Re: list problem?
Norbert Wegener wrote:
> Is there a problem with the list/mailserver?
> The archives show newer threads, where the last message I received from
> the list has been from September, 10.
> It arrived this morning.

The last day or two, messages appear to be somewhat slow.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: intermediate CA authentication failing
mallika wrote:
> Thank you very much for your reply. Which freeradius server version will
> support this facility.

What part of my message was unclear? The most recent one. Read the web page. It's really not that hard.

> Because we are implementing it in our product.

Could you explain why you chose a version that is *years* old?

> We are using CENT OS -kernel 2.4.20. Are there any patches available to upgrade
> freeradius. Please help me.

I've been trying...

Alan DeKok.
Re: Reply VSA Attributes in a list
Faqeer ALI wrote:
> i want to add the vp list in a VSA like following. (the way that
> NTRadping utility sends the vps)
> VSA
> ->vp
> ->vp
> ->vp

If you want them in that format, then add them in that format. The server doesn't re-order VSAs.

And you *are* aware that the VALUE_PAIR structure and lists are independent from the attributes in the packet, right? Are you sure you understood my response?

> This problem is my bottle line for me and i have to do it, because the
> client's application knows the attributes that way.

The client application is broken. Fix it.

http://freeradius.org/rfc/rfc2865.html Section 5:

... A RADIUS server or client MUST NOT have any dependencies on the order of attributes of different types. ...

> please guide me where and what are the code changes that i have to make,
> and what structure i have to follow.

Fix the client program. It is NOT following the RADIUS specification. FreeRADIUS is fine.

If you *do* want to fix FreeRADIUS, you have all of the code in front of you. There are even comments explaining what the code does. If you have *specific* questions about FreeRADIUS, then ask them. Otherwise, you're asking us to (essentially) implement the solution for you.

Alan DeKok.
RE : LOGs of eap-tls authentication
hello,

To restart the radius I knew only one command, which is service radiusd restart; all you have to do when you are in debug mode is stop it by using service radiusd stop, then you can restart it. I hope that this can help you.

regards
habiba

[EMAIL PROTECTED] wrote:

Dear
Thanks for the information. I am getting the logs when I stopped the server in debug mode. But the commands service radiusd stop and service radiusd restart are not working. So I killed the process radiusd using the kill command. Please let me know the commands to stop and start the server in normal mode.
Regards
Anoop

> Message: 2
> Date: Tue, 11 Sep 2007 10:39:38 +0200 (CEST)
> From: inelec communication
> Subject: RE : LOGs of eap-tls authentication (inelec communication)
> To: FreeRadius users mailing list
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello,
>
> you have no logs in your radius.log file because you are running in
> debug mode, you have to run in normal mode to get the logs, so what you
> have to do is the following:
> first stop your debug mode by this command: service radiusd stop; then
> restart the service radius by: service radiusd restart; doing that you
> are in normal mode and you can do your wlan logging without any problem
> and you get your log.
>
> regards
Terminate TLS and proxy PEAP
Hi

At the moment I use FreeRADIUS to proxy eap peap mschapv2 requests to a RADIUS server for authentication. The connecting machine submits, in addition to the authentication information, some information about its health state encrypted in the PEAP packets.

Is there a possibility to decrypt the packets on the FreeRADIUS proxy, to get the health state, and forward the PEAP packets for authentication to the RADIUS server? Or in other words, is there a possibility to determine the TLS connection on the FreeRADIUS proxy and to forward the PEAP packets to the RADIUS server, and how does the FreeRADIUS proxy have to be configured?

Your help would be much appreciated,
Thanks
Fuki
RE: sometimes double records in radacct
I've seen this happening too.
We have some NASes that are not on the local network and they are sending packets over sometimes unstable networks (VPN, Internet)...
I think what happens is that since the NAS doesn't get the reply in the given time, it will resend the last packet...
Sometimes interim packets and stop packets are sent almost at the same time, but the stop packet gets to the radius server first and then the interim packet...

Parham

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nelson Serafica
Sent: Wednesday, September 12, 2007 9:20 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: sometimes double records in radacct

Is it advisable that I uncomment the accounting_start_query_alt? Would there be a conflict with other query commands like accounting_stop_query_alt, accounting_stop_query, etc.?

- Original Message -
From: Nelson Serafica <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, September 12, 2007 1:33:30 PM
Subject: sometimes double records in radacct

I notice in my radacct that there are double records. See sample below:

+-----------+---------------+------------------+----------+---------------------+---------------------+-------------------+----------------+
| RadAcctId | AcctSessionId | AcctUniqueId     | UserName | AcctStartTime       | AcctStopTime        | ConnectInfo_start | AcctStartDelay |
+-----------+---------------+------------------+----------+---------------------+---------------------+-------------------+----------------+
|    531828 | 41002919      | a8003a3450fdcddc | glastec  | 2007-09-12 11:18:32 | 2007-09-12 11:20:14 |                   |              0 |
|    531826 | 41002919      | a8003a3450fdcddc | glastec  | 2007-09-12 11:18:33 | 2007-09-12 11:19:14 | 3 LAPM/V42BIS     |              0 |
+-----------+---------------+------------------+----------+---------------------+---------------------+-------------------+----------------+

I noticed that the columns that differ (AcctStartTime, AcctStartDelay, ConnectInfo_start) are the ones set in the accounting_start_query_alt parameters. If you look, there are identical AcctSessionIds, which was not supposed to happen, and the difference between them is the part that is updated by accounting_start_query_alt. They must not be identical. The problem is that there are identical AcctSessionIds. Would it be possible that the culprit is in the accounting_start_query_alt parameters?

Is the accounting_start_query failing, which is why accounting_start_query_alt takes over? accounting_start_query is not broken and is one line only. Is there a way to increase the time before accounting_start_query_alt takes over?
Re: Terminate TLS and proxy PEAP
On Thu, 2007-09-13 at 01:25 -0700, fuki wrote:
> Is there a possibility to decrypt the packets on the FreeRADIUS Proxy, to
> get the health state, and forward the PEAP packets for authentication to the
> RADIUS server. Or in other words is there a possibility to determine the
> TLS-Connection on the FreeRADIUS proxy and to forward the PEAP packets to
> the RADIUS Server and how the FreeRADIUS proxy has to be configured?

You can certainly terminate the PEAP and still proxy the inner EAP-MSCHAP to another radius server; however, as far as I am aware, FreeRadius doesn't yet have support for the various health state attributes, or for that matter >1 set of data inside the PEAP tunnel.

In particular, if you are talking about the Vista built-in health check packets, that uses PEAPv2, which FreeRadius doesn't support, and you won't be able to terminate.
Re: Terminate TLS and proxy PEAP
Phil Mayers wrote:
> In particular if you are talking about the Vista built-in health check
> packets, that uses PEAPv2 which FreeRadius doesn't support, and you
> won't be able to terminate.

I'm trying to get PEAPv2 patches from someone who claims they had it working a few years ago.

Alan DeKok.
Re: wholesale issue
You can use huntgroups:

isp1    Realm == isp1realm, Calling-Station-Id == number1
isp1    Realm == isp1realm, Calling-Station-Id == number2

Ivan Kalik
Kalik Informatika ISP

On 13/9/2007, "Ashraf Al-Basti" <[EMAIL PROTECTED]> wrote:

>Dear All,
>i want to setup a freeradius as a proxy radius for a wholesale, and want
>to limit the access by using the calling-station-id; so [EMAIL PROTECTED] can
>connect only from any calling-station-id that belong to isp1, (ex,
>555111, 333222) and [EMAIL PROTECTED] can connect only from any
>calling-station-id that belong to isp2
>i have all the calling station id which belong to the ISPs, but i didn't
>have the username for every ISP, and want to use the realm instead of
>the username to do that.
>can i use the checkval to check for the calling-station-id and realm, or
>is there anyway to do that?
RE : LOGs of eap-tls authentication
hi
I am not able to start the server by the service radiusd restart command.
I used to start it by simply typing the radiusd command.
Pls anyone know the command to stop the server
Regards
Anoop
Re: Terminate TLS and proxy PEAP
On Thu, 2007-09-13 at 11:01 +0200, Alan DeKok wrote:
> Phil Mayers wrote:
> > In particular if you are talking about the Vista built-in health check
> > packets, that uses PEAPv2 which FreeRadius doesn't support, and you
> > won't be able to terminate.
>
> I'm trying to get PEAPv2 patches from someone who claims they had it
> working a few years ago.

Related; how would you envisage FreeRadius "presenting" the presence of >1 authentication exchange inside the tunnel? Presumably the same issue exists with the EAP-TNC inside TTLS method.
Re: RE : LOGs of eap-tls authentication
On Thu, 2007-09-13 at 14:40 +0500, [EMAIL PROTECTED] wrote:
> hi
> I am not able to start server by service radiusd restart command.
> I used to start by simply typing radiusd command
>
> Pls anyone know the command to stop the server

If you are on Unix, radiusd is just an ordinary process, which you stop the ordinary way for your OS. I can think of dozens of ways. Usually you would wrap the low-level methods in a script to do some housekeeping, but you could try:

pkill -TERM radiusd

It sounds like you're not very familiar with your operating system; I'd learn more about it if I were you.
Re: Terminate TLS and proxy PEAP
Phil Mayers wrote:
> You can certainly terminate the PEAP and still proxy the inner
> EAP-MSCHAP to another radius server; however as far as I am aware,
> FreeRadius doesn't yet have support for the various health state
> attributes, or for that matter >1 set of data inside the PEAP tunnel.
>
> In particular if you are talking about the Vista built-in health check
> packets, that uses PEAPv2 which FreeRadius doesn't support, and you
> won't be able to terminate.

Yes, I'm talking about the Vista built-in health check packets. I used a packet sniffer to analyze the submitted packets and compared them with the PEAPv2 specification (http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10#page-11, 2.1.4. Version Negotiation). According to the specification, PEAP v0 is used by Vista, so it should be possible to use FreeRadius as a proxy to decrypt the packages, to analyze the health state (has to be implemented) and to proxy the inner EAP-MSCHAP to another radius server?
Re: Terminate TLS and proxy PEAP
On Thu, 2007-09-13 at 02:56 -0700, fuki wrote:
> Yes I'm talking about the Vista built-in health check packets. I used a
> packet sniffer to analyze the submitted packets and compared them with the
> PEAPv2 specification
> (http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10#page-11,
> 2.1.4. Version Negotiation). According to the specification PEAP v0 is used by
> Vista, so it should be possible to use FreeRadius as proxy to decrypt the
> packages, to analyze the health state (has to be implemented) and to proxy
> the inner EAP-MSCHAP to another radius server?

Provided FreeRadius can parse the PEAP contents (which it can't) then yes, sending the inner EAP-MSCHAP to another server is easy:

DEFAULT FreeRadius-Proxied-To == 127.0.0.1, Proxy-To-Realm := "foo"
Re: Terminate TLS and proxy PEAP
Phil Mayers wrote:
> Provided FreeRadius can parse the PEAP contents (which it can't) then
> yes, sending the inner EAP-MSCHAP to another server is easy:
>
> DEFAULT FreeRadius-Proxied-To == 127.0.0.1, Proxy-To-Realm := "foo"

Based on http://lists.freeradius.org/pipermail/freeradius-users/2005-March/042098.html I got the following idea (it's suggested to work with FreeRadius):

RADIUS Client <- PEAP (eap-mschapv2) -> FreeRadius Proxy (TLS termination and conversion) <- mschapv2 -> RADIUS Server

Are there any comments on this recommendation? If it works, does somebody know how to configure the FreeRadius proxy?
RADIUS-LDAPv3.schema attribute description(s)
Is there any documentation of the attributes in the LDAP schema?

I'm trying to write a GUI manager for RADIUS (actually a 'plugin' to my http://phpQLAdmin.com) but I don't know how to write the lead text to the form...

I took a look at the schema in 1.1.7, but that doesn't have any comments or DESC fields either..

--
Why can't programmers tell the difference between halloween and christmas day?
Because 25 DEC = 31 OCT.
Re: Terminate TLS and proxy PEAP
Try reading the post you have replied to.

Ivan Kalik
Kalik Informatika ISP

On 13/9/2007, "fuki" <[EMAIL PROTECTED]> wrote:

>Based on
>http://lists.freeradius.org/pipermail/freeradius-users/2005-March/042098.html
>I got the following idea (it's suggested to work with FreeRadius):
>
>RADIUS Client <- PEAP (eap-mschapv2) -> FreeRadius Proxy (TLS termination
>and conversion) <- mschapv2 -> RADIUS Server
>
>Are there any comments for this recommendation. If it works, does somebody
>know how to configure the FreeRadius proxy?
Re: intermediate CA authentication failing
On 9/13/07, mallika <[EMAIL PROTECTED]> wrote:
>
> Thank you very much for your reply. Which freeradius server version will
> support this facility. Because we are implementing it in our product. We are
> using CENT OS -kernel 2.4.20. Are there any patches available to upgrade
> freeradius. Please help me.

Mallika,

I don't know if your product is going to use an embedded linux version with some weird hardware.. if that's not the case and you are using an unpatched kernel, you are running toward a shipload of problems. I'd suggest using a recent kernel, with all its bugs fixed.

As for freeradius, you should download and compile the latest stable version (and upgrade the needed libraries as well) with its security fixes rather than looking for a patch which is unlikely to work and even to exist at all. The latest stable version is 1.1.7.
Error while building
Hi,

I am getting the following error when I am trying to build the rpm files for freeradius-1.1.7. The error is as below:

error: Installed (but unpackaged) file(s) found:
   /etc/raddb/postgresqlippool.conf

RPM build errors:
    Installed (but unpackaged) file(s) found:
   /etc/raddb/postgresqlippool.conf

When I am trying to build using rpmbuild -ba /usr/src/packages/SPECS/freeradius.spec, the above error is encountered. Can you please tell me the solution for this.

Then I tried with the procedure ./configure, make and make install. But at that time, when I am bringing up the daemon server using radiud -x, the output seen is like "command not found".
IP Reverse DNS Resolution
I currently have an IPSEC/L2TP setup that uses FreeRADIUS (for Active Directory auth). Radius is handing out the IP addresses to the clients. Is there a way to have it update my DNS server so it can create reverse-dns entries for them?
RE : IP Reverse DNS Resolution
Hi,

> I currently have a IPSEC/L2TP setup that uses FreeRadis (for
> Active Directory auth). Radius is handing out the IP
> addresses to the clients. Is there a way to have it update my
> DNS server so it can create reverse-dns entries for them?

Yes it is. In acct_users make a rule that runs a custom program at Acct-Start and Acct-Stop time:

DEFAULT NAS-IP-Address == A.B.C.D, Acct-Status-Type == Start
        Exec-Program = "/path/to/dnsupdate/acct-nsupdate.sh"

Then your acct-nsupdate.sh can use the "nsupdate" tool to update the DNS server. Note these interesting parameters that are available in the environment:

# ACCT_STATUS_TYPE = Start | Stop
# FRAMED_IP_ADDRESS = attributed IP address
# NAS_PORT
# USER_NAME
# ACCT_TERMINATE_CAUSE=User-Request (in normal case when Type=Stop)
# NAS_IP_ADDRESS

These parameters can be used to build the $newhostname, $assignedipaddr and $A, $B, $C, $D decimal octets of the assigned IP addr.

For instance adding an IP:

nsupdate -k $KEYFILE > /dev/null << EOF
server $SERVER
zone $ZONE
prereq yxdomain $ZONE
update delete $newhostname A
update add $newhostname $TTL A $assignedipaddr
send
EOF

(This is with secure update, and KEYFILE holds the TSIG key file (man dnssec-keygen))

Then updating reverse DNS:

nsupdate -k $KEYFILE > /dev/null << EOF
server $SERVER
zone $ZONEREV
prereq yxdomain $ZONEREV
update delete $D.$C.$B.$A.in-addr.arpa. PTR
update add $D.$C.$B.$A.in-addr.arpa. $TTL PTR $newhostname
send
EOF

HTH,
Thibault
Possible bug in !* operator handling?
Hi!

Today I noticed some strange problems on a number of RADIUS users in a test setup: I have a number of users in MySQL that contain a large number of attributes that should not occur in the Access-Request (i.e. attributes with the !* operator). When I tried to authenticate these users, I noticed that in some cases users were getting authenticated while they should have been rejected.

Some investigation later, it turned out that after the first row in the radcheck table that contains a !* operator, all further attributes get ignored...

I crawled through the code a bit more, and the problem appears to occur on line 287 of main/valuepair.c. This is in the function paircmp, which iterates over the list of check items to verify whether the incoming request matches:

		/*
		 *	Not found, it's not a match.
		 */
		if (auth_item == NULL) {
			/*
			 *	Didn't find it.  If we were *trying*
			 *	to not find it, then we succeeded.
			 */
			if (check_item->operator == T_OP_CMP_FALSE)
				return 0;
			else
				return -1;
		}

The 'return 0;' above causes paircmp to exit successfully (accepting the user) if it could not find the attribute and it should not find the attribute (because of the !* operator), instead of continuing to see if the rest of the attributes are correct too.

I've changed the 'return 0;' to a 'continue;', so it does not break the for loop anymore. This appears to work; is this fix correct, or would this introduce problems elsewhere?

Gtnx
Marcel
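To make the failure Marcel describes concrete, here is a small stand-alone model of that check-item loop, added for this page; it is not FreeRADIUS source. The type and operator names (check_item_t, OP_CMP_FALSE and so on), the Huntgroup-Name / NAS-IP-Address check rows and the three constructed requests are illustrative stand-ins. The same request is run through the quoted early-return version and the `continue` version: with a !* row listed first, the early return accepts a request from a NAS that the following == row should have rejected, which is exactly the accept-instead-of-reject behaviour seen in the test setup.

```c
/*
 * Toy model of a paircmp()-style check-item loop.  Example code written
 * for this thread, not FreeRADIUS source; all names are hypothetical.
 * Return convention follows the quoted snippet: 0 = match, -1 = no match.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    OP_EQ,          /* ==  attribute must be present with this value */
    OP_CMP_FALSE,   /* !*  attribute must NOT be present             */
    OP_CMP_TRUE     /* =*  attribute must be present, any value      */
} op_t;

typedef struct { const char *attr; op_t op; const char *value; } check_item_t;
typedef struct { const char *attr; const char *value; } req_item_t;

/* Linear lookup of an attribute in the (constructed) request list. */
static const req_item_t *find_attr(const req_item_t *req, size_t n, const char *attr)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(req[i].attr, attr) == 0)
            return &req[i];
    return NULL;
}

/*
 * Walk every check item against the request.  `fixed` selects the
 * corrected behaviour (continue) instead of the early "return 0" the
 * original post quotes for a missing !* attribute.
 */
static int paircmp_model(const check_item_t *check, size_t nc,
                         const req_item_t *req, size_t nr, int fixed)
{
    for (size_t i = 0; i < nc; i++) {
        const req_item_t *auth_item = find_attr(req, nr, check[i].attr);

        if (auth_item == NULL) {
            if (check[i].op != OP_CMP_FALSE)
                return -1;          /* required attribute is missing */
            if (fixed)
                continue;           /* !* satisfied; keep checking the rest */
            return 0;               /* BUG: accepts before later items are seen */
        }

        switch (check[i].op) {
        case OP_CMP_FALSE:
            return -1;              /* present, but must be absent */
        case OP_CMP_TRUE:
            break;                  /* presence alone satisfies =* */
        case OP_EQ:
            if (strcmp(auth_item->value, check[i].value) != 0)
                return -1;
            break;
        }
    }
    return 0;                       /* every check item matched */
}

/* Constructed check items: a !* row followed by a stricter == row. */
static const check_item_t CHECKS[] = {
    { "Huntgroup-Name", OP_CMP_FALSE, NULL        },
    { "NAS-IP-Address", OP_EQ,        "192.0.2.1" },
};

/* Constructed requests: wrong NAS, permitted NAS, and one carrying the forbidden attribute. */
static const req_item_t WRONG_NAS[]    = { { "User-Name", "bob" }, { "NAS-IP-Address", "198.51.100.7" } };
static const req_item_t RIGHT_NAS[]    = { { "User-Name", "bob" }, { "NAS-IP-Address", "192.0.2.1" } };
static const req_item_t IN_HUNTGROUP[] = { { "Huntgroup-Name", "guests" }, { "NAS-IP-Address", "192.0.2.1" } };

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int wrong_nas_result(int fixed)    { return paircmp_model(CHECKS, LEN(CHECKS), WRONG_NAS,    LEN(WRONG_NAS),    fixed); }
int right_nas_result(int fixed)    { return paircmp_model(CHECKS, LEN(CHECKS), RIGHT_NAS,    LEN(RIGHT_NAS),    fixed); }
int in_huntgroup_result(int fixed) { return paircmp_model(CHECKS, LEN(CHECKS), IN_HUNTGROUP, LEN(IN_HUNTGROUP), fixed); }

int main(void)
{
    printf("wrong NAS,  buggy loop: %d  (0 means accepted)\n", wrong_nas_result(0));
    printf("wrong NAS,  fixed loop: %d\n", wrong_nas_result(1));
    printf("right NAS,  fixed loop: %d\n", right_nas_result(1));
    printf("in huntgroup, fixed loop: %d\n", in_huntgroup_result(1));
    return 0;
}
```

The buggy loop and the fixed loop agree whenever the !* row is last or the later rows happen to match, which is why the problem only shows up on users with many check rows, as in the post; the fixed loop differs only in that a satisfied !* row no longer ends evaluation early.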
Re: Possible bug in !* operator handling?
> Hi!
>
> Today I noticed some strange problems on a number of RADIUS users in a test
> setup: I have a number of users in MySQL that contain a large number of
> attributes that should not occur in the Access-Request (i.e. attributes
> with the !* operator). When I tried to authenticate these users, I noticed
> that in some cases users were getting authenticated while they should have
> been rejected.

Never mind, I found the patch on freeradius-devel... fixed a few weeks ago...

Gtnx
Marcel
Re: FreeRADIUS 2.0.0-pre2 has been released
Quoting Alan T DeKok:
> Hi,
>
> After much waiting, 2.0.0-pre2 has been released. It contains MAJOR

Wow, looks very nice! The unlang will probably allow us to throw away some of our own modules.

As I understand the virtual servers, it is possible to have all vservers listen to the same ip/port socket, but have different client configurations. Is that right? And would that be a sensible thing to do in a high traffic environment (many million requests per day)? I'd think that every request would have to be processed by all the vserver instances only to decide that the request has to be discarded by most of them.

Regards,
Jakob
OpenLDAP + FreeRADIUS Complete Solution
When organizations grow, there are more and more systems that need to be maintained, and each may have different configurations and users which have access to them. Individually editing local config files gets old pretty fast for hundreds of devices, and developing a unified and central user authorization database system that spans across all types of information systems becomes necessary.

Enter: OpenLDAP. I think I've developed a solution to maintain Linux hosts which controls POSIX users/groups/sudo access/apache website access/etc. by using a central LDAP database that stores policies of what a user can do on any one of our PCs. The actual configuration got fairly ugly, though (PAM not allowing you to specify more than one LDAP Group to allow access to the machine, thus the posixGroup LDAP schema had to be used (since /etc/security/access.conf allows you to specify multiple posix group access) instead of groupOfNames, but groupOfNames is needed for apache's ldap auth module, so both must be used..), but I've only covered access management for our websites and Linux PCs, not all of the various routers, switches, or other RADIUS-aware equipment that exist within the organization.

Enter: FreeRADIUS. We do already have a FreeRADIUS configuration that is auto-generated by our internal MySQL-based access policies to control access to our networking equipment, although this is fairly ugly, and it would be much much nicer if it could use the LDAP database I'm currently developing to control access across all devices instead. To put it gently, I want FreeRADIUS to be configured *entirely* off of LDAP. We currently have usernames/passwords stored/authenticated from the Kerberos database which FreeRADIUS also uses to authenticate users--I don't have LDAP do this. LDAP simply determines the _authorization_ of the user (what group they are in, what access they are provided).

I've read through a few LDAP-FreeRADIUS HOWTOs, but haven't come across anything that suggests FreeRADIUS can do everything I want it to. I interpret FreeRADIUS as having the following constructs:

clients (clients.conf): All devices FreeRADIUS will communicate with and provide access to. I don't see any way these can be defined in LDAP instead and have FreeRADIUS pull clients from the database instead of a local file, which is what I want.

users: All users which will have some sort of access to one of the clients. It appears users are able to be pulled from the LDAP directory by providing the correct DN users are located in. For me, users are all located in ou=people,dc=grnoc,dc=iu,dc=edu. My personal entry is something like:

dn: uid=mrmccrac,ou=people,dc=grnoc,dc=iu,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: radiusprofile
...
uid: mrmccrac

I still need to go back and look at the HOWTO perhaps, although I believe this setup can be used somehow/somewhere with FreeRADIUS to have it pull all of our users (specifically uids) from LDAP instead of a local file. This leads me to the next FreeRADIUS construct..

groups (group): this specifies groups of users, which can then later be used to define access levels (in huntgroups?). From what I read this too can be pulled from FreeRADIUS, that is, the groupOfNames object class can be interpreted if you supply the DN which has all of the groups. An example groupOfNames object I currently have is as such:

dn: cn=dev,ou=ldapgroups,dc=grnoc,dc=iu,dc=edu
cn: dev
objectClass: groupOfNames
objectClass: top
member: uid=mrmccrac,ou=people,dc=grnoc,dc=iu,dc=edu

Thus I should be able to tell FreeRADIUS to look at dn: ou=ldapgroups,dc=grnoc,dc=iu,dc=edu, and it should know to look at the member attributes to determine which users' DNs are in each group it finds. Now, finally...

huntgroups: I believe this is the glue between users/groups to RADIUS clients. I think the level of access can be defined per group (which would be ideal), and then with huntgroups we say which groups may get their specified level of access (enable mode or not..) to which networking devices we specified in the clients. Again, like clients.conf, I don't want to have to edit the huntgroups file anytime a change is made, but instead make the change in the LDAP directory and have FreeRADIUS pull all huntgroups from there.

Is any/all of what I mentioned currently possible based upon my current setup and FreeRADIUS's capabilities? Or, will all changes to clients and huntgroups need to be made locally in a file on the radius server, but I can at least pull available users and the groups that exist/they belong in from LDAP? Again, we're using Kerberos to do the user/password authentication, but want LDAP to do the authorization schema I provided. Any FreeRADIUS configuration examples/LDIF examples would be greatly appreciated, thanks for reading this far :).

Mitch
Re: OpenLDAP + FreeRADIUS Complete Solution
Mitch McCracken wrote:
RE: OpenLDAP + FreeRADIUS Complete Solution [sec=unclassified]
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kostas Kalevras
> Sent: Friday, 14 September 2007 04:18
> To: FreeRadius users mailing list
> Subject: Re: OpenLDAP + FreeRADIUS Complete Solution
>
> Mitch McCracken wrote:
> > When organizations grow, there are more and more systems that need to be maintained, and each may have different configurations and users which have access to them. Individually editing local config files gets old pretty fast for hundreds of devices, and developing a unified and central user authorization database system that spans across all types of information systems becomes necessary.
> >
> > Enter: OpenLDAP. I think I've developed a solution to maintain Linux hosts which controls POSIX users/groups/sudo access/apache website access/etc. by using a central LDAP database that stores policies of what a user can do on any one of our PCs. The actual configuration got fairly ugly, though (PAM not allowing you to specify more than one LDAP Group to allow access to the machine, thus the posixGroup LDAP schema had to be used (since /etc/security/access.conf allows you to specify multiple posix group access) instead of groupOfNames, but groupOfNames is needed for apache's ldap auth module, so both must be used..), but I've only covered access management for our websites and Linux PCs, not all of the various routers, switches, or other RADIUS-aware equipment that exist within the organization.

We use radiusGroupName to assign users to groups. The attribute is stored with the user DN and you can have multiple instances. Apache mod_ldap is compatible with this approach.

> > Enter: FreeRADIUS. We do already have a FreeRADIUS configuration that is auto-generated by our internal MySQL-based access policies to control access to our networking equipment, although this is fairly ugly, and it would be much much nicer if it could use the LDAP database I'm currently developing to control access across all devices instead. To put it gently, I want FreeRADIUS to be configured *entirely* off of LDAP.
>
> [snip]
>
> > users: All users which will have some sort of access to one of the clients. It appears users are able to be pulled from the LDAP directory by providing the correct DN users are located in. For me, users are all located in ou=people,dc=grnoc,dc=iu,dc=edu. My personal entry is something like:
> >
> > dn: uid=mrmccrac,ou=people,dc=grnoc,dc=iu,dc=edu
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > objectClass: radiusprofile
> > ...
> > uid: mrmccrac
> >
> > I still need to go back and look at the HOWTO perhaps, although I believe this setup can be used somehow/somewhere with FreeRADIUS to have it pull all of our users (specifically uids) from LDAP instead of a local file. This leads me to the next FreeRADIUS construct..
> >
> > groups (group): this specifies groups of users, which can then later be used to define access levels (in huntgroups?). From what I read this too can be pulled from FreeRADIUS, that is, the groupOfNames object class can be interpreted if you supply the DN which has all of the groups. An example groupOfNames object I currently have is as such:
> >
> > dn: cn=dev,ou=ldapgroups,dc=grnoc,dc=iu,dc=edu
> > cn: dev
> > objectClass: groupOfNames
> > objectClass: top
> > member: uid=mrmccrac,ou=people,dc=grnoc,dc=iu,dc=edu
> >
> > Thus I should be able to tell FreeRADIUS to look at dn: ou=ldapgroups,dc=grnoc,dc=iu,dc=edu, and it should know to look at the member attributes to determine which users' DNs are in each group it finds. Now, finally...
> >
> > huntgroups: I believe this is the glue between users/groups to RADIUS clients. I think the level of access can be defined per group (which would be ideal), and then with huntgroups we say which groups may get their specified level of access (enable mode or not..) to which networking devices we specified in the clients. Again, like clients.conf, I don't want to have to edit the huntgroups file anytime a change is made, but instead make the change in the LDAP directory and have FreeRADIUS pull all huntgroups from there.

In raddb/hints:

DEFAULT
        Hint = `%{ldap:ldap:///ou=hosts,dc=whatever?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}}`

> > Is any/all of what I mentioned currently possible based upon my current setup and FreeRADIUS's capabilities? Or, will all changes to clients and huntgroups need to be made locally in a file on the radius server, but I can at least pull available users and the groups that exist/they belong in from LDAP?

In raddb/users:

DEFAULT Hint == "", Huntgroup-Name !* Any, Auth-Type := Reject

Repl
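As an added example (not code from the thread or from FreeRADIUS), the following Python models the authorization flow the two messages above describe: users and groupOfNames entries like the ones Mitch posted, a host entry per NAS carrying radiusHuntgroupName and ipHostNumber as in the reply's hints lookup, and the users-file rule that an empty Hint (a NAS not found in LDAP) is a Reject. The directory is an in-memory stand-in parsed from constructed LDIF under dc=example,dc=org; the huntgroup-to-groups policy table is likewise constructed, since the thread does not say how the two are tied together. One member of cn=dev repeats the malformed RDN "ou-people" from the original post to show that such a value can never match a real user DN, and ldap_filter shows the RFC 4515 escaping a value needs before it is spliced into a filter.

```python
# Constructed sample directory, modelled on the entries posted in the thread
# (dc=example,dc=org instead of the poster's real base DN).  The second member
# of cn=dev repeats the malformed RDN "ou-people" from the original post, to
# show that such a value can never match a real user DN.
SAMPLE_LDIF = """\
dn: uid=mrmccrac,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: mrmccrac

dn: cn=dev,ou=ldapgroups,dc=example,dc=org
cn: dev
objectClass: groupOfNames
member: uid=mrmccrac,ou=people,dc=example,dc=org
member: uid=guest,ou-people,dc=example,dc=org

dn: cn=rtr1,ou=hosts,dc=example,dc=org
cn: rtr1
objectClass: ipHost
ipHostNumber: 192.0.2.10
radiusHuntgroupName: core-routers
"""
BASE = "dc=example,dc=org"
# Constructed policy: which LDAP groups may log in to each huntgroup.
HUNTGROUP_POLICY = {"core-routers": {"dev", "noc"}}
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def ldap_filter(attr, value):
    """RFC 4515 equality filter with the value escaped, so a value expanded from
    a request attribute (like %{NAS-IP-Address} above) cannot alter the filter."""
    return "(%s=%s)" % (attr, "".join(_FILTER_ESCAPES.get(c, c) for c in value))


def parse_ldif(text):
    """Minimal LDIF reader: blank line ends an entry, '#' starts a comment,
    no base64 values or continuation lines.  Attribute names are lower-cased."""
    entries, cur = [], {}
    for line in (l.rstrip() for l in text.splitlines() if not l.startswith("#")):
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries + ([cur] if cur else [])


def normalize_dn(dn):
    """Canonical DN for comparison; ValueError for an RDN that is not attr=value."""
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        parts.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return ",".join(parts)


class Directory:
    """In-memory stand-in for the LDAP server (no real LDAP connection here)."""
    def __init__(self, ldif_text):
        self.entries = {normalize_dn(e["dn"][0]): e for e in parse_ldif(ldif_text)}

    def search_one(self, base, attr, filter_attr, value):
        """Scope 'one' search for (filter_attr=value) directly under base; returns
        attr's values from the first match, which is what the ldap xlat expands to."""
        base_n, want = normalize_dn(base), value.lower()
        for dn, e in self.entries.items():
            if dn.partition(",")[2] != base_n:
                continue
            if want in (v.lower() for v in e.get(filter_attr.lower(), [])):
                return list(e.get(attr.lower(), []))
        return []

    def groups_of(self, user_dn):
        """cn of every groupOfNames whose member attribute names user_dn."""
        target, names = normalize_dn(user_dn), []
        for e in self.entries.values():
            if "groupofnames" not in (c.lower() for c in e.get("objectclass", [])):
                continue
            for m in e.get("member", []):
                try:
                    if normalize_dn(m) == target:
                        names.append(e["cn"][0])
                        break
                except ValueError:
                    continue  # malformed member DN never matches anyone
        return sorted(names)


def authorize(directory, user_dn, nas_ip):
    """Mirror of the reply's hints/users lines: look the NAS up by ipHostNumber to
    get its radiusHuntgroupName; an empty Hint (unknown NAS) is a Reject.
    Returns (decision, huntgroup, user's groups)."""
    hint = directory.search_one("ou=hosts," + BASE, "radiusHuntgroupName",
                                "ipHostNumber", nas_ip)
    if not hint:
        return ("Reject", "", [])
    groups = directory.groups_of(user_dn)
    allowed = HUNTGROUP_POLICY.get(hint[0], set())
    return ("Accept" if allowed.intersection(groups) else "Reject", hint[0], groups)
```

Because DN matching is done on a normalized form, a member value that is not a syntactically valid DN is simply skipped; in a real directory the same typo would silently leave the user out of the group, which is the safer failure direction but worth checking with an ldapsearch after each edit.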
Gigawords
Hello,

I'm using rlm_sql_log in freeradius 1.1.4. In order to correctly work with acct-input/output gigawords, I've replaced

'%{Acct-Input-Octets}'

with

'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}'

in the rlm_sql_log conf, but this results in invalid queries like:

"update radacct set... ...acctiputoctets = 0 << 32 | 98..."

Looks like the rlm_sql_log module was not compiled to parse that syntax. What can I do, please (besides creating a procedure on the DB to treat that)?

Thank you very much.

Guilherme Franco
radsniff bug in 2.0.0-pre2?
Hi all,

I am testing radsniff, and I have the following behaviour: when launching radsniff with the following input, the program crashes (FreeRADIUS v2.0.0-pre2):

[EMAIL PROTECTED] bin]# ./radsniff -f udp
Device: [eth0]
PCAP filter: [udp]
RADIUS secret: [testing123]
*** glibc detected *** free(): invalid pointer: 0x08120dbc ***
Aborted

It seems that radsniff crashes when it tries to decode packets that are not RADIUS ones (DNS requests for example). If the filter is very restrictive and matches only used RADIUS ports, it works fine.

I just have a problem with a RADIUS request used by my RADIUS load balancer to test my servers' status (server version 1.1.3). The request used is a Status-Server request. The content of the request is the following:

[EMAIL PROTECTED] ~]# tcpdump -X udp and host 10.67.106.3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
06:36:26.078778 IP 10.67.106.3.57084 > rafale.50812: UDP, length 26
        0x0000:  4500 0036 0000 0000 ff11 d32b 0a43 6a03  E..6.......+.Cj.
        0x0010:  0a43 6a02 defc c67c 0022 7932 0c01 001a  .Cj....|."y2....
        0x0020:  0fc2 4720 8f36 9096 d8b9 f507 de5d 811d  ..G..6.......]..
        0x0030:  0406 0aa2 39c3                           ....9.
06:36:26.079186 IP rafale.50812 > 10.67.106.3.57084: UDP, length 49
        0x0000:  4500 004d 0000 4000 4011 5215 0a43 6a02  E..M..@.@.R..Cj.
        0x0010:  0a43 6a03 c67c defc 0039 e8d5 0201 0031  .Cj..|...9.....1
        0x0020:  8605 feab 8157 42de 0bad 532a c113 9148  .....WB...S*...H
        0x0030:  121d 4672 6565 5241 4449 5553 2075 7020  ..FreeRADIUS.up.
        0x0040:  3020 6461 7973 2c20 3232 3a34 34         0.days,.22:44

With this issue, to make radsniff work, I have to exclude my load-balancer source IP address from the PCAP filter: "udp port 1812 or 1813 or 1814 and host not IP_SRC_LB" (my load-balancer performs NAT of the server, so I still see the packets from my clients).

Furthermore, would the community be interested in having the date of the packet (in the same format as in radius.log) and the packet id? I think the patch is not much to do.
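The crash described above is what happens when a sniffer trusts the Code/Length header of whatever UDP payload the filter lets through. As an added example (not radsniff's code, and not from the thread), the Python below decodes a RADIUS datagram defensively: it applies the RFC 2865 section 3 length rules and the attribute TLV bounds checks before touching any byte, and returns None for anything that is not a well-formed packet instead of aborting. The two sample payloads are the Status-Server probe and the Access-Accept reply taken from the tcpdump output in the message above with the IP and UDP headers stripped; the DNS query is a constructed example of a non-RADIUS datagram.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Code values from RFC 2865/2866; 12 and 13 are the experimental Status-Server
# and Status-Client codes that FreeRADIUS implements.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response",
                11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}
ATTR_NAMES = {4: "NAS-IP-Address", 18: "Reply-Message"}
MIN_LEN, MAX_LEN = 20, 4096   # RFC 2865 section 3: valid range of the Length field

# UDP payloads of the two packets in the tcpdump output above (IP and UDP
# headers stripped): the load balancer's Status-Server probe and the reply.
STATUS_SERVER_REQUEST = bytes.fromhex(
    "0c01001a" "0fc247208f369096d8b9f507de5d811d" "04060aa239c3")
STATUS_SERVER_REPLY = (bytes.fromhex("02010031" "8605feab815742de0bad532ac1139148" "121d")
                       + b"FreeRADIUS up 0 days, 22:44")
# Constructed: a DNS query for example.com, the kind of non-RADIUS datagram
# that a capture filter of just "udp" lets through.
DNS_QUERY = bytes.fromhex("abcd01000001000000000000" "076578616d706c6503636f6d00" "00010001")


def decode_radius(payload: bytes) -> Optional[Dict]:
    """Parse a RADIUS datagram; returns None (never raising, never reading past
    the buffer) when the payload is not a well-formed RADIUS packet."""
    if len(payload) < MIN_LEN:
        return None                                   # shorter than the fixed header
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if code not in RADIUS_CODES:
        return None                                   # unknown Code: not RADIUS
    if not MIN_LEN <= length <= MAX_LEN or length > len(payload):
        return None                                   # Length must fit what arrived
    attrs: List[Tuple[int, bytes]] = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            return None                               # no room for Type + Length
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            return None                               # zero/short Length would loop or overrun
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return {"code": RADIUS_CODES[code], "id": ident, "length": length,
            "authenticator": payload[4:20], "attributes": attrs}


def format_attribute(atype: int, value: bytes) -> str:
    """Render one attribute; only the two types in the sample capture are named."""
    name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
    if atype == 4 and len(value) == 4:
        return "%s = %s" % (name, ".".join(str(b) for b in value))
    if atype == 18:
        return '%s = "%s"' % (name, value.decode("ascii", "replace"))
    return "%s = 0x%s" % (name, value.hex())


def summarize(payload: bytes) -> str:
    """One-line summary of a datagram, or a note that it was skipped."""
    pkt = decode_radius(payload)
    if pkt is None:
        return "skipped %d-byte non-RADIUS datagram" % len(payload)
    return "%s id=%d len=%d %s" % (pkt["code"], pkt["id"], pkt["length"],
                                   ", ".join(format_attribute(t, v) for t, v in pkt["attributes"]))
```

Note that these checks only establish that the bytes are shaped like RADIUS; the Authenticator is not verified here, so a sniffer using this logic still cannot tell a genuine packet from one a third party injected on the wire.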
RE : radsniff bug in 2.0.0-pre2?
> The request used is a Status-Server request. The content of the request is the following:

I have just tested sniffing a Status-Request generated by radclient (v2.0.0-pre2), and radsniff crashes the same way.

Regards,
Geoffroy