Authentication failure via PAP
Hi,

I'm using Freeradius 1.1.6 inside a Solaris 10 zone and compiled it from vanilla sources. I configured rlm_ldap since the usernames and cleartext-passwords are stored in an LDAP directory and it works just fine for applications like Cisco-VPN or 802.1X EAP-TTLS. Now I wanted to set up the Captive Portal of pfsense/m0n0wall to authenticate against radius, which is using PAP for password transmission, but authentication always fails even if I triple-check the entered user credentials.

The freeradius log always says:

Auth: Login incorrect (rlm_ldap: Bind as user failed): [my_username] (from client pfsensebox port 1 cli 00:17:f2:xx:yy:zz)

Of course I also checked if the radius client is using the correct secret. I set auto_header to "yes" as it is suggested in the rlm_pap manpage and put pap at the end of the authorize section.

I also included an excerpt of my radiusd.conf

---begin radiusd.conf---
modules {
        pap {
                auto_header = yes
        }
        ldap {
                server = "ldapserver.mydomain.com"
                basedn = "ou=people,o=my organization,c=de"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "uid"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
}
authorize {
        auth_log
        chap
        mschap
        suffix
        eap
        ldap
        files
        daily
        pap
}

authenticate {
        pap
        chap
        mschap
        ldap
        eap
}
---end radiusd.conf---

Here is an output of radiusd -X:

---begin radiusd -X output---
rad_recv: Access-Request packet from host 111.222.333.444:51087, id=255, length=131
        NAS-IP-Address = 111.222.333.444
        NAS-Identifier = "pfsense.local"
        User-Name = "my_username"
        User-Password = "\301q\202\355g\264g)N\265\315\311\374\205i"
        Service-Type = Login-User
        NAS-Port-Type = Ethernet
        NAS-Port = 1
        Framed-IP-Address = 192.168.23.200
        Called-Station-Id = "00:01:02:xx:yy:zz"
        Calling-Station-Id = "00:17:f2:aa:bb:cc"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat: '/opt/radiusd/var/log//radacct/auth-detail-200709'
rlm_detail: /opt/radiusd/var/log//radacct/auth-detail-%Y%m expands to /opt/radiusd/var/log//radacct/auth-detail-200709
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "my_username", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "my_username"
rlm_realm: Proxying request from user my_username to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for my_username
radius_xlat: '(uid=my_username)'
radius_xlat: 'ou=people,o=my organization,c=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to directory.fernuni-hagen.de:389, authentication 0
rlm_ldap: bind as / to directory.fernuni-hagen.de:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,o=my organization,c=de, with filter (uid=my_username)
rlm_ldap: checking if remote access for my_username is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding uid as User-Name, value my_username & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user my_username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall[authorize]: module "files" returns notfound for request 0
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
modcall[authorize]: module "daily" returns noop for request 0
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type ldap
auth: type "ldap"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "my_username" with password "Áq?íg ´g)NµÍÉü?i"
Re: Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2
Scott Lambert wrote:
> lrad_packet_list_socket_add() is called with a pointer to the radius
> request packet list structure and the socket file descriptor of the
> socket which has been created with the call to socket() and bound to an
> IP and port by bind() during the prior call to lrad_socket(). Is that
> correct?

Yes. In the jail, it asks to bind to 0.0.0.0, but the socket *actually* binds to the jail IP. This is why the "inaddr_any" check doesn't match.

> So, should we be looking for != in the above if() from
> lrad_packet_list_socket_add()?

... no. The issue is that when udpfromto is used, we have:

a) socket binds to 0.0.0.0 (really, outside of the jail)
b) the server doesn't know which IP is used to send a packet
c) the server DOES know which IP the response is sent to

Since the "received" IP doesn't match the "source" IP, there's a little bit of tweaking that has to be done to match the response to an outstanding request. That's what that check is for.

> I flipped that to a != comparison and it seems to work inside or outside
> the jail with or without specifying the "Packet_Src-IP-Address".

I have no idea why that would work...

> Problem solved? Or, is this going to break other things?

It should really break things...

> ===
> jail with Packet-Src-IP-Address:

But that tells the server which IP to use for the source IP, so the whole "inaddr_any" checks don't apply.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Limit users traffic quota via radius
Hi,

I'm trying to close the connection of a pre-paid mobile user, after he reached a limited amount of traffic (ie. 100 megabytes), the network device is a Cisco router.
I've found many ways to rate-limit the traffic bandwidth but not one to do this.
Is radius the correct way to achieve this goal? Is it all about VSA?

Thanks all,
Massimiliano
Re: Sending Cisco AV Pairs per realm
> Here is a short example that should work for you using the hints file:
>
> #hints
> DEFAULT User-Name =~ "@dsl.realm"
>         Hint = "DSL"
> #/hints
>
> #users
> DEFAULT Hint == "DSL"
>         Cisco-AVPair += "..."
> #/users

Thanks Kevin

This looks great, however the caveat is that we're using MySQL and not the users file; I can't for the life of me work out how to get that data in to the tables! Any hints would be appreciated.

Cheers
Dan
Re: Trouble configuring SQL data store for users (second attempt)
On Mon, 2007-09-17 at 20:30 -0700, Bill Shaver wrote:
> Please forgive the duplicate post. I posted this a few days back and
> didn't see any response; thought I would give it just one more try.
> Thanks for any response.
> --Bill
>
> I have started to experiment with using mysql as the datastore for users
> and clients instead of the default file method for my relatively small
> installation. Right now my work is on a test system and all is working
> well, with one exception: a user that is a member of two or more groups.
> Based on all I have read, this last thing should be very basic.
>
> If I put the user in only groupA (in the usergroup table), the test
> works great. If I put user1 in only groupB, the test works great. When
> I put user1 in both groupA and groupB in the usergroup table it will
> only work against the first record of the two, the second record always
> returns a failure.

Versions of FreeRadius prior to 2.0pre/CVS handle multiple groups a little bit oddly. The SQL code merges the check items for the user (from radcheck) and all their groups (from radgroupcheck) into one check list, compares them all, then if they all match, merges the reply items for the user (from radreply) and all their groups (from radgroupreply) into one set of reply items, which are added to the reply.

So having a user in two groups with conflicting check or reply items doesn't work. This is annoying, since it's usually what you want to do!

In FreeRadius 2.x the SQL groups work as expected. The user check/reply items are processed, then the groups are processed in order of precedence, processing stopping the first time Fall-Through==no (the default).

The easiest way to get around this in 1.x is to modify the group membership SQL query to include more than just the username as the "key". I like to refer to this as "netgroup-like".
For example, you might set:

group_membership_query = "select groupname from netgroup where \
        username='%{SQL-User-Name}' and \
        realm='%{Realm}'"

In SQL:

create table netgroup (username varchar(253), realm varchar(253), groupname varchar(253), primary key (username,realm));
insert into netgroup values ('kpass','cisi','CiscoAdm');
insert into netgroup values ('kpass','syst','LdapHpReho');

This is a very simple example, and can in fact be accomplished without changing anything; just change the SQL-User-Name to be User-Name as opposed to Stripped-User-Name and put the [EMAIL PROTECTED] in the user column. However, there are endless variations on this scheme, including putting things such as:

* Service-Type
* Calling-Station-Id
* Called-Station-Id
* Huntgroup-Name
* etc.

...in the "key" to the group table.

> I am sure this is probably something really stupid, but I just cannot
> see it. Any help would be appreciated.
>
> I have attached table dumps, sample commands, and a debug trace. I hope
> it is helpful
>
> Thanks,
> --Bill
>
> FreeRadius version 1.0.1

This is ancient. Upgrade to 1.1.7

> MySQL version 4.1.20
>
> vm # /usr/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password \
> localhost:1645 10 naspass
> will succeed, while
> vm # /usr/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password \
> localhost:1645 10 naspass
> fails, but should succeed
>
> The following is a test data set to validate a variety of cases that we
> need to support in our environment.
>
> select * from radcheck into outfile '/tmp/f1';
>
> id  username  attribute  op  value
> --- --------  ---------  --  -----
> 1   bill      Password   ==  userpass
> 5   guest01   Auth-Type  :=  Local

Once you've upgraded to 1.1.7, you can stop setting Auth-Type to Local, and stop using password comparison. Instead, do:

Cleartext-Password := value

...and ensure the PAP module is at the bottom of the authorize section. Then it'll a) magically work and b) be the recommended way of doing it.
> 6   guest01   Password   ==  password
>
> select * from radreply into outfile '/tmp/f4';
>
> id  username  attribute     op  value
> --- --------  ------------  --  -----
> 7   guest01   Class         :=  OU=Wireless;
> 8   guest01   Fall-Through  :=  No

As above, Fall-Through is irrelevant on SQL groups in FreeRadius 1.x.

> select * from radgroupcheck into outfile '/tmp/f2';
>
> id  groupname     attribute  op  value
> --- ------------  ---------  --  -----
> 6   LocalUnix     Auth-Type  ==  System
> 7   LocalUnix     Realm      ==  Test
> 9   LdapCiscoAdm  Password   ==  password
> 10  LdapCiscoAdm  Auth-Type  ==  Local
> 11  LdapCiscoAdm  Realm
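To make the two group-handling behaviours Phil describes concrete, here is an added example (mine, not from the thread or from FreeRADIUS) that loads constructed radcheck/radgroupcheck/usergroup rows into sqlite, puts a user in two groups whose Realm check items conflict, and runs the same request through a 1.x-style "merge everything" check, a 2.x-style "first matching group" check, and the 1.x check again with the "netgroup-like" membership query keyed on username and realm. The table names and column layout follow the thread; `check_item_matches`, the row data and the request are assumptions made for the demo.

```python
import sqlite3

# Constructed sample schema in the layout the thread uses (radcheck, radgroupcheck,
# usergroup) plus Phil's netgroup table keyed on (username, realm).
SCHEMA = """
create table radcheck (id integer, username text, attribute text, op text, value text);
create table radgroupcheck (id integer, groupname text, attribute text, op text, value text);
create table usergroup (username text, groupname text, priority integer);
create table netgroup (username text, realm text, groupname text,
                       primary key (username, realm));
"""

# Constructed rows: guest01 is in two groups whose Realm check items conflict.
SAMPLE_ROWS = """
insert into radcheck values (5, 'guest01', 'Cleartext-Password', ':=', 'password');
insert into radgroupcheck values (7, 'LocalUnix', 'Realm', '==', 'Test');
insert into radgroupcheck values (11, 'LdapCiscoAdm', 'Realm', '==', 'cisi');
insert into usergroup values ('guest01', 'LocalUnix', 1);
insert into usergroup values ('guest01', 'LdapCiscoAdm', 2);
insert into netgroup values ('guest01', 'Test', 'LocalUnix');
insert into netgroup values ('guest01', 'cisi', 'LdapCiscoAdm');
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE_ROWS)
    return db


def check_item_matches(attr, op, value, request):
    """Minimal evaluator (an assumption for this demo) for the two check-item forms
    used here: 'Cleartext-Password := X' (known-good password) and 'Attr == X'."""
    if attr == "Cleartext-Password":
        return request.get("User-Password") == value
    if op == "==":
        return request.get(attr) == value
    raise ValueError(f"unsupported op {op!r}")


def user_checks(db, username):
    return db.execute("select attribute, op, value from radcheck where username=?",
                      (username,)).fetchall()


def group_checks(db, groupname):
    return db.execute("select attribute, op, value from radgroupcheck where groupname=?",
                      (groupname,)).fetchall()


def groups_by_usergroup(db, username):
    """Default membership query: every group the user is in, by priority."""
    return [g for (g,) in db.execute(
        "select groupname from usergroup where username=? order by priority", (username,))]


def groups_by_netgroup(db, username, realm):
    """'Netgroup-like' membership query keyed on username AND realm."""
    return [g for (g,) in db.execute(
        "select groupname from netgroup where username=? and realm=?", (username, realm))]


def authorize_1x(db, request, groups):
    """1.x: user and ALL group check items are merged into one list; all must match."""
    items = list(user_checks(db, request["User-Name"]))
    for g in groups:
        items += group_checks(db, g)
    return all(check_item_matches(a, o, v, request) for a, o, v in items)


def authorize_2x(db, request, groups):
    """2.x: user items must match; groups are then tried in order and the first
    group whose check items all match is the one applied (Fall-Through = no).
    Returns that group's name, or None if no group matched."""
    if not all(check_item_matches(a, o, v, request)
               for a, o, v in user_checks(db, request["User-Name"])):
        return None
    for g in groups:
        if all(check_item_matches(a, o, v, request) for a, o, v in group_checks(db, g)):
            return g
    return None


def run_scenarios():
    db = open_db()
    req = {"User-Name": "guest01", "User-Password": "password", "Realm": "cisi"}
    plain = groups_by_usergroup(db, "guest01")
    keyed = groups_by_netgroup(db, "guest01", req["Realm"])
    return {
        "1.x, default usergroup query": authorize_1x(db, req, plain),   # conflict -> False
        "2.x, default usergroup query": authorize_2x(db, req, plain),   # 'LdapCiscoAdm'
        "1.x, netgroup query": authorize_1x(db, req, keyed),            # one group -> True
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```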
Denying user from authentication
Hi

I am using EAP_TLS authentication with free radius 1.1.7. The authentication is a certificate based one.

I want to reject one user. I have done config in users file

anoop07 Auth-Type := Reject
        Reply-Message = \"Your account has been disabled.\"

Still the user authenticates. How can I prevent user like this?

Regards
Anoop
Re: Authentication failure via PAP
1. Secret is different (probability 99%)
2. MD5 libraries on the client or the server are broken

I would delete the secret on the server and the client and type in another one. If that doesn't work then you will need to fix the MD5 calculations. If it's the server you will get this problem with every client you try. If it's only one client ...

Ivan Kalik
Kalik Informatika ISP

On 18/9/2007, "Thomas Schmitz" <[EMAIL PROTECTED]> writes:

>Hi,
>
>I'm using Freeradius 1.1.6 inside a Solaris 10 zone and compiled
>it from vanilla sources. I configured rlm_ldap since the
>usernames and cleartext-passwords are stored in an LDAP
>directory and it works just fine for applications like Cisco-VPN
>or 802.1X EAP-TTLS. Now I wanted to set up the Captive Portal of
>pfsense/m0n0wall to authenticate against radius, which is using
>PAP for password transmission but authentication always fails
>even if I triple-check the entered user credentials.
>
>The freeradius log always says:
>Auth: Login incorrect (rlm_ldap: Bind as user failed):
>[my_username] (from client pfsensebox port 1 cli
>00:17:f2:xx:yy:zz)
>
>Of course I also checked if the radius client is using the
>correct secret. I set auto_header to "yes" as it is suggested
>in the rlm_pap manpage and put pap at the end of the authorize
>section.
>
>I also included an excerpt of my radiusd.conf
>
>---begin radiusd.conf---
>modules {
>        pap {
>                auto_header = yes
>        }
>        ldap {
>                server = "ldapserver.mydomain.com"
>                basedn = "ou=people,o=my organization,c=de"
>                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                start_tls = no
>                access_attr = "uid"
>                dictionary_mapping = ${raddbdir}/ldap.attrmap
>                ldap_connections_number = 5
>                password_attribute = userPassword
>                timeout = 4
>                timelimit = 3
>                net_timeout = 1
>        }
>}
>authorize {
>        auth_log
>        chap
>        mschap
>        suffix
>        eap
>        ldap
>        files
>        daily
>        pap
>}
>
>authenticate {
>        pap
>        chap
>        mschap
>        ldap
>        eap
>}
>---end radiusd.conf---
>
>Here is an output of radiusd -X:
>
>---begin radiusd -X output---
>rad_recv: Access-Request packet from host 111.222.333.444:51087, id=255, length=131
>        NAS-IP-Address = 111.222.333.444
>        NAS-Identifier = "pfsense.local"
>        User-Name = "my_username"
>        User-Password = "\301q\202\355g\264g)N\265\315\311\374\205i"
>        Service-Type = Login-User
>        NAS-Port-Type = Ethernet
>        NAS-Port = 1
>        Framed-IP-Address = 192.168.23.200
>        Called-Station-Id = "00:01:02:xx:yy:zz"
>        Calling-Station-Id = "00:17:f2:aa:bb:cc"
>Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
>radius_xlat: '/opt/radiusd/var/log//radacct/auth-detail-200709'
>rlm_detail: /opt/radiusd/var/log//radacct/auth-detail-%Y%m expands to /opt/radiusd/var/log//radacct/auth-detail-200709
>modcall[authorize]: module "auth_log" returns ok for request 0
>modcall[authorize]: module "chap" returns noop for request 0
>modcall[authorize]: module "mschap" returns noop for request 0
>rlm_realm: No '@' in User-Name = "my_username", looking up realm NULL
>rlm_realm: Found realm "NULL"
>rlm_realm: Adding Stripped-User-Name = "my_username"
>rlm_realm: Proxying request from user my_username to realm NULL
>rlm_realm: Adding Realm = "NULL"
>rlm_realm: Authentication realm is LOCAL.
>modcall[authorize]: module "suffix" returns noop for request 0
>rlm_eap: No EAP-Message, not doing EAP
>modcall[authorize]: module "eap" returns noop for request 0
>rlm_ldap: - authorize
>rlm_ldap: performing user authorization for my_username
>radius_xlat: '(uid=my_username)'
>radius_xlat: 'ou=people,o=my organization,c=de'
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: attempting LDAP reconnection
>rlm_ldap: (re)connect to directory.fernuni-hagen.de:389, authentication 0
>rlm_ldap: bind as / to directory.fernuni-hagen.de:389
>rlm_ldap: waiting for bind result ...
>rlm_ldap: Bind was successful
>rlm_ldap: performing search in ou=people,o=my organization,c=de, with filter (uid=my_username)
>rlm_ldap: checking if remote access for my_username is allowed by uid
>rlm_ldap: looking for check items in directory...
>rlm_ldap: Adding uid as User-Name, value my_username & op=21
>rlm_ldap: looking for reply items in directory...
>rlm_ldap: Setting Auth-Type = ldap
>rlm_ldap: user my_username authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>modcall[authorize]: module "ldap" returns ok for request 0
>modcall[authorize]: module "files" returns notfound for request 0
>rlm_counter: Entering module authorize code
>rlm_counter: Could not find Check item
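Ivan's first suspect is the shared secret. The block below is an added example (mine, not from the thread or from FreeRADIUS) implementing the RFC 2865 section 5.2 User-Password hiding that PAP over RADIUS relies on; it shows that when the NAS and the server disagree on the secret, the server recovers unprintable bytes of the kind seen in the `User-Password = "\301q\202..."` line above (FreeRADIUS prints User-Password after un-hiding it, and rlm_ldap then binds with exactly those bytes, hence "Bind as user failed"). The secrets, password and Request Authenticator are constructed, and `looks_like_secret_mismatch` is a heuristic I add for reading the debug output, not a FreeRADIUS function.

```python
import hashlib
import os
import string


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side (RFC 2865 5.2): pad the password with NULs to a multiple of 16,
    then c1 = p1 XOR MD5(S + RA) and c(i) = p(i) XOR MD5(S + c(i-1))."""
    if not 0 < len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += chunk
        prev = chunk
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the inverse, p(i) = c(i) XOR MD5(S + c(i-1)), trailing NUL padding removed.
    With the wrong secret every MD5 block differs, so the result is noise, not the password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return out.rstrip(b"\x00")


def looks_like_secret_mismatch(revealed: bytes) -> bool:
    """Heuristic for the 'login attempt by ... with password' debug line: a correctly
    revealed PAP password is printable text, while a wrong secret yields high-bit
    and control bytes such as \\301 \\202 \\355 in the thread's output."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    return any(c not in printable for c in revealed)


def demo():
    authenticator = os.urandom(16)        # Request Authenticator of the Access-Request
    correct = b"nas-and-server-secret"   # constructed sample secret
    wrong = b"nas-and-server-secert"     # one typo away; constructed
    hidden = hide_user_password(b"hunter2!", correct, authenticator)
    return (reveal_user_password(hidden, correct, authenticator),
            reveal_user_password(hidden, wrong, authenticator))


if __name__ == "__main__":
    good, bad = demo()
    print("correct secret ->", good)
    print("wrong secret   ->", bad, "mismatch?", looks_like_secret_mismatch(bad))
```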
Re: Denying user from authentication
Revoke the certificate.

Ivan Kalik
Kalik Informatika ISP

On 18/9/2007, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> writes:

>Hi
> I am using EAP_TLS authentication with free radius 1.1.7. The
> authentication is a certificate based one.
>
> I want to reject one user. I have done config in users file
>
> anoop07 Auth-Type := Reject
>         Reply-Message = \"Your account has been disabled.\"
>
>Still the user authenticates. How can I prevent user like this?
>
>Regards
>Anoop
Re: Denying user from authentication
and make sure to use

check_crl = yes

in eap.conf

On 9/18/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Revoke the certificate.
RE: randomly crashing
>version of FR? modules or backend auth system used?

Using FR 1.1.5 and using mod_auth_ldap for auth
Re: Limit users traffic quota via radius
On 9/18/07, Massimiliano Macrì <[EMAIL PROTECTED]> wrote:
> I'm trying to close the connection of a pre-paid mobile user, after he
> reached a limited amount of traffic (ie. 100 megabytes), the network
> device is a Cisco router.
> I've found many ways to rate-limit the traffic bandwidth but not one to do
> this.
> Is radius the correct way to achieve this goal? Is it all about VSA?

Radius isn't supposed to terminate anything on its own, it just takes note of a user session history and validates logins.

What you should do is to find some way of telling Cisco that a particular session is to be disconnected when a certain limit is reached. If your Cisco can output real time stats AND can accept external disconnection commands, then it might be possible to implement what you want.

But honestly this process should be implemented completely inside the Cisco, and then, when a disconnect triggers, your Cisco should tell Radius about it. The opposite isn't bound to happen.
Intel Proset Wireless Client does not process RFC3580 Attributes.
FreeRADIUS Version 1.1.3-r0.1.2 (Upgrade to 1.1.7 is Pending)

I am running FreeRADIUS to authenticate wireless users on a bunch of Cisco AP1231's. My wireless supplicants are running a combination of the standard Windows XP client which works fine and the Intel Proset Client which is causing problems.

The Radius setup is for PEAP/MSChapv2 and each user has the following attributes assigned.

Tunnel-Type = "VLAN"
Tunnel-Medium-Type = "IEEE-802"
Tunnel-Private-Group-ID = "X" (Where X is the assigned VLAN Number)

The Proset Clients do manage to eventually authenticate, but the above attributes do not appear to get processed. I think this is happening because the Proset Client sends the User-Name as "anonymous" and as there is no "anonymous" user defined, the attributes do not get applied.

How do I get the User-Name to be sent correctly?

Thanks in advance.

Terry Pelley
Network Analyst
Business and Learning Technologies
Ottawa-Carleton District School Board
[EMAIL PROTECTED]
Re: Limit users traffic quota via radius
Actually if you are working with MySQL or some other SQL database server maybe you can write your own sql module that accomplishes that. I would suggest taking a look at Max-All-Session as an example. What you want to do is create a kind of sql module that will act as a counter for the traffic used by the user and perform actions based on that.

Regards,
Liran.

On 9/18/07, inverse <[EMAIL PROTECTED]> wrote:
>
> On 9/18/07, Massimiliano Macrì <[EMAIL PROTECTED]> wrote:
> >
> > I'm trying to close the connection of a pre-paid mobile user, after he
> > reached a limited amount of traffic (ie. 100 megabytes), the network
> > device is a Cisco router.
> > I've found many ways to rate-limit the traffic bandwidth but not one to do
> > this.
> > Is radius the correct way to achieve this goal? Is it all about VSA?
>
> Radius isn't supposed to terminate anything on its own, it just takes
> note of a user session history and validates logins.
> What you should do is to find some way of telling Cisco that a
> particular session is to be disconnected when a certain limit is
> reached. If your Cisco can output real time stats AND can accept
> external disconnection commands, then it might be possible to
> implement what you want.
> But honestly this process should be implemented completely inside the
> Cisco, and then, when a disconnect triggers, your Cisco should tell
> Radius about it. The opposite isn't bound to happen.
Controlling access to my Wireless network.
Hello all,

I'm looking for a simple way to protect access to my wireless network. I'm seeing a lot of old documentation on how to use EAP-TLS to protect the wireless network. I've found lots of old documentation on how to setup WPA Enterprise. I would like some updated documentation on how to do this.

I have a couple SonicWall SonicPoint devices that have the capability to do WPA Enterprise or WPA2 enterprise or both. I would like to be able to have a user attempt to join my wireless network, but be presented with the request for Username and Password. From there I would like to be able to have their connection authenticated and then allow them on. No authentication, no getting on. Securing the wireless signal is not the primary focus here. Securing the access to the network is.

Is there a way to do this? I have FreeRadius 1.1.7 installed and working and currently will authenticate against my ldap server.

Thank you for lending a hand to a newbie here.
Kent
Re: Controlling access to my Wireless network.
simplest, don't turn it on.

On 9/18/07, Kent Thomas <[EMAIL PROTECTED]> wrote:
>
> Hello all,
> I'm looking for a simple way to protect access to my wireless network. I'm
> seeing a lot of old documentation on how to use EAP-TLS to protect the
> wireless network. I've found lots of old documentation on how to setup WPA
> Enterprise. I would like some updated documentation on how to do this.
>
> I have a couple SonicWall SonicPoint devices that have the capability to do
> WPA Enterprise or WPA2 enterprise or both. I would like to be able to have a
> user attempt to join my wireless network, but be presented with the request
> for Username and Password. From there I would like to be able to have their
> connection authenticated and then allow them on. No authentication, no
> getting on. Securing the wireless signal is not the primary focus here.
> Securing the access to the network is.
>
> Is there a way to do this? I have FreeRadius 1.1.7 installed and working
> and currently will authenticate against my ldap server.
>
> Thank you for lending a hand to a newbie here.
> Kent
Re: Limit users traffic quota via radius
On Tue 18 Sep 2007, Massimiliano Macrì wrote:
> Hi,
>
> I'm trying to close the connection of a pre-paid mobile user, after he
> reached a limited amount of traffic (ie. 100 megabytes), the network
> device is a Cisco router.
> I've found many ways to rate-limit the traffic bandwidth but not one to do
> this.
> Is radius the correct way to achieve this goal? Is it all about VSA?

You could easily accomplish this with a CoA/PoD request to the cisco when the user hits whatever limit...

--
Peter Nixon
http://peternixon.net/
Re: Intel Proset Wireless Client does not process RFC3580 Attributes.
Read instructions in eap.conf. You most likely need to set:

use_tunneled_reply = yes

in peap section.

Ivan Kalik
Kalik Informatika ISP

On 18/9/2007, "Terry Pelley" <[EMAIL PROTECTED]> writes:

>FreeRADIUS Version 1.1.3-r0.1.2 (Upgrade to 1.1.7 is Pending)
>
>I am running FreeRADIUS to authenticate wireless users on a bunch of Cisco
>AP1231's. My wireless supplicants are running a combination of the
>standard Windows XP client which works fine and the Intel Proset Client
>which is causing problems.
>
>The Radius setup is for PEAP/MSChapv2 and each user has the following
>attributes assigned.
>
>Tunnel-Type = "VLAN"
>Tunnel-Medium-Type = "IEEE-802"
>Tunnel-Private-Group-ID = "X" (Where X is the assigned VLAN Number)
>
>The Proset Clients do manage to eventually authenticate, but the above
>attributes do not appear to get processed. I think this is happening
>because the Proset Client sends the User-Name as "anonymous" and as there
>is no "anonymous" user defined, the attributes do not get applied.
>
>How do I get the User-Name to be sent correctly?
>
>Thanks in advance.
>
>Terry Pelley
>Network Analyst
>Business and Learning Technologies
>Ottawa-Carleton District School Board
>
>[EMAIL PROTECTED]
Freeradius +MS Win XP (EAP) problems
Hi,

I want to configure freeradius (Linux) in order to authenticate and authorize MS Windows XP clients (people connect to Access Point Linksys). I am using EAP-PEAP and MSCHAP from Windows. If I perform radtest from linux clients (using wired network) I have no problem to access, but I cannot from Windows XP; these are the messages when I run using radiusd -X:

rad_recv: Access-Request packet from host 10.30.1.151:1032, id=66, length=115
        User-Name = "sbelki"
        Calling-Station-Id = "00-0e-35-bf-51-18"
        EAP-Message = 0x020400061900
        Framed-MTU = 1287
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        State = 0xbee0745e6005b8a43128657ff16d08ea
        Message-Authenticator = 0xc6044fc3eb7975f75f9afd9edfcca489
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 55
modcall[authorize]: module "preprocess" returns ok for request 55
modcall[authorize]: module "chap" returns noop for request 55
modcall[authorize]: module "mschap" returns noop for request 55
rlm_realm: No '@' in User-Name = "sbelki", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 55
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 55
users: Matched entry DEFAULT at line 159
modcall[authorize]: module "files" returns ok for request 55
rlm_ldap: - authorize
rlm_ldap: performing user authorization for sbelki
radius_xlat: '(uid=sbelki)'
radius_xlat: 'ou=people,dc=palermo,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=palermo,dc=edu, with filter (uid=sbelki)
request 57 done
rlm_ldap: checking if remote access for sbelki is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value sample & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user sbelki authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 55
modcall: group authorize returns updated for request 55
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 55
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 55
modcall: group authenticate returns handled for request 55
Sending Access-Challenge of id 66 to 10.30.1.151:1032
        EAP-Message = 0x010500061900
        Message-Authenticator = 0x
        State = 0x06bc31779a10f85cd934953e650bc051
Finished request 55
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 52 ID 63 with timestamp 46f01fd7
Cleaning up request 53 ID 64 with timestamp 46f01fd7
Cleaning up request 54 ID 65 with timestamp 46f01fd7
Cleaning up request 55 ID 66 with timestamp 46f01fd7

*** And this is the eap.conf: ***

eap {
        default_eap_type = mschapv2
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        tls {
                private_key_password = ""
                private_key_file = /etc/pki/tls/certs/radius.key
                certificate_file = /etc/pki/tls/certs/radius.crt
                CA_file = /etc/pki/CA/cacert.pem
                dh_file = /etc/raddb/certs/dh
                random_file = /dev/urandom
                include_length = yes
        }
        ttls {
                default_eap_type = md5
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}

Please tell me if something of this file is wrong.

Thanks in advance!!

--
Sergio Belkin
Re: Intel Proset Wireless Client does not process RFC3580 Attributes.
Thank you, That worked perfectly.

FreeRadius users mailing list writes:
>Read instructions in eap.conf. You most likely need to set:
>use_tunneled_reply = yes
>in peap section.
>Ivan Kalik
>Kalik Informatika ISP

Terry Pelley
Network Analyst
Business and Learning Technologies
Ottawa-Carleton District School Board
Radrelay with multiple accounting files, radrelay via NFS
Good morning, freeradius users. I have 2.5 questions.

1. Can radrelay be used with multiple accounting directories? I have multiple (7) directories with files I need to be watching with radrelay. I haven't been able to get radrelay to work properly when I use "-a /accounting-dir/" multiple times at the command line.

1.5: Can one use wildcards for the detailfile? I have two RADIUS servers, and each writes to its own file (detail-radius1, detail-radius2)

2. On linux, radrelay doesn't appear to agree with NFS. I tried to host my detail files via NFS, and radrelay would 'run', but not actively process records. The radrelay debug would tell me it was "processing records", but would never send any packets. Meanwhile, the detail file it was supposed to be watching is ballooning with records.

2.5. Note: We have a solaris server where radrelay runs fine via NFS.

I'm not too big a newbie to freeradius, but I'm trying to avoid running one process per NAS I need to monitor, and have my radius detail files split (some detail files via NFS, other detail files locally on the machine.) I've read man pages and googled, but haven't found answers. I *do* need to store my files via NFS, for accounting reasons, and doing copies to an NFS mount isn't really an option, either.

Any help is welcome.

Adam
Re: Controlling access to my Wireless network.
On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
> Hello all,
> I'm looking for a simple way to protect access to my wireless network. I'm
> seeing a lot of old documentation on how to use EAP-TLS to protect the
> wireless network. I've found lots of old documentation on how to setup WPA
> Enterprise. I would like some updated documentation on how to do this.
>

This is an extremely common setup.

http://wiki.freeradius.org/WPA_HOWTO
Re: Controlling access to my Wireless network.
Phil,
Thanks a million for the reply. You are the first to actually reply with some info for me to look at.

The document you gave is good, except for the client certificate part. I don't want to have to give certificates out to everyone on my wireless network. Is there a way to get around this?

Thanks a million.
Kent

On 9/18/07 4:01 PM, "Phil Mayers" <[EMAIL PROTECTED]> wrote:

> On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
>> Hello all,
>> I'm looking for a simple way to protect access to my wireless network. I'm
>> seeing a lot of old documentation on how to use EAP-TLS to protect the
>> wireless network. I've found lots of old documentation on how to setup WPA
>> Enterprise. I would like some updated documentation on how to do this.
>>
>
> This is an extremely common setup.
>
> http://wiki.freeradius.org/WPA_HOWTO
Re: Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2
On Tue, Sep 18, 2007 at 09:54:33AM +0200, Alan DeKok wrote:
> Scott Lambert wrote:
> > lrad_packet_list_socket_add() is called with a pointer to the radius
> > request packet list structure and the socket file descriptor of the
> > socket which has been created with the call to socket() and bound to an
> > IP and port by bind() during the prior call to lrad_socket(). Is that
> > correct?
>
> Yes. In the jail, it asks to bind to 0.0.0.0, but the socket
> *actually* binds to the jail IP. This is why the "inaddr_any" check
> doesn't match.
>
> > So, should we be looking for != in the above if() from
> > lrad_packet_list_socket_add()?
>
> ... no. The issue is that when udpfromto is used, we have:
>
> a) socket binds to 0.0.0.0 (really, outside of the jail)
> b) the server doesn't know which IP is used to send a packet
> c) the server DOES know which IP the response is sent to
>
> Since the "received" IP doesn't match the "source" IP, there's a
> little bit of tweaking that has to be done to match the response to an
> outstanding request. That's what that check is for.

I am sorry for being so dense. I think I can see that I was wrong before.

However, what I see, through experimentation and lots of printfs, is that sockfd is bind()ing with a specified IP of 0.0.0.0. bind() takes care of fixing that up for processes in the jail, and when bind returns, the socket is *actually* bound to the jail's IP address. Without the jail the socket would have remained bound to 0.0.0.0.

Then lrad_packet_list_socket_add() determines what IP we bound to from the *actual* information in the sockaddr_in structure to which sockfd points. That is the &ps->ipaddr.ipaddr.ip4addr.s_addr inside lrad_packet_list_socket_add(). In the jail that is actually the jail's IP address. That's all well and good.

However, perhaps the problem comes when we get to recv_one_packet() in radclient.c and unconditionally set reply->dst_ipaddr = client_ipaddr, which is apparently due to "udpfromto issues."

        /*
         *      udpfromto issues.  We may have bound to "*",
         *      and we want to find the replies that are sent to
         *      (say) 127.0.0.1.
         */
        reply->dst_ipaddr = client_ipaddr;

Commenting that line out makes my jail work.

On my systems, reply->dst_ipaddr == client_ipaddr except when Packet-Src-IP-Address is NOT specified within the jail.

When Packet-Src-IP-Address is NOT specified within the jail:

    radclient: recv_one_packet: client_ipaddr.ipaddr.ip4addr = 0
    radclient: recv_one_packet: reply->dst_ipaddr.ipaddr.ip4addr = 460364101

By leaving reply->dst_ipaddr alone, lrad_packet_list_find_byreply is able to match the ps->ipaddr with the reply->dst_ipaddr even though ps->inaddr_any = 0.

I don't know the circumstances in which reply->dst_ipaddr != client_ipaddr in such a way that it would be necessary to force them ==. Are those circumstances mutually exclusive of the jail circumstances? Could this be the correct location for a fix?

--
Scott Lambert                    KC5MLE                       Unix SysAdmin
[EMAIL PROTECTED]
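To make the matching failure Scott describes concrete, the following is an added illustration in C; it is not code from FreeRADIUS or from this thread, and the structure names, helper names and the 192.0.2.10 address are constructed for the example. It models a socket-list entry as the two facts the thread discusses (the address bind() actually left the socket on, and whether that address is the wildcard), performs a real bind()/getsockname() probe so you can see what the kernel reports for a socket that asked for 0.0.0.0, and then runs the reply lookup with and without the unconditional dst_ipaddr overwrite quoted above.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-in for the per-socket entry the thread talks about:
 * the address bind() really left the socket on, plus a flag recording
 * whether that address is the wildcard 0.0.0.0. */
struct sock_entry {
    int sockfd;
    uint32_t ipaddr;     /* s_addr, network byte order */
    int inaddr_any;      /* 1 if ipaddr is INADDR_ANY */
};

/* Constructed stand-in for the reply fields used in the lookup. */
struct reply {
    int sockfd;
    uint32_t dst_ipaddr; /* address the reply was actually sent to */
};

/* Find the socket a reply belongs to: a wildcard socket accepts any
 * destination, a socket bound to a specific address must match exactly. */
int find_by_reply(const struct sock_entry *list, int n, const struct reply *r)
{
    for (int i = 0; i < n; i++) {
        if (list[i].sockfd != r->sockfd) continue;
        if (list[i].inaddr_any || list[i].ipaddr == r->dst_ipaddr)
            return i;
    }
    return -1;
}

/* Model of the radclient step quoted above: the reply's destination is
 * replaced by the client address that was *requested* (0 when no
 * Packet-Src-IP-Address was given). */
void force_dst_to_client(struct reply *r, uint32_t client_ipaddr)
{
    r->dst_ipaddr = client_ipaddr;
}

/* Real probe: bind a UDP socket to 0.0.0.0 port 0 and ask the kernel which
 * address it actually landed on. Outside a jail this stays 0.0.0.0; inside
 * a FreeBSD jail the thread reports it becomes the jail IP. Returns -1 if
 * sockets are unavailable in this environment. */
int64_t probe_bound_addr(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
    close(fd);
    return (int64_t)sa.sin_addr.s_addr;
}

/* Run the lookup for one scenario. socket_is_wildcard=1 models a host where
 * the socket really stayed on 0.0.0.0; socket_is_wildcard=0 models the jail,
 * where bind() moved it to the jail IP and inaddr_any is therefore 0.
 * overwrite_dst=1 applies the unconditional overwrite. Returns 1 if found. */
int lookup_succeeds(int socket_is_wildcard, int overwrite_dst)
{
    uint32_t jail_ip = inet_addr("192.0.2.10");          /* constructed */
    uint32_t client_ipaddr = htonl(INADDR_ANY);           /* nothing requested */
    struct sock_entry e = { 3, socket_is_wildcard ? client_ipaddr : jail_ip,
                            socket_is_wildcard };
    struct reply r = { 3, jail_ip };                      /* reply really went to jail IP */
    if (overwrite_dst) force_dst_to_client(&r, client_ipaddr);
    return find_by_reply(&e, 1, &r) >= 0;
}

int main(void)
{
    int64_t a = probe_bound_addr();
    if (a >= 0) {
        struct in_addr in = { .s_addr = (uint32_t)a };
        printf("socket asked for 0.0.0.0, kernel reports %s\n", inet_ntoa(in));
    }
    printf("host, overwrite: %d  host, keep: %d\n",
           lookup_succeeds(1, 1), lookup_succeeds(1, 0));
    printf("jail, overwrite: %d  jail, keep: %d\n",
           lookup_succeeds(0, 1), lookup_succeeds(0, 0));
    return 0;
}
```

Outside a jail the probe prints 0.0.0.0 and the overwrite is harmless because the entry is flagged as wildcard; when the socket ended up on a specific address with the wildcard flag clear, only the lookup that keeps the reply's real destination succeeds, which is the behaviour Scott observed. Whether the overwrite is the right place to change is the open question in the thread; the example only reproduces the two outcomes.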
Re: Controlling access to my Wireless network.
If you have XP clients your best option is PEAP. Read instructions in eap.conf about setting it up. But that will work only if your passwords are stored in plain text or NT hash (not much to do with EAP but MSCHAPv2 used as tunnel authentication protocol). If your passwords are encrypted in some other way you can use SecureW2 supplicant and TTLS-PAP.

Ivan Kalik
Kalik Informatika ISP

On 18/9/2007, "Kent Thomas" <[EMAIL PROTECTED]> writes:

>Phil,
>Thanks a million for the reply. You are the first to actually reply with
>some info for me to look at.
>
>The document you gave is good, except for the client certificate part. I
>don't want to have to give certificates out to everyone on my wireless
>network. Is there a way to get around this?
>
>Thanks a million.
>Kent
>
>
>On 9/18/07 4:01 PM, "Phil Mayers" <[EMAIL PROTECTED]> wrote:
>
>> On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
>>> Hello all,
>>> I'm looking for a simple way to protect access to my wireless network. I'm
>>> seeing a lot of old documentation on how to use EAP-TLS to protect the
>>> wireless network. I've found lots of old documentation on how to setup WPA
>>> Enterprise. I would like some updated documentation on how to do this.
>>>
>>
>> This is an extremely common setup.
>>
>> http://wiki.freeradius.org/WPA_HOWTO
Re: Controlling access to my Wireless network.
Ivan,
Thanks a million. I've been looking at using peap. I have a mixed network, mac & xp. I wouldn't mind using plain text passwords if that could be forced. The only configurations that get close to working get as far as mschapv2, then fail because of no nt/lm password. If I could use the password from my ldap connection which seems to be working nicely, then I would be thrilled. Could you give me the eap.conf that would do that?

Thanks a million
Kent

On 9/18/07 4:27 PM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:

> If you have XP clients your best option is PEAP. Read instructions in
> eap.conf about setting it up. But that will work only if your passwords
> are stored in plain text or NT hash (not much to do with EAP but
> MSCHAPv2 used as tunnel authentication protocol). If your passwords are
> encrypted in some other way you can use SecureW2 supplicant and TTLS-PAP.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 18/9/2007, "Kent Thomas" <[EMAIL PROTECTED]> writes:
>
>> Phil,
>> Thanks a million for the reply. You are the first to actually reply with
>> some info for me to look at.
>>
>> The document you gave is good, except for the client certificate part. I
>> don't want to have to give certificates out to everyone on my wireless
>> network. Is there a way to get around this?
>>
>> Thanks a million.
>> Kent
>>
>>
>> On 9/18/07 4:01 PM, "Phil Mayers" <[EMAIL PROTECTED]> wrote:
>>
>>> On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
>>>> Hello all,
>>>> I'm looking for a simple way to protect access to my wireless network. I'm
>>>> seeing a lot of old documentation on how to use EAP-TLS to protect the
>>>> wireless network. I've found lots of old documentation on how to setup WPA
>>>> Enterprise. I would like some updated documentation on how to do this.
>>>
>>> This is an extremely common setup.
>>>
>>> http://wiki.freeradius.org/WPA_HOWTO
Re: Controlling access to my Wireless network.
If you are in control of the LDAP server then you can enforce whatever password scheme you see fit. If you map the Cleartext-Password attribute to plain text passwords in LDAP everything will work fine. But if you are using crypt, sha or such on your passwords, mschap will never work.

Your eap.conf is likely to be OK if you are getting that far. Mschapv2 is failing because passwords in LDAP are encrypted or mapped to some other password attribute (most often User-Password). But you will need to post the whole eap conversation in order to be sure.

Ivan Kalik
Kalik Informatika ISP

On 18/9/2007, "Kent Thomas" <[EMAIL PROTECTED]> writes:

>Ivan,
>Thanks a million. I've been looking at using peap. I have a mixed
>network, mac & xp. I wouldn't mind using plain text passwords if that could
>be forced. The only configurations that get close to working get as far as
>mschapv2, then fail because of no nt/lm password. If I could use the
>password from my ldap connection which seems to be working nicely, then I
>would be thrilled. Could you give me the eap.conf that would do that?
>Thanks a million
>Kent
>
>
>On 9/18/07 4:27 PM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
>
>> If you have XP clients your best option is PEAP. Read instructions in
>> eap.conf about setting it up. But that will work only if your passwords
>> are stored in plain text or NT hash (not much to do with EAP but
>> MSCHAPv2 used as tunnel authentication protocol). If your passwords are
>> encrypted in some other way you can use SecureW2 supplicant and TTLS-PAP.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 18/9/2007, "Kent Thomas" <[EMAIL PROTECTED]> writes:
>>
>>> Phil,
>>> Thanks a million for the reply. You are the first to actually reply with
>>> some info for me to look at.
>>>
>>> The document you gave is good, except for the client certificate part. I
>>> don't want to have to give certificates out to everyone on my wireless
>>> network. Is there a way to get around this?
>>>
>>> Thanks a million.
>>> Kent
>>>
>>>
>>> On 9/18/07 4:01 PM, "Phil Mayers" <[EMAIL PROTECTED]> wrote:
>>>
>>>> On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
>>>>> Hello all,
>>>>> I'm looking for a simple way to protect access to my wireless network.
>>>>> I'm seeing a lot of old documentation on how to use EAP-TLS to protect the
>>>>> wireless network. I've found lots of old documentation on how to setup
>>>>> WPA Enterprise. I would like some updated documentation on how to do this.
>>>>
>>>> This is an extremely common setup.
>>>>
>>>> http://wiki.freeradius.org/WPA_HOWTO
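Ivan's point in these two messages (PEAP works only with cleartext or NT-hash password storage, and crypt or SHA digests in LDAP will never work with MS-CHAPv2) comes down to what the server has to compute. The following is an added example in C, not code from FreeRADIUS or from this thread: it derives the NT hash, MD4 over the UTF-16LE encoding of the password, which is the value MS-CHAPv2 verification starts from. The server can obtain that value from a Cleartext-Password or from a stored NT hash, but a crypt or SHA digest cannot be turned into it. The MD4 routine is a plain RFC 1320 implementation; the ASCII-only assumption and the 128-character limit are choices made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MD4 compression function (RFC 1320) over one 64-byte block. */
static void md4_block(uint32_t st[4], const uint8_t blk[64])
{
#define ROTL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
#define F(x, y, z) (((x) & (y)) | (~(x) & (z)))
#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
#define H(x, y, z) ((x) ^ (y) ^ (z))
    static const int s1[4] = {3, 7, 11, 19}, s2[4] = {3, 5, 9, 13}, s3[4] = {3, 9, 11, 15};
    static const int o2[16] = {0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15};
    static const int o3[16] = {0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15};
    uint32_t X[16], v[4] = {st[0], st[1], st[2], st[3]};

    /* Message words are little-endian. */
    for (int i = 0; i < 16; i++)
        X[i] = (uint32_t)blk[4*i] | (uint32_t)blk[4*i+1] << 8 |
               (uint32_t)blk[4*i+2] << 16 | (uint32_t)blk[4*i+3] << 24;

    /* 48 steps; the roles a,b,c,d rotate one position every step. */
    for (int i = 0; i < 48; i++) {
        int a = (4 - (i & 3)) & 3, b = (a + 1) & 3, c = (a + 2) & 3, d = (a + 3) & 3;
        uint32_t t;
        int s;
        if (i < 16)      { t = v[a] + F(v[b], v[c], v[d]) + X[i];                     s = s1[i & 3]; }
        else if (i < 32) { t = v[a] + G(v[b], v[c], v[d]) + X[o2[i-16]] + 0x5A827999u; s = s2[i & 3]; }
        else             { t = v[a] + H(v[b], v[c], v[d]) + X[o3[i-32]] + 0x6ED9EBA1u; s = s3[i & 3]; }
        v[a] = ROTL(t, s);
    }
    for (int i = 0; i < 4; i++) st[i] += v[i];
}

/* Full MD4: process whole blocks, then pad (0x80, zeros, 64-bit LE bit length). */
static void md4(const uint8_t *msg, size_t len, uint8_t out[16])
{
    uint32_t st[4] = {0x67452301u, 0xefcdab89u, 0x98badcfeu, 0x10325476u};
    size_t done = 0;
    for (; done + 64 <= len; done += 64) md4_block(st, msg + done);

    uint8_t buf[128] = {0};
    size_t rem = len - done;
    memcpy(buf, msg + done, rem);
    buf[rem] = 0x80;
    size_t total = rem < 56 ? 64 : 128;      /* need 8 bytes for the length */
    uint64_t bits = (uint64_t)len * 8;
    for (int k = 0; k < 8; k++) buf[total - 8 + k] = (uint8_t)(bits >> (8 * k));
    md4_block(st, buf);
    if (total == 128) md4_block(st, buf + 64);

    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++) out[4*i + j] = (uint8_t)(st[i] >> (8 * j));
}

/* NT hash = MD4(UTF-16LE(password)), written as 32 lowercase hex chars.
 * Assumes an ASCII password (each byte becomes one 16-bit LE code unit);
 * the 128-character cap is a limit constructed for this example. */
int nt_hash_hex(const char *password, char out[33])
{
    size_t n = strlen(password);
    if (n > 128) return -1;
    uint8_t utf16[256];
    for (size_t i = 0; i < n; i++) { utf16[2*i] = (uint8_t)password[i]; utf16[2*i+1] = 0; }
    uint8_t digest[16];
    md4(utf16, 2 * n, digest);
    for (int i = 0; i < 16; i++) sprintf(out + 2*i, "%02x", digest[i]);
    out[32] = '\0';
    return 0;
}

int main(void)
{
    char hex[33];
    if (nt_hash_hex("password", hex) == 0)
        printf("NT hash of \"password\": %s\n", hex);
    return 0;
}
```

For the input "password" this yields 8846f7eaee8fb117ad06bdd830b7586c, the well-known NT hash of that string. Because the NT hash is unsalted and cheap to compute, a directory that stores it needs the same access controls as one that stores cleartext; the gain over cleartext is small, which is why Ivan's answer treats the two storage forms as equivalent for PEAP purposes.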
Re: Solved: Gigawords
Guilherme

Thanks. I have committed a patch. Sorry about that. This is one of the reasons why I normally don't keep the different sql dialect files in sync without significant testing.. There are just too many differences. Unfortunately this causes them to gradually get out of sync over time.

If you see any other issues, please let me know and I will fix them

Regards

Peter

On Tue 18 Sep 2007, Guilherme Franco wrote:
> Hello,
>
> Just to note that oraclesql.conf (in 1.1.7) is wrong about the gigawords.
> The syntax for using bitwise operators is different in oracle and for such
> needs, you must use the BITAND function and its variants.
>
> But instead of doing bit shifts, I did this to solve it:
>
> AcctInputOctets = '%{Acct-Input-Octets}' + ('%{Acct-Input-Gigawords}' *
> 4294967296), AcctOutputOctets = '%{Acct-Output-Octets}' +
> ('%{Acct-Output-Gigawords}' * 4294967296)
>
> Guilherme Franco
>
> On 9/14/07, Guilherme Franco <[EMAIL PROTECTED]> wrote:
> > Hi Mr. DeKok,
> >
> > Ok, I've just asked it because of:
> > http://wiki.freeradius.org/index.php/FAQ#Why_do_Acct-Input-Octets_and_Ac
> >ct-Output-Octets_wrap_at_4_GB.3F (which says that it should work in older
> > versions)
> >
> > Also, the rlm_sql_log module version is the same in 1.1.7 as in 1.1.4 (v
> > 1.3.2.2 2005/12/12).
> >
> > Thank you.
> >
> > Guilherme Franco
> >
> > On 9/14/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > > Guilherme Franco wrote:
> > > > Hello,
> > > >
> > > > I'm using rlm_sql_log in freeradius 1.1.4.
> > > >
> > > > In order to correctly work with acct-input/ output gigawords,
> > >
> > > Upgrade to 1.1.7.
> > >
> > > Alan DeKok.

--
Peter Nixon
http://peternixon.net/
Re: Limit users traffic quota via radius
You need SNMP to disconnect the link, not Radius. The only other way I can think of is, if you can use an external program/script to check the quota from your accounting records, then if that quota is reached, the program sends SNMP to disconnect the user.

On 18/09/2007, at 6:34 PM, Massimiliano Macrì wrote:

> I'm trying to close the connection of a pre-paid mobile user, after he reached a limited amount of traffic (ie. 100 megabytes); the network device is a Cisco router. I've found many ways to rate-limit the traffic bandwidth but not one to do this. Is radius the correct way to achieve this goal? Is it all about VSA?
Denying user from authentication
Hi

Thank you for the response. But as per the users file configuration it should deny the user if I include that user name with Reject in the users file. Do I need to do any config for this to work?

Regards
Anoop

> Message: 3
> Date: Tue, 18 Sep 2007 11:30:53 +0100
> From: <[EMAIL PROTECTED]>
> Subject: Re: Denying user from authentication
> To: "FreeRadius users mailing list"
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-2
>
> Revoke the certificate.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 18/9/2007, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> writes:
>
> >Hi
> >
> > I am using EAP_TLS authentication with free radius 1.1.7. The
> > authentication is a certificate based one.
> >
> > I want to reject one user. I have done config in users file
> >
> > anoop07    Auth-Type := Reject
> >            Reply-Message = "Your account has been disabled."
> >
> > Still the user authenticates. How can I prevent user like this?
> >
> > Regards
> > Anoop
>
> --
>
> Message: 4
> Date: Tue, 18 Sep 2007 14:12:50 +0200
> From: inverse <[EMAIL PROTECTED]>
> Subject: Re: Denying user from authentication
> To: "FreeRadius users mailing list"
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> and make sure to use check_crl = yes in eap.conf
>
> On 9/18/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Revoke the certificate.
>
> --
Re: Freeradius +MS Win XP (EAP) problems
Sergio Belkin wrote:
> I want to configure freeradius (Linux) in order to authenticate and
> authorize MS Windows XP clients (people connect to Access Point
> Linksys). I am using EAP-PEAP and MSCHAP from Windows. If I perform
> radtest from linux clients (using wired network) I have no problem to
> access, but I cannot from Windows XP, this is the messages when I run
> using radiusd -X:
...
> Sending Access-Challenge of id 66 to 10.30.1.151:1032
>       EAP-Message = 0x010500061900
>       Message-Authenticator = 0x
>       State = 0x06bc31779a10f85cd934953e650bc051
> Finished request 55
> Going to the next request
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 52 ID 63 with timestamp 46f01fd7

This is in the FAQ and comments in the "eap.conf" distributed with 1.1.7. Please read the existing documentation.

Alan DeKok.
Re: Radrelay with multiple accounting files, radrelay via NFS
Adam Bultman wrote:
> Good morning, freeradius users. I have 2.5 questions.
>
> 1. Can radrelay be used with multiple accounting directories? I have
> multiple (7) directories with files I need to be watching with
> radrelay. I haven't been able to get radrelay to work properly when I
> use "-a /accounting-dir/" multiple times at the command line.

It doesn't work with multiple files. Perhaps in 2.x this will be easier to do.

> 1.5: Can one use wildcards for the detailfile? I have two RADIUS
> servers, and each writes to its own file (detail-radius1, detail-radius2)

You cannot use wildcards. radrelay reads one file, and one file only.

> 2. On linux, radrelay doesn't appear to agree with NFS. I tried to
> host my detail files via NFS, and radrelay would 'run', but not actively
> process records. The radrelay debug would tell me it was "processing
> records", but would never send any packets. Meanwhile, the detail file
> it was supposed to be watching is ballooning with records.

Linux doesn't do NFS properly.

> 2.5. Note: We have a solaris server where radrelay runs fine via NFS.

Sun wrote NFS. The Linux people disagree with how it's supposed to work.

> I'm not too big a newbie to freeradius, but I'm trying to avoid running
> one process per NAS I need to monitor, and have my radius detail files
> split (some detail files via NFS, other detail files locally on the
> machine.) I've read man pages and googled, but haven't found answers.
> I *do* need to store my files via NFS, for accounting reasons, and doing
> copies to an NFS mount isn't really an option, either.

Storing log files to NFS is a terribly bad idea. If the NFS mounts go away, then your RADIUS server will block. It may not come back, either.

Use radrelay to copy accounting records from local disk on one machine to another machine.

Alan DeKok.
Proxy server config with PAP or CHAP
Dear All,

I am trying to configure the following.

User -> Access Point -> Free Radius Server (acting as proxy server) -> Radius Server

Now the above configuration works when I have PAP as authentication method.

Now I need to have EAP MD5 auth between user and free radius server and PAP or CHAP between free radius server and Radius server.

Please let me know what I need to configure. Please reply soon as it is urgent... thanks for the help in advance.

Regards,
Amit Jain