Re: reply-list fed by LDAP
Alan DeKok wrote:
> Florian Prester <[EMAIL PROTECTED]> wrote:
> > Now. this LDAP-attribute (szUsesrId) is mapped by ldap.attrmap to User-ID,
> > this Radius-attribute (User-ID) is specified as a reply-item in the
> > users-file:
>
> Does the radius client understand it? If not, there's no point in
> putting it in LDAP, the dictionary, or in the "users" file.
>
> If User-Id is something you made up for your local system, it won't
> work. Ever. Unless you've written your own RADIUS client.
>
> Alan DeKok.

Thanks for your answer, at last I figured it out too. :-)

You all do a great job - thanks to all of you

Florian Prester

--
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Martensstr. 1
91052 Erlangen
Germany
Tel.: +499131 8527813
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ms-chap authentication with client tool?
comments INLINE

Alan DeKok wrote:
> "DilipSimha.N.M" <[EMAIL PROTECTED]> wrote:
> > is there any simple tool(other than jradius) which can be used as radius
> > client and which can be used to test mschap authentication??
>
> radclient should really be updated to support MS-CHAP. It's not
> hard. And it would be easier to do that than to write another client.
>
> > if so, please give the packet contents for radius client and the users
> > file check-items.
>
> src/tests/mschapv1

as u have specified in src/tests/README , that lines with #U shud go into users file.
but in src/tests/mschapv1 u have given User-Password in clear text???
mschap has the advantage over chap, that it doesn't store passwords in clear-text in the users file. am i right

> Alan DeKok.
Re: Multiple secrets for 0.0.0.0/0
Joe Maimon <[EMAIL PROTECTED]> wrote:
> Don't know what his requirements are, but the ability to allow any client
> in the world to authenticate to my server with any one of X secrets,
> thereby allowing me to associate them to client Y as opposed to client Z
> is very useful wherever the IP address range describing the source
> of client Y and client Z might overlap.

Sure. But it's a fairly serious performance hit, and a bad idea from the security perspective.

> This allows me to have specific configurations for this client, cancel
> service to only one of the "entities" and to upgrade/change the secret
> without requiring a flag-day event.

Hmm... that sounds like it's worth doing.

The only problem is that this will really work only for packets that contain Message-Authenticator.

Alan DeKok.
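The point about Message-Authenticator, as an added example that is not part of the thread and is not FreeRADIUS code: an Access-Request can only be matched to one of several candidate secrets if it carries a value keyed by the secret, which here is the Message-Authenticator HMAC-MD5 computed over the packet with that field zeroed, and every candidate tried costs one HMAC. The client names and secrets are the sample values from the clients.conf in the original question; the packet builder and all function names are constructed for this illustration.

```python
import hashlib
import hmac
import os
import struct
from typing import NamedTuple, Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code, identifier, length, 16-byte authenticator

# Sample values from the clients.conf quoted in the original question.
CANDIDATES = {"wildcard1": b"secret1", "wildcard2": b"secret2"}


class Match(NamedTuple):
    status: str               # "matched", "no-match" or "unverifiable"
    client: Optional[str]     # shortname of the matching client, if any
    hmacs_computed: int       # cost of the trial-and-error search


def build_access_request(secret, user, ident=1, sign=True):
    """Constructed test packet: User-Name plus an optional Message-Authenticator."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user
    if sign:
        # Placeholder of 16 zero octets; it is the last attribute in the packet.
        attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    packet = header + os.urandom(16) + attrs  # random Request Authenticator
    if sign:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac
    return packet


def message_authenticator_offset(packet):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    (length,) = struct.unpack("!H", packet[2:4])
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError("bad length field")
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 octets")
            return pos + 2
        pos += attr_len
    return None


def match_client(packet, candidates):
    """Try each candidate secret against the packet's Message-Authenticator."""
    offset = message_authenticator_offset(packet)
    if offset is None:
        # Nothing in the request is keyed by the secret in a checkable way,
        # so no amount of trial and error can tell the candidates apart.
        return Match("unverifiable", None, 0)
    (length,) = struct.unpack("!H", packet[2:4])
    received = packet[offset:offset + 16]
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:length]
    tried = 0
    for name, secret in candidates.items():
        tried += 1
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if hmac.compare_digest(expected, received):
            return Match("matched", name, tried)
    return Match("no-match", None, tried)


if __name__ == "__main__":
    print(match_client(build_access_request(b"secret2", b"sz148"), CANDIDATES))
    print(match_client(build_access_request(b"secret2", b"sz148", sign=False), CANDIDATES))
```
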
Re: User groups, HELP!!!
Ok, I found in database a table called usergroups, there are users and groupnames they belong to, what are these groups then? Cuz i thought this might have been those groups i assign in huntgroups like: Group=test

How do i use huntgroups to control users from different NASes(different IP)?

For example i have 3 groups of users: test(192.168.4.23), test1(192.168.4.24), test2(192.168.4.25)

How do i assign user to this groups, and how do i control if for example user from test1 group tries to login from test2 ip, i cant let him in then. How do i do that, read tons of examples, i am tired of configuring it...
Re: Multiple secrets for 0.0.0.0/0
Alan DeKok wrote:
> Joe Maimon <[EMAIL PROTECTED]> wrote:
> > What's wrong with trial and error?
>
> Yuck.

Probably.

> It also opens the door to "any one of umpteen secrets".
>
> I would like to know what the underlying requirements are, as
> there's probably a better way of doing this.

Don't know what his requirements are, but the ability to allow any client in the world to authenticate to my server with any one of X secrets, thereby allowing me to associate them to client Y as opposed to client Z is very useful wherever the IP address range describing the source of client Y and client Z might overlap.

The ip address range in question need not actually be 0/0.

This allows me to have specific configurations for this client, cancel service to only one of the "entities" and to upgrade/change the secret without requiring a flag-day event.

> Alan DeKok.
FW:
Hello,

I have installed freeradius and get the next error

rlm_preprocess: Error reading /etc/raddb/huntgroups
radiusd.conf[971]: preprocess: Module instantiation failed.

-rw-r--r-- 1 root root 1604 jun 23 2005 /etc/raddb/huntgroups

What must I change??

Herman
Re: User groups, HELP!!!
"Vadimv82 (sent by Nabble.com)" <[EMAIL PROTECTED]> wrote:
> test NAS-IP-Address == 192.168.4.23, NAS-Port-Id == 0-7

^^^ What led you to believe that was accepted by the server?

> Group = test

Group is an attribute which looks users up in Unix groups (/etc/group). You CANNOT assign users to it.

Alan DeKok.
Re: User groups, HELP!!!
I tried to use huntgroups. Imagine i have users in group 'test', and they come from NAS Ip 192.168.4.23. I tried to put in huntgroups following:

test NAS-IP-Address == 192.168.4.23, NAS-Port-Id == 0-7
     Group = test

But if any of this users come from other IP and from Test group, he goes through!!! And doesnt work. May be i understand smth wrong.
Re: Multiple secrets for 0.0.0.0/0
Joe Maimon <[EMAIL PROTECTED]> wrote:
> Whats wrong with trial and error?

Yuck.

It also opens the door to "any one of umpteen secrets".

I would like to know what the underlying requirements are, as there's probably a better way of doing this.

Alan DeKok.
Re: Multiple secrets for 0.0.0.0/0
Alan DeKok wrote:
> Teófilo Ruiz Suárez <[EMAIL PROTECTED]> wrote:
> > I'd like to declare two different secrets for my radius server listening
> > on 0.0.0.0/0.
>
> No. It's impossible.
>
> And it makes no sense. How does the server decide which secret to
> use? Magic? Trial and error?

Whats wrong with trial and error?

> Alan DeKok.
Re: FreeRadius - setting up
Timolthy Keithy <[EMAIL PROTECTED]> wrote:
> Anyone has any info with step-by-step on how to build
> the Freeradius from scratch please share or point to
> where I can obtain those correct info, I would like to
> set it to work with PEAP, LEAP, TLS, and TTLS.

Perhaps you could explain the problems you're running into. Saying "it doesn't work" means that no one will be able to help you.

Alan Dekok.
RE: FreeRadius - setting up
Fedora Core 4 has prebuilt rpm freeradius-1.0.4.-1.FC4.1

"yum install freeradius" will do it.

Hope this will help,

Min

> -Original Message-
> From:
> [EMAIL PROTECTED]
> freeradius.org
> [mailto:freeradius-users-bounces+mqiu=globalinternetworking.co
> [EMAIL PROTECTED] On Behalf Of Timolthy Keithy
> Sent: Tuesday, January 31, 2006 4:19 PM
> To: freeradius-users@lists.freeradius.org
> Subject: FreeRadius - setting up
>
> Hi, I am trying to build the FreeRadius under Fedora
> Core 4, I found many info on how to build FreeRadius on
> the Internet, which includes freeradius.org, and I
> tried several times and different info from websites
> but still without luck.
>
> Anyone has any info with step-by-step on how to build
> the Freeradius from scratch please share or point to
> where I can obtain those correct info, I would like to
> set it to work with PEAP, LEAP, TLS, and TTLS.
>
> FreeRadius 1.x and OpenSSL, etc...
>
> Very appreciated in advance,
>
> Timolthy
Re: ms-chap authentication with client tool?
Patrick Bartkus wrote:
> You could try using the windows program NTRadPing from
> http://www.dialways.com/download/. It has a "CHAP" checkbox.

CHAP and MS-CHAP are quite different.

josh.
FreeRadius - setting up
Hi, I am trying to build the FreeRadius under Fedora Core 4, I found many info on how to build FreeRadius on the Internet, which includes freeradius.org, and I tried several times and different info from websites but still without luck.

Anyone has any info with step-by-step on how to build the Freeradius from scratch please share or point to where I can obtain those correct info, I would like to set it to work with PEAP, LEAP, TLS, and TTLS.

FreeRadius 1.x and OpenSSL, etc...

Very appreciated in advance,

Timolthy
Re: Multiple secrets for 0.0.0.0/0
On 1/31/06, Benjamin Bennett <[EMAIL PROTECTED]> wrote:
> yes, but that requires defining each client more precisely than /0. For
> example x.x.x.x/32 and y.y.y.y/32.

*oh* Ok, gotcha.. That didn't dawn on me as I specify each client individually.. Just feels more secure that way..

> His initial question seemed to imply belief that clients.conf determines
> what addresses radiusd binds to, I think that's where the
> misunderstanding is coming from.

Yep.. That sounds about right..

> --ben

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: Multiple secrets for 0.0.0.0/0
On Tue, 2006-01-31 at 14:54 -0500, Jason Frisvold wrote:
> On 1/31/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > Teófilo Ruiz Suárez <[EMAIL PROTECTED]> wrote:
> > > I'd like to declare two different secrets for my radius server listening
> > > on 0.0.0.0/0.
> >
> > And it makes no sense. How does the server decide which secret to
> > use? Magic? Trial and error?
>
> Er.. can't you assign a unique secret for each client?

yes, but that requires defining each client more precisely than /0. For example x.x.x.x/32 and y.y.y.y/32.

> Or am I misunderstanding his initial question?

His initial question seemed to imply belief that clients.conf determines what addresses radiusd binds to, I think that's where the misunderstanding is coming from.

--ben
Re: Multiple secrets for 0.0.0.0/0
Jason Frisvold <[EMAIL PROTECTED]> wrote:
> Or am I misunderstanding his initial question?

It looked to me like he was asking how to configure clients of 0.0.0.0/0, with two different shared secrets. He even gave examples of the config, which reference the "client" entry.

Alan DeKok.
Re: Multiple secrets for 0.0.0.0/0
On 1/31/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Teófilo Ruiz Suárez <[EMAIL PROTECTED]> wrote:
> > I'd like to declare two different secrets for my radius server listening
> > on 0.0.0.0/0.
>
> And it makes no sense. How does the server decide which secret to
> use? Magic? Trial and error?

Er.. can't you assign a unique secret for each client? Or am I misunderstanding his initial question?

> Alan DeKok.

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
RE: User groups, HELP!!!
Use SQL groups based on huntgroups

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vadimv82 (sent by Nabble.com)
Sent: Monday 30 January 2006 11:34
To: freeradius-users@lists.freeradius.org
Subject: User groups, HELP!!!

Hello. I run FreeRadius with MySQL. And need help with authentication groups.

Imagine i have many WiFi hot spots each with own NAS and IP. Any user can register and get a password and login, but he can only get access through certain NAS where he registered at, if he goes to another spot he cant login there with it.

So i have to create access groups by NAS IP on Radius server, how do i do that? I tried to use huntgroups, but i dont really understand how they work. And i can't put every user into 'users' conf, cuz then every time somebody registers i need to restart Radius server so it would reload 'users' conf.

How can i do that? I need to create a group once for each Hot Spot, and then user registers for access, he automatically gets a certain group status, and when he tries to login, radius server checks his NAS ip and his group, if they match, NAS gives him access to internet.

Thank u, for ur help.

Vadim.
Re: New accounting database each month
Yes. I can do that for you.
Re: Capturing the inner authentication ID for Radius
"CHui" <[EMAIL PROTECTED]> wrote:
> What should I do to get the Tunnel user name only instead of both send as
> reply attribute "Class"?

Key off of the inner session to set Class.

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
        Class = "%{User-Name}",
        ...

Alan DeKok.
Re: Multiple secrets for 0.0.0.0/0
Teófilo Ruiz Suárez <[EMAIL PROTECTED]> wrote:
> I'd like to declare two different secrets for my radius server listening
> on 0.0.0.0/0.

No. It's impossible.

And it makes no sense. How does the server decide which secret to use? Magic? Trial and error?

Alan DeKok.
Re: reply-list fed by LDAP
Florian Prester <[EMAIL PROTECTED]> wrote:
> Now. this LDAP-attribute (szUsesrId) is mapped by ldap.attrmap to User-ID,
> this Radius-attribute (User-ID) is specified as a reply-item in the
> users-file:

Does the radius client understand it? If not, there's no point in putting it in LDAP, the dictionary, or in the "users" file.

If User-Id is something you made up for your local system, it won't work. Ever. Unless you've written your own RADIUS client.

Alan DeKok.
Re: Accounting status type
Priscilla B <[EMAIL PROTECTED]> wrote:
> just short question. Where should I put the
> acct-status-type?
> is it in users file?

Huh? What are you trying to do?

Alan DeKok.
Re: ms-chap authentication with client tool?
"DilipSimha.N.M" <[EMAIL PROTECTED]> wrote:
> is there any simple tool(other than jradius) which can be used as radius
> client and which can be used to test
> mschap authentication??

radclient should really be updated to support MS-CHAP. It's not hard. And it would be easier to do that than to write another client.

> if so, please give the packet contents for radius client and the users
> file check-items.

src/tests/mschapv1

Alan DeKok.
Re: Capturing the inner authentication ID for Radius
> "CHui" <[EMAIL PROTECTED]> wrote:
> > Although it seems to work for me, I am not sure about the use of attribute
> > Class for tracking user ID would interfere with other operation (like the
> > one attribute Class was originally designed for)?
>
> It was designed for local sites to do whatever they wanted. So you're doing the right thing.
>
> > Also, the attribute Class is of type Octet. Does anyone know of a way to
> > convert it to text in SQL?
>
> Edit the dictionary, and change "octets" to "string".
>
> Alan DeKok.

Never thought of simply changing the attribute type in the dictionary file. Works great. Thanks.

I use the "use_tunneled_reply = yes" in eap.conf to capture the user name inside of the tunnel. I have observed that the Class attribute now contained both the outer identity and the user name from inside the tunnel.

From the debug output:

Sending Access-Accept of id 170 to 198.128.24.10:1645
        Class = "SomeoneElse"
        Cisco-AVPair = "ssid=CiscoTestAP"
        Session-Timeout = 60
        Class = "chui.guest"
        MS-MPPE-Recv-Key = 0x...
        MS-MPPE-Send-Key = 0x...
        EAP-Message = 0x03070004
        Message-Authenticator = 0x...
        User-Name = "SomeoneElse"
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 198.128.24.10:1646, id=112, length=262
        Acct-Session-Id = "06000204"
        Called-Station-Id = "0014.a800.44c0"
        Calling-Station-Id = "0002.2d27.05e2"
        Cisco-AVPair = "ssid= CiscoTestAP"
        Cisco-AVPair = "vlan-id=0"
        Cisco-AVPair = "nas-location=unspecified"
        User-Name = "SomeoneElse"
        Cisco-AVPair = "connect-progress=Call Up"
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "708"
        NAS-Port = 708
        Class = "SomeoneElse"
        Class = "chui.guest"
        Service-Type = Framed-User
        NAS-IP-Address = 198.128.24.10
        Acct-Delay-Time = 0

In the users file, I have the default entry as follows:

DEFAULT
        Class = "{User-Name}",
        Fall-Through = No

What should I do to get the Tunnel user name only instead of both send as reply attribute "Class"?

Thanks
Cedric
Re: Error in make freeradius_1.1.0
Hi,

> gmake[6]: Entering directory
> `/u01/data/freeradius-1.1.0/src/modules/rlm_dbm'
> /u01/data/freeradius-1.1.0/libtool --mode=link gcc rlm_dbm_parser.o
> ../../lib/li
> bradius.a -L/usr/lib -lssl -L/usr/lib -lcrypto -lnsl -lresolv -lpthread -l
> gdbm
> -o rlm_dbm_parser
> gcc rlm_dbm_parser.o -o rlm_dbm_parser
> ../../lib/libradius.a -L/usr/lib -lssl -
> lcrypto -lnsl -lresolv -lpthread /usr/lib/libgdbm.so
> ../../lib/libradius.a(radius.o)(.text+0x11): In function `make_secret':
> /u01/data/freeradius-1.1.0/src/lib/radius.c:165: undefined reference to
> `MD5Init

weird funkiness. looks like you're not picking up the local freeradius-devel/md5.h overrides (to avoid using a system libmd5). perhaps a result of the combination of options you have given the ./configure step?

alan
Re: New accounting database each month
You could create an external script. Probably will be easier than modifying the FreeRADIUS source. Keep radacct for the current table and create a script that copies that DB over to say "jan06_radacct". The script could be easily run from Cron.

Eduardo Bejar wrote:
> Hi,
>
> Is there a way to configure freeradius to create a new MySQL accounting
> database each month? (in example: jan_06_radacct, feb_06_radacct, etc).
> The database should be created the first minute of the first day of each
> month. This is required for backup/database size.
>
> Thanks!
>
> Edo

--
Richard Marriner IIMaingear.Net Sr. Network Consultant I.T. Consulting [EMAIL PROTECTED] www.maingear.net
Re: ms-chap authentication with client tool?
You could try using the windows program NTRadPing from http://www.dialways.com/download/. It has a "CHAP" checkbox.

HTH,
Patrick

On 1/31/06, Phil Mayers <[EMAIL PROTECTED]> wrote:
> DilipSimha.N.M wrote:
> > hi,
> >
> > is there any simple tool(other than jradius) which can be used as radius
> > client and which can be used to test
> > mschap authentication??
> > if so, please give the packet contents for radius client and the users
> > file check-items.
>
> 1. run FreeRadius in debugging mode
> 2. perform a successful MS-CHAP authentication with a "real" client
> 3. copy the following info from the FreeRadius debugging output:
>
>    User-Name = "user"
>    MS-CHAP-Challenge = 0xBYTES
>    MS-CHAP2-Response = 0xBYTES
>
> 4. with that info, create a file containing a radius request:
>
>    Service-Type = Framed-User
>    Framed-Protocol = PPP
>    User-Name = "user"
>    MS-CHAP-Challenge = 0xBYTES
>    MS-CHAP2-Response = 0xBYTES
>    Calling-Station-Id = "something"
>    NAS-IP-Address = 192.168.1.2
>    NAS-Port = 1
>
> 5. run the command "radclient -s -f $FILE $HOST auth $SECRET"
>
> The radius server will authenticate that request every time. Since the
> challenge from a real NAS is essentially random there is only a low (but
> not zero) risk in having the info in a file.
>
> You may need to edit your users file to disable things such as IP
> address pool assignment or such, but it will basically work fine. Such
> editing is dependent on your local configuration.
Error in make freeradius_1.1.0
Good day. I succesfully installed Freeradius_1.0.4 on Red Hat Enterprise Linux ES release 3 (Taroon Update 3) Kernel 2.4.21-20.ELsmp on an i686 It is work good. Now i want to install Freeradius_1.1.0 on the same server and got an error when do "make" My configure (the same was for Freeradius_1.0.4): ./configure --with-snmp \ --disable-rlm-perl \ --with-pam \ --with-rlm-pam \ --with-experimental-modules \ --with-oracle-home-dir=/u01/app/oracle/product/10.1.0/ \ --with-oracle-lib-dir=/u01/app/oracle/product/10.1.0/rdbms/demo/ \ --with-oracle-include-dir=/u01/app/oracle/product/10.1.0/rdbms/demo/ \ --with-openssl-includes=/usr/include/openssl \ --with-openssl-libraries=/usr/lib And the RESULTS of make #make ... ... gmake[6]: Entering directory `/u01/data/freeradius-1.1.0/src/modules/rlm_dbm' /u01/data/freeradius-1.1.0/libtool --mode=link gcc rlm_dbm_parser.o ../../lib/li bradius.a -L/usr/lib -lssl -L/usr/lib -lcrypto -lnsl -lresolv -lpthread -l gdbm -o rlm_dbm_parser gcc rlm_dbm_parser.o -o rlm_dbm_parser ../../lib/libradius.a -L/usr/lib -lssl - lcrypto -lnsl -lresolv -lpthread /usr/lib/libgdbm.so ../../lib/libradius.a(radius.o)(.text+0x11): In function `make_secret': /u01/data/freeradius-1.1.0/src/lib/radius.c:165: undefined reference to `MD5Init ' ../../lib/libradius.a(radius.o)(.text+0x1f):/u01/data/freeradius-1.1.0/src/l ib/r adius.c:166: undefined reference to `MD5Update' ../../lib/libradius.a(radius.o)(.text+0x3c):/u01/data/freeradius-1.1.0/src/l ib/r adius.c:167: undefined reference to `MD5Update' ../../lib/libradius.a(radius.o)(.text+0x47):/u01/data/freeradius-1.1.0/src/l ib/r adius.c:168: undefined reference to `MD5Final' ../../lib/libradius.a(radius.o)(.text+0xd6): In function `make_passwd': /u01/data/freeradius-1.1.0/src/lib/radius.c:204: undefined reference to `MD5Init ' ../../lib/libradius.a(radius.o)(.text+0xf1):/u01/data/freeradius-1.1.0/src/l ib/r adius.c:205: undefined reference to `MD5Update' 
../../lib/libradius.a(radius.o)(.text+0x115):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:211: undefined reference to `MD5Update' ../../lib/libradius.a(radius.o)(.text+0x153):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:216: undefined reference to `MD5Update' ../../lib/libradius.a(radius.o)(.text+0x169):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:221: undefined reference to `MD5Final' ../../lib/libradius.a(radius.o)(.text+0x2b8): In function `make_tunnel_passwd': /u01/data/freeradius-1.1.0/src/lib/radius.c:293: undefined reference to `MD5Init ' ../../lib/libradius.a(radius.o)(.text+0x2d8):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:294: undefined reference to `MD5Update' ../../lib/libradius.a(radius.o)(.text+0x2f7):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:297: undefined reference to `MD5Update' ../../lib/libradius.a(radius.o)(.text+0x30e):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:298: undefined reference to `MD5Update' ../../lib/libradius.a(radius.o)(.text+0x34c):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:303: undefined reference to `MD5Update' ../../lib/libradius.a(radius.o)(.text+0x362):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:308: undefined reference to `MD5Final' ../../lib/libradius.a(radius.o)(.text+0x9af): In function `rad_sign': /u01/data/freeradius-1.1.0/src/lib/radius.c:819: undefined reference to `MD5Init ' ../../lib/libradius.a(radius.o)(.text+0x9c4):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:820: undefined reference to `MD5Update' ../../lib/libradius.a(radius.o)(.text+0x9e7):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:821: undefined reference to `MD5Update' ../../lib/libradius.a(radius.o)(.text+0x9f9):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:822: undefined reference to `MD5Final' ../../lib/libradius.a(radius.o)(.text+0xccd): In function `calc_acctdigest': /u01/data/freeradius-1.1.0/src/lib/radius.c:954: undefined reference to `MD5Init ' ../../lib/libradius.a(radius.o)(.text+0xcdf):/u01/data/freeradius-1.1.0/src/ lib/ 
radius.c:955: undefined reference to `MD5Update' ../../lib/libradius.a(radius.o)(.text+0xcfc):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:956: undefined reference to `MD5Update' ../../lib/libradius.a(radius.o)(.text+0xd08):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:957: undefined reference to `MD5Final' ../../lib/libradius.a(radius.o)(.text+0xd79): In function `calc_replydigest': /u01/data/freeradius-1.1.0/src/lib/radius.c:993: undefined reference to `MD5Init ' ../../lib/libradius.a(radius.o)(.text+0xd8b):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:994: undefined reference to `MD5Update' ../../lib/libradius.a(radius.o)(.text+0xda5):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:995: undefined reference to `MD5Update' ../../lib/libradius.a(radius.o)(.text+0xdb1):/u01/data/freeradius-1.1.0/src/ lib/ radius.c:996: undefined reference to `MD5Final' ../../lib/libradius.a(hmac.o)(.text+0x86): In function `lrad_hmac_md5': /u01/data/freeradius-1.1.0/src/lib/hmac.c:93: undefined reference to `MD5Init' ../../lib/libradius.a(
New accounting database each month
Hi,

Is there a way to configure freeradius to create a new MySQL accounting database each month? (in example: jan_06_radacct, feb_06_radacct, etc). The database should be created the first minute of the first day of each month. This is required for backup/database size.

Thanks!

Edo
Stop current session.
How to disconnect on SNMP current session on NAS if the user it is authorized and to be on-line.

I think it is possible to make

1. To use rlm_perl and in parameter accounting will specify a script which to disconnect on snmp session.

Whether and there are still variants?
Multiple secrets for 0.0.0.0/0
Hi.

I'd like to declare two different secrets for my radius server listening on 0.0.0.0/0. But if I declare two networks in the clients.conf file, like this:

client 0.0.0.0/0 {
        secret = secret1
        shortname = wildcard1
        nastype = other
}

client 0.0.0.0/0 {
        secret = secret2
        shortname = wildcard2
        nastype = other
}

The only secret that works is "secret2". Can I have two secrets for the same "network"? even when it's the 0.0.0.0/0 one?

Regards,

--
Teófilo Ruiz
FON - http://es.fon.com
Re: rlm_perl
Check out http://www.activestate.com/

They have a couple of products that do what you want.

Laker

--- Chris Knipe <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Is there any way to get rlm_perl to work with binary
> code, instead of
> source? I currently have a perl script executing
> via rlm_perl that does
> some fancy stuff in authentication and accounting.
>
> Due to popular demand, I now have 3rd parties
> interested in this code, but I
> don't feel it is secure enough to provide these
> vendors with the open source
> perl code.
>
> I don't believe I can accomplish with rlm_exec what
> I do in rlm_perl, so I'm
> kinda hoping that someone would have a solution here
> for me that would allow
> rlm_perl (or a similar module perhaps), to execute
> compiled code.
>
> Hope I make sense, and that someone can shed some
> light and pointers for me.
>
> Thanks,
> Chris.
R: R: R: SQL.conf new query
I’ve tried to insert a semicolon after the first query, but it didn’t work, so I’m trying to modify the source code.

If I correctly understood, I have to modify the file rlm_sql, creating an entry also for the new defined query (e.g. mac_auth_query). May I use as sample postauth_query?

Could you please give me some indication on how this file needs to be modified and if it is the only one that I need to change?

Best regards,
Carlo
Re: ms-chap authentication with client tool?
DilipSimha.N.M wrote:
> hi,
>
> is there any simple tool(other than jradius) which can be used as radius
> client and which can be used to test mschap authentication??
> if so, please give the packet contents for radius client and the users
> file check-items.

1. run FreeRadius in debugging mode
2. perform a successful MS-CHAP authentication with a "real" client
3. copy the following info from the FreeRadius debugging output:

   User-Name = "user"
   MS-CHAP-Challenge = 0xBYTES
   MS-CHAP2-Response = 0xBYTES

4. with that info, create a file containing a radius request:

   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = "user"
   MS-CHAP-Challenge = 0xBYTES
   MS-CHAP2-Response = 0xBYTES
   Calling-Station-Id = "something"
   NAS-IP-Address = 192.168.1.2
   NAS-Port = 1

5. run the command "radclient -s -f $FILE $HOST auth $SECRET"

The radius server will authenticate that request every time. Since the challenge from a real NAS is essentially random there is only a low (but not zero) risk in having the info in a file.

You may need to edit your users file to disable things such as IP address pool assignment or such, but it will basically work fine. Such editing is dependent on your local configuration.
reply-list fed by LDAP
Hello,

I use freeradius 1.05 with LDAP. Now I do not use the RADIUS-LDAP-Schemata, because I think I do not need it; all the required information is provided by the schema I use (I think :-) ). Within the schema I have an attribute szUserId which I want to return to the client.

Now, this LDAP attribute (szUserId) is mapped by ldap.attrmap to User-ID, and this RADIUS attribute (User-ID) is specified as a reply-item in the users file:

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        User-ID = 576,
        Fall-Through = Yes

But it does not get sent to the client. Now my question: WHY? Do I have to define the RADIUS attribute User-ID in the dictionary file? If I do so, radiusd complains this attribute is a check-item and no reply-item!?

My log:

Tue Jan 31 12:22:12 2006 : Debug: Processing the authorize section of radiusd.conf
Tue Jan 31 12:22:12 2006 : Debug: modcall: entering group authorize for request 0
Tue Jan 31 12:22:12 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Tue Jan 31 12:22:12 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Tue Jan 31 12:22:12 2006 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Tue Jan 31 12:22:12 2006 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Tue Jan 31 12:22:12 2006 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Tue Jan 31 12:22:12 2006 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Tue Jan 31 12:22:12 2006 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Tue Jan 31 12:22:12 2006 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Tue Jan 31 12:22:12 2006 : Debug: modcall[authorize]: module "mschap" returns noop for request 0
Tue Jan 31 12:22:12 2006 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Tue Jan 31 12:22:12 2006 : Debug: rlm_realm: No '@' in User-Name = "sz148", looking up realm NULL
Tue Jan 31 12:22:12 2006 : Debug: rlm_realm: No such realm "NULL"
Tue Jan 31 12:22:12 2006 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Tue Jan 31 12:22:12 2006 : Debug: modcall[authorize]: module "suffix" returns noop for request 0
Tue Jan 31 12:22:12 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Tue Jan 31 12:22:12 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Tue Jan 31 12:22:12 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Tue Jan 31 12:22:12 2006 : Debug: modcall[authorize]: module "eap" returns noop for request 0
Tue Jan 31 12:22:12 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Tue Jan 31 12:22:12 2006 : Debug: users: Matched entry DEFAULT at line 43
Tue Jan 31 12:22:12 2006 : Debug: users: Matched entry DEFAULT at line 50
Tue Jan 31 12:22:12 2006 : Debug: users: Matched entry DEFAULT at line 53
Tue Jan 31 12:22:12 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Tue Jan 31 12:22:12 2006 : Debug: modcall[authorize]: module "files" returns ok for request 0
Tue Jan 31 12:22:12 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: - authorize
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: performing user authorization for sz148
Tue Jan 31 12:22:12 2006 : Debug: radius_xlat: '(&(objectClass=szUser) (Userid=sz148))'
Tue Jan 31 12:22:12 2006 : Debug: radius_xlat: 'ou=AAAuser,o=Domain ,c=DE'
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: (re)connect to xxx.xxx.xxx.xxx:400, authentication 0
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: bind as cn=user,ou=allro,ou=AAAdsadm,o=doamin,c=DE/xxx to xxx.xxx.xxx.xxx:400
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: waiting for bind result ... request 1 done
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: Bind was successful
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: performing search in ou=AAAuser,o=domain,c=DE, with filter (&(objectClass=szUser) (Userid=sz148)) request 2 done
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: checking if remote access for sz148 is allowed by uid
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: looking for check items in directory...
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: Adding unixPassword as Crypt-Password, value op=21
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: Adding szVpnPassword as NT-Password, value op=21
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: looking for reply items in directory...
Tue Jan 31 12:22:12 2006 : Debug: rlm_ldap: Adding szIpAddres
Accounting status type
Hi,

just a short question. Where should I put the acct-status-type? Is it in the users file?

Many thanks
Priscilla
ms-chap authentication with client tool?
Hi,

is there any simple tool (other than jradius) which can be used as a radius client and which can be used to test mschap authentication? If so, please give the packet contents for the radius client and the users file check-items.

--DilipSimha
Re: why encryption schemes for pap
Hi,

> why are encryption schemes for pap required?
>
> it is supposed to be clear-text under all circumstances right???
>
> we can see in radiusd.conf..
> # PAP module to authenticate users based on their stored password
^^^

Do you want to store the users' passwords in plain text? Many people don't - thus, you can store them in crypt, md5 or sha1 forms instead within plain text files, database tables, or even unix passwd files.

alan
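An added example, not part of the original post and not FreeRADIUS code: it shows why a PAP request can be checked against an md5 or sha1 stored form, while a CHAP response (RFC 1994) can only be recomputed from the cleartext password. The function names, the hex encoding of the stored digests and the sample password are assumptions made for the illustration; crypt is left out only to stay within the standard library.

```python
import hashlib
import hmac


def store_password(cleartext: str, scheme: str) -> str:
    """Value kept in the users file or database for the given scheme."""
    if scheme == "clear":
        return cleartext
    if scheme in ("md5", "sha1"):
        # Assumption: the digest is stored as lowercase hex.
        return hashlib.new(scheme, cleartext.encode()).hexdigest()
    raise ValueError(f"unsupported scheme: {scheme}")


def pap_verify(submitted: str, stored: str, scheme: str) -> bool:
    """PAP: the server recovers the submitted password itself, so it can
    apply the same one-way transform and compare with the stored value."""
    candidate = store_password(submitted, scheme)
    return hmac.compare_digest(candidate.encode(), stored.encode())


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def chap_verify(chap_id: int, challenge: bytes, response: bytes, stored: str) -> bool:
    """CHAP: the server never sees the password, so it must recompute the
    response from whatever it has stored."""
    expected = chap_response(chap_id, stored.encode(), challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "example-pass"                 # constructed sample value
    chap_id, challenge = 1, bytes(range(16))  # constructed, fixed for repeatability
    response = chap_response(chap_id, password.encode(), challenge)
    results = {}
    for scheme in ("clear", "md5", "sha1"):
        stored = store_password(password, scheme)
        results[scheme] = (
            pap_verify(password, stored, scheme),
            chap_verify(chap_id, challenge, response, stored),
        )
    return results


if __name__ == "__main__":
    for scheme, (pap_ok, chap_ok) in demo().items():
        print(f"{scheme:5}  PAP={pap_ok}  CHAP={chap_ok}")
```

Each result pair is (PAP verified, CHAP verified) for the same correct password under the given storage scheme.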
Re: rlm_perl
On Monday 30 January 2006 19:06, Chris Knipe wrote:
> Guess I could also use compiled libraries or something...

You can write a module for Perl written in the XS language; see man perlxs.

--
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002