RE: free realm
thanks!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dusty Doris
Sent: Monday, 20 February 2006 6:27
To: FreeRadius users mailing list
Subject: Re: free realm

> I'm looking for a solution to add a 'free' realm to my conf. The object is to always send an access-accept if freeradius receives a request from a NAS with username e.g. 'free/nonexistinguser/password'
>
> Is this possible with freeradius?
>
> thanks and have a nice week-end,
> Bart

Sure. Read the users manpage (man 5 users) and the comments in the users file. Here are some hints.

    DEFAULT Realm == somerealm, Auth-Type := Accept

or

    DEFAULT User-Name =~ [EMAIL PROTECTED]@somedomain$, Auth-Type := Accept

or

    someusername Auth-Type := Accept

etc...

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Managing connection on Freeradius
Alan,

I am using version freeradius-1.0.1-1. I will try to update this software.

Att,

Nataniel Klug

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sunday, February 19, 2006 3:06 PM
Subject: Re: Managing connection on Freeradius

Nataniel Klug [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] ~]# radzap -d /etc/raddb -p 1813 -r 127.0.0.1 '' nataniel
> Sun Feb 19 09:02:13 2006 : Info: Starting - reading configuration files ...

Upgrade to 1.1.0. The version you're using doesn't work.

Alan DeKok.
RE: Thanks Alan
Or buy the coders a beer :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] dius.org] On Behalf Of Sean
Sent: Tuesday, 14 February 2006 5:13 AM
To: freeradius-users@lists.freeradius.org
Subject: Thanks Alan

On Mon, 2006-02-13 at 19:58 +0100, [EMAIL PROTECTED] wrote:
> Phil Mayers [EMAIL PROTECTED] wrote:
>> Alan, in case anyone hasn't said it recently - you do an excellent job maintaining this project under difficult conditions. You have my and I suspect many other peoples sincere gratitude, and I can only hope it's as rewarding for you as it is helpful for us.
>
> Thanks. FreeRADIUS is being used as part of the core product in at least 3 startups I know of, and possibly as many as 5. It's at the point now where it's getting me more professional attention than my other work activities.
>
> Alan DeKok.

Alan, I'd like to add my thanks also. FreeRadius is at the core of swarmhotspots.com and I'm amazed at the help and support that is available from you and the open source community.

The best way to show your appreciation is to contribute something back.

Regards,
Sean
http://swarmhotspots.com
Log file format
We have some tools that currently run some statistics on the radius accounting file. Well, we currently use a different radius server. With that in mind the log format is different.

Is there a way to modify the format of the accounting log format?

--
Walter Reynolds
University of Michigan
LDAP iplanet
Hi all,

Has someone used FreeRadius with an iplanet LDAP server?

Thanks a lot
cisco pptp+mppe problems on ios 12.3T and later
hi,

maybe one of the cisco users here on the list can help me. I want to run dialin vpdn on a cisco 1712, using pptp tunnels with mppe encryption and authenticate against freeradius 1.1.0

The strange thing is, my setup used to work just fine, until i tried to upgrade IOS from 12.2 to 12.3T or 12.4. in both trains ( 12.2) mppe suddenly fails to work. a normal, unencrypted pptp works.

debug shows that cisco gets a radius reply with ms-chap mppe attributes, but seems to miss/misunderstand something. debug mppe says:

    MPPE: keying material missing from radius

the relevant parts of my cisco config:

    aaa authentication login vpnauth group radius
    aaa authentication ppp default group radius local
    aaa authorization network default if-authenticated
    aaa authorization network vpnauth group radius

    vpdn enable
    vpdn multihop
    vpdn source-ip 217.196.69.198
    vpdn logging
    vpdn logging user
    vpdn logging tunnel-drop
    vpdn session-limit 10
    vpdn search-order multihop-hostname

    vpdn-group pptp
    ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
     lcp renegotiation on-mismatch

    interface Virtual-Template1
     ip unnumbered FastEthernet0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     peer default ip address pool vpnpool
     compress mppc
     ppp encrypt mppe auto
     ppp authentication ms-chap ms-chap-v2
     ppp eap refuse callin

    radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxx
    radius-server authorization default Framed-Protocol ppp
    radius-server vsa send accounting
    radius-server vsa send authentication
    ...

and from radiusd.conf:

    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = no
        require_strong = no
    }

i already tried to find information or to change some of the config settings, but no luck :(

thanks in advance,
jakob
Bug #86?
Hi,

it seems like bug #86 didn't make it into 1.1. Any chance of seeing this somewhen in the 1.1 branch? I'd work on it myself, but the path Alan describes in the bug comment sounds somewhat like Spanish to me (and the patch I provided in #203 seems not clean enough, even to myself in retrospect) :-)

Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
Migration. Please Help
Hi all,

Sorry for the stupid question but I don't have any C/Unix knowledge.

We have a FreeRadius Server running in a machine. It is using a custom module (in order to authenticate to an ldap server) developed two years ago called rlm_ldap2.

Now I am going to install FreeRadius in another machine and I want to use that custom module. Is it necessary to install OpenLdap before? or is it enough to copy my rlm_ldap2.so in the directory with the other rlm_* libraries compiled during the FreeRadius installation?

Thank you very much

Regards,
Marta
Re: Using multiple auth methods, ports
Hi Dusty,

Yeah, I had considered running two radiusd instances, actually, but it felt less than ideal. Part of the problem is that our radius infrastructure is spread across two dozen servers around the world, and multiple radiusd's give us more moving parts (two /etc/raddb configs, two sets of users files, two daemons to worry about, etc). We have some tools to manage distribution of configs, users files, etc, but as-is they would probably require significant changes.

Hopefully I can make freeradius do what I want... if not, I may end up taking your advice ;-)

Thanks.

Dusty Doris wrote:
>> the request, which doesn't help me). The only thing the NAS can do that is helpful is send cert auth requests to a different UDP port than regular auth requests.
>
> Perhaps there are new features that can take care of this for you in one place, but if not, you can just run two radiusd instances. One for oldschool and one for cert.
>
> For example, say your raddb dir is in /etc/raddb now. You would create two subdirs of that directory
>
>     mkdir /etc/raddb/oldschool
>     mkdir /etc/raddb/cert
>
> and perhaps for logging separately as well
>
>     mkdir /var/log/radius/oldschool
>     mkdir /var/log/radius/cert
>
> cp all the files from raddb to the two directories. Modify the top of radiusd.conf to point to the new directories for raddbdir, confdir, logdir, etc.. Modify the listen or port arguments to make one listen on 1645 and the other on 1812. Then modify the rest of it, such as the users file, to do what you want for each separate instance.
>
> Then modify your startup script to fire off two instances using the -d option, and make sure you get both instances as well on stop/restarts.
>
> eg:
>
>     /pathto/radiusd -d /etc/raddb/oldschool
>     /pathto/radiusd -d /etc/raddb/cert
>
> That will give you two separate instances. One will be configured to only handle oldschool logins and the other to only handle certs. It will be another port/process you'll have to monitor, but it should give you what you want.
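The two-instance layout quoted in the message above, scripted as an added example; it is not code from the thread or from the FreeRADIUS distribution. `make_instance`, `world_readable` and `demo_tree` are hypothetical helpers, the per-instance `pidfile` is an assumption, and the sample tree is constructed so the script can be run without touching a real /etc/raddb.

```shell
#!/bin/sh
# Added example (not from the thread): one raddb tree, one subdirectory per instance.

# make_instance SRC NAME PORT LOGROOT -> creates SRC/NAME and LOGROOT/NAME
make_instance() {
    src=$1; name=$2; port=$3; logroot=$4
    dst="$src/$name"
    mkdir -p "$dst" "$logroot/$name" || return 1
    for f in "$src"/*; do
        [ "$f" = "$dst" ] && continue              # do not copy the target into itself
        [ -f "$f/radiusd.conf" ] && continue       # skip instances created earlier
        cp -Rp "$f" "$dst/" || return 1            # -p keeps modes on files holding secrets
    done
    # The copy above already created dst/radiusd.conf, so rewriting it keeps its mode.
    # Assumption: pidfile is made per-instance too, so the two daemons do not share one.
    sed -e "s|^raddbdir[[:space:]]*=.*|raddbdir = $dst|" \
        -e "s|^logdir[[:space:]]*=.*|logdir = $logroot/$name|" \
        -e "s|^pidfile[[:space:]]*=.*|pidfile = \${run_dir}/radiusd-$name.pid|" \
        -e "s|^port[[:space:]]*=.*|port = $port|" \
        "$src/radiusd.conf" > "$dst/radiusd.conf"
}

# world_readable DIR: files any local user can read (clients.conf holds NAS shared secrets).
world_readable() { find "$1" -type f -perm -004; }

# demo_tree: constructed stand-in for /etc/raddb so the script runs offline; prints its root.
demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/raddb/certs" "$t/log"
    printf '%s\n' 'logdir = ${localstatedir}/log/radius' \
        'raddbdir = ${sysconfdir}/raddb' 'confdir = ${raddbdir}' \
        'pidfile = ${run_dir}/radiusd.pid' 'port = 0' > "$t/raddb/radiusd.conf"
    echo 'client 127.0.0.1 { secret = CONSTRUCTED }' > "$t/raddb/clients.conf"
    : > "$t/raddb/users"
    : > "$t/raddb/certs/server.pem"
    chmod 640 "$t/raddb/radiusd.conf" "$t/raddb/clients.conf" "$t/raddb/certs/server.pem"
    chmod 644 "$t/raddb/users"
    echo "$t"
}

root=$(demo_tree)
make_instance "$root/raddb" oldschool 1645 "$root/log"
make_instance "$root/raddb" cert 1812 "$root/log"
grep '^port' "$root"/raddb/*/radiusd.conf    # one listening port per instance
world_readable "$root/raddb/cert"            # anything listed here deserves a second look
```

Each instance is then started with `radiusd -d` pointing at its own subdirectory, as in the quoted message.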
Re: Log file format
Walter Reynolds [EMAIL PROTECTED] wrote:
> We have some tools that currently run some statistics on the radius accounting file. Well, we currently use a different radius server. With that in mind the log format is different.
>
> Is there a way to modify the format of the accounting log format?

Which accounting log? The detail file? That's pretty much unchanged since the original Livingston format 13 years ago.

Could you be more specific, and say what should be changed, and to what it should be changed?

Alan DeKok.
Re: Bug #86?
Stefan Winter [EMAIL PROTECTED] wrote:
> it seems like bug #86 didn't make it into 1.1. Any chance of seeing this somewhen in the 1.1 branch?

I don't see it as critical. You can always add a client 169.254.x.y, or 127.0.0.2, which will never show up in any IP packets. That will let the server start.

And editing the config files is easier to do than changing the server source.

Alan DeKok.
Re: Stale sessions problem
On 2/17/06, Georgi Alexandrov [EMAIL PROTECTED] wrote:
> Hello,
>
> I'm running freeradius 1.1.0 + mysql + dialupadmin on a linux 2.6 box with a pppoe-server running on the same machine as nas. It works great ;-)
>
> But i have a problem with stalled sessions. I have set simultaneous use :=1. I have set sql in the session section in radiusd.conf. If a user that somehow failed network connectivity and failed to tell the server account stop tries to reconnect back it won't let him because his previous session is stalled. I need a mechanism that will do a check upon connection if the session is stalled, delete it and let the user in or if there is already a real user logged in deny the connecting one.
>
> I read from the mailing lists that radzap should do the job but i can't seem to figure out how to integrate it in that setup (the man page explains only the syntax).
>
> I also use the ippool module to give (and it should return back too) ip addresses from a given pool range. I need to be sure that it will return an ip to the pool if there's a stalled session detected by the needed mechanism.
>
> At the moment radwho and rlm_ippool_tool show about twice or more entries than the number actually used.
>
> Please advise ;-)
>
> --
> regards,
> Georgi Alexandrov
> Key Server = http://pgp.mit.edu/ :: KeyID = 37B4B3EE
> Key Fingerprint = E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE

Alan?
Auth from LDAP, then add reply via SQL
I must be missing this in the documentation.

If I authenticate via the users file/LDAP/SQL, is there a way to add replies from the radcheck table in sql?

-Bob
Re: Auth from LDAP, then add reply via SQL
Sorry, this would be the radreply table, not the radcheck table, as the radcheck is for checking attributes. :) My bad. :)

-Bob

Robert Myers wrote:
> I must be missing this in the documentation.
>
> If I authenticate via the users file/LDAP/SQL, is there a way to add replies from the radcheck table in sql?
>
> -Bob
RE: dictionary.cablelabs[168]: dict_addvalue: value name too long
Hey Alan,

I don't have more than one version of freeradius running. This was my problem.

    ./configure
    LDFLAGS=/path/to/openssl/
    export LDFLAGS
    make

I needed to set LDFLAGS _before_ ./configure. This works well:

    LDFLAGS=/path/to/openssl/
    export LDFLAGS
    ./configure
    make

Thanks,
Ryan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] org] On Behalf Of Alan DeKok
Sent: Thursday, February 16, 2006 4:24 PM
To: FreeRadius users mailing list
Subject: Re: dictionary.cablelabs[168]: dict_addvalue: value name too long

Ryan Melendez [EMAIL PROTECTED] wrote:
> I am using 1.1.0. Sorry I left that out.

That message isn't produced when running the stock 1.1.0.

What else is going on in your machine? Do you have multiple versions of FreeRADIUS installed?

Alan DeKok.
3Com Wireless 11g card
Hi all,

I have set up wireless network using Cisco Aironet and authenticated using Freeradius through EAP TLS and PEAP. The system works fine with Centrino, Proxim and Dlink wireless card but not with 3Com wireless card. The card keeps being authenticated even though Freeradius already sent Access-Accept packet.

Can anybody help?

Thanks.
Re: Auth from LDAP, then add reply via SQL
Well, I sorted my mistake.

What I was trying to do was, have a user in the 'users' file with a password set. Then check the sql radreply table. I'm guessing this won't work, as the sql tables mimic the users file, and are mutually exclusive. And there really wouldn't be a need to have a user in the 'users' file, as you could just put them in the radcheck table with the appropriate local password.

I was able to authenticate via EAP, then from the radcheck table, find my user, then from the radreply table get the appropriate attributes.

-Bob

Robert Myers wrote:
> I must be missing this in the documentation.
>
> If I authenticate via the users file/LDAP/SQL, is there a way to add replies from the radcheck table in sql?
>
> -Bob
setting up on shared hosting webhost service
1st: I'm a newb to freeradius - not to the world...

I have successfully installed freeradius with experimental modules (for using mysql) on a mandrake mandriva 10.2 machine on my local lan... I got my scripts to work flawlessly...

I uploaded my modified scripts to my webhost and nothing... I called my webhost (I am a reseller for them, and they are in my home town) and talked them into installing freeradius onto the servers my sites are located on. Shared webhost... I am not sure how they are limiting my virtual host server to just the /home/myuserid/ directory but that is the limit of where I can see... I do not have root access, I can ssh, but only to the /home/userid and down thru my individual accounts cpanels and such...

I have modified clients.conf and sql.conf to appropriate settings - I think... what am I missing? any ideas or tips I can relay to my webhost on setting up freeradius? It is a bit difficult and burdensome on my webhost to have to physically modify or change the clients.conf each time I add a new client or access point in my network, plus how do I ensure my radius access to my localhost mysql databases within my hosting account are talking to each other?

I think there are some issues connecting as the radius server is installed on the webhost server - my personal site, albeit has a private ip, actually runs from the /home/myuserid/public_html/ on the server... further, some of the other domains I own or have sold and set up corresponding dns and webhosting space with cpanels for on the same server do not have private ip's (I can of course add them on to the service I am buying from the webhost for a minimal fee) - but currently they are shared ips... is there anyway to use freeradius on shared ips and still be able to keep individual virtual hosts separate?

if I need dedicated hosting and a box of my own to run this in the real world that would just add several thousand dollars of cost to my overall deployment and long term maintenance contracts in a co-lo somewhere... currently my webhost's servers are at a co-lo in dallas...

ideas, tips and tricks to make it work are VERY welcomed...

thanks in advance - [EMAIL PROTECTED]