Re: Access Challenge in freeRadius server

2009-06-15 Thread kpani

Thank you very much Ivan for your detailed response. I will check it and
respond to you.

Regards,
Dhandapani


Ivan Kalik wrote:
> 
>> Not sure how ssh/telnet will handle.
> 
> That depends on your pam radius module. I believe freeradius hosted module
> can handle it. Don't know for others.
> 
>> But I assume, other than password it
>> may request for additional RSA key generated to access a particular
>> machine
>> or something similar to that.
> 
> Why? Server already knows it's RSA key. This has nothing to do with user
> authentication.
> 
>> Also, does NAS need any installation to support Access-Challenge like
>> CHAP?
> 
> It needs pam module that supports it. BTW chap doesn't have
> Access-Challenge in the authentication process. Nor mschap.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Access-Challenge-in-freeRadius-server-tp24025860p24048486.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

2009-06-15 Thread john
For the sake of posterity (e.g. future searches on this topic), the
stanzas that Ivan replaced in the Makefile to create working
client.p12 files under Windows XP SP3 are:


client.csr client.key: client.cnf
	openssl req -new -out client.csr -keyout client.key -config ./client.cnf

client.crt: client.csr ca.pem ca.key index.txt serial
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr \
		-key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext \
		-extfile xpextensions -config ./client.cnf

client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 \
		-passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem \
		-passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem

.PHONY: client.vrfy
client.vrfy: ca.pem client.pem
	c_rehash .
	openssl verify -CApath . client.pem



>
> The makefile you sent me allowed me to generate a correct client.p12
> which cleared up the error reported by windows. Thanks very much. So
> it looks like windows may prefer personal certs signed by the CA
> rather than the server? I can successfully use the client cert with the
> "Smart Card or other Certificate" options on Windows XP/SP3 (which
> uses EAP-TLS I believe).


Re: SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

2009-06-15 Thread john
On Mon, Jun 15, 2009 at 3:46 PM, Ivan Kalik wrote:
>> However it didn't fix my issue with trying to use a cert and PEAP or
>> TTLS. So I am stumped still on that one.
>
> You need a supplicant that supports it. SecureW2 probably doesn't. Try
> wpa_supplicant.

Thanks Ivan. Do you know if the windows wired PEAP supplicant supports
sending a client cert back to the server?

I'll look at wpa_supplicant as well.

Also, thanks again for that amended MAKEFILE. Perhaps an extra stanza
should be included in the MAKEFILE in a future freeradius version that
directs someone to try that approach if windows rejects client.p12
files signed by the server? I think it might be a real help to others.

Cheers!

John

>
> Ivan Kalik
> Kalik Informatika ISP
>


Re: SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

2009-06-15 Thread Ivan Kalik
> However it didn't fix my issue with trying to use a cert and PEAP or
> TTLS. So I am stumped still on that one.

You need a supplicant that supports it. SecureW2 probably doesn't. Try
wpa_supplicant.

Ivan Kalik
Kalik Informatika ISP



Re: rlm_exec wiki

2009-06-15 Thread Doug Hardie


On 15 June 2009, at 14:41, a.l.m.bu...@lboro.ac.uk wrote:


Hi,

(grin), but of course, if I want to write for the wiki, I'm going  
to have
to install the latest release, to be sure what I write is valid for  
the
most current context. Fortunately I have a test box for stuff like  
this.

:)


..but to mirror what you've been saying - why not support 1.x fully
on the wiki - there's plenty of 1.x installs out there and 1.x users
who are forced into such a situation - e.g. because their enforced
distro/repository policy means no building from source

it would be much better if there was a full delineation between
1.x and 2.x docs - the web is full of older resources that don't
say what version their tweaks and info is good for.


Thats actually a good idea.  For example, during the initial  
introduction period for 2.x, there was nothing in the wiki about  
writing your own modules for 2.x.  The existing page was only for  
1.x.  It didn't know about the existence of 2.x because it didn't  
exist when the page was written.  As a result, anyone who was trying  
to use 2.x in the early days and wanted to write their own modules  
would have failed horribly.  The 1.x instructions were not at all  
appropriate for 2.x.  Since I only use FreeRadius for authenticating a  
small number of dial-in users, I didn't need to convert at all.  1.x  
would have been just fine for me probably longer than I will have dial- 
in users.  I only did the conversion to be able to rewrite the module  
page for 2.x.  Now both of them are there.  However, by having 2  
editions of each page, the top page would become enormous and  
difficult to handle.  Making separate sections for each version would  
make it a lot easier for people during these transitions.  There seems  
to be no end to Alan's imagination for new features.  I expect a  
version 3.x in the near future.



Re: rlm_exec wiki

2009-06-15 Thread A . L . M . Buxey
Hi,

> (grin), but of course, if I want to write for the wiki, I'm going to have 
> to install the latest release, to be sure what I write is valid for the  
> most current context. Fortunately I have a test box for stuff like this. 
> :)

..but to mirror what you've been saying - why not support 1.x fully
on the wiki - there's plenty of 1.x installs out there and 1.x users
who are forced into such a situation - e.g. because their enforced
distro/repository policy means no building from source

it would be much better if there was a full delineation between
1.x and 2.x docs - the web is full of older resources that don't
say what version their tweaks and info is good for.

if i see one more config with Auth-Type = EAP  I'll scream ;-)

alan


Re: SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

2009-06-15 Thread john
On Sat, Jun 13, 2009 at 7:08 AM, Ivan Kalik wrote:
>> I used the Makefile to generate the certs. I then exported ca.der and
>> client.p12 and installed them on the XP box. Did I get the wrong
>> files?
>
> No, those are correct files. Is ca OK but you get errors for client
> certificate? Try using included Makefile (rename old Makefile to
> Makefile.old and this one to Makefile). It will create client certificates
> signed by the ca certificate.
>
> Ivan Kalik
> Kalik Informatika ISP


Hi Ivan,

The makefile you sent me allowed me to generate a correct client.p12
which cleared up the error reported by windows. Thanks very much. So
it looks like windows may prefer personal certs signed by the CA
rather than the server? I can successfully use the client cert with the
"Smart Card or other Certificate" options on Windows XP/SP3 (which
uses EAP-TLS I believe).

However it didn't fix my issue with trying to use a cert and PEAP or
TTLS. So I am stumped still on that one.

Any other ideas?

Thanks for your help!

John


Re: [rad] Re: Problem with external authentication script

2009-06-15 Thread Ivan Kalik
> On Mon, 15 Jun 2009, Stefan Kuegler wrote:
>>> >  exec motp {
>>> >    wait = yes
>>> >    program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}"
>>> >    input_pairs = request
>>> >    output_pairs = config
>>> >  }
>> It seems, that freeradius never uses the "MOTP"-Auth-type:
>> auth: type "PAP"
>> +- entering group PAP
>
> Not an expert on motp. But should it be mistaken for 'PAP'?

It got "mistaken" for pap because user1 line in users file had a crypt
password in it (I don't know what it's doing there - probably shouldn't
be).

> Perhaps
> you need to put your check for 'motp' in the auth section *before* PAP?

Forcing Auth-Type in users file should work.

If you need both pap (password known to the server) and MOTP (password to
be verified by external script) working user entry can be replaced with
unlang statement after pap in authorize (both can't be made to work in
1.x).

> Or remove the reference to PAP altogether if you never use it?

The policy of the list is "that you should make minimal changes to default
configuration until you make things work; then remove one by one things
you think you don't need, making sure everything you need still works". In
that way, if you mess up it is easy to backtrack.

Listing motp in authorize before pap is likely to achieve - nothing. There
is nothing to suggest that something called "otpverify" can set Auth-Type
to MOTP. So, better not go that way.

Ivan Kalik
Kalik Informatika ISP

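Ivan's diagnosis above comes from reading the authorize/authenticate trace: which users entry matched, which module returned "updated" before Auth-Type was chosen, and which module rejected. The script below is an added example, not FreeRADIUS code; it pulls those facts out of a constructed, shortened copy of the kind of debug output Stefan posted in this thread and turns them into a one-line explanation.

```python
"""Triage a FreeRADIUS 2.x debug trace: which users entry matched, which
module set Auth-Type, and which module rejected.  Added example, not
FreeRADIUS code.  SAMPLE_LOG is a constructed, shortened copy of the kind of
output Stefan posted in this thread."""
import re

SAMPLE_LOG = """\
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
users: Matched entry user1 at line 3
++[files] returns ok
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "secret"
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [user1/secret] (from client 192.168.82.40 port 0)
"""

USERS_MATCH = re.compile(r"^users: Matched entry (\S+) at line (\d+)")
AUTH_TYPE = re.compile(r'^auth: type "([^"]+)"')
MODULE_RC = re.compile(r"^\+\+\[([^\]]+)\] returns (\w+)")
PAP_METHOD = re.compile(r"^rlm_pap: Using (\S+) encryption")
LOGIN_INCORRECT = re.compile(r"^Login incorrect \(([^)]*)\)")


def triage(log: str) -> dict:
    """Return the facts needed to explain a reject from one request's trace."""
    r = {"matched_entry": None, "auth_type": None, "password_check": None,
         "updated_by": [], "rejected_by": None, "reason": None}
    for raw in log.splitlines():
        line = raw.strip()                 # the trace indents some lines
        if m := USERS_MATCH.match(line):
            r["matched_entry"] = (m.group(1), int(m.group(2)))
        elif m := AUTH_TYPE.match(line):
            r["auth_type"] = m.group(1)
        elif m := PAP_METHOD.match(line):
            r["password_check"] = m.group(1)
        elif m := MODULE_RC.match(line):
            module, rc = m.groups()
            if rc == "updated":            # module added/changed attributes,
                r["updated_by"].append(module)   # e.g. pap setting Auth-Type
            elif rc == "reject" and r["rejected_by"] is None:
                r["rejected_by"] = module  # first module to reject
        elif m := LOGIN_INCORRECT.match(line):
            r["reason"] = m.group(1)
    return r


def explain(r: dict) -> str:
    """One-line diagnosis in the style of the reply above."""
    if not r["rejected_by"]:
        return "no reject seen in this trace"
    entry = ("entry %s (line %d)" % r["matched_entry"]
             if r["matched_entry"] else "no users entry")
    setters = ", ".join(r["updated_by"]) or "nobody"
    return (f"{entry} matched; Auth-Type {r['auth_type']} was chosen after "
            f"{setters} returned 'updated'; {r['rejected_by']} rejected: "
            f"{r['reason']}")


if __name__ == "__main__":
    print(explain(triage(SAMPLE_LOG)))
```

Run it against a full `radiusd -X` capture one request at a time; a "pap returned updated" before `Found Auth-Type` is the sign that the matched entry carried a password pap could use, which is exactly why the exec-based Auth-Type never ran here.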


Re: Problem with external authentication script

2009-06-15 Thread Alan DeKok
Stefan Kuegler wrote:
> Thanks for your advice.
> I configured the users-file described above, but it didn't work. Now I
> can see, that freeradius never calls the external script.

  Because the user was rejected.

  Ensure that the user is accepted, follow Ivan's instructions for
configuring the "users" file, and it will work.

   Alan DeKok.


Re: [rad] Re: Problem with external authentication script

2009-06-15 Thread Charles Gregory

On Mon, 15 Jun 2009, Stefan Kuegler wrote:

>  exec motp {
>    wait = yes
>    program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}"
>    input_pairs = request
>    output_pairs = config
>  }


Silly thought:
The exec is named 'motp' with an 'm'.
But your script is 'otpverify' with no 'm'.
Just want to be sure that's not a silly typo :)


It seems, that freeradius never uses the "MOTP"-Auth-type:
auth: type "PAP"
+- entering group PAP


Not an expert on motp. But should it be mistaken for 'PAP'? Perhaps
you need to put your check for 'motp' in the auth section *before* PAP?
Or remove the reference to PAP altogether if you never use it?

Do I need to configure something in the authorize-section or somewhere 
else ??


A line with the single word 'motp', probably just above the 'pap' line,
if that is causing trouble

- Charles


Re: Access Challenge in freeRadius server

2009-06-15 Thread Ivan Kalik
> Not sure how ssh/telnet will handle.

That depends on your pam radius module. I believe freeradius hosted module
can handle it. Don't know for others.

> But I assume, other than password it
> may request for additional RSA key generated to access a particular
> machine
> or something similar to that.

Why? Server already knows it's RSA key. This has nothing to do with user
authentication.

> Also, does NAS need any installation to support Access-Challenge like
> CHAP?

It needs pam module that supports it. BTW chap doesn't have
Access-Challenge in the authentication process. Nor mschap.

Ivan Kalik
Kalik Informatika ISP



Re: Problem with external authentication script

2009-06-15 Thread Stefan Kuegler

Hi Ivan.


exec motp {
	wait = yes
	program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}"
	input_pairs = request
	output_pairs = config
}



You have changed them to reply items ...


/etc/freeradius/users:
DEFAULT Auth-Type = Accept
	Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:PIN}' '%{reply:Offset}'",
	Fall-Through = Yes

user1   Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0



... but configured them as check items. Revert to original exec line and
place user entry *above* DEFAULT entry.


Thanks for your advice.
I configured the users-file described above, but it didn't work. Now I 
can see, that freeradius never calls the external script.


It seems, that freeradius never uses the "MOTP"-Auth-type:

[...]
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.82.40 port 1026, 
id=109, length=78

User-Name = "user1"
User-Password = "secret"
Service-Type = Authenticate-Only
NAS-Identifier = "debian.local"
NAS-IP-Address = 192.168.82.40
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
users: Matched entry user1 at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "secret"
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [user1/secret] 
(from client 192.168.82.40 port 0)

  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> user1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.82.40 port 1026, 
id=109, length=78

Waiting to send Access-Reject to client 192.168.82.40 port 1026 - ID: 109
Sending delayed reject for request 0
Sending Access-Reject of id 109 to 192.168.82.40 port 1026
Waking up in 4.9 seconds.
Cleaning up request 0 ID 109 with timestamp +17
Ready to process requests.



Do I need to configure something in the authorize-section or somewhere 
else ??



Thank you for your help.

Stefan
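Ivan's two corrections in this message (the per-user values were written as check items on the first line of the user1 entry rather than as reply items on continuation lines, and the user entry must sit above DEFAULT so Fall-Through reaches it) can be checked with a small model of how rlm_files walks the users file and how `%{reply:Secret}` is expanded. The block below is an added example, not FreeRADIUS code: it feeds a constructed copy of the posted users file and the corrected layout through that model and shows the command line otpverify.sh would actually receive. Secret, PIN and Offset are assumed to be defined in the local dictionary, as Stefan's configuration implies.

```python
"""Model of rlm_files matching and %{list:Attr} expansion, to show why the
posted users file handed otpverify.sh empty Secret/PIN/Offset values.
Added example, not FreeRADIUS code.  Secret, PIN and Offset are assumed to
be defined in the local dictionary, as Stefan's configuration implies."""
import re

_ITEM = re.compile(r"^\s*([A-Za-z0-9\-]+)\s*(:=|==|!=|\+=|=)\s*(.*?)\s*$")
_XLAT = re.compile(r"%\{(?:(request|reply|control):)?([A-Za-z0-9\-]+)\}")
COMPARE_OPS = {"==", "!="}

# constructed copy of the users file posted in this thread
USERS_AS_POSTED = '''\
DEFAULT Auth-Type = Accept
\tExec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:PIN}' '%{reply:Offset}'",
\tFall-Through = Yes

user1\tSecret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0
'''

# the layout asked for above: user entry first, per-user values as reply items
USERS_FIXED = '''\
user1\tAuth-Type := Accept
\tSecret = 143a5c6fa125ac1f,
\tPIN = 1234,
\tOffset = 0,
\tFall-Through = Yes

DEFAULT Auth-Type = Accept
\tExec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:PIN}' '%{reply:Offset}'",
\tFall-Through = Yes
'''


def _split_items(text):
    """Split 'A = 1, B = "x"' on commas that are outside double quotes."""
    items, buf, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append(buf)
            buf = ""
        else:
            buf += ch
    items.append(buf)
    return [i.strip() for i in items if i.strip()]


def _parse_item(item):
    m = _ITEM.match(item)
    if not m:
        raise ValueError(f"cannot parse item {item!r}")
    attr, op, value = m.groups()
    return attr, op, value.strip('"')


def parse_users(text):
    """Entries as (name, check_items, reply_items, line_number)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":          # indented continuation line: reply items
            entries[-1][2].extend(_parse_item(i) for i in _split_items(raw))
        else:                        # first line: name, then check items
            parts = raw.split(None, 1)
            check = [_parse_item(i) for i in _split_items(parts[1])] if len(parts) > 1 else []
            entries.append((parts[0], check, [], lineno))
    return entries


def process(entries, request):
    """Walk the entries in file order the way rlm_files does."""
    control, reply, matched = {}, {}, []
    for name, check, rep, lineno in entries:
        if name not in ("DEFAULT", request.get("User-Name")):
            continue
        # only == and != are comparisons; =, := and += on the first line are
        # assignments to the control list, which is what made Secret vanish
        if any((op == "==") != (request.get(attr) == value)
               for attr, op, value in check if op in COMPARE_OPS):
            continue
        for attr, op, value in check:
            if op == ":=" or (op not in COMPARE_OPS and attr not in control):
                control[attr] = value
        for attr, op, value in rep:
            if op == ":=" or attr not in reply:
                reply[attr] = value
        matched.append(lineno)
        if reply.pop("Fall-Through", "no").lower() not in ("yes", "1"):
            break
    return control, reply, matched


def xlat(template, request, reply, control):
    """Expand %{Attr} (request list) and %{list:Attr}; missing -> empty string."""
    lists = {None: request, "request": request, "reply": reply, "control": control}
    return _XLAT.sub(lambda m: lists[m.group(1)].get(m.group(2), ""), template)


def exec_command_line(users_text, request):
    """What Exec-Program-Wait would run for this request, plus control list and matched lines."""
    control, reply, matched = process(parse_users(users_text), request)
    return xlat(reply.get("Exec-Program-Wait", ""), request, reply, control), control, matched


REQUEST = {"User-Name": "user1", "User-Password": "secret"}   # constructed

if __name__ == "__main__":
    for label, text in (("as posted", USERS_AS_POSTED), ("fixed", USERS_FIXED)):
        cmd, control, matched = exec_command_line(text, REQUEST)
        print(f"{label}: matched lines {matched}; control={control}\n  {cmd}")
```

With the posted layout the script is started with three empty arguments, because `Secret:=...` on the first line lands in the control list and `%{reply:Secret}` reads the reply list. Reply items are also what goes back to the NAS in the Access-Accept, which is worth keeping in mind when a per-user secret is stored that way.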


Re: Failover fails in proxy.conf

2009-06-15 Thread Ivan Kalik
> With the primary server everything works fine, but my problem is when I
> force to switch to fallover server (I switch off IP 1.2.3.4 machine) my
> freeradius server does not change to request 1.2.3.5 server.

How hard have you tried? It does not mark home server as dead on the first
packet that doesn't get answered. Have a look at proxy.conf and dead and
zombie times.

Ivan Kalik
Kalik Informatika ISP



Re: Access Challenge in freeRadius server

2009-06-15 Thread kpani


Thanks Ivan. 

Not sure how ssh/telnet will handle. But I assume, other than password it
may request for additional RSA key generated to access a particular machine
or something similar to that.

Also, does NAS need any installation to support Access-Challenge like CHAP? 

Regards,
Dhandapani



Ivan Kalik wrote:
> 
>> And also may I know why it is not advised to support Access Challenge for
>> ssh or telnet.
> 
> Nothing to do with what's advisable but with what's available. Will pam
> module on ssh/telnet server be able to handle a challenge and know what to
> do with it?
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> 



-- 
View this message in context: 
http://www.nabble.com/Access-Challenge-in-freeRadius-server-tp24025860p24040267.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



ldap groupmembership_filter - resolved.

2009-06-15 Thread Jeff Davis




Ok.  it's working.  I found it "helpful" to use the correct base dn
when searching for group membership.

Ya gotta love self-inflicted wounds...

Jeff Davis wrote:

  
The two things I have changed to get it working are:
  
in users:
  DEFAULT Auth-Type := LDAP
    Service-Type = NAS-Prompt-User,
    cisco-avpair = "shell:priv-lvl=15",
    Fall-Through = 1
  
and added on the switch:
  
  aaa authorization exec default group radius local
aaa authorization network default group radius local
  
Next - ldapgroupfilter.
  
I have a group of users called "radiususers" - and the following in
radiusd.conf:
  
  groupname_attribute = cn
  groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
  
and in users:
  
  DEFAULT LDAP-Group == radiususers
    Service-Type = Administrative-User
  
But any ldap user can still login regardless of group membership.
  
Where am I screwing up?
  
Thanks,
  
-Jeff
  
  
Ivan Kalik wrote:
  

  19:23:13: RADIUS: no appropriate authorization type for user.

I am all but certain this is a self-inflicted wound.



It is. Have a look at your aaa configuration. Do you see an authorization
line anywhere?

Ivan Kalik
Kalik Informatika ISP

  
  
  
  -- 
Jefferson K Davis
Technology & Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA  93308
USA
661.392.2110 ext 120
  



-- 
Jefferson K Davis
Technology & Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA  93308
USA
661.392.2110 ext 120



Re: rlm_exec wiki

2009-06-15 Thread Charles Gregory

On Mon, 15 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:

I think the initial idea would be to document what/how you've used
exec module to define an attribute - rlm_exec is quite bare on the wiki 
;-)


Uh, yeah, almost forgot, that was actually one of the places I looked 
before I posted on the list. :)


I think before I write anything I will test my script a bit further 
and make sure that it has the complete functionality I expect. I'll be 
doing that this week. I'm gonna get a few shots for this next statement 
(grin), but of course, if I want to write for the wiki, I'm going to have 
to install the latest release, to be sure what I write is valid for the 
most current context. Fortunately I have a test box for stuff like this. :)


Thanks.

- Charles


Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-15 Thread A . L . M . Buxey
hi,

> H. My first gut reaction is that I "don't know enough", but before
> I dismiss this idea, I have to ask what you have in mind.


I think the initial idea would be to document what/how you've used
exec module to define an attribute - rlm_exec is quite bare on the wiki ;-)

alan


Re: Problems with Cisco switch and authorization. - resolved.

2009-06-15 Thread Jeff Davis




The two things I have changed to get it working are:

in users:
DEFAULT Auth-Type := LDAP
    Service-Type = NAS-Prompt-User,
    cisco-avpair = "shell:priv-lvl=15",
    Fall-Through = 1

and added on the switch:

aaa authorization exec default group radius local
aaa authorization network default group radius local

Next - ldapgroupfilter.

I have a group of users called "radiususers" - and the following in
radiusd.conf:

groupname_attribute = cn
groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))

and in users:

DEFAULT LDAP-Group == radiususers
    Service-Type = Administrative-User

But any ldap user can still login regardless of group membership.

Where am I screwing up?

Thanks,

-Jeff


Ivan Kalik wrote:

  
19:23:13: RADIUS: no appropriate authorization type for user.

I am all but certain this is a self-inflicted wound.

  
  
It is. Have a look at your aaa configuration. Do you see an authorization
line anywhere?

Ivan Kalik
Kalik Informatika ISP

  


-- 
Jefferson K Davis
Technology & Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA  93308
USA
661.392.2110 ext 120


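The groupmembership_filter above is expanded with the `%{Stripped-User-Name:-%{User-Name}}` alternation, the substituted value is escaped, and the result is searched under a base DN; Jeff's follow-up says the base DN used for that group search was the problem. The block below is an added example, not rlm_ldap code: a toy in-memory directory with constructed entries (user jdoe under ou=People, groups radiususers and staff under ou=Group, all beneath an assumed dc=example,dc=org suffix) shows the same filter returning nothing under the wrong base and the right group under the correct one, with RFC 4515 escaping of the username applied on the way in.

```python
"""Expand rlm_ldap's groupmembership_filter and search a toy directory, to
show the effect of the group-search base DN.  Added example, not rlm_ldap
code; the directory entries and the dc=example,dc=org suffix are constructed."""
import re

GROUPMEMBERSHIP_FILTER = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
GROUPNAME_ATTRIBUTE = "cn"

# %{Attr} or %{Attr:-%{Other}} (use Other when Attr is absent or empty)
_XLAT = re.compile(r"%\{([A-Za-z0-9\-]+)(?::-%\{([A-Za-z0-9\-]+)\})?\}")
_HEX = re.compile(r"\\([0-9A-Fa-f]{2})")


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of a value substituted into a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def expand_filter(template: str, request: dict) -> str:
    """Substitute request attributes into the filter, escaped."""
    def repl(m):
        value = request.get(m.group(1))
        if not value and m.group(2):
            value = request.get(m.group(2))
        return ldap_escape(value or "")
    return _XLAT.sub(repl, template)


# constructed directory: one user under ou=People, two groups under ou=Group
DIRECTORY = [
    {"dn": "uid=jdoe,ou=People,dc=example,dc=org",
     "objectClass": ["posixAccount"], "uid": ["jdoe"]},
    {"dn": "cn=radiususers,ou=Group,dc=example,dc=org",
     "objectClass": ["posixGroup"], "cn": ["radiususers"], "memberUid": ["jdoe"]},
    {"dn": "cn=staff,ou=Group,dc=example,dc=org",
     "objectClass": ["posixGroup"], "cn": ["staff"], "memberUid": ["asmith"]},
]


def _parse_filter(s: str, i: int = 0):
    """Tiny RFC 4515 subset: (&..), (|..), (!..) and (attr=value)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, subs), i + 1
    j = s.index(")", i)            # an escaped ')' is \29, so this is safe
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, _HEX.sub(lambda m: chr(int(m.group(1), 16)), value)), j + 1


def _matches(node, entry) -> bool:
    if node[0] == "=":
        return node[2] in entry.get(node[1], [])   # exact match in this toy
    op, subs = node
    if op == "&":
        return all(_matches(n, entry) for n in subs)
    if op == "|":
        return any(_matches(n, entry) for n in subs)
    return not _matches(subs[0], entry)


def search(base_dn: str, filter_str: str):
    """Subtree search: entries whose DN ends in base_dn and match the filter."""
    node, end = _parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing garbage in filter")
    return [e for e in DIRECTORY
            if e["dn"].lower().endswith(base_dn.lower()) and _matches(node, e)]


def user_groups(request: dict, group_base_dn: str):
    """Group names the filter finds for this request under group_base_dn."""
    flt = expand_filter(GROUPMEMBERSHIP_FILTER, request)
    return sorted(v for e in search(group_base_dn, flt)
                  for v in e.get(GROUPNAME_ATTRIBUTE, []))


def ldap_group_check(request: dict, group_base_dn: str, group: str) -> bool:
    """The 'LDAP-Group == group' check item from the users file."""
    return group in user_groups(request, group_base_dn)


if __name__ == "__main__":
    req = {"User-Name": "jdoe"}
    for base in ("ou=People,dc=example,dc=org", "ou=Group,dc=example,dc=org"):
        print(base, "->", user_groups(req, base))
```

Two points the model makes visible: the group search has to start at a base that actually contains the group entries (a people subtree finds nothing, however correct the filter), and `LDAP-Group == radiususers` is a check item that only selects reply items for members; with the preceding DEFAULT entry falling through, non-members are still accepted, which is a separate matter from the base-DN fix.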

Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-15 Thread John Dennis

Enough already :-) Take it off list please.

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-15 Thread Charles Gregory

On Mon, 15 Jun 2009, Arran Cudbard-Bell wrote:
See the thing is a lot of the documentation pitfalls aren't there in 2.*, a 
lot of the inconsistencies aren't there in 2.*. I know, because I regularly 
play the dumb user and pester Alan about niggly bits of syntax and 
documentation.


I try to be a fair person. And I knew that one argument used against me 
would be that the docs had improved since version 1.x, but when I had a 
look I found that this 'basic' element remained essentially unchanged.

Indeed the one change I spotted was that the references to 'exec-program'
had disappeared! But there was nothing more about 'exec' modules. And when 
I checked the documentation for the latest release, neither the users file 
itself nor the documentation for it mentions 'exec'. So I would still
have found no help there. And the docs for radiusd.conf remained 
the same.


Think of it this way. In the French language, when someone turns a light 
on they say "make the light OPEN". They *mean* the same thing, but they 
use a different word. But if you don't *know* that, you can spend a lot of 
time trying to figure out why someone wants to 'open' something that you 
just want to turn 'on'.


Thus it was with my understanding of config files in FreeRADIUS. I came 
from a background where config files only contained constants. Nothing 
dynamic. I had come so far as to realize that we could 'specify' modules 
in the main config file, but presumed that sub files remained lists of 
constant specifications. There was no mention of executable code in the 
users file comments, so I presumed that was just the 'wrong place'.


My bad? Well, yes, BUT I would expect that any expert on RADIUS would have 
long ago encountered this kind of thinking and recognize it for what it 
is. And if they really wanted to help, they'd be sure to say a few 'basic' 
things like "what you are looking for is in the README, not the 
individual files". That was all I was asking for, but instead I get this 
attitude like I failed to take advice (sigh)


I've been following this thread (mostly for its Jerry Springer'esq 
qualities) and I saw where you stumbled. The documentation in v1 is far 
from perfect, but if you'd actually read around a bit more then you'd 
have figured out exactly what was going on.


Actually, I *did* exactly that. My only complaint was that I had to hunt 
at random through files I never imagined containing what I wanted. If 
someone had grasped that I was 'not getting it' they could have just 
pointed me where I needed to go. Not saying they were obliged to do so, 
but I am saying they shouldn't treat their failure to do so with the 
attitude that they did 'enough' to help.


The *only* place in 1.* where the syntax used in the rlm_exec example 
exists is in the users file.


Actually, to the uninitiated, that is NOT true. Within the module 
definitions in the radiusd.conf there are numerous 'assignments' of 
values to 'variables' that look remarkably similar to attribute 
assignments. Only once it has been *explained* would I realize that there 
is something special about the users file 'assignments'. And again, I 
point out that the syntax of assigning an executable to an attribute is 
*not* given as an example in the users file. If only it had been, then I 
would have figured it all out without this mess.


But then again, I would also have been using an older technique.

But you're not a user, you're a sysadmin/developer. It's assumed that 
you'll have a modicum of initiative.


Certainly. I *did* find my answer on my own. (smile)

This is the stumbling point. I thought I had looked in all the obvious and 
relevant documents. And enough of them were lacking in detail that I don't 
think anyone can fairly say I didn't bother to look for my answer before I 
posted my question. And that's why I get angry when people just say I was 
offered lots of options. No, not really. They were only options for 
someone who (and I know this happens) posts a question without having read 
*any* of the documentation. I had hoped my included syntax sample would 
have demonstrated that I had made progress. :) But really, if no one 
grasped that I was lacking that key concept, then how would they know to 
tell me where to look for what I wanted? So who is to blame there?


I don't always agree with Alan's way of dealing with users on the list, 
but I understand why he's the way he is.


I understand it too. I just figure if he wants to be helpful, then he could 
try to understand how he wasn't. Yes, it is mostly *my* shortcoming, but 
when someone like me doesn't *know* he has a shortcoming, just saying 
'read the docs' or 'upgrade to 2.x' does not fix this error. I hope my 
comments lend themselves to increased awareness of ignorance and better 
handling of it.



 In all honesty, I don't even know what 'EAP' is.
Extensible Authentication Protocol, it's the Authentication protocol used in 
802.1X (WPA-Enterprise etc...).


Silly 

mod_auth_radius

2009-06-15 Thread Thomas Noppe
Hi,

Has anyone compiled the mod_auth_radius module for apache 2.x on windows?
Where can I download the binary?

Kind regards

-
Thomas Noppe
Dienst Informatiesystemen - S&O

thomas.no...@uzleuven.be
+32 16 34 79 87
+32 16 34 78 01
UZ Leuven | campus Gasthuisberg | Herestraat 49 | B - 3000 Leuven | 
www.uzleuven.be


Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-15 Thread Arran Cudbard-Bell

On 15/6/09 16:37, Charles Gregory wrote:

On Mon, 15 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:

one of the main issues is using a distro version of the code.


(nod) Once John mentioned a folder I just didn't have, the light came on
(so to speak) :)


...they might have been dumped into somewhere like /usr/share/doc/radiusd
or somesuch.


(smile) Nope. But good thought.
Strictly speaking, all the information I needed was in the various
documentation files. I just made an error of presumption from the 'look'
of the code and examples and comments in the 'radiusd.conf' file


you can get v2.x for CentOS - read the WIKI - theres a repository for
it too so it will get updated with new versions.


Well, if I had been unable to make the existing package work, it was
certainly an option. But it's better the way I have it now. :)


as for 'marking you down as yet another stubborn user' - well I thought
by singularly attacking the project leaader/manager you were wanting to
be thought of like that ;-)


I hope I don't set off another round of garbage with this comment, but
quite honestly, he has an attitude I've never seen in a project leader.
Usually they are the ones who have had years of experience dealing with
newbies and *know* the stupid 2+2=3 mistakes that people like me can
make, and would be the first one to say, "hey, dummy, that goes in the
users file". But instead, I got. what I got.


See the thing is a lot of the documentation pitfalls aren't there in 2.*, a
lot of the inconsistencies aren't there in 2.*. I know, because I regularly
play the dumb user and pester Alan about niggly bits of syntax and
documentation.


I've been following this thread (mostly for its Jerry Springer'esq
qualities) and I saw where you stumbled. The documentation in v1 is far
from perfect, but if you'd actually read around a bit more then you'd have
figured out exactly what was going on. The *only* place in 1.* where the
syntax used in the rlm_exec example exists is in the users file.



I work in a similar capacity being both the developer/admin for our
internet service *and* the helpdesk. And the one thing I've learned in
dealing with people on the phone is how differently all sorts of people
will think, and how difficult some concepts are to get across even when
they seem 'simple' and 'obvious' to me.


But you're not a user, you're a sysadmin/developer. It's assumed that
you'll have a modicum of initiative. I don't always agree with Alan's way
of dealing with users on the list, but I understand why he's the way he is.




 It takes some time and patience,
but I've learned to recognize the signs of the user who 'thinks
differently' and know those special things I need to mention to get them
back 'on track', and get them thinking the right way.


seriously though, most (if not all) support will be for 2.x now - as
thats what most of us run - due to wanting the features, stability and
speed (yes, lots of speed!) of the new version. we all used to run 1.x
and deal with common/similar issues... we now run 2.x and do the same.


If I had 'issues' (aka problems) I would quite simply upgrade. It would
not be worth my time or effort to try and fight with problematic old
code. But FR is *not* problematic. It was just my understanding. I
needed to know *how* to do what I wanted to do. It's always been my
ignorance.
And I've not asked anyone to 'hand hold'. I just figured there had to be
some working examples out there from the 1.x days.


 with EAP, 2.x is almost a must (unless you want your DB etc hit
far too many times).


In all honesty, I don't even know what 'EAP' is.


Extensible Authentication Protocol, it's the Authentication protocol used in 
802.1X (WPA-Enterprise etc...).

[snip]



That's what I hope for. That people who mean to help really do help.
I have my answer. My problem is solved. I can just walk away. But that
doesn't help the next person who falls over the same shortfall in the
old docs. If nothing else, I will be here to help them if I see their
post. :)



If you genuinely want to help other FreeRADIUS v1 users, then you can contact 
me, or any other wiki admins for an account.

Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-15 Thread Charles Gregory

On Mon, 15 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:

Charles, this is an unpaid community support list. you are coming
across as a very angry person with no regard that the people
on this list aren't paid to give you information which is probably
essential for you to actually do your work, get paid etc.


We have nothing to fear but fear itself. The thing which makes me angry is 
not that people choose to be unhelpful. If Mr. DeKok really thinks I'm not 
worth his time and just doesn't answer my posts, then I have no problem 
with that. I end up doing exactly what I *did* do: I worked it out on my 
own.


What angers me is when I get accused of doing things I didn't do, or of 
rejecting help I didn't receive. This can be subtle. If someone says 'go 
read the docs' am I 'rejecting' that suggestion when I believe I've 
already read all the relevant documentation I could find? It is even more 
angering when you consider that the original question was to ask where 
there might be more docs/examples. At any point someone could have 
said, "did you look in /usr/share/docs/README". I'd feel like a dummy, but I 
would have gotten an important clue about one way to do this. Instead, I 
read the man pages, and read the comments in the config files, and I'm 
sorry, but they were confusing to the point of being misleading.


I'm not asking that people correct docs for an old version, but please 
stop accusing me of failing to do my legwork or heed suggestions to read 
those docs when I've SAID I've done it already.


Yes, makes me quite angry. :)

if you'd actually like any help/advice in the future from the community 
it's probably best that you realise we are all humans, we too suffer from 
undocumented bits (and then use the WIKI or the mailing list to 
disseminate such information) rather than make a big hoo haa out of such 
a piffling little issue and personally attack people.


Actually I'm making a big 'hoo haa' out of being personally attacked with 
these blatantly false claims. Someone with Mr. DeKok's (now) obvious 
knowledge and expertise should never say "I have no idea", like I had 
failed to even lay out the basic intent and method I was trying to use.
He made it sound like I had posted little or nothing about what I was 
trying to do. As near as you can get to lying about me as I think you can 
with a clever indirect statement. And yes, lying about me really angers 
me.



one day you may need real help regarding a feature or option


With respect, why would that be any different than now? That's my point 
about making the big fuss. If the people who *could* help don't reflect 
and refine their understanding of *how* they help, then even if I shut my 
mouth and was very polite, I would have no expectation of ever getting any 
help on anything that I could not look up myself in a man page or file.
Yes, I'm well aware that I could be shooting myself in the foot by 
angering the people who might help me, but they *weren't* helping, so 
really, I lose nothing. While I might stand to gain proper understanding 
of how I was not helped and by extension, help not only myself but anyone 
else in a similar 'newbie' position in future.


I can't predict the future but I can say the future is always more 
promising if you can look back and say you've never burnt your bridges.


To be honest, if I wanted to burn bridges I would just unsubscribe from 
the group. Burn and forget. No, I'm still hanging onto the assumption that 
the people who argue so passionately actually *do* care, and if I can 
convince them that they fell short in this case, and that not all the 
blame is mine, then maybe that will be of lasting benefit, rather than 
leaving things at the status quo, where a certain percentage of people 
just don't get help (even though others think they are).


Thanks for your thoughts Alan. I know I'm an angry argumentative person, 
but I always do so with the intent to make things BETTER.


- Charles
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Failover fails in proxy.conf

2009-06-15 Thread Santiago Balaguer García

Hi,

 

I am using the freeradius 2.1.3 version in my AAA servers.

I am configuring the failover for the myrealm.com in proxy.conf.

For myrealm.com realm I have two AAA servers: 1.2.3.4 and 1.2.3.5



home_server primary_server {
type = auth+acct
ipaddr = 1.2.3.4
port = 1812
secret = mysecret
require_message_authenticator = no
response_window = 5
zombie_period = 60
revive_interval = 5
status_check = status-server
check_interval = 60

num_answers_to_alive = 3
}
home_server secondary_server {
type = auth+acct
ipaddr = 1.2.3.5
port = 1812
secret = mysecret
require_message_authenticator = no
response_window = 5
zombie_period = 60
revive_interval = 5
status_check = status-server
check_interval = 60

num_answers_to_alive = 3
}

 

home_server_pool roam_pool {
type = fail-over
home_server = primary_server

home_server = secondary_server
}
realm myrealm.com {
nostrip
pool= roam_pool
}

#

With the primary server everything works fine, but my problem is when I force 
the switch to the failover server (I switch off the 1.2.3.4 machine): my freeradius 
server does not change over to the 1.2.3.5 server.

 

I try the following configuration:

home_server primary_server {

...

}

home_server secondary_server {

...

}

home_server_pool roam_pool {
type = fail-over
home_server = primary_server

}
realm myrealm.com {
nostrip
pool= roam_pool
}

home_server_pool roam_pool2 {
type = fail-over
home_server = secondary_server
}
realm myrealm.com {
nostrip
pool= roam_pool2
}


With the same result --> does not work.

 

Any suggestion?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
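A quick way to catch the structural problems in the second attempt before starting radiusd, as an added example written for this thread rather than anything from FreeRADIUS itself: a small Python script that parses the proxy.conf stanzas and cross-checks the home_server, home_server_pool and realm references. The two configuration strings inside it are constructed from the post above (the first mirrors the second attempt, the second is a corrected version); the one-member fail-over pools and the twice-declared realm are what it flags.

```python
"""Cross-checks for the fail-over stanzas of a FreeRADIUS 2.x proxy.conf.

Added illustration written for this thread; a stand-alone script, not part
of FreeRADIUS.  It reads just enough of the brace-delimited proxy.conf syntax
to resolve home_server / home_server_pool / realm references and to report
a fail-over pool with a single member and a realm declared twice.
"""
import re
from collections import Counter

SECTION_RE = re.compile(r"^(\w+)(?:\s+(\S+))?\s*\{$")   # e.g. 'home_server_pool roam_pool {'
KV_RE = re.compile(r"^([\w-]+)\s*=\s*(.*)$")             # e.g. 'pool= roam_pool'


def parse_sections(text):
    """Return [(kind, name, [(key, value), ...])] for the top-level sections.

    Comments are stripped, nested blocks are skipped (their keys are not
    attributed to the parent) and repeated keys such as several
    'home_server =' lines in one pool are kept in order.
    """
    sections, depth = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            depth += 1
            if depth == 1:
                sections.append((m.group(1), m.group(2), []))
        elif line == "}":
            depth -= 1
        elif depth == 1 and (m := KV_RE.match(line)):
            sections[-1][2].append((m.group(1), m.group(2).strip()))
    return sections


def check_failover(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    sections = parse_sections(text)
    servers = {name for kind, name, _ in sections if kind == "home_server"}
    pools = {name: kv for kind, name, kv in sections if kind == "home_server_pool"}
    findings = []

    for name, kv in pools.items():
        members = [v for k, v in kv if k == "home_server"]
        for member in members:
            if member not in servers:
                findings.append(f"pool {name}: home_server {member} is not defined")
        # fail-over is the default pool type when none is given.
        if dict(kv).get("type", "fail-over") == "fail-over" and len(members) < 2:
            findings.append(f"pool {name}: fail-over pool lists {len(members)} home_server, "
                            "so there is nothing to fail over to")

    realms = [(name, dict(kv)) for kind, name, kv in sections if kind == "realm"]
    for name, kv in realms:
        if "pool" in kv and kv["pool"] not in pools:
            findings.append(f"realm {name}: pool {kv['pool']} is not defined")
    for name, count in Counter(name for name, _ in realms).items():
        if count > 1:
            findings.append(f"realm {name}: declared {count} times; a second block with "
                            "the same name does not give the realm a fallback pool")
    return findings


# Constructed input modelled on the second configuration in the message above.
BROKEN_CONF = """
home_server primary_server {
    ipaddr = 1.2.3.4
}
home_server secondary_server {
    ipaddr = 1.2.3.5
}
home_server_pool roam_pool {
    type = fail-over
    home_server = primary_server
}
realm myrealm.com {
    pool= roam_pool
}
home_server_pool roam_pool2 {
    type = fail-over
    home_server = secondary_server
}
realm myrealm.com {
    pool= roam_pool2
}
"""

# Constructed corrected version: both servers in one pool, the realm declared once.
FIXED_CONF = """
home_server primary_server {
    ipaddr = 1.2.3.4
}
home_server secondary_server {
    ipaddr = 1.2.3.5
}
home_server_pool roam_pool {
    type = fail-over
    home_server = primary_server
    home_server = secondary_server
}
realm myrealm.com {
    pool = roam_pool
}
"""

if __name__ == "__main__":
    for finding in check_failover(BROKEN_CONF):
        print(finding)
    print("fixed config:", check_failover(FIXED_CONF) or "no findings")
```

The parser is deliberately narrow (one section header per line, a closing brace on its own line), which is how proxy.conf is normally written; it is a pre-flight check on the references, not a replacement for the server's own configuration parsing.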

Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-15 Thread Charles Gregory

On Mon, 15 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:

one of the main issues is using a distro version of the code.


(nod) Once John mentioned a folder I just didn't have, the light came on 
(so to speak) :)



...they might have been dumped into somewhere like /usr/share/doc/radiusd
or somesuch.


(smile) Nope. But good thought.
Strictly speaking, all the information I needed was in the various
documentation files. I just made an error of presumption from the 'look'
of the code and examples and comments in the 'radiusd.conf' file


you can get v2.x for CentOS - read the WIKI - there's a repository for
it too so it will get updated with new versions.


Well, if I had been unable to make the existing package work, it was 
certainly an option. But it's better the way I have it now. :)



as for 'marking you down as yet another stubborn user' - well I thought
by singularly attacking the project leader/manager you were wanting to
be thought of like that ;-)


I hope I don't set off another round of garbage with this comment, but 
quite honestly, he has an attitude I've never seen in a project leader. 
Usually they are the ones who have had years of experience dealing with 
newbies and *know* the stupid 2+2=3 mistakes that people like me can make, 
and would be the first one to say, "hey, dummy, that goes in the users 
file". But instead, I got... what I got.


I work in a similar capacity being both the developer/admin for our
internet service *and* the helpdesk. And the one thing I've learned in 
dealing with people on the phone is how differently all sorts of people 
will think, and how difficult some concepts are to get across even when 
they seem 'simple' and 'obvious' to me. It takes some time and patience, 
but I've learned to recognize the signs of the user who 'thinks 
differently' and know those special things I need to mention to get them 
back 'on track', and get them thinking the right way.


seriously though, most (if not all) support will be for 2.x now - as 
that's what most of us run - due to wanting the features, stability and 
speed (yes, lots of speed!) of the new version. we all used to run 1.x 
and deal with common/similar issues... we now run 2.x and do the same.


If I had 'issues' (aka problems) I would quite simply upgrade. It would 
not be worth my time or effort to try and fight with problematic old code. 
But FR is *not* problematic. It was just my understanding. I needed to 
know *how* to do what I wanted to do. It's always been my ignorance.
And I've not asked anyone to 'hand hold'. I just figured there had to be 
some working examples out there from the 1.x days.


 with EAP, 2.x is almost a must (unless you want your DB etc hit far 
too many times).


In all honesty, I don't even know what 'EAP' is. Maybe it could handle
some of what I want to do. I don't know. I have an existing perl script 
which until now has been functioning strictly as a stand-alone daemon 
handling radius log output, and sending disconnect commands directly to 
the NAS. Now we want to set Session-Timeout and eliminate that 'timing' 
aspect of the script. But all the database handling, time quota management 
and so on are already coded. I'm just adapting an existing script to work 
as a module.


And I've figured out how radius handles that, so I think I'm okay.
The rest of this discussion generally boils down to the helpdesk geek in 
me analyzing why the people with the knowledge couldn't seem to 
communicate that knowledge clearly to the newbie ignoramus (me).

If I were genuinely lazy and hadn't read a single doc file, then maybe
there would be a legitimate complaint that I should 'go read docs', but I 
indicated right up front that I had read docs, searched archives and so 
on. I was hoping someone would say "did you look in the doc/README" or 
something similar that would point me to the doc with the information that 
I needed. But it didn't happen. (sigh)


But if people (particularly Mr. DeKok) are going to have this attitude 
that amounts to "we tried to help but you ignored us" then I think that 
serves no one. The next person along with the same lack of comprehension 
will be no better helped than I was. But if the people with the knowledge 
admit that their 'help' did not suit the target audience, and that it 
needs to be clearer and more specific, then future inquiries like mine 
will be met with a clearer and helpful response.


That's what I hope for. That people who mean to help really do help.
I have my answer. My problem is solved. I can just walk away. But that 
doesn't help the next person who falls over the same shortfall in the old 
docs. If nothing else, I will be here to help them if I see their post. :)


- Charles
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius and Alvarion

2009-06-15 Thread Ben Wiechman
It looks like you're using the non-802.16e release. If you are using 802.16e
someone sent you the wrong information.

The service configuration is different under Eth CS and IP CS. Which are you
using?

Ben

> -Original Message-
> From: freeradius-users-
> bounces+wiechman.lists=gmail@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+wiechman.lists=gmail@lists.freeradius.org] On Behalf Of
> Jairos Jackson
> Sent: Friday, June 12, 2009 6:27 AM
> To: 'FreeRadius users mailing list'
> Subject: RE: Freeradius and Alvarion
> 
> I do not have any Vlans, I am working with only one subnet for all my
> connections...
> 
> 
> 
> .
> 
> > I got the below info from some guys who support Alvarion Wimax and
> they
> > say
> > all is ready on the Alverion staff only left with changes on the
> radius
> > server. I have to have the string below ready(still don't know how to
> come
> > up with such a string).
> >
> 
> There is nothing to change on the radius server. Pap works by default.
> 
> > Pointers from alvarion guys
> >
> 
> .
> >
> > "With regards to the VSA's (vendor specific attributes) that the base
> > station requires is as follows:
> >
> > n=Service_name:v=:h=ON/OFF:a=:c=ON/OFF
> >
> > n=Service_name(Service profile created on the BS)
> > :v=(list of VLANS allowed on this link
> > blank
> > if untagged)
> > :h=ON/OFF   (Hybrid mode on or off)
> > :a=( Access VLAN on or off and if on the VLAN ID
> > :c=ON/OFF( VLAN Classification Mode on or
> off)
> >
> > The string needs to be sent as one continuous string as in the example
> > above."
> >
> 
> You need to make an entry like this in users file:
> 
> mac-add-ress Cleartext-Password := "mac-add-ress"
>  That-Alvarion-VSA = "that_string"
> 
> *You* will have to come up with the string. We can't make it up for you.
> There is nothing mysterious in their instructions - you should know
> answer
> to all of these (do you want features on or off, what VLAN is/are to be
> used, if any, ...).
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Cleartext password between NAS and Radius Server

2009-06-15 Thread Alan DeKok
kpani wrote:
> When we use PAP for user authentication, the password will be passed from
> user to NAS(radius client) as cleartext password. But how is it transmitted
> from NAS to Radius server? 1) As clear text password? or 2)  The password is
> encrypted using the secret keyword(used in both radius client & server) and
> decrypted using secret key in server. Please correct me. I am seeing
> different answers in web pages.

  (2)

  See http://freeradius.org/rfc/attributes.html

  Click on User-Password.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
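Alan's answer (2) in concrete form, as an added example for this page rather than code from the thread or from FreeRADIUS: the User-Password hiding of RFC 2865 §5.2 implemented in Python for both the NAS side and the server side. The secret, password and Request Authenticator values are constructed for the demo. It makes the security consequence visible: the password travels XORed with MD5(secret + Request Authenticator) blocks, so its confidentiality on the NAS-to-server hop rests entirely on the shared secret and on the NAS choosing a fresh random Request Authenticator for every packet.

```python
"""User-Password hiding from RFC 2865 §5.2, answer (2) in the message above.

Added illustration, not FreeRADIUS code.  The NAS never sends the PAP
password in the clear: it XORs the NUL-padded password with an MD5 stream
keyed on the shared secret and the 16-byte Request Authenticator of that
packet, and the server reverses the same steps.  This is keyed obfuscation,
not authenticated encryption: the password is exactly as safe as the shared
secret, and a predictable Request Authenticator would reuse the keystream.
"""
import hashlib
import os


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """NAS side: return the User-Password attribute value sent on the wire."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets (RFC 2865)")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-octet blocks
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()  # b_1 = MD5(S + RA), b_i = MD5(S + c_(i-1))
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: undo hide_password() and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ k for x, k in zip(c, b))
        prev = c  # chaining uses the ciphertext block, exactly as on the NAS side
    return bytes(out).rstrip(b"\x00")


def demo():
    """Round trip with constructed values: a shared secret, a fresh RA, a password."""
    secret = b"testing123"   # constructed demo value
    ra = os.urandom(16)      # a NAS picks a fresh random Request Authenticator per request
    hidden = hide_password(b"hunter2", secret, ra)
    return {
        "on_wire_len": len(hidden),                                      # 16: one padded block
        "round_trip": reveal_password(hidden, secret, ra),               # b"hunter2"
        "wrong_secret_round_trips": reveal_password(hidden, b"other", ra) == b"hunter2",       # False
        "same_password_other_ra": hide_password(b"hunter2", secret, os.urandom(16)) == hidden,  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running demo() shows the round trip succeeding with the right secret and producing garbage with a wrong one, and two requests for the same password yielding different on-wire bytes because the Request Authenticator differs. The padding is why the hidden value is always a multiple of 16 octets, and why a server can only strip trailing NULs rather than know the exact password length from the packet.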


Cleartext password between NAS and Radius Server

2009-06-15 Thread kpani

Hi,

I am using PAP for radius authentication. I have a general question here.

When we use PAP for user authentication, the password will be passed from
user to NAS(radius client) as cleartext password. But how is it transmitted
from NAS to Radius server? 1) As clear text password? or 2)  The password is
encrypted using the secret keyword(used in both radius client & server) and
decrypted using secret key in server. Please correct me. I am seeing
different answers in web pages.

Regards,
Dhandapani
-- 
View this message in context: 
http://www.nabble.com/Cleartext-password-between-NAS-and-Radius-Server-tp24035942p24035942.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Access Challenge in freeRadius server

2009-06-15 Thread kpani

Thanks Ivan. 

Not sure how ssh/telnet will handle. But I assume, other than password it
may request for additional RSA key generated to access a particular machine
or something similar to that.

Regards,
Dhandapani



Ivan Kalik wrote:
> 
>> And also may I know why it is not advised to support Access Challenge for
>> ssh or telnet.
> 
> Nothing to do with what's advisable but with what's available. Will pam
> module on ssh/telnet server be able to handle a challenge and know what to
> do with it?
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Access-Challenge-in-freeRadius-server-tp24025860p24035107.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: build error on Solaris (undefined symbol)

2009-06-15 Thread Ihsan Dogan
Alan DeKok wrote:

>> Have you been using as well the most recent version 2.2.6a of libtool?
> 
>   No.  You should use the version of libtool that comes with the server.

I'm very sorry, but I've mixed up something here. I tested it also with
the system libtool, but the error message is from the libtool that comes
with the server.

I'm wondering now, what the difference between your system and my system
is. It's slightly weird that it works for you and not for me.


Ihsan

-- 
ih...@dogan.ch  http://blog.dogan.ch/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Missing Realm when entering second authorization group

2009-06-15 Thread Xiwen Cheng
On Mon, Jun 15, 2009 at 10:54:10AM +0100, Ivan Kalik wrote:
> Don't proxy internally. Remove that home server and leave only the realm
> as local realm:

Thank you and everybody's replies! That did the trick. 

Kind regards,
Xiwen

-- 
--
Xiwen Cheng
System Administrator;" Enthusiasm is contagious,
Mathematical Institute  ;  but hype is a disease. "
Leiden University   ;E-mail: xch...@math.leidenuniv.nl
Niels Bohrweg 1 K210;Office: (+31) 715277134
2333 CA Leiden  ;Mobile: (+31) 69991
The Netherlands ;GPG Key id: 194F572B
++


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius, PostgreSQL and One-Time-Password backends

2009-06-15 Thread Ivan Kalik
> So i start by adding the section to proxy.conf
>
> --proxy.conf
> realm Safeword {
> type = radius
> authhost= :1645
> accthost= :1646
> secret  = 
> }
>
> realm Portwise {
> type = radius
> authhost= :1645
> accthost= :1646
> secret  = 
> }
>
>
> But how do i configure users file so that it does query the SQL-database?

You don't. Use unlang.

> Let's say every user-record contains information in the table
> Authentication-Server (Safeword or Portwise).

update control {
 Proxy-To-Realm := %{sql:"SELECT...FROM Authentication-Server WHERE..."}
}

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Access Challenge in freeRadius server

2009-06-15 Thread Ivan Kalik
> And also may I know why it is not advised to support Access Challenge for
> ssh or telnet.

Nothing to do with what's advisable but with what's available. Will pam
module on ssh/telnet server be able to handle a challenge and know what to
do with it?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius, PostgreSQL and One-Time-Password backends

2009-06-15 Thread Alan DeKok
mikoi wrote:
> But how do i configure users file so that it does query the SQL-database?

  You don't.  You edit raddb/sites-available/default,
raddb/radiusd.conf, and raddb/sql.conf

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: build error on Solaris (undefined symbol)

2009-06-15 Thread Alan DeKok
Ihsan Dogan wrote:
> Have you been using as well the most recent version 2.2.6a of libtool?

  No.  You should use the version of libtool that comes with the server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius, PostgreSQL and One-Time-Password backends

2009-06-15 Thread mikoi

OK. So it seems to be possible.
So i start by adding the section to proxy.conf

--proxy.conf
realm Safeword {
type = radius
authhost= :1645
accthost= :1646
secret  = 
}

realm Portwise {
type = radius
authhost= :1645
accthost= :1646
secret  = 
}


But how do i configure users file so that it does query the SQL-database?
Let's say every user-record contains information in the table
Authentication-Server (Safeword or Portwise).

Regards
Mika
-- 
View this message in context: 
http://www.nabble.com/Freeradius%2C-PostgreSQL-and-One-Time-Password-backends-tp23996193p24034395.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: build error on Solaris (undefined symbol)

2009-06-15 Thread Ihsan Dogan
Hello Alan,

Alan DeKok wrote:

Thank you for the very quick reply.

>> I'm trying to build FreeRADIUS on Solaris (versions 9 and 10) and I'm
>> getting this error:
>> Undefined   first referenced
>>  symbol in file
>> lt__PROGRAM__LTX_preloaded_symbols  .libs/modules.o
> 
>   I have no idea how to fix that.  It builds for me on Solaris.

Have you been using as well the most recent version 2.2.6a of libtool?

>> Configure runs fine. I've tried to build FreeRADIUS with Sun Studio 12
>> and GCC 4.3.3 and both show the same error.
> 
>   Are you disabling the ltdl install?

No.

>   What configure options are you using?

./configure --prefix=/opt/csw --exec_prefix=/opt/csw
--bindir=/opt/csw/bin --sbindir=/opt/csw/sbin
--libexecdir=/opt/csw/libexec --datadir=/opt/csw/share
--sysconfdir=/opt/csw/etc --sharedstatedir=/opt/csw/share
--localstatedir=/opt/csw/var --libdir=/opt/csw/lib
--infodir=/opt/csw/share/info --includedir=/opt/csw/include
--mandir=/opt/csw/share/man

Nothing special so far.



Ihsan

-- 
ih...@dogan.ch  http://blog.dogan.ch/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Access Challenge in freeRadius server

2009-06-15 Thread kpani

Thanks Ivan for the clarification. I am just setting up the tool eapol_test
to test it. Thanks.

But I am also investigating whether it is possible to achieve Access
Challenge with ssh/telnet without using any other tools. Could you please
help if you have done it before?

And also may I know why it is not advised to support Access Challenge for
ssh or telnet.

Regards,
Dhandapani


Ivan Kalik wrote:
> 
>> I am trying to authorize the ssh and telnet login users of my Redhat
>> Linux
>> machine using freeRadius server.
>>
>> I am able to test Access-Accept and Access-Reject with right and wrong
>> credentials respectively by configuring the file '/etc/pam.d/sshd' with
>> entry pam_radius_auth.so.
>>
>> But I do not know how to achieve and test the Access-Challenge concept.
> 
> Do you need to? ssh and telnet supplicants tend not to use protocols with
> challenge-response exchange.
> 
>> I
>> mean what type of input will result in Access Challenge (I know it
>> happens
>> when we provide partial login information but not sure how to achieve
>> with
>> login in real time)?
> 
> Send an eap request (eapol_test).
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Access-Challenge-in-freeRadius-server-tp24025860p24033950.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Robust proxy accounting

2009-06-15 Thread Alan DeKok
Chris Howley wrote:
> This is the debug output using the latest release of 2.1.7 from 
> http://git.freeradius.org/pre.

  Arg.  There was an idiotic typo in the code.  I can't help but feel at
least partially responsible.

  OK... I've put the updated version on the same web site.  You don't
have to re-configure && re-build.  Just copy src/main/event.c from the
newer "tar" file to where-ever you had built the previous snapshot of 2.1.7.

$ mkdir foo
$ cd foo
$ wget http://git.freeradius.org/freeradius-server-2.1.7.tar.gz
$ tar -zxf freeradius-server-2.1.7.tar.gz
$ cd freeradius-server-2.1.7/src/main/
$ cp event.c ~/previous-version/src/main/event.c
$ cd ~/previous-version/src/main
$ make
$ make install

  And that *should* fix it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: build error on Solaris (undefined symbol)

2009-06-15 Thread Alan DeKok
Ihsan Dogan wrote:
> I'm trying to build FreeRADIUS on Solaris (versions 9 and 10) and I'm
> getting this error:
> Undefined   first referenced
>  symbol in file
> lt__PROGRAM__LTX_preloaded_symbols  .libs/modules.o

  I have no idea how to fix that.  It builds for me on Solaris.

  Random people seem to be running into this on various platforms, and I
don't know why.  It's definitely a libtool / libltdl issue, but that's
about all I can say.

> ld: fatal: Symbol referencing errors. No output written to .libs/radiusd
> gmake[6]: *** [radiusd] Error 1
> gmake[6]: Leaving directory
> `/home/ihsan/gar/csw/mgar/pkg/freeradius/trunk/work/build-isa-sparcv8/freeradius-server-2.1.6/src/main'
> -
> 
> Configure runs fine. I've tried to build FreeRADIUS with Sun Studio 12
> and GCC 4.3.3 and both show the same error.

  Are you disabling the ltdl install?

  What configure options are you using?

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Robust proxy accounting

2009-06-15 Thread Ivan Kalik
> Alan,
>
> This is the debug output using the latest release of 2.1.7 from
> http://git.freeradius.org/pre.

Hm, for some reason failure doesn't result in retry in last pass:

...
>   Found Post-Proxy-Type
>  server home.example.com {
> +- entering group Fail {...}
> [detail.example.com] Suppressing writes to detail file as the request was
> just read from a detail file.
> ++[detail.example.com] returns noop
>  }
> server home.example.com {
> } # server home.example.com
> No response configured for request 12.  Will retry in 30 seconds
> Finished request 12.
...

That looks good but after internal proxy:

...
>   Found Post-Proxy-Type
>  server home.example.com {
> +- entering group Fail {...}
> [detail.example.com] Suppressing writes to detail file as the request was
> just read from a detail file.
> ++[detail.example.com] returns noop
>  }
> server home.example.com {
> } # server home.example.com
> Finished request 16.

Line:

> No response configured for request 16.  Will retry in 30 seconds

is missing in the debug.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
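Ivan's comparison of the two debug excerpts, turned into a check that can be run over a whole -X log, as an added example rather than anything from FreeRADIUS: it pairs each "Finished request N." that follows a Post-Proxy-Type Fail group with the "No response configured for request N. Will retry" line that should precede it, and reports the request ids that finished without one. The sample log inside is constructed from the excerpts quoted above, plus one ordinary request to show that it is not reported.

```python
"""Check a FreeRADIUS -X debug log for proxy failures that were not re-queued.

Added illustration that automates the comparison made by hand in the message
above; it is not FreeRADIUS code.  In the debug output quoted there, a request
whose home server failed should log 'No response configured for request N.
Will retry in S seconds' before 'Finished request N.'.  A request that passed
through the Post-Proxy-Type Fail group and then finished without that line
was dropped rather than retried.  The scan assumes the sequential layout of
-X output, where one request's lines are not interleaved with another's.
"""
import re

FAIL_GROUP_RE = re.compile(r"entering group Fail\b")
RETRY_RE = re.compile(r"No response configured for request (\d+)\.\s+Will retry in (\d+) seconds")
FINISHED_RE = re.compile(r"^Finished request (\d+)\.")


def audit_retries(lines):
    """Return (retried, dropped): ids of failed requests that did / did not get a retry."""
    retried, dropped = [], []
    in_fail, retry_ids = False, set()
    for line in lines:
        if FAIL_GROUP_RE.search(line):
            in_fail = True                       # this request hit Post-Proxy-Type Fail
        elif m := RETRY_RE.search(line):
            retry_ids.add(int(m.group(1)))       # a retry was scheduled for this id
        elif m := FINISHED_RE.match(line.strip()):
            rid = int(m.group(1))
            if in_fail:
                (retried if rid in retry_ids else dropped).append(rid)
            in_fail = False
            retry_ids.discard(rid)
    return retried, dropped


# Constructed sample built from the two excerpts quoted above plus one request
# that never entered the Fail group and so must not be reported.
SAMPLE_LOG = """\
  Found Post-Proxy-Type
 server home.example.com {
+- entering group Fail {...}
[detail.example.com] Suppressing writes to detail file as the request was just read from a detail file.
++[detail.example.com] returns noop
 }
server home.example.com {
} # server home.example.com
No response configured for request 12.  Will retry in 30 seconds
Finished request 12.
  Found Post-Proxy-Type
 server home.example.com {
+- entering group Fail {...}
[detail.example.com] Suppressing writes to detail file as the request was just read from a detail file.
++[detail.example.com] returns noop
 }
server home.example.com {
} # server home.example.com
Finished request 16.
Sending Accounting-Response of id 146 to 10.12.80.109 port 32769
Finished request 17.
"""

if __name__ == "__main__":
    retried, dropped = audit_retries(SAMPLE_LOG.splitlines())
    print("retried:", retried)   # [12]
    print("dropped:", dropped)   # [16]
```

Feed it `radiusd -X` output redirected to a file (`audit_retries(open(path).read().splitlines())`) to find every proxied accounting packet that was silently dropped after its home server failed, which is exactly the robustness gap this thread is about.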


build error on Solaris (undefined symbol)

2009-06-15 Thread Ihsan Dogan
Hello,

I'm trying to build FreeRADIUS on Solaris (versions 9 and 10) and I'm
getting this error:

-
rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
/opt/csw/gcc4/bin/gcc .libs/radiusdS.o -mcpu=v8 -o .libs/radiusd
.libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o
.libs/exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/mainconfig.o
.libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/stats.o
.libs/session.o .libs/threads.o .libs/util.o .libs/valuepair.o
.libs/version.o .libs/xlat.o .libs/event.o .libs/realms.o
.libs/evaluate.o .libs/vmps.o .libs/detail.o  -L/opt/csw/gcc4/lib/.
-L/opt/csw/lib
/home/ihsan/gar/csw/mgar/pkg/freeradius/trunk/work/build-isa-sparcv8/freeradius-server-2.1.6/src/lib/.libs/libfreeradius-radius.so
-lnsl -lresolv -lsocket -lposix4 -lpthread -lcrypt -lltdl -lssl -lcrypto
 -R/opt/csw/lib
Undefined   first referenced
 symbol in file
lt__PROGRAM__LTX_preloaded_symbols  .libs/modules.o
ld: fatal: Symbol referencing errors. No output written to .libs/radiusd
gmake[6]: *** [radiusd] Error 1
gmake[6]: Leaving directory
`/home/ihsan/gar/csw/mgar/pkg/freeradius/trunk/work/build-isa-sparcv8/freeradius-server-2.1.6/src/main'
-

Configure runs fine. I've tried to build FreeRADIUS with Sun Studio 12
and GCC 4.3.3 and both show the same error.





Ihsan

-- 
ih...@dogan.ch  http://blog.dogan.ch/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Robust proxy accounting

2009-06-15 Thread Chris Howley
  Tunnel-Private-Group-Id:0 = "3022"
Acct-Status-Type = Start
Calling-Station-Id = "129.11.1.138"
Called-Station-Id = "10.12.80.109"
Proxy-State = 0x313436
Proxying request 10 to home server 129.11.162.17 port 1813
Sending Accounting-Request of id 159 to 129.11.162.17 port 1813
User-Name = "isschug"
NAS-Port = 29
NAS-IP-Address = 10.12.80.109
Framed-IP-Address = 129.11.1.138
NAS-Identifier = "WM07-1"
Airespace-Wlan-Id = 1
Acct-Session-Id = "4a3629c8/00:13:02:8d:f3:1f/53"
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "3022"
Acct-Status-Type = Start
Calling-Station-Id = "129.11.1.138"
Called-Station-Id = "10.12.80.109"
Proxy-State = 0x313436
Going to the next request
Waking up in 0.3 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.3 seconds.
Cleaning up request 0 ID 129 with timestamp +6
Cleaning up request 1 ID 130 with timestamp +6
Cleaning up request 2 ID 131 with timestamp +6
Cleaning up request 3 ID 132 with timestamp +6
Cleaning up request 4 ID 133 with timestamp +6
Waking up in 0.1 seconds.
Cleaning up request 5 ID 134 with timestamp +6
Cleaning up request 6 ID 135 with timestamp +6
Waking up in 0.2 seconds.
Cleaning up request 7 ID 136 with timestamp +6
Cleaning up request 8 ID 137 with timestamp +7
Waking up in 0.1 seconds.
Cleaning up request 9 ID 138 with timestamp +7
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.7 seconds.
rad_recv: Accounting-Request packet from host 10.12.80.109 port 32769, id=146, 
length=156
Discarding duplicate request from client wism07-1 port 32769 - ID: 146 due to 
unfinished request 10
Waking up in 0.2 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.1 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.8 seconds.
rad_recv: Accounting-Request packet from host 10.12.80.109 port 32769, id=146, 
length=156
Discarding duplicate request from client wism07-1 port 32769 - ID: 146 due to 
unfinished request 10
Waking up in 0.2 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.6 seconds.
rad_recv: Accounting-Request packet from host 10.12.80.109 port 32769, id=146, 
length=156
Discarding duplicate request from client wism07-1 port 32769 - ID: 146 due to 
unfinished request 10
Rejecting request 10 due to lack of any response from home server 129.11.162.17 
port 1813
  Found Post-Proxy-Type
 server home.example.com {
+- entering group Fail {...}
[detail.example.com]expand: 
/usr/local/var/log/radius/radacct/detail.example.com/detail-%Y%m%d:%H -> 
/usr/local/var/log/radius/radacct/detail.example.com/detail-20090615:12
[detail.example.com] 
/usr/local/var/log/radius/radacct/detail.example.com/detail-%Y%m%d:%H expands 
to /usr/local/var/log/radius/radacct/detail.example.com/detail-20090615:12
[detail.example.com]expand: %t -> Mon Jun 15 12:00:24 2009
[detail.example.com] Freeradius-Proxied-To = 129.11.162.17
++[detail.example.com] returns ok
 }
Sending Accounting-Response of id 146 to 10.12.80.109 port 32769
Finished request 10.
Cleaning up request 10 ID 146 with timestamp +16
Going to the next request
PROXY: Marking home server 129.11.162.17 port 1813 as zombie (it looks like it 
is dead).
Sending Status-Server of id 121 to 129.11.162.17 port 1813
Message-Authenticator := 0x
NAS-Identifier := "Status Check. Are you alive?"
Waking up in 0.1 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
detail_recv: Renaming 
/usr/local/var/log/radius/radacct/detail.example.com/detail-20090615:12 -> 
/usr/local/var/log/radius/radacct/detail.example.com/detail.work
detail_recv: Read packet from 
/usr/local/var/log/radius/radacct/detail.example.com/detail.work
User-Name = "isschug"
NAS-Port = 29
NAS-IP-Address = 10.12.80.109
Framed-IP-Address = 129.11.1.138
NAS-Identifier = "WM07-1"
Airespace-Wlan-Id = 1
Acct-Session-Id = "4a3629c8/00:13:02:8d:f3:1f/53"
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "3022"
Acct-Status-Type = Start
Calling-Station-Id = "129.11.1.138"
Called-Station-Id = "10.12.80.109"
Acct-Unique-Session-Id = "04fa

Re: Access Challenge in freeRadius server

2009-06-15 Thread Ivan Kalik
> I am trying to authorize the ssh and telnet login users of my Redhat Linux
> machine using freeRadius server.
>
> I am able to test Access-Accept and Access-Reject with right and wrong
> credentials respectively by configuring the file '/etc/pam.d/sshd' with
> entry pam_radius_auth.so.
>
> But I do not know how to achieve and test the Access-Challenge concept.

Do you need to? ssh and telnet supplicants tend not to use protocols with
challenge-response exchange.

> I
> mean what type of input will result in Access Challenge (I know it happens
> when we provide partial login information but not sure how to achieve with
> login in real time)?

Send an EAP request (eapol_test).

Ivan Kalik
Kalik Informatika ISP



Access Challenge in freeRadius server

2009-06-15 Thread kpani

Hi,

I am new to freeRadius server. 

I am trying to authorize the ssh and telnet login users of my Redhat Linux
machine using freeRadius server.
 
I am able to test Access-Accept and Access-Reject with right and wrong
credentials respectively by configuring the file '/etc/pam.d/sshd' with
entry pam_radius_auth.so.

But I do not know how to achieve and test the Access-Challenge concept. I
mean what type of input will result in Access Challenge (I know it happens
when we provide partial login information but not sure how to achieve with
login in real time)?

Please help me with some solutions in achieving Access Challenge.

Thanks in advance. 

Regards,
Dhandapani



Re: Missing Realm when entering second authorization group

2009-06-15 Thread A . L . M . Buxey
Hi,

> The Realm indeed remained untouched in the username through out the request. 
> How can I stop this loop?

easiest way is to point that proxy.conf at a new virtual server
eg called 'local' in which you do not call prefix, suffix etc etc

then these details won't be touched and the server won't try to
proxy it again either.


copy eg 'inner-tunnel' to 'local' (I chose inner-tunnel because
it's been designed to be a virtual server) and give it a name
on the server { line, then edit the authen/author/account bits as
appropriate.

in this way, the main default file is a general file and all your
local stuff, policies, actions, logic etc only happen to 'local'
people - that have been proxied to the local virtual server by
proxy.conf

alan


Re: Missing Realm when entering second authorization group

2009-06-15 Thread Ivan Kalik
> On Mon, Jun 15, 2009 at 10:24:04AM +0100, a.l.m.bu...@lboro.ac.uk wrote:
>> are you doing local proxy (ie have an entry for math.nl in
>> proxy.conf?)
>> if so, ensure you define 'nostrip' otherwise the realm will be removed
>> and you cannot use it.
>
> Yes, we have our Realm defined in proxy.conf:
> home_server_pool mi {
> type= fail-over
> home_server = localhost
> }
> realm math.leidenuniv.nl {
> auth_pool   = mi
> #nostrip
> }
>
> I tried adding the nostrip option, but as a result radiusd ends up in an
> infinite loop proxying to itself:
>   
> Proxy-State = 0x313839
> Proxy-State = 0x323035
> Proxy-State = 0x313930
> Proxy-State = 0x323437
> Proxy-State = 0x3933
> Proxy-State = 0x323130
>   ...
>
> The Realm indeed remained untouched in the username throughout the
> request. How can I stop this loop?

Don't proxy internally. Remove that home server and leave only the realm
as local realm:

realm math.leidenuniv.nl {
}

Ivan Kalik
Kalik Informatika ISP

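The split the original poster describes (local users authenticated locally, everybody else proxied to an external server) written out the way Ivan suggests, as an added configuration example. This is not the poster's configuration and not a file from the FreeRADIUS distribution. It assumes FreeRADIUS 2.x proxy.conf syntax; the realm and users entry are the ones from the thread, while the external home server 192.0.2.1, its shared secret, the pool name `external` and the DEFAULT realm are placeholders of this example.

```conf
# proxy.conf (added example; the realm is from the thread, the external
# home server, secret and pool name are placeholders)

# Local realm: no auth_pool and no home_server. The 'suffix' instance of
# rlm_realm still matches "user@math.leidenuniv.nl" and adds
#   Stripped-User-Name = "user"
#   Realm              = "math.leidenuniv.nl"
# but marks the request as LOCAL. The request therefore goes through
# "authorize" exactly once, with Realm present when 'files' runs, and is
# never proxied back to localhost (the source of the growing Proxy-State
# list seen in the thread).
realm math.leidenuniv.nl {
}

# Everybody with some other realm goes to the external RADIUS server.
# nostrip keeps the full User-Name in the proxied request, which upstream
# servers usually expect. Requests with no '@' at all are not matched by
# DEFAULT and stay local unless a "realm NULL" is defined.
home_server external-radius {
        type   = auth
        ipaddr = 192.0.2.1                  # placeholder address
        port   = 1812
        secret = CHANGE-ME-SHARED-SECRET    # placeholder secret
}
home_server_pool external {
        type        = fail-over
        home_server = external-radius
}
realm DEFAULT {
        auth_pool = external
        nostrip
}

# users (the entry the poster already has; it now matches because Realm is
# set in the same, single authorize pass)
#
# DEFAULT Realm == "math.leidenuniv.nl", Auth-Type := PAM
#         Reply-Message = "math here",
#         Fall-Through = no
```

Alan's alternative in this thread, handing the realm to a dedicated virtual server that does not call `suffix`, also avoids the second realm lookup; the local-realm form above is the smaller change because it needs no extra `server { }` definition.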


Re: FreeRadius User Access Level

2009-06-15 Thread Ivan Kalik
> I want, when request from users to my routers (and of course routers to
> FreeRadius server), feedback from FreeRadius to router: "This user not
> connecting this router" or "OK". So, look at a user access level...
>
> Is this feature possible? How, if possible?

Sort of. You can send user access level to the router in a vendor specific
attribute (you will have to find in your equipment manual which one you are
supposed to use). There is an example for Cisco on a wiki page.

http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level

Ivan Kalik
Kalik Informatika ISP

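A per-router access policy of the kind asked about, as an added example in the users and huntgroups file syntax (not from the poster's setup or the wiki page itself). It assumes the NAS addresses 192.0.2.10 and 192.0.2.11, the local Unix groups `netadmin` and `helpdesk` checked through the `unix` module's `Group` item, the `preprocess` module loaded so that `Huntgroup-Name` is set, and that passwords are verified by something other than these entries (for instance the system password via the unix module), since `Fall-Through = no` ends the search. The attribute names are Cisco's; other vendors use their own VSA.

```conf
# huntgroups (added example): which NAS addresses count as "routers".
# Addresses are placeholders.
routers     NAS-IP-Address == 192.0.2.10
routers     NAS-IP-Address == 192.0.2.11

# users (added example). Entries are tried in order; the first match wins
# unless it sets Fall-Through = yes.

# 1. Network admins get an exec shell at privilege level 15 on the routers.
DEFAULT Huntgroup-Name == "routers", Group == "netadmin"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15",
        Fall-Through = no

# 2. Helpdesk staff get a read-only exec shell (privilege level 1).
DEFAULT Huntgroup-Name == "routers", Group == "helpdesk"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=1",
        Fall-Through = no

# 3. Everyone else is refused on the routers. Auth-Type := Reject
#    short-circuits authentication; the Reply-Message is what the NAS can
#    show to the user ("This user not connecting this router").
DEFAULT Huntgroup-Name == "routers", Auth-Type := Reject
        Reply-Message = "This user is not allowed on this router"
```

The same users file still serves other NAS types: the three entries only match when the request comes from a NAS listed in the `routers` huntgroup, so logins from other equipment fall through to whatever entries follow.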


Re: Missing Realm when entering second authorization group

2009-06-15 Thread Xiwen Cheng
On Mon, Jun 15, 2009 at 10:24:04AM +0100, a.l.m.bu...@lboro.ac.uk wrote:
> are you doing local proxy (ie have an entry for math.nl in proxy.conf?)
> if so, ensure you define 'nostrip' otherwise the realm will be removed
> and you cannot use it.

Yes, we have our Realm defined in proxy.conf:
home_server_pool mi {
type= fail-over
home_server = localhost
}
realm math.leidenuniv.nl {
auth_pool   = mi
#nostrip
}

I tried adding the nostrip option, but as a result radiusd ends up in an 
infinite loop proxying to itself:

Proxy-State = 0x313839
Proxy-State = 0x323035
Proxy-State = 0x313930
Proxy-State = 0x323437
Proxy-State = 0x3933
Proxy-State = 0x323130
...

The Realm indeed remained untouched in the username throughout the request. 
How can I stop this loop?

Cheers,
Xiwen

-- 
Xiwen Cheng
System Administrator
Mathematical Institute
Leiden University
Niels Bohrweg 1 K210
2333 CA Leiden
The Netherlands

"Enthusiasm is contagious, but hype is a disease."
E-mail: xch...@math.leidenuniv.nl
Office: (+31) 715277134
Mobile: (+31) 69991
GPG Key id: 194F572B



Re: Missing Realm when entering second authorization group

2009-06-15 Thread A . L . M . Buxey
hi,

are you doing local proxy (ie have an entry for math.nl in proxy.conf?)
if so, ensure you define 'nostrip' otherwise the realm will be removed
and you cannot use it.

alan


FreeRadius User Access Level

2009-06-15 Thread Hakan OZAY
Hi All;

I'm using FreeRadius V1.
I want, when request from users to my routers (and of course routers to
FreeRadius server), feedback from FreeRadius to router: "This user not
connecting this router" or "OK". So, look at a user access level...

Is this feature possible? How, if possible?

Sorry for my bad English, and thank you very much.

Best Regards...

Missing Realm when entering second authorization group

2009-06-15 Thread Xiwen Cheng

Version & OS:
Freeradius-2.0.5
Gentoo

It appears that during the second iteration in authorize section, the Realm has 
become NULL. We rely on checking the Realm to choose the appropriate Auth-Type 
to authenticate local users and proxy everybody else to an external network.
...
+- entering group authorize
++[preprocess] returns ok
rlm_realm: Looking up realm "math.leidenuniv.nl" for User-Name = 
"testu...@math.leidenuniv.nl"
rlm_realm: Found realm "math.leidenuniv.nl"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Adding Realm = "math.leidenuniv.nl"
rlm_realm: Proxying request from user testuser to realm math.leidenuniv.nl
rlm_realm: Preparing to proxy authentication request to realm 
"math.leidenuniv.nl"
++[suffix] returns updated
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
users: Matched entry DEFAULT at line 292
++[files] returns ok
...
+- entering group pre-proxy
...

+- entering group authorize
++[preprocess] returns ok
++[auth_log] returns ok
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
rlm_pap: WARNING! No "known good" password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user 
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
...

NOTE: ... means stripped normal behaviour/output.

From the verbose output, the first part is correct. The request is proxied to 
the correct server. But when it arrives in the authentication server it fails 
to extract the Realm from the proxied request. In "users" we have:

DEFAULT Realm == "math.leidenuniv.nl", Auth-Type := PAM
Reply-Message = "math here",
Fall-Through = no

But as the log says, which is correct, there's no Auth-Type for that Realm. If 
the Realm == "math.leidenuniv.nl" condition is removed, which results in 
Auth-Type = PAM for everybody, authentication succeeds for local users; which 
is to be expected. Our config worked perfectly in freeradius-1.1.7.

Now I wonder, why is the Realm equal to NULL? I see suffix updated the request, 
why isn't the second iteration seeing that update? 

Best regards,
Xiwen


-- 
Xiwen Cheng
System Administrator
Mathematical Institute
Leiden University
Niels Bohrweg 1 K210
2333 CA Leiden
The Netherlands

"Enthusiasm is contagious, but hype is a disease."
E-mail: xch...@math.leidenuniv.nl
Office: (+31) 715277134
Mobile: (+31) 69991
GPG Key id: 194F572B



Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-15 Thread A . L . M . Buxey
hi,

Charles, this is an unpaid community support list. you are coming
across as a very angry person with no regard that the people
on this list aren't paid to give you information which is probably
essential for you to actually do your work, get paid etc. 

if you'd actually like any help/advice in the future from the community
it's probably best that you realise we are all humans, we too suffer
from undocumented bits (and then use the WIKI or the mailing list
to disseminate such information) rather than make a big hoo-ha
out of such a piffling little issue and personally attack people.

one day you may need real help regarding a feature or option and
this time, locally to you it will be far more important (eg job on
line - a knee-jerk 'FR can't do this, we'll pay for some overrated
commercial junk and have to lose a staff member' situation). I can't
predict the future but I can say the future is always more promising
if you can look back and say you've never burnt your bridges.


alan


Re: Robust proxy accounting

2009-06-15 Thread Alan DeKok
Chris Howley wrote:
> Here's the output from FR2.1.7.

  OK.  Please grab an updated copy of the 2.1.7 tar file from
http://git.freeradius.org/pre/

  I've put some changes in which should help.

  Alan DeKok.


Re: Logging data packet count to accounting table?

2009-06-15 Thread Alan DeKok
Maximilian Grobecker wrote:
> I'm using FreeRadius for authenticating DSL users. Additional to the
> Input- and Output octets I would like to log the transferred packet
> count for the actual DSL session.

  All of this data is generated by the NAS.  If the NAS doesn't send the
data in an Accounting-Request packet, it is impossible to get the data.

> I need this information to generate statistics - and in the past I got this
> information from another (not local) Radius server, so I think, it
> should be not impossible.

  Then the NAS is sending the data.

> I didn't find any variables where this info is available - is there any
> possibility to get this information?

  Why ask us?  Look in the packets sent by the NAS.  If the data is
there, then you're fine.  If it isn't there, then (maybe) fix the NAS so
that the data is sent by it.

  Alan DeKok.


Re: Logging data packet count to accounting table?

2009-06-15 Thread Ivan Kalik
> I'm using FreeRadius for authenticating DSL users. Additional to the
> Input- and Output octets I would like to log the transferred packet
> count for the actual DSL session.
> I need this information to generate statistics - and in the past I got this
> information from another (not local) Radius server, so I think, it
> should be not impossible.
>
> I didn't find any variables where this info is available - is there any
> possibility to get this information?

http://freeradius.org/rfc/rfc2866.html#Acct-Input-Packets
(and output packets below it)

If your NAS can send those you can extend radacct table to have those
columns and alter accounting queries in dialup.conf to store them.

Ivan Kalik
Kalik Informatika ISP

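The change Ivan describes (two extra radacct columns plus the matching accounting queries), as an added example modelled on the stock FreeRADIUS 2.x MySQL dialup.conf; it is not the poster's configuration. The column names `acctinputpackets` and `acctoutputpackets` are this example's choice, and the `ALTER TABLE` in the comment is MySQL syntax. As Alan DeKok points out above, the server can only store what the NAS sends, so the first step is confirming with `radiusd -X` that the Accounting-Request packets actually contain Acct-Input-Packets and Acct-Output-Packets.

```conf
# sql/mysql/dialup.conf fragment (added example, modelled on the stock 2.x
# MySQL queries). It assumes two new columns in radacct:
#
#   ALTER TABLE radacct
#       ADD COLUMN acctinputpackets  INT UNSIGNED DEFAULT NULL,
#       ADD COLUMN acctoutputpackets INT UNSIGNED DEFAULT NULL;
#
# RFC 2866 defines Acct-Input-Packets and Acct-Output-Packets as 32-bit
# counters, hence INT UNSIGNED (there is no Gigawords attribute for packets,
# unlike octets). The %{%{attr}:-0} form stores 0 when the NAS omits the
# attribute instead of producing an empty string.

accounting_update_query = " \
          UPDATE ${acct_table1} \
          SET \
             framedipaddress   = '%{Framed-IP-Address}', \
             acctsessiontime   = '%{Acct-Session-Time}', \
             acctinputoctets   = '%{%{Acct-Input-Gigawords}:-0}' \
                                 << 32 | '%{%{Acct-Input-Octets}:-0}', \
             acctoutputoctets  = '%{%{Acct-Output-Gigawords}:-0}' \
                                 << 32 | '%{%{Acct-Output-Octets}:-0}', \
             acctinputpackets  = '%{%{Acct-Input-Packets}:-0}', \
             acctoutputpackets = '%{%{Acct-Output-Packets}:-0}' \
          WHERE acctsessionid  = '%{Acct-Session-Id}' \
          AND username         = '%{SQL-User-Name}' \
          AND nasipaddress     = '%{NAS-IP-Address}'"

accounting_stop_query = " \
          UPDATE ${acct_table2} SET \
             acctstoptime       = '%S', \
             acctsessiontime    = '%{Acct-Session-Time}', \
             acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' \
                                  << 32 | '%{%{Acct-Input-Octets}:-0}', \
             acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' \
                                  << 32 | '%{%{Acct-Output-Octets}:-0}', \
             acctinputpackets   = '%{%{Acct-Input-Packets}:-0}', \
             acctoutputpackets  = '%{%{Acct-Output-Packets}:-0}', \
             acctterminatecause = '%{Acct-Terminate-Cause}', \
             acctstopdelay      = '%{%{Acct-Delay-Time}:-0}', \
             connectinfo_stop   = '%{Connect-Info}' \
          WHERE acctsessionid   = '%{Acct-Session-Id}' \
          AND username          = '%{SQL-User-Name}' \
          AND nasipaddress      = '%{NAS-IP-Address}'"
```

Only the Interim-Update and Stop queries need the new columns, since a Start record carries no traffic counters yet; the Start query's INSERT column list can stay as shipped.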


Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-15 Thread A . L . M . Buxey
Hi,

one of the main issues is using a distro version of the code.
what they do to the files provided in the TARBALL is up to them.

I would advise doing something like

locate scripts | grep -i radius

...they might have been dumped into somewhere like /usr/share/doc/radiusd
or somesuch.

you can get v2.x for CentOS - read the WIKI - there's a repository for
it too so it will get updated with new versions.


as for 'marking you down as yet another stubborn user' - well I thought
by singularly attacking the project leader/manager you were wanting to
be thought of like that ;-)

seriously though, most (if not all) support will be for 2.x now - as that's
what most of us run - due to wanting the features, stability and speed
(yes, lots of speed!) of the new version. we all used to run 1.x and deal with
common/similar issues... we now run 2.x and do the same. our issues
and fixes in 2.x won't work for 1.x as the whole construct and layout is
vastly different in places. with EAP, 2.x is almost a must (unless
you want your DB etc hit far too many times). unlang has allowed us to remove
dozens of random bits in users/groups/rewrite lines.

alan 


Logging data packet count to accounting table?

2009-06-15 Thread Maximilian Grobecker
Hello,

I'm using FreeRadius for authenticating DSL users. Additional to the
Input- and Output octets I would like to log the transferred packet
count for the actual DSL session.
I need this information to generate statistics - and in the past I got this
information from another (not local) Radius server, so I think, it
should be not impossible.

I didn't find any variables where this info is available - is there any
possibility to get this information?



Thank you!

Max  (Wuppertal, Germany)


Re: Failed to parse authenticate section

2009-06-15 Thread Alan DeKok
Nakul Deshpande wrote:
> radiusd.conf[636] Failed to link to module 'rlm_unix': rlm_unix.a:
> cannot open shared object file: No such file or directory
> radiusd.conf[1971] Unknown module "unix".
> radiusd.conf[1931] Failed to parse authenticate section.

  The module hasn't been built.  Likely because the various headers it
needs don't exist on the system.

> I have tried searching the previous posts and read the outputs of the
> commands: ./configure, make and make install. I have not been able to
> debug this so far. Can  somebody please help me out with this?

  If you don't need the "unix" module, just delete all references to it
from the configuration files.

  Alan DeKok.


Re: Using Dictionary in With Freeradius

2009-06-15 Thread A . L . M . Buxey
hi,

you need to change the User-Password desc in SQL to Cleartext-Password
and ensure the 'op' is :=

you added a dictionary that was incorrectly written - check the
other present dictionaries and ensure yours is the same format

alan