R: using scripts for sql.conf

2006-02-15 Thread Carlo Prestopino
Hi Hashim, please look at
http://lists.freeradius.org/pipermail/freeradius-devel/2006-February/009440.html

I've done it simply by adding a call to a function defined in the database (MySQL)
to an existing query.

Regards

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Cisco aaa authorization network

2006-02-15 Thread Stefan Winter
Hello,

while migrating a NAS (Cisco AS5300) from TACACS+ to RADIUS I stumbled over 
some peculiarities of the equipment.
When configuring with
aaa authentication network default group radius
aaa authorization network default group radius

and having a user logging in with PPP, it seems that the NAS expects some of 
the Cisco-AVPairs, but I don't exactly know what to send him. Since I send 
the wrong things, I'm in the situation that authentication succeeds 
(Access-Accept), but subsequent authorization fails. I know this is slightly 
off-topic for the list, sorry, but I'm really at the end of my knowledge 
here, maybe someone has a clue.
The old TACACS+ config was

group = DialupUser {
    maxsess = 2
    service = ppp protocol = ip {}
    service = ppp protocol = multilink {}
}

which I thought I could convert into the following entry in the users file

DEFAULT NAS-IP-Address == 158.64.2.6
        Framed-Protocol := PPP,
        Cisco-AVPair += "ppp:protocol=ip",
        Cisco-AVPair += "ppp:protocol=multilink"

but either that was not sufficient and I need more Cisco-AVPairs or it's plain 
wrong (the attributes get sent alright, it's just not what the NAS likes). 
Instead of "ppp:" I also tried "lcp:" "ipcp:" and "network:". None of this 
impresses the AS5300, and turning on debugging didn't reveal what he would 
expect instead.
Can someone help out?

Greetings,

Stefan Winter 

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Tagged VSA

2006-02-15 Thread Klier, Martin
We are using tagged VSAs (i.e. SIP-From). I think this isn't standard.

Without the has_tag entry behind the attribute in question in the dictionary file, I see in debug mode:

SIP-From = "\001sip:[EMAIL PROTECTED]:5060"
SIP-From = "\002sip:[EMAIL PROTECTED]:5060"

With the "has_tag" entry:

SIP-From:1 = "sip:[EMAIL PROTECTED]:5060"
SIP-From:2 = "sip:[EMAIL PROTECTED]:5060"

Is it possible to write the two tagged attributes (with has_tag entry) into a MySQL database at all?
If it is, what does the variable ( %{SIP-From} ) in sql.conf have to look like?

Used version 1.0.2-5

regards,
Martin

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
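For reference on what the debug output above shows: the `\001` and `\002` in the first pair of lines are the one-octet tag that RFC 2868 places in front of a tagged string value, and `has_tag` is what makes FreeRADIUS strip it and display `SIP-From:1` / `SIP-From:2` instead. The following Python is an added example, not code from the original post or from FreeRADIUS; it decodes and re-encodes that wire form, with the attribute name and SIP URIs taken as placeholders.

```python
# Added example: RFC 2868 tag handling for tagged string attributes such as
# the SIP-From VSA in the debug output above. Not FreeRADIUS code.
from typing import Optional, Tuple

TAG_MIN, TAG_MAX = 0x01, 0x1F  # RFC 2868: valid tags are 0x01..0x1F


def split_tag(raw: bytes) -> Tuple[Optional[int], bytes]:
    """Split a tagged string value into (tag, value).

    RFC 2868 section 3.3: the first octet is a tag if it lies in
    0x01..0x1F; an octet above 0x1F is the first byte of the string
    itself and the attribute carries no tag. A 0x00 first octet is
    treated as "no tag" as well.
    """
    if raw and TAG_MIN <= raw[0] <= TAG_MAX:
        return raw[0], raw[1:]
    return None, raw


def join_tag(tag: Optional[int], value: bytes) -> bytes:
    """Inverse of split_tag: prepend the tag octet to the value."""
    if tag is None:
        return value
    if not TAG_MIN <= tag <= TAG_MAX:
        raise ValueError(f"tag {tag} outside RFC 2868 range 1..31")
    return bytes([tag]) + value


def to_freeradius_name(attr: str, raw: bytes) -> Tuple[str, str]:
    """Render a tagged value the way FreeRADIUS does with has_tag:
    ("SIP-From:1", "sip:...") rather than ("SIP-From", "\\001sip:...")."""
    tag, value = split_tag(raw)
    name = attr if tag is None else f"{attr}:{tag}"
    return name, value.decode("utf-8", errors="replace")


def from_freeradius_name(name: str, value: str) -> Tuple[str, bytes]:
    """Parse "SIP-From:2" back into the attribute name and the wire bytes,
    which is the form you would want when reading Attribute/Value rows
    out of a database table."""
    attr, sep, tag_str = name.partition(":")
    tag = int(tag_str) if sep else None
    return attr, join_tag(tag, value.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values mirroring the debug lines above.
    for raw in (b"\x01sip:alice@example.net:5060",
                b"\x02sip:bob@example.net:5060",
                b"sip:untagged@example.net:5060"):
        print(to_freeradius_name("SIP-From", raw))
```

The `SIP-From:1` / `SIP-From:2` strings that `to_freeradius_name` produces are the same form a database Attribute column would carry, so the two functions round-trip between the wire bytes and the stored row.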

how to disconnect user after quota given to him finishes ?

2006-02-15 Thread Rupesh Amatya
Dear all,
I am using FreeRADIUS (with MySQL as the database for users) with
Mikrotik as NAS. This is for PPPoE users. I used Dialup Admin to manage
FreeRADIUS.

There is a default package of 4 hours/day but the users do not get
disconnected after 4 hours. It just shows "Out of Quota". What needs
to be done to automatically disconnect a user after the daily quota is
finished?


Hope to get help .

Thanking  you
Rupesh

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how to disconnect user after quota given to him finishes ?

2006-02-15 Thread Lewis Bergman

Rupesh Amatya wrote:

> Dear all,
> I am using FreeRADIUS (with MySQL as the database for users) with
> Mikrotik as NAS. This is for PPPoE users. I used Dialup Admin to manage
> FreeRADIUS.
>
> There is a default package of 4 hours/day but the users do not get
> disconnected after 4 hours. It just shows "Out of Quota". What needs
> to be done to automatically disconnect a user after the daily quota is
> finished?

There are a few session attributes you could use for this. Session-Timeout is
the first one that springs to mind. I don't know if the client will pay
attention to it though.


--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax  325-695-6841
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
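One way to act on Lewis's suggestion, as an added example that is not part of either post: compute how much of the 4-hour daily allowance is left from the day's accounting records and send that as Session-Timeout in the Access-Accept, so a NAS that honours the attribute tears the session down at the quota boundary, and reject when nothing is left. It assumes per-session start/stop times are available from a table shaped like radacct (the field names, sample sessions and user names below are constructed) and that the Mikrotik honours Session-Timeout, which is the open question in the reply above.

```python
# Added example: turn a daily time quota into a Session-Timeout reply so
# the NAS itself ends the PPPoE session when the allowance runs out.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

DAILY_QUOTA = 4 * 3600  # 4 hours/day, the package from the original question


@dataclass
class Session:
    """One accounting row, modelled loosely on radacct (assumed layout).
    stop is None for a session that is still open."""
    username: str
    start: datetime
    stop: Optional[datetime]


def _midnight(now: datetime) -> datetime:
    return now.replace(hour=0, minute=0, second=0, microsecond=0)


def seconds_used_today(sessions: List[Session], user: str, now: datetime) -> int:
    """Sum the seconds the user has consumed since local midnight.
    A session that began before midnight counts only the part after it;
    an open session counts up to 'now'."""
    midnight = _midnight(now)
    used = 0
    for s in sessions:
        if s.username != user:
            continue
        start = max(s.start, midnight)
        stop = s.stop if s.stop is not None else now
        if stop > start:
            used += int((stop - start).total_seconds())
    return used


def authorize(sessions: List[Session], user: str, now: datetime,
              quota: int = DAILY_QUOTA) -> Tuple[str, Dict[str, object]]:
    """Decide the reply for an Access-Request from 'user'.

    Out of quota -> Access-Reject. Otherwise Access-Accept with
    Session-Timeout = remaining seconds, additionally capped at the time
    left until midnight so a session never carries today's leftover into
    tomorrow's allowance (the user reconnects and the quota has reset)."""
    remaining = quota - seconds_used_today(sessions, user, now)
    if remaining <= 0:
        return "Access-Reject", {"Reply-Message": "Out of quota"}
    until_midnight = int((_midnight(now) + timedelta(days=1) - now).total_seconds())
    return "Access-Accept", {"Session-Timeout": min(remaining, until_midnight)}


def sample_now() -> datetime:
    return datetime(2006, 2, 15, 14, 0, 0)


def sample_sessions() -> List[Session]:
    """Constructed accounting rows for two PPPoE users (not real data)."""
    return [
        Session("alice", datetime(2006, 2, 15, 8, 0), datetime(2006, 2, 15, 10, 30)),
        # Began yesterday; only the 30 minutes after midnight count for today.
        Session("alice", datetime(2006, 2, 14, 23, 0), datetime(2006, 2, 15, 0, 30)),
        Session("bob", datetime(2006, 2, 15, 7, 0), datetime(2006, 2, 15, 12, 0)),
    ]


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, authorize(sample_sessions(), user, sample_now()))
```

With the sample data alice has used 3 hours today and gets a Session-Timeout of 3600, bob has used 5 hours and is rejected, and an unknown user gets the full 14400 seconds.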


Re: Tagged VSA

2006-02-15 Thread Nicolas Baradakis
Klier, Martin wrote:

> SIP-From:1 = "sip:[EMAIL PROTECTED]:5060"
> SIP-From:2 = "sip:[EMAIL PROTECTED]:5060"
>
> Is it possible, to write the the two tagged attributes (with has_tag
> entry) in a mysql- database at all ?
> If it is, how the variable ( %{SIP-From} ) in the sql.conf has to look like
> Used version 1.0.2-5

I think it should work with FreeRADIUS 1.1.0.

In the MySQL database:

Attribute   op  Value

SIP-From:1  :=  sip:[EMAIL PROTECTED]:5060
SIP-From:2  :=  sip:[EMAIL PROTECTED]:5060

-- 
Nicolas Baradakis

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


PAP credentials against AD?

2006-02-15 Thread Josh Howlett
Is it possible to authenticate PAP credentials from the NAS against a 
Windows domain using NTLM? I've tried using the mschap module, but it 
expects to see a Challenge that the NAS doesn't provide.


thanks, josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PAP credentials against AD?

2006-02-15 Thread Stefan Winter
Hi Josh,

nice to see you also on this list  :-)

> Is it possible to authenticate PAP credentials from the NAS against a
> Windows domain using NTLM? I've tried using the mschap module, but it
> expects to see a Challenge that the NAS doesn't provide.

If you want to authenticate against AD and have PAP credentials available, 
just treat the AD server like an LDAP server, i.e.: the ldap {} section is 
for you. It will use the credentials to bind as the user to AD, and if that 
succeeds the user is allowed in.

Greetings,

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PAP credentials against AD?

2006-02-15 Thread Josh Howlett

Hi Stefan,

We probably need a freeradius-eduroam list :-)

>> Is it possible to authenticate PAP credentials from the NAS against a
>> Windows domain using NTLM? I've tried using the mschap module, but it
>> expects to see a Challenge that the NAS doesn't provide.
>
> If you want to authenticate against AD and have PAP credentials available,
> just treat the AD server like an LDAP server, i.e.: the ldap {} section is
> for you. It will use the credentials to bind as the user to AD, and if that
> succeeds the user is allowed in.


I didn't realise that AD allowed authenticated binds from users by 
default. Does it require some special tweaking? Our AD admins are *very* 
cautious about who talks to it... (probably very sensible).


best regards, josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PAP credentials against AD?

2006-02-15 Thread Guy Davies
Hi Josh,

So long as the user is a valid user, it can be used to do the bind,
AFAIK.  I used to do this at the office.  Our AD Admins created a
special account with a non-expiring password but no other special
privileges to authenticate the search/bind and that worked fine.

We used to use EAP-TTLS/PAP for wireless login.  We also used the GINA
module in the 802.1x supplicant we had to authenticate prior to
completion of windows login so that login scripts worked properly too
:-)

Rgds,

Guy

On 15/02/06, Josh Howlett <[EMAIL PROTECTED]> wrote:
> Hi Stefan,
>
> We probably need a freeradius-eduroam list :-)
>
> >>Is it possible to authenticate PAP credentials from the NAS against a
> >>Windows domain using NTLM? I've tried using the mschap module, but it
> >>expects to see a Challenge that the NAS doesn't provide.
> >
> >
> > If you want to authenticate against AD and have PAP credentials available,
> > just treat the AD server like an LDAP server, i.e.: the ldap {} section is
> > for you. It will use the credentials to bind as the user to AD, and if that
> > succeeds the user is allowed in.
>
> I didn't realise that AD allowed authenticated binds from users by
> default. Does it require some special tweaking? Our AD admins are *very*
> cautious about who talks to it... (probably very sensible).
>
> best regards, josh.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


silently drop packet (access-request)

2006-02-15 Thread Andriy Gapon
Alan DeKok wrote:
> 
[snip]
>   So long as you're following the GPL, it's your business.
[snip]
> 
>   If you want to control the server, you have source.  You can edit it
> yourself.
> 
>   The issue appears to be that you want the server to do something
> special in your site, and you also want to force those patches back to
> FreeRADIUS.  That's a problem.
[snip]
>   We'll accept patches that make sense, and which are useful to a wide
> audience.  If the patches you send in are useful only to you, then
> they probably won't go in.

Alan,

thank you for the answers. This is a very reasonable approach. I'll try
to do some work/coding now and then I'll get back here to continue
arguments about what is useful to general FreeRADIUS audience and what
is my whim :-)

Thanks again!

-- 
Andriy Gapon
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Allowing Access based on Group Membership

2006-02-15 Thread Jay Lee
After a bit of effort I have managed to get Wireless with WPA encryption
working with FreeRadius and an eDirectory LDAP Backend (using Universal
password).  My last task is to allow Wireless authentication only to
members of a given LDAP Group.  I seem to be having some issues though. 
Here is my ldap config in /etc/raddb/radiusd.conf:

ldap {
server = "ldap.pbu.edu"
identity = "cn=admin,o=PBU"
password = "password"
basedn = "o=PBU"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
start_tls = yes
tls_cacertfile  = /etc/raddb/certs/rootder.b64
access_attr = "cn"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = nspmPassword
edir_account_policy_check=yes
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
}

If I empty out /etc/raddb/users completely, authentication works.  If I
put the following in users:

DEFAULT LDAP-Group == "Wireless", Auth-Type := Accept
  Fall-Through = No
DEFAULT Auth-Type := Reject

and start freeradius with "radiusd -X -A" I get:

rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'o=PBU'
radius_xlat:  '(uid=jlee)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PBU, with filter (uid=jlee)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(|(&(objectClass=GroupOfNames)(member=cn=jlee,o=PBU))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=jlee,o=PBU)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PBU, with filter (&(cn=Wireless)(|(&(objectClass=GroupOfNames)(member=cn=jlee,o=PBU))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=jlee,o=PBU
rlm_ldap::ldap_groupcmp: User found in group Wireless
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 1
  modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jlee
radius_xlat:  '(uid=jlee)'
radius_xlat:  'o=PBU'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PBU, with filter (uid=jlee)
rlm_ldap: checking if remote access for jlee is allowed by cn
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jlee authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 1
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[post-auth]: module "ldap" returns ok for request 1
modcall: group post-auth returns ok for request 1
Sending Access-Accept of id 194 to 10.1.1.44:32769
Finished request 1

However, the wireless client never quite seems to finish associating.  Any
ideas what I'm doing wrong here?  What should the users file look like to
allow anyone who is a member of the Wireless LDAP group and deny everyone
else?

Jay Lee
-- 
Jay Lee
Network / Systems Administrator
Information Technology Dept.
Philadelphia Biblical University
--
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: (no subject)

2006-02-15 Thread Herman Swensson
I have changed this
Result:

 tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "SecretKeyPass77"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
20988:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
20988:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:438:
20988:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:
20988:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:707:
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1902] Unknown module "eap".
radiusd.conf[1849] Failed to parse authenticate section.

Greeting,

Herman

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On behalf of Phil Mayers
Sent: Tuesday, 14 February 2006 20:51
To: FreeRadius users mailing list
Subject: Re: (no subject)

Herman Swensson wrote:
>  tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
>  tls: certificate_file = "(null)"
> 

Note this, then:

> 
> rlm_eap_tls: Loading the certificate file as a chain
> 
> 20360:error:0200100E:system library:fopen:Bad 
> address:bss_file.c:259:fopen('','r')

Set "certificate_file" in "eap.conf" correctly. It's empty, so it's failing.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
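A note on reading that trace, added here and not part of the thread: the `no start line ... Expecting: CERTIFICATE` error is OpenSSL reaching the end of the file while collecting chain certificates, but the `EVP_DecryptFinal:bad decrypt` / `PEM_do_header:bad decrypt` pair means it could not decrypt the private key with the configured `private_key_password`, so the passphrase and the key in `cert-srv.pem` do not match (`openssl rsa -in cert-srv.pem -noout` confirms this by prompting for the passphrase and failing the same way). The Python below is an added example, not from FreeRADIUS or the thread, that inventories the PEM blocks in the files named in `eap.conf` and flags a missing certificate or a password/encryption mismatch before radiusd is started. The PEM text in it is constructed with placeholder base64, and the checks encode what the `tls {}` options need as an assumption about rlm_eap_tls, not a quotation of its code.

```python
# Added example: inventory the PEM blocks in the certificate and key files
# that eap.conf's tls {} section points at, before radiusd tries to load them.
import re
from dataclasses import dataclass
from typing import Dict, List

_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


@dataclass
class PemBlock:
    label: str       # e.g. "CERTIFICATE", "RSA PRIVATE KEY"
    encrypted: bool  # passphrase-protected key (legacy headers or PKCS#8 label)
    dek_info: str    # cipher named in a legacy "DEK-Info:" header, "" if none


def _legacy_headers(body: str) -> Dict[str, str]:
    """Parse the RFC 1421-style headers ("Proc-Type", "DEK-Info") OpenSSL
    writes in front of a legacy encrypted key, separated from the base64
    payload by one blank line. An unencrypted body has none."""
    head, sep, _payload = body.partition("\n\n")
    if not sep:
        return {}
    headers: Dict[str, str] = {}
    for line in head.splitlines():
        key, colon, value = line.partition(":")
        if colon:
            headers[key.strip()] = value.strip()
    return headers


def scan_pem(text: str) -> List[PemBlock]:
    """Return one PemBlock per BEGIN/END pair, in file order."""
    text = text.replace("\r\n", "\n")
    blocks: List[PemBlock] = []
    for m in _BLOCK_RE.finditer(text):
        label = m.group("label")
        headers = _legacy_headers(m.group("body"))
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or headers.get("Proc-Type", "").endswith("ENCRYPTED"))
        blocks.append(PemBlock(label, encrypted, headers.get("DEK-Info", "")))
    return blocks


def check_tls_files(cert_pem: str, key_pem: str, have_password: bool) -> List[str]:
    """Sanity-check a certificate_file / private_key_file pair: the
    certificate file must carry at least one CERTIFICATE block, the key
    file exactly one private key, and a private_key_password is needed
    exactly when that key is encrypted (assumed requirements of the tls {}
    section). Returns the problems found; empty means the files look usable."""
    problems: List[str] = []
    if not any(b.label == "CERTIFICATE" for b in scan_pem(cert_pem)):
        problems.append("certificate_file: no CERTIFICATE block found")
    keys = [b for b in scan_pem(key_pem) if b.label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"private_key_file: expected one private key, found {len(keys)}")
    elif keys[0].encrypted and not have_password:
        problems.append("private_key_file: key is encrypted but private_key_password is unset")
    elif not keys[0].encrypted and have_password:
        problems.append("private_key_file: key is not encrypted; private_key_password is not needed")
    return problems


# Constructed sample: a certificate plus a legacy-encrypted RSA key in one
# file, the layout of FreeRADIUS's demo cert-srv.pem. Base64 is a placeholder.
SAMPLE_CERT_AND_KEY = """-----BEGIN CERTIFICATE-----
MIIBszCCAVwCAQEwDQYJKoZIhvcNAQEEBQAw
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIICXAIBAAKBgQC7placeholder
-----END RSA PRIVATE KEY-----
"""

SAMPLE_PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC7placeholder
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for b in scan_pem(SAMPLE_CERT_AND_KEY):
        print(b)
    print(check_tls_files(SAMPLE_CERT_AND_KEY, SAMPLE_CERT_AND_KEY, have_password=True))
```

Point it at the real files by reading them into `cert_pem` and `key_pem`; it cannot tell whether the passphrase is right (that needs OpenSSL), but it does catch the two configuration mistakes in this thread, an empty or certificate-less `certificate_file` and a password set for a key that is not encrypted, or missing for one that is.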


Multiple LDAP Search Bases - Per NAS

2006-02-15 Thread Ben Plimpton
Hello all

Is it possible to setup FreeRadius so that requests coming from a
certain NAS will use a different search base than the default?

For example:

We have an ou=radius,dc=test,dc=com and we stick dsl users records in
there.  These user records have attributes that would be dsl specific
like static IP addressing.  We would like to be able to provide users
with a backup dialup in case anything goes really wrong with our dsl
service.  

Could we configure FreeRadius to look in a different ou, say
ou=dialup,ou=radius,dc=test,dc=com, when it received an authentication
request from the dialup NASes?

Is this possible? 

We have also considered running two instances of FreeRadius, one on the
higher ports and one on the lower, and then pointing the DSL customers
to one and the dialup to another, but I would like to avoid this if
there is a cleaner solution that I am not aware of.

Our FreeRadius server is running Fedora Core 4 and FreeRadius 1.0.4
OpenLDAP is our LDAP backend.

Thanks for any replies.

-- 
"Microsoft is not the answer, it's the question.  NO is the answer."

Ben Plimpton
Network Engineer
[EMAIL PROTECTED]
970-963-SURF(7873) ext 5174
www.sopris.com
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Allowing Access based on Group Membership

2006-02-15 Thread Alan DeKok
"Jay Lee" <[EMAIL PROTECTED]> wrote:
> My last task is to allow Wireless authentication only to
> members of a given LDAP Group.

  ... i.e. to reject wireless for everyone else.

> If I empty out /etc/raddb/users completely, authentication works.  If I
> put the following in users:
> 
> DEFAULT LDAP-Group == "Wireless", Auth-Type := Accept

  Then people in the wireless group don't have their passwords checked.

> DEFAULT Auth-Type := Reject

  And everyone else gets rejected.

> However, the wireless client never quite seems to finish associating.  Any
> ideas what I'm doing wrong here?  What should the users file look like to
> allow anyone who is a member of the Wireless LDAP group and deny everyone
> else?

DEFAULT LDAP-Group != "Wireless", Auth-Type := Reject

  That rejects everyone who isn't in wireless.  As for the wireless
people, their passwords should be checked using the normal process.
You shouldn't have to do anything special there.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Cisco aaa authorization network

2006-02-15 Thread Alan DeKok
Stefan Winter <[EMAIL PROTECTED]> wrote:
> while migrating a NAS (Cisco AS5300) from TACACS+ to RADIUS I stumbled over 
> some peculiarities of the equipment.
...

  The real solution, of course, is to update FreeRADIUS to use
Tacacs+, too.

  But that may take a while.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


pam_radius and Cisco ACS

2006-02-15 Thread Tom
I have been tasked with having all non windows devices on our network
to authenticate against our Active Directory, which is the reason we
are using Cisco ACS.  ACS currently authenticates for all cisco
devices against our AD, via the external windows database option.  I
am now trying to get pam_radius to do the same with ACS's radius.

I have compiled pam_radius and it appears to be working as intended,
however Cisco ACS reports "External DB User Invalid or bad password"
anytime I try to use the same credentials that properly authenticate
with ACS's tacacs on a linux or freebsd server.  The username shows up
properly on the ACS server, so I am assuming that the NAS is sending
the proper username, but it appears that the password is not being
sent correctly.  I know the ACS server is trying to authenticate
against AD because after so many tries the account gets locked out.

Has anyone been able to accomplish what I am trying to do here?  Any
suggestions besides "lose ACS" to get this to work?  Is there
something I can pass to the pam_radius module to have it transmit the
password the way the ACS server is expecting to see it?

I appreciate any help or suggestions anyone can provide in advance.

Thank you,

Tom

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pam_radius and Cisco ACS

2006-02-15 Thread Alan DeKok
Tom <[EMAIL PROTECTED]> wrote:
> I have compiled pam_radius and it appears to be working as intended,
> however Cisco ACS reports "External DB User Invalid or bad password"
> anytime I try to use the same credentials that properly authenticate
> with ACS's tacacs on a linux or freebsd server.  The username shows up
> properly on the ACS server, so I am assuming that the NAS is sending
> the proper username, but it appears that the password is not being
> sent correctly.  I know the ACS server is trying to authenticate
> against AD because after so many tries the account get's locked out.

  Is it a shared secret problem?

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multiple LDAP Search Bases - Per NAS

2006-02-15 Thread Dusty Doris
Ben Plimpton wrote:

> Could we configure FreeRadius to look in a different ou, say
> ou=dialup,ou=radius,dc=test,dc=com, when it received an authentication
> request from the dialup NASes?

Try with huntgroups.

huntgroups file:

dialup  NAS-IP-Address == 1.1.1.1
dialup  NAS-IP-Address == 1.1.1.2

adsl    NAS-IP-Address == 1.1.1.3


Then in your ldap section

basedn = "ou=%{Huntgroup-Name},ou=radius,dc=test,dc=com"


I think that should work, I'd give it a shot with radiusd -X to see.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: (Cannot assign requested address) bind() failed

2006-02-15 Thread tommy garsia
Hi Sean,

The problem is already solved... it was just by unhashing the tun network in the chilli conf... what a shame on me... thanks... By the way, what about the user's usage limiting?? :D

regards,

Sean <[EMAIL PROTECTED]> wrote:

> On Mon, 2006-02-13 at 12:08 +0100, [EMAIL PROTECTED] wrote:
> > Re: (Cannot assign requested address) bind() failed
>
> Hi Tommy,
>
> If you are using DD-WRT you might be making a common mistake. It won't
> accept a Web name for re-direction. You have to use an IP address. EG
> 123.123.123.123/hotspotlogin.cgi/ It is also vital to put a / at the end
> of the address. I've written a tutorial that might help you at
> http://swarmhotspots.com/faq.html and I also provide free FreeRadius
> testing for Chillispot at http://swarmhotspots.com/Chilli-Test-Area
>
> Regards,
> Sean Bracken
> http://swarmhotspots.com
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius 1.1.0 and rlm_ldap

2006-02-15 Thread Mark Martinec
From futhwo on Thu, 02 Feb 2006:

> ... All worked fine until I upgraded FreeRADIUS from 1.0.5 to 1.1.0.
> From there on I cannot authenticate because the Auth-Type attribute is no
> longer set to LDAP by the ldap module during the authorize section.
> ...
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> ...
> So if the Auth-Type LDAP is no longer defined, how can I perform authentication
> against a LDAP server?

I noticed the same symptoms after upgrading 1.0.5 to 1.1.0.
Somehow the Auth-Type no longer had a value that would match
the Auth-Type LDAP {...} entry in the authenticate section,
even though the rlm_ldap successfully completed authorization.

The ChangeLog didn't mention incompatibilities, the debug log with -X
wasn't helpful, the bug database turned up nothing, and the mailing list
archive turned up futhwo's similar problem report with no replies.

Digging in the rlm_ldap source and adding some debug printouts
revealed that the Auth-Type wasn't left undefined as the debug
message led me to believe, but its value became the name
of an LDAP instance (I'm using two LDAP servers in a redundant
radius group), which did not match the name of the
Auth-Type LDAP {} authenticate section.

In my case the solution was to replace the:

authenticate {
  ...
  Auth-Type LDAP {...}

with:

authenticate {
  ...
  Auth-Type ldap-instance1 { ldap-instance1 }
  Auth-Type ldap-instance2 { ldap-instance2 }

I would guess that futhwo's problem has a similar solution,
perhaps replacing Auth-Type LDAP with Auth-Type ldap
or giving a name to an instance and using that in the authenticate section.

It would be helpful to document explicitly what comments in rlm_ldap.c
indicate:
 * Module should default to LDAP authentication if no Auth-Type
 * specified.  Note that we do this ONLY if configured, AND we
 * set the Auth-Type to our module name, which allows multiple
 * ldap instances to work.

It wouldn't hurt if the inst->set_auth_type = 0
were accompanied by a debug log entry,
and if the pairadd in:

    if (inst->set_auth_type &&
        (pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) &&
        request->password &&
        (request->password->attribute == PW_USER_PASSWORD))
        pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ));

would also log the inst->xlat_name.
But above all, please document incompatibilities between versions.

  Mark




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pam_radius and Cisco ACS

2006-02-15 Thread Tom
No, the shared secret is correct, otherwise the ACS would show that as
being the error and wouldn't be trying to authenticate the user
against the windows AD.  I thought this might have been the issue
until I purposely used the wrong secret and there were different
errors.

On 2/15/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Tom <[EMAIL PROTECTED]> wrote:
> > I have compiled pam_radius and it appears to be working as intended,
> > however Cisco ACS reports "External DB User Invalid or bad password"
> > anytime I try to use the same credentials that properly authenticate
> > with ACS's tacacs on a linux or freebsd server.  The username shows up
> > properly on the ACS server, so I am assuming that the NAS is sending
> > the proper username, but it appears that the password is not being
> > sent correctly.  I know the ACS server is trying to authenticate
> > against AD because after so many tries the account gets locked out.
>
>   Is it a shared secret problem?
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


--
Thomas Jones Jr.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pam_radius and Cisco ACS

2006-02-15 Thread Alan DeKok
Tom <[EMAIL PROTECTED]> wrote:
> No, the shared secret is correct, otherwise the ACS would show that as
> being the error

  RADIUS doesn't work like that.

  If there's no Message-Authenticator in the packet (and pam_radius
doesn't send one), then the server can't tell that the secret is
wrong.  It can guess, (e.g. the messages FreeRADIUS produces), but it
has no way of knowing for sure.

> I thought this might have been the issue until I purposely used the
> wrong secret and there were different error's.

  If ACS can decode the password properly, then the shared secret is
correct, and it *should* authenticate the user.

  If the shared secret is incorrect, then it will decode the password
to random nonsense, and authentication will fail.

  RADIUS is really that simple.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
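Alan's point follows from how RFC 2865 hides User-Password: the password is XORed with MD5(shared secret + Request Authenticator), so decoding with the wrong secret cannot fail, it just produces other bytes, and the backend (here AD via ACS) sees a wrong password and eventually locks the account. Only a Message-Authenticator (RFC 3579: HMAC-MD5 over the packet keyed with the secret) lets the server notice a secret mismatch. The following Python is an added example, not from the thread, pam_radius or ACS, that builds an Access-Request with and without Message-Authenticator and shows what a server with the right and with the wrong secret concludes from each; the secret, password, user name and fixed Request Authenticator are constructed values.

```python
# Added example: RFC 2865 User-Password hiding, and why a wrong shared secret
# shows up as a bad password unless a Message-Authenticator is present.
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16 (at least 16), then XOR
    each block with MD5(secret + previous ciphertext block); the first block
    uses the 16-byte Request Authenticator in place of a previous block."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(1, (len(password) + 15) // 16) * 16, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. No integrity check exists here: any secret
    'succeeds' and merely yields different bytes. Trailing NUL padding is
    stripped, so a password that itself ends in NUL is ambiguous."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, digest))
    return bytes(out).rstrip(b"\x00")


def _attr(t: int, v: bytes) -> bytes:
    return struct.pack("!BB", t, len(v) + 2) + v


def build_access_request(pkt_id: int, user: str, password: str, secret: bytes,
                         authenticator: bytes, with_msg_auth: bool) -> bytes:
    """Serialize an Access-Request. With with_msg_auth, follow RFC 3579 3.2:
    append a zeroed Message-Authenticator, HMAC-MD5 the whole packet under
    the shared secret, and write the MAC into that (last) attribute."""
    attrs = _attr(ATTR_USER_NAME, user.encode()) + _attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    if with_msg_auth:
        attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + authenticator + attrs
    if with_msg_auth:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def server_view(pkt: bytes, secret: bytes) -> Dict[str, object]:
    """What a server concludes under its own copy of the secret: the decoded
    User-Password, and whether Message-Authenticator verifies (None when the
    NAS did not send one, which is pam_radius's case)."""
    _code, _pkt_id, length = struct.unpack("!BBH", pkt[:4])
    authenticator = pkt[4:20]
    attrs: Dict[int, Tuple[int, bytes]] = {}
    pos = 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs[t] = (pos, pkt[pos + 2:pos + l])
        pos += l
    verified: Optional[bool] = None
    if ATTR_MESSAGE_AUTHENTICATOR in attrs:
        off, received = attrs[ATTR_MESSAGE_AUTHENTICATOR]
        zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
        verified = hmac.compare_digest(received, hmac.new(secret, zeroed, hashlib.md5).digest())
    return {"user": attrs[ATTR_USER_NAME][1].decode(),
            "password": reveal_password(attrs[ATTR_USER_PASSWORD][1], secret, authenticator),
            "message_authenticator": verified}


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed scenario: the NAS uses secret b'right'; the server is tried
    with the same secret and with b'wrong'. The fixed authenticator stands in
    for the random one a real NAS generates per request."""
    auth, password = bytes(range(16)), "S3cret!"
    plain = build_access_request(1, "tom", password, b"right", auth, with_msg_auth=False)
    signed = build_access_request(2, "tom", password, b"right", auth, with_msg_auth=True)
    return {"plain_right": server_view(plain, b"right"),    # decodes correctly
            "plain_wrong": server_view(plain, b"wrong"),    # garbage: looks like a bad password
            "signed_right": server_view(signed, b"right"),  # MAC verifies
            "signed_wrong": server_view(signed, b"wrong")}  # MAC fails: mismatch is visible


if __name__ == "__main__":
    for name, view in demo().items():
        print(name, view)
```

Compare the `password` field of `plain_wrong` with `plain_right`: the server has no way to tell the first is a secret mismatch rather than a user typo, which is exactly why ACS reports "bad password" and AD counts a failed attempt.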


flat file user

2006-02-15 Thread Priscilla B
Hi everyone,

I have a question: has anyone of you used a flat file for the user database? If so, can we use some script to update the content? If so, do you have some examples?

For example, if I limited user A to use only 4 hours, and after he uses 2 hours and logs out, I want to update the detail file, so user A's data will become only 2 hours now. I know we can do that with SQL and others, but how about a flat file?

Need a light here.

Thanks a lot,
Priscilla
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html