Proxy with TLS

2006-09-05 Thread Gabriele Chervatin

Hi, I'm very new to Freeradius.

I'm trying to use TLS with two freeradius servers.

I've a firewall FW that talks locally (over LAN) with the freeradius A.
Then freeradius A proxies the request to a remote (over WAN)
freeradius B. The system works great and I'm able to authenticate users
on firewall FW by freeradius B (which is the only one that has the user
accounts).

Now to increase the security, I'm trying to use EAP-TLS or EAP-TTLS
between the two freeradius servers, but with no luck; in fact, in the
logs of the main server I see:

rlm_eap: No EAP-Message, not doing EAP

(and so it's not doing TLS)

I'm using version 1.1.3, and I've generated the certificates correctly,
and configured eap.conf to use tls and ttls. What is wrong? Maybe it is
not possible to use TLS in proxy mode?

Thanks

--
Gabriele Chervatin
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Question about freeradius and Cisco VoIP router

2006-09-05 Thread Ali Majdzadeh
Hello All

I am writing a C program as an external program for freeradius to handle authentication requests received from a Cisco VoIP router. How can I pack attribute-value pairs and send them to the router? I can determine the attribute-value pairs transmitted by the router through environment variables, but I don't know how to send the attribute-value pairs which the router expects to receive.

Best Regards
Ali

Re: Proxy with TLS

2006-09-05 Thread affora deeb
hi
I just want to know what is the operating system you installed free radius on? Is it linux red hat?
thanks

On 9/5/06, Gabriele Chervatin <[EMAIL PROTECTED]> wrote:
> Hi, I'm very new to Freeradius.
>
> I'm trying to use TLS with two freeradius servers.
>
> I've a firewall FW that talks locally (over LAN) with the freeradius A.
> Then freeradius A proxies the request to a remote (over WAN)
> freeradius B. The system works great and I'm able to authenticate users
> on firewall FW by freeradius B (which is the only one that has the user
> accounts).
>
> Now to increase the security, I'm trying to use EAP-TLS or EAP-TTLS
> between the two freeradius servers, but with no luck; in fact, in the
> logs of the main server I see:
>
> rlm_eap: No EAP-Message, not doing EAP
>
> (and so it's not doing TLS)
>
> I'm using version 1.1.3, and I've generated the certificates correctly,
> and configured eap.conf to use tls and ttls. What is wrong? Maybe it is
> not possible to use TLS in proxy mode?
>
> Thanks
> --
> Gabriele Chervatin

radclient not able to send salted encrypted VSA's?

2006-09-05 Thread Birchmeier Raphael
Hi,
I'm using freeradius version 1.3. I need to send CoA
requests to a Juniper-ERX containing salted VSA
"ERX-LI-Action=enable".
radclient says it is unable to "salt" these VPs.

If someone could help extending radclient or tell me
another way how to send salted CoA requests I'd
appreciate it.

Here's what radclient tells:

echo "Acct-Session-Id = 0020049806" | radclient -f /sendcoa.txt -x localhost coa test
Sending CoA-Request of id 62 to 127.0.0.1 port 1700
ERX-LI-Action = on
radclient: Failed to send packet for ID 62: ERROR: No request packet, cannot encrypt ERX-LI-Action attribute in the vp.

The input file looks like:

ERX-LI-Action=1
ERX-Med-Ip-Address=1.1.1.1
ERX-Med-Dev-Handle=1234
ERX-Med-Port-Number=5061


The dictionary like:
ATTRIBUTE   ERX-LI-Action          58  integer encrypt=2
ATTRIBUTE   ERX-Med-Dev-Handle     59  octets  encrypt=2
ATTRIBUTE   ERX-Med-Ip-Address     60  ipaddr  encrypt=2
ATTRIBUTE   ERX-Med-Port-Number    61  integer encrypt=2


Thanks, Raphael



Re: Problems getting eap-mschapv2 working.

2006-09-05 Thread Ian Walker
I tested this morning, and now have it working.  Previously I just had the mschapv2 outside of the peap section and it didn't work.

However, I added the mschap stanza to the modules stanza outside of eap.  I also added mschap to authorize and authenticate stanzas.  Not sure if this was needed, so not entirely sure which bit did it, or whether all of it was required.

Thank you all for your input in helping me get this resolved :-)

Regards
Ian

On 04/09/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Ian Walker" <[EMAIL PROTECTED]> wrote:
> > however, there is no default/sample config that tells me how mschapv2 should
> > be configured.
>
>   The default configuration of mschapv2 works.  Massive edits to the
> configuration will almost always break it.
>
> http://deployingradius.com/documents/configuration/setup.html
>
>   Small changes, with tests, will almost always get it to work
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog

Mysql connection with SSL

2006-09-05 Thread Fabio Pedretti

Hi,
I'd like to know if there is a way to secure access to a Mysql
server from freeradius. I found this thread with a patch enabling SSL
connections:

http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-March/042059.html

Have things progressed since then?

Fabio



Problem in accounting with sql counter module max-all-session

2006-09-05 Thread Bisal
Hi,


 I have set up freeradius 1.1.2 on FreeBSD 6.0 with mysql support. I
have set up a user in the radcheck table as follows:

1403 | test01   |   |  || Max-All-Session | := | 1500|


The user test001 is allowed to log in for a total of 25hrs. After finishing
25hrs the user recharged his account to 30hrs again, and I updated
max-all-session to 1800 seconds in the radcheck table.
 Now when the user tries to connect he gets disconnected after 5hrs, and
when he tries to reconnect, he cannot authenticate. In my radius
log I see:

Mon Sep  4 17:43:56 2006 : Auth: Invalid user (rlm_sqlcounter: Maximum never usage time reached): [test01] (from client pppoe-bhw port 4448 cli 0:7:95:10:73:9e)

 What could be the problem with the sql counter module? In my radiusd.conf
settings I have set up the max-all-session counter as follows:

sqlcounter noresetcounter {
        driver = "rlm_sqlcounter"
        counter-name = Max-All-Session-Time
        check-name = Max-All-Session
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

  All things are running well except rechargeable accounts. How could I
make a rechargeable sqlcounter module for hourly accounts?
Do I need to create a separate sqlcounter according to plan? Like if
25hrs then in sqlcounter section "reset=25h", if 50hrs "reset=50h",
etc.


Any suggestion?


Bishal


Re: WPA/RADIUS Problems

2006-09-05 Thread Alexandros Gougousoudis

Hi Loukas,

Loukas Kalenderidis wrote:

> I'm happy to follow your advice, if you give me some that isn't just
> "configure stuff dude".

FreeRadius is very confusing and the docs do not explain everything in a
manner a beginner can understand. That was my problem. I found this
HowTo very useful:

http://www.hep.phys.soton.ac.uk/~jhe/documents/WPA-Authentication+RADIUS-HOWTO.html

Which will IMHO exactly do what you want. Start with that one and if it
works start to go into details. This worked for me. Only a few hints:
never forget the right OIDs in the certs and check that the time on your
computers does not differ too much. And don't use Debian, because eap is
not included and compilation fails on Debian. That should save you
around 3 weeks of work and 2 years of your life. :-)


cu
Alexandros



Lost values

2006-09-05 Thread Jack Daniels

Hi there, I've got the following config file:

radiusd.conf
-
modules {
  exec my_auth {
 wait = yes
 program = "/home/myself/my_auth.sh %{NAS-IP-Address} %{Calling-Station-ID} %{User-Name}"

 input_pairs = request
 output_pairs = reply
  }
...

instantiate {
  exec
  my_auth
}

authorize {
  mschap
  my_auth
  eap
}
...

/home/myself/my_auth.sh

#!/bin/bash
echo "NAS: $1"
echo "Caller: $2"
echo "User: $3"
exit 0

And I'm using a Cisco Aironet 1200 AP.
Ok, so the problem is the following:
When I connect through the access point, I get the following output (I just
put the parts regarding my script)

...
radius_xlat:  '/tmp/radius_auth/auth.sh 192.168.254.22 0002.2d85.4676 test'
Exec-Program: /tmp/radius_auth/auth.sh 192.168.254.22 0002.2d85.4676 test
Exec-Program output: NAS: 192.168.254.22 Caller: 0002.2d85.4676 User: test
Exec-Program-Wait: plaintext: NAS: 192.168.254.22 Caller: 0002.2d85.4676 User: test

Exec-Program: returned: 0
...
I get like 6 of those and then I got 3 of these (Please note that the
parameters are gone)

Exec-Program: /tmp/radius_auth/auth.sh   test
Exec-Program output: NAS: test Caller:  User:
Exec-Program-Wait: plaintext: NAS: test Caller:  User:
Exec-Program: returned: 0

And finally I get this one (And they are back)
radius_xlat:  '/tmp/radius_auth/auth.sh 192.168.254.22 0002.2d85.4676 test'
Exec-Program: /tmp/radius_auth/auth.sh 192.168.254.22 0002.2d85.4676 test
Exec-Program output: NAS: 192.168.254.22 Caller: 0002.2d85.4676 User: test
Exec-Program-Wait: plaintext: NAS: 192.168.254.22 Caller: 0002.2d85.4676 User: test

Exec-Program: returned: 0

And access is granted.

So, my question is, why, at some point, i lose the values of 
%{NAS-IP-Address} and %{Calling-Station-ID}?
I'd like to know also if there is a way to "ignore" a request for my script. 
In this case, my script gives a 0 back, and this grants access. If I modify 
it to return 1, access is denied. I'd like to know if there is a value that 
doesn't cause the whole auth process to fail, like ignore until I get the IP 
address that was lost.
What I want to do in my script, is to check the AP's ip address and 
depending on it deny access to users of a determined AP and grant access to 
users of the others AP, but since sometimes I lose the value of those vars, 
the whole process will fail even for a user who is on an authorized AP.


If someone could shed some light, that'd be great.

Thanks a lot.

Jack



rlm_sql functionality

2006-09-05 Thread Nils Rønhovde

Hi,

I am trying to do something with rlm_sql (driver: mysql) that does not 
seem to work as stated in the documentation.


Consider this database:

mysql> select * from radcheck;
| id | UserName | Attribute | op | Value |
|  1 | nar2 | Password  | == | test  |

mysql> select * from radreply;
| id | UserName | Attribute| op | Value |
|  1 | nar2 | Fall-Through | =  | Yes   |

mysql> select * from usergroup;
| id | UserName | GroupName | priority |
|  1 | nar2 | core-en   |2 |
|  2 | nar2 | access-en |1 |

mysql> select * from radgroupcheck;
| id | GroupName | Attribute  | op | Value|
|  1 | core-en   | NAS-IP-Address | == | 10.1.1.1 |
|  2 | access-en | NAS-IP-Address | == | 10.2.1.1 |

mysql> select * from radgroupreply;
| id | GroupName | Attribute | op | Value  | prio |
|  1 | core-en   | Reply-Message | =  | Core   |1 |
|  2 | access-en | Reply-Message | =  | Access |1 |


The sql.conf is unchanged from the default, except that the server 
connects to a database on a remote host.


The idea is that when nar2 tries to login on the two different NAS'es, 
the authorization would become different.


What happens with this setup is that a request from 10.2.1.1 is rejected 
even if the user supplies the right password.


I then reversed the order of records in radgroupcheck. What happened
was that the requests coming from 10.1.1.1 were rejected. (The
NAS-IP-Address that matches the group with the lowest id was accepted,
and the other rejected.)


Also, even if I did that, the reply-items from the group with the lowest
id in radgroupreply were returned, as long as the user and group are
coupled in usergroup.


I have been playing along with this for a while and I can't see that
this makes sense in any way. I have also changed the ordering in
radgroupreply and tried different priorities.


The questions remaining are:

1. Can I populate the database differently so that the server does what 
I want?


2. Is there a way to rewrite the queries in sql.conf so the server does 
what I want?


3. Am I completely missing the point of having groups in RADIUS?


What I want from rlm_sql is (this should probably be a bit refined):

1. check if user check-items match, add the reply-items.
2. if they match, check each usergroup coupling, if there are any.
3. a. if the check-items of the group match, add the reply-items from
      radgroupreply.
   b. if the check-items of the group do not match, skip to next group,
      but do not reject unless no groups match, or a group explicitly
      says so.
4. if no group matches then Reject.


--
best regards
Nils Rønhovde


RE: Failed Logins

2006-09-05 Thread King, Michael
> -Original Message-
>   It looks like a memory corruption issue.  Either there's a 
> bug in the server, or there's bad RAM in the system.

Any suggestions on how to test memory on a Debian box remotely? 



Re: Failed Logins

2006-09-05 Thread Alan DeKok
"King, Michael" <[EMAIL PROTECTED]> wrote:
> Any suggestions on how to test memory on a Debian box remotely? 

  Google for memory test utilities.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Lost values

2006-09-05 Thread Alan DeKok
"Jack Daniels" <[EMAIL PROTECTED]> wrote:
> So, my question is, why, at some point, i lose the values of 
> %{NAS-IP-Address} and %{Calling-Station-ID}?

  ... i.e. the NAS never sends them to the server.

> I'd like to know also if there is a way to "ignore" a request for my script. 
> In this case, my script gives a 0 back, and this grants access. If I modify 
> it to return 1, access is denied. I'd like to know if there is a value that 
> doesn't cause the whole auth process to fail, like ignore until I get the IP 
> address that was lost.

  That's logic you need to write in the script.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: monitoring freeradius with snmp

2006-09-05 Thread Andy Ford
Ok - thanks

I have noticed the following from the output from configure

checking for asn1.h,snmp.h,snmp_impl.h... no


how can I get configure to look at the directory with these header files in.

I'm running Solaris 2.8

Thanks


Regards

Andy


-Original Message-
From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Tue 9/5/2006 4:28 AM
To: FreeRadius users mailing list
Subject: Re: monitoring freeradius with snmp

"Andy Ford" <[EMAIL PROTECTED]> wrote:
> Thanks for you suggestions.
> After running configure --with-snmp I noticed (following your notes
> below) that the '#define WITH_SNMP 1' was missing from autoconf.h.

  Because "configure" didn't find the SNMP libraries it needs.

> So I added the line manually in autoconf.h as ...

  Which won't work.

> I downloaded the latest version i.e. freeradius-1.1.2 I also have
> NET-SNMP version: 5.2.rc3 installed.

  The server *should* be able to work with net-snmp, especially if you
have built net-snmp with ucd-snmp compatibility.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog

Re: WPA/RADIUS Problems

2006-09-05 Thread Alan DeKok
Alexandros Gougousoudis <[EMAIL PROTECTED]> wrote:
> FreeRadius is very confusing and the docs do not explain everything in a 
> manner, a beginner can understand.

  They (and the main web page) point to EAP howto's on the main web
site, which include screenshots for configuring Windows for wireless,
including exactly where to add the certificates.

> And don't use Debian, because eap is not included and compilation
> fails on Debian.

  The server includes a "debian" directory, which is used to build
debian packages.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Proxy with TLS

2006-09-05 Thread Alan DeKok
"Gabriele Chervatin" <[EMAIL PROTECTED]> wrote:
> Then freeradius A proxies the request to a remote (over WAN)
> freeradius B. The system works great and I'm able to authenticate user
> on firewall FW by freeradius B (which is the only who have the user
> accounts).

  That's pretty standard.

> Now to increment the security, I'm trying to use EAP-TLS or EAP-TTLS
> between the two freeradius server, but with no luck,

  RADIUS doesn't work that way.  EAP-TLS runs inside of RADIUS, not
the other way around.

  If you want security between the two machines, run ipsec, or some
other VPN system.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
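
An added example (not part of the thread and not FreeRADIUS code) of what "EAP-TLS runs inside of RADIUS" looks like on the wire: EAP packets travel in EAP-Message attributes (type 79) that the NAS puts into the request, and a request without one is the case logged as "No EAP-Message, not doing EAP". The three packets, the address and the assumption that the firewall sends a plain password request are constructed for illustration.

```python
import struct

EAP_MESSAGE = 79  # RADIUS attribute that carries EAP packets (RFC 3579)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS"}


def build_packet(code, ident, authenticator, attrs):
    """Serialise a RADIUS packet from (type, value-bytes) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    """Walk the TLV attribute list that follows the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def eap_summary(packet):
    """Return the EAP header carried in the packet, or None if it has no EAP."""
    # A long EAP packet is split over several EAP-Message attributes,
    # so concatenate them in order before decoding.
    eap = b"".join(v for t, v in parse_attributes(packet) if t == EAP_MESSAGE)
    if not eap:
        return None  # the case logged as "No EAP-Message, not doing EAP"
    if len(eap) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    # Only Request and Response packets carry a type octet.
    eap_type = eap[4] if code in (1, 2) and len(eap) >= 5 else None
    return {
        "code": EAP_CODES.get(code, code),
        "id": ident,
        "length": length,
        "type": EAP_TYPES.get(eap_type, eap_type),
    }


AUTH = bytes(16)  # constructed placeholder authenticator

# Constructed sample 1: a password request such as a firewall might send (no EAP).
PAP_REQUEST = build_packet(1, 1, AUTH, [
    (1, b"test"),                 # User-Name
    (2, bytes(16)),               # User-Password (placeholder ciphertext)
    (4, bytes([192, 0, 2, 22])),  # NAS-IP-Address (documentation address)
])

# Constructed sample 2: Access-Request carrying an EAP-Response/Identity.
EAP_IDENTITY = build_packet(1, 2, AUTH, [
    (1, b"test"),
    (EAP_MESSAGE, struct.pack("!BBHB", 2, 1, 9, 1) + b"test"),
    (80, bytes(16)),              # Message-Authenticator placeholder, not a real HMAC
])

# Constructed sample 3: Access-Challenge carrying an EAP-TLS Start (flags 0x20).
EAP_TLS_START = build_packet(11, 2, AUTH, [
    (EAP_MESSAGE, struct.pack("!BBHBB", 1, 2, 6, 13, 0x20)),
])

if __name__ == "__main__":
    for name, pkt in [("PAP", PAP_REQUEST), ("EAP identity", EAP_IDENTITY),
                      ("EAP-TLS start", EAP_TLS_START)]:
        print(name, "->", eap_summary(pkt) or "No EAP-Message, not doing EAP")
```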


Re: Question about freeradius and Cisco VoIP router

2006-09-05 Thread Alan DeKok
"Ali Majdzadeh" <[EMAIL PROTECTED]> wrote:
> I am writing a C program as an external program for freeradius to handle
> authentication requests received from a Cisco VoIP router.
> How can I pack attribute-value pairs and send them to the router? 

  scripts/exec-program-wait

  Just print the attributes to stdout.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: radclient not able to send salted encrypted VSA's?

2006-09-05 Thread Alan DeKok
Birchmeier Raphael <[EMAIL PROTECTED]> wrote:
> I'm using freeradius version 1.3. I need to send CoA
> requests to a Juniper-ERX containing salted VSA
> "ERX-LI-Action=enable".

  Does Juniper document that as being possible?

> If someone could help extending radclient or tell me
> another way how to send salted CoA requests I'd
> appreciate.

  The algorithm used for encrypting the salted attributes requires
that they only be sent in reply packets.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
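
An added example (not part of the thread and not radclient's code) of the salted encryption that `encrypt=2` selects in a FreeRADIUS dictionary, the Tunnel-Password method of RFC 2868. Its first keystream block is MD5(secret + Request Authenticator + salt), so the sender needs the authenticator of a request packet, which is the dependency behind the radclient error quoted earlier. The secret, authenticator, salt and plaintext below are constructed sample values.

```python
import hashlib
import os


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def salt_encrypt(plaintext, secret, request_authenticator, salt=None):
    """Encrypt one attribute value; returns the 2-byte salt followed by ciphertext."""
    if request_authenticator is None:
        # The condition radclient reports as "No request packet, cannot encrypt".
        raise ValueError("no request packet to take the Request Authenticator from")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(plaintext) > 239:
        # 2 salt bytes + 240 ciphertext bytes is the most a 253-byte value can hold.
        raise ValueError("plaintext too long for one attribute")
    if salt is None:
        salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit of the first set")

    # Plaintext is a length octet, the data, then zero padding to 16 bytes.
    data = bytes([len(plaintext)]) + plaintext
    data += b"\x00" * (-len(data) % 16)

    out = b""
    prev = request_authenticator + salt   # b(1) = MD5(S + R + A)
    for i in range(0, len(data), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(data[i:i + 16], keystream)
        out += block
        prev = block                      # b(i) = MD5(S + c(i-1))
    return salt + out


def salt_decrypt(value, secret, request_authenticator):
    """Reverse salt_encrypt; needs the same Request Authenticator."""
    salt, cipher = value[:2], value[2:]
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    plain = b""
    prev = request_authenticator + salt
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += _xor(cipher[i:i + 16], keystream)
        prev = cipher[i:i + 16]
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("bad length octet: wrong secret or authenticator")
    return plain[1:1 + length]


# Constructed sample values.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
SALT = b"\x80\x01"
PLAINTEXT = b"1234"

if __name__ == "__main__":
    enc = salt_encrypt(PLAINTEXT, SECRET, REQUEST_AUTH, SALT)
    print("encrypted:", enc.hex())
    print("decrypted:", salt_decrypt(enc, SECRET, REQUEST_AUTH))
    try:
        salt_encrypt(PLAINTEXT, SECRET, None)
    except ValueError as exc:
        print("without a request:", exc)
```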


Re: Proxy with TLS

2006-09-05 Thread Gabriele Chervatin

2006/9/5, Alan DeKok <[EMAIL PROTECTED]>:

Thanks for your reply

>   RADIUS doesn't work that way.  EAP-TLS runs inside of RADIUS, not
> the other way around.

Sorry but I don't understand what you mean.

>   If you want security between the two machines, run ipsec, or some
> other VPN system.

Right. So TLS is not possible between two proxies.

Thanks.

--
Gabriele Chervatin


RE: Failed Logins

2006-09-05 Thread King, Michael
 
24 hrs later, Different radius server. (on a different box, this one is
RedHat)  FreeRadius 1.1.3
Same problem, throwing the same Error.

Tue Sep  5 13:24:33 2006 : Error: rlm_eap: SSL error
error::lib(0):func(0):reason(0)
Tue Sep  5 13:24:33 2006 : Error: TLS Alert write:fatal:bad record mac
Tue Sep  5 13:24:33 2006 : Error: TLS_accept:error in SSLv3 read
certificate verify A
Tue Sep  5 13:24:33 2006 : Error: rlm_eap: SSL error error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Sep  5 13:24:33 2006 : Error: rlm_eap_tls: SSL_read failed in a
system call (-1), TLS session fails.
Tue Sep  5 13:24:33 2006 : Auth: Login incorrect: [BSC\\r1chandra] (from
client BUWiSM-1-2 port 29 cli 00-90-96-CE-DE-24)
Tue Sep  5 13:24:35 2006 : Error: TLS_accept:error in SSLv3 read
client certificate A
Tue Sep  5 13:24:35 2006 : Error: rlm_eap: SSL error
error::lib(0):func(0):reason(0)
Tue Sep  5 13:24:35 2006 : Error: TLS Alert write:fatal:bad record mac
Tue Sep  5 13:24:35 2006 : Error: TLS_accept:error in SSLv3 read
certificate verify A
Tue Sep  5 13:24:35 2006 : Error: rlm_eap: SSL error error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Sep  5 13:24:35 2006 : Error: rlm_eap_tls: SSL_read failed in a
system call (-1), TLS session fails.
Tue Sep  5 13:24:35 2006 : Auth: Login incorrect: [BSC\\d4johnson] (from
client BUWiSM-2-1 port 29 cli 00-13-02-9F-1D-58)
Tue Sep  5 13:24:37 2006 : Error: TLS_accept:error in SSLv3 read
client certificate A
Tue Sep  5 13:24:37 2006 : Error: rlm_eap: SSL error
error::lib(0):func(0):reason(0)
Tue Sep  5 13:24:37 2006 : Error: TLS Alert write:fatal:bad record mac
Tue Sep  5 13:24:37 2006 : Error: TLS_accept:error in SSLv3 read
certificate verify A
Tue Sep  5 13:24:37 2006 : Error: rlm_eap: SSL error error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Sep  5 13:24:37 2006 : Error: rlm_eap_tls: SSL_read failed in a
system call (-1), TLS session fails.
Tue Sep  5 13:24:37 2006 : Auth: Login incorrect: [glowell] (from client
BUWiSM-1-2 port 29 cli 00-13-02-A6-B9-60)
Tue Sep  5 13:24:38 2006 : Error: TLS_accept:error in SSLv3 read
client certificate A
Tue Sep  5 13:24:38 2006 : Error: rlm_eap: SSL error
error::lib(0):func(0):reason(0)
Tue Sep  5 13:24:38 2006 : Error: TLS Alert write:fatal:bad record mac
Tue Sep  5 13:24:38 2006 : Error: TLS_accept:error in SSLv3 read
certificate verify A
Tue Sep  5 13:24:38 2006 : Error: rlm_eap: SSL error error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Sep  5 13:24:38 2006 : Error: rlm_eap_tls: SSL_read failed in a
system call (-1), TLS session fails.
Tue Sep  5 13:24:38 2006 : Auth: Login incorrect: [BSC\\mmerrill] (from
client BUWiSM-2-1 port 29 cli 00-13-02-AC-AE-68)
Tue Sep  5 13:24:39 2006 : Error: TLS_accept:error in SSLv3 read
client certificate A
Tue Sep  5 13:24:39 2006 : Error: rlm_eap: SSL error
error::lib(0):func(0):reason(0)
Tue Sep  5 13:24:39 2006 : Error: TLS Alert write:fatal:bad record mac
Tue Sep  5 13:24:39 2006 : Error: TLS_accept:error in SSLv3 read
certificate verify A
Tue Sep  5 13:24:39 2006 : Error: rlm_eap: SSL error error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Sep  5 13:24:39 2006 : Error: rlm_eap_tls: SSL_read failed in a
system call (-1), TLS session fails.
Tue Sep  5 13:24:39 2006 : Auth: Login incorrect: [BSC\\jblute] (from
client BUWiSM-2-1 port 29 cli 00-13-02-A5-53-20)
Tue Sep  5 13:24:43 2006 : Error: TLS_accept:error in SSLv3 read
client certificate A
Tue Sep  5 13:24:43 2006 : Error: rlm_eap: SSL error
error::lib(0):func(0):reason(0)
Tue Sep  5 13:24:44 2006 : Error: TLS Alert write:fatal:bad record mac
Tue Sep  5 13:24:44 2006 : Error: TLS_accept:error in SSLv3 read
certificate verify A
Tue Sep  5 13:24:44 2006 : Error: rlm_eap: SSL error error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Sep  5 13:24:44 2006 : Error: rlm_eap_tls: SSL_read failed in a
system call (-1), TLS session fails.
Tue Sep  5 13:24:44 2006 : Auth: Login incorrect: [mking] (from client
BUWiSM-2-1 port 29 cli 00-0B-7D-1B-B0-BA)
Tue Sep  5 13:24:44 2006 : Error: TLS_accept:error in SSLv3 read
client certificate A
Tue Sep  5 13:24:44 2006 : Error: rlm_eap: SSL error
error::lib(0):func(0):reason(0)
Tue Sep  5 13:24:44 2006 : Error: TLS Alert write:fatal:bad record mac
Tue Sep  5 13:24:44 2006 : Error: TLS_accept:error in SSLv3 read
certificate verify A
Tue Sep  5 13:24:44 2006 : Error: rlm_eap: SSL error error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Sep  5 13:24:44 2006 : Error: rlm_eap_tls: SSL_read failed in a
system call (-1), TLS session fails.
Tue Sep  5 13:24:44 2006 : Auth: Login incorrect: [BSC\\kmaccune] (from
client BUWiSM-2-1 port 29 cli 00-13-02-BC-EC-22)


How to restrict pppoe users on nas-port-id

2006-09-05 Thread eugene
 
 I'm using FreeRADIUS Version 1.0.4 with Dialup_admin and mysql and I
would like to know if anyone can direct me in the right place to find
out how to restrict pppoe users from logging in from multiple NAS port
IDs. I would like to restrict them to logging on to only a specific set
of port IDs that comes from a database. Any help will be appreciated.

-Eugenevdm



Re: rlm_perl and accounting

2006-09-05 Thread Justin Church

Is this in the CVS head, yet?

-jc

Alan DeKok wrote:
> Peter Nixon <[EMAIL PROTECTED]> wrote:
> > That would seem like the logical way to do it, and would certainly make the
> > perl code clearer..
>
>   Ok.  Unless Boian Jordanov has concerns, I'll commit a patch in a
> few days.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Re: rlm_perl and accounting

2006-09-05 Thread Alan DeKok
Justin Church <[EMAIL PROTECTED]> wrote:
> Is this in the CVS head, yet?

  Yes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: monitoring freeradius with snmp

2006-09-05 Thread A . L . M . Buxey
Hi,

> Ok - thanks
> 
> I have noticed the following from the output from configure
> 
> checking for asn1.h,snmp.h,snmp_impl.h... no
> 
> 
> how can I get configure to look at the directory with these header files in.

./configure --help


note the CPPFLAGS option.  why are your proper SNMP includes not in the
compiler include PATH ? 

alan


Re: Failed Logins

2006-09-05 Thread Alan DeKok
"King, Michael" <[EMAIL PROTECTED]> wrote:
> 24 hrs later, Different radius server. (on a different box, this one is
> RedHat)  FreeRadius 1.1.3
> Same problem, throwing the same Error.

  This may be related:

https://www.aet.tu-cottbus.de/pipermail/postfix_tls/2002/000353.html

...
It ends up that my IMAP server and postfix were using two different 
self-signed certs that had identical common names.  As soon as I began 
to use the same cert for both servers, the mozilla/netscape problem went 
away.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Enable Syslog

2006-09-05 Thread fvt3
Can we send radius log to a syslog? If so, how can I
accomplish this.  I am using the latest freeradius
version.. 
I try changing logdir=syslog but not successful...

Thanks in advance..



Radius Installation

2006-09-05 Thread Nico Gazzano

I’m going to start by saying that I’m new to radius.

I’ve gotten as far as installing version 1.1.3.
Are there any scripts to add users, and how do I configure the web interface?

Nico Gazzano
Network & Systems Admin
MIS Choice Inc.
1699 Wall ST Suite 602
Mount Prospect, IL 60056
Phone 847-690-1900 ext206
Fax 847-690-1350
[EMAIL PROTECTED]


Free Radius make error with Sol10

2006-09-05 Thread Rafiqul Ahsan
Hi,
 
Following error I am getting when I try to make the free radius on Solaris 10. I am following direction as stated from link http://wiki.freeradius.org/index.php/Build

I installed following packages as suggested in the above link:
libgcc-3.3-sol10-sparc-local.gz
openssl-0.9.8b-sol10-sparc-local.gz
openldap-2.3.21-sol10-sparc-local.gz

And trying to build, freradius-1.1.3.tar.bz2

Using make version 3.80

Here is the sequence of commands:
./configure
./make - and getting following error.

# make
make: *** No targets specified and no makefile found.  Stop.
# cd
# cd rafi_dir/
# cd free_radius_1.1.3/
# cd freeradius-1.1.3
# make
gmake[1]: Entering directory `/export/home/dev/rafi_dir/free_radius_1.1.3/freeradius-1.1.3'
Making all in libltdl...
gmake[2]: Entering directory `/export/home/dev/rafi_dir/free_radius_1.1.3/freeradius-1.1.3/libltdl'
/usr/sfw/bin//gmake  all-am
gmake[3]: Entering directory `/export/home/dev/rafi_dir/free_radius_1.1.3/freeradius-1.1.3/libltdl'
/bin/bash ./libtool --tag=CC   --mode=link gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -no-undefined -version-info 4:4:1  -o libltdl.la -rpath /usr/local/lib ltdl.lo -ldl -lnsl -lresolv -lsocket -lposix4  -lpthread
gcc -shared -Wl,-h -Wl,libltdl.so.3 -o .libs/libltdl.so.3.1.4  .libs/ltdl.o  -ldl -lnsl -lresolv -lsocket -lposix4 -lpthread -lc
(cd .libs && rm -f libltdl.so.3 && ln -s libltdl.so.3.1.4 libltdl.so.3)
(cd .libs && rm -f libltdl.so && ln -s libltdl.so.3.1.4 libltdl.so)
false cru .libs/libltdl.a  ltdl.o
gmake[3]: *** [libltdl.la] Error 1
gmake[3]: Leaving directory `/export/home/dev/rafi_dir/free_radius_1.1.3/freeradius-1.1.3/libltdl'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/export/home/dev/rafi_dir/free_radius_1.1.3/freeradius-1.1.3/libltdl'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/export/home/dev/rafi_dir/free_radius_1.1.3/freeradius-1.1.3'
make: *** [all] Error 2

Please help me figure out where do I need to look at, or any configuration that I missed?

Thanks
Rafi
--
Rafiqul Ahsan           630-717-1698(h)
2120 Periwinkle Ln      630-689-1457(h)
Naperville, IL 60540    847-812-6176(c)

Re: Radius Installation

2006-09-05 Thread Alan DeKok
"Nico Gazzano" <[EMAIL PROTECTED]> wrote:
> I've gotten as far as installing version 1.1.3.  Are there any scripts to
> add users, and how do I configure the web interface?

  The web interface included with the server is dialup_admin.  It is a
PHP-based interface that administers users in an SQL database,
including adding, updating, and deleting users.

  The rest of the configuration files have to be edited by hand.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: Radius Installation

2006-09-05 Thread Nico Gazzano
Any examples on how to configure it?  

Nico Gazzano
Network & Systems Admin
MIS Choice Inc.
1699 Wall ST Suite 602
Mount Prospect, IL 60056
Phone 847-690-1900 ext206
Fax 847-690-1350
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Alan DeKok
Sent: Tuesday, September 05, 2006 4:23 PM
To: FreeRadius users mailing list
Subject: Re: Radius Installation 

"Nico Gazzano" <[EMAIL PROTECTED]> wrote:
> I've gotten as far as installing version 1.1.3.  Are there any scripts to
> add users, and how do I configure the web interface?

  The web interface included with the server is dialup_admin.  It is a
PHP-based interface that administers users in an SQL database,
including adding, updating, and deleting users.

  The rest of the configuration files have to be edited by hand.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Radius Installation

2006-09-05 Thread Alan DeKok
"Nico Gazzano" <[EMAIL PROTECTED]> wrote:
> Any examples on how to configure it?  

  To do... what, exactly?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


sqlcounter for rechargeable account

2006-09-05 Thread bishal

Hi all,


   Can anybody guide me how to make sql counter for rechargeable account.
like user "test01" subscribe for total of 25hours and after finishing
25hours if he wants to recharge his account again to 25hrs.


Bisal



Re: 1.1.3 on Solaris 10 (sparc)

2006-09-05 Thread Marcel . De_Boer

Lin Richardson wrote:
> You should post this to the userlist (I am cc'ing them on this
> reply).  Perhaps someone there has seen the "false cru" error before...
>
> I'm no compiler guru, but google tells me that libtool may be to blame.
> I don't actually show libtool installed on my box and don't know much
> about it.

I'm no compiler guru either, but the system appears to be missing 'ar'
(I thought I remembered 'ar' being called with options 'cru' before, and
the config.log confirms this:)


Error:


false cru .libs/libltdl.a  ltdl.o
gmake[3]: *** [libltdl.la ] Error 1
gmake[3]: Leaving directory
`/export/home/dev/rafi_dir/free_radius_1.1.3/freeradius-1.1.3/libltdl'


config.log:


checking for ar... false

Apparently something is wrong with the configure script, and it uses 
'false' as the command for 'ar', instead of exiting with an error 
because it couldn't find 'ar'.



Gtnx
   Marcel
