CHAP, LDAP and MS AD
I just wanted to confirm what I have researched and found to be 'not feasible'. Using CHAP authentication with Microsoft Active Directory is not possible without modifying the Active Directory to store a plain-text version of the password. MS-CHAP is an option but must be supported on the client end, using ntlm_auth. I ask as I am trying to pursue the path of getting the end client to use PAP, but wanted to get my facts straight first. Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Local groups in FreeRadius ?
Alan,

I'm using the man rlm_passwd examples and the examples within radiusd.conf and still I can't manage to make User-Group membership work.

Here's my config, in radiusd.conf:

    passwd MyGroup {
        filename = /etc/MyGroup
        format = ~Group-Name:::*,User-Name
        hashsize = 50
        ignoreislike = yes
        allowmultiplekeys = yes
        delimiter = :
    }

    # Similar configuration, for the /etc/group file. Adds a Group-Name
    # attribute for every group that the user is member of.
    #
    #passwd etc_group {
    #    filename = /etc/group
    #    format = =Group-Name:::*,User-Name
    #    hashsize = 50
    #    ignorenislike = yes
    #    allowmultiplekeys = yes
    #    delimiter = :
    #}

My /etc/MyGroup file:

    FIGrp:::*,Ami
    FIGrp:::*,John

My users file:

    Ami Auth-Type := Local, Pool-Name := FITest, User-Password == ami123
        Reply-Message = Hello, %u,
        Service-Type = Framed-User,
        Framed-Protocol = PPP

    FIGrp Auth-Type := Local
        Reply-Message = Hello from Group, %u

My dictionary file:

    #ATTRIBUTE My-Local-String 3000 string
    #ATTRIBUTE My-Local-IPAddr 3001 ipaddr
    #ATTRIBUTE My-Local-Integer 3002 integer
    ATTRIBUTE My-Group 3003 string

When I start radiusd -X:

Starting - reading configuration files ...
reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = /usr/local main: localstatedir = /usr/local/var main: logdir = /usr/local/var/log/radius main: libdir = /usr/local/lib main: radacctdir = /usr/local/var/log/radius/radacct main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /usr/local/var/log/radius/radius.log main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = /usr/local/var/run/radiusd/radiusd.pid main: user = (null) main: group = (null) main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/local/sbin/checkrad main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? 
Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = (null) mschap: ntlm_auth = (null) Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = (null) unix: shadow = (null) unix: group = (null) unix: radwtmp = /usr/local/var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = md5 eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = /usr/local/etc/raddb/huntgroups preprocess: hints = /usr/local/etc/raddb/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = suffix realm: delimiter = @ realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = /usr/local/etc/raddb/users files: acctusersfile = /usr/local/etc/raddb/acct_users files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users files: compat = no Module: Instantiated files (files) Module: Loaded
freeRADIUS doc
Hi all, I'm trying to access freeRaDIUS doc section (http://www.freeradius.org/radiusd/doc/), but I got a Forbidden access message. Is this section accessible to normal users? Best regards, Carlo
A few clarifications on EAP-TTLS
Hello,

I'm using freeradius 1.1.2 with eap-ttls. I have read that I can use EAP-TTLS in a transparent way for the client, that is, without using client-side certificates and without installing other software, since EAP-TTLS supports legacy authentication systems (I'm using a walled garden and I can't install anything on the clients). So I've configured eap.conf (I've just uncommented these few lines in the default configuration):

    tls {
        private_key_password = whatever
        private_key_file = /etc/mycerts/cert-srv.pem
        certificate_file = /etc/mycerts/cert-srv.pem
        CA_file = /etc/mycerts/root.pem
        dh_file = /etc/mycerts/dh
        random_file = /etc/mycerts/random
        fragment_size = 1024
        include_length = yes
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }

And this is the output of radiusd -X:

Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = /usr/local main: localstatedir = /usr/local/var main: logdir = /usr/local/var/log/radius main: libdir = /usr/local/lib main: radacctdir = /usr/local/var/log/radius/radacct main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /usr/local/var/log/radius/radius.log main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = /usr/local/var/run/radiusd/radiusd.pid main: user = (null) main: group = (null) main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/local/sbin/checkrad main: proxy_requests = yes proxy: retry_delay
= 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = (null) mschap: ntlm_auth = (null) Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = (null) unix: shadow = (null) unix: group = (null) unix: radwtmp = /usr/local/var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = localhost ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = cn=Manager,dc=valug,dc=it ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = (null) ldap: tls_cacertdir = (null) ldap: tls_certfile = (null) ldap: tls_keyfile = (null) ldap: tls_randfile = (null) ldap: tls_require_cert = allow ldap: password = mypass ldap: basedn = ou=homewifi,dc=valug,dc=it ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}}) ldap: base_filter = 
(objectclass=radiusprofile) ldap: default_profile = (null) ldap: profile_attribute = (null) ldap: password_header = (null) ldap: password_attribute = userPassword ldap: access_attr = userPassword ldap: groupname_attribute = cn ldap: groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) ldap: groupmembership_attribute = radiusGroupName ldap: dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap-radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP userPassword
Re: CHAP, LDAP and MS AD
Hi,

> MS-CHAP is an option but must be supported on the client end, using ntlm_auth.

ntlm_auth needs to run on the server that also runs FreeRADIUS, because FreeRADIUS passes the credentials to ntlm_auth, which will then do the job (i.e. talk to AD and verify the credentials). The client does not have to know anything about ntlm_auth. It just needs to talk MS-CHAP.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
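Why the "CHAP, LDAP and MS AD" thread comes out this way, as an added example (not code from FreeRADIUS or from any poster): a CHAP verifier must recompute an MD5 over the cleartext password, while PAP hands the server a recoverable password that it can test against a hash-only directory. The PBKDF2 directory entry is a constructed stand-in for "a directory that keeps only a one-way hash", not Active Directory's own format; all function names, passwords and secrets are hypothetical.

```python
"""CHAP vs PAP against a directory that stores only a one-way password hash."""
import hashlib
import hmac
import os


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def chap_verify(chap_id: int, challenge: bytes, response: bytes, stored: bytes) -> bool:
    # The verifier recomputes the same MD5, so `stored` has to be the
    # cleartext password; feeding it a hash yields a different digest.
    return hmac.compare_digest(chap_response(chap_id, stored, challenge), response)


def _pap_xor(data: bytes, shared_secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    # RFC 2865 section 5.2: each 16-byte block is XORed with
    # MD5(shared secret || previous ciphertext block or Request Authenticator).
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(shared_secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, mask))
        out += xored
        prev = xored if hiding else block  # always chain on the ciphertext
    return out


def pap_hide(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS puts in the User-Password attribute."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    return _pap_xor(padded, shared_secret, authenticator, hiding=True)


def pap_recover(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server gets back: the cleartext password."""
    return _pap_xor(hidden, shared_secret, authenticator, hiding=False).rstrip(b"\x00")


def directory_store(password: bytes) -> dict:
    # Constructed stand-in for a directory entry: salt and one-way hash only.
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)}


def directory_check(entry: dict, candidate: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate, entry["salt"], 10_000)
    return hmac.compare_digest(entry["hash"], digest)


def demo() -> dict:
    password = b"correct-horse"           # constructed sample password
    shared_secret = b"nas-shared-secret"  # constructed RADIUS client secret
    entry = directory_store(password)     # the server side never keeps the cleartext

    # PAP: the server recovers the password and can hash-and-compare it.
    authenticator = os.urandom(16)
    good = pap_recover(pap_hide(password, shared_secret, authenticator),
                       shared_secret, authenticator)
    bad = pap_recover(pap_hide(b"wrong-guess", shared_secret, authenticator),
                      shared_secret, authenticator)

    # CHAP: the client only ever sends MD5(id || password || challenge).
    chap_id, challenge = 7, os.urandom(16)
    response = chap_response(chap_id, password, challenge)

    return {
        "pap_vs_hash_only": directory_check(entry, good),
        "pap_wrong_password": directory_check(entry, bad),
        "chap_vs_cleartext": chap_verify(chap_id, challenge, response, password),
        "chap_vs_hash_only": chap_verify(chap_id, challenge, response, entry["hash"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```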
Re: rlm_perl and accounting
On Wednesday 23 August 2006 20:25, Alan DeKok wrote:
> Peter Nixon [EMAIL PROTECTED] wrote:
> > That would seem like the logical way to do it, and would certainly make the perl code clearer..
>
> Ok. Unless Boian Jordanov has concerns, I'll commit a patch in a few days.

Please, I have no concerns :-)

--
Best Regards,
Boian Jordanov
SNE Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002
Re: A few clarifications on EAP-TTLS
luigi natalino wrote:
> Hello, I'm using freeradius 1.1.2 with eap-ttls. I have read that I can use EAP-TTLS in a transparent way for the client, that is, without using client-side certificates and without installing other software, since EAP-TTLS supports legacy authentication systems (I'm using a walled garden and I can't install anything on the clients).

Windows XP does not support EAP-TTLS. You would have to install extra software e.g. SecureW2

MacOS X does I believe.

Sorry
Re: Local groups in FreeRadius ?
Ami Schieber wrote:
> passwd MyGroup {
>     filename = /etc/MyGroup
>     format = ~Group-Name:::*,User-Name
>     hashsize = 50
>     ignoreislike = yes
>     allowmultiplekeys = yes
>
> My /etc/MyGroup file :
>
> FIGrp:::*,Ami
> FIGrp:::*,John

No. The , prefixing the key in the format means that more than one value exists in that field, separated by commas, like the /etc/group file. The man page is quite specific. Your file would need to read:

    FIGrp:::Ami,John

The man rlm_passwd docs are pretty specific about that example:

    Parse a file similar to the /etc/group file.

If you're generating the file yourself, you can use a simpler format:

    passwd mygroup {
        filename = /etc/mygroup
        format = ~Group-Name:*User-Name
        hashsize = 50
        allowmultiplekeys = yes
    }

...and

    group:user1
    group:user2
    othergroup:user3
Re: A few clarifications on EAP-TTLS
> Windows XP does not support EAP-TTLS. You would have to install extra software e.g. SecureW2 MacOS X does I believe. Sorry

And does Linux support it?
Re: Local groups in FreeRadius ?
Phil,

Thanks for your help. Can you also explain what format should the users file use? Currently, I've tried:

    Ami User-Password == ami123
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

    FIGrp Auth-Type := Local, MyGroup-Name := FIGrp
        Reply-Message = Hello from Group FIGrp, %u

    DEFAULT Pool-Name := main_pool, Auth-Type := Local
        Fall-Through = Yes

and my dictionary file has:

    ATTRIBUTE MyGroup-Name 3003 string

while my /etc/FIGroup file has the following:

    FIGrp:Ami

and my radiusd.conf has:

    passwd MyGroup {
        filename = /usr/local/etc/raddb/FIGroup
        format = ~MyGroup-Name:*User-Name
        hashsize = 50
        ignoreislike = yes
        allowmultiplekeys = yes
        delimiter = :
    }

I'm still unable to see a match to the Group entry when I run radiusd -X but only to the user and to DEFAULT entries:

    users: Matched entry Ami at line 1
    users: Matched entry DEFAULT at line 20

Thanks again,
Ami
Re: EAP PEAP, unable to load certificate
Nick Larsen [EMAIL PROTECTED] wrote:
> Now I'm trying to authenticate users via wireless PDA's, but I now get auth: No User-Password or CHAP-Password attribute in the request in Access-Request, I guess it's the Linksys WAG54g now, so I better start trawling through the net again.

No. Run the server in debugging mode, and post the output here.

That message happens ONLY if you forcibly set Auth-Type = Local when it doesn't make sense to do so.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: rlm_sqlippool
Hi;

I was reading this email, and I've followed the steps. I have created the postgresql database, but what should I do to make the radius get the authentication from the postgresql database? And where should I add the configuration if I want to declare the username and the password in the database, and what changes should I do in the radiusd.conf and the users file?

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Nixon
Sent: Sunday, August 27, 2006 5:05 PM
To: Chris Knipe; FreeRadius users mailing list
Subject: Re: rlm_sqlippool

On Sat 26 Aug 2006 23:09, Chris Knipe wrote:
> Hi,
>
> I know this is new, and not yet documented, but I saw some good posts about it being stable, so I'm looking at implementing it at the moment... But alas, I'm confused and the lack of documentation is not helping.
>
> doc/rlm_sqlippool states:
> The only required fields are, pool_name and ip_address. A pool consists of one or more rows in the table with the same pool_name and a different ip_address. There is no restriction on which ip addresses/ranges may be in the same pool, and addresses do not need to be concurrent.
>
> Yet, raddb/sqlippool.conf, makes absolutely NO sense to me at the moment at all, and there is WAY more than merely a pool name and a IP address referenced in the queries... I understand that there is some unique elements required in the table to indicate that a IP is allocated, and to know where the IP is allocated (and obviously to release that IP once the session terminates).

it is really not that complex :-) As the docs state put one or more records in the table with a pool_name and ip_address and then use the pool_name the same way you do with the standard ippool module. That's it.

> Can someone perhaps please just take a moment to explain what exactly is going on in those queries?? I'm not referring to the SQL as such, but rather as to what is updated, and why. A table structure accompanying those queries in sqlippool.conf may help significantly as well, as I'm guessing at the moment what needs to go where :(

The table structure is in the same file as all the rest of the database schema at doc/examples/postgresql.sql

For reference it is:

    CREATE TABLE radippool (
        id                BIGSERIAL PRIMARY KEY,
        pool_name         text NOT NULL,
        FramedIPAddress   INET,
        NASIPAddress      text NOT NULL,
        CalledStationId   VARCHAR(64),
        CallingStationId  text DEFAULT ''::text NOT NULL,
        expiry_time       TIMESTAMP(0) without time zone NOT NULL,
        username          text DEFAULT ''::text,
        pool_key          VARCHAR(30) NOT NULL
    );

I have only tested this with Postgresql, although I will probably be testing on Oracle at some point. If you want to test it on some other database you are welcome. Please report the results :-)

Regards
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Local groups in FreeRadius ?
Ami Schieber [EMAIL PROTECTED] wrote:
> I'm still unable to see a match to the Group entry when I run radiusd -X but only to the user and to DEFAULT entries :
>
> users: Matched entry Ami at line 1
> users: Matched entry DEFAULT at line 20

You're not trying to match the group name. See man users

> FIGrp Auth-Type := Local, MyGroup-Name := FIGrp
>     Reply-Message = Hello from Group FIGrp, %u

':=' is not a comparison operator. Read the man page.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
how to send to a switch Port Priority ?
hello

I have the following users file and I would like to send to the switch on authentication PortPriority

    ...
    a auth-Type := Local, User-Password == a
        Service-Type = Administrative-User,
        Reply-Message = Salut user:A!

    b Auth-Type := EAP, User-Password == b
        Service-Type = Administrative-User,
        Reply-Message = Hi :B!,
        Port-Priority = Platinum,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 256,
        Vendor-Specific = 562
    ...

--
With respect,
George Comanescu
RE: Report Generator
Hi Sean,

Please may I get a copy of this.

Thanks,
Andre van der Walt

-Original Message-
From: [EMAIL PROTECTED] s.org [mailto:[EMAIL PROTECTED] reeradius.org] On Behalf Of Sean
Sent: 23 August 2006 09:58 PM
To: freeradius-users@lists.freeradius.org
Subject: Report Generator

Hi,

I've written a report generator in PHP and HTML that will allow your clients to generate usage reports from the FreeRadius log files. When the user logs in he/she is asked for their IP address and the Month that they want to display. If anyone wants a copy let me know. If there is enough interest I'll make it available for public download.

Regards,
Sean Bracken
http://swarmhotspots.com
Re: rlm_sqlippool
Hi Elie

My instructions assume that you already know how to setup rlm_sql. If you do not, you first need to read doc/rlm_sql

Alternatively you can read the wiki: http://wiki.freeradius.org/index.php/Rlm_sql

Regards
Peter

On Mon 28 Aug 2006 18:04, Elie Hani wrote:
> Hi; I was reading this email, and I've followed the steps. I have created the postgresql database, but what should I do to make the radius get the authentication from the postgresql database? And where should I add the configuration if I want to declare the username and the password in the database, and what changes should I do in the radiusd.conf and the users file? Thanks

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: how to send to a switch Port Priority ?
George Comanescu [EMAIL PROTECTED] wrote:
> hello I have the following users file and I would like to send to the switch on authentication PortPriority
...
> Port-Priority = Platinum,

Does the NAS documentation say you can do this?

In most situations like this, you just have to tell the NAS the right information. And the only place that documentation exists is the NAS vendor...

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Local groups in FreeRadius ?
On 8/28/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Ami Schieber [EMAIL PROTECTED] wrote:
> > I'm still unable to see a match to the Group entry when I run radiusd -X but only to the user and to DEFAULT entries :
> >
> > users: Matched entry Ami at line 1
> > users: Matched entry DEFAULT at line 20
>
> You're not trying to match the group name. See man users

man users doesn't show me anything I find related to users file of FreeRadius :

    NAME
        users - print the user names of users currently logged in to the current host
    SYNOPSIS
        users [OPTION]... [ FILE ]
    DESCRIPTION
        Output who is currently logged in according to FILE. If FILE is not specified, use /var/run/utmp. /var/log/wtmp as FILE is common.
        --help display this help and exit
        --version output version information and exit
    AUTHOR
        Written by Joseph Arceneaux and David MacKenzie.
    REPORTING BUGS
        Report bugs to bug-coreutils@gnu.org.
    COPYRIGHT
        Copyright 2004 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    SEE ALSO
        The full documentation for users is maintained as a Texinfo manual. If the info and users programs are properly installed at your site, the command info coreutils users should give you access to the complete manual.

> > FIGrp Auth-Type := Local, MyGroup-Name := FIGrp
> >     Reply-Message = Hello from Group FIGrp, %u
>
> ':=' is not a comparison operator. Read the man page.

I've changed the ':=' operator to '==' , so my file looks like :

    FIGrp Auth-Type := Local, MyGroup-Name == FIGrp
        Reply-Message = Hello from Group, %u

Is my comparison correct ? Am I right to try and match the attribute name (MyGroup-Name) with the actual group name (FIGrp) ? Should it be in the users file ?

Thanks,
Ami
Re: A few clarifications on EAP-TTLS
Hi,

> > Windows XP does not support EAP-TTLS. You would have to install extra software e.g. SecureW2 MacOS X does I believe. Sorry
>
> And does Linux support it ?

with a supplicant such as Xsupplicant or wpa_supplicant. MacOSX EAP-TTLS works out of the box.

alan
Account lockout enforcement and min length reqs
Hello everyone,

I am running freeradius v1.0.1 in a Redhat linux environment. Does there exist a mechanism to enforce account lockout after 3 tries and strong passwords? The environment is Cisco routers and switches. If there exists some kind of post-auth script, that would be nice.

Thanks,
Scott
Re: Regarding memory leaks
Ravi S M [EMAIL PROTECTED] wrote:
> I am integrating my rlm_otp module with freeradius code . if I run radiusd server with the purify it is giving leaks

sigh

The information you provided doesn't help to determine where the bugs are located. There's one mention of a C file, and tons of other issues that aren't related to any C file.

Can you convince purify to give useful information, and then post that here?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Local groups in FreeRadius ?
Ami Schieber wrote:
> man users doesn't show me anything I find related to users file of FreeRadius :
>
> NAME users - print the user names of users currently logged in to the current host

Try man 5 users. Man page names are only unique within section numbers. Alternatively, man -a users will show you all the pages called users from each section in turn.

You want to read and understand man 5 users carefully else you'll get nowhere with FreeRadius. Additionally I'd point out since you didn't know how to use man properly, you might need to check a basic primer on unix else your time with FreeRadius will be EXTREMELY frustrating.

You said you had tried:

    Ami User-Password == ami123
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

    FIGrp Auth-Type := Local, MyGroup-Name := FIGrp
        Reply-Message = Hello from Group FIGrp, %u

    DEFAULT Pool-Name := main_pool, Auth-Type := Local
        Fall-Through = Yes

...which is virtually all wrong. You want:

    Ami User-Password := ami123
        Fall-Through = yes

    DEFAULT MyGroup-Name == FIGrp
        Reply-Message = Hello from group FIGrp,
        Fall-Through = yes

    DEFAULT Pool-Name := main_pool

With the server properly configured, you should not need to set Auth-Type and will ALMOST CERTAINLY break things if you do. You don't use == to compare passwords, but use := to *set* the server-side copy. You don't use := to compare, you use ==, and group names never go on the left-hand-side - either usernames or DEFAULT.

Hope that helps
RE: Report Generator
Hi Andre,

You can download the work to date here http://swarmhotspots.com/phpreports.tar.gz

I'm integrating phpMyPrepaid and Dialup Admin into it at the moment, so there are a lot of redundant files included in the tar file. You can have a look at how it works at http://topup.ie/reports username testuser, password testuser. Some reports ask for a client user name use seanb52, some reports ask for a NAS ID use palm1 and some reports request the NAS IP use 82.153.112.235

Please give me some feedback. I'd like to know if any of this would be useful or worth putting onto Sourceforge when it's ready for release. There is no documentation ready yet but if you need help send me an email. Don't tie up the FreeRadius list with private correspondence.

Regards,
Sean Bracken
http://swarmhotspots.com
Suggestions about captive portal
Hi all,

I would like to know what Captive Portal you advise to use and in particular which one supports FreeRADIUS better. For the moment I'm using Chillispot. My problem is always the same: set the NAS to accept the IP address, assigned by IP pool, from FreeRADIUS. I have searched the documentation related to my NAS (docs, forum, mailing list, etc.) but I haven't found anything useful for my problem. For this reason I would like to use another captive portal (that supports FreeRADIUS) that can solve my problem.

Thanks in advance for every advice or help.

Best regards.
Giusy
RE: Report Generator
Thank you, Sean. Have a great day.

Edward

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sean
Sent: Monday, August 28, 2006 10:45 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: Report Generator
Please help !!!
When I try to execute the radtest command with AD user logon credentials it rejects the packet and here is the output.

    rad_recv: Access-Request packet from host 127.0.0.1:32874, id=81, length=61
        User-Name = "test"
        User-Password = "test123"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module "preprocess" returns ok for request 0
    modcall[authorize]: module "chap" returns noop for request 0
    modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
    modcall[authorize]: module "suffix" returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 152
    modcall[authorize]: module "files" returns ok for request 0
    modcall: leaving group authorize (returns ok) for request 0
    rad_check_password: Found Auth-Type System
    auth: type "System"
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 0
    rlm_unix: [test]: invalid password
    modcall[authenticate]: module "unix" returns reject for request 0
    modcall: leaving group authenticate (returns reject) for request 0
    auth: Failed to validate the user.

Using the wbinfo -u and wbinfo -g commands, I am able to pull the users and groups from AD.

Also, I have a Linux NIS server running on the same subnet. This machine is bound to the Linux NIS domain and joined to the Windows 2003 domain. Here is my nsswitch.conf file.

    passwd: files winbind nis dns
    shadow: files nis dns
    group: files winbind nis dns
    #hosts: db files nisplus nis dns
    hosts: files dns winbind nis

In users.conf it's the default configuration:

    DEFAULT Auth-Type = System
            Fall-Through = 1

Also, I tried removing it from the Linux NIS domain and running only with the winbind service; it didn't help me. Here is the log file I found about the winbind service.

    winbindd[16208]: [2006/08/28 10:57:31, 0] nsswitch/winbindd_util.c:winbindd_param_init(560)
    winbindd[16208]: winbindd: idmap uid range missing or invalid
    winbindd[16208]: [2006/08/28 10:57:31, 0] nsswitch/winbindd_util.c:winbindd_param_init(561)
    winbindd[16208]: winbindd: cannot continue, exiting.
    winbind: winbindd startup succeeded

I have another Linux machine running fine with the same error message. Could someone throw some light on how to resolve my issue?

Thanks,
Kartthik
Re: Please help !!!
Kartthik [EMAIL PROTECTED] wrote:
> When I try to execute the radtest command with AD user logon
> credentials it rejects the packet and here is the output.
> ...
> rad_check_password: Found Auth-Type System
> auth: type System
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_unix: [test]: invalid password

The user isn't in /etc/passwd.

What, exactly did you do to configure the server to check the user against the AD login credentials?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: EAP PEAP, unable to load certificate
Hi,

I have forcibly set Auth-Type to Local, so perhaps that's the problem.

Here's my debug output anyway...

    rad_recv: Access-Request packet from host 10.10.1.199:1812, id=1, length=73
        User-Name = nick
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02010009016e69636b
        NAS-IP-Address = 10.10.1.199
        Message-Authenticator = 0xa2632b22341f08798a0fca4aa0f457c9
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 160
    modcall[authorize]: module preprocess returns ok for request 160
    modcall[authorize]: module chap returns noop for request 160
    modcall[authorize]: module mschap returns noop for request 160
    rlm_realm: No '@' in User-Name = nick, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 160
    rlm_eap: EAP packet type response id 1 length 9
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 160
    radius_xlat: 'nick'
    rlm_sql (sql): sql_set_user escaped user -- 'nick'
    radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'nick' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 4
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'nick' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'nick' ORDER BY id'
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute ,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'nick' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    rlm_sql (sql): Released sql socket id: 4
    modcall[authorize]: module sql returns ok for request 160
    modcall: leaving group authorize (returns updated) for request 160
    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: No User-Password or CHAP-Password attribute in the request
    auth: Failed to validate the user.
    Login incorrect: [nick] (from client Finc-Wireless port 0)
    Delaying request 160 for 1 seconds
    Finished request 160
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 1 to 10.10.1.199 port 1812
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 160 ID 1 with timestamp 44f357bf
    Nothing to do. Sleeping until we see a request.

Cheers for your help,
Nick Larsen

On 8/29/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Nick Larsen [EMAIL PROTECTED] wrote:
> > Now I'm trying to authenticate users via wireless PDA's, but I now get
> > auth: No User-Password or CHAP-Password attribute in the request
> > in Access-Request, I guess it's the Linksys WAG54g now, so I better
> > start trawling through the net again.
>
> No.
>
> Run the server in debugging mode, and post the output here.
>
> That message happens ONLY if you forcibly set Auth-Type = Local when
> it doesn't make sense to do so.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

--
Regards,
Nick Larsen
Wellington
NEW ZEALAND
Re: PAP and authenticating via AD
Hi,

(don't write HTML mails please)
(please use a more descriptive subject line instead of Please help !!!)
(0 or 1 exclamation mark will do, preferably 0)

first off: if you will stay with PAP later (user's password comes in in clear text), just treat the AD server like a plain ldap server, i.e. configure and activate ldap {} in both authorize and authenticate sections of radiusd.conf. No sign of AD specialties here. This is in fact the recommended way: configure the ldap {} section, activate it and be happy. It will work.

If you will change to MS-CHAP later, only then will you need the AD way of authenticating users. This is what I describe below.

> users: Matched entry DEFAULT at line 152
> modcall[authorize]: module files returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> rad_check_password: Found Auth-Type System
> auth: type System
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_unix: [test]: invalid password
> modcall[authenticate]: module unix returns reject for request 0
> modcall: leaving group authenticate (returns reject) for request 0
> auth: Failed to validate the user.

That line 152 in the users file sets the Auth-Type System if no other Auth-Type has previously been set. This is quite okay when authenticating users locally with PAP logins (i.e. password is on the FreeRADIUS server *system*). If you configure ldap {} as said above, Auth-Type will be set to LDAP and things will work. If you want to use MS-CHAP login later, things will magically work out of the box (the mschap module is by default active in authorize and will set Auth-Type to MS-CHAP by itself *if* the request is indeed an MS-CHAP request and later authenticate users via the mschap module (in which you have to activate the ntlm_auth line)).

> using wbinfo -u and wbinfo -g command, able to pull the users and
> groups from AD.

This is great, you've already done the bulk of the work then. If you'll stick with PAP later, this work was unnecessary (ldap module will do). If you want to switch to MS-CHAP: uncomment the ntlm_auth line in the mschap module to tell the FreeRADIUS server to actually use this connection.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
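Added example, not part of any post in this thread: a small Python triage script for the two rejected requests discussed above (Auth-Type System applied to an AD user, and Auth-Type Local forced onto an EAP request). The sample traces are constructed from the shape of the posted radiusd -X output, and the credential-to-Auth-Type compatibility map is a simplified assumption, not FreeRADIUS's own logic.

```python
import re

# Constructed samples, trimmed to the shape of the two radiusd -X traces in this thread.
SAMPLE_PAP = '''rad_recv: Access-Request packet from host 127.0.0.1:32874, id=81, length=61
\tUser-Name = "test"
\tUser-Password = "test123"
users: Matched entry DEFAULT at line 152
rad_check_password: Found Auth-Type System
rlm_unix: [test]: invalid password
auth: Failed to validate the user.
'''
SAMPLE_EAP = '''rad_recv: Access-Request packet from host 10.10.1.199:1812, id=1, length=73
\tUser-Name = nick
\tEAP-Message = 0x02010009016e69636b
rad_check_password: Found Auth-Type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
'''

# Request attribute -> credential kind it carries.
CREDENTIAL_ATTRS = {"User-Password": "PAP", "CHAP-Password": "CHAP",
                    "MS-CHAP-Response": "MS-CHAP", "MS-CHAP2-Response": "MS-CHAP",
                    "EAP-Message": "EAP"}
# Assumed, simplified map: Auth-Type values able to verify each credential kind.
COMPATIBLE = {"PAP": {"Local", "System", "LDAP", "PAP"}, "CHAP": {"Local", "CHAP"},
              "MS-CHAP": {"MS-CHAP"}, "EAP": {"EAP"}}

ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+) = ")
AUTH_TYPE_RE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
MATCHED_RE = re.compile(r"users: Matched entry (\S+) at line (\d+)")


def parse_trace(text):
    """Pull credential kinds, the chosen Auth-Type and the matched users entry from a trace."""
    info = {"creds": set(), "auth_type": None, "users_entry": None, "unix_reject": False}
    for line in text.splitlines():
        attr = ATTR_RE.match(line)
        if attr and attr.group(1) in CREDENTIAL_ATTRS:
            info["creds"].add(CREDENTIAL_ATTRS[attr.group(1)])
        found = AUTH_TYPE_RE.search(line)
        if found:
            info["auth_type"] = found.group(1)
        matched = MATCHED_RE.search(line)
        if matched:
            info["users_entry"] = (matched.group(1), int(matched.group(2)))
        if "rlm_unix:" in line and "invalid password" in line:
            info["unix_reject"] = True
    return info


def diagnose(text):
    """Return (code, message) findings for one rejected request."""
    t, findings = parse_trace(text), []
    for kind in sorted(t["creds"]):
        if t["auth_type"] and t["auth_type"] not in COMPATIBLE[kind]:
            findings.append(("AUTH_TYPE_MISMATCH",
                             f"{kind} request forced to Auth-Type {t['auth_type']}"))
    if t["auth_type"] == "System" and t["unix_reject"]:
        src = "users entry %s at line %d" % t["users_entry"] if t["users_entry"] else "config"
        findings.append(("SYSTEM_LOOKUP_REJECT",
                         f"Auth-Type System (from {src}) validates against the host's own accounts"))
    return findings


if __name__ == "__main__":
    for name, trace in (("PAP/System", SAMPLE_PAP), ("EAP/Local", SAMPLE_EAP)):
        print(name, diagnose(trace))
```
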
LDAP authentication
A general question that I have not seen in the forum.

I want to authenticate against LDAP... BUT I don't want to use the LDAP password as the password in every case.

In a remote connectivity solution I want to check the remotepassword attribute for authentication. Problem is (as I see it), that the real LDAP password is not passed in with the remote connectivity request, so the request seems to be failing.

If I make the request with the LDAP password, it succeeds.

So my question, and I know that there is a caveat about a cleartext password being required for LDAP authentication, is:

Can I make a request to freeradius that gets passed to LDAP but only requires the password to be checked against an attribute of the username, NOT the real LDAP password.

Any insight/experience or pointers to helpful doc sources would be appreciated.

Regards,
Lin Richardson
1.1.3 on Solaris 10 (sparc)
I am quite pleased to report I have, with minimal discomfort, version 1.1.3 running on Solaris 10.

The source actually compiles perfectly once OS dependencies etc. are met.

I will share a few tips here for any who may be attempting the same. My main goal was LDAP functionality. Other bells and whistles might require additional steps.

Please forgive the Solaris info here, it is dangerously close to being off-topic... except that you need it to install freeradius.

--- Solaris System Headers

Solaris 10 will likely require you to fix the system headers. http://sunfreeware.com/indexsparc10.html . Commands as root:

    cd /usr/local/lib/gcc-lib/sparc-sun-solaris2.10/3.3.2/install-tools/
    vi mkheaders.conf

- Then put the line SHELL=/bin/sh on the first line of the mkheaders.conf file.
- It should look something like the following:

    SHELL=/bin/sh
    SYSTEM_HEADER_DIR=/usr/include
    OTHER_FIXINCLUDES_DIRS=
    FIXPROTO_DEFINES=
    STMP_FIXPROTO=stmp-fixproto
    STMP_FIXINC=stmp-fixinc

Then you run the following command as root. It may take several minutes to rebuild the headers.

    ./mkheaders

--- Solaris Packages

Solaris 10 has versions of openssl and openLDAP installed I believe with the system. They do not fulfill the compile requirements for freeradius functionality. You should go to http://sunfreeware.com/ and get the packages there, and also resolve any unmet dependencies.

If you have other modules you are concerned with that are not building correctly, don't trust the OS packages. Look for equiv packages and try the build with them installed as well.

    download package
    gunzip packagename.gz
    sudo pkgadd -d packagename

--- Installing FreeRadius

Installing actually went off without a hitch.

    ./configure, make, sudo make install

No problems except I needed the packages so rlm_ldap would compile properly.

--- RunTime Environment

In order for the ldap queries to work, the following needs to be set as an environment variable, OR if you're handy with compiler flags you can take care of it during the compile with the `-RLIBDIR' linker flag.

    export LD_LIBRARY_PATH=/usr/local/lib/:/usr/local/freeradius-1.1.3/lib

The two locations in the above path are for access to the libgcc_s.so.1 libraries and the rlm_ldap libraries respectively.
Re: rlm_perl and accounting
Hi

I've noticed this comment in the cvs log (for rlm_perl.c):

    Over-write existing vp's with new ones. This means that the Perl
    module works more like the other modules, which have absolute power
    over the VP's, and less like the users file, which updates the VP's
    via operators, etc

So I've compiled the source and gave it a try, but it behaved exactly as the stable version - it didn't replace or remove any attributes. Is this supposed to work?

I tested the pre and post proxy methods:

    rad_recv: Access-Request packet from host 127.0.0.1 port 32785, id=96, length=62
        User-Password = test
        User-Name = test
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-IP-Address = a.b.c.d
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
    perl_pool: item 0x82013e0 asigned new request. Handled so far: 1
    found interpetator at address 0x82013e0
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair User-Name = test
    rlm_perl: Added pair User-Password = test
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair NAS-IP-Address = a.b.c.d
    rlm_perl: Added pair Proxy-To-Realm = quik
    rlm_perl: Added pair Stripped-User-Name = test
    perl_pool total/active/spare [32/0/32]
    Unreserve perl at address 0x82013e0
    modcall: group authorize returns ok for request 0
    Processing the pre-proxy section of radiusd.conf
    modcall: entering group pre-proxy for request 0
    perl_pool: item 0x840f4e0 asigned new request. Handled so far: 1
    found interpetator at address 0x840f4e0
    rlm_perl: entering pre-proxy
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair User-Name = testuser
    rlm_perl: Added pair User-Password = test
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Realm = quik
    rlm_perl: Added pair NAS-IP-Address = a.b.c.d
    rlm_perl: Added pair Stripped-User-Name = test
    rlm_perl: Added pair Proxy-To-Realm = quik
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair User-Name = test
    rlm_perl: Added pair User-Password = test
    rlm_perl: Added pair Proxy-State = 0x3936
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Realm = quik
    rlm_perl: Added pair NAS-IP-Address = a.b.c.d
    perl_pool total/active/spare [32/0/32]
    Unreserve perl at address 0x840f4e0
    modcall: group pre-proxy returns updated for request 0
    Sending Access-Request of id 197 to x.y.z.103 port 1812
        Framed-Protocol = PPP
        User-Name = test
        User-Password = test
        Proxy-State = 0x3936
        Service-Type = Framed-User
        NAS-IP-Address = a.b.c.d
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    rad_recv: Access-Accept packet from host x.y.z.103 port 1812, id=197, length=30
        Framed-IP-Address = 192.168.1.65
        Proxy-State = 0x3936
    Processing the post-proxy section of radiusd.conf
    modcall: entering group post-proxy for request 0
    perl_pool: item 0x85f6b88 asigned new request. Handled so far: 1
    found interpetator at address 0x85f6b88
    rlm_perl: entering post-proxy
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair User-Name = testuser
    rlm_perl: Added pair User-Password = test
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Realm = quik
    rlm_perl: Added pair NAS-IP-Address = a.b.c.d
    rlm_perl: Added pair Framed-IP-Address = 10.10.1.1
    rlm_perl: Added pair Proxy-To-Realm = quik
    rlm_perl: Added pair Stripped-User-Name = test
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair User-Name = test
    rlm_perl: Added pair User-Password = test
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Proxy-State = 0x3936
    rlm_perl: Added pair Realm = quik
    rlm_perl: Added pair NAS-IP-Address = a.b.c.d
    rlm_perl: Added pair Proxy-State = 0x3936
    rlm_perl: Added pair Framed-IP-Address = 192.168.1.65
    perl_pool total/active/spare [32/0/32]
    Unreserve perl at address 0x85f6b88
    modcall: group post-proxy returns updated for request 0
    authorize: Skipping authorize in post-proxy stage
    rad_check_password: Found Auth-Type
    rad_check_password: Auth-Type = Accept, accepting the user
    Sending Access-Accept of id 96 to 127.0.0.1 port 32785
        Framed-IP-Address = 10.10.1.1
        Framed-IP-Address = 192.168.1.65
    Finished request 0
    Going to the next request
    Waking up in 1 seconds...

It looks like the content of the original hashes is still being kept.

perl code:

    #add attributes to the request
    sub sanitise {
        my ($login,$realm) = split(/\@/, $RAD_REQUEST{'User-Name'});
        $RAD_CHECK{'REALM'} = $realm;
        $RAD_CHECK{'Stripped-User-Name'} = $login;
    }

    # Function to handle pre_proxy
    sub pre_proxy {
        radiusd::radlog(1, "entering pre-proxy");
        $RAD_REQUEST{'User-Name'} = 'testuser';
        return RLM_MODULE_OK;
    }

    # Function to handle post_proxy
    sub post_proxy {
        radiusd::radlog(1, "entering post-proxy");