about FreeRADIUS password encrypt
Hello, I will appreciate it very much, if you do me a favour. My customer asks us to store the encrypted password into the FreeRADIUS (DB has Configured Mysql). The password I have passed to FreeRADIUS is clear text. Can the FreeRadius be configured like that? Pls give me some advice.

Rock

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: about FreeRADIUS password encrypt
That depends on the authentication protocol you are using. If you are using PAP there is no problem. Just replace Cleartext-Password with the encrypted one and the appropriate attribute (Crypt-Password for crypt() etc.). If you are using something like MSCHAP, then your options are much more limited. You can only use NT-Password. Have a look at the protocol/encryption table: http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP

On 22/9/2007, yangcuilin [EMAIL PROTECTED] wrote:
> Hello, I will appreciate it very much, if you do me a favour. My customer asks us to store the encrypted password into the FreeRADIUS (DB has Configured Mysql). The password I have passed to FreeRADIUS is clear text. Can the FreeRadius be configured like that? Pls give me some advice.
>
> Rock
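Why the protocol decides which stored form is usable, as an added example that is not part of the original thread: with PAP the server receives the password and can re-hash it against a one-way value, while a challenge-response exchange needs the stored value itself as the shared secret. The sketch uses plain CHAP (RFC 1994) as a stand-in for MSCHAP and a salted SHA-1 value in the LDAP {SSHA} layout as a stand-in for crypt(); the password, salt and challenge are constructed.

```python
import base64
import hashlib
import hmac

def ssha(password: bytes, salt: bytes) -> str:
    """One-way stored form: {SSHA} + base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def pap_check(stored: str, submitted: bytes) -> bool:
    """PAP delivers the password itself, so the server can re-hash and compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(submitted + salt).digest())

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_check(server_secret: bytes, ident: int, challenge: bytes, response: bytes) -> bool:
    """The server repeats the client's computation, so it needs the same secret."""
    return hmac.compare_digest(chap_response(ident, server_secret, challenge), response)

# Constructed sample values, not taken from the thread.
PASSWORD = b"example-password"
SALT = bytes.fromhex("0011223344556677")
STORED = ssha(PASSWORD, SALT)

def demo() -> dict:
    ident, challenge = 7, bytes(range(16))
    response = chap_response(ident, PASSWORD, challenge)  # what the client sends
    return {
        "pap_correct_password": pap_check(STORED, PASSWORD),
        "pap_wrong_password": pap_check(STORED, b"wrong"),
        "chap_server_has_cleartext": chap_check(PASSWORD, ident, challenge, response),
        "chap_server_has_only_hash": chap_check(STORED.encode(), ident, challenge, response),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last case fails even though the client used the right password, which is why a one-way stored value only works when the protocol hands the server the password itself.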
Configuration for Cisco DSL Users
I'm new both to freeradius and the *nix operating system. I have successfully implemented freeradius for users dialing in through Portmaster3 Access Servers using FreeRadius 1.0.1-1 on Fedora. I am currently authenticating DSL users locally on a Cisco 7206VXR Router. I would like to authenticate the DSL users on the FreeRadius Server, but attempts have been unsuccessful. The Accounting works. Even now with DSL Users set to Auth locally on the Router, Radius is faithfully logging the activity. With Radius Auth, the DSL modem will not connect and I get no entry in the Radius accounting log. AAA Debug is virtually Identical to the Local Auth output! The only difference was the line Method=local changed to Method=Radius. Both log entry sets have Status = PASS and both show the virtual-access change to up! So now I'm thinking the AAA/Radius is working but I have a communications issue. When a DSL user authenticates locally, he then gets an IP address from the local pool on the Cisco. When the same DSL User authenticates on Radius, all communication seems to stop. Here are the relevant config sections from the Cisco. 
    aaa new-model
    aaa authentication login default line [*currently set to local]
    aaa authentication ppp default group radius local [see*above]
    aaa authorization network default group radius local
    aaa accounting delay-start
    aaa accounting network default start-stop group radius

    interface Loopback1
     description DSL
     ip address 206.206.89.1 255.255.255.0 secondary
     ip address 206.206.88.161 255.255.255.240 secondary
     ip address 206.206.86.1 255.255.255.0

    interface Virtual-Template2
     description DFN NEW Template
     ip unnumbered Loopback1
     ip mroute-cache
     peer default ip address pool OsoGranDSL OsoGranDsl2
     ppp authentication pap

    radius-server host [omitted] auth-port 1645 acct-port 1646
    radius-server host [omitted] auth-port 1645 acct-port 1646
    radius-server key [omitted]

Here's an example entry from my users file:

    username  Auth-Type := Local, User-Password == omitted
              User-Service-Type = Framed-User,
              Framed-Protocol = PPP,
              Framed-Address = 255.255.255.254,
              Framed-Netmask = 255.255.255.255,
              Framed-Routing = Broadcast-Listen,
              Framed-Filter-Id = std.ppp,
              Framed-MTU = 1500,
              Framed-Compression = Van-Jacobsen-TCP-IP

I think I'm close, and I have a hunch the users file settings that work for PortMasters may not be good for Cisco. Any suggestions or sample configs would be appreciated.

Bill Green
Dfn Systems
Re: Configuration for Cisco DSL Users
You will need to do debug ppp negotiation to see whether IP address allocation is the problem. If it is, you can always use Freeradius ippool (or sqlippool in latest versions) to allocate IPs.

Ivan Kalik
Kalik Informatika ISP

On 22/9/2007, DFN Systems Office [EMAIL PROTECTED] wrote:
> I'm new both to freeradius and the *nix operating system. I have successfully implemented freeradius for users dialing in through Portmaster3 Access Servers using FreeRadius 1.0.1-1 on Fedora. I am currently authenticating DSL users locally on a Cisco 7206VXR Router. I would like to authenticate the DSL users on the FreeRadius Server, but attempts have been unsuccessful. The Accounting works. Even now with DSL Users set to Auth locally on the Router, Radius is faithfully logging the activity. With Radius Auth, the DSL modem will not connect and I get no entry in the Radius accounting log. AAA Debug is virtually Identical to the Local Auth output! The only difference was the line Method=local changed to Method=Radius. Both log entry sets have Status = PASS and both show the virtual-access change to up! So now I'm thinking the AAA/Radius is working but I have a communications issue. When a DSL user authenticates locally, he then gets an IP address from the local pool on the Cisco. When the same DSL User authenticates on Radius, all communication seems to stop. Here are the relevant config sections from the Cisco.
>
>     aaa new-model
>     aaa authentication login default line [*currently set to local]
>     aaa authentication ppp default group radius local [see*above]
>     aaa authorization network default group radius local
>     aaa accounting delay-start
>     aaa accounting network default start-stop group radius
>
>     interface Loopback1
>      description DSL
>      ip address 206.206.89.1 255.255.255.0 secondary
>      ip address 206.206.88.161 255.255.255.240 secondary
>      ip address 206.206.86.1 255.255.255.0
>
>     interface Virtual-Template2
>      description DFN NEW Template
>      ip unnumbered Loopback1
>      ip mroute-cache
>      peer default ip address pool OsoGranDSL OsoGranDsl2
>      ppp authentication pap
>
>     radius-server host [omitted] auth-port 1645 acct-port 1646
>     radius-server host [omitted] auth-port 1645 acct-port 1646
>     radius-server key [omitted]
>
> Here's an example entry from my users file:
>
>     username  Auth-Type := Local, User-Password == omitted
>               User-Service-Type = Framed-User,
>               Framed-Protocol = PPP,
>               Framed-Address = 255.255.255.254,
>               Framed-Netmask = 255.255.255.255,
>               Framed-Routing = Broadcast-Listen,
>               Framed-Filter-Id = std.ppp,
>               Framed-MTU = 1500,
>               Framed-Compression = Van-Jacobsen-TCP-IP
>
> I think I'm close, and I have a hunch the users file settings that work for PortMasters may not be good for Cisco. Any suggestions or sample configs would be appreciated.
>
> Bill Green
> Dfn Systems
Re: Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2
On Sat, Sep 22, 2007 at 04:59:25AM +0200, Alan DeKok wrote:
> Scott Lambert wrote:
> > I've been expecting that there would be a similar chunk of code in the server that I could go find if you thought I was on the right track.
>
> Unfortunately, there isn't.

Okay, I'm not going crazy then...

> > I've been using radclient to debug because you indicated that it used the same library for matching up packets. If the above is legitimately the bug I was looking for, I'll have to solve the proxy issue separately, but with a better idea of what I am looking for.
>
> Or, simply tell the server to listen on the jail IP address. That will solve the problem, without code changes.

Yeah, I'm running with that workaround. I was just hoping I wouldn't have to maintain config differences between the multiple server instances. But it's definitely acceptable.

> One patch which *would* help is the ability to set the source IP address for proxying. It's likely not difficult to do, but the code hasn't been written yet.

I'm speaking from ignorance here. Could the server do the bind calls for the listen sockets and check to see if the bound IP is the same as the one specified in the bind call and if not, update the server to use the bound IP rather than the configured IP, at least in the case of listen { ipaddr = * }?

pseudo code:

    server_addr = read_from_config_file;
    bind (sockfd, {listensocketinfo} );
    /* wildcard configured, but the socket ended up bound to a specific address */
    if ( server_addr == INADDR_ANY && sockfd->ipaddr != server_addr ) {
        server_addr = sockfd->ipaddr;
    }

At that point, would the existing code work alright for this weird and wonderful jail environment without breaking other environments? I suspect it might not be workable due to the udpfromto stuff.

I think this is the last message I will bother you with on this topic. My problem is resolved by specifying the IP address in the config file and doing anything more generic is probably beyond my skills at this point.

Thank you for your time and patience.

--
Scott Lambert    KC5MLE    Unix SysAdmin
[EMAIL PROTECTED]