FreeRadius and LDAP/AD username/password check

2008-02-18 Thread Mats Blomgren B
Hi,

Today I check the "etc/passwd" for the usernames and passwords and fetch the
user's default group from "etc/passwd".
In the "users" file I have the rights for each group.

My current config:
OS: Solaris 10
FreeRadius: 1.1.7
Mysql: 5.0.51 - For logging and NAS clients
OS packages installed: db-4.2.52.NC-sol9-sparc-local
OS packages installed: freeradius-1.1.7-sol10-sparc-local
OS packages installed: gcc-3.4.6-sol10-sparc-local
OS packages installed: gdbm-1.8.3-sol9-sparc-local
OS packages installed: libiconv-1.11-sol10-sparc-local
OS packages installed: libtool-1.5.24-sol10-sparc-local
OS packages installed: make-3.81-sol10-sparc-local
OS packages installed: mysql-5.0.51-sol10-sparc-local
OS packages installed: ncurses-5.6-sol10-sparc-local
OS packages installed: netsnmp-5.4.1-sol10-sparc-local
OS packages installed: openldap-2.3.35-sol10-sparc-local
OS packages installed: openssl-0.9.8f-sol10-sparc-local
OS packages installed: perl-5.8.8-sol10-sparc-local
OS packages installed: sasl-2.1.21-sol10-sparc-local
OS packages installed: zlib-1.2.3-sol10-sparc-local
OS packages installed: Freeradius: 1.1.7

#etc/passwd
testuser:x:103:500:Test User:/home/testuser:/bin/bash

#etc/group
admin-network::500:
user-network::600:

#/usr/local/etc/raddb/users
DEFAULT Group == "admin-network", Auth-Type = System
        Service-Type = Administrative-User,
        Fall-Through = No

#/usr/local/etc/raddb/huntgroups
defaultgroup    NAS-IP-Address == 192.168.1.20
                Group = admin-network,
                Group = user-network


Today the user "testuser" would get Administrative rights on the nas with 
IP=192.168.1.20 since he is a member of the group "admin-network".

I have been browsing the mailing list, wiki and google trying to find out if 
anyone has done the following:
1. I want to check the username/password against LDAP/AD instead of directly 
towards "etc/passwd".
2. After that I would like to continue by fetching the user's default group 
from the Solaris 10 system (/etc/passwd) to give it rights depending on which 
group the user belongs to.
3. I know that this means I still have to have the username in the 
"/etc/passwd" but this will keep the users from having different logins in our 
infrastructure.

Best regards

Mats Blomgren B - IP Engineer

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

vocera(with Peap)+AP+freeRADIUS

2008-02-18 Thread Hangjun He
Hi,
I am using freeRADIUS 1.1.7. A notebook with the Odyssey client (PEAP
MSCHAPv2) can talk to freeRADIUS well. But when I use the Vocera client, which
supports PEAP + MSCHAPv2, it does not work.

Debug message (see more debug messages in the attachment):
...
  rad_recv: Access-Request packet from host 10.50.1.38:1034, id=55, length=233
User-Name = "lwang"
NAS-IP-Address = 10.50.1.38
NAS-Identifier = "QA-AP1-21f0"
NAS-Port = 0
Called-Station-Id = "00-19-77-00-21-F5:vocera_test"
Calling-Station-Id = "00-16-41-F7-F7-75"
Framed-MTU = 1500
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 
0x020a00391980002f14030100010116030100248393f1d6391a86ab0605df998e0336f7c651a560328bf621b1ddebbfad332d8ea8796c49
State = 0xfd6f3b2761e20233acdc5d29ec63d11f
Message-Authenticator = 0xc4ee170f5d47ee55bead80b4a36580cb
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 40
  modcall[authorize]: module "preprocess" returns ok for request 40
radius_xlat:  '/usr/local/var/log/radius/radacct/auth-detail-20080212'
rlm_detail: /usr/local/var/log/radius/radacct/auth-detail-%Y%m%d expands to 
/usr/local/var/log/radius/radacct/auth-detail-20080212
  modcall[authorize]: module "auth_log" returns ok for request 40
  modcall[authorize]: module "chap" returns noop for request 40
  modcall[authorize]: module "mschap" returns noop for request 40
rlm_realm: No '@' in User-Name = "lwang", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 40
rlm_realm: No '\' in User-Name = "lwang", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 40
  rlm_eap: EAP packet type response id 10 length 57
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 40
users: Matched entry lwang at line 95
  modcall[authorize]: module "files" returns ok for request 40
modcall: leaving group authorize (returns updated) for request 40
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 40
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]  
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished  
TLS_accept: SSLv3 read finished A 
(other): SSL negotiation finished successfully 
SSL Connection Established 
  eaptls_process returned 13 
  rlm_eap_peap: EAPTLS_HANDLED
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 40
modcall: leaving group authenticate (returns reject) for request 40
auth: Failed to validate the user.
Delaying request 40 for 1 seconds
Finished request 40
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.50.1.38:1034, id=56, length=156
User-Name = "lwang"
NAS-IP-Address = 10.50.1.38
NAS-Identifier = "QA-AP1-21f0"
NAS-Port = 0
Called-Station-Id = "00-19-77-00-21-F5:vocera_test"
Calling-Station-Id = "00-16-41-F7-F7-75"
Framed-MTU = 1500
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
Message-Authenticator = 0x834864649ecf9fba4cbd71673b5bb042
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 41
  modcall[authorize]: module "preprocess" returns ok for request 41
radius_xlat:  '/usr/local/var/log/radius/radacct/auth-detail-20080212'
rlm_detail: /usr/local/var/log/radius/radacct/auth-detail-%Y%m%d expands to 
/usr/local/var/log/radius/radacct/auth-detail-20080212
  modcall[authorize]: module "auth_log" returns ok for request 41
  modcall[authorize]: module "chap" returns noop for request 41
  modcall[authorize]: module "mschap" returns noop for request 41
rlm_realm: No '@' in User-Name = "lwang", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 41
rlm_realm: No '\' in User-Name = "lwang", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 41
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 41
users: Matched entry lwang at line 95
  modcall[authorize]: module "files" returns ok for request 41
modcall: leaving group authorize (returns ok) for request 41
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.

Re: 2 different authorization?

2008-02-18 Thread Evgeney Bakhtin
Hello,

I just need to configure FreeRadius to manage auth & acct for 2 different users 
too. I have created 2 instances of the sql module in my sql.conf:
sql instance1 {
...
}
sql instance2 {
...
}
But I don't understand how and where I can use these instances. In radiusd.conf 
I have:
[authorize] {
...
instance1
...
}

[accounting] {
...
instance1
...
}
Where do I need to indicate different sql instances for different users?

Regards,
Evgeney Bakhtin.

proxed EAP and eduroam project

2008-02-18 Thread inverse
hi all,

rather than a problem, this is a question.
I assume you know what eduroam is, but just in case:
What is eduroam

eduroam which stands for Education Roaming, is a RADIUS-based
infrastructure that uses 802.1X security technology to allow for
inter-institutional roaming. Substitute institutional with
'university' and you get the picture.
So basically this is a hierarchy of radius servers at european level.

Implementing it from my side (that of a university) has been rather trivial.
What happens is that the EAP conversation travels in cleartext across
the public internet (really the inter-university networks).
I would assume that EAP-TLS is highly safe from this point of view, am I right?


Bye
Inverse


-- 
"In a sea of glass shards, I hear you screaming"
--icchan


Re: proxed EAP and eduroam project

2008-02-18 Thread inverse
On Feb 18, 2008 11:12 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:
>   Yes.


thanks


Re: FR2 - proxying inner tunnel

2008-02-18 Thread Alan DeKok
Dmitry Sergienko wrote:
> Please give me some tips how/where to fix this issue. I'm somewhat lost
> while debugging this EAP stuff with tunnelling and proxying ;)

  It's rather complicated after a while.  I'm not sure how it can be
easily debugged...

  Alan DeKok.


Re: proxed EAP and eduroam project

2008-02-18 Thread Alan DeKok
inverse wrote:
> Implementing it from my side (that of a university) has been rather trivial.
> What happens is that the EAP conversation travels in cleartext across
> the public internet (really the inter-university networks).
> I would assume that EAP-TLS is highly safe from this point of view, am I 
> right?

  Yes.

  Alan DeKok.


Re: eap authentication and cpu utilization

2008-02-18 Thread Alan DeKok
Norbert Wegener wrote:
> Just for information:
> I made some tests on different machines. Around 60% of the theoretical
> maximum was the best value I got.
> The behaviour was heavy influenced by the parameters in the "thread
> pool" section and num_sql_socks, as I have a database backend.

  Yes.  The interaction effects are strong.  If there are fewer SQL
sockets than threads, then the threads will block waiting for an SQL
socket to become ready.  At that point, performance drops significantly.

  I would be curious to know how many PAP authentications/s you can do
with that database back-end.  Knowing the 3 numbers will help scope
interaction effects.

  e.g. OpenSSL says: S rsa/s
  PAP says: P  requests/s
  EAP testing says: E requests/s

  You say E < S, but E << P, too...

  Alan DeKok.


Re: vocera(with Peap)+AP+freeRADIUS

2008-02-18 Thread Alan DeKok
Hangjun He wrote:
> Hi,
>  I am using freeRADIUS 1.1.7.  Notebook with odyssey client (peap
> mschap-v2) can talk to freeRADUS well. But when I use Vocera client,
> which can support peap + mschap-v2, It does not work.  

  Something weird is going on:

> SSL Connection Established
>   eaptls_process returned 13
>   rlm_eap_peap: EAPTLS_HANDLED
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns reject for request 40

  Weird.  I'd suggest trying 2.0.2.

  Alan DeKok.


Re: 1.1.7 and rlm_sql_mysql duplicated query

2008-02-18 Thread Phil Mayers

Santiago Balaguer García wrote:
> The answer is not totally correct. Because a microcuts in the
> connectivity of hotspot cause that hotspot re-sends the acct request.

No, because then the Acct-Session-Id would remain the same.

> In that case, you have to deactivate:
>  - accounting_start_query_alt
>  - accounting_stop_query_alt

No. Re-read the original post. The Acct-Session-Id is different, hence 2
sessions are being inserted into SQL, but no Accounting-Stop ever gets
sent for the 1st.

The NAS is misbehaving.

> Maybe it can cause that some requests do not register, and it is a risk
> that you must accept.


 > Date: Mon, 18 Feb 2008 01:36:54 +
 > From: [EMAIL PROTECTED]
 > To: freeradius-users@lists.freeradius.org
 > Subject: Re: 1.1.7 and rlm_sql_mysql duplicated query
 >
 > > So when the user logs I have two queries inserting similar data 
with different sessions ids:

 > >
 > > 47B7691A2F4300 and 47B7691A2F4301
 > >
 > >
 > > I would really appreciate some guidance from this point on as I'm 
pretty much out of ideas.

 >
 > Your NAS is broken / misbehaving. It sends the Acct-Session-Id and it's
 > sending two. Consult your NAS documentation for possible reasons (e.g.
 > some Cisco NAS send accounting sessions for the PPP LCP and IPCP layers
 > - this can be disabled) or open a bug with the vendor.
 >


one username and 2 NAS

2008-02-18 Thread Enrico Fanti

Hi ,

I have freeradius configured with Mysql.

I would like a user "pippo" to be able to log in via ssh to 2 Linux servers
which use pam_radius in /etc/pam.d/sshd (i.e. 2 NAS, same username).

FreeRADIUS must check whether the NAS-IP-Address is allowed for this user
in the radcheck table.

I use the "==" operator and my radcheck table is:

mysql> SELECT id, UserName, Attribute, Value, op from radcheck WHERE 
Username = 'pippo' order by id;

+----+----------+----------------+---------------+----+
| id | UserName | Attribute      | Value         | op |
+----+----------+----------------+---------------+----+
| 39 | pippo    | NAS-IP-Address | 10.0.0.52     | == |
| 40 | pippo    | NAS-IP-Address | 10.0.0.49     | == |
| 41 | pippo    | Expiration     | 1203325200    | == |
| 42 | pippo    | Crypt-Password | v7fawImvQUoXM | == |
+----+----------+----------------+---------------+----+


It doesn't work..

Some ideas ???

Thank you

Enrico



Re: one username and 2 NAS

2008-02-18 Thread Ivan Kalik
You have asked this once already. It has been answered.

Ivan Kalik
Kalik Informatika ISP


On 18/2/2008, "Enrico Fanti" <[EMAIL PROTECTED]> wrote:

>Hi ,
>
>I have freeradius configured with Mysql.
>
>I would like a user "pippo" to be able to log in via ssh to 2 Linux servers
>which use pam_radius in /etc/pam.d/sshd (i.e. 2 NAS, same username).
>
>FreeRADIUS must check whether the NAS-IP-Address is allowed for this user
>in the radcheck table.
>
>I use the "==" operator and my radcheck table is:
>
>mysql> SELECT id, UserName, Attribute, Value, op from radcheck WHERE
>Username = 'pippo' order by id;
>+----+----------+----------------+---------------+----+
>| id | UserName | Attribute      | Value         | op |
>+----+----------+----------------+---------------+----+
>| 39 | pippo    | NAS-IP-Address | 10.0.0.52     | == |
>| 40 | pippo    | NAS-IP-Address | 10.0.0.49     | == |
>| 41 | pippo    | Expiration     | 1203325200    | == |
>| 42 | pippo    | Crypt-Password | v7fawImvQUoXM | == |
>+----+----------+----------------+---------------+----+
>
>
>It doesn't work..
>
>Some ideas ???
>
>Thank you
>
>Enrico



Re: proxed EAP and eduroam project

2008-02-18 Thread A . L . M . Buxey
Hi,

> rather than a problem, this is a question.
> I assume you know what eduroam is, but just in case:
> What is eduroam

several members of this list are involved in eduroam at sites
worldwide.

> What happens is that the EAP conversation traverls in cleartext across
> the public internet (really the inter-university networks).

cleartext?  not really.  the proxied traffic will be at least
encapsulated via a shared secret between each RADIUS end point.
and the inner method itself is sat in the EAP tunnel. unless
using a very old method like EAP-MD5.  ideally you wouldn't use a PAP
method either - MSCHAPv2 challenge response in PEAP or EAP-TTLS
would give greater security.  however, EAP-TLS is the de facto
top-level way of doing it. platinum service, as it were - but
you've got to have a full PKI infrastructure for creation,
deployment and revocation.

looking to the future, RADSEC will be involved in 'beefing up'
the RADIUS to RADIUS communication channel. as well as the
automatic assignment/discovery of AAA end point systems.

alan


Query regarding Cluster configuration of Radius server

2008-02-18 Thread Kartik CDS
Hello,

I have a cluster setup of radius server.
The cluster has the IP address VIP and the cluster members have IP1
and IP2.

Radius client sends access-request to the ip address VIP
The cluster is responding with IP1 or IP2 instead of VIP as the source
address, should the radius client allow such a response ?

I mean to say whether the radius client should validate the source address
?? [ I couldn't find anything related to this in the RFC, kindly help]

Regards,
Kartik

Re: one username and 2 NAS

2008-02-18 Thread Enrico Fanti

Sorry.

I made a mistake with my Thunderbird button.

I would like to know what the huntgroups concept is in the radius database.
I have this db schema:

mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radippool        |
| radpostauth      |
| radreply         |
| usergroup        |
+------------------+


Thank you

Enrico

Ivan Kalik wrote:
> You have asked this once already. It has been answered.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 18/2/2008, "Enrico Fanti" <[EMAIL PROTECTED]> wrote:
>
>> Hi ,
>>
>> I have freeradius configured with Mysql.
>>
>> I would like a user "pippo" to be able to log in via ssh to 2 Linux servers
>> which use pam_radius in /etc/pam.d/sshd (i.e. 2 NAS, same username).
>>
>> FreeRADIUS must check whether the NAS-IP-Address is allowed for this user
>> in the radcheck table.
>>
>> I use the "==" operator and my radcheck table is:
>>
>> mysql> SELECT id, UserName, Attribute, Value, op from radcheck WHERE
>> Username = 'pippo' order by id;
>> +----+----------+----------------+---------------+----+
>> | id | UserName | Attribute      | Value         | op |
>> +----+----------+----------------+---------------+----+
>> | 39 | pippo    | NAS-IP-Address | 10.0.0.52     | == |
>> | 40 | pippo    | NAS-IP-Address | 10.0.0.49     | == |
>> | 41 | pippo    | Expiration     | 1203325200    | == |
>> | 42 | pippo    | Crypt-Password | v7fawImvQUoXM | == |
>> +----+----------+----------------+---------------+----+
>>
>>
>> It doesn't work..
>>
>> Some ideas ???
>>
>> Thank you
>>
>> Enrico




Re: Query regarding Cluster configuration of Radius server

2008-02-18 Thread Alan DeKok
Kartik CDS wrote:
> Radius client sends access-request to the ip address VIP
> The cluster is responding with IP1 or IP2 instead of VIP as the source
> address, should the radius client allow such a response ?

  No.  You need to use "udpfromto" in the server.  See the "configure"
flags.

> I mean to say whether the radius client should validate the source
> address ?? [ I couldnt find anything related to this in the RFC, kindly
> help]

  Yes, it needs to validate the source address.

  Alan DeKok.


Re: one username and 2 NAS

2008-02-18 Thread Ivan Kalik
It's a file in raddb directory, not a part of the database schema.

Ivan Kalik
Kalik Informatika ISP

On 18/2/2008, "Enrico Fanti" <[EMAIL PROTECTED]> wrote:

>Sorry.
>
>I made a mistake with my Thunderbird button.
>
>I would like to know what the huntgroups concept is in the radius database.
>I have this db schema:
>
>mysql> show tables;
>+------------------+
>| Tables_in_radius |
>+------------------+
>| nas              |
>| radacct          |
>| radcheck         |
>| radgroupcheck    |
>| radgroupreply    |
>| radippool        |
>| radpostauth      |
>| radreply         |
>| usergroup        |
>+------------------+
>
>
>Thank you
>
>Enrico
>
>Ivan Kalik wrote:
>> You have asked this once already. It has been answered.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 18/2/2008, "Enrico Fanti" <[EMAIL PROTECTED]> wrote:
>>
>>   
>>> Hi ,
>>>
>>> I have freeradius configured with Mysql.
>>>
>>> I would like a user "pippo" to be able to log in via ssh to 2 Linux servers
>>> which use pam_radius in /etc/pam.d/sshd (i.e. 2 NAS, same username).
>>>
>>> FreeRADIUS must check whether the NAS-IP-Address is allowed for this user
>>> in the radcheck table.
>>>
>>> I use the "==" operator and my radcheck table is:
>>>
>>> mysql> SELECT id, UserName, Attribute, Value, op from radcheck WHERE
>>> Username = 'pippo' order by id;
>>> +----+----------+----------------+---------------+----+
>>> | id | UserName | Attribute      | Value         | op |
>>> +----+----------+----------------+---------------+----+
>>> | 39 | pippo    | NAS-IP-Address | 10.0.0.52     | == |
>>> | 40 | pippo    | NAS-IP-Address | 10.0.0.49     | == |
>>> | 41 | pippo    | Expiration     | 1203325200    | == |
>>> | 42 | pippo    | Crypt-Password | v7fawImvQUoXM | == |
>>> +----+----------+----------------+---------------+----+
>>>
>>>
>>> It doesn't work..
>>>
>>> Some ideas ???
>>>
>>> Thank you
>>>
>>> Enrico
>>>



Re: FreeRadius and LDAP/AD username/password check

2008-02-18 Thread Alan DeKok
Mats Blomgren B wrote:
> Today I check the "etc/passwd" for the usernames and passwords and
> fetches the users default group from "etc/passwd".

  I'm not so sure...

> #/usr/local/etc/raddb/users
> DEFAULT Group == "admin-network", Auth-Type = System

  This checks /etc/groups, via the getgrent() call.  It sees if the user
is a member of that group, not if that is the user's default group.

> I have been browsing the mailing list, wiki and google trying to find
> out if anyone has done the following:
> 1. I want to check the username/password against LDAP/AD instead of
> directly towards "etc/passwd".

  Configure the LDAP module.  See the various howto's.

> 2. After that I would like to continue by fetching the user's default
> group from the Solaris 10 system (/"etc/passwd") to give it rights
> depending on which group the user belongs to.

  You don't have to change anything in your current configuration.

  Alan DeKok.


Re: acct copy

2008-02-18 Thread Alan DeKok
Alexandre Chapellon wrote:
> here follow an output of freeradius -XXX, sorry it's quite verbose...
> but as you can see, there's no error neither a warning whereas the
> detail.work contains (a lot of) remainings accounting queries to
> proceed

  Hmmm... it's due to an interaction between reading files normally, and
reading them buffered...  Ugh.

  I'll see if I can come up with something.

  Alan DeKok.


Re: Query regarding Cluster configuration of Radius server

2008-02-18 Thread Kartik CDS
Thanks for the response Alan.
But can you please let me know whether it is mentioned in the radius rfc
that the client should validate the source address?

Thanks & Best Regards,
Kartik

On Feb 18, 2008 6:01 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:

> Kartik CDS wrote:
> > Radius client sends access-request to the ip address VIP
> > The cluster is responding with IP1 or IP2 instead of VIP as the source
> > address, should the radius client allow such a response ?
>
>  No.  You need to use "udpfromto" in the server.  See the "configure"
> flags.
>
> > I mean to say whether the radius client should validate the source
> > address ?? [ I couldnt find anything related to this in the RFC, kindly
> > help]
>
>  Yes, it needs to validate the source address.
>
>  Alan DeKok.

Re: Query regarding Cluster configuration of Radius server

2008-02-18 Thread Phil Mayers

Kartik CDS wrote:
> Thanks for the response Alan.
> But can you please let me know whether it is mentioned in the radius rfc
> that the client should validate the source address?

The wording may not be explicit, but aside from radius secrets being 
bound to a server IP & port, the client-generated radius ID numbers are 
bound to a server IP & port, and radius clients are *required* to ignore 
reply packets with no outstanding request for that IP/port/ID tuple (see 
RFC2865 section 4.2; RFC5080 section 2.2.2 clarifies this).


You need to use a different load-balancing setup; having the server 
reply from the VIP is fairly trivial in most cases. We do it. It's 
usually a case of ordering the load balancer to not translate the 
destination IP, binding an IP of $VIP/32 to the NIC and using the server 
listen {} statement.




> Thanks & Best Regards,
> Kartik
>
> On Feb 18, 2008 6:01 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
>
>> Kartik CDS wrote:
>>> Radius client sends access-request to the ip address VIP
>>> The cluster is responding with IP1 or IP2 instead of VIP as the source
>>> address, should the radius client allow such a response ?
>>
>>   No.  You need to use "udpfromto" in the server.  See the "configure"
>> flags.
>>
>>> I mean to say whether the radius client should validate the source
>>> address ?? [ I couldnt find anything related to this in the RFC, kindly
>>> help]
>>
>>   Yes, it needs to validate the source address.
>>
>>   Alan DeKok.

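The (server IP, port, Identifier) matching rule and the Response Authenticator check from RFC 2865 section 4.2 that Phil describes, as an added example that is not code from this thread or from FreeRADIUS: a toy RADIUS client that only accepts a reply whose source matches a request it actually sent and whose Response Authenticator verifies under the shared secret, so a reply from a cluster member's own IP instead of the VIP is silently dropped. The VIP, member address, secret and User-Name are constructed for the demo.

```python
"""RADIUS client reply validation: (source IP, port, ID) lookup against pending
requests plus the RFC 2865 Response Authenticator check. All addresses, the
secret and the attribute values below are constructed for this example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME = 1  # RADIUS attribute type for User-Name

# Constructed demo values (assumptions, not taken from the thread).
SECRET = b"constructed-shared-secret"
VIP = ("192.0.2.10", 1812)     # address the client sent its request to
MEMBER = ("192.0.2.11", 1812)  # cluster member that answers from its own IP


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; Length covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def build_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


class RadiusClient:
    """Minimal client that keys pending requests by (server IP, server port, ID)."""

    def __init__(self, secret):
        self.secret = secret
        self.pending = {}  # (ip, port, ident) -> Request Authenticator
        self.next_id = 0

    def send(self, server, attrs):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        request_auth = os.urandom(16)
        self.pending[(server[0], server[1], ident)] = request_auth
        return build_request(ident, request_auth, attrs)

    def receive(self, source, packet):
        """Return (accepted, reason); anything that fails a check is discarded."""
        if len(packet) < 20:
            return False, "runt packet"
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if length != len(packet):
            return False, "Length field does not match packet size"
        key = (source[0], source[1], ident)
        request_auth = self.pending.get(key)
        if request_auth is None:
            # Reply came from an IP/port we never sent to (a cluster member
            # instead of the VIP) or reuses an ID that is no longer outstanding.
            return False, "no outstanding request for %s:%d id=%d" % key
        expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + self.secret).digest()
        if not hmac.compare_digest(expected, packet[4:20]):
            return False, "bad Response Authenticator"
        del self.pending[key]  # consumed: a replayed copy is discarded next time
        return True, "code %d accepted" % code


def demo():
    """Send one request to the VIP, then feed the client the reply four ways."""
    client = RadiusClient(SECRET)
    req = client.send(VIP, [(USER_NAME, b"testuser")])
    ident, request_auth = req[1], req[4:20]
    reply = build_reply(ACCESS_ACCEPT, ident, request_auth, [], SECRET)
    forged = build_reply(ACCESS_ACCEPT, ident, request_auth, [], b"wrong-secret")
    return {
        "from_member": client.receive(MEMBER, reply)[0],    # wrong source -> dropped
        "forged_from_vip": client.receive(VIP, forged)[0],  # bad authenticator -> dropped
        "from_vip": client.receive(VIP, reply)[0],          # matches -> accepted
        "replay_from_vip": client.receive(VIP, reply)[0],   # already consumed -> dropped
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-16s %s" % (name, "accepted" if ok else "discarded"))
```

This is the client-side behaviour that makes Alan's udpfromto advice necessary: unless the server answers from the address the client sent to, a correct client never sees a matching pending request.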


Re: FR2 - proxying inner tunnel

2008-02-18 Thread Dmitry Sergienko

Hi!

Alan DeKok wrote:
> Dmitry Sergienko wrote:
>> Please give me some tips how/where to fix this issue. I'm somewhat lost
>> while debugging this EAP stuff with tunnelling and proxying ;)
>
>   It's rather complicated after a while.  I'm not sure how it can be
> easily debugged...


Added some functions to make debugging easier and found out the following:
There is a call of eaplist_add() in eap_post_proxy():

    if ((handler->eap_ds->request->code == PW_EAP_REQUEST) &&
        (handler->eap_ds->request->type.type >= PW_EAP_MD5)) {
            eaplist_add(inst, handler);

and in eaplist_add():

    handler->src_ipaddr = handler->request->packet->src_ipaddr;

But during proxying handler->request->packet->src_ipaddr.ipaddr.ip4addr is zero:

(gdb) p handler->request->packet->src_ipaddr
$7 = {af = 2, ipaddr = {ip4addr = {s_addr = 0}, ip6addr = {in6_u = {u6_addr8 = 
"\000\000\000\000\220\006\030\b\215\b\b\000\000\000",
u6_addr16 = {0, 0, 1680, 2072, 36260, 2056, 0, 0}, u6_addr32 = {0, 
135792272, 134778276, 0}

Then we're trying to find a session with the correct IP address of the NAS,
i.e. 192.168.2.3, and eaplist_find() fails because the list contains a session
with a zero ipaddr.


I'll try to debug deeper and figure out how to fix this correctly (and not to 
break anything else ;)

--
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.



Re: acct copy

2008-02-18 Thread Alexandre Chapellon

Thx for that answer Alan...
Right now I have other problems that threaten me, so my freeradius 
setup is actually in stand by (I'll just put one or two to log in the mysql 
db for the moment).
Anyway, if you can come up with something about that problem, be sure 
I'll be glad to start over my tests and complete my setup... and lastly 
replace my old Funk with brand new freeradiuses.

thx


Alan DeKok wrote:
> Alexandre Chapellon wrote:
>> here follow an output of freeradius -XXX, sorry it's quite verbose...
>> but as you can see, there's no error neither a warning whereas the
>> detail.work contains (a lot of) remainings accounting queries to
>> proceed
>
>   Hmmm... it's due to an interaction between reading files normally, and
> reading them buffered...  Ugh.
>
>   I'll see if I can come up with something.
>
>   Alan DeKok.

Re: Re: 1.1.7 and rlm_sql_mysql duplicated query

2008-02-18 Thread Georgi Alexandrov
 >Santiago Balaguer García wrote:
 >> The answer is not totally correct. Because a microcuts in the 
 >> connectibity of hotspot cause that hotspot re-sends the acct request.
 >
 >No, because then the Acct-Session-Id would remain the same.
 >
 >> In that case, you have to desactivate:
 >>  - accounting_start_query_alt
 >>  - accounting_stop_query_alt
 >
 >No. Re-read the original post. The Acct-Session-Id is different, hence 2 
 >sessions are being inserted into SQL, but no Accounting-Stop ever gets 
 >send for the 1st.
 >
 >The NAS is misbehaving.
 >

The problem was in the NAS itself indeed and not in freeradius. Thanks.


Re: FR2 - proxying inner tunnel

2008-02-18 Thread Dmitry Sergienko

Hi!

Dmitry Sergienko wrote:
> But during proxying handler->request->packet->src_ipaddr.ipaddr.ip4addr
> is zero:
>
> I'll try to debug deeper and figure out how to fix this correctly (and
> not to break anything else ;)

At last it works. Patch is in attachment.
I'm still not sure if this patch doesn't break anything so please double check it. I'm new 
to freeradius code.


Here is the result:

   PEAP: Sending tunneled request
 EAP-Message = 0x020b00061a03
 FreeRADIUS-Proxied-To = 127.0.0.1
 User-Name = "aaa"
 State = 0xc0688788c1639d2a0b378c391f825bde
server proxy-inner-tunnel {
Mon Feb 18 18:53:04 2008 : Debug: +- entering group authorize
Mon Feb 18 18:53:04 2008 : Debug:   modsingle[authorize]: calling eap (rlm_eap) 
for request 9
Mon Feb 18 18:53:04 2008 : Debug:   rlm_eap: EAP packet type response id 11 
length 6
Mon Feb 18 18:53:04 2008 : Debug:   rlm_eap: No EAP Start, assuming it's an on-going EAP 
conversation
Mon Feb 18 18:53:04 2008 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for 
request 9

Mon Feb 18 18:53:04 2008 : Debug: ++[eap] returns updated
Mon Feb 18 18:53:04 2008 : Debug: ++[control] returns updated
} # server proxy-inner-tunnel
   PEAP: Got tunneled reply RADIUS code 0
Mon Feb 18 18:53:04 2008 : Debug:   PEAP: Calling authenticate in order to initiate 
tunneled EAP session.

Mon Feb 18 18:53:04 2008 : Debug: +- entering group authenticate
Mon Feb 18 18:53:04 2008 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for 
request 9

Mon Feb 18 18:53:04 2008 : Debug:   rlm_eap: Request found, released from the 
list
Mon Feb 18 18:53:04 2008 : Debug:   rlm_eap: EAP/mschapv2
Mon Feb 18 18:53:04 2008 : Debug:   rlm_eap: processing type mschapv2
Mon Feb 18 18:53:04 2008 : Debug:   rlm_eap: Freeing handler
Mon Feb 18 18:53:04 2008 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) 
for request 9

Mon Feb 18 18:53:04 2008 : Debug: ++[eap] returns ok

   PEAP: Processing from tunneled session code 0x81a3380 2
 EAP-Message = 0x030b0004
 Message-Authenticator = 0x
 User-Name = "aaa"
Mon Feb 18 18:53:04 2008 : Debug:   PEAP: Tunneled authentication was 
successful.
Mon Feb 18 18:53:04 2008 : Debug:   rlm_eap_peap: SUCCESS
Mon Feb 18 18:53:04 2008 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) 
for request 9

Mon Feb 18 18:53:04 2008 : Debug: ++[eap] returns handled
Sending Access-Challenge of id 128 to 192.168.2.3 port 8021
 EAP-Message =
0x010c003b190017030100306ab8df262f8c6d2baed3a48cebc42431d0e21fdb1c045843655aece32052f1d927b38a0913526945e8d673551cf09b68
 Message-Authenticator = 0x
 State = 0x34e964c03de57d86becfe482ce4c450e
Mon Feb 18 18:53:04 2008 : Debug: Finished request 9.
Mon Feb 18 18:53:04 2008 : Debug: Going to the next request
Mon Feb 18 18:53:04 2008 : Debug: Waking up in 0.9 seconds.
Mon Feb 18 18:53:05 2008 : Debug: Cleaning up request 7 ID 126 with timestamp +18
Mon Feb 18 18:53:05 2008 : Debug: Waking up in 2.0 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 8021, id=129, length=295
 Framed-MTU = 1466
 NAS-IP-Address = 192.168.2.3
 NAS-Identifier = "D-Link"
 User-Name = "[EMAIL PROTECTED]"
 Service-Type = Framed-User
 NAS-Port = 33
 NAS-Port-Type = Ethernet
 NAS-Port-Id = "ether3_33"
 Called-Station-Id = "00-15-e9-b8-79-dd"
 Calling-Station-Id = "00-a9-40-0f-83-a5"
 Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
 State = 0x34e964c03de57d86becfe482ce4c450e
 EAP-Message =
0x020c006019001703010020ba6525822b5e46cf96b43f8d5f3472ee0add04778e445cccee670a1323faf5751703010030f14f2456303f64be72a49607993cd63f327c6fff01e45d0b020e39714c106692f7bdddfc8b51df1163648d47b4b24ece
 Message-Authenticator = 0x4213abb85ac838f3426660c0304d3f84
Mon Feb 18 18:53:06 2008 : Debug: +- entering group authorize
Mon Feb 18 18:53:06 2008 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 10
Mon Feb 18 18:53:06 2008 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 10
Mon Feb 18 18:53:06 2008 : Debug: ++[preprocess] returns ok
Mon Feb 18 18:53:06 2008 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 10
Mon Feb 18 18:53:06 2008 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 10
Mon Feb 18 18:53:06 2008 : Debug: ++[chap] returns noop
Mon Feb 18 18:53:06 2008 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 10
Mon Feb 18 18:53:06 2008 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 10
Mon Feb 18 18:53:06 2008 : Debug: ++[mschap] returns noop
Mon Feb 18 18:53:06 2008 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 10
Mon Feb 18 18:53:06 2008 : Debug: rlm_realm: Looking up realm "myn

SMUX not registering with FreeRadius 1.1.7 and SNMP 5.1.2 after radiusd -X

2008-02-18 Thread shrinivas alageri
Hello
   
I wanted to integrate SMUX with FreeRadius with the above version.
   
Tried the steps:

1. Compiling FreeRadius with snmp option
2. modified the freeradius snmp.conf file to include

smux_password = verysecret

3. modified the radiusd.conf file with

snmp = yes
$INCLUDE ${confdir}/snmp.conf

4. modified the net-snmp snmpd.conf file to include

smuxpeer = 1.3.6.1.4.1.3317.1.3.1 verysecret

5. started the radiusd and snmpd daemons.

When I do an 'snmpwalk -v1 -c public localhost system' I get the system
info from the MIB (as expected).
   
When I do radiusd -X no SMUX message is displayed.

Please help

Thanks

Shrinivas
  
 

   
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

FreeRadius question

2008-02-18 Thread Harley Race
Ladies and Gentlemen,

I am trying to find out how I can check what options
the freeradius binary available for download was
compiled with.   I have STFW and RTFM, but still am
not sure as to how to check.  radiusd -X gives some
information, but
nothing about what freeradius was compiled with.  I am
interested in finding out if the binary was compiled
with e-Directory support. Thanks for any help.


  


Re: FreeRadius question

2008-02-18 Thread A . L . M . Buxey
Hi,
> Ladies and Gentlemen,
> 
> I am trying to find out how I can check what options
> the freeradius binary available for download was
> compiled with.   I have STFW and RTFM, but still am
> not sure as to how to check.  radiusd -X gives some
> information, but
> nothing about what freeradius was compiled with.  I am
> interested in finding out if the binary was compiled
> with e-Directory support. Thanks for any help.

WHICH binary available for download?

alan


how can I configure CHAP or PAP

2008-02-18 Thread Sarp Kaya
Hello, I don't know how to do it. I am using an Antcor OS router and
it has hotspot settings. I also have a PC which has Ubuntu, and I
installed FreeRADIUS 1.1.6-2, but my router cannot connect to
FreeRADIUS. How can I solve this?


SMUX not registering with FreeRadius 1.1.7 and SNMP 5.1.2 after radiusd -X

2008-02-18 Thread shrinivas alageri
Hello
   
I wanted to integrate SMUX with FreeRadius with the above version. Attached are
the logs. I do not see any SMUX/SNMP strings from radiusd -X.
   
Tried the steps:

1. Compiling FreeRadius with snmp option
2. modified the freeradius snmp.conf file to include

smux_password = verysecret

3. modified the radiusd.conf file with

snmp = yes
$INCLUDE ${confdir}/snmp.conf

4. modified the net-snmp snmpd.conf file to include

smuxpeer = 1.3.6.1.4.1.3317.1.3.1 verysecret

5. started the radiusd and snmpd daemons.

When I do an 'snmpwalk -v1 -c public localhost system' I get the system
info from the MIB (as expected).


   
[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique

Re: how can I configure CHAP or PAP

2008-02-18 Thread Ivan Kalik
http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_still_doesn.27t_work.21

Ivan Kalik
Kalik Informatika ISP


On 18/2/2008, "Sarp Kaya" <[EMAIL PROTECTED]> writes:

>Hello, I don't know how to do it. I am using an Antcor OS router and
>it has hotspot settings. I also have a PC which has Ubuntu, and I
>installed FreeRADIUS 1.1.6-2, but my router cannot connect to
>FreeRADIUS. How can I solve this?


Re: FR2 - proxying inner tunnel

2008-02-18 Thread Alan DeKok
Dmitry Sergienko wrote:
> At last it works. Patch is in attachment.
> I'm still not sure if this patch doesn't break anything so please double
> check it. I'm new to freeradius code.

  The patch is correct.  I've also added a similar patch to ttls.c

  Thanks.

  Alan DeKok.


FR & Unix pws

2008-02-18 Thread Lemaster, Rob
I read the passwd module in radiusd.conf, and I couldn't find how to enable 
clear-text passwords for authentication. Could you reply with a direct link or 
more specifics?
 
8 out of 11 dentists prefer FreeRADIUS over the leading brand for fresh breath 
and healthy gums.
 
-
 
Lemaster, Rob wrote:
> I am using FreeRADIUS v1.0.5 in a non-production lab environment.

  Well... I suggest upgrading.

> What hashing algorithm is used to store passwords in passwd?

$ man passwd

  i.e. whatever your system supports.

> Does FreeRADIUS have an option to read passwords in clear text?

  Sure.  See the "passwd" module && documentation in FreeRADIUS.

> Is there an easy way to create hashed passwords from some Unix
> command-line utility?

  The simplest is Apache's "htpasswd" program.

> 4 out of 10 women surveyed think Alan DeKok is a sex magnet.

  Then they cry themselves to sleep at night.  I'm not available. :(

  Alan DeKok.




2 different authorization?

2008-02-18 Thread javkhlanbaatar
Hi.

I know I asked this question.
I want to filter users depending on their status. I mean active users can
login (authenticate) to internet and rest are able to login but only to
the local (or certain) websites. If I add a field named Status in the
radcheck table and it only takes yes/no values.

Username Attribute Op Value *Status*

and I tried to insert in checkval section as follows:

checkval mac {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
checkval status {
item-name = Status
check-name = Status
data-type = string
}

and in the authorize section:
authorize {
..
mac
status
..
}

It doesn't get Status (there is no Status attribute).
All I am trying to do is: if Status is yes, then the user authenticates and uses the internet.
If Status is no, the user also authenticates but is only able to access
certain sites.

Also, I read templates.conf and proxy.conf. I think my answer is in there,
but because of my lack of English I cannot understand it clearly.

2. I've also tried creating 2 sql instances. But after that, how does radius
distinguish the users according to their connection? I mean, when user1
connects, then it is checked from the sql1 instance, etc.

But in debugging mode, radius checks from both instances. How can I
manage this?

Sorry for my English. Maybe I chose wrong words so you may misunderstand.




Re: 2 different authorization?

2008-02-18 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I want to filter users depending on their status. I mean active users can
> login (authenticate) to internet and rest are able to login but only to
> the local (or certain) websites. If I add a field named Status in the
> radcheck table and it only takes yes/no values.
> 
> Username Attribute Op Value *Status*

  I'm not sure what that means...

> and I tried to insert in checkval section as follows:

  Why are you using checkval?  In 2.x, just use "unlang".  It's much easier.

> Also, I read templates.conf and proxy.conf. I think my answer is in there
> but lack of my English, I cannot understand clearly.

  Read "man unlang".

> 2. I've tried also create 2 sql instances. But after that how the radius
> differs the users according to their connection. I mean when user1
> connects then it checked from sql1 instances etc.
> 
> But in the debugging mode, radius checks from both 2 instances. How can I
> manage this?

  Read "man unlang" and "man radiusd.conf".

  Alan DeKok.


Re: EAP/PEAP inner identity and rlm_exec

2008-02-18 Thread Alan DeKok
Kolbjørn Barmen wrote:
> However, it only works for the so called "outer" identity.
> Any tip on how to make it work for the "inner" identity instead?

  In 2.0, just put that into a virtual server for inner tunnels.  See
raddb/sites-available/inner-tunnel.

  In 1.x, do:

# runs only in the inner tunnel
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, ...
reply 

  Alan DeKok.

EAP/PEAP inner identity and rlm_exec

2008-02-18 Thread Kolbjørn Barmen

I'm trying to use a selfmade script to decide VLAN-attributes for 
EAP/PEAP users:

DEFAULT Realm == realm.org
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = `%{exec:/usr/sbin/ldap2vlan %{User-Name}}`

However, it only works for the so called "outer" identity.
Any tip on how to make it work for the "inner" identity instead?

-- 
Kolbjørn Barmen
UNINETT Driftsenter
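An added example, not Kolbjørn's script and not part of FreeRADIUS: a stand-in for the /usr/sbin/ldap2vlan helper that rlm_exec calls with %{User-Name}, showing how to normalise the inner identity, escape it for an LDAP filter, and fall back to a guest VLAN instead of returning nothing. The guest VLAN number, the DOMAIN\user handling and the inline table standing in for the directory are assumptions made here.

```shell
#!/bin/sh
# Added example (not the poster's /usr/sbin/ldap2vlan): a helper rlm_exec can
# call with %{User-Name}, printing the VLAN id for Tunnel-Private-Group-Id.
# In 1.x the users entry calling it is kept to the inner tunnel with Alan's
# "FreeRADIUS-Proxied-To == 127.0.0.1" check, so $1 is the inner identity.
# Constructed assumptions: guest VLAN 999 and an inline "uid vlan" table.

GUEST_VLAN=999

# Reduce "user@realm" or "DOMAIN\user" to the bare account name and refuse
# anything outside a conservative character set. Returns 1 on a bad name.
inner_user() {
    name=${1%%@*}                                   # drop a realm suffix
    name=$(printf '%s' "$name" | sed 's/.*\\//')    # drop a DOMAIN\ prefix
    case "$name" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s' "$name"
}

# Escape a value for an LDAP search filter (RFC 4515) so a request-supplied
# name cannot change the shape of the filter, even if validation is relaxed.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Constructed stand-in for the directory: one "uid vlan" pair per line.
DIRECTORY='alice 10
bob 20
carol 10'

# Stand-in for "ldapsearch -x -b <base> <filter> vlanId": accepts the same
# "(uid=...)" filter and prints the VLAN, or nothing when there is no match.
directory_search() {
    uid=$(printf '%s' "$1" | sed 's/^(uid=//; s/)$//')
    printf '%s\n' "$DIRECTORY" | awk -v u="$uid" '$1 == u { print $2 }'
}

# Map a RADIUS User-Name to a VLAN id. Malformed or unknown users go to the
# guest VLAN, so a failed lookup never leaves Tunnel-Private-Group-Id empty.
ldap2vlan() {
    user=$(inner_user "$1") || { printf '%s\n' "$GUEST_VLAN"; return 0; }
    filter="(uid=$(ldap_filter_escape "$user"))"
    vlan=$(directory_search "$filter")
    printf '%s\n' "${vlan:-$GUEST_VLAN}"
}

# When run as a script, rlm_exec supplies the expanded %{User-Name} as $1.
if [ -n "${1:-}" ]; then
    ldap2vlan "$1"
fi
```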

Re: FR & Unix pws

2008-02-18 Thread Alan DeKok
Lemaster, Rob wrote:
> I read the passwd module in radiusd.conf, and I couldn't find how to enable 
> clear-text passwords for authentication. Could you reply with a direct link 
> or more specifics?

  You don't.  You tell the server what the user's clear-text password is,
and the server figures it out.

  See "man rlm_pap" in 2.x.

  Alan DeKok.