Re: h323-return-code
"Guido" <[EMAIL PROTECTED]> wrote:
> When response: Access Reject, I can't see any h323-return-code.

Access-Reject packets are not allowed to contain any attributes. If you want to return an attribute, edit the source code.

Alan De
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fwd: Regular expression - Trying to rewrite User-Name
Thanks for all your input so far. I am still looking, trying to use the hints and huntgroups files for a workaround; no success yet. By the way, I should mention the code worked perfectly well with Red Hat 9.

[00-0423-236767-676752-6752-52]

The first and the last octet work; it's just {2} - {5} that are acting up.

Additional information, my auth-log file:

	Packet-Type = Access-Request
Thu May 11 18:33:02 2006
	NAS-IP-Address = 1.5.1.32
	User-Name = "00042367672f"
	User-Password = "00042367672f"
	Calling-Station-Id = "00042367672F"
	Called-Station-Id = "000B8602DD80"
	NAS-Port = 0
	NAS-Port-Type = Wireless-802.11
	Vendor-14823-Attr-5 = 0x4e5355
	Vendor-14823-Attr-6 = 0x302e302e30
	Client-IP-Address = 1.5.1.3

Debug output:

[EMAIL PROTECTED] done]# radiusd -d /etc/ciscoraddb/ -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/ciscoraddb/clients.conf
Config: including file: /etc/ciscoraddb/snmp.conf
Config: including file: /etc/ciscoraddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/ciscoradius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/ciscoradius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1814
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/ciscoradius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/ciscoradiusd.pid"
 main: bind_address = 137.52.128.40 IP address [137.52.128.40]
 main: user = "nobody"
 main: group = "nobody"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 0
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
There appears to be another RADIUS server running on the authentication port 1814
h323-return-code
Hello everybody,

I'm using freeradius 1.1.0. The issue is with h323-return-code and Reject as the response. When the response is Access-Accept all works fine: I can see h323-return-code and h323-credit-time. When the response is Access-Reject, I can't see any h323-return-code.

The question is: is there something to configure in radiusd.conf or mssql.conf? (I'm using authorize_check_query and authorize_reply_query, both with stored procedures.)

Best Regards,
Guido
Re: Fwd: Regular expression - Trying to rewrite User-Name
Zoltan Ori wrote:
> On Thursday 11 May 2006 16:30, Dennis Skinner wrote:
>> Are you responding to me?
>
> Yes, he is.

I was subtly suggesting he should include relevant text in his responses like I am doing. If someone searches the archives later, they have no context for his message.

> Mr Porter has 0e353afe19xx coming in.

I don't think he does. Hence my response and request for debug output. His regex won't do that and I don't know of anything else that would munge the username like that.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: Fwd: Regular expression - Trying to rewrite User-Name
On Thursday 11 May 2006 16:30, Dennis Skinner wrote:
> Damian Porter wrote:
> > the user-name is coming to the radius process without any dashes and i
> > want to add dashes to separate the octets.
> >
> > I have looked an that document and it does not offer a solution for the
> > problem.
>
> Are you responding to me?
>
> 0e35-353afe-3afe19-fe19 has dashes. Either it came that way or your

Yes, he is.

Mr Porter has 0e353afe19xx coming in. He wants 0e-35-3a-f3-19-xx. His replacement is not working as he wishes. He is wanting ([a-z0-9]{2}) ... to break up the 12 character string into 6 groups of 2 and then insert dashes between them.

I don't have the answer, but that is the problem as I see it.

Zoltan Ori
Re: Regular expression - Trying to rewrite User-Name
On Thu, 2006-11-05 at 15:13 -0400, Damian Porter wrote:
> I have been struggling with this problem for a few days now.
>
> I use Centos 4.3 and freeradius 1.0.1. I am trying to rewrite a
> username to include dashes. See my statement below in the rewrite
> section.
>
> searchfor = "([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})"
> replacewith = "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
>
> This is the output that I am getting in my radius.log file.
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #2
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #3
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
> Thu May 11 14:36:24 2006 : Info: Ready to process requests.
> Thu May 11 14:36:39 2006 : Auth: Login incorrect: [0e35-353afe-3afe19-fe19/NOPASSWORD] (from client$
> Thu May 11 14:38:49 2006 : Auth: Login incorrect: [13ce-ce20f9-20f949-f949/NOPASSWORD] (from client$
> Thu May 11 14:38:56 2006 : Auth: Login incorrect: [0e35-353ad7-3ad71b-d71b/NOPASSWORD] (from client$
>
> PS I have even gone as far as downloading regular expression programs
> to check my code. If anybody has any suggestions or has encountered this
> problem before let me know.

I have no idea if that is supposed to work, but I noticed what appears to be a problem:

0e35-353ad7-3ad71b-d71b

cannot be parsed with:

([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})

because:

1) 0e35-353ad7-3ad71b-d71b is 24 characters, not 12
2) You have no provisions for '-' characters.

So your search will not get a match.
Re: Fwd: Regular expression - Trying to rewrite User-Name
Damian Porter wrote:
> the user-name is coming to the radius process without any dashes and i
> want to add dashes to separate the octets.
>
> I have looked an that document and it does not offer a solution for the
> problem.

Are you responding to me?

0e35-353afe-3afe19-fe19 has dashes. Either it came that way or your regex works (at least partially). If it came that way, then your searchfor will never work because it is not expecting those dashes. If it didn't come that way, I'd be surprised because it doesn't look like your regex should do that.

Try running the server in debug mode and send us the output. You may be surprised by what it tells you.

As to the link, look again. It wasn't meant to fix your regex, it was meant to suggest an alternative way to do what you are doing (you still need to figure out the regex). It has instructions on how to rewrite a username using regex (exactly what you are trying to do) with just the hints file. It is a bit more elegant and will likely rewrite the username sooner in the processing, allowing you to use the new username in huntgroups, etc.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: Rm: Mysql 5.0 with freeradius 1.1.1
[EMAIL PROTECTED] wrote:
> Dear list:
>
> I'm taking up again my work with freeradius from two years ago. Now I'm
> working on a RHE AS Linux distribution box and working with MySQL
> 5.0. In this version the password hashing algorithm has changed and
> differs from MySQL 3.x or 4.x. So I'd like to know if the freeradius engine
> will work without problems with MySQL 5.0 or later.
> Refer to this article:

First of all this would only affect the password in the sql.conf file. The article is referring to passwords that allow you to connect to the db, not passwords stored in the radcheck table (I hope you aren't using PASSWORD() on that table).

I believe that FreeRADIUS uses the mysqlclient libs (hence mysql-devel is required to build it). So if the libs that radiusd is linked against support the new password format, then so should FreeRADIUS.

Third, you can still use the old password format.

Fourth, please avoid sending html to the list.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Fwd: Regular expression - Trying to rewrite User-Name
The User-Name is coming to the radius process without any dashes and I want to add dashes to separate the octets.

I have looked at that document and it does not offer a solution for the problem.
Re: Regular expression - Trying to rewrite User-Name
Damian Porter wrote:
> I have been struggling with this problem for a few days now.
>
> I use Centos 4.3 and freeradius 1.0.1. I am trying to rewrite a username
> to include dashes. See my statement below in the rewrite section.
>
> searchfor = "([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})"
> replacewith = "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
>
> [0e35-353afe-3afe19-fe19/NOPASSWORD] (from client$
> Thu May 11 14:38:49 2006 : Auth: Login incorrect: [13ce-ce20f9-20f949-f949/NOPASSWORD] (from client$
> Thu May 11 14:38:56 2006 : Auth: Login incorrect: [0e35-353ad7-3ad71b-d71b/NOPASSWORD] (from client$

First of all you may want to look at this:
http://wiki.freeradius.org/index.php/Adding%2C_Removing%2C_Modifying_Attributes_for_further_processing

Next, the searchfor has no dashes in it, but the username does, so it will never match.

Third, if the username is in hex, you only need a-f, not a-z.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
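The two points made above (the posted searchfor cannot match a User-Name that already contains dashes, and a MAC address only needs the hex class), as an added example that is not from the thread and not from FreeRADIUS itself. It uses Python's re module to show what the posted searchfor/replacewith pair does and does not match, and a tightened pattern (anchored, hex only, case-insensitive) beside it; the inputs are constructed from the values quoted in the thread. Python writes back-references as \1..\6 where rlm_attr_rewrite writes %{1}..%{6}; the server's own regex engine, and the partially dashed names seen in the posted log, are not reproduced here.

```python
import re

# Pattern as posted: six groups of two [a-z0-9] characters, unanchored.
# Python re uses \1..\6 in the replacement where rlm_attr_rewrite uses %{1}..%{6}.
POSTED_SEARCHFOR = re.compile(r"([a-z0-9]{2})" * 6)
POSTED_REPLACEWITH = r"\1-\2-\3-\4-\5-\6"

# Tightened version: anchored so only a bare 12-hex-digit name qualifies,
# hex digits only, and case-insensitive (User-Name arrives lower-case in the
# thread while Calling-Station-Id arrives upper-case).
HEX_OCTETS = re.compile(r"^" + r"([0-9a-f]{2})" * 6 + r"$", re.IGNORECASE)


def posted_rewrite(user_name: str) -> str:
    """Apply the posted searchfor/replacewith pair (first match only, like a single rewrite)."""
    return POSTED_SEARCHFOR.sub(POSTED_REPLACEWITH, user_name, count=1)


def rewrite_mac_username(user_name: str) -> str:
    """Insert dashes into a bare 12-hex-digit User-Name; anything else is returned unchanged."""
    m = HEX_OCTETS.match(user_name)
    if m is None:
        return user_name
    return "-".join(m.groups())


if __name__ == "__main__":
    # Constructed inputs modelled on the values quoted in the thread.
    samples = (
        "00042367672f",             # bare MAC as seen in the auth log
        "00042367672F",             # same, upper-case
        "0e35-353afe-3afe19-fe19",  # already dashed: the posted pattern finds no 12-char run
        "00042367672fab",           # too long: the unanchored pattern rewrites the first 12 chars anyway
    )
    for name in samples:
        print(f"{name!r:28} posted -> {posted_rewrite(name)!r:24} tightened -> {rewrite_mac_username(name)!r}")
```

The anchoring matters beyond tidiness: the User-Name comes straight from the NAS, and an unanchored pattern rewrites the first twelve characters of whatever arrives, so a longer or differently shaped string still gets a plausible-looking dashed prefix instead of being left alone.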
Rm: Mysql 5.0 with freeradius 1.1.1
Dear list:

I'm taking up again my work with freeradius from two years ago. Now I'm working on a RHE AS Linux distribution box and working with MySQL 5.0. In this version the password hashing algorithm has changed and differs from MySQL 3.x or 4.x. So I'd like to know if the freeradius engine will work without problems with MySQL 5.0 or later. Refer to this article:

I'll be very grateful for your comments. Thank you.

Edu.

Title: MySQL 3.23, 4.0, 4.1 Reference Manual :: 5.7.9.1 Implications of Password Hashing Changes for Application Programs

5.7.9.1. Implications of Password Hashing Changes for Application Programs

An upgrade to MySQL 4.1 can cause a compatibility issue for applications that use PASSWORD() to generate passwords for their own purposes. Applications really should not do this, because PASSWORD() should be used only to manage passwords for MySQL accounts. But some applications use PASSWORD() for their own purposes anyway.

If you upgrade to 4.1 and run the server under conditions where it generates long password hashes, an application that uses PASSWORD() for its own passwords breaks. The recommended course of action is to modify the application to use another function, such as SHA1() or MD5(), to produce hashed values. If that is not possible, you can use the OLD_PASSWORD() function, which is provided to generate short hashes in the old format. But note that OLD_PASSWORD() may one day no longer be supported.

If the server is running under circumstances where it generates short hashes, OLD_PASSWORD() is available but is equivalent to PASSWORD().

PHP programmers migrating their MySQL databases from version 4.0 or lower to version 4.1 or higher should see Section 17.3, "MySQL PHP API".
Regular expression - Trying to rewrite User-Name
I have been struggling with this problem for a few days now.

I use Centos 4.3 and freeradius 1.0.1. I am trying to rewrite a username to include dashes. See my statement below in the rewrite section.

searchfor = "([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})"
replacewith = "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"

This is the output that I am getting in my radius.log file.

Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #2
Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #3
Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
Thu May 11 14:36:24 2006 : Info: Ready to process requests.
Thu May 11 14:36:39 2006 : Auth: Login incorrect: [0e35-353afe-3afe19-fe19/NOPASSWORD] (from client$
Thu May 11 14:38:49 2006 : Auth: Login incorrect: [13ce-ce20f9-20f949-f949/NOPASSWORD] (from client$
Thu May 11 14:38:56 2006 : Auth: Login incorrect: [0e35-353ad7-3ad71b-d71b/NOPASSWORD] (from client$

PS I have even gone as far as downloading regular expression programs to check my code. If anybody has any suggestions or has encountered this problem before let me know.
Nested groups in ldap
I was wondering if there is a way for LDAP to look into nested groups. I have enabled LDAP groups, and I have an LDAP group that contains another group, and I would like LDAP to search within that main group and the nested group to see if a user belongs to either group. If anyone knows how to do this with freeradius+ldap, please let me know.

Thanks,
Rob Kobiske
RE: Freeradius and MySQL
Hello Jeremy,

PLEASE ! SPECIFY YOUR PROBLEM !

You have sent 2-3 comments to the mailing list and nobody (besides Alan) wanted to respond! Why? No needed information (aka "I have a car, the car has tires, but I cannot drive, why?").

You are using a db. Okay. What DB? Firebird, MySQL, MSSQL, Oracle? How does your config look? Send us the debug output of freeradius! We cannot help you without information (or do you expect us to hack into your server to get some info about your config??).

Regards,
Edvin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeremy ohara
Sent: Donnerstag, 11. Mai 2006 20:23
To: freeradius-users@lists.freeradius.org
Subject: Freeradius and MySQL

Hi there,

I have freeradius updated on Fedora. Got a MySQL database, but from what I'm noticing it's not being checked on the database. Got dialupadmin installed and using that to put the accounts into the database, and have set up freeradius with the db.

Jeremy
Re: Strange error
Hi,

> i tried ntradping it seems to work. but from what me and my friend are seing
> its being stopped at the mysql database. we arent sure

Could you be more specific - i.e. send the output from FreeRADIUS in debug mode:

radiusd -X

You may, of course, obfuscate private words and bytes.

alan
Re: Strange error
Jeremy ohara wrote:
> i tried ntradping it seems to work. but from what me and my friend are
> seing its being stopped at the mysql database. we arent sure
>
> have you delt with MYSQL much?
>
> Jeremy

Jeremy,

Have you read any of the docs included with the server? It says over and over and over again (as does this list) to run the server in debug mode. Please do that before posting again.

radiusd -X

Read it. *All* of it.

If you don't know what is wrong, go back to the initial config (i.e. w/o mysql) and make it work just using a simple entry in the users file. Then change as little as possible until you get to your desired config.

FYI - Alan DeKok is the most familiar person in the world with FreeRADIUS. He is the primary developer. He also answers the vast majority of questions here on this list.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Freeradius and MySQL
Hi there,

I have freeradius updated on Fedora. Got a MySQL database, but from what I'm noticing it's not being checked on the database. Got dialupadmin installed and using that to put the accounts into the database, and have set up freeradius with the db.

Jeremy
Re: Strange error
"Jeremy ohara" <[EMAIL PROTECTED]> wrote:
> i tried ntradping it seems to work. but from what me and my friend are seing
> its being stopped at the mysql database. we arent sure

Don't CC me on messages to the list. I get enough email already.

And read the FAQ for how to debug the server.

Alan DeKok.
RE: Strange error
> how formilar are you with Freeradius?

Uh... try reading the list for a while.

Alan DeKok.

HAHAHHA :) Sorry - I just couldn't help myself!

For mailing-list newbies: people that respond to your questions have more experience than you do and they are willing to help (in most cases). Nobody should attach a freeradius CV when answering to the list! Yes - I have compiled freeradius at least 100 times (in a row ;) ) and does that make me "familiar" with this software?

Regards,
Edvin
Re: Strange error
I tried ntradping; it seems to work. But from what my friend and I are seeing, it's being stopped at the MySQL database. We aren't sure.

Have you dealt with MySQL much?

Jeremy

-----Original Message-----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Date: Thu, 11 May 2006 12:51:53 -0400
Subject: Re: Strange error

"Jeremy ohara" <[EMAIL PROTECTED]> wrote:
> when i try to use a test radius program to test the radius to see if it
> works i get
>
> error: warning bad radius packet from host x.x.x.x: unknown packet code 100
>
> does anyone know what this means?

It means that the test client is not sending a normal RADIUS packet. Can you say what test client you're using?

Alan DeKok.
Re: Strange error
"Jeremy ohara" <[EMAIL PROTECTED]> wrote:
> i'm using Radas.

Never heard of it. This probably means its market share is minuscule, i.e. no one else is using it.

> how formilar are you with Freeradius?

Uh... try reading the list for a while.

Alan DeKok.
Re: Solaris 8/SPARC - MySQL 5.0 NDB Cluster - Freeradius 1.1.1 with rlm_sqlippool module: 'radiusd' segmentation fault
"Robles Rodriguez,Alejandro" <[EMAIL PROTECTED]> wrote:
> Well, I'm wondering if this is in a clustered configuration i.e.
> multiple nodes handling the load and cooperating (sharing data such
> as IP pools).

Sharing data is harder. You're better off splitting the IP pools by server. The clients won't notice, or care.

See: http://www.freeradius.org/testimonials.html

> I'd really like to create some sort of standard architecture for
> freeradius that can scale and is reliable and have it in a "real"
> environment for a while for others to have confidence when making
> this same decision that I'm about to make.

Sounds good to me. Diagrams on the Wiki would be good.

> I have compared my version with that of the CVS root and apart
> from some small differences that I'll investigate further I noticed
> that it has the same bug that I found. The problem is that I don't
> know how to report it.

bugs.freeradius.org.

After looking at your proposed patch, I'm not sure it's much better. There are a number of cases where the function returns without calling "finish select", which can/will leak memory.

> Also I think it'd be a good idea to back-port it to 1.1.x. Who
> decides this and how do I express my interest?

Do the work and send in the patch. If nothing else, it can go in as an "experimental" module, which means you can enable it in your local configuration.

Alan DeKok.
Re: radius filters for ldap searching
The only way I got this to work was separate trees in LDAP for each group, and then in your DEFAULT line in your users file put the tree you want it to search for the group and NAS definition.

Message: 2
Date: Thu, 11 May 2006 12:52:47 +0300
From: Mircea Harapu <[EMAIL PROTECTED]>
Subject: radius filters for ldap searching
To: freeradius-users@lists.freeradius.org
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello,

I'm using freeradius 1.0.4 with openldap 2.2.24 to authenticate users on Cisco switches. Every switch belongs to a specific group and for every user I'm setting the groups he can access. I also use Cisco avpairs for privilege level. So far, so good!

The problems occurred when I tried to make a user have different privilege levels on different switches. This is the profile I'm using:

# test, radius, isp.ro
dn: uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
cn: test
userPassword:: xxx
radiusGroupName: bucuresti
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User

# bucuresti, test, radius, isp.ro
dn: cn=bucuresti,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: bucuresti
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=15"
cn: bucuresti

# valcea, test, radius, isp.ro
dn: cn=valcea,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=7"
cn: valcea

raddb/users

# Switch 192.168.50.202
# Descriere test
DEFAULT NAS-IP-Address == 192.168.50.202, Ldap-Group == bucuresti
        Fall-Through = no

DEFAULT Auth-Type := Reject

What I need is to filter the LDAP search in the authorize section based on GroupName and I don't know how.

-- 
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
Re: Strange error
I'm using Radas. I'm just about to try ntradping.

How familiar are you with Freeradius?

Jeremy

-----Original Message-----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Date: Thu, 11 May 2006 12:51:53 -0400
Subject: Re: Strange error

"Jeremy ohara" <[EMAIL PROTECTED]> wrote:
> when i try to use a test radius program to test the radius to see if it
> works i get
>
> error: warning bad radius packet from host x.x.x.x: unknown packet code 100
>
> does anyone know what this means?

It means that the test client is not sending a normal RADIUS packet. Can you say what test client you're using?

Alan DeKok.
Re: PB with Accent in nspmPassword in request LDAP between FREE-RADIUS 1.0.5 (suse) and edirectory novell 6.5
[EMAIL PROTECTED] wrote:
> Then the freeradius server compares this login / nspmPassword with the
> login / password received first, it finds differences and does not
> authenticate the user.
> I don't know if the nspmPassword sent back by the Novell server is bad or
> good because the ldap response is encrypted (port 636).

Edit rlm_ldap.c to print out the nspmPassword it receives.

My tests with FreeRADIUS indicate that it supports UTF-8 just fine. So there should be no problems using characters with accents.

Alan DeKok.
Re: Strange error
"Jeremy ohara" <[EMAIL PROTECTED]> wrote:
> when i try to use a test radius program to test the radius to see if it
> works i get
>
> error: warning bad radius packet from host x.x.x.x: unknown packet code 100
>
> does anyone know what this means?

It means that the test client is not sending a normal RADIUS packet. Can you say what test client you're using?

Alan DeKok.
Strange error
Hi there,

I just set up freeradius with MySQL. When I try to use a test radius program to test the radius to see if it works I get:

error: warning bad radius packet from host x.x.x.x: unknown packet code 100

Does anyone know what this means?

Jeremy
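What "unknown packet code 100" means in wire terms, as an added example that is not from this thread and not FreeRADIUS code. The first byte of a RADIUS datagram is the Code, and RFC 2865/2866 define only a handful of values; a server that sees anything else, or a Length field that disagrees with the datagram it received, should drop the packet before it looks at a single attribute, which is the "not a normal RADIUS packet" case Alan describes. The datagrams below are constructed sample input, the warning text is modelled on the message Jeremy posted, and the attribute walk is a plain TLV check rather than a full dictionary-driven decoder.

```python
import struct

# Packet codes defined in RFC 2865 / RFC 2866; anything else is not RADIUS.
RADIUS_CODES = {
    1: "Access-Request",
    2: "Access-Accept",
    3: "Access-Reject",
    4: "Accounting-Request",
    5: "Accounting-Response",
    11: "Access-Challenge",
    12: "Status-Server",
    13: "Status-Client",
}

HEADER_LEN = 20        # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_PACKET_LEN = 4096  # RFC 2865 section 3


class BadRadiusPacket(ValueError):
    """Raised for anything a server should discard before touching attributes."""


def parse_header(datagram: bytes, source: str = "x.x.x.x") -> dict:
    """Validate the fixed header and return its fields plus the attribute bytes."""
    if len(datagram) < HEADER_LEN:
        raise BadRadiusPacket(f"bad radius packet from host {source}: too short ({len(datagram)} bytes)")
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if code not in RADIUS_CODES:
        raise BadRadiusPacket(f"bad radius packet from host {source}: unknown packet code {code}")
    if length < HEADER_LEN or length > MAX_PACKET_LEN or length > len(datagram):
        raise BadRadiusPacket(f"bad radius packet from host {source}: bad length {length}")
    return {
        "code": RADIUS_CODES[code],
        "identifier": identifier,
        "length": length,
        "authenticator": datagram[4:HEADER_LEN],
        # Bytes past Length are padding and must be ignored (RFC 2865 section 3).
        "attributes": datagram[HEADER_LEN:length],
    }


def iter_attributes(attrs: bytes):
    """Walk attribute TLVs, refusing any Length that would run off the end."""
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise BadRadiusPacket("attribute header truncated")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise BadRadiusPacket(f"attribute {atype} has bad length {alen}")
        yield atype, attrs[pos + 2:pos + alen]
        pos += alen


def classify(datagram: bytes) -> str:
    """Packet type name, or the server-style warning for a datagram that is not RADIUS."""
    try:
        return parse_header(datagram)["code"]
    except BadRadiusPacket as exc:
        return f"warning: {exc}"


def is_well_formed(datagram: bytes) -> bool:
    """True only if both the header and every attribute TLV pass the checks above."""
    try:
        list(iter_attributes(parse_header(datagram)["attributes"]))
        return True
    except BadRadiusPacket:
        return False


def build_packet(code: int, identifier: int, authenticator: bytes, attributes: bytes = b"") -> bytes:
    """Assemble a datagram; used here only to construct sample input."""
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + authenticator + attributes


if __name__ == "__main__":
    auth = bytes(16)  # constructed all-zero Request Authenticator, fine for header checks
    samples = {
        "proper Access-Request": build_packet(1, 7, auth, b"\x01\x06test"),  # User-Name = "test"
        "code 100 as in the thread": build_packet(100, 7, auth),
        "length field larger than datagram": build_packet(1, 7, auth, b"\x01\x06test")[:24],
    }
    for label, pkt in samples.items():
        print(f"{label:36} -> {classify(pkt)}  well-formed={is_well_formed(pkt)}")
```

The order of the checks is the point: code and length are validated against the datagram that actually arrived before any attribute offset is computed, so a forged or broken client cannot steer the parser past the end of the buffer; the authenticator and shared secret are checked later, at the point where the request is accepted for processing.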
Re: FreeRADIUS, MySQL and usergroups again
Am Donnerstag, 11. Mai 2006 17:38 schrieb Christopher Carver:
> If you want to use rlm_sql you do this with the tables radius.usergroup
> and radius.radgroupcheck. In radius.radgroupcheck you'd have something
> like this:
>
> +----+-----------+-----------+----+--------+
> | id | GroupName | Attribute | op | Value  |
> +----+-----------+-----------+----+--------+
> |  1 | RASUser   | Auth-Type | := | system |
> +----+-----------+-----------+----+--------+
>
> Then in radius.usergroup for each user you want in this group you'll
> have a row like this:
>
> +-------+----------+-----------+
> | id    | UserName | GroupName |
> +-------+----------+-----------+
> | 39747 | thisuser | RASUser   |
> +-------+----------+-----------+
>
> That pasted rather ugly, but I think you should get the point. Using
> sql eliminates the need for the users file to be able to do what you
> asked about. Let me know if this doesn't answer your question.
>
> Chris Carver

Thanks for your answer. But I think this is not quite what I was looking for. I want to administer the passwords in MySQL, not in the system, so I need Auth-Type := Local. And this authenticates every user that is in the database, not only those in the specific group.

I solved it by adding

DEFAULT Group != "RASUser", Auth-Type := Reject

in my files.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
Re: MySQL: Group membership test
Am Donnerstag, 11. Mai 2006 16:23 schrieb Bogdan Dumitriu - Technical Support Team:
> You can create a group "deactivated" for the users you don't want to
> allow to connect and set Auth-Type == Reject for that group.
(...)
> Thanks,
> Bogdan.

Hi,

Auth-Type == Reject was the right solution. But I use it a little bit differently:

DEFAULT Group != "RASUser", Auth-Type := Reject

This seems to work, at least in the first tests ...

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
Re: FreeRADIUS, MySQL and usergroups again
If you want to use rlm_sql you do this with the tables radius.usergroup and radius.radgroupcheck. In radius.radgroupcheck you'd have something like this:

+----+-----------+-----------+----+--------+
| id | GroupName | Attribute | op | Value  |
+----+-----------+-----------+----+--------+
|  1 | RASUser   | Auth-Type | := | system |
+----+-----------+-----------+----+--------+

Then in radius.usergroup for each user you want in this group you'll have a row like this:

+-------+----------+-----------+
| id    | UserName | GroupName |
+-------+----------+-----------+
| 39747 | thisuser | RASUser   |
+-------+----------+-----------+

That pasted rather ugly, but I think you should get the point. Using sql eliminates the need for the users file to be able to do what you asked about. Let me know if this doesn't answer your question.

Chris Carver
Pennswoods.Net
Network Engineer

Michael Schwartzkopff wrote:
> Hi,
>
> I want to authorize users according to the membership in a group. With
> Auth-Type=System it is easy:
>
> DEFAULT Auth-Type = System, Group == "RASUser"
>
> Is there any analogy to this setup in the sql module?
>
> Thanks for any help, I am quite desperate already ...
RE: Several passwords for a user
Hello,

Besides the comment of Alan D., I think you should have a damn good reason for entering more than one password for ONE user. Are you trying to make your system THAT complicated? Or are your users just too stupid to remember (or even write down) a given password?

Regards,
Edvin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Donnerstag, 11. Mai 2006 15:46
To: FreeRadius users mailing list
Subject: Re: Several passwords for a user

Santiago Balaguer García <[EMAIL PROTECTED]> wrote:
> I use freeradius-1.1.0. Where is any problem an account has two or more
> entries in radcheck table???
>
> I use :
>   11:22:33:44:55:66 :=''
>   11:22:33:44:55:66 :=mypassword

What are you trying to do? Those entries don't match anything in the FreeRADIUS documentation, and will *not* do anything useful.

Alan DeKok.
RE: MySQL: Group membership test
You can create a group "deactivated" for the users you don't want to allow to connect and set Auth-Type == Reject for that group.

If you want to tie a group to a certain NAS you have to use huntgroups:

    TestNAS1    NAS-IP-Address == xxx.xxx.xxx.xxx
                SQL-Group == dialup, SQL-Group == adsl

It means that if the user is coming from this NAS it has to be a member of those groups. Otherwise auth fails.

Is this what you are looking for? At least this is my set up. If you find a better way please let me know.

Thanks,
Bogdan.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Schwartzkopff
Sent: May 11, 2006 4:22 AM
To: freeradius-users@lists.freeradius.org
Subject: MySQL: Group membership test

> Hi,
>
> As a backend database to RADIUS I use MySQL. Now I have a special problem:
>
> I want to authorize a user for a specific service only if the user is a member of a specific group, say "RAS_User". This configuration is necessary because this database is also used for other authentication/authorization.
>
> The documentation says that the authcheck_table is searched for the user and the reply items in the authrepl_table are returned for the user. I did not find any hint how to configure my freeradius so that the user is authorized to use the service only if he is a member of a specific group. The groupcheck only adds further attributes.
>
> In the ldap module f.i. I can use the "groupmembership_filter". Is there anything similar in the sql module? How can I configure freeradius or the sql module to test the group membership?
>
> Thanks for any help.
>
> --
> Dr. Michael Schwartzkopff
> MultiNET Services GmbH
> Bretonischer Ring 7
> 85630 Grasbrunn
> Tel: (+49 89) 456 911 - 0
> Fax: (+49 89) 456 911 - 21
> mob: (+49 174) 343 28 75
> PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
> Skype: misch42

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
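Added example, not from either post above and not FreeRADIUS code: a small Python/sqlite3 model of what rlm_sql 1.x does with the usergroup and radgroupcheck tables Chris describes, plus the "must be a member of this group or get rejected" rule Bogdan implements through huntgroups. The table and column names and the group-check join are the ones FreeRADIUS 1.x issues (the same query appears in the debug output quoted later on this page); the user names, passwords and group rows are constructed sample data.

```python
"""Model of FreeRADIUS 1.x rlm_sql group handling (added example, not server code)."""
import sqlite3

# Minimal schema: only the columns the rlm_sql 1.x check queries use.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup     (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
"""

# Constructed sample rows (assumption): alice may dial in, bob is disabled,
# carol exists for some other service and is in no RADIUS group at all.
SAMPLE_ROWS = [
    ("radcheck", (1, "alice", "User-Password", "==", "alice-secret")),
    ("radcheck", (2, "bob", "User-Password", "==", "bob-secret")),
    ("radcheck", (3, "carol", "User-Password", "==", "carol-secret")),
    ("radgroupcheck", (1, "RASUser", "Auth-Type", ":=", "System")),
    ("radgroupcheck", (2, "deactivated", "Auth-Type", ":=", "Reject")),
    ("usergroup", (1, "alice", "RASUser")),
    ("usergroup", (2, "bob", "deactivated")),
]

# The group-check query as rlm_sql 1.x issues it, parameterised instead of
# the %{SQL-User-Name} xlat (so no SQL is built by string concatenation).
GROUP_CHECK_QUERY = """
SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
       radgroupcheck.Value, radgroupcheck.op
  FROM radgroupcheck, usergroup
 WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName
 ORDER BY radgroupcheck.id
"""
USER_CHECK_QUERY = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE UserName = ? ORDER BY id"


def build_db():
    """In-memory database loaded with the sample rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, row in SAMPLE_ROWS:
        placeholders = ",".join("?" * len(row))
        conn.execute(f"INSERT INTO {table} VALUES ({placeholders})", row)
    return conn


def group_check_items(conn, username):
    """Check items contributed by every group the user is a member of."""
    rows = conn.execute(GROUP_CHECK_QUERY, (username,)).fetchall()
    return [(attr, op, value) for _id, _group, attr, value, op in rows]


def is_member(conn, username, group):
    """Equivalent of the SQL-Group == <group> check used in huntgroups."""
    row = conn.execute("SELECT 1 FROM usergroup WHERE UserName = ? AND GroupName = ?",
                       (username, group)).fetchone()
    return row is not None


def effective_check_items(conn, username):
    """User check items first, then group items; ':=' overrides an existing item."""
    items = {}
    for _id, _user, attr, value, op in conn.execute(USER_CHECK_QUERY, (username,)):
        items[attr] = (op, value)
    for attr, op, value in group_check_items(conn, username):
        if op == ":=" or attr not in items:
            items[attr] = (op, value)
    return items


def authorize(conn, username, required_group=None):
    """Outcome of the authorize stage for the sample data.

    required_group models the huntgroup rule: a user outside that group is
    rejected before any check item is looked at. Otherwise the result is the
    Auth-Type the check items produce, or None when they set none, in which
    case the real server falls through to its default authentication. That
    is exactly the questioner's problem: a user in no group is not refused
    by the group tables alone, so the refusal has to be made explicit.
    """
    if required_group is not None and not is_member(conn, username, required_group):
        return "Reject"
    auth = effective_check_items(conn, username).get("Auth-Type")
    return auth[1] if auth else None


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol"):
        print(user, authorize(db, user), authorize(db, user, "RASUser"))
```

Running it shows alice getting Auth-Type System, bob getting Reject from the "deactivated" group, and carol getting nothing from the group tables but Reject once the huntgroup-style membership requirement is applied.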
FreeRADIUS, MySQL and usergroups again
Hi,

I want to authorize users according to the membership in a group. With Auth-Type=System it is easy:

    DEFAULT Auth-Type = System, Group == "RASUser"

Is there any analogy to this setup in the sql module?

Thanks for any help, I am quite desperate already ...

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Several passwords for a user
Santiago Balaguer García <[EMAIL PROTECTED]> wrote:
> I use freeradius-1.1.0. Where is any problem an account has two or more
> entries in radcheck table???
>
> I use :
>     11:22:33:44:55:66 :=''
>     11:22:33:44:55:66 :=mypassword

What are you trying to do? Those entries don't match anything in the FreeRADIUS documentation, and will *not* do anything useful.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP: what password backends can be used?
Alain Fauconnet <[EMAIL PROTECTED]> wrote:
> Then I must have missed it. I probably have searched for the wrong
> keywords... yes, I see now in the FAQ, I should have searched for
> "chap" and not "ms-chap" or "mschap". Sorry.

You're not the first person to ask this question. Google should return a *lot* of answers.

> This is PPTP, so encryption is MPPE.
> When you configure a Windows client for a VPN (PPTP)
> connection, if you enable encryption and allow anything but MS-CHAP
> and MS-CHAP-V2, it says that if anything else is used (such as PAP),
> encryption will be disabled.

Ah. That would appear to be definitive, then.

> Well, I've inherited this installation and the Radius service is used
> for a dozen different things so I have to be very careful not to break
> anything. Anyway why is PAM so evil by itself?

I've been working with PAM for many years. I've never liked it. If nothing else, PAM isn't designed to be used in the way that FreeRADIUS is using it: one process doing many PAM authentications. It's meant to be used by "login", and similar programs. We've had problems in the past with PAM because of this.

> OK, assuming I have a smbpasswd format file somewhere (not the case
> now), I should configure the mschap *and* passwd modules,
> uncommenting:

Yes.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Several passwords for a user
Hi,

I use freeradius-1.1.0. Is there any problem if an account has two or more entries in the radcheck table???

I use:

    11:22:33:44:55:66 :=''
    11:22:33:44:55:66 :=mypassword

I changed the op to := instead of ==. Is there any problem???

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting - FramedIPAddress - DHCP/IPPOOL
2006/5/10, Alan DeKok <[EMAIL PROTECTED]>:
> > We have to script the coordination between the DHCP server?
>
> Yes.

To be sure I understand ... there are scripts that coordinate the AP's accounting information with the DHCP client/server dialog ... the AP can take the information from the DHCP dialog ... Sorry if I am mistaken ...

I have wireless and wired clients ... What is possible with the switch (Cisco 2950)?

Thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting - FramedIPAddress - DHCP/IPPOOL
2006/5/10, Alan DeKok <[EMAIL PROTECTED]>:
> A well written DHCP server should be as flexible as FreeRADIUS, and
> allow you to write the IP to an SQL table. Unfortunately, there is no
> such DHCP server.

I don't understand ... You mean that it's necessary to develop a better ippool/dhcp function in FreeRADIUS?

Thanks for your answer, now I am sure that it's impossible to use ippool with EAP.

Psymad

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PB with Accent in nspmPassword in request LDAP between FREE-RADIUS 1.0.5 (suse) and edirectory novell 6.5
Hello,

I apologize for the delay in this reply.

My 802.1x client sends an authentication request on the network. By means of an ENTERASYS switch, the authentication request arrives at the RADIUS server with login / password. The authentication request (login / password with accents) arrives correctly at the RADIUS server.

To authenticate the user, the freeradius server sends an LDAP request to the Novell server (just with the user login) to ask it for the nspmPassword. The Novell server replies with an LDAP response containing the nspmPassword attribute. Then the freeradius server compares this login / nspmPassword with the login / password received first, finds differences and does not authenticate the user.

I don't know if the nspmPassword sent back by the Novell server is bad or good because the LDAP response is encrypted (port 636). The unencrypted mode is refused by the Novell server. The debug mode of freeradius (radius-x -A) does not show the nspmPassword received by freeradius.

I used a free tool: LDAPbrowser. This tool sends an LDAP request containing a Novell login / password and gets back a list of attributes. I succeeded with a login and a password containing characters with accents. So the problem seems to be on the reception of the LDAP request by the FREERADIUS server.

To identify the problem better, do you have some tests or debug commands to help me?

Thank you in advance.
Best regards
Stephan

"Alan DeKok" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
28/04/2006 17:09
Please reply to: FreeRadius users mailing list
To: FreeRadius users mailing list
cc:
Subject: Re: PB with Accent in nspmPassword in request LDAP between FREE-RADIUS 1.0.5 (suse) and edirectory novell 6.5

[EMAIL PROTECTED] wrote:
> On the other hand, if the user uses a password using characters with
> accents, this solution does not work.
>
> I identified the problem in the LDAP request (ask nspmPassword) between
> FREE-RADIUS 1.0.5 and the edirectory of novell 6.5.

Can you show what the LDAP browser does, and what FreeRADIUS does? If we don't know what's going wrong, it's difficult to know what to fix.

So far as I know, FreeRADIUS handles UTF-8 fine, so characters with accents should not be a problem.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: Re: Privileged Login on CISCO using freeradius and MySQL [Virus checked]
Hi Alan,

>> So the Cisco DOES receive the attributes in the reply packet, but obviously
>> ignores them??
>
> what does your CISCO IOS config look like for radius ? It appears that you may
> only have the authentication line and not the authorization line...eg
>
>     aaa new-model
>     aaa authentication login default radius local
>     aaa authorization exec default radius local

Shame on me!! Seems I don't really understand how Cisco handles all this Authorization/Authentication :-((

Adding the "authorization" line as you suggested did the job! (I assumed this would not be necessary since the Reply attribute would automatically put the user in privileged mode...)

Thanks a lot for your help!

thomas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radius filters for ldap searching
Hello,

I'm using freeradius 1.0.4 with openldap 2.2.24 to authenticate users on cisco switches. Every switch belongs to a specific group and for every user I'm setting the groups he can access. I also use cisco avpairs for the privilege level. So far, so good!

The problems occurred when I tried to give a user different privilege levels on different switches. This is the profile I'm using:

    # test, radius, isp.ro
    dn: uid=test,ou=radius,dc=isp,dc=ro
    uid: test
    objectClass: radiusprofile
    cn: test
    userPassword:: xxx
    radiusGroupName: bucuresti
    radiusGroupName: valcea
    radiusServiceType: NAS-Prompt-User

    # bucuresti, test, radius, isp.ro
    dn: cn=bucuresti,uid=test,ou=radius,dc=isp,dc=ro
    uid: test
    objectClass: radiusprofile
    userPassword:: xxx
    radiusGroupName: bucuresti
    radiusServiceType: NAS-Prompt-User
    radiusCiscoLevel: "shell:priv-lvl=15"
    cn: bucuresti

    # valcea, test, radius, isp.ro
    dn: cn=valcea,uid=test,ou=radius,dc=isp,dc=ro
    uid: test
    objectClass: radiusprofile
    userPassword:: xxx
    radiusGroupName: valcea
    radiusServiceType: NAS-Prompt-User
    radiusCiscoLevel: "shell:priv-lvl=7"
    cn: valcea

raddb/users:

    # Switch 192.168.50.202
    # Description: test
    DEFAULT NAS-IP-Address == 192.168.50.202, Ldap-Group == bucuresti
            Fall-Through = no

    DEFAULT Auth-Type := Reject

What I need is to filter the LDAP search in the authorize section based on GroupName and I don't know how.

--
Mircea Harapu
Abuse Engineer, RDS NOC in Bucharest
t: 021-301.08.50  f: 021-301.08.51
e: [EMAIL PROTECTED]  w: www.rdslink.ro

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: Privileged Login on CISCO using freeradius and MySQL [Virus checked]
Hi,

> So the Cisco DOES receive the attributes in the reply packet, but obviously
> ignores them??

what does your CISCO IOS config look like for radius? It appears that you may only have the authentication line and not the authorization line...eg

    aaa new-model
    aaa authentication login default radius local
    aaa authorization exec default radius local

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: Privileged Login on CISCO using freeradius and MySQL [Virus checked]
Hi again,

> The priv lvl I use in my users file is:
>
>     Cisco-AVPair := "shell:priv-lvl=1"
>
> Debug output would help determine what isn't working.
>
> Kevin Bonner

here is a debug from my radius-server:

    rad_recv: Access-Request packet from host 10.0.2.241:1645, id=9, length=76
            NAS-IP-Address = 213.162.69.58
            NAS-Port = 2
            NAS-Port-Type = Virtual
            User-Name = "pudilt"
            Calling-Station-Id = "10.0.2.242"
            User-Password = "1234"
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 2
    Invalid operator for item Suffix: reverting to '=='
    Invalid operator for item Suffix: reverting to '=='
    Invalid operator for item Suffix: reverting to '=='
    modcall[authorize]: module "preprocess" returns ok for request 2
    modcall[authorize]: module "chap" returns noop for request 2
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module "eap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "pudilt", looking up realm NULL
    rlm_realm: No such realm "NULL"
    modcall[authorize]: module "suffix" returns noop for request 2
    radius_xlat: 'pudilt'
    rlm_sql (sql): sql_set_user escaped user --> 'pudilt'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'pudilt' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 1
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'pudilt' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'pudilt' ORDER BY id'
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'pudilt' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    rlm_sql (sql): Released sql socket id: 1
    modcall[authorize]: module "sql" returns ok for request 2
    modcall[authorize]: module "mschap" returns noop for request 2
    modcall: leaving group authorize (returns ok) for request 2
    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: user supplied User-Password matches local User-Password
    Login OK: [pudilt] (from client xdsl-ag-RouA port 2 cli 10.0.2.242)
    Sending Access-Accept of id 9 to 10.0.2.241 port 1645
            Service-Type = NAS-Prompt-User
            Cisco-AVPair = "shell:priv-lvl=15"
            Login-Service = Telnet
    Finished request 2
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    --- Walking the entire request list ---
    Cleaning up request 2 ID 9 with timestamp 44630dd5
    Nothing to do. Sleeping until we see a request.

And this is what I see on the Cisco:

    02:52:14: AAA: parse name=tty2 idb type=-1 tty=-1
    02:52:14: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
    02:52:14: AAA/MEMORY: create_user (0x62135CF4) user='' ruser='' port='tty2' rem_addr='10.0.2.242' authen_type=ASCII service=LOGIN priv=1
    02:52:14: AAA/AUTHEN/START (728290868): port='tty2' list='adminauthenticate' action=LOGIN service=LOGIN
    02:52:14: AAA/AUTHEN/START (728290868): found list adminauthenticate
    02:52:14: AAA/AUTHEN/START (728290868): Method=radius (radius)
    02:52:14: AAA/AUTHEN (728290868): status = GETUSER
    02:52:17: AAA/AUTHEN/CONT (728290868): continue_login (user='(undef)')
    02:52:17: AAA/AUTHEN (728290868): status = GETUSER
    02:52:17: AAA/AUTHEN (728290868): Method=radius (radius)
    02:52:17: AAA/AUTHEN (728290868): status = GETPASS
    02:52:18: AAA/AUTHEN/CONT (728290868): continue_login (user='pudilt')
    02:52:18: AAA/AUTHEN (728290868): status = GETPASS
    02:52:18: AAA/AUTHEN (728290868): Method=radius (radius)
    02:52:18: RADIUS: ustruct sharecount=1
    02:52:18: RADIUS: Initial Transmit tty2 id 9 172.31.95.162:1812, Access-Request, len 76
    02:52:18:         Attribute 4 6 D5A2453A
    02:52:18:         Attribute 5 6 0002
    02:52:18:         Attribute 61 6 0005
    02:52:18:         Attribute 1 8 70756469
    02:52:18:         Attribute 31 12 31302E30
    02:52:18:         Attribute 2 18 C8B57C52
    02:52:18: RADIUS: Received from id 9 172.31.95.162:1812, Access-Accept, len 57
    02:52:18:         Attribute 6 6 0007
    02:52:18:         Attribute 26 25 000901137368
    02:52:18:         Attribute 15 6
    02:52:18: RADIUS: saved authorization data for user 62135CF4 at 6207B1DC
    02:52:18: AAA/AUTHEN (728290868): status = PASS

So the Cisco DOES receive the attributes in the reply packet, but obviously ignores them??

So now I don't know - is the problem on the NAS side, or is there a config failure on the radius side (I do not blame freeradius - I know if it's the radius, it's a config mistake!)

thank you
thomas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
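Added example, not from the post above and not FreeRADIUS or IOS code: the IOS debug prints the Access-Accept as raw attributes ("Attribute 6 6 0007", "Attribute 26 25 000901137368", "Attribute 15 6"), and reading those is the quickest way to confirm what the NAS actually received. This Python block rebuilds that 57-byte reply (id 9, the three attributes the server sent) with a constructed request authenticator and shared secret, decodes it back to named attributes including the Cisco VSA (vendor 9, sub-type 1 = Cisco-AVPair), and checks the Response Authenticator from RFC 2865 section 3, which is the check a NAS must pass before it trusts any of those attributes. The secret and request authenticator are made up for the example; the attribute numbers and encodings are the ones in the RFC and on the page.

```python
"""RADIUS Access-Accept encode/decode with Cisco VSA (added example, not FreeRADIUS code)."""
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
SERVICE_TYPE = {1: "Login-User", 2: "Framed-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}
LOGIN_SERVICE = {0: "Telnet", 1: "Rlogin", 2: "TCP-Clear", 3: "PortMaster"}
CISCO = 9                                   # IANA enterprise number for Cisco
CISCO_VSA = {1: "Cisco-AVPair"}

# Constructed values standing in for the real request authenticator and NAS secret.
REQUEST_AUTH = bytes(range(16))
SECRET = b"testing123"


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Value of a Vendor-Specific (26) attribute: vendor id, sub-type, sub-length, data."""
    return struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value


def build_response(code: int, ident: int, attrs, request_auth: bytes, secret: bytes) -> bytes:
    """Encode a response; attrs is a list of (type, raw value bytes).

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    """
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS does before acting on an Access-Accept: recompute and compare."""
    head, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def _u32(value: bytes) -> int:
    if len(value) != 4:
        raise ValueError("integer attribute must be 4 bytes")
    return struct.unpack("!I", value)[0]


def decode(packet: bytes) -> dict:
    """Parse header and attributes; malformed lengths raise instead of being guessed at."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if t == 26:                         # Vendor-Specific
            if len(value) < 6:
                raise ValueError("short VSA")
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vlen != len(value) - 4:
                raise ValueError("bad VSA sub-length")
            name = CISCO_VSA.get(vtype) if vendor == CISCO else None
            attrs.append((name or f"Vendor-{vendor}-Attr-{vtype}", value[6:].decode("utf-8", "replace")))
        elif t == 6:
            attrs.append(("Service-Type", SERVICE_TYPE.get(_u32(value), "?")))
        elif t == 15:
            attrs.append(("Login-Service", LOGIN_SERVICE.get(_u32(value), "?")))
        else:
            attrs.append((f"Attr-{t}", value.hex()))
    return {"code": CODES.get(code, code), "id": ident, "attrs": attrs}


def sample_accept() -> bytes:
    """The reply from the thread: Service-Type, Cisco-AVPair, Login-Service, id 9, 57 bytes."""
    return build_response(2, 9, [
        (6, struct.pack("!I", 7)),                      # NAS-Prompt-User
        (26, vsa(CISCO, 1, b"shell:priv-lvl=15")),      # Cisco-AVPair
        (15, struct.pack("!I", 0)),                     # Telnet
    ], REQUEST_AUTH, SECRET)


if __name__ == "__main__":
    pkt = sample_accept()
    print(len(pkt), decode(pkt), verify_response_authenticator(pkt, REQUEST_AUTH, SECRET))
```

The decoded result matches the IOS lines byte for byte (6/6/0007, 26/25 with vendor 9 sub-type 1 length 0x13, 15/6/0), so the attributes really were on the wire; what the thread goes on to find is that IOS only applies them once "aaa authorization exec" is configured.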
Re: with_ntdomain_hack
Chris Liles wrote:
> I hacked up the line to just say %{Stripped-User-Name} but that value
> must be null or something, because then ntlm_auth gets called with
> "--username="
>
> Any thoughts as to why I can't get the DOMAIN\ stripped when calling
> ntlm_auth

Although you've already solved it, FYI the reason this was failing is that Stripped-User-Name is only filled out by the "realm" module. You'd need to have added the "ntdomain" realm instance to authorize, and your NT domain as a local realm to proxy.conf.

But the solution you have found is the correct one.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
MySQL: Group membership test
Hi,

As a backend database to RADIUS I use MySQL. Now I have a special problem:

I want to authorize a user for a specific service only if the user is a member of a specific group, say "RAS_User". This configuration is necessary because this database is also used for other authentication/authorization.

The documentation says that the authcheck_table is searched for the user and the reply items in the authrepl_table are returned for the user. I did not find any hint how to configure my freeradius so that the user is authorized to use the service only if he is a member of a specific group. The groupcheck only adds further attributes.

In the ldap module f.i. I can use the "groupmembership_filter". Is there anything similar in the sql module? How can I configure freeradius or the sql module to test the group membership?

Thanks for any help.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP: what password backends can be used?
Thanks for your reply Alan,

On Thu, May 11, 2006 at 01:53:10AM -0400, Alan DeKok wrote:
> Alain Fauconnet <[EMAIL PROTECTED]> wrote:
> > I've browsed the FAQs, the mailing list archives but I have failed to
> > find a definite, clear answer to this: what kind of user/password
> > back-end can work if one is to support MS-CHAP?
>
> I don't see why there was no clear answer. The answer has been
> given many, many, times, and is always the same. MS-CHAP works with
> clear-text passwords, or with NT-Passwords. Nothing else.

Then I must have missed it. I probably have searched for the wrong keywords... yes, I see now in the FAQ, I should have searched for "chap" and not "ms-chap" or "mschap". Sorry.

> > I'm setting up a VPDN server on a Cisco AS5300 for Windows clients. It
> > works fine if I use PAP and no encryption. If I want to use
> > encryption, I need MS-CHAP, right?
>
> What kind of encryption do you mean? There are many kinds.

This is PPTP, so encryption is MPPE. When you configure a Windows client for a VPN (PPTP) connection, if you enable encryption and allow anything but MS-CHAP and MS-CHAP-V2, it says that if anything else is used (such as PAP), encryption will be disabled.

> > Right now my FreeRADIUS server is configured to use PAM.
>
> Ugh. That's not nice. It's added complexity for no real benefit.

Well, I've inherited this installation and the Radius service is used for a dozen different things so I have to be very careful not to break anything. Anyway why is PAM so evil by itself? It adds a layer of abstraction and makes it a single place to tweak things if the authentication back-ends change. I understand that it defeats any requirement to access the cleartext passwords, though.

> > The master source of authentication is /etc/passwd and /etc/shadow,
> > so passwords are in MD5 format.
>
> MS-CHAP is impossible.

Roger that :-)

> > Is there any way I can get FreeRADIUS to handle MS-CHAP authentication
> > requests from the Cisco box in this context? (i'm kind of expecting a
> > big "no" here, but I want to be sure)
>
> No.
>
> > If I'm not using Samba or a domain controller, do I need cleartext
> > passwords to achieve this? where? in the "users" file only?
>
> The passwords can be obtained from any database.
>
> > In radiusd.conf, the "mschap" module has parameters for a Samba
> > smbpasswd format file or invoking ntlm_auth. If neither is set, where
> > does it try to get the password from? I'm confused.
>
> The mschap module no longer supports smbpasswd files.
>
> The mschap module doesn't "try" to get the password. It just does
> ms-chap authentication. Databases get the password, and add it to the
> RADIUS request. See doc/aaa.txt

OK, assuming I have a smbpasswd format file somewhere (not the case now), I should configure the mschap *and* passwd modules, uncommenting:

    #passwd etc_smbpasswd {
    #    filename = /etc/smbpasswd
    #    format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
    #    authtype = MS-CHAP
    #    hashsize = 100
    #    ignorenislike = no
    #    allowmultiplekeys = no
    #}

is that correct?

Greets,
_Alain_

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html