Re: Trouble "SQL Based IP Pool"

2008-05-07 Thread Alan DeKok
Leander S. wrote:
> this is what my radius.conf looks like in the IPPOOL section:

  The SQL IPpool module in 1.1.7 is broken.  Don't use it.

> ##
> 
> ##
> 
> 
>ippool main_pool {
> 
>#  range-start,range-stop: The start and end ip
>#  addresses for the ip pool
> #   range-start = 192.168.1.1
> #   range-stop = 192.168.3.254
> 
>#  netmask: The network mask used for the ip's
> #   netmask = 255.255.255.0
> 
>#  cache-size: The gdbm cache size for the db
>#  files. Should be equal to the number of ip's
>#  available in the ip pool
> #   cache-size = 800
> 
># session-db: The main db file used to allocate ip's to
> clients
> #   session-db = ${raddbdir}/db.ippool
> 
># ip-index: Helper db index file used in multilink
> #   ip-index = ${raddbdir}/db.ipindex
> 
># override: Will this ippool override a Framed-IP-Address
> already set
> #   override = no
> 
># maximum-timeout: If not zero specifies the maximum time
> in seconds an
># entry may be active. Default: 0
> #   maximum-timeout = 0
>}
> 
> #$INCLUDE  ${confdir}/sqlippool.conf
> 
>$INCLUDE  ${confdir}/postgresqlippool.conf
> 
> #OTP token support.  Not included by default.
> #$INCLUDE  ${confdir}/otp.conf
> 
> ##
> 
> ##
> 
> 
> 
> 
> 
> 
> and this is my postgresqlippool.conf which I'm using - it's left original.
> 
> 
> 
> 
> 
> 
> ##  Configuration for the SQL based IP Pool module (rlm_sqlippool)
> ##
> ##  The database schemas are available at:
> ##
> ##   doc/examples/*.sql
> ##
> ##  $Id: postgresqlippool.conf,v 1.1.2.1 2007/07/16 06:35:22 pnixon Exp $
> 
> sqlippool sqlippool {
> 
> 
> ## SQL instance to use (from postgresql.conf) ##
> 
> sql-instance-name = "sql"
> 
> ## SQL table to use for ippool range and lease info
> ippool_table = "radippool"
> 
> ## IP lease duration. (Leases expire even if Acct Stop packet is lost)
> lease-duration = 3600
> 
> ## Attribute which should be considered unique per NAS
> ## Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
> ## Using Calling-Station-Id works for NAS that send fixed NAS-Port
> ## ONLY change this if you know what you are doing!
> pool-key = "%{NAS-Port}"
> #pool-key = "%{Calling-Station-Id}"
> 
> 
> ###
> ## PostgreSQL specific queries.  ##
> ###
> 
> ## This query allocates an IP address from the Pool
> ## The ORDER BY clause of this query tries to allocate the same IP-address
> ## to the user that they had last session...
> allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
>  WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < 'now'::timestamp(0) \
>  ORDER BY (username <> '%{SQL-User-Name}'), \
>  (callingstationid <> '%{Calling-Station-Id}'), expiry_time \
>  LIMIT 1 \
>  FOR UPDATE"
> 
> ## If you prefer to allocate a random IP address every time, use this query instead
> #allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
> # WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < 'now'::timestamp(0) \
> # ORDER BY RANDOM() \
> # LIMIT 1 \
> # FOR UPDATE"
> 
> 
> ## This query marks the IP address handed out by "allocate-find" as used
> ## for the period of "lease-duration" after which time it may be reused.
> allocate-update = "UPDATE ${ippool_table} \
>  SET nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
>  callingstationid = '%{Calling-Station-Id}', username = '%{SQL-User-Name}', \
>  expiry_time = 'now'::timestamp(0) + '${lease-duration} second'::interval \
>  WHERE framedipaddress = '%I'"
> 
> 
> ## This query frees the IP address assigned to "pool-key" when a new request
> ## comes in for the same "pool-key". This means that either you are losing
> ## accounting Stop records or you use Calling-Station-Id instead of NAS-Port
> ## as your "pool-key" and your users are able to reconnect before your NAS
> ## has timed out their previous session. (Generally on wireless networks)
> ## (Note: If your pool-key is set to Calling-Station-Id and not NAS-Port
> ## then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}'
> ## from the WHERE clause)
> allocate-clear = "UPDATE ${ippool_table} \
>  SET nasipaddress = '', pool_key = 0, callingstationid = '', \
>  expiry_time = 'now'::timestamp(0) - '

Re: deployingradius.com down?

2008-05-07 Thread Alan DeKok
Matt Ashfield wrote:
> I can’t seem to get to deployingradius.com website. Anyone know if this
> is down?

  My ISP re-numbered their hosting space.  It would have been nice to
tell me *before* they did it.  Oh well.

  The machine was back up since about 4pm GMT on Wednesday.  But it
might take a while for DNS to propagate.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Re : Re : howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-07 Thread Ivan Kalik
Please don't mess with configuration. Default one works. Your problem
was with the user certificate.

http://www.procurve.com/NR/rdonlyres/06538B80-6DB0-4AC6-893E-8E8E12A180C6/0/ConfiguringFreeRADIUSwithIDMbyExample_Dec_07_WW_Eng_Ltr.pdf

On page 52 you have a picture of the Details tab list with Enhanced Key
Usage filed containing client OID. Does your client certificate have
that field and that value?

Ivan Kalik
Kalik Informatika ISP


On 7/5/2008, "Joel MBA OYONE" <[EMAIL PROTECTED]> wrote:

>Ok,
>
>i think i really missed something! that config should take less than 15 
>minutes but i can't solve my problem for more than a week.
>
>Alan or Ivan, could you give me a half hour to help me to fix my RADIUS EAP-TLS 
>config please. i would like to give you a full access to my network and my 
>terminal too, so the diagnostic should be very very easy for you!
>is it possible?
>
> 
>MBA OYONE Joël
>Lot. El Firdaous
>Bât GH20, Porte A 204, Appt 8
>2 Oulfa
>Casablanca - Maroc
> 
>Tél. : +212 69 25 85 70
>
>
>- Original message 
>From : Alan DeKok <[EMAIL PROTECTED]>
>To : FreeRadius users mailing list 
>
>Sent : Monday, 5 May 2008, 17h18mn 10s
>Subject : Re: Re : howto EAP-TLS on freeradius 2.0.2-3 ??
>
>Joel MBA OYONE wrote:
>...
>> The VLAN attributes defined in RFC3580 are as follows:
>> •   Tunnel-Type=VLAN (13)
>> •   Tunnel-Medium-Type=802
>> •   Tunnel-Private-Group-ID=VLANID
>> 
>> NOTE: The FreeRADIUS dictionary maps the 802 string value to the integer 6, 
>> which
>> is why client entries use 6 for the Tunnel-Medium-Type value.
>
>  No.  For Tunnel-Medium-Type, "802" is a *name*, not a *number*.  See
>Section 3.2 of RFC 2868:
>
>...
>   Value
>  The Value field is three octets and contains one of the values
>  listed under "Address Family Numbers" in [14].  For the sake of
>  convenience, a relevant excerpt of this list is reproduced below.
>
>   1  IPv4 (IP version 4)
>   2  IPv6 (IP version 6)
>   3  NSAP
>   4  HDLC (8-bit multidrop)
>   5  BBN 1822
>   6  802 (includes all 802 media plus Ethernet "canonical format")
>...
>
>  FreeRADIUS gets it *right*.  Many NAS vendors get it *wrong*.
>
>> To create a user and assign the user to a particular VLAN by using 
>> FreeRADIUS, open the
>> etc/raddb/users file, which contains the user account information, and add 
>> for the new user.
>> The following example shows the entry for a user in the users file. The 
>> username is
>> “johndoe,” the password is 
>> “test1234.” The user is assigned to VLAN 77.
>> 
>> johndoe Auth-Type: = EAP, User-Password == “test1234"
>>   Tunnel-Type = 13,
>>   Tunnel-Medium-Type = 6,
>
>  Or:  Tunnel-Medium-Type = IEEE-802
>
>> 
>> in both cases, it stays on "IDENTITY VALIDATION" in xp wireless management 
>> and sometime i receive the right ip address in the right IP Pool. but lost it 
>> immediately, maybe cause of the repeating cycle of authentication sequence.
>> AND, the client certificate, signed by the Server (not the CA root) is still 
>> with the same message.
>> 
>> 
>> hope it would be helpful !!
>
>  Arg.  Microsoft keeps putting magic nonsense into their OS's to make
>it difficult to use non-Microsoft RADIUS servers.
>
>  And yes, this *is* a problem even inside of Microsoft!  So if you're
>finding it a PITA to get it working, rest assured that Microsoft does, too.
>
>  Alan DeKok.
>



Re: Trouble "SQL Based IP Pool"

2008-05-07 Thread Ivan Kalik
>^^ It's not ippool.sql - we're talking about the RADIPPOOL table - No I
>haven't changed this - go and check it by
>yourself:/freeradius-1.1.7/freeradius-1.1.7/doc/examples/postgresql
>And besides that I'm not using "ippool.sql" but instead I'm using
>"postgresqlippool.conf" because I'm using PostgreSQL as DB Server.


You are correct. Schema in 1.1.7 is broken and will not work as
documented. I have attached postgre ippool.sql schema from 2.0.4. That
will correct the input errors. It's also indexed so it should work
faster.

>Didn't you read what I wrote? ; ) It won't work , because there are
>fields which can't be NULL ... for example "pool_key" and so on
>>
..
>proper schema won't work.

This one should.

>>
>>> ^^ 2. What is expiry_time good for if there is already a
>>> lease-duration = 3600 configured in the postgresqlippool.conf? And why
>>> do I get forced to use unix timestamp instead of using a simple time in
>>> seconds when it'll be expired?
>>>
>>
>> Seconds from when? You do need a timestamp for lease start then.
>>
>^^ ah, ok that makes sense ; ) but until now I'm only able to tell the
>DB a fixed timestamp like 2008-12-31 11:15:00 but how do I change that the
>server is picking up the actual time every time somebody gets an IP.
>Might there be a special variable for our case?

start-update query should do that.

Ivan Kalik
Kalik Informatika ISP
--
-- Table structure for table 'radippool'
--

CREATE TABLE radippool (
    id                  BIGSERIAL PRIMARY KEY,
    pool_name           varchar(64) NOT NULL,
    FramedIPAddress     INET NOT NULL,
    NASIPAddress        VARCHAR(16) NOT NULL default '',
    pool_key            VARCHAR(64) NOT NULL default 0,
    CalledStationId     VARCHAR(64),
    CallingStationId    text NOT NULL default ''::text,
    expiry_time         TIMESTAMP(0) without time zone NOT NULL default 'now'::timestamp(0),
    username            text DEFAULT ''::text
);

CREATE INDEX radippool_poolname_expire ON radippool USING btree (pool_name, expiry_time);
CREATE INDEX radippool_framedipaddress ON radippool USING btree (framedipaddress);
CREATE INDEX radippool_nasip_poolkey_ipaddress ON radippool USING btree (nasipaddress, pool_key, framedipaddress);

Re : Re : Re : howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-07 Thread Joel MBA OYONE
up! 
(never says die)


 ==


Ok,

i think i really missed something! that config should take less than 15 minutes 
but i can't solve my problem for more than a week.

Alan or Ivan, could you give me a half hour to help me to fix my RADIUS EAP-TLS 
config please. i would like to give you a full access to my network and my 
terminal too, so the diagnostic should be very very easy for you!
is it possible?


MBA OYONE Joël
Lot. El Firdaous
Bât GH20, Porte A 204, Appt 8
2 Oulfa
Casablanca - Maroc

Tél. : +212 69 25 85 70


- Original message 
From : Alan DeKok <[EMAIL PROTECTED]>
To : FreeRadius users mailing list 
Sent : Monday, 5 May 2008, 17h18mn 10s
Subject : Re: Re : howto EAP-TLS on freeradius 2.0.2-3 ??

Joel MBA OYONE wrote:
...
> The VLAN attributes defined in RFC3580 are as follows:
> •   Tunnel-Type=VLAN (13)
> •   Tunnel-Medium-Type=802
> •   Tunnel-Private-Group-ID=VLANID
> 
> NOTE: The FreeRADIUS dictionary maps the 802 string value to the integer 6, 
> which
> is why client entries use 6 for the Tunnel-Medium-Type value.

  No.  For Tunnel-Medium-Type, "802" is a *name*, not a *number*.  See
Section 3.2 of RFC 2868:

...
   Value
  The Value field is three octets and contains one of the values
  listed under "Address Family Numbers" in [14].  For the sake of
  convenience, a relevant excerpt of this list is reproduced below.

   1  IPv4 (IP version 4)
   2  IPv6 (IP version 6)
   3  NSAP
   4  HDLC (8-bit multidrop)
   5  BBN 1822
   6  802 (includes all 802 media plus Ethernet "canonical format")
...

  FreeRADIUS gets it *right*.  Many NAS vendors get it *wrong*.

> To create a user and assign the user to a particular VLAN by using 
> FreeRADIUS, open the
> etc/raddb/users file, which contains the user account information, and add 
> for the new user.
> The following example shows the entry for a user in the users file. The 
> username is
> “johndoe,” the password is “test1234.” The user is assigned to VLAN 77.
> 
> johndoe Auth-Type: = EAP, User-Password == “test1234"
>   Tunnel-Type = 13,
>   Tunnel-Medium-Type = 6,

  Or:  Tunnel-Medium-Type = IEEE-802

> 
> in both cases, it stays on "IDENTITY VALIDATION" in xp wireless management 
> and sometime i receive the right ip address in the right IP Pool. but lost it 
> immediately, maybe cause of the repeating cycle of authentication sequence.
> AND, the client certificate, signed by the Server (not the CA root) is still 
> with the same message.
> 
> 
> hope it would be helpful !!

  Arg.  Microsoft keeps putting magic nonsense into their OS's to make
it difficult to use non-Microsoft RADIUS servers.

  And yes, this *is* a problem even inside of Microsoft!  So if you're
finding it a PITA to get it working, rest assured that Microsoft does, too.

  Alan DeKok.



Re: huntgroups are failing auth - missing Chap Password

2008-05-07 Thread Ivan Kalik
Read the instructions in the users file about which password attribute you
should be using. User-Password is wrong for 1.1.7.

Ivan Kalik
Kalik Informatika ISP


On 14/9/2007, "Terry Pelley" <[EMAIL PROTECTED]> wrote:

>FreeRADIUS Version 1.1.7
>
>I am using the FreeRADIUS.net Windows version of the software. at least
>for the time being.
>
>I am trying to set up a very basic single user account for a very specific
>purpose and have created the account as follows.
>
>hunttest User-Password == "hunttest", Huntgroup-Name == "hunttest"
>
>My huntgroups file has a huntgroup called hunttest with a single NAS IP
>Address listed as follows.
>
>public NAS-IP-Address == 10.252.9.2
>
>when the user hunttest attempts to authenticate it fails. My RADIUS Log
>shows the following entry.
>
>Wed May  7 15:07:25 2008 : Auth: Login incorrect (rlm_chap: Clear text
>password not available): [hunttest/] (from client NAS04
>port 5 cli 00-1E-8C-0E-8E-70)
>Wed May  7 15:07:25 2008 : Auth: Login incorrect (rlm_chap: Clear text
>password not available): [hunttest/] (from client NAS04
>port 5 cli 00-1E-8C-0E-8E-70)
>
>Can someone tell me what is wrong. I am simply trying to create a config
>that will allow the user hunttest to authenticate only if the request
>comes from the client NAS04. Perhaps a huntgroup is not the best way to do
>this.
>
>
>

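Why rlm_chap reports "Clear text password not available": an added Python example (not FreeRADIUS code) of the RFC 1994 CHAP computation that the server must repeat to check a CHAP-Password attribute. The NAS sends ident plus MD5(ident || password || challenge), so the server can only recompute it from the cleartext password; an MD5 of the password on file gives a different MD5 input and never matches. The ident, challenge and the user "hunttest" below are constructed sample values. The same property is behind the MS-CHAPv2 answers elsewhere on this page, although MS-CHAPv2 works from the NT hash rather than this MD5 formula.

```python
import hashlib
import hmac
import os


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def encode_chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute as the NAS builds it (RFC 2865 5.3):
    one octet of CHAP Identifier followed by the 16-octet response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def challenge_for(request_authenticator: bytes, chap_challenge: bytes = b"") -> bytes:
    """The challenge the server must use: the CHAP-Challenge attribute if the NAS sent
    one, otherwise the 16-octet Request Authenticator of the Access-Request (RFC 2865 5.3)."""
    return chap_challenge if chap_challenge else request_authenticator


def verify_chap(stored_secret: bytes, chap_password_value: bytes, challenge: bytes) -> bool:
    """What the server has to do: recompute the response from what it has stored and compare.
    Only the cleartext password makes the recomputation possible; any hash of the password
    feeds a different input into MD5 and so never matches."""
    if len(chap_password_value) != 17:
        return False                                   # ident + 16-octet MD5, nothing else is valid
    chap_id, response = chap_password_value[0], chap_password_value[1:]
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(expected, response)     # constant-time comparison


def stored_md5(password: bytes) -> bytes:
    """An unsalted MD5 of the password: all a database in the 'md5 passwords' scheme would hold."""
    return hashlib.md5(password).digest()


if __name__ == "__main__":
    # Constructed exchange: the NAS picks an identifier and, with no CHAP-Challenge
    # attribute, the Request Authenticator serves as the challenge.
    request_authenticator = os.urandom(16)
    chall = challenge_for(request_authenticator)
    attr = encode_chap_password(5, b"hunttest", chall)
    print("cleartext on file:", verify_chap(b"hunttest", attr, chall))             # True
    print("md5 on file      :", verify_chap(stored_md5(b"hunttest"), attr, chall))  # False
```

The check item the server looks up is therefore the cleartext password, not a hash of it and not a comparison against the request's own User-Password attribute (which a CHAP request does not carry).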


Re: rlm_sql_oracle compilation woes

2008-05-07 Thread Alan DeKok
Anders Holm wrote:
> I'm trying to compile the rlm_sql_oracle module for FreeRadius 2.0.3
> using Oracle 10.2 client. Now, I've tried every suggestion the configure
> scripts has thrown at me, and none seem to find my header files.

  The configure scripts are there for the common case.  If they don't
work, just edit the rlm_sql_oracle/Makefile file directly.

  Alan DeKok.


Re: hello

2008-05-07 Thread Alan DeKok
Misael Vasquez Sosa wrote:
> which free radius version I should used for Solaris 10??

  The latest released one.  2.0.4.

  Alan DeKok.


Re: Converting User-Name to lower letters

2008-05-07 Thread Alan DeKok
Khaiti, Issam (ext) wrote:
> I need a procedure to convert usernames from upper to lower letters. The
> entries in the fastuser files are all in lower letters. When an
> access-request comes where the username is in uppercase it has to be
> converted to lowercase otherwise the authentication will fail.

  Write a C module, or use the Perl module.

> In the FR version 1.x there was a config option "lower_user = before".
> This isn't existent in the 2.x version anymore. I tried to achieve this
> with unlang but wasn't successful. With the attribute rewrite option I
> can't find a way to do this either. 

  The "lower_user" feature was broken, and was removed.

  Alan DeKok.


Re: Freeradius proxy: rewriting response messages

2008-05-07 Thread Alan DeKok
Simone Vendemia wrote:
> Unfortunately we need to rewrite the response returned to freeradius
> by the other server, in order to change the framed-ip-address and
> framed-route given by the proprietary radius with the data inserted
> previously in our freeradius sql database (mysql) through dialupadmin.
> Both the proxy and the proprietary server have the same usernames in
> their local db.
> Is that a possible setup? We've already searched online without much luck.
> Thank you in advance.

  See the "rewrite" module in radiusd.conf.

  In 2.0, you can update any attribute using "unlang".

post-proxy {
...
if (proxy-reply:Framed-IP-Address) {
update proxy-reply {
Framed-IP-Address := 1.2.3.4
...
}
}
}

  Alan DeKok.


Re: Machine authentication

2008-05-07 Thread Alan DeKok
George KNIGHT wrote:
> Thank you for your reply David.
> 
> I have a long way to go I guess.

  I understand.  I've been hitting the same wall for 10 years.

Q: How do I get FreeRADIUS working with a proprietary, undocumented,
non-compliant vendor software?

A: Damned if I know.  When you find out, please tell us, so other people
don't run into the same problem.

  ... and ... silence.

  Repeat that exchange every month for a decade, with different NAS
vendors, Microsoft, supplicants, VPN's, etc.  It's no wonder I'm a
little cranky at times.  I've put everything I know into the server, and
people *still* get upset that FreeRADIUS is a PoS because they can't get
some crappy vendor's products to work with it.

  What are we supposed to do?  Your frustration is natural, but we're
stuck, too.

  Alan DeKok.


Re: Referencing Ldap-Group in unlang

2008-05-07 Thread Alan DeKok
Jason Alderfer wrote:
> I would like to convert the following users file entry to unlang code in
> 2.0.4.
> 
> DEFAULT Ldap-Group == "cn=not_student,ou=n,o=emu"
> Tunnel-Type = "VLAN",
> Tunnel-Medium-Type = "IEEE-802",
> Tunnel-Private-Group-Id = 6
> 
> But after reading the unlang man page and trying it several ways, I can't
> figure out how to duplicate this functionality.

  Um... it doesn't really work well right now.  I think that the patch
shouldn't be hard, but I don't have time to do much right now.

  In the short term, stick with the "users" file.  Sorry...

  Alan DeKok.


Re: Pptpd / MySql / MD5

2008-05-07 Thread Thibault Le Meur

Sascha Kiefer wrote:

Hi,

Thanks to http://wiki.freeradius.org/PopTop i can authenticate my vpn 
users

using a remote radius server using MS-CHAPv2

You're welcome ;-)

Passwords are stored in clear in the mysql database.
PopTop is responsible for the remoteip.
Everything works.
Now, is it possible?
* to use md5 passwords in db; i had this in the first place but
authentication failed
No, with MS-CHAPv2 your radius server needs either to know the NTLM-Hash 
version of your password or the plaintext version of your password. MD5 
is not supported by design.


Thibault



Re: Pptpd / MySql / MD5

2008-05-07 Thread Nicholas Hall
On Wed, May 7, 2008 at 2:03 PM, Sascha Kiefer <[EMAIL PROTECTED]> wrote:

> Hi,
>
> Thanks to http://wiki.freeradius.org/PopTop i can authenticate my vpn
> users
> using a remote radius server using MS-CHAPv2
> Passwords are stored in clear in the mysql database.
> PopTop is responsible for the remoteip.
> Everything works.
> Now, is it possible?
> * to use md5 passwords in db; i had this in the first place but
> authentication failed


CHAP requires passwords to be stored in plaintext on the backend.


> * achieve the following: user A is logged in from workstation X; don't let
> him log in from workstation Y as long as he is logged in from X


I believe Simultaneous-Use is what you're looking for.  Documentation on
this is included in the source.

-- 
Nicholas Hall
[EMAIL PROTECTED]

huntgroups are failing auth - missing Chap Password

2008-05-07 Thread Terry Pelley
FreeRADIUS Version 1.1.7 

I am using the FreeRADIUS.net Windows version of the software. at least
for the time being.

I am trying to set up a very basic single user account for a very specific
purpose and have created the account as follows.

hunttest User-Password == "hunttest", Huntgroup-Name == "hunttest"

My huntgroups file has a huntgroup called hunttest with a single NAS IP
Address listed as follows.

public  NAS-IP-Address == 10.252.9.2

when the user hunttest attempts to authenticate it fails. My RADIUS Log
shows the following entry.

Wed May  7 15:07:25 2008 : Auth: Login incorrect (rlm_chap: Clear text
password not available): [hunttest/] (from client NAS04
port 5 cli 00-1E-8C-0E-8E-70)
Wed May  7 15:07:25 2008 : Auth: Login incorrect (rlm_chap: Clear text
password not available): [hunttest/] (from client NAS04
port 5 cli 00-1E-8C-0E-8E-70)

Can someone tell me what is wrong. I am simply trying to create a config
that will allow the user hunttest to authenticate only if the request
comes from the client NAS04. Perhaps a huntgroup is not the best way to do
this.


Pptpd / MySql / MD5

2008-05-07 Thread Sascha Kiefer

Hi,

Thanks to http://wiki.freeradius.org/PopTop i can authenticate my vpn users
using a remote radius server using MS-CHAPv2
Passwords are stored in clear in the mysql database.
PopTop is responsible for the remoteip.
Everything works. 


Now, is it possible?
* to use md5 passwords in db; i had this in the first place but
authentication failed
* achieve the following: user A is logged in from workstation X; don't let
him log in from workstation Y as long as he is logged in from X

Thanks for any hints.

Sascha






hello

2008-05-07 Thread Misael Vasquez Sosa

which free radius version I should used for Solaris 10??

thanks



Referencing Ldap-Group in unlang

2008-05-07 Thread Jason Alderfer
Hi all,

I would like to convert the following users file entry to unlang code in
2.0.4.

DEFAULT Ldap-Group == "cn=not_student,ou=n,o=emu"
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = 6

But after reading the unlang man page and trying it several ways, I can't
figure out how to duplicate this functionality.  The above users file
entry causes this in the debug output:

rlm_ldap: Entering ldap_groupcmp()
expand: o=emu -> o=emu
expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))) ->
(|(&(objectClass=GroupOfNames)(member=cn\3dalderfjh\2cou\3dis\2cou\3dn\2co\3demu)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=not_student,ou=n,o=emu, with filter
(|(&(objectClass=GroupOfNames)(member=cn\3dalderfjh\2cou\3dis\2cou\3dn\2co\3demu)))
request done: ld 0x81a5118 msgid 29
rlm_ldap::ldap_groupcmp: User found in group cn=not_student,ou=n,o=emu

But so far none of the syntax below has invoked ldap_groupcmp().

if ( Ldap-Group == "cn=not_student,ou=n,o=emu" ) {
if ( control:Ldap-Group == "cn=not_student,ou=n,o=emu" ) {
if ( "%{Ldap-Group}" == "cn=not_student,ou=n,o=emu" ) {
if ( "%{ldap:Ldap-Group}" == "cn=not_student,ou=n,o=emu" ) {

Jason



Re: Trouble "SQL Based IP Pool"

2008-05-07 Thread Leander S.

this is what my radius.conf looks like in the IPPOOL section:
##
##

   ippool main_pool {

   #  range-start,range-stop: The start and end ip
   #  addresses for the ip pool
#   range-start = 192.168.1.1
#   range-stop = 192.168.3.254

   #  netmask: The network mask used for the ip's
#   netmask = 255.255.255.0

   #  cache-size: The gdbm cache size for the db
   #  files. Should be equal to the number of ip's
   #  available in the ip pool
#   cache-size = 800

   # session-db: The main db file used to allocate ip's to 
clients

#   session-db = ${raddbdir}/db.ippool

   # ip-index: Helper db index file used in multilink
#   ip-index = ${raddbdir}/db.ipindex

   # override: Will this ippool override a 
Framed-IP-Address already set

#   override = no

   # maximum-timeout: If not zero specifies the maximum 
time in seconds an

   # entry may be active. Default: 0
#   maximum-timeout = 0
   }

#$INCLUDE  ${confdir}/sqlippool.conf

   $INCLUDE  ${confdir}/postgresqlippool.conf

#OTP token support.  Not included by default.
#$INCLUDE  ${confdir}/otp.conf

##
##





and this is my postgresqlippool.conf which I'm using - it's left original.






##  Configuration for the SQL based IP Pool module (rlm_sqlippool)
##
##  The database schemas are available at:
##
##   doc/examples/*.sql
##
##  $Id: postgresqlippool.conf,v 1.1.2.1 2007/07/16 06:35:22 pnixon Exp $

sqlippool sqlippool {


## SQL instance to use (from postgresql.conf) ##

sql-instance-name = "sql"

## SQL table to use for ippool range and lease info
ippool_table = "radippool"

## IP lease duration. (Leases expire even if Acct Stop packet is lost)
lease-duration = 3600

## Attribute which should be considered unique per NAS
## Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
## Using Calling-Station-Id works for NAS that send fixed NAS-Port
## ONLY change this if you know what you are doing!
pool-key = "%{NAS-Port}"
#pool-key = "%{Calling-Station-Id}"


###
## PostgreSQL specific queries.  ##
###

## This query allocates an IP address from the Pool
## The ORDER BY clause of this query tries to allocate the same IP-address
## to the user that they had last session...
allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
 WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < 'now'::timestamp(0) \
 ORDER BY (username <> '%{SQL-User-Name}'), \
 (callingstationid <> '%{Calling-Station-Id}'), expiry_time \
 LIMIT 1 \
 FOR UPDATE"

## If you prefer to allocate a random IP address every time, use this query instead
#allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
# WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < 'now'::timestamp(0) \
# ORDER BY RANDOM() \
# LIMIT 1 \
# FOR UPDATE"


## This query marks the IP address handed out by "allocate-find" as used
## for the period of "lease-duration" after which time it may be reused.
allocate-update = "UPDATE ${ippool_table} \
 SET nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
 callingstationid = '%{Calling-Station-Id}', username = '%{SQL-User-Name}', \
 expiry_time = 'now'::timestamp(0) + '${lease-duration} second'::interval \
 WHERE framedipaddress = '%I'"


## This query frees the IP address assigned to "pool-key" when a new request
## comes in for the same "pool-key". This means that either you are losing
## accounting Stop records or you use Calling-Station-Id instead of NAS-Port
## as your "pool-key" and your users are able to reconnect before your NAS
## has timed out their previous session. (Generally on wireless networks)
## (Note: If your pool-key is set to Calling-Station-Id and not NAS-Port
## then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}'
## from the WHERE clause)
allocate-clear = "UPDATE ${ippool_table} \
 SET nasipaddress = '', pool_key = 0, callingstationid = '', \
 expiry_time = 'now'::timestamp(0) - '1 second'::interval \
 WHERE pool_key = '${pool-key}' \
 AND nasipaddress = '%{Nas-IP-Address}'"


## This query extends an IP address lease by "lease-duration" when an accounting
## START record arrives
start-update = "UPDATE ${ippool_table} \
 SET expiry_time = 'now'::timestamp(0) + '${lease-duration} second'::interval \
 WHERE nasi
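The lease lifecycle that these allocate-clear, allocate-find, allocate-update and start-update queries implement, together with the 2.0.4 radippool schema posted in Ivan's reply, replayed against an in-memory SQLite table. This is an added example and not FreeRADIUS code: the SQL is rewritten in SQLite dialect (datetime() in place of 'now'::timestamp(0) plus an interval, TEXT in place of INET), the current time is passed in as a string so a run is reproducible where the server reads the wall clock, and the WHERE clause of start-update, which is cut off above, is assumed to match on nasipaddress and pool_key. What it shows is the division of labour the thread circles around: the operator seeds only pool_name and framedipaddress, every lease column (including expiry_time, which the schema defaults to 'now') is written by the server from lease-duration at allocation time, and a row whose expiry_time lies in the future is never handed out before then. All addresses, names and timestamps below are constructed.

```python
import sqlite3

LEASE_DURATION = 3600   # seconds: the lease-duration value from postgresqlippool.conf

# Column layout follows the 2.0.4 radippool schema posted in the thread, with SQLite
# types (this DDL is constructed for the example, not the project's own ippool.sql).
SCHEMA = """
CREATE TABLE radippool (
    id               INTEGER PRIMARY KEY,
    pool_name        TEXT NOT NULL,
    framedipaddress  TEXT NOT NULL,
    nasipaddress     TEXT NOT NULL DEFAULT '',
    pool_key         TEXT NOT NULL DEFAULT '0',
    calledstationid  TEXT,
    callingstationid TEXT NOT NULL DEFAULT '',
    expiry_time      TEXT NOT NULL,
    username         TEXT DEFAULT ''
)
"""


def open_pool():
    """An empty radippool table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def seed(db, pool_name, ip, expiry_time):
    """What the operator inserts: pool name and address. expiry_time is passed explicitly
    here to stand in for the schema's DEFAULT 'now'; every other column keeps its default."""
    db.execute("INSERT INTO radippool (pool_name, framedipaddress, expiry_time) VALUES (?, ?, ?)",
               (pool_name, ip, expiry_time))


def allocate(db, pool_name, username, calling_station, nas_ip, pool_key, now):
    """One Access-Request through allocate-clear, allocate-find and allocate-update.
    `now` is a 'YYYY-MM-DD HH:MM:SS' string; the real server uses 'now'::timestamp(0).
    Returns the allocated address, or None when nothing in the pool has expired."""
    # allocate-clear: a fresh request from a pool-key that still holds a lease on this NAS
    # (lost Stop, or a reconnect) expires that lease one second in the past.
    db.execute("UPDATE radippool SET nasipaddress = '', pool_key = '0', callingstationid = '', "
               "expiry_time = datetime(?, '-1 seconds') "
               "WHERE pool_key = ? AND nasipaddress = ?", (now, pool_key, nas_ip))
    # allocate-find: any expired address in the pool, preferring the one this user, then this
    # calling station, held last time; oldest expiry first.
    row = db.execute("SELECT framedipaddress FROM radippool "
                     "WHERE pool_name = ? AND expiry_time < ? "
                     "ORDER BY (username <> ?), (callingstationid <> ?), expiry_time LIMIT 1",
                     (pool_name, now, username, calling_station)).fetchone()
    if row is None:
        return None
    ip = row[0]
    # allocate-update: the server, not the operator, stamps expiry_time = now + lease-duration.
    db.execute("UPDATE radippool SET nasipaddress = ?, pool_key = ?, callingstationid = ?, "
               "username = ?, expiry_time = datetime(?, ?) WHERE framedipaddress = ?",
               (nas_ip, pool_key, calling_station, username, now,
                f"+{LEASE_DURATION} seconds", ip))
    return ip


def accounting_start(db, nas_ip, pool_key, now):
    """start-update: an Accounting Start pushes expiry_time out by another lease-duration.
    Assumption: the truncated WHERE clause matches on nasipaddress and pool_key."""
    db.execute("UPDATE radippool SET expiry_time = datetime(?, ?) "
               "WHERE nasipaddress = ? AND pool_key = ?",
               (now, f"+{LEASE_DURATION} seconds", nas_ip, pool_key))


def lease_of(db, ip):
    """(username, pool_key, expiry_time) currently recorded for an address."""
    return db.execute("SELECT username, pool_key, expiry_time FROM radippool "
                      "WHERE framedipaddress = ?", (ip,)).fetchone()


if __name__ == "__main__":
    db = open_pool()
    for addr in ("192.168.5.1", "192.168.5.2"):
        seed(db, "mypool", addr, "2008-05-07 15:00:00")
    ip = allocate(db, "mypool", "leander", "00-1E-8C-0E-8E-70", "10.1.10.80", "2",
                  "2008-05-07 15:00:01")
    print(ip, lease_of(db, ip))
```

Note the strict `expiry_time < now` in allocate-find: a row becomes allocatable once the clock has moved past the value it was seeded with, and a hand-typed expiry_time far in the future keeps the address out of the pool until that date.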

Re: Trouble "SQL Based IP Pool"

2008-05-07 Thread Leander S.

Ivan Kalik wrote:

>From your previous post:



PostgreSQL:


CREATE TABLE radippool (
    id                  BIGSERIAL PRIMARY KEY,
    pool_name           text NOT NULL,
    FramedIPAddress     INET,
    NASIPAddress        text NOT NULL,
    CalledStationId     VARCHAR(64),
    CallingStationId    text DEFAULT ''::text NOT NULL,
    expiry_time         TIMESTAMP(0) without time zone NOT NULL,
    username            text DEFAULT ''::text,
    pool_key            VARCHAR(30) NOT NULL
);

#

This is not the schema from ippool.sql. You have made changes and broke
the queries. Use the schema provided with the server.

 
^^ It's not ippool.sql - we're talking about the RADIPPOOL table - No I 
haven't changed this - go and check it by 
yourself:/freeradius-1.1.7/freeradius-1.1.7/doc/examples/postgresql
And besides that I'm not using "ippool.sql" but instead I'm using 
"postgresqlippool.conf" because I'm using PostgreSQL as DB Server.

This is my actual output for a user who has attribute: "Pool-Name = mypool"

root ~ #  radtest leander 123456 10.1.10.80:1812 2 schaefer
Sending Access-Request of id 79 to 10.1.10.80 port 1812
   User-Name = "leander"
   User-Password = "123456"
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 2
rad_recv: Access-Accept packet from host 10.1.10.80:1812, id=79, length=122
   Framed-Protocol = PPP
   Framed-MTU = 1492
   Framed-Compression = Van-Jacobson-TCP-IP
   Session-Timeout = 86400
   Framed-IP-Address = 255.255.255.254
   Service-Type = Framed-User
   Framed-IP-Netmask = 255.255.255.255
root ~ #

^^ Btw. Why is my NAS-IP-Address = 255.255.255.255 ? I didn't write that
in clients.conf? Where might I change that?



You can't configure NAS-IP-Address in radtest. If you want to send
different NAS-IP-Address use radclient.

Well actually I think I don't need to change that .. I was just wondering why 
NAS's IP address is 255.255.255.255
  

 just once again .. because I can't get rid of the guess that my
mistake is in the data I typed into the DB table:

INSERT INTO radippool (pool_name, framedipaddress, nasipaddress,
expiry_time, pool_key) VALUES ('mypool', '192.168.5.1', '10.1.10.80',
'2008-12-31 00:00:00', '0');



Don't. Type what's documented. If you use proper schema it will work.
  
Didn't you read what I wrote? ; ) It won't work , because there are 
fields which can't be NULL ... for example "pool_key" and so on
  

^^ 1. What is pool_key standing for? Why do _I_ have to write that in
manually?



No you don't. You are just breaking things further. Again, use proper
schema.
  


^^
proper schema won't work.
  

^^ 2. What is expiry_time good for if there is already a
lease-duration = 3600 configured in the postgresqlippool.conf? And why
do I get forced to use unix timestamp instead of using a simple time in
seconds when it'll be expired?



Seconds from when? You do need a timestamp for lease start then.
  
^^ Ah, ok, that makes sense ; ) But until now I'm only able to tell the 
DB a fixed timestamp like 2008-12-31 11:15:00; how do I make the 
server pick up the current time every time somebody gets an IP? 
Might there be a special variable for our case?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


  




Re: Converting User-Name to lower letters

2008-05-07 Thread Ivan Kalik
Use rlm_perl and lc() or \L.

Ivan Kalik
Kalik Informatika ISP



On 7/5/2008, "Khaiti, Issam (ext)" <[EMAIL PROTECTED]>
writes:

>
>Hello to all,
>
>I need a procedure to convert usernames from upper to lowercase letters. The
>entries in the fastuser files are all in lowercase letters. When an
>access-request comes in where the username is in uppercase, it has to be
>converted to lowercase, otherwise the authentication will fail.
>
>In the FR version 1.x there was a config option "lower_user = before".
>This no longer exists in the 2.x version. I tried to achieve this
>with unlang but wasn't successful. With the attribute rewrite option I
>can't find a way to do this either.
>
>Therefore my question: how can I convert the User-Name attribute from
>uppercase to lowercase?
>
>
>I did the following :
>
>Radiusd.conf:
>--
>
>authorize {
>preprocess
>eap
>
>if ("%{User-Name}" !~  /(%{User-Name}\L)/ )  {
>  update request {
>  User-Name = `%{1}`
>  }
> }
>
>   fastusers_voip_printer   {
>ok = return
>}
>
>
>fastusers_mac  {
>ok = return
>}
>
>
>fastusers_assigned  {
>ok = return
>}
>  fastusers_all   {
>notfound = reject
>
>   }
>   }
>
>
>
>fastusers_all:
>
>-
>
>radiustest3 Auth-Type := EAP
>Service-Type = Framed-User,
>Tunnel-Type = VLAN,
>Tunnel-Medium-Type = IEEE-802,
>Tunnel-Private-Group-ID = 230,
>Reply-Message = "auth von fastuser_all"
>
>
>Radiusd -X :
>
>--
>
>rad_recv: Access-Request packet from host 146.254.173.225 port 48125,
>id=0, length=130
>User-Name = "RAdiustest2"
>NAS-IP-Address = 127.0.0.1
>Calling-Station-Id = "02-00-00-00-00-01"
>Framed-MTU = 1400
>NAS-Port-Type = Wireless-802.11
>Connect-Info = "CONNECT 11Mbps 802.11b"
>EAP-Message = 0x0210015241646975737465737432
>Message-Authenticator = 0x5093767d601db7bf8a1ba95e9200fc77
>+- entering group authorize
>++[preprocess] returns ok
>  rlm_eap: EAP packet type response id 0 length 16
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>++? if ("%{User-Name}" !~  /(%{User-Name})\L)/ )
>expand: %{User-Name} -> RAdiustest2
>expand: (%{User-Name})L) -> (RAdiustest2)L)
>? Evaluating ("%{User-Name}" !~  /(%{User-Name})\L)/) -> TRUE
>++? if ("%{User-Name}" !~  /(%{User-Name})\L)/ ) -> TRUE
>++- entering if ("%{User-Name}" !~  /(%{User-Name})\L)/ )
>expand: %{1} ->
>Exec-Program output: Exec-Program: FAILED to execute : No such file or
>directory
>Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute : No such
>file or directory
>Exec-Program: returned: 1
>+++[request] returns invalid
>++- if ("%{User-Name}" !~  /(%{User-Name})\L)/ ) returns invalid
>Invalid user: [RAdiustest2/] (from client radtest2
>port 0 cli 02-00-00-00-00-01)
>Delaying reject of request 0 for 1 seconds
>Going to the next request
>Waking up in 0.9 seconds.
>Sending delayed reject for request 0
>Sending Access-Reject of id 0 to 146.254.173.225 port 48125
>Waking up in 0.9 seconds.
>Cleaning up request 0 ID 0 with timestamp +5
>Ready to process requests.
>
>---
>
>I'm sure I have missed something in the docs.
>
>Is there a possible setup? I've already searched in the config examples,
>docs, manpages and the mailing list archive but without luck.
>
>Thank you in advance.
>
>
>



Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

2008-05-07 Thread Phil Mayers
rad_recv: Access-Request packet from host 192.168.1.227 port 33361, id=96, length=252

User-Name = "[EMAIL PROTECTED] "
X-Ascend-Netware-timeout = 1785686126
X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
X-Ascend-Receive-Secret = snip
X-Ascend-IP-Pool-Definition = snip
X-Ascend-IPX-Peer-Mode = 0x5245474953544552
Digest-Response = "7cfeea7f2242db43d8ee8956cf116617"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 1785686126
Cisco-AVPair = snip
NAS-IP-Address = 127.0.0.1 
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
ERROR: Received Digest-Response without Digest-Attributes
++[digest] returns invalid


HOW MANY TIMES must you be told this?!?!

Your CLIENT IS NOT SENDING ALL THE DIGEST ATTRIBUTES!

FIX YOUR CLIENT!


Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

2008-05-07 Thread Ivan Kalik
>rad_recv: Access-Request packet from host 192.168.1.227 port 33360, id=95,
>length=252
>User-Name = "[EMAIL PROTECTED]"
>X-Ascend-Netware-timeout = 1785686126
>X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
>X-Ascend-Receive-Secret =
>0x3438323163336363623962623466396334363964656132376565306534346438373831653830
>X-Ascend-IP-Pool-Definition = "sip:192.168.1.227"
>X-Ascend-IPX-Peer-Mode = 0x5245474953544552
>Digest-Response = "7cfeea7f2242db43d8ee8956cf116617"
>Service-Type = IAPP-Register
>X-Ascend-PW-Lifetime = 1785686126
>Cisco-AVPair = "call-id=
>[EMAIL PROTECTED]"
>NAS-IP-Address = 127.0.0.1
>NAS-Port = 5060

You are (again) sending a request without Digest-Attributes. Try sending
one with them.

Ivan Kalik
Kalik Informatika ISP



Re: SQLIP pool backend - MySQL or PostgreSQL

2008-05-07 Thread rsg
From my experience, when MySQL InnoDB (for the ip-pool table) and row-level
locking are used, I didn't come across any issue with duplicate IPs for
250+ concurrent auth requests.

I have different architectural issues for successful Auth and
Accounting, but they aren't related to SQLIPPOOL.


On Wed, May 7, 2008 at 4:43 PM, Flamur Rogova <[EMAIL PROTECTED]> wrote:
> Hi,
>  I have been using rlm_ippool successfully for more than a year, and didn't
> have problems with it.
>
>  Since we have many IP pools (~4-10 per NAS) and we need non-contiguous IP
> addresses in a pool, I would try SQL based pools.
>
>  I have read some posts that in MySQL you might get duplicate IPs if you
> have a lot of connections towards db...
>
>  Could you share your experience/opinions on sqlip/MySQL or sqlip/PostgreSQL
> under heavy load, if you use any ?
>
>  Thanks,
>  Flamur
>
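Added illustration, not the module's own queries and not the doc/examples schema: a Python/sqlite3 sketch of the lease logic argued over in the "Trouble SQL Based IP Pool" thread above (expiry_time is an absolute timestamp, lease start plus lease-duration, and nasipaddress/pool_key/expiry_time are filled in by the server, not typed into the table) and of the duplicate-IP race this thread asks about, with a compare-and-swap UPDATE as one alternative to the row-level locking mentioned here. The table layout, the NOW timestamp and the second request's pool_key are constructed; the pool name, NAS address and 192.168.5.x addresses are taken from the thread.

```python
import sqlite3

LEASE_DURATION = 3600   # seconds; mirrors "lease-duration = 3600" in the thread
NOW = 1_210_000_000     # constructed "current time" in Unix seconds

# Constructed table (not the doc/examples schema) using the thread's column names.
SCHEMA = """CREATE TABLE radippool (
    id INTEGER PRIMARY KEY, pool_name TEXT NOT NULL, framedipaddress TEXT NOT NULL,
    nasipaddress TEXT NOT NULL DEFAULT '', pool_key TEXT NOT NULL DEFAULT '',
    expiry_time INTEGER NOT NULL DEFAULT 0)"""

def new_pool(addresses, pool_name="mypool"):
    """Seed rows with pool_name and address only; expiry_time 0 means free. The
    server fills nasipaddress/pool_key/expiry_time when it leases an address."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO radippool (pool_name, framedipaddress) VALUES (?, ?)",
        [(pool_name, a) for a in addresses])
    conn.commit()
    return conn

def find_free(conn, pool_name, now):
    """Read step: an address whose lease has expired or was never taken."""
    return conn.execute(
        "SELECT id, framedipaddress FROM radippool WHERE pool_name = ? "
        "AND expiry_time < ? ORDER BY expiry_time, id LIMIT 1",
        (pool_name, now)).fetchone()

def claim(conn, row, nas, key, now, recheck):
    """Write step. expiry_time = lease start (now) + lease-duration, an absolute
    timestamp the next lookup can compare with the clock. With recheck=True the
    UPDATE only succeeds while the row is still free (a compare-and-swap, one
    alternative to the row locking mentioned in the thread); None if it lost."""
    sql = ("UPDATE radippool SET nasipaddress = ?, pool_key = ?, "
           "expiry_time = ? WHERE id = ?")
    params = [nas, key, now + LEASE_DURATION, row[0]]
    if recheck:
        sql += " AND expiry_time < ?"
        params.append(now)
    cur = conn.execute(sql, params)
    conn.commit()
    return row[1] if cur.rowcount == 1 else None

def allocate(conn, pool_name, nas, key, now, recheck=True, attempts=3):
    """Read a candidate, try to claim it, retry with a fresh read on a lost race."""
    for _ in range(attempts):
        row = find_free(conn, pool_name, now)
        if row is None:
            return None          # pool exhausted
        if (ip := claim(conn, row, nas, key, now, recheck)) is not None:
            return ip
    return None

def release(conn, nas, key):
    """Acct-Stop for (NAS, pool_key): hand the address back at once. If the
    Stop is lost, the row frees itself once expiry_time has passed."""
    conn.execute(
        "UPDATE radippool SET nasipaddress = '', pool_key = '', expiry_time = 0 "
        "WHERE nasipaddress = ? AND pool_key = ?", (nas, key))
    conn.commit()

def interleaved_race(recheck, now=NOW):
    """Two Access-Requests from one NAS read the pool before either writes.
    Without the recheck both get the same address; with it the second claim
    sees rowcount 0 and falls back to a fresh allocation."""
    conn = new_pool(["192.168.5.1", "192.168.5.2"])
    first = find_free(conn, "mypool", now)
    second = find_free(conn, "mypool", now)      # same row as `first`
    ip_a = claim(conn, first, "10.1.10.80", "1", now, recheck)
    ip_b = claim(conn, second, "10.1.10.80", "2", now, recheck)
    if ip_b is None:
        ip_b = allocate(conn, "mypool", "10.1.10.80", "2", now, recheck)
    return ip_a, ip_b

def lease_lifecycle(now=NOW):
    """An address is reclaimed by expiry only after lease-duration has elapsed."""
    conn = new_pool(["192.168.5.1"])
    allocate(conn, "mypool", "10.1.10.80", "1", now)
    still_leased = allocate(conn, "mypool", "10.1.10.80", "2", now + LEASE_DURATION - 1)
    reclaimed = allocate(conn, "mypool", "10.1.10.80", "2", now + LEASE_DURATION + 1)
    return still_leased, reclaimed

if __name__ == "__main__":
    print(interleaved_race(False), interleaved_race(True), lease_lifecycle())  # naive, safe, expiry
```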


Re: PAM for RADIUS

2008-05-07 Thread Nick Owen
On Mon, May 5, 2008 at 5:46 AM, Ravi setty <[EMAIL PROTECTED]> wrote:
> Hi,
>We are trying to authenticate a Solaris box using RADIUS user
>  accounts, and configured PAM to send ssh requests to RADIUS.
>  Even though RADIUS accepts the user request by sending an Access-Accept
>  packet, ssh is not logging in to the system.
>
>  Does anybody know what to configure to make RADIUS users able to log in to the Solaris 
> box?
>
>  Thanks,
>  Ravi

Ravi:

It sounds like this is more of a PAM issue than radius.  I know
nothing about PAM on Solaris, but perhaps it is your pam.d/sshd file.
You might get more info on the PAM list or from Sun.  In your
pam.d/sshd file, check the setting for account and session.  Does your
log say that the user is being authenticated?  What messages are you
getting?

hth.

nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication


Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

2008-05-07 Thread johnson elangbam
Hi,
I am using FreeRADIUS 2.0.3 with radiusclient-ng 0.5.6. I need to use
the following attributes
'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri',
'Digest-Nonce', 'Digest-Response' in my perl code, to do my md5
calculation; unfortunately I can't get any of the values except
Digest-Response.
I hope I've tried all the alternatives that were posted by Ivan Kalik
earlier.

1. I've uncommented all the digest entries in the sites-enabled/default file and
I've uncommented all the perl entries in the
default.
2. I've tried accessing the digest attributes in my perl code by using
RAD_CHECK as well as RAD_CHECK.

But it doesn't work.

Can anybody please tell me whether it is possible to call the digest attributes
in the perl code? If it is possible, please show me how to call
these attributes ('Digest-User-name', 'Digest-Realm', 'Digest-Method',
'Digest-Uri', 'Digest-Nonce', 'Digest-Response').

Or could the problem of not getting the digest attributes be caused by
incompatible dictionaries of the radius client and radius server?
Please help, I am really confused about where the problem is.

Thanks for your valuable time.

*Here is the output when running in debug mode, before authenticating a
user*

FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on May  7 2008
at 16:45:53
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
 }
 client 192.168.1.227 {
require_message_authenticator = no
secret = "johnson"
shortname = "mynetwork"
nastype = "other"
 }
radiusd:  Loading Realms and Home Servers 
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = "request"
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_digest
 Module: Instantiating digest
 Module: Linked to module rlm_perl
 Module: Instantiating perl
  perl {
module = "/usr/local/etc/raddb/myperltemp.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_post_auth = "post_auth"
  }
  perl {
max_clones = 32
start_clones = 32
min_spare_clones = 0
max_spare_clones = 32
cleanup_delay = 5
max_request_per_clone = 0
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntd
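Added illustration (Python; not rlm_digest's code and not the poster's perl) of what Phil Mayers's reply above and this post turn on: Digest-Response can only be checked once Digest-User-Name, Digest-Realm, Digest-Method, Digest-Uri and Digest-Nonce are present, which in these versions the client sends packed inside Digest-Attributes for the module to unpack, so a request carrying Digest-Response alone yields the 'invalid' seen in the debug output. The sample request, realm, nonce and password are constructed.

```python
import hashlib
import hmac

# Sub-attributes rlm_digest needs besides Digest-Response (the ones the post
# lists). The client packs them into Digest-Attributes and the module unpacks
# them before the calculation below; without them there is nothing to verify,
# hence "Received Digest-Response without Digest-Attributes".
REQUIRED = ("Digest-User-Name", "Digest-Realm", "Digest-Method",
            "Digest-Uri", "Digest-Nonce")

def _md5_hex(*fields):
    """MD5 over the colon-joined fields, hex encoded, as RFC 2617 defines H()."""
    return hashlib.md5(":".join(fields).encode("utf-8")).hexdigest()

def expected_response(attrs, password):
    """RFC 2617 digest without qop:
         HA1 = H(user:realm:password), HA2 = H(method:uri),
         response = H(HA1:nonce:HA2).
    (With qop=auth the middle term is nonce:nc:cnonce:qop; not handled here.)"""
    ha1 = _md5_hex(attrs["Digest-User-Name"], attrs["Digest-Realm"], password)
    ha2 = _md5_hex(attrs["Digest-Method"], attrs["Digest-Uri"])
    return _md5_hex(ha1, attrs["Digest-Nonce"], ha2)

def check_digest(attrs, password):
    """Return codes as in the debug output: 'noop' when the request carries no
    digest at all, 'invalid' when Digest-Response arrives without the other
    attributes, otherwise 'ok'/'reject' after a constant-time comparison."""
    if "Digest-Response" not in attrs:
        return "noop"
    if any(name not in attrs for name in REQUIRED):
        return "invalid"
    calc = expected_response(attrs, password).encode("ascii")
    got = attrs["Digest-Response"].strip().lower().encode("utf-8")
    return "ok" if hmac.compare_digest(calc, got) else "reject"

def make_request(password, **overrides):
    """Constructed SIP REGISTER request (not a packet from the thread) whose
    Digest-Response matches `password`; overrides let a caller tamper with it."""
    attrs = {
        "User-Name": "alice@example.net",
        "Digest-User-Name": "alice",
        "Digest-Realm": "example.net",
        "Digest-Method": "REGISTER",
        "Digest-Uri": "sip:example.net",
        "Digest-Nonce": "0a1b2c3d4e5f60718293a4b5",
        "Service-Type": "IAPP-Register",
    }
    attrs["Digest-Response"] = expected_response(attrs, password)
    attrs.update(overrides)
    return attrs

def response_only(attrs):
    """The shape of the request in the thread: Digest-Response present, none of
    the sub-attributes it was computed over."""
    return {k: v for k, v in attrs.items()
            if not k.startswith("Digest-") or k == "Digest-Response"}

if __name__ == "__main__":
    good = make_request("s3cret")
    for label, req, pw in (("complete", good, "s3cret"), ("bad password", good, "wrong"),
                           ("response only", response_only(good), "s3cret")):
        print(label, "->", check_digest(req, pw))
```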

Converting User-Name to lower letters

2008-05-07 Thread Khaiti, Issam (ext)
 
Hello to all, 

I need a procedure to convert usernames from upper to lowercase letters. The
entries in the fastuser files are all in lowercase letters. When an
access-request comes in where the username is in uppercase, it has to be
converted to lowercase, otherwise the authentication will fail.

In the FR version 1.x there was a config option "lower_user = before".
This no longer exists in the 2.x version. I tried to achieve this
with unlang but wasn't successful. With the attribute rewrite option I
can't find a way to do this either. 

Therefore my question: how can I convert the User-Name attribute from
uppercase to lowercase?


I did the following : 

Radiusd.conf:
--

authorize {
preprocess
eap

if ("%{User-Name}" !~  /(%{User-Name}\L)/ )  {
  update request {
  User-Name = `%{1}`
  }
 } 

   fastusers_voip_printer   {
ok = return
}


fastusers_mac  {
ok = return
}


fastusers_assigned  {
ok = return
}
  fastusers_all   {
notfound = reject

}
   }
 


fastusers_all:

-

radiustest3 Auth-Type := EAP
Service-Type = Framed-User,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 230,
Reply-Message = "auth von fastuser_all"


Radiusd -X :

--

rad_recv: Access-Request packet from host 146.254.173.225 port 48125,
id=0, length=130
User-Name = "RAdiustest2"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0210015241646975737465737432
Message-Authenticator = 0x5093767d601db7bf8a1ba95e9200fc77
+- entering group authorize
++[preprocess] returns ok
  rlm_eap: EAP packet type response id 0 length 16
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++? if ("%{User-Name}" !~  /(%{User-Name})\L)/ )
expand: %{User-Name} -> RAdiustest2
expand: (%{User-Name})L) -> (RAdiustest2)L)
? Evaluating ("%{User-Name}" !~  /(%{User-Name})\L)/) -> TRUE
++? if ("%{User-Name}" !~  /(%{User-Name})\L)/ ) -> TRUE
++- entering if ("%{User-Name}" !~  /(%{User-Name})\L)/ )
expand: %{1} ->
Exec-Program output: Exec-Program: FAILED to execute : No such file or
directory
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute : No such
file or directory
Exec-Program: returned: 1
+++[request] returns invalid
++- if ("%{User-Name}" !~  /(%{User-Name})\L)/ ) returns invalid
Invalid user: [RAdiustest2/] (from client radtest2
port 0 cli 02-00-00-00-00-01)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 146.254.173.225 port 48125
Waking up in 0.9 seconds.
Cleaning up request 0 ID 0 with timestamp +5
Ready to process requests.

---

I'm sure I have missed something in the docs. 

Is there a possible setup? I've already searched in the config examples,
docs, manpages and the mailing list archive but without luck.

Thank you in advance.



SQLIP pool backend - MySQL or PostgreSQL

2008-05-07 Thread Flamur Rogova

Hi,
I have been using rlm_ippool successfully for more than a year, and 
didn't have problems with it.


Since we have many IP pools (~4-10 per NAS) and we need non-contiguous IP 
addresses in a pool, I would try SQL based pools.


I have read some posts that in MySQL you might get duplicate IPs if you 
have a lot of connections towards db...


Could you share your experience/opinions on sqlip/MySQL or 
sqlip/PostgreSQL under heavy load, if you use any ?


Thanks,
Flamur


Re: deployingradius.com down?

2008-05-07 Thread Pedro Figueiredo

On 7 May 2008, at 14:15, Matt Ashfield wrote:
I can't seem to get to the deployingradius.com website. Anyone know if  
this is down?


looks like it:

http://downforeveryoneorjustme.com/deployingradius.com

cheers,

pedro
--
"you don't code php. you merely edit it until it works." - merlyn






deployingradius.com down?

2008-05-07 Thread Matt Ashfield
I can't seem to get to the deployingradius.com website. Anyone know if this is
down?

 

Matt 

[EMAIL PROTECTED]

 


Windows XP and EAP-logoff

2008-05-07 Thread Mike Perdide
Hi,
I'm working on dynamic VLAN assignment using FreeRADIUS, and I'm trying to 
authenticate machines before the users.
When the machine starts, it uses its own credentials to access the network, 
then the user logs on using the Windows XP GINA. 

My problem is that the user, after that, is still accessing the network with 
the machine account. It's only when I manually unplug and re-plug the 
Ethernet cable that the user's credentials are used.

I've tried setting the AuthMode to 1 and the SupplicantMode to 3, as advised, 
but it's still not doing an EAP logoff when the user logs on.

Am I missing something?
-- 
GPG key : 0xC417137E


rlm_sql_oracle compilation woes

2008-05-07 Thread Anders Holm
Hi Folks. 

This is a potential newbie question, though I seem unable to find any answers 
in the FAQ or in the archives, so ... 

I'm trying to compile the rlm_sql_oracle module for FreeRADIUS 2.0.3 using the 
Oracle 10.2 client. Now, I've tried every suggestion the configure script has 
thrown at me, and none seem to find my header files. 

ORACLE_HOME is set to where the client resides. I have the headers in a 
different location though, so I've used --with-oracle-home-dir and friends 
to try and point to where those reside. 

I always get the same answer back from configure, which is that it can't find 
oci.h, which is in the specified locations... 

Would anyone have any examples or pointers I can poke a stick at and see if I 
am just doing things backwards? Any pointers would be highly appreciated. 

//anders 

Re : Re : howto EAP-TLS on freeradius 2.0.2-3 ??

2008-05-07 Thread Joel MBA OYONE
Ok,

I think I really missed something! That config should take less than 15 minutes, 
but I haven't been able to solve my problem for more than a week.

Alan or Ivan, could you give me half an hour to help me fix my RADIUS EAP-TLS 
config please? I would like to give you full access to my network and my 
terminal too, so the diagnosis should be very, very easy for you!
Is it possible?

 
MBA OYONE Joël
Lot. El Firdaous
Bât GH20, Porte A 204, Appt 8
2 Oulfa
Casablanca - Maroc
 
Tel.: +212 69 25 85 70


----- Original Message -----
From: Alan DeKok <[EMAIL PROTECTED]>
To: FreeRadius users mailing list 
Sent: Monday, 5 May 2008, 17:18:10
Subject: Re: Re : howto EAP-TLS on freeradius 2.0.2-3 ??

Joel MBA OYONE wrote:
...
> The VLAN attributes defined in RFC3580 are as follows:
> •   Tunnel-Type=VLAN (13)
> •   Tunnel-Medium-Type=802
> •   Tunnel-Private-Group-ID=VLANID
> 
> NOTE: The FreeRADIUS dictionary maps the 802 string value to the integer 6, 
> which
> is why client entries use 6 for the Tunnel-Medium-Type value.

  No.  For Tunnel-Medium-Type, "802" is a *name*, not a *number*.  See
Section 3.2 of RFC 2868:

...
   Value
  The Value field is three octets and contains one of the values
  listed under "Address Family Numbers" in [14].  For the sake of
  convenience, a relevant excerpt of this list is reproduced below.

   1  IPv4 (IP version 4)
   2  IPv6 (IP version 6)
   3  NSAP
   4  HDLC (8-bit multidrop)
   5  BBN 1822
   6  802 (includes all 802 media plus Ethernet "canonical format")
...

  FreeRADIUS gets it *right*.  Many NAS vendors get it *wrong*.

> To create a user and assign the user to a particular VLAN by using 
> FreeRADIUS, open the
> etc/raddb/users file, which contains the user account information, and add 
> for the new user.
> The following example shows the entry for a user in the users file. The 
> username is
> “johndoe,” the password is “test1234.” The user is assigned to VLAN 77.
> 
> johndoe Auth-Type: = EAP, User-Password == “test1234"
>   Tunnel-Type = 13,
>   Tunnel-Medium-Type = 6,

  Or:  Tunnel-Medium-Type = IEEE-802

> 
> In both cases, it stays on "IDENTITY VALIDATION" in the XP wireless management, 
> and sometimes I receive the right IP address in the right IP pool but lose it 
> immediately, maybe because of the repeating cycle of the authentication sequence.
> AND, the client certificate, signed by the server (not the CA root), still 
> gives the same message.
> 
> 
> Hope it would be helpful !!

  Arg.  Microsoft keeps putting magic nonsense into their OS's to make
it difficult to use non-Microsoft RADIUS servers.

  And yes, this *is* a problem even inside of Microsoft!  So if you're
finding it a PITA to get it working, rest assured that Microsoft does, too.

  Alan DeKok.

Possible to update radius reply with additional attributes that are dynamic

2008-05-07 Thread Ryan
Hi,

I have a radius running on 1.1.3 with authentication via LDAP. Does
anyone know if it is possible to add attributes to the radius reply
based on the radiusClass from LDAP as well as the NAS-IP?

Thanks/Regards,
Ryan


Re: small problem with unlang (2.0.4)

2008-05-07 Thread Pshem Kowalczyk
Thank you :-) brackets did the trick :-)

kind regards
Pshem


2008/5/7 Stefan Winter <[EMAIL PROTECTED]>:
>
>
>  | if ("%{proxy-reply:Framed-IP-Address}" =~
>  | /([0-9]+).([0-9]+).([0-9]+).([0-9]+)/){
>  | if (\
>  | ( "%{expr: %{1} * 16777216 + %{2} *
>  | 65536 + %{3} * 256 + %{4}}" >= 3417153537  &&  \
>  | "%{expr: %{1} * 16777216 + %{2} *
>  | 65536 + %{3} * 256 + %{4}}" <= 3417153790  ) \
>  | ) {
>  | update reply {
>  | Reply-Message := "IP in range"
>  | }
>  | }
>  | else {
>  | update reply {
>  | Reply-Message := "IP not in
> range"
>  | }
>  | attr_filter.strip-ip
>  | }
>  |
>  |
>  | During debugging I've noticed that the condition is always met, even
>  | though it shouldn't be (IP in question 103.109.246.254)
>
>  Every condition should be in its own brace pair:
>
>  ~ if (\
>
>  ~ (( "%{expr: %{1} * 16777216 + %{2} *
>  ~ 65536 + %{3} * 256 + %{4}}" >= 3417153537)  &&  (\
>  ~ "%{expr: %{1} * 16777216 + %{2} *
>  ~ 65536 + %{3} * 256 + %{4}}" <= 3417153790  )) \
>  ~ ) {
>
>  Just a guess though, I'm not a pro in unlang myself (yet).
>
>  Stefan
>