Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-28 Thread anoop_c
Hi all
 I have two queries.
1
  I have changed log_auth = yes.
Still I am not able to get logs. Please find my configs:
  prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = /usr/local/var/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = /usr/local/var/log/radius/radius.log

log_stripped_names = no

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = yes

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct

2 While I am using Navis Radius, there will be one users file where you have to
add all usernames. In FreeRADIUS, without adding the username, the
authentication is also working. I would like to have a users file so that only the
users specified in it will authenticate. What config change should I make for
the same?
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Free Radius

2007-05-28 Thread Bob Irwin
Hi,

I'm a serious Newb with Radius, and I have a question regarding support
for "Pool Hint".  This is supported under "Radiator" (a radius server we
use elsewhere on our network), and we need to replicate it in FreeRADIUS
for a much smaller application.  I'm wondering if FreeRADIUS supports it
at all.

We are running FreeRADIUS version 1.0.1 on Redhat.  Google doesn't show
me much at all, so I'm thinking if "Pool Hint" is supported, it might be
under a different name.

Any help/advice is appreciated.

Thanks,

Bob



Re: Free Radius

2007-05-28 Thread Alan Dekok
Bob Irwin wrote:
> I'm a serious Newb with Radius, and I have a question regarding support
> for "Pool Hint".  This is supported under "Radiator" (a radius server we
> use elsewhere on our network), and we need to replicate it in FreeRADIUS
> for a much smaller application.  I'm wondering if FreeRADIUS supports it
> at all.

  What's a "Pool Hint" ?

  It would help to explain what you're trying to do, rather than using
product-specific terminology.

> We are running FreeRADIUS version 1.0.1 on Redhat.  Google doesn't show
> me much at all, so I'm thinking if "Pool Hint" is supported, it might be
> under a different name.

  Why are you using 1.0.1?  1.1.6 has been out for a while.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: problem connecting from windows xp to pptp server

2007-05-28 Thread tnt
Yes. Then that radius client is broken. You will need to sort it out with
the lot that made PPTP server. Post "Where's my password" question on
their list.

Ivan Kalik
Kalik Informatika ISP


Dana 28/5/2007, "Danny Milshtein" <[EMAIL PROTECTED]> piše:

>Hi,
>
>All the check options are checked.
>
>Maybe the PPTPD strips the CHAP-Password in some way ?
>
>Danny Milshtein
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]
>On Behalf Of [EMAIL PROTECTED]
>Sent: Sunday, May 27, 2007 9:05 PM
>To: FreeRadius users mailing list
>Subject: Re: problem connecting from windows xp to pptp server
>
>Yes. There is no password in your request:
>
>rad_recv: Access-Request packet from host 127.0.0.1:32787, id=39, length=69
>Service-Type = Framed-User
>Framed-Protocol = PPP
>User-Name = "danielmi"
>Calling-Station-Id = "192.168.8.244"
>NAS-IP-Address = 127.0.0.1
>NAS-Port = 0
>
>Check your connection properties and see if "Check for name, password
>etc." is ticked (Options tab).
>
>Ivan Kalik
>Kalik Informatika ISP


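The check Ivan applied by eye above, done programmatically: parse the attribute dump that follows each `rad_recv: Access-Request` line in `radiusd -X` output and report which credential attribute (User-Password, CHAP-Password, MS-CHAP, EAP-Message) the NAS actually sent, flagging requests that carry none. This is an added example, not code from the thread or from FreeRADIUS. The sample log lines are constructed to mirror the two requests quoted on this page (Danny's password-less PPTP request and the MS-CHAPv2 request from the "Newbie-quiz" thread), with the MS-CHAP hex values replaced by placeholders; the attribute-to-method table is this example's own assumption, not a FreeRADIUS API.

```python
"""Report which credential attribute each Access-Request in radiusd -X
debug output carries.  Added example; not from the thread or FreeRADIUS."""
import re
from dataclasses import dataclass, field

# Attribute that carries the client credential -> authentication method it
# implies.  Assumed mapping for this example, checked in the order listed.
CREDENTIAL_ATTRS = {
    "User-Password": "PAP",
    "CHAP-Password": "CHAP",
    "MS-CHAP-Response": "MS-CHAPv1",
    "MS-CHAP2-Response": "MS-CHAPv2",
    "EAP-Message": "EAP",
}

RAD_RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
ATTR = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$")


@dataclass
class Request:
    source: str          # "ip:port" of the NAS, as printed by rad_recv
    ident: int           # RADIUS packet identifier
    attrs: dict = field(default_factory=dict)

    def credential(self):
        """Return the auth method implied by the attributes, or None."""
        for name, method in CREDENTIAL_ATTRS.items():
            if name in self.attrs:
                return method
        return None


def parse_debug(text):
    """Split radiusd -X output into Requests with their attribute pairs.

    The attribute dump is the run of 'Name = value' lines directly under a
    rad_recv line; the first line that is not of that shape (for example
    'Processing the authorize section ...') ends it.
    """
    requests, current = [], None
    for line in text.splitlines():
        m = RAD_RECV.match(line)
        if m:
            current = Request(m.group(1), int(m.group(2)))
            requests.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = ATTR.match(line)
        if m:
            current.attrs[m.group(1)] = m.group(2).strip().strip('"')
        else:
            current = None          # end of this request's attribute dump
    return requests


def audit(text):
    """(packet id, method or finding) for every Access-Request in the dump."""
    return [(r.ident, r.credential() or "no credential attribute")
            for r in parse_debug(text)]


# Constructed sample mirroring the two requests quoted on this page; the
# MS-CHAP hex values are shortened placeholders, not real challenge data.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1:32787, id=39, length=69
\tService-Type = Framed-User
\tFramed-Protocol = PPP
\tUser-Name = "danielmi"
\tCalling-Station-Id = "192.168.8.244"
\tNAS-IP-Address = 127.0.0.1
\tNAS-Port = 0
  Processing the authorize section of radiusd.conf
rad_recv: Access-Request packet from host 10.0.5.1:56509, id=132, length=182
\tNAS-Identifier = "halon"
\tUser-Name = "test-system"
\tMS-CHAP-Challenge = 0x00000000
\tMS-CHAP2-Response = 0x01000000
  Processing the authorize section of radiusd.conf
"""

if __name__ == "__main__":
    for ident, finding in audit(SAMPLE):
        print(f"id={ident}: {finding}")
```

On a real capture, a NAS that keeps sending requests with no credential attribute at all is a client-side problem, as Ivan says: the server can only reject them, and no radiusd.conf setting will conjure the missing password.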

2.0.0-pre2 has "Magic feature number one" :)

2007-05-28 Thread Alan Dekok
  I've just committed a preliminary patch to add "magic feature #1" that
I've mentioned a few times.

  The feature is VMPS support. :)

...
listen {
type = vmps
ipaddr = 10.1.2.3
port = 1589
clients = vmps_clients
}

vmps_clients {
client foo {
ipaddr = 1.2.3.4
...
}
}
...

  The preliminary functionality is there.  It's not ready for production
use, but it can receive VMPS packets, and then complain that it doesn't
know what to do with them.

  The goal for 2.0.0 is to have full support for VMPS. :)

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Wiki

2007-05-28 Thread Arran Cudbard-Bell

> I was hoping for that type of page go in the Examples section.   
> Perhaps Cookbook might be a better name for the section.
>   
OK, would you mind changing the section name? Then I'll start adding a
few recipes.


Re: 2.0.0-pre1 - cannot build on FreeBSD

2007-05-28 Thread Nicolas Baradakis
David Wood wrote:

> I've put in quite a bit of work today towards porting 2.0.0-pre1 to 
> FreeBSD, with the intention of submitting a FreeRADIUS 2 port as soon as 
> possible.
> 
> Unfortunately, there's a problem which I don't have the autoconf skills 
> to patch quickly. When checking (and later attempting to use) net/if.h, 
> you need to #include sys/socket.h on FreeBSD to get the definition of 
> struct sockaddr.

Thanks for the report. I hope the following changes in CVS head will
solve the problem. (you also need to run autoconf)

Index: configure.in
===
RCS file: /source/radiusd/configure.in,v
retrieving revision 1.240
retrieving revision 1.241
diff -u -r1.240 -r1.241
--- configure.in28 May 2007 10:28:06 -  1.240
+++ configure.in28 May 2007 10:46:54 -  1.241
@@ -559,7 +559,6 @@
sys/security.h \
fcntl.h \
sys/fcntl.h \
-   net/if.h \
prot.h \
pwd.h \
grp.h \
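Review bot: dropping net/if.h from this plain AC_CHECK_HEADERS list is only safe because a separate check for the same header still produces the same result macro (HAVE_NET_IF_H), so existing guards in the sources keep working; worth stating in the commit message. The backslash-continued list stays syntactically intact after the removal, since `sys/fcntl.h \` now continues straight to `prot.h \`.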
@@ -567,6 +566,13 @@
siad.h
 )
 
+dnl FreeBSD requires sys/socket.h before net/if.h
+AC_CHECK_HEADERS(net/if.h, [], [],
+[#if HAVE_SYS_SOCKET_H
+# include 
+# endif
+])
+
 REGEX=no
 AC_CHECK_HEADER(regex.h, AC_DEFINE(HAVE_REGEX_H, [], [define this if we have 
the  header file]))
 if test "x$ac_cv_header_regex_h" = "xyes"; then
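Review bot: the prelude guard uses `#if HAVE_SYS_SOCKET_H` while the matching change in missing.h uses `#ifdef HAVE_SYS_SOCKET_H`; both work because autoconf either defines the macro as 1 or leaves it undefined, but `#ifdef` is consistent with the rest of the tree and avoids -Wundef noise. The line `# include ` shows no header name in the archived hunk (the angle-bracketed name has evidently been stripped); given the comment `FreeBSD requires sys/socket.h before net/if.h`, confirm the committed line reads `# include <sys/socket.h>`. This check also only helps if sys/socket.h has already been tested earlier in configure.in so that HAVE_SYS_SOCKET_H is set when the prelude is evaluated; sys/socket.h is not in the visible part of the header list, so verify the ordering.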
Index: src/include/missing.h
===
RCS file: /source/radiusd/src/include/missing.h,v
retrieving revision 1.35
retrieving revision 1.36
diff -u -r1.35 -r1.36
--- src/include/missing.h   25 May 2007 09:57:15 -  1.35
+++ src/include/missing.h   25 May 2007 09:58:26 -  1.36
@@ -50,6 +50,10 @@
 #include 
 #endif
 
+#ifdef HAVE_SYS_SOCKET_H
+#include 
+#endif
+
 #ifdef HAVE_UNISTD_H
 #include 
 #endif
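Review bot: the added `#include` carries no header name in the archived hunk; from the configure.in change it should be `<sys/socket.h>`, so check the committed file. For the FreeBSD fix to take effect this block must come before any `#include <net/if.h>` in missing.h, and that include is outside the visible context, so its placement needs checking too. The `#ifdef` guard here is the right style; the configure.in prelude uses `#if` for the same macro and would be better made consistent.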

-- 
Nicolas Baradakis


Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-28 Thread tnt
Post the radiusd -X output of a user not in the users file being accepted.

Ivan Kalik
Kalik Informatika ISP



Re: 2.0.0-pre2 has "Magic feature number one" :)

2007-05-28 Thread Arran Cudbard-Bell
Alan Dekok wrote:
>   I've just committed a preliminary patch to add "magic feature #1" that
> I've mentioned a few times.
>
>   The feature is VMPS support. :)
>
> ...
>   listen {
>   type = vmps
>   ipaddr = 10.1.2.3
>   port = 1589
>   clients = vmps_clients
>   }
>
>   vmps_clients {
>   client foo {
>   ipaddr = 1.2.3.4
>   ...
>   }
>   }
> ...
>
>   The preliminary functionality is there.  It's not ready for production
> use, but it can receive VMPS packets, and then complain that it doesn't
> know what to do with them.
>
>   The goal for 2.0.0 is to have full support for VMPS. :)
>
>   
Neat, unfortunately only Cisco switches seem to support it, and we run
entirely on HP ProCurves.
Guess it means people will no longer have to use OpenVMPS to proxy :)

--
Arran



Newbie-quiz: Can't get authentication to work.

2007-05-28 Thread Giobbi Piero

Hello all.

Just started out with Freeradius and got it installed and working  
(Debian Etch, FR 1.1.4).


I've hooked up our firewall to authenticate to the FR server and the "link"
works, so I guess the basics are OK. Now I have added a user in the
system and in the Users-file:


test-system   Auth-Type := System, User-Password == "test-system"
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 10.0.5.7,
   Framed-IP-Netmask = 255.255.255.0,
   Framed-Routing = Broadcast-Listen,
   Framed-Filter-Id = "std.ppp",
   Framed-MTU = 1500,
   Fall-Through = yes,
   Framed-Compression = Van-Jacobsen-TCP-IP

When I connect to my FR-server I get this:
rad_recv: Access-Request packet from host 10.0.5.1:56509, id=132, length=182
NAS-Identifier = "halon"
NAS-IP-Address = 10.0.5.1
Message-Authenticator = 0x3f0dd3b6a7a3fd31e874e22721f5073d
NAS-Port = 0
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "10.0.8.184"
User-Name = "test-system"
MS-CHAP-Challenge = 0xbb1e68a886add6f65e6e9af66c709bfd
MS-CHAP2-Response = 0x01000a3194599cecfe61460a4942c9671fe7a5f8bab30f7bdf466407edd2d7be2e97969a1a918def8d2c

  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 0
rlm_realm: No '@' in User-Name = "test-system", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry test-system at line 101
users: Matched entry DEFAULT at line 185
users: Matched entry DEFAULT at line 204
users: Matched entry DEFAULT at line 216
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "unix" returns invalid for request 0
modcall: leaving group authenticate (returns invalid) for request 0
auth: Failed to validate the user.
Login incorrect: [test-system/] (from client halon port 0 cli 10.0.8.184)

Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 132 to 10.0.5.1 port 56509
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 132 with timestamp 465ab8d7


So, my firewall talks MS-CHAP, I haven't touched the radiusd.conf and
it's in there under authenticate {..

Now I'm stuck, I really don't know where else to look, tried
Google but everything pointed to this wonderful list! I tried to
change auth-type = Local but same problem. Maybe the problem lies here:


rlm_realm: No '@' in User-Name = "test-system", looking up realm NULL
rlm_realm: No such realm "NULL"

But I can't tell. Any thoughts, solutions, pointers in the right
direction are greatly appreciated!


Many thanks.

p


Re: Newbie-quiz: Can't get authentication to work.

2007-05-28 Thread tnt
You have forced Auth-Type System in your user configuration and have
overruled the server trying to (correctly) do MS-CHAP. Delete that
Auth-Type from the check line and it should work.

Ivan Kalik
Kalik Informatika ISP




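A small linter for the users file, as an added example that is not from the thread or from FreeRADIUS: it parses entries in the layout Giobbi posted (entry name plus comma-separated check items on the first line, indented reply items below) and reports check items that force `Auth-Type :=`, the setting Ivan identified as overriding the `Auth-Type = mschap` that rlm_mschap had already derived from the request. The item regex, the entry parser and the sample file (constructed from the thread's entry, with the corrected entry placed beside it) are this example's own assumptions about the format, not project code.

```python
"""Lint a FreeRADIUS users file for entries that force Auth-Type.

Added example; not from the thread or from FreeRADIUS.  A forced
'Auth-Type := System' sends the request to rlm_unix, which needs a
cleartext User-Password and so rejects an MS-CHAP request outright.
"""
import re

# One 'Attribute op value' item.  Two-character operators are listed before
# their one-character prefixes so ':=' is not read as ':' plus '='.  The
# value is either a quoted string or a bare token up to the next comma/EOL.
ITEM = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=|>|<)\s*'
    r'("[^"]*"|\S+?)\s*(?:,|$)'
)


def split_items(text):
    """'A := x, B == "y"' -> [("A", ":=", "x"), ("B", "==", "y")]."""
    return [(m.group(1), m.group(2), m.group(3).strip('"'))
            for m in ITEM.finditer(text)]


def parse_users(text):
    """Return one dict per entry: name, line number, check and reply items."""
    entries, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank lines and comments
        if raw[0].isspace():                  # indented: reply items
            if current is not None:
                current["reply"].extend(split_items(raw))
            continue
        parts = raw.split(None, 1)            # name, then the check items
        current = {
            "name": parts[0],
            "line": lineno,
            "check": split_items(parts[1]) if len(parts) > 1 else [],
            "reply": [],
        }
        entries.append(current)
    return entries


def lint_forced_auth_type(text):
    """(entry name, line, value) for every check item 'Auth-Type := ...'.

    A forced Auth-Type is not always wrong (Reject on a DEFAULT entry is a
    common legitimate use), so these are findings to review, not errors.
    """
    return [(e["name"], e["line"], value)
            for e in parse_users(text)
            for attr, op, value in e["check"]
            if attr == "Auth-Type" and op == ":="]


# Constructed sample: the entry from the thread, followed by the same entry
# with the forced Auth-Type removed so that rlm_mschap's choice stands.
SAMPLE_USERS = """\
# forced Auth-Type overrides what rlm_mschap set from the request
test-system\tAuth-Type := System, User-Password == "test-system"
\tService-Type = Framed-User,
\tFramed-Protocol = PPP,
\tFramed-IP-Address = 10.0.5.7,
\tFall-Through = yes,
\tFramed-Compression = Van-Jacobsen-TCP-IP

# corrected entry: only the password remains as a check item
test-system-fixed\tUser-Password == "test-system"
\tService-Type = Framed-User
"""

if __name__ == "__main__":
    for name, line, value in lint_forced_auth_type(SAMPLE_USERS):
        print(f"line {line}: entry {name!r} forces Auth-Type := {value}")
```

To run it against a live server, read /etc/raddb/users (or whatever `files: usersfile` reports in `radiusd -X`) into `lint_forced_auth_type`; each finding is an entry that will ignore whatever authentication method the request actually carries.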

Re: 2.0.0-pre2 has "Magic feature number one" :)

2007-05-28 Thread Peter Nixon
On Mon 28 May 2007, Alan Dekok wrote:
>   I've just committed a preliminary patch to add "magic feature #1" that
> I've mentioned a few times.

Cool Waiting patiently for "magic feature #2" :-)

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-28 Thread anoop_c
Hi
  Please find the output of radiusd -X. Also the log file is not coming.

  [EMAIL PROTECTED] sbin]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/1x/07xwifi.pem"
 tls: certificate_file = "/etc/1x/07xwifi.pem"
 tls: CA_file = "/etc/1x/root.pem"
 tls: private_key_password = "password"
 tls: dh_file = "/etc/1x/DH"
 tls: random_file = "/etc/1x/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet f

Re: 2.0.0-pre2 has "Magic feature number one" :)

2007-05-28 Thread Alan Dekok
Arran Cudbard-Bell wrote:
> Neat , unfortunately only Cisco switches seem to support it, and we run 
> entirely on HP Procurves.
> Guess it means people will no longer have to use OpenVMPS to proxy :)

  Plus, OpenVMPS is not under active development, so there's no
maintainers.  It claims it's part of another project (that I won't
name), but that project includes the *binary* of OpenVMPS, and not the
source.  GPL concerns may apply...

  On top of that, the project is funded by a commercial company, as a
loss-leader for their commercial support, and the "community" that works
on it is limited to the employees of that company.  Good luck getting
patches added if they conflict with the corporate agenda...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Rlm_python - need documentation

2007-05-28 Thread UriCALL Support
Hi All,

I am in need of developing my own application using rlm_python. Can anybody 
inform me about some documentation available? From what I have found on 
Internet it looks like an isolate project with lack of users ... Anybody able 
to share the experience with me? Is it stable for production?

Thxs in advance,
Dan



Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-28 Thread tnt
This is EAP-TLS. This user has a valid user certificate and is accepted.
If you don't want to go via certificates but use user/password, use
EAP-TTLS with MS-CHAPv2 (or PAP or any other auth protocol).

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius-Proxied-To, radrelay and 2.0

2007-05-28 Thread Alan Dekok
Milan Holub wrote:
...
> ==> It works for me well (incoming accounting/authorization packet containing
> Freeradius-Proxied-To is no longer sent to the IP present as the value of the
> attribute); this might not work for home servers which listen on
> non-standard ports (due to dst_port being passed in to the home_server_find
> function)

  Yes.  And it's not

> ==> the patch might be useful for setups where you have some home_servers
> already on FR 2.0 but some of them still on FR 1.X

  I've committed a related patch, which handles servers with
non-standard ports.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius-Proxied-To, radrelay and 2.0

2007-05-28 Thread Alan Dekok
Milan Holub wrote:
> Firstly I wanted to put the entry into preproxy_users where it did not
> work properly: I could see that the realm was set correctly to "LOCAL"
> but at the same time there was an attempt to send the packet to remote
> home_server:
> Proxying request 0 to realm LOCAL, home server 
> port 1813

  preproxy_users cannot currently cancel proxying.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: 2.0.0-pre2 has "Magic feature number one" :)

2007-05-28 Thread A.L.M. Buxey
Hi,

>   Plus, OpenVMPS is not under active development, so there's no
> maintainers.  It claims it's part of another project (that I won't
> name), but that project includes the *binary* of OpenVMPS, and not the
> source.  GPL concerns may apply...

VMPS support in FreeRADIUS 2.0?  I'm *very* happy with that idea! ;-)

alan


Re: 2.0.0-pre2 has "Magic feature number one" :)

2007-05-28 Thread Alan Dekok
[EMAIL PROTECTED] wrote:
> VMPS support in FreeRADIUS 2.0?  I'm *very* happy with that idea! ;-)

  Yup.  It's there now.  I've done some simple tests, and it works.

  The new config unlanguage (I'm beginning to like that word) makes
testing it HUGELY easier.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: 2.0.0-pre2 has "Magic feature number one" :)

2007-05-28 Thread A . L . M . Buxey
Hi,
> [EMAIL PROTECTED] wrote:
> > VMPS support in FreeRADIUS 2.0?  I'm *very* happy with that idea! ;-)
> 
>   Yup.  It's there now.  I've done some simple tests, and it works.
> 
>   The new config unlanguage (I'm beginning to like that word) makes
> testing it HUGELY easier.

makes as much sense as this weird page:

http://www.geocities.com/m_valuedlets/T3M.html


certainly if we can examine the VMPS packets we should be able to control
and handle things a little bit easier - you've probably seen those
VMPS packets which aren't the device connections - eg the switch checking
VMPS server is alive..

alan


Re: 2.0.0-pre2 has "Magic feature number one" :)

2007-05-28 Thread Alan Dekok
[EMAIL PROTECTED] wrote:
> makes as much sense as this weird page:
> 
> http://www.geocities.com/m_valuedlets/T3M.html

  "exceeded limits"

> certainly if we can examine the VMPS packets we should be able to control
> and handle things a little bit easier - you've probably seen those
> VMPS packets which aren't the device connections - eg the switch checking
> VMPS server is alive..

  Yup.  See "dictionary.vqp" for the VMPS / VQP attributes.

  Updates as to what the heck they all mean, and sample configs are
always welcome.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Denying access without restarting radiusd

2007-05-28 Thread Emmanuel A Kwarteng
Hello All,

I have a freeradius v1.51 as can be seen below running on a linux server.

[EMAIL PROTECTED] raddb]# radclient -v
radclient: $Id: radclient.c,v 1.51 2002/10/28 21:11:29 aland Exp $ built on May 
 9 2003 at 09:18:10

I have included a file access.deny in the users file and want to deny access 
to all users in the access.deny file. What I have realised is that I have to 
restart radius any time I update this file. 

Can someone show me how to deny a set of users like this without restarting 
radius?

kwarteng

Re: Wiki

2007-05-28 Thread Doug Hardie
Done


On May 28, 2007, at 03:50, Arran Cudbard-Bell wrote:

>
>> I was hoping for that type of page go in the Examples section.
>> Perhaps Cookbook might be a better name for the section.
>>
> Ok, would you mind changing the section name? Then I'll start adding a
> few recipes.
>



JRS Service configurations + Wiki

2007-05-28 Thread Arran Cudbard-Bell
Alan D,

Would you mind having configuration documents for 3rd party services 
like JRS on the FreeRADIUS wiki?

Alan B,

Would JANET mind having configuration documents for JRS on the 
FreeRADIUS wiki?

It is meant to be a repository for everything FreeRADIUS after all ... 
and it's easier if all this stuff is in one place.
--
Arran


Re: JRS Service configurations + Wiki

2007-05-28 Thread A . L . M . Buxey
Hi,

> Alan D,
> 
> Would you mind having configuration documents for 3rd party services 
> like JRS on the FreeRADIUS wiki ?
> 
> Alan B,
> 
> Would JANET mind having configuration documents for  JRS on the 
> FreeRADIUS wiki ?
> 
> It is meant to be a repository for everything FreeRADIUS after all ... 
> and it's easier if all this stuff is in one place.

personally I would prefer such configuration to be on the JRS
support / UKERNA document site. What should be on the main
FR wiki is the fundamental 'how to proxy' and 'how to attribute filter'
type documents. I believe that special service cases could otherwise
overrun the freeradius site (as they do the freeradius users list)

alan


howto limit the acces of users

2007-05-28 Thread vik
Hello,

I would like to have for each user a time limit, for instance:

user1 4 hours
user2 2 hours/day
user3 unlimited
etc...

Thx in advance.

- Original Message 
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: FreeRadius users mailing list 
Sent: Thursday, May 17, 2007 11:08:12 AM
Subject: Re: freeradius + pap + md5 (or encrypt) problem

Allow only PAP on clients. For Win XP:

Go to Network Connections and open Properties for this connection.

Select Security tab

Click on Advanced radio button, and then on Settings button

Leave only PAP ticked

Click OK to set it

That's what you can do from the client side. If you have control over
NAS, then set it to accept only PAP authentication. If you can do that,
all clients will "listen" and use only PAP. In that case there is no
need to configure anything on the client.

Ivan Kalik
Kalik Informatika ISP


Dana 17/5/2007, "vik" <[EMAIL PROTECTED]> piše:

>How do i tell my users not to send CHAP-Password ?
>
>Is pap allowed in the authorize section in 1.1.6 ?
>
>Thank you for the fastest answer i've ever expected !
>
>- Original Message 
>From: Peter Nixon <[EMAIL PROTECTED]>
>To: FreeRadius users mailing list 
>Sent: Thursday, May 17, 2007 10:28:34 AM
>Subject: Re: freeradius + pap + md5 (or encrypt) problem
>
>On Thu 17 May 2007, vik wrote:
>> Hello,
>>
>> I have 1.1.3 server version.
>
>Please update to 1.1.6
>
>> I would like to be able to store encrypted passwords on my computer, but i
>> can't. I've read about everything dealing with this problem, but still i
>> cannot manage to succeed.
>>
>> In my users file i have
>>
>> DEFAULT Auth-Type := PAP
>> Fall-Through = Yes
>
>This bit is not necessary..
>
>> gogo User-Password := "my_encrypted_password_using_md5"
>> 
>>
>> Here i've tried also with Crypt-Password, but it doesn't work either.
>
>You do need to use Crypt-Password...
>
>> Still i have in the debugs:
>> Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot
>> use "CHAP-Password".
>>
>> Why is rlm_pap receiving an CHAP-Password argument, i don't understand, i
>> have disabled all chap options in the radiusd.conf.
>
>Because your users are sending you CHAP passwords. If you don't support them,
>tell your users to use PAP instead..
>
>
>--
>
>Peter Nixon
>http://www.peternixon.net/
>PGP Key: http://www.peternixon.net/public.asc



Re: howto limit the acces of users

2007-05-28 Thread tnt
Have a look at Login-Time, Session-Timeout and counters (daily and SQL
daily and monthly are in radiusd.conf).

user1 - Session-Timeout or no reset counter
user2 - daily counter or Login-Time (if it is particular time of day)

Ivan Kalik
Kalik Informatika ISP


Dana 28/5/2007, "vik" <[EMAIL PROTECTED]> piše:

>Hello,
>
>I would like to have for each user a time limit, for instance:
>
>user1 4 hours
>user2 2 hours/day
>user3 unlimited
>etc...
>
>Thx in advance.
>



howto limit the acces of users

2007-05-28 Thread vik
Ok, but when I create a new user using dialup admin, how do I define how long 
he can stay connected?

In the mysql db where could I find the correspondence User-Name <-> time spent 
or time left?
Is it stored in the db?

Sorry for all those stupid questions but I didn't manage to find any 
documentation on that, if you have a link in your mind :)

Thx once again.

>Have a look at Login-Time, Session-Timeout and counters (daily and SQL
>daily and monthly are in radiusd.conf).


>user1 - Session-Timeout or no reset counter
>user2 - daily counter or Login-Time (if it is particular time of day)

>Ivan Kalik
>Kalik Informatika ISP


>Dana 28/5/2007, "vik"  piše:

>>Hello,
>>

>>I would like to have for each user a time limit, for instance:
>>
>>user1 4 hours
>>user2 2 hours/day
>>user3 unlimited
>>etc...
>>
>>Thx in advance.
>>





   
Got
 a little couch potato? 
Check out fun summer activities for kids.
http://search.yahoo.com/search?fr=oni_on_mail&p=summer+activities+for+kids&cs=bz
 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: JRS Service configurations + Wiki

2007-05-28 Thread Peter Nixon
On Mon 28 May 2007, Arran Cudbard-Bell wrote:
> Alan D,
>
> Would you mind having configuration documents for 3rd party services
> like JRS on the FreeRADIUS wiki ?
>
> Alan B,
>
> Would JANET mind having configuration documents for  JRS on the
> FreeRADIUS wiki ?
>
> It is meant to be a repository for everything FreeRADIUS after all ...
> and it's easier if all this stuff is in one place.

I certainly have no problem with anything related to AAA being in the wiki as 
long as anything not part of FreeRADIUS itself is clearly labeled with a 
description of what it's for.

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: Rlm_python - need documentation

2007-05-28 Thread Peter Nixon
On Mon 28 May 2007, UriCALL Support wrote:
> Hi All,
>
> I am in need of developing my own application using rlm_python. Can
> anybody inform me about some documentation available? From what I have
> found on the Internet it looks like an isolated project with a lack of users ...
> Anybody able to share the experience with me? Is it stable for production?

Some patches went in recently to make it better based on code that reportedly 
has been running in production for over 12 months. YMMV.

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: 2.0.0-pre1 - cannot build on FreeBSD

2007-05-28 Thread David Wood
Hi Nicolas,

In message <[EMAIL PROTECTED]>, Nicolas 
Baradakis <[EMAIL PROTECTED]> writes
>David Wood wrote:
>
>> I've put in quite a bit of work today towards porting 2.0.0-pre1 to
>> FreeBSD, with the intention of submitting a FreeRADIUS 2 port as soon as
>> possible.
>>
>> Unfortunately, there's a problem which I don't have the autoconf skills
>> to patch quickly. When checking (and later attempting to use) net/if.h,
>> you need to #include sys/socket.h on FreeBSD to get the definition of
>> struct sockaddr.
>
>Thanks for the report. I hope the following changes in CVS head will
>solve the problem. (you also need to run autoconf)

That solves that problem - thanks. As you've committed that to the CVS 
head, the chances are that that problem is fixed for good - and it may 
help out on other BSD and BSD like operating systems.


Fortunately it's a two line change in the port's Makefile to delete 
configure after applying the patch and run configure.in through autoconf 
2.61 - though if I don't need to do that, I don't, as it means that the 
port doesn't force systems without autoconf 2.61 to build and install 
autoconf.

That said, there's a problem in the 1.x port that I want to fix in 2.x 
(and eventually backport to 1.x) which will require me to patch 
configure.in - so I'll probably finish up depending on autoconf anyway.



Back to 2.0.0-pre1. Fixing that problem reveals another problem - 
src/lib/getaddrinfo.c (a new file in 2.x) attempts to redefine 
gethostbyaddr_r():

/usr/local/bin/libtool --mode=compile cc  -O -pipe -march=pentium3 
-I/usr/local/include -L/usr/local/lib -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS 
-I/var/ports/usr/ports_updated/net/freeradius2/work/freeradius-server-2.0
.0-p
re1/src -c getaddrinfo.c
  cc -O -pipe -march=pentium3 -I/usr/local/include -L/usr/local/lib 
-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG 
-D_LIBRADIUS 
-I/var/ports/usr/ports_updated/net/freeradius2/work/freeradius-server-2.0
.0-pre1/src -c getaddrinfo.c  -fPIC -DPIC -o .libs/getaddrinfo.o
getaddrinfo.c:159: error: conflicting types for 'gethostbyaddr_r'
/usr/include/netdb.h:225: error: previous declaration of 
'gethostbyaddr_r' was here
getaddrinfo.c:159: error: conflicting types for 'gethostbyaddr_r'
/usr/include/netdb.h:225: error: previous declaration of 
'gethostbyaddr_r' was here
getaddrinfo.c:26: warning: 'lrad_hostbyname' defined but not used
getaddrinfo.c:28: warning: 'lrad_hostbyname_mutex' defined but not used
getaddrinfo.c:159: warning: 'gethostbyaddr_r' defined but not used
gmake[4]: *** [getaddrinfo.lo] Error 1


There's a comment in configure.in, at line 900 (after applying your 
patch), about Tru64 having a BSD style gethostbyaddr_r() function that's 
thread safe. The same is true of FreeBSD now - the BSD style 
gethostbyaddr_r() function is thread safe on FreeBSD since at least 
FreeBSD 4.11. FreeBSD 4.x is now end of life, and the only supported 
versions of FreeBSD are 5.x and 6.x - with 7.x under development, so that 
means all supported (and even some legacy) versions of FreeBSD have a 
thread safe (but three argument BSD style) function built in.

The FreeBSD ports system has dropped support for 4.x, but I haven't 
removed the 4.x specific stuff from the FreeRADIUS 1.x port. I'm not 
going to support 4.x on FreeRADIUS 2.x, however - I would be very 
unlikely to get any new port with 4.x support committed now.

 is the reference to the 
appropriate man page - see the second paragraph under BUGS for the 
reference to thread safety.


The prototype for gethostbyaddr_r is included via #include , 
which configure is picking up as available on FreeBSD. That's the same 
header as the C compiler is flagging up in the errors.


I suspect this problem will affect all other systems which finish up the 
configure run with #define GETHOSTBYADDRRSTYLE BSDSTYLE in confdefs.h 
and that also have a prototype for the built-in gethostbyaddr_r() in 
netdb.h (or another header file that FreeRADIUS finishes up #including). 
The logic in src/lib/getaddrinfo.c makes this attempted redefinition 
near certain on many BSD and BSD-like systems:

#undef LOCAL_GETHOSTBYADDRR
#ifndef GETHOSTBYADDRRSTYLE
#define LOCAL_GETHOSTBYADDRR 1
#elif (GETHOSTBYADDRRSTYLE != SYSVSTYLE) && (GETHOSTBYADDRRSTYLE != GNUSTYLE)
#define LOCAL_GETHOSTBYADDRR 1
#endif /* GETHOSTBYADDRRSTYLE */

If GETHOSTBYADDRRSTYLE is BSDSTYLE, LOCAL_GETHOSTBYADDRR is #defined to 
1, which means the block of code around line 180 that begins #ifdef 
LOCAL_GETHOSTBYADDRR will be compiled, attempting to redefine 
gethostbyaddr_r(). However, if GETHOSTBYADDRRSTYLE is BSDSTYLE rather 
than not defined, the chances are that you've already #included the 
header that contains the prototype for the system gethostbyaddr_r().



As an aside, FreeBSD 6.2-RELEASE-p4 i386, whic

Re: JRS Service configurations + Wiki

2007-05-28 Thread Arran Cudbard-Bell
Peter Nixon wrote:
> On Mon 28 May 2007, Arran Cudbard-Bell wrote:
>   
>> Alan D,
>>
>> Would you mind having configuration documents for 3rd party services
>> like JRS on the FreeRADIUS wiki ?
>>
>> Alan B,
>>
>> Would JANET mind having configuration documents for  JRS on the
>> FreeRADIUS wiki ?
>>
>> It is meant to be a repository for everything FreeRADIUS after all ...
>> and it's easier if all this stuff is in one place.
>> 
>
> I certainly have no problem with anything related to AAA being in the wiki as 
> long as anything not part of FreeRADIUS itself is clearly labeled with a 
> description of what it's for.
>
> Cheers
>   
Ok ...
There's no reason why the wiki can't cross link to the Janet Roaming 
Service site for configuration pages.

Added basic HP configuration pages to the wiki, and cleaned up the 
configuration page.
Looks all perty now :)

Will add stuff on the nt passwords tomorrow, as I need the ldap schema 
definition.
Fortunately the stuff that I wrote for our own wiki (PMWiki) seems to 
use most (not all) the formatting rules of MediaWiki.


Re: howto limit the acces of users

2007-05-28 Thread tnt
I have no idea, since I don't use dialup admin, but looking at this:

http://www.freeradius.org/dialupadmin.html

you should be able to do it all with that. User radius settings
administration is where you can sort out attributes and main page should
give you info about time used.

In MySQL, setting your limit is defined by the counter attribute
Max-whatever and time spent is contained in radacct table. Time left is
calculated by subtracting time spent and used to dynamically set
Session-Timeout attribute at logon.

Ivan Kalik
Kalik Informatika ISP


Dana 28/5/2007, "vik" <[EMAIL PROTECTED]> piše:

>Ok, but when I create a new user using dialup admin, how do I define how long 
>he can stay connected?
>
>In the mysql db where could I find the correspondence User-Name <-> time spent 
>or time left?
>Is it stored in the db ?
>
>Sorry for all those stupid questions but i didn't manage to find any 
>documentation on that, if you have a link in your mind :)
>
>Thx once again.
>



Re: 2.0.0-pre1 - cannot build on FreeBSD

2007-05-28 Thread Nicolas Baradakis
David Wood wrote:

> As an aside, FreeBSD 6.2-RELEASE-p4 i386, which is the OS on my 
> development box, finishes up with #define GETHOSTBYNAMERSTYLE GNUSTYLE 
> in confdefs.h - so there won't be a similar problem with redefining 
> gethostbyname_r on FreeBSD - but there may be on other operating 
> systems.

This should be fixed in CVS, but unfortunately after the release
of 2.0.0-pre1. I think the problem you describe is the same as
bug #454 in the bugzilla.

http://bugs.freeradius.org/show_bug.cgi?id=454

-- 
Nicolas Baradakis



Re: 2.0.0-pre1 - cannot build on FreeBSD

2007-05-28 Thread David Wood
Hi Nicolas,

In message <[EMAIL PROTECTED]>, Nicolas 
Baradakis <[EMAIL PROTECTED]> writes
>David Wood wrote:
>
>> As an aside, FreeBSD 6.2-RELEASE-p4 i386, which is the OS on my
>> development box, finishes up with #define GETHOSTBYNAMERSTYLE GNUSTYLE
>> in confdefs.h - so there won't be a similar problem with redefining
>> gethostbyname_r on FreeBSD - but there may be on other operating
>> systems.
>
>This should be fixed in CVS, but unfortunately after the release
>of 2.0.0-pre1. I think the problem you describe is the same as
>bug #454 in the bugzilla.
>
>http://bugs.freeradius.org/show_bug.cgi?id=454


Thanks for the quick reply. That's a solution - but there's still 
arguably an underlying problem left here.

The reporter of bug #454 is quite correct - FreeBSD 6.2 has a 
gethostbyname_r() prototype and the corresponding code exists, whilst 
earlier versions of FreeBSD didn't have gethostbyname_r() (see 
 for 
the change in HEAD and 
 
for the change on RELENG_6).


The underlying problem that remains unfixed in 2.x following the patch 
in bug #454 is that if GETHOSTBYNAMERSTYLE is BSDSTYLE but there is 
already a definition of gethostbyname_r() in the headers that are being 
included by src/lib/getaddrinfo.c, you'll finish up with a compile error 
because of the attempt to redefine gethostbyname_r().

As the current state of configure.in means that this scenario is only 
likely on FreeBSD 6.2 and upwards and the patch in bug #454 deals with 
that problem, you can argue that the bug is closed and that's it.

However, I looked deeper into why the special case in the section of 
configure.in dealing with GETHOSTBYNAMERSTYLE for FreeBSD arose in the 
first place.



Checking back on the FreeRADIUS CVS server shows that this special case 
for FreeBSD in configure.in arose from a commit with the following log 
message:

revision 1.188
date: 2003/10/13 12:12:28;  author: phampson;  state: Exp;  lines: +11 -3
Override GETHOSTBYADDRSTYLE for FreeBSD to be BSD, to avoid stub 
GNU-style gethostbyaddr_r being linked in during configure, but not 
during build.


That relates to the thread on freeradius-users that started with 
.

My understanding based on that thread is that at some point early in the 
FreeBSD 5 line, there was a gethostbyname_r() symbol to link against, 
but no corresponding prototype. Whether gethostbyname_r() worked if you 
called it, I have no idea; FreeBSD 5.0 / 5.1 is pretty ancient now and 
long since unsupported. The mention of gethostbyaddr_r as a stub and the 
fact that it took until 6.2 for this to be available suggests that it 
didn't work in 5.1.

FreeBSD 5.5 is the latest and almost certainly the last release from the 
5.x line - most people have migrated now to 6.x, and many skipped 5.x 
completely for reasons that don't matter here.



FreeRADIUS 1.1.6 compiles just fine on FreeBSD 6.2-RELEASE - even though 
GETHOSTBYADDRRSTYLE is forced to BSDSTYLE on FreeBSD and there is a 
usable gethostbyaddr_r() function. However, FreeRADIUS 1.1.6 doesn't 
attempt to provide its own gethostbyaddr_r() function - instead, it uses 
the BSD style gethostbyaddr(), which on FreeBSD 4.11 and upwards (if not 
before) is thankfully thread safe.

At the very least, I would argue that the patch in bug #454 should be 
applied to the 1.1 branch - if FreeBSD 6.2-RELEASE has a working 
gethostbyaddr_r() function, shouldn't FreeRADIUS 1.1.x be using it?


For future robustness, rather than a version number check (it's just 
possible that FreeBSD 5.x will get a working gethostbyaddr_r(), much as 
I doubt it), here's an alternative patch to that in bug #454, using 
 
as my inspiration:

--- configure.in   Mon May 28 19:46:57 2007
+++ configure.inTue May 29 00:17:43 2007
@@ -904,9 +904,21 @@
  AC_MSG_CHECKING([gethostbyaddr_r() syntax])
  case "$host" in
  *-freebsd*)
+dnl With FreeBSD, check if there's a GNU style prototype for 
gethostbyaddr_r.
+dnl Some versions (FreeBSD 5.1?) have a symbol but no prototype - so we 
override this test to
+dnl BSDSTYLE. FreeBSD 6.2 and up have proper GNU style support.
+   freebsdmissingprototype=yes
+   AC_TRY_COMPILE([
+#include 
+#include 
+], [ gethostbyaddr_r(NULL, 0, 0, NULL, NULL, 0, NULL, NULL) ], [
+   freebsdmissingprototype=no
+])
+if test "$freebsdmissingprototype" = "yes"; then
 AC_DEFINE(GETHOSTBYADDRRSTYLE, BSDSTYLE, [style of 
gethostbyaddr_r functions ])
 gethostbyaddrrstyle=BSD
 AC_MSG_WARN([FreeBSD overridden to BSD-style])
+fi
 ;;
  esac
  if test "x$gethostbyaddrrstyle" = "x"; then
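Review bot: the AC_TRY_COMPILE probe in the `*-freebsd*` branch cannot reliably detect a missing prototype. It compiles a call, `gethostbyaddr_r(NULL, 0, 0, NULL, NULL, 0, NULL, NULL)`, and a C compiler with no declaration in scope will implicitly declare the function and accept the call (at most with a warning), so `freebsdmissingprototype` ends up `no` on exactly the systems the check is meant to catch and the BSDSTYLE override is never applied; the call only fails when a prototype does exist and its argument count differs, which is the opposite of the intended test. Probing the declaration itself (AC_CHECK_DECLS, or a body such as `(void) gethostbyaddr_r;` that is a hard error without a prior declaration) detects absence. The `dnl` comment also says it checks for a "GNU style prototype", which is a different question from "any prototype"; the comment should say which one the code decides.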



(with apologies that my mailer will mangle the tabs and possibly the 
line wraps - it's a good mailer but hopeless for patches).

T

Re: 2.0.0-pre1 - cannot build on FreeBSD

2007-05-28 Thread David Wood
In message <[EMAIL PROTECTED]>, David Wood 
<[EMAIL PROTECTED]> writes
>For future robustness, rather than a version number check (it's just
>possible that FreeBSD 5.x will get a working gethostbyaddr_r(), much as
>I doubt it), here's an alternative patch to that in bug #454, using
>
>as my inspiration:

Not only is that patch ugly - further testing proves that it's flawed.

I'll have another go at it tomorrow.



David
-- 
David Wood
[EMAIL PROTECTED]


Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-28 Thread anoop_c
Hi
   1 I know it's eap-tls and certificate based.
Earlier I was using Navis radius. In that, for eap-tls we have to add the 
certificate name to a specific user file.
 Like that, here also a user file is there; can I make use of the user file so 
that only that user gets authenticated?

  2 Logs are not happening. Any config changes required to get the same?
Regards
Anoop

>
> 
> Message: 2
> Date: Mon, 28 May 2007 15:07:06 +0100
> From: <[EMAIL PROTECTED]>
> Subject: Re: log file for free radius 1.1.6 eap-tls authentication
> To: "FreeRadius users mailing list"
>   
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-2
> 
> This is EAP-TLS. This user has a valid user certificate and is
> accepted.
> If you don't want to go via certificates but use user/password, use
> EAP-TTLS with MS-CHAPv2 (or PAP or any other auth protocol).
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
>
> 



RE: Denying access without restarting radiusd [SEC=UNCLASSIFIED]

2007-05-28 Thread Ranner, Frank MR
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Emmanuel A Kwarteng
Sent: Tuesday, 29 May 2007 00:42
To: freeradius-users@lists.freeradius.org
Subject: Denying access without restarting radiusd


Hello All,
 
I have a freeradius v1.51 as can be seen below running on a
linux server.
 
[EMAIL PROTECTED] raddb]# radclient -v
radclient: $Id: radclient.c,v 1.51 2002/10/28 21:11:29 aland Exp
$ built on May  9 2003 at 09:18:10

I have included a file access.deny in the users file and want
to deny access to all users in the access.deny file. What I have
realised is that I have to restart radius any time I update this file. 
 
Can someone show me how to deny a set of users like this without
restarting radius?
 
kwarteng

The sample users file supplied with radiusd shows an example of what you
want. You use an entry like:

DEFAULT Group == "disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."

And put users into group disabled (or sql-group, or ldap-group). The
point is, group membership is dynamically checked, while files are only
read at startup.

Regards,
Frank Ranner



Re: 2.0.0-pre1 - cannot build on FreeBSD

2007-05-28 Thread David Wood
Hi Nicolas (and everyone),

In message <[EMAIL PROTECTED]>, David Wood 
<[EMAIL PROTECTED]> writes
>In message <[EMAIL PROTECTED]>, David Wood
><[EMAIL PROTECTED]> writes
>>For future robustness, rather than a version number check (it's just
>>possible that FreeBSD 5.x will get a working gethostbyaddr_r(), much as
>>I doubt it), here's an alternative patch to that in bug #454, using
>>
>>as my inspiration:
>
>Not only is that patch ugly - further testing proves that it's flawed.
>
>I'll have another go at it tomorrow.

It didn't take until tomorrow - this looks better, and is tested and 
apparently working with autoconf 2.61.


Note - this patch is against 2.0.0-pre1, not CVS HEAD.

--- BEGIN ---
--- configure.inTue May 29 04:58:50 2007
+++ configure.inTue May 29 04:57:03 2007
@@ -904,9 +904,17 @@
  AC_MSG_CHECKING([gethostbyaddr_r() syntax])
  case "$host" in
  *-freebsd*)
-   AC_DEFINE(GETHOSTBYADDRRSTYLE, BSDSTYLE, [style of gethostbyaddr_r 
functions ])
-   gethostbyaddrrstyle=BSD
-   AC_MSG_WARN([FreeBSD overridden to BSD-style])
+dnl With FreeBSD, check if there's a prototype for gethostbyaddr_r.
+dnl Some versions (FreeBSD 5.1?) have a symbol but no prototype - so we 
override this test to
+dnl BSDSTYLE. FreeBSD 6.2 and up have proper GNU style support.
+   AC_CHECK_DECLS([gethostbyaddr_r], [], [
+   AC_DEFINE(GETHOSTBYADDRRSTYLE, BSDSTYLE, [style of 
gethostbyaddr_r functions ])
+   gethostbyaddrrstyle=BSD
+   AC_MSG_WARN([FreeBSD overridden to BSD-style])
+   ], [
+#include 
+#include 
+])
 ;;
  esac
  if test "x$gethostbyaddrrstyle" = "x"; then
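Review bot: the header list in the fourth argument of AC_CHECK_DECLS has to match what src/lib/getaddrinfo.c itself includes before its LOCAL_GETHOSTBYADDRR block, otherwise configure and the build can disagree about whether gethostbyaddr_r is declared, which is precisely the "conflicting types" error reported earlier in this thread; a `dnl` line saying the list is kept in sync with getaddrinfo.c would make that dependency visible to the next person who edits either file. Note also that AC_CHECK_DECLS defines HAVE_DECL_GETHOSTBYADDR_R to 0 or 1 in config.h on every platform, so getaddrinfo.c could guard its local definition on that macro directly rather than inferring it from GETHOSTBYADDRRSTYLE, which would close the same hole on any other system whose configure run ends with BSDSTYLE while netdb.h already declares the function.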
--- END ---

(with apologies once again about the lost tabs - a plain/text MIME 
attachment might keep them, but cut and paste means a tab is turned into 
8 spaces in my mailer)


As a check on functionality, I temporarily changed the name of the 
function in the first parameter of AC_CHECK_DECLS to garbage, which 
changed the behaviour of the code as I'd intended (verified by diffing 
config.log between the 'garbage' and normal runs).

What do you think? Do you agree that that's a better solution than the 
patch in bug #454?


Meanwhile, I think I've fixed the packaging list for the FreeRADIUS 2 
port on FreeBSD (and the script that generates it) - though this process 
did flag up one oddity. src/modules/rlm_eap/types/rlm_eap_psk is not 
built in 2.0.0-pre1. So far as I can tell, this is because Makefile.in 
is never turned into a Makefile. Is this intentional?

I'll continue to test as I find the time over the next few days - I need 
to port my configuration to FreeRADIUS 2.x, as well as check my port 
carefully.


Best wishes,




David
-- 
David Wood
[EMAIL PROTECTED]
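As an added example (not code from this thread or from the FreeRADIUS tree), the script below re-creates in plain shell the two configure probes compared in the two patches above, the call-compile test from the first and the declaration test from the second, and then applies the declaration result to the GETHOSTBYADDRRSTYLE decision David Wood walks through earlier in the thread; it assumes a C compiler reachable as $CC or cc, and the sys/types.h plus netdb.h header pair is an assumption standing in for whatever getaddrinfo.c includes.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS source.  Shows why a
# "does this call compile?" probe cannot detect a missing prototype while a
# "does this name denote something?" probe can, then mirrors the configure.in
# decision that follows from the declaration probe.
# Assumption: a C compiler is reachable as $CC or "cc".

CC="${CC:-cc}"

# Compile BODY inside main() with the remaining arguments as compiler flags.
# Returns 0 if it compiles, 1 if it does not, 2 if no compiler is available.
try_compile() {
    body="$1"; shift
    command -v "$CC" >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    {
        # assumed header pair; the real check must use getaddrinfo.c's list
        printf '%s\n' '#include <sys/types.h>' '#include <netdb.h>'
        printf 'int main(void) { %s return 0; }\n' "$body"
    } >"$dir/conftest.c"
    if "$CC" "$@" -c -o "$dir/conftest.o" "$dir/conftest.c" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# AC_CHECK_DECLS-style probe: "(void) sym;" names the symbol as an expression.
# With no declaration in scope that is a hard error in every C dialect, because
# implicit declaration only ever applies to function *calls*.
check_decl() {
    sym="$1"; shift
    try_compile "(void) $sym;" "$@"
}

# AC_TRY_COMPILE-of-a-call probe, as in the first patch.  -std=gnu89 selects
# the dialect in which an undeclared call is legal, so the probe "succeeds"
# for a symbol the libc does not declare at all, and can only fail when a
# prototype exists and the argument count is wrong.
check_call() {
    sym="$1"; shift
    try_compile "$sym();" -std=gnu89 "$@"
}

# Mirror of the configure.in logic: no declaration at all forces BSD style
# (thread-safe gethostbyaddr(), no _r variant); otherwise distinguish the
# GNU (8-argument) and SysV (7-argument) prototype shapes.
gethostbyaddr_r_style() {
    rc=0
    check_decl gethostbyaddr_r -D_GNU_SOURCE || rc=$?
    if [ "$rc" -eq 2 ]; then echo unknown; return 0; fi
    if [ "$rc" -eq 1 ]; then echo BSD; return 0; fi
    gnu='gethostbyaddr_r((const void *)0, 0, 0, (struct hostent *)0, (char *)0, 0, (struct hostent **)0, (int *)0);'
    sysv='gethostbyaddr_r((const char *)0, 0, 0, (struct hostent *)0, (char *)0, 0, (int *)0);'
    if try_compile "$gnu" -D_GNU_SOURCE; then
        echo GNU
    elif try_compile "$sysv" -D_GNU_SOURCE; then
        echo SYSV
    else
        echo unknown
    fi
}

# Demonstration: the call probe answers "no" for the real, declared function
# (argument count mismatch) and "yes" for a name that does not exist, i.e. it
# is inverted as a prototype test; the declaration probe answers correctly.
main() {
    for sym in gethostbyaddr_r no_such_function_added_example; do
        if check_decl "$sym" -D_GNU_SOURCE; then d=yes; else d=no; fi
        if check_call "$sym" -D_GNU_SOURCE; then c=yes; else c=no; fi
        printf '%-32s declared=%-3s call-compiles=%s\n' "$sym" "$d" "$c"
    done
    printf 'gethostbyaddr_r style: %s\n' "$(gethostbyaddr_r_style)"
}
main
```

On a glibc or musl system the last line reports GNU; a libc with no gethostbyaddr_r declaration at all reports BSD, which is the case the FreeBSD override in configure.in exists for.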


Re: Denying access without restarting radiusd [SEC=UNCLASSIFIED]

2007-05-28 Thread A . L . M . Buxey
Hi,

>   Hello All,
>
>   I have a freeradius v1.51 as can be seen below running on a
> linux server.

err, no.

You have radclient version 1.51 - the tools are at different
version levels. To check what version of freeradius, 

radiusd -v

>   Can someone show me how to deny a set of users like this without
> restarting radius?

SQL table...or maybe the hashed 'fastusers' file

alan