SV: SV: SV: No known good password

2009-03-04 Thread Ove Fagerheim
Thank you Ivan,

I figured that out after actually *reading* your post, unfortunately I'm a 
little bit stressed at the moment.

After uncommenting the entry, FreeRadius does not start. Errors:

E:\FreeRADIUS.net\bin>radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Errors reading /freeradius/etc/raddb: No such file or directory
Errors reading radiusd.conf
(what a clever way to get rid of errors)

The application is installed in the E:\freeradius.net folder. Still a whole 
bunch of files in the bin and lib directories defines a prefix to 
prefix=/freeradius. Is there a bug in the installation script or has someone 
actually changed the name of the installation folder?

Anyway, I changed all files in the bin directory to read
prefix=/freeradius.net, and restarted the service. That didn't help. I even
tried to reboot the server without any luck. So I guess it's the .la-files in
the lib directory that is the problem. I am reluctant to manually change these
entries since the usage of these files is not obvious to me (yet).

And yes, I'm reading the documentation as best as I can ;-)
Ove

-Original message-
From: 
freeradius-users-bounces+ove.fagerheim=helgelandskraft...@lists.freeradius.org 
[mailto:freeradius-users-bounces+ove.fagerheim=helgelandskraft...@lists.freeradius.org]
 On behalf of t...@kalik.net
Sent: 3 March 2009 15:10
To: FreeRadius users mailing list
Subject: Re: SV: SV: No known good password


> Ooops, I took over for a 3rd party consultant who gave up. Luckily, I
> still have the original clients.conf. I'll try that one.


It's in radiusd.conf in 1.1.7.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: SV: SV: SV: No known good password

2009-03-04 Thread Alan DeKok
Ove Fagerheim wrote:
> After uncommenting the entry, FreeRadius does not start. Errors:
>
> E:\FreeRADIUS.net\bin>radiusd -X

  Ah freeradius.net.  That's a cygwin build of a *very* old version
of the server.

  I'd suggest running it instead on a Linux machine.  You can run a
*new* version of the server.

  Alan DeKok.


Re: eap-tls configuration not running...

2009-03-04 Thread fabien.crettaz
Hello

My server is now accepting the eap authentication, but is sending after 
this accept an access challenge to the client. It seems that the client 
ignores the access challenge sent by the server !!
Any idea ??
Fabien

rad_recv: Access-Request packet from host 10.166.42.30:1024, id=3, 
length=159
User-Name = sierre08015
NAS-IP-Address = 10.166.42.30
NAS-Port = 1
Called-Station-Id = 00-14-C2-BB-FF-70:test
Calling-Station-Id = 00-1F-3C-13-1A-1F
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11g
EAP-Message = 0x02070010017369657272653038303135
Message-Authenticator = 0x44d8e63aaf78d1dd710924a013bfe7ba
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
  rlm_eap: EAP packet type response id 7 length 16
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 3
users: Matched entry sierre08015 at line 97
  modcall[authorize]: module files returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 3 to 10.166.42.30 port 1024
EAP-Message = 0x010800060d20
Message-Authenticator = 0x
State = 0x70d9ca888398794265f013f1ea86a3b8
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.166.42.30:1024, id=4, 
length=241
User-Name = sierre08015
NAS-IP-Address = 10.166.42.30
NAS-Port = 1
Called-Station-Id = 00-14-C2-BB-FF-70:test
Calling-Station-Id = 00-1F-3C-13-1A-1F
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11g
EAP-Message = 
0x020800500d8000461603010041013d030149ae3f67c2530394de05ba7fb9c39413db6dd4d884994527880e0543a428dee41600040005000a000900640062000300060013001200630100
State = 0x70d9ca888398794265f013f1ea86a3b8
Message-Authenticator = 0x56372f6bfce57e79360ae0c757da625b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module preprocess returns ok for request 4
  rlm_eap: EAP packet type response id 8 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 4
users: Matched entry sierre08015 at line 97
  modcall[authorize]: module files returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls:  TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 02ad], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls:  TLS 1.0 Handshake [length 00a3], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module eap returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 4 to 10.166.42.30 port 1024
EAP-Message = 
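
Decoding the EAP-Message values from the debug output above shows what each packet in the exchange carries: the Access-Challenge is an EAP-TLS Start request, and request 4 is an EAP-TLS response with the same EAP id. This Python decoder is an added example, not part of the original post or of FreeRADIUS; the third value, as archived on this page, is shorter than its own header declares, and the decoder reports that rather than guessing.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS"}
# EAP-TLS flag bits (RFC 5216, section 3.1)
TLS_FLAGS = ((0x80, "Length-Included"), (0x40, "More-Fragments"), (0x20, "Start"))

# EAP-Message values copied from the debug output above, in log order.
SAMPLES = [
    ("Access-Request id=3", "0x02070010017369657272653038303135"),
    ("Access-Challenge id=3", "0x010800060d20"),
    ("Access-Request id=4",
     "0x020800500d8000461603"
     "010041013d030149ae3f"
     "67c2530394de05ba7fb9"
     "c39413db6dd4d8849945"
     "27880e0543a428dee416"
     "00040005000a00090064"
     "00620003000600130012"
     "00630100"),
]


def decode_eap(value):
    """Decode one EAP-Message value in the 0x... form printed by radiusd -X."""
    text = value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("an EAP packet starts with a 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {
        "code": EAP_CODES.get(code, "Unknown(%d)" % code),
        "id": ident,
        "declared_length": length,
        "actual_length": len(raw),
        # False when the value is only a fragment (long EAP packets span
        # several EAP-Message attributes) or the copy is damaged.
        "complete": length == len(raw),
    }
    # Only Request and Response packets carry a Type field.
    if code in (1, 2) and len(raw) >= 5:
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, "Unknown(%d)" % eap_type)
        body = raw[5:]
        if eap_type == 1:
            info["identity"] = body.decode("utf-8", errors="replace")
        elif eap_type == 13 and body:
            flags = body[0]
            info["tls_flags"] = [name for bit, name in TLS_FLAGS if flags & bit]
            # The 4-byte TLS message length is only trusted on a complete packet.
            if flags & 0x80 and info["complete"] and len(body) >= 5:
                info["tls_message_length"] = struct.unpack("!I", body[1:5])[0]
    return info


def describe(label, value):
    """One summary line per EAP-Message, for reading alongside the debug log."""
    info = decode_eap(value)
    parts = [label, info["code"], "id=%d" % info["id"], info.get("type", "-")]
    if "identity" in info:
        parts.append("identity=%s" % info["identity"])
    if "tls_flags" in info:
        parts.append("flags=%s" % (",".join(info["tls_flags"]) or "none"))
    if not info["complete"]:
        parts.append("INCOMPLETE: header says %d bytes, value has %d"
                     % (info["declared_length"], info["actual_length"]))
    return " | ".join(parts)


if __name__ == "__main__":
    for label, value in SAMPLES:
        print(describe(label, value))
```
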

Freeradius with CoA

2009-03-04 Thread M K
Hello all!

I have freeradius 2.1.3 installed on my FreeBSD 7.1 OS. And I have cisco
7201 with ISG module. When I try to send CoA (Change of authorization)
account-logon request like this

/bin/echo \
User-Name='cisco',User-Password='cisco',cisco-avpair='subscriber:command=account-logon',Cisco-Account-Info='S172.16.xx.xx' \
| /usr/local/bin/radclient -x 172.16.yy.yy coa secret

I immediately receive CoA-NAK.

rad_recv: CoA-NAK packet from host 172.16.yy.yy port 1700, id=5, length=56
  Cisco-Command-Code = \0202;cisco
  Cisco-Account-Info = S172.16.xx.xx

There's cisco debug:

012618: *Mar 4 03:03:35.479: RADIUS: COA received from id 234
172.16.xx.xx:51830, CoA Request, len 105
012619: *Mar 4 03:03:35.479: COA: 172.16.xx.xx request queued
012620: *Mar 4 03:03:35.479: RADIUS: authenticator 94 A8 95 26 37 C1 9F F5 -
44 C6 E6 E4 59 21 91 74
012621: *Mar 4 03:03:35.479: RADIUS: User-Name [1] 7 cisco
012622: *Mar 4 03:03:35.479: RADIUS: User-Password [2] 18 *
012623: *Mar 4 03:03:35.479: RADIUS: Vendor, Cisco [26] 40
012624: *Mar 4 03:03:35.479: RADIUS: Cisco AVpair [1] 34
subscriber:command=account-logon
012625: *Mar 4 03:03:35.479: RADIUS: Vendor, Cisco [26] 20
012626: *Mar 4 03:03:35.479: RADIUS: ssg-account-info [250] 14
S172.16.xx.xx
012627: *Mar 4 03:03:35.479: ++ CoA Attribute List ++
012628: *Mar 4 03:03:35.479: 068F1110 0 0009 username(396) 5 cisco
012629: *Mar 4 03:03:35.479: 068F0F08 0 0009 password(282) 13 opaque
value
012630: *Mar 4 03:03:35.479: 068F0F18 0 0009 ssg-account-info(430) 12
S172.16.xx.xx
012631: *Mar 4 03:03:35.479: 068F0F28 0 0009 ssg-command-code(432) 6 01
63 69 73 63 6F
012632: *Mar 4 03:03:35.479:
012633: *Mar 4 03:03:35.479: RADIUS(): sending
012634: *Mar 4 03:03:35.479: RADIUS(): Send CoA Nack Response to
172.16.xx.xx:51830 id 234, len 56
012635: *Mar 4 03:03:35.479: RADIUS: authenticator 22 E9 05 70 EB CD A1 E7 -
4C 61 07 0B 28 85 5D 97
012636: *Mar 4 03:03:35.479: RADIUS: Vendor, Cisco [26] 16
012637: *Mar 4 03:03:35.479: RADIUS: ssg-command-code [252] 10
012638: *Mar 4 03:03:35.479: RADIUS: 10 32 3B 63 69 73 63 6F [Error-Code
2;cisco]
012639: *Mar 4 03:03:35.479: RADIUS: Vendor, Cisco [26] 20
012640: *Mar 4 03:03:35.479: RADIUS: ssg-account-info [250] 14
S172.16.xx.xx

Have I sent a correct request to cisco? If no, how can I send a correct
account-logon request with radclient?

Thanks.

SV: SV: SV: SV: No known good password

2009-03-04 Thread Ove Fagerheim
Hmm, that gives me a policy problem, my company *does not* use Linux.
Is there any Windows ports out there? I've checked
http://download.opensuse.org/repositories/network:/aaa/, but I'm uncertain
which folder to select and which files to download

Ove



Re: Freeradius with CoA

2009-03-04 Thread tnt
> There's cisco debug:


And this is freeradius list. Feel free to send this to your friendly
Cisco support people.

Ivan Kalik
Kalik Informatika ISP



Re: SV: SV: SV: SV: No known good password

2009-03-04 Thread tnt
> Hmm, that gives me a policy problem, my company *does not* use Linux.

And they are in Internet business? Not for long.

> Is there any Windows ports out there?

freeradius.net (this is support for versions from freeradius.org). Not a
real port but it works. It has support for mysql, but not for much else.

Ivan Kalik
Kalik Informatika ISP



Re: SV: SV: SV: No known good password

2009-03-04 Thread Laurent Besson
On Wednesday 04 March 2009 11:21:38 t...@kalik.net, you wrote:
> Oh, this is Windows. Uninstall the whole thing. You can download that
> version in default configuration from freeradius.net. Do fresh install.
> Just edit clients.conf and users file.

Maybe, installing Virtual Machine could resolve your problems?
Windows---VM(Linux---Freeradius)



Re: SV: SV: SV: SV: No known good password

2009-03-04 Thread Nicolas Goutte


On 04.03.2009 at 11:24, Ove Fagerheim wrote:

> Hmm, that gives me a policy problem, my company *does not* use Linux.

If you do not mean only Windows, see the other options, like for
example MacOS, BSD, Solaris: http://wiki.freeradius.org/Platforms

> Is there any Windows ports out there? I've checked
> http://download.opensuse.org/repositories/network:/aaa/, but I'm
> uncertain which folder to select and which files to download
>
> Ove

Have a nice day!





Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Commercial register: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






Re: SV: SV: SV: No known good password

2009-03-04 Thread tnt
Oh, this is Windows. Uninstall the whole thing. You can download that
version in default configuration from freeradius.net. Do fresh install.
Just edit clients.conf and users file.

Windows version supports mysql but not much more. You are far better off
with current (Linux) version.

Ivan Kalik
Kalik Informatika ISP



Re: OT: Implementing RSA's SecurID

2009-03-04 Thread Mike O'Connor
Greg Vickers wrote:
> Hi,
>
> (Apologies for an OT post) I was wondering if anyone know of any user
> list that would contain a community of people who implement systems
> like RSA's SecurID?  The reason is that I am researching who else has
> implemented SecurID and am trying to find if there is another company
> or organisation who has implemented it in the way we wish to.
>
> Thanks,
Hi Greg

I suggest that you have a look at Yubico's YubiKey, one of the most
interesting authentication devices I have ever seen.

Note Freeradius is supported via PAM
http://code.google.com/p/yubico-pam/wiki/YubikeyAndRadiusViaPAM

Cheers
Mike


Re: Freeradius with CoA

2009-03-04 Thread Evgeniy Kozhuhovskiy

M K wrote:

> Hello all!
>
> I have freeradius 2.1.3 installed on my FreeBSD 7.1 OS. And I have cisco
> 7201 with ISG module. When I try to send CoA (Change of authorization)
> account-logon request like this
>
> /bin/echo \
> User-Name='cisco',User-Password='cisco',cisco-avpair='subscriber:command=account-logon',Cisco-Account-Info='S172.16.xx.xx' \
> | /usr/local/bin/radclient -x 172.16.yy.yy coa secret


http://www.cisco.com/en/US/docs/ios/12_2sb/isg/coa/guide/isgcaapb.html#wp1009738
The following example is a typical Service Active profile:
Service = Framed
  Cisco: Account-Info = S12.1.1.2
  Cisco: Service-Info = Ncoa_service
  Cisco: Command-Code = 0bservice_coa
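where 0b is the symbol with code 0xb,
i.e.
#include <stdio.h>
#define IP "192.168.10.50"
int main(void) {
    int c = 0xb; /* command code, sent as one raw byte */
    printf("Cisco-Command-Code = '%cP1024x512_SERVICE'\n", c);
    printf("Cisco-Account-Info = S%s\n", IP);
    return 0;
}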


--
With best regards, Evgeniy Kozhuhovskiy
Leader, Services team
Minsk State Phone Network, RUE Beltelecom.


Re: SV: SV: SV: SV: No known good password

2009-03-04 Thread Alan DeKok
Ove Fagerheim wrote:
> Hmm, that gives me a policy problem, my company *does not* use Linux.
> Is there any Windows ports out there? I've checked
> http://download.opensuse.org/repositories/network:/aaa/, but I'm uncertain
> which folder to select and which files to download

  http://freeradius.org/business/roadmap.html

  If you really want a Windows port, it can be done.

  Alan DeKok.


Re: eap-tls configuration not running...

2009-03-04 Thread Alan DeKok
fabien.cret...@novelis.com wrote:
> My server is now accepting the eap authentication, but is sending after
> this accept an access challenge to the client. It seems that the client
> ignores the access challenge sent by the server !!
> Any idea ??

  Have you tried reading the FAQ?

  Alan DeKok.


Please can someone help I'm new on the list

2009-03-04 Thread Gustavo Román
I'm trying to install Radius EAP/TLS but when I enable the EAP module, I get
the following Error:

rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared
object file: No such file or directory
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1960] Unknown module eap.
radiusd.conf[1907] Failed to parse authenticate section.

Can someone help me.

Thanks

Re: Please can someone help I'm new on the list

2009-03-04 Thread Alan DeKok
Gustavo Román wrote:
> I'm trying to install Radius EAP/TLS but when I enable the EAP module, I
> get the following Error:
>
> rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared
> object file: No such file or directory
> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1960] Unknown module eap.
> radiusd.conf[1907] Failed to parse authenticate section.
>
> Can someone help me.

  You are running an old version of the server, and you haven't built
the EAP-TLS module.  You likely need the OpenSSL development package,
and then build from source.

  Alan DeKok.


Re: Rejections

2009-03-04 Thread Alan DeKok
Jack D. Martin Jr. wrote:
> I am using freeradius 2.1.3 using MySQL for my IP pool and user auth
> tables in my small ISP.  What I need to do is have customers that get
> rejected with a bad password assigned to a particular IP pool.  I am
> sure this is possible, but can't find it.  I assume I am just looking
> for the wrong keywords - LOL.  Can somebody point me in the right
> direction?  Thanks in advance.

  The server can't turn a reject into an accept.  Doing so will require
source code patches.

  Alan DeKok.


Re: SV: SV: SV: SV: No known good password

2009-03-04 Thread John Dennis

Ove Fagerheim wrote:

> Hmm, that gives me a policy problem, my company *does not* use Linux.
  
What a marvellous opportunity for you to become a respected and valued 
employee of your company by educating your peers on the many benefits of 
open source operating systems. Perhaps the money you save your company 
by avoiding licensing fees and the reduced cost of administration could 
be put towards a hefty pay raise for you. Seize the day!


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: OT: Implementing RSA's SecurID

2009-03-04 Thread Nick Owen
On Tue, Mar 3, 2009 at 11:38 PM, Greg Vickers g.vick...@qut.edu.au wrote:
> Hi,
>
> (Apologies for an OT post) I was wondering if anyone know of any user list
> that would contain a community of people who implement systems like RSA's
> SecurID?  The reason is that I am researching who else has implemented
> SecurID and am trying to find if there is another company or organisation
> who has implemented it in the way we wish to.
>
> Thanks,
> --
> Greg Vickers
> Phone: +61 7 3138 6902
> IT Security Engineer  Project Manager
> Queensland University of Technology, CRICOS No. 00213J

There's a yahoo group for RSA.  I suggest you try there.  I would
think you could also try RSA itself.

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication



reply messages in access-reject

2009-03-04 Thread Hegedus Gabor

Hi, I have a question.

How can I send attributes (for example reply-message, cvpn3000, ...) in an
access-reject packet?
I tried to put my exec in the post-auth section Post-Auth-Type REJECT{},
but in this section radius doesn't send the attribs in the reject packet.

Radius sends them only if I run the exec program in the files module:

DEFAULT NAS-Port-Type == Virtual, Autz-Type = LDAP
   exec-program-wait =/usr/local/etc/raddb/scripts/vpn.php

debug:

Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
++? if (NAS-Port-Type==Virtual)
? Evaluating (NAS-Port-Type==Virtual) - TRUE
++? if (NAS-Port-Type==Virtual) - TRUE
++- entering if (NAS-Port-Type==Virtual) {...}
[script-bad]expand: %{User-Name} - test
[sctipt-bad]expand: %{User-Password} - test
Exec-Program output: CVPN3000-IPSec-Banner2 = 'sorry',
Exec-Program-Wait: value-pairs: CVPN3000-IPSec-Banner2 = 'sorry',
Exec-Program: returned: 0
+++[script-bad] returns ok
++- if (NAS-Port-Type==Virtual) returns ok
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 79 to 192.168.1.1 port 1147
Waking up in 4.9 seconds.
Cleaning up request 7 ID 79 with timestamp +388
Ready to process requests.


what is wrong?
what is the solution?


thank you!
br
Gabor




Re: Rejections

2009-03-04 Thread Jack D. Martin Jr.
What about using a fall through?  Could it be that the last option to
auth, even if the password is incorrect - they get assigned to a
particular group?


Jack Martin
Magic Wireless Internet Service Providers LLC
P.O. Box 278
104 W. Main
Oilton, OK 74052
www.magicwisp.com



Re: Can freeradius do a CoA Push.

2009-03-04 Thread Marlon Duksa
I thought that this can already be done with radclient, no?:
radclient -x -t 20 -c 1 -f /home/coa.txt 114.0.1.1:3799 coa test


On Tue, Mar 3, 2009 at 11:43 PM, Alan DeKok al...@deployingradius.com wrote:

> Simon Herriotts wrote:
> > New user to freeradius, nice little bit of work.
> > Wondering if anyone knows how/if you can do a CoA Push.
> > ie change SLA policy-map levels via a radius push to an existing user.
>
>   The git stable branch can do this.  It will be in 2.1.4, when it's
> released.
>
>  Alan DeKok.

Re: Rejections

2009-03-04 Thread Alan DeKok
Jack D. Martin Jr. wrote:
> What about using a fall through? Could it be that the last option to
> auth, even if the password is incorrect - they get assigned to a
> particular group?

  As I said:

>   The server can't turn a reject into an accept.  Doing so will require
> source code patches.

  I wrote much of the server.  I *think* I know how it works.

  Alan DeKok.


Re: Can freeradius do a CoA Push.

2009-03-04 Thread Alan DeKok
Marlon Duksa wrote:
> I thought that this can already be done with radclient , no?

  Yes.  But integrating that into the server policies cannot currently
be done well.

  i.e. When the server receives an accounting packet, you can check if
they're over a bandwidth quota, and if so, run radclient to send a CoA
packet.

  But this isn't integrated into the server core.  Updating the contents
of the CoA packet is hard.  Handling the CoA reply is hard.  Did the NAS
do what you asked, or did it do something else?

  Alan DeKok.
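
The approach described in the message above (check usage when an accounting packet arrives, run radclient to send a CoA, then work out what the NAS answered), as an added Python example that is not FreeRADIUS code or code from this thread. The 10 GiB quota, the Filter-Id change and the sample accounting packet are assumptions constructed for illustration; the radclient arguments follow the commands quoted in this thread.

```python
import re
import subprocess

QUOTA_BYTES = 10 * 1024 ** 3  # hypothetical quota: 10 GiB per session

# Constructed sample of the attributes in an Accounting-Request.
SAMPLE_ACCT = {
    "User-Name": "alice",
    "Acct-Session-Id": "0000A1B2",
    "Acct-Input-Octets": "1200000000",
    "Acct-Input-Gigawords": "1",
    "Acct-Output-Octets": "3000000000",
    "Acct-Output-Gigawords": "2",
}


def session_octets(acct):
    """Bytes used in a session, from Accounting-Request attributes.

    Acct-*-Octets are 32-bit counters; Acct-*-Gigawords count their wraps.
    """
    total = 0
    for direction in ("Input", "Output"):
        total += int(acct.get("Acct-%s-Octets" % direction, 0))
        total += int(acct.get("Acct-%s-Gigawords" % direction, 0)) << 32
    return total


def coa_attributes(acct, changes):
    """Build the attribute list that radclient reads on stdin."""
    pairs = [("User-Name", acct["User-Name"]),
             ("Acct-Session-Id", acct["Acct-Session-Id"])]
    pairs.extend(changes.items())
    lines = []
    for name, value in pairs:
        value = str(value)
        # These values arrive from the network. A quote, backslash or newline
        # inside one would let it add or alter attributes in the CoA request.
        if not re.fullmatch(r"[\x20-\x7e]+", value) or '"' in value or "\\" in value:
            raise ValueError("refusing unsafe value for %s" % name)
        lines.append('%s = "%s"' % (name, value))
    return "\n".join(lines) + "\n"


def classify_reply(radclient_output):
    """Return 'CoA-ACK', 'CoA-NAK', or None when no reply line is present."""
    match = re.search(r"rad_recv: (CoA-ACK|CoA-NAK) packet from host",
                      radclient_output)
    return match.group(1) if match else None


def push_coa(acct, changes, nas, secret, radclient="radclient"):
    """Run radclient with -x so the reply line can be parsed from its output."""
    # Argument list, not a shell string, so nothing is shell-interpreted.
    # The secret is an argument as in the thread, so it is visible in the
    # local process list.
    argv = [radclient, "-x", nas, "coa", secret]
    done = subprocess.run(argv, input=coa_attributes(acct, changes),
                          capture_output=True, text=True, timeout=30)
    return classify_reply(done.stdout)


def on_accounting(acct, nas, secret, send=push_coa):
    """Decide on one accounting packet; report what the NAS did with the CoA."""
    if session_octets(acct) <= QUOTA_BYTES:
        return "within-quota"
    # Assumption: the NAS applies a Filter-Id received in a CoA-Request.
    result = send(acct, {"Filter-Id": "throttled"}, nas, secret)
    return {"CoA-ACK": "applied", "CoA-NAK": "refused"}.get(result, "no-reply")


if __name__ == "__main__":
    print(session_octets(SAMPLE_ACCT), "bytes used")
    print(coa_attributes(SAMPLE_ACCT, {"Filter-Id": "throttled"}), end="")
    # Reply line in the format shown earlier on this page.
    print(classify_reply("rad_recv: CoA-NAK packet from host 172.16.yy.yy "
                         "port 1700, id=5, length=56"))
```
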


Re: Can freeradius do a CoA Push.

2009-03-04 Thread Marlon Duksa
ok. I see. Thanks. The NAS did exactly what I wanted it to do in my case
(disconnect a user and also change the SLA parameters)
Marlon


Re: Rejections

2009-03-04 Thread tnt
This kind of handling of rejected users should be handled by your NAS.
Radius server is supposed to reject users with bad passwords. You can
make policy on your NAS to place them in a restricted VLAN instead of
dropping the connection.

Ivan Kalik
Kalik Informatika ISP




Re: Rejections

2009-03-04 Thread Jack D. Martin Jr.
I wasn't questioning your skills - trust me.  I have read many of your
responses on the list, you helped me deploy my server without ever talking
to me.  I am just looking for a solution.  Basically what I have is a
billing solution that automatically suspends customers by scrambling their
passwords.  When that happens - I don't want the customers to be rejected,
but to be assigned to a different group.  Is that a better way of asking? 
What I am looking for is to not reject people with bad passwords, but to
assign them a particular IP pool.


Jack Martin
Magic Wireless Internet Service Providers LLC
P.O. Box 278
104 W. Main
Oilton, OK 74052
www.magicwisp.com



Re: Rejections

2009-03-04 Thread Thibault Le Meur

Jack D. Martin Jr. wrote:

> I wasn't questioning your skills - trust me.  I have read many of your
> responses on the list, you helped me deploy my server without ever talking
> to me.  I am just looking for a solution.  Basically what I have is a
> billing solution that automatically suspends customers by scrambling their
> passwords.  When that happens - I don't want the customers to be rejected,
> but to be assigned to a different group.  Is that a better way of asking?
> What I am looking for is to not reject people with bad passwords, but to
> assign them a particular IP pool.

Then why don't you simply make your billing solution put your users
exceeding their quota into an Exceeded_Quota group (either in sql DB or in
LDAP, or any backend).

Don't scramble their password.

This way an authenticated user belonging to the Exceeded_Quota group
would be assigned a given IP_Pool, and those not in this group would be
assigned another IP_Pool.


Does my answer make sense? (I admit I've not read the preceding posts).

Thibault







Re: Rejections

2009-03-04 Thread Alan DeKok
Jack D. Martin Jr. wrote:
 I wasn't questioning your skills - trust me.  I have read many of your
 responses on the list, you helped me deploy my server without ever talking
 to me.  I am just looking for a solution.  Basically what I have is a
 billing solution that automatically suspends customers by scrambling their
 passwords.  When that happens - I don't want the customers to be rejected,
 but to be assigned to a different group.  Is that a better way of asking? 
 What I am looking for is to not reject people with bad passwords, but to
 assign them a particular IP pool.

  What kind of authentication methods are you using?  If it's PAP, then
the answer is easy:


authenticate {
	...

	Auth-Type PAP {
		# Compare the password the user sent with the known-good one
		if (User-Password == "%{control:Cleartext-Password}") {
			update control {
				Pool-Name := pool-for-good-users
			}
		}
		else {
			update control {
				Pool-Name := pool-for-bad-users
			}
		}

		ok	# mark them as authenticated
	}

	...
}

  And configure the two pools, including putting them in the post-auth
section.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Can freeradius do a CoA Push.

2009-03-04 Thread Simon Herriotts




Marlon, 

This looks like the item I am looking for.
What is the syntax example in the coa.txt.
Looks like I need to do more research into radclient usage.

Cheers
Simon

Marlon Duksa wrote:

  
  I thought that this can already be done with radclient, no? :
  radclient -x -t 20 -c 1 -f /home/coa.txt 114.0.1.1:3799 coa test

  On Tue, Mar 3, 2009 at 11:43 PM, Alan DeKok al...@deployingradius.com wrote:

Simon Herriotts wrote:
 New user to freeradius, nice little bit of work.
 Wondering if anyone knows how/if you can do a CoA Push.
 ie change SLA policy-map levels via a radius push to an existing user.


The git "stable" branch can do this. It will be in 2.1.4, when it's
released.

Alan DeKok.



Re: Can freeradius do a CoA Push.

2009-03-04 Thread Marlon Duksa
Simon - I think there is a man on radclient.
But the file you are asking about usually contains the attributes that you
want to change. I was doing this on JNPR so the syntax was this in my
particular example:

user-Name = circuit:3.remote:3
Acct-Session-ID = 3
ERX-CoS-Parameter-Type = "T02 800k"

I was changing some QoS parameters (shaping rate) for a subscriber in JNPR.

Thanks,
Marlon

On Wed, Mar 4, 2009 at 9:48 AM, Simon Herriotts sherr...@cisco.com wrote:

  Marlon,

 This looks like the item I am looking for.
 What is the syntax example in the coa.txt.
 Looks like I need to do more research into radclient usage.

 Cheers
 Simon

 Marlon Duksa wrote:

  I thought that this can already be done with radclient, no? :
  radclient -x -t 20 -c 1 -f /home/coa.txt 114.0.1.1:3799 coa test


  On Tue, Mar 3, 2009 at 11:43 PM, Alan DeKok al...@deployingradius.com wrote:

 Simon Herriotts wrote:
  New user to freeradius, nice little bit of work.
  Wondering if anyone knows how/if you can do a CoA Push.
  ie change SLA policy-map levels via a radius push to an existing user.

   The git stable branch can do this.  It will be in 2.1.4, when it's
 released.

  Alan DeKok.

Re: Can freeradius do a CoA Push.

2009-03-04 Thread Simon Herriotts




Perfect, thanks I will play with the radclient and see about the man
tool.

Cheers
Simon

Marlon Duksa wrote:
Simon - I think there is a man on radclient.
  
  
  But the file you are asking about usually contains the
attributes that you want to change. I was doing this on JNPR so the
syntax was this in my particular example:
  
  
  
  user-Name = circuit:3.remote:3
  Acct-Session-ID = 3
  ERX-CoS-Parameter-Type = "T02 800k"
  
  
  I was changing some QoS parameters (shaping rate) for a
subscriber in JNPR.
  
  
Thanks,
  Marlon
  
  On Wed, Mar 4, 2009 at 9:48 AM, Simon Herriotts sherr...@cisco.com wrote:
  

Marlon, 

This looks like the item I am looking for.
What is the syntax example in the coa.txt.
Looks like I need to do more research into radclient usage.

Cheers
Simon

Marlon Duksa wrote:

  
  I thought that this can already be done with radclient, no? :
  radclient -x -t 20 -c 1 -f /home/coa.txt 114.0.1.1:3799 coa test
  
  
  
  
  
  On Tue, Mar 3, 2009 at 11:43 PM, Alan DeKok al...@deployingradius.com wrote:

Simon Herriotts wrote:
 New user to freeradius, nice little bit of work.
 Wondering if anyone knows how/if you can do a CoA Push.
 ie change SLA policy-map levels via a radius push to an existing user.


The git "stable" branch can do this. It will be in 2.1.4, when it's
released.

Alan DeKok.

