Regarding using freeradius in cluster

2006-09-07 Thread Ravi S M

Hi,

Can FreeRADIUS be used in a cluster? If so, please provide some links to read through in detail.

Thanks & Regards

Ravi

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: one attribute with more values

2006-09-07 Thread Fonci
> > I have to make a dictionary file, but I have a little
> > problem:
> > There is an attribute in the vsa attributes, which has more
> > than one value. Is it possible to separate it in the
> > dictionary file? Is there a class attribute, or something? 
> 
>   "man 5 users".  Use the "+=" operator.
So I get accounting requests from a client, which contain
an attribute with these TLV parameters:
Type   :  PC_Header
Length: 76 bytes
The Problem:
Value  : 003ab54687bcc3029a(152 hexadecimal numbers)
parts  :  message ID. | Event type |

The message ID is a random number. But I need to know the
event type. But all of this is together in one attribute. I
want to separate these.
Sorry, I've read the users man page, but I still don't know what
to do!
F!




sqlcounter

2006-09-07 Thread bishal

Hello all,

How can I make the sqlcounter module work for rechargeable accounts in my
freeradius server with a mysql backend?



Bsal


Re: Freeradius + Cisco VoIP

2006-09-07 Thread Ali Majdzadeh
Hi Geoffrey,

I am using a Cisco 3600. In my case, I have found out the following issues with AV pairs:

Call Leg 1:

Cisco sends the following AV pairs to the radius server:
User-Name
User-Password
h323-conf-id
Cisco-AVPair=h323-ivr-out
NAS-Port-Type
cisco-nas-port
NAS-Port
Cisco-AVPair=interface
Service-Type
NAS-IP-Address

Cisco expects to see the following AV pairs sent by the radius server:
h323-credit-amount
h323-credit-time
h323-return-code

Call Leg 2:

Cisco sends the following AV pairs to the radius server:
User-Name
User-Password
h323-conf-id
Cisco-AVPair=h323-ivr-out
Called-Station-Id
Service-Type
NAS-IP-Address

Cisco expects to see the following AV pairs sent by the radius server:
h323-credit-amount
h323-credit-time
h323-return-code

The above AV pairs are for authenticating the user; after these two call legs, you should concern yourself with accounting for the user. I think there are no AV pairs sent by the radius server for accounting, since it just waits until Cisco sends the stop packet. Of course, there are two different sets of AV pairs that both have Acct-Status-Type=stop, but these two sets are for Call Legs 3 and 4, and they differ in one or two AV pairs from which you can determine the different call legs.

Hope this information can help you.

Best Regards
Ali

On 9/6/06, Geoffrey Cauchi <[EMAIL PROTECTED]> wrote:
> Not much mention there unfortunately.  A practical example would help me
> most.
>
> Thanks
> Gef
>
> -----Original Message-----
> From: freeradius-users-bounces+agcauchi=[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
> Sent: 06 September 2006 18:00
> To: FreeRadius users mailing list
> Subject: Re: Freeradius + Cisco VoIP
>
> "Geoffrey Cauchi" <[EMAIL PROTECTED]> wrote:
> > Can anyone provide a sample config of the AV Pairs required by a cisco VoIP
> > gateway to accept a user?
>
>   See the NAS documentation.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog

Re: rlm_perl and accounting -- radrelay?

2006-09-07 Thread Kostas Kalevras

On Wed, 6 Sep 2006, Alan DeKok wrote:

> Justin Church <[EMAIL PROTECTED]> wrote:
>
>> OK.  The patch worked, since I can now run radiusd -n radrelay w/o the
>> Abort, but I still am not seeing a way to replicate to multiple
>> accounting servers with radiusd -n radrelay.
>
>  Unfortunately, it doesn't yet do that.  The issue is that the server
> core is really designed to forward packets, not to clone them.
>
>  I think it's possible to clone the packets, it just requires
> additional work in the server core.

Just a side note on the clone packets issue: I've come across it in another
situation. We act as a proxy for various ISPs and we need to have a way to
replicate accounting-on/off packets (which obviously don't carry a
[EMAIL PROTECTED] attribute) to all ISPs. But currently this is not
possible since we have a server logic of one request, one thread. Being able to
use multiple Proxy-To-Realm attributes would be great.

>> I need to take accounting requests that arrive at "main-radius" in
>> "radrelay-detail" and replicate them to "remote-radius1",
>> "remote-radius2", "remote-radius3" in parallel.  It appears as if my
>> only two options in radrelay.conf are to store accounting data in
>> sql or proxy to other servers.
>
>  You can do more than that.  Pretty much anything the server can do
> is valid in radrelay, it's just that the example config is simpler.
>
>> With the old radrelay, I believe I could have just run #radrelay -r
>> remote-radius1 radrelay-detail; radrelay -r remote-radius2
>> radrelay-detail; radrelay -r remote-radius3 radrelay-detail.
>
>  i.e. one radrelay per detail file.
>
>  You can still do this with the new code, you just have to create
> "radrelay1.conf", "radrelay2.conf", etc.  It's a big pain, and
> something that should be fixed before 2.0.
>
>> Am I missing something, and is this still possible with radiusd -n
>> radrelay?
>
>  Yes, it is.  But it's more work.
>
>  And looking at the conf files, I think the main "libdir",
> "raddbdir", etc. stuff at the top should be moved into a separate
> "directories.conf" file.  That way all of the other "radiusd.conf" and
> "radrelay.conf" files can just $INCLUDE it, which gives a central
> point for storing all changes.
>
>  Alan DeKok.
> --
>  http://deployingradius.com   - The web site of the book
>  http://deployingradius.com/blog/ - The blog



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: Freeradius + Cisco VoIP

2006-09-07 Thread Ali Majdzadeh
Hi Alan,

I replied to Geoffrey with all I knew about AV pairs expected by a Cisco VoIP gateway. But I have another problem.

I am using rlm_example to develop a module to handle VoIP stuff. My question is, how should I pack and send those AV pairs expected by the gateway? For example, in the example_authenticate function, I should return a number of AV pairs to the gateway in order to authenticate the user. How should I do that?

Best Regards
Ali

On 9/6/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Geoffrey Cauchi" <[EMAIL PROTECTED]> wrote:
> > Can anyone provide a sample config of the AV Pairs required by a cisco VoIP
> > gateway to accept a user?
>
>   See the NAS documentation.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog

Re: rlm_perl and accounting -- radrelay?

2006-09-07 Thread Peter Nixon
On Thu 07 Sep 2006 08:05, Kostas Kalevras wrote:
> On Wed, 6 Sep 2006, Alan DeKok wrote:
> > Justin Church <[EMAIL PROTECTED]> wrote:
> >> OK.  The patch worked, since I can now run radiusd -n radrelay w/o the
> >> Abort, but I still am not seeing a way to replicate to multiple
> >> accounting servers with radiusd -n radrelay.
> >
> >  Unfortunately, it doesn't yet do that.  The issue is that the server
> > core is really designed to forward packets, not to clone them.
> >
> >  I think it's possible to clone the packets, it just requires
> > additional work in the server core.
>
> Just a side note on the clone packets issue: I've come across it in another
> situation. We act as a proxy for various ISPs and we need to have a way to
> replicate accounting-on/off packets (which obviously don't carry a
> [EMAIL PROTECTED] attribute) to all ISPs. But currently this is not
> possible since we have a server logic of one request, one thread. Being able
> to use multiple Proxy-To-Realm attributes would be great.

I second this.

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: 1.1.3 on Solaris 10 (sparc)

2006-09-07 Thread Rob Shepherd

Rafiqul Ahsan wrote:
> Thanks to Lin, Mercel, and Rob for your input. I am not sure about
> Mercel's comment on value of AR, this has been set to false in the
> Makefile at libltdl/ directory (where it actually fails). The question
> is what value should it be ?
>
> Also, Rob - when I put the /usr/ccs/bin/ on top of my PATH, it picks a
> make that gives me error as "make: Fatal error in reader: Makefile, line
> 41: Unexpected end of line seen". Whereas my earlier picks on make file
> from /usr/local/bin - did not give me this error. Following is the
> various command output FYI. Also - could you please explain a little
> more on where to put this get -R/path/to/dep alongside the -L linker
> flags (an example would be appreciated). Is it needed to add on the
> Makefile on ./libltdl/ directory ?
>
> Thanks for your help.
>
> Rafi



I've got the ball rolling with a Solaris build page on the WIKI

http://wiki.freeradius.org/index.php/Solaris

Rob


--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 07776 210516


Re: 1.1.3 on Solaris 10 (sparc)

2006-09-07 Thread Peter Nixon
On Thu 07 Sep 2006 08:52, Rob Shepherd wrote:
> Rafiqul Ahsan wrote:
> > Thanks to Lin, Mercel, and Rob for your input. I am not sure about
> > Mercel's comment on value of AR, this has been set to false in the
> > Makefile at libltdl/ directory (where it actually fails). The question
> > is what value should it be ?
> >
> > Also, Rob - when I put the /usr/ccs/bin/ on top of my PATH, it picks a
> > make that gives me error as "make: Fatal error in reader: Makefile, line
> > 41: Unexpected end of line seen". Whereas my earlier picks on make file
> > from /usr/local/bin - did not give me this error. Following is the
> > various command output FYI. Also - could you please explain a little
> > more on where to put this get -R/path/to/dep alongside the -L linker
> > flags (an example would be appreciated). Is it needed to add on the
> > Makefile on ./libltdl/ directory ?
> >
> > Thanks for your help.
> >
> > Rafi
>
> I've got the ball rolling with a Solaris build page on the WIKI
>
> http://wiki.freeradius.org/index.php/Solaris

Hi Rob

Thanks for doing this, however there is already a Solaris section on 
the "Build" page of the wiki at:

http://wiki.freeradius.org/index.php/Build#Building_on_Solaris_10

I think the info you have added should probably be rolled into that page 
rather than starting a new one.

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Question about Multiple-valued attributes

2006-09-07 Thread Ali Majdzadeh
Hi,

Is it possible to catch multiple-valued attributes through a C program? I can fetch, for example, the User-Name attribute by calling USER_NAME = getenv("USER_NAME"); but how should I fetch something like Cisco-AVPair?

Best Regards
Ali

Re: XT Radius to Free Radius

2006-09-07 Thread relists


Alan DeKok wrote:
> relists <[EMAIL PROTECTED]> wrote:
>> The external script in XT Radius checks the username and password
>> against a postgres database and if username and password match it
>> returns the details for that user e.g. IP address, Framed-Address etc etc.
>>
>> We are using the default xradiusd.conf file with the port number
>> changed to 1645. We have changed the users file to the following:
>>
>> DEFAULT Auth-Type := External
>>    Exec-Program = "/etc/raddb/checkpassword.pl %u %{User-Password}"
>
>  You should use "Auth-Type := Accept" here.  That should work.
>
>  Alan DeKok.

Hi, thanks for the reply.

The problem with your suggestion is that you can enter the wrong
password and it will still authenticate you. We need this to obviously
accept when the password is correct and reject when the password is
incorrect.




Re: WPA with Chillispot in proxy mode, problem

2006-09-07 Thread Giuseppina Venezia

Hi Alan,
I've updated the freeradius version. When I connect a client in WPA mode,
chillispot gives no error (but it still can't authenticate); when I
connect a client in WPA2 mode, chillispot returns the same error,
without authenticating. I think that there is also an EAP problem.
Thanks in advance.
Giusy.

Chillispot log:

[EMAIL PROTECTED]:/usr/local/etc/raddb# chilli --fg --conup /etc/conup
--condown /etc/condown --eapolenable
chillispot[22760]: ChilliSpot 1.1.0. Copyright 2002-2005 Mondru AB.
Licensed under GPL. See http://www.chillispot.org for credits.

WHEN I TRY WPA

chillispot[22760]: chilli.c: 3125: New DHCP request from MAC=00-0C-6E-B8-AA-AB
chillispot[22760]: chilli.c: 3095: Client MAC=00-0C-6E-B8-AA-AB
assigned IP 192.168.182.2
chillispot[22760]: chilli.c: 3125: New DHCP request from MAC=00-17-9A-08-C6-3E
chillispot[22760]: chilli.c: 3095: Client MAC=00-17-9A-08-C6-3E
assigned IP 192.168.182.3
chillispot[22760]: chilli.c: 3125: New DHCP request from MAC=11-17-D8-44-11-C8

WHEN I TRY WPA2

chillispot[22760]: chilli.c: 3125: New DHCP request from MAC=00-11-D8-30-DC-6C
chillispot[22760]: chilli.c: 3095: Client MAC=00-11-D8-30-DC-6C
assigned IP 192.168.182.4
chillispot[22760]: radius.c: 1602: Received unknown radius packet 11!
chillispot[22760]: chilli.c: 3751: radius_proxy_ind() failed!
chillispot[22760]: radius.c: 1602: Received unknown radius packet 11!
chillispot[22760]: chilli.c: 3751: radius_proxy_ind() failed!
chillispot[22760]: chilli.c: 3083: Requested IP address when allready allocated
chillispot[22760]: chilli.c: 3095: Client MAC=11-17-D8-44-11-C8
assigned IP 192.168.182.5

==

Freeradius log:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = "localhost"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=Manager,dc=mydomain,dc=it"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "aPassword"
ldap: basedn = "ou=myDepartment,dc=mydomain,dc=it"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(n

Re: 1.1.3 on Solaris 10 (sparc)

2006-09-07 Thread Rob Shepherd

Peter Nixon wrote:
> Thanks for doing this, however there is already a Solaris section on
> the "Build" page of the wiki at:

My Bad!

> http://wiki.freeradius.org/index.php/Build#Building_on_Solaris_10
>
> I think the info you have added should probably be rolled into that page
> rather than starting a new one.

The method described on the Build#Building_on_Solaris_10 page is a
different method altogether, not that either way is wrong of course.

When I have time, I'll familiarise myself with the approach of the
existing method and attempt to merge the information without confusing
either method.

At present mine is an 'alternative', and I'm biased to state that it's
the easiest method, of course.

I've linked it as an alternative into the original document, hopefully
it can still be of some help.

Cheers

Rob



--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 07776 210516



Re: windowsXP+LDAP+freeradius

2006-09-07 Thread Muthu
Hi,

 Thanks for your reply.

 I was trying to use PAM authentication with freeradius for a Win XP client
 (PEAP). I was getting an error in the tls section. I posted to the freeradius
users list. I got the reply below. Is this right? If not, can I use
LDAP+PEAP+freeradius?

=
You cannot use PAM to answer PEAP/MS-CHAP requests. You must either have 
the plaintext password for the user, the NT or LM hashes for their 
password, or access to an NT domain controller and use the "ntlm_auth" 
helper in the mschap module.

=

> >   I have Link sys wireless router, windows XP clients, freeradius
> > and LDAP server (Linux). I want to make the user authentication for the
> > windows XP clients against freeradius to connect to Link sys router. I
> > have all the users in LDAP. The LDAP server is set as user database for
> > freeradius sever. Is this possible?. If possible, can you please give me
> > the idea how to do this.
Perfectly fine. Take a look at the ldap { } section in radiusd.conf
(it's pretty much self explanatory), and enable ldap in authorize { }
and authenticate { }. For wireless, you'll also need at least a server
certificate, a script for generating one is in the scripts/ subdirectory
of freeradius. Use that certificate for the eap.conf configuration,
where you will have to enable at least the tls { } part, and either peap
or ttls, depending on what supplicant you use on the Win XP side. The
built-in supplicant (not recommended, but working) is using peap.
Greetings, Stefan Winter



Thanks & Regards,
Muthu.




Re: windowsXP+LDAP+freeradius

2006-09-07 Thread Stefan Winter
Hello,

>  I was trying to use PAM authentication with freeradius for Win XP
> client (PEAP). I was getting error in the tls section. I posted to
> freeradius userlist. I got the reply as below. Is this right?. If not, Can
> I use LDAP+PEAP+freeradius.

Yes, the info was right. But _still_, your chances are very good that you can 
use LDAP: your LDAP server needs to store the user passwords in clear text 
and allow your LDAP admin user to retrieve them. This is a common scheme in 
most LDAP instances, the notable exception being ActiveDirectory. But even 
with ActiveDirectory you could do PEAP, it would just be a little more 
complicated than I outlined below (ntlm_auth, as the text you quoted 
suggested).

Greetings,

Stefan Winter

> =
> You cannot use PAM to answer PEAP/MS-CHAP
> requests. You must either have the plaintext password for the user, the NT
> or LM hashes for their password, or access to an NT domain controller and
> use the "ntlm_auth" helper in the mschap module.
>
> =

Greetings

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: WPA/RADIUS Problems

2006-09-07 Thread Alexandros Gougousoudis

Hi,

> You can view what is done in the Debian/rules file

Yup, it works now! My mistake was to use the slightly broken 1.1.0
deb package a few months ago. The source build didn't work. If I take the
sources of the official tar.gz I can now build everything without problems
under unstable.

Great. Don't like Suse...

Thanks
 Alex


--
ServiceCenter IT - Alexandros Gougousoudis (Leiter)

Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule 
für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst 
Busch".


Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445




Re: multiiple values in an attribute

2006-09-07 Thread Ali Majdzadeh
Hi Fonci,

Thanks for your attention. I consulted the freeradius documentation about the problem. They have mentioned that the AV pairs which contain multiple values are maintained using arrays. These arrays are available in, for example, shell scripts:

example: %{Cisco-AVPair[0]} references the value of the *first* Cisco-AVPair attribute (if it exists) in the request packet. You can pass these values as command line arguments to your program. But my problem was about fetching these types of AV pairs using getenv() in C.

Example:

char *cisco_avpair = NULL;          /* '-' is not allowed in a C identifier */
if (getenv("Cisco-AVPair")) {
    cisco_avpair = getenv("Cisco-AVPair");
}

Hope this information can help.

Best Regards
Ali

On 9/7/06, Fonci <[EMAIL PROTECTED]> wrote:
> Hi Ali!
> I've seen your mail in the freeradius mailing list. I think
> we have the same problem. Let me write here mine:
> So I get accounting requests from a client, which contain
> an attribute with these TLV parameters:
> Type   :  PC_Header
> Length: 76 bytes
> The Problem:
> Value  : 003ab54687bcc3029a(152 hexadecimal numbers)
> parts  :  message ID. | Event type |
> The message ID is a random number. But I need to know the
> event type. But all of this is together in one attribute. I
> want to separate these. How can I catch this value, and separate them?
> You mentioned a C program or something. Can you give me an advice, how to
> try, or where to find information?
> Thank you, and
> Regards:
> F.

Re: multiiple values in an attribute

2006-09-07 Thread Ali Majdzadeh
Ah sorry,

By the way, in the C code, please change Cisco-AVPair to CISCO_AVPAIR. This is the transformation which freeradius makes with regard to its environment variables, and you should take care of the issue in your shell scripts or C code.

Best Regards
Ali

On 9/7/06, Ali Majdzadeh <[EMAIL PROTECTED]> wrote:
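As an added example (not code from any of the list posts), the C program below shows the name transformation Ali describes (Cisco-AVPair becomes CISCO_AVPAIR) and why one getenv() call cannot return every value of a multi-valued attribute: it scans an envp-style array for all entries under the exported name and splits each Cisco-AVPair value at its '='. The environment contents, the helper names and the attribute values are assumptions constructed for the example.

```c
/* Added example: how an exec child program sees RADIUS attributes exported
 * as environment variables, and why getenv() alone cannot fetch a
 * multi-valued attribute such as Cisco-AVPair. The sample environment and
 * the helper names below are constructed for this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_VALUES 8

/* Build the environment variable name for an attribute the way the thread
 * describes it: '-' becomes '_' and letters are upper-cased,
 * so "Cisco-AVPair" -> "CISCO_AVPAIR". Returns the length written. */
size_t radius_env_name(const char *attr, char *out, size_t outlen)
{
    size_t i;
    for (i = 0; i + 1 < outlen && attr[i] != '\0'; i++) {
        out[i] = (attr[i] == '-') ? '_'
                                  : (char)toupper((unsigned char)attr[i]);
    }
    out[i] = '\0';
    return i;
}

/* Scan a NULL-terminated array of "NAME=value" strings and collect every
 * value stored under the exported name of attr. getenv() stops at the first
 * match, which is why it cannot return all values of Cisco-AVPair. */
int radius_env_values(const char *const envp[], const char *attr,
                      const char *values[], int max_values)
{
    char name[128];
    size_t namelen = radius_env_name(attr, name, sizeof(name));
    int n = 0;
    for (int i = 0; envp[i] != NULL && n < max_values; i++) {
        if (strncmp(envp[i], name, namelen) == 0 && envp[i][namelen] == '=') {
            values[n++] = envp[i] + namelen + 1;
        }
    }
    return n;
}

/* Split one Cisco-AVPair value of the form "key=value" (for example
 * "h323-ivr-out=...") into key and value. Returns a pointer to the value
 * part, or NULL when the pair carries no '='. */
const char *avpair_split(const char *pair, char *key, size_t keylen)
{
    const char *eq = strchr(pair, '=');
    if (eq == NULL) return NULL;
    size_t klen = (size_t)(eq - pair);
    if (klen >= keylen) klen = keylen - 1;
    memcpy(key, pair, klen);
    key[klen] = '\0';
    return eq + 1;
}

/* Constructed environment, shaped like the call-leg 1 request described
 * in the thread; the values are placeholders, not real Cisco output. */
static const char *const sample_env[] = {
    "USER_NAME=1001",
    "NAS_IP_ADDRESS=192.0.2.10",
    "CISCO_AVPAIR=h323-ivr-out=sample-ivr-value",
    "CISCO_AVPAIR=interface=sample-interface",
    "SERVICE_TYPE=Login-User",
    NULL
};

int main(void)
{
    const char *vals[MAX_VALUES];
    int n = radius_env_values(sample_env, "Cisco-AVPair", vals, MAX_VALUES);
    for (int i = 0; i < n; i++) {
        char key[64];
        const char *v = avpair_split(vals[i], key, sizeof(key));
        printf("Cisco-AVPair[%d]: key=%s value=%s\n", i, key, v ? v : "");
    }
    return 0;
}
```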

Proxy Control

2006-09-07 Thread Josh
I have a VPN appliance authenticating users (~20
users) against my freeradius server.  I have another
radius server running on a windows box authenticating
users on local and trusted domains (250+ users).  For
technical reasons I can't point the VPN appliance to
the windows radius server.  However, I'm setting up a
proxy on the freeradius server to redirect auth
requests to the windows radius server (to authenticate
VPN users with active directory).  The problem now is
all 250+ users can essentially authenticate on the
VPN.  I'm wondering if there is a way to control which
users (the ~20 users) in freeradius can be proxied to
the windows radius server?  Almost like a list of
valid proxy users?

Josh



Re: XT Radius to Free Radius

2006-09-07 Thread Alan DeKok
relists <[EMAIL PROTECTED]> wrote:
> The problem with your suggestion is that you can enter the wrong 
> password and it will still authenticate you. We need this to obviously 
> accept when the password is correct and reject when the password is 
> incorrect.

  Really?  I thought I understood how the server works.

  Please go try my suggestion.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: windowsXP+LDAP+freeradius

2006-09-07 Thread Alan DeKok
Muthu <[EMAIL PROTECTED]> wrote:
>  I was trying to use PAM authentication with freeradius for Win XP client
>  (PEAP).

  PAM works only for clear-text passwords.  I'll update the
compatibility matrix on my web site.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: rlm_perl and accounting -- radrelay?

2006-09-07 Thread Alan DeKok
Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> Just a side note on the clone packets issue: I've come across it in
> another situation. We act as a proxy for various ISPs and we need to
> have a way to replicate accounting-on/off packets (which obviously
> don't carry a [EMAIL PROTECTED] attribute) to all ISPs. But currently
> this is not possible since we have a server logic of one request, one
> thread. Being able to use multiple Proxy-To-Realm attributes would
> be great.

  I think the easiest way to do this is to write a special-purpose 1-N
proxying server.  It's special purpose enough that I'm not sure that
work belongs in the server core.  i.e. Doing N proxies means what,
exactly for pre/post-proxy sections?  Do we add a queue of proxied
packets to the REQUEST?

  The 1-N proxying server can look for special "proxy to X" attributes
in the packet, strip them out, and proxy the packet to N different
places.  It can even read proxy.conf, so there's one source for
configuration files.  With a little more work, it can also read the
"detail" files, and be radrelay, too.

  I don't think that's hard to do.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Question about Multiple-valued attributes

2006-09-07 Thread Alan DeKok
"Ali Majdzadeh" <[EMAIL PROTECTED]> wrote:
> Is it possible to catch Multiple-valued attributes through a C program?
> I can fetch, for example, User-Name attribute by calling USER_NAME = getenv
> ("USER_NAME");
> but how should I fetch something like Cisco-AVPair?

 You don't.  You write a module in the server, that has complete
access to everything.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: WPA with Chillispot in proxy mode, problem

2006-09-07 Thread Alan DeKok
"Giuseppina Venezia" <[EMAIL PROTECTED]> wrote:
> I've updated the freeradius version. When I connect a client in WPA mode,
> chillispot gives no error (but it still can't authenticate); when I
> connect a client in WPA2 mode, chillispot returns the same error,
> without authenticating. I think that there is also an EAP problem.

  Ah.  It looks like Chillispot doesn't do EAP.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


exec-program-wait to send back AV pairs to freeradius

2006-09-07 Thread Shankar Ganesh C



Hi All,

I am trying to set values for more than one attribute in the exec-program-wait
for accounting start packets.

Below is the code I am trying in the exec-program-wait:

putenv("Calling-Station-ID=10");
putenv("Called-Station-ID=50");
putenv("Acct-Session-ID=20");
return 0;

I have set exec-wait=yes in the radiusd.conf.

I am not sure whether freeradius picks up all these values and sets them in
the value pairs of radius_exec_program().

I am trying to set the accounting response packets with these value pairs in
rad_accounting using pairmove, but still my accounting response packets do not
contain these attribute value pairs.

Can somebody help me to solve this problem?

Thanks and regards
Shankar Ganesh

Re: Proxy Control

2006-09-07 Thread Josh Howlett

Easier - create a policy in IAS to only authorise the users you want.

josh.

Josh wrote:
> I have a VPN appliance authenticating users (~20
> users) against my freeradius server.  I have another
> radius server running on a windows box authenticating
> users on local and trusted domains (250+ users).  For
> technical reasons I can't point the VPN appliance to
> the windows radius server.  However, I'm setting up a
> proxy on the freeradius server to redirect auth
> requests to the windows radius server (to authenticate
> VPN users with active directory).  The problem now is
> all 250+ users can essentially authenticate on the
> VPN.  I'm wondering if there is a way to control which
> users (the ~20 users) in freeradius can be proxied to
> the windows radius server?  Almost like a list of
> valid proxy users?
>
> Josh


Re: 1.1.3 on Solaris 10 (sparc)

2006-09-07 Thread Lin Richardson
Cool, I'll have to take a closer look at Method 2.

On 9/7/06, Rob Shepherd <[EMAIL PROTECTED]> wrote:
> Peter Nixon wrote:
> > Thanks for doing this, however there is already a Solaris section on
> > the "Build" page of the wiki at:
>
> My Bad!
>
> > http://wiki.freeradius.org/index.php/Build#Building_on_Solaris_10
> >
> > I think the info you have added should probably be rolled into that page
> > rather than starting a new one.
>
> The method described on the Build#Building_on_Solaris_10 page is a
> different method altogether, not that either way is wrong of course.
>
> When I have time, I'll familiarise myself with the approach of the
> existing method and attempt to merge the information without confusing
> either method.
>
> At present mine is an 'alternative', and I'm biased to state that it's
> the easiest method, of course.
>
> I've linked it as an alternative into the original document, hopefully
> it can still be of some help.
>
> Cheers
>
> Rob
> --
> Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
> [EMAIL PROTECTED] | 01248 675024 | 07776 210516


Re: XT Radius to Free Radius

2006-09-07 Thread relists



Alan DeKok wrote:
> relists <[EMAIL PROTECTED]> wrote:
> > The problem with your suggestion is that you can enter the wrong
> > password and it will still authenticate you. We need this to obviously
> > accept when the password is correct and reject when the password is
> > incorrect.
>
>  Really?  I thought I understood how the server works.
>
>  Please go try my suggestion.
>
>  Alan DeKok.
> --

We did try your suggestion before posting back and you can enter any
password and it will accept it. We tried it again and here is the output:



rad_recv: Access-Request packet from host 192.168.1.1:1224, id=1, length=84
   User-Name = "[EMAIL PROTECTED]"
   User-Password = "kjhtlhrfrdjkshgfdhkgj"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module "preprocess" returns ok for request 1
 modcall[authorize]: module "chap" returns noop for request 1
 modcall[authorize]: module "mschap" returns noop for request 1
   rlm_realm: Looking up realm "adslgateway.co.uk" for User-Name = 
"[EMAIL PROTECTED]"

   rlm_realm: No such realm "adslgateway.co.uk"
 modcall[authorize]: module "suffix" returns noop for request 1
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 1
   users: Matched DEFAULT at 4
radius_xlat:  '/etc/raddb/checkpassword.pl [EMAIL PROTECTED] 
kjhtlhrfrdjkshgfdhkgj'

 modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
 rad_check_password:  Found Auth-Type Accept
 rad_check_password: Auth-Type = Accept, accepting the user
radius_xlat:  '/etc/raddb/checkpassword.pl [EMAIL PROTECTED] 
kjhtlhrfrdjkshgfdhkgj'
Exec-Program: /etc/raddb/checkpassword.pl [EMAIL PROTECTED] 
kjhtlhrfrdjkshgfdhkgj

Sending Access-Accept of id 1 to 192.168.1.1:1224
Finished request 1


You will note that from our original post our password was "test".

Any ideas?

Thanks



Re: exec-program-wait to send back AV pairs to freeradius

2006-09-07 Thread Alan DeKok
Shankar Ganesh C <[EMAIL PROTECTED]> wrote:
> Below is the code i am trying in the exec-program-wait
> 
> putenv("Calling-Station-ID=10")

  That is not the documented way to send attributes back to the server.

  See scripts/exec-program-wait

> I am trying to set the accounting response packets with this value
> pairs in the rad_accounting using pairmove but still my accounting
> response packets does not contain this attributes value pairs.

  Accounting responses are not allowed to contain any attributes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: XT Radius to Free Radius

2006-09-07 Thread Alan DeKok
relists <[EMAIL PROTECTED]> wrote:
> We did try your suggestion before posting back and you can enter any 
> password and it will accept it. We tried it again and here is the output:

  Yes... because your "Exec-Program-Wait" script is supposed to do the
authentication.  It is accepting the user with a bad password.  Fix it.

  And you *do* have to use Exec-Program-Wait.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Proxy Control

2006-09-07 Thread Josh
Thanks for your suggestion...

I'm actually running Funk (Juniper) Steel-Belted
Radius on the windows box.  I'm working out issues
with the user profiles on that box...  I was hoping to
let freeradius take care of who had access to proxy
(if possible).

Any other possibilities?


--- Josh Howlett <[EMAIL PROTECTED]> wrote:

> Easier - create a policy in IAS to only authorise
> the users you want.
> 
> josh.
> 
> Josh wrote:
> > I have a VPN appliance authenticating users (~20
> > users) against my freeradius server.  I have
> another
> > radius server running on a windows box
> authenticating
> > users on local and trusted domains (250+ users). 
> For
> > technical reasons I can't point the VPN appliance
> to
> > the windows radius server.  However, I'm setting
> up a
> > proxy on the freeradius server to redirect auth
> > requests to the windows radius server (to
> authenticate
> > VPN users with active directory).  The problem now
> is
> > all 250+ users can essentially authenticate on the
> > VPN.  I'm wondering if there is a way to control
> which
> > users (the ~20 users) in freeradius can be proxied
> to
> > the windows radius server?  Almost like a list of
> > valid proxy users?
> > 
> > Josh
> > 




Re: rlm_perl and accounting -- radrelay?

2006-09-07 Thread Justin Church

Alan DeKok wrote:
> Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> > Just a side note on the clone packets issue i ve come across it in
> > another situation. We act as a proxy for various ISPs and we need to
> > have a way to replicate accounting-on/off packets (which obviously
> > don't carry a [EMAIL PROTECTED] attribute) to all ISPs. But currently
> > this is not possible since we have a server logic of one request,one
> > thread. Being able to use multiple Proxy-To-Realm attributes would
> > be great.
>
>   I think the easiest way to do this is to write a special-purpose 1-N
> proxying server.  It's special purpose enough that I'm not sure that
> work belongs in the server core.  i.e. Doing N proxies means what,
> exactly for pre/post-proxy sections?  Do we add a queue of proxied
> packets to the REQUEST?
>
>   The 1-N proxying server can look for special "proxy to X" attributes
> in the packet, strip them out, and proxy the packet to N different
> places.  It can even read proxy.conf, so there's one source for
> configuration files.  With a little more work, it can also read the
> "detail" files, and be radrelay, too.

How would the proxy.conf work?  Would you define N identical realms with 
different remote servers, and the 1-N proxy server would replicate to 
the first N matches it finds in proxy.conf?

-jc

>   I don't think that's hard to do.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog



Re: rlm_perl and accounting -- radrelay?

2006-09-07 Thread Alan DeKok
Justin Church <[EMAIL PROTECTED]> wrote:
> How would the proxy.conf work?  Would you define N identical realms with 
> different remote servers, and the 1-N proxy server would replicate to 
> the first N matches it finds in proxy.conf?

  That's an option.

  I'm open to suggestions as to how to configure it.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: XT Radius to Free Radius

2006-09-07 Thread K. Hoercher

Hi,

I just looked at it in 1.1.3. I found the same behaviour you noted
when the script did not have the execute permission. If you put the
equivalent into an exec stanza in the main config file, it does
loudly complain about not being able to run the script and then denies
access therefore. After fixing that, I retried with the users file again
and then it behaved as wanted, allowing on exit code 0, denying on
other codes (ok, just tested -1).

hth
K. Hoercher


Re: XT Radius to Free Radius

2006-09-07 Thread Stefan Winter
Hi,

> We did try your suggestion before posting back and you can enter any
> password and it will accept it. We tried it again and here is the output:
>
> rad_recv: Access-Request packet from host 192.168.1.1:1224, id=1, length=84
> User-Name = "[EMAIL PROTECTED]"
> User-Password = "kjhtlhrfrdjkshgfdhkgj"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>   modcall[authorize]: module "preprocess" returns ok for request 1
>   modcall[authorize]: module "chap" returns noop for request 1
>   modcall[authorize]: module "mschap" returns noop for request 1
> rlm_realm: Looking up realm "adslgateway.co.uk" for User-Name =
> "[EMAIL PROTECTED]"
> rlm_realm: No such realm "adslgateway.co.uk"
>   modcall[authorize]: module "suffix" returns noop for request 1
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 1
> users: Matched DEFAULT at 4
> radius_xlat:  '/etc/raddb/checkpassword.pl [EMAIL PROTECTED]
> kjhtlhrfrdjkshgfdhkgj'
>   modcall[authorize]: module "files" returns ok for request 1
> modcall: group authorize returns ok for request 1
>   rad_check_password:  Found Auth-Type Accept
>   rad_check_password: Auth-Type = Accept, accepting the user
> radius_xlat:  '/etc/raddb/checkpassword.pl [EMAIL PROTECTED]
> kjhtlhrfrdjkshgfdhkgj'
> Exec-Program: /etc/raddb/checkpassword.pl [EMAIL PROTECTED]
> kjhtlhrfrdjkshgfdhkgj
> Sending Access-Accept of id 1 to 192.168.1.1:1224
> Finished request 1
>
>
> You will note that from our original post our password was "test".
>
> Any ideas?

Well, according to the README you should be using Exec-Program-Wait, not 
Exec-Program. Then your script must simply return with a non-zero return code 
if his password is wrong and the user will be denied access.

For your convenience, here's the relevant section of the README file that 
accompanies FreeRADIUS:

  The output from Exec-Program-Wait is parsed by the radius server. If 
  it looks like Attribute/Value pairs, they are decoded and added to the
  reply sent to the NAS. This way, you can for example set Session-Timeout.

  If Exec-Program-Wait returns a non-zero exit status, access will be
  denied to the user. With a zero-exit status, access is granted.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg


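The README contract Stefan quotes (exit status 0 accepts, any "Attribute = value" lines printed are added to the reply, non-zero rejects), together with K. Hoercher's note that the exit code is what decides, shown as an added Python script. This is example code, not one of the posts' scripts and not part of FreeRADIUS; the thread's checkpassword.pl is a different program. The credential store, the reply values, the PBKDF2 parameters and the USER_PASSWORD environment variable are assumptions; USER_NAME is the variable named earlier in this digest, and the argv fallback matches the users entry in the debug output, which passes the user name and password as arguments.

```python
#!/usr/bin/env python3
"""Added example (not FreeRADIUS project code): an Exec-Program-Wait checker
that follows the README contract quoted in this thread. Exit 0 accepts, and
any "Attribute = value" lines printed are added to the reply; exit 1 rejects."""
import hashlib
import hmac
import os
import sys

PBKDF2_ROUNDS = 100_000   # constructed setting for the sample store


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed credential store: user -> (salt, PBKDF2-SHA256 of the password).
# A real script would load this from a file only the radiusd user can read;
# it is inline only so the example runs stand-alone.
_SALT = b"constructed-salt-0001"
CREDENTIALS = {
    "tester": (_SALT, _derive("test", _SALT)),
}

# Reply items to return on success, per user (constructed sample values).
REPLY_ITEMS = {
    "tester": [("Session-Timeout", "3600"), ("Idle-Timeout", "600")],
}


def check_password(user, password):
    """Return (accepted, reply_lines).

    reply_lines are the "Attribute = value" lines the server parses from the
    script's stdout and adds to the Access-Accept. Unknown users take the
    same code path as wrong passwords, so the two cannot be told apart by
    timing, and the digest comparison is constant-time.
    """
    salt, expected = CREDENTIALS.get(user, (_SALT, None))
    digest = _derive(password, salt)
    if expected is None or not hmac.compare_digest(digest, expected):
        return False, []
    return True, [f"{attr} = {value}" for attr, value in REPLY_ITEMS.get(user, [])]


def main(argv, env):
    """Read the credentials, print reply items, return the exit status.

    USER_NAME is the environment variable named in this thread; USER_PASSWORD
    is assumed to be exported the same way. argv is the fallback for a users
    entry that passes %{User-Name} %{User-Password} as arguments, as the
    debug output in this thread shows. Arguments show up in the process list
    for every local user; the environment does not, so it is tried first.
    """
    user = env.get("USER_NAME") or (argv[0] if len(argv) > 0 else "")
    password = env.get("USER_PASSWORD") or (argv[1] if len(argv) > 1 else "")
    accepted, reply = check_password(user, password)
    for line in reply:
        print(line)
    return 0 if accepted else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:], os.environ))
```

Run from a users entry as Exec-Program-Wait, a correct password prints the two reply items and exits 0; the wrong password from the debug output above exits 1 with nothing printed, which is the reject path the README describes. The script must be executable by the radiusd user, which is the permission problem K. Hoercher describes.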


Re: Proxy Control

2006-09-07 Thread Alan DeKok
Josh <[EMAIL PROTECTED]> wrote:
> I'm actually running Funk (Juniper) Steel-Belted
> Radius on the windows box.  I'm working out issues
> with the user profiles on that box...  I was hoping to
> let freeradius take care of who had access to proxy
> (if possible).

  "man rlm_passwd"

  Put the users into a group, and for people not in the "VPN" group,
disallow them access to the VPN.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: rlm_perl and accounting -- radrelay?

2006-09-07 Thread Peter Nixon
On Thu 07 Sep 2006 15:07, Alan DeKok wrote:
> Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> > Just a side note on the clone packets issue i ve come across it in
> > another situation. We act as a proxy for various ISPs and we need to
> > have a way to replicate accounting-on/off packets (which obviously
> > don't carry a [EMAIL PROTECTED] attribute) to all ISPs. But currently
> > this is not possible since we have a server logic of one request,one
> > thread. Being able to use multiple Proxy-To-Realm attributes would
> > be great.
>
>   I think the easiest way to do this is to write a special-purpose 1-N
> proxying server.  It's special purpose enough that I'm not sure that
> work belongs in the server core.  i.e. Doing N proxies means what,
> exactly for pre/post-proxy sections?  Do we add a queue of proxied
> packets to the REQUEST?
>
>   The 1-N proxying server can look for special "proxy to X" attributes
> in the packet, strip them out, and proxy the packet to N different
> places.  It can even read proxy.conf, so there's one source for
> configuration files.  With a little more work, it can also read the
> "detail" files, and be radrelay, too.

Being able to selectively replicate an accounting packet N times may not be a 
standard configuration (although certainly useful) but proxying 
accounting-on/off packets to some/all downstream servers is something that 
almost _everyone_ proxying accounting will want to do. This probably warrants 
a new config option in proxy.conf (acctonoff-shotgun=yes/no)

In particular any downstream servers running ippools need this information... 
Not to mention people who charge by the minute for a particular service..

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Question about Multiple-valued attributes

2006-09-07 Thread Ali Majdzadeh
Hi Alan
Thanks for your help.

Best Regards

On 9/7/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Ali Majdzadeh" <[EMAIL PROTECTED]> wrote:
> > Is it possible to catch Multiple-valued attributes through a C program?
> > I can fetch, for example, User-Name attribute by calling USER_NAME = getenv
> > (USER_NAME);
> > but how should I fetch something like Cisco-AVPair?
>
>  You don't.  You write a module in the server, that has complete
> access to everything.
>
>  Alan DeKok.
> --
>  http://deployingradius.com   - The web site of the book
>  http://deployingradius.com/blog/ - The blog

Re: WPA with Chillispot in proxy mode, problem

2006-09-07 Thread Giuseppina Venezia

>   Ah.  It looks like Chillispot doesn't do EAP.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Now I have removed the RadiusFilterID (radius packet 11) attribute, but
chilli still receives this:

chillispot[22760]: chilli.c: 3125: New DHCP request from MAC=00-11-D8-30-DC-6C
chillispot[22760]: chilli.c: 3095: Client MAC=00-11-D8-30-DC-6C
assigned IP 192.168.182.4
chillispot[22760]: radius.c: 1602: Received unknown radius packet 11!
chillispot[22760]: chilli.c: 3751: radius_proxy_ind() failed!

It is strange, what's wrong?
Best regards, Giusy


RE: How to restrict pppoe users on nas-port-id

2006-09-07 Thread eugene
Thank you Gef, that pointed me in the right direction. What I still had
to figure out was that the "check-item" variable is an extra row in the
radcheck table and that the operator has to be "==".

Kind regards,
Eugene

-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
org] On Behalf Of Geoffrey Cauchi
Sent: 06 September 2006 09:25
To: 'FreeRadius users mailing list'
Subject: RE: How to restrict pppoe users on nas-port-id

Use the check-item variable to restrict port id's

Gef

-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
us.o
rg] On Behalf Of [EMAIL PROTECTED]
Sent: 05 September 2006 21:04
To: freeradius-users@lists.freeradius.org
Subject: How to restrict pppoe users on nas-port-id

 
 I'm using FreeRADIUS Version 1.0.4 with Dialup_admin and mysql and I
would like to know if anyone can direct me in the right place to find
out how to restrict pppoe users from logging in from multiple NAS port
IDs. I would like to restrict them to logging on to only a specific set
of port IDs that comes from a database. Any help will be appreciated.

-Eugenevdm

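The check-item operators behind Gef's and Eugene's exchange (a radcheck row with "==" is compared against the request, while "=" and ":=" set configuration items such as Auth-Type), as an added Python evaluator that is not part of the original posts or of FreeRADIUS. It follows the operator semantics documented in "man 5 users" and goes beyond the "==" case in the thread by covering the other operators as well. The Access-Request and the radcheck-style rows are constructed; multi-valued attributes are treated as "any value satisfies the test", a simplification; and Fall-Through is not modelled.

```python
"""Added example (not FreeRADIUS code): check-item operator semantics from
'man 5 users', applied to radcheck-style rows against a constructed request."""
import re


def _as_number_or_str(x):
    try:
        return int(x)
    except ValueError:
        return x


def _ordered(op, req_values, value):
    """<, <=, >, >= : true if any value of the request attribute satisfies
    the test; numeric when both sides parse as integers, else lexical."""
    tests = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
             ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}
    for v in req_values:
        lhs, rhs = _as_number_or_str(v), _as_number_or_str(value)
        if type(lhs) is not type(rhs):          # int vs str: fall back to lexical
            lhs, rhs = str(v), str(value)
        if tests[op](lhs, rhs):
            return True
    return False


def evaluate_check_items(rows, request, control=None):
    """Apply one entry's check items (attribute, op, value) to a request.

    request: dict attribute -> list of values (lists, because attributes such
    as Cisco-AVPair can appear more than once in a packet).
    Returns (matched, control). control holds the configuration items the
    entry sets (Auth-Type and friends); values are lists so '+=' can add.
    matched becomes False at the first failing comparison.
    """
    control = {k: list(v) for k, v in (control or {}).items()}
    for attr, op, value in rows:
        present = attr in request
        req_values = request.get(attr, [])
        if op == "=":                       # set only if nothing has set it yet
            control.setdefault(attr, [value])
        elif op == ":=":                    # always set, replacing any value
            control[attr] = [value]
        elif op == "+=":                    # always matches, adds a value
            control.setdefault(attr, []).append(value)
        elif op == "==":                    # present in request with this value
            if value not in req_values:
                return False, control
        elif op == "!=":                    # present, and no value equals this
            if not present or value in req_values:
                return False, control
        elif op == "=~":                    # any value matches the regex
            if not any(re.search(value, v) for v in req_values):
                return False, control
        elif op == "!~":                    # no value matches the regex
            if any(re.search(value, v) for v in req_values):
                return False, control
        elif op == "=*":                    # present, whatever the value
            if not present:
                return False, control
        elif op == "!*":                    # absent from the request
            if present:
                return False, control
        elif op in ("<", "<=", ">", ">="):
            if not _ordered(op, req_values, value):
                return False, control
        else:
            raise ValueError(f"unknown check-item operator {op!r}")
    return True, control


def match_entries(entries, request):
    """Walk entries in order, as the files module does with the users file
    and rlm_sql with radcheck rows ordered by id: the first entry whose name
    is DEFAULT or equals User-Name and whose check items all pass wins."""
    user = request.get("User-Name", [""])[0]
    for name, rows in entries:
        if name not in ("DEFAULT", user):
            continue
        ok, control = evaluate_check_items(rows, request)
        if ok:
            return name, control
    return None, {}


# Constructed Access-Request, in the shape of the debug output in this digest.
SAMPLE_REQUEST = {
    "User-Name": ["tester"],
    "User-Password": ["test"],
    "NAS-Port-Type": ["Async"],
    "NAS-Port-Id": ["0/0/1/12"],                 # constructed port id
    "Cisco-AVPair": ["a=1", "b=2"],              # constructed multi-valued VSA
}

# Constructed radcheck-style rows (name, [(attribute, op, value), ...]) in id order:
# the port lock from the pppoe thread, then a DEFAULT entry that rejects.
SAMPLE_ENTRIES = [
    ("tester", [("NAS-Port-Id", "==", "0/0/1/12"),
                ("Crypt-Password", ":=", "f3RCpSYQzT292")]),
    ("DEFAULT", [("Auth-Type", ":=", "Reject")]),
]


def demo():
    return match_entries(SAMPLE_ENTRIES, SAMPLE_REQUEST)


if __name__ == "__main__":
    print(demo())
```

With the request's NAS-Port-Id equal to the "==" row, the "tester" entry matches and its Crypt-Password lands in the control items; from any other port that comparison fails, the walk falls to DEFAULT, and Auth-Type := Reject is what the user gets. The same evaluator shows why "Auth-Type = Local" leaves an existing Auth-Type alone while "Auth-Type := PAP" overrides it.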


Optimize LDAP searches

2006-09-07 Thread Jorgen Rosink

We have multiple remote sites, each with its own NAS; each NAS searches
for users in multiple LDAP contexts. Each NAS (read: site) has one or
more "primary" contexts, which I would like to search first before looking
in all others (roaming users). At this time the search order is based on
the order of LDAP module entries in the authorize {} section.

Is there a way to configure the search order of multiple LDAP contexts
based on NAS IP address ?

I understand there is no way to do a single recursive query on a LDAP
base like o=myorg, is there some reason, or should I submit a feature
request ??? ;-)))


Re: PAP questions.

2006-09-07 Thread Keith Woodworth

On Tue, 22 Aug 2006, Alan DeKok wrote:

|->Keith Woodworth <[EMAIL PROTECTED]> wrote:
|->> One of the things I did try was add PAP to the authorize section, but
|->> radius failed to start when I did that.
|->
|->  And the error message was...?

Had to put this project aside for the last 2 weeks...Hate when I have to
do that. Also this post has lots of debug output.

Anyway here is the error:

radiusd.conf: "PAP" modules aren't allowed in 'authorize' sections -- they
have no such method.
radiusd.conf[1569] Failed to parse authorize section.

Here is where I put pap, with all the comments stripped:

authorize {
preprocess
#   auth_log
#   attr_filter
### KEITH
pap
chap
mschap
#   digest
#   IPASS
#   ntdomain
#eap
files
sql
#   etc_smbpasswd
#   ldap
#   daily
#   checkval
}

|->> Deployingradius.com did say there were very few circumstances to set
|->> Auth-Type, but not which ones. Guess I found one?
|->
|->  Possibly.  Much of this is fixed in CVS head, which is currently
|->planned to be 2.0 before Christmas.  The PAP module does more there,
|->and there are MANY fewer cases where you have to set Auth-Type.

At the rate I'm going, it will be Christmas before I'm ready to go.

|->> How stable is the current server version? Anyone using it in production?
|->
|->  Yes.  A number of people.  There are 3 issues that need addressing
|->before it's ready for an official 2.0, however.

Would it be advisable to upgrade at this point or wait till it's official?

|->> Sounds like I might have to be using the CVS version to do what I want
|->> properly of only having the user in one table and do PAP authentication
|->> with the crypt password stored in sql.
|->
|->  1.1.2 can do it, it just takes a little more configuration.
|->Basically, for every user who has a Crypt-Password attribute, you have
|->to set "Auth-Type = Local".  Not ":=", but "=".

After having to put this aside for a few weeks I have finally done some
testing.

One. If the user has a crypt password in radcheck:

 4 | tester | Crypt-Password | := | f3RCpSYQzT292

is listed in Usergroup:

14 | tester | default

And default is in radgroupcheck:

+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | default   | Auth-Type | =  | Local |

This is the debug output:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=92,
length=76
NAS-Port-Type = Async
User-Name = "tester"
User-Password = "test"
Service-Type = Framed-User
Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
radius_xlat:  'tester'
rlm_sql (sql): sql_set_user escaped user --> 'tester'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'tester' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'tester' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.

Ok, so next change radgroupcheck so Auth-Type is PAP:

+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | default   | Auth-Type | := | PAP   |

and do another dialup try:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=93,
length=76
NAS-Port-Type = Async
User-Name = "tester"
User-Password = "test"
Service-Type = Framed-User
Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mscha