Re: h323-return-code

2006-05-11 Thread Alan DeKok
"Guido" <[EMAIL PROTECTED]> wrote:
> When response: Access Reject, I can't see any h323-return-code.

  Access-Reject packets are not allowed to contain any attributes.

  If you want to return an attribute, edit the source code.

  Alan De
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Fwd: Regular expression - Trying to rewrite User-Name

2006-05-11 Thread Damian Porter
Thanks for all your input so far, and I am still looking, trying to use the hints and huntgroup files for a workaround; no success yet. By the way, I should mention the code worked perfectly well with Red Hat 9.
 
[00-0423-236767-676752-6752-52]
 
The first and the last octet work; it's just {2} - {5} that are acting up.
 
Additional information, my auth-log file:
 
Thu May 11 18:33:02 2006
    Packet-Type = Access-Request
    NAS-IP-Address = 1.5.1.32
    User-Name = "00042367672f"
    User-Password = "00042367672f"
    Calling-Station-Id = "00042367672F"
    Called-Station-Id = "000B8602DD80"
    NAS-Port = 0
    NAS-Port-Type = Wireless-802.11
    Vendor-14823-Attr-5 = 0x4e5355
    Vendor-14823-Attr-6 = 0x302e302e30
    Client-IP-Address = 1.5.1.3
 
 
Debug output
 
[EMAIL PROTECTED] done]# radiusd -d /etc/ciscoraddb/ -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/ciscoraddb/clients.conf
Config:   including file: /etc/ciscoraddb/snmp.conf
Config:   including file: /etc/ciscoraddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/ciscoradius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/ciscoradius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1814
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/ciscoradius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/ciscoradiusd.pid"
 main: bind_address = 137.52.128.40 IP address [137.52.128.40]
 main: user = "nobody"
 main: group = "nobody"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 0
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
There appears to be another RADIUS server running on the authentication port 1814

 
 
 

h323-return-code

2006-05-11 Thread Guido
Hello everybody, I'm using freeradius 1.1.0. The issue is with
h323-return-code and reject as response.

When response: Access Accept, all works fine, I can see h323-return-code,
h323-credit-time.

When response: Access Reject, I can't see any h323-return-code.

The question is, is there something to configure in radius.conf or mssql.conf?
(I'm using authorize_check_query and authorize_reply_query, both with stored
procedures)



Best Regards,

Guido 



Re: Fwd: Regular expression - Trying to rewrite User-Name

2006-05-11 Thread Dennis Skinner
Zoltan Ori wrote:
> On Thursday 11 May 2006 16:30, Dennis Skinner wrote:
>> Are you responding to me?
>>
> Yes, he is. 

I was subtly suggesting he should include relevant text in his responses
like I am doing.  If someone searches the archives later, they have no
context for his message.

> Mr Porter has 0e353afe19xx coming in. 

I don't think he does.  Hence my response and request for debug output.
 His regex won't do that and I don't know of anything else that would
munge the username like that.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: Fwd: Regular expression - Trying to rewrite User-Name

2006-05-11 Thread Zoltan Ori
On Thursday 11 May 2006 16:30, Dennis Skinner wrote:
> Damian Porter wrote:
> > the user-name is coming to the radius process without any dashes and i
> > want to add dashes to separate the octets.
> >
> > I have looked an that document and it does not offer a solution for the
> > problem.
>
> Are you responding to me?
>
> 0e35-353afe-3afe19-fe19 has dashes.  Either it came that way or your

Yes, he is. Mr Porter has 0e353afe19xx coming in. He wants 0e-35-3a-f3-19-xx. 
His replacement is not working as he wishes. He is wanting ([a-z0-9]{2}) ... 
to break up the 12 character string into 6 groups of 2 and then insert dashes 
between them.

I don't have the answer, but that is the problem as I see it.

Zoltan Ori



Re: Regular expression - Trying to rewrite User-Name

2006-05-11 Thread Guy Fraser
On Thu, 2006-11-05 at 15:13 -0400, Damian Porter wrote:
>  
> I have been struggling with this problem for a few days now.
>  
> I use Centos 4.3 and freeradius 1.0.1. I am trying to rewrite a
> username to include dashes. See my statement below in the rewrite
> section.
>  
>    searchfor = "([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})"
>    replacewith = "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
>  
> This is the output that I am getting in my radius.log file.
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #2
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #3
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
> Thu May 11 14:36:24 2006 : Info: Ready to process requests.
> Thu May 11 14:36:39 2006 : Auth: Login incorrect: [0e35-353afe-3afe19-fe19/NOPASSWORD] (from client$
> Thu May 11 14:38:49 2006 : Auth: Login incorrect: [13ce-ce20f9-20f949-f949/NOPASSWORD] (from client$
> Thu May 11 14:38:56 2006 : Auth: Login incorrect: [0e35-353ad7-3ad71b-d71b/NOPASSWORD] (from client$
>  
>  
> PS I have even gone as far as downloading regular expression programs
> to check my code. If anybody has any suggestions or has encountered this
> problem before let me know.

I have no idea if that is supposed to work, but I noticed what appears
to be a problem:

0e35-353ad7-3ad71b-d71b

cannot be parsed with:

([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})

because:
1) 0e35-353ad7-3ad71b-d71b is 24 characters, not 12
2) You have no provisions for '-' characters.

So your search will not get a match.


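As an added example (not code from the thread, from FreeRADIUS or from rlm_attr_rewrite), the following Python applies the posted searchfor/replacewith to the values quoted in this thread and shows why a value that already carries dashes never matches, while a longer bare value is only partly rewritten; the anchored hex-only pattern and the helper names are this example's own.

```python
"""Check the User-Name rewrite discussed in the thread.

Added example, not code from FreeRADIUS or from any poster. The sample
values are the ones quoted on the list; the tightened pattern and the
helper names are this example's own.
"""
import re
from typing import Optional

# searchfor as posted: six groups of two [a-z0-9] characters, unanchored,
# so it matches anywhere in the value or not at all.
POSTED_SEARCHFOR = r"([a-z0-9]{2})" * 6
# Python spelling of replacewith = "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
POSTED_REPLACEWITH = r"\1-\2-\3-\4-\5-\6"

# Tightened pattern: hex digits only (Dennis Skinner's point), case-insensitive
# because the Calling-Station-Id in the auth log is upper case, and anchored
# so a value that is longer, shorter or already dashed cannot match.
HEX12 = re.compile(r"^" + r"([0-9a-f]{2})" * 6 + r"$", re.IGNORECASE)
ALREADY_DASHED = re.compile(r"^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}$", re.IGNORECASE)


def posted_matches(user_name: str) -> bool:
    """True if the posted searchfor finds a match somewhere in user_name."""
    return re.search(POSTED_SEARCHFOR, user_name) is not None


def posted_rewrite(user_name: str) -> str:
    """Apply the posted searchfor/replacewith once; unchanged on no match."""
    return re.sub(POSTED_SEARCHFOR, POSTED_REPLACEWITH, user_name, count=1)


def rewrite_mac(user_name: str) -> Optional[str]:
    """Return the dashed form of a bare 12-hex-digit User-Name.

    An already dashed value is returned untouched, so applying the rule a
    second time is a no-op. Anything else returns None, meaning "leave the
    attribute alone" rather than producing a half-rewritten name.
    """
    if ALREADY_DASHED.match(user_name):
        return user_name
    m = HEX12.match(user_name)
    if m is None:
        return None
    return "-".join(m.groups())


if __name__ == "__main__":
    # Constructed samples: the values quoted in the thread plus one
    # longer value to show the effect of the missing anchors.
    for value in ("0e353afe19ab", "00042367672F",
                  "0e35-353afe-3afe19-fe19", "0e353afe19abcd"):
        print(f"{value:26} posted match={posted_matches(value)!s:5} "
              f"posted rewrite={posted_rewrite(value):22} "
              f"tightened={rewrite_mac(value)}")
```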


Re: Fwd: Regular expression - Trying to rewrite User-Name

2006-05-11 Thread Dennis Skinner
Damian Porter wrote:
> the user-name is coming to the radius process without any dashes and I
> want to add dashes to separate the octets.
>  
> I have looked at that document and it does not offer a solution for the
> problem.

Are you responding to me?

0e35-353afe-3afe19-fe19 has dashes.  Either it came that way or your
regex works (at least partially).  If it came that way, then your
searchfor will never work because it is not expecting those dashes.  If
it didn't come that way, I'd be surprised because it doesn't look like
your regex should do that.

Try running the server in debug mode and send us the output.  You may be
surprised by what it tells you.

As to the link, look again.  It wasn't meant to fix your regex, it was
meant to suggest an alternative way to do what you are doing (you still
need to figure out the regex).  It has instructions on how to rewrite a
username using regex (exactly what you are trying to do) with just the
hints file.  It is a bit more elegant and will likely rewrite the
username sooner in the processing, allowing you to use the new username
in huntgroups, etc.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: Rm: Mysql 5.0 with freeradius 1.1.1

2006-05-11 Thread Dennis Skinner
[EMAIL PROTECTED] wrote:
> 
> Dear list:
> 
> 
> I'm taking up again my work with freeradius since two years ago. Now I'm
> working over a RHE AS linux distribution box and working with a MySQL
> 5.0. In this version the password hashing algorithm has changed and
> differs from MySQL 3.x or 4.x. Then I'd like to know if the freeradius engine
> will work without problems with MySQL 5.0 or later.
> Refer to this article:

First of all this would only affect the password in the sql.conf file.
The article is referring to passwords that allow you to connect to the
db, not passwords stored in the radcheck table (I hope you aren't using
PASSWORD() on that table).

I believe that FreeRADIUS uses the mysqlclient libs (hence mysql-devel
is required to build it).  So if the libs that radiusd is linked against
support the new password format, then so should FreeRADIUS.

Third, you can still use the old password format.

Fourth, please avoid sending html to the list.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Fwd: Regular expression - Trying to rewrite User-Name

2006-05-11 Thread Damian Porter
The user-name is coming to the radius process without any dashes and I want to add dashes to separate the octets.
 
I have looked at that document and it does not offer a solution for the problem.

Re: Regular expression - Trying to rewrite User-Name

2006-05-11 Thread Dennis Skinner
Damian Porter wrote:
>  
> I have been struggling with this problem for a few days now.
>  
> I use Centos 4.3 and freeradius 1.0.1. I am trying to rewrite a username
> to include dashes. See my statement below in the rewrite section.
>  
>    searchfor = "([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})"
>    replacewith = "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
>  
> [0e35-353afe-3afe19-fe19/NOPASSWORD] (from client$
> Thu May 11 14:38:49 2006 : Auth: Login incorrect: [13ce-ce20f9-20f949-f949/NOPASSWORD] (from client$
> Thu May 11 14:38:56 2006 : Auth: Login incorrect: [0e35-353ad7-3ad71b-d71b/NOPASSWORD] (from client$

First of all you may want to look at this:

http://wiki.freeradius.org/index.php/Adding%2C_Removing%2C_Modifying_Attributes_for_further_processing

Next, the searchfor has no dashes in it, but the username does, so it
will never match.

Third, if the username is in hex, you only need a-f, not a-z.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Rm: Mysql 5.0 with freeradius 1.1.1

2006-05-11 Thread elimachi

Dear list:


I'm taking up again my work with freeradius
since two years ago. Now I'm working over a RHE AS linux distribution box
and working with a MySQL 5.0. In this version the password hashing algorithm
has changed and differs from MySQL 3.x or 4.x. Then I'd like to know if the
freeradius engine will work without problems with MySQL 5.0 or later.
Refer to this article:


I´ll be very grateful with your comments.

Thank you.

Edu.
Title:  MySQL 3.23, 4.0, 4.1 Reference Manual :: 5.7.9.1 Implications of
Password Hashing Changes for Application Programs
5.7.9.1. Implications of Password Hashing Changes for Application Programs

An upgrade to MySQL 4.1 can cause a compatibility issue for applications that
use PASSWORD() to generate passwords for their own purposes. Applications really
should not do this, because PASSWORD() should be used only to manage passwords
for MySQL accounts. But some applications use PASSWORD() for their own purposes
anyway.

If you upgrade to 4.1 and run the server under conditions where it generates
long password hashes, an application that uses PASSWORD() for its own passwords
breaks. The recommended course of action is to modify the application to use
another function, such as SHA1() or MD5(), to produce hashed values. If that is
not possible, you can use the OLD_PASSWORD() function, which is provided to
generate short hashes in the old format. But note that OLD_PASSWORD() may one
day no longer be supported.

If the server is running under circumstances where it generates short hashes,
OLD_PASSWORD() is available but is equivalent to PASSWORD().

PHP programmers migrating their MySQL databases from version 4.0 or lower to
version 4.1 or higher should see Section 17.3, "MySQL PHP API".

Regular expression - Trying to rewrite User-Name

2006-05-11 Thread Damian Porter


 

I have been struggling with this problem for a few days now.
 
I use Centos 4.3 and freeradius 1.0.1. I am trying to rewrite a username to include dashes. See my statement below in the rewrite section.
 
   searchfor = "([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})"
   replacewith = "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
 
This is the output that I am getting in my radius.log file.

Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #2
Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #3
Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
Thu May 11 14:36:24 2006 : Info: Ready to process requests.
Thu May 11 14:36:39 2006 : Auth: Login incorrect: [0e35-353afe-3afe19-fe19/NOPASSWORD] (from client$
Thu May 11 14:38:49 2006 : Auth: Login incorrect: [13ce-ce20f9-20f949-f949/NOPASSWORD] (from client$
Thu May 11 14:38:56 2006 : Auth: Login incorrect: [0e35-353ad7-3ad71b-d71b/NOPASSWORD] (from client$
 
PS I have even gone as far as downloading regular expression programs to check my code. If anybody has any suggestions or has encountered this problem before let me know.
 
 


Nested groups in ldap

2006-05-11 Thread Kobiske, Rob








I was wondering if there was a way for ldap to look into
nested groups.

 

I have enabled ldap groups, and I have an ldap group that
contains another group, and I would like ldap to search within that main group
and nested group to see if a user belongs to either group.

 

If anyone knows how to do this with freeradius+ldap, please
let me know.

 

Thanks,

Rob Kobiske







RE: Freeradius and MySQL

2006-05-11 Thread Seferovic Edvin
Hello Jeremy,

PLEASE ! SPECIFY YOUR PROBLEM ! You have sent 2-3 comments to the mailing
list and nobody ( besides Alan ) wanted to respond! Why? No needed
information ( aka I have a car, the car has tires, but I cannot drive, why? ).

You are using a db. Okay. What DB? Firebird, MySql, MSSQL, Oracle?
What does your config look like?
Send us the debug output of freeradius!

We cannot help you without information ( or do you expect us to hack into
your server to get some info about your config ?? ).

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
g] On Behalf Of Jeremy ohara
Sent: Donnerstag, 11. Mai 2006 20:23
To: freeradius-users@lists.freeradius.org
Subject: Freeradius and MySQL


 Hi there
 
I have FreeRADIUS updated on Fedora.
 
Got a MySQL database, but from what I'm noticing it's not being checked on the
database.
 
Got dialupadmin installed and am using that to put the accounts into the
database, and have set up freeradius with the db.
 
Jeremy



This email has been scanned for Virus by MDaemon AntiVirus part of MDaemon.
Updated daily to keep up-to-date with all new and old viruses.





Re: Strange error

2006-05-11 Thread A . L . M . Buxey
Hi,

> i tried ntradping it seems to work. but from what me and my friend are seeing
> its being stopped at the mysql database. we aren't sure

could you be more specific - ie send the output from FreeRADIUS in debug mode -
radiusd -X

you may, of course, obfuscate private words and bytes

alan


Re: Strange error

2006-05-11 Thread Dennis Skinner
Jeremy ohara wrote:
> i tried ntradping it seems to work. but from what me and my friend are
> seeing its being stopped at the mysql database. we aren't sure
>  
> have you dealt with MySQL much?
>  
> Jeremy

Jeremy,

Have you read any of the docs included with the server?  It says over
and over and over again (as does this list) to run the server in debug
mode.  Please do that before posting again.

radiusd -X

read it.  *all* of it.  If you don't know what is wrong, go back to the
initial config (ie w/o mysql) and make it work just using a simple entry
in the users file.  Then change as little as possible until you get to
your desired config.

FYI - Alan DeKok is the most familiar person in the world with
FreeRADIUS.  He is the primary developer.  He also answers the vast
majority of questions here on this list.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Freeradius and MySQL

2006-05-11 Thread Jeremy ohara

 Hi there
 
I have FreeRADIUS updated on Fedora.
 
Got a MySQL database, but from what I'm noticing it's not being checked on the
database.
 
Got dialupadmin installed and am using that to put the accounts into the
database, and have set up freeradius with the db.
 
Jeremy





Re: Strange error

2006-05-11 Thread Alan DeKok
"Jeremy ohara" <[EMAIL PROTECTED]> wrote:
> i tried ntradping it seems to work. but from what me and my friend are seeing
> its being stopped at the mysql database. we aren't sure

  Don't CC me on messages to the list. I get enough email already.

  And read the FAQ for how to debug the server.

  Alan DeKok.


RE: Strange error

2006-05-11 Thread Seferovic Edvin
> how familiar are you with Freeradius?

  Uh... try reading the list for a while.

  Alan DeKok.


HAHAHHA :) Sorry - I just couldn't help myself! 

For mailing-list newbies: people that respond to your questions have more
experience than you do and they are willing to help ( in most cases ).
Nobody should attach a freeradius CV when answering to the list! Yes - I
have compiled freeradius at least 100 times ( in a row ;) ) and does that
make me "familiar" with this software?

Regards,

Edvin



Re: Strange error

2006-05-11 Thread Jeremy ohara


I tried ntradping; it seems to work. But from what my friend and I are
seeing, it's being stopped at the MySQL database. We aren't sure.
 
Have you dealt with MySQL much?
 
Jeremy
-----Original Message-----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Date: Thu, 11 May 2006 12:51:53 -0400
Subject: Re: Strange error

"Jeremy ohara" <[EMAIL PROTECTED]> wrote:
> when I try to use a test radius program to test the radius to see if it
> works I got
>
> error: warning bad radius packet form host x.x.x.x: unknown packet code 100
>
> does anyone know what this means?

  It means that the test client is not sending a normal RADIUS packet.

  Can you say what test client you're using?

  Alan DeKok.


Re: Strange error

2006-05-11 Thread Alan DeKok
"Jeremy ohara" <[EMAIL PROTECTED]> wrote:
> i'm using Radas.

  Never heard of it.  This probably means its market share is
minuscule.  i.e. no one else is using it.

> how familiar are you with Freeradius?

  Uh... try reading the list for a while.

  Alan DeKok.


Re: Solaris 8/SPARC - MySQL 5.0 NDB Cluster - Freeradius 1.1.1 with rlm_sqlippool module: 'radiusd' segmentation fault

2006-05-11 Thread Alan DeKok
"Robles Rodriguez,Alejandro" <[EMAIL PROTECTED]> wrote:
>   Well, I'm wondering if this is in a clustered configuration i.e.
> multiple nodes handling the load and cooperating (sharing data such
> as IP pools).

  Sharing data is harder.  You're better off splitting the IP pools by
server.  The clients won't notice, or care.

  See: http://www.freeradius.org/testimonials.html

> I'd really like to create some sort of standard architecture for
> freeradius that can scale and is reliable and have it in a "real"
> environment for a while for others to have confidence when making
> this same decision that I'm about to make.

  Sounds good to me.  Diagrams on the Wiki would be good.

>   I have compared my version with that of the CVS root and apart
> from some small differences that I'll investigate further I noticed
> that it has the same bug that I found. The problem is that I don't
> know how to report it.

  bugs.freeradius.org.

  After looking at your proposed patch, I'm not sure it's much better.
There are a number of cases where the function returns without calling
"finish select", which can/will leak memory.

> Also I think it'd be a good idea to back-port it to 1.1.x. Who
> decides this and how do I express my interest?

  Do the work and send in the patch.  If nothing else, it can go in as
an "experimental" module, which means you can enable it in your local
configuration.

  Alan DeKok.



Re: radius filters for ldap searching

2006-05-11 Thread Terry J Fike Jr



The only way I got this to work was separate trees in ldap for each
group, and then in the default line in your users file put the tree you
want it to search for the group and NAS definition.


Message: 2
Date: Thu, 11 May 2006 12:52:47 +0300
From: Mircea Harapu <[EMAIL PROTECTED]>
Subject: radius filters for ldap searching
To: freeradius-users@lists.freeradius.org
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello,

I'm using freeradius 1.0.4 with openldap 2.2.24 to authenticate users on 
cisco switches.
Every switch belongs to a specific group and for every user I'm setting 
the groups he can access. I also use cisco avpairs for level privilege.

So far, so good!
The problems occurred when I tried to make a user have different level
privileges on different switches.

This is the profile I'm using :

# test, radius, isp.ro
dn: uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
cn: test
userPassword:: xxx
radiusGroupName: bucuresti
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User

# bucuresti, test, radius, isp.ro
dn: cn=bucuresti,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: bucuresti
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=15"
cn: bucuresti

# valcea, test, radius, isp.ro
dn: cn=valcea,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=7"
cn: valcea

raddb/users
# Switch 192.168.50.202
# Descriere test
DEFAULT NAS-IP-Address == 192.168.50.202, Ldap-Group == bucuresti
   Fall-Through = no
DEFAULT Auth-Type := Reject

what I need is to filter the ldap search in authorize section based on 
GroupName and I don't know how.


--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]


Re: Strange error

2006-05-11 Thread Jeremy ohara


I'm using Radas. I'm just about to try ntradping.
 
How familiar are you with FreeRADIUS?
 
Jeremy
-----Original Message-----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Date: Thu, 11 May 2006 12:51:53 -0400
Subject: Re: Strange error

"Jeremy ohara" <[EMAIL PROTECTED]> wrote:
> when I try to use a test radius program to test the radius to see if it
> works I got
>
> error: warning bad radius packet form host x.x.x.x: unknown packet code 100
>
> does anyone know what this means?

  It means that the test client is not sending a normal RADIUS packet.

  Can you say what test client you're using?

  Alan DeKok.


Re: PB with Accent in nspmPassword in request LDAP between FREE-RADIUS 1.0.5 (suse) and edirectory novell 6.5

2006-05-11 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> Then the freeradius server compares this login / nspmPassword with the
> login / password received first, it finds differences and does not
> authenticate the user.
> I don't know if the nspmPassword sent back by the Novell server is bad or
> good because the ldap response is encrypted (port 636).

  Edit rlm_ldap.c to print out the nspmPassword it receives.

  My tests with FreeRADIUS indicate that it supports UTF-8 just fine.
So there should be no problems using characters with accents.

  Alan DeKok.


Re: Strange error

2006-05-11 Thread Alan DeKok
"Jeremy ohara" <[EMAIL PROTECTED]> wrote:
> when I try to use a test radius program to test the radius to see if it
> works I got
> 
> error: warning bad radius packet form host x.x.x.x: unknown packet code 100
> 
> does anyone know what this means?

  It means that the test client is not sending a normal RADIUS packet.

  Can you say what test client you're using?

  Alan DeKok.


Strange error

2006-05-11 Thread Jeremy ohara


Hi there
 
I just set up freeradius with mysql.
 
When I try to use a test radius program to test the radius to see
if it works I got
 
error: warning bad radius packet form host x.x.x.x: unknown packet code 100
 
Does anyone know what this means?
 
jeremy 


Re: FreeRADIUS, MySQL and usergroups again

2006-05-11 Thread Michael Schwartzkopff
Am Donnerstag, 11. Mai 2006 17:38 schrieb Christopher Carver:
> If you want to use rlm_sql you do this with the tables radius.usergroup
> and radius.radgroupcheck.  In radius.radgroupcheck you'd have something
> like this:
>
> +----+-----------+-----------+----+--------+
> | id | GroupName | Attribute | op | Value  |
> +----+-----------+-----------+----+--------+
> |  1 | RASUser   | Auth-Type | := | system |
> +----+-----------+-----------+----+--------+
>
> Then in radius.usergroup for each user you want in this group you'll
> have a row like this:
>
> +-------+----------+-----------+
> | id    | UserName | GroupName |
> +-------+----------+-----------+
> | 39747 | thisuser | RASUser   |
> +-------+----------+-----------+
>
> That pasted rather ugly, but I think you should get the point.  Using
> sql eliminates the need for the users file to be able to do what you
> asked about.  Let me know if this doesn't answer your question.
>
> Chris Carver


Thanks for your answer. But I think this is not quite what I was looking for.
I want to administer the passwords in MySQL, not in the system, so I need
Auth-Type := Local. And this authenticates every user that is in the
database, not only those in the specific group. I solved it by adding

DEFAULT Group !="RASUser", Auth-Type := Reject

in my files.
-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: MySQL: Group membership test

2006-05-11 Thread Michael Schwartzkopff
Am Donnerstag, 11. Mai 2006 16:23 schrieb Bogdan Dumitriu - Technical Support 
Team:
> You can create a group "deactivated" for the users you don't want to
> allow to connect and set Auth-Type == Reject for that group.
(...)
> Thanks,
> Bogdan.

hi,

Auth-Type == Reject was the right solution. But I use it a little bit
differently:

DEFAULT Group != "RASUser", Auth-Type := Reject

This seems to work, at least in the first tests ...

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: FreeRADIUS, MySQL and usergroups again

2006-05-11 Thread Christopher Carver
If you want to use rlm_sql you do this with the tables radius.usergroup 
and radius.radgroupcheck.  In radius.radgroupcheck you'd have something 
like this:


+----+-----------+-----------+----+--------+
| id | GroupName | Attribute | op | Value  |
+----+-----------+-----------+----+--------+
|  1 | RASUser   | Auth-Type | := | system |
+----+-----------+-----------+----+--------+

Then in radius.usergroup for each user you want in this group you'll 
have a row like this:


+-------+----------+-----------+
| id    | UserName | GroupName |
+-------+----------+-----------+
| 39747 | thisuser | RASUser   |
+-------+----------+-----------+

That pasted rather ugly, but I think you should get the point.  Using 
sql eliminates the need for the users file to be able to do what you 
asked about.  Let me know if this doesn't answer your question.


Chris Carver
Pennswoods.Net
Network Engineer

Michael Schwartzkopff wrote:

Hi,

I want to authorize users according to the membership in a group. With 
Auth-Type=System it is easy:


DEFAULT   Auth-Type = System, Group == "RASUser"

Is there any analogy to this setup in the sql module? Thanks for any help, I 
am quite desperate already ...


  





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Several passwords for a user

2006-05-11 Thread Seferovic Edvin
Hello,

besides Alan D.'s comment, I think you should have a damn good reason
for entering more than one password for ONE user. Are you trying to make
your system THAT complicated? Or are your users just too stupid to remember (or
even write down) a given password?

Regards,

Edvin 

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, 11 May 2006 15:46
To: FreeRadius users mailing list
Subject: Re: Several passwords for a user

Santiago Balaguer García <[EMAIL PROTECTED]> wrote:
>   I use freeradius-1.1.0. Is there any problem if an account has two or more 
> entries in the radcheck table?
> 
> I use :
>11:22:33:44:55:66 :=''
>11:22:33:44:55:66 :=mypassword

  What are you trying to do?  Those entries don't match anything in
the FreeRADIUS documentation, and will *not* do anything useful.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: MySQL: Group membership test

2006-05-11 Thread Bogdan Dumitriu - Technical Support Team
You can create a group "deactivated" for the users you don't want to
allow to connect and set Auth-Type == Reject for that group.

If you want to tie a group to a certain NAS you have to use huntgroups:

TestNAS1    NAS-IP-Address == xxx.xxx.xxx.xxx
            SQL-Group == dialup,
            SQL-Group == adsl

It means that if the user is coming from this NAS it has to be a member
of those groups. Otherwise auth fails.

Is this what you are looking for?

At least this is my set up. If you find a better way please let me know.

Thanks,
Bogdan.

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Michael Schwartzkopff
Sent: May 11, 2006 4:22 AM
To: freeradius-users@lists.freeradius.org
Subject: MySQL: Group membership test


Hi,

As a backend database to RADIUS I use MySQL. Now I have a special
problem:

I want to authorize a user for a specific service only if the user is
member of a specific group, say "RAS_User". This configuration is necessary
because this database is used also for other authentication/authorization.

The documentation says that the authcheck_table is being searched for
the user and the reply items in the authrepl_table are returned for the
user. I did not find any hint how to configure my freeradius so that the
user is authorized to use the service only if he is member of a specific
group. The groupcheck only adds further attributes.

In the ldap module, for instance, I can use the "groupmembership_filter".

Is there anything similar in the sql module? How can I configure
freeradius or the sql module to test the group membership?

Thanks for any help.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRADIUS, MySQL and usergroups again

2006-05-11 Thread Michael Schwartzkopff
Hi,

I want to authorize users according to the membership in a group. With 
Auth-Type=System it is easy:

DEFAULT   Auth-Type = System, Group == "RASUser"

Is there any analogy to this setup in the sql module? Thanks for any help, I 
am quite desperate already ...

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Several passwords for a user

2006-05-11 Thread Alan DeKok
Santiago Balaguer García <[EMAIL PROTECTED]> wrote:
>   I use freeradius-1.1.0. Is there any problem if an account has two or more 
> entries in the radcheck table?
> 
> I use :
>11:22:33:44:55:66 :=''
>11:22:33:44:55:66 :=mypassword

  What are you trying to do?  Those entries don't match anything in
the FreeRADIUS documentation, and will *not* do anything useful.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP: what password backends can be used?

2006-05-11 Thread Alan DeKok
Alain Fauconnet <[EMAIL PROTECTED]> wrote:
> Then I must have missed it. I probably have searched for the wrong
> keywords... yes, I see now in the FAQ, I should have searched for
> "chap" and not "ms-chap" or "mschap". Sorry.

  You're not the first person to ask this question.  Google should
return a *lot* of answers.

> This PPTP so encryption is MPPE.
> When you configure a Windows client for a VPN (PPTP)
> connection, if you enable encryption and allow anything but MS-CHAP
> and MS-CHAP-V2, it says that if anything else is used (such as PAP),
> encryption will be disabled.

  Ah.  That would appear to be definitive, then.

> Well, I've inherited this installation and the Radius service is used
> for a dozen different things so I have to be very careful not to break
> anything. Anyway why is PAM so evil by itself?

  I've been working with PAM for many years.  I've never liked it.

  If nothing else, PAM isn't designed to be used in the way that
FreeRADIUS is using it: one process doing many PAM authentications.
It's meant to be used by "login", and similar programs.  We've had
problems in the past with PAM because of this.

> OK, assuming I have a smbpasswd format file somewhere (not the case
> now), I should configure the mschap *and* passwd modules,
> uncommenting out:

  Yes.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Several passwords for a user

2006-05-11 Thread Santiago Balaguer García

Hi,
 I use freeradius-1.1.0. Is there any problem if an account has two or more 
entries in the radcheck table?


I use :
  11:22:33:44:55:66 :=''
  11:22:33:44:55:66 :=mypassword

I changed the op to := instead of ==. Is there any problem?



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accounting - FramedIPAddress - DHCP/IPPOOL

2006-05-11 Thread mad
2006/5/10, Alan DeKok <[EMAIL PROTECTED]>:
>  We have to script the coordination between the DHCP server?  Yes.
To be sure I understand ...
There are scripts that make it possible to coordinate the AP information for
accounting with the DHCP client/server dialogue ... the AP can take the
information from the DHCP dialogue ...
Sorry if I am saying something wrong ...

I have wireless and wired clients ... What is possible with the switch? (cisco2950)

Thanks
 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Accounting - FramedIPAddress - DHCP/IPPOOL

2006-05-11 Thread mad
2006/5/10, Alan DeKok <[EMAIL PROTECTED]>:
>   A well written DHCP server should be as flexible as FreeRADIUS, and
> allow you to write the IP to an SQL table.
>   Unfortunately, there is no such DHCP server.
I don't understand ...
You want to say that it's necessary to develop a better ippool/dhcp function in FreeRADIUS?

Thanks for your answer, now I am sure that it's impossible to use ippool with EAP.

Psymad

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: PB with Accent in nspmPassword in request LDAP between FREE-RADIUS 1.0.5 (suse) and edirectory novell 6.5

2006-05-11 Thread freeradius

Hello,
I apologize for the delay in this reply.
My 802.1x client sends an authentication request on the network.
By means of an ENTERASYS switch, the authentication request arrives at the
radius server with login / password.
The authentication request (login / password with accents) arrives correctly
at the RADIUS server.

To authenticate the user, the freeradius server sends an LDAP request to the
novell server (just with the user login) to ask it for the nspmPassword.

The NOVELL server replies with an LDAP response containing the nspmPassword
attribute.

Then the freeradius server compares this login / nspmPassword with the
login / password received first, finds differences and does not authenticate
the user.
I don't know if the nspmPassword sent back by the Novell server is bad or good
because the LDAP response is encrypted (port 636).
The unencrypted mode is refused by the novell server.

The debug mode of freeradius (radius-x -A) does not show the nspmPassword
received by Freeradius.

I used a free tool: LDAPbrowser. This tool sends an LDAP request containing a
novell login / password and gets back a list of attributes. I succeeded with a
login and a password containing characters with accents.

So the problem seems to be in the reception of the LDAP request by the
FREERADIUS server.

To identify the problem better, do you have some tests or debug commands to
help me?

Thank you in advance.

Best regards

Stephan






"Alan DeKok" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
28/04/2006 17:09
Reply to: FreeRadius users mailing list
To: FreeRadius users mailing list
Subject: Re: PB with Accent in nspmPassword in request LDAP between FREE-RADIUS 1.0.5 (suse) and edirectory novell 6.5

[EMAIL PROTECTED] wrote:
> On the other hand, if the user uses a password using characters with
> accents, this solution does not work.
> 
>  I identified the problem in the LDAP request  (ask nspmPassword) between
> FREE-RADIUS 1.0.5 and the edirectory of novell 6.5.

  Can you show what the LDAP browser does, and what FreeRADIUS does?
If we don't know what's going wrong, it's difficult to know what to
fix.

  So far as I know, FreeRADIUS handles UTF-8 fine, so characters with
accents should not be a problem.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Re: Re: Privileged Login on CISCO using freeradius and MySQL [Virus checked]

2006-05-11 Thread thomas . pudil
Hi Alan,

>> So the Cisco DOES receive the attributes in the reply packet, but obviously
>> ignores them??
>
>what does your CISCO IOS config look like for radius ? It appears that you may
>only have the authentication line and not the authorization line...eg
>
>aaa new-model
>aaa authentication login default radius local
>aaa authorization exec default radius local

Shame on me!! Seems I don't really understand how Cisco handles all this
Authorization/Authentication :-((

Adding the "authorization" line as you suggested did the job!
(I assumed this would not be necessary since the Reply attribute would
automatically put the user in privileged mode...)


Thanks a lot for your help!

thomas





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radius filters for ldap searching

2006-05-11 Thread Mircea Harapu

Hello,

I'm using freeradius 1.0.4 with openldap 2.2.24 to authenticate users on 
cisco switches.
Every switch belongs to a specific group and for every user I'm setting 
the groups he can access. I also use cisco avpairs for level privilege.

So far , so good!
The problems occurred when I tried to make a user have different privilege 
levels on different switches.

This is the profile I'm using :

# test, radius, isp.ro
dn: uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
cn: test
userPassword:: xxx
radiusGroupName: bucuresti
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User

# bucuresti, test, radius, isp.ro
dn: cn=bucuresti,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: bucuresti
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=15"
cn: bucuresti

# valcea, test, radius, isp.ro
dn: cn=valcea,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=7"
cn: valcea

raddb/users
# Switch 192.168.50.202
# Description test
DEFAULT NAS-IP-Address == 192.168.50.202, Ldap-Group == bucuresti
  Fall-Through = no
DEFAULT Auth-Type := Reject

What I need is to filter the ldap search in the authorize section based on 
GroupName, and I don't know how.

--

Mircea Harapu
Abuse Engineer, RDS NOC in Bucharest
t: 021-301.08.50    f: 021-301.08.51
e: [EMAIL PROTECTED]    w: www.rdslink.ro

Privileged/Confidential Information may be contained in this
message. If you are not the addressee indicated in this message
(or responsible for delivery of the message to such person),
you may not copy or deliver this message to anyone. In such a
case, you should destroy this message and kindly notify the
sender by reply e-mail.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re: Privileged Login on CISCO using freeradius and MySQL [Virus checked]

2006-05-11 Thread A . L . M . Buxey
Hi,

> So the Cisco DOES receive the attributes in the reply packet, but obviously
> ignores them??

what does your CISCO IOS config look like for radius ? It appears that you may
only have the authentication line and not the authorization line...eg

aaa new-model
aaa authentication login default radius local
aaa authorization exec default radius local


alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re: Privileged Login on CISCO using freeradius and MySQL [Virus checked]

2006-05-11 Thread thomas . pudil
Hi again,

>The priv lvl I use in my users file is:
>
>Cisco-AVPair := "shell:priv-lvl=1"
>
>Debug output would help determine what isn't working.
>
>Kevin Bonner

here is a debug from my radius-server:

rad_recv: Access-Request packet from host 10.0.2.241:1645, id=9, length=76
NAS-IP-Address = 213.162.69.58
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = "pudilt"
Calling-Station-Id = "10.0.2.242"
User-Password = "1234"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
rlm_realm: No '@' in User-Name = "pudilt", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
radius_xlat:  'pudilt'
rlm_sql (sql): sql_set_user escaped user --> 'pudilt'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'pudilt' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'pudilt' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'pudilt' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'pudilt' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 1
  modcall[authorize]: module "sql" returns ok for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [pudilt] (from client xdsl-ag-RouA port 2 cli 10.0.2.242)
Sending Access-Accept of id 9 to 10.0.2.241 port 1645
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
Login-Service = Telnet
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 9 with timestamp 44630dd5
Nothing to do.  Sleeping until we see a request.


And this is what I see on the Cisco:

02:52:14: AAA: parse name=tty2 idb type=-1 tty=-1
02:52:14: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2
channel=0
02:52:14: AAA/MEMORY: create_user (0x62135CF4) user='' ruser='' port='tty2'
rem_addr='10.0.2.242' authen_type=ASCII service=LOGIN priv=1
02:52:14: AAA/AUTHEN/START (728290868): port='tty2'
list='adminauthenticate' action=LOGIN service=LOGIN
02:52:14: AAA/AUTHEN/START (728290868): found list adminauthenticate
02:52:14: AAA/AUTHEN/START (728290868): Method=radius (radius)
02:52:14: AAA/AUTHEN (728290868): status = GETUSER
02:52:17: AAA/AUTHEN/CONT (728290868): continue_login (user='(undef)')
02:52:17: AAA/AUTHEN (728290868): status = GETUSER
02:52:17: AAA/AUTHEN (728290868): Method=radius (radius)
02:52:17: AAA/AUTHEN (728290868): status = GETPASS
02:52:18: AAA/AUTHEN/CONT (728290868): continue_login (user='pudilt')
02:52:18: AAA/AUTHEN (728290868): status = GETPASS
02:52:18: AAA/AUTHEN (728290868): Method=radius (radius)
02:52:18: RADIUS: ustruct sharecount=1
02:52:18: RADIUS: Initial Transmit tty2 id 9 172.31.95.162:1812,
Access-Request, len 76
02:52:18: Attribute 4 6 D5A2453A
02:52:18: Attribute 5 6 0002
02:52:18: Attribute 61 6 0005
02:52:18: Attribute 1 8 70756469
02:52:18: Attribute 31 12 31302E30
02:52:18: Attribute 2 18 C8B57C52
02:52:18: RADIUS: Received from id 9 172.31.95.162:1812, Access-Accept, len 57
02:52:18: Attribute 6 6 0007
02:52:18: Attribute 26 25 000901137368
02:52:18: Attribute 15 6 
02:52:18: RADIUS: saved authorization data for user 62135CF4 at 6207B1DC
02:52:18: AAA/AUTHEN (728290868): status = PASS


So the Cisco DOES receive the attributes in the reply packet, but obviously
ignores them??
So now I don't know - is the problem on the NAS side, or is there a config
failure on the radius side (I do not blame freeradius - I know if it's the
radius, it's a config mistake!)


thank you
thomas




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
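An added example, not code from the thread or from FreeRADIUS, that checks the two debug traces above against each other at the byte level. It rebuilds the three reply attributes FreeRADIUS sent (Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15", Login-Service = Telnet) as RFC 2865 TLVs, confirms that together with the 20-byte RADIUS header they account for the "len 57" the Cisco logged, and parses them back the way a NAS has to, including the Vendor-Specific sub-TLV (vendor 9 = Cisco, vendor type 1 = Cisco-AVPair) whose first bytes line up with the "Attribute 26 25 000901137368" line in the IOS output. The function names are mine; the attribute numbers and values are the standard ones.

```python
"""Encode and decode the Access-Accept attributes shown in the debug output above.

Added example, not code from the thread or from FreeRADIUS.  The three reply
attributes are rebuilt as RFC 2865 TLVs, sized against the 'len 57' the Cisco
logged, and parsed back including the Vendor-Specific sub-TLV for Cisco-AVPair.
"""
import struct

RADIUS_HEADER_LEN = 20          # code(1) + id(1) + length(2) + authenticator(16)
ATTR_SERVICE_TYPE = 6
ATTR_LOGIN_SERVICE = 15
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1                # vendor type of Cisco-AVPair
SERVICE_TYPE_NAS_PROMPT_USER = 7
LOGIN_SERVICE_TELNET = 0


def encode_attr(attr_type, value):
    """Plain RFC 2865 attribute: type, length (including the 2 header bytes), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encode_vsa(vendor_id, vendor_type, data):
    """Vendor-Specific attribute wrapping one vendor sub-TLV (RFC 2865 section 5.26)."""
    sub = bytes([vendor_type, len(data) + 2]) + data
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_reply_attrs():
    """The three attributes from the Access-Accept on this page, as bytes."""
    return (encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT_USER))
            + encode_vsa(VENDOR_CISCO, CISCO_AVPAIR, b"shell:priv-lvl=15")
            + encode_attr(ATTR_LOGIN_SERVICE, struct.pack("!I", LOGIN_SERVICE_TELNET)))


def decode_attrs(buf):
    """Walk the attribute list; returns ("ATTR", type, None, value) or
    ("VSA", vendor_id, vendor_type, value) entries.  Malformed lengths raise,
    which is what a parser must do instead of reading past the buffer."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length")
        value = buf[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vpos = 4
            while vpos < len(value):
                if len(value) - vpos < 2:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                out.append(("VSA", vendor_id, vtype, value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            out.append(("ATTR", atype, None, value))
        pos += alen
    return out


def cisco_priv_level(attrs):
    """Privilege level the NAS should apply, or None if no shell:priv-lvl AV pair."""
    for kind, vendor, vtype, value in attrs:
        if kind == "VSA" and vendor == VENDOR_CISCO and vtype == CISCO_AVPAIR:
            text = value.decode("ascii", "replace")
            if text.startswith("shell:priv-lvl="):
                return int(text.split("=", 1)[1])
    return None


if __name__ == "__main__":
    raw = build_reply_attrs()
    print("packet length:", RADIUS_HEADER_LEN + len(raw))
    for entry in decode_attrs(raw):
        print(entry)
    print("priv-lvl:", cisco_priv_level(decode_attrs(raw)))
```

The point the decoder makes is the one Thomas reached: the privilege level is in the packet and parseable, so when the session still lands at priv 1 the missing piece is on the NAS (here the `aaa authorization exec` line), not in the RADIUS reply.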


Re: with_ntdomain_hack

2006-05-11 Thread Phil Mayers

Chris Liles wrote:
> I hacked up the line to just say %{Stripped-User-Name} but that value
> must be null or something, because then ntlm_auth gets called with
> "--username="
>
> Any thoughts as to why I can't get the DOMAIN\ stripped when calling
> ntlm_auth

Although you've already solved it, FYI the reason this was failing is 
that Stripped-User-Name is only filled out by the "realm" module. You'd 
need to have added the "ntdomain" realm instance to authorize, and your 
NT domain as a local realm to proxy.conf


But the solution you have found is the correct one
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


MySQL: Group membership test

2006-05-11 Thread Michael Schwartzkopff
Hi,

As a backend database to RADIUS I use MySQL. Now I have a special problem:

I want to authorize a user for a specific service only if the user is member of 
a specific group, say "RAS_User". This configuration is necessary because 
this database is used also for other authentication/authorization.

The documentation says that the authcheck_table is being searched for the 
user and the reply items in the authrepl_table are returned for the user. I 
did not find any hint how to configure my freeradius so that the user 
is authorized to use the service only if he is member of a specific group. The 
groupcheck only adds further attributes.

In the ldap module, for instance, I can use the "groupmembership_filter".

Is there anything similar in the sql module? How can I configure freeradius or 
the sql module to test the group membership?

Thanks for any help.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MS-CHAP: what password backends can be used?

2006-05-11 Thread Alain Fauconnet
Thanks for your reply Alan,

On Thu, May 11, 2006 at 01:53:10AM -0400, Alan DeKok wrote:
> Alain Fauconnet <[EMAIL PROTECTED]> wrote:
> > I've browsed the FAQs, the mailing list archives but I have failed to
> > find a definite, clear answer to this: what kind of user/password
> > back-end can work if one is to support MS-CHAP?
> 
>   I don't see why there was no clear answer.  The answer has been
> given many, many, times, and is always the same.  MS-CHAP works with
> clear-text passwords, or with NT-Passwords.  Nothing else.

Then I must have missed it. I probably have searched for the wrong
keywords... yes, I see now in the FAQ, I should have searched for
"chap" and not "ms-chap" or "mschap". Sorry.

> 
> > I'm setting up a VPDN server on a Cisco AS5300 for Windows clients. It
> > works fine if I use PAP and no encryption. If I want to use
> > encryption, I need MS-CHAP, right?
> 
>   What kind of encryption do you mean?  There are many kinds.

This is PPTP, so the encryption is MPPE.
When you configure a Windows client for a VPN (PPTP)
connection, if you enable encryption and allow anything but MS-CHAP
and MS-CHAP-V2, it says that if anything else is used (such as PAP),
encryption will be disabled.

> 
> > Right now my FreeRADIUS server is configured to use PAM.
> 
>   Ugh.  That's not nice.  It's added complexity for no real benefit.
>

Well, I've inherited this installation and the Radius service is used
for a dozen different things so I have to be very careful not to break
anything. Anyway, why is PAM so evil by itself? It adds a layer of
abstraction and makes it a single place to tweak things if the
authentication back-ends change. I understand that it defeats any
requirement to access the cleartext passwords, though.
 
> > The master source of authentication is /etc/passwd and /etc/shadow,
> > so passwords are in MD5 format.
> 
>   MS-CHAP is impossible.

Roger that :-)

> 
> > Is there any way I can get FreeRADIUS to handle MS-CHAP authentication
> > requests from the Cisco box in this context? (i'm kind of expecting a
> > big "no" here, but I want to be sure)
> 
>   No.
> 
> > If I'm not using Samba or a domain controller, do I need cleartext
> > passwords to achieve this? where? in the "users" file only?
> 
>   The passwords can be obtained from any database.
> 
> > In radiusd.conf, the "mschap" module has parameters for a Samba
> > smpasswd format file or invoking ntlm_auth. If neither is set, where
> > does it try to get the password from? I'm confused.
> 
>   The mschap module no longer supports smbpasswd files.
> 
>   The mschap module doesn't "try" to get the password.  It just does
> ms-chap authentication.  Databases get the password, and add it to the
> RADIUS request.  See doc/aaa.txt

OK, assuming I have a smbpasswd format file somewhere (not the case now), I 
should configure the mschap *and* passwd modules, uncommenting:

#passwd etc_smbpasswd {
#   filename = /etc/smbpasswd
#   format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
#   authtype = MS-CHAP
#   hashsize = 100
#   ignorenislike = no
#   allowmultiplekeys = no
#}

is that correct?

Greets,
_Alain_
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
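An added example, not code from the thread or from FreeRADIUS, that shows why the answer quoted above ("clear-text passwords, or NT-Passwords. Nothing else.") is what it is. MS-CHAP and MS-CHAPv2 authenticate against NtPasswordHash, the MD4 of the UTF-16LE password (RFC 2759 section 8.3); a server can compute that from a cleartext password or read it from a stored NT-Password, but an MD5-crypt string from /etc/shadow, or a PAM yes/no answer, cannot be turned back into it. MD4 is implemented in pure Python here because OpenSSL-backed `hashlib` builds frequently have it disabled. The `check_items` dict, its Crypt-Password sample and the function names are constructed for the example; the functions reproduce the RFC 2759 section 9.2 vectors for user "User" / password "clientPass".

```python
"""Why MS-CHAP needs the cleartext password or the NT hash, and nothing else.

Added example, not code from the thread or from FreeRADIUS.  NtPasswordHash is
the MD4 of the UTF-16LE password (RFC 2759 section 8.3); MD4 is implemented
here in pure Python because hashlib often lacks it on OpenSSL 3 systems.
"""
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data):
    """RFC 1320 MD4 digest of `data` (bytes)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    # Message-word order for rounds 2 and 3 (RFC 1320 section 3.4).
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        # Each step updates one register and rotates the roles (A,B,C,D) -> (D,A,B,C).
        for i in range(16):
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password_hash(password):
    """NtPasswordHash (RFC 2759 8.3): MD4 over the password encoded as UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge, authenticator_challenge, username):
    """ChallengeHash (RFC 2759 8.2): first 8 bytes of SHA-1 over both challenges and the user name."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode()).digest()[:8]


def mschap_nt_hash_from_check_items(check_items):
    """What rlm_mschap can work with: an NT-Password as stored, or a cleartext
    User-Password it can hash itself.  Anything else (Crypt-Password with an
    MD5-crypt string from /etc/shadow, a PAM backend) gives it nothing to start
    from, so the function returns None.  `check_items` maps RADIUS check
    attribute names to values (constructed input, not a FreeRADIUS structure)."""
    if "NT-Password" in check_items:
        hex_value = check_items["NT-Password"]
        if hex_value.startswith("0x"):
            hex_value = hex_value[2:]
        return bytes.fromhex(hex_value)
    if "User-Password" in check_items:
        return nt_password_hash(check_items["User-Password"])
    return None


if __name__ == "__main__":
    print(nt_password_hash("password").hex())      # well-known NT hash of "password"
    print(mschap_nt_hash_from_check_items({"User-Password": "clientPass"}).hex())
    # Constructed MD5-crypt string: structurally valid, useless for MS-CHAP.
    print(mschap_nt_hash_from_check_items({"Crypt-Password": "$1$constructed$saltedhashvalue"}))
```

The rest of the MS-CHAPv2 exchange (the 24-byte NT-Response, which DES-encrypts the challenge hash under the three 7-byte slices of NtPasswordHash) is left out, but it starts from exactly this hash, which is why a backend that can only answer "correct / incorrect" for a submitted cleartext, as PAM or an MD5-crypt shadow entry does, cannot take part.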