Re: How the hell do you use multiple NOT values with rlm_checkval and sql??
Mike Jakubik <[EMAIL PROTECTED]> wrote:
> If there is a way to accomplish this outside of SQL, I'm quite open to
> suggestions. As long as I can refer to the groups which are in SQL.
> Basically, I need to be able to restrict certain user groups from
> dialing certain numbers.

Use rlm_passwd to map many dial-in numbers to one dial-in group. Then, do:

DEFAULT SQL-Group == "foo", Dial-in-group == "bar", Auth-Type := Reject

And repeat for the combinations of SQL groups & dial-in groups.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
unresponsive / radiusd - X versus rc.radius start
Hello,

I just joined the list. This is my first post. I tried to review the archives for something similar but I am not sure if I did find a way around it.

First, is there a difference running FreeRadius using:

rc.radiusd start
versus
radiusd -X

Here is my set-up. I have two winXP supplicants using TLS for authentication and one W2K using TTLS-MS-CHAPv2. My FreeRadius is running on SuSE Linux 10 and my NAS is Linksys WRT54GS running 4.71 + HyperWRT + Thibor15c (this may not make any difference).

Anyway, what is happening is that all the supplicants seem to work well using radiusd -X, however the FreeRadius server seems unresponsive after a few hours of running it with rc.radiusd start.

Please let me know if anyone sees an immediate issue with my setup, or I can provide more information if needed. I am running 1.1.2 of FreeRadius.

Thank you all for your support and this great software.
RE: Server Specs
> -Original Message-
> > It's about 200-500 simultaneous authentications.
>
> What do you mean by that? Authentications per second?

Yes.

> > I'm guessing 1ghz of cpu, 512MB of RAM, and 30gig of HD. Suggestions,
> > comments, criticisms?
>
> That should be lots.

Cool.
Re: How the hell do you use multiple NOT values with rlm_checkval and sql??
Alan DeKok wrote:
Mike Jakubik <[EMAIL PROTECTED]> wrote:

First of all, the above can be accomplished in SQL using the checkval module and the += OP. That's great and dandy until you need to specify numbers that users can NOT dial to. In any case that will not work for me, as I need to do this for each group defined in SQL, not DEFAULT for all users.

So add the group as an additional check item.

It does not work with the != OP.

This doesn't work quite the same in SQL, because the module doesn't support multiple entries.

Yes it does, just not with a logical NOT.

As I said, it's not really supported.

I installed FreeRadius because it touted SQL support, now I'm finding out the features are limited, which is disappointing.

There are few programs with unlimited features. That being said, I still think what you want is doable in FreeRADIUS. Perhaps you could try discussing the problem, rather than SQL as a solution. Odds are there's more than one way to reach the goal. If you're fixated on SQL, you may not see another solution.

If there is a way to accomplish this outside of SQL, I'm quite open to suggestions. As long as I can refer to the groups which are in SQL. Basically, I need to be able to restrict certain user groups from dialing certain numbers.
Re: Server Specs
"King, Michael" <[EMAIL PROTECTED]> wrote:
> It's about 200-500 simultaneous authentications.

What do you mean by that? Authentications per second?

> I'm guessing 1ghz of cpu, 512MB of RAM, and 30gig of HD. Suggestions,
> comments, criticisms?

That should be lots.

Alan DeKok.
Re: Auth-Type = System not working
Shane <[EMAIL PROTECTED]> wrote:
> > Read radiusd.conf, and look for "/etc/passwd". Odds are that you
> > enabled caching of /etc/passwd. There's a reason it's not enabled by
> > default, it doesn't work on FreeBSD. Which is explicitly documented.
>
> No, that isn't the cause as I have the following in radiusd.conf:
...
> unix {
>         # allowed values: {no, yes}
>         cache = no

OK...

>         # This is required for some systems, like FreeBSD,
>         # and Mac OSX.
>         passwd = /etc/passwd

Those should be commented out. Maybe radiusd doesn't have permission to call getpwent()? See the comments around the "unix" module in radiusd.conf.

Alan DeKok.
Re: processes invoked goes
"Fabio" <[EMAIL PROTECTED]> wrote:
> I am using freeradius 1.0.5,

Install 1.1.2.

Alan DeKok.
Re: Auth-Type = Reject not 'working'
[EMAIL PROTECTED] wrote:
> i know this one - but why the change in behaviour when running
> in debug mode (where it all works fine - nice 1 second timeout,
> no checking against other Authentication methods etc) compared
> to running as a real service?

The "reject_delay" not working properly is a bug.

And I'd be *very* surprised to see a request continuing against "other" authentication methods, because only one authentication method is used.

Could you explain what you mean, maybe with debug traces?

Alan DeKok.
Re: freeradius 1.1.1 and mysql issues
[EMAIL PROTECTED] wrote:
> I have tried reordering the elements in the radiusd.conf file so
> that the database is tried first, and then commented out the section
> to check the users file, and I am still having the same issues.

Re-ordering radiusd.conf won't help. The problem is the broken configuration.

1) The server is receiving an EAP request
2) You're forcing it to do Auth-Type of Local.
3) therefore it's not doing EAP, *or* Local.

Stop setting Auth-Type. You're breaking the server.

Alan DeKok.
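
The condition Alan lists above (an EAP request arriving while Auth-Type ends up as something other than EAP) can be checked mechanically in radiusd -X output. This is an added example, not part of the original post or of FreeRADIUS; the function names are hypothetical and the sample trace is constructed, modelled on the debug lines quoted in this thread.

```sh
#!/bin/sh
# Added example: flag requests in "radiusd -X" output where the packet carried
# an EAP-Message but the server then picked a non-EAP Auth-Type.

# Reads debug output on stdin; prints one line per conflicting request.
find_forced_authtype() {
    awk '
        # A new packet starts: remember its id and reset per-request state.
        /^rad_recv: / {
            id = "?"
            if (match($0, /id=[0-9]+/))
                id = substr($0, RSTART + 3, RLENGTH - 3)
            has_eap = 0
            next
        }
        # Attribute lines of the packet: note whether EAP-Message is present.
        /^[ \t]*EAP-Message = / { has_eap = 1; next }
        # The Auth-Type the server settled on after the authorize section.
        /rad_check_password:.*Found Auth-Type / {
            type = $NF
            if (has_eap && type != "EAP")
                printf "request id=%s: EAP-Message present but Auth-Type %s was used\n", id, type
        }
    '
}

# Constructed sample trace (three requests): EAP with Auth-Type Local,
# EAP with Auth-Type EAP, and a plain password request with Auth-Type Local.
sample_debug_log() {
    cat <<'EOF'
rad_recv: Access-Request packet from host 10.10.1.1:1320, id=0, length=123
        User-Name = "simon"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020a0173696d6f6e
modcall[authorize]: module "eap" returns updated for request 0
modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
rad_recv: Access-Request packet from host 10.10.1.1:1321, id=1, length=123
        User-Name = "simon"
        EAP-Message = 0x020b0173696d6f6e
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
rad_recv: Access-Request packet from host 10.10.1.2:1400, id=2, length=60
        User-Name = "simon"
        User-Password = "constructed"
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type Local
auth: type Local
EOF
}

# Stand-alone run over the constructed trace; only request id=0 is reported.
sample_debug_log | find_forced_authtype
```

To use it on a real trace, pipe the saved debug output into find_forced_authtype instead of the sample.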
Re: EAP (PEAP) problems
Drew Linsalata <[EMAIL PROTECTED]> wrote:
> Auth-Type = EAP?
>
> A few folks had mentioned to us that using the EAP auth type was a bad
> idea. Why? No idea. It seems obvious, so we'll give it a shot.

NO! Read the documentation in eap.conf for why it's a bad idea.

The solution to one broken configuration is NOT to add yet another broken configuration.

Find out where the "Auth-Type Accept" is coming from, and fix it!

Alan DeKok.
Re: EAP (PEAP) problems
Drew Linsalata wrote:
> Alan DeKok wrote:
>> Why did you add Auth-Type = Accept to the server? It's breaking EAP.
>>
>> Alan DeKok.
>
> Auth-Type = EAP?
>
> A few folks had mentioned to us that using the EAP auth type was a bad
> idea. Why? No idea. It seems obvious, so we'll give it a shot.

No. You should not have to set Auth-Type to anything, at all, except in very specialised configurations. Don't set it at all.

For example, the entry in the users file might look like:

username User-Password := "password"

...and nothing else.
Re: Re: freeradius 1.1.1 and mysql issues
Hi,

> I have tried reordering the elements in the radiusd.conf file so that the
> database is tried first, and then commented out the section to check the
> users file, and I am still having the same issues.
>
> Here is the output again:
>
> modcall: leaving group authorize (returns updated) for request 0
> rad_check_password: Found Auth-Type Local
> auth: type Local
> auth: No User-Password or CHAP-Password attribute in the request
  ^^^
> auth: Failed to validate the user.
> Login incorrect: [simon/] (from client
> linksys-434 port 56 cli 0013ce29c6d7)
  ^^

check the logs when you run NTRadPing etc - it looks like the linksys isn't sending all it needs to send.

alan
Server Specs
We're going to be setting up a few new FreeRADIUS servers on virtual hardware. The server admin is asking me what I need for specs. (Virtually, they can allocate whatever I need)

It's about 200-500 simultaneous authentications. (This is my prediction for the next 4 years, we're about 10 right now). Using NTLM-auth to talk to Active Directory, and performing PEAP.

I'm guessing 1ghz of cpu, 512MB of RAM, and 30gig of HD.

Suggestions, comments, criticisms?
Re: Auth-Type = System not working
Alan DeKok wrote:
> Maillists <[EMAIL PROTECTED]> wrote:
>> but I know 100% that the password is correct. What appears to be
>> happening (determined from hours of frustrating testing) is Freeradius
>> (rlm_unix) is looking for the users passwords in the /etc/passwd file
>> but my /etc/passwd file doesn't contain any passwords:
>>
>> test:*:1003:1003:Test User:/home/test:/bin/sh
>>
>> my /etc/master.passwd file does:
>>
>> test:$1$RlHYm4Ca$QhlYcYV7BqIjTF.UQ4pTX/:1003:1003::0:0:Test User:/home/test:/bin/sh
>
> Read radiusd.conf, and look for "/etc/passwd". Odds are that you
> enabled caching of /etc/passwd. There's a reason it's not enabled by
> default, it doesn't work on FreeBSD. Which is explicitly documented.
>
> Alan DeKok.

No, that isn't the cause as I have the following in radiusd.conf:

# Unix /etc/passwd style authentication
#
unix {
        # allowed values: {no, yes}
        cache = no

        # Reload the cache every 600 seconds (10mins). 0 to
        # disable.
        cache_reload = 600

        # This is required for some systems, like FreeBSD,
        # and Mac OSX.
        passwd = /etc/passwd
        shadow = /etc/master.passwd
        group = /etc/group

        # radwtmp = ${logdir}/radwtmp
}

I'm assuming the cache_reload=600 doesn't matter as the cache was disabled earlier in the code.

Any other things I should check to get Auth-Type = System working?

Shane
RE: RE: Re: freeradius 1.1.1 and mysql issues
There is a password in the database (in the radcheck table) associated with the username. I am also supplying both the username and password on my laptop as I am trying to connect. I currently have the Auth-Type being set (:=) to Local in the radgroupcheck table. I believe this should all be set up properly.

Simon

>>> modcall[authorize]: module "sql" returns ok for request 0
>>> modcall: leaving group authorize (returns updated) for request 0
>>> rad_check_password: Found Auth-Type Local
>>> auth: type Local
>>> auth: No User-Password or CHAP-Password attribute in the request
>>> auth: Failed to validate the user.
>>> Login incorrect: [simon/] (from client linksys-434 port 56 cli 0013ce29c6d7)
>>
>> There is no password ? Is that okay?
>>
>> You can set Auth-Type to Accept if the user is found in sql !
>> If that is what you actually want.
>>
>> Regards,
>>
>> Edvin
PEAP + Active directory
I am having a strange problem after my supplicant gets authenticated to my active directory. My supplicant is trying to get authenticated to active directory, or validating identity, every 60 mins, which disturbs the wireless connection and bothers me a lot. Is this normal, or can I set the timer to authenticate every 120 mins or whatever timing I like? I am using dynamic WEP and it has been set to change the key every 6 hours.

Any help will be really appreciated. Thanks in advance.

Kartthik
RE: Re: freeradius 1.1.1 and mysql issues
> modcall[authorize]: module "sql" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
> rad_check_password: Found Auth-Type Local
> auth: type Local
> auth: No User-Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.
> Login incorrect: [simon/] (from client linksys-434 port 56 cli 0013ce29c6d7)

There is no password ? Is that okay?

You can set Auth-Type to Accept if the user is found in sql !
If that is what you actually want.

Regards,

Edvin
RE: Re: freeradius 1.1.1 and mysql issues
Hi,

I have tried reordering the elements in the radiusd.conf file so that the database is tried first, and then commented out the section to check the users file, and I am still having the same issues.

Here is the output again:

Ready to process requests.
rad_recv: Access-Request packet from host 10.10.1.1:1320, id=0, length=123
        User-Name = "simon"
        NAS-IP-Address = 10.10.1.1
        Called-Station-Id = "0014bff3dac8"
        Calling-Station-Id = "0013ce29c6d7"
        NAS-Identifier = "0014bff3dac8"
        NAS-Port = 56
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020a0173696d6f6e
        Message-Authenticator = 0x68b3f01e605eb032281dd6c99dfd9e52
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "simon", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 0 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
radius_xlat: 'simon'
rlm_sql (sql): sql_set_user escaped user --> 'simon'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'simon' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheckWHERE Username = 'simon' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'simon' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'simon' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'simon' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreplyWHERE Username = 'simon' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'simon' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'simon' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [simon/] (from client linksys-434 port 56 cli 0013ce29c6d7)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 10.10.1.1 port 1320
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 447ef7e2
Nothing to do. Sleeping until we see a request.

As before, it still authenticates perfectly when I try it with either NTRadPing or radtest.

Thanks again,

Simon

> hi,
>
> you say it works okay with NTRadPing and that when you use an entry in users
> file it works...however
> in the log you supplied its still matching an entry in the users file - and
> the server is then
> happy to use that matching entry rather than one in the DB. the log you posted
> also shows that it
> is attempting to use the files method...and that the match told it to use
> Local authentication..the
> database query is then superfluous.
>
> alan
Re: EAP (PEAP) problems
Alan DeKok wrote:
> Why did you add Auth-Type = Accept to the server? It's breaking EAP.
>
> Alan DeKok.

Auth-Type = EAP?

A few folks had mentioned to us that using the EAP auth type was a bad idea. Why? No idea. It seems obvious, so we'll give it a shot.

--
Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation Solutions
Long Island, New York
http://www.gothambus.com
processes invoked goes
Hi,

I am using freeradius 1.0.5, configured so that when a user fails the password for X times, a mail is sent to a sysadmin.

I have added the following to modules section:

exec accept_notify {
        wait = no
        program = "/usr/local/etc/raddb/radius_reject_notify %{User-Name} accept %{FreeRADIUS-Proxied-To}"
        input_pairs = request
}

exec reject_notify {
        wait = no
        program = "/usr/local/etc/raddb/radius_reject_notify %{User-Name} reject %{FreeRADIUS-Proxied-To}"
        input_pairs = request
}

and this is my post-auth section:

post-auth {
        accept_notify
        Post-Auth-Type REJECT {
                reject_notify
        }
}

radius_reject_notify is the bash script attached.

However, when a user logs in and the script is executed, I see that the script remains in a state. After some time I see hundreds of such processes:

Output of ps -e:

13110 ? 00:00:00 radius_reject_n
13232 ? 00:00:00 radius_reject_n
13233 ? 00:00:00 radius_reject_n

Does anyone have an idea why freeradius does not close my script correctly?

Thanks,
Fabio

radius_reject_notify:

#!/bin/bash
#
# Syntax:
#
# mail_notify user access type
#   user: user name
#   access: accept or reject
#   type: accepted only if ( == FreeRADIUS-Proxied-To ) == 127.0.0.1
#
# TRY: number of retries
TRY=10
FAILED_USERS_DIR=/tmp/radius_user_fail/
MAIL_ADMINS="[EMAIL PROTECTED]"
USER_RETRY=0
CURRENT_USER=$1
ACCESS=$2

# Count one more failure for the user; mail the admins when TRY is reached.
failed() {
    mkdir -p "$FAILED_USERS_DIR"
    if [ -e "$FAILED_USERS_DIR/$CURRENT_USER" ]
    then
        USER_RETRY=`cat "$FAILED_USERS_DIR/$CURRENT_USER"`
    fi
    USER_RETRY=$(( USER_RETRY + 1 ))
    echo $USER_RETRY > "$FAILED_USERS_DIR/$CURRENT_USER"
    if (( USER_RETRY == $TRY ))
    then
        # Limit exceeded!
        send_mail
    fi
}

# A successful login clears the user's failure counter.
success() {
    if [ -e "$FAILED_USERS_DIR/$CURRENT_USER" ]
    then
        rm -f "$FAILED_USERS_DIR/$CURRENT_USER"
    fi
}

send_mail() {
    HOSTNAME=`hostname`
    env MAILRC=/dev/null [EMAIL PROTECTED] smtp=smtp.domain.com nail -n -s "RADIUS - Autentication failed $TRY times" $MAIL_ADMINS <<-END
$CURRENT_USER failed authentication for $TRY times.
END
}

# Only act on requests whose FreeRADIUS-Proxied-To is 127.0.0.1.
case $3 in
'127.0.0.1')
    case $ACCESS in
    'accept') success ;;
    'reject') failed ;;
    esac
    ;;
esac
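
Separately from the leftover-process question: the script above takes %{User-Name}, a value that arrives from the network, and uses it directly as a file name under /tmp. The following is an added example, not Fabio's code and not part of FreeRADIUS, showing the same failure counter with the name validated and a private state directory; the STATE_DIR default and all function names are assumptions, and the mail step is replaced by a printed line.

```sh
#!/bin/sh
# Added example: per-user failure counter keyed on a validated User-Name.

# Assumed location; created with mode 0700 so other local users cannot
# pre-create or read counter files (unlike a fixed directory under /tmp).
STATE_DIR="${STATE_DIR:-/var/run/radius_user_fail}"
TRY="${TRY:-10}"

# Succeeds only if $1 is safe to use as a single path component.
valid_user_key() {
    case "$1" in
        ''|.*|-*) return 1 ;;             # empty, ".", "..", dot-files, option-like
        *[!A-Za-z0-9._@-]*) return 1 ;;   # "/" and anything else off the whitelist
    esac
    [ "${#1}" -le 64 ]
}

# Increments the counter for user $1 and prints the new value.
# Returns 2 for a rejected name, 3 if the state directory or file is unusable.
record_failure() {
    rf_user=$1
    valid_user_key "$rf_user" || return 2
    ( umask 077 && mkdir -p "$STATE_DIR" ) || return 3
    rf_file="$STATE_DIR/$rf_user"
    # Refuse to follow a symlink planted where the counter should be.
    if [ -L "$rf_file" ]; then return 3; fi
    rf_count=0
    if [ -f "$rf_file" ]; then rf_count=$(cat "$rf_file"); fi
    # Treat anything that is not a plain decimal number as zero.
    case "$rf_count" in
        ''|*[!0-9]*|0?*) rf_count=0 ;;
    esac
    rf_count=$((rf_count + 1))
    ( umask 077 && printf '%s\n' "$rf_count" > "$rf_file" ) || return 3
    printf '%s\n' "$rf_count"
}

# Clears the counter for user $1 after a successful login.
record_success() {
    valid_user_key "$1" || return 2
    rm -f "$STATE_DIR/$1"
}

# Command-line use mirrors the original: <user> <accept|reject>.
if [ "$#" -ge 2 ]; then
    case "$2" in
        reject)
            if n=$(record_failure "$1") && [ "$n" -eq "$TRY" ]; then
                # Placeholder for the mail step of the original script.
                echo "notify: $1 failed authentication $TRY times"
            fi
            ;;
        accept) record_success "$1" ;;
    esac
fi
```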
revoking ca certificates
Hey All,

Any body knows how to revoke the certificates? What changes need to be done in the freeradius eap.conf file?

I'm trying to do it in the way it's given in the default config file:

openssl command to revoke the ca-certificate:

openssl ca -gencrl -keyfile ./privatekey.pem -cert cacert.pem revoke cacert.pem -out crl.pem

1. copied ca & crl to ./ directory (my ca & crl files are in current directory)
2. c_rehash ./

tls {
...
CA_file = ./cacert.pem
CA_path = ./
check_crl = yes
}

Still the server returns success for the user.

Any idea? Where am I missing the configuration? Please reply me with your info.

Thanks
Sumi

--
"If u look at what u dont have in life, u dont have anything But if u look at what u have in life, u have everything.!!"
PPPoE server + MySQL backend tutorial
plz do you have tutorial links to PPPoE server + MySQL backend?? Straightforward and easy to understand. Thanks, this tool really needs Howtos.
Re: Auth-Type = Reject not 'working'
Hi,

> # Setting this number to 0 means "send rejects immediately"
> reject_delay = 1

i know this one - but why the change in behaviour when running in debug mode (where it all works fine - nice 1 second timeout, no checking against other Authentication methods etc) compared to running as a real service?

alan
1.1.2 eap problem
Hi !

Upgrading from 1.1.1 to 1.1.2 and now I get this error message :

Thu Jun 1 12:26:22 2006 : Info: rlm_eap_tls: Loading the certificate file as a chain
Thu Jun 1 12:26:22 2006 : Error: rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
Thu Jun 1 12:26:22 2006 : Error: rlm_eap_tls: Error reading Trusted root CA list
Thu Jun 1 12:26:22 2006 : Error: rlm_eap: Failed to initialize type tls
Thu Jun 1 12:26:22 2006 : Error: radiusd.conf[10]: eap: Module instantiation failed.
Thu Jun 1 12:26:22 2006 : Error: radiusd.conf[1735] Unknown module "eap".
Thu Jun 1 12:26:22 2006 : Error: radiusd.conf[1722] Failed to parse authenticate section.

My system is a FreeBSD 6.1-Stable
Re: Auth-Type = Reject not 'working'
[EMAIL PROTECTED] wrote:
> however, when running freeradius is debug mode, with -X, the Reject reply
> message is pretty fast...though still a lot slower than an Access-Accept
> message for a valid user - even though the valid user is in a database or
> a kerberos check. I assumed that a Auth-Type := Reject was an instant hit,
> with no further procedures... why then, when run

security {
        # delayed_reject: When sending an Access-Reject, it can be
        # delayed for a few seconds. This may help slow down a DoS
        # attack. It also helps to slow down people trying to brute-force
        # crack a users password.
        #
        # Setting this number to 0 means "send rejects immediately"
        reject_delay = 1
}

> in debug mode, does FreeRADIUS happily reject the client request but when
> run as a normal process, it throws the request towards other Auth
> mechanisms?

I'm not sure about *that* aspect of it. I've never seen it. But rejects are delayed in the default config.
proxy_fail_type attribute
Hi,

I just got the last CVS update, and I discovered a "hidden" attribute in mainconfig.c, named "proxy_fail_type". By reading the source code, my understanding is that setting this attribute to "fail" (for example) in proxy.conf, and setting the value "fail" for Post-Proxy-Type in dictionary.freeradius.internal, will allow FreeRADIUS to execute a module when the proxy of a request failed (no response from server or other cases).

My 1st question:
- Am I right (or near to the truth)?

I saw that this was not shipped into 1.1.2. But this feature appeared by the end of 2004. So my 2nd and 3rd questions are:
- Has anyone used or is anyone using this feature on a production deployment?
- Is this feature planned to be shipped in 1.2.x?

Thank you in advance.

Geof.
listening interface configuration
Hi,

I am going to configure a FreeRADIUS as a RADIUS proxy. My proxy will have to listen on a couple of ports on 2 interfaces, so I set the following configuration in radiusd.conf:

listen {
        ipaddr = IP1
        port = 1812
        type = auth
}
listen {
        ipaddr = IP1
        port = 1813
        type = acct
}
listen {
        ipaddr = IP2
        port = 1812
        type = auth
}
listen {
        ipaddr = IP2
        port = 1813
        type = acct
}

When I start FreeRADIUS, I get the following

...
Listening on authentication IP1:1812
Listening on accounting IP1:1813
Listening on authentication IP2:1812
Listening on accounting IP2:1813
Listening on proxy IP1:1814
...

If I understand packets coming inside IP2, will be forwarded through IP1, right?

Is there a configuration solution to make packets coming inside IP2 to be forwarded through IP1, or is FreeRADIUS limited to only one proxy ip/port?

Thank you in advance,

Geof.
Filter attributes when proxying
Hello all

Is it possible to (easily) remove single attributes sent or received when proxying? I know it can be done with attr_filter but if you only want to remove a single attribute while leaving the rest untouched, you need pass rules for every other attribute.

It doesn't look like attr_rewrite can remove attributes. Am I wrong?

Otherwise I think this would be a nice feature to implement. The attr_filter module can easily (I think) be changed to include a variable to control whether or not passing rules are needed to allow an attribute. Currently attributes are only allowed if they don't fail any rules in attrs and pass at least one rule:

if (fail == 0 && pass > 0)

This could be changed to something like

if (fail == 0 && (pass > 0 || allow_no_match))

where a variable in the attrs file could control if passing rules are required.

Sincerely,
Martin Zuziak <[EMAIL PROTECTED]>
Re: mysql 5.0.22 with fr 1.1.2
Oh, sorry for flood, found the solution in the archives.

http://lists.freeradius.org/mailman/htdig/freeradius-users/2003-April/017789.html

[EMAIL PROTECTED] wrote:
> Hi,
>
>> while trying to compile the fr 1.1.2 with mysql 5.0.22 i got the
>> following with rlm_sq_mysql configure:
>
> you did do ./configure --with-mysql-lib-dir=/opt/mysql/lib/mysql as per
> the output bleatings, yes?
>
> alan

--
Sincerely Yours, Alexander
Re: mysql 5.0.22 with fr 1.1.2
Hi,

> while trying to compile the fr 1.1.2 with mysql 5.0.22 i got the
> following with rlm_sq_mysql configure:

you did do ./configure --with-mysql-lib-dir=/opt/mysql/lib/mysql as per the output bleatings, yes?

alan
Auth-Type = Reject not 'working'
hi,

the recent post mentioning Auth-Type = System reminded me.

if I've got a Auth-Type = Reject in the users file, then when making a request with a remote RADIUS client, the request times out when freeradius is running as a normal process daemon... on Fedora, this is running as a service with the '-y' option... however, this timeout is variable..and sometimes...just sometimes it works.

however, when running freeradius in debug mode, with -X, the Reject reply message is pretty fast...though still a lot slower than an Access-Accept message for a valid user - even though the valid user is in a database or a kerberos check. I assumed that a Auth-Type := Reject was an instant hit, with no further procedures...

why then, when run in debug mode, does FreeRADIUS happily reject the client request but when run as a normal process, it throws the request towards other Auth mechanisms?

alan
RE: freeradius rlm_sql driver problem-need help
Hi,

how did you "installed" it? From an RPM ? or have you compiled and installed it from source? Are your mysql libraries available?

Regards,
Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of Abul Monsur Mannan
Sent: Thursday, 01 June 2006 08:12
To: FreeRadius users mailing list
Subject: freeradius rlm_sql driver problem-need help

Hello FR Users

Can anybody here help me out of this problem? I installed freeradius version 1.1.1 with mysql on RH Linux Enterprise 4 ed. I've got this result

[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded SQL
 sql: driver = "/usr/local/src/freeradius-1.1.1/src/modules/rlm_sql/drivers/rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "radius"
 sql: password = "radpass"
 sql: radius_db = "radius"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgroupreply"
 sql: usergroup_table = "usergroup"
 sql: nas_table = "nas"
 sql: dict_table = "dictionary"
 sql: sqltrace = no
 sql: