libtool.m4: error: problem compiling CXX test program
On a Suse9.3 I checked out ftp://ftp.freeradius.org/pub/radius/CVS-snapshots/freeradius-snapshot-20060308.tar.gz. configure reports an error on that version:

checking whether to build static libraries... yes
configure: creating libtool
appending configuration tag CXX to libtool
checking whether the g++ linker (/usr/i586-suse-linux/bin/ld) supports shared libraries... yes
libtool.m4: error: problem compiling CXX test program
checking for g++ option to produce PIC...

Maybe this is the reason for the failure when make install comes to an end?

...
chmod 644 /usr/local/libradius.a
libtool: install: warning: remember to run `libtool --finish /usr/local/lib'
rm -f /usr/local/lib/libradius-2.0.0-pre0.la; ln -s libradius.la /usr/local/lib/libradius-2.0.0-pre0.la
ln: creating symbolic link `/usr/local/lib/libradius-2.0.0-pre0.la' to `libradius.la': No such file or directory
gmake[4]: *** [install] Error 1
gmake[4]: Leaving directory `/home/freeradius-snapshot-20060308/src/lib'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/home/freeradius-snapshot-20060308/src'
gmake[2]: *** [install] Error 2
gmake[2]: Leaving directory `/home/freeradius-snapshot-20060308/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/home/freeradius-snapshot-20060308'

Running `libtool --finish /usr/local/lib' does not help, and taking /usr/local/lib into LD_LIBRARY_PATH when starting radiusd does not either:

LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib /usr/local/sbin/radiusd -AX
/usr/local/sbin/radiusd: error while loading shared libraries: libradius-1.1.0-pre0.so: cannot open shared object file: No such file or directory

Norbert Wegener

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mysql problem
On 3/16/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Fabiano Rodrigo Boscatto [EMAIL PROTECTED] wrote:
>> Hi there, I have freeradius working fine with mysql authentication. The problem is that the User-Password is stored in the mysql table as clear text. Is there a way to crypt that?
>
> Change User-Password to Crypt-Password, and encrypt the password with the Unix crypt() tool. Then CHAP and MS-CHAP stop working.
>
>> If you want to encrypt the password with some kind of key, and then make the key available to FreeRADIUS too, that might be useful.
>
> Maybe. But it's not as useful as it might first look. You're better off controlling access to the entire MySQL DB, which contains a lot more security information than the clear-text password.
>
> Alan DeKok.

And what must I do if I want to use MD5 to store the passwords?

Greets,
Aitor
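Why a crypt()- or MD5-hashed password column stops CHAP from working, as an added illustration that is not part of the thread: the server itself has to compute MD5(CHAP Ident || clear-text password || challenge) and compare it with the CHAP-Password the NAS sent, so the clear-text password is an input it cannot do without. The password, challenge and ident below are constructed sample values.

```python
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP Response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute (RFC 2865 section 5.3):
    one octet CHAP Ident followed by the 16-octet CHAP Response.
    This is what the NAS puts into the Access-Request."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def chap_challenge(attributes: dict, request_authenticator: bytes) -> bytes:
    """RFC 2865: the challenge is the CHAP-Challenge attribute if present,
    otherwise the 16-octet Request Authenticator of the Access-Request."""
    return attributes.get("CHAP-Challenge", request_authenticator)


def verify_chap(chap_password: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server-side check. The MD5 input is the user's clear-text password, so
    the store has to hold it: feeding a crypt() or MD5 *hash* of the password
    in here produces a different digest and the user is rejected."""
    if len(chap_password) != 17:          # 1 octet ident + 16 octet digest
        return False
    ident = chap_password[0]
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


# Constructed sample values (not from the thread).
CHALLENGE = bytes(range(16))
CLEARTEXT = b"s3cret"


def demo() -> tuple:
    """Returns (result with clear-text store, result with MD5-hashed store)."""
    cp = build_chap_password(7, CLEARTEXT, CHALLENGE)
    # What an MD5-hashed password column would hold instead of the clear text.
    hashed_only = hashlib.md5(CLEARTEXT).hexdigest().encode()
    return (verify_chap(cp, CHALLENGE, CLEARTEXT),
            verify_chap(cp, CHALLENGE, hashed_only))


if __name__ == "__main__":
    print(demo())
```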
freeradius
Hello,

Here is my question: I would like to create a proxy freeradius. I have 3 forests and 3 databases for storing users. I want to know how to configure:

1. Proxy freeradius with IAS in each forest: how do I give the freeradius server the certificate stored in Active Directory?
2. Is it possible to configure proxy freeradius to forward requests directly to Active Directory without IAS (3 Active Directories)?

Thank you very much for your answer. Have a good day.
Duplicate Attributes
Hi,

I have installed FreeRADIUS (latest) on my machine and cannot seem to get it configured correctly. Initially there are duplicates in some dictionaries that I have commented out. However, in radiusd.conf in the authorize section I need to comment out all of the items to get radiusd to start, e.g.:

dict_addvalue: Duplicate value name PAP for attribute Auth-Type

After commenting out the items, if I try radtest it complains that there is no Auth-Type.

...
modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

I only really need CHAP and unix enabled. Any help would be appreciated.

Thanks
Grahame Jordan
Ldap-Group AND EAP-TTLS/Ldap Question (Again)
Hi,

Is there a way to use the Ldap-Group with EAP-TTLS authentication based on LDAP? I've set it up in my users file but it doesn't work, as the group membership check is performed on the outer identity first. Can I somehow specify to check the group only for the tunnelled identity?

Benoît Bianchi.
Ingénieur Système
CRI / ISTY
Université de Versailles Saint Quentin en Yvelines
Re: Help mixing proxied and non-proxied auth mechanisms
Geoff Silver wrote:
>> DEFAULT My-Group != known, Auth-Type := Reject
>> DEFAULT Auth-Type:=Accept, Huntgroup-Name==Office, Hint==Port-1812
>>         Connect-Info=OFFICE_NET
>> DEFAULT Huntgroup-Name==Office, Hint==Port-1645, Proxy-To-Realm := PROXY_GW
>>         Connect-Info=OFFICE_NET
>
> That will work for the simple case I provided, but my users file is actually a bit more complicated. There are multiple NAS-IP-Address and/or Huntgroups available, and not all users have access to all of them. The only thing guaranteed is that any user who *has* an entry actually has two, one with a Hint==Port-1645 and the other with Hint==Port-1812. Perhaps a better users file example would be:
>
> user01 Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812
> user01 Auth-Type:=Accept, NAS-IP-Address==10.1.2.4, Hint==Port-1812
> user01 NAS-IP-Address==10.1.2.3, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW
> user02 Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812
> user03 NAS-IP-Address==10.1.2.4, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW
>
> Additionally, none of these folks have (or can have) /etc/passwd accounts on this system, so I'm not sure that rlm_passwd will work for me necessarily (plus, we're back to the not-every-user-has-access-to-every-NAS/Huntgroup problem).

rlm_passwd would be better named rlm_lookup or rlm_mapping or rlm_keyval. I use it very successfully after a hint from Alan to cut down combinatorial explosion:

modules {
	passwd nas2kind {
		file = /etc/raddb/nas2kind
		format = *NAS-IP-Address:~NasKind
	}
	passwd user2group {
		file = /etc/raddb/user2group
		format = *User-Name:~Group
	}
}

authorize {
	preprocess
	nas2kind
	user2group
	users
}

/etc/nas2kind:
10.1.2.3:type1
10.1.2.4:type2

/etc/user2group:
user01:nasgroup1-p1812
user01:nasgroup2-p1812
user01:nasgroup1
user02:nasgroup1-p1812
user03:nasgroup2-p1812

/etc/raddb/users:
# Skip unknown users
DEFAULT Group !* ANY, Auth-Type := Reject
DEFAULT Group==nasgroup1-p1812, NasKind==type1, Hint==Port-1812, Auth-Type := Accept
DEFAULT Group==nasgroup2-p1812, NasKind==type2, Hint==Port-1812, Auth-Type := Accept
DEFAULT Group==nasgroup1, NasKind==type1, Hint==Port-1645, Proxy-To-Realm := PROXY_GW
DEFAULT Group==nasgroup2, NasKind==type2, Hint==Port-1645, Proxy-To-Realm := PROXY_GW

Hopefully that's clear. Note that the passwd instances are defined to add the values to the request (because it's hard to match on == for config/reply items in users), so you'll need to make sure those value names are in a local dictionary somewhere. Note also that the above is a literal translation of your most recent email - I believe in your original email you matched on Huntgroup-Name, in which case you can skip the NasKind mapping and simplify things somewhat.
Module not loading
I have something like this in 'radiusd.conf':

...
modules {
	...
	pgping {
	}
	...
}
...

Where 'rlm_pgping' is a module compiled and installed following the manual. My question is: why does it not appear to load (i.e. not showing any messages with 'radiusd -X')? (The module code is at the end of the message.) I have other custom modules that work fine. Am I doing something wrong?

On the other hand, playing around with 'radiusd.conf' I've discovered that if I add some random module name in the module instantiation section, radiusd doesn't complain at all about its non-existence! This is a little inconvenient.

Thanks in advance,
---
Tomás A. Rossi
Ministerio de Economía
Proyecto de Informática
Buenos Aires, Argentina

/*
 * rlm_pgping.c
 *
 * This module pings the primary database and reports whether it is
 * down (FAIL) or working normally (OK).
 */
#include "autoconf.h"
#include "libradius.h"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "radiusd.h"
#include "modules.h"
#include "conffile.h"

#include <libpq-fe.h>

/*
 * Module configuration structure.
 */
typedef struct rlm_pgping_t {
	char	*host;
	char	*dbname;
	char	*user;
	char	*password;
	char	*port;
	int	timeout;
} rlm_pgping_t;

#define INST ((rlm_pgping_t *)inst)

/*
 * Configuration parameters read from the module's section in radiusd.conf.
 */
static CONF_PARSER module_config[] = {
	{ "host",     PW_TYPE_STRING_PTR, offsetof(rlm_pgping_t, host),     NULL, "localhost" },
	{ "dbname",   PW_TYPE_STRING_PTR, offsetof(rlm_pgping_t, dbname),   NULL, "" },
	{ "user",     PW_TYPE_STRING_PTR, offsetof(rlm_pgping_t, user),     NULL, "" },
	{ "password", PW_TYPE_STRING_PTR, offsetof(rlm_pgping_t, password), NULL, "" },
	{ "port",     PW_TYPE_STRING_PTR, offsetof(rlm_pgping_t, port),     NULL, "" },
	{ "timeout",  PW_TYPE_INTEGER,    offsetof(rlm_pgping_t, timeout),  NULL, "30" },
	{ NULL, -1, 0, NULL, NULL }		/* end the list */
};

/*
 * Open (and immediately close) a connection to the primary database.
 * Returns RLM_MODULE_FAIL if the connection cannot be established.
 */
static int mandar_pgping(void *inst, REQUEST *req)
{
	char	condata[256];	/* Buffer for the connection string. */
	PGconn	*con;		/* Connection to the database. */

	req = req;		/* quiet "unused parameter" warnings */

	DEBUG("PGPING: module starting");

	snprintf(condata, sizeof(condata) - 1,
		 "host=%s port=%s dbname=%s user=%s password='%s' connect_timeout=%d",
		 INST->host, INST->port, INST->dbname, INST->user,
		 INST->password, INST->timeout);
	condata[sizeof(condata) - 1] = '\0';

	/* Do not echo the connection string itself: it carries the DB password. */
	DEBUG("PGPING: trying to connect to the primary database at host '%s' port '%s' db '%s' as user '%s'",
	      INST->host, INST->port, INST->dbname, INST->user);
	con = PQconnectdb(condata);
	if (con == NULL) {
		radlog(L_ERR, "PGPING: out of memory allocating the connection.");
		return RLM_MODULE_FAIL;
	}

	if (PQstatus(con) == CONNECTION_BAD) {
		radlog(L_AUTH, "PGPING: connection to the primary database failed.");
		PQfinish(con);	/* release the handle, this was only a ping */
		return RLM_MODULE_FAIL;
	}

	PQfinish(con);		/* release the handle, this was only a ping */
	return RLM_MODULE_OK;
}

static int pgping_init(void)
{
	return 0;
}

/*
 * Read the configuration parameters for this instance.
 * The server treats a negative return as failure, so return -1/0 here
 * rather than the RLM_MODULE_* codes used by the request handlers.
 */
static int pgping_instantiate(CONF_SECTION *conf, void **instance)
{
	rlm_pgping_t *conf_data;

	/* Allocate memory for the configuration parameters. */
	conf_data = rad_malloc(sizeof(*conf_data));
	if (!conf_data) {
		return -1;
	}
	memset(conf_data, 0, sizeof(*conf_data));

	/* If parsing the module's configuration section fails, bail out. */
	if (cf_section_parse(conf, conf_data, module_config) < 0) {
		free(conf_data);
		return -1;
	}

	*instance = conf_data;
	return 0;
}

static int pgping_detach(void *inst)
{
	free(INST->host);
	free(INST->port);
	free(INST->dbname);
	free(INST->user);
	free(INST->password);
	free(inst);
	return 0;
}

/*
 * The module name should be the only globally exported symbol.
 * That is, everything else should be 'static'.
 *
 * If the module needs to temporarily modify its instantiation
 * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
 * The server will then take care of ensuring that the module
 * is single-threaded.
 */
module_t rlm_pgping = {
	"pgping",
	RLM_TYPE_THREAD_SAFE,	/* type */
	pgping_init,		/* initialization */
	pgping_instantiate,	/* instantiation */
	{
		mandar_pgping,	/* authentication */
		mandar_pgping,	/* authorization */
		mandar_pgping,	/* preaccounting */
		mandar_pgping,	/* accounting */
		NULL,		/* checksimul */
		NULL,		/* pre-proxy */
		NULL,		/* post-proxy */
		NULL		/* post-auth */
	},
	pgping_detach,		/* detach */
	NULL,			/* destroy */
};
Re: Module not loading
Tomás A. Rossi wrote:
> I have something like this in 'radiusd.conf':
>
> ...
> modules {
> 	...
> 	pgping {
> 	}
> 	...
> }
> ...
>
> Where 'rlm_pgping' is a module compiled and installed following the manual. My question is: why does it not appear to load (i.e. not showing any messages with 'radiusd -X')? (The module code is at the end of the message.) I have other custom modules that work fine. Am I doing something wrong?
>
> On the other hand, playing around with 'radiusd.conf' I've discovered that if I add some random module name in the module instantiation section, radiusd doesn't complain at all about its non-existence! This is a little inconvenient.

Sorry, I know what was happening with the module. It seems that radiusd doesn't take into account the instantiation of any module unless it is used in some other section (i.e. authorize). Though this behavior could be enhanced.

Thanks
---
Tomás A Rossi
Ministerio de Economía
Proyecto de Informática
Buenos Aires, Argentina
Working freeradius without shared secret!
Hi everybody,

I sent this same message last March 14. I NEED to accept a NAS that is not sending the shared secret. Can somebody help me, please? If not, can somebody tell me which part of the source code I must modify?

Thanks very much,
Guido
Question about processing multiple authorization sources
Hello,

I am using FreeRADIUS 1.1.0 on FreeBSD 6.0 with Cisco Aironet 1200 WAPs. I need to be able to control which VLAN my users are assigned to, and it seems like this is accomplished by setting three RADIUS user attributes which control the assigned VLAN after authentication. The problem is that my authorization/authentication source is an LDAP server, which I don't have any control over, that does not contain these attributes.

Is it possible to have FreeRADIUS check a separate user database to provide the additional attributes? It seems like I could write a script to take the username, perform some database queries and return the appropriate information, but beyond that I don't know how to go about implementing such a solution.

If it matters, I am currently using EAP-TTLS/PAP with SecureW2 and the aforementioned LDAP server.

-Will
--
Will Saxon
Systems Programmer - Network Services
University of Florida Department of Housing
LDAP authorization for EAP-TLS authentication
I'm trying to understand the relationship between the modules in the authorize {} and authenticate {} sections and how it relates to the directives defined in users. EAP-TLS works fine, but I can't seem to figure out how to make the ldap authorization reject a user.

DEFAULT Auth-Type := eap, Autz-Type := ldap

authorize {
	preprocess
	ldap
	eap
}

authenticate {
	eap
}

ldap {
	server = our-server.itc.virginia.edu
	identity = uid=uva-all,ou=ITC-User,ou=It,o=University of Virginia,c=US
	password = our-password
	basedn = o=University of Virginia,c=US
	filter = (wirelessAccess=%{Stripped-User-Name:-%{User-Name}})
	base_filter = (objectclass=Person)
	start_tls = no
	access_attr = wirelessAccess
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	access_attr_used_for_allow = yes
}

The ldap server logs show multiple queries, which are not returning anything. This can be confirmed with:

ldapsearch -b o=University of Virginia,c=US wirelessAccess=kmm6b wirelessAccess

which returns nothing. If nothing is returned, shouldn't the authorization fail? I'm missing something, hopefully not too obvious...

Keith Moores  mailto:[EMAIL PROTECTED]
Network Systems
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd   Phone (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324   Fax (434) 982-4715
Different source NAS for Different privilege Level
I am using freeradius rev 1.1.0 and I have everything running great. I am using AAA authorization on different network devices: Cisco routers, Cisco switches, Foundry switches, Juniper FWs. I have set up VSAs to respond to the user to set their privilege level upon successful authentication; then the authorization portion actually sets the privilege level.

I need to have different privilege levels based upon which NAS they are coming from, e.g. connecting while on the corporate network: privilege level = 8; same user connecting through IPass out of the office: privilege level = 5.

Any assistance with this would be greatly appreciated. Thank you in advance for your help.

Jeff Stout
CCT
Re: Duplicate Attributes
Grahame Jordan [EMAIL PROTECTED] wrote:
> I have installed FreeRADIUS (latest) on my machine and cannot seem to get it configured correctly. Initially there are duplicates in some dictionaries that I have commented out.

That only happens if you installed a new version of the server on a system where there was an older version (or another radius server) installed before. Ensure that the dictionary in /etc/raddb/dictionary points to the dictionaries that were installed with the latest version.

The make install process DOES print out a large warning saying you should double-check the dictionaries.

Alan DeKok.
Re: Ldap-Group AND EAP-TTLS/Ldap Question (Again)
Benoît Bianchi [EMAIL PROTECTED] wrote:
> Is there a way to use the Ldap-Group with EAP-TTLS authentication based on LDAP? I've set it up in my users file but it doesn't work, as the group membership check is performed on the outer identity first. Can I somehow specify to check the group only for the tunnelled identity?

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, LDAP-Group == ...

Alan DeKok.
Re: Module not loading
"Tomás A. Rossi" [EMAIL PROTECTED] wrote:
> On the other hand, playing around with 'radiusd.conf' I've discovered that if I add some random module name in the module instantiation section, radiusd doesn't complain at all about its non-existence! This is a little inconvenient.

It's a bug.

Alan DeKok.
Re: Module not loading
"Tomás A. Rossi" [EMAIL PROTECTED] wrote:
> Sorry, I know what was happening with the module. It seems that radiusd doesn't take into account the instantiation of any module unless it is used in some other section (i.e. authorize). Though this behavior could be enhanced.

To do what, exactly? The whole point of loading a module is to use it in a section (e.g. authorize). If you want to load it, but not use it, that doesn't make sense.

The server will *not* be changed to load modules it's not going to use.

Alan DeKok.
There are no DB handles to use
Hi Folks,

I have FreeBSD 4.10-RELEASE with mysql 4.1.1-alpha and freeradius 1.1.0. Radius gives me this error:

There are no DB handles to use!

What does this error mean?

radiusd -X

ql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'"
sql: connect_failure_retry_delay = 60
sql: simul_count_query = ""
sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
sql: postauth_table = "radpostauth"
sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1845
Listening on accounting *:1846
Listening on proxy *:1847
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.11:2919, id=83, length=57
        User-Name = "teste"
        User-Password = "teste"
        NAS-IP-Address = 192.168.1.11
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "teste", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Proxying request from user teste to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
radius_xlat: 'teste'
rlm_sql (sql): sql_set_user escaped user -- 'teste'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'teste' ORDER BY id'
rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
  modcall[authorize]: module "sql" returns fail for request 0
modcall: leaving group authorize (returns fail) for request 0
Finished request 0

My mysql.log shows only connections, but no queries.

What are the minimum system requirements for freeradius to work, memory and processor? Should I try to install an old version of radius?
Re: Working freeradius without shared secret!
Guido [EMAIL PROTECTED] wrote:
> I NEED to accept a NAS that is not sending the shared secret.

I think you're confused. RADIUS doesn't work like that.

> Can somebody help me, please? If not, can somebody tell me which part of the source code I must modify?

Could you describe in different words what you want to do? Little ASCII pictures and contents of packets would help.

Alan DeKok.
Re: Mysql problem
KNO [EMAIL PROTECTED] wrote:
> And what must I do if I want to use MD5 to store the passwords?

Source code modifications.

Alan DeKok.
Re: problem with secret
Guido [EMAIL PROTECTED] wrote:
> The problem is that the Squire softswitch is not sending the shared secret to freeradius in the accounting request.

No, RADIUS doesn't work like that.

> So, I need to accept accounting requests from a NAS that does not send the secret.

I have no idea what this means. Perhaps you could try posting the error messages from the server?

Alan DeKok.
Vendor Specific IDs
Before I start, let me just ask if there are any already created attributes that control bandwidth rates in the Tx and Rx directions which take a string as a value. I found USR-Initial-Tx-Link-Data-Rate and USR-Initial-Rx-Link-Data-Rate, but they take enumerated values that will not allow me to set up a generic service rate (like 256Kbps or 1Mbps). I found a couple of other attributes that specify just Data-Rate, but I can't find any that do Rx and Tx data rates.

So, barring the existence of already created attributes, I'd like to set up my own vendor specific attributes -- which leads me to my main question: How do I choose a number for the Vendor-Id? For instance, Bristol's vendor ID is:

VENDOR Bristol 4363

Do we have to request these from somewhere? Or can we just pick a free one? Our AS number from ARIN is free (11541); can I just use that?

Also, I have a secondary question related to this. I am setting up some bandwidth limiting scripts on our router that will limit customers' bandwidth usage. The idea is to execute a script when they authenticate which receives the AVPs from the Access-Accept packet (which would include the above mentioned Rx and Tx data rates). The script would take those attributes and instate some tc and iptables rules to shape the customers' bandwidth. When the user logs off, or the AP notices the client is gone, the AP sends an Accounting-Stop record to FreeRADIUS. FreeRADIUS would then execute a cleanup script which brings down the rules that the first script instated.

So, my second question is: When FreeRADIUS calls that second script, can/does it send the original Access-Accept attributes to the cleanup script?

Thanks for any and all help.

Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324

Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, and Sandusky. Call for details.
Re: Different source NAS for Different privilege Level
Jeff Stout [EMAIL PROTECTED] wrote:
> I need to have different privilege levels based upon which NAS they are coming from, e.g. connecting while on the corporate network: privilege level = 8; same user connecting through IPass out of the office: privilege level = 5. Any assistance with this would be greatly appreciated.

Key off of the Client-IP-Address, which is the IP of the NAS. You could use NAS-IP-Address or NAS-Identifier, but they are less reliable in proxy situations.

Alan DeKok.
Assigning DNS servers
Hi,

I want to be able to assign DNS servers for each user to use as part of the user's radius entry. If I use:

MS-Primary-DNS-Server = ip address, MS-Secondary-DNS-Server = ip address

for each user's radius config, will this work? These users are ADSL users using DSL modems and routers.

Thanks
Tony
Re: Module not loading
Alan DeKok wrote:
> "Tomás A. Rossi" [EMAIL PROTECTED] wrote:
>> On the other hand, playing around with 'radiusd.conf' I've discovered that if I add some random module name in the module instantiation section, radiusd doesn't complain at all about its non-existence! This is a little inconvenient.
>
> It's a bug.

Is it fixed in a newer version? (I'm using 1.0.4)

Regards,
---
Tomás A Rossi
Ministerio de Economía
Proyecto de Informática
Buenos Aires, Argentina
Re: freeradius
[EMAIL PROTECTED] wrote:
> I would like to create a proxy freeradius. I have 3 forests and 3 databases for storing users. I want to know how to configure:
> 1. Proxy freeradius with IAS in each forest: how do I give the freeradius server the certificate stored in Active Directory?

Export it from AD and import it into FreeRADIUS.

> 2. Is it possible to configure proxy freeradius to forward requests directly to Active Directory without IAS (3 Active Directories)?

No. Active Directory doesn't do RADIUS.

What you *can* do is use ntlm_auth to allow FreeRADIUS to interact with AD. See radiusd.conf for details.

Alan DeKok.
Re: Question about processing multiple authorization sources
Will Saxon [EMAIL PROTECTED] wrote:
> Is it possible to have FreeRADIUS check a separate user database to provide the additional attributes?

Like the users file?

> It seems like I could write a script to take the username, perform some database queries and return the appropriate information, but beyond that I don't know how to go about implementing such a solution.

See scripts/exec-program-wait

Alan DeKok.
Re: LDAP authorization for EAP-TLS authentication
Keith Moores [EMAIL PROTECTED] wrote:
> I'm trying to understand the relationship between the modules in the authorize {} and authenticate {} sections and how it relates to the directives defined in users.

The users file is just another authorization module. See also doc/aaa.txt

> EAP-TLS works fine, but I can't seem to figure out how to make the ldap authorization reject a user.

See the ldap section of radiusd.conf. You can say "user is not allowed for remote access".

> The ldap server logs show multiple queries, which are not returning anything. This can be confirmed with:
>
> ldapsearch -b o=University of Virginia,c=US wirelessAccess=kmm6b wirelessAccess
>
> which returns nothing. If nothing is returned, shouldn't the authorization fail?

No. Why would it? LDAP is just one possible database out of many. You may have some users in LDAP, and others in SQL.

See doc/configurable_failover. You can configure the server to reject users if the LDAP module returns NOOP.

Alan DeKok.
RE: Different source NAS for Different privilege Level
I think you can use the radreply directive with your variable, if your NAS supports that.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Jeff Stout
Sent: Thursday, March 16, 2006 11:44 AM
To: FreeRadius users mailing list
Subject: Different source NAS for Different privilege Level

> I am using freeradius rev 1.1.0 and I have everything running great. I am using AAA authorization on different network devices: Cisco routers, Cisco switches, Foundry switches, Juniper FWs. I have set up VSAs to respond to the user to set their privilege level upon successful authentication; then the authorization portion actually sets the privilege level.
>
> I need to have different privilege levels based upon which NAS they are coming from, e.g. connecting while on the corporate network: privilege level = 8; same user connecting through IPass out of the office: privilege level = 5.
>
> Any assistance with this would be greatly appreciated. Thank you in advance for your help.
>
> Jeff Stout
> CCT
Re: Module not loading
Alan DeKok wrote:
> "Tomás A. Rossi" [EMAIL PROTECTED] wrote:
>> Sorry, I know what was happening with the module. It seems that radiusd doesn't take into account the instantiation of any module unless it is used in some other section (i.e. authorize). Though this behavior could be enhanced.
>
> To do what, exactly? The whole point of loading a module is to use it in a section (e.g. authorize). If you want to load it, but not use it, that doesn't make sense. The server will *not* be changed to load modules it's not going to use.

That's not my point. I'm not trying to say that you should do that but rather to print some kind of message showing that the server has read the module instantiation. Note that I'm not being pretentious: you could warn the user with a message that the module will not be loaded since it's not used and *that* would be being pretentious.

FreeRADIUS is a very nice product though I think at least you should concede me that it lacks good documentation IMHO. I was trying to add a module not knowing of the above mentioned behavior. It results in only adding the entry inside the instantiation section and testing if 'radiusd -X' returned some message to give me a clue that the module instantiation was parsed at least. You'll surely think I'm a jerk (and I'm not saying the opposite :-P ), but I lost about an hour till I figured out what the whole issue was.

Thanks for the answers,

---
Tomás A Rossi
Ministerio de Economía
Proyecto de Informática
Buenos Aires, Argentina
problem with MD5 encrypted secret
Another question about secret... How can I configure freeradius to work with MD5 secret? The secret now is coming MD5 encrypted and I see the following error:

---rad_recv: Accounting-Request packet from host 192.168.1.12:1813, id=0, length=772
---Received Accounting-Request packet from 192.168.1.12 with invalid signature! (Shared secret is incorrect.)
---Server rejecting request 11.

Regards,
Guido
Re: Question about processing multiple authorization sources
Replying to my own post...

On Thu, 2006-03-16 at 11:25 -0500, Will Saxon wrote:
> Is it possible to have FreeRADIUS check a separate user database to provide the additional attributes? It seems like I could write a script to take the username, perform some database queries and return the appropriate information, but beyond that I don't know how to go about implementing such a solution.

Never mind, I have figured it out. You just have to set up the sql module and insert it after the ldap module in the authorize stanza. The user has to exist in the radcheck table and have the 3 attributes (tunnel-type, tunnel-medium-type and tunnel-private-group-id) set in the radreply table.

-Will

--
Will Saxon
Systems Programmer - Network Services
University of Florida Department of Housing
Re: Vendor Specific IDs
Eliot, Wireless and Server Administrator, Great Lakes Internet [EMAIL PROTECTED] wrote:
> Before I start, let me just ask if there are any already created attributes that control bandwidth rates in the Tx and Rx directions which take a string as a value?

No. These are non-standard attributes, even if they might exist for a particular vendor.

> How do I choose a number for the Vendor-Id?

www.iana.org. Apply for a Private Enterprise Code. Or, simply steal one from a company that doesn't exist, or doesn't use RADIUS. That works only if your attributes are *completely* local to your deployment.

> So, my second question is: When FreeRADIUS calls that second script, can/does it send the original Access-Accept attributes to the cleanup script?

You'll have to keep track of them somewhere yourself.

Alan DeKok.
Passing value of attribute set in acct_users
Can someone please tell me how I can reference a value I set in the acct_users file so that I can use it in attr_rewrite? Or can I not do so?

Thanks
Ben
Re: Assigning DNS servers
Tony

You might want to look at using USR-Primary_DNS_Server and USR-Secondary_DNS_Server. I don't know how the modems will react with MS specific attributes but I'm sure there are others on the list with more experience who could tell you for sure.

Ben

On Thu, 2006-03-16 at 18:12 +, Tony Spencer wrote:
> Hi
>
> I want to be able to assign DNS servers for each user to use as part of the users radius entry. If I use:
>
> MS-Primary-DNS-Server = "ip address",
> MS-Secondary-DNS-Server = "ip address"
>
> For each users radius config will this work? These users are ADSL users using DSL modems and routers.
>
> Thanks
> Tony
Re: Assigning DNS servers
Tony Spencer [EMAIL PROTECTED] wrote:
> I want to be able to assign DNS servers for each user to use as part of the users radius entry.

Read your NAS documentation to see what attributes it needs. If it doesn't list DNS server attributes, then you can't send any, because it won't be looking for them.

Alan DeKok.
Re: Module not loading
"Tomás A. Rossi" [EMAIL PROTECTED] wrote:
> Is it fixed in a newer version? (I'm using 1.0.4)

No idea, sorry.

Alan DeKok.
Question about a configuration entry in the eap.conf file
Hello,

I have a question about a configuration entry in the eap.conf file. What does the following entry mean:

    # A list is maintained to correlate EAP-Response packets with
    # EAP-Request packets. After a configurable length of time,
    # entries in the list expire, and are deleted.
    timer_expire = 60

What will happen if I change the timer value?

Thanks
Terry Zarelli
Re: Assigning DNS servers
On Thu 16 Mar 2006 20:12, Tony Spencer wrote:
> Hi
> I want to be able to assign DNS servers for each user to use as part of the users radius entry. If I use:
> MS-Primary-DNS-Server = ip address,
> MS-Secondary-DNS-Server = ip address
> For each users radius config will this work?

Yes, as long as your NAS supports these attributes. (Most do)

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: problem with MD5 encrypted secret
Guido [EMAIL PROTECTED] wrote:
> ---Received Accounting-Request packet from 192.168.1.12 with invalid signature! (Shared secret is incorrect.)

The shared secret is wrong. You did not type it in correctly.

> How can I configure freeradius to work with MD5 secret? The secret now is coming MD5 encrypted and I see the following error:

RADIUS doesn't work like that.

Alan DeKok.
Re: Module not loading
"Tomás A. Rossi" [EMAIL PROTECTED] wrote:
> That's not my point. I'm not trying to say that you should do that but rather to print some kind of message showing that the server has read the module instantiation.

Why? It doesn't, in fact, read the module instantiation because it doesn't even look for it, because the module isn't being used.

> FreeRADIUS is a very nice product though I think at least you should concede me that it lacks good documentation IMHO.

You're joking, right? Have you ever tried to use a *commercial* server? Many of those make our documentation look world-leading.

> I was trying to add a module not knowing of the above mentioned behavior.

No. You were trying to add a module without telling the server to use it, and you were surprised that the server didn't use it.

If the server *had* printed out the message you wanted, odds are that your next question would be "why doesn't the server use the module when I send it a packet? I listed it in the instantiate section!"

Yes, we've been through this discussion before with other people. You're not the first to run into this. And the end result of what you want is an endless series of messages explaining why the server isn't doing what you think it's doing. It's a lot easier to have the server print out what it *is* doing, and then tell people to read the documentation to see why it isn't doing what they expect. Usually, their expectations are wrong, and the documentation contains the information to correct the expectation.

> It results in only adding the entry inside the instantiation section and testing if 'radiusd -X' returned some message to give me a clue that the module instantiation was parsed at least.

And what did you expect the server would do after that? You still haven't answered that question. So you're not explaining what you thought was going on, or what you were trying to do. You're just complaining that the server isn't doing what you want.

Alan DeKok.
Freeradius Mysql initial install
All,

I appreciate the help you have given me on this and I am pretty sure I am like one or two changes off the correct path. When I do the radtest, it always tells me that:

[EMAIL PROTECTED] ~]# radtest atkinsd x lhost 1645
Sending Access-Request of id 168 to 127.0.0.1 port 1812
        User-Name = atkinsd
        User-Password = x
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1645
Re-sending Access-Request of id 168 to 127.0.0.1 port 1812
        User-Name = atkinsd
        User-Password = x
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1645
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=168, length=20
rad_decode: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)

I have checked and double checked the shared secret in Users, sql.conf, radiusd.conf. Any ideas?

Thanks again
Re: rlm_perl segfault
I've applied the patch you provided and freeradius starts up without issue now. Thanks for your help, it's much appreciated.

On Tue, 2006-03-14 at 12:04 +0200, Boian Jordanov wrote:
> On Tuesday 14 March 2006 02:08, Grant Zanetti wrote:
>> On Mon, 2006-03-13 at 11:48 +0200, Boian Jordanov wrote:
>>> On Friday 10 March 2006 00:39, Grant Zanetti wrote:
>>>> In addition to this I have done a manual compile (non-package) and have a better back trace perhaps:
>>>
>>> Which version of libperl ?
>>
>> libperl5.8 (5.8.8-2). libperl is package installed. Freeradius is now manually compiled.
>
> Apply this patch to freeradius-1.1.0 rlm_perl
Re: Freeradius Mysql initial install
Atkins, Dwane P [EMAIL PROTECTED] wrote:
> rad_decode: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)
>
> I have checked and double checked the shared secret in Users, sql.conf, radiusd.conf.

There are no shared secrets in any of those files. Try reading clients.conf

Alan DeKok.
Re: Freeradius Mysql initial install
I thought shared secret was in clients.conf
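What "invalid signature (Shared secret is incorrect)" actually checks, for both Guido's Accounting-Request and Dwane's Access-Reject above, as an added example that is not from the thread or from FreeRADIUS itself: the 16-byte Authenticator is an MD5 over the packet plus the shared secret, so a NAS that has been given hex(MD5(secret)) instead of the secret, or any other mismatched string, fails the check exactly as the log lines show. The attribute bytes, the secret and the stand-in request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct
ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE, ACCESS_CHALLENGE = 2, 3, 4, 5, 11

def _authenticator(code, ident, auth_field, attrs, secret):
    # MD5 over Code, Identifier, Length, a 16-byte field, the attributes and the shared secret
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + auth_field + attrs + secret).digest()

def build_accounting_request(ident, attrs, secret):
    # RFC 2866: the 16-byte field is all zeros for an Accounting-Request
    auth = _authenticator(ACCT_REQUEST, ident, bytes(16), attrs, secret)
    return struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def build_response(code, ident, attrs, request_auth, secret):
    # RFC 2865: the 16-byte field is the Authenticator of the request being answered
    auth = _authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify(packet, secret, request_auth=None):
    # True if the Authenticator was computed with `secret`: the check behind
    # "invalid signature (Shared secret is incorrect)" in the server log
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    code, ident, attrs = packet[0], packet[1], packet[20:]
    if code == ACCT_REQUEST:
        expected = _authenticator(code, ident, bytes(16), attrs, secret)
    elif code in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE, ACCT_RESPONSE):
        if request_auth is None:
            return False
        expected = _authenticator(code, ident, request_auth, attrs, secret)
    else:
        return False  # an Access-Request carries a random Authenticator; not checkable here
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample data: Acct-Status-Type (40) = Start (1) and a placeholder secret
SAMPLE_ATTRS = struct.pack("!BBI", 40, 6, 1)
SECRET = b"placeholder-secret"

def demo():
    # Cases: correct secret; wrong secret; a NAS configured with hex(MD5(secret)) as in the
    # thread; an Access-Reject checked against the request Authenticator it answers
    req = build_accounting_request(0, SAMPLE_ATTRS, SECRET)
    hashed = hashlib.md5(SECRET).hexdigest().encode()
    req_auth = bytes(range(16))  # stand-in for an Access-Request's random Authenticator
    reject = build_response(ACCESS_REJECT, 168, b"", req_auth, SECRET)
    return (verify(req, SECRET), verify(req, b"wrong-secret"),
            verify(build_accounting_request(0, SAMPLE_ATTRS, hashed), SECRET),
            verify(reject, SECRET, req_auth))
```

The secret the server uses is the one in clients.conf for the client's source address, which is why mismatches in users, sql.conf or radiusd.conf cannot be the cause.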
RE: Assigning DNS servers
I'm using a Cisco 7204VXR to do the authentication. It seems it doesn't pass these attributes. Debugging radius and AAA authentication shows all the other attributes it's passing. Anyone using a Cisco to do radius authentication and assign DNS servers?

Thanks
Tony

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Peter Nixon
Sent: 16 March 2006 21:45
To: FreeRadius users mailing list
Subject: Re: Assigning DNS servers

On Thu 16 Mar 2006 20:12, Tony Spencer wrote:
> Hi
> I want to be able to assign DNS servers for each user to use as part of the users radius entry. If I use:
> MS-Primary-DNS-Server = ip address,
> MS-Secondary-DNS-Server = ip address
> For each users radius config will this work?

Yes, as long as your NAS supports these attributes. (Most do)

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc