WPA/RADIUS Problems

2006-09-01 Thread Loukas Kalenderidis

Hi list,

I'm a FreeRADIUS noob, and I've been charged with getting some WiFi  
APs authenticating against an existing FreeRADIUS server being used  
for dialup users. I've configured FreeRADIUS as best I can figure  
from what I've found on the web, but I'm having no success with  
getting WPA to work. I'm using a D-Link 2100AP access point, and a  
Mac OS X 10.4 client. From what I can gather it seems that I might  
have misconfigured FreeRADIUS, based on the error message below.


I've configured a test user as follows:
pants Auth-Type := Accept
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-Id = 1

The last 3 lines I found in a tutorial on the web, but I'm not sure  
if they are necessary or not (and commenting them out makes no  
difference).


When I run radtest everything looks OK:

$ radtest pants  localhost 1 XX
Sending Access-Request of id 141 to 127.0.0.1:1812
User-Name = pants
User-Password = 
NAS-IP-Address = newdeewhy
NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=141,  
length=35

Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 1

When I try to connect from my Mac OS X client I get the following error:


And the following appears in the radius.log:
Fri Sep  1 15:50:59 2006 : Auth: Login OK: [pants] (from client  
testap port 1 cli 00-0D-93-86-48-8E)
Fri Sep  1 15:51:02 2006 : Error: Authentication reply packet code 2  
sent to a non-proxy reply port from client testap:1025 - ID 0 : IGNORED


Watching the traffic shows the Access-Accept packet being sent back  
to the AP, but confusingly the AP sends an Access-Accept back to the  
RADIUS server! (10.0.0.100 is the AP, 10.0.0.101 is the RADIUS server):


# tcpdump -nXi eth1 -s 65535 host 10.0.0.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:08:43.990613 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS, Access Request (1), id: 0x00 length: 193
0x0000:  4500 00dd 0008 0000 4011 6540 0a00 0064  E.......@.e@...d
0x0010:  0a00 0065 0403 0714 00c9 0613 0100 00c1  ...e............
0x0020:  3daa 0458 77d9 5edd 5149 6230 7717 7c71  =..Xw.^.QIb0w.|q
0x0030:  5012 091d 4b11 cb44 3587 c0cd d27e c929  P...K..D5....~.)
0x0040:  2bbd 0606 0000 0002 0108 7061 6e74 7300  +.........pants.
0x0050:  0c06 0000 05d0 1e1b 3030 2d31 312d 3935  ........00-11-95
0x0060:  2d44 422d 3337 2d30 423a 5465 7374 5750  -DB-37-0B:TestWP
0x0070:  411f 1330 302d 3044 2d39 332d 3836 2d34  A..00-0D-93-86-4
0x0080:  382d 3845 2015 442d 4c69 6e6b 2041 6363  8-8E..D-Link.Acc
0x0090:  6573 7320 506f 696e 743d 0600 0000 134d  ess.Point=.....M
0x00a0:  1843 4f4e 4e45 4354 2035 344d 6270 7320  .CONNECT.54Mbps.
0x00b0:  3830 322e 3131 674f 0c02 0000 0a01 7061  802.11gO......pa
0x00c0:  6e74 7304 060a 0000 6405 0600 0000 0157  nts.....d......W
0x00d0:  0e53 5441 2070 6f72 7420 2320 31         .STA.port.#.1
16:08:43.992271 IP 10.0.0.101.1812 > 10.0.0.100.1027: RADIUS, Access Accept (2), id: 0x00 length: 35
0x0000:  4500 003f 0015 4000 4011 25d1 0a00 0065  E..?..@.@.%....e
0x0010:  0a00 0064 0714 0403 002b fc7c 0200 0023  ...d.....+.|...#
0x0020:  a6d5 7da7 33d8 c5a1 b0d4 f206 098f 1394  ..}.3...........
0x0030:  4006 0000 000d 4106 0000 0006 5103 31    @.....A.....Q.1
16:08:46.987506 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS, Access Accept (2), id: 0x00 length: 35
0x0000:  4500 003f 0009 0000 4011 65dd 0a00 0064  E..?....@.e....d
0x0010:  0a00 0065 0403 0714 002b 1ab7 0200 0023  ...e.....+.....#
0x0020:  3daa 0458 77d9 5edd 5149 6230 7717 7c71  =..Xw.^.QIb0w.|q
0x0030:  4006 0000 000d 4106 0000 0006 5103 31    @.....A.....Q.1
16:08:48.382840 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS, Access Request (1), id: 0x01 length: 193
0x0000:  4500 00dd 000a 0000 4011 653e 0a00 0064  E.......@.e>...d
0x0010:  0a00 0065 0403 0714 00c9 bedd 0101 00c1  ...e............
0x0020:  0489 1566 53aa 5f00 1842 47e4 38e0 661d  ...fS._..BG.8.f.
0x0030:  5012 46a9 7407 9185 bbc4 4d10 7445 1df2  P.F.t.....M.tE..
0x0040:  301d 0606 0000 0002 0108 7061 6e74 7300  0.........pants.
0x0050:  0c06 0000 05d0 1e1b 3030 2d31 312d 3935  ........00-11-95
0x0060:  2d44 422d 3337 2d30 423a 5465 7374 5750  -DB-37-0B:TestWP
0x0070:  411f 1330 302d 3044 2d39 332d 3836 2d34  A..00-0D-93-86-4
0x0080:  382d 3845 2015 442d 4c69 6e6b 2041 6363  8-8E..D-Link.Acc
0x0090:  6573 7320 506f 696e 743d 0600 0000 134d  ess.Point=.....M
0x00a0:  1843 4f4e 4e45 4354 2035 344d 6270 7320  .CONNECT.54Mbps.
0x00b0:  3830 322e

Re: Duplicate requests in a session

2006-09-01 Thread Santiago Balaguer García
If you apply this change and add this rule, you do the same that freeradius
does to build the acctuniqueid attribute and put this attribute as primary key.



 Good question. Does anyone have anything against changing this?

 -Peter

 On Thu 31 Aug 2006 10:11, Santiago Balaguer García wrote:
  Thanks James, I don't figure out to use primary key solves the problem of
  duplicate keys.
  I had in radacct as primary key radacctid but now I am going to have
  acctuniqueid.
 
  This problem causes a new thread: why is radacctid the primary key of the
  radacct table instead of acctuniqueid?

I used a slightly different solution in my PostgreSQL implementation :

ALTER TABLE ONLY radacct
ADD CONSTRAINT radacct_unique_session UNIQUE (
username, nasipaddress, nasportid, acctsessionid
);

NOTE: When duplicate records come in you will see errors in the
log file like these :

Fri Jul 7 13:06:47 2006 : Error: rlm_sql (sql): failed after re-connect
Fri Jul 7 13:06:47 2006 : Error: rlm_sql (sql): Couldn't insert SQL
accounting START record - ERROR: duplicate key violates unique
constraint radacct_unique_session

These errors are mostly informational, because when the insert
fails, rlm_sql will use the alternate update method and will
succeed.

This is the same method I used on a customized Cistron
server I used for over 5 years and had no problems.

For some reason acctuniqueid was not unique in the duplicate
packets, so my initial attempts at using it were unsuccessful.

PostgreSQL can have a primary key that spans multiple
columns, and would look like this {IIRC} :

ALTER TABLE ONLY radacct
ADD CONSTRAINT radacct_pkey_session PRIMARY KEY (
username, nasipaddress, nasportid, acctsessionid
);

I did not use this, because I did not want to significantly change
the default configuration of most of the tables. Once I get a chance
to clean up the admin interface I have been developing I will
likely want to add some changes to the PostgreSQL default schema
that will allow better management without affecting the default
configuration, but since I am not finished I don't want to add
the changes to CVS quite yet.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
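As an added example (not from the thread), a sqlite3 model of the radacct table carrying the radacct_unique_session constraint from the reply above. It shows the insert-then-update fallback the thread describes, and derives an Acct-Unique-Session-Id from the attribute list the rlm_acct_unique debug output later in this digest names; the hash layout used for that is a stand-in rather than the server's own, and the accounting packets are constructed.

```python
import hashlib
import sqlite3

# The key attributes rlm_acct_unique lists in the debug log later in this digest.
ACCT_UNIQUE_KEY = ("User-Name", "Acct-Session-Id", "NAS-IP-Address",
                   "Client-IP-Address", "NAS-Port")

# A cut-down radacct with only the columns used here, plus the constraint
# from the reply above (sqlite syntax; the thread's ALTER TABLE is PostgreSQL).
SCHEMA = """
CREATE TABLE radacct (
    radacctid       INTEGER PRIMARY KEY AUTOINCREMENT,
    acctsessionid   TEXT NOT NULL,
    acctuniqueid    TEXT NOT NULL,
    username        TEXT NOT NULL,
    nasipaddress    TEXT NOT NULL,
    nasportid       TEXT,
    acctstarttime   TEXT,
    acctstoptime    TEXT,
    acctsessiontime INTEGER,
    CONSTRAINT radacct_unique_session
        UNIQUE (username, nasipaddress, nasportid, acctsessionid)
);
"""


def acct_unique_id(pkt):
    """Stand-in for Acct-Unique-Session-Id: MD5 over the key attribute values
    joined with commas, first 8 bytes as hex. This does not reproduce the
    server's exact byte layout; it shows the property that matters here,
    that a retransmitted Start hashes to the same id as the original."""
    joined = ",".join(str(pkt.get(k, "")) for k in ACCT_UNIQUE_KEY)
    return hashlib.md5(joined.encode()).hexdigest()[:16]


def session_key(pkt):
    """The four columns the unique constraint covers, in constraint order."""
    return (pkt["User-Name"], pkt["NAS-IP-Address"], str(pkt["NAS-Port"]),
            pkt["Acct-Session-Id"])


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_start(conn, pkt):
    """Handle an Accounting Start the way the thread describes rlm_sql doing
    it: INSERT first; when the unique constraint rejects a duplicate, fall
    back to an UPDATE of the existing row instead of failing the request."""
    key = session_key(pkt)
    try:
        with conn:
            conn.execute(
                "INSERT INTO radacct (username, nasipaddress, nasportid, "
                "acctsessionid, acctuniqueid, acctstarttime) VALUES (?,?,?,?,?,?)",
                key + (acct_unique_id(pkt), pkt["Event-Timestamp"]))
        return "inserted"
    except sqlite3.IntegrityError:
        # this is the 'duplicate key violates unique constraint' error in the log
        with conn:
            conn.execute(
                "UPDATE radacct SET acctstarttime = ? WHERE username = ? AND "
                "nasipaddress = ? AND nasportid = ? AND acctsessionid = ?",
                (pkt["Event-Timestamp"],) + key)
        return "updated"


def record_stop(conn, pkt):
    """Close the session; returns rows closed, so a duplicate Stop yields 0."""
    with conn:
        cur = conn.execute(
            "UPDATE radacct SET acctstoptime = ?, acctsessiontime = ? WHERE "
            "username = ? AND nasipaddress = ? AND nasportid = ? AND "
            "acctsessionid = ? AND acctstoptime IS NULL",
            (pkt["Event-Timestamp"], pkt["Acct-Session-Time"]) + session_key(pkt))
    return cur.rowcount


def session_rows(conn, username):
    return conn.execute("SELECT COUNT(*) FROM radacct WHERE username = ?",
                        (username,)).fetchone()[0]


# Constructed sample packets: a Start, the NAS retransmitting it, and the Stop.
START = {"User-Name": "pants", "Acct-Session-Id": "0000A1B2",
         "NAS-IP-Address": "10.0.0.100", "Client-IP-Address": "10.0.0.100",
         "NAS-Port": 1, "Acct-Status-Type": "Start",
         "Event-Timestamp": "2006-09-01 15:50:59"}
DUPLICATE_START = dict(START)
STOP = dict(START, **{"Acct-Status-Type": "Stop", "Acct-Session-Time": 1800,
                      "Event-Timestamp": "2006-09-01 16:20:59"})


def run_demo():
    """Returns ([outcome of each packet], rows left for the user)."""
    conn = open_db()
    outcomes = [record_start(conn, START), record_start(conn, DUPLICATE_START),
                record_stop(conn, STOP), record_stop(conn, STOP)]
    return outcomes, session_rows(conn, "pants")


if __name__ == "__main__":
    print(run_demo())   # (['inserted', 'updated', 1, 0], 1)
```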


Re: WPA/RADIUS Problems

2006-09-01 Thread Loukas Kalenderidis
On the rare occasions that I post to mailing lists I always forget  
something in the first message. This is the error that I get from  
Internet Connect on Mac OS X when I connect:

802.1X Authentication has failed.
802.1X is unable to authenticate. It is possible that the  
configuration you have provided is invalid. If you are unsure about  
what configuration to connect with, check with your network  
administrator.

( Error: 1 on port en1 )

Loukas

On 01/09/2006, at 4:12 PM, Loukas Kalenderidis wrote:



Re: URGENT! Dialupadmin Could not connect to SQL database

2006-09-01 Thread Edoardo Causarano
Make sure you pass the checklist on http://ora-12154.ora-code.com/
Personally I've seen Oracle clients that suddenly refuse to work because
it decides that it wants ip-name mappings. Usually a trip to the DNS or
/etc/hosts solves the problem.

On 31/ago/06, at 16:38GMT+02:00, Guilherme Franco wrote:

 Mr. Peter,
 I did a test right now with the command line "php", for example "php test.php"
 and it works! test.php is a program I've created to retrieve some tables from
 the oracle server. (tcpdump in oracle server shows traffic correctly this way)
 But when I try to open test.php from the apache web page, it states
 Parse error: syntax error, unexpected '' in /www/htdocs/test.php on line 10
 (then, tcpdump in oracle server shows nothing)
 I think that the same problem is blocking dialupadmin from connecting with oracle.
 What might it be?
 Thanks.

 On 8/31/06, Guilherme Franco [EMAIL PROTECTED] wrote:
  Hello,
  Yes, I configured it with the option "--with-oci8", and phpinfo() shows oci8
  support as enabled.
  This machine (dialupadmin server) is standalone (oracle in other server and
  radius in other). I'm trying to use sqlplus from the dialupadmin server but it
  gives me either ORA-12546 TNS permission denied or ORA-12514 TNS listener
  does not currently know of service requested in connect descriptor.
  I've researched a lot about this problem but found nothing.
  note: (I've read somewhere that oci does not work well with modules, just
  with static php links)
  Please help.
  Thank you very much.

  On 8/31/06, Peter Nixon [EMAIL PROTECTED] wrote:
   On Thu 31 Aug 2006 16:17, Guilherme Franco wrote:
    URGENT! Hi, I'm getting this error *Could not connect to SQL database.* in
    dialupadmin. (using OCI8 with ORACLE)
    Radiusd connects to Oracle without any problems, dialupadmin don't.

   Does your PHP module have Oracle support?

   --
   Peter Nixon
   http://www.peternixon.net/
   PGP Key: http://www.peternixon.net/public.asc

Re: Freeradius and SNMP

2006-09-01 Thread Michael Schwartzkopff
On Friday, 1 September 2006 00:16, Kevin Bonner wrote:
 On Wednesday 30 August 2006 11:09, Michael Schwartzkopff wrote:
  Hi,
 
  thanks to that explanation. But my question was: Why I do get no answer
  if I do
  snmpwalk (...) localhost enterprises.3317
 
  while walking mib-2.67 gives results?
 
  Michael.

 The ent.3317 OID is only used to establish the SMUX session with the SNMP
 daemon.  It is never registered with snmpd, which is why you receive no
 results.

 -Kevin

Thanks. That explains a lot.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: WebDAV HTTP Auth to RADIUS, possible?

2006-09-01 Thread Samuel Degrande

Michael Check wrote:

On 8/31/06, Michael Check [EMAIL PROTECTED] wrote:

WebDAV will allow either Basic or Digest (it uses the same HTTP Auth
mechanism that Apache provides) so I think it will work.  Even with
DAV On, you can have AuthType Basic - so my assumption at this point
is that it will work.  I'll report back to the list.


I'm having difficulty getting Basic authentication done with 
mod_auth_radius


Here is the http conf directives used:

<IfModule mod_auth_radius.c>
    AddRadiusAuth 127.0.0.1:1812 testing123 5:3
    AddRadiusCookieValid 5
</IfModule>

<Location /calendars/>
    AllowOverride None
    Options None

    AuthType Basic
    AuthName Calendars
    #AuthAuthoritative Off
    AuthRadiusAuthoritative On
    AuthRadiusCookieValid 5
    AuthRadiusActive On
    <Limit GET HEAD OPTIONS>
        require valid-user
    </Limit>
</Location>


Our configuration for Apache 1.3 (but it was for https authentication, 
not for WebDAV...) was


AuthAuthoritative on
AuthRadiusAuthoritative on


As far as I remember the order of module declaration was also important. 
We had :


LoadModule access_module libexec/mod_access.so
LoadModule radius_auth_module libexec/mod_auth_radius.so
LoadModule auth_module libexec/mod_auth.so


Hope it will help you

--
Samuel Degrande   LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3
Phone: (33)3.28.77.85.30  USTL - Universite de Lille 1
Fax:   (33)3.28.77.85.37  59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
[CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]



Re: WPA/RADIUS Problems

2006-09-01 Thread Alan DeKok
Loukas Kalenderidis [EMAIL PROTECTED] wrote:
  I've configured FreeRADIUS as best I can figure  
 from what I've found on the web, but I'm having no success with  
 getting WPA to work. I'm using a D-Link 2100AP access point, and a  
 Mac OS X 10.4 client. From what I can gather it seems that I might  
 have misconfigured FreeRADIUS, based on the error message below.
 
 I've configured a test user as follows:
 pants Auth-Type := Accept

  That won't make WPA work.  WPA requires a whole bunch of data
exchange before all the machines involved believe that net access has
been granted.

  You have to configure users, passwords, and certificates for it to work.

 The last 3 lines I found in a tutorial on the web, but I'm not sure  
 if they are necessary or not (and commenting them out makes no  
 difference).

  They're for VLAN assignment.  You don't need them.

 Watching the traffic shows the Access-Accept packet being sent back  
 to the AP, but confusingly the AP sends an Access-Accept back to the  
 RADIUS server! (10.0.0.100 is the AP, 10.0.0.101 is the RADIUS server):

   That's what the debug log shows, too.

  I'm a little surprised that the AP is sending the Access-Request
back to the server.  Since you've configured the server to do
something the AP doesn't expect, I guess you're in an untested area of
its behavior.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
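An added example, not from the thread: the packets from the tcpdump in the first message, decoded with the checks a RADIUS receiver applies before it acts on a reply. The bytes are copied from that capture (the RADIUS payload after the 28 bytes of IP and UDP headers); the shared secret is a constructed placeholder, since the real one is not on the page.

```python
import hashlib
import struct

# Bytes copied from the tcpdump in Loukas's first message (RADIUS payload only,
# i.e. after the 28 bytes of IP and UDP headers).
# Request Authenticator of the AP's Access-Request with id 0 (offset 0x20).
REQUEST_AUTHENTICATOR = bytes.fromhex("3daa045877d95edd5149623077177c71")
# The Access-Accept the server sent to the AP: code 2, id 0, length 35,
# carrying Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id.
SERVER_ACCEPT = bytes.fromhex("02000023" "a6d57da733d8c5a1b0d4f206098f1394"
                              "40060000000d" "410600000006" "510331")
# The packet the AP then sent *back* to port 1812: identical, except that its
# authenticator field is the Request Authenticator above, echoed verbatim.
AP_ECHO = bytes.fromhex("02000023" "3daa045877d95edd5149623077177c71"
                        "40060000000d" "410600000006" "510331")
# Constructed placeholder: the real shared secret is not on the page.
SECRET = b"constructed-secret"

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
ATTR_NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-Id"}


def parse_radius(pkt):
    """Split a packet into (code, identifier, authenticator, [(type, value), ...]).
    Raises ValueError on an inconsistent header or attribute length, which is
    the first thing a server checks before it looks at the contents."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("length field %d does not fit %d bytes" % (length, len(pkt)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d has bad length %d" % (atype, alen))
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def is_well_formed(pkt):
    try:
        parse_radius(pkt)
        return True
    except ValueError:
        return False


def decode_attrs(attrs):
    """Turn the tunnel attributes into the values radtest printed. The first
    octet of a tagged attribute is the tag; a tag is always <= 0x1f."""
    out = {}
    for atype, value in attrs:
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        if atype in (64, 65):                       # tag + 3-octet integer
            out[name] = int.from_bytes(value[1:], "big")
        elif atype == 81:                           # optional tag + string
            out[name] = (value[1:] if value and value[0] <= 0x1F else value).decode("ascii")
        else:
            out[name] = value
    return out


def response_authenticator(reply, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.unpack("!H", reply[2:4])[0]
    return hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()


def reply_is_valid(reply, request_authenticator, secret):
    """What the receiver of a reply should require: well-formed, a reply code, and
    an authenticator equal to the MD5 over the request it actually sent plus the
    shared secret. Anything else is dropped, as the server's 'IGNORED' line shows."""
    if not is_well_formed(reply):
        return False
    code, _, auth, _ = parse_radius(reply)
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    return auth == response_authenticator(reply, request_authenticator, secret)


def echoes_request_authenticator(reply, request_authenticator):
    """True when a 'reply' carries the Request Authenticator verbatim instead of
    a computed Response Authenticator, which is what the AP's packet does."""
    return parse_radius(reply)[2] == request_authenticator


def build_accept(ident, attrs, request_authenticator, secret):
    """Assemble an Access-Accept the way a server does, for comparison."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = response_authenticator(header + bytes(16) + body, request_authenticator, secret)
    return header + auth + body


if __name__ == "__main__":
    code, ident, _, attrs = parse_radius(SERVER_ACCEPT)
    print("server reply: code %d id %d %s" % (code, ident, decode_attrs(attrs)))
    print("AP echo valid:", reply_is_valid(AP_ECHO, REQUEST_AUTHENTICATOR, SECRET))
```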


Redirect question

2006-09-01 Thread Mordor Networks
Hi all,
I have a question. I used freeradius with a mysql backend for auth and
accounting for dialup accounts. I want to know if it is possible, when the
user account is expired, to allow the user to connect but to be redirected
to a website telling him that the account is expired. Is it possible?


Re: Redirect question

2006-09-01 Thread Alan DeKok
Mordor Networks [EMAIL PROTECTED] wrote:
 I have a question. I used freeradius with a mysql backend for auth and
 accounting for dialup accounts. I want to know if it is possible, when
 the user account is expired, to allow the user to connect but to be
 redirected to a website telling him that the account is expired. Is it
 possible?

  You will need a captive portal to do this.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


SQL user in multiple groups

2006-09-01 Thread Pavel D. Kuzin

Hello!

Does anybody use a user in multiple groups with the SQL backend?

--
Pavel D.Kuzin
System Administrator
Nodex  ISP
St. Petersburg, Russia
[EMAIL PROTECTED]
http://nodex.ru


Problems getting eap-mschapv2 working.

2006-09-01 Thread Ian Walker
Been trying to get eap working with peap/mschapv2 but it doesn't seem to work.
This is my radiusd.conf file:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var/run
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions	= yes
extended_expressions	= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}

$INCLUDE  ${confdir}/clients.conf

thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}

modules {
	eap {
		default_eap_type = md5
		timer_expire = 60
		md5 {
		}
		tls {
			private_key_password = 
			private_key_file = /usr/local/etc/raddb/new.cert.key
			certificate_file = /usr/local/etc/raddb/new.cert.cert
			CA_file = /usr/local/etc/raddb/cacert.pem
			dh_file = /dev/urandom
			random_file = /dev/urandom
			fragment_size = 1024
			include_length = yes
		}
		peap {
			default_eap_type = mschapv2
			mschapv2 {
authtype = mschapv2
use_mppe = yes
require_encryption = yes
require_strong = yes
			}
		}
	}

	files {
		usersfile = ${confdir}/users
		compat = no
	}
	exec cerb {
		wait = yes
		program = /usr/local/bin/cerbauth -e freeradius
		input_pairs = request
		output_pairs = reply
	}
	preprocess {
	}
}

authorize {
	preprocess
	eap
	files
}

authenticate {

	Auth-Type eap {
		eap
	}

	Auth-Type CERB {
		cerb
	}
}
as you can see, I'm currently working with md5 and this works perfectly well.
But when I set the client and configure the server to default for peap/tls,
then it fails saying: No such EAP type mschapv2
I believe if I can get past this, that my system will authenticate with
peap/mschapv2 successfully.
Hope you can help.
Regards
Ian

Everything looks like it works, but PC is not authenticated

2006-09-01 Thread Alexandros Gougousoudis

Hi,

I'm running Freeradius 1.1.0 on Suse 10.1 with certificates. After a 
lot of help from that list and a good FAQ I'm so far that I generated 
the certs for server and client and that the communication between 
Client, Server and AP (Linksys Switch) works.


My problem is that, looking in the logs, the client should be 
authenticated, but it isn't. The AP doesn't open the port. I assume the 
problem is Windows submitting the username as host/computername, which 
breaks the certs (but I have no hint in the logfile). The PC tries to 
authenticate 13 times (I get at least 13 requests to the radius), but I 
get no error...


My users file contains this:

testuser	User-Password == test2

host/vinfo-t1	Auth-Type := EAP

vinfo-t1	Auth-Type := EAP

# On no match, the user is denied access.
DEFAULT	Auth-Type := Reject
	Reply-Message = Bye


Please have a short look at my debug log. I don't know where to look further.

TIA
 Alex

Debuglog:

radius:/etc/raddb # radiusd -A -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = yes
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/ssl/radius-neuer-cert-key.pem
 tls: certificate_file = /etc/raddb/certs/ssl/radius-neuer-cert-key.pem
 tls: CA_file = /etc/raddb/certs/ssl/ServiceCenter-IT_KHB_HfM_HfS-cacert.pem
 tls: private_key_password = secret
 tls: dh_file = /etc/raddb/certs/ssl/dh
 tls: random_file = /etc/raddb/certs/ssl/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = md5
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.


RE: Problems getting eap-mschapv2 working.

2006-09-01 Thread King, Michael



Did you generate the certificates that are mentioned there? The ones that
ship with the server are expired, you have to generate your own certificate.

What version of FreeRADIUS? Version 1.1.1 fixed a lot of little PEAP things.
Version 1.1.3 of course is what you should be running.
Most versions after 1.0.0 have the eap section broken out to a separate
file, that has lots of comments in it about generating certs.

Also, it looks like your actual problem is that you have re-written the eap
section... and missed a paren.

This is mine. In yours you have included mschapv2 inside of PEAP. It is its
own section, outside of the PEAP section.

peap {
	default_eap_type = mschapv2
	copy_request_to_tunnel = no
	use_tunneled_reply = yes
	# proxy_tunneled_request_as_eap = yes
}

mschapv2 {
}


  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ian Walker
Sent: Friday, September 01, 2006 8:36 AM
To: freeradius-users@lists.freeradius.org
Subject: Problems getting eap-mschapv2 working.

Re: Problems getting eap-mschapv2 working.

2006-09-01 Thread Zoltan Ori
On Friday 01 September 2006 08:36, Ian Walker wrote:
 Been trying to get eap working with peap/mschapv2 but it doesn't seem to
 work.

 This is my radiusd.conf file:

   }
   peap {
   default_eap_type = mschapv2
   mschapv2 {
   authtype = mschapv2
   use_mppe = yes
   require_encryption = yes
   require_strong = yes
   }
   }

You have some items misplaced. Check against the default configuration that 
came with the server. In particular, mschapv2 and the contents of that 
stanza.

Zoltan Ori



Re: Everything looks like it works, but PC is not authenticated

2006-09-01 Thread Stefan Winter
Hi,

 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154
  EAP-Message = 0x0112000a0d80
  Message-Authenticator = 0x
  State = 0x3f9387f3adb41ddea578c30fd328358f
 Finished request 13
 Going to the next request
 Waking up in 6 seconds...

This *doesn't* look like it works. The server sends a packet to the client, 
and the client refuses to answer thereafter. The usual cause of this, which 
generates the same question and the same answers multiple times a week in 
this list, is that the server cert doesn't have the MS TLS Web Server 
Authentication OID in the cert. Please read the various documentation about 
this topic that exists both here in the list archives and in HOWTOs 
throughout the web.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg




Re: URGENT! Dialupadmin Could not connect to SQL database

2006-09-01 Thread Guilherme Franco
Thanks, I've already managed to make it work using the Oracle instant client and a custom tnsnames.ora. I was using the entire Oracle enterprise install before and it didn't work! Crazy, but it's working now. Thanks.

On 9/1/06, Edoardo Causarano [EMAIL PROTECTED] wrote:

Make sure you pass the checklist on http://ora-12154.ora-code.com/ Personally I've seen Oracle clients that suddenly refuse to work because it decides that it wants ip-name mappings. Usually a trip to the DNS or /etc/hosts solves the problem.

On 31/ago/06, at 16:38 GMT+02:00, Guilherme Franco wrote:

Mr. Peter, I did a test right now with the command line php, for example "php test.php", and it works! test.php is a program I've created to retrieve some tables from the Oracle server. (tcpdump on the Oracle server shows traffic correctly this way.) But when I try to open test.php from the Apache web page, it states

Parse error: syntax error, unexpected '' in /www/htdocs/test.php on line 10

(then, tcpdump on the Oracle server shows nothing)

I think that the same problem is blocking dialupadmin from connecting with Oracle.

What might it be? Thanks.

On 8/31/06, Guilherme Franco [EMAIL PROTECTED] wrote:

Hello, Yes, I configured it with the option --with-oci8, and phpinfo() shows oci8 support as enabled.
This machine (dialupadmin server) is standalone (Oracle on another server and radius on another). I'm trying to use sqlplus from the dialupadmin server but it gives me either ORA-12546 TNS permission denied or ORA-12514 TNS listener does not currently know of service requested in connect descriptor.
I've researched a lot about these problems but found nothing. Note: (I've read somewhere that oci does not work well with modules, just with static php links.) Please help. Thank you very much.

On 8/31/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Thu 31 Aug 2006 16:17, Guilherme Franco wrote:
URGENT! Hi, I'm getting this error *Could not connect to SQL database.* in dialupadmin. (using OCI8 with ORACLE)
Radiusd connects to Oracle without any problems, dialupadmin doesn't.

Does your PHP module have Oracle support?
--
Peter Nixon
http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc

openssl certificate, need help

2006-09-01 Thread Collen Blijenberg

Could someone help me out please...

we're trying to make our wpa-wlan work, but currently I'm stuck with the
certificates part of tls.

I'd tried running CA.all, but the script gives me errors. (freeradius 
1.1.3)


-
+ openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out 
root.p12 -cacerts -passin pass:whatever -passout pass:whatever

Error opening input file demoCA/cacert.pem
demoCA/cacert.pem: No such file or directory
+ openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever 
-passout pass:whatever

Error opening input file root.p12
root.p12: No such file or directory
+ openssl x509 -inform PEM -outform DER -in root.pem -out root.der
Error opening Certificate root.pem
20898:error:02001002:system library:fopen:No such file or 
directory:bss_file.c:278:fopen('root.pem','r')

20898:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:280:
unable to load certificate


in the script dir there is no demoCA and no cacert.pem?! also, the CA.all 
script has an rm -rf demoCA.
so I commented the 'rm' out and copied the default demoCA and cacert.pem 
from my working installation
(version 1.0.2 that was shipped with fedora, and has certificates for 
localhost)


and guess what, another error:

---
+ openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out 
root.p12 -cacerts -passin pass:whatever -passout pass:whatever

No certificate matches private key
+ openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever 
-passout pass:whatever
21004:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too 
long:asn1_lib.c:140:

+ openssl x509 -inform PEM -outform DER -in root.pem -out root.der
unable to load certificate
21005:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:642:Expecting: TRUSTED CERTIFICATE

+ echo -e ''
-

dunno where to go now!? is there some help on how to make the 
certificate thing work for tls, and Windows XP SP2 clients??


Thx

Collen




Re: Everything lookslike it works, but PC is not authentified

2006-09-01 Thread K. Hoercher

Hi,

On 9/1/06, Alexandros Gougousoudis [EMAIL PROTECTED] wrote:

My users file contains this:

testuser User-Password == test2

host/vinfo-t1 Auth-Type := EAP

vinfo-t1 Auth-Type := EAP

# On no match, the user is denied access.
DEFAULT Auth-Type := Reject
        Reply-Message = Bye


1. Don't set Auth-Type. See
http://deployingradius.com/documents/configuration/auth_type.html

2. Further action depends on what you want (eap-tls or
eap-peap/mschapv2), eventually the CN in your client's certificates
and finally what the supplicant sends. What is host/vinfo-t1
supposed to be?

regards
K. Hoercher


Is it possible to log connection details in MySQL?

2006-09-01 Thread ZaiPower

Hello:

I'd like to know if it is possible to save all the info under the log
directory radacct (connections' details by client's IP) in MySQL instead
of files on the hard disk.

Are all the variables accessible? I mean, are the variables %{Packet-Type},
%{User-Name}, %{User-Password}, %{NAS-IP-Address}, %{NAS-Port} and
%{Client-IP-Address} valid for an SQL sentence in 'postauth_query'?
Am I missing any other info?

After reading the answer
(http://wiki.freeradius.org/index.php/FAQ#How_do_I_log_failed_login_attempts_in_a_SQL_database.3F)
to the question "How do I log failed login attempts in a SQL database?" in
the FreeRADIUS wiki, it seems it is possible with adequate SQL sentences.

I see three problems:
- I don't see clearly how to separate successful authentication from
unsuccessful. Maybe like this? How could I tell FreeRADIUS to use different
queries depending on the type of request?

post-auth {
# Login successful: get an address from the IP pool.
ippool

Post-Auth-Type ACCEPT {
sql
}

Post-Auth-Type REJECT {
# Login failed: log to SQL database.
sql
}
}


- Where can I find documentation about the different packet types and their
data?
- Is it possible to tell FreeRADIUS that I want to send more than one query
to MySQL?


I really want this functionality (keeping the connection logs in MySQL, not in
the filesystem). I ask this question to find out if I am on the right path, or
ideally if anybody has already made something like this.



Re: Everything lookslike it works, but PC is not authentified

2006-09-01 Thread Phil Mayers

Stefan Winter wrote:

Hi,


Sending Access-Challenge of id 0 to 10.48.244.21 port 49154
 EAP-Message = 0x0112000a0d80
 Message-Authenticator = 0x
 State = 0x3f9387f3adb41ddea578c30fd328358f
Finished request 13
Going to the next request
Waking up in 6 seconds...


This *doesn't* look like it works. The server sends a packet to the client, 
and the client refuses to answer thereafter. The usual cause of this, which 
generates the same question and the same answers multiple times a week in 
this list, is that the server cert doesn't have the MS TLS Web Server 
Authentication OID in the cert. Please read the various documentation about 


I wonder if it would be possible to have the PEAP, TLS and TTLS EAP 
sub-modules print a VERY LOUD WARNING if that OID is missing from the 
certificate on startup?


A quick 60 second scan of the OpenSSL API doesn't show the obvious call, 
but given how incomprehensible the OpenSSL API is in general, that's not 
surprising...


Re: Is it possible to log connection details in MySQL?

2006-09-01 Thread Peter Nixon
On Fri 01 Sep 2006 17:42, ZaiPower wrote:
 Hello:

 I'd like to know if it is possible to save all the info under the log
 directory radacct (connections' details by client's IP) in MySQL instead
 of files in hard disk.

Yes. This is certainly possible.

 Are all the variables accessible?. I mean, are they valid for an SQL
 sentence in 'postauth_query' variables %{Packet-Type}, %{User-Name},
 %{User-Password}, %{NAS-IP-Address}, %{NAS-Port} and  %{Client-IP-Address}?
 Am I missing any other info?

'postauth_query' is funnily enough related to postauth, NOT Accounting.

Please read http://wiki.freeradius.org/index.php/Rlm_sql

 After reading the answer
 (http://wiki.freeradius.org/index.php/FAQ#How_do_I_log_failed_login_attempts_in_a_SQL_database.3F)
 to the question How do I log failed login attempts in a SQL database? in
 the FreeRadius wiki it seems it is possible with adequate SQL sentences.

Yes. Do you want to log unsuccessful logins or (successful) accounting info 
to SQL?

 I see three problems:
 - I don't see clearly how to separate successfully authentication of
 unsuccessfull. Maybe like this? How could I tell FreeRadius different
 queries depending on type of request?

   post-auth {
   # Login successful: get an address from the IP pool.
   ippool

   Post-Auth-Type ACCEPT {
   sql
   }

   Post-Auth-Type REJECT {
   # Login failed: log to SQL database.
   sql
   }
   }



Please reread this. It is very clear.

 - Where I can find documentation about the different packet types and their
 data?

Your NAS documentation may contain this info. You can also read
http://www.ietf.org/rfc/rfc2865.txt
http://www.ietf.org/rfc/rfc2866.txt

 - Is it possible to tell FreeRadius that I want to send more than one query
 to MySQL?

More than one query for what?

 I really want this functionality (keep the connection logs in MySQL, not in
 the filesystem).  I make this question to know if I am in the right path or
 ideally if anybody has already make something like this.

Excellent. This functionality exists. Enjoy :-)

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Everything lookslike it works, but PC is not authentified

2006-09-01 Thread Alan DeKok
Phil Mayers [EMAIL PROTECTED] wrote:
 I wonder if it would be possible to have the PEAP, TLS and TTLS EAP 
 sub-modules print a VERY LOUD WARNING if that OID is missing from the 
 certificate on startup?

  I think so.  X509_print_ex, I believe.  Dump the certificate to a
string buffer, and do strstr for the OID.

  Yucky, but it will work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
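The check Phil asks for and Alan sketches above (and the missing-OID cause Stefan describes earlier in this digest), as an added example that is not FreeRADIUS, OpenSSL or the posters' own code: it walks the DER bytes of one X.509 extension instead of calling X509_print_ex() and strstr(), so it builds without OpenSSL headers; the extension bytes at the end are constructed sample data, not taken from any real certificate.

```c
/* Added example, not FreeRADIUS or OpenSSL code: the check Phil asks for and Alan
 * sketches, done on the raw DER bytes of one X.509 Extension instead of through
 * X509_print_ex()/strstr().  It answers: is this the extendedKeyUsage extension, and
 * does it list id-kp-serverAuth (1.3.6.1.5.5.7.3.1, "TLS Web Server Authentication")? */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER (tag 0x06, length, contents) of id-ce-extKeyUsage 2.5.29.37 and id-kp-serverAuth. */
static const uint8_t OID_EKU[]   = { 0x06, 0x03, 0x55, 0x1D, 0x25 };
static const uint8_t OID_SAUTH[] = { 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01 };

/* Parse one DER header at p: content length to *len; returns header size, or 0 if
 * header + content does not fit before end (truncated or malformed input). */
static size_t der_tlv(const uint8_t *p, const uint8_t *end, size_t *len)
{
    if (end - p < 2) return 0;
    size_t hdr = 2, l = p[1];
    if (l & 0x80) {                          /* long-form length: 1 or 2 length bytes here */
        size_t n = l & 0x7F;
        if (n == 0 || n > 2 || (size_t)(end - p) < 2 + n) return 0;
        l = 0;
        for (size_t i = 0; i < n; i++) l = (l << 8) | p[2 + i];
        hdr = 2 + n;
    }
    if ((size_t)(end - p) < hdr + l) return 0;
    *len = l;
    return hdr;
}

/* 1 if ext (one Extension ::= SEQUENCE) is extendedKeyUsage containing
 * id-kp-serverAuth; 0 otherwise, including for truncated or malformed input. */
int ext_has_server_auth(const uint8_t *ext, size_t ext_len)
{
    const uint8_t *p = ext, *end = ext + ext_len;
    size_t hdr, len;
    if (!(hdr = der_tlv(p, end, &len)) || p[0] != 0x30) return 0;
    p += hdr; end = p + len;
    if ((size_t)(end - p) < sizeof OID_EKU || memcmp(p, OID_EKU, sizeof OID_EKU) != 0) return 0;
    p += sizeof OID_EKU;                     /* extnID matched; next: [critical] extnValue */
    if (!(hdr = der_tlv(p, end, &len))) return 0;
    if (p[0] == 0x01) {                      /* optional critical BOOLEAN: step over it */
        p += hdr + len;
        if (!(hdr = der_tlv(p, end, &len))) return 0;
    }
    if (p[0] != 0x04) return 0;              /* extnValue OCTET STRING ... */
    p += hdr; end = p + len;
    if (!(hdr = der_tlv(p, end, &len)) || p[0] != 0x30) return 0;   /* ... wrapping SEQUENCE OF OID */
    p += hdr; end = p + len;
    while ((hdr = der_tlv(p, end, &len)) != 0) {                     /* each KeyPurposeId */
        if (hdr + len == sizeof OID_SAUTH && memcmp(p, OID_SAUTH, sizeof OID_SAUTH) == 0) return 1;
        p += hdr + len;
    }
    return 0;
}

/* Constructed sample extensions (not from a real certificate): serverAuth only, then clientAuth (...7.3.2) only. */
const uint8_t EKU_SERVER_ONLY[] = { 0x30,0x13, 0x06,0x03,0x55,0x1D,0x25, 0x04,0x0C, 0x30,0x0A, 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01 };
const uint8_t EKU_CLIENT_ONLY[] = { 0x30,0x13, 0x06,0x03,0x55,0x1D,0x25, 0x04,0x0C, 0x30,0x0A, 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02 };
```

A startup warning in the style Phil suggests would run this over each extension of the server certificate and complain if none returns 1.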


certificate issue

2006-09-01 Thread Kartthik
When I run the CA.all script to generate the certificates, all the certificates get generated except root.cer and I get the below error message:

+ openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin 'pass:whatever' -passout 'pass:whatever'
No certificate matches private key
+ openssl pkcs12 -in root.p12 -out root.pem -passin 'pass:whatever' -passout 'pass:whatever'
17703:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
+ openssl x509 -inform PEM -outform DER -in root.pem -out root.der
unable to load certificate
17704:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE
+ echo -e ''

I deleted the newcert.pem and newreq.pem but it still didn't work.

Did a fresh installation of openssl 0.9.8 but still get this error message, and tried with a different passin key and DN. Can someone help me to resolve this issue?

Thanks,
Kartthik

HOW-TO for Linux radius client

2006-09-01 Thread J. C. Desai




Hi,

I am looking for a Linux client side HOW-TO for radius authentication without requiring presence of the login id on the client side locally.

The following is the authentication scenario I am trying:

1) I have freeRadius server installed on a RedHat Linux machine
2) I would like users logging into other RedHat Linux machines in our network to have their login/passwd authenticated using freeRadius server (for login, su, ssh, telnet, ftp etc. ways of accessing local client machines in the network)
3) I do not want to use LDAP on server or client side
4) I am using PAM and have experimented with pam_radius_auth module without success
5) The problem I am facing is that the login id has also to be defined locally on client Linux machines --- otherwise, for example, the su command fails indicating that the id does not exist (if I create the login id on client locally, then it queries freeRadius server)
6) I do not want to add "ldap" to nsswitch.conf file of client --- just want to stick to radius for now

In summary, is there a Linux client side HOW-TO for radius authentication without requiring presence of the login id on client side locally?

Regards ... J. C. Desai


RE: HOW-TO for Linux radius client

2006-09-01 Thread Seferovic Edvin

Hello,

what are you using as backend for freeradius server? If you use LDAP as backend for freeradius, I really do NOT see the need for the use of RADIUS protocol to do authentication for such services (login, ssh etc). It would be easier if you implement auth against LDAP directory for such services, and use RADIUS where it can serve the purpose (full AAA)!

Regards,

Edvin Seferovic











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J. C. Desai
Sent: Friday, 01 September 2006 21:34
To: freeradius-users@lists.freeradius.org
Subject: HOW-TO for Linux radius client










Re: HOW-TO for Linux radius client

2006-09-01 Thread Nicolas Baradakis
J. C. Desai wrote:

 I am looking for a Linux client side HOW-TO for radius authentication
 without requiring presence of the login id on client side locally.

Please no HTML to the list.

I already tried to implement a similar setup but never found all the
pieces of the puzzle.

 5) The problem I am facing is that the login id has also to be defined
 locally on client Linux machines --- otherwise, for example, the su command
 fails indicating that the id does not exist (if I create the login id on
 client locally, then it queries freeRadius server)

Indeed, the missing piece is the libnss-radius. I think you'll have to
write your own. I've already looked at it and it's not very hard to do.

My tests indicate that you need to implement only 2 functions to get login,
xdm, ssh, etc. working on the client machines.

enum nss_status _nss_radius_getpwnam_r(const char *name, struct passwd *result, char *buffer, size_t buflen);
enum nss_status _nss_radius_getpwuid_r(uid_t uid, struct passwd *result, char *buffer, size_t buflen);

More info in the glibc manual:
http://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html

-- 
Nicolas Baradakis
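The two entry points Nicolas lists, as an added example that is neither his code nor an existing libnss-radius module: glibc's actual signatures carry a fifth int *errnop argument, included here; the user table is constructed sample data (hypothetical uids) standing in for whatever backend a real module would query, and the point shown is the buffer contract that NSS callers rely on.

```c
/* Added example, not Nicolas's code nor any existing libnss-radius: the two NSS
 * entry points he names, over a constructed in-memory table that stands in for
 * whatever backend a real module would query.  What it shows is the glibc contract:
 * every string in the returned struct passwd must live in the caller's buffer, and
 * a too-small buffer is reported as NSS_STATUS_TRYAGAIN with errno set to ERANGE. */
#include <errno.h>
#include <pwd.h>
#include <string.h>
#ifdef __GLIBC__
#include <nss.h>                           /* enum nss_status */
#else                                      /* glibc's values, for non-glibc builds */
enum nss_status { NSS_STATUS_TRYAGAIN = -2, NSS_STATUS_UNAVAIL, NSS_STATUS_NOTFOUND, NSS_STATUS_SUCCESS };
#endif

struct radius_user { const char *name; uid_t uid; gid_t gid; const char *home, *shell; };

/* Constructed sample accounts with hypothetical uids; a real module queries its backend here. */
static const struct radius_user USERS[] = {
    { "alice", 10001, 10001, "/home/alice", "/bin/bash" },
    { "bob",   10002, 10002, "/home/bob",   "/bin/sh"   },
};

/* Copy one entry into *result, placing every string inside buffer[buflen]. */
static enum nss_status fill_passwd(const struct radius_user *u, struct passwd *result,
                                   char *buffer, size_t buflen, int *errnop)
{
    const char *src[] = { u->name, "x", u->home, u->shell };   /* "x": no password here */
    char *dst[4];
    size_t need = 0;
    for (int i = 0; i < 4; i++) need += strlen(src[i]) + 1;
    if (need > buflen) { *errnop = ERANGE; return NSS_STATUS_TRYAGAIN; }   /* caller retries bigger */
    for (int i = 0; i < 4; i++) {
        size_t n = strlen(src[i]) + 1;
        dst[i] = memcpy(buffer, src[i], n);
        buffer += n;
    }
    result->pw_name = dst[0]; result->pw_passwd = dst[1]; result->pw_gecos = dst[0];
    result->pw_dir = dst[2];  result->pw_shell = dst[3];
    result->pw_uid = u->uid;  result->pw_gid = u->gid;
    return NSS_STATUS_SUCCESS;
}

/* glibc calls these with int *errnop as a fifth argument, beyond the four quoted above. */
enum nss_status _nss_radius_getpwnam_r(const char *name, struct passwd *result,
                                       char *buffer, size_t buflen, int *errnop)
{
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
        if (strcmp(USERS[i].name, name) == 0)
            return fill_passwd(&USERS[i], result, buffer, buflen, errnop);
    *errnop = ENOENT;
    return NSS_STATUS_NOTFOUND;
}

enum nss_status _nss_radius_getpwuid_r(uid_t uid, struct passwd *result,
                                       char *buffer, size_t buflen, int *errnop)
{
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
        if (USERS[i].uid == uid) return fill_passwd(&USERS[i], result, buffer, buflen, errnop);
    *errnop = ENOENT;
    return NSS_STATUS_NOTFOUND;
}
```

Built as libnss_radius.so.2 and listed as "radius" in the passwd line of nsswitch.conf, these two functions are what make su and login find a user that exists nowhere in the local passwd file.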
