Re: newbie on radiustesting

2008-04-16 Thread Andrew Hood
Si St wrote:

> linux:/etc/raddb/certs # l
> insgesamt 53
> drw-r-  3 root radiusd  472 2008-03-31 22:53 ./
> drwxr-xr-x  5 root root 728 2008-04-16 20:40 ../
> -rw-r-  1 root radiusd  721 2005-09-13 04:15 cert-clt.der
> -rw-r-  1 root radiusd 1741 2005-09-13 04:15 cert-clt.p12
> -rw-r-  1 root radiusd 2452 2005-09-13 04:15 cert-clt.pem
> -rw-r-  1 root radiusd  717 2005-09-13 04:15 cert-srv.der
> -rw-r-  1 root radiusd 1733 2005-09-13 04:15 cert-srv.p12
> -rw-r-  1 root radiusd 2439 2005-09-13 04:15 cert-srv.pem
> drw-r-  2 root radiusd  200 2008-03-31 22:53 demoCA/
> -rw-r-  1 root radiusd0 2005-09-13 04:15 dh
> -rw-r-  1 root radiusd 2913 2005-09-13 04:15 newcert.pem
> -rw-r-  1 root radiusd 1753 2005-09-13 04:15 newreq.pem
> -rw-r-  1 root radiusd 1024 2005-09-13 04:15 random
> -rw-r-  1 root radiusd  431 2005-09-13 04:15 README
> -rw-r-  1 root radiusd  954 2005-09-13 04:15 root.der
> -rw-r-  1 root radiusd 1973 2005-09-13 04:15 root.p12
> -rw-r-  1 root radiusd 2764 2005-09-13 04:15 root.pem
> 
> linux:/etc/raddb/certs/demoCA # l
> insgesamt 21
> drw-r-  2 root radiusd  200 2008-03-31 22:53 ./
> drw-r-  3 root radiusd  472 2008-03-31 22:53 ../
> -rw-r-  1 root radiusd 1346 2005-09-13 04:15 cacert.pem
> -rw-r-  1 root radiusd  276 2005-09-13 04:15 index.txt
> -rw-r-  1 root radiusd  140 2005-09-13 04:15 index.txt.old
> -rw-r-  1 root radiusd3 2005-09-13 04:15 serial
> -rw-r-  1 root radiusd3 2005-09-13 04:15 serial.old

Bad directory perms?

umask 022
find /etc/raddb/ -type d -exec chmod ug+x {} \;

-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
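As an added example (not code from the thread or from FreeRADIUS), the traversal check the two answers above are doing by eye: a directory with r but no x can be listed, but nothing inside it can be opened, so 'drw-r-----' on certs/ blocks group radiusd even though every file in it is group-readable. The user and group names and the mode of /etc are assumptions; stat_components() builds the same tuples from a live filesystem.

```python
import os
import pwd
import grp
import stat

# Evaluate whether a user can reach a file through every directory on its
# path, using only the mode bits, owner and group of each component (the
# same data 'ls -l' prints). Pure computation, so it runs as any user.

def parse_mode(mode_str):
    """Turn an ls-style mode such as 'drw-r-----' into
    (is_dir, owner_rwx, group_rwx, other_rwx), each rwx a (r, w, x) bool triple."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string, got %r" % mode_str)
    triples = []
    for start in (1, 4, 7):
        r, w, x = mode_str[start:start + 3]
        # 's' and 't' carry an x bit; upper-case 'S'/'T' do not
        triples.append((r == "r", w == "w", x in "xst"))
    return mode_str[0] == "d", triples[0], triples[1], triples[2]

def effective_bits(mode_str, owner, group, user, user_groups):
    """Classic DAC class selection: owner, else group, else other.
    root is treated as passing read and search checks on every object."""
    is_dir, o, g, oth = parse_mode(mode_str)
    if user == "root":
        return is_dir, (True, True, True)
    if owner == user:
        return is_dir, o
    if group in user_groups:
        return is_dir, g
    return is_dir, oth

def parse_ls_line(line):
    """Pull (mode, owner, group, name) out of one 'ls -l' line; size and date are ignored."""
    fields = line.split()
    mode, owner, group, name = fields[0], fields[2], fields[3], fields[-1]
    return mode, owner, group, name.rstrip("/")

def check_path(components, user, user_groups):
    """components: (mode, owner, group, name) tuples from the first directory
    down to the target. Every directory on the way needs the search (x) bit;
    the target needs r, and x as well if it is itself a directory."""
    problems = []
    last = len(components) - 1
    for i, (mode, owner, group, name) in enumerate(components):
        is_dir, (r, _w, x) = effective_bits(mode, owner, group, user, user_groups)
        if i < last and not x:
            problems.append("%s: directory lacks the search (x) bit for %s" % (name, user))
        if i == last and not r:
            problems.append("%s: no read bit for %s" % (name, user))
        if i == last and is_dir and not x:
            problems.append("%s: listable but not searchable by %s" % (name, user))
    return problems

def stat_components(path):
    """Build the same tuples from a live Unix filesystem with os.stat."""
    path = os.path.abspath(path)
    comps, current = [], ""
    for part in path.split(os.sep)[1:]:
        current = current + os.sep + part
        st = os.stat(current)
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        try:
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            group = str(st.st_gid)
        comps.append((stat.filemode(st.st_mode), owner, group, part))
    return comps

# Constructed from the listings posted in the thread ('drw-r-' in the archive is
# 'drw-r-----' with the dashes collapsed); /etc as 0755 root:root is an assumption.
CERT_PATH_AS_POSTED = [
    ("drwxr-xr-x", "root", "root", "etc"),
    ("drwxr-xr-x", "root", "root", "raddb"),
    ("drw-r-----", "root", "radiusd", "certs"),
    ("-rw-r-----", "root", "radiusd", "cert-srv.pem"),
]

# The same path after 'find /etc/raddb/ -type d -exec chmod ug+x {} \;'
CERT_PATH_AFTER_FIX = [
    ("drwxr-xr-x", "root", "root", "etc"),
    ("drwxr-xr-x", "root", "root", "raddb"),
    ("drwxr-x---", "root", "radiusd", "certs"),
    ("-rw-r-----", "root", "radiusd", "cert-srv.pem"),
]

if __name__ == "__main__":
    for label, comps in (("as posted", CERT_PATH_AS_POSTED), ("after fix", CERT_PATH_AFTER_FIX)):
        print(label, check_path(comps, "radiusd", {"radiusd"}) or "ok")
```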


Re: newbie on radiustesting

2008-04-16 Thread A . L . M . Buxey
Hi,

> A: All running, both radiusd -X and rcradiusd start, is done as root, and 
> unfortunately all messages come from the user root.

okay. so definitely a permission issue for a non-root user.
...it's late now so if no one else steps in you'll have to wait
to hear from me again. (in radiusd.conf the user is set to
radiusd, yes?)

alan


Re: SQL log accounting and post_auth

2008-04-16 Thread A . L . M . Buxey
Hi,

> And change the insert line with this line
> postauth_query = "INSERT INTO ${postauth_table} (username, pass, reply)
> VALUES
> ('%{User-Name}','%{%{User-Password}:-%{Chap-Password}}','%{reply:Packet-
> Type}')"

yes. but do you REALLY want to log people's passwords into a nice
database?  I've changed/obfuscated ours, e.g. in your case...

INSERT INTO ${postauth_table} (username, pass, reply) VALUES\
('%{User-Name}','password','%{reply:Packet-Type}')"

alan
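Added example, not code from the thread or from FreeRADIUS: a small model of the server's %{...} expansion that shows what each of the three post-auth templates on this page writes into the pass column for a CHAP request (and a PAP one), plus a lint for templates that reference a credential attribute. The request values are constructed, and the model leaves out the SQL escaping the real server applies to expanded values.

```python
import re

# Models only %{Attr}, %{reply:Attr}, the deprecated %{Attr:-literal} form
# (the server's 'Deprecated conditional expansion ":-"' warning) and the
# nested %{%{A}:-%{B}} form that replaced it.

CREDENTIAL_ATTRS = ("User-Password", "Chap-Password")

def _matching_brace(s, open_idx):
    """Index of the '}' that closes the '{' at open_idx, honouring nesting."""
    depth = 0
    for k in range(open_idx, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced braces in %r" % s)

def _top_level_find(s, needle):
    """Position of needle outside any nested %{...}, or None."""
    depth = 0
    for k in range(len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
        elif depth == 0 and s.startswith(needle, k):
            return k
    return None

def _lookup(ref, request, reply):
    """%{Attr} reads the request list, %{reply:Attr} the reply list; missing -> ''."""
    if ":" in ref:
        list_name, attr = ref.split(":", 1)
        source = reply if list_name == "reply" else request
    else:
        attr, source = ref, request
    return source.get(attr, "")

def _expand_ref(body, request, reply, warnings):
    split = _top_level_find(body, ":-")
    if split is None:
        return _lookup(body, request, reply)
    primary, fallback = body[:split], body[split + 2:]
    if primary.startswith("%{"):
        # %{%{A}:-%{B}}: both sides are themselves expanded
        value = expand(primary, request, reply, warnings)
        return value if value else expand(fallback, request, reply, warnings)
    # %{Attr:-default}: deprecated; the default is a literal, never an attribute
    warnings.append('Deprecated conditional expansion ":-" in %%{%s}' % body)
    value = _lookup(primary, request, reply)
    return value if value else fallback

def expand(template, request, reply, warnings=None):
    """Expand every %{...} in template; warnings (a list) collects deprecation notes."""
    if warnings is None:
        warnings = []
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 1)
            out.append(_expand_ref(template[i + 2:end], request, reply, warnings))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

def expand_query(template, request, reply):
    """Return (expanded_sql, deprecation_warnings) for one post-auth query template."""
    warnings = []
    return expand(template, request, reply, warnings), warnings

def credential_refs(template):
    """Attributes referenced by the template that would put a credential in the database."""
    found = re.findall(r"%\{(?:[\w-]+:)?(" + "|".join(CREDENTIAL_ATTRS) + r")\b", template)
    return sorted(set(found))

# Constructed sample: a CHAP request, so User-Password is absent (CHAP carries a
# hash in Chap-Password); the value is a made-up placeholder, not a real capture.
CHAP_REQUEST = {"User-Name": "guillaume", "Chap-Password": "0x0100aa55cafef00d"}
ACCEPT_REPLY = {"Packet-Type": "Access-Accept"}

PREFIX = "INSERT INTO radpostauth (username, pass, reply) VALUES "
QUERY_DEPRECATED = PREFIX + "('%{User-Name}','%{User-Password:-Chap-Password}','%{reply:Packet-Type}')"
QUERY_NESTED = PREFIX + "('%{User-Name}','%{%{User-Password}:-%{Chap-Password}}','%{reply:Packet-Type}')"
QUERY_OBFUSCATED = PREFIX + "('%{User-Name}','password','%{reply:Packet-Type}')"

if __name__ == "__main__":
    for q in (QUERY_DEPRECATED, QUERY_NESTED, QUERY_OBFUSCATED):
        sql, warns = expand_query(q, CHAP_REQUEST, ACCEPT_REPLY)
        print(sql, warns, "credentials referenced:", credential_refs(q))
```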


Re: newbie on radiustesting

2008-04-16 Thread Si St

> - Original Message -
> From: [EMAIL PROTECTED]
> To: "FreeRadius users mailing list" 
> Subject: Re: newbie on radiustesting
> Date: Wed, 16 Apr 2008 20:11:11 +0100
> 
> 
> Hi,
> 
> > Does the rlm_eap message tell you anything:
> 
> yes, no EAP-Message  - but that's just talking about the incoming
> packet.  are you running SELinux by any chance (just thinking
> about the file permissions and why the servers cannot read the
> cert)

A: I am running SuSE Linux 10.0 and use the radius packages directly from that 
installation. AppArmor/subdomain is deactivated, due to the demands of the 
dazuko module running AVIRA antivir.

I do not think there is any security-enhanced system here:

linux:/etc/raddb # uname -a
Linux linux 2.6.13-15.18-default #1 Tue Oct 2 17:36:20 UTC 2007 i686 i686 i386 
GNU/Linux
 linux:/etc/raddb # l /boot/
insgesamt 6262
drwxr-xr-x   3 root root 584 2008-03-24 11:24 ./
drwxr-xr-x  27 root root 664 2008-04-13 13:22 ../
-rw---   1 root root 512 2006-01-30 10:51 backup_mbr
lrwxrwxrwx   1 root root   1 2006-01-30 10:48 boot -> ./
-rw---   1 root root 512 2006-01-30 10:51 boot.0300
-rw-r--r--   1 root root 512 2006-02-21 17:43 boot.0800
-rw-r--r--   1 root root   63954 2007-10-03 20:33 config-2.6.13-15.18-default
drwxr-xr-x   2 root root 456 2006-01-30 13:26 grub/
lrwxrwxrwx   1 root root  27 2008-03-24 11:21 initrd -> 
initrd-2.6.13-15.18-default
-rw-r--r--   1 root root 1748236 2008-03-24 11:20 initrd-2.6.13-15.18-default
-rw---   1 root root  220160 2008-03-24 11:24 map
-rw-r--r--   1 root root  133120 2008-03-07 18:16 message
-rw-r--r--   1 root root   73696 2007-10-03 20:33 
symvers-2.6.13-15.18-i386-default.gz
-rw-r--r--   1 root root  756977 2007-10-03 20:24 
System.map-2.6.13-15.18-default
-rw-r--r--   1 root root 1840531 2007-10-03 20:33 
vmlinux-2.6.13-15.18-default.gz
lrwxrwxrwx   1 root root  28 2008-03-24 11:21 vmlinuz -> 
vmlinuz-2.6.13-15.18-default
-rw-r--r--   1 root root 1545043 2007-10-03 20:24 vmlinuz-2.6.13-15.18-default

-I did an online update recently, weeks ago, but the message after that in YaST 
gave an inconsistency warning and a possibly unstable system on radius, so I chose 
to go back to the original radius package of the 10.0 CDs. After that no 
warning anymore, but should I go back and reinstall the update?

> does it all work fine when you, as root, run 'radiusd -X' ?

A: All running, both radiusd -X and rcradiusd start, is done as root, and 
unfortunately all messages come from the user root.
> 

>


-- 
___
Surf the Web in a faster, safer and easier way:
Download Opera 9 at http://www.opera.com

Powered by Outblaze



Re: regular expression

2008-04-16 Thread Alan DeKok
Kevin J wrote:
> Is there a way that I can use a regular expression to validate the
> username attribute?

$ man unlang

> Something like
> User-Name =~ [0-9a-zA-Z.#_]

  Yup.  There are examples in the documentation.

  Alan DeKok.


Re: Assistance with Compiling pam_radius_auth Please.

2008-04-16 Thread Alan DeKok
chase pettet wrote:
> This host is running CentOS 4.3.  uname -r output
> "2.6.9-67.0.4.plus.c4smp".  I have tried looking for an already
> compiled module for PAM on centos without success, my google-foo is
> weak apparently.  I downloaded the tar file straight from
> freeradius.org .  When I unpacked and tried
> using "make" (as root) in the folder I get the following output.  I
> am not much of a programmer so this error looks very confusing to
> me.  Any help would be greatly appreciated.
...
> pam_radius_auth.c:63:34: security/pam_modules.h: No such file or
> directory

  You need the pam development package installed.  See your distribution
documentation for details.

  Alan DeKok.


regular expression

2008-04-16 Thread Kevin J
Is there a way that I can use a regular expression to validate the username 
attribute?

Something like 
User-Name =~ [0-9a-zA-Z.#_] 

I think . or # does not work.




  


RE: SQL log accounting and post_auth

2008-04-16 Thread Guillaume Chartrand

I read and reread man unlang

and changed the insert line to this line:
postauth_query = "INSERT INTO ${postauth_table} (username, pass, reply) VALUES ('%{User-Name}','%{%{User-Password}:-%{Chap-Password}}','%{reply:Packet-Type}')"

It's the Chap-Password value that's corrected. So for the fix, please
update the insert with the correct value.

Thanks


>> For the post_auth it can be useful to other persons if it's
integrated to the next update of freeradius.

>noted - fix and update have been submitted as bug 545
Just to note, I again have the warning in debug mode when I run the
post_auth queries:
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
expand: INSERT INTO radpostauth (username, pass, reply) VALUES
('%{User-Name}',
'%{User-Password:-Chap-Password}','%{reply:Packet-Type}') -> INSERT INTO
radpostauth (username, pass, reply) VALUES ('guillaume',
'Chap-Password','Access-Accept')
expand: /usr/local/var/log/radius/sqltrace.sql ->
/usr/local/var/log/radius/sqltrace.sql

And I don't know what it is. And it's for the post_auth. The post-auth
section has just this:
post-auth {
sql
}

Thanks again

>alan



RE: SQL log accounting and post_auth

2008-04-16 Thread Guillaume Chartrand

>Hi,

>> So for this, now it's working. But I have nothing in radacct table
and even if I only keep the sql_log in the >>accounting section, i have
nothing in my sql-relay file.

>to get the sql-relay file you will need to call sql_log in the
accounting
>stanza and ensure that the sql_log is configured in the main server.
Here is my accounting section:
accounting {
    sql_log
    #  Filter attributes from the accounting response.
    attr_filter.accounting_response
}
And in radiusd.conf
sql_log {
    path = "${radacctdir}/sql-relay"
    acct_table = "radacct"
    postauth_table = "radpostauth"
    sql_user_name = "%{%{User-Name}:-DEFAULT}"

    Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
        NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
        AcctSessionTime, AcctTerminateCause) VALUES \
        ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
        '%{Framed-IP-Address}', '%S', '0', '0', '');"

    Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
        NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
        AcctSessionTime, AcctTerminateCause) VALUES \
        ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
        '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
        '%{Acct-Terminate-Cause}');"

    Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
        NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
        AcctSessionTime, AcctTerminateCause) VALUES \
        ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
        '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}', '');"

    Post-Auth = "INSERT INTO ${postauth_table} \
        (username, pass, reply, authdate) VALUES \
        ('%{User-Name}', '%{User-Password:-Chap-Password}', \
        '%{reply:Packet-Type}', '%S');"
}

So it's defined in radiusd.conf and called in the accounting section. What
am I missing?

>> For the post_auth it can be useful to other persons if it's
integrated to the next update of freeradius.

>noted - fix and update have been submitted as bug 545
Just to note, I again have the warning in debug mode when I run the
post_auth queries:
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
expand: INSERT INTO radpostauth (username, pass, reply) VALUES
('%{User-Name}',
'%{User-Password:-Chap-Password}','%{reply:Packet-Type}') -> INSERT INTO
radpostauth (username, pass, reply) VALUES ('guillaume',
'Chap-Password','Access-Accept')
expand: /usr/local/var/log/radius/sqltrace.sql ->
/usr/local/var/log/radius/sqltrace.sql

And I don't know what it is. And it's for the post_auth. The post-auth
section has just this:
post-auth {
sql
}

Thanks again

>alan



Re: newbie on radiustesting

2008-04-16 Thread A . L . M . Buxey
Hi,

> Does the rlm_eap message tell you anything:

yes, no EAP-Message  - but that's just talking about the incoming
packet.  are you running SELinux by any chance (just thinking
about the file permissions and why the servers cannot read the
cert)

does it all work fine when you, as root, run 'radiusd -X' ?

alan


Re: newbie on radiustesting

2008-04-16 Thread Si St

> - Original Message -
> From: [EMAIL PROTECTED]
> To: "FreeRadius users mailing list" 
> Subject: Re: newbie on radiustesting
> Date: Wed, 16 Apr 2008 19:37:44 +0100
> 
> 
> Hi,
> 
> > linux:/etc/raddb # id radiusd
> > uid=105(radiusd) gid=104(radiusd) Gruppen=104(radiusd)
> >
> > ls -l:
> > drw-r-   3 root radiusd   472 2008-03-31 22:53 certs/
> 
> and the files within?


> 
> alan
The files within seem to have the same permission setup:
linux:/etc/raddb/certs # l
insgesamt 53
drw-r-  3 root radiusd  472 2008-03-31 22:53 ./
drwxr-xr-x  5 root root 728 2008-04-16 20:40 ../
-rw-r-  1 root radiusd  721 2005-09-13 04:15 cert-clt.der
-rw-r-  1 root radiusd 1741 2005-09-13 04:15 cert-clt.p12
-rw-r-  1 root radiusd 2452 2005-09-13 04:15 cert-clt.pem
-rw-r-  1 root radiusd  717 2005-09-13 04:15 cert-srv.der
-rw-r-  1 root radiusd 1733 2005-09-13 04:15 cert-srv.p12
-rw-r-  1 root radiusd 2439 2005-09-13 04:15 cert-srv.pem
drw-r-  2 root radiusd  200 2008-03-31 22:53 demoCA/
-rw-r-  1 root radiusd0 2005-09-13 04:15 dh
-rw-r-  1 root radiusd 2913 2005-09-13 04:15 newcert.pem
-rw-r-  1 root radiusd 1753 2005-09-13 04:15 newreq.pem
-rw-r-  1 root radiusd 1024 2005-09-13 04:15 random
-rw-r-  1 root radiusd  431 2005-09-13 04:15 README
-rw-r-  1 root radiusd  954 2005-09-13 04:15 root.der
-rw-r-  1 root radiusd 1973 2005-09-13 04:15 root.p12
-rw-r-  1 root radiusd 2764 2005-09-13 04:15 root.pem

linux:/etc/raddb/certs/demoCA # l
insgesamt 21
drw-r-  2 root radiusd  200 2008-03-31 22:53 ./
drw-r-  3 root radiusd  472 2008-03-31 22:53 ../
-rw-r-  1 root radiusd 1346 2005-09-13 04:15 cacert.pem
-rw-r-  1 root radiusd  276 2005-09-13 04:15 index.txt
-rw-r-  1 root radiusd  140 2005-09-13 04:15 index.txt.old
-rw-r-  1 root radiusd3 2005-09-13 04:15 serial
-rw-r-  1 root radiusd3 2005-09-13 04:15 serial.old
...

More output:

What I have done now is to start the radiusd with /rcradiusd start/ first with 
the unchanged eap.conf, and then copy the uncommented eap.conf (EAP-TLS part) 
back to where it should be and run /radeapclient/ in debug mode:
Does the rlm_eap message tell you anything?

linux:/etc/raddb # radeapclient -x -f 
/usr/share/doc/packages/freeradius/tmp/radius.test 127.0.0.1:1812 auth 
testing123

+++> About to send encoded packet:
User-Name = "qvnu"
User-Password = "ygd"
NAS-IP-Address = 127.0.0.1
NAS-Port-Id = "0"
Sending Access-Request of id 244 to 127.0.0.1:1812
User-Name = "qvnu"
User-Password = "ygd"
NAS-IP-Address = 127.0.0.1
NAS-Port-Id = "0"
Re-sending Access-Request of id 244 to 127.0.0.1:1812
User-Name = "qvnu"
User-Password = "\351\371V6$\024\t\315\263\271.\037\003\311\325\320"
NAS-IP-Address = 127.0.0.1
NAS-Port-Id = "0"
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=244, length=20
rlm_eap: EAP-Message not found
<+++ EAP decoded packet:

+++> About to send encoded packet:
User-Name = "eaoqk"
User-Password = "uroco"
NAS-IP-Address = 127.0.0.1




Re: SQL log accounting and post_auth

2008-04-16 Thread A . L . M . Buxey
Hi,

> So for this, now it's working. But I have nothing in radacct table and even 
> if I only keep the sql_log in the accounting section, i have nothing in my 
> sql-relay file.

to get the sql-relay file you will need to call sql_log in the accounting
stanza and ensure that the sql_log is configured in the main server.

> For the post_auth it can be useful to other persons if it's integrated to the 
> next update of freeradius.

noted - fix and update have been submitted as bug 545

alan


Re: newbie on radiustesting

2008-04-16 Thread A . L . M . Buxey
Hi,

> linux:/etc/raddb # id radiusd
> uid=105(radiusd) gid=104(radiusd) Gruppen=104(radiusd)
> 
> ls -l:
> drw-r-   3 root radiusd   472 2008-03-31 22:53 certs/

and the files within?

alan


RE: SQL log accounting and post_auth

2008-04-16 Thread Guillaume Chartrand
I resolved some part of my question.

The post_auth part is now inserted in my SQL database. What I modified is:
in mssql.conf, add these lines

postauth_table = "radpostauth"
postauth_query = "INSERT INTO ${postauth_table} (username, pass, reply) VALUES 
('%{User-Name}', '%{User-Password:-Chap-Password}','%{reply:Packet-Type}')"

Before that I also created a table that's not in mssql/schema.sql.
It's a table named radpostauth, created with this command:
CREATE TABLE [radpostauth] (
[id] [int] IDENTITY (1, 1) NOT NULL ,
[userName] [varchar] (64) NOT NULL ,
[pass] [varchar] (64) NOT NULL ,
[reply] [varchar] (32) NOT NULL ,
[authdate] [datetime] NOT NULL
)
GO
ALTER TABLE [radpostauth] WITH NOCHECK ADD
CONSTRAINT [DF_radpostauth_userName] DEFAULT ('') FOR [userName],
CONSTRAINT [DF_radpostauth_pass] DEFAULT ('') FOR [pass],
CONSTRAINT [DF_radpostauth_reply] DEFAULT ('') FOR [reply],
CONSTRAINT [DF_radpostauth_authdate] DEFAULT (getdate()) FOR [authdate],
CONSTRAINT [PK_radpostauth] PRIMARY KEY NONCLUSTERED
(
[id]
) ON [PRIMARY]

With these lines, when an INSERT is made to the table, the table automatically 
adds the date in authdate.

So for this, now it's working. But I have nothing in the radacct table, and even if 
I only keep the sql_log in the accounting section, I have nothing in my 
sql-relay file.

For the post_auth it can be useful to other persons if it's integrated to the 
next update of freeradius.

While I was writing this email I received the response from A L M Buxey, who wrote 
this:
>if you want to use the sql_logging function, ONLY uncomment the sql_log and 
>configure the sql_log{} section as required.  >if you activate sql as well, 
>then it will attempt live SQL insertion into the database for incoming 
>accounting packets.

So now I comment out sql_log for post_auth and leave sql to make inserts 
in my database, and
I comment out sql in the accounting section and leave sql_log uncommented, but I have 
nothing in the sql-relay file

>which version of FR are you running?
>ideally you'd be with 2.x and then just activate the buffered-sql virtual 
>server

I run 2.0.3




Guillaume Chartrand
Technicien informatique
Cégep régional de Lanaudière
Centre administratif, Repentigny
(450) 470-0911 poste 7218

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Guillaume 
Chartrand
Sent: 16 April 2008 10:54
To: FreeRadius users mailing list
Subject: SQL log accounting and post_auth

Hi,

I want to log accounting information and post-auth information in my SQL
database. I have an MSSQL database. In my accounting section I uncommented
sql and sql_log. In the post_auth section I uncommented sql and sql_log too.
Here is the result I receive in debug mode


Login OK: [guillaume\000/] (from client AP1 port 1
cli 00-0E-35-99-F3-E9)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
++[sql] returns noop
rlm_sql_log (sql_log): Processing sql_log_postauth
expand: %{User-Name} -> guillaume
expand: %{%{User-Name}:-DEFAULT} -> guillaume
rlm_sql_log (sql_log): sql_set_user escaped user --> 'guillaume'
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
('%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', '%S'); -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
('guillaume', 'Chap-Password',  'Access-Accept',
'2008-04-16 09:40:46');
expand: /usr/local/var/log/radius/radacct/sql-relay ->
/usr/local/var/log/radius/radacct/sql-relay
++[sql_log] returns ok
MS-MPPE-Recv-Key =
0xddbdd27124caa81a4d0abacd8aa22d99cff95b591717efff32054bbeec88959c
MS-MPPE-Send-Key =
0x1326576688892a9369c4e6f3246aca4a65b572b1767232847b10a93935535b70
EAP-Message = 0x034f0004
Message-Authenticator = 0x
User-Name = "guillaume"
Finished request 9.

So why does the sql module return noop and not insert anything in my
table?
With the sql_log module, I've just inserted the post_auth command, not the
others, but in my sql_log section I have other things like this.

sql_log {
    path = "${radacctdir}/sql-relay"
    acct_table = "radacct"
    postauth_table = "radpostauth"
    sql_user_name = "%{%{User-Name}:-DEFAULT}"

    Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
        NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
        AcctSessionTime, AcctTerminateCause) VALUES \
        ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
        '%{Framed-IP-Address}', '%S', '0', '0', '');"


Re: newbie on radiustesting

2008-04-16 Thread Si St

> - Original Message -
> From: [EMAIL PROTECTED]
> To: "FreeRadius users mailing list" 
> Subject: Re: newbie on radiustesting
> Date: Wed, 16 Apr 2008 18:51:12 +0100
> 
> 
> Hi,
> > FreeRADIUS Version 1.0.4, for host , built on Sep 13 2005
> >
> > I might not know what I am doing, but what is the first thing for 
> > me to do here?
> 
> ...update to 2.0.3?  ;-)
> 
> > But changing no other things, leaving the test-setup (unchanged 
> > files in /etc/raddb/certs from the installation of radius-package 
> > in YaST) as it was.
> 
> you need to ensure that the process you run freeradius (radiusd daemon) as
> (which is probably 'radiusd' id) has permission to read the /etc/raddb/certs
> directory.
> 
> alan
> -
--
Answer to Alan:
I think it has the permissions:

linux:/etc/raddb # id radiusd
uid=105(radiusd) gid=104(radiusd) Gruppen=104(radiusd)

ls -l:
drw-r-   3 root radiusd   472 2008-03-31 22:53 certs/

/etc/group:

radiusd:!:104:





Assistance with Compiling pam_radius_auth Please.

2008-04-16 Thread chase pettet
Greetings list,

This host is running CentOS 4.3.  uname -r output
"2.6.9-67.0.4.plus.c4smp".  I have tried looking for an already compiled
module for PAM on centos without success, my google-foo is weak apparently.
I downloaded the tar file straight from freeradius.org.  When I unpacked and
tried using "make" (as root) in the folder I get the following output.  I am
not much of a programmer so this error looks very confusing to me.  Any help
would be greatly appreciated.


> [EMAIL PROTECTED] pam_radius-1.3.17]# make
> cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
> pam_radius_auth.c:63:34: security/pam_modules.h: No such file or directory
> pam_radius_auth.c:156: error: syntax error before '*' token
> pam_radius_auth.c: In function `_int_free':
> pam_radius_auth.c:158: error: `x' undeclared (first use in this function)
> pam_radius_auth.c:158: error: (Each undeclared identifier is reported only
> once
> pam_radius_auth.c:158: error: for each function it appears in.)
> pam_radius_auth.c: In function `host2server':
> pam_radius_auth.c:270: error: `PAM_AUTHINFO_UNAVAIL' undeclared (first use
> in this function)
> pam_radius_auth.c:312: error: `PAM_SUCCESS' undeclared (first use in this
> function)
> pam_radius_auth.c: In function `initialize':
> pam_radius_auth.c:600: error: `PAM_ABORT' undeclared (first use in this
> function)
> pam_radius_auth.c:659: error: `PAM_AUTHINFO_UNAVAIL' undeclared (first use
> in this function)
> pam_radius_auth.c:691: error: `PAM_SUCCESS' undeclared (first use in this
> function)
> pam_radius_auth.c: In function `talk_radius':
> pam_radius_auth.c:798: error: `PAM_SUCCESS' undeclared (first use in this
> function)
> pam_radius_auth.c:995: error: `PAM_IGNORE' undeclared (first use in this
> function)
> pam_radius_auth.c:997: error: `PAM_AUTHINFO_UNAVAIL' undeclared (first use
> in this function)
> pam_radius_auth.c: At top level:
> pam_radius_auth.c:1014: error: syntax error before '*' token
> pam_radius_auth.c: In function `rad_converse':
> pam_radius_auth.c:1017: error: storage size of 'resp_msg' isn't known
> pam_radius_auth.c:1022: error: `msg_style' undeclared (first use in this
> function)
> pam_radius_auth.c:1023: error: `message' undeclared (first use in this
> function)
> pam_radius_auth.c:1027: warning: implicit declaration of function
> `pam_get_item'
> pam_radius_auth.c:1027: error: `pamh' undeclared (first use in this
> function)
> pam_radius_auth.c:1027: error: `PAM_CONV' undeclared (first use in this
> function)
> pam_radius_auth.c:1028: error: `PAM_SUCCESS' undeclared (first use in this
> function)
> pam_radius_auth.c:1030: error: dereferencing pointer to incomplete type
> pam_radius_auth.c:1030: error: dereferencing pointer to incomplete type
> pam_radius_auth.c:1033: error: `password' undeclared (first use in this
> function)
> pam_radius_auth.c:1042: error: dereferencing pointer to incomplete type
> pam_radius_auth.c:1017: warning: unused variable `resp_msg'
> pam_radius_auth.c: At top level:
> pam_radius_auth.c:1061: error: syntax error before "int"
> pam_radius_auth.c:1062: error: syntax error before '*' token
> pam_radius_auth.c: In function `pam_sm_authenticate':
> pam_radius_auth.c:1070: error: `PAM_AUTH_ERR' undeclared (first use in
> this function)
> pam_radius_auth.c:1078: error: `argc' undeclared (first use in this
> function)
> pam_radius_auth.c:1078: error: `argv' undeclared (first use in this
> function)
> pam_radius_auth.c:1081: warning: implicit declaration of function
> `pam_get_user'
> pam_radius_auth.c:1081: error: `pamh' undeclared (first use in this
> function)
> pam_radius_auth.c:1082: error: `PAM_SUCCESS' undeclared (first use in this
> function)
> pam_radius_auth.c:1082: warning: implicit declaration of function
> `pam_set_data'
> pam_radius_auth.c:1088: error: `PAM_USER_UNKNOWN' undeclared (first use in
> this function)
> pam_radius_auth.c:1097: error: `PAM_RUSER' undeclared (first use in this
> function)
> pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
> pam_radius_auth.c:1121: error: `PAM_SERVICE' undeclared (first use in this
> function)
> pam_radius_auth.c:1135: error: `PAM_AUTHTOK' undeclared (first use in this
> function)
> pam_radius_auth.c:1152: error: `PAM_PROMPT_ECHO_OFF' undeclared (first use
> in this function)
> pam_radius_auth.c:1168: error: `PAM_RHOST' undeclared (first use in this
> function)
> pam_radius_auth.c:1199: error: `PAM_AUTHINFO_UNAVAIL' undeclared (first
> use in this function)
> pam_radius_auth.c:1216: error: `PAM_PROMPT_ECHO_ON' undeclared (first use
> in this function)
> pam_radius_auth.c:1241: warning: implicit declaration of function
> `pam_set_item'
> pam_radius_auth.c: At top level:
> pam_radius_auth.c:1268: error: syntax error before "int"
> pam_radius_auth.c:1269: error: syntax error before '*' token
> pam_radius_auth.c: In function `pam_sm_setcred':
> pam_radius_auth.c:1273: error: `PAM_SUCCESS' undeclared (first use in this
> function)
> pam_radius_auth.c:1275: w

Re: newbie on radiustesting

2008-04-16 Thread A . L . M . Buxey
Hi,
> FreeRADIUS Version 1.0.4, for host , built on Sep 13 2005
> 
> I might not know what I am doing, but what is the first thing for me to do 
> here?

...update to 2.0.3?  ;-)

> But changing no other things, leaving the test-setup (unchanged files in 
> /etc/raddb/certs from the installation of radius-package in YaST) as it was.

you need to ensure that the process you run freeradius (radiusd daemon) as
(which is probably 'radiusd' id) has permission to read the /etc/raddb/certs
directory. 

alan


Re: SQL log accounting and post_auth

2008-04-16 Thread A . L . M . Buxey
Hi,
> Hi,
> 
> I want to log accounting information and post-auth information in my SQL
> database. I have an MSSQL database. In my accounting section I uncommented
> sql and sql_log. In the post_auth section I uncommented sql and sql_log too.
> Here is the result I receive in debug mode

if you want to use the sql_logging function, ONLY uncomment the sql_log
and configure the sql_log{} section as required.  if you activate
sql as well, then it will attempt live SQL insertion into the database 
for incoming accounting packets.  which version of FR are you running?
ideally you'd be with 2.x and then just activate the buffered-sql
virtual server.

> rlm_sql_log (sql_log): Processing sql_log_postauth
> expand: %{User-Name} -> guillaume
> expand: %{%{User-Name}:-DEFAULT} -> guillaume
> rlm_sql_log (sql_log): sql_set_user escaped user --> 'guillaume'
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> details

hmm, follow what the server says...don't use that expansion check.
(i see it in your sql_log section)

> The sql_relay file contains this line
> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES
> ('guillaume', 'Chap-Password','Access-Accept', '2008-04-16 10:04:59');
> 
> And if I take that line and put it in my sql query, it works and
> successfully inserts the info

yep - which is EXACTLY what radsqlrelay will do when you aim it at that file.
this isn't live insertion. it creates a log file, which you then use radsqlrelay 
on.

alan


newbie on radiustesting

2008-04-16 Thread Si St
FreeRADIUS Version 1.0.4, for host , built on Sep 13 2005

I might not know what I am doing, but what is the first thing for me to do here?

(take a look at the /linux:~ # radiusd -X / part further down)
Are these errors in debug mode caused by not running the script mentioned in 
eap.conf:
## EAP-TLS
#
#  To generate ctest certificates, run the script
#
#   ../scripts/certs.sh

Or are the errors caused by other things?

What I simply have done is to uncomment the EAP part in eap.conf in this way:

tls {
    private_key_password = whatever
    private_key_file = ${raddbdir}/certs/cert-srv.pem

    #  If Private key & Certificate are located in
    #  the same file, then private_key_file &
    #  certificate_file must contain the same file
    #  name.
    certificate_file = ${raddbdir}/certs/cert-srv.pem

    #  Trusted Root CA list
    CA_file = ${raddbdir}/certs/demoCA/cacert.pem

    dh_file = ${raddbdir}/certs/dh
    random_file = ${raddbdir}/certs/random

    #
    #  This can never exceed the size of a RADIUS
    #  packet (4096 bytes), and is preferably half
    #  that, to accommodate other attributes in
    #  RADIUS packet.  On most APs the MAX packet
    #  length is configured between 1500 - 1600
    #  In these cases, fragment size should be
    #  1024 or less.
    #
    fragment_size = 1024

    #  include_length is a flag which is
    #  by default set to yes If set to
    #  yes, Total Length of the message is
    #  included in EVERY packet we send.
    #  If set to no, Total Length of the
    #  message is included ONLY in the
    #  First packet of a fragment series.
    #
    include_length = yes

    #  Check the Certificate Revocation List
    #
    #  1) Copy CA certificates and CRLs to same directory.
    #  2) Execute 'c_rehash '.
    #     'c_rehash' is OpenSSL's command.
    #  3) Add 'CA_path='
    #     to radiusd.conf's tls section.
    #  4) uncomment the line below.
    #  5) Restart radiusd
    check_crl = yes

    #
    #  If check_cert_cn is set, the value will
    #  be xlat'ed and checked against the CN
    #  in the client certificate.  If the values
    #  do not match, the certificate verification
    #  will fail rejecting the user.
    #
    check_cert_cn = %{User-Name}
}

But changing no other things, leaving the test-setup (unchanged files in 
/etc/raddb/certs from the installation of radius-package in YaST) as it was.


---
linux:~ # radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config

Re: ENV variables in external scripts

2008-04-16 Thread rsg
Yes, that works well. Many thanks.

In fact by changing the logic slightly you can achieve the required
functionality fairly easily.
e.g. changing the UserID/Password upon radius_request such that
corresponding policies can be applied based on the modified UserName.

rg.


2008/4/16 Ivan Kalik <[EMAIL PROTECTED]>:
> No. Use it to bypass chap.
>
>  http://www.freeradius.org/radiusd/man/unlang.html
>
>
>  Ivan Kalik
>  Kalik Informatika ISP
>
>
>  On 16/4/2008, "rsg" <[EMAIL PROTECTED]> writes:
>
>
>
>  >Could unlang be used to check Calling-station-Id, for instance, from an SQL
> backend?
>  >
>  >
>  >2008/4/10 Ivan Kalik <[EMAIL PROTECTED]>:
>  >> You use unlang for that. Read man unlang.
>  >>
>  >>
>  >>
>  >>  Ivan Kalik
>  >>  Kalik Informatika ISP
>  >>
>  >>
>  >>  On 10/4/2008, "rsg" <[EMAIL PROTECTED]> writes:
>  >>
>  >>  >Hi,
>  >>  >
>  >>  >After a brief review of the logic, I managed to get it working. My
>  >>  >apologies for the trouble and thank you for your time.
>  >>  >
>  >>  >
>  >>  >
>  >>  >rlm_perl related question once again:
>  >>  > When performing credential based Auth, how could I simply fall-through
>  >>  >to the next check when there isn't a match?
>  >>  >
>  >>  >With RAD_REQUEST if Calling-Station-Id is found Password
>  >>  >authentication could be bypassed.
>  >>  >
>  >>  >If not found how to hand the process into a different module e.g. PAP 
> or CHAP?
>  >>  >
>  >>  >Is it possible to achieve this with rlm_perl?
>  >>  >
>  >>  >Also could it be possible to go to a deeper level like user credential
>  >>  >checking? E.g. to check on a particular user profile and perform IP
>  >>  >allocation,etc? And this should come after the Calling-station-id
>  >>  >check.
>  >>  >
>  >>  >Thanks once again for your valuable thoughts.
>  >>  >
>  >>  >rg.
>  >>  >
>  >>  >
>  >>  >
>  >>  >
>  >>  >
>  >>  >
>  >>  >
>  >>  >2008/4/10 Ivan Kalik <[EMAIL PROTECTED]>:
>  >>  >> $myvalue = $RAD_REQUEST{'Calling-Station-Id'};
>  >>  >>  # Print it or check in some other way
>  >>  >>
>  >>  >>  $myquery = "SELECT IF(EXISTS(SELECT callerid FROM auth WHERE
>  >>  >>  callerid='" . $myvalue . "'),'y','n')";
>  >>  >>  # Now print or check in some other way the query to see if it is 
> joined
>  >>  >>  well
>  >>  >>
>  >>  >>  $yourquery = "SELECT IF(EXISTS(SELECT callerid FROM auth WHERE
>  >>  >>  callerid='$RAD_REQUEST{/'Calling-Station-Id'/}'),'y','n')";
>  >>  >>  # And print or check in some other way this to see why it doesn't 
> work
>  >>  >>
>  >>  >>  $status = $db->Mysql::query($myquery);
>  >>  >>
>  >>  >>
>  >>  >>  Ivan Kalik
>  >>  >>  Kalik Informatika ISP
>  >>  >>
>  >>  >>
>  >>  >>  On 10/4/2008, "rsg" <[EMAIL PROTECTED]> writes:
>  >>  >>
>  >>  >>
>  >>  >>
>  >>  >>  >Hi,
>  >>  >>  >
>  >>  >>  >I attempted setting it to a local variable as well.
>  >>  >>  >
>  >>  >>  >Result was the same.
>  >>  >>  >
>  >>  >>  >Thanks so much for your suggestions & guidance. It's really 
> appreciated.
>  >>  >>  >
>  >>  >>  >
>  >>  >>  >
>  >>  >>  >On Thu, Apr 10, 2008 at 1:02 PM,  <[EMAIL PROTECTED]> wrote:
>  >>  >>  >> Hi,
>  >>  >>  >>
>  >>  >>  >>
>  >>  >>  >>  > My next query is when I tried to retrieve the CallerId from a 
> Mysql DB
>  >>  >>  >>  > using the same perl script with,
>  >>  >>  >>  >
>  >>  >>  >>  > -
>  >>  >>  >>  > use Mysql;
>  >>  >>  >>  > :
>  >>  >>  >>  > :
>  >>  >>  >>  > $status = $db->Mysql::query("SELECT IF(EXISTS(SELECT callerid 
> FROM
>  >>  >>  >>  > auth WHERE 
> callerid='$RAD_REQUEST{/'Calling-Station-Id'/}'),'y','n')");
>  >>  >>  >>
>  >>  >>  >>  your escape characters are wrong
>  >>  >>  >>
>  >>  >>  >>  $RAD_REQUEST{\'Calling-Station-Id\'}
>  >>  >>  >>
>  >>  >>  >>  personally, I would set the value into a local variable and do some
>  >>  >>  >>  sanity checking to ensure it'll not screw up the SQL... a nasty
>  >>  >>  >>  person could do something trivial like set their Calling station id
>  >>  >>  >>  to "'; drop all from users" :-)
>  >>  >>  >>
>  >>  >>  >>  alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.h
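The Perl lookup quoted in this thread splices $RAD_REQUEST{'Calling-Station-Id'} straight into the SQL text, which is the injection Alan points at. As an added example (not code from the thread or from FreeRADIUS), here is an rlm_perl-style authorize() that only accepts caller ids shaped like a MAC address and hands the value to DBI as a bound placeholder; the string-built form is kept alongside for comparison. The DSN, credentials and accepted MAC formats are assumptions; the table auth and column callerid are the names used in the thread.

```perl
#!/usr/bin/perl
# Added example (not from the thread or FreeRADIUS): an rlm_perl authorize()
# that checks Calling-Station-Id against an SQL table without letting the
# attribute value alter the SQL statement.
use strict;
use warnings;
use DBI;

# rlm_perl return codes, same values as in FreeRADIUS' example.pl
use constant {
    RLM_MODULE_OK   => 2,
    RLM_MODULE_NOOP => 7,
};

# Filled in by rlm_perl before each call; declared so the file also runs alone.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Assumptions: DSN and credentials are placeholders; table "auth" and
# column "callerid" are the names used in the thread.
my $dsn = 'DBI:mysql:database=radius;host=localhost';
my ($db_user, $db_pass) = ('radius', 'PLACEHOLDER-PASSWORD');

# The form from the thread, kept for comparison only: the attribute is spliced
# into the SQL text, so a value such as the "'; drop all from users" Alan
# mentions becomes part of the statement instead of data.
sub unsafe_query_text {
    my ($callerid) = @_;
    return "SELECT IF(EXISTS(SELECT callerid FROM auth WHERE callerid='"
         . $callerid . "'),'y','n')";
}

# Accept only the shapes a NAS actually sends for a MAC address (assumption:
# colon/dash separated, Cisco dotted, or bare 12 hex digits as in the logs).
sub valid_callerid {
    my ($v) = @_;
    return 0 unless defined $v;
    return $v =~ /\A(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\z/i
        || $v =~ /\A(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\z/i
        || $v =~ /\A[0-9a-f]{12}\z/i;
}

# Bound placeholder: DBI and the driver handle quoting, so no character in
# the attribute can change the structure of the statement.
sub callerid_known {
    my ($dbh, $callerid) = @_;
    my $sth = $dbh->prepare('SELECT COUNT(*) FROM auth WHERE callerid = ?');
    $sth->execute($callerid);
    my ($count) = $sth->fetchrow_array;
    return $count > 0;
}

sub authorize {
    my $callerid = $RAD_REQUEST{'Calling-Station-Id'};

    # Missing or malformed caller id: don't touch the database, let the
    # modules after this one (pap, chap, ...) authenticate as usual.
    return RLM_MODULE_NOOP unless valid_callerid($callerid);

    my $known = eval {
        my $dbh = DBI->connect($dsn, $db_user, $db_pass,
                               { RaiseError => 1, PrintError => 0 });
        my $found = callerid_known($dbh, $callerid);
        $dbh->disconnect;
        $found;
    };
    if ($@) {
        # radiusd::radlog only exists when loaded by rlm_perl
        radiusd::radlog(4, "callerid lookup failed: $@") if defined &radiusd::radlog;
        return RLM_MODULE_NOOP;
    }
    return RLM_MODULE_NOOP unless $known;

    # Known station: the Auth-Type := Accept control item lets the server
    # accept without a password check.
    $RAD_CHECK{'Auth-Type'} = 'Accept';
    return RLM_MODULE_OK;
}

# Stand-alone look at the format filter (perl this_file.pl --demo); rlm_perl
# never passes arguments, so nothing runs at load time inside radiusd.
sub demo {
    for my $id ('000d.2885.af3e', '00-0E-35-99-F3-E9', "'; drop all from users") {
        printf "%-26s %s\n", $id, valid_callerid($id) ? 'accepted' : 'rejected';
    }
}
demo() if @ARGV && $ARGV[0] eq '--demo';
```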

Re: ENV variables in external scripts

2008-04-16 Thread Ivan Kalik
No. Use it to bypass chap.

http://www.freeradius.org/radiusd/man/unlang.html

Ivan Kalik
Kalik Informatika ISP


On 16/4/2008, "rsg" <[EMAIL PROTECTED]> writes:

>Could unlang be used to check Calling-station-Id, for instance, from an SQL
>backend?


Re: exec-program-wait problem with freeradius 2.0.3

2008-04-16 Thread Emmanuel Willems
Thank you for your feedback and sorry for the confusion.
The program is being executed and returning the correct result, but I
still can't authenticate.
I'm using EAP-TTLS-PAP to connect to a Cisco Aironet AP1200.
Using the same sql db in freeradius 1.1.3 it works, but not with
freeradius 2.0.3.

Any suggestions?

Emmanuel


Alan DeKok wrote:
> Emmanuel Willems wrote:
>> Here is a relevant part of the debug log:
> ...
>>> Tue Apr 15 14:36:27 2008 : Auth: Login OK: [000d2885af3e/000d2885af3e]
>>> (from client wlan-sen port 737 cli 000d.2885.af3e)
>>> Tue Apr 15 14:36:27 2008 : Debug: +- entering group post-auth
>>> Tue Apr 15 14:36:27 2008 : Debug:   modsingle[post-auth]: calling exec
>>> (rlm_exec) for request 0
>>> Tue Apr 15 14:36:28 2008 : Debug: Exec-Program output:
>>> Tue Apr 15 14:36:28 2008 : Debug: Exec-Program: returned: 0
>
>   What's the problem?  It's calling your program.
>
>   Alan DeKok.


-- 
System engineer
Belgian Senate
Place de la Nation 1
1009 Brussels
Belgium
e-mail: [EMAIL PROTECTED]
URL: http://www.senate.be
tel: +32 (2) 501.72.39
fax: +32 (2) 514.06.85

SQL log accounting and post_auth

2008-04-16 Thread Guillaume Chartrand
Hi,

I want to log accounting information and post-auth information in my sql
database. I have an MSSQL database. In my accounting section I uncomment
sql and sql_log. In post_auth section I uncomment sql and sql_log too.
Here is the result I receive with debug mode


Login OK: [guillaume\000/] (from client AP1 port 1
cli 00-0E-35-99-F3-E9)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
++[sql] returns noop
rlm_sql_log (sql_log): Processing sql_log_postauth
expand: %{User-Name} -> guillaume
expand: %{%{User-Name}:-DEFAULT} -> guillaume
rlm_sql_log (sql_log): sql_set_user escaped user --> 'guillaume'
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
('%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', '%S'); -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
('guillaume', 'Chap-Password',  'Access-Accept',
'2008-04-16 09:40:46');
expand: /usr/local/var/log/radius/radacct/sql-relay ->
/usr/local/var/log/radius/radacct/sql-relay
++[sql_log] returns ok
MS-MPPE-Recv-Key =
0xddbdd27124caa81a4d0abacd8aa22d99cff95b591717efff32054bbeec88959c
MS-MPPE-Send-Key =
0x1326576688892a9369c4e6f3246aca4a65b572b1767232847b10a93935535b70
EAP-Message = 0x034f0004
Message-Authenticator = 0x
User-Name = "guillaume"
Finished request 9.

So why does the sql module return noop and not insert anything in my
table?
With the sql_log module, only the post-auth command was inserted, not the
others, but in my sql_log section I have other things like that.

sql_log {
    path = "${radacctdir}/sql-relay"
    acct_table = "radacct"
    postauth_table = "radpostauth"
    sql_user_name = "%{%{User-Name}:-DEFAULT}"

    Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
        NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
        AcctSessionTime, AcctTerminateCause) VALUES \
        ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
        '%{Framed-IP-Address}', '%S', '0', '0', '');"
    Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
        NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
        AcctSessionTime, AcctTerminateCause) VALUES \
        ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
        '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
        '%{Acct-Terminate-Cause}');"
    Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
        NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
        AcctSessionTime, AcctTerminateCause) VALUES \
        ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
        '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}', '');"

    Post-Auth = "INSERT INTO ${postauth_table} \
        (username, pass, reply, authdate) VALUES \
        ('%{User-Name}', '%{User-Password:-Chap-Password}', \
        '%{reply:Packet-Type}', '%S');"
}

And for the warning about :=, I looked in man unlang but I didn't find where
to change the := in the sql_log module.
The sql_relay file contains this line
INSERT INTO radpostauth (username, pass, reply, authdate) VALUES
('guillaume', 'Chap-Password','Access-Accept', '2008-04-16 10:04:59');

And if I take that line and put it in my SQL query, it works and
successfully inserts the info.

Thanks

Guillaume 



Re: ENV variables in external scripts

2008-04-16 Thread rsg
Sorry,

I guess it should be in the following format

 %{sql:SELECT ...


However as of now lengthy query won't be supported??


2008/4/16 rsg <[EMAIL PROTECTED]>:
> Could unlang be used to check Calling-station-Id, for instance, from an SQL
> backend?


Possible to limit user access to different types of authentication?

2008-04-16 Thread Ryan
Hi All,

I'm currently using 2.0.3 with authentication via LDAP. Currently I
have a situation whereby there is a requirement to explore limiting
access to the various types of authentication available.

Is it possible to configure it to do so? That is, some users can
authenticate using just PAP and some other users can connect using
EAP-PEAP?

Thanks/Regards,
Ryan


Re: ENV variables in external scripts

2008-04-16 Thread rsg
Could unlang be used to check Calling-station-Id, for instance, from an SQL backend?


2008/4/10 Ivan Kalik <[EMAIL PROTECTED]>:
> You use unlang for that. Read man unlang.


Re: Cisco NAS and 4GB Problem

2008-04-16 Thread Andreas M.

Hello,
yes, I rebooted the router; I was also not able to find similar problems on
Cisco pages.

Maybe it is easier to report this to Cisco; I thought someone else had had the same troubles.

thanks so far.

r,
Andreas M.

Stefan Winter wrote:
>> I never saw the gigaword attribute; I think they are only sent when
>> necessary, or is this wrong?
>
> I'm not sure. I think I saw them filled with 0 as appropriate. Did IOS tell
> you to reboot the NAS before the setting takes effect? Did you do that?
>
> If that doesn't help, read your NAS documentation. I'm not a Cisco employee
> and will not do their work.
>
> Stefan


--
g,
Andreas M.


Re: Cisco NAS and 4GB Problem

2008-04-16 Thread Stefan Winter
> I never saw the gigaword attribute; I think they are only sent when
> necessary, or is this wrong?

I'm not sure. I think I saw them filled with 0 as appropriate. Did IOS tell 
you to reboot the NAS before the setting takes effect? Did you do that? 

If that doesn't help, read your NAS documentation. I'm not a Cisco employee 
and will not do their work.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Research & Development Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: detail sql logging problem

2008-04-16 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> a further question on this one - as the detail relay virtual
> server buffered-sql is only supposed to run when the main thread
> isn't busy... and is only supposed to read the detail file, log to SQL,
> then 'be quiet', why, when it encounters such an issue, does the
> main authentication/accounting etc. thread not process anything?

  I'm not sure. I haven't been able to test it myself, so I don't
really know what's going on in that situation.

> I'd have thought that the virtual server would be moaning and
> complaining as much as it wants, but the main core functionality
> would just keep on going...

  I would think so, too.

  Maybe the detail file reader is re-queuing "failed" requests too
quickly, and starving other threads from CPU...

  Alan DeKok.


Re: test md5

2008-04-16 Thread Alan DeKok
xiningtom_1986 wrote:
>   Today I tried the md5 method, but at the last step when I sent
> the Access-Accept packet to the supplicant, the supplicant said that
> there is no session key and it can't continue to do the 4-way
> handshake. Why?

  Because EAP-MD5 doesn't supply a session key.

>The client uses wpa_supplicant.

  Read the wpa_supplicant documentation for how to tell it that a
session key is not required.

  Alan DeKok.


Re: session-timeout for disconnect at fixed time

2008-04-16 Thread Ivan Kalik
What doesn't work? Your expression? I don't recognize the %% operator (but
I don't use C). Or placing its value in Session-Timeout?

Ivan Kalik
Kalik Informatika ISP


On 16/4/2008, "[EMAIL PROTECTED]"
<[EMAIL PROTECTED]> writes:

>I've tried but it doesn't work.
>I've also tried to put this expression into the modules section under expr{}.
>Then I've added expr to the authorize section. But in the authorize section,
>there mustn't be any expressions. :(
>Please help


Re: detail sql logging problem

2008-04-16 Thread A . L . M . Buxey
hi,

a further question on this one - as the detail relay virtual
server buffered-sql is only supposed to run when the main thread
isn't busy... and is only supposed to read the detail file, log to SQL,
then 'be quiet', why, when it encounters such an issue, does the
main authentication/accounting etc. thread not process anything?
I'd have thought that the virtual server would be moaning and
complaining as much as it wants, but the main core functionality
would just keep on going...

alan


test md5

2008-04-16 Thread xiningtom_1986
Hello!
Today I tried the md5 method, but at the last step when I sent the
Access-Accept packet to the supplicant, the supplicant said that there is no
session key and it can't continue to do the 4-way handshake. Why?
The client uses wpa_supplicant.

Xiningtom

Re: session-timeout for disconnect at fixed time

2008-04-16 Thread javkhlanbaatar
I've tried but it doesn't work.
I've also tried to put this expression into the modules section under expr{}.
Then I've added expr to the authorize section. But in the authorize section,
there mustn't be any expressions. :(
Please help

>>What should be instead of ?.  I want to enter result of the expressions
>>like `%{expr: ((%l + 86399) %% 86400) - %l}`.
>>How can I make it?
>>
>
> Try just:
>
> ((%l + 86399) %% 86400) - %l
>
>>
>>
>>Also, in the debug mode, how can I shorten debugs. I mean, I want to get
>>only access-accept, access-reject, access-request packets, not any others
>>(like entering sql, expanding user etc.,).
>>Help please
>>
>
> -x will produce shortest debug, -xx longer, -xxx even more, etc. What you
> are asking for is not debug but radtest output.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>




Re: Cisco NAS and 4GB Problem

2008-04-16 Thread Andreas M.

Hello,
I've done this already twice, but why does this happen only on virtual access
interfaces and not on the upstream interface?!


I never saw the gigaword attribute; I think they are only sent when
necessary, or is this wrong?

r,
Andreas M.


Stefan Winter wrote:
> Hi,
>
> your accounting packets don't include the Gigawords attributes. Try adding
> aaa accounting gigawords
>
> to your IOS config. This may require a NAS reboot on some IOS versions(!!!).
>
> Greetings,
>
> Stefan Winter
>
>
>


--
g,
Andreas M.

Re: pam_radius authentication problem - no password?

2008-04-16 Thread Alan DeKok
Enno wrote:
> I'm testing this on the target machine (openvpn server) using "ssh -l
> enno 127.0.0.1" and some random password (first I tried with the correct
> password and then started debugging).
> Looking at the code of pam_radius_auth.c and at the output of auth.log I
> would say the call to PAM seems not to return the AUTHTOK. The call
> succeeds, but the password pointer is NULL.
> 
> Any ideas?

  Ask the core PAM libraries why they're not returning the password.

  i.e. this is a PAM problem.  The pam_radius_auth module is working
correctly.

  Alan DeKok.


Re: exec-program-wait problem with freeradius 2.0.3

2008-04-16 Thread Alan DeKok
Emmanuel Willems wrote:
> Here is a relevant part of the debug log:
...
>> Tue Apr 15 14:36:27 2008 : Auth: Login OK: [000d2885af3e/000d2885af3e] (from client wlan-sen port 737 cli 000d.2885.af3e)
>> Tue Apr 15 14:36:27 2008 : Debug: +- entering group post-auth
>> Tue Apr 15 14:36:27 2008 : Debug:   modsingle[post-auth]: calling exec (rlm_exec) for request 0
>> Tue Apr 15 14:36:28 2008 : Debug: Exec-Program output:
>> Tue Apr 15 14:36:28 2008 : Debug: Exec-Program: returned: 0

  What's the problem?  It's calling your program.

  Alan DeKok.


pam_radius authentication problem - no password?

2008-04-16 Thread Enno
Hi,
I have problems using pam_radius to authenticate users using our
freeradius server.
I want to use it with openvpn but tested it with ssh.

The new part of my /etc/pam.d/ssh looks like:
# /etc/security/pam_env.conf.
auth   required     pam_env.so # [1]

auth   sufficient   /lib/security/pam_radius_auth.so debug try_first_pass

To nail the problem down I added some debug info to pam_radius_auth.c:
/* grab the password (if any) from the previous authentication layer */
retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
DPRINT(LOG_DEBUG, "Get password retval: %d, %d", retval, PAM_SUCCESS);
PAM_FAIL_CHECK;

/* password may legitimately be NULL here; passing NULL to %s is undefined
 * behaviour, so substitute a marker. Note that this debug output writes the
 * cleartext password to syslog and must go once the problem is found. */
DPRINT(LOG_DEBUG, "X Got password %s", password ? password : "(null)");

if (password) {
  password = strdup(password);
  DPRINT(LOG_DEBUG, "Got password %s", password);
}

My auth.log file then says:
Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Got user name enno
Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Get password retval: 0, 0
Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: X Got password (null)
Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Sending RADIUS request code 1
Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: RADIUS server  failed to respond
Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: All RADIUS servers failed to respond.
Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: authentication failed

There seem to be problems connecting to the radius server sometimes, but
I think this isn't the problem here. When the connection works, I get
radius response code 3 (afair).

I'm testing this on the target machine (openvpn server) using "ssh -l
enno 127.0.0.1" and some random password (first I tried with the correct
password and then started debugging).
Looking at the code of pam_radius_auth.c and at the output of auth.log I
would say the call to PAM seems not to return the AUTHTOK. The call
succeeds, but the password pointer is NULL.

Any ideas?

Thanks in advance
Enno Gröper


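As an added example (not code from pam_radius_auth, PAM or FreeRADIUS), a minimal RADIUS Access-Request client in Python that takes PAM out of the picture: it hides a PAP User-Password as RFC 2865 section 5.2 describes, sends the request over UDP, and checks the Response Authenticator against the shared secret. "RADIUS server failed to respond" is also what a client sees when FreeRADIUS silently discards a request from an address that is not in its clients.conf, so a reply that arrives and verifies rules out both the network path and the secret. Server address, port, secret and credentials below are placeholders.

```python
"""Stand-alone RADIUS PAP test client (RFC 2865), independent of PAM.

Added example for the pam_radius thread; not pam_radius_auth or FreeRADIUS
code. Server, secret and credentials in __main__ are placeholders.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _attr(type_: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length covers the 2-byte header."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", type_, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a 16-byte multiple, then XOR each block
    with MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, authenticator: bytes, user: str, password: str,
                         secret: bytes, nas_id: bytes = b"pam-test") -> bytes:
    """Code(1) Identifier Length Authenticator(16) Attributes..."""
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, ident: int, request_authenticator: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """What a server sends back (RFC 2865 section 3); used to exercise verify_response offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def verify_response(reply: bytes, request_authenticator: bytes, secret: bytes, ident: int) -> int:
    """Check ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); return the code.

    A reply that fails this check came from a peer with a different secret (or
    was forged), which pam_radius_auth also treats as no usable response.
    """
    if len(reply) < 20:
        raise ValueError("reply too short")
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length < 20 or length > len(reply):
        raise ValueError("reply does not match request")
    reply = reply[:length]  # octets beyond Length are padding and are ignored
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    if expected != reply[4:20]:
        raise ValueError("response authenticator mismatch: wrong shared secret or forged reply")
    return code


def radius_authenticate(server, secret: bytes, user: str, password: str, timeout: float = 3.0):
    """Send one Access-Request; return the verified reply code, or None on timeout."""
    ident = os.urandom(1)[0]
    authenticator = os.urandom(16)
    pkt = build_access_request(ident, authenticator, user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, server)
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_response(reply, authenticator, secret, ident)


if __name__ == "__main__":
    # Placeholders: use the server line from /etc/pam_radius_auth.conf.
    code = radius_authenticate(("127.0.0.1", 1812), b"testing123", "enno", "password")
    print({None: "no reply (timeout)", ACCESS_ACCEPT: "Access-Accept",
           ACCESS_REJECT: "Access-Reject"}.get(code, f"code {code}"))
```

Run it from the machine that runs pam_radius_auth, since FreeRADIUS matches the client entry on the source address of the request: a timeout here with `radiusd -X` showing the packet being ignored points at clients.conf, a verified Access-Reject points at the credentials, and an authenticator mismatch points at the secret.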

Re: Cisco NAS and 4GB Problem

2008-04-16 Thread Stefan Winter
Hi,

your accounting packets don't include the Gigawords attributes. Try adding 

aaa accounting gigawords

to your IOS config. This may require a NAS reboot on some IOS versions(!!!).

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Cisco NAS and 4GB Problem

2008-04-16 Thread Andreas M.

Hello,
I have some trouble with a Cisco NAS, a 4GB problem in the accounting
data.
First, I have gigawords enabled, and also the SQL queries, but this is not the
reason.

I also have accounting for the upstream interface enabled, but the error exists only for users that
are connected via virtual interfaces (PPTP dialup). Maybe this problem is not really RADIUS related,
but I hope to find an answer.


I included some log entries and config examples; maybe someone has
experience with these errors.

regards,
Andreas M.

Here is the last interim update:

Tue Apr 15 23:23:46 2008
Acct-Session-Id = "0006"
Tunnel-Medium-Type:0 = IPv4
Tunnel-Assignment-Id:0 = "1"
Tunnel-Server-Auth-Id:0 = "A_Router"
Acct-Tunnel-Connection = "40682"
Framed-Protocol = PPP
Framed-IP-Address = 10.1.0.1
User-Name = "6543765"
Acct-Session-Time = 28088
Acct-Input-Octets = 18615686
Acct-Output-Octets = 218389141
Acct-Input-Packets = 226199
Acct-Output-Packets = 305451
Acct-Authentic = RADIUS
Acct-Status-Type = Interim-Update
NAS-Port-Type = Virtual
NAS-Port = 3
NAS-Port-Id = "Uniq-Sess-ID3"
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.11
Acct-Delay-Time = 0
Client-IP-Address = 192.168.1.11
Acct-Unique-Session-Id = "ba144af9c3c26fc1"
Timestamp = 1208294626


Here is the last stop record from the nas:

Tue Apr 15 23:26:28 2008
Acct-Session-Id = "0006"
Tunnel-Medium-Type:0 = IPv4
Tunnel-Assignment-Id:0 = "1"
Tunnel-Server-Auth-Id:0 = "A_Router"
Acct-Tunnel-Connection = "40682"
Framed-Protocol = PPP
Framed-IP-Address = 10.1.0.1
User-Name = "6543765"
Acct-Authentic = RADIUS
Acct-Session-Time = 28250
Acct-Input-Octets = 4294967295
Acct-Output-Octets = 4294966951
Acct-Input-Packets = 0
Acct-Output-Packets = 4294967290
Acct-Terminate-Cause = NAS-Error
Acct-Status-Type = Stop
NAS-Port-Type = Virtual
NAS-Port = 3
NAS-Port-Id = "Uniq-Sess-ID3"
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.11
Acct-Delay-Time = 0
Client-IP-Address = 192.168.1.11
Acct-Unique-Session-Id = "ba144af9c3c26fc1"
Timestamp = 1208294788

Cisco config:

System image file is "flash:c180x-advipservicesk9-mz.124-11.XW6.bin"

A_Router#sh aaa attributes | inc giga
Type=118   Name=input-giga-words   Format=Ulong
Type=250   Name=output-giga-words  Format=Ulong

aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization commands 15 default local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting nested
aaa accounting update periodic 3
aaa accounting network default start-stop group radius

interface Virtual-Template1
 ip unnumbered Loopback0
 ip nat inside
 no ip virtual-reassembly
 no logging event link-status
 no snmp trap link-status
 ppp encrypt mppe 128 required
 ppp authentication ms-chap ms-chap-v2

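As an added example for this thread (not FreeRADIUS code and not the poster's), a plausibility check over the two records posted above. On the wire the Acct-*-Octets attributes are 32-bit; RFC 2869 puts the high 32 bits in Acct-*-Gigawords, so a usable total is `gigawords * 2^32 + octets`. The stop record here has Acct-Input-Octets at exactly 2^32-1, Acct-Input-Packets fallen from 226199 to 0, and more output packets than output bytes in 162 seconds, so it is not a plain counter wrap that a Gigawords attribute would account for. The records below are the interim update and the stop record from the post, reduced to the attributes the check needs; the 100 Mbit/s link ceiling is an assumption for a PPTP virtual-access session.

```python
"""Reassemble 64-bit RADIUS byte counts (RFC 2869) and flag a stop record
whose counters cannot follow the preceding Interim-Update.

Added example for the "Cisco NAS and 4GB Problem" thread; not FreeRADIUS
code. INTERIM and STOP are the two records from the post, trimmed to the
attributes used here.
"""

UINT32_MAX = 2**32 - 1

INTERIM = {
    "Acct-Status-Type": "Interim-Update", "Acct-Session-Time": 28088,
    "Acct-Input-Octets": 18615686, "Acct-Output-Octets": 218389141,
    "Acct-Input-Packets": 226199, "Acct-Output-Packets": 305451,
}
STOP = {
    "Acct-Status-Type": "Stop", "Acct-Session-Time": 28250,
    "Acct-Input-Octets": 4294967295, "Acct-Output-Octets": 4294966951,
    "Acct-Input-Packets": 0, "Acct-Output-Packets": 4294967290,
    "Acct-Terminate-Cause": "NAS-Error",
}
# Constructed for contrast: a stop record that follows INTERIM plausibly.
PLAUSIBLE_STOP = {
    "Acct-Status-Type": "Stop", "Acct-Session-Time": 28250,
    "Acct-Input-Octets": 19615686, "Acct-Output-Octets": 220389141,
    "Acct-Input-Packets": 227199, "Acct-Output-Packets": 307451,
}


def total_octets(record: dict, direction: str) -> int:
    """64-bit byte count: Gigawords carry the high word; a NAS that never
    sends the attribute (as in these records) contributes 0 there."""
    high = record.get(f"Acct-{direction}-Gigawords", 0)
    return high * 2**32 + record[f"Acct-{direction}-Octets"]


def counter_deltas(prev: dict, cur: dict, direction: str):
    """(bytes, packets) added between two records of one session."""
    octets = total_octets(cur, direction) - total_octets(prev, direction)
    packets = cur[f"Acct-{direction}-Packets"] - prev[f"Acct-{direction}-Packets"]
    return octets, packets


def audit_stop(prev: dict, stop: dict, max_bits_per_second: int) -> list:
    """Return the reasons a stop record is implausible; an empty list means it passed.

    Checks per direction: the 32-bit counter pinned at its ceiling, counters
    that went backwards, a byte delta the link could not have carried in the
    elapsed time, and more packets than bytes.
    """
    problems = []
    dt = stop["Acct-Session-Time"] - prev["Acct-Session-Time"]
    if dt <= 0:
        return ["Acct-Session-Time did not advance between interim and stop"]
    ceiling = max_bits_per_second // 8 * dt
    for direction in ("Input", "Output"):
        if stop[f"Acct-{direction}-Octets"] == UINT32_MAX:
            problems.append(f"Acct-{direction}-Octets pinned at 2^32-1 (counter saturated)")
        octets, packets = counter_deltas(prev, stop, direction)
        if octets < 0 or packets < 0:
            problems.append(f"{direction} counters went backwards (stop below interim)")
            continue
        if octets > ceiling:
            problems.append(f"{direction}: {octets} bytes in {dt}s exceeds link ceiling of {ceiling} bytes")
        if packets > octets:
            problems.append(f"{direction}: more packets ({packets}) than bytes ({octets})")
    return problems


if __name__ == "__main__":
    for name, rec in (("posted stop record", STOP), ("constructed plausible stop", PLAUSIBLE_STOP)):
        print(name, "->", audit_stop(INTERIM, rec, 100_000_000) or ["ok"])
```

A check like this belongs in front of whatever sums session usage, because once the 4294967295-byte record is added to a user's total it looks like a real 4 GB of traffic. The stock FreeRADIUS SQL accounting queries combine Gigawords and Octets into one column in the same way `total_octets` does; that only helps when the NAS actually sends the Gigawords attribute, which the poster reports never seeing.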