How to modify attribute by rlm_exec

2006-01-27 Thread roger

Dear All,

I want to set NAS-Port=100 in the proxied request packet.

In my test, if the received packet has no NAS-Port attribute, it succeeds. If it has one, it fails: the value is not modified.

Can anyone tell me how to modify an attribute with the rlm_exec module?

Regards,

Roger

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

R: R: SQL.conf new query

2006-01-27 Thread Paolo Pellicori
I have appended the query to the existing ones, but it does not work.

  postauth_mac_query = "INSERT into ${authcheck_table} (UserName,
    Attribute, op, Value) VALUES ('%{SQL-User-Name}', 'Calling-Station-Id',
    ':=', '%{Calling-Station-Id}')"

  postauth_query = "INSERT into ${postauth_table} (id, user, pass,
    reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}',
    '%{reply:Packet-Type}', NOW())"

In the startup log only the postauth_query is loaded:

 sql: group_membership_query = SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}'
 sql: connect_failure_retry_delay = 60
 sql: simul_count_query = 
 sql: simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName,
NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol
FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
 sql: postauth_table = radpostauth
 sql: postauth_query = INSERT into radpostauth (id, user, pass, reply,
date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', NOW())

It does not appear, and consequently it does not work :(

Solutions?

Regards

Sent: Thursday, 26 January 2006 18:41
To: FreeRadius users mailing list
Subject: Re: R: SQL.conf new query

 I would like to build a new query to insert
 user's MAC address into radcheck table, as users log-out (accounting-stop
 packet). 

  Just append the query to the existing ones.

  Alan DeKok.



SV: radkill and a small question about radwho

2006-01-27 Thread Torkel Mathisen
 Torkel Mathisen [EMAIL PROTECTED] wrote:
  I read about the radkill program in the FAQ. However the link doesn't
  work so I was wondering if anyone had a new link to that program?
 
   google?

Tried that. No luck. None of the links I found worked. Not the link in the
FAQ, not freshmeat.net, and that's all I found.

  Also I got a simple question about radwho. It doesn't seem to output
  the last part of the AP ip-address:
 
   Because there's only so much room in that column.

Ok. So it's normal then. Just looked a bit strange to me. Couldn't see
the whole ip-address. Guess I'll stick to radwho -r then.

Regards,
Torkel



cisco nopassword username

2006-01-27 Thread xhon

hello,

I'm working with a Cisco 3745 router, and I'm trying to move local AAA to
radius.

Local username database looks like this:
username user_a nopassword noescape
username user_a autocommand connect hostname..

In radius I did this:
user_a Auth-Type = Accept
   cisco-avpair = "shell:autocmd=connect hostname.",
   Fall-Through = 0

But it's no good.
I need the router not to ask for a password at all!
Is it possible with Cisco and freeradius?

regards
Kuba



Re: Problems System Auth with FreeRadius (/etc/shadow)

2006-01-27 Thread Nataniel Klug
Alan,

The server is running as user radiusd and group root.

Regards,

Nataniel Klug

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, January 26, 2006 8:26 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

 Nataniel Klug [EMAIL PROTECTED] wrote:
  Now you have given me a tip... At my Fedora there is no group shadow

 $ vi /etc/group

   add shadow ??

   so I put radius to run as group root so it could read /etc/shadow
  only if I set +r to group at shadow files.

   It's usually better to *not* run the server as root.

   Alan DeKok.



Re: Problems System Auth with FreeRadius (/etc/shadow)

2006-01-27 Thread Nataniel Klug
Min,

I have installed FreeRadius from an RPM. I am running FreeRadius as user
radiusd and group root.

Regards,

Nataniel Klug

- Original Message - 
From: Min Qiu [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, January 26, 2006 7:16 PM
Subject: RE: Problems System Auth with FreeRadius (/etc/shadow)

 You may have read the doc wrong.  The group you should look for is
 radiusd.  When you create user radiusd, the group radiusd
 should also be created if you use the adduser command to do the job.
 You don't want user radiusd to belong to group root.  Do
 chgrp radiusd /etc/shadow.

 Min

  -Original Message-
  From: [EMAIL PROTECTED] freeradius.org
  [mailto:freeradius-users-bounces+mqiu=globalinternetworking.co [EMAIL PROTECTED]]
  On Behalf Of Nataniel Klug
  Sent: Thursday, January 26, 2006 3:57 PM
  To: FreeRadius users mailing list
  Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

  Alan,

  Now you have given me a tip... At my Fedora there is no group
  shadow, so I put radius to run as group root so it could read
  /etc/shadow only if I set +r to group at shadow files.

  Regards,

  Nataniel Klug

  - Original Message - 
  From: Alan DeKok [EMAIL PROTECTED]
  To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
  Sent: Thursday, January 26, 2006 3:37 PM
  Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

   Nataniel Klug [EMAIL PROTECTED] wrote:
    I just have installed the package from Fedora Core 3, nothing else.

     Then look at the configuration file.  See how it's different from
   what is shipped with FreeRADIUS.

     And setting a+rw on /etc/passwd and /etc/shadow is probably the
   single worst thing you can do to your system.  EVER.  Rather than
   doing that, read raddb/radiusd.conf, it talks about issues with
   reading /etc/shadow, and describes suggested fixes that won't
   destroy your system.

     Honestly, I don't understand why it's so hard to read the
   configuration files.

     Alan DeKok.



Re: How to start a session

2006-01-27 Thread San
Hi Alan,
thanks a lot for the input.
I already have the book now. 
Santy

--- Alan DeKok [EMAIL PROTECTED] wrote:

 San [EMAIL PROTECTED] wrote:
  How can we measure the users' usage. Where should I put
  the attribute session start and how do I use the session
  stop. (what are the commands?)
 
   Buy the O'Reilly RADIUS book and read it..  The answer to your
 question is too long to post here.
 
  I'm really lost in this part. Every document that I can
  find only explains until authenticate and authorize
  between NAS and server. But after that I don't have a
  clue.
 
   Because you appear to be writing a NAS.  The documents don't tell
 you how to implement a NAS.  For that, read the RFCs and the O'Reilly
 book.
 
   Alan DeKok.



Re: AD ldap bind works with 1.01, fails with 1.04

2006-01-27 Thread Stephen Walsh

  I have no idea.  I've looked, and can't see anything that would
affect that.

  Alan DeKok.

Hi Alan

Thanks for the reply. We ended up reverting the production box to FC3 and
1.01, only to have it fail with the same error!

I've since written an ldap module for each student campus/ou, specifying it
down to the ou to search in.

ldap Canberra {
 snip
 basedn = ou=students,ou=users,ou=signadou,dc=student(etc)
 snip
}

and then added an entry for each in Authorize and Authenticate.

Why my test box with FC3/1.01 works and nothing else does is beyond me, but
this clunky option seems to work. It may be of interest to note that our
Student tree is native w2k3, while our staff tree is w2k.

I also found an entry on a forum that referred to having to change the
heuristic search value on the AD DC; I've pasted it below in the hope it
may help someone in the future with the same problem.

dmeehan at flcancer dot com
12-Aug-2004 04:26

If you're having problems running LDAP searches on the base DC against Active
Directory 2k3, you need to set dsHeuristics to 002 in Active Directory.
This allows searches to function similar to how they did in Active
Directory 2k2. You can update dsHeuristics by launching ldp.exe, go to
'connection' and create a new connection. Then go to bind and bind to your
ldap server. Next select the 'Browse' menu and choose 'modify'. The DN
*might* look like this:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mycompany,DC=com

Attribute is: dsHeuristics
Value is: 002

Set the operation to replace and you should be set.
This solves the 'Operations error' error that happens when attempting to
search without specifying an OU.

-d



Authenticating CHAP-Password to Pam (Kerberos 5 to AD)

2006-01-27 Thread Patrick Bartkus
Please tell me someone has fixed this problem.

I'm trying to authenticate an Ascend MAX dial-up server back to Windows Active Directory. I am using a local unix group for authorization. I have Pam set up on my system and it uses Kerberos 5 to authenticate to AD just fine.

But I'm getting:

auth: type PAM
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_pam: Attribute User-Password is required for authentication.  Cannot use CHAP-Password.
  modcall[authenticate]: module pam returns invalid for request 0

I did some checking and found this posting from 2003 basically saying it can't be done:

http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg19439.html

I do have other options other than the Windows Domain authentication, but I was not wanting to pursue them unless I had to.

Has this been solved or am I SOL?

Patrick


RES: VSA Problem

2006-01-27 Thread Romao Izumi Ito

Thanks Guy, it was my mistake.
I updated the dictionary and I see the correct parameters.

Romao.

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guy Davies
  Sent: Thursday, 26 January 2006 17:59
  To: FreeRadius users mailing list
  Subject: Re: VSA Problem

  Hi Romao,

  What are you using to view the packet? Many packet analysis and RADIUS check
  tools require their own dictionary (e.g. NTRadPing). If this is the case and
  you've not updated the dictionary for that tool, then that's exactly what I'd
  expect you to see.

  Rgds,

  Guy

  On 26/01/06, Romao Izumi Ito [EMAIL PROTECTED] wrote:

    Hello,

    I'm working with Nortel Network Passport and I'm trying to configure a new
    dictionary on the freeradius. In the vendor's doc we have the following VSA
    and Vendor-ID:

    VENDOR     nortel     562
    ATTRIBUTE  Passport-Command-Scope        200  integer  nortel
    ATTRIBUTE  Passport-Command-Impact       201  integer  nortel
    ATTRIBUTE  Passport-Customer-Identifier  202  integer  nortel
    ATTRIBUTE  Passport-Allowed-Access       203  integer  nortel
    ATTRIBUTE  Passport-AllowedOut-Access    204  integer  nortel
    ATTRIBUTE  Passport-Login-Directory      205  string   nortel
    ATTRIBUTE  Passport-Timeout-Protocol     206  integer  nortel
    ATTRIBUTE  Passport-Role                 207  string   nortel
    ...

    I configured the file dictionary.nortel in /etc/raddb and included it in
    the dictionary file. Also I tried it in /usr/share/freeradius/.
    I added these attributes in the users file but when I look at the radius
    packet I see:

    Vendor Specific(26), Vendor: Undefined(562)
      Unknown Type(200), Value: Unknown Value type

    What am I doing wrong?

    Thank you,

    Romao.

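An added example of Guy's point, not code from the thread or from FreeRADIUS: the same Vendor-Specific attribute bytes decode to names only when the viewing tool has the vendor's dictionary loaded; without it the tool can only print the raw vendor id and type, which is what Romao's packet viewer showed. The dictionary structure below is ours; the vendor id, attribute names and numbers are the ones from the posted dictionary.nortel.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for Vendor-Specific

# Constructed subset of the dictionary.nortel posted above (vendor-id 562);
# the names and numbers are from the thread, the dict layout is this example's.
NORTEL_DICTIONARY = {
    "name": "nortel",
    "attributes": {
        200: ("Passport-Command-Scope", "integer"),
        201: ("Passport-Command-Impact", "integer"),
        205: ("Passport-Login-Directory", "string"),
        207: ("Passport-Role", "string"),
    },
}


def encode_vsa(vendor_id: int, vendor_type: int, value, kind: str) -> bytes:
    """Build one Vendor-Specific attribute as it appears on the wire:
    Type(26) | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | value."""
    if kind == "integer":
        payload = struct.pack("!I", value)      # RADIUS integers: 32-bit big-endian
    elif kind == "string":
        payload = value.encode("utf-8")
    else:
        raise ValueError(f"unsupported kind {kind!r}")
    if len(payload) > 255 - 2 - 4 - 2:          # whole attribute length is one byte
        raise ValueError("value too long for a single VSA")
    sub_attr = bytes([vendor_type, 2 + len(payload)]) + payload
    body = struct.pack("!I", vendor_id) + sub_attr
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def decode_vsa(attr: bytes, dictionaries: dict) -> dict:
    """Decode one VSA the way a packet viewer does, using whatever vendor
    dictionaries it has loaded (vendor-id -> dictionary). With no dictionary
    for the vendor it can only report raw numbers, which is what Romao saw."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("malformed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len < 2 or 6 + vendor_len > len(attr):
        raise ValueError("vendor-length does not fit inside the attribute")
    payload = attr[8:6 + vendor_len]

    vendor = dictionaries.get(vendor_id)
    if vendor is None:
        return {"vendor": f"Undefined({vendor_id})",
                "attribute": f"Unknown Type({vendor_type})",
                "value": payload.hex()}
    name, kind = vendor["attributes"].get(
        vendor_type, (f"Unknown Type({vendor_type})", "octets"))
    if kind == "integer" and len(payload) == 4:
        value = struct.unpack("!I", payload)[0]
    elif kind == "string":
        value = payload.decode("utf-8", errors="replace")
    else:
        value = payload.hex()
    return {"vendor": vendor["name"], "attribute": name, "value": value}


if __name__ == "__main__":
    wire = encode_vsa(562, 200, 1, "integer")
    print(decode_vsa(wire, {}))                        # viewer without the Nortel dictionary
    print(decode_vsa(wire, {562: NORTEL_DICTIONARY}))  # viewer with it loaded
```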

Configuring free radius to use Active directory service

2006-01-27 Thread Stephen Walsh

 1. How to configure the freeradius 1.0.5 version, to support Active
 directory service for user authentication.
    For ldap .. we have rlm_ldap module to configure it. Same kind of
 configuration is there for ADS also ??

Sumithra;

that part is quite easy. Here's what I've just done;

ldap {
    server = "serverip"
    identity = "full LDAP path to user who will perform initial bind"
    password = "their password"
    basedn = "highest part of tree to start searching from"
    filter = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
}

authorize {
    preprocess
    suffix
    auth_log
    ldap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
}

If you're wanting to search multiple trees, that's
another matter, but that should get you started.
See my earlier post about problems with W2k3 trees and their behaviour
with searches.

VLANs I'll leave to someone who understands that
part of FR better.

Regards

Stephen Walsh
[EMAIL PROTECTED]
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133
Fax: +61 2 6209 1179
Mobile: +61 419 496796
CRICOS Registration: 4G, 00112C, 00873F, 00885B
ABN 15 050 192 660


Exec-Program

2006-01-27 Thread Priscilla B
Hi,

Hope someone can help me by giving me a more detailed
explanation about Exec-Program.

I see this in the acct_users file. 

DEFAULT Acct-Status-Type == Start
Exec-Program = "/path/to/exec/acct/start"

Do we have to make our own file for this Exec-Program
or is there already one provided in the basic package?
Or if not, can someone give me an example of this
file?

Sorry if I ask a stupid favor, since I am still a newbie
in this field.

Thanks a lot

Priscilla



RLM_LDAP INSTALL

2006-01-27 Thread Susana Macias
Hi all

I am going to install the rlm_ldap module in order to
make some easy and simple tests.

I am using:
FreeRadius 1.0.5
Solaris 9

** Which version of openldap do you recommend I
install?

** Is it necessary to install OpenSSL in order to do
simple tests (not SSL connections)?

** And Cyrus SASL?

Thanks in advance,
Susana



SV: how to set crypted password in 'users' file?

2006-01-27 Thread Torkel Mathisen
 Min Qiu [EMAIL PROTECTED] wrote:
  However, cut and paste the crypted password from /etc/shadow to 
  the entry failed:
  
    mqiu    Auth-Type := Local, User-Password == "$1$CWOjXm2v$dzjrc385t1iQXMN0"
 
   Use: Crypt-Password := $1$CWOjXm...


I'm using PEAP/MS-CHAPv2 for authentication. In the users file I only
got the login name and a clear-text password. 

I really want to start using Crypt-Password, but didn't quite get that
to work.

Do I understand correctly that you only need to take your standard unix
password from /etc/shadow and use that in users with Crypt-Password?

# more /etc/shadow
tom:jYyrl:13112::

In the users file I got:

tom Crypt-Password := "jYyrl"

I didn't get that to work.

What am I missing here?  Couldn't really find much info on it out there.

This is the debug log I got:

rad_recv: Access-Request packet from host 192.168.2.4:21654, id=120,
length=126
User-Name = tom
Framed-MTU = 1400
Called-Station-Id = 000e.8401.cd50
Calling-Station-Id = 0015.0015.adaa
Message-Authenticator = 0xca4c7181b9338edb3e176297682f33f7
EAP-Message = 0x0201000801746f6d
NAS-Port-Type = Wireless-802.11
NAS-Port = 268
Service-Type = Framed-User
NAS-IP-Address = 192.168.2.4
NAS-Identifier = AP1100-D2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 16
  modcall[authorize]: module preprocess returns ok for request 16
  modcall[authorize]: module mschap returns noop for request 16
rlm_realm: No '@' in User-Name = tom, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 16
  rlm_eap: EAP packet type response id 1 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 16
users: Matched entry tom at line 91
  modcall[authorize]: module files returns ok for request 16
modcall: group authorize returns updated for request 16
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 16
modcall: group authenticate returns handled for request 16 Sending
Access-Challenge of id 120 to 192.168.2.4:21654
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x01f769bbe79093c3c406a98a01294187
Finished request 16
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.4:21654, id=121,
length=238
User-Name = tom
Framed-MTU = 1400
Called-Station-Id = 000e.8401.cd50
Calling-Station-Id = 0015.0015.adaa
Message-Authenticator = 0xcccf1d38bc8d263feddbb303acbdcb41
EAP-Message =
0x020200661900160301005b0157030143da12d4d113043b760adb7ce542b365f5d8
806e659d5eb591e677044dd072b03000390038003500160013000a00330032002f00
66000500040065006400630062006000150012000900140011000800030100
NAS-Port-Type = Wireless-802.11
NAS-Port = 268
State = 0x01f769bbe79093c3c406a98a01294187
Service-Type = Framed-User
NAS-IP-Address = 192.168.2.4
NAS-Identifier = AP1100-D2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 17
  modcall[authorize]: module preprocess returns ok for request 17
  modcall[authorize]: module mschap returns noop for request 17
rlm_realm: No '@' in User-Name = tom, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 17
  rlm_eap: EAP packet type response id 2 length 102
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 17
users: Matched entry tom at line 91
  modcall[authorize]: module files returns ok for request 17
modcall: group authorize returns updated for request 17
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 17
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls:  TLS 1.0 Handshake [length 005b], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0654], Certificate
TLS_accept: 

Re: SV: how to set crypted password in 'users' file?

2006-01-27 Thread A . L . M . Buxey
hi,

the interesting part of the log posted is:

  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 22
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for tom with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 22
modcall: group Auth-Type returns reject for request 22
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 22
modcall: group authenticate returns reject for request 22
auth: Failed to validate the user.


this would suggest that you haven't configured the mschapv2 part correctly
or that you haven't defined a password attribute for 'tom' correctly
in your users.conf file. have you defined a Crypt-Local, e.g. (and I'm not
going to be 100% accurate here because I haven't had a setup done this way
for a long time)

USER   Auth-Type := Crypt-Local, Password == "CRYPTEDPASSWORD"


Alan



Freeradius and Subversion ???

2006-01-27 Thread Frank Reiss

Hi

I would like to set up Subversion and
TortoiseSVN to use freeradius and am wondering how to do this.
I currently have Subversion set up with apache for
authentication.

Thank You,
Frank Reiss


Re: Freeradius and Subversion ???

2006-01-27 Thread Evan Borgström
http://www.freeradius.org/mod_auth_radius/

Frank Reiss wrote:
 Hi
 
 I would like to set up Subversion and TortoiseSVN to use freeradius and am 
 wondering how to do this.
 I currently have Subversion set up with apache for authentication.
 
 Thank You,
 Frank Reiss



Re: Debian + Exec-Program = Zombie process

2006-01-27 Thread Joe Maimon

George Chelidze wrote:

 versions. Can I make some tests to narrow down the problem, or some 
 other actions.

 Best Regards,

 George

I suppose you could add some debug code to where you believe the calls 
to waitpid should be/are.

The way I read it, without threads it should be in 
src/main/radiusd.c:631 in cvs 20060124

Joe



Re: SV: how to set crypted password in 'users' file?

2006-01-27 Thread Phil Mayers

Torkel Mathisen wrote:

 Min Qiu [EMAIL PROTECTED] wrote:
  However, cut and paste the crypted password from /etc/shadow to 
  the entry failed:
  
    mqiu    Auth-Type := Local, User-Password == "$1$CWOjXm2v$dzjrc385t1iQXMN0"
  
   Use: Crypt-Password := $1$CWOjXm...

 I'm using PEAP/MS-CHAPv2 for authentication. In the users file I only
 got the login name and a clear-text password. 

 I really want to start using Crypt-Password, but didn't quite get that
 to work.

You cannot use the unix crypt password value for the MS-CHAP algorithm. 
The MS-CHAP module requires either the MD4-based NT password hash, the 
plaintext password from which it can derive the NT hash, or a callout to 
Samba domain membership.

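An added illustration of Phil's answer (example code, not from the thread or from FreeRADIUS): the NT-Password that rlm_mschap works from is MD4 over the UTF-16LE password, so it can be taken from the entry, derived from a clear-text User-Password, or not obtained at all from a crypt(3) string, which is what the "No User-Password configured. Cannot create NT-Password." lines in Torkel's log record. A pure-Python MD4 is included because hashlib builds often lack it; the users-file entries are constructed samples.

```python
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib often does not expose it."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                      # padding: a 1 bit, zeros, 64-bit LE length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for offset in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[offset:offset + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (a + func(b, c, d) + words[k] + const) & MASK32
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c   # rotate registers
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT-Password as rlm_mschap needs it: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def nt_password_for_mschap(entry: dict) -> Optional[bytes]:
    """Mirror what the debug log in this thread shows rlm_mschap doing with a
    users-file entry (constructed dict of attribute -> value): use NT-Password
    directly, derive it from a clear-text User-Password, and give up (None)
    when only a one-way Crypt-Password is present."""
    if "NT-Password" in entry:
        return bytes.fromhex(entry["NT-Password"])
    if "User-Password" in entry:
        return nt_hash(entry["User-Password"])
    # Crypt-Password is crypt(3) output (MD5-crypt, DES): a one-way function of
    # the password, so the MD4 hash that MS-CHAP needs cannot be produced from it.
    return None


if __name__ == "__main__":
    print(nt_hash("password").hex())
    print(nt_password_for_mschap({"Crypt-Password": "$1$constructed$notarealhash"}))
```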


Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)

2006-01-27 Thread Phil Mayers

Patrick Bartkus wrote:

 Please tell me someone has fixed this problem.

 I'm trying to authenticate an Ascend MAX dial-up server back to Windows 
 Active Directory.

 I am using a local unix group for authorization.

 I have Pam set up on my system and it uses Kerberos 5 to authenticate to 
 AD just fine.

 But I'm getting:
 auth: type PAM
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 0
 rlm_pam: Attribute User-Password is required for authentication.  
 Cannot use CHAP-Password.
   modcall[authenticate]: module pam returns invalid for request 0

 I did some checking and found this posting from 2003 basically saying it 
 can't be done:

 http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg19439.html

 I do have other options other than the Windows Domain authentication, 
 but I was not wanting to pursue them unless I had to.

 Has this been solved or am I SOL?

It is not a code bug. It is a fundamental feature of the algorithm. It 
*cannot* be solved. You are, as you put it, SOL.



R: R: SQL.conf new query

2006-01-27 Thread Carlo Prestopino

Thank you Alan for your reply.

As written by Paolo, we simply added a query (postauth_mac_query) to the sql.conf file that gives back the user's MAC
address:

...

    postauth_query = "INSERT into ${postauth_table} (id, user, pass,
      reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}',
      '%{reply:Packet-Type}', NOW())"

    postauth_mac_query = "INSERT into ${authcheck_table} (UserName,
      Attribute, op, Value) VALUES ('%{SQL-User-Name}', 'Calling-Station-Id',
      ':=', '%{Calling-Station-Id}')"

The query was built on the model of the postauth_query one, so no problems should arise about its syntax. In
fact, if we change the content of postauth_query with the one of postauth_mac_query,
it works fine (the MAC address is inserted into the radcheck table).

The problem is that it seems that freeRADIUS does not
recognize the newly defined query (postauth_mac_query); in fact, looking at the debug
output, we can see calls to all other queries but not to the new one.

So the question is: how do we let freeRADIUS understand when
to call each single query defined in the sql.conf file?

Any advice?

Regards,

Carlo


Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)

2006-01-27 Thread Patrick Bartkus
Phil, Thanks.

In another thread I read, you wrote:
---
The MS-CHAP module requires either the MD4-based NT password hash, the
plaintext password from which it can derive the NT hash, or a callout to
Samba domain membership.
---

Does this mean that if I set up Samba on this box, get it to be a member of the domain exchanging Domain UIDs and passwords, I could then authenticate to Samba from my MS-CHAP-speaking NAS?

BTW, for any non-native English speakers, if you want the definition of SOL, e-mail me privately and I'll explain.

Patrick

On 1/27/06, Phil Mayers [EMAIL PROTECTED] wrote:
 Patrick Bartkus wrote:
  Has this been solved or am I SOL?

 It is not a code bug. It is a fundamental feature of the algorithm. It
 *cannot* be solved. You are, as you put it, SOL.


Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)

2006-01-27 Thread Alan DeKok
Patrick Bartkus [EMAIL PROTECTED] wrote:
 I'm trying to authenticate an Ascend MAX dial-up server back to Windows
 Active Directory.

  If the Access-Request contains CHAP, it's impossible.

  CHAP requires a clear-text password, which AD doesn't supply.

  Alan DeKok.
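An added example of the point Phil and Alan make in this thread (written for this page, not code from the thread or from FreeRADIUS; the user names, password, challenge and authenticator bytes are constructed samples): CHAP puts the clear-text password into the MD5 on both the NAS and the server, so a server whose store holds only a crypt(3) hash, NT hash or Kerberos key has nothing it can recompute, which is the situation rlm_pam reports with "Cannot use CHAP-Password".

```python
import hashlib
import hmac
from typing import Optional


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """What a NAS computes for CHAP (RFC 1994): MD5(ID || secret || challenge).
    The clear-text password goes into the hash, and the verifier must repeat it."""
    return hashlib.md5(bytes([chap_id]) + password.encode("utf-8") + challenge).digest()


def nas_access_request(username: str, password: str, chap_id: int,
                       challenge: bytes, request_authenticator: bytes,
                       send_challenge_attr: bool = True) -> dict:
    """Attributes a NAS puts in the Access-Request (RFC 2865 section 5.3):
    CHAP-Password is the ID byte followed by the 16-byte response. The challenge
    travels as CHAP-Challenge; when that attribute is omitted, the 16-byte
    Request Authenticator serves as the challenge instead."""
    if not send_challenge_attr:
        challenge = request_authenticator
    request = {
        "User-Name": username,
        "CHAP-Password": bytes([chap_id]) + chap_response(chap_id, password, challenge),
        "Request-Authenticator": request_authenticator,
    }
    if send_challenge_attr:
        request["CHAP-Challenge"] = challenge
    return request


def server_verify_chap(request: dict, credential: dict) -> Optional[bool]:
    """Server side. Returns True/False when a clear-text User-Password is known
    for the user. Returns None when the store holds only a one-way derivative
    (crypt(3) hash, NT hash, Kerberos key), because the MD5 has to be recomputed
    over the clear-text password and there is nothing to compare against."""
    chap_password = request["CHAP-Password"]
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 1 id byte + 16 byte MD5 digest")
    challenge = request.get("CHAP-Challenge", request["Request-Authenticator"])
    cleartext = credential.get("User-Password")
    if cleartext is None:
        return None                       # rlm_pam's "Cannot use CHAP-Password" case
    expected = chap_response(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


if __name__ == "__main__":
    # Constructed sample values; a real NAS draws these from a CSPRNG.
    sample_challenge = bytes(range(16))
    sample_authenticator = bytes(range(16, 32))
    req = nas_access_request("patrick", "s3cret", 7, sample_challenge, sample_authenticator)
    print(server_verify_chap(req, {"User-Password": "s3cret"}))              # True
    print(server_verify_chap(req, {"Crypt-Password": "$1$constructed$xx"}))  # None
```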


Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)

2006-01-27 Thread Phil Mayers

Patrick Bartkus wrote:

 Phil,

 Thanks.

 In another thread I read, you wrote:
 ---
 The MS-CHAP module requires either the MD4-based NT password hash, the
 plaintext password from which it can derive the NT hash, or a callout to
 Samba domain membership.
 ---

 Does this mean that if I set up Samba on this box, get it to be a member 
 of the domain exchanging Domain UIDs and passwords, I could then 
 authenticate to Samba from my MS-CHAP-speaking NAS?

Yes. See the ntlm_auth option of the mschap module. You need winbind 
(and therefore Samba 3) but it's pretty trivial to set up.



Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)

2006-01-27 Thread Alan DeKok
Patrick Bartkus [EMAIL PROTECTED] wrote:
 Does this mean that if I setup Samba on this box, get it to be a member of
 the domain exchanging Domain UIDs and passwords, I could then authenticate
 to Samba from my MS-CHAP-speaking NAS?

  Possible.  If it's an NT domain.

  If it's an Active Directory domain, then no, it's still impossible.
Maybe Samba4 (when it's done) will allow this.

  Alan DeKok.



Re: R: R: SQL.conf new query

2006-01-27 Thread Alan DeKok
Carlo Prestopino [EMAIL PROTECTED] wrote:
 The problem is that it seems that freeRADIUS does not recognize the new
 defined query (postauth_mac_query) in fact, looking at debug output, we 
 can
 see calls to all other queries but not to the new one.

  The source code to the module contains the names of the queries it
looks for in the configuration file.  All other queries are ignored.

  If you want an additional query, edit the source code.

  Alan DeKok.



Re: Exec-Program

2006-01-27 Thread Alan DeKok
Priscilla B [EMAIL PROTECTED] wrote:
 Do we have to make our own file for this Exec-Program

  Yes.  It's a program, like a shell script.

 Or if not, can someone give me an example of this
 file?

  scripts/exec-program-wait

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AD ldap bind works with 1.01, fails with 1.04

2006-01-27 Thread Alan DeKok
Stephen Walsh [EMAIL PROTECTED] wrote:
 Thanks for the reply. We ended up reverting the production box to FC3 and
 1.01, only to have it fail with the same error!

  I'm not surprised.  I don't think it *ever* worked in 1.0.1.

 I also found an entry on a forum that referred to having to change the
 heuristic search value on the AD DC, I've pasted it below in the hope it
 may help someone in the future with the same problem.

  That helps a lot.  I've added it to doc/rlm_ldap.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: simultaneous-use and stateless sessions in sql

2006-01-27 Thread Alan DeKok
Seferovic Edvin [EMAIL PROTECTED] wrote:
 but what if I only have session data in SQL? 

  Write a shell script that runs SQL queries and builds the packets to
send to radclient.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: using stored procedures with freeradius

2006-01-27 Thread Lewis Bergman

Murat Mığdısoğlu wrote:

Hi all,

I'm using freeradius with sybase using freetds and unixodbc. For some
purposes, I had to use stored procedures and changed the SQL statements in
sql.conf to procedure calls like "EXEC -".

I have two questions at this point:

1) has anyone used this method before?

2) Examining my logs, I found that some sockets get an 'Invalid cursor
State' error from the unix-odbc driver in some cases and don't work
anymore. What can it be?

You should really address that on the db level. That is not a freeradius
issue.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax  325-695-6841
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: R: R: SQL.conf new query

2006-01-27 Thread Rich Marriner
Would separating the queries with a semicolon work, but keeping both 
queries under postauth_query? SQL should distinguish it as a separate 
query. I haven't tried this so I am not sure if it would work or not.


How about something like this?

postauth_query = INSERT into ${postauth_table} (id, user, pass, reply, 
date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', 
'%{reply:Packet-Type}', NOW()) ; INSERT into ${authcheck_table} 
(UserName, Attribute, op, Value) VALUES ('%{SQL-User-Name}', 
'Calling-Station-Id', ':=', '%{Calling-Station-Id}')


It seems a lot easier than changing the source code and recompiling...

Hope this helps!
Richard



Carlo Prestopino wrote:


Thank you Alan for your reply.

As written by Paolo, we simply added a query (postauth_mac_query) to the 
sql.conf file that gives back the user's MAC address:

...

...

postauth_query = INSERT into ${postauth_table} (id, user, pass,
reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', NOW())

postauth_mac_query = INSERT into ${authcheck_table} (UserName,
Attribute, op, Value) VALUES ('%{SQL-User-Name}', 'Calling-Station-Id',
':=', '%{Calling-Station-Id}')

The query was built on the model of the postauth_query one, so no 
problems should arise about its syntax. In fact, if we change the 
content of postauth_query to the one of postauth_mac_query, it works 
fine (the MAC address is inserted into the radcheck table).

The problem is that it seems that freeRADIUS does not recognize the 
newly defined query (postauth_mac_query); in fact, looking at the debug 
output, we can see calls to all other queries but not to the new one.

So the question is: how to let freeRADIUS understand when to call each 
single query defined in the sql.conf file?

Any advice?

Regards,

Carlo

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On behalf of Paolo Pellicori
Sent: Friday 27 January 2006 10.12
To: 'FreeRadius users mailing list'
Subject: R: R: SQL.conf new query

I appended the query to the existing ones, but with no result.

postauth_mac_query = INSERT into ${authcheck_table} (UserName,
Attribute, op, Value) VALUES ('%{SQL-User-Name}', 'Calling-Station-Id',
':=', '%{Calling-Station-Id}')

postauth_query = INSERT into ${postauth_table} (id, user, pass,
reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', NOW())

In the startup log only the postauth_query is loaded:

sql: group_membership_query = SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}'
sql: connect_failure_retry_delay = 60
sql: simul_count_query = 
sql: simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName,
NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol
FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
sql: postauth_table = radpostauth
sql: postauth_query = INSERT into radpostauth (id, user, pass, reply,
date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', NOW())

postauth_mac_query does not appear and consequently it does not work :(

Solutions?

Regards

Sent: Thursday 26 January 2006 18.41
To: FreeRadius users mailing list
Subject: Re: R: SQL.conf new query

 I would like to build a new query to insert
 user's MAC address into radcheck table, as users log-out (accounting-stop
 packet).

  Just append the query to the existing ones.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




--
Richard Marriner II, Sr. Network Consultant
Maingear.Net, I.T. Consulting
[EMAIL PROTECTED]
www.maingear.net

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


PEAP Machine Auth without NTLM or LDAP

2006-01-27 Thread Jérémy Cluzel

Hello,

I want to do machine auth with PEAP for my laptop before windows logon.
I managed to do it with ntlm_auth before, but this time, I've another 
problem, there is no PDC.

So, is it possible to use the users file instead like this:
computer_name User-Password == 

(As far as I remember it was impossible...)

Any suggestions ?

Regards,

Jeremy Cluzel
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: R: R: SQL.conf new query

2006-01-27 Thread Alan DeKok
Rich Marriner [EMAIL PROTECTED] wrote:
 Would separating the queries with a semicolon work, but keeping both 
 queries under postauth_query? SQL should distinguish it as a separate 
 query. I haven't tried this so I am not sure if it would work or not.

  That's what I thought I suggested earlier.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Webserver System Hanging when trying to authenticate.

2006-01-27 Thread Frank Reiss



Hi,

I have seen this problem a few times. I set up a 
Fedora Core 4 - Freeradius server with apache and when I try to log in to the 
webserver it hangs the webserver. Note in this case the web server and 
Freeradius are on the same server. But I have also seen it where the web server 
and freeradius are on two different systems and the web server hangs. I have 
gotten it to work in the past by stopping the firewall on the radius server and 
authenticating and then restarting the firewall. And everything works for some 
reason. Which really seems strange. I am running Fedora Core Linux for the web 
servers. And Redhat ES4 Linux for the radius servers. 

I am wondering if this is a known problem and what 
is the resolution to the problem. 

Frank Reiss
Impeva Labs, Inc.
Phone: 1-850-872-7099

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Capturing the inner authentication ID for Radius accounting

2006-01-27 Thread CHui
I have been looking for a way to maintain accurate wireless access and usage
information for security auditing purposes.  The problem I have is that
wireless network users may choose to provide an alternative identity by
providing an outer identity in the supplicant software, although the user
still needs a legitimate user id/password to pass the EAP-TTLS
authentication.  So far I could not find a standard way to track the user
identity via RADIUS accounting records.  I did manage to configure
FreeRADIUS to send the inner authentication user ID to the Cisco Aironet
Access Point (IOS 12.3(7)JA) using the RADIUS attribute Class (ID 25).  

For example, in my users file, the following is configured for guest access:

  DEFAULT  Hint == "guest"
           Auth-Type = sql,
           Class = "%{User-Name}",
           Session-Timeout = 3600,
           Fall-Through = No

The actual user id used in the EAP-TTLS authentication is passed to the
Cisco Aironet AP via the Class attribute.  I have observed that both the
RADIUS start and stop records sent by the Cisco Aironet AP contained the
Class attribute with the actual user's ID.  The reason I chose the Class
attribute is that it is the only attribute honored by the Aironet AP in the
Access-Accept message and also included in the RADIUS accounting sent by the
Aironet AP, according to the Cisco IOS Software Config Guide for Aironet APs.

Although it seems to work for me, I am not sure whether the use of attribute
Class for tracking user ID would interfere with other operations (like the
one attribute Class was originally designed for)?  

Also, the attribute Class is of type octets.  Does anyone know of a way to
convert it to text in SQL?  I would like to convert it to text before
writing it into the MySQL database, preferably by way of the
accounting_xx_query in the sql.conf file.

Thanks 
Cedric

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Error PROPFIND request failed on '/' Error PROPFIND of '/': 405 Method Not Allowed (http://192.168.1.75)

2006-01-27 Thread Frank Reiss



Hi

When I try to open up the repository using TortoiseSVN Checkout I receive
the following error messages:

Error PROPFIND request failed on '/'
Error PROPFIND of '/': 405 Method Not Allowed (http://192.168.1.75)

What is causing the error message, and how do I correct it?

Thank you,
Frank Reiss
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Webserver System Hanging when trying to authenticate.

2006-01-27 Thread A . L . M . Buxey
Hi,

 I have seen this problem a few times. I set up a Fedora Core 4 - Freeradius 
 server with apache and when I try to log in to the webserver it hangs the 
 webserver. Note in this case the web server and Freeradius are on the same 
 server. But I have also seen it where the web server and freeradius are on 
 two different systems and the web server hangs. I have gotten it to work in 
 the past by stopping the firewall on the radius server and authenticating and 
 then restarting the firewall. And everything works for some reason. Which 
 really seems strange. I am running Fedora Core Linux for the web servers. And 
 Redhat ES4 Linux for the radius servers. 
 
 I am wondering if this is a known problem and what is the resolution to the 
 problem. 

a quick idea is that the default firewall config is DROPing packets
rather than rejecting them - which means that if it is not configured
correctly, Apache will wait a long time while trying to authenticate
(it'll be in a stuck state) for that thread. the fact that 'stopping
the firewall, then restarting it after authentication is okay'
screams out at me that you haven't got your firewall to allow the required
ports through - eg 1812,1813 and 1814 UDP (*NOT* TCP)

Alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP Machine Auth without NTLM or LDAP

2006-01-27 Thread Phil Mayers

Jérémy Cluzel wrote:

Hello,

I want to do machine auth with PEAP for my laptop before windows logon.
I managed to do it with ntlm_auth before, but this time, I've another 
problem, there is no PDC.


If there is no PDC, there's no domain, so there *is* no machine account.

You could use a machine certificate and EAP-TLS, but limitations of the 
winxp built in supplicant mean you'd have to also use EAP-TLS for the 
users as well.



So, is it possible to use the users file instead like this:
computer_name User-Password == 

(As far as I remember it was impossible...)


It is, because there is only a machine account if there is a domain (in 
which case there is a PDC)




Any suggestions ?

Regards,

Jeremy Cluzel


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)

2006-01-27 Thread Phil Mayers

Alan DeKok wrote:

Patrick Bartkus [EMAIL PROTECTED] wrote:

Does this mean that if I setup Samba on this box, get it to be a member of
the domain exchanging Domain UIDs and passwords, I could then authenticate
to Samba from my MS-CHAP-speaking NAS?


  Possible.  If it's an NT domain.

  If it's an Active Directory domain, then no, it's still impossible.
Maybe Samba4 (when it's done) will allow this.


I'm confused - I and many people are doing MS-CHAP to an AD domain with 
samba3, winbind and the ntlm_auth helper - what are you referring to 
that doesn't work that samba4 would change?
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Capturing the inner authentication ID for Radius accounting

2006-01-27 Thread Alan DeKok
CHui [EMAIL PROTECTED] wrote:
 Although it seems to work for me, I am not sure about the use of attribute
 Class for tracking user ID would interfere with other operation (like the
 one attribute Class was originally designed for)?  

  It was designed for local sites to do whatever they wanted.  So
you're doing the right thing.

 Also, the attribute Class is of type Octet.  Does anyone know of a way to
 convert it to text in SQL?

  Edit the dictionary, and change octets to string.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
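Two of the threads above meet in a small RADIUS client: the Apache hang that a DROPing firewall causes (a UDP request with no reply and no bounded timeout), and the question of how to render the octets-typed Class attribute as text. The block below is an added example written for this page, not code from FreeRADIUS or from any of the posters. It builds an RFC 2865 Access-Request with the User-Password hiding of section 5.2, sends it with a socket timeout so that a silently dropped UDP/1812 packet surfaces as "timeout" instead of a stuck thread (an ICMP-rejected one surfaces as "refused"), verifies the Response Authenticator before trusting any reply, and renders octets attributes such as Class as text when they are printable ASCII and as 0x-hex otherwise. The host, port, shared secret, user name and password in the __main__ block are placeholders, and the packets the functions build from them are constructed test data.

```python
"""RFC 2865 Access-Request probe: bounded timeout, reply verification,
and rendering of octets attributes such as Class. Added example."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CLASS = 1, 2, 25
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator

def encode_user_password(password, secret, authenticator):
    """Hide User-Password as in RFC 2865 section 5.2: NUL-pad to a multiple
    of 16, XOR each block with MD5(secret + previous ciphertext block); the
    first block is keyed by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)

def decode_user_password(hidden, secret, authenticator):
    """Inverse of encode_user_password (server side); NUL padding stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def attribute(attr_type, value):
    """One Type-Length-Value attribute; Length counts its two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(packet):
    """Walk the TLVs after the 20-octet header, rejecting truncated ones."""
    attrs, pos = [], HEADER.size
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs

def render_octets(value):
    """Octets values such as Class: text if printable ASCII, else 0x-hex,
    a form that is safe to store in any SQL string column."""
    if value and all(0x20 <= b < 0x7F for b in value):
        return value.decode("ascii")
    return "0x" + value.hex()

def build_access_request(secret, username, password, identifier, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # must be unpredictable
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, encode_user_password(password, secret, authenticator))
    head = HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + len(attrs), authenticator)
    return head + attrs, authenticator

def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, identifier, HEADER.size + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def verify_response(packet, request_authenticator, secret):
    """A reply whose Response Authenticator does not check out is a forged
    Access-Accept or a shared-secret mismatch; it must not be acted on."""
    if len(packet) < HEADER.size:
        return False
    _code, _ident, length, resp_auth = HEADER.unpack_from(packet)
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[HEADER.size:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def probe(host, port, secret, username, password, timeout=3.0):
    """Send one Access-Request and classify the outcome. A firewall that
    DROPs UDP/1812 shows up as 'timeout' after `timeout` seconds instead of
    a hung caller; one that REJECTs it shows up as 'refused'."""
    request, authenticator = build_access_request(secret, username, password, identifier=1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, port))
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout", {}
        except ConnectionRefusedError:
            return "refused", {}
    if not verify_response(reply, authenticator, secret) or reply[1] != 1:
        return "bad-authenticator", {}
    attrs = {t: render_octets(v) for t, v in parse_attributes(reply)}
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other"), attrs

if __name__ == "__main__":
    # Placeholder target and secret (assumptions); use your own clients.conf entry.
    print(probe("127.0.0.1", 1812, b"testing123", b"bob", b"hunter2"))
```

Run against the RADIUS server from the web host: "timeout" with the firewall up and "accept"/"reject" with it down reproduces the symptom in the thread and points at the missing UDP rule, while "bad-authenticator" means the reply came back but the shared secret does not match. The Class value an Access-Accept carries is returned already rendered, which is the same decision the SQL side has to make when the accounting packet echoes it.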


Re: error if running daemon

2006-01-27 Thread masetio



 
   For now, run the server with radiusd -s, which means no threads.
 That should help.

what's the effect of running the server with radiusd -s ?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: Assertion failed in request_list.c, line 1119

2006-01-27 Thread masetio
 Both of these are if the queuing of the request failed; assertion should
 be true.

No, in the log there is just

Wed Jan 25 02:05:16 2006 : Error: Assertion failed in request_list.c, line 1119

and Freeradius crashes and goes down. I'll try to get some information by
running in debug mode, but in debug mode everything is OK. Is the process
different running in daemon mode and debug mode? Thanks..
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: R: R: SQL.conf new query

2006-01-27 Thread Rich Marriner




That is what I thought but wasn't sure, I don't think the original
poster realized this though. I was directing this mostly toward him.

Thanks!


Alan DeKok wrote:

  Rich Marriner [EMAIL PROTECTED] wrote:
 Would separating the queries with a semicolon work, but keeping both 
 queries under postauth_query? SQL should distinguish it as a separate 
 query. I haven't tried this so I am not sure if it would work or not.

  That's what I thought I suggested earlier.

  Alan DeKok.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)

2006-01-27 Thread Phil Mayers

Alan DeKok wrote:

Phil Mayers [EMAIL PROTECTED] wrote:
I'm confused - I and many people are doing MS-CHAP to an AD domain with 
samba3, winbind and the ntlm_auth helper - what are you referring to 
that doesn't work that samba4 would change?


  Yes, they're using the old-style NT4 logins.  So MS-CHAP works.


Ah I see. I had read the message differently - though the poster's 
original question (and, unhelpfully, the subject line) was about CHAP, his 
subsequent query referenced another thread and mentioned MS-CHAP.


You're right that no current software can perform CHAP against AD except 
IAS running on a domain controller against accounts with reversible 
encryption enabled (see below).




  Samba4 *may* allow pulling clear-text passwords from AD, in which
case CHAP will work, too.


Why would samba4 be any different than samba3 in that regard? I assume 
we are talking about the same thing (samba as a member server with a 
real microsoft PDC) in which case the code that would need adding 
would be an API on the windows side - AD realms (in fact NT domains all 
the way back to NT4 IIRC) can already store the password in reversibly 
encrypted plaintext to support CHAP (only via IAS and only running on 
the physical PDC) or Digest MD5 on HTTP.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)

2006-01-27 Thread Alan DeKok
Phil Mayers [EMAIL PROTECTED] wrote:
 Why would samba4 be any different than samba3 in that regard?

  Because Samba4 will be a full-fledged AD domain member.  Samba3 is a
second-class citizen of an AD domain, as it implements NT domains.

 I assume we are talking about the same thing (samba as a member
 server with a real microsoft PDC) in which case the code that
 would need adding would be an API on the windows side - AD realms
 (in fact NT domains all the way back to NT4 IIRC) can already store
 the password in reversibly encrypted plaintext to support CHAP
 (only via IAS and only running on the physical PDC) or Digest MD5 on
 HTTP.

  Yes.  And once Samba4 is a full-fledged member of an AD domain, the
other AD servers will happily replicate data to it... including the
clear-text password.  Samba4 can then expose it in the userPassword field.

  The reason IAS works is that it does super-secret magic Microsoft
calls that no one has figured out.  If Samba4 is a member of the AD
domain, it doesn't have to figure out those calls.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html