Re: Username in MySQL with regexp
> DEFAULT, just like in the users file.
>
> Alan DeKok.

What do I have to set for further reply-item settings in the User-Name column? I have more than one username which should be checked against a regexp and then should reply individual items. Sorry, but I don't understand your answer :-(

Christian Meutes
systems engineer
--
claranet gmbh
internet service provider
tel +49 (0) 69 - 40 80 18 - 300
email: [EMAIL PROTECTED]
http://www.claranet.de/

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Framed-IP-Address accounted in Hex
On 6 Jul 2006, at 22:20, Alan DeKok wrote:

> Graeme Hinchliffe [EMAIL PROTECTED] wrote:
>> What would cause FreeRADIUS to output in this manner? We have surmised that if it sees a non-ASCII byte in the field it would convert the whole field into a hex representation to stop trying to write binary to the db.
>
> No, it should print out non-ASCII bytes as octal in that case. It will create octal attributes if it can't find the attribute in the dictionaries.

These are hex values, not octal, and it seems to be an intermittent thing. Example session ID:

    0x464631304646464635383230333045322d3434363938363135

The dictionaries are installed in /usr/share/freeradius where they have been since initial install on this system. The dictionary includes the rfc dictionaries at the start, which includes the Acct-Session-Id attribute.

Are dictionaries loaded each time a child is started? Or just once and then kept in memory?

Graeme
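As an added illustration of the check behind this question (not code from the list post): the helper below decodes a value that FreeRADIUS has logged in 0x hex form and reports whether any byte in it lies outside printable ASCII. Run over the Acct-Session-Id quoted in the message, it shows every byte is printable ASCII, so a non-ASCII byte is not what triggered the hex rendering in that sample. The function and variable names are my own; the second sample value is constructed for contrast.

```python
# Added example; not code from the list post. Decodes an attribute value that
# FreeRADIUS logged as 0x<hex> and checks whether any byte falls outside
# printable ASCII (0x20-0x7e). Helper names are my own.

# Value quoted in the message above (Acct-Session-Id seen in accounting output).
SAMPLE_FROM_THREAD = "0x464631304646464635383230333045322d3434363938363135"

# Constructed value with a 0xff byte in the middle, for contrast.
SAMPLE_WITH_BINARY = "0x41ff42"


def decode_hex_attribute(value: str) -> dict:
    """Decode a '0x...' attribute value.

    Returns a dict with the raw bytes, the ASCII text (None if any byte is
    non-printable) and the offset/value of every non-printable byte, so the
    reason for the hex rendering can be checked instead of guessed.
    """
    if not value.startswith("0x") or len(value) % 2:
        raise ValueError(f"not a hex-encoded attribute value: {value!r}")
    raw = bytes.fromhex(value[2:])
    non_printable = [(i, b) for i, b in enumerate(raw) if not 0x20 <= b <= 0x7E]
    text = raw.decode("ascii") if not non_printable else None
    return {"raw": raw, "text": text, "non_printable": non_printable}


def describe(value: str) -> str:
    """One-line verdict suitable for a log review note."""
    info = decode_hex_attribute(value)
    if info["text"] is not None:
        return f"{value} -> {info['text']!r}: all {len(info['raw'])} bytes are printable ASCII"
    offsets = ", ".join(f"0x{b:02x}@{i}" for i, b in info["non_printable"])
    return f"{value}: {len(info['non_printable'])} non-printable byte(s) ({offsets})"


if __name__ == "__main__":
    for v in (SAMPLE_FROM_THREAD, SAMPLE_WITH_BINARY):
        print(describe(v))
```

The thread's session ID decodes to a plain session string, so the hex rendering here cannot be explained by binary content; that is the kind of fact worth establishing before chasing dictionary-loading theories.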
Re: EAP-TTLS/PAP - LDAP for WPA2
Stefan Winter wrote:
> The thing about anonymous outer identity is that it doesn't matter what you put in there. If your real name is iamcool and your password is evencooler you can happily send foobar as Identity. Authentication will only depend on what's inside the tunneled PAP request. Most supplicants allow to specify the outer identity to your liking. That said, there is one exception: if you are using roaming, the realm part of the username must be the correct one, otherwise the request can't be routed to the correct server.

Most supplicants. So there's a chance that a supplicant might not do so?

Is the Identity in the EAP-Message in the first packet always the same as the User-Name I see in all packets?

I'm searching through my Dell wireless WLAN card utility and I'm pretty sure I can't hide it. Are Dell breaking any RFCs or other standards that I can take them up on?

This is quite worrying for me as it seems to make the setup quite insecure instead of making it more secure as I had originally hoped. Perhaps a shared key and a captive portal would provide better security. I understand the weakness, but I don't see that it would be weaker than a shared key alone, and it has the advantage of not allowing the username to be read by any arbitrary person.

Thanks for the further explanation of the RADIUS protocol - I think I will take your advice about the configuration files and leave well enough alone :)

John
Re: Radius ip pool
Hi,

(please respond to the list, not me privately. Others may have the same question)

> yes, my clients are using 802.1X. I made a DHCP server together with freeradius, but it doesn't deliver IPs. I want to know if the radius has any configuration for this, to work with a DHCP server.

In fact, others _did_ have the same question. Reading the list archives would have helped.

.1X authentication and DHCP have *nothing* to do with each other. If you have a DHCP server and it doesn't talk to your authenticated clients, that's a completely FreeRADIUS-unrelated problem.

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu       Fax: +352 422473
Session Log
Is there a session log in freeradius? I want to find out who logged on and how much time they have until their session times out. Is there such a thing?
RE: FW: mpd+freeradius+AD
Thank you so much Nikos!

-----Original Message-----
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 30, 2006 4:57 PM
To: freeradius-users@lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: FW: mpd+freeradius+AD

On Friday 30 June 2006 11:57, Егоров Сергей wrote:
> Ok, this is my users file:
>
>     test    Auth-Type := MS-CHAP
>             Framed-IP-Address = 192.168.10.65
>     DEFAULT Auth-Type := MS-CHAP
>
> And this is the freeradius log when I connect to mpd via the test account:
>
>     Login OK: [test/no User-Password attribute] (from client localhost port 0 cli 192.168.12.126)
>     Sending Access-Accept of id 121 to 127.0.0.1 port 49791
>             Framed-IP-Address = 192.168.10.65
>             MS-CHAP2-Success = 0x01533d4245433430393843434139344338323441384431463938303641384133453236394441413430
>             MS-MPPE-Recv-Key = 0x0bbdc1d49670112e799bd5a86b084808
>             MS-MPPE-Send-Key = 0x0df81127464f94a443c13e7e683f5251
>             MS-MPPE-Encryption-Policy = 0x0002
>             MS-MPPE-Encryption-Types = 0x0004
>     rad_recv: Accounting-Request packet from host 127.0.0.1:54511, id=119, length=139
>             NAS-Identifier = testradius.ion.ru
>             NAS-Port = 0
>             NAS-Port-Type = Virtual
>             Service-Type = Framed-User
>             Framed-Protocol = PPP
>             Calling-Station-Id = 192.168.12.126
>             User-Name = test
>             Framed-IP-Address = 192.168.10.12
>             Acct-Status-Type = Start
>             Acct-Session-Id = 1652038-pptp0
>             Acct-Multi-Session-Id = 1652038-pptp0
>             Acct-Link-Count = 1
>             Acct-Authentic = RADIUS
>     Sending Accounting-Response of id 119 to 127.0.0.1 port 54511
>
> In this log freeradius said that account test is OK, and his address is 192.168.10.65. But mpd replaces it with its own. How could I improve it?

use radius-ip
read more here /usr/local/share/doc/mpd/mpd22.html

> -----Original Message-----
> From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 29, 2006 7:05 PM
> To: Undisclosed.Recipients
> Cc: Егоров Сергей
> Subject: Re: FW: mpd+freeradius+AD
>
> On Thursday 29 June 2006 15:28, Егоров Сергей wrote:
>>> This is Framed-IP-Address in radius dialect.
>>
>> Thanks for explaining freeradius basic concepts. I understood that to assign an IP to a user I should use the freeradius users file. But I couldn't configure it correctly. Now I have only one line in this file:
>>
>>     DEFAULT Auth-Type := MS-CHAP
>>
>> I've added another string (for user test), but it doesn't work correctly:
>>
>>     test Auth-Type := MS-CHAP,
>
> Try without the comma, run the server in debug mode (radiusd -X) and use radclient.
>
>>          Framed-IP-Address = 192.168.10.65,
>
> I think you can put this in AD. Don't know...
>
>> What should I fix?
>>
>> -----Original Message-----
>> From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, June 26, 2006 5:09 PM
>> To: freeradius-users@lists.freeradius.org
>> Cc: Егоров Сергей
>> Subject: Re: mpd+freeradius+AD
>>
>> On Monday 26 June 2006 14:04, Егоров Сергей wrote:
>>> Thanks for reply.
>>>
>>>> You can use one of the three firewalls available in the base system (ipfw, ipf and pf); however mpd comes with a small dictionary that uses ipfw(8) and you can easily define some filter bound to an interface (bound to a username) via a radius reply attribute, let filter be a pipe (for bandwidth control) or a packet filtering expression.
>>>
>>> That's fine for filtering vpn users' access to the local net. But how could I assign a specific IP for a specific user in AD?
>>
>> Your questions don't clearly tell where your problem is. Active Directory? mpd? or FreeRADIUS? You should define them better in order to get help from the list.
>>
>>> My goal is to replace the VPN server, based on win2003, with a FreeBSD one. WIN 2003 can do 1 and 2 in my questions, so I have to realize how to set this up in mpd + freeradius. I already authenticate users from the AD group:
>>>
>>>     ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=EXAMPLE+VPN_Allowed
>>>
>>> But I have several vpn groups and need to set up timeouts on each one.
>>
>> setup timeout? This looks like Session-Timeout in radius dialect.
>>
>>> Also I need to assign a specific IP for a specific user in AD.
>>
>> This is Framed-IP-Address in radius dialect.
>>
>>> Looks like FreeRadius should respond for this.
>>
>> Yes, you have to have a basic understanding of what radius is. All of these are very basic setup.
>>
>>> I don't know how FreeRADIUS interacts with AD and what info it should get from AD.
>>
>> So, try searching (or asking) for active directory and FreeRADIUS. Keep the mpd part out of it, since it will add unneeded complexity. Or perhaps start from setting up mpd and FreeRADIUS. And then you could add AD.
>>
>> A few suggestions,
>> Nikos
Re: EAP-TTLS/PAP - LDAP for WPA2
> Most supplicants. So there's a chance that a supplicant might not do so?

Yes. It's implementation-specific. The Win XP built-in supplicant for example does not do it.

> Is the Identity in the EAP-Message in the first packet always the same as the User-Name I see in all packets?

Yes, that's what the RFC demands.

> I'm searching through my Dell wireless WLAN card utility and I'm pretty sure I can't hide it. Are Dell breaking any RFCs or other standards that I can take them up on?

No. It's optional. If Dell doesn't do it, bad luck. But you can always install a supplicant that does it, for example at www.securew2.com (very nice supplicant, IMO).

> This is quite worrying for me as it seems to make the setup quite insecure instead of making it more secure as I had originally hoped. Perhaps a shared key and a captive portal would provide better security. I understand the weakness, but I don't see that it would be weaker than a shared key alone, and it has the advantage of not allowing the username to be read by any arbitrary person.

Uh. You should consider that you will have _no_ link-layer encryption when using captive portals. And connections can be hijacked. And with a shared key, you have no accountability. And the shared key will flow over the net unencrypted, so anyone can pick it up and abuse your network.

OTOH, what's so secret about a user name? User names are the _public_ parts of credentials; it's the passwords that are critical. If you really don't want usernames to be important at all, use EAP-TLS. The client certificate will identify you, no matter what garbage you put into the user name.

Captive portals are a step back with regards to security.

Greetings,

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu       Fax: +352 422473
RE: 802.1x authentication
Hi, all:

To further describe my challenge, here is debugging output from freeradius. One line says "rlm_eap: Failed in EAP select". I must have set up eap wrong. Could anyone help me out here? Btw, in the following example, user TRPZEDU\\jfan tries to authenticate through 802.1x. Thanks.

Jin

    rad_recv: Access-Request packet from host 192.168.3.26:2, id=89, length=157
            NAS-Port-Id = 1/1
            Calling-Station-Id = 00-0B-BE-D4-50-46
            Called-Station-Id = 00-0B-0E-13-74-C0:hotspot
            Service-Type = Framed-User
            User-Name = TRPZEDU\\jfan
            State = 0xdcfe3f22dc8680c7b0e05b3d498b6090
            EAP-Message = 0x020200060319
            NAS-Identifier = Trapeze
            NAS-Port-Type = Wireless-802.11
            NAS-IP-Address = 192.168.3.26
            Message-Authenticator = 0xc846da111c9f48b4a5570fff318767a2
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 6
      modcall[authorize]: module preprocess returns ok for request 6
      modcall[authorize]: module chap returns noop for request 6
      modcall[authorize]: module mschap returns noop for request 6
        rlm_realm: No '@' in User-Name = TRPZEDU\jfan, looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module suffix returns noop for request 6
      rlm_eap: EAP packet type response id 2 length 6
      rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
      modcall[authorize]: module eap returns updated for request 6
        users: Matched entry DEFAULT at line 152
        users: Matched entry DEFAULT at line 171
        users: Matched entry TRPZEDU\jfan at line 228
      modcall[authorize]: module files returns ok for request 6
    radius_xlat: 'TRPZEDU\\jfan'
    rlm_sql (sql): sql_set_user escaped user -- 'TRPZEDU\\jfan'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'TRPZEDU=5C=5C=5C=5Cjfan' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 3
    rlm_sql (sql): User TRPZEDU\\jfan not found in radcheck
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'TRPZEDU=5C=5C=5C=5Cjfan' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'TRPZEDU=5C=5C=5C=5Cjfan' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    rlm_sql (sql): User TRPZEDU\\jfan not found in radgroupcheck
    rlm_sql (sql): User not found
    rlm_sql (sql): Released sql socket id: 3
      modcall[authorize]: module sql returns notfound for request 6
    modcall: group authorize returns updated for request 6
      rad_check_password: Found Auth-Type EAP
    auth: type EAP
      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 6
      rlm_eap: Request found, released from the list
      rlm_eap: EAP NAK
      rlm_eap: EAP-NAK asked for EAP-Type/peap
      rlm_eap: No such EAP type peap
      rlm_eap: Failed in EAP select
      modcall[authenticate]: module eap returns invalid for request 6
    modcall: group authenticate returns invalid for request 6
    auth: Failed to validate the user.
    Delaying request 6 for 1 seconds
    Finished request 6
    Going to the next request
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 89 to 192.168.3.26:2
            EAP-Message = 0x04020004
            Message-Authenticator = 0x
            Trapeze-VLAN-Name = vlan10
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 5 ID 88 with timestamp 44ae6d5d
    Cleaning up request 6 ID 89 with timestamp 44ae6d5d
    Nothing to do. Sleeping until we see a request.

From: [EMAIL PROTECTED] on behalf of Jin Fan
Sent: Thu 7/6/2006 5:22 PM
To: FreeRadius users mailing list
Subject: 802.1x authentication

Hi, All:

I need some pointers on how to set up 802.1x (PEAP/MSCHAP v.2) authentication in freeradius. Generating certificates? Modifying configurations?

Jin
Error: rlm_sql_mysql: MYSQL Error
Hi all,

I am using freeradius 1.1.0. The backend is mysql 5.0.22, which is located on a different server on the same network. My configuration is as follows: I am doing some stress testing to benchmark my infrastructure. I use SIPp for the same. The SIPp sends the calls to a cisco gateway, the cisco gateway sends the authentication request to the freeradius server. The radius server queries the mysql database, and once the authentication is successful and the call is completed, the accounting request is also passed to the radius server by cisco, which in turn is sent to the mysql database.

Now I kept the SIPp at a rate of 45 calls per second, but after say 10 to 15 minutes the radius server dies. This is the message I could see in the log:

    rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
    Error: rlm_sql_mysql: MYSQL Error: Cannot get result
    Fri Jul  7 14:18:46 2006 : Error: rlm_sql_mysql: MYSQL Error:
    Fri Jul  7 14:18:46 2006 : Error: rlm_sql_mysql: MYSQL Error: No Fields
    Fri Jul  7 14:18:46 2006 : Error: rlm_sql_mysql: MYSQL error:
    Fri Jul  7 14:18:46 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
    Fri Jul  7 14:18:46 2006 : Error: rlm_sql (sql): failed after re-connect.

I tried googling the archive but could not get a proper solution.

One more thing: I had configured rlm_mysql using the following command:

    ./configure --without-thread

Could this be a cause of some problem? I did this as the radius was not finding the mysql libraries.

Can someone please help on this. Thanks in advance.

w/regards,
Jayesh Nambiar
Re: EAP-TTLS/PAP - LDAP for WPA2
Stefan Winter wrote:
>> I'm searching through my Dell wireless WLAN card utility and I'm pretty sure I can't hide it. Are Dell breaking any RFCs or other standards that I can take them up on?
>
> No. It's optional. If Dell doesn't do it, bad luck. But you can always install a supplicant that does it, for example at www.securew2.com (very nice supplicant, IMO).

I'm very impressed. I installed this and all of my complaints and concerns are answered! Now, I'm assuming and hoping the Linux wpa supplicant also supports this...

> Uh. You should consider that you will have _no_ link-layer encryption when using captive portals. And connections can be hijacked. And with a shared key, you have no accountability. And the shared key will flow over the net unencrypted, so anyone can pick it up and abuse your network.
>
> OTOH, what's so secret about a user name? User names are the _public_ parts of credentials; it's the passwords that are critical. If you really don't want usernames to be important at all, use EAP-TLS. The client certificate will identify you, no matter what garbage you put into the user name.
>
> Captive portals are a step back with regards to security.

Well, I was going to use WPA2 with a preshared key, which would provide the link-layer encryption (as I understand it), but then require a username and password as another step in case the key got leaked. You're right about the accountability, but are you sure about the shared key going over the net unencrypted? This doesn't sound right...

Since we're talking about our LDAP directory, which we use for pretty much *everything*, having a list of usernames gives an attacker a starting point for trying brute force attacks. This could also be used as a starting point for identity theft or spamming.

EAP-TLS probably is the most secure way to do things, though it does require installing certs. I'll definitely be giving it consideration.

Thanks again for all your help - I'm feeling pretty happy with my setup now,

John
Re: EAP-TTLS/PAP - LDAP for WPA2
Hi,

> I'm very impressed. I installed this and all of my complaints and concerns are answered! Now, I'm assuming and hoping the Linux wpa supplicant also supports this...

Sure thing :-) It's Free Open Source Software after all :-)

>> Uh. You should consider that you will have _no_ link-layer encryption when using captive portals. And connections can be hijacked. And with a shared key, you have no accountability. And the shared key will flow over the net unencrypted, so anyone can pick it up and abuse your network.
>>
>> OTOH, what's so secret about a user name? User names are the _public_ parts of credentials; it's the passwords that are critical. If you really don't want usernames to be important at all, use EAP-TLS. The client certificate will identify you, no matter what garbage you put into the user name.
>>
>> Captive portals are a step back with regards to security.
>
> Well, I was going to use WPA2 with a preshared key, which would provide the link-layer encryption (as I understand it), but then require a username and password as another step in case the key got leaked. You're right about the accountability, but are you sure about the shared key going over the net unencrypted? This doesn't sound right...

You would need to have the user enter his username and password on the captive portal server. From there on up to the RADIUS server, it would be clear text (unless you do some black magic with a PAP to EAP-TTLS gateway, which is possible, but no fun). The wireless link would be encrypted though, so it wouldn't be as bad as *just* the captive portal.

> Since we're talking about our LDAP directory, which we use for pretty much *everything*, having a list of usernames gives an attacker a starting point for trying brute force attacks. This could also be used as a starting point for identity theft or spamming.

That's pretty much arguable. If you indeed use that username for everything, the probability that it is spied as the user enters it somewhere, leaves it on a scrap of paper, tells it to his best friend while having a beer etc. is *far* higher than someone sniffing IP traffic between your supplicant and your RADIUS server. Unless the RADIUS server is at the other end of the world.

> EAP-TLS probably is the most secure way to do things, though it does require installing certs. I'll definitely be giving it consideration.

That's for the hardcore paranoid people, right. But if you are happy with SecureW2 and EAP-TTLS: that's perfectly fine.

> Thanks again for all your help - I'm feeling pretty happy with my setup now,

Great!

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Re: Standalone FreeRadius EAP-SIM Configuration Recipe?
Duncan Glendinning [EMAIL PROTECTED] wrote:
> I'm attempting to configure FreeRadius to use EAP-SIM, in a standalone fashion (i.e., the GSM tuples are stored locally). Does a 'recipe' exist to appropriately FreeRadius to do so?

Not really, sorry.

Alan DeKok.
Re: Framed-IP-Address accounted in Hex
Graeme Hinchliffe [EMAIL PROTECTED] wrote:
> These are hex values, not octal, and it seems to be an intermittent thing.

Dang. Those bugs are hard to track down.

> Are dictionaries loaded each time a child is started? Or just once and then kept in memory?

The server doesn't start any children. The dictionaries are loaded once, and cached as long as it's running.

Alan DeKok.
Re: Session Log
fvt3 [EMAIL PROTECTED] wrote:
> Is there a session log in freeradius? I want to find out who logged on and how much time they have until their session times out. Is there such a thing?

    $ man radwho

Alan DeKok.
Re: 802.1x authentication
Jin Fan [EMAIL PROTECTED] wrote:
> To further describe my challenge, here is debugging output from freeradius. One line says "rlm_eap: Failed in EAP select".

The *important* message is:

    rlm_eap: EAP-NAK asked for EAP-Type/peap
    rlm_eap: No such EAP type peap

The client is asking for PEAP, and you didn't configure the server to do PEAP.

Alan DeKok.
rlm_sql variable substitution clarification
I have run into an issue where we now have different types of NAS servers. I would like to use %{Connect-Info} if available, or a string formatted from two attributes like:

    D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}

This is how I tried to do it:

    ConnectInfo_stop = \
        '%{Connect-Info:-D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}}'

This is what I get when %{Connect-Info} is not available:

    D_X

I haven't seen any examples where two attributes are combined to make one attribute.

Thanks
Re: rlm_sql variable substitution clarification
On Fri, 2006-07-07 at 11:02 -0600, Guy Fraser wrote:
> I have run into an issue where we now have different types of NAS servers. I would like to use %{Connect-Info} if available, or a string formatted from two attributes like:
>
>     D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}
>
> This is how I tried to do it:
>
>     ConnectInfo_stop = \
>         '%{Connect-Info:-D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}}'
>
> This is what I get when %{Connect-Info} is not available:
>
>     D_X
>
> I haven't seen any examples where two attributes are combined to make one attribute.
>
> Thanks

I figured it out when running debug for some other reason, sorry for the stupid question.

Reason:

    X-Ascend-Disconnect-Cause = PPP-Rcv-Terminate-Req
    X-Ascend-Connect-Progress = LAN-Session-Up
    X-Ascend-Data-Rate = 26400
    X-Ascend-PreSession-Time = 32
    X-Ascend-Pre-Input-Octets = 364
    X-Ascend-Pre-Output-Octets = 253
    X-Ascend-Pre-Input-Packets = 15
    X-Ascend-Pre-Output-Packets = 13
    X-Ascend-First-Dest = 209.115.142.9
    X-Ascend-Xmit-Rate = 26400
    X-Ascend-Modem-PortNo = 21
    X-Ascend-Modem-SlotNo = 16
    X-Ascend-Modem-ShelfNo = 1

The attributes are not named like they were in Cistron dictionaries. They all start with X-.

Thanks anyway.
Re: rlm_sql variable substitution clarification
On Fri, 2006-07-07 at 11:19 -0600, Guy Fraser wrote:
> On Fri, 2006-07-07 at 11:02 -0600, Guy Fraser wrote:
>> I have run into an issue where we now have different types of NAS servers. I would like to use %{Connect-Info} if available, or a string formatted from two attributes like:
>>
>>     D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}
>>
>> This is how I tried to do it:
>>
>>     ConnectInfo_stop = \
>>         '%{Connect-Info:-D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}}'
>>
>> This is what I get when %{Connect-Info} is not available:
>>
>>     D_X
>>
>> I haven't seen any examples where two attributes are combined to make one attribute.
>>
>> Thanks
>
> I figured it out when running debug for some other reason, sorry for the stupid question.
>
> Reason:
>
>     X-Ascend-Disconnect-Cause = PPP-Rcv-Terminate-Req
>     X-Ascend-Connect-Progress = LAN-Session-Up
>     X-Ascend-Data-Rate = 26400
>     X-Ascend-PreSession-Time = 32
>     X-Ascend-Pre-Input-Octets = 364
>     X-Ascend-Pre-Output-Octets = 253
>     X-Ascend-Pre-Input-Packets = 15
>     X-Ascend-Pre-Output-Packets = 13
>     X-Ascend-First-Dest = 209.115.142.9
>     X-Ascend-Xmit-Rate = 26400
>     X-Ascend-Modem-PortNo = 21
>     X-Ascend-Modem-SlotNo = 16
>     X-Ascend-Modem-ShelfNo = 1
>
> The attributes are not named like they were in Cistron dictionaries. They all start with X-.
>
> Thanks anyway.

Foiled again :^(

I changed it to:

    ConnectInfo_stop = \
        '%{Connect-Info:-D%{X-Ascend-Data-Rate}_X%{X-Ascend-Xmit-Rate}}'

Now I get stuff like:

    D26400

Help would still be appreciated.
Re: rlm_sql variable substitution clarification
Guy Fraser [EMAIL PROTECTED] wrote:
> The attributes are not named like they were in Cistron dictionaries. They all start with X-.

There's still a bug: Reply-Message = `%{Reply-Message:-x%{User-Password}x}` returns xbob for the standard test of user bob/bob. Patch is given below.

Index: src/main/xlat.c === RCS file: /source/radiusd/src/main/xlat.c,v retrieving revision 1.72.2.7.2.1 diff -u -r1.72.2.7.2.1 xlat.c --- src/main/xlat.c 8 Dec 2005 12:47:56 - 1.72.2.7.2.1 +++ src/main/xlat.c 7 Jul 2006 18:24:08 - @@ -533,7 +533,7 @@ * useless if we found what we need */ if (found) { - while((*p != '\0') (openbraces 0)) { + while((*p != '\0') (openbraces *open)) { /* * Handle escapes outside of the loop. */

Alan DeKok.
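Review bot: the hunk as quoted cannot be applied as-is, because the operators in both the removed and the added `while` conditions are missing: `(*p != '\0') (openbraces 0)` and `(*p != '\0') (openbraces *open)` have no logical operator between the two tests and no comparison between `openbraces` and `0` or `*open`, so they were evidently lost in transit; please confirm the intended condition or resend the patch as an attachment. On the change itself, stopping the scan when `openbraces` returns to the depth recorded in `*open` rather than to the literal `0` is what lets a default such as `x%{User-Password}x` continue past the nested `%{User-Password}` to its own closing brace, which is the `xbob` rather than `xbobx` symptom described above; a short comment on what `*open` holds at that point, and a test covering a default with two nested references like the `D%{X-Ascend-Data-Rate}_X%{X-Ascend-Xmit-Rate}` case from this thread, would make the fix easier to verify.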
Re: rlm_sql variable substitution clarification
On Fri, 2006-07-07 at 14:18 -0400, Alan DeKok wrote:
> Guy Fraser [EMAIL PROTECTED] wrote:
>> The attributes are not named like they were in Cistron dictionaries. They all start with X-.
>
> There's still a bug: Reply-Message = `%{Reply-Message:-x%{User-Password}x}` returns xbob for the standard test of user bob/bob. Patch is given below.
>
> Index: src/main/xlat.c === RCS file: /source/radiusd/src/main/xlat.c,v retrieving revision 1.72.2.7.2.1 diff -u -r1.72.2.7.2.1 xlat.c --- src/main/xlat.c 8 Dec 2005 12:47:56 - 1.72.2.7.2.1 +++ src/main/xlat.c 7 Jul 2006 18:24:08 - @@ -533,7 +533,7 @@ * useless if we found what we need */ if (found) { - while((*p != '\0') (openbraces 0)) { + while((*p != '\0') (openbraces *open)) { /* * Handle escapes outside of the loop. */
>
> Alan DeKok.

Thank you, I'll give it a shot.
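As an added example, and not FreeRADIUS's own xlat code: a small Python model of the %{Attribute:-default} expansion this thread is about. The correct scan runs the default text out to the brace matching the one that opened it, so nested references inside the default are expanded and the text after them is kept; a switchable mode cuts the default at the first '}' encountered, which reproduces both the `xbob` and the `D26400` results reported above. The templates and attribute values are the ones from the thread; the helper names and the symptom model are my assumptions.

```python
# Added example, not FreeRADIUS's own xlat code: a model of %{Attr:-default}
# expansion. The templates and attribute values are the ones from this thread;
# the helper names and the "buggy" scan model are my assumptions.


def _matching_brace(s: str, open_idx: int) -> int:
    """Index of the '}' matching the '{' at s[open_idx], honouring nesting."""
    depth = 0
    for i in range(open_idx, len(s)):
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError(f"unbalanced braces in xlat string: {s!r}")


def _split_default(inner: str):
    """Split 'Name:-default' at the first ':-' not inside a nested %{...}."""
    depth = 0
    for i in range(len(inner) - 1):
        if inner[i] == "{":
            depth += 1
        elif inner[i] == "}":
            depth -= 1
        elif depth == 0 and inner[i:i + 2] == ":-":
            return inner[:i], inner[i + 2:]
    return inner, None


def expand(template: str, attrs: dict, buggy: bool = False) -> str:
    """Expand %{Attr} and %{Attr:-default} references in template.

    buggy=False: the default runs to the '}' matching the opening brace, so
    nested references inside it are expanded and trailing text is kept.
    buggy=True:  the default is cut at the first '}' after it begins, a model
    of the symptom reported on the list (text after a nested %{...} inside
    the default is lost). A missing attribute with no default expands to the
    empty string, which is what produced the "D_X" result earlier in the thread.
    """
    out = []
    i = 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        close = _matching_brace(template, i + 1)
        name, default = _split_default(template[i + 2:close])
        value = attrs.get(name)
        if value is None:
            value = ""
            if default is not None:
                if buggy:
                    dstart = i + 2 + len(name) + 2      # first char after ':-'
                    first_close = template.find("}", dstart)
                    if first_close < close:
                        default = template[dstart:first_close + 1]
                value = expand(default, attrs, buggy)
        out.append(value)
        i = close + 1
    return "".join(out)


if __name__ == "__main__":
    # Accounting attributes from the thread: an Ascend NAS that sends no Connect-Info.
    ascend = {"X-Ascend-Data-Rate": "26400", "X-Ascend-Xmit-Rate": "26400"}
    tmpl = "%{Connect-Info:-D%{X-Ascend-Data-Rate}_X%{X-Ascend-Xmit-Rate}}"
    print("fixed scan       :", expand(tmpl, ascend))
    print("first-brace scan :", expand(tmpl, ascend, buggy=True))
    print("with Connect-Info:", expand(tmpl, {"Connect-Info": "CONNECT 802.11", **ascend}))
```

The split on `:-` has to respect nesting as well, otherwise an attribute reference such as `%{mschap:Challenge:-00}` (seen in the ntlm_auth line earlier on this page) or a default that itself contains a `:-` would be cut in the wrong place.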
Radius + 802.1X
Hi,

I posted 2 messages, "Radius + Dhcp" and "Radius with ip pool", but from these answers I learned that radius doesn't have anything to do with DHCP, and ip pool works with PPP connections. But I need to deliver IPs to my clients; they use wifi hardware 802.1X. Why do I deliver IPs for them? My freeradius works ok, and I put DHCP to work together, but it doesn't work. Can anyone answer this for me? Does anyone have any experience with it?

Thanks.

Emerson
Re: Radius + 802.1X
Emerson [EMAIL PROTECTED] wrote:
> My freeradius works ok, and I put DHCP to work together, but it doesn't work. Can anyone answer this for me?

Ask on a DHCP list.

Alan DeKok.
Questions about debug output
I have a few questions about the debug output from an ultimately successful EAP-TTLS-CHAP authentication. Consider this snippet:

    ...
    rad_recv: Access-Request packet from host 192.168.1.228:1045, id=210, length=166
            User-Name = anonymous
            NAS-IP-Address = 192.168.1.228
            Connect-Info = CONNECT 802.11
            Called-Station-Id = 000b6b8c03f9
            Calling-Station-Id = 00146c6f2e75
            NAS-Identifier = 00-14-6c-6f-2e-75
            NAS-Port-Type = Wireless-802.11
            NAS-Port = 15
            NAS-Port-Id = 15
            Framed-MTU = 1400
            State = 0x656cef9c49bb7e305b809bc113ece6c4
            EAP-Message = 0x020700061500
            Message-Authenticator = 0xfd14176dee74fed4980d51bbf880b8a6
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 4
      modcall[authorize]: module preprocess returns ok for request 4
      modcall[authorize]: module chap returns noop for request 4
      modcall[authorize]: module mschap returns noop for request 4
        rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module suffix returns noop for request 4
      rlm_eap: EAP packet type response id 7 length 6
      rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
      modcall[authorize]: module eap returns updated for request 4
        users: Matched entry DEFAULT at line 173
    ...

1. First, what does this mean: "module chap returns noop for request 3"? My client uses CHAP, so why doesn't chap, here, return ok? What does noop mean?

2. I read in a comment in the out-of-the-box eap.conf file that it is customary to specify "anonymous" for the name of the user 'outside' of the tunnel with ttls { use_tunneled_reply = yes }. Is the User-Name field in the above Access-Request this outside user name?

3. Is the User-Name in the Access-Request the same as what I've seen called the outer identity?

4. Is just using "anonymous" okay? Should I include a realm, e.g., [EMAIL PROTECTED]? Is there something I lose by not specifying a realm in User-Name (everything seems to work okay so far)?

5. What does "No EAP Start" mean?

6. Why does modcall[authorize] say "Matched entry DEFAULT at line 173" here and in the subsequent challenge response (not shown), whereas later in the challenge response it says "Matched entry plong at line 76" (plong is the name part of the inner identity, if I'm using the terminology correctly)?

Paul
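As an added example, not part of Paul's message or of the earlier 802.1x thread: a decoder for the EAP-Message attribute values that appear in both debug dumps on this page, following the EAP header layout of RFC 3748 (code, identifier, length, type) and treating an empty EAP-Message as the EAP-Start signal of RFC 3579. It shows in the bytes what the server's "EAP packet type response id 7 length 6", "EAP-NAK asked for EAP-Type/peap" and "No EAP Start" lines are reporting. The type-number table and the three sample values are real; the fourth sample and the function names are mine.

```python
# Added example, not from the list posts: decode EAP-Message attribute values
# as they appear in radiusd -X output. Header layout per RFC 3748 (code, id,
# length, type); an empty EAP-Message is the EAP-Start signal of RFC 3579.
# Function names are mine; the sample values are the ones on this page.

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 18: "SIM", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def decode_eap_message(value: str) -> dict:
    """Decode one EAP-Message attribute value written as 0x<hex>."""
    if not value.startswith("0x"):
        raise ValueError(f"expected 0x-prefixed value, got {value!r}")
    raw = bytes.fromhex(value[2:])
    if not raw:
        # RFC 3579 s2.1: an EAP-Message with no data is an EAP-Start from the NAS.
        return {"eap_start": True}
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != attribute length {len(raw)}")
    info = {"eap_start": False, "code": EAP_CODES.get(code, f"unknown({code})"),
            "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = raw[4]
        data = raw[5:]
        info["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 3:
            # Nak: the peer rejects the offered method and lists the ones it wants.
            info["desired_types"] = [EAP_TYPES.get(b, f"unknown({b})") for b in data]
        elif eap_type == 1 and code == 2:
            # Response/Identity carries the outer identity as text.
            info["identity"] = data.decode("utf-8", errors="replace")
        else:
            info["data"] = data.hex()
    return info


def summarize(value: str) -> str:
    """One line per attribute value, in the order the debug output shows them."""
    info = decode_eap_message(value)
    if info["eap_start"]:
        return f"{value}: EAP-Start (empty EAP-Message)"
    parts = [f"{info['code']} id={info['id']} len={info['length']}"]
    if "type" in info:
        parts.append(f"type={info['type']}")
    if "desired_types" in info:
        parts.append("wants=" + ",".join(info["desired_types"]))
    if "identity" in info:
        parts.append(f"identity={info['identity']!r}")
    return f"{value}: " + " ".join(parts)


if __name__ == "__main__":
    for v in ("0x020200060319",   # 802.1x thread: client NAKs, asks for PEAP
              "0x04020004",       # 802.1x thread: Access-Reject carries EAP Failure
              "0x020700061500",   # this thread: TTLS response, an ongoing conversation
              "0x"):              # constructed: what an EAP-Start looks like
        print(summarize(v))
```

The outer identity Paul asks about is what a Response/Identity packet carries in its data bytes; the later packets in a conversation, like the TTLS response above, identify the user only through the State attribute and the tunnel, which is why the server reports "No EAP Start, assuming it's an on-going EAP conversation" for them.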