiate a proxy request from a local request for a user? From the current local access server? Situation: from NTradping using port 1814, sending an authentication request with the remote server's username and password, which are stored in the remote server's SQL database. Is this possible?
6. When I received this message from the local server that is supposed to send the proxy request to the other realms/proxy: "Ignoring request from unknown home server 1a.1b.1c.1d", what is the server doing?
7. Should I set 'no' for ignore_null and ignore_default in the suffix setting in radiusd.conf so it can pass the request to the other type of realm (because I used IPs and did not set a name for all the proxies)?

Thanks for any reply. I need an idea to set up and test proxy in-lab for now... documentation for such a test or setup is most welcome.

Rgds
Radius Engineer (Full time position)
We have a Software Engineer - Radius position available. Anyone interested can forward your resume to krishna_k_gutti at yahoo.com

Function Description

We are looking for an experienced senior systems engineer to configure and manage our AAA (authentication, authorization, and accounting) system. Job responsibilities include configuring and maintaining our RADIUS servers and developing our mediation system, including translating session information into billable events.

Candidates for this position should enjoy troubleshooting critical path systems and designing flexible solutions in a quickly evolving environment. Balancing short-term requests with long-term product requirements is required. Experience working in an organization providing AAA service, preferably an ISP or WISP, is required. Application development in a UNIX/LINUX environment is required. This position requires expert-level Perl skills. Very strong SQL programming skills, including developing and optimizing stored procedures, are required. The candidate should have extensive experience with XML including schema development.

Required Experience and Skills
· At least 3 years of AAA Server management, specifically using RADIUS, is required.
· Experience processing AAA session data is required.
· Expert level Perl skill is required.
· PL/SQL experience is required.
· Database engineering experience, including triggers, complex joins, and schema design. Perl:DBI/DBD experience.
· Strong XML development experience including designing of DTDs and/or XML Schema.
· Good software design skills including use of UML & Object-oriented design practices.
· Ability to learn and contribute quickly, work independently. Experience leading other developers during the analysis, design, and execution phases of an engineering project is a big plus.
· Experience with source control systems, such as CVS.
· BS in Computer Science, or equivalent experience.

Desired
· Web application development experience.
· Advanced Linux development skills including .rpm and kickstart configurations.

Equal Opportunity Employer
Re: logging to external syslog server?
How do I send radius logs to the local syslog server? The man page says the -l radiusd switch is deprecated and that you should see the log_dir configuration item in the radiusd.conf file. There is no 'log_dir' configuration item in the radiusd.conf file. There is a 'logdir' and a 'log_file'. I've tried setting those to 'syslog' with no luck. I've tried adding a log_dir to radiusd.conf but that didn't work either.

Thanks,
Mark

Alan DeKok wrote:
>
> You should configure your local syslog server to send the logs to a
> remote syslog server.
>
> See "man syslog.conf"
>
> Alan DeKok.
Re: AD ldap bind works with 1.01, fails with 1.04
Alan;

I've tested it further and you are right, the search isn't recursively entering the tree. What in the search changed between 1.01 (which works) and 1.04 (which returns errors when trying to enter the OUs)? Is it possible to revert to the 1.01 search under 1.04?

many thanks

Stephen Walsh
[EMAIL PROTECTED]
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133
Fax: +61 2 6209 1179
Mobile: +61 419 496796
CRICOS Registration: 4G, 00112C, 00873F, 00885B
ABN 15 050 192 660

"Alan DeKok" <[EMAIL PROTECTED]>, sent by [EMAIL PROTECTED], wrote on 25/01/2006 04:16 AM to the FreeRadius users mailing list, Subject: Re: AD ldap bind works with 1.01, fails with 1.04:

> Stephen Walsh <[EMAIL PROTECTED]> wrote:
> > ldap_search() failed: Operations error
>
> It's a combination of factors. What's happening is that your LDAP search isn't fully qualified, so when something isn't found in "students", AD returns a referral to "staff". OpenLDAP fails to use the authentication credentials for the referral that it was given for the original query. And lo, "operations error", which is such a useful message.
>
> It's a cross-domain referral problem. You have a "staff" domain, and a "student" domain, each of which trusts each other in AD.
>
> The solution is to fully qualify all of the queries so that AD doesn't return a referral. Usually adding "ou=people" (or something like that) will do the trick.
>
> Alan DeKok.
Re: logging to external syslog server?
Mark Tunnell <[EMAIL PROTECTED]> wrote:
> Is it possible to configure freeradius to send its log files to a
> remote syslog server? The only reference I've found at all to syslog
> in the documentation is the deprecated radiusd switch -l, and that was
> for a local syslog process.

You should configure your local syslog server to send the logs to a remote syslog server.

See "man syslog.conf"

Alan DeKok.
Re: Freeradius and prepaid extension
deborah malka <[EMAIL PROTECTED]> wrote:
> Do you know an open source radius server that implements them ?

No.

Alan DeKok.
Re: RLM_perl and Cisco-AVPair
Alan Lumb wrote:
> Hi everyone.
>
> I'm trying to get RLM_perl to respond with two Cisco-AVPair lines (what would usually be done with += in users)

So try that with rlm_perl: the server functions that update the list need to see the += operator.
logging to external syslog server?
Is it possible to configure freeradius to send its log files to a remote syslog server? The only reference I've found at all to syslog in the documentation is the deprecated radiusd switch -l, and that was for a local syslog process.

Thanks,
Mark
RLM_perl and Cisco-AVPair
Hi everyone.

I'm trying to get RLM_perl to respond with two Cisco-AVPair lines (what would usually be done with += in users). Unfortunately only the first seems to get sent back to the NAS - debug output follows:

rlm_perl: Added pair Cisco-AVPair = ip:dns-servers=10.10.10.10 10.10.10.12
rlm_perl: Added pair Cisco-AVPair = ip:route=10.10.0.0 255.255.255.0
rlm_perl: Added pair Framed-IP-Address = 10.10.10.12
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair Auth-Type = perl
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = System
modcall[authenticate]: module "perl" returns ok for request 25
modcall: group Auth-Type returns ok for request 25
Sending Access-Accept of id 56 to 127.0.0.1:34529
        Cisco-AVPair = "ip:dns-servers=10.10.10.10 10.10.10.12"
        Framed-IP-Address = 10.10.10.10
        Framed-IP-Netmask = 255.255.255.255
        Service-Type = Framed-User

As you can see, rlm_perl logs that it is adding the pair twice but only the first is returned. I've gone so far as looking at the code for rlm_perl and it looks to me like it should have worked from what I have done; the coder has asked for a reference to an array. My code basically does this:

# build the list of AV pairs, then hand rlm_perl a reference to the array
push(@avpairs, "ip:dns-servers=$dns1 $dns2");
push(@avpairs, "ip:route=$$thisroute{network} $$thisroute{subnet}");
$RAD_REPLY{'Cisco-AVPair'} = \@avpairs;

Anyone any ideas? Doesn't look like many people use rlm_perl yet.
Re: Freeradius and prepaid extension
Do you know an open source radius server that implements them ? I really need this !

Thank you in advance,
Deborah

Alan DeKok <[EMAIL PROTECTED]> wrote:
> deborah malka wrote:
> > I need a Radius server to perform prepaid VOIP telephony. For that the server must implement the RFCs 2865, 2866, 3539, and the extension for Prepaid follows the specifications : X.S0011-005-C and X.S0011-006-C.
> >
> > Does Freeradius implement all this ?
>
> FreeRADIUS doesn't do the 3GPPP or 3GPPP2 telephony. So far, there hasn't been much demand for it.
>
> Alan DeKok.
Re: AD ldap search works with 1.01, fails with 1.04
Thanks Alan;

I think I understand what you mean, however each of our trees is sorted by campus, then OU, then users.

Student
|
|---Brisbane
|
|---Sydney1
|
|---Sydney2
|
|---Canberra
    |
    |--computers
    |
    |--Printers
    |
    |---users

and the same for staff.

What's the best way to format the baseDN to allow for recursive searches through each OU container? At the moment I have basedn = "ou=users,dc=student,dc=acu,dc=edu,dc=au", which is obviously wrong.

Many thanks

Stephen Walsh
Client Support Officer (Technology)
Australian Catholic University (Limited)

> Stephen Walsh <[EMAIL PROTECTED]> wrote:
> > ldap_search() failed: Operations error
>
> It's a combination of factors. What's happening is that your LDAP search isn't fully qualified, so when something isn't found in "students", AD returns a referral to "staff". OpenLDAP fails to use the authentication credentials for the referral that it was given for the original query. And lo, "operations error", which is such a useful message.
>
> It's a cross-domain referral problem. You have a "staff" domain, and a "student" domain, each of which trusts each other in AD.
>
> The solution is to fully qualify all of the queries so that AD doesn't return a referral. Usually adding "ou=people" (or something like that) will do the trick.
>
> Alan DeKok.
Re: EAP-TTLS and Kerberos problem
Jakob Oestergaard <[EMAIL PROTECTED]> wrote:
> The kerberos module complained that no "User-Password" was sent, and
> therefore it couldn't try authenticating against the kerb. server.

Because:

a) the server got EAP, and you told it to do kerberos

or

b) the tunneled authentication protocol wasn't PAP.

> If I ran with Auth-Type = EAP, then the TTLS encapsulated PAP messages
> would be decoded correctly and I could see the supplied password in
> clear text.

So Kerberos should work, then.

> If I ran with Auth-Type = Kerberos, only the User-Name would be
> decoded, no User-Password.

Huh? What do you mean by that?

If you can see the clear-text password inside of the tunnel, then kerberos should work. Run it in debugging mode to see what it's doing. NOTHING else will solve the problem.

Alan DeKok.
Re: Freeradius and prepaid extension
deborah malka <[EMAIL PROTECTED]> wrote:
> I need a Radius server to perform prepaid VOIP telephony. For that the
> server must implement the RFCs 2865, 2866, 3539, and the extension for
> Prepaid follows the specifications : X.S0011-005-C and X.S0011-006-C.
>
> Does Freeradius implement all this ?

FreeRADIUS doesn't do the 3GPPP or 3GPPP2 telephony. So far, there hasn't been much demand for it.

Alan DeKok.
Re: EAP-TTLS and Kerberos problem
Thanks a lot for the reply!

On Tue, Jan 24, 2006 at 12:28:00PM -0500, Alan DeKok wrote:
> Jakob Oestergaard <[EMAIL PROTECTED]> wrote again:
> > If I put this in my users file, EAP-TTLS works and FreeRADIUS correctly
> > sees the PAP password from the laptop:
> >
> > DEFAULT Auth-Type = EAP
>
> You don't need to do that. The server will figure it out on its own.

It seems to me that it doesn't - read on.

> > If I put this in my users file, Kerberos works but FreeRADIUS does not
> > get the password from the notebook
>
> That's backwards. The notebook sends the password (maybe) to
> FreeRADIUS.

Ah yes - my bad

> > So, is there a way to tell FreeRADIUS to both use EAP *and* attempt
> > Kerberos authentication when it actually has a password?
>
> Yes. Your configuration is correct.
>
> Try running the server in debugging mode (as suggested in the
> README, FAQ, and INSTALL) to see why it's being rejected.

I did - unfortunately I didn't save the log output and I don't have a laptop handy right now to retry - will fix...

The kerberos module complained that no "User-Password" was sent, and therefore it couldn't try authenticating against the kerb. server.

If I ran with Auth-Type = EAP, then the TTLS encapsulated PAP messages would be decoded correctly and I could see the supplied password in clear text.

If I ran with Auth-Type = Kerberos, only the User-Name would be decoded, no User-Password.

I can send proper logs tomorrow - in case the above doesn't ring any bells :)

Thanks,

--
/ jakob
Re: Realm and users file.
On Monday 23 January 2006 20:37, User for Free Radius mail list wrote:
> The result is domain2.net will Auth OK them but they cannot get on line
> because domain1.com will reject them because of the "users" file.
>
> How do I fix this problem?
>
> Thanks!
>
> Ken

Running in debug mode should show you what is happening... have you done this? If you have and can't figure it out, post the debug output of an example where domain2.net auth fails so we can parse the output and hopefully determine what needs to be changed in your config.

Kevin Bonner
RE: Restricting access to a NAS
I'm doing this with huntgroups.

> -Original Message-
> From: freeradius-users-
> [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On Behalf Of Lewis
> Bergman
> Sent: Tuesday, January 24, 2006 18:01
> To: FreeRadius users mailing list
> Subject: Re: Restricting access to a NAS
>
> Laker Netman wrote:
> > I have a Cisco 3660 router configured for dialup AAA
> > through FR (1.0.5) to access our LAN. I also have the
> > login to the router itself, for admin, authenticating
> > through FR (MySQL backend).
> > The same DB is used for all auth, so currently anyone
> > with a dialup account could also telnet into the
> > router. This leaves only my 'enable' password to
> > prevent problems.
> > I want to configure FR to eliminate this ability for
> > all but a select group of users (admins). There are
> > other devices I would like to add to the list later.
> > I've been looking at huntgroups as the solution, but
> > was unsure how (or if) this could be handled via sql
> > rather than the users file.
> >
> > Is anyone doing this and could provide a sample config
> > layout?
> >
> I am not currently doing this but plan to tackle it by using something
> like a realm of admin when I do get to it. So a user needing admin privs
> would have to log in like [EMAIL PROTECTED] to get access.
>
> --
> Lewis Bergman
> Texas Communications
> 4309 Maple St.
> Abilene, TX 79602-8044
> Off. 325-691-1301
> Cell 325-439-0533
> fax 325-695-6841
Re: Restricting access to a NAS
On Tuesday 24 January 2006 11:24, Laker Netman wrote:
> I have a Cisco 3660 router configured for dialup AAA
> through FR (1.0.5) to access our LAN. I also have the
> login to the router itself, for admin, authenticating
> through FR (MySQL backend).
> The same DB is used for all auth, so currently anyone
> with a dialup account could also telnet into the
> router. This leaves only my 'enable' password to
> prevent problems.
> I want to configure FR to eliminate this ability for
> all but a select group of users (admins). There are
> other devices I would like to add to the list later.
> I've been looking at huntgroups as the solution, but
> was unsure how (or if) this could be handled via sql
> rather than the users file.
>
> Is anyone doing this and could provide a sample config
> layout?
>
> Thx,
> Laker

Set up auth detail logs, or run in debug mode, to see what special attributes are sent when an admin logs into the router. With that info, set up a huntgroup that matches on all or a subset of those attributes and add that as a check item for your admin users. We specify the password for the admin user because we didn't want the admin passwords to be the same as the dialup passwords. An example of what we use is below.

Kevin Bonner

== huntgroups ==
admin   Service-Type == Login-User, NAS-Port-Type == Virtual, Calling-Station-Id == "AAA.BBB.CCC.DDD"
== end huntgroups ==

== users ==
DEFAULT Huntgroup-Name == "admin"
        Cisco-AVPair := "shell:priv-lvl=1",
        Fall-Through = 1

keb     Huntgroup-Name == "admin", Crypt-Password == "..."

... more admin entries ...

# reject all admin auth
DEFAULT Huntgroup-Name == "admin", Auth-Type := Reject
== end users ==
Re: Using Freeradius and bind as a dynamic dns
Willem Pretorius wrote:
> Hi,
>
> Has anyone been able to use freeradius with mysql and a bind dns server to update a domain say "dynamic.com" every time a user connects? I want to create a local ADSL dynamic dns service for all my adsl users, e.g. if the login name is "companyX" with ip "165.146.165.78" I want to update the bind dns every time a user connects, e.g. "companyX.dynamic.com"
>
> Any Ideas?

This is the "bash script glue" method

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg20828.html
REPOST: Realms and users file.
I'm sure someone can give me a quick answer to this problem.

I have one radius server that handles requests in the form:

username
[EMAIL PROTECTED]
[EMAIL PROTECTED]

We have this setup in our proxy.conf file:

realm domain1.com {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

realm domain2.net {
        type            = radius
        authhost        = server.domain2.net:1645
        accthost        = LOCAL
        secret          = **
}

And it uses the "users" file for local stuff.

Everything works fine except when the username at the realm domain2.net server matches a name in the "users" file on the domain1.com server. We have usernames in the domain1.com "users" file that reject:

username        Auth-Type := Reject

These users have DSL access but no phone line access and belong to the domain1.com server. But once in a while they will have the same username on each system.

The result is domain2.net will Auth OK them but they cannot get on line because domain1.com will reject them because of the "users" file.

How do I fix this problem?

Thanks!

Ken
RE: NAS table
Yes, it is working fine, at least in freeradius 1.0.5. Read my comments here:

http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-October/047765.html

Unfortunately every change in the nas_table requires a restart of the freeradius server. It would be nice to have something like a reload or so, or even an auto reload after the radius server did an insert or update.

Gunther

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santiago Balaguer García
Sent: Monday, January 23, 2006 4:47 AM
To: freeradius-users@lists.freeradius.org
Subject: NAS table

Hi people,

I have been using freeradius as an authentication service for two years. I use freeradius 1.0.4 on Debian servers. My question is: I use the clients.conf file for my NAS clients; however, I read in the freeradius doc that this file can be supported in a database (it is very useful for me because I have an administration web for controlling my radius accounts). I saw that if I put 'readclients=yes' in my postgres.conf file perhaps it works, but it does not work. So, what do I have to write in order to have all NAS information in my database?

Thanks,
Santiago
How to control connection to LDAP
I have noticed that Radius connects to my LDAP server and maintains that connection open for many many hours for user lookups. Is there a way to have it connect only when a user needs to authenticate? Are there pros/cons to doing something like that?

Thanks!

Tim Crouch
Systems Administrator
Campus Computing Services
903-566-7476
RE: Restricting access to a NAS
I'm able to make it work by using

huntgroups:
admin   NAS-IP-address =~ "^10\.1\.2\."   # thanks a lot to Bjørn
        User-Name = admin1,
        User-Name = admin2,
        ...
...

and users:
admin1  Auth-Type := Local, User-Password == "secret", Huntgroup-Name == "admin"
...

I would assume that adding a huntgroup in the check line would be the same with a database backend. Can you post your solution once you make it work?

Thanks,
Min

-Original Message-
From: [EMAIL PROTECTED] on behalf of Lewis Bergman
Sent: Tue 1/24/2006 12:01 PM
To: FreeRadius users mailing list
Subject: Re: Restricting access to a NAS

Laker Netman wrote:
> I have a Cisco 3660 router configured for dialup AAA
> through FR (1.0.5) to access our LAN. I also have the
> login to the router itself, for admin, authenticating
> through FR (MySQL backend).
> The same DB is used for all auth, so currently anyone
> with a dialup account could also telnet into the
> router. This leaves only my 'enable' password to
> prevent problems.
> I want to configure FR to eliminate this ability for
> all but a select group of users (admins). There are
> other devices I would like to add to the list later.
> I've been looking at huntgroups as the solution, but
> was unsure how (or if) this could be handled via sql
> rather than the users file.
>
> Is anyone doing this and could provide a sample config
> layout?
>
I am not currently doing this but plan to tackle it by using something like a realm of admin when I do get to it. So a user needing admin privs would have to log in like [EMAIL PROTECTED] to get access.

--
Lewis Bergman
Texas Communications
Re: Fw: Performance features of FreeRadius
Marta Lajas <[EMAIL PROTECTED]> wrote:
> Why a million of users? Which are the problems that may appear?

For one, you probably don't want to run only one server. If you have 100 users and your RADIUS machine dies, it's not a big deal. If you have a million users, it's much more of a problem.

Also, at a million or so users, the load may get significant enough that you could need another machine.

> Are you refering to a million of users simultaneously connected to the FR
> server?

No. RADIUS doesn't work like that. Users do *not* connect to the server. Ever.

Alan DeKok.
Re: Using Freeradius and bind as a dynamic dns
Willem Pretorius <[EMAIL PROTECTED]> wrote:
> Have anyone been able to use freeradius with mysql and a bind dns server
> to update a domain say "dynamic.com" everytime a user connects?

Run an external shell script from the server when the user connects.

Alan DeKok.
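As an added example (not code from this thread, the linked post, or FreeRADIUS itself), this is the kind of external script Alan describes: it assumes FreeRADIUS runs it from an exec module on accounting Start and that rlm_exec exports the request attributes as the environment variables USER_NAME and FRAMED_IP_ADDRESS; the zone name, TTL and TSIG key path are also assumptions. It validates the User-Name before it becomes a DNS label, so a crafted login cannot smuggle extra labels or nsupdate directives into the update.

```python
#!/usr/bin/env python3
"""Dynamic DNS glue for FreeRADIUS (added example, not project code).

Reads USER_NAME and FRAMED_IP_ADDRESS from the environment (assumed
rlm_exec export names), builds an nsupdate batch for the assumed zone
and feeds it to nsupdate with an assumed TSIG key file.
"""
import ipaddress
import os
import re
import subprocess
import sys

ZONE = "dynamic.com"                      # assumed zone, from the question
TTL = 300                                  # assumed record TTL
KEY_FILE = "/etc/bind/dynamic.key"         # assumed TSIG key path

# A single RFC 1035 label: letters, digits, hyphen, 1-63 chars, no leading
# or trailing hyphen.  Anything else (dots, newlines, spaces) is refused so
# the User-Name cannot inject further nsupdate commands or extra labels.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def hostname_for(user):
    """Map a RADIUS User-Name to <label>.ZONE, stripping any @realm suffix."""
    label = user.split("@", 1)[0].lower()
    if not LABEL_RE.fullmatch(label):
        raise ValueError("User-Name is not a valid DNS label: %r" % user)
    return "%s.%s" % (label, ZONE)


def build_nsupdate(user, ip):
    """Return the nsupdate batch that replaces this user's A record."""
    addr = ipaddress.ip_address(ip)       # raises ValueError on garbage
    if addr.version != 4:
        raise ValueError("only an IPv4 Framed-IP-Address is handled")
    name = hostname_for(user)
    return "\n".join([
        "zone %s." % ZONE,
        "update delete %s. A" % name,      # drop the previous address
        "update add %s. %d A %s" % (name, TTL, addr),
        "send",
        "",
    ])


def main():
    user = os.environ.get("USER_NAME", "")
    ip = os.environ.get("FRAMED_IP_ADDRESS", "")
    if not user or not ip:
        sys.exit("USER_NAME and FRAMED_IP_ADDRESS are required")
    try:
        batch = build_nsupdate(user, ip)
    except ValueError as exc:
        sys.exit("refusing update: %s" % exc)
    # nsupdate reads the batch on stdin; the key file authenticates the update.
    subprocess.run(["nsupdate", "-k", KEY_FILE], input=batch.encode(), check=True)


if __name__ == "__main__":
    main()
```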
Re: How to log users in radutmp
"Torkel Mathisen" <[EMAIL PROTECTED]> wrote:
> I don't have that radutmp file.
>
> How do I get freeradius to log users in that file?

Make the NAS send data that FreeRADIUS can log. See the FAQ.

Alan DeKok.
Re: EAP-TTLS and Kerberos problem
Jakob Oestergaard <[EMAIL PROTECTED]> wrote again:
> If I put this in my users file, EAP-TTLS works and FreeRADIUS correctly
> sees the PAP password from the laptop:
>
> DEFAULT Auth-Type = EAP

You don't need to do that. The server will figure it out on its own.

> If I put this in my users file, Kerberos works but FreeRADIUS does not
> get the password from the notebook

That's backwards. The notebook sends the password (maybe) to FreeRADIUS.

> So, is there a way to tell FreeRADIUS to both use EAP *and* attempt
> Kerberos authentication when it actually has a password?

Yes. Your configuration is correct. Try running the server in debugging mode (as suggested in the README, FAQ, and INSTALL) to see why it's being rejected.

Alan DeKok.
Re: questions about eap md5 authentication
"Robert WAKIM" <[EMAIL PROTECTED]> wrote:
> Thanks for the answer. It works if I store the passwords in clear text
> in the ldap database.
>
> What method should I use to store the passwords in md5?

If you store the passwords as MD5 hashes in your database, then the only authentication methods that will work are PAP and EAP-TTLS with tunneled PAP.

Alan DeKok.
Re: questions about eap md5 authentication
Phil Mayers <[EMAIL PROTECTED]> wrote:
> ...because it doesn't have the required info. Probably it should yell
> about needing the right kind of password, though how it's supposed to
> know the one you've given it is the wrong one I would have to think about.

In 1.x, the LDAP module puts the passwords into the User-Password attribute. So the EAP-MD5 module believes that the clear-text password is (in this case) "{MD5}..."

Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
"Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] radius]# tail radius.log -n 2
> Tue Jan 24 01:24:02 2006 : Auth: rlm_unix: [nata]: invalid password

Nice. Is there any particular reason you're refusing to run the server in debugging mode, as suggested in the README, FAQ, and INSTALL?

Alan DeKok.
Re: How to start a session
San <[EMAIL PROTECTED]> wrote:
> How can we measure the users' usage. Where should I put
> the attribute session start and how I use the session
> stop. (what are the commands?)

Buy the O'Reilly RADIUS book and read it. The answer to your question is too long to post here.

> I'm really lost in this part. Every document that I can
> find only explains until authenticate and authorize
> between NAS and server. But after that I don't have a
> clue.

Because you appear to be writing a NAS. The documents don't tell you how to implement a NAS. For that, read the RFC's and the O'Reilly book.

Alan DeKok.
Re: RFC3576
"Chris Knipe" <[EMAIL PROTECTED]> wrote:
> Uhm, any support for RFC3576, added or planned?

radclient supports those packets. FreeRADIUS doesn't.

Do you have suggestions for what FreeRADIUS is supposed to do when it gets those packets? I'm asking for *specific* details, i.e. as detailed as possible.

The problem is none of the developers are sure how to implement it in a sane fashion in the server. Read RFC 3576. The recommended algorithm for dealing with those packets is a nightmare.

Alan DeKok.
Re: AD ldap bind works with 1.01, fails with 1.04
Stephen Walsh <[EMAIL PROTECTED]> wrote:
> ldap_search() failed: Operations error

It's a combination of factors. What's happening is that your LDAP search isn't fully qualified, so when something isn't found in "students", AD returns a referral to "staff". OpenLDAP fails to use the authentication credentials for the referral that it was given for the original query. And lo, "operations error", which is such a useful message.

It's a cross-domain referral problem. You have a "staff" domain, and a "student" domain, each of which trusts the other in AD.

The solution is to fully qualify all of the queries so that AD doesn't return a referral. Usually adding "ou=people" (or something like that) will do the trick.

Alan DeKok.
Freeradius and prepaid extension
Hello all,

I have heard about Freeradius, that it is a very powerful server. Thank you to all for the work you have done!!

I need a Radius server to perform prepaid VOIP telephony. For that the server must implement the RFCs 2865, 2866, 3539, and the extension for Prepaid follows the specifications X.S0011-005-C and X.S0011-006-C. Does Freeradius implement all this?

I need this information, because I have to install a demo platform, so if someone can help me ... thank you so much in advance.

Deborah

Déborah Malka
Re: dialup-admin problem
FreeBSD 6.0
Apache 2.2.0
PHP 5.1.1
FreeRadius 1.0.5

Dialup_admin works fine for me. It does appear to be a PHP problem. Look at your apache logs and see what errors you are getting, if any. You might want to check the "error_reporting" setting in your php.ini; make sure it is set to E_ALL so you can see what errors are occurring. If this is not a production box you might even want to change "display_errors" to On. This should give you a couple more "hints" on where to go next.

Rich

Scott Miller wrote:
> I've found that my problem might be with Apache 2 and PHP 5 - does anyone
> else have dialup-admin running properly on Apache 2 and PHP 5? I'd hate to
> think I'd have to downgrade.
>
> Thanks,
> Scott
Re: Restricting access to a NAS
Laker Netman wrote:
> I have a Cisco 3660 router configured for dialup AAA through FR (1.0.5) to access our LAN. I also have the login to the router itself, for admin, authenticating through FR (MySQL backend).
> The same DB is used for all auth, so currently anyone with a dialup account could also telnet into the router. This leaves only my 'enable' password to prevent problems.
> I want to configure FR to eliminate this ability for all but a select group of users (admins). There are other devices I would like to add to the list later.
> I've been looking at huntgroups as the solution, but was unsure how (or if) this could be handled via sql rather than the users file.
>
> Is anyone doing this and could provide a sample config layout?

I am not currently doing this but plan to tackle it by using something like a realm of admin when I do get to it. So a user needing admin privs would have to log in like [EMAIL PROTECTED] to get access.
-- 
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
Re: problem with EAP-TLS
dark0s dark0s <[EMAIL PROTECTED]> wrote:
> Excuse me, but what is AEGIS protocol?
> How can I disable the binding of the
> AEGIS Protocol of the network card?

Please do not post off-topic messages to this list. There are other lists devoted to supplicant software. Supplicant questions should go there.

Alan DeKok.
Re: problem with EAP-TLS
Can you explain to me better what the AEGIS protocol is? Because I cannot find it on the system.
Re: dialup-admin problem
I've found that my problem might be with Apache 2 and PHP 5 - does anyone else have dialup-admin running properly on Apache 2 and PHP 5? I'd hate to think I'd have to downgrade.

Thanks,
Scott

----- Original Message -----
From: "Scott Miller" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Monday, January 23, 2006 1:03 PM
Subject: dialup-admin problem

I've installed freeradius 1.1.0, went through all the tests and everything (the tests) seems to be working fine there. My platform is:

    Fedora Core 4
    Sendmail 8.13.4
    Apache 2.0.54
    MySQL 4.1.16
    PHP 5.0.5-2.1
    Freeradius 1.1.0

I've also followed the instructions for the dialup-admin, and have run into a problem. When I view servername.com/dialup-admin, I can see the first page just fine, but when I click on any link on the left, the right side just turns white - nothing displays. The "home" link brings me back to the "A web based administration interface for the freeradius radius server" page, but no other links seem to bring anything up.

Here's what I did:

1. Copied the directory dialup-admin to the /user/local/ directory
2. In /var/www/html I created a symlink to /user/local/dialup-admin/htdocs named dialup-admin:

       ln -s /usr/local/dialup-admin/htdocs /var/www/html/dialup-admin

3. Edited httpd.conf to the following:

       # Scott Added for freeradius dialup-admin
       #LoadModule php4_module libexec/libphp4.so
       #AddModule mod_php4.c
       AddType application/x-httpd-php .php
       AddType application/x-httpd-php .php3

   I had to comment out the first two lines, because httpd kept failing and producing the error: "Apache 1.3 configuration directives found please read /usr/share/doc/httpd-2.0.54/migration.html"
4. I did not do: [1.3.2.2] Creating a more secure web interface. - wanting to make it work first, then will start securing it.
5. Created the 4 additional MySQL Databases according to the instructions and all look fine.
6. I then went through the general configuration options. I commented out all LDAP options, and fixed the following:

       general_prefered_lang: en
       general_prefered_lang_name: English
       general_charset: iso-8859-1
       #general_decode_normal_attributes: yes
       general_base_dir: /usr/local/dialup-admin
       general_radiusd_base_dir: /usr/local/radiusd
       general_use_session: no
       general_most_recent_fl: 30
       #general_strip_realms : yes
       general_realm_delimiter: @
       general_realm_format: suffix
       general_show_user_password: yes
       general_raddb_dir: %{general_radiusd_base_dir}/etc/raddb
       general_ldap_attrmap: %{general_raddb_dir}/ldap.attrmap
       #general_clients_conf: %{general_raddb_dir}/clients.conf
       general_clients_conf: /usr/local/etc/raddb/clients.conf
       general_sql_attrmap: %{general_base_dir}/conf/sql.attrmap
       general_accounting_attrs_file: %{general_base_dir}/conf/accounting.attrs
       general_extra_ldap_attrmap: %{general_base_dir}/conf/extra.ldap-attrmap
       general_lib_type: sql
       general_user_edit_attrs_file: %{general_base_dir}/conf/user_edit.attrs
       general_sql_attrs_file: %{general_base_dir}/conf/sql.attrs
       general_default_file: %{general_base_dir}/conf/default.vals
       #general_ld_library_path: /usr/local/snmpd/lib
       general_finger_type: snmp
       general_nas_type: cisco
       general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
       general_radclient_bin: %{general_radiusd_base_dir}/bin/radclient
       general_test_account_login: test
       general_test_account_password: testpass
       general_radius_server: localhost
       general_radius_server_port: 1812
       general_radius_server_auth_proto: pap
       general_radius_server_secret: commented-out
       general_auth_request_file: %{general_base_dir}/conf/auth.request
       general_encryption_method: crypt
       general_accounting_info_order: desc
       general_stats_use_totacct: no
       general_restrict_badusers_access: no
       INCLUDE: %{general_base_dir}/conf/naslist.conf
       INCLUDE: %{general_base_dir}/conf/captions.conf
       #ldap_server: ldap.%{general_domain}
       #ldap_write_server: master.%{general_domain}
       #ldap_base: dc=company,dc=com
       #ldap_binddn: cn=Directory Manager
       #ldap_bindpw: XXX
       #ldap_default_new_entry_suffix: ou=dialup,ou=guests,%{ldap_base}
       #ldap_default_dn: uid=default-dialup,%{ldap_base}
       #ldap_regular_profile_attr: dialupregularprofile
       #ldap_use_http_credentials: yes
       #ldap_directory_manager: cn=Directory Manager
       #ldap_map_to_directory_manager: admin
       #ldap_debug: true
       # Allow for defining the ldap filter used when searching for a user
       # Variables supported:
       # %u: username
       # %U: username provided though http authentication
       # %mu: mappings for userdb
       # %ma: mappings for accounting
       #ldap_filter: (uid=%u)
       #ldap_userdn: uid=%u,%{ldap_base}
       sql_type: mysql
       sql_server: localhost
       sql_port: 3306
       sql_username: xxx
       sql_password: xxx
       sql_database: radius
       sql_accounting_table: radacct
       sql_badusers_table: badusers
       sql_check_table: radcheck
       sql_reply_table: radreply
       sql_user_info_table: userinfo
       sql_groupcheck_table: radgroupcheck
       sql_groupreply_table: radgroupreply
       sql_usergroup_table: usergroup
       sql_total_accounting_table: totacct
       sql_nas_table:
Restricting access to a NAS
I have a Cisco 3660 router configured for dialup AAA through FR (1.0.5) to access our LAN. I also have the login to the router itself, for admin, authenticating through FR (MySQL backend).

The same DB is used for all auth, so currently anyone with a dialup account could also telnet into the router. This leaves only my 'enable' password to prevent problems.

I want to configure FR to eliminate this ability for all but a select group of users (admins). There are other devices I would like to add to the list later. I've been looking at huntgroups as the solution, but was unsure how (or if) this could be handled via sql rather than the users file.

Is anyone doing this and could provide a sample config layout?

Thx,
Laker
Re: IPPOOL PROBLEM
Hi,

Thanks Nicolas. Sorry, it's the first time I work in a UNIX environment.

In the configure output I obtained:

    configure: warning: silently not building rlm_ippool.
    configure: warning: FAILURE: rlm_ippool requires: libgdbm.

After installing the package gdbm-1.8.3, which are the steps I have to follow in order to get rlm_ippool compiled? Do I have to repeat all the steps of the installation ($ ./configure -> $ make -> $ make install)? Or is there another way?

Thank you very much,
Rafa

----- Original Message -----
From: "Nicolas Baradakis" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Tuesday, January 24, 2006 2:01 PM
Subject: Re: IPPOOL PROBLE

> Rafael Roldán wrote:
>
> > But when I tried to test the ippool module I obtained a segmentation
> > fault when I run radiusd.
>
> Please no HTML to the list.
>
> If you found a bug in FreeRADIUS, follow the instructions here:
> http://freeradius.org/radiusd/doc/bugs
>
> > In my rlm_ippool directory I have:
> >
> > # pwd
> > .../freeradius-1.0.5/src/modules/rlm_ippool
> > # ls
> > acconfig.h   config.log     configure.in   Makefile.in   rlm_ippool_tool.c
> > config.h     config.status  CVS            rlm_ippool.c  rlm_ippool_tool.pod
> > config.h.in  configure      Makefile       rlm_ippool_tool.8
> > #
> >
> > Has the rlm_ippool module compiled well?
> > How can I resolve the problem?
>
> It looks like the rlm_ippool module was skipped, read the configure
> output to find out why.
>
> --
> Nicolas Baradakis
Re: IC radius question
They seem very resistant to change to freeradius. They think that since the other portmasters are working fine, that it must be THIS portmaster causing their radius logs to fill with these strange messages:

    Check list does not match request list [USER] (from nas access-2#2/S99 cli 5094441590)

They'd prefer to try to find WHY they are getting this message. I'd prefer that they switch to Freeradius. I am not certain that will fix their problem though, so I would like to see if anyone ever got this error and what it may have been caused by. This error is occurring on an estimated 5% of their calls and on random users. Caller calls in, can't establish, the error occurs, they call back, same login, works fine, no error in the radius log.

Jake Messinger, VP.            ph: 713-772-6690
AMS, Inc.                      fx: 713-774-3498
8300 Bissonnet #400            [EMAIL PROTECTED]
Houston, Texas 77074           http://jakes.org
Visit: portmasters.com  advmed.com  profjake.com  homestarrunner.com
ICQ# 4403734  YAHOO: prof_jake  AIM: profjake  MSN: [EMAIL PROTECTED]
Adjunct Professor University of Houston, CBA [EMAIL PROTECTED]

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Monday, January 23, 2006 8:56 PM
Subject: Re: IC radius question

> "Jake Messinger" <[EMAIL PROTECTED]> wrote:
> > I know this is the freeradius forum but I thought I'd ask here. I have a
> > customer using icradius and they say that they can't easily switch to
> > freeradius because of several python scripts written to work with icradius.
>
> They can switch to FreeRADIUS, which has a python module.
>
> Alan DeKok.
RE: Fw: Performance features of FreeRadius
Hi Alan,

I am interested in the following statement:

> And unless you have a million users, performance of the server isn't
> really an issue. FreeRADIUS can handle multiple hundreds of thousands
> of users on a commodity PC without any problems.

Why a million of users? Which are the problems that may appear? Are you referring to a million of users simultaneously connected to the FR server?

Thanks and regards,
Marta

Rafael Roldán <[EMAIL PROTECTED]> wrote:

> ----- Original Message -----
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list"
> Sent: Friday, January 20, 2006 7:12 PM
> Subject: Re: Performance features of FreeRadius
>
> > Marta Lajas <[EMAIL PROTECTED]> wrote:
> > > I would like to know where I can find information about the
> > > performance features of the FreeRadius product.
> >
> > As in how well it performs? That depends on your system and database.
> >
> > The short answer is that FreeRADIUS will always be faster than the
> > database you use to store user configuration.
> >
> > And unless you have a million users, performance of the server isn't
> > really an issue. FreeRADIUS can handle multiple hundreds of thousands
> > of users on a commodity PC without any problems.
> >
> > Alan DeKok.
Re: IC radius question
Jake Messinger wrote:
> I know this is the freeradius forum but I thought I'd ask here. I have a customer using icradius and they say that they can't easily switch to freeradius because of several python scripts written to work with icradius.

Don't know anything about that error but if the python scripts look at the db they should be very easy to port.
-- 
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
Re: questions about eap md5 authentication
Robert WAKIM wrote:
> Thanks for the answer. It works if I store the passwords in clear text
> in the ldap database.
>
> What method should I use to store the passwords in md5?

I don't think you can use any challenge-response mechanisms with the passwords MD5 "crypt"ed. Some MD5-based challenge-response methods (such as Digest-MD5) can work if you store the derived HA1 value, which is different than the /etc/passwd-style MD5 "crypt" one-way.

I would have to look at the EAP-MD5 mechanism RFC to see if that were true, but in any case when I glanced at the 1.0.5 source code of rlm_eap_md5, *it* wasn't written to be able to make use of the HA1 as far as I could tell.

If you store the ntPassword you can extract that into the NT-Password radius attribute and use MS-CHAP.

Or, depending on what 802.1x supplicant you're using, you could use TTLS and PAP inner mechanism, and you can check PAP against any store/crypt.

Note both the HA1 and NT hashes are plaintext-equivalent i.e. if you steal them it's just as good as having the password, so the security benefits of storing such a crypt rather than the plaintext are somewhat questionable IMHO.
Using Freeradius and bind as a dynamic dns
Hi,

Has anyone been able to use freeradius with mysql and a bind dns server to update a domain, say "dynamic.com", every time a user connects?

I want to create a local ADSL dynamic dns service for all my adsl users, e.g. if the login name is "companyX" with ip "165.146.165.78" I want to update the bind dns every time a user connects, e.g. "companyX.dynamic.com"

Any Ideas?
-- 
Regards
Willem Pretorius
I-Soft Internet
Cape Town
Tel: 0861-ISOFT-ADSL (021-421-2477)
Fax: 0866 733 292
Re: problem with EAP-TLS
dark0s dark0s wrote:
> Excuse me, but what is AEGIS protocol?
> How can I disable the binding of the
> AEGIS Protocol of the network card?
>
The AEGIS protocol is the broken supplicant of your wlan card. I only have a German Windows so I can't tell you what the menu name is called in the English one. So go to your network environment with a right mouse click on the desktop icon and select properties. Then select the connection of the wlan card. Click right again and properties. Now you can disable the AEGIS protocol. But only disable!! And not remove!!!
EAP-TTLS and Kerberos problem
Dear list,

I'm setting up FreeRADIUS so that I can authenticate WPA ("Enterprise") from a Linksys access point against Kerberos (via RADIUS).

I can get FreeRADIUS to authenticate against Kerberos (using radtest), and I can get FreeRADIUS to talk EAP-TTLS with the access point (or the WIFI notebook actually). However, I cannot get EAP-TTLS to work with Kerberos.

If I put this in my users file, EAP-TTLS works and FreeRADIUS correctly sees the PAP password from the laptop:

    DEFAULT Auth-Type = EAP
            Fall-Through = 1

If I put this in my users file, Kerberos works but FreeRADIUS does not get the password from the notebook and therefore the krb5 module won't attempt authentication:

    DEFAULT Auth-Type = Kerberos

So, is there a way to tell FreeRADIUS to both use EAP *and* attempt Kerberos authentication when it actually has a password?

Any help will be much appreciated. Thank you very much

-- 
 / jakob
Re: problem with EAP-TLS
Excuse me, but what is AEGIS protocol? How can I disable the binding of the AEGIS Protocol of the network card?
Re: IPPOOL PROBLE
Rafael Roldán wrote:
> But when I tried to test the ippool module I obtained a segmentation
> fault when I run radiusd.

Please no HTML to the list.

If you found a bug in FreeRADIUS, follow the instructions here:
http://freeradius.org/radiusd/doc/bugs

> In my rlm_ippool directory I have:
>
> # pwd
> .../freeradius-1.0.5/src/modules/rlm_ippool
> # ls
> acconfig.h   config.log     configure.in   Makefile.in   rlm_ippool_tool.c
> config.h     config.status  CVS            rlm_ippool.c  rlm_ippool_tool.pod
> config.h.in  configure      Makefile       rlm_ippool_tool.8
> #
>
> Has the rlm_ippool module compiled well?
> How can I resolve the problem?

It looks like the rlm_ippool module was skipped, read the configure output to find out why.

-- 
Nicolas Baradakis
How to log users in radutmp
Hi

I have a rather simple freeradius server. I run freeradius 1.0.5 on solaris 10 with PEAP/MS-CHAPv2 authentication through the users file.

I want to see who's connected with radwho, but when I run that I only get:

    # radwho
    Radwho: Error reading /usr/local/var/log/radius/radutmp: No such file or directory

I don't have that radutmp file.

How do I get freeradius to log users in that file?

Regards,
Torkel
RE: questions about eap md5 authentication
> > Robert WAKIM wrote:
> > rlm_ldap: checking if remote access for gab is allowed by radiusFilterId
> > rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items
>
> Nope. That won't work. EAP-MD5's MD5 algorithm needs the plaintext
> password so unless you can get that out of LDAP, you'll have to use
> another method.

Thanks for the answer. It works if I store the passwords in clear text in the ldap database.

What method should I use to store the passwords in md5?

Regards,
-- 
M. Robert Wakim
Mind Technologies
24 rue Victor Hugo
94220 Charenton-Le-Pont
FRANCE
tel : +33 (0)1 41 79 09 40
Fax : +33 (0)1 43 68 80 32
Email: [EMAIL PROTECTED]
web : http://www.mind-techno.fr
Re: Bug 314..
Rohaizam Abu Bakar wrote: > Which file i should fix? and what to add? You can manually fix 1.1.0 by removing these two lines in file src/modules/rlm_otp/otp_state.c: Index: src/modules/rlm_otp/otp_state.c === RCS file: /source/radiusd/src/modules/rlm_otp/otp_state.c,v retrieving revision 1.23.2.2 diff -u -r1.23.2.2 otp_state.c --- src/modules/rlm_otp/otp_state.c 10 Jan 2006 14:33:16 - 1.23.2.2 +++ src/modules/rlm_otp/otp_state.c 24 Jan 2006 11:13:16 - @@ -35,9 +35,7 @@ #include #include #include -#if defined(__linux__) || defined(__APPLE__) #include -#endif #include "otp.h" #include "otp_state.h" Nicolas Baradakis -- A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting annoying in email? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
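Review bot: the hunk makes the include that sat between the two removed lines unconditional on every platform, where before it was compiled only under `__linux__` or `__APPLE__`, but neither the hunk nor the message says which platform bug 314 bit or why the guard was wrong; a one-line comment beside that include (or a ChangeLog entry) naming the platform and confirming the header is available wherever rlm_otp builds would stop the next reader from re-adding the guard. The `#include` lines as shown carry no header names, so that availability is the one thing a reviewer cannot confirm from the hunk itself.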
Re: questions about eap md5 authentication
Robert WAKIM wrote:
> rlm_ldap: checking if remote access for gab is allowed by radiusFilterId
> rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items

Nope. That won't work. EAP-MD5's MD5 algorithm needs the plaintext password so unless you can get that out of LDAP, you'll have to use another method.

> rlm_eap: Request found, released from the list
> rlm_eap: EAP/md5
> rlm_eap: processing type md5
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns reject for request 2

...because it doesn't have the required info. Probably it should yell about needing the right kind of password, though how it's supposed to know the one you've given it is the wrong one I would have to think about.
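Why the `{MD5}` value cannot satisfy EAP-MD5 while PAP copes with it, as an added Python example (not FreeRADIUS or rlm_eap_md5 code): EAP-MD5 reuses the CHAP computation from RFC 1994, Response = MD5(Identifier || password || Challenge), so the server has to know the password itself, whereas with PAP the password arrives in the request and the server can hash it and compare with the stored digest. This is the mechanism behind Phil's reply above and behind Alan's answer to Robert earlier in the thread (only PAP and EAP-TTLS with tunneled PAP work against MD5-hashed passwords). Password, challenge and identifier are constructed values; the `{MD5}` + base64 encoding mirrors the form rlm_ldap logged.

```python
"""Why EAP-MD5 needs the password itself and a stored MD5(password) won't do.

Added example, not FreeRADIUS code. Passwords, challenge and identifier are
constructed sample values.
"""
import base64
import hashlib
import hmac


def ldap_md5_hash(password: bytes) -> str:
    """Store-side value in the form rlm_ldap logged: "{MD5}" + base64(MD5(pw))."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant side: the 16-byte MD5-Challenge response (RFC 1994 CHAP)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def verify_eap_md5(identifier: int, known_password: bytes, challenge: bytes,
                   response: bytes) -> bool:
    """Server side: recompute the response from whatever it believes the
    password to be, and compare in constant time."""
    expected = eap_md5_response(identifier, known_password, challenge)
    return hmac.compare_digest(expected, response)


def verify_pap(stored: str, supplied_password: bytes) -> bool:
    """PAP against the same "{MD5}" store: hash the password that arrived in
    the request and compare it with the stored digest."""
    if not stored.startswith("{MD5}"):
        return False
    digest = base64.b64decode(stored[len("{MD5}"):])
    return hmac.compare_digest(hashlib.md5(supplied_password).digest(), digest)


def demo(password: bytes = b"sample-password", challenge: bytes = bytes(range(16)),
         identifier: int = 2) -> dict:
    """Run the three checks and report which of them succeed."""
    stored = ldap_md5_hash(password)                   # what LDAP holds
    response = eap_md5_response(identifier, password, challenge)   # what the client sends
    return {
        # server knows the cleartext password: the response can be recomputed
        "eap_md5_with_cleartext": verify_eap_md5(identifier, password, challenge, response),
        # server only has "{MD5}..." and, as 1.x does, treats that string as
        # the password itself: never matches
        "eap_md5_with_stored_hash": verify_eap_md5(identifier, stored.encode(), challenge, response),
        # PAP: the request carries the password, the store holds the hash
        "pap_with_stored_hash": verify_pap(stored, password),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

There is no transformation the server could apply to `{MD5}...` to recover the middle term of MD5(Identifier || password || Challenge), which is exactly why rlm_eap_md5 has nothing to work with here.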
Re: username is blank in RadAcct table (ICRADIUS)
> I know that this is FreeRadius forum, but since ICRadius forum is almost dead I thought someone can help me, here.
> It turns out this morning that I have over 1,800,000 records in my RadAcct table with blank username. Probably I am under attack. The record is so much different than regular user records authenticated through NAS server. In each record
>
> AcctSessionTime=1

No HTML please, quite aside from the off-topic.

> NASPortType Virtual
> AcctAuthentic local
> CalledStationId first 10 char of A.B.C.D
> AcctTerminateCause Lost-Carrier
> Service-Type NAS-Prompt-User
> NASPortId 122, 123

I've seen similar requests from our Ascend Max'es. They rather bizarrely send radius requests with weird parameters asking for things like routes, banner messages and so forth. Furthermore I found that unless you reject them outright the NAS will keep spamming you with them - I'm sure there's a way to turn it off, but I just ended up with this in my users file:

    DEFAULT Service-Type == Outbound-User, User-Password := 'ascend', Auth-Type := Reject
            Fall-Through = No

You also didn't say whether "A.B.C.D" was the IP of one of your NASes. In any case, you should use ethereal or something similar to capture the traffic and *LOOK* at it.

HTH
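The blank-username rows Phil is looking at, turned into a check that can be run over the table rather than eyeballed, as an added Python example (not ICRADIUS, FreeRADIUS or either poster's code): it matches the row profile listed in the question (empty UserName, AcctSessionTime of 1, NASPortType Virtual, AcctAuthentic Local, Service-Type NAS-Prompt-User, AcctTerminateCause Lost-Carrier) and groups the hits by NAS address and port, which answers Phil's question about A.B.C.D from the data itself before anyone concludes they are under attack. Column names follow the post; the rows and the 192.0.2.x addresses are constructed.

```python
"""Flag RadAcct rows matching the blank-username pattern from the thread.

Added example, not ICRADIUS or FreeRADIUS code. Column names follow the
post; all rows and NAS addresses below are constructed sample data.
"""
from collections import Counter

# Attribute values the post lists for every one of the suspect rows.
JUNK_SIGNATURE = {
    "NASPortType": "Virtual",
    "AcctAuthentic": "Local",
    "ServiceType": "NAS-Prompt-User",
    "AcctTerminateCause": "Lost-Carrier",
}


def is_junk_row(row):
    """True when a RadAcct row matches the blank-username pattern from the post."""
    if (row.get("UserName") or "").strip():
        return False                              # a real login: not this pattern
    if str(row.get("AcctSessionTime")) != "1":
        return False
    return all(row.get(col) == val for col, val in JUNK_SIGNATURE.items())


def summarize(rows):
    """Return (junk_count, hits per NASIPAddress, hits per NASPortId).

    The per-NAS breakdown answers "is A.B.C.D one of your NASes?" from the
    table itself; the capture Phil recommends then has a known target device."""
    junk = [r for r in rows if is_junk_row(r)]
    per_nas = Counter(r.get("NASIPAddress", "?") for r in junk)
    per_port = Counter(str(r.get("NASPortId", "?")) for r in junk)
    return len(junk), dict(per_nas), dict(per_port)


def _row(user, secs, nas, port, ptype, auth, svc, cause):
    """Build one RadAcct-style row dict (helper for the constructed sample)."""
    return {"UserName": user, "AcctSessionTime": secs, "NASIPAddress": nas,
            "NASPortId": port, "NASPortType": ptype, "AcctAuthentic": auth,
            "ServiceType": svc, "AcctTerminateCause": cause}


# Constructed sample rows; NAS addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_ROWS = [
    _row("",      1,    "192.0.2.10", 122, "Virtual", "Local",  "NAS-Prompt-User", "Lost-Carrier"),
    _row("",      1,    "192.0.2.10", 123, "Virtual", "Local",  "NAS-Prompt-User", "Lost-Carrier"),
    _row(None,    1,    "192.0.2.11", 122, "Virtual", "Local",  "NAS-Prompt-User", "Lost-Carrier"),
    _row("alice", 1843, "192.0.2.10", 7,   "Async",   "RADIUS", "Framed-User",     "User-Request"),
    # blank username but an ordinary dialup session profile: not the pattern
    _row("",      1,    "192.0.2.12", 3,   "Async",   "RADIUS", "Framed-User",     "User-Request"),
]


if __name__ == "__main__":
    count, per_nas, per_port = summarize(SAMPLE_ROWS)
    print(f"{count} junk rows; by NAS {per_nas}; by port {per_port}")
```

On the real table the same function would be fed the rows of a `SELECT` over RadAcct; the point of matching the whole profile rather than just the empty UserName is that a blank name alone also appears on legitimate but malformed sessions, which the last sample row shows.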
Re: problem with EAP-TLS
dark0s dark0s wrote:
> I have a Windows XP SP2 client, with winpcap 3.1 installed.
> I have downloaded wpa_supplicant 0.5.0, but the executable wpasvc.exe
> is not recognized by the system, is it possible?
> After installing winpcap, what do I have to do?

First you must get the device id of your WLAN card and disable the supplicant that comes with the driver. To get the Card ID run win_if_list that comes with the wpa_supplicant package. To disable the driver supplicant, disable the binding of the AEGIS Protocol of the network card.

Then you have to write a config file. Here is my sample (I use WPA2 and EAP-TLS):

update_config=1
ctrl_interface=/var/run/wpa_supplicant
eapol_version=2
ap_scan=2
fast_reauth=1
network={
        proto=RSN
        pairwise=CCMP
        ssid="your network SSID"
        key_mgmt=WPA-EAP
        identity="put here the text of the common name field of the client cert"
        ca_cert="ca.pem"
        client_cert="client.crt"
        private_key="client.key"
        private_key_passwd="put here the secret of the client cert key"
        eapol_flags=3
}

And lastly build a simple cmd script that starts the whole thing. Here is my script:

wpa_supplicant -c myconf.conf -i "put here your device id" -D ndis -dd
Problems System Auth with FreeRadius (/etc/shadow)
Hello,

I am having a big problem with the FreeRadius server. It doesn't authenticate my clients using /etc/shadow and /etc/passwd. When I try to use "radlogin" or "radtest" these are the messages I get:

=== radlogin ===

[EMAIL PROTECTED] radius]# radlogin
($Id: radlogin.c,v 1.3 1997/12/29 23:07:25 lf Exp $) - Linux 2.6.13.4 (ns2.cnett.com.br) (port 0) -
login: nata
Password:
RADIUS: Authentication failure
local: Authentication failure
[EMAIL PROTECTED] radius]# tail radius.log -n 2
Tue Jan 24 01:24:02 2006 : Auth: rlm_unix: [nata]: invalid password
Tue Jan 24 01:24:02 2006 : Auth: Login incorrect: [nata/1234] (from client localhost port 0)

=== radtest ===

[EMAIL PROTECTED] radius]# radtest nata 1234 localhost:1812 0 local
Sending Access-Request of id 126 to 127.0.0.1:1812
        User-Name = "nata"
        User-Password = "1234"
        NAS-IP-Address = ns2.cnett.com.br
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=126, length=20
[EMAIL PROTECTED] radius]# tail -n 2 radius.log
Tue Jan 24 01:26:41 2006 : Auth: rlm_unix: [nata]: invalid password
Tue Jan 24 01:26:41 2006 : Auth: Login incorrect: [nata/1234] (from client localhost port 0)

I tried everything I know and it is still not working. If I compile and install Cistron Radius it works just fine, but I don't want Cistron...

freeradius-1.0.1-1
Fedora Core 3 - Kernel 2.6.13.4 (compiled from source)

Waiting for help.

Att,
Nataniel Klug
Re: Freeradius-Users Digest, Vol 9, Issue 83 (Away from the office)
I am away from the office, returning on the 30th of January 2006. If you have any urgent problems please forward them to SWRC IT ([EMAIL PROTECTED]) or call 9780 7314.

See you soon
Robert
questions about eap md5 authentication
Hi,

I'm pretty stuck in a radius/ldap 802.1x authentication. During the authentication process the client (Windows 2k through an E1 switch) sends the authentication using MD5-Challenge, which is for what I understand the easiest of all. The FreeRadius server receives everything but fails to authenticate the user. Here is the output:

rad_recv: Access-Request packet from host 192.168.1.200:1056, id=37, length=96
        Message-Authenticator = 0xf44b1f115e9f9aa7d8026af7916c954f
        User-Name = "gab"
        NAS-IP-Address = 192.168.1.200
        NAS-Port = 32
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-E0-29-38-72-DB"
        EAP-Message = 0x024801676162
        Framed-MTU = 1000
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for gab
radius_xlat:  '(uid=gab)'
radius_xlat:  'ou=radius, dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to galilee.mind-techno.fr:389, authentication 0
rlm_ldap: bind as cn=emanager,ou=radius,dc=fr/socrate2803 to galilee.mind-techno.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=radius, dc=fr, with filter (uid=gab)
rlm_ldap: checking if remote access for gab is allowed by radiusFilterId
rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value { & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User & op=11
rlm_ldap: user gab authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  rlm_eap: EAP packet type response id 64 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 37 to 192.168.1.200:1056
        Filter-Id = "Enterasys:version=1:policy=Enterprise User"
        EAP-Message = 0x014100160410f863dc8a4ae21123368575c7ac478f42
        Message-Authenticator = 0x
        State = 0x0d1c294f270f623665d377ff9b34eb92
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.200:1057, id=38, length=96
        Message-Authenticator = 0x5c5c8803ec4b135afc57ba4443c8f64f
        User-Name = "gab"
        NAS-IP-Address = 192.168.1.200
        NAS-Port = 32
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-E0-29-38-72-DB"
        EAP-Message = 0x0242000801676162
        Framed-MTU = 1000
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for gab
radius_xlat:  '(uid=gab)'
radius_xlat:  'ou=radius, dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=radius, dc=fr, with filter (uid=gab)
rlm_ldap: checking if remote access for gab is allowed by radiusFilterId
rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value { & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User & op=11
rlm_ldap: user gab authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  rlm_eap: EAP packet type response id 66 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 38 to 192.168.1.200:1057
        Filter-Id = "Enterasys:version=1:poli
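The two posts about this exchange (the debug output above and the earlier reply saying EAP-MD5 needs the plaintext password) both come down to what the server has to compute. The following added example, written for this page and not taken from FreeRADIUS or from either poster, decodes the EAP-Message values shown in the log and works the MD5-Challenge arithmetic through. The challenge bytes are the ones in the Access-Challenge above; the password "constructed-secret" and the {MD5} userPassword derived from it are constructed for the demonstration and are not the user's credential.

```python
"""Added example: decode the EAP-Message attributes from the debug output and show
why an EAP-MD5 server cannot work from an LDAP {MD5} userPassword."""
import base64
import hashlib
import hmac

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}

# Values lifted from the log above: the client's Identity response and the
# MD5-Challenge the server issued in its Access-Challenge.
IDENTITY_RESPONSE = "0x0242000801676162"
MD5_CHALLENGE_REQUEST = "0x014100160410f863dc8a4ae21123368575c7ac478f42"


def parse_eap(hexstr):
    """Parse one EAP packet (RFC 3748 section 4): Code, Identifier, Length, Type, data.
    Raises ValueError when the Length field disagrees with the bytes present, which
    is what happens with the truncated 0x024801676162 value in the first request."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP Length field {length} does not match {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        eap_type = data[4]
        payload = data[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:                       # Identity: the bare user name
            pkt["identity"] = payload.decode("ascii", "replace")
        elif eap_type == 4:                     # MD5-Challenge: Value-Size, Value, Name
            value_size = payload[0]
            pkt["challenge"] = payload[1:1 + value_size].hex()
            pkt["name"] = payload[1 + value_size:].decode("ascii", "replace")
    return pkt


def md5_response(ident, password, challenge_hex):
    """The value the client puts in its MD5-Challenge response:
    MD5(Identifier || plaintext password || challenge), as in CHAP (RFC 1994)."""
    material = bytes([ident]) + password.encode() + bytes.fromhex(challenge_hex)
    return hashlib.md5(material).hexdigest()


def verify_md5_response(response_hex, ident, password, challenge_hex):
    """Server side: recompute with the plaintext password and compare in constant time."""
    return hmac.compare_digest(response_hex, md5_response(ident, password, challenge_hex))


def ldap_md5_scheme(password):
    """What an LDAP {MD5} userPassword stores: base64(MD5(password)). The challenge
    is hashed *together with* the password, so this digest is not an input that
    can be reused to compute md5_response()."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def server_check(stored_user_password, ident, challenge_hex, response_hex):
    """Mimic what rlm_eap can do with the User-Password rlm_ldap handed it:
    a cleartext value can be verified; a scheme-prefixed digest cannot, and the
    only honest outcome is a reject (None here, 'returns reject' in the log)."""
    if stored_user_password.startswith("{"):
        return None
    return verify_md5_response(response_hex, ident, stored_user_password, challenge_hex)


if __name__ == "__main__":
    ident_pkt = parse_eap(IDENTITY_RESPONSE)
    chal_pkt = parse_eap(MD5_CHALLENGE_REQUEST)
    print("identity:", ident_pkt)
    print("challenge:", chal_pkt)
    password = "constructed-secret"             # constructed, not the user's password
    resp = md5_response(chal_pkt["id"], password, chal_pkt["challenge"])
    print("cleartext in LDAP  ->", server_check(password, chal_pkt["id"], chal_pkt["challenge"], resp))
    print("{MD5} in LDAP      ->", server_check(ldap_md5_scheme(password), chal_pkt["id"], chal_pkt["challenge"], resp))
```

The practical consequence for the original poster is the one the reply states: either store the password in a form the server can read in cleartext, or move to an EAP method whose credential format matches what the directory holds.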
Re: How to start a session
Ernesto, thanks a lot for the quick reply.

I have used the radtest command and I can get Access-Accept successfully. What I don't understand is the next step (after the NAS authenticates and authorizes). How can we measure the users' usage? Where should I put the attribute session start and how do I use the session stop? (What are the commands?) Do I need to write an external script to calculate this?

The scenario is I want to know how much bandwidth is used by users during the login time. I am really lost in this part. Every document that I can find only explains until authenticate and authorize between NAS and server. But after that I don't have a clue.

Hope you can understand and be patient with my very basic (amateur) questions.

Best regards
santy

--- Ernesto Freyre Ramírez <[EMAIL PROTECTED]> wrote:

> You must use the radtest command
>
> type radtest at the command prompt and this will give you hints about how to use it
>
> Ernesto Freyre Ramírez
> Head of Operations
> Qnet
> Soluciones Tecnológicas
> Jr. Natalio Sánchez 220, Of. 401 - Lima 11
> Tel.: (511) 431-6565 ext. 2245
> Fax: (511) 431-7113
>
> Visit us at: www.qnet.com.pe
>
> ----- Original Message -----
> From: San
> To: FreeRadius users mailing list
> Sent: Friday, January 20, 2006 8:35 AM
> Subject: How to start a session
>
> Dear All,
>
> I have implemented freeradius-1.0.5 in a Redhat box. And I have some questions about it. I have searched the web but still can't find a clue or I just missed it :(. Also my questions are:
>
> 1. How do we start the session? I have sent the request to the server and got access_accepted. And as I know the session starts after we send the accounting_request and get a response from the server. The problem is how to do that using the command prompt? My NAS is a Suse box (that should be fine right?).
>
> I use this command to send acct_request
>
> echo "User-Name= Anna"| radclient 10.1.0.76 acct -x testing123
>
> Is that right? Or is there any place I can refer to to use the radclient command?
>
> 2. Do I need to write an external script to run the command? Because I want to use the session time out but it seems still not working (because I don't know how to start the session).
>
> 3. Where should I put the acc_type? Is it on the server side or the NAS side?
>
> I really hope someone can help me (please...)
> Thanks a lot in advance
> Best Regards,
> Santy
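The accounting half of the exchange the thread is asking about, as an added example that is not part of either post and not FreeRADIUS's own code: the server is told a session has begun with an Accounting-Request whose Acct-Status-Type is Start, and told it ended (with the usage counters) by a Stop record carrying the same Acct-Session-Id (RFC 2866). The attribute lists are built as the text radclient reads from standard input, the same way the poster's `echo ... | radclient 10.1.0.76 acct -x testing123` works, and the script only invokes radclient if it is installed. The server address and secret are the poster's; the session id, duration and octet counts are constructed.

```python
"""Added example: build RFC 2866 accounting Start/Stop records for radclient and
total the usage per user from the Stop records (constructed values)."""
import shutil
import subprocess


def acct_start(user, session_id, nas_ip, nas_port=0):
    """Attribute list for an Accounting-Request that opens a session."""
    return "\n".join([
        f'User-Name = "{user}"',
        "Acct-Status-Type = Start",
        f'Acct-Session-Id = "{session_id}"',   # must match the Stop for the same session
        "Acct-Authentic = RADIUS",
        f"NAS-IP-Address = {nas_ip}",
        f"NAS-Port = {nas_port}",
    ]) + "\n"


def acct_stop(user, session_id, nas_ip, session_time, in_octets, out_octets, nas_port=0):
    """Attribute list for the Stop record: the counters the NAS accumulated."""
    return "\n".join([
        f'User-Name = "{user}"',
        "Acct-Status-Type = Stop",
        f'Acct-Session-Id = "{session_id}"',
        f"Acct-Session-Time = {session_time}",      # seconds the session lasted
        f"Acct-Input-Octets = {in_octets}",         # bytes from the user
        f"Acct-Output-Octets = {out_octets}",       # bytes to the user
        "Acct-Terminate-Cause = User-Request",
        f"NAS-IP-Address = {nas_ip}",
        f"NAS-Port = {nas_port}",
    ]) + "\n"


def send_accounting(attrs, server="10.1.0.76", secret="testing123"):
    """Pipe the attribute list into radclient: same as the poster's echo ... | radclient.
    Returns None when radclient is not installed so the example still runs offline."""
    if shutil.which("radclient") is None:
        return None
    proc = subprocess.run(["radclient", "-x", server, "acct", secret],
                          input=attrs, text=True, capture_output=True)
    return proc.returncode == 0


def parse_attrs(text):
    """Turn 'Name = value' lines back into a dict, dropping the quotes radclient accepts."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            out[name.strip()] = value.strip().strip('"')
    return out


def usage_per_user(records):
    """Sum octets and seconds per user over the Stop records: the 'how much did
    each user consume' figure the accounting table exists to answer."""
    totals = {}
    for rec in map(parse_attrs, records):
        if rec.get("Acct-Status-Type") != "Stop":
            continue                                  # Start/Interim rows carry no final counters
        user = totals.setdefault(rec["User-Name"], {"octets": 0, "seconds": 0})
        user["octets"] += int(rec["Acct-Input-Octets"]) + int(rec["Acct-Output-Octets"])
        user["seconds"] += int(rec["Acct-Session-Time"])
    return totals


if __name__ == "__main__":
    # Constructed session: user Anna, NAS 10.1.0.77, one hour, 1 kB in and 5 kB out.
    start = acct_start("Anna", "sess-0001", "10.1.0.77")
    stop = acct_stop("Anna", "sess-0001", "10.1.0.77", 3600, 1000, 5000)
    print(start, stop, sep="\n")
    print("sent:", send_accounting(start), send_accounting(stop))
    print("usage:", usage_per_user([start, stop]))
```

On a real deployment the NAS sends these records itself as users connect and disconnect; running them from radclient is useful to confirm the server writes the accounting rows before the NAS is in the picture.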
Re: problem with EAP-TLS
I have a Windows XP SP2 client, with winpcap 3.1 installed.
I have downloaded wpa_supplicant 0.5.0, but the executable wpasvc.exe is not recognized by the system, is it possible?
After installing winpcap, what do I have to do?
Re: NAS-IP-address == "10.1.2.0/24" allowed?
"Min Qiu" <[EMAIL PROTECTED]> writes: > I would like to restrict user login by NAS-IP-address or > fqdn if possible. Therefore I can restrict user to login > a group of devices. > > user1 Auth-Type := Local, User-Password == "sceret", >NAS-IP-address =="10.1.2.0/24" Using a regexp is just as easy when you just need to restrict it on the byte boundaries: user1 Auth-Type := Local, User-Password == "sceret", NAS-IP-address =~ "^10\.1\.2\." Hmm, the manual says that the regex operators may only be applied to string attributes. But I believe it works on IP addresses too, doesn't it? You might want to check out "huntgroups" in any case. See doc/README and the sample raddb/huntgroups file. Bjørn - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html