Re: EAP-TTLS PAP Mysql problems
> Hi, See in attach naslist, clients.conf and radius -xx log.

You don't have 127.0.0.1 in your clients.conf.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with OpenLDAP + FreeRADIUS
gosha-necr wrote:
> Hi all! I'm setting up Samba PDC (3.0.25a) + LDAP and I want users to connect to the internet through VPN using their LDAP credentials. I think it will be MPD + FreeRADIUS. But when I try to configure radius to work with ldap it gives me an error.
> I use this HOW-TO: http://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/radius.html
> This is my radiusd.conf: http://pastebin.ru/44057
> And when I try /usr/local/sbin/radiusd -X -A it tells me: http://pastebin.ru/44058

Check the permissions on the ldap.attrmap file, and on the raddb directory. Odds are you don't have permission to read the file.

Alan DeKok.
Re: radiusd stop responding. deadlock?
Thank you for your reply, Mr. DeKok.

> Use 1.1.6. It has a NUMBER of bugs fixed over 1.1.0.

OK, I will consider it, but 1.1.6 crashes when it receives SIGHUP ...

Hmmm... I think that the stopping responding at our site is similar to the following reports:

2007-February/060174.html
2006-March/051900.html

Are these problems resolved? Isn't "Port OpenSSL locking fixes from CVS head" (in ChangeLog for 1.1.5) related?

--- Alan DeKok [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
> > We are using freeradius 1.1.0 for PEAP authentication, and it is working well almost.
>
> Use 1.1.6. It has a NUMBER of bugs fixed over 1.1.0.
>
> > ...
> > (gdb) attach 10127
> > Attaching to program: /usr/dot1x/sbin/radiusd, process 10127
> > Symbols already loaded for /lib/libcrypt.so.1
> > (snip)...
> > 0x401998cc in pthread_mutex_trylock () from /lib/libpthread.so.0
> > (gdb) whrere
> > #0 0x401998cc in pthread_mutex_trylock () from /lib/libpthread.so.0
>
> If the code is blocking in the libc malloc() implementation, there isn't much that FreeRADIUS can do to fix that.
>
> Try upgrading to 1.1.6, and see if that fixes it. I don't know...
>
> Alan DeKok.
FreeRADIUS+VLANs
Hi,

I found a few articles online about dynamically assigning VLAN IDs to users using RADIUS, this article was the most useful: http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1169011,00.html

I tried setting up something like this from that page using my mysql tables in FreeRADIUS:

Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID

But it doesn't seem to be working. Has anyone had any experience in doing this? It could just be that my NAS isn't compatible but I'd like to know if anyone has had any success doing this and any advice you could give.

Thanks,
Darren Maden
Re: FreeRADIUS+VLANs
Hi,

> Tunnel-Type=VLAN (13)
> Tunnel-Medium-Type=802
> Tunnel-Private-Group-ID=VLANID

Tunnel-Medium-Type = IEEE-802
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = XXX

where XXX is your VLAN number ID.

NB IEEE-802. That's the proper specification for that attribute in almost all cases, certainly in the current dictionaries.

alan
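As an added illustration (not part of the original posts and not FreeRADIUS code), this sketch encodes the three reply attributes from the message above in the RFC 2868 wire format and decodes them again the way a NAS would. Tunnel-Type and Tunnel-Medium-Type are enumerated integers (VLAN is 13, IEEE-802 is 6) that the server looks up by dictionary name, while Tunnel-Private-Group-Id is a string. Function names are hypothetical and the VLAN ID is a constructed sample.

```python
import struct

# Attribute numbers from RFC 2868; values as used for VLAN assignment (RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VLAN = 13       # Tunnel-Type value named "VLAN"
IEEE_802 = 6    # Tunnel-Medium-Type value named "IEEE-802"


def tagged_int(attr, value, tag=0):
    """Type, Length=6, Tag octet, then a 24-bit big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value < 1 << 24:
        raise ValueError("value must fit in 24 bits")
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr, text, tag=0):
    """Type, Length, optional Tag octet (left out when 0), then the string."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = (bytes([tag]) if tag else b"") + text.encode("ascii")
    if len(body) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr, len(body) + 2) + body


def vlan_reply_attributes(vlan_id, tag=0):
    """Wire bytes for the three attributes a VLAN-capable NAS expects."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return (tagged_int(TUNNEL_TYPE, VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def decode(attrs):
    """Walk the attribute list and return {attribute: (tag, value)}."""
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr, length = attrs[i], attrs[i + 1]
        if length < 3 or i + length > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if length != 6:
                raise ValueError("tagged integer must be 6 octets")
            out[attr] = (body[0], int.from_bytes(body[1:], "big"))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is string data, not a tag.
            has_tag = body[0] <= 0x1F
            out[attr] = (body[0] if has_tag else 0,
                         (body[1:] if has_tag else body).decode("ascii"))
        i += length
    return out


if __name__ == "__main__":
    wire = vlan_reply_attributes(42)   # constructed sample VLAN ID
    print(wire.hex())
    print(decode(wire))
```

Comparing this output with the attribute bytes in a packet capture of the Access-Accept shows whether the server sent what the NAS documentation asks for.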
Re: radiusd stop responding. deadlock?
Hi,

> Thank you for your reply, Mr. DeKok.
>
> > Use 1.1.6. It has a NUMBER of bugs fixed over 1.1.0.
>
> OK, I will consider it, but 1.1.6 crashes when it receives SIGHUP ... Hmmm...

All FR of 1.1.6 and below have issues with SIGHUP - just not as directly visible. Do a stop/start instead. Almost as quick.

alan
radsqlrelay is rude
Hi,

attempting to kill a running radsql with ^C doesn't do anything, and kill'ing it with TERM doesn't impress it either on my system. I had to send KILL to get rid of it. Is this intentional?

Then, on startup I see it instantiated but only the post-auth query is printed on startup with -X - leaving me with the question on whether the other queries are actually properly read or not (see below). That's not nice as well. I'm on 1.1.6.

Module: Loaded sql_log
sql_log: path = /var/log/radius/radacct/sql-relay-main
sql_log: Post-Auth = INSERT INTO radpostauth (id, user, pass, reply, date) VALUES ('', '%{User-Name}', '%{RESTENA-Service-Type}', '%{reply:Packet-Type}', '%S')
sql_log: sql_user_name =
sql_log: safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
Module: Instantiated sql_log (sql_relay_main)

(I'm very sure the config contains Start, Alive, Stop as well)

Greetings,
Stefan

-- 
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
Re: Problem with OpenLDAP + FreeRADIUS
Thanks for the answer, but this solution is the first thing I checked. I set

chmod -R 444 ./raddb
chmod 555 ./raddb

and nothing changes.
Re: FreeRADIUS+VLANs
[EMAIL PROTECTED] wrote:
> Hi,
>
> > Tunnel-Type=VLAN (13)
> > Tunnel-Medium-Type=802
> > Tunnel-Private-Group-ID=VLANID
>
> Tunnel-Medium-Type = IEEE-802
> Tunnel-Type = VLAN
> Tunnel-Private-Group-Id = XXX
>
> where XXX is your VLAN number ID.
>
> NB IEEE-802. That's the proper specification for that attribute in almost all cases, certainly in the current dictionaries.
>
> alan

If your NAS doesn't explicitly state that it supports it, then it probably doesn't.

It's been a right pain, and cost us quite a bit of money getting Access Points that support dynamic VLAN assignment ..

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
multilink attempt and double login
Hi, what's the difference between multilink attempt and double login? Thank you...
Re: multilink attempt and double login
Multilink - combining two or more connections into a single, faster connection

Multiple login - for instance, guest account, which several users can use at the same time, but all these connections are independent

Ivan Kalik
Kalik Informatika ISP

On 22/6/2007, Mahalakshmi Vijayakumar [EMAIL PROTECTED] wrote:
> Hi, what's the difference between multilink attempt and double login? Thank you...
terminating EAP tunnels, proxy and realms
Hi all,

we're using FreeRadius 1.1.6 to give access to our WLAN with EAP-TTLS. Worked great so far. Now we want to participate in inter-university roaming (eduroam) and thus have to proxy some requests to a parent server. Everything works great except regarding the outer identity. If it's just anonymous everything is OK, but if it's anonymous@somerealm and somerealm is configured in proxy.conf the EAP-Request is proxied instead of terminated. This is correct by configuration but not wanted. Is there a way to terminate the EAP regardless of the outer identity?

Here's an example:

User-Name = [EMAIL PROTECTED]
Calling-Station-Id = 00-18-DE-B5-3A-E2
...
EAP-Message = 0x0201001e01616e6f6e796d6f75734074752d6461726d73746164742e6465
Message-Authenticator = 0x7a211176339c3e2ee9f7a0fe56864b2a
...
rlm_realm: Looking up realm tu-darmstadt.de for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm tu-darmstadt.de
rlm_realm: Adding Stripped-User-Name = anonymous
rlm_realm: Proxying request from user anonymous to realm tu-darmstadt.de
rlm_realm: Adding Realm = tu-darmstadt.de
rlm_realm: Preparing to proxy authentication request to realm tu-darmstadt.de
modcall[authorize]: module suffix returns updated for request 6
rlm_eap: Request is supposed to be proxied to Realm tu-darmstadt.de. Not doing EAP.
modcall[authorize]: module eap returns noop for request 6
...

How can I bypass proxy authentication for EAP-Messages? This is the setup in users:

...
# matches request without any realm (local)
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Realm !* NULL, Proxy-To-Realm := MyRealm
        User-Name = `%{User-Name}`,Fall-Through = Yes

# matches requests going explicitly to tu-darmstadt.de (local)
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Realm == tu-darmstadt.de, Proxy-To-Realm := MyRealm
        User-Name = `%{User-Name}`,Fall-Through = Yes

# matches requests going parent radius
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Realm == DEFAULT, Proxy-To-Realm := Parent
        User-Name = `%{User-Name}`,Fall-Through = Yes
...

Thanks a lot,
-Andreas

-- 
Andreas Liebe/Darmstadt University of Technology/+49 6151 16-3150/3050(FAX)
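As an added example (not part of the original message and not FreeRADIUS code), this parser decodes the EAP-Message hex from the debug output above into its EAP header and outer identity, then splits off the realm that the rlm_realm lines report. The outer identity travels outside the TTLS tunnel and is the only thing the proxy decision can see. Function names are hypothetical, and splitting at the last '@' is an assumption about how the suffix realm lookup behaves.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}

# EAP-Message value from the debug output in the message above.
SAMPLE = "0x0201001e01616e6f6e796d6f75734074752d6461726d73746164742e6465"


def parse_eap(hex_value):
    """Decode one complete EAP packet from the hex string radiusd prints."""
    cleaned = re.sub(r"\s+", "", hex_value)   # archives wrap long hex values
    if cleaned[:2].lower() == "0x":
        cleaned = cleaned[2:]
    raw = bytes.fromhex(cleaned)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 octets: code, id, length")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length < 4 or length > len(raw):
        # A larger length means the packet continues in further
        # EAP-Message attributes that were not passed in.
        raise ValueError("length field %d does not fit %d octets"
                         % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type, data = raw[4], raw[5:length]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            pkt["identity"] = data.decode("utf-8", "replace")
        elif eap_type in TLS_BASED and data:
            flags = data[0]
            header = 1 + (4 if flags & 0x80 else 0)
            pkt["length_included"] = bool(flags & 0x80)
            pkt["more_fragments"] = bool(flags & 0x40)
            pkt["start"] = bool(flags & 0x20)
            # Zero payload with no flags set is a fragment ACK.
            pkt["tls_payload_len"] = max(len(data) - header, 0)
    return pkt


def split_outer_identity(pkt):
    """Return (user, realm) for an Identity packet; realm is None if absent."""
    identity = pkt.get("identity")
    if identity is None:
        raise ValueError("not an EAP Identity packet")
    user, sep, realm = identity.rpartition("@")
    return (user, realm) if sep else (identity, None)


if __name__ == "__main__":
    packet = parse_eap(SAMPLE)
    print(packet)
    print(split_outer_identity(packet))
```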
EAP/TLS ,after access-challenge nothing happen
Hi

I have a little problem with authenticating using EAP/TLS on freeradius. After Access Challenge freeradius does not display Reject or Accept, it only goes back to the beginning and repeats the same operation. What's wrong?? As NAS I'm using a CISCO catalyst 2950 and the client supplicant is WinXP.

These are the logs from tcpdump:

21:43:21.547329 IP 192.168.1.9.radius 192.168.1.7.radius: RADIUS, Access Request (1), id: 0x7d length: 120
21:43:21.648845 IP 192.168.1.7.radius 192.168.1.9.radius: RADIUS, Access Challenge (11), id: 0x7d length: 64
21:43:21.572693 IP 192.168.1.9.radius 192.168.1.7.radius: RADIUS, Access Request (1), id: 0x7e length: 189
21:43:21.587661 IP 192.168.1.7.radius 192.168.1.9.radius: RADIUS, Access Challenge (11), id: 0x7e length: 1100
21:43:21.602274 IP 192.168.1.9.radius 192.168.1.7.radius: RADIUS, Access Request (1), id: 0x7f length: 115
21:43:21.604767 IP 192.168.1.7.radius 192.168.1.9.radius: RADIUS, Access Challenge (11), id: 0x7f length: 976
21:43:21.620631 IP 192.168.1.9.radius 192.168.1.7.radius: RADIUS, Access Request (1), id: 0x80 length: 115
21:43:21.629087 IP 192.168.1.7.radius 192.168.1.9.radius: RADIUS, Access Challenge (11), id: 0x80 length: 68

and these are the logs from freeradius debug mode:

rad_recv: Access-Request packet from host 192.168.1.9:1812, id=207, length=115
NAS-IP-Address = 192.168.1.9
NAS-Port-Type = Async
User-Name = client
Service-Type = Framed-User
Framed-MTU = 1500
Calling-Station-Id = 00-11-09-26-48-fa
State = 0xf4dbd9e74648ce65d56e471171d0e7f3
EAP-Message = 0x020200060d00
Message-Authenticator = 0x767944f13525d633320393682cb2403f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 90
modcall[authorize]: module preprocess returns ok for request 90
modcall[authorize]: module chap returns noop for request 90
modcall[authorize]: module mschap returns noop for request 90
rlm_realm: No '@' in User-Name = client, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 90
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 90
modcall[authorize]: module files returns notfound for request 90
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
modcall[authorize]: module pap returns noop for request 90
modcall: leaving group authorize (returns updated) for request 90
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 90
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module eap returns handled for request 90
modcall: leaving group authenticate (returns handled) for request 90
Sending Access-Challenge of id 207 to 192.168.1.9 port 1812
Re: EAP/TLS ,after access-challenge nothing happen
http://wiki.freeradius.org/index.php/FAQ#PEAP_or_EAP-TLS_Doesn.27t_Work_with_a_Windows_machine

Ivan Kalik
Kalik Informatika ISP

On 22/6/2007, stefek143 [EMAIL PROTECTED] wrote:
> Hi
>
> I have a little problem with authenticating using EAP/TLS on freeradius. After Access Challenge freeradius does not display Reject or Accept, it only goes back to the beginning and repeats the same operation. What's wrong?? As NAS I'm using a CISCO catalyst 2950 and the client supplicant is WinXP.
Re: terminating EAP tunnels, proxy and realms
Hello Andreas,

> Now we want to participate in inter-university roaming (eduroam) and thus have to proxy some requests to a parent server. Everything works great except regarding the outer identity. If it's just anonymous everything is OK, but if it's anonymous@somerealm and somerealm is configured in proxy.conf the EAP-Request is proxied instead of terminated. This is correct by configuration but not wanted. Is there a way to terminate the EAP regardless of the outer identity?

Why do you want this? The EAP tunnel should terminate on the last RADIUS where the user belongs. On your RADIUS only the EAP tunnels for your users should be terminating.

Read http://www.dfn.de/content/fileadmin/1Dienstleistungen/GWIN/sonstiges/Konfiguration-freeradius.pdf
It is for DFN-Roaming, but it is the same as EDUROAM.

regards
Helmut
multilink
Hi, can you give me an instance where multilink is used? Thank you
Re : Re : Off-topic: DHCP server with radius support
RADIUS was *originally* intended to assign IP's. It's been doing that since at least 1993.

Do you mean radius servers have been doing DHCP since 1993 or IP pool stuff. What is the difference?

No I meant exactly what I wrote. RADIUS can assign IP's (that's why we have the rlm_pool/rlm_sqlpool modules and the Framed-IP-Address attribute).

I need to forward some information to home radius servers first and based on their response decide on the ip pool to give out IP's.

OK. http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.security/doc/security/radius_ip_pooling.htm

ISC DHCP supports scripts? News to me...

A DHCP request can be transformed to an Access-Request (with some default password), forwarded to a RADIUS server and the IP assigned by the radius server returned back to the user. Do you want to do that or

That RFC actually describes the opposite of what we are talking about. (ie. How a RADIUS server can ask a DHCP server to assign an IP instead of how a DHCP server can ask a RADIUS server to assign an IP)

==
Benjamin K. Eshun

----- Original message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, 21 June 2007, 10:44:24
Subject: Re: Re : Off-topic: DHCP server with radius support

Eshun Benjamin wrote:

... A radius server assigning IPs ...that is not radius (!) .

RADIUS was *originally* intended to assign IP's. It's been doing that since at least 1993.

May be you mean the radius server authenticating (MACs and/or IPs) before the dhcp assigns it; this you have to configure and write your own scripts on the dhcp server to authenticate against the radius. Radius is for AAA

ISC DHCP supports scripts? News to me...

Alan DeKok.
Re: multilink
ISDN

On 22/6/2007, Mahalakshmi Vijayakumar [EMAIL PROTECTED] wrote:
> Hi, can you give me an instance where multilink is used? Thank you
Re: radsqlrelay is rude
On 6/22/07, Stefan Winter [EMAIL PROTECTED] wrote:
> attempting to kill a running radsql with ^C doesn't do anything, and kill'ing it with TERM doesn't impress it either on my system. I had to send KILL to get rid of it. Is this intentional?

I remember hitting a similar problem when experimenting with radsqlrelay. IIRC I was not able to break it when it was not able to connect to the DB. It sets $need_exit to 1 on signal, but the value was not checked when it was constantly re-trying to connect to the DB. Your problem may be similar.

However, fixing it may cause trouble elsewhere. From a brief look at the script I guess you should expect duplicated records if you break its execution and restart it.

th.
Re: Re : Re : Off-topic: DHCP server with radius support
On Fri 22 Jun 2007, Eshun Benjamin wrote:
> > RADIUS was *originally* intended to assign IP's. It's been doing that since at least 1993.
>
> Do you mean radius servers have been doing DHCP since 1993 or IP pool stuff. What is the difference?

RADIUS has been assigning IPs to users since its inception. Server-side IP pools are simply an easy way to manage limited IP address space across multiple NAS.

Whether the RADIUS server assigns a static or dynamic IP address is purely an internal decision of the software and doesn't use any special RADIUS attributes or features on the wire. Therefore whether or not the initial implementations of RADIUS used pools or simply assigned a static IP to each user or modem, it is correct to say that RADIUS has been assigning IPs since the very beginning.

Cheers

-- 
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: radsqlrelay is rude
Stefan Winter wrote:
> attempting to kill a running radsql with ^C doesn't do anything, and kill'ing it with TERM doesn't impress it either on my system. I had to send KILL to get rid of it. Is this intentional?

The radsqlrelay script doesn't exit immediately. It finishes the pending queries in sql-relay.work before that. This prevents the next run of radsqlrelay from inserting duplicate records.

> Then, on startup I see it instantiated but only the post-auth query is printed on startup with -X - leaving me with the question on whether the other queries are actually properly read or not (see below). That's not nice as well. I'm on 1.1.6.
>
> Module: Loaded sql_log
> sql_log: path = /var/log/radius/radacct/sql-relay-main
> sql_log: Post-Auth = INSERT INTO radpostauth (id, user, pass, reply, date) VALUES ('', '%{User-Name}', '%{RESTENA-Service-Type}', '%{reply:Packet-Type}', '%S')
> sql_log: sql_user_name =
> sql_log: safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
> Module: Instantiated sql_log (sql_relay_main)
>
> (I'm very sure the config contains Start, Alive, Stop as well)

The accounting queries are handled differently. They aren't hard-coded in the config, that's why you can't see them in the debug output of the parser.

-- 
Nicolas Baradakis
Re: RADIUS Authentication
Thanks Arran,

Is packet-src-ip-address a defined attribute in the huntgroups? Do you know where I can find more documentation about configuring huntgroups? Any thoughts about how freeRADIUS can stop the naughty hosts? Thanks in advance for your answers.

Vinh

Arran Cudbard-Bell wrote:
> nguyenvinht wrote:
> > Thanks for replying. I want to implement this through RADIUS Server. Looking for some code modification or new attributes to accomplish the task.
> >
> > Vinh.
> >
> > tnt wrote:
> > > Allow everybody (who knows your secret) to use your radius server by entering 0.0.0.0/0 as client address in clients.conf. Use firewall to block access to radius ports for those specific IP addresses.
>
> Allow everybody (who knows your secret) to use your radius server by entering 0.0.0.0/0 as client address in clients.conf. Enter naughty hosts in naughty huntgroup. Check for naughty huntgroup and reject.
>
> Huntgroups
>
> naughty Packet-Src-IP-Address == naughtyhostone.com
> naughty Packet-Src-IP-Address == 139.184.12.1
> naughty Packet-Src-IP-Address == 127.0.0.1
>
> Users
>
> DEFAULT Huntgroup-Name == naughty, Auth-Type := Reject
>
> Apparently RFC states that server must respond ... so unless you use a firewall, naughty hosts will know the server's alive, and be able to flood it with lots of requests.
>
> Only way to get FreeRADIUS to be quiet is to modify the source.
>
> -- 
> Arran Cudbard-Bell ([EMAIL PROTECTED])
> Authentication, Authorisation and Accounting Officer
> Infrastructure Services | ENG1 E1-1-08
> University Of Sussex, Brighton
> EXT:01273 873900 | INT: 3900
Duplicate accounting
I just installed freeradius. Am using it with Globalpops.

I am getting some duplicate accounting starts on logins. Not all the time but on occasions. I have had GP check their end; they are only seeing the one coming from the nas but say this issue may be on my end not responding fast enough, and their radius sends another.

The accounting records are of the same sessionid, etc.

Is there any setting for this to make things better, any suggestions?
Version 1.1.6 - Mac Address Authentication/vlan tagging
Hello all,

I wasn't able to find an answer to this on the archives. Now, here is the set up: Freeradius Ver. 1.1.6 on centOS V.5.

I am testing a Cisco 2000 Series Wireless LAN Controller and am trying to figure out a way to put unknown users (via their MAC Address) into a limited access vlan. So here is the kicker, I have to be able to tell radius that users that fail to authenticate get tagged with a certain vlan tag (ie vlan ID of our limited access vlan).

Can freeradius do that?

Regards,
Brian

Brian Ertel
Network Administrator
Amherst College
413-542-8320
[EMAIL PROTECTED]