RE: free realm

2006-02-20 Thread Bart van Daal
thanks! 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Dusty Doris
Sent: maandag 20 februari 2006 6:27
To: FreeRadius users mailing list
Subject: Re: free realm

> I'm looking for a solution to add a 'free' realm to my conf.
> The object is to always send an access-accept if freeradius receives a
> request from a NAS with username e.g. 'free/nonexistinguser/password'
>
> Is this possible with freeradius?
>
> thanks and have a nice week-end,
> Bart

Sure.  Read the users manpage (man 5 users) and the comments in the users
file.  Here are some hints.

DEFAULT Realm == somerealm, Auth-Type := Accept

or

DEFAULT User-Name =~ [EMAIL PROTECTED]@somedomain$, Auth-Type := Accept

or

someusername Auth-Type := Accept

etc...

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
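
The hints in the reply above differ in how many users they accept without a password. The following is an added example, not part of the original thread: an audit that lists every users-file entry setting Auth-Type := Accept and how widely it matches. The function name, the scope labels and the sample file are constructed for illustration, and the parser assumes check items sit on the unindented first line of each entry.

```python
import re

# Constructed sample in FreeRADIUS "users" file syntax (not taken from the thread).
SAMPLE_USERS = """\
# guest access entries
DEFAULT Realm == "free", Auth-Type := Accept
    Reply-Message = "guest access"

DEFAULT User-Name =~ "@somedomain$", Auth-Type := Accept

kiosk   Auth-Type := Accept

alice   User-Password == "constructed-password"
    Framed-Protocol = PPP

DEFAULT Auth-Type := Accept
"""

# One check item: attribute, operator, value (quoted string or bare word).
ITEM = re.compile(
    r'([\w-]+)\s*(:=|==|=~|!~|!=|\+=|<=|>=|=|<|>)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)'
)
# Operators that compare against the request and so narrow who matches.
COMPARE = {"==", "=~", "!~", "!=", "<", ">", "<=", ">="}


def audit_users(text):
    """Return (line_no, entry, scope, conditions) for every entry whose
    check line sets Auth-Type := Accept, i.e. accepts without a password."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        # Skip blanks, comments and indented reply-item lines.
        if not line.strip() or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        name = parts[0]
        items = ITEM.findall(parts[1]) if len(parts) == 2 else []
        if not any(a.lower() == "auth-type" and op == ":="
                   and v.strip('"').lower() == "accept" for a, op, v in items):
            continue
        conditions = [f"{a} {op} {v}" for a, op, v in items
                      if a.lower() != "auth-type" and op in COMPARE]
        if name != "DEFAULT":
            scope = "single-user"      # one named account
        elif conditions:
            scope = "conditional"      # DEFAULT narrowed by realm, regex, ...
        else:
            scope = "everyone"         # DEFAULT with nothing narrowing it
        findings.append((line_no, name, scope, conditions))
    return findings


if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS):
        print(finding)
```

An "everyone" finding means any request reaching that entry is accepted, so it is the one to review first.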


Re: Managing connection on Freeradius

2006-02-20 Thread Nataniel Klug
Alan,

I am using version freeradius-1.0.1-1. I will try to update this software.

Att,

Nataniel Klug

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sunday, February 19, 2006 3:06 PM
Subject: Re: Managing connection on Freeradius


> Nataniel Klug [EMAIL PROTECTED] wrote:
> > [EMAIL PROTECTED] ~]# radzap -d /etc/raddb -p 1813 -r 127.0.0.1 '' nataniel
> > Sun Feb 19 09:02:13 2006 : Info: Starting - reading configuration files
> ...
>
>   Upgrade to 1.1.0.  The version you're using doesn't work.
>
>   Alan DeKok.


RE: Thanks Alan

2006-02-20 Thread Shane Hart
Or buy the coders a beer :-) 

-----Original Message-----
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
dius.org] On Behalf Of Sean
Sent: Tuesday, 14 February 2006 5:13 AM
To: freeradius-users@lists.freeradius.org
Subject: Thanks Alan

On Mon, 2006-02-13 at 19:58 +0100, [EMAIL PROTECTED] wrote:
> Phil Mayers [EMAIL PROTECTED] wrote:
> > Alan, in case anyone hasn't said it recently - you do an excellent job
> > maintaining this project under difficult conditions. You have my and I
> > suspect many other people's sincere gratitude, and I can only hope it's
> > as rewarding for you as it is helpful for us.
>
>   Thanks.
>
>   FreeRADIUS is being used as part of the core product in at least 3
> startups I know of, and possibly as many as 5.  It's at the point now
> where it's getting me more professional attention than my other work
> activities.
>
>   Alan DeKok.

Alan, I'd like to add my thanks also. FreeRadius is at the core of
swarmhotspots.com and I'm amazed at the help and support that is
available from you and the open source community. 

The best way to show your appreciation is to contribute something back.

Regards,

Sean

http://swarmhotspots.com


Log file format

2006-02-20 Thread Walter Reynolds


We have some tools that currently run some statistics on the radius 
accounting file.  Well, we currently use a different radius server.  With 
that in mind the log format is different.  Is there a way to modify the 
format of the accounting log format?




-- Walter Reynolds
   University of Michigan


LDAP iplanet

2006-02-20 Thread Rafael Roldán
Hi all,

Has someone used FreeRadius with an iplanet LDAP server?

Thanks a lot



cisco pptp+mppe problems on ios 12.3T and later

2006-02-20 Thread jakobp

hi,

maybe one of the cisco users here on the list can help me.

I want to run dialin vpdn on a cisco 1712, using pptp tunnels with mppe 
encryption and authenticate against freeradius 1.1.0


The strange thing is, my setup used to work just fine, until i tried to 
upgrade IOS from 12.2 to 12.3T or 12.4. in both trains (> 12.2) mppe 
suddenly fails to work. a normal, unencrypted pptp works.


debug shows that cisco gets a radius reply with ms-chap mppe attributes, 
but seems to miss/misunderstand something. debug mppe says:

MPPE: keying material missing from radius

the relevant parts of my cisco config:

aaa authentication login vpnauth group radius
aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
aaa authorization network vpnauth group radius

vpdn enable
vpdn multihop
vpdn source-ip 217.196.69.198
vpdn logging
vpdn logging user
vpdn logging tunnel-drop
vpdn session-limit 10
vpdn search-order multihop-hostname

vpdn-group pptp
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 lcp renegotiation on-mismatch

interface Virtual-Template1
 ip unnumbered FastEthernet0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool vpnpool
 compress mppc
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2
 ppp eap refuse callin

radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxx
radius-server authorization default Framed-Protocol ppp
radius-server vsa send accounting
radius-server vsa send authentication


... and from radiusd.conf:
mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = no
        require_strong = no
}


i already tried to find information or to change some of the config 
settings, but no luck :(


thanks in advance,
jakob


Bug #86?

2006-02-20 Thread Stefan Winter
Hi,

it seems like bug #86 didn't make it into 1.1. Any chance of seeing this 
somewhen in the 1.1 branch?
I'd work on it myself, but the path Alan describes in the bug comment sounds 
somewhat like spanish to me (and the patch I provided in #203 seems not clean 
enough, even to myself in retrospective) :-)

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Migration. Please Help

2006-02-20 Thread Marta Lajas
Hi all,

Sorry for the stupid question but I don't have any C/Unix knowledge.

We have a FreeRadius Server running in a machine. It is using a custom module (in order to authenticate to an ldap server) developed two years ago called rlm_ldap2.

Now I am going to install FreeRadius in another machine and I want to use that custom module. Is it necessary to install OpenLdap before? or is it enough to copy my rlm_ldap2.so in the directory with the other rlm_* libraries compiled during the FreeRadius installation?

Thank you very much

Regards,
Marta

Re: Using multiple auth methods, ports

2006-02-20 Thread Geoff Silver

Hi Dusty,

Yeah, I had considered running two radiusd instances, actually, but it 
felt less than ideal.  Part of the problem is that our radius 
infrastructure is spread across two dozen servers around the world, and 
multiple radiusd's give us more moving parts (two /etc/raddb configs, 
two sets of users files, two daemons to worry about, etc).  We have some 
tools to manage distribution of configs, users files, etc, but as-is 
they would probably require significant changes.  Hopefully I can make 
freeradius do what I want... if not, I may end up taking your advice 
;-)  Thanks.


Dusty Doris wrote:
>> the request, which doesn't help me).  The only thing the NAS can do that is
>> helpful is send cert auth requests to a different UDP port than regular
>> auth requests.
>
> Perhaps there are new features that can take care of this for you in
> one place, but if not, you can just run two radiusd instances.  One
> for oldschool and one for cert.
>
> For example, say your raddb dir is in /etc/raddb now.
>
> You would create two subdirs of that directory
>
> mkdir /etc/raddb/oldschool
> mkdir /etc/raddb/cert
>
> and perhaps for logging separately as well
>
> mkdir /var/log/radius/oldschool
> mkdir /var/log/radius/cert
>
> cp all the files from raddb to the two directories.
>
> Modify the top of radiusd.conf to point to the new directories for
> raddbdir, confdir, logdir, etc..  Modify the listen or port arguments
> to make one listen on 1645 and the other on 1812.
>
> Then modify the rest of it, such as the users file, to do what you
> want for each separate instance.
>
> Then modify your startup script to fire off two instances using the -d
> option, and make sure you get both instances as well on stop/restarts.
>
> eg:
>
> /pathto/radiusd -d /etc/raddb/oldschool
> /pathto/radiusd -d /etc/raddb/cert
>
> That will give you two separate instances.  One will be configured to
> only handle oldschool logins and the other to only handle certs.  It
> will be another port/process you'll have to monitor, but it should
> give you what you want.





Re: Log file format

2006-02-20 Thread Alan DeKok
Walter Reynolds [EMAIL PROTECTED] wrote:
> We have some tools that currently run some statistics on the radius
> accounting file.  Well, we currently use a different radius server.  With
> that in mind the log format is different.  Is there a way to modify the
> format of the accounting log format?

  Which accounting log?  The detail file?  That's pretty much
unchanged since the original Livingston format 13 years ago.

  Could you be more specific, and say what should be changed, and to
what it should be changed?

  Alan DeKok.



Re: Bug #86?

2006-02-20 Thread Alan DeKok
Stefan Winter [EMAIL PROTECTED] wrote:
> it seems like bug #86 didn't make it into 1.1. Any chance of seeing this
> somewhen in the 1.1 branch?

  I don't see it as critical.

  You can always add a client 169.254.x.y, or 127.0.0.2, which will
never show up in any IP packets.  That will let the server start.

  And editing the config files is easier to do than changing the
server source.

  Alan DeKok.



Re: Stale sessions problem

2006-02-20 Thread Georgi Alexandrov
On 2/17/06, Georgi Alexandrov [EMAIL PROTECTED] wrote:
> Hello,
>
> I'm running freeradius 1.1.0 + mysql + dialupadmin on a linux 2.6 box
> with a pppoe-server running on the same machine as nas.
> It works great ;-)
> But i have a problem with stalled sessions.
> I have set simultaneous use :=1.
> I have set sql in the session section in radiusd.conf.
> If a user that somehow failed network connectivity and failed to tell
> the server account stop tries to reconnect back it won't let him
> because his previous session is stalled. I need a mechanism that will do
> a check upon connection if the session is stalled, delete it and let the
> user in or if there is already a real user logged in deny the connecting
> one.
> I read from the mailing lists that radzap should do the job but i can't
> seem to figure out how to integrate it in that setup (the man page
> explains only the syntax).
> I also use the ippool module to give (and it should return back too) ip
> addresses from a given pool range. I need to be sure that it will return
> an ip to the pool if there's a stalled session detected by the needed
> mechanism.
> At the moment radwho and rlm_ippool_tool show about twice or more
> entries than the number actually used.
> Please advise ;-)
> --
> regards,
> Georgi Alexandrov
> Key Server = http://pgp.mit.edu/ :: KeyID = 37B4B3EE
> Key Fingerprint = E429 BF93 FA67 44E9 B7D4F89E F990 01C1 37B4 B3EE

Alan?

Auth from LDAP, then add reply via SQL

2006-02-20 Thread Robert Myers

I must be missing this in the documentation.

If I authenticate via the users file/LDAP/SQL , is there a way to add 
replies from the radcheck table in sql?


-Bob



Re: Auth from LDAP, then add reply via SQL

2006-02-20 Thread Robert Myers
Sorry, this would be the radreply table, not the radcheck table, as the 
radcheck is for checking attributes. :)


My bad. :)

-Bob

Robert Myers wrote:

> I must be missing this in the documentation.
>
> If I authenticate via the users file/LDAP/SQL , is there a way to add
> replies from the radcheck table in sql?
>
> -Bob



RE: dictionary.cablelabs[168]: dict_addvalue: value name too long

2006-02-20 Thread Ryan Melendez
Hey Alan,

I don't have more than one version of freeradius running.  This was my
problem.

./configure
LDFLAGS=/path/to/openssl/
export LDFLAGS
make

I needed to set LDFLAGS _before_ ./configure.  This works well:

LDFLAGS=/path/to/openssl/
export LDFLAGS
./configure
make

Thanks,
Ryan

-----Original Message-----
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
org] On Behalf Of Alan DeKok
Sent: Thursday, February 16, 2006 4:24 PM
To: FreeRadius users mailing list
Subject: Re: dictionary.cablelabs[168]: dict_addvalue: value name too long

Ryan Melendez [EMAIL PROTECTED] wrote:
> I am using 1.1.0.  Sorry I left that out.

  That message isn't produced when running the stock 1.1.0.  What else
is going on in your machine?  Do you have multiple versions of
FreeRADIUS installed?

  Alan DeKok.


3Com Wireless 11g card

2006-02-20 Thread Jefri bin Dahari

Hi all,

I have set up wireless network using Cisco Aironet and authenticated using 
Freeradius through EAP TLS and PEAP. The system works fine with Centrino, 
Proxim and Dlink wireless card but not with 3Com wireless card. The card 
keeps being authenticated even though Freeradius already sent Access-Accept 
packet. Can anybody help?


Thanks. 



Re: Auth from LDAP, then add reply via SQL

2006-02-20 Thread Robert Myers

Well, I sorted my mistake.

What I was trying to do was, have a user in the 'users' file with a 
password set.  Then check the sql radreply table.  I'm guessing this 
won't work, as the sql tables mimic the users file, and are mutually 
exclusive.  And there really wouldn't be a need to have a user in the 
'users' file, as you could just put them in the radcheck table with the 
appropriate local password.


I was able to authenticate via EAP, then from the radcheck table, find 
my user, then from the radreply table get the appropriate attributes.


-Bob

Robert Myers wrote:

> I must be missing this in the documentation.
>
> If I authenticate via the users file/LDAP/SQL , is there a way to add
> replies from the radcheck table in sql?
>
> -Bob



setting up on shared hosting webhost service

2006-02-20 Thread eric
1st: I'm a newb to freeradius - not to the world...
I have successfully installed freeradius with experimental modules (for
using mysql) on a mandrake mandriva 10.2 machine on my local lan... I got
my scripts to work flawlessly... I uploaded my modified scripts to my
webhost and nothing...

I called my webhost (I am a reseller for them, and they are in my home
town) and talked them into installing freeradius onto the servers my sites
are located on. Shared webhost... I am not sure how they are limiting my
virtual host server to just the /home/myuserid/ directory but that is the
limit of where I can see... I do not have root access, I can ssh, but
only to the /home/userid and down thru my individual accounts cpanels and
such...

I have modified clients.conf and sql.conf to appropriate settings - I
think... what am I missing? any ideas or tips I can relay to my webhost on
setting up freeradius? It is a bit difficult and burdensome on my webhost
to have to physically modify or change the clients.conf each time I add a
new client or access point in my network, plus how do I ensure my radius
access to my localhost mysql databases within my hosting account are
talking to each other? I think there are some issues connecting as the
radius server is installed on the webhost server - my personal site, albeit
has a private ip, actually runs from the /home/myuserid/public_html/ on
the server... further, some of the other domains I own or have sold and
set up corresponding dns and webhosting space with cpanels for on the same
server do not have private ip's (I can of course add them on to the
service I am buying from the webhost for a minimal fee) - but currently
they are shared ips... is there anyway to use freeradius on shared ips and
still be able to keep individual virtual hosts separate? if I need
dedicated hosting and a box of my own to run this in the real world that
would just add several thousand dollars of cost to my overall deployment
and long term maintenance contracts in a co-lo somewhere... currently my
webhost's servers are at a co-lo in dallas...

ideas, tips and tricks to make it work are VERY welcomed...
thanks in advance - [EMAIL PROTECTED]