Re: Question regarding external script authentication

2007-05-17 Thread Patric
Alan DeKok wrote:
> Patric wrote:
>> I just want to clarify, if I set the reject_delay to 0, and in my 
>> external script the only thing I do is "exit(1);", then freeradius will 
>> return a reject response to the NAS?
> 
>   It will send a reject to the NAS.

Thanks Alan, you're an absolute gem!

Patrick


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Performance with Freeradius-1.1.4

2007-05-17 Thread nikitha george

Hi Alan,

I have not enabled full debugging with -X option. But syslog was enabled,
all the logs were redirected to a remote syslog server. You want me to test
with all the debugging including syslog turned off?

Thanks,
Nikitha
On 5/18/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:


Hi,

> If I connect 2 clients per second then all the clients ( 2 per second
> for 30 minutes ) are getting connected.
>
> Please let me know what could be the reason for this? The log file is
> very huge.. if you could not figure out the issue with the above statistic
> it will send the log to the group.

is this with full debugging turned on? if so, try it with full debug off.
the server will spend quite some time spewing that text out in debug mode

alan


usage counter....

2007-05-17 Thread Trio Yulistianto

next problem...
I have read all the documentation about sql counter and all of it is time based..
any documentation about volume based?
volume based (total of inputoctets and outputoctets)
in my case, I want to give the user a limitation on his byte usage,
ie. user heavy  : has 10 Gb (total of inputoctets and outputoctets) per month
user medium : has 5 Gb (total of inputoctets and outputoctets) per month
user light : has 1 Gb (total of inputoctets and outputoctets) per month

how can that be handled by freeradius and mysql?
fyi. my nas is mikrotik v2.9.40
for now I am just limiting by the Mikrotik-Recv-Limit and Mikrotik-Xmit-Limit
attributes
any solution to limit by the total of those 2 variables?

thanks be4
trio
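A volume-based counter worked out in MySQL against constructed radacct rows, as an added example (not from the original post and not the FreeRADIUS project's own code). It computes the per-user input+output total for the current month the way an rlm_sqlcounter query would, then compares it with the per-plan limits from the post; the radacct table is a cut-down copy of the standard schema, the period start is a literal in place of the module's %b substitution, and 'Max-Monthly-KBytes' is a hypothetical check attribute name.

```sql
-- Added example (not from the original post). Cut-down copy of the
-- standard radacct table, with only the columns a byte counter needs.
CREATE TABLE radacct (
  RadAcctId        BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  UserName         VARCHAR(64)     NOT NULL DEFAULT '',
  AcctStartTime    DATETIME        NOT NULL,
  AcctSessionTime  INT UNSIGNED,
  AcctInputOctets  BIGINT,
  AcctOutputOctets BIGINT
);

-- Constructed sample sessions. The first 'heavy' session starts in April
-- and ends in May; a byte counter has to decide which month it belongs to.
-- The last 'light' session ended in April and must not count toward May.
INSERT INTO radacct
  (UserName, AcctStartTime, AcctSessionTime, AcctInputOctets, AcctOutputOctets)
VALUES
  ('heavy', '2007-04-30 23:00:00', 7200, 2000000000, 500000000),
  ('heavy', '2007-05-02 10:00:00', 3600, 3000000000, 1000000000),
  ('light', '2007-05-03 08:00:00', 1800,  600000000,  200000000),
  ('light', '2007-04-10 08:00:00', 1800,  900000000,  300000000);

-- Start of the reset period. When rlm_sqlcounter runs the query itself it
-- substitutes %b for this value and %k for the key attribute (User-Name);
-- here both are literals. 2007-05-01 00:00:00 UTC = 1177977600.
-- UNIX_TIMESTAMP(AcctStartTime) uses the MySQL session time zone, so the
-- RADIUS server and the database must agree on it or sessions near the
-- month boundary land in the wrong period.
SET @period_start := 1177977600;

-- Per-user total for the period, in kilobytes. The stock time-based query
-- pro-rates a straddling session with GREATEST(); bytes cannot be pro-rated
-- per second, so a session is counted in full if it ended inside the period.
-- Counting in KB keeps the values inside the 32-bit integers the 1.x module
-- compares against, which 10 GB expressed in bytes would overflow.
SELECT UserName,
       SUM(AcctInputOctets + AcctOutputOctets) DIV 1024 AS used_kbytes
FROM   radacct
WHERE  UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > @period_start
GROUP  BY UserName;

-- The same total compared against the plan limits from the post (10 GB,
-- 5 GB, 1 GB, here in KB). In production the limit would be a check
-- attribute in radcheck ('Max-Monthly-KBytes' is a hypothetical name that
-- would have to be added to the local dictionary); here it is an inline
-- table so the block runs on its own.
SELECT u.UserName, u.used_kbytes, p.limit_kbytes,
       CASE WHEN u.used_kbytes >= p.limit_kbytes THEN 'reject'
            ELSE 'accept' END AS decision
FROM (
       SELECT UserName,
              SUM(AcctInputOctets + AcctOutputOctets) DIV 1024 AS used_kbytes
       FROM   radacct
       WHERE  UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > @period_start
       GROUP  BY UserName
     ) AS u
JOIN (
       SELECT 'heavy'  AS UserName, 10485760 AS limit_kbytes UNION ALL
       SELECT 'medium',              5242880              UNION ALL
       SELECT 'light',               1048576
     ) AS p ON p.UserName = u.UserName;
```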

Re: confusing about Simultaneous-Use (still)

2007-05-17 Thread Trio Yulistianto

solved, thanks...
I just commented out this part:
#simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

and now everything works well
thanks for any reply


2007/5/18, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:


Did you change the type for this NAS to "other"?

Ivan Kalik
Kalik Informatika ISP


Dana 17/5/2007, "Trio Yulistianto" <[EMAIL PROTECTED]> piše:

>hi all, I'm using Freeradius-1.1.6 with a mysql database. I'm still confused
>about simultaneous-use.
>I want to limit the maximum number of simultaneous logons (just 1
>session can log in for every 1 user at the same time)
>this is my radiusd.conf
>
>session {
>    sql
>}
>and this is my database:
>mysql> select * from radcheck where username='[EMAIL PROTECTED]';
>+----+-------------------+------------------+----+----------+
>| id | UserName          | Attribute        | op | Value    |
>+----+-------------------+------------------+----+----------+
>| 55 | [EMAIL PROTECTED] | Password         | == | denpasar |
>| 65 | [EMAIL PROTECTED] | Simultaneous-Use | := | 1        |
>+----+-------------------+------------------+----+----------+
>2 rows in set (0.00 sec)
>mysql> select username,acctstoptime from radacct where
>username='[EMAIL PROTECTED]' and acctstoptime=0;
>+-------------------+---------------------+
>| username          | acctstoptime        |
>+-------------------+---------------------+
>| [EMAIL PROTECTED] | 0000-00-00 00:00:00 |
>+-------------------+---------------------+
>1 row in set (0.00 sec)
>
>with that config and data rows, user [EMAIL PROTECTED] can log in for a second
>session
>:(
>any help expected
>
>thanks
>trio



EAP-TTLS Accounting Bug

2007-05-17 Thread Sam Schultz
I didn't see anything about it in the list of changes, but I was wondering
if this issue has been fixed in any recent releases ( > 1.1.5)

Quick summary of the problem is that the := operator wouldn't replace
the current anonymous outer identity for the User-Name attribute, but
rather would just add another User-Name attribute. All output then of
course used the anonymous identity, which isn't helpful in the least
for radius accounting, or user tracking.

> -----Original Message-----
> From: freeradius-users-bounces+jhubert=med-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Sam Schultz
> Sent: Wednesday, March 14, 2007 7:14 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: RE : EAP-TTLS outer identity & accounting
>
> An entry like:
>
> DEFAULT Realm == "test", Autz-Type := sql-test
>         User-Name = "%{User-Name}"
>
> does add a new User-Name attribute with the proper value, but I need a
> way to delete the anonymous@ entry still, because I get Access-Accepts
> like this:
>
> Sending Access-Accept of id 134 to 192.168.0.5 port 5190
>         User-Name := "[EMAIL PROTECTED]"
>         User-Name := "[EMAIL PROTECTED]"
>
> Followed by Accounting-Requests that still contain the anonymous
> entry, so it is still using the oldest (first?) User-Name attribute. Is
> there any way at all to REMOVE already set attributes so they aren't
> re-sent to the NAS?
>
> For that matter, shouldn't the "use_tunneled_reply = yes" in the ttls
> module configuration have kept me from having this problem?
>
> I also have copy_request_to_tunnel set to yes, but I doubt that should
> be causing a problem like this.
>
> On Wed, 14 Mar 2007 13:03:21 -0500 Sam Schultz <[EMAIL PROTECTED]> wrote:
> >On Wed, 14 Mar 2007 11:25:20 -0500 Thibault Le Meur <[EMAIL PROTECTED]> wrote:
> >>> -----Original Message-----
> >>> From: freeradius-users-[EMAIL PROTECTED]radius.org [mailto:freeradius-users-[EMAIL PROTECTED]sts.freeradius.org] On behalf of Sam Schultz
> >>> Sent: Wednesday 14 March 2007 17:13
> >>> To: freeradius-users@lists.freeradius.org
> >>> Subject: Re: EAP-TTLS outer identity & accounting
> >>>
> >>> On Tue, 13 Mar 2007 13:15:52 -0500 Alan DeKok <[EMAIL PROTECTED]> wrote:
> >>> >Sam Schultz wrote:
> >>> >>
> >>> >> This should be solvable by adding something like 'User-Name =
> >>> >> %{User-Name}' to the DEFAULT entries in the users file,
> >>> >> correct?
> >>> >
> >>> >  Yes.
> >>>
> >>> One of my users file DEFAULT entries looks like this:
> >>>
> >>> DEFAULT Realm == "test", Autz-Type := sql-test, User-Name = "%u"
> >>>
> >>> However, FreeRADIUS tells me this:
> >>>
> >>> Error: Invalid operator for item User-Name: reverting to '=='
> >>>
> >>> I assume I'm not supposed to forcibly change User-Name, so what
> >>> attribute would I set to return the correct username to the NAS?
> >>
> >>> I know there is a run-time variable %{reply:User-Name}, would I
> >>> need to somehow update it with the correct value for User-Name
> >>> instead?
> >>
> >>Yes, by simply adding the User-Name = XXX to the reply items (that
> >>is to say not on the first line). Try something like this:
> >
> >This didn't make much sense at first, but I think I understand it now.
> >What you're saying is that the first line is only for check items,
> >which is why I couldn't set User-Name there. The second line and beyond
> >then are for, what? Reply items ONLY, or check & reply items? Is this
> >documented anywhere? I just did a quick check through the freeradius
> >doc directory, and only found a rlm_fastusers document which didn't
> >have anything to say about format restrictions.
> >
> >>
> >>DEFAULT Realm == "test", Autz-Type := sql-test
> >>        User-Name=`%{User-Name}`
> >>
> >>HTH,
> >>Thibault



SQL query in Pre-Proxy

2007-05-17 Thread Ivan Kalik
> do you mean that i have to do the following:
> in the radcheck i have to put
> username    calling-station-id    =    number
> and in the radreply,
> username    proxy-to-realm    :=    domain

No. Put them both in radcheck:

INSERT INTO radcheck SET UserName='thatname',
  Attribute='Calling-Station-Id', op='==', Value='thatnumber';
INSERT INTO radcheck SET UserName='thatname', Attribute='Proxy-To-Realm',
  op=':=', Value='thatdomain';

Use the correct operators. "=" is not the same as "==" and is not allowed as a
check operator.

Ivan Kalik
Kalik Informatika ISP
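The two radcheck rows above as runnable MySQL, followed by an audit query that lists rows whose operator is not valid on a check item (the "=" versus "==" mistake Ivan points out). This is an added example, not Ivan's or the FreeRADIUS project's own code; the table is a cut-down copy of the standard radcheck schema and 'thatname', 'thatnumber', 'thatdomain' and 'othername' are placeholders.

```sql
-- Added example (not from the original post). Cut-down copy of the
-- standard FreeRADIUS radcheck table; the op column is what this thread
-- is about.
CREATE TABLE radcheck (
  id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  UserName  VARCHAR(64)  NOT NULL DEFAULT '',
  Attribute VARCHAR(32)  NOT NULL DEFAULT '',
  op        CHAR(2)      NOT NULL DEFAULT '==',
  Value     VARCHAR(253) NOT NULL DEFAULT ''
);

-- Both rows go into radcheck, as Ivan says: Calling-Station-Id is a check
-- item ('==' compares the stored value against the request), and
-- Proxy-To-Realm is set with ':=' so it overrides any earlier value.
-- 'thatname', 'thatnumber' and 'thatdomain' are placeholders from the post.
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES
  ('thatname', 'Calling-Station-Id', '==', 'thatnumber'),
  ('thatname', 'Proxy-To-Realm',     ':=', 'thatdomain');

-- A deliberately wrong row, constructed here to show what the audit below
-- catches: '=' is a reply-list operator and is not valid on a check item,
-- so this row does not do the comparison its author intended.
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES
  ('othername', 'Calling-Station-Id', '=', 'othernumber');

-- Audit: every radcheck row whose op is not one of the operators accepted
-- on check items. Worth running after hand-editing the table, since a bad
-- operator only shows up at request time as an "Invalid operator for item"
-- warning in the server log. Only the 'othername' row should come back.
SELECT id, UserName, Attribute, op, Value
FROM   radcheck
WHERE  op NOT IN ('==', ':=', '!=', '>', '>=', '<', '<=',
                  '=~', '!~', '=*', '!*');
```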



Re: db performance

2007-05-17 Thread Phil Mayers
> 
> What kind of performance are people getting in general ?

This is a pretty small installation I guess, but to give you an idea...

We have two servers; dual 3.2GHz HP DL380G4s with mirrored disks and 3Gb 
RAM. Both run identically configured radius instances. One of the radius 
servers also runs the main postgres server, the other radius server runs 
a postgres hot standby (slony replica). Postgres is v8.3, standard FR 
SQL schema.

Network is ~450 Cisco heavyweight APs, ~1000 3Com 4400 switches (of 
which 1/3rd are doing MAC-based vlans - the rest soon) and two heavily 
used PPTP VPN servers.

Quick disclaimer: these numbers were gathered quickly and may not be 
accurate, don't sell your house based on them yadda yadda.

We did ~25k authentications in the last 24 hours, about a 90/10 mix of 
EAP-PEAP/MS-CHAP (wireless) and plain MS-CHAP (PPTP). All breakout to AD 
via winbind. Average EAP exchange for us is 10 packets (5 request, 5 
response) and it's obviously crypto-heavy.

We handled ~115k accounting packets (mix of start, interim @ 300-second 
intervals and stop; averaged ratio 1:3.8:1) all of which were inserted 
direct into the SQL db on the primary radius server - no radsqlrelay or 
similar. At the same time, the SQL data was replicated to the 
installation on the slave SQL server (i.e. 2nd radius server).

We also handled about ~75k PAP requests (MAC-based vlans) on the primary 
radius server. Each of these used an Exec-Program (so, fork+exec) to 
syslog the info (different setup, no SQL there yet).

Finally we dump the SQL rows for finished sessions >3 days old from the 
radacct table into .csv files nightly. These files average ~15-30k 
entries - our average daily NAS session count, in other words.

The servers break even at about 3% utilisation per processor, most of 
which I'm confident is crypto.

Basically, FreeRadius is *fast*.


Re: db performance

2007-05-17 Thread Peter Nixon
On Fri 18 May 2007, Arran Cudbard-Bell wrote:
> Peter Nixon wrote:
> > On Thu 17 May 2007, Alan DeKok wrote:
> >> Angelos Karageorgiou wrote:
> >>> Has anyone had the time to do a DB performance comparison for heavily
> >>> loaded freeradius servers ?
> >>
> >>   If your server is busy enough to be heavily loaded, you need multiple
> >> machines to maintain quality service.  Once you have multiple machines,
> >> DB performance matters a lot less, because the load is spread across
> >> multiple machines.
> >>
> >>   For DB specific issues, look for DB performance on google. 
> >> PostgreSQL usually has better performance than MySQL.  The application
> >> using the DB (radius, web, etc.) has very little effect on DB
> >> performance.
> >
> > Unless you are doing monthly or yearly summary reports which can take a
> > lightly loaded DB server and peg it for minutes at a time...
> >
> > The lesson.. Keep a second DB for reporting :-)
>
> Or use clustering :p
>
> What kind of performance are people getting in general ?
>
> On our test servers we get about 460 pap req/s using LDAP + SQL + SQL
> xlat for authorisation,
> and around 800ish when just using LDAP
>
> Which isn't that bad really... 1 LDAP lookup 5 sql selects and 1 sql
> insert per query ...
>
> Flat out using pap only and users file we only get 4600 req/s ... must
> be something weird with the G5s 
>
> Would be nice if someone altered the make file to pass the G5
> optimisation flags by default ;)

Patches are gratefully accepted :-)


-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: db performance

2007-05-17 Thread Peter Nixon
On Thu 17 May 2007, [EMAIL PROTECTED] wrote:
> Hi,
>
> > Unless you are doing monthly or yearly summary reports which can take a
> > lightly loaded DB server and peg it for minutes at a time...
> >
> > The lesson.. Keep a second DB for reporting :-)
>
> or use a DB that can handle non-blocking selects?  ;-)

I use PostgreSQL... I didn't say that it stops the DB or queries.. Just that 
it "works" it in a way the FreeRADIUS will not. If the report is big enough 
and you have a heavy enough RADIUS load, it _can_ be enough load to push 
your box over the limit and start timing out requests...

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: db performance

2007-05-17 Thread Arran Cudbard-Bell
Peter Nixon wrote:
> On Thu 17 May 2007, Alan DeKok wrote:
>   
>> Angelos Karageorgiou wrote:
>> 
>>> Has anyone had the time to do a DB performance comparison for heavily
>>> loaded freeradius servers ?
>>>   
>>   If your server is busy enough to be heavily loaded, you need multiple
>> machines to maintain quality service.  Once you have multiple machines,
>> DB performance matters a lot less, because the load is spread across
>> multiple machines.
>>
>>   For DB specific issues, look for DB performance on google.  PostgreSQL
>> usually has better performance than MySQL.  The application using the DB
>> (radius, web, etc.) has very little effect on DB performance.
>> 
>
> Unless you are doing monthly or yearly summary reports which can take a 
> lightly loaded DB server and peg it for minutes at a time...
>
> The lesson.. Keep a second DB for reporting :-)
>
>
>   
Or use clustering :p

What kind of performance are people getting in general ?

On our test servers we get about 460 pap req/s using LDAP + SQL + SQL 
xlat for authorisation,
and around 800ish when just using LDAP

Which isn't that bad really... 1 LDAP lookup 5 sql selects and 1 sql 
insert per query ...

Flat out using pap only and users file we only get 4600 req/s ... must 
be something weird with the G5s 

Would be nice if someone altered the make file to pass the G5 
optimisation flags by default ;)





Re: confusing about Simultaneous-Use (still)

2007-05-17 Thread tnt
Did you change the type for this NAS to "other"?

Ivan Kalik
Kalik Informatika ISP


Dana 17/5/2007, "Trio Yulistianto" <[EMAIL PROTECTED]> piše:

>hi all, I'm using Freeradius-1.1.6 with a mysql database. I'm still confused
>about simultaneous-use.
>I want to limit the maximum number of simultaneous logons (just 1
>session can log in for every 1 user at the same time)
>this is my radiusd.conf
>
>session {
>    sql
>}
>and this is my database:
>mysql> select * from radcheck where username='[EMAIL PROTECTED]';
>+----+-------------------+------------------+----+----------+
>| id | UserName          | Attribute        | op | Value    |
>+----+-------------------+------------------+----+----------+
>| 55 | [EMAIL PROTECTED] | Password         | == | denpasar |
>| 65 | [EMAIL PROTECTED] | Simultaneous-Use | := | 1        |
>+----+-------------------+------------------+----+----------+
>2 rows in set (0.00 sec)
>mysql> select username,acctstoptime from radacct where
>username='[EMAIL PROTECTED]' and acctstoptime=0;
>+-------------------+---------------------+
>| username          | acctstoptime        |
>+-------------------+---------------------+
>| [EMAIL PROTECTED] | 0000-00-00 00:00:00 |
>+-------------------+---------------------+
>1 row in set (0.00 sec)
>
>with that config and data rows, user [EMAIL PROTECTED] can log in for a second
>session
>:(
>any help expected
>
>thanks
>trio



Re: db performance

2007-05-17 Thread A . L . M . Buxey
Hi,

> Unless you are doing monthly or yearly summary reports which can take a 
> lightly loaded DB server and peg it for minutes at a time...
> 
> The lesson.. Keep a second DB for reporting :-)

or use a DB that can handle non-blocking selects?  ;-)

alan


Re: Performance with Freeradius-1.1.4

2007-05-17 Thread A . L . M . Buxey
Hi,

> If I connect  2  clients per second then all the clients ( 2 per second for
> 30 minutes ) are getting connected.
> 
> Please let me know what could be the reason for this? The log file is very
> huge.. if you could  not figure out the issue with the above statistic it
> will send the log to the group.

is this with full debugging turned on? if so, try it with full debug off.
the server will spend quite some time spewing that text out in debug mode

alan


Re: db performance

2007-05-17 Thread A . L . M . Buxey
Hi,

> Yep. Last "production" load test I did was with Postgresql 7.x, FreeRADIUS 
> 1.0 and my pgsql-voip.conf was on a 4GB table and I was happily pushing a 
> steady 800 Accounting requests per second on a single CPU P4 3.0 desktop 
> machine with a single 7200rpm PATA disk. This was around 5 years ago.

5 years ago...Pentium 4. hmmm. that would have been the rather poor
Northwood P4 processor too - several functions missing from the core, small
L2 cache and slow FSB.

> My current production servers are single Opteron CPU SunFire 2100 machines 
> with SATA disks. The backend DBs are the same. The RADIUS boxes never break 
> 3% CPU load. The Postgresql servers are IO bound by the SATA disks

dirty thought... if these are mainly queries then you *could* do the
following (depending on memory and table size): simply create a
4Gb tmpfs partition and use that for the database - with the real
disk-based database being a synchronized DB. 

> Basically on a properly designed DB server, with the correct indexes for your 
> data you are always going to be IO bound for any type of RADIUS requests 
> that don't involve EAP (expensive crypto operations)

...and even those *might* be offloaded onto an SSL crypto acceleration card

alan


Re: db performance

2007-05-17 Thread A . L . M . Buxey
Hi,

> Let me elucidate my situation a bit, the organization where I am 
> currently employed is split into factions. The faction I run is heavily 
> OSS friendly , the application development/ DBA faction is not!

yes. i can imagine. I'd always imagine what it could be like to setup 
your FR/MySQL solution and have it ticking away, then letting them go 
ahead with the IAS/Oracle/Consultancy route... but I feel it's unethical
(waste of money, waste of time, wrong tools etc). however, if they DO
want to pay 50k EUR then let them - FreeRADIUS, MySQL + Linux could
always do with some hard cash to developer time! ;-)

> What I need is proof positive that mysql / postgresql is at least as 
> good as oracle for a radius DB.

pah. can of worms and a mix of politics. there are PLENTY of articles
that feature such details and reports. the issue of FreeRADIUS is nothing
here - the importance is how each database scales, how many trans/sec it can
do. how you can configure failover/redundancy/hot-spare etc. but support
is a major factor in many context.

alan


Re: Machine account authentication progress?

2007-05-17 Thread A . L . M . Buxey
Hi,

> Ahhh... hmm... they work ok when authenticating user based, just not
> computer/machine based.  Maybe Netgear stuff just isn't up to it?

without configuration, the machine is probably attempting an
EAP-TLS smartcard-type login? 

alan


Re: db performance

2007-05-17 Thread Peter Nixon
On Thu 17 May 2007, Alan DeKok wrote:
> Angelos Karageorgiou wrote:
> > Has anyone had the time to do a DB performance comparison for heavily
> > loaded freeradius servers ?
>
>   If your server is busy enough to be heavily loaded, you need multiple
> machines to maintain quality service.  Once you have multiple machines,
> DB performance matters a lot less, because the load is spread across
> multiple machines.
>
>   For DB specific issues, look for DB performance on google.  PostgreSQL
> usually has better performance than MySQL.  The application using the DB
> (radius, web, etc.) has very little effect on DB performance.

Unless you are doing monthly or yearly summary reports which can take a 
lightly loaded DB server and peg it for minutes at a time...

The lesson.. Keep a second DB for reporting :-)


-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: db performance

2007-05-17 Thread Peter Nixon
On Thu 17 May 2007, Angelos Karageorgiou wrote:
> Hello gentle people
>
> Has anyone had the time to do a DB performance comparison for heavily
> loaded freeradius servers ?

Yep. Last "production" load test I did was with Postgresql 7.x, FreeRADIUS 
1.0 and my pgsql-voip.conf was on a 4GB table and I was happily pushing a 
steady 800 Accounting requests per second on a single CPU P4 3.0 desktop 
machine with a single 7200rpm PATA disk. This was around 5 years ago.

My current production servers are single Opteron CPU SunFire 2100 machines 
with SATA disks. The backend DBs are the same. The RADIUS boxes never break 
3% CPU load. The Postgresql servers are IO bound by the SATA disks

Basically on a properly designed DB server, with the correct indexes for your 
data you are always going to be IO bound for any type of RADIUS requests 
that don't involve EAP (expensive crypto operations)

HTH

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


confusing about Simultaneous-Use (still)

2007-05-17 Thread Trio Yulistianto

hi all, I'm using Freeradius-1.1.6 with a mysql database. I'm still confused
about simultaneous-use.
I want to limit the maximum number of simultaneous logons (just 1
session can log in for every 1 user at the same time)
this is my radiusd.conf

session {
   sql
}
and this is my database:
mysql> select * from radcheck where username='[EMAIL PROTECTED]';
+----+-------------------+------------------+----+----------+
| id | UserName          | Attribute        | op | Value    |
+----+-------------------+------------------+----+----------+
| 55 | [EMAIL PROTECTED] | Password         | == | denpasar |
| 65 | [EMAIL PROTECTED] | Simultaneous-Use | := | 1        |
+----+-------------------+------------------+----+----------+
2 rows in set (0.00 sec)
mysql> select username,acctstoptime from radacct where
username='[EMAIL PROTECTED]' and acctstoptime=0;
+-------------------+---------------------+
| username          | acctstoptime        |
+-------------------+---------------------+
| [EMAIL PROTECTED] | 0000-00-00 00:00:00 |
+-------------------+---------------------+
1 row in set (0.00 sec)

with that config and data rows, user [EMAIL PROTECTED] can log in for a second
session
:(
any help expected

thanks
trio

Re: db performance

2007-05-17 Thread Angelos Karageorgiou
Man thanks to all you folks for all the info.

Let me elucidate my situation a bit, the organization where I am 
currently employed is split into factions. The faction I run is heavily 
OSS friendly , the application development/ DBA faction is not!

I have deployed freeradius with mysql backends in the past with great 
success (100K users etc.)
but the current people being insecure prefer to fork out 50K euros / 
year for oracle RAC licenses
instead of looking into an "unsupported" platform

What I need is proof positive that mysql / postgresql is at least as 
good as oracle for a radius DB.

Again thanks.

BTW , I have been using freeradius for a number of years , I would like 
to thank the developers for an awesome product



Arran Cudbard-Bell wrote:
> Alan DeKok wrote:
>   
>> Angelos Karageorgiou wrote:
>> 
>>> Has anyone had the time to do a DB performance comparison for heavily
>>> loaded freeradius servers ?
>>>   
>>   If your server is busy enough to be heavily loaded, you need multiple
>> machines to maintain quality service.  Once you have multiple machines,
>> DB performance matters a lot less, because the load is spread across
>> multiple machines.
>>
>>   For DB specific issues, look for DB performance on google.  PostgreSQL
>> usually has better performance than MySQL.  The application using the DB
>> (radius, web, etc.) has very little effect on DB performance.
>>
>> 
>
> However if you do choose to use MySQL, setting up query caching properly 
> will have a huge (positive) impact on performance.
>
> Same data being read out of the database four times, per authentication 
> session 
>
> Clustering is a good idea too, though it's not a good idea to run an SQL 
> server / SQL cluster node / LDAP directory server on the same box as 
> FreeRADIUS as it will almost always have a negative impact on performance.
>
>   


Re: expiration doesn't work in freebsd + mysql (sparc64 only)

2007-05-17 Thread Richard Cotrina
Hello :

It seems that something goes wrong on the FreeBSD/sparc64 platform, because
the same configuration also works in FreeBSD/i386.

The problem appears when rlm_sqlcounter is enabled.

Here is the normal debug output for i386 (authentication gets an
access-accept) :

#
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = '[EMAIL PROTECTED]'   ORDER BY
id'
rlm_sql (sql): Reserving sql socket id: 7
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = '[EMAIL PROTECTED]'   ORDER BY
id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 7
  modcall[authorize]: module "sql" returns ok for request 1
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime -
GREATEST((1179378000 - UNIX_TIMESTAMP(AcctStartTime)), 0))
[...]



On the other hand, this is the debug output for FreeBSD/sparc64, where the
authentication gets an access-reject:

***
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = '[EMAIL PROTECTED]'   ORDER BY
id'
rlm_sql (sql): Reserving sql socket id: 8
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = '[EMAIL PROTECTED]'   ORDER BY
id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 8
Invalid operator for item Expiration: reverting to '=='
Invalid operator for item Expiration: reverting to '=='
Invalid operator for item Expiration: reverting to '=='
Invalid operator for item Expiration: reverting to '=='
Invalid operator for item Expiration: reverting to '=='
Invalid operator for item Expiration: reverting to '=='
Invalid operator for item Expiration: reverting to '=='
rlm_sql (sql): No matching entry in the database for request from user
[EMAIL PROTECTED]
  modcall[authorize]: module "sql" returns notfound for request 1
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
[...]
*


In both cases, the radiusd.conf and sql.conf are identical, as well as the
database. Freeradius version 1.1.6 from ports.

Is there any function or module that could depend on the architecture type?
Or maybe a special flag is needed during compilation for 64-bit platforms?

Regards

Richard Cotrina

- Original Message -
From: "Richard Cotrina" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Thursday, May 03, 2007 2:46 PM
Subject: expiration doesn't work in freebsd + mysql


> Hello :
>
> I'm getting a weird error using expiration with mysql backend in FreeBSD.
> The same configuration works fine in linux (centos) but not in FreeBSD 6.1
>
> In Linux, all works fine (freeradius 1.1.6 + mysql 5.0), I've tried both
> "==" and ":=" operators and everything goes well.
>
> In FreeBSD 6.1 (freeradius 1.1.6 + mysql 4.1) everything works fine until I
> enable Expiration in the user's attributes. Despite the fact that I use the
> same configuration, I got the following message, whatever the operator be:
>
> Invalid operator for item Expiration: reverting to '=='
> rlm_sql (sql): No matching entry in the database for request from user
> [EMAIL PROTECTED]
>
> Has anyone had a similar experience ?
>
> Kind Regards
>
> Richa

Very critical: Memory leak in freeradius-1.1.6

2007-05-17 Thread nikitha george

Hi,

I am seeing a very serious memory leak issue with freeradius-1.1.6. The
memory usage of freeradius went from 3386 bytes to 64MB when I was trying to
connect 16 clients with a roaming interval of 1 second. More Access-Requests
are coming and we keep saving those requests until cleanup_delay.

After my initial investigation in the source code, we keep cleaning the
requests only if the select() fails, which means no more requests to handle.
But in my case the clients keep sending requests; I think the cached
request_list is not cleared properly or misses out some requests or
something happens, I guess. I may be wrong too, so please let me know what
could be the root cause.

Awaiting your earliest reply.

Thanks,
Nikitha

Re: Performance with Freeradius-1.1.4

2007-05-17 Thread nikitha george

No. I am using local database.

On 4/27/07, inverse <[EMAIL PROTECTED]> wrote:


> I am using freeradius-1.1.4 with PEAP-MSCHAPV2. Each session starting
> from Access-Request till Access-Accept it takes more than 250ms to complete.
> Is

are you doing it against an LDAP server?


Re: Performance with Freeradius-1.1.4

2007-05-17 Thread nikitha george

Hi Alan,

I regret the late reply.
Yes. I am running the server in single threaded mode. Will it be an overhead
that takes more time?
I verified the same by running on a different high speed machine. It looks
pretty okay. It took around 150ms. So I am okay with this performance.

But one more issue i am facing is when i try to connect 3 clients per second
for 30 minutes with freeradius-1.1.6 only 200 or 250 clients are getting
connected ( means 67 to 83 seconds the authentication happened) after that
the clients are not getting connected, not seeing any Access-Accept going to
the NAS.

If I connect  2  clients per second then all the clients ( 2 per second for
30 minutes ) are getting connected.

Please let me know what could be the reason for this? The log file is very
huge.. if you could  not figure out the issue with the above statistic it
will send the log to the group.

Thank you so much for all your help.
Regards,
Nikitha

On 4/27/07, Alan DeKok <[EMAIL PROTECTED]> wrote:


nikitha george wrote:
> I am using freeradius-1.1.4 with PEAP-MSCHAPV2. Each session starting
> from Access-Request till Access-Accept it takes more than 250ms to
> complete. Is it the normal performance of freeradius-1.1.4 or anything
> suspicious in this regard?

  It depends on your CPU speed, etc.  But it's not out of line.  Almost
all of that time is spent in OpenSSL, doing cryptography.

> When i  try to send many Request
> simultaneously then there is no response from the server for the latest
> requests as the server is busy processing first request.
> Only the first request gets response after 250ms.

  Are you sure you're not running the server in single threaded mode?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog

Re: db performance

2007-05-17 Thread Arran Cudbard-Bell
Alan DeKok wrote:
> Angelos Karageorgiou wrote:
>> Has anyone had the time to do a DB performance comparison for heavily
>> loaded freeradius servers ?
> 
>   If your server is busy enough to be heavily loaded, you need multiple
> machines to maintain quality service.  Once you have multiple machines,
> DB performance matters a lot less, because the load is spread across
> multiple machines.
> 
>   For DB specific issues, look for DB performance on google.  PostgreSQL
> usually has better performance than MySQL.  The application using the DB
> (radius, web, etc.) has very little effect on DB performance.
> 

However if you do choose to use MySQL, setting up query caching properly 
will have a huge (positive) impact on performance.

Same data being read out of the database four times, per authentication 
session 

Clustering is a good idea too, though it's not a good idea to run an SQL 
server / SQL cluster node / LDAP directory server on the same box as 
FreeRADIUS as it will almost always have a negative impact on performance.

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900


Re: Machine account authentication progress?

2007-05-17 Thread Peter Savage

On 17/05/07, Alan DeKok <[EMAIL PROTECTED]> wrote:


Peter Savage wrote:
> I also got this as a log when the machine was trying to authenticate
>
> WARNING: Malformed RADIUS packet from host 172.29.99.82
> : too short (received 0 < minimum 20)

  That's fairly stupid.  The access point is sending empty UDP packets
to the RADIUS server.

  I've never seen that before.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog



~Ahhh.hmm.they work ok when authenticating user based, just not
computer/machine based.  Maybe Netgear stuff just isn't up to it?

--
Pete Savage - cbx33::silentk
wiki.ubuntu.com/PeteSavage

Re: Machine account authentication progress?

2007-05-17 Thread Peter Savage

On 17/05/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:


Hi,

> it's been fixed...hoo diddly rah!!!
> So now I just need to see why we're getting 0 length requests and mung about
> with the User-Name as was stated earlier.  eeek!  So If I have EAP-TLS
> working with PEAP ie, the AD users/passwords work...am I almost there?
> ;)

not just 'almost there' - you are there - next step is giving them
all the right network based on who they are..what time it is...where
they are logged in from etc :-)

alan



I'm there on the user side, just not on the machine side...at the mo they
must log in first to get authenticated ;)

--
Pete Savage - cbx33::silentk
wiki.ubuntu.com/PeteSavage

Re: Pool-Name from Called-Station-Id

2007-05-17 Thread Alan DeKok
Hugh Messenger wrote:
> I hate to bump my question like this, but I think it may have gotten lost in
> a flurry of activity that day.  And I really would like to get this working.

  Try putting it in the "hints" section.  I think the "users" file
doesn't do the proper translations, unfortunately.

DEFAULT Calling-Station-Id =~ ...
Pool-Name = ...

  That might work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: radrelay patch for 1.1.6

2007-05-17 Thread Alan DeKok
Milan Holub wrote:
> Here is my tested patch:

  Are you sure?

...
> } while(0);
> -   if (r_args->records_print && state == STATE_RUN){
> +   else {
> stats.records_read++;
...

  The "after" portion doesn't look like valid C to me.  I'll check in a
few days when I have access to a test machine.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius <=> MS IAS passthrough

2007-05-17 Thread Alan DeKok
Ian Savoy wrote:
> What's happening, is when i use the radclient to auth DIRECTLY to the 
> IAS server, i get an Access-Accept response.  However, when i use the 
> proxy, they are receiving an encrypted password...either that or an 
> incorrectly encrypted password that cannot be decrypted by their IAS.

  Then the shared secret is wrong.

>  I 
> am using the Password attribute with radclient rather than 
> User-Password,

  They are the same attribute.

> so i believe when i was using radclient it was sending an
> unencrypted password.  When i run radiusd -X, I am able to see his 
> password, so I'm assuming it's being relayed in plain-text is this 
> correct?  or does debug mode decrypt the password for my viewing pleasure?

  It decrypts the password so you can see it.

> I guess the root of my question is, Does IAS send plain-text passwords?  

  I'm not sure what you mean by that.  The RADIUS protocol specifies
that passwords are encrypted when sent over the wire, but the shared
secret allows each RADIUS server to turn that encrypted password into a
plain-text one.

  So if IAS is sending something to FreeRADIUS, IAS has the password in
clear text.  It's encrypted on the Ethernet.  FreeRADIUS decrypts it to
clear text.

> Also is there a way i can send the password to IAS via an encryption 
> method that it can understand without making a global change?  this 
> can't be done in proxy.conf, so would the answer than be user specific?  

  The question makes no sense.  There is one way for clear text
passwords to be sent over the wire.  If it's not working, the shared
secret is wrong.

> On the IAS end the reason why they can't auth is their problem - their 
> proxy is stripping the realm info from teh username and just sending us 
> user@, i.e. no realm info, but how do i set the FR proxy to relay the 
> login info via an encryption method that can be understood by IAS?

  Huh?  Who's sending what to who?  You've just said multiple servers
are proxying to each other.

>  they
> accept the following auth methods - MS-CHAP, MS-CHAP V2, CHAP, and PAP.

  RADIUS servers don't change authentication protocols.  If the client
sends X, a proxy will forward X to the home server.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
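A worked illustration of the hiding Alan describes, added here and not FreeRADIUS or IAS code: RFC 2865 section 5.2 User-Password hiding and revealing with the shared secret, and what a proxy or home server recovers when its secret does not match. The password, the two secrets and the Request Authenticator are constructed sample values.

```python
import hashlib
import os
from typing import Optional


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as RFC 2865 section 5.2 specifies.

    The cleartext is NUL-padded to a multiple of 16 octets; each 16-octet
    block is XORed with MD5(secret + previous ciphertext block), where the
    "previous block" for the first block is the 16-octet Request Authenticator.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += cipher
        prev = cipher
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password.  The chain uses the *ciphertext* blocks, so any
    hop that knows the secret recovers the cleartext on its own; a proxy then
    re-hides it with the secret it shares with the next server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def looks_like_password(candidate: bytes) -> bool:
    """Crude plausibility check: a correctly revealed password is printable
    ASCII, while a wrong secret yields pseudo-random octets.  That is what the
    home server sees when the secret in proxy.conf does not match its own."""
    return bool(candidate) and all(0x20 <= c < 0x7F for c in candidate)


def demo(authenticator: Optional[bytes] = None) -> dict:
    """Hide with the proxy's secret, then reveal with the right and a wrong one."""
    authenticator = authenticator or os.urandom(16)  # a NAS picks one per request
    password = b"correct horse battery"               # constructed sample
    secret_ok = b"testing123"                         # constructed sample secret
    secret_typo = b"testing124"                       # one character off
    hidden = hide_password(password, secret_ok, authenticator)
    return {
        "hidden_len": len(hidden),
        "right_secret": reveal_password(hidden, secret_ok, authenticator),
        "wrong_secret": reveal_password(hidden, secret_typo, authenticator),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```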


Re: Pool-Name from Called-Station-Id

2007-05-17 Thread Hugh Messenger
Hugh Messenger (that's me!) said:
> Alan DeKok said:
> 
> > DEFAULT Called-Station-Id =~ "^(\w+_pppoe_\d+)$", Pool-Name :=
> `%{1}`
> >
> > \w && \d may not be supported by the regex library on your system.  You
> > may have to use [a-fA-F] etc. explicitly.
> 
> I don't seem to be able to get this to work.  This is my DEFAULT entry:
> 
> DEFAULT Called-Station-Id =~ "^([A-z0-9]+_pppoe_[0-9]+)$", Pool-Name :=
> `%{1}`
> Framed-IP-Netmask = 255.255.0.0,
> Fall-Through = 1
> 
> ... and it seems to be matching on authentication requests, as per this -X
> fragment:
> 
> users: Matched entry DEFAULT at line 162
> 
> ... where line 162 is the above DEFAULT.  And I've triple checked my
> regexp
> using my IDE's RX toolkit.  But sqlippool isn't picking up that pattern
> match as the pool name:
> 
> rlm_sql_mysql: query:  SELECT FramedIPAddress FROM radippool   WHERE
> pool_name = '' AND expiry_time < NOW()   ORDER BY pool_name, (UserName <>
> 'radiustest'), (CallingStationId <> '00:60:B3:45:6A:98'), expiry_time
> LIMIT 1   FOR UPDATE
> sqlippool_query1: SQL query did not return any results
> 
> If I replace the regexp version with a specific one, like ...
> 
> DEFAULT Called-Station-Id == "brantley_pppoe_141", Pool-Name :=
> "brantley_pppoe_141"
> 
> ... it all works fine.

*bump*

I hate to bump my question like this, but I think it may have gotten lost in
a flurry of activity that day.  And I really would like to get this working.

TIA for any suggestions.

   -- hugh




Re: Machine account authentication progress?

2007-05-17 Thread Alan DeKok
Peter Savage wrote:
> I also got this as a log when the machine was trying to authenticate
> 
> WARNING: Malformed RADIUS packet from host 172.29.99.82
> : too short (received 0 < minimum 20)

  That's fairly stupid.  The access point is sending empty UDP packets
to the RADIUS server.

  I've never seen that before.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
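The check behind that warning, as an added example that is not FreeRADIUS code: the minimum-length, Length-field and attribute-boundary checks RFC 2865 section 3 requires before a datagram is parsed, run over constructed datagrams including the empty one the access point above was sending. The 172.29.99.82 address from the log line is reused only as a sample NAS-IP-Address value.

```python
import struct

MIN_PACKET = 20       # RFC 2865 section 3: Code, Identifier, Length, Authenticator
MAX_PACKET = 4096
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4


def check_radius_datagram(data: bytes) -> str:
    """Return "ok" or the reason the datagram must be silently discarded.

    Each check only reads octets an earlier check has vouched for, so a
    zero-length or truncated datagram never causes an out-of-bounds read.
    """
    if len(data) < MIN_PACKET:
        return f"too short (received {len(data)} < minimum {MIN_PACKET})"
    _code, _ident, length = struct.unpack("!BBH", data[:4])
    if length < MIN_PACKET:
        return f"Length field {length} < minimum {MIN_PACKET}"
    if length > MAX_PACKET:
        return f"Length field {length} > maximum {MAX_PACKET}"
    if length > len(data):
        return f"Length field {length} > received {len(data)}"
    # Octets beyond Length are padding and are ignored (RFC 2865 section 3).
    pos = MIN_PACKET
    while pos < length:
        if length - pos < 2:
            return f"attribute header truncated at offset {pos}"
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2:
            return f"attribute {attr_type} has length {attr_len} < 2"
        if pos + attr_len > length:
            return f"attribute {attr_type} runs past Length"
        pos += attr_len
    return "ok"


def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    """Assemble a well-formed packet from (type, value) attribute pairs."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, MIN_PACKET + len(body))
    return header + authenticator + body


def demo() -> dict:
    """Run the checks over constructed datagrams, including the empty one."""
    auth = bytes(16)  # constructed; a real NAS sends 16 random octets
    good = build_packet(ACCESS_REQUEST, 7, auth,
                        [(ATTR_USER_NAME, b"wclient"),
                         (ATTR_NAS_IP_ADDRESS, bytes([172, 29, 99, 82]))])
    # Length claims 22 octets, but the lone attribute header says length 1.
    bad_attr = struct.pack("!BBH", ACCESS_REQUEST, 7, 22) + auth + b"\x01\x01"
    return {
        "empty": check_radius_datagram(b""),
        "good": check_radius_datagram(good),
        "padded": check_radius_datagram(good + b"\x00" * 3),
        "truncated": check_radius_datagram(good[:-1]),
        "bad_attr": check_radius_datagram(bad_attr),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict}")
```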


Re: radius+ldap+peap

2007-05-17 Thread Alan DeKok
Arjuna Scagnetto wrote:
> can someone tell me a good tutorial about making work freeradius with 
> ldap and peap on a 802.1x architecture ?

  Get LDAP working with PAP authentication, but NOT using "ldap bind".

  Get PEAP working with passwords in the "users" file.

  Try PEAP with a user whose password is in LDAP.

> For the moment my freeradius server dies with a Segmentation Fault, i 
> think it's caused by a misunderstanding between peap and ldap but i'm 
> not sure.

  Please say which version of the server you're using.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius > CVS 100504 Cannot bind on MAC OSX

2007-05-17 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> FreeRADIUS cannot bind in pre1 and CVS HEAD
> 
> Last CVS that worked was 100504.
> 
> Have you done anything major that would break this ?

  I don't recall changing anything drastic.

> Tried it on two boxes, so know it's nothing local.
> 
> /usr/local/freeradius-2.0pre1/etc/raddb/radiusd.conf[195]: Error binding 
> to port for 0.0.0.0 port 1812
> 
> Won't bind with wildcard ip or static ip.

  Hmm... I'll look at it in a few days.  I'm away from a test system
right now.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: db performance

2007-05-17 Thread Alan DeKok
Angelos Karageorgiou wrote:
> Has anyone had the time to do a DB performance comparison for heavily
> loaded freeradius servers ?

  If your server is busy enough to be heavily loaded, you need multiple
machines to maintain quality service.  Once you have multiple machines,
DB performance matters a lot less, because the load is spread across
multiple machines.

  For DB specific issues, look for DB performance on google.  PostgreSQL
usually has better performance than MySQL.  The application using the DB
(radius, web, etc.) has very little effect on DB performance.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Question regarding external script authentication

2007-05-17 Thread Alan DeKok
Patric wrote:
>
> I just want to clarify, if I set the reject_delay to 0, and in my 
> external script the only thing I do is "exit(1);", then freeradius will 
> return a reject response to the NAS?

  It will send a reject to the NAS.

> Or will it simply not respond?
> Because the complaint my NAS maintainer has is that he is getting no 
> response.

  Yes, I understood that from your previous message.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius <=> MS IAS passthrough

2007-05-17 Thread Ian Savoy
So, I made sure all of our settings were configured correctly in 
proxy.conf and in clients.conf.  The way we tested was I had the IAS 
server set the reply message to "yes" like John mentioned.  This helped 
a great deal.

What's happening is when I use radclient to auth DIRECTLY to the 
IAS server, I get an Access-Accept response.  However, when I use the 
proxy, they are receiving an encrypted password...either that or an 
incorrectly encrypted password that cannot be decrypted by their IAS.  I 
am using the Password attribute with radclient rather than 
User-Password, so I believe when I was using radclient it was sending an 
unencrypted password.  When I run radiusd -X, I am able to see his 
password, so I'm assuming it's being relayed in plain-text.  Is this 
correct?  Or does debug mode decrypt the password for my viewing pleasure?

I guess the root of my question is, does IAS send plain-text passwords?  
Also, is there a way I can send the password to IAS via an encryption 
method that it can understand without making a global change?  This 
can't be done in proxy.conf, so would the answer then be user specific?  
On the IAS end the reason why they can't auth is their problem - their 
proxy is stripping the realm info from the username and just sending us 
user@, i.e. no realm info, but how do I set the FR proxy to relay the 
login info via an encryption method that can be understood by IAS?  They 
accept the following auth methods - MS-CHAP, MS-CHAP V2, CHAP, and PAP.

Thanks for your help again guys (gals)!

-Ian Savoy

John Horne wrote:
> On Wed, 2007-05-16 at 17:12 -0400, Ian Savoy wrote:
>> Is there anything else?
>>
> Hi,
>
> Not sure if it's still relevant but with our IAS servers the sysadmin
> made sure it set the reply message to "yes". If you test from freeradius
> to the IAS server using the 'radtest' command, and run freeradius as
> 'radiusd -X', you should then see something like this from radiusd:
>
>   rad_recv: Access-Accept packet from host 10.1.2.3:1812, id=0,
> length=74
> Proxy-State = 0x323235
> Framed-Protocol = PPP
> Reply-Message = "Yes"
> Service-Type = Framed-User
>
> John.


-- 
Ian Savoy
Webforce Systems, Inc
Operations Support/UNIX Engineer
CompTIA A+ Certified Professional
Tech. Support: 614-899-9257 x22
Website: http://www.ewebforce.net


Re: Machine account authentication progress?

2007-05-17 Thread A . L . M . Buxey
Hi,

> it's been fixed...hoo diddly rah!!!
> So now I just need to see why we're getting 0 length requests and mung about
> with the User-Name as was stated earlier.  eeek!  So If I have EAP-TLS
> working with PEAP ie, the AD users/passwords work...am I almost there?
> ;)

not just 'almost there' - you are there - next step is giving them
all the right network based on who they are..what time it is...where
they are logged in from etc :-)

alan


Re: db performance

2007-05-17 Thread A . L . M . Buxey
Hi,
> Hello gentle people
> 
> Has anyone had the time to do a DB performance comparison for heavily 
> loaded freeradius servers ?

not that i am aware of - though a real comparison can only be done
on the same hardware with the same loading and setup - and
in such cases the admin only has experience/total knowledge of
one DB engine and how to optimise it - eg PostgreSQL, Oracle or MySQL
but not all three

alan


radius+ldap+peap

2007-05-17 Thread Arjuna Scagnetto
Can someone tell me a good tutorial about making freeradius work with 
ldap and peap on an 802.1x architecture?

For the moment my freeradius server dies with a Segmentation Fault; I 
think it's caused by a misunderstanding between peap and ldap but I'm 
not sure.

radius.conf{
ldap {
server = "127.0.0.1"
#identity = "cn=manager"
#password = prova
basedn = "dc=example,dc=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectClass=radiusprofile)"
password_attribute = userPassword


}
}

user in ldap database {
dn: uid=wclient,ou=dot1x,dc=example,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: wclient
sn: wclient
uid: wclient
description: 802.1x user
userPassword: {SSHA}xxx
}

Now when I try to authenticate the wireless station freeradius dies with 
a Segmentation Fault:


...
_realm: No '@' in User-Name = "wclient", looking up realm NULL
 rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 5
   rlm_eap: EAP packet type response id 6 length 80
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for wclient
radius_xlat:  '(uid=wclient)'
radius_xlat:  'dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=wclient)
rlm_ldap: Added password {SSHA}tymOzgljNoVkhZT+K1+jUIW7HKkX3Epe in check 
items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value 
{SSHA}tymOzgljNoVkhZT+K1+jUIW7HKkX3Epe & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user wclient authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap" returns ok for request 5
Segmentation fault

thanks for helping
Arjuna



radrelay patch for 1.1.6

2007-05-17 Thread Milan Holub
Hi Alan,

when using the -R switch with the radrelay binary from the latest 1.1.6 release:
`radrelay -f -R5 -d /etc/freeradius -a /var/log/freeradius/radacct/radrelay -S /etc/freeradius/radrelay_secret -r detail`
I was continuously flooded by similar messages:
...
radrelay: Running and Processing Records.
Seconds since startup: 
Records Read: 
Packets Sent: 0
Record Rate since startup: 
Packet Rate since startup: 0.00
...

There was an empty detail file (without any writer), thus I did not expect any 
records to be read...

Here is my tested patch:

Index: src/main/radrelay.c
===
RCS file: /source/radiusd/src/main/Attic/radrelay.c,v
retrieving revision 1.22.2.3.2.4
diff -u -r1.22.2.3.2.4 radrelay.c
--- src/main/radrelay.c 16 Mar 2007 13:22:03 -  1.22.2.3.2.4
+++ src/main/radrelay.c 17 May 2007 14:27:35 -
@@ -678,9 +678,11 @@
rad_unlockfd(fileno(fp), 0);
fseek(fp, fpos, SEEK_SET);
} while(0);
-   if (r_args->records_print && state == STATE_RUN){
+   else {
stats.records_read++;
-   if (stats.last_print_records - 
stats.records_read >= r_args->records_print){
+   }
+   if (r_args->records_print && state == STATE_RUN){
+   if (stats.records_read != 
stats.last_print_records && (stats.records_read - stats.last_print_records) % 
r_args->records_print == 0){
now = time(NULL);
uptime = (stats.startup == now) ? 1 : 
now - stats.startup;
fprintf(stderr, "%s: Running and 
Processing Records.\n",progname);
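Review bot: the added `else {` directly after the unchanged `} while(0);` has no `if` to attach to, so this hunk does not compile; C does not allow an `else` after a `do { ... } while (0);` statement. If the intent is to count a record only when the loop body did not bail out early, set a flag inside the loop (or increment `stats.records_read` at the point where a record is actually read) rather than using `else`. The new print condition is an improvement over the removed `stats.last_print_records - stats.records_read >= r_args->records_print`, whose subtraction runs the wrong way once `records_read` grows past `last_print_records`, but the modulo test relies on `stats.last_print_records` being updated somewhere outside this hunk; please confirm it is still assigned where the statistics are printed, otherwise the message repeats for every record whose count is a multiple of `records_print`. Moving `stats.records_read++` out from under the `r_args->records_print` guard (previously records were only counted when -R was given) is also a behaviour change that deserves a line in the commit message.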


I believe it should be fixed in 1.X...

Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--


db performance

2007-05-17 Thread Angelos Karageorgiou
Hello gentle people

Has anyone had the time to do a DB performance comparison for heavily 
loaded freeradius servers ?

Thank you


Re: Machine account authentication progress?

2007-05-17 Thread Peter Savage

On 17/05/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:


> Hi,
>
> > I have done all these steps except number 5.  Are you saying that we can
> > now get machine names to authenticate prior to the user actually logging
> > in?  I can get it working fine after the user has logged in.  It's just
> > getting the machine to join the wireless network before log in so that they
> > join the domain ok.
>
> oh for sure! and what's more, the login doesn't hang - because the wireless
> is on and working. it means you aren't relying on cached login credentials.
> as a side effect, the network is 'real' when the windows box starts - so all
> the other parts of windows work on the wireless - eg stuff you must be in the
> domain for. drive mappings, GPOs, SMS bits all 'just work(tm)'

Wow, that's awesome, I read a post which said it wasn't working so I guess
it's been fixed...hoo diddly rah!!!
So now I just need to see why we're getting 0 length requests and mung about
with the User-Name as was stated earlier.  eeek!  So If I have EAP-TLS
working with PEAP ie, the AD users/passwords work...am I almost there?
;)

> BUT BEWARE
>
> one thing doesn't work.  microsoft, in their wisdom, decided that the
> machine<->AD renegotiation of AD password key CANNOT WORK OVER AN ENCRYPTED
> LINK.
>
> yes. that AD password will expire. on a wired network the machine will talk
> to the AD to get its new key. if you are USING the key the machine knows
> for the login process then that key is invalid in the AD and cannot be
> upgraded over the PEAP encrypted wifi link.  - it also can't be updated on a
> PPTP link from what I've read.  the default time for this to occur is 30
> days IIRC. change it on the AD to longer if you want less pain.

--
Pete Savage - cbx33::silentk
wiki.ubuntu.com/PeteSavage

Re: SQL query in Pre-Proxy

2007-05-17 Thread Ashraf Al-Basti

Hi,
do you mean that I have to do the following:
in the radcheck I have to put
username    calling-station-id=number
and in the radreply,
username    proxy-to-realm:=domain

Could you please send me the whole process for the request.

[EMAIL PROTECTED] wrote:

> Make user entry:
>
> thatuser   Calling-Station-Id==number,  Proxy-To-Realm:="domain"
>
> Put attributes in radcheck if you are using SQL.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 17/5/2007, "Ashraf Al-Basti" <[EMAIL PROTECTED]> writes:
>
>> Dear,
>> or is there any way to do authentication before doing proxy
>>
>> Ashraf Al-Basti wrote:
>>
>>> Dear all,
>>> I want to use freeradius as a proxy server for more than one domain, but I
>>> need to do some query from the DB before doing proxy.
>>> I have a DB that contains the username and the telephone number and the
>>> domain for that user. I want to do a query to check for that data; if
>>> matched, do proxy, if not, cancel the proxy.
>>> please advise...

Re: Machine account authentication progress?

2007-05-17 Thread A . L . M . Buxey
Hi,

> > I have done all these steps except number 5.  Are you saying that we can
> > now get machine names to authenticate prior to the user actually logging
> > in?  I can get it working fine after the user has logged in.  It's just
> > getting the machine to join the wireless network before log in so that they
> > join the domain ok.

oh for sure! and what's more, the login doesn't hang - because the wireless is on
and working. it means you aren't relying on cached login credentials. as a side
effect, the network is 'real' when the windows box starts - so all the other
parts of windows work on the wireless - eg stuff you must be in the domain for.
drive mappings, GPOs, SMS bits all 'just work(tm)' 

BUT BEWARE

one thing doesn't work.  microsoft, in their wisdom, decided that the 
machine<->AD renegotiation of AD password key CANNOT WORK OVER AN ENCRYPTED LINK.

yes. that AD password will expire. on a wired network the machine will talk
to the AD to get its new key. if you are USING the key the machine knows
for the login process then that key is invalid in the AD and cannot be upgraded
over the PEAP encrypted wifi link.  - it also can't be updated on a PPTP link
from what I've read.  the default time for this to occur is 30 days IIRC.
change it on the AD to longer if you want less pain.

alan


Re: free radius 1.1.6 -eap-tls authentication

2007-05-17 Thread Keith Moores
CRLs are not the best way to conduct authorization for EAP-TLS;  
their control is too coarse when the goal is to enable/disable the  
use of valid certificates for different purposes, and they don't let  
you assign other authorization info like what VLAN a user should be  
assigned to.

The only option that currently works for access to real authorization  
with EAP-TLS is to use the:
check_cert_cn = %{User-Name}
option in the tls section of eap.conf so you can be sure the outer  
identity (User-Name) matches the inner identity in the certificate;  
it's then valid to check User-Name against another source for  
authorization.  If you don't perform this check you can't be sure the  
outer identity (User-Name) has any relation to the identity  
represented by the certificate.  This is only an option if your user  
certificates contain the unique "user id" you will look up for  
authorization in the Common Name field, not in the Subject  
Alternative Name - Principal Name field (which many organizations use  
as their User certificate Common Names are not unique user identifiers).

-Keith


On May 17, 2007, at 1:49 AM, Alan DeKok wrote:

> [EMAIL PROTECTED] wrote:
>>   1 Where will i find the log of the authentication like  
>> username login ok...or login failed
>
>   It's in "radius.log"
>
>>   2 One user\'s certificate if I installed in other user\'s laptop  
>> it works.I want one user certificate should work in one laptop only.
>
>   There's no real way of doing that.  You *could* put the MAC address
> into the certificate, and have the RADIUS server check that against  
> the
> MAC address in the RADIUS request, but there's no guarantee that will
> work.  It can be spoofed, and it can break valid configurations.
>
>>   3 In users file i havn\'t added any certificate name as it is  
>> eap-tls.So if i want to remove the user from n/w i don\'t have  
>> control.Is ther any method like i can add the certificate names in  
>> users file then only it should work
>
>   Certificate revocation lists.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Re: Machine account authentication progress?

2007-05-17 Thread Peter Savage

On 17/05/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> Hi,
>
> > WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received
> > 0 < minimum 20)
>
> received 0? I'm sure that they can't be THAT short. I'd advise that you get
> all the windows XP KB's installed...especially this one:
>
> http://support.microsoft.com/kb/885453
>
> and of course our perennial favs -
>
> http://support.microsoft.com/kb/893357
> http://support.microsoft.com/kb/917021
>
> you'll also need to ensure that the systems are configured to use PEAP
> (not EAP-TLS) and don't use guest - these are settings that can be nicely
> pushed out via GPO, especially from an AD 2003 box which can also push WPA2
> policies

I'll check all those.  The machine itself is using PEAP, but I think the
radius server is using EAP-TLS, as per the wiki, which for user
authentication works fine

> alan

--
Pete Savage - cbx33::silentk
wiki.ubuntu.com/PeteSavage

Re: Machine account authentication progress?

2007-05-17 Thread Peter Savage


> 1) generate correct certs. configure eap.conf
> 2) bind system into the AD (needs config of samba, winbind and 'net ads
> join' commands as per docs all over the web
> 3) change permissions in winbindd_privileged directory or ntlm_auth won't
> work (you'll get debug logs saying winbind_auth_crap permissions not correct
> etc)
> 4) enable the ntlm_auth line - ensuring it's correct for your
> application/usage
>
> 5) spend time massaging the Stripped-Username or Username to ensure that
> you only pass the machine over to the AD during ntlm_auth - check the
> mailing list history for such useful methods

I have done all these steps except number 5.  Are you saying that we can
now get machine names to authenticate prior to the user actually logging
in?  I can get it working fine after the user has logged in.  It's just
getting the machine to join the wireless network before log in so that they
join the domain ok.

--
Pete Savage - cbx33::silentk
wiki.ubuntu.com/PeteSavage

Re: Machine account authentication progress?

2007-05-17 Thread A . L . M . Buxey
Hi,

> WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received
> 0 < minimum 20)

received 0? I'm sure that they can't be THAT short. I'd advise that you get all 
the windows XP KB's installed...especially this one:

http://support.microsoft.com/kb/885453

and of course our perennial favs -

http://support.microsoft.com/kb/893357
http://support.microsoft.com/kb/917021

you'll also need to ensure that the systems are configured to use PEAP (not 
EAP-TLS) and don't use guest - these are settings that can be nicely pushed out
via GPO, especially from an AD 2003 box which can also push WPA2 policies

alan


Re: Machine account authentication progress?

2007-05-17 Thread A . L . M . Buxey
Hi,

> I followed the wiki howto,
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO,
> and it works great for user authentication, but does nothing for mchine
> authentication.  Is there something extra I have o configure for machine
> access?  Like the ntlm_auth line?

basic steps

1) generate correct certs. configure eap.conf
2) bind system into the AD (needs config of samba, winbind and 'net ads join'
commands as per docs all over the web
3) change permissions in winbindd_privileged directory or ntlm_auth won't work
(you'll get debug logs saying winbind_auth_crap permissions not correct etc)
4) enable the ntlm_auth line - ensuring it's correct for your application/usage

5) spend time massaging the Stripped-Username or Username to ensure that you
only pass the machine over to the AD during ntlm_auth - check the mailing list
history for such useful methods

alan
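Step 5 is the one the HOWTO leaves to the reader, so here is an added example of the name massaging it refers to. This is my own illustration, not code from the list or from FreeRADIUS. It assumes that a Windows supplicant doing machine authentication presents a User-Name of the form host/name.dns.domain while the matching AD computer account is NAME$, that user names may also arrive as DOMAIN\user or user@realm, and that the result is handed to ntlm_auth through its own --domain and --username options. The function names, the NetBIOS domain CORP and the sample identities are constructed.

```python
from typing import List, NamedTuple


class NtlmIdentity(NamedTuple):
    username: str     # value for ntlm_auth --username=
    domain: str       # value for ntlm_auth --domain=
    is_machine: bool  # True for a computer account (NAME$)


def split_identity(user_name: str, default_domain: str = "") -> NtlmIdentity:
    """Normalise a RADIUS User-Name into the account name AD knows.

    Assumed input forms (constructed examples):
      host/pc01.corp.example  -> PC01$   machine account, default_domain
      CORP\\alice             -> alice   domain CORP
      alice@corp.example      -> alice   domain corp.example
      alice                   -> alice   default_domain
    """
    name = user_name.strip()
    if name.lower().startswith("host/"):
        # Windows machine auth: identity is host/<fqdn>; the AD account is <HOST>$.
        # Only the short host name is kept; the DNS suffix is not the NetBIOS domain.
        short_host = name[len("host/"):].split(".", 1)[0]
        return NtlmIdentity(short_host.upper() + "$", default_domain, True)
    if "\\" in name:
        # DOMAIN\user form: split on the last backslash
        domain, _, user = name.rpartition("\\")
        return NtlmIdentity(user, domain, False)
    if "@" in name:
        # user@realm form: the realm is passed through as the domain (site-specific
        # mapping to a NetBIOS name may still be needed; assumption)
        user, _, realm = name.rpartition("@")
        return NtlmIdentity(user, realm, False)
    return NtlmIdentity(name, default_domain, False)


def ntlm_auth_argv(identity: NtlmIdentity,
                   ntlm_auth_path: str = "/usr/bin/ntlm_auth") -> List[str]:
    """Argument vector for ntlm_auth, built as a list so it is never shell-parsed.

    The path is an assumption; --request-nt-key, --domain and --username are
    ntlm_auth's own options.
    """
    return [
        ntlm_auth_path,
        "--request-nt-key",
        f"--domain={identity.domain}",
        f"--username={identity.username}",
    ]


if __name__ == "__main__":
    for ident in ("host/pc01.corp.example", "CORP\\alice", "alice@corp.example", "bob"):
        print(ident, "->", ntlm_auth_argv(split_identity(ident, "CORP")))
```

The point of returning a list rather than an interpolated command string is that a User-Name is attacker-controlled input; building the argument vector piecewise keeps characters such as backticks or semicolons inert.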


Freeradius > CVS 100504 Cannot bind on MAC OSX

2007-05-17 Thread Arran Cudbard-Bell
FreeRADIUS cannot bind in pre1 and CVS HEAD

Last CVS that worked was 100504.

Have you done anything major that would break this ?

Tried it on two boxes, so know it's nothing local.

/usr/local/freeradius-2.0pre1/etc/raddb/radiusd.conf[195]: Error binding 
to port for 0.0.0.0 port 1812

Won't bind with wildcard ip or static ip.

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900


Re: SQL query in Pre-Proxy

2007-05-17 Thread tnt
Make user entry:

thatuser   Calling-Station-Id==number,  Proxy-To-Realm:="domain"

Put attributes in radcheck if you are using SQL.

Ivan Kalik
Kalik Informatika ISP


On 17/5/2007, "Ashraf Al-Basti" <[EMAIL PROTECTED]> wrote:

>Dear,
>Or is there any way to do authentication before doing proxy?
>
>Ashraf Al-Basti wrote:
>
>>Dear all,
>>I want to use freeradius as a proxy server for more than one domain, but I
>>need to do some query from the DB before doing proxy.
>>I have a DB that contains the username, the telephone number and the
>>domain for that user. I want to do a query to check that data: if it
>>matches, do the proxy; if not, cancel the proxy.
>>Please advise...



Re: Question regarding external script authentication

2007-05-17 Thread Patric
Hi Alan,

Thanks for your response.

Alan DeKok wrote:
>
>   Set "reject_delay = 0" in radiusd.conf.

I just want to clarify, if I set the reject_delay to 0, and in my 
external script the only thing I do is "exit(1);", then freeradius will 
return a reject response to the NAS? Or will it simply not respond? 
Because the complaint my NAS maintainer has is that he is getting no 
response.

Thanks a stack!
Patrick




Re: Machine account authentication progress?

2007-05-17 Thread Peter Savage

I also got this as a log when the machine was trying to authenticate

WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received
0 < minimum 20)
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received
0 < minimum 20)
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received
0 < minimum 20)
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received
0 < minimum 20)
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received
0 < minimum 20)
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received
0 < minimum 20)
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.


--
Pete Savage - cbx33::silentk
wiki.ubuntu.com/PeteSavage
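The warning above is the server refusing a datagram before it parses it: a RADIUS packet is at least 20 octets (Code, Identifier, Length and the 16-octet Authenticator), so a zero-length datagram cannot be a RADIUS request at all and is dropped rather than answered. As an added example (my own code, not FreeRADIUS's), here is the same sanity check as a stand-alone validator that applies the RFC 2865 length rules and then walks the attribute list, so that a truncated or malformed attribute is also caught instead of being read past the end of the buffer. The sample packets are constructed.

```python
import struct
from typing import List, Tuple

RADIUS_MIN_LEN = 20    # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
RADIUS_MAX_LEN = 4096  # RFC 2865 upper bound on the Length field

# Packet codes this check accepts (constructed subset of the RFC 2865/2866 codes)
CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
}


def validate_radius_packet(data: bytes) -> Tuple[bool, str]:
    """Return (ok, detail). The first failure message mirrors the server's wording."""
    if len(data) < RADIUS_MIN_LEN:
        return False, f"too short (received {len(data)} < minimum {RADIUS_MIN_LEN})"
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if length < RADIUS_MIN_LEN or length > RADIUS_MAX_LEN:
        return False, f"bad Length field {length}"
    if length > len(data):
        # A Length larger than the datagram means data is missing; octets beyond
        # Length, on the other hand, are padding and are simply ignored.
        return False, f"Length field {length} exceeds datagram size {len(data)}"
    if code not in CODES:
        return False, f"unknown code {code}"
    # Walk the TLV attribute list: every attribute needs Type and Length >= 2.
    pos = RADIUS_MIN_LEN
    while pos < length:
        if length - pos < 2:
            return False, "truncated attribute header"
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            return False, f"attribute {atype} has invalid length {alen}"
        pos += alen
    return True, CODES[code]


def build_access_request(ident: int, authenticator: bytes,
                         attrs: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a well-formed Access-Request from (type, value) pairs (constructed)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 1, ident, RADIUS_MIN_LEN + len(body))
    return header + authenticator + body


if __name__ == "__main__":
    good = build_access_request(7, bytes(16), [(1, b"host/pc01.corp.example")])
    print(validate_radius_packet(b""))
    print(validate_radius_packet(good))
```

A zero-byte UDP datagram on port 1812 is usually a probe or a broken supplicant/AP rather than an attack, but the same check is what keeps a hostile Length field from being used as a read bound.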

Re: Question regarding external script authentication

2007-05-17 Thread Alan DeKok
Patric wrote:
> I am currently using exec to authenticate users through an external script.
> When all criteria match I return the correct access-accept pairs and the 
> users authenticate successfully.
> When the criteria are NOT met, I exit(1) my php script to hand control 
> back to the freeradius server.
> This seems to be causing authentication requests to time out, as I guess 
> I am not sending anything back...

  Set "reject_delay = 0" in radiusd.conf.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: SQL query in Pre-Proxy

2007-05-17 Thread Ashraf Al-Basti
Dear,
Or is there any way to do authentication before doing proxy?

Ashraf Al-Basti wrote:

>Dear all,
>I want to use freeradius as a proxy server for more than one domain, but I
>need to do some query from the DB before doing proxy.
>I have a DB that contains the username, the telephone number and the
>domain for that user. I want to do a query to check that data: if it
>matches, do the proxy; if not, cancel the proxy.
>Please advise...


Re: Machine account authentication progress?

2007-05-17 Thread Peter Savage

On 17/05/07, Alan DeKok <[EMAIL PROTECTED]> wrote:

> Peter Savage wrote:
> > Has anything happened in this area, to allow machine authentication
> > against AD?
>
>   It works.  It's worked for a long time.  See the ChangeLog for 1.1.0,
> released over a year ago.
>
> >  From reading the mailing list I believe it was a problem
> > with ntlm_auth, is this any closer to getting fixed, if not, how do
> > people work around it.  We have laptops here that authenticate against
> > the domain if it's available, or locally if not.  There is a logon
> > script if they are at the site.  How best I work round this?
>
>   I'm not sure what you mean.

Basically we need to authenticate and be joined to the network, before a user
logs in.  IAS does this with machine/computer domain based authentication.

>   So far as FreeRADIUS is concerned, "machine authentication" is just
> like doing user authentication.  The machine uses 802.1x to get network
> access, and FreeRADIUS checks the credentials against Active Directory.
>
>   This is *not* the same as the machine logging into the domain.  It is
> completely different.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


--
Pete Savage - cbx33::silentk
wiki.ubuntu.com/PeteSavage

Re: Problem with windows 802.1x client freeradius & digicert wildcard certificate

2007-05-17 Thread Alan DeKok
Phil Brown wrote:
> I have a problem with getting freeradius 116 to work with our digicert 
> wildcard certificate
> from winxp & vista 802.1x clients.
> Everything works fine with other clients & everything works fine if I use a 
> self signed certificate.
> I have trawled through the list history & have taken all the actions that I 
> found suggested 
> (applying hotfixes) but have made no progress, any suggestions would be 
> appreciated.

  It looks like the 802.1x clients are not performing PEAP properly.

  Have you tried this with a certificate you created via OpenSSL?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Machine account authentication progress?

2007-05-17 Thread Peter Savage

On 17/05/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> Hi,
> > Has anything happened in this area, to allow machine authentication against
> > AD?  From reading the mailing list I believe it was a problem with
> > ntlm_auth, is this any closer to getting fixed, if not, how do people work
> > around it.  We have laptops here that authenticate against the domain if
> > it's available, or locally if not.  There is a logon script if they are at
> > the site.  How best I work round this?
>
> we use machine authentication extensively here. whats your exact problem?
>
> alan

I followed the wiki howto,
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO,
and it works great for user authentication, but does nothing for machine
authentication.  Is there something extra I have to configure for machine
access?  Like the ntlm_auth line?

--
Pete Savage - cbx33::silentk
wiki.ubuntu.com/PeteSavage

Re: Machine account authentication progress?

2007-05-17 Thread Alan DeKok
Peter Savage wrote:
> Has anything happened in this area, to allow machine authentication
> against AD?

  It works.  It's worked for a long time.  See the ChangeLog for 1.1.0,
released over a year ago.

>  From reading the mailing list I believe it was a problem
> with ntlm_auth, is this any closer to getting fixed, if not, how do
> people work around it.  We have laptops here that authenticate against
> the domain if it's available, or locally if not.  There is a logon
> script if they are at the site.  How best I work round this?

  I'm not sure what you mean.

  So far as FreeRADIUS is concerned, "machine authentication" is just
like doing user authentication.  The machine uses 802.1x to get network
access, and FreeRADIUS checks the credentials against Active Directory.

  This is *not* the same as the machine logging into the domain.  It is
completely different.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Machine account authentication progress?

2007-05-17 Thread A . L . M . Buxey
Hi,
> Has anything happened in this area, to allow machine authentication against
> AD?  From reading the mailing list I believe it was a problem with
> ntlm_auth, is this any closer to getting fixed, if not, how do people work
> around it.  We have laptops here that authenticate against the domain if
> it's available, or locally if not.  There is a logon script if they are at
> the site.  How best I work round this?

we use machine authentication extensively here. whats your exact problem?

alan


Question regarding external script authentication

2007-05-17 Thread Patric
Hi all,

I am currently using exec to authenticate users through an external script.
When all criteria match I return the correct access-accept pairs and the 
users authenticate successfully.
When the criteria are NOT met, I exit(1) my php script to hand control 
back to the freeradius server.
This seems to be causing authentication requests to time out, as I guess 
I am not sending anything back...

My question is this:

Would it be correct to return Auth-Type="Reject" in the cases where I 
want the user to be rejected?

TIA!
Patrick


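The exchange above turns on how rlm_exec interprets the script: a zero exit status with attribute pairs on stdout becomes the Access-Accept, and a non-zero exit status becomes a reject, which the server then only sends after reject_delay has elapsed. As an added example (mine, not Patric's script or FreeRADIUS's code), here is a minimal external authenticator in that shape. It assumes an exec instance with wait = yes and input_pairs = request, that the request attributes reach the program as environment variables named after the attribute with dashes turned into underscores (USER_NAME, CALLING_STATION_ID), and that reply pairs are read back from stdout one "Attribute = value" per line; the allowed-station table and the exit-code mapping are constructed for the example. Keeping the decision in a function that returns the exit code, rather than calling sys.exit() in the middle of the policy, also makes the policy testable without the server.

```python
#!/usr/bin/env python3
"""Minimal rlm_exec-style authenticator (added example, not FreeRADIUS code).

Policy (constructed): a user may only authenticate from a Calling-Station-Id
that is registered for them, the same check the users-file entry
"Calling-Station-Id == number" expresses for a single user.
"""
import os
import sys
from typing import Dict, List, Mapping, Set, Tuple

# Constructed sample table; a real deployment would consult a database.
ALLOWED_STATIONS: Dict[str, Set[str]] = {
    "alice": {"00-11-22-33-44-55"},
    "bob": {"AA-BB-CC-DD-EE-FF", "AA-BB-CC-DD-EE-00"},
}

EXIT_OK = 0       # assumed: rlm_exec treats 0 as success and uses the reply pairs
EXIT_REJECT = 1   # assumed: any non-zero status makes the request fail/reject


def decide(env: Mapping[str, str]) -> Tuple[int, List[str]]:
    """Return (exit status, reply pairs) for the request described by env."""
    user = env.get("USER_NAME", "")
    station = env.get("CALLING_STATION_ID", "").upper()
    stations = ALLOWED_STATIONS.get(user)
    if stations is None:
        # Unknown user: reject without leaking whether the name exists
        return EXIT_REJECT, []
    if station not in stations:
        return EXIT_REJECT, []
    return EXIT_OK, [
        'Reply-Message = "station check passed"',
        "Session-Timeout = 3600",
    ]


def main() -> None:
    code, reply = decide(os.environ)
    for line in reply:
        print(line)
    sys.stdout.flush()
    # Nothing is printed on reject; the exit status alone carries the decision
    sys.exit(code)


if __name__ == "__main__":
    main()
```

Because the script's stdout becomes reply attributes, anything it echoes from the request must be sanitised first; this version only emits fixed strings.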


Re: users are sending CHAP passwords

2007-05-17 Thread tnt
Option 1 - you have control over NAS:

Configure NAS to accept only PAP authentication. Clients will have to
enable PAP if it is disabled (see option 2)

Option 2 - client side approach

Configure clients to use only pap. For XP:

Go to Network Connections and open Properties for this connection

Click on Security tab

Click on Advanced radio button and Settings button

Leave only PAP ticked

OK, OK to exit

Ivan Kalik
Kalik Informatika ISP


On 17/5/2007, "vik" <[EMAIL PROTECTED]> wrote:

>Sorry for the double post before.
>
>I'm still stuck with that problem:
>
>How to tell the user not to send CHAP-Password ?
>
>As to the server version i will update to 1.1.6 later on today.
>
>Thx a lot.
>
>- Original Message 
>From: Peter Nixon <[EMAIL PROTECTED]>
>To: FreeRadius users mailing list 
>Sent: Thursday, May 17, 2007 10:28:34 AM
>Subject: Re: freeradius + pap + md5 (or encrypt) problem
>
>On Thu 17 May 2007, vik wrote:
>> Hello,
>>
>> I have 1.1.3 server version.
>
>Please update to 1.1.6
>
>> I would like to be able to store encrypted passwords on my computer, but i
>> can't. I've read about everything dealing with this problem, but still i
>> cannot manage to succeed.
>>
>> In my users file i have
>>
>> DEFAULT Auth-Type := PAP
>> Fall-Through = Yes
>
>This bit is not necessary..
>
>> gogo User-Password := "my_encrypted_password_using_md5"
>> 
>>
>> Here i've tried also with Crypt-Password, but it doesn't work either.
>
>You do need to use Crypt-Password...
>
>> Still i have in the debugs:
>> Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot
>> use "CHAP-Password".
>>
>> Why is rlm_pap receiving an CHAP-Password argument, i don't understand, i
>> have disabled all chap options in the radiusd.conf.
>
>Because your users are sending you CHAP passwords. If you don't support them,
>tell your users to send use PAP instead..
>
>
>--
>
>Peter Nixon
>http://www.peternixon.net/
>PGP Key: http://www.peternixon.net/public.asc



users are sending CHAP passwords

2007-05-17 Thread vik
Sorry for the double post before.

I'm still stuck with that problem:

How to tell the user not to send CHAP-Password ?

As to the server version i will update to 1.1.6 later on today.

Thx a lot.

- Original Message 
From: Peter Nixon <[EMAIL PROTECTED]>
To: FreeRadius users mailing list 
Sent: Thursday, May 17, 2007 10:28:34 AM
Subject: Re: freeradius + pap + md5 (or encrypt) problem

On Thu 17 May 2007, vik wrote:
> Hello,
>
> I have 1.1.3 server version.

Please update to 1.1.6

> I would like to be able to store encrypted passwords on my computer, but i
> can't. I've read about everything dealing with this problem, but still i
> cannot manage to succeed.
>
> In my users file i have
>
> DEFAULT Auth-Type := PAP
> Fall-Through = Yes

This bit is not necessary..

> gogo User-Password := "my_encrypted_password_using_md5"
> 
>
> Here i've tried also with Crypt-Password, but it doesn't work either.

You do need to use Crypt-Password...

> Still i have in the debugs:
> Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot
> use "CHAP-Password".
>
> Why is rlm_pap receiving an CHAP-Password argument, i don't understand, i
> have disabled all chap options in the radiusd.conf.

Because your users are sending you CHAP passwords. If you don't support them, 
tell your users to send use PAP instead..


-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc





 

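Peter Nixon's answer rests on a property of the protocols rather than on rlm_pap: a CHAP response is MD5 over the identifier, the cleartext password and the challenge, so the server can only verify it if it holds the cleartext; a PAP request carries the password itself, so the server can compare it against any stored form, including a one-way hash. The added example below (my own code, not the server's rlm_pap or rlm_chap) implements both checks and a small dispatcher that refuses a CHAP-Password when only a hash is on file, with the same reasoning the debug line gives. It assumes the CHAP-Password attribute layout from RFC 2865 (one identifier octet followed by the 16-octet response, with the Request Authenticator standing in when no CHAP-Challenge is sent) and uses a salted PBKDF2-SHA256 hash in place of the crypt/MD5 forms discussed on the list; the attribute dictionaries and the password are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple, Union

PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def make_chap_response(cleartext: str, chap_id: int, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + cleartext.encode() + challenge).digest()


def chap_verify(cleartext: str, chap_password: bytes, challenge: bytes) -> bool:
    """chap_password is the RADIUS CHAP-Password value: 1 id octet + 16 response octets."""
    if len(chap_password) != 17:
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(make_chap_response(cleartext, chap_id, challenge), response)


def pap_store(cleartext: str, salt: bytes = b"") -> bytes:
    """One-way, salted form suitable for storing; salt is random unless given (tests)."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", cleartext.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def pap_verify(stored: bytes, cleartext: str) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", cleartext.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def authenticate(stored_entry: Dict[str, Union[str, bytes]],
                 request: Dict[str, Union[str, bytes]]) -> Tuple[bool, str]:
    """stored_entry holds either "Cleartext-Password" (str) or "Hashed-Password" (bytes);
    request holds the RADIUS attributes of the Access-Request (constructed names)."""
    if "CHAP-Password" in request:
        if "Cleartext-Password" not in stored_entry:
            return False, "CHAP-Password requires a cleartext password; stored form is hashed"
        challenge = request.get("CHAP-Challenge") or request["Request-Authenticator"]
        ok = chap_verify(stored_entry["Cleartext-Password"], request["CHAP-Password"], challenge)
        return ok, "CHAP ok" if ok else "CHAP response mismatch"
    if "User-Password" in request:
        supplied = request["User-Password"]
        if "Hashed-Password" in stored_entry:
            ok = pap_verify(stored_entry["Hashed-Password"], supplied)
        else:
            ok = hmac.compare_digest(stored_entry["Cleartext-Password"].encode(), supplied.encode())
        return ok, "PAP ok" if ok else "PAP password mismatch"
    return False, "no password attribute in request"


if __name__ == "__main__":
    challenge = os.urandom(16)
    chap_pw = bytes([7]) + make_chap_response("s3cret", 7, challenge)
    print(authenticate({"Cleartext-Password": "s3cret"}, {"CHAP-Password": chap_pw, "CHAP-Challenge": challenge}))
    print(authenticate({"Hashed-Password": pap_store("s3cret")}, {"CHAP-Password": chap_pw, "CHAP-Challenge": challenge}))
```

The trade-off the thread circles around is visible in the dispatcher: hashed storage protects the password database if it leaks, but it forces every client onto PAP, where the password travels in the request and the only protection is the RADIUS shared-secret obfuscation and whatever transport sits underneath.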


Re: Client-IP-Address not logged in detail

2007-05-17 Thread Arran Cudbard-Bell
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> Yep I noticed this too, trying to create unique accounting strings with 
>> Client-IP-Address / Packet-Src-IP-Address...
> 
>   The acct_unique module was written before the whole dynamic expansion
> was finished.  As a result, it's not integrated into the rest of the server.
> 
>   It could be replaced by an accounting "hints" file, as:
> 
> DEFAULT
>   Acct-Unique-Id = `%{md5:%{foo} %{bar}}`
> 
>   That requires an "md5" handler to be written, which isn't too hard.
> 
>   It should probably be done before 2.0.0, and the "acct_unique" module
> should be marked as deprecated.
> 

Yes, that's a much better way of doing it, then people can hash other
arbitrary strings with md5.

Hmm hints, fall-through functionality would still be very useful ;)

>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog



Machine account authentication progress?

2007-05-17 Thread Peter Savage

Has anything happened in this area, to allow machine authentication against
AD?  From reading the mailing list I believe it was a problem with
ntlm_auth, is this any closer to getting fixed, if not, how do people work
around it.  We have laptops here that authenticate against the domain if
it's available, or locally if not.  There is a logon script if they are at
the site.  How best I work round this?

--
Pete Savage - cbx33::silentk
wiki.ubuntu.com/PeteSavage

Re: Disabling Single - User Based SQL lookups.

2007-05-17 Thread Arran Cudbard-Bell
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> Just a little one, would be useful to be able to disable the individual
>> user lookup, and go straight to the group lookup... would save an SQL 
>> query ... (SQL queries being quite expensive).
> 
>   Have you tried setting the query to an empty string?

Yes, breaks it...

rlm_sql (sql): sql_set_user escaped user --> 'ac221'
rlm_sql (sql): Reserving sql socket id: 19
radius_xlat:  ''
rlm_sql (sql): Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 19

Though yes, logic dictates that the default action is to skip the check,
not bail out .. *sigh*
> 
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog



Re: Client-IP-Address not logged in detail

2007-05-17 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> Yep I noticed this too, trying to create unique accounting strings with 
> Client-IP-Address / Packet-Src-IP-Address...

  The acct_unique module was written before the whole dynamic expansion
was finished.  As a result, it's not integrated into the rest of the server.

  It could be replaced by an accounting "hints" file, as:

DEFAULT
Acct-Unique-Id = `%{md5:%{foo} %{bar}}`

  That requires an "md5" handler to be written, which isn't too hard.

  It should probably be done before 2.0.0, and the "acct_unique" module
should be marked as deprecated.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
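What the "hints"-file approach above computes is a digest over a fixed list of request attributes, and the rlm_acct_unique warning quoted earlier in the thread ("unique ID MAY be inconsistent") is what happens when one of those attributes is absent: the expansion silently becomes empty and the Start and Stop records of one session can hash to different IDs. The added example below (my own code, not the server's acct_unique module or the proposed md5 xlat) shows that computation and the failure mode side by side. It assumes a key list modelled on the module's key setting with Packet-Src-IP-Address in place of the no-longer-populated Client-IP-Address, as the thread suggests; the accounting records are constructed.

```python
import hashlib
from typing import Dict, List, Sequence, Tuple

# Assumed key list (not the module's literal default): attributes that together
# identify one session across its Start, Interim and Stop records.
UNIQUE_KEY_ATTRS: Sequence[str] = (
    "User-Name", "Acct-Session-Id", "NAS-IP-Address", "NAS-Port", "Packet-Src-IP-Address",
)


def acct_unique_id(request: Dict[str, str],
                   key_attrs: Sequence[str] = UNIQUE_KEY_ATTRS) -> Tuple[str, List[str]]:
    """Return (hex digest, attributes that were missing).

    A missing attribute expands to "" exactly as %{Attr} would in an xlat, so the
    digest still comes out but no longer matches records that do carry the value;
    the caller should log the missing list the way rlm_acct_unique warns.
    """
    missing = [a for a in key_attrs if a not in request]
    material = ",".join(f"{a}={request.get(a, '')}" for a in key_attrs)
    # MD5 is used here as a compact key, as in the thread, not as a security control.
    return hashlib.md5(material.encode()).hexdigest(), missing


# Constructed records for one session as a NAS and a relay would deliver them.
START_RECORD = {
    "Acct-Status-Type": "Start",
    "User-Name": "alice",
    "Acct-Session-Id": "8000001A",
    "NAS-IP-Address": "192.0.2.10",
    "NAS-Port": "7",
    "Packet-Src-IP-Address": "192.0.2.10",
}
STOP_RECORD = dict(START_RECORD, **{
    "Acct-Status-Type": "Stop",
    "Acct-Session-Time": "1800",
    "Acct-Input-Octets": "1048576",
    "Acct-Output-Octets": "8388608",
})
# Same session, but written by a module that did not record the packet source
RECORD_WITHOUT_SRC = {k: v for k, v in STOP_RECORD.items() if k != "Packet-Src-IP-Address"}


def session_ids_match(a: Dict[str, str], b: Dict[str, str]) -> bool:
    """True when two records hash to the same unique ID with no key attribute missing."""
    id_a, missing_a = acct_unique_id(a)
    id_b, missing_b = acct_unique_id(b)
    return id_a == id_b and not missing_a and not missing_b


if __name__ == "__main__":
    for name, rec in (("start", START_RECORD), ("stop", STOP_RECORD), ("stop/no-src", RECORD_WITHOUT_SRC)):
        digest, missing = acct_unique_id(rec)
        print(f"{name:12} {digest}  missing={missing}")
```

Whatever the key list, it should only contain attributes that are present on every record of a session, and the chosen set is a security decision as much as a bookkeeping one: the source IP distinguishes two NASes that report the same NAS-IP-Address, whereas omitting it lets a spoofed record collide with a legitimate session's ID.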


Re: Client-IP-Address not logged in detail

2007-05-17 Thread Alan DeKok
Milan Holub wrote:
> despite the note in radiusd.conf:
> ...
> #  It also adds the %{Client-IP-Address} attribute to the request.
> preprocess

  This no longer happens.  That documentation should be removed.

> 
> it looks like that the attribute is not added:
> >>>DEBUG
> rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in
> request, unique ID MAY be inconsistent
> >>>DEBUG

  That should be updated to use Packet-Src-IP-Address, or
Packet-Src-IPv6-Address

> and I do not find it in detail file neither(where I would need it for
> radrelaying).

  The detail module should be updated to write src/dst IP's to the
detail file, along with src/dst ports.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: Cisco Access Points

2007-05-17 Thread Christian Ejlertsen
That was it. 
Removed a few hash marks in the peap and tls config and it ran.
Thank you for the quick responses everyone.

Regards
Christian

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: 14 May 2007 21:30
> To: FreeRadius users mailing list
> Subject: RE: Cisco Access Points
> 
> You haven't configured peap and tls in eap.conf.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> On 14/5/2007, "Christian Ejlertsen" <[EMAIL PROTECTED]> wrote:
> 
> >This is what I get.
> >
> >triagia ~ # radiusd -A -X
> >Starting - reading configuration files ...
> >reread_config:  reading radiusd.conf
> >Config:   including file: /etc/raddb/proxy.conf
> >Config:   including file: /etc/raddb/clients.conf
> >Config:   including file: /etc/raddb/snmp.conf
> >Config:   including file: /etc/raddb/eap.conf
> >Config:   including file: /etc/raddb/sql.conf
> > main: prefix = "/usr"
> > main: localstatedir = "/var"
> > main: logdir = "/var/log/radius"
> > main: libdir = "/usr/lib"
> > main: radacctdir = "/var/log/radius/radacct"
> > main: hostname_lookups = no
> > main: max_request_time = 30
> > main: cleanup_delay = 5
> > main: max_requests = 1024
> > main: delete_blocked_requests = 0
> > main: port = 0
> > main: allow_core_dumps = no
> > main: log_stripped_names = no
> > main: log_file = "/var/log/radius/radius.log"
> > main: log_auth = no
> > main: log_auth_badpass = no
> > main: log_auth_goodpass = no
> > main: pidfile = "/var/run/radiusd/radiusd.pid"
> > main: user = "radiusd"
> > main: group = "radiusd"
> > main: usercollide = no
> > main: lower_user = "no"
> > main: lower_pass = "no"
> > main: nospace_user = "no"
> > main: nospace_pass = "no"
> > main: checkrad = "/usr/sbin/checkrad"
> > main: proxy_requests = yes
> > proxy: retry_delay = 5
> > proxy: retry_count = 3
> > proxy: synchronous = no
> > proxy: default_fallback = yes
> > proxy: dead_time = 120
> > proxy: post_proxy_authorize = no
> > proxy: wake_all_if_all_dead = no
> > security: max_attributes = 200
> > security: reject_delay = 1
> > security: status_server = no
> > main: debug_level = 0
> >read_config_files:  reading dictionary
> >read_config_files:  reading naslist
> >Using deprecated naslist file.  Support for this will go away soon.
> >read_config_files:  reading clients
> >read_config_files:  reading realms
> >radiusd:  entering modules setup
> >Module: Library search path is /usr/lib
> >Module: Loaded exec
> > exec: wait = yes
> > exec: program = "(null)"
> > exec: input_pairs = "request"
> > exec: output_pairs = "(null)"
> > exec: packet_type = "(null)"
> >rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> >Module: Instantiated exec (exec)
> >Module: Loaded expr
> >Module: Instantiated expr (expr)
> >Module: Loaded PAP
> > pap: encryption_scheme = "crypt"
> > pap: auto_header = no
> >Module: Instantiated pap (pap)
> >Module: Loaded CHAP
> >Module: Instantiated chap (chap)
> >Module: Loaded MS-CHAP
> > mschap: use_mppe = yes
> > mschap: require_encryption = no
> > mschap: require_strong = no
> > mschap: with_ntdomain_hack = no
> > mschap: passwd = "(null)"
> > mschap: ntlm_auth = "(null)"
> >Module: Instantiated mschap (mschap)
> >Module: Loaded System
> > unix: cache = no
> > unix: passwd = "(null)"
> > unix: shadow = "(null)"
> > unix: group = "(null)"
> > unix: radwtmp = "/var/log/radius/radwtmp"
> > unix: usegroup = no
> > unix: cache_reload = 600
> >Module: Instantiated unix (unix)
> >Module: Loaded eap
> > eap: default_eap_type = "md5"
> > eap: timer_expire = 60
> > eap: ignore_unknown_eap_types = no
> > eap: cisco_accounting_username_bug = no
> >rlm_eap: Loaded and initialized type md5
> >rlm_eap: Loaded and initialized type leap
> > gtc: challenge = "Password: "
> > gtc: auth_type = "PAP"
> >rlm_eap: Loaded and initialized type gtc
> > mschapv2: with_ntdomain_hack = no
> >rlm_eap: Loaded and initialized type mschapv2
> >Module: Instantiated eap (eap)
> >Module: Loaded preprocess
> > preprocess: huntgroups = "/etc/raddb/huntgroups"
> > preprocess: hints = "/etc/raddb/hints"
> > preprocess: with_ascend_hack = no
> > preprocess: ascend_channels_per_line = 23
> > preprocess: with_ntdomain_hack = no
> > preprocess: with_specialix_jetstream_hack = no
> > preprocess: with_cisco_vsa_hack = no
> > preprocess: with_alvarion_vsa_hack = no
> >Module: Instantiated preprocess (preprocess)
> >Module: Loaded realm
> > realm: format = "suffix"
> > realm: delimiter = "@"
> > realm: ignore_default = no
> > realm: ignore_null = no
> >Module: Instantiated realm (suffix)
> >Module: Loaded files
> > files: usersfile = "/etc/raddb/users"
> > files: acctusersfile = "/etc/raddb/acct_users"
> > files: preproxy_usersfile = "/etc/raddb/preproxy_users"
> > files: compat = "no"
> >[/etc/raddb/users]:65 WARNING! Check item "MS-CHAP-Use-NTLM-Auth" found in
> >reply item list for user "wifiuser". This attribute MUST go on the first
> >line with the other check items

Re: Disabling Single - User Based SQL lookups.

2007-05-17 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> Just a little one, would be useful to be able to disable the individual
> user lookup, and go straight to the group lookup... would save an SQL 
> query ... (SQL queries being quite expensive).

  Have you tried setting the query to an empty string?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Disabling Single - User Based SQL lookups.

2007-05-17 Thread Arran Cudbard-Bell
Hi,

Just a little one, would be useful to be able to disable the individual 
user lookup, and go straight to the group lookup... would save an SQL 
query ... (SQL queries being quite expensive).

Thanks,
Arran




Problem with windows 802.1x client freeradius & digicert wildcard certificate

2007-05-17 Thread Phil Brown
-BEGIN PGP SIGNED MESSAGE-

I have a problem with getting freeradius 116 to work with our digicert wildcard 
certificate
from winxp & vista 802.1x clients.
Everything works fine with other clients & everything works fine if I use a 
self signed certificate.
I have trawled through the list history & have taken all the actions that I 
found suggested 
(applying hotfixes) but have made no progress, any suggestions would be 
appreciated.


rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
  eaptls_process returned 7 
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied  
TLS Alert read:fatal:access denied 
rlm_eap_peap: No data inside of the tunnel.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 6
modcall: leaving group authenticate (returns invalid) for request 6


Phil Brown
Lan support
Room 2-04 Halpern House
ISO department
University of Portsmouth
-BEGIN PGP SIGNATURE-
Version: PGPfreeware 5.0i OS/2 for non-commercial use
Comment: PGP 5.0 for OS/2
Charset: cp850

wsBVAwUBRkwbkx8HY4rdc96FAQH4ggf/QSiD/5v30HOSGQwRPLcTYq8deJWjlNKl
V3qtLrq6JiPRbPxPoQqrq5//euqec1Az8WgC8VJLzcgU6pBa9+OLp+CXBseHDU2N
MyCz0vXFD4MdKCDzVt5fPcobhyCULS72pUiTG/GN/BUKdMBzi45lHTM7A2iI9k5V
q5VSK7PRG5TKXu7uNW157VGhxKx7ATo3ghlgIVBbTta/qgjz42wyL9m/pzX22UrB
NVJFfBJD2JvvxMHZXGOMhLer5Bi26s4lCiIEO3dgym7pqbXW+k8egjX6H0EKdseQ
LCPvGLIobaYLGCRgqOR+XrVgK9dgUnPqTId6AihpOmKFJ0xntPSfUw==
=ToEW
-END PGP SIGNATURE-



wildcard.str
Description: Binary data

Re: Client-IP-Address not logged in detail

2007-05-17 Thread Arran Cudbard-Bell

> it looks like that the attribute is not added:
> >>>DEBUG
> rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in
> request, unique ID MAY be inconsistent
> >>>DEBUG
>


Yep I noticed this too, trying to create unique accounting strings with 
Client-IP-Address / Packet-Src-IP-Address...

Just doesn't work.

--
Arran



Client-IP-Address not logged in detail

2007-05-17 Thread Milan Holub
Hi Alan,

despite the note in radiusd.conf:
...
#  It also adds the %{Client-IP-Address} attribute to the request.
preprocess
...

it looks like that the attribute is not added:
>>>DEBUG
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in
request, unique ID MAY be inconsistent
>>>DEBUG

and I do not find it in the detail file either (where I would need it for
radrelaying).

Apparently the attribute is available since I've written following dummy
instance of attr_rewrite module to add the attribute to detail file:
...from modules{}:
attr_rewrite add_clientip {
attribute = Client-IP-Address
searchin = packet
searchfor = ".*"
replacewith = "%{Client-IP-Address}"
new_attribute = yes
max_matches = 1
append = no
}

and in accounting{} I have:
...
# add Client-IP-Address (fix)
add_clientip

# create detail file for radrelay(1.X binary)
radrelay-detail

I've compiled --without-udpfromto option - not sure whether it might
have any impact.

Is there something screwed with my config or the Client-IP-Address
attribute is really missing?

Thanks for reply.

Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--


Re: freeradius + pap + md5 (or encrypt) problem

2007-05-17 Thread tnt
Allow only PAP on clients. For Win XP:

Go to Network Connections and open Properties for this connection.

Select Security tab

Click on Advanced radio button, and then on Settings button

Leave only PAP ticked

Click OK to set it

That's what you can do from the client side. If you have control over the
NAS, then set it to accept only PAP authentication. If you can do that,
all clients will "listen" and use only PAP. In that case there is no
need to configure anything on the client.

Ivan Kalik
Kalik Informatika ISP


On 17/5/2007, "vik" <[EMAIL PROTECTED]> wrote:

>How do i tell my users not to send CHAP-Password ?
>
>Is pap allowed in the authorize section in 1.1.6 ?
>
>Thank you for the fastest answer i've ever expected !
>
>- Original Message 
>From: Peter Nixon <[EMAIL PROTECTED]>
>To: FreeRadius users mailing list 
>Sent: Thursday, May 17, 2007 10:28:34 AM
>Subject: Re: freeradius + pap + md5 (or encrypt) problem
>
>On Thu 17 May 2007, vik wrote:
>> Hello,
>>
>> I have server version 1.1.3.
>
>Please update to 1.1.6
>
>> I would like to be able to store encrypted passwords on my computer, but I
>> can't. I've read about everything dealing with this problem, but still I
>> cannot manage to succeed.
>>
>> In my users file I have
>>
>> DEFAULT Auth-Type := PAP
>> Fall-Through = Yes
>
>This bit is not necessary..
>
>> gogo User-Password := "my_encrypted_password_using_md5"
>>
>>
>> Here I've tried also with Crypt-Password, but it doesn't work either.
>
>You do need to use Crypt-Password...
>
>> Still I have in the debugs:
>> Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot
>> use "CHAP-Password".
>>
>> Why is rlm_pap receiving a CHAP-Password argument? I don't understand, I
>> have disabled all CHAP options in the radiusd.conf.
>
>Because your users are sending you CHAP passwords. If you don't support them,
>tell your users to use PAP instead..
>
>
>--
>
>Peter Nixon
>http://www.peternixon.net/
>PGP Key: http://www.peternixon.net/public.asc


freeradius + pap + md5 (or encrypt) problem

2007-05-17 Thread vik


How do I tell my users not to send CHAP-Password?

Is PAP allowed in the authorize section in 1.1.6?

Thank you for the fastest answer I've ever expected!

- Original Message 
From: Peter Nixon <[EMAIL PROTECTED]>
To: FreeRadius users mailing list 
Sent: Thursday, May 17, 2007 10:28:34 AM
Subject: Re: freeradius + pap + md5 (or encrypt) problem

On Thu 17 May 2007, vik wrote:
> Hello,
>
> I have server version 1.1.3.

Please update to 1.1.6

> I would like to be able to store encrypted passwords on my computer, but I
> can't. I've read about everything dealing with this problem, but still I
> cannot manage to succeed.
>
> In my users file I have
>
> DEFAULT Auth-Type := PAP
> Fall-Through = Yes

This bit is not necessary..

> gogo User-Password := "my_encrypted_password_using_md5"
>
>
> Here I've tried also with Crypt-Password, but it doesn't work either.

You do need to use Crypt-Password...

> Still I have in the debugs:
> Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot
> use "CHAP-Password".
>
> Why is rlm_pap receiving a CHAP-Password argument? I don't understand, I
> have disabled all CHAP options in the radiusd.conf.

Because your users are sending you CHAP passwords. If you don't support them,
tell your users to use PAP instead..


-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: radiusd, radtest, radclient

2007-05-17 Thread tnt
radtest and radclient are used to test server configuration. Once you get
their requests accepted and correct parameters returned you start
testing with "real" clients.

Ivan Kalik
Kalik Informatika ISP


On 17/5/2007, "leebra girl" <[EMAIL PROTECTED]> writes:

>I have a pptpd connection and I want to implement it with RADIUS, but actually I'm
>still confused by 3 arguments, that is radiusd, radclient, and radtest.
>I read the manual page about that; I think radiusd works on the server side..??
>And radclient and radtest are used for the user to connect into the radius
>server?? Is that right??
>
>But my client is Windows XP; how can I use radclient and radtest for
>that???
>
>thanks
>
>



SQL query in Pre-Proxy

2007-05-17 Thread Ashraf Al-Basti
Dear all,
I want to use FreeRADIUS as a proxy server for more than one domain, but I
need to do some query on the DB before proxying.
I have a DB that contains the username, the telephone number and the
domain for that user. I want to do a query to check that data; if it
matches, do the proxy, if not, cancel the proxy.
Please advise...


Re: freeradius + pap + md5 (or encrypt) problem

2007-05-17 Thread Peter Nixon
On Thu 17 May 2007, vik wrote:
> Hello,
>
> I have server version 1.1.3.

Please update to 1.1.6

> I would like to be able to store encrypted passwords on my computer, but I
> can't. I've read about everything dealing with this problem, but still I
> cannot manage to succeed.
>
> In my users file I have
>
> DEFAULT Auth-Type := PAP
> Fall-Through = Yes

This bit is not necessary..

> gogo User-Password := "my_encrypted_password_using_md5"
>
>
> Here I've tried also with Crypt-Password, but it doesn't work either.

You do need to use Crypt-Password...

> Still I have in the debugs:
> Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot
> use "CHAP-Password".
>
> Why is rlm_pap receiving a CHAP-Password argument? I don't understand, I
> have disabled all CHAP options in the radiusd.conf.

Because your users are sending you CHAP passwords. If you don't support them,
tell your users to use PAP instead..


-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
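An added example, not code from this thread or from FreeRADIUS, showing why rlm_pap can check a PAP User-Password against a stored hash (Crypt-Password) but cannot verify a CHAP-Password without the cleartext: the CHAP response is MD5(ident || secret || challenge) per RFC 1994, so the server must hold the secret itself. The salted SHA-256 stand-in for the crypt(3) string, the dictionary-shaped records and requests, and the sample values are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed layouts: CHAP-Password carries one CHAP ident byte followed by the
# 16-byte MD5 response (RFC 2865 section 5.3); CHAP-Challenge is the challenge
# the NAS gave the client. "Cleartext-Password" stands for the cleartext entry,
# which the 1.x users file in the thread writes as User-Password := "...".

def chap_response(ident, cleartext, challenge):
    """RFC 1994 response: MD5(ident || secret || challenge). Needs the secret in clear."""
    return hashlib.md5(bytes([ident]) + cleartext + challenge).digest()

def hash_password(cleartext, salt=None):
    """Stand-in for the crypt(3) string stored in Crypt-Password (salted SHA-256 here)."""
    salt = salt or os.urandom(8)
    return salt.hex() + "$" + hashlib.sha256(salt + cleartext).hexdigest()

def verify_pap(stored, submitted):
    """PAP delivers the cleartext in User-Password, so a one-way hash is enough."""
    salt_hex, digest = stored.split("$", 1)
    calc = hashlib.sha256(bytes.fromhex(salt_hex) + submitted).hexdigest()
    return hmac.compare_digest(calc, digest)

def verify_chap(cleartext, challenge, chap_password):
    """CHAP: recompute the response, which is only possible from the cleartext."""
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, cleartext, challenge), response)

def authenticate(record, request):
    """Decide the way rlm_pap does; returns (accepted, reason)."""
    if "User-Password" in request:                       # PAP request
        if "Crypt-Password" in record:
            return verify_pap(record["Crypt-Password"], request["User-Password"]), "pap/crypt"
        if "Cleartext-Password" in record:
            ok = hmac.compare_digest(record["Cleartext-Password"], request["User-Password"])
            return ok, "pap/cleartext"
    elif "CHAP-Password" in request:                     # CHAP request
        if "Cleartext-Password" not in record:
            # The situation behind the log line quoted in the thread: a hash cannot answer CHAP.
            return False, 'Attribute "Password" is required. Cannot use "CHAP-Password".'
        ok = verify_chap(record["Cleartext-Password"], request["CHAP-Challenge"],
                         request["CHAP-Password"])
        return ok, "chap/cleartext"
    return False, "no usable password attribute"

if __name__ == "__main__":
    pw = b"s3cret"  # constructed sample password
    print(authenticate({"Crypt-Password": hash_password(pw)}, {"User-Password": pw}))
```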


freeradius + pap + md5 (or encrypt) problem

2007-05-17 Thread vik
Hello,

I have server version 1.1.3.

I would like to be able to store encrypted passwords on my computer, but I
can't.
I've read about everything dealing with this problem, but still I cannot manage
to succeed.

In my users file I have

DEFAULT Auth-Type := PAP
Fall-Through = Yes

gogo User-Password := "my_encrypted_password_using_md5"


Here I've tried also with Crypt-Password, but it doesn't work either.

Still I have in the debugs:
Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use
"CHAP-Password".

Why is rlm_pap receiving a CHAP-Password argument? I don't understand, I have
disabled all CHAP options in the radiusd.conf.

Here i have my radiusd.conf:
http://bozadjiev.free.fr/files/radiusd.conf

and users file:
http://bozadjiev.free.fr/files/users


Thank you for the time you'll spend reading, regards.




   
