Re: Where to find sql counter module ?
On 2/24/07, PD [EMAIL PROTECTED] wrote:
> Simple question... how and where do I get the sql counter module? I have tried googling for hours but still cannot find it.
> TIA
> PD

You should compile FR with experimental modules. You have to create the module yourself. Read rlm_sqlcounter in the doc/ folder; it explains how to use it.

Kind Regards,
Yves

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Where to find sql counter module ?
YvesDM wrote:
> On 2/24/07, PD [EMAIL PROTECTED] wrote:
>> Simple question... how and where do I get the sql counter module? I have tried googling for hours but still cannot find it.
>> TIA
>> PD
>
> You should compile FR with experimental modules. You have to create the module yourself. Read rlm_sqlcounter in the doc/ folder; it explains how to use it.

In the current version of FR (1.1.4) the sqlcounter module is no longer experimental; it comes in the default collection of modules.

There is also a wiki article on using sqlcounter: http://wiki.freeradius.org/Rlm_sqlcounter
It's not complete but I am working on it.

--
Graham Beneke
Re: Strange problems in large proxy setup
On Fri, Feb 23, 2007 at 10:23:50AM -0500, Dennis Skinner wrote:
> Kostas Zorbadelos wrote:
>> radiusd -X confirms that the configuration is correct, however I have this problem behaviour at large scale. My initial suspicions go to the proxying code to be honest, but I need to take a good look to grasp it.
>
> I would try running the production radius in debugging mode and send the output to a file that you can review for anomalies. If it is happening often enough and you don't want to run the primary radius in debug mode, you could do it on the secondary and force a failover for a short time and try to catch it.
>
> --
> Dennis Skinner
> Systems Administrator
> BlueFrog Internet
> http://www.bluefrog.com

Hi Dennis,

By 'debugging mode' I guess you are referring to radiusd -xxx or something, is that correct? Could this affect the authentication service for our customers?

I was thinking of something along the lines of changing the freeradius config to log the packets going to the home server and their replies (detail_log module in the pre_proxy and post_proxy stages).

Has anyone else noticed this behaviour in a large-load proxy setup?

--
Kostas Zorbadelos
Systems Designer/Developer, Otenet SA
[EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Re: Where to find sql counter module ?
On 2/24/07, Graham Beneke [EMAIL PROTECTED] wrote:
> In the current version of FR (1.1.4) the sqlcounter module is no longer experimental; it comes in the default collection of modules.
>
> There is also a wiki article on using sqlcounter: http://wiki.freeradius.org/Rlm_sqlcounter
> It's not complete but I am working on it.
>
> --
> Graham Beneke

Interesting, thanks for your work!

I'm struggling with the sqlcounter module too at the moment. I'm trying to define the reply-name (FR 1.1.4), but it gives me errors.

If I specify this in sqlcounter.conf:

    sqlcounter volumelimit {
        counter-name = Octets-Total
        check-name = Max-Octets
        reply-name = ChilliSpot-Max-Total-Octets
        sqlmod-inst = sql
        key = User-Name
        reset = monthly
        # This query will calculate the total volume used

it results in:

    freeradius -X | grep sqlcounter
    <snip>
     sqlcounter: counter-name = Octets-Total
     sqlcounter: check-name = Max-Octets
     sqlcounter: reply-name = ChilliSpot-Max-Total-Octets
     sqlcounter: key = User-Name
     sqlcounter: sqlmod-inst = sql
     sqlcounter: query = SELECT (SUM(AcctInputOctets) +SUM(AcctInputGigawords * 4294967295) +SUM(AcctOutputOctets) +SUM(AcctOutputGigawords * 4294967295)) / 1048576 FROM radacct WHERE UserName = '%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')
     sqlcounter: reset = monthly
     sqlcounter: safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
    rlm_sqlcounter: No such attribute ChilliSpot-Max-Total-Octets
    obelix:/etc/freeradius#

Strange... But I'm not in a rush, I'll find out what's wrong :-)

Kind regards,
Yves
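What a volume counter like the one above actually computes, as an added example in Python (this is not code from the thread or from rlm_sqlcounter; the module itself runs a query like the one shown against your SQL server). The example builds an in-memory sqlite radacct table with constructed sessions, derives the start of the monthly reset period (what sqlcounter substitutes for %b), sums the octets in both directions and applies the check item the way the module does: reject once the limit is reached, otherwise hand back the remaining allowance for the reply attribute. It multiplies the gigaword columns by 2**32, because Acct-Input-Gigawords and Acct-Output-Gigawords count wraps of the 32-bit octet counter (RFC 2869). The table layout, the usernames, the limit and the fixed "now" are all assumptions of the demo.

```python
import calendar
import datetime
import sqlite3

# Acct-Input-Gigawords / Acct-Output-Gigawords count how many times the 32-bit
# octet counter wrapped (RFC 2869), so each gigaword is 2**32 octets.
GIGAWORD = 2 ** 32

# Fixed "now" for a reproducible run: the date of the posts, treated as UTC.
NOW = datetime.datetime(2007, 2, 24, 9, 3)


def reset_period_start(now, reset="monthly"):
    """Epoch of the start of the current reset period, what sqlcounter substitutes for %b.

    Only the monthly and daily resets from sqlcounter.conf are modelled here;
    "never" counts from the beginning of time.
    """
    if reset == "monthly":
        start = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    elif reset == "daily":
        start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    elif reset == "never":
        return 0
    else:
        raise ValueError("unsupported reset: %r" % reset)
    return calendar.timegm(start.timetuple())


def usage_since(conn, username, since_epoch):
    """Octets in both directions for sessions started at or after since_epoch.

    Same shape as the posted query; assumes the standard radacct column names
    with AcctStartTime stored as a Unix epoch (sqlite has no FROM_UNIXTIME).
    """
    row = conn.execute(
        """
        SELECT COALESCE(SUM(AcctInputOctets  + AcctInputGigawords  * ?), 0)
             + COALESCE(SUM(AcctOutputOctets + AcctOutputGigawords * ?), 0)
          FROM radacct
         WHERE UserName = ? AND AcctStartTime >= ?
        """,
        (GIGAWORD, GIGAWORD, username, since_epoch),
    ).fetchone()
    return int(row[0])


def sqlcounter_check(conn, username, max_octets, now=NOW, reset="monthly"):
    """The rlm_sqlcounter decision for one Access-Request.

    max_octets plays the role of the check item (Max-Octets in the post).
    Returns (allowed, remaining): rejected once the counter reaches the limit,
    otherwise the remaining allowance that the module would put into the
    reply-name attribute.
    """
    used = usage_since(conn, username, reset_period_start(now, reset))
    if used >= max_octets:
        return False, 0
    return True, max_octets - used


def make_sample_db():
    """In-memory radacct with constructed sessions (not real accounting data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE radacct (
               UserName TEXT, AcctStartTime INTEGER,
               AcctInputOctets INTEGER, AcctInputGigawords INTEGER,
               AcctOutputOctets INTEGER, AcctOutputGigawords INTEGER)"""
    )
    feb = calendar.timegm((2007, 2, 10, 12, 0, 0, 0, 0, 0))
    jan = calendar.timegm((2007, 1, 20, 12, 0, 0, 0, 0, 0))
    conn.executemany(
        "INSERT INTO radacct VALUES (?, ?, ?, ?, ?, ?)",
        [
            # bob, February: the output counter wrapped once, so real usage is
            # 1000 + 2000 + 2**32 octets, not 3000.
            ("bob", feb, 1000, 0, 2000, 1),
            # bob, January: must be ignored by a monthly counter in February.
            ("bob", jan, 3_000_000, 0, 4_000_000, 0),
            # alice, February: a small session.
            ("alice", feb, 10, 0, 20, 0),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    limit = 5 * 2 ** 30  # Max-Octets check item: 5 GiB per month
    for user in ("bob", "alice"):
        ok, remaining = sqlcounter_check(db, user, limit)
        print(user, "accept" if ok else "reject", "remaining:", remaining)
```

Run it and bob is accepted with about 1 GiB left under a 5 GiB limit but rejected under a 4 GiB limit; drop the gigaword terms from the query and his February usage looks like 3000 octets, which is the kind of silent undercount a counter like this is meant to prevent.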
Radclient.c hack for ntlm_auth testing
Hi All,

Is there any way to get radclient working with CHAP and ntlm_auth? If I try to use it with ntlm_auth, I get an Accept even with a bad password.

    redhatfc5:/etc/raddb # rt /tmp/file
    Sending Access-Request of id 15 to 127.0.0.1 port 1812
            User-Name = codo
            CHAP-Password = 0x0f25a253a1113c6f903f31ec0d8eb7fae9
            NAS-IP-Address = 180.44.200.10
            NAS-Port-Type = Ethernet
            NAS-Port = 1
            Calling-Station-Id = 00010001
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=15, length=61
            Tunnel-Type:0 = VLAN
            Tunnel-Medium-Type:0 = IEEE-802
            Tunnel-Private-Group-Id:0 = 103
            HP-port-priority-regeneration-table = 0
    Total approved auths: 1
    Total denied auths: 0
    Total lost auths: 0

    redhatfc5:/etc/raddb # grep codo users
    codo    Auth-Type := ntlm_auth

    redhatfc5:/etc/raddb # radtest codo badpass 127.0.0.1 1 hpsecret
    Sending Access-Request of id 144 to 127.0.0.1 port 1812
            User-Name = codo
            User-Password = badpass
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 1
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=144, length=35

The radiusd debug output shows:

      auth: type ntlm_auth
      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 0
    radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
    radius_xlat: '/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=NETIDM --username=codo --password='
    Exec-Program: /usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=NETIDM --username=codo --password=
      modcall[authenticate]: module ntlm_auth returns ok for request 0
    modcall: leaving group authenticate (returns ok) for request 0
    Login OK: [codo/CHAP-Password] (from client me port 1 cli 00010001)
      Processing the post-auth section of radiusd.conf

I saw Alan's blog that states this isn't currently available, but I was wondering if there was a way around it.

Thanks!

Corey

Corey Dow
Solution Test Center Engineer
ProCurve Networking
Hewlett-Packard Company
Re: Where to find sql counter module ?
- Original Message -
From: YvesDM
To: FreeRadius users mailing list
Sent: Saturday, February 24, 2007 9:03 AM
Subject: Re: Where to find sql counter module ?

> On 2/24/07, PD [EMAIL PROTECTED] wrote:
>> Simple question... how and where do I get the sql counter module? I have tried googling for hours but still cannot find it.
>> TIA
>> PD
>
> You should compile FR with experimental modules. You have to create the module yourself. Read rlm_sqlcounter in the doc/ folder; it explains how to use it.
>
> Kind Regards,
> Yves

--
I have done every step, but if Max-Daily-Session 3600, FR does not do anything. Why?
CHAP Modification
I'm trying to edit the way the CHAP module fetches passwords before hashing them, due to a limitation in 2 different types of hardware we have. One set of devices takes a HEX password stored on the device, converts it to binary, and then calculates the MD5 CHAP challenge to send to the server. The other set of devices just takes the HEX password and calculates the MD5 as if it were a string.

I can distinguish which device is which when I'm adding passwords to my database (by adding a prefix 0x to let me know it's going from HEX -> BIN or whatnot) because the password is fixed at 32 characters, but definitely not which device is which at run time.

I guess what I'm trying to do is find where in the CHAP encoding module the password attribute is accessed/read and then passed (I'm guessing as an argument) to be hashed. I think I could possibly do my funky math there by checking the length of the password or the first two letters, and then converting to binary as needed or just passing it through.

My problem is: where exactly is this password CHAP challenge code? I'm sifting through the radius.c file but can't seem to find anything. I'm comfortable writing some stuff with C and reading more complex things, so I don't think that will be a barrier. When I change it, will it require me to recompile everything every time I want to check?

I'm using Fedora Core 6, Freerad 1.1.4, and MySql 5.0.
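The computation the post is asking about, as an added example in Python; this is not code from the post or from FreeRADIUS. In FreeRADIUS 1.1.x the comparison is done by the rlm_chap module, which calls rad_chap_encode() from src/lib/radius.c with the User-Password check item, so the per-entry transform the poster wants would go in front of that call; the example shows what such a transform has to do and why the two device families cannot share one stored form. CHAP itself is RFC 1994: the response is MD5(Identifier || secret || challenge), and the RADIUS CHAP-Password attribute carries the one-byte identifier followed by the 16-byte response, with the challenge taken from CHAP-Challenge or, failing that, the Request Authenticator (RFC 2865 section 5.3). The '0x' prefix convention is the poster's; the two simulated device functions, the sample password and the challenge are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample data (not a real credential or a captured packet).
HEX_PW = "00112233445566778899aabbccddeeff"   # the 32-hex-char password as the poster stores it
CHALLENGE = bytes(range(16))                   # CHAP-Challenge, or the Request Authenticator


def chap_response(chap_id, secret, challenge):
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge), 16 bytes."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def stored_secret_bytes(stored):
    """Map a database entry to the bytes the device actually feeds into MD5.

    Assumed convention (from the post, not from FreeRADIUS): an entry prefixed
    with '0x' belongs to a device that converts the 32 hex characters to 16 raw
    bytes before hashing; an entry without the prefix belongs to a device that
    hashes the 32 ASCII characters as they are.
    """
    if stored.startswith("0x"):
        body = stored[2:]
        if len(body) != 32:
            raise ValueError("expected 32 hex characters after the 0x prefix")
        return bytes.fromhex(body)    # 16 raw bytes
    return stored.encode("ascii")     # 32 ASCII bytes


def verify_chap(chap_password_attr, challenge, stored):
    """Check a RADIUS CHAP-Password value (1 byte ident + 16 byte MD5) against the stored entry.

    The digest comparison is constant-time; a malformed attribute is simply a failure.
    """
    if len(chap_password_attr) != 17:
        return False
    chap_id, digest = chap_password_attr[0], chap_password_attr[1:]
    expected = chap_response(chap_id, stored_secret_bytes(stored), challenge)
    return hmac.compare_digest(expected, digest)


# Simulated NAS devices producing the CHAP-Password attribute value.
def device_hex_to_bin(chap_id, hex_password, challenge):
    """Device family A: hex password -> 16 bytes -> MD5."""
    return bytes([chap_id]) + chap_response(chap_id, bytes.fromhex(hex_password), challenge)


def device_hex_as_text(chap_id, hex_password, challenge):
    """Device family B: the 32 hex characters hashed as an ASCII string."""
    return bytes([chap_id]) + chap_response(chap_id, hex_password.encode("ascii"), challenge)


def demo():
    """Each device family verifies only against its own stored form."""
    a = device_hex_to_bin(7, HEX_PW, CHALLENGE)
    b = device_hex_as_text(7, HEX_PW, CHALLENGE)
    return {
        "A vs 0x entry": verify_chap(a, CHALLENGE, "0x" + HEX_PW),     # True
        "B vs plain entry": verify_chap(b, CHALLENGE, HEX_PW),         # True
        "A vs plain entry": verify_chap(a, CHALLENGE, HEX_PW),         # False
        "B vs 0x entry": verify_chap(b, CHALLENGE, "0x" + HEX_PW),     # False
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-18s %s" % (case, "ok" if result else "FAIL"))
```

The cross cases fail because the two families hash different byte strings for the same 32 characters, so the server must know which form a given entry is in; trying both forms for every user would work without the prefix, but it doubles the secrets accepted for each account, which is a trade-off to make deliberately rather than by accident.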
No db files for default main_ippool
Hi, I'm wondering why my two db files listed in the main_ippool do not exist. The files are db.ippool and, I think, db.index. Is there any way to create these files?

thanks
graeme
Re: Where to find sql counter module ?
YvesDM wrote:
> rlm_sqlcounter: No such attribute ChilliSpot-Max-Total-Octets
> obelix:/etc/freeradius#
>
> Strange... But I'm not in a rush, I'll find out what's wrong :-)

Looks like a dictionary problem to me. Chillispot's dictionary is not yet part of FR; you have to add it manually. Maybe someone with a little spare time can throw together the Chillispot dictionary as a patch ;-)

Graham Beneke
Re: radeapclient error !
On Fri, 23 Feb 2007 11:08:16 +0100, Alan DeKok wrote:
> Amin BEN ABDALLAH wrote:
>> I used radeapclient to test authentication with EAP-MD5
>> ...
>> I got an error in radeapclient:
>> *** glibc detected *** radeapclient: munmap_chunk(): invalid pointer:
>
> It's a bug. 1.1.5 will contain the fix.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

Using FreeRadius 1.1.4, how can I test EAP-MD5 in FreeRadius? Is that possible using radeapclient?
MAC authorisation (but not authentication) via LDAP
Hi. Probably just me not understanding...

What I want is for our switches to only allow access to MAC addresses in our LDAP database. I don't want to store passwords on our LDAP host entries.

I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value.

The trouble comes with authentication: either I set Auth-Type := Accept, in which case any failed authorisation is overridden, or I allow authentication to carry on against LDAP (or System, or whatever), in which case it always fails and access is denied, even for authorised MACs.

Is there a way to make the Authorisation part final and authoritative?

As I say, probably just being stoopid.

Mart
Re: MAC authorisation (but not authentication) via LDAP
Zitat von Martin Whinnery [EMAIL PROTECTED]:
> What I want is for our switches to only allow access to MAC addresses in our LDAP database. I don't want to store passwords on our LDAP host entries.
> [...]
> The trouble comes with authentication: either I set Auth-Type := Accept, in which case any failed authorisation is overridden, or I allow authentication to carry on against LDAP (or System, or whatever), in which case it always fails and access is denied, even for authorised MACs.
>
> Is there a way to make the Authorisation part final and authoritative?
>
> Mart

Don't know if it is a good solution, but I just do this by setting the following in radiusd.conf:

    authenticate {
        ...
        Auth-Type LdapMAC {
            ok
        }
        ...
    }

The Auth-Type is set in the users file depending on huntgroups:

    DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC

I assume there are better/smarter solutions, as one can read "don't set Auth-Type" in many places, but it works here ;-)

regards
markus

--
Markus Krause, Mogli-Soft
Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
E-Mail: [EMAIL PROTECTED] | Tel.: 089 - 89 40 85 99 | Fax.: 089 - 89 40 85 98
Re: MAC authorisation (but not authentication) via LDAP
Markus Krause wrote:
> Don't know if it is a good solution, but I just do this by setting the following in radiusd.conf:
>
>     authenticate {
>         ...
>         Auth-Type LdapMAC {
>             ok
>         }
>         ...
>     }
>
> The Auth-Type is set in the users file depending on huntgroups:
>
>     DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
>
> I assume there are better/smarter solutions, as one can read "don't set Auth-Type" in many places, but it works here ;-)

Sorry, but it's an awful suggestion. Don't do it, and certainly don't recommend others do it. There's no need to go setting Auth-Type to random values.

The correct way to do this is to reject unknown, not blindly accept known.

Example - you could modify the ldap group membership query to find groups based on both the username and callingstationid:

    groupmembership_filter = "(|(&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id}))(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})))"

Then in ldap:

    dn: cn=GoodMacs,dc=example,dc=com
    objectClass: top
    objectClass: GroupOfMacaddrs
    member: 00:11:22:33:44:55
    member: 66:77:88:99:aa:bb

Then in the users file:

    DEFAULT Ldap-Group == GoodMacs
            Fall-Through = No

    DEFAULT Auth-Type := Reject
            Reply-Message = "your mac is unknown"

There are lots of variations of this scheme.
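The default-deny decision from the reply above, as an added example in Python (not code from the thread, not part of FreeRADIUS, and not a substitute for the ldap/users configuration it sketches). The one thing the configuration cannot do by itself is cope with the different ways switches write a MAC address into Calling-Station-Id or User-Name (00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455, upper or lower case), and an address that is written differently from the group entry silently falls through to the reject rule. The example normalises the NAS-supplied value, reads the members of the GoodMacs entry from the post (reproduced here as constructed LDIF text) and evaluates a few constructed requests; the request attribute names are the RADIUS ones, the group name and reply message are the ones from the post.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{12}$")

# The GoodMacs entry from the reply above, reproduced as constructed input.
GOODMACS_LDIF = """\
dn: cn=GoodMacs,dc=example,dc=com
objectClass: top
objectClass: GroupOfMacaddrs
member: 00:11:22:33:44:55
member: 66:77:88:99:aa:bb
"""

# Constructed requests in the formats different switches use (not captured traffic).
SAMPLE_REQUESTS = [
    {"User-Name": "001122334455", "Calling-Station-Id": "00-11-22-33-44-55"},
    {"User-Name": "6677.8899.aabb", "Calling-Station-Id": "6677.8899.AABB"},
    {"User-Name": "deadbeef0000", "Calling-Station-Id": "DE:AD:BE:EF:00:00"},
    {"User-Name": "alice"},
]


def normalize_mac(value):
    """Canonicalise a NAS-supplied MAC to aa:bb:cc:dd:ee:ff.

    Accepts colon, hyphen and Cisco dot notation, bare hex and either case;
    returns None for anything that is not twelve hex digits, so arbitrary
    strings from the wire never reach the membership check.
    """
    if value is None:
        return None
    raw = re.sub(r"[:\-.\s]", "", value).lower()
    if not MAC_RE.match(raw):
        return None
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def parse_group_members(ldif):
    """Collect the normalised MACs from the 'member:' lines of a group entry."""
    members = set()
    for line in ldif.splitlines():
        if line.startswith("member:"):
            mac = normalize_mac(line.split(":", 1)[1].strip())
            if mac:
                members.add(mac)
    return members


def authorize(request, allowed):
    """Default-deny decision: accept only when the request's MAC is in the group.

    Looks at Calling-Station-Id first, then User-Name (MAC-auth switches often
    put the address in both). Returns (decision, reply attributes) the way the
    two users-file entries in the reply above would.
    """
    mac = normalize_mac(request.get("Calling-Station-Id")) or normalize_mac(request.get("User-Name"))
    if mac in allowed:
        return "accept", {"Ldap-Group": "GoodMacs"}
    return "reject", {"Reply-Message": "your mac is unknown"}


if __name__ == "__main__":
    allowed = parse_group_members(GOODMACS_LDIF)
    for req in SAMPLE_REQUESTS:
        decision, reply = authorize(req, allowed)
        print(req.get("Calling-Station-Id", req.get("User-Name")), "->", decision, reply)
```

Worth keeping in mind when deploying either version: a MAC is an identifier the client chooses, so this is authorisation of a presented address, as the thread's subject says, and not authentication of the device; the default-reject rule is what keeps a typo in the group entry or an unexpected address format from turning into an open port.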
Re: No db files for default main_ippool
Graeme Crawford wrote:
> Hi, I'm wondering why my two db files listed in the main_ippool do not exist. The files are db.ippool and, I think, db.index. Is there any way to create these files?

The server will create them. If it isn't creating them, you most likely have the permissions wrong on the filesystem. Check that the directory they are in is writeable by the user radiusd runs as.
Re: MAC authorisation (but not authentication) via LDAP
Markus Krause wrote:
> Zitat von Martin Whinnery [EMAIL PROTECTED]:
>> [...]
>> Is there a way to make the Authorisation part final and authoritative?
>>
>> Mart
>
> Don't know if it is a good solution, but I just do this by setting the following in radiusd.conf:
>
>     authenticate {
>         ...
>         Auth-Type LdapMAC {
>             ok
>         }
>         ...
>     }
>
> The Auth-Type is set in the users file depending on huntgroups:
>
>     DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
>
> I assume there are better/smarter solutions, as one can read "don't set Auth-Type" in many places, but it works here ;-)
>
> regards
> markus

Thanks Markus, the problem seems to be that the authorisation pass returns notfound, whereas I want it to reject, as if it found an entry in LDAP without the appropriate attribute.

Mart
Re: MAC authorisation (but not authentication) via LDAP
Zitat von Phil Mayers [EMAIL PROTECTED]:
> Markus Krause wrote:
>> Don't know if it is a good solution, but I just do this by setting the following in radiusd.conf:
>> [...]
>> I assume there are better/smarter solutions, as one can read "don't set Auth-Type" in many places, but it works here ;-)
>
> Sorry, but it's an awful suggestion. Don't do it, and certainly don't recommend others do it. There's no need to go setting Auth-Type to random values.

No need to say sorry, and I did not mean this as a suggestion but just to show how I did it, along with the warning that it is not a good solution. And I am really open to any suggestions/corrections!

> The correct way to do this is to reject unknown, not blindly accept known.

Hmm, maybe I should have been more precise about what I am doing; at least I am not thinking of blindly accepting known. Let me describe the scenario and what I am doing:

We have a radius server which is contacted by a vpn-concentrator, a wlan-router and several switches which have dynamic ports (with vlan based on mac) and 802.1x ports (vlan based on users). Depending on the huntgroup (chosen via nas-ip-address) I am setting auth-type and autz-type. I read in several places that this is commonly a very bad idea, but I could not think of another way to solve it and it works for me (at least it seems so). Again, I am open to any suggestions/corrections!

The users for vpn and wlan are authenticated/authorized via ldap user entries ((&(uid=..)(objectclass=posixaccount))); some accounts for wlan are also stored in sql (for guests, only valid for a fixed number of days after first usage). The vlans for users and devices are stored in radiusprofiles.

Then finally the mac addresses are stored in a way a dhcpd server can understand as well, so I do not have redundant entries (easier to maintain). All known mac addresses are therefore accepted, unknown are rejected (I am using the ldap query

    filter = (dhcpHWAddress=ethernet %{Stripped-User-Name:-%{User-Name}})

and

    base_filter = (|(objectClass=dhcpHost)(objectClass=ipNetwork))

to verify in the autz section). And here again: any suggestions/corrections are really appreciated! So far (just in testing, not yet fully in production) this solution does what it should, but there are certainly better ways to do this!

> Example - you could modify the ldap group membership query to find groups based on both the username and callingstationid:
>
>     groupmembership_filter = "(|(&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id}))(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})))"
>
> Then in ldap:
>
>     dn: cn=GoodMacs,dc=example,dc=com
>     objectClass: top
>     objectClass: GroupOfMacaddrs
>     member: 00:11:22:33:44:55
>     member: 66:77:88:99:aa:bb
>
> Then in the users file:
>
>     DEFAULT Ldap-Group == GoodMacs
>             Fall-Through = No
>
>     DEFAULT Auth-Type := Reject
>             Reply-Message = "your mac is unknown"
>
> There are lots of variations of this scheme.

I am not sure if your approach could really fulfil my needs (no redundancy, serving different types of requests) ... but I would really like to know ;-)

with best regards
markus

--
Markus Krause, Mogli-Soft
Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
E-Mail: [EMAIL PROTECTED] | Tel.: 089 - 89 40 85 99 | Fax.: 089 - 89 40 85 98
Re: MAC authorisation (but not authentication) via LDAP
Zitat von Martin Whinnery [EMAIL PROTECTED]:
> Thanks Markus, the problem seems to be that the authorisation pass returns notfound, whereas I want it to reject, as if it found an entry in LDAP without the appropriate attribute.
>
> Mart

Hi Mart,

Ugh, you are of course right, I forgot one important detail, sorry! (It has been quite a while since I set this up and it is getting quite late in the night now ...)

Directly after the ldap entry in authorize I call a small perl script which checks for $RAD_REQUEST{'Module-Failure-Message'}, and if it is set then returns RLM_MODULE_REJECT, so 'notfound' is replaced by 'reject'.

I must admit that this actually is a very dirty solution ... I should really rethink it (although it works ...)

regards
markus

--
Markus Krause, Mogli-Soft
Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
E-Mail: [EMAIL PROTECTED] | Tel.: 089 - 89 40 85 99 | Fax.: 089 - 89 40 85 98
Re: Where to find sql counter module ?
On 2/24/07, Graham Beneke [EMAIL PROTECTED] wrote:
> Looks like a dictionary problem to me. Chillispot's dictionary is not yet part of FR; you have to add it manually. Maybe someone with a little spare time can throw together the Chillispot dictionary as a patch ;-)
>
> Graham Beneke

Yeah, that was my first thought too, but I've added the dictionary before, so the dictionary is there.

Kind regards,
Yves