Re: rewrite accounting request

2007-02-03 Thread Ashraf Al-Basti

Thanks Alan..
But do you have any idea how to work around that?

Alan DeKok wrote:
> Ashraf Al-Basti wrote:
> ...
>> in the freeradius server we replace the username with a new one which is
>> the same as the password, so we are using pre-proxy to call attr_rewrite
>> that will replace the username with the  new one. As an authintecation
>> process every thing goes will, but for the Accounting the free radius
>> didnt change the username and send it as it is to the another radius
>> which mean that i couldnt do accounting for them. so could you please
>> help me to solve like this problem.
> ...
>> This is what i found in the log file,
>
>  Why?  Why aren't you running the server in debugging mode as suggested
> in the README, FAQ, INSTALL, and daily on this list?
>
>  In any case, your post already contains the answer to your question:
> There's no "Password" attribute in accounting requests.  The log files
> you posted show this clearly.  Read them.
>
>  Alan DeKok.
> --
>  http://deployingradius.com   - The web site of the book
>  http://deployingradius.com/blog/ - The blog

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rewrite accounting request

2007-02-03 Thread Alan DeKok
Ashraf Al-Basti wrote:
...
> in the freeradius server we replace the username with a new one which is
> the same as the password, so we are using pre-proxy to call attr_rewrite
> that will replace the username with the  new one. As an authintecation
> process every thing goes will, but for the Accounting the free radius
> didnt change the username and send it as it is to the another radius
> which mean that i couldnt do accounting for them. so could you please
> help me to solve like this problem.
...
> This is what i found in the log file,

  Why?  Why aren't you running the server in debugging mode as suggested
in the README, FAQ, INSTALL, and daily on this list?

  In any case, your post already contains the answer to your question:
There's no "Password" attribute in accounting requests.  The log files
you posted show this clearly.  Read them.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Usage of Cleartext-Password

2007-02-03 Thread Alan DeKok
Federico Giannici wrote:
> I have just upgraded from 1.1.2. to 1.1.4.
> Now I tried to convert my custom authorization module to use the 
> "Cleartext-Password" attribute instead of "User-Password" (my passwords 
> are in clear-text).
...
> But the daemon started to give "Login incorrect" errors (with no other 
> error description), so I had to revert the change.

  Did you list the "PAP" module last in the "authorize" section?

  The README, etc. says "go read the rlm_pap documentation".  The
changes are explained there.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Problem syncing radius.logs with radrelay

2007-02-03 Thread Alan DeKok
John Brittain wrote:
> It's being used for incorrect logins and other information, and we had a
> web page that parsed that file when a customer called with a problem.
> Now, we have to look at both files to see the errors/information.

  Having a web server parse (or even have read access to) the
"radius.log" file is a bad idea.  All of the information the web page
needs could be put into an SQL database.

> That's why I was asking if there was a way to have both radius.log files
> sync'd like it was with Cistron.  How did it stay sync'd in Cistron?
> Was it the radrelay program?

  No.  Someone at your site probably wrote a script to copy the data
back and forth.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


rewrite accounting request

2007-02-03 Thread Ashraf Al-Basti

Dear All,
I need your help to configure FreeRadius to rewrite the User-Name 
attribute in Accounting-Request.

My setup is as follows; please correct me if I have made a mistake.
I'm using FreeRADIUS to proxy to another RADIUS server. We are
using one username (wanadoo) as a default username for our prepaid card
system.
In the FreeRADIUS server we replace the username with a new one which is
the same as the password, so we are using pre-proxy to call attr_rewrite,
which will replace the username with the new one. As an authentication
process everything goes well, but for the accounting FreeRADIUS
didn't change the username and sent it as it is to the other RADIUS,
which means that I couldn't do accounting for them. So could you please
help me solve this problem?


attr_rewrite fixusername {
   attribute = User-Name
   searchin = proxy
   searchfor = "wanadoo"
   replacewith = %{Password}
   ignore_case = no
   new_attribute = no
   max_matches = 10
   append = no
}

pre-proxy {
   fixusername
   pre_proxy_log
}
This is what I found in the log file:

Packet-Type = Access-Request
Wed Jan 31 07:55:27 2007
   User-Name = "114242"
   User-Password = "114242"
   NAS-IP-Address = 172.16.5.188
   Client-IP-Address = 172.16.5.188
   Stripped-User-Name = "wanadoo"
   Realm = "coolnet"
   Realm = "coolnet"
   Proxy-State = 0x3833

Packet-Type = Accounting-Request
Wed Jan 31 07:55:27 2007
   Acct-Session-Id = "76"
   Acct-Status-Type = Start
   User-Name = "wanadoo"
   NAS-Port = 2
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-IP-Address = 255.255.255.254
   Class = 0x5376633d32
   NAS-IP-Address = 172.16.5.188
   Client-IP-Address = 172.16.5.188
   Acct-Unique-Session-Id = "26331f725bfc7b96"
   Stripped-User-Name = "wanadoo"
   Realm = "coolnet"
   Realm = "coolnet"
   Proxy-State = 0x3834
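As an added illustration (not part of the original post or of FreeRADIUS itself), the Python below emulates the posted attr_rewrite rule against the two packets from the log above and reports why it cannot fire for the Accounting-Request: the rule takes its replacement value from a password attribute, and the accounting packet carries none, which is the point of Alan's reply. The sample is a trimmed copy of the posted log; the parser handles the detail-style "Attribute = value" layout, including repeated attributes such as the two Realm entries.

```python
import re
from collections import defaultdict

# Trimmed copy of the two packets posted in the thread (detail-style dump).
SAMPLE_LOG = """\
Packet-Type = Access-Request
Wed Jan 31 07:55:27 2007
   User-Name = "114242"
   User-Password = "114242"
   NAS-IP-Address = 172.16.5.188
   Stripped-User-Name = "wanadoo"
   Realm = "coolnet"
   Realm = "coolnet"

Packet-Type = Accounting-Request
Wed Jan 31 07:55:27 2007
   Acct-Session-Id = "76"
   Acct-Status-Type = Start
   User-Name = "wanadoo"
   NAS-IP-Address = 172.16.5.188
   Stripped-User-Name = "wanadoo"
   Realm = "coolnet"
"""

# One "Name = value" line; the value may be quoted, an IP, an enum or hex.
ATTR_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def _unquote(value):
    """Strip the double quotes the detail format puts around strings."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def parse_packets(text):
    """Split a dump into packets. Each packet is a dict attribute -> list of
    values, because RADIUS attributes may repeat (Realm appears twice above).
    A 'Packet-Type = ...' line starts a new packet; timestamp lines and
    blank lines carry no '=' and are skipped."""
    packets = []
    current = None
    for line in text.splitlines():
        match = ATTR_RE.match(line)
        if not match:
            continue
        name, value = match.group(1), _unquote(match.group(2))
        if name == 'Packet-Type':
            current = defaultdict(list)
            packets.append(current)
        if current is not None:
            current[name].append(value)
    return packets


def apply_rewrite(packet, searchfor='wanadoo', source='User-Password'):
    """Emulate the posted attr_rewrite rule: when User-Name equals `searchfor`,
    replace it with the value of `source`. Returns (outcome, user_name)."""
    names = packet.get('User-Name', [])
    if searchfor not in names:
        # Nothing to do. In the Access-Request above the name has already been
        # replaced; Stripped-User-Name still shows the original "wanadoo".
        return ('no-match', names[0] if names else None)
    if source not in packet:
        # Accounting packets carry no password attribute, so there is nothing
        # to substitute and the rewrite cannot fire.
        return ('no-password', names[0])
    return ('rewritten', packet[source][0])


def summarize(text):
    """Return [(Packet-Type, outcome, resulting User-Name), ...] for a dump."""
    return [(p['Packet-Type'][0],) + apply_rewrite(p) for p in parse_packets(text)]


if __name__ == '__main__':
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Running it prints one row per packet: the Access-Request comes out as `no-match` (its User-Name is already the card number) and the Accounting-Request as `no-password`, which is exactly the gap the proxy rewrite falls into.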

RE: Problem syncing radius.logs with radrelay

2007-02-03 Thread John Brittain
>   radrelay copies accounting packets, not authentication packets.  In
> FreeRADIUS, the "Login OK" message appears in radius.log ONLY when the
> server sends an Access-Accept.
>
>   In any case, the radius.log file is informative, not definitive.  If
> you're using it for any purpose other than having admins occasionally
> reading it, that's wrong.  You should be looking at the accounting logs
> to see what the users are really doing.
>
>   Alan DeKok.

Alan,

It's being used for incorrect logins and other information, and we had a
web page that parsed that file when a customer called with a problem.
Now, we have to look at both files to see the errors/information.

That's why I was asking if there was a way to have both radius.log files
sync'd like it was with Cistron.  How did it stay sync'd in Cistron?
Was it the radrelay program?  If so, I guess I could do some hacking on
that program to satisfy our needs.

Thanks.

--John



Re: Proxy based on MAC

2007-02-03 Thread Michael Griego
Where you put it all depends on your local configuration.  If you put  
it in the users file, it might look something like this:

DEFAULT Calling-Station-Id =~ "^(00-0D-93-|00-03-93-|00-05-02-)",
        Proxy-To-Realm := "ReamToProxyTo"

--Mike

On Feb 2, 2007, at 7:47 PM, King, Michael wrote:

>> following would work just as well and be much more readable:
>>
>> Calling-Station-Id =~ "^(00-0D-93-|00-03-93-|00-05-02-)"
>>
> I was just concerned with a partial match I wasn't expecting.
> E.g.  XX-XX-00-0D-93-XX
>
>> And as to where it goes, anywhere a check expression goes:
>> users file, SQL radcheck table, etc.  As long as the server
>> is compiled with regular expressions and they're left enabled
>> (which in the default configs, they are), you should be golden.
>
> Ok...  Any hints on where a proxy should go?  :-)

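An added example, not code from the thread or from FreeRADIUS: a Python version of the check item above. It shows why the leading `^` matters (the same alternation without it matches `00-0D-93-` in the middle of a string such as `XX-XX-00-0D-93-XX`, the partial match raised in the quoted mail) and adds one step the thread does not discuss: normalising the Calling-Station-Id to one spelling before matching, since NAS vendors send MACs with colons, dots or lowercase hex and a regex applied to the raw value would silently miss those. The realm name `ReamToProxyTo` is the placeholder used in the post.

```python
import re

# Check item from the users-file entry in the thread; the realm name is the
# placeholder from the post.
PREFIX_RE = re.compile(r'^(00-0D-93-|00-03-93-|00-05-02-)')
PROXY_REALM = 'ReamToProxyTo'

# The same alternation without the leading '^'; kept only to demonstrate the
# partial match the poster was worried about.
UNANCHORED_RE = re.compile(r'(00-0D-93-|00-03-93-|00-05-02-)')


def normalize_mac(calling_station_id):
    """Canonicalise a MAC to AA-BB-CC-DD-EE-FF (uppercase, dash-separated).
    Accepts 00:0d:93:..., 000d.93aa.bbcc and similar. Returns None when the
    value does not contain exactly twelve hex digits, i.e. is not a MAC."""
    digits = re.sub(r'[^0-9A-Fa-f]', '', calling_station_id)
    if len(digits) != 12:
        return None
    digits = digits.upper()
    return '-'.join(digits[i:i + 2] for i in range(0, 12, 2))


def proxy_realm_for(calling_station_id):
    """Return the realm the anchored rule would proxy to, or None when the
    OUI prefix does not match (or the value is not a MAC at all)."""
    mac = normalize_mac(calling_station_id)
    if mac is not None and PREFIX_RE.search(mac):
        return PROXY_REALM
    return None


def unanchored_matches(calling_station_id):
    """True if the un-anchored pattern hits anywhere in the raw string."""
    return UNANCHORED_RE.search(calling_station_id) is not None


if __name__ == '__main__':
    for sample in ('00-0D-93-12-34-56', '00:05:02:aa:bb:cc', 'AA-BB-00-0D-93-12'):
        print(sample, proxy_realm_for(sample), unanchored_matches(sample))
```

The third sample in the usage loop is the case from the quoted mail: the anchored rule returns `None`, while the un-anchored pattern reports a match.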


Re: FreeRADIUS + OpenLDAP for accounting

2007-02-03 Thread Peter Micunek

Thanks a lot.

I supposed this, and I will definitely ask our vendor for a modification of
the interface.

regards,
Peter Micunek

On 2/3/07, Phil Mayers <[EMAIL PROTECTED]> wrote:

> Peter Micunek wrote:
> > The proxy cannot speak to an SQL server.
>
> Then it's very poor software, and my advice would be to look elsewhere.
>
> > Do you know some LDAP-SQL proxy which listen on LDAP server  port  and
> > convert  LDAP  request  to  SQL  and vice versa.
>
> OpenLDAP will do this, but it's not suitable for your needs (see below)
>
> > Also, I am considering to use:
> >
> > NAS ---> FreeRADIUS (rlm_sql_mysql) ---> MySQL DB <--->  OpenLDAP with
> > slapd-sql <---> LDAP client
> >
> > what do you think about this?
>
> I am not an OpenLDAP expert any more, but the last time I investigated
> this you could not modify the SQL database "underneath" slapd-sql
> because of the servers caching. You had to make modifications via LDAP.
>
> If you really need FreeRadius accounting to perform an
> ldapadd/ldapmodify I suggest you use Exec-Program in the "acct_users"
> file, but be prepared for it to go slowly and break a lot.
>
> > regards,
> > Peter Micunek
> >
> > On 2/3/07, *Phil Mayers* <[EMAIL PROTECTED]> wrote:
> >
> >     Peter Micunek wrote:
> >      > A problem is that this proxy know IP address of customer instead of
> >      > MSISDN and unfortunately cannot use a RADIUS to
> >      > obtain the MSISDN from another source. This proxy is able to use only
> >      > the LDAP request with IP of customer and then
> >
> >     FreeRadius can't write to (account to) an LDAP directory.
> >
> >     It's a fundamentally bad idea to do lots of writes to LDAP. Most LDAP
> >     servers are heavily read-optimised - not write.
> >
> >     Can the proxy speak to an SQL server?
> >
> >     If not, you could use an Exec-Program attribute in the "acct_users"
> >     file to run "ldapmodify"

Re: FreeRADIUS + OpenLDAP for accounting

2007-02-03 Thread Phil Mayers
Peter Micunek wrote:
> The proxy cannot speak to an SQL server.

Then it's very poor software, and my advice would be to look elsewhere.

> 
> Do you know some LDAP-SQL proxy which listen on LDAP server  port  and 
> convert  LDAP  request  to  SQL  and vice versa.

OpenLDAP will do this, but it's not suitable for your needs (see below)

> 
> Also, I am considering to use:
> 
> NAS ---> FreeRADIUS (rlm_sql_mysql) ---> MySQL DB <--->  OpenLDAP with 
> slapd-sql <---> LDAP client
> 
> what do you think about this?

I am not an OpenLDAP expert any more, but the last time I investigated 
this you could not modify the SQL database "underneath" slapd-sql 
because of the servers caching. You had to make modifications via LDAP.

If you really need FreeRadius accounting to perform an 
ldapadd/ldapmodify I suggest you use Exec-Program in the "acct_users" 
file, but be prepared for it to go slowly and break a lot.

> 
> regards,
> Peter Micunek
> 
> 
> On 2/3/07, *Phil Mayers* <[EMAIL PROTECTED]> wrote:
> 
>     Peter Micunek wrote:
>      > A problem is that this proxy know IP address of customer instead of
>      > MSISDN and unfortunately cannot use a RADIUS to
>      > obtain the MSISDN from another source. This proxy is able to use only
>      > the LDAP request with IP of customer and then
> 
>     FreeRadius can't write to (account to) an LDAP directory.
> 
>     It's a fundamentally bad idea to do lots of writes to LDAP. Most LDAP
>     servers are heavily read-optimised - not write.
> 
>     Can the proxy speak to an SQL server?
> 
>     If not, you could use an Exec-Program attribute in the "acct_users"
>     file to run "ldapmodify"


Re: Check against TWO possible password?

2007-02-03 Thread Federico Giannici
Jan Mulders wrote:
> if all else fails, try using rlm_perl to do the authentication (or 
> maybe, compare the password against both elements in the database, then 
> 'rewrite' it as the first if it matches, so rlm_sql recognises it 
> properly. This, of course, is a bit of a hack (but if it works every 
> time and is less complex than a failover implementation, is it bad?).

Well... this is a little more than "a bit of a hack".
It will work with clear-text authentication mechanisms only...

Bye.


> On 03/02/07, *Federico Giannici* <[EMAIL PROTECTED]> wrote:
> 
>     Alan DeKok wrote:
>      > Federico Giannici wrote:
>      >> Now we have to check every authentication against TWO different
>      >> passwords (it's OK if ONE is matched). Something like setting two
>      >> different and alternative "User-Password" attributes...
>      >
>      >   Sort of.  See doc/configurable_failover.
> 
>     I read it, but I'm a little confused...
> 
>     How can I use it to make the AUTHENTICATE sections to be tried a SECOND
>     time (with a different Cleartext-Password set by an authorization
>     module), if the first time the authentication failed?
> 
>     Thanks.


-- 
Federico Giannici  [EMAIL PROTECTED]  http://www.neomedia.it
Chairman of the Board - Neomedia S.r.l.


Usage of Cleartext-Password

2007-02-03 Thread Federico Giannici
I have just upgraded from 1.1.2 to 1.1.4.
Now I tried to convert my custom authorization module to use the 
"Cleartext-Password" attribute instead of "User-Password" (my passwords 
are in clear-text).

I simply replaced the following command at the end of the authorization 
routine of my module:

pairadd( &request->config_items, pairmake("User-Password", password, T_OP_CMP_EQ) );

with:

pairadd( &request->config_items, pairmake("Cleartext-Password", password, T_OP_CMP_EQ) );

But the daemon started to give "Login incorrect" errors (with no other 
error description), so I had to revert the change.

What am I missing?


Thanks.

-- 
Federico Giannici  [EMAIL PROTECTED]  http://www.neomedia.it


Re: FreeRADIUS + OpenLDAP for accounting

2007-02-03 Thread Alan DeKok
Peter Micunek wrote:
> The proxy cannot speak to an SQL server.

  Why not?

> Do you know some LDAP-SQL proxy which listen on LDAP server  port  and
> convert  LDAP  request  to  SQL  and vice versa.

  Huh?  In one word:  No.

> Also, I am considering to use:
> 
> NAS ---> FreeRADIUS (rlm_sql_mysql) ---> MySQL DB <--->  OpenLDAP with
> slapd-sql <---> LDAP client

  Uh... no.

> what do you think about this?

  I think you're very confused about RADIUS, LDAP, and SQL.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Check against TWO possible password?

2007-02-03 Thread Jan Mulders

if all else fails, try using rlm_perl to do the authentication (or maybe,
compare the password against both elements in the database, then 'rewrite'
it as the first if it matches, so rlm_sql recognises it properly. This, of
course, is a bit of a hack (but if it works every time and is less complex
than a failover implementation, is it bad?).

Jan

On 03/02/07, Federico Giannici <[EMAIL PROTECTED]> wrote:

> Alan DeKok wrote:
> > Federico Giannici wrote:
> >> Now we have to check every authentication against TWO different
> >> passwords (it's OK if ONE is matched). Something like setting two
> >> different and alternative "User-Password" attributes...
> >
> >   Sort of.  See doc/configurable_failover.
>
> I read it, but I'm a little confused...
>
> How can I use it to make the AUTHENTICATE sections to be tried a SECOND
> time (with a different Cleartext-Password set by an authorization
> module), if the first time the authentication failed?
>
> Thanks.
>
> --
> Federico Giannici  [EMAIL PROTECTED]  http://www.neomedia.it

Re: FreeRADIUS + OpenLDAP for accounting

2007-02-03 Thread Peter Micunek

The proxy cannot speak to an SQL server.

Do you know of an LDAP-SQL proxy which listens on the LDAP server port and
converts LDAP requests to SQL and vice versa?

Also, I am considering using:

NAS ---> FreeRADIUS (rlm_sql_mysql) ---> MySQL DB <--->  OpenLDAP with
slapd-sql <---> LDAP client

What do you think about this?

regards,
Peter Micunek


On 2/3/07, Phil Mayers <[EMAIL PROTECTED]> wrote:

> Peter Micunek wrote:
> > A problem is that this proxy know IP address of customer instead of
> > MSISDN and unfortunately cannot use a RADIUS to
> > obtain the MSISDN from another source. This proxy is able to use only
> > the LDAP request with IP of customer and then
>
> FreeRadius can't write to (account to) an LDAP directory.
>
> It's a fundamentally bad idea to do lots of writes to LDAP. Most LDAP
> servers are heavily read-optimised - not write.
>
> Can the proxy speak to an SQL server?
>
> If not, you could use an Exec-Program attribute in the "acct_users" file
> to run "ldapmodify"

Re: Check against TWO possible password?

2007-02-03 Thread Federico Giannici
Alan DeKok wrote:
> Federico Giannici wrote:
>> Now we have to check every authentication against TWO different 
>> passwords (it's OK if ONE is matched). Something like setting two 
>> different and alternative "User-Password" attributes...
> 
>   Sort of.  See doc/configurable_failover.

I read it, but I'm a little confused...

How can I use it to make the AUTHENTICATE sections to be tried a SECOND 
time (with a different Cleartext-Password set by an authorization 
module), if the first time the authentication failed?


Thanks.

-- 
Federico Giannici  [EMAIL PROTECTED]  http://www.neomedia.it


Re: Check against TWO possible password?

2007-02-03 Thread Alan DeKok
Federico Giannici wrote:
> Now we have to check every authentication against TWO different 
> passwords (it's OK if ONE is matched). Something like setting two 
> different and alternative "User-Password" attributes...

  Sort of.  See doc/configurable_failover.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: How to enable Freeradius to support a smart card with AES encryption algorithm?

2007-02-03 Thread Alan DeKok
yao guoxian wrote:
> Second,suppose we have enabled the NAS(client) and Freeradius to support
> our specified attribute "My-Aes-Password" , how to write the new module
> to handle the attribute?

  See the examples & the documentation.  What about them is unclear?

> Third, how to enable Freeradius and Nas(client) to support our new
> attribute? Does it need to append the dictionary file a new entry?

  All of this is documented.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Check against TWO possible password?

2007-02-03 Thread Federico Giannici
We have been using FreeRADIUS 1.1.2 for many months (with a 
custom module to retrieve and record data from/to our database and 
perform custom things).

Now we have to check every authentication against TWO different 
passwords (it's OK if ONE is matched). Something like setting two 
different and alternative "User-Password" attributes...

Is there some way to achieve it?


Thanks.

-- 
Federico Giannici  [EMAIL PROTECTED]  http://www.neomedia.it


Re: How to enable Freeradius to support a smart card with AES encryption algorithm?

2007-02-03 Thread yao guoxian

Thanks, Alan.
But I have lots of problems.
First, what is the difference between challenge-response and CHAP? In my opinion,
challenge-response is an authentication mechanism and flow, while CHAP is a
method to hide and transport the user's password. In challenge-response, the
random challenge is produced by the RADIUS server and has no length limit,
while the 16-byte random authenticator used in CHAP is produced by the NAS
or the client. Is that right?

Second, suppose we have enabled the NAS (client) and FreeRADIUS to support our
specified attribute "My-Aes-Password"; how do we write the new module to
handle the attribute? Is it like the following?
   1. Code a program like
      freeradius-path/src/modules/rlm_example/rlm_example.c and name it
      rlm_aes;
   2. compile it and store the aes.exe file in the /bin/ directory;
   3. edit radiusd.conf as follows:
      # in the modules section
      ...
      exec aes {
          wait = yes;
          program = "/bin/aes %My_Aes_Password "
          input_pairs = request
          output_pairs = reply
      }
      ...
      authorize {
          preprocess
          chap
          mschap
          suffix
          sql
          aes
      }
      ...
   Or we needn't compile rlm_aes.c and just leave it to FreeRADIUS
   to do what needs to be done?

Third, how do we enable FreeRADIUS and the NAS (client) to support our new
attribute? Does it need a new entry appended to the dictionary file?

regards
Guoxian

2007/2/1, Alan DeKok <[EMAIL PROTECTED]>:

> yao guoxian wrote:
> > Hi!
> > I have a smart card emluator which suports AES, not MD5 encryption
> > algorithm. Is it possible to enable Freeradius to support my smart card
> > emlulator?
>
>   Edit the code.
>
> > I have an idea as follow:
> > First,amending client agent (NAS) daemon program to make it send
> > chap-password which is produced with AES, not MD5.
>
>   Don't do that.  It isn't CHAP, and you will break a lot of things.
>
> > The usual md5
> > chap-password is produced as MD5( user-packet-ID+user-secret+16 bytes
> > authenticator), while the aes chap-password is produced as AES(16 bytes
> > authenticator) using user-secret as key.The usual md5 chap-passwor
> > attribute in an Access Request packet is as follow:
> >
> > |  code = 3 |  Length = 19  | user-packet-ID  |  16 bytes value |
> >
> > While the aes chap-password replaced the 16 bytes value ( MD5(
> > user-packet-ID+user-secret+16 bytes authenticator)) with AES(16 bytes
> > authenticator).
> > Second ,amending rlm-chap.c to alter it  to  use  AES  to  analyze
> > the  request packet.
> > Is it practical? Appreciate any suggestions.
>
>   No, it's not practical.
>
>   What you're missing is that none of the NASes will do the AES
> calculation, so changing FreeRADIUS won't help.
>
>   If you control the software on the NAS, just invent a new attribute,
> "My-AES-Password", and use that.  That's what attributes are for.  Then,
> write a new module to support that attribute.  That's what modules are
> for.
>
>   Hacking existing attributes and modules is a recipe for disaster.
> Don't do it.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog
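An added example, not code from the thread or from FreeRADIUS: a Python encoder and verifier for the CHAP-Password attribute laid out in the quoted reply (type 3, length 19, a one-byte CHAP ident, then MD5(ident || secret || challenge)). It shows the server-side check a CHAP module performs, and why that check only works when the server holds the user's cleartext password: the digest has to be recomputed, so a stored hash of the password is of no use. The challenge is the CHAP-Challenge attribute, or the 16-byte Request Authenticator when that attribute is absent. An AES-based construction such as the one proposed would not be CHAP and no standard NAS would produce it, which is the substance of the reply. All test values are constructed.

```python
import hashlib
import hmac
import os

CHAP_PASSWORD_TYPE = 3       # RADIUS attribute type number for CHAP-Password
CHAP_PASSWORD_LENGTH = 19    # 1 type + 1 length + 1 ident + 16-byte MD5 digest


def chap_response(ident, password, challenge):
    """CHAP response as carried in RADIUS: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode_chap_password(ident, password, challenge):
    """Build the 19-byte CHAP-Password attribute a NAS puts in an
    Access-Request: type 3, length 19, CHAP ident, 16-byte response."""
    header = bytes([CHAP_PASSWORD_TYPE, CHAP_PASSWORD_LENGTH, ident])
    return header + chap_response(ident, password, challenge)


def decode_chap_password(attr):
    """Validate the TLV framing and return (ident, response)."""
    if (len(attr) != CHAP_PASSWORD_LENGTH or attr[0] != CHAP_PASSWORD_TYPE
            or attr[1] != CHAP_PASSWORD_LENGTH):
        raise ValueError('malformed CHAP-Password attribute')
    return attr[2], attr[3:]


def verify_chap(attr, challenge, known_password):
    """Server-side check of the kind rlm_chap performs: recompute the digest
    from the stored cleartext password and compare in constant time.
    `challenge` is the CHAP-Challenge attribute value, or the 16-byte Request
    Authenticator when the packet carries no CHAP-Challenge."""
    ident, response = decode_chap_password(attr)
    expected = chap_response(ident, known_password, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    """Round trip with constructed values standing in for what a NAS sends."""
    challenge = os.urandom(16)
    attr = encode_chap_password(0x2A, b'correct horse', challenge)
    good = verify_chap(attr, challenge, b'correct horse')
    bad = verify_chap(attr, challenge, b'wrong password')
    return good, bad


if __name__ == '__main__':
    print(demo())
```

Note that the ident byte is part of the hashed input, so a request whose ident was altered in transit fails verification even though the digest bytes are untouched; the framing check rejects short or mistyped attributes before any hashing is done.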

Re: FreeRADIUS + OpenLDAP for accounting

2007-02-03 Thread Phil Mayers
Peter Micunek wrote:
> A problem is that this proxy know IP address of customer instead of 
> MSISDN and unfortunately cannot use a RADIUS to
> obtain the MSISDN from another source. This proxy is able to use only 
> the LDAP request with IP of customer and then

FreeRadius can't write to (account to) an LDAP directory.

It's a fundamentally bad idea to do lots of writes to LDAP. Most LDAP 
servers are heavily read-optimised - not write.

Can the proxy speak to an SQL server?

If not, you could use an Exec-Program attribute in the "acct_users" file 
to run "ldapmodify"


Re: FreeRADIUS + OpenLDAP for accounting

2007-02-03 Thread Alan DeKok
Peter Micunek wrote:

> So I have to design a Accounting FreeRADIUS server which will store the
> RADIUS acconting with IP and MSISDN to OpenLDAP.

  That's not good.  LDAP isn't really designed for large volumes of
writes.  I would suggest using an SQL database.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Advanced SQL Auth/Generate clients.conf from SQL?

2007-02-03 Thread Alan DeKok
Dan Mahoney, System Admin wrote:
> My second question is, now that I've got a list of all my NASes in 
> SQL, has anyone written (or added to beta or something similar) code to do 
> *those* via SQL?  Specifically we already have all our network devices 
> (and shared secrets) in a SQL database anyway, and it would be cool to use 
> them in realtime.

  Yes, this is (mostly) supported in the server.  It will read the list
of clients from SQL at startup, but NOT during run-time.  This is to
prevent DoS attacks...

  It should be possible to mitigate the DoS potential somewhat, but
someone still has to write the code.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius(.net) and Oracle

2007-02-03 Thread Alan DeKok
Brian Atkins wrote:
> OK, so I pulled down the tarball for 1.1.4 from the site and I am in the 
> process of compiling it on Cygwin. Now I am getting an entirely 
> different error:

> In file included from sql_oracle.c:28:
> /home/Administrator/freeradius-1.1.4/src/include/radiusd.h:11:22: 
> *radpaths.h: No such file or directory*
> sql_oracle.c: In function `sql_select_query':
> sql_oracle.c:342: warning: dereferencing type-punned pointer will break 
> strict-aliasing rules
> make: *** [sql_oracle.lo] Error 1

  Let me guess.  You tried to build rlm_sql_oracle from inside of it's
directory, rather than following the instructions on doing a top-level
"configure" and "make".

> I dug back through the archives and found a reference from version 
> 0.9.0-pre1 (2003) that indicated a bug in automake. I'm using automake 
> (GNU automake) 1.10.

  FreeRADIUS doesn't use automake.

> Another question would be if I re-built Freeradius from the tarball 
> would it make the rlm_sql_oracle module automatically, or do I need to 
> build it separately?

  i.e. you are NOT trying to re-build it from the tarball.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: 802.1x + freeradius authentication problem

2007-02-03 Thread Alan DeKok
Ramon Barquier wrote:

> We see the 'negotiation' messages, but no sign of "Success" at the end 
> (neither Wireless connection, of course).

  The client stops talking to the server.  This is in the FAQ.  Read it.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: When EAP-AKA can be supported by FreeRADIUS?

2007-02-03 Thread Peter Nixon
> Not only would FreeRADIUS have to support the required EAP methods,

That's a given, and will happen as/when FreeRADIUS developers are interested, 
need it themselves, are sponsored by someone else who does, or an outsider 
donates the appropriate code.

> but new dictionary files would have to be defined to specify the WiMAX
> specific VSAs needed to fully enable a WiMAX device.

Dictionary files are easy. We encourage any vendors to send us updated 
dictionary files for any equipment (Not just WiMAX). Alternatively users of 
equipment that doesn't have appropriate dictionaries should do so.

> As the previous poster said, WiMAX is not fully defined from a RADIUS
> perspective at this point.

Yep.

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


pgpOLB50fKKwB.pgp
Description: PGP signature
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html