Acct Output and Input Gigawords

2009-06-22 Thread Eric
Hi,
RFC2869 says that Input and Output gigaword should be sent from NAS to radius
server.
Now new versions of freeradius support gigaword. Should NAS support
gigaword?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Any free Java APIs to access freeRadius server?

2009-06-22 Thread Ivan Kalik
> 1) With EAPMSCHAPv2Authenticator as authenticator, as you said the server
> logs are fine with Challenge. But radius client receives only the final
> access-accept response.

No, it received all the Challenges too.

> But I want each request in access-challenge should
> be sent to client and the client will handle it.

There is nothing for client to "handle" there - it just passes it on to
the supplicant. Supplicant has additional data.

> For instance, I want to
> authenticate user with multiple passwords. How can I achieve this?
>
> 2) Is this(using EAPMSCHAPv2Authenticator) the only way to trigger
> Access-Challenge? Or any other way? Please suggest me.

This is freeradius users list. It looks like you are trying to develop a
custom authentication protocol. You probably want the developers list.

Ivan Kalik
Kalik Informatika ISP



Re: 1.x to 2.x Upgrade Howto available?

2009-06-22 Thread Doug Hardie


On 22 June 2009, at 10:41, John Kane wrote:

> Is there a 'howto' on upgrade from Freeradius 1.x to 2.x, one that lists
> what configs were moved where, etc. that would allow a person to do the
> upgrade as smoothly and quickly as possible (I can't seem to find one).


One place that really helped me with that is raddb/sites-available/README.


1.x to 2.x Upgrade Howto available?

2009-06-22 Thread John Kane
Is there a 'howto' on upgrade from Freeradius 1.x to 2.x, one that lists
what configs were moved where, etc. that would allow a person to do the
upgrade as smoothly and quickly as possible (I can't seem to find one).
  
Or better yet, are there any perl or python scripts available that
automate the config conversions (or am I just dreaming :) )?

Thanks,
John





Re: Re : Radius+Huwaei switch + auto VLan Assignment issue

2009-06-22 Thread A . L . M . Buxey
Hi,

>   Unfortunately, the switch still not switching the port from VLAN 1 to VLAN 2.
> Maybe there is other misconfigurations on our switch or another settings in radius
> configurations ?

it looks like there's another config you need to set on the switch port
to ensure the AAA server values are taken... check our documentation
for things like vlan-assignment-mode  (your switch probably uses
the VLAN name to tag things rather than its ID number!)

alan


Re : Radius+Huwaei switch + auto VLan Assignment issue

2009-06-22 Thread Attou eric
Thanks very much for your answers. In our eap section, we had the following :

 copy_request_to_tunnel = no
 use_tunneled_reply = no

Since we change these to :

    copy_request_to_tunnel = yes
    use_tunneled_reply = yes

The Access-Accept message sends VLAN attributes as below :

Sending Access-Accept of id 43 to 192.168.100.5 port 5001
    Framed-Protocol = PPP
    Framed-Compression = Van-Jacobson-TCP-IP
    Tunnel-Private-Group-Id:0 = "2"
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Type:0 = VLAN
    User-Name = "toto"
    MS-MPPE-Recv-Key = 0x69f0f1c436ccbe11df23099070ca2c3ceb6116c3246344a8d2c78c96a68fa146
    MS-MPPE-Send-Key = 0x6aad292ef955ae61e910e51a9ae7d2b903f5e123c48dc4cc0e12f713490d2aa3
    EAP-Message = 0x030b0004
    Message-Authenticator = 0x
Mon Jun 22 16:08:39 2009 : Debug: Finished request 10.
Mon Jun 22 16:08:39 2009 : Debug: Going to the next request
Mon Jun 22 16:08:39 2009 : Debug: Waking up in 4.0 seconds.

  Unfortunately, the switch still not switching the port from VLAN 1 to VLAN 2.
Maybe there is other misconfigurations on our switch or another settings in radius
configurations ?

Any ideas to help please! 

Best regards.


    





From: "a.l.m.bu...@lboro.ac.uk"
To: FreeRadius users mailing list
Sent: Monday, 22 June 2009, 11:29:47
Subject: Re: Radius+Huwaei switch + auto VLan Assignment issue

hi,

have you set the copy tunnel = yes for the PEAP section in eap.conf?

alan

RE: Re[4]: rlm_python - Unresponsive child

2009-06-22 Thread Meyers, Dan
>  As I told - all working file in freeradius debug mode (with -X), I
>  have problems with productional threads pool mode.

I see the same issue with rlm_perl and my perl code. Works fine in
radiusd -X, or if perl is compiled to not use threads, but as soon as I
compile perl for threading and start trying to use CLONE I get all sorts
of issues with unresponsive children. When I used radclient to hammer
the hell out of my server the messages appeared for 10-15 seconds or so,
then went away. I theorised that radius was trying to hand off work to
radius/perl threads that hadn't been fully instantiated yet.

On the current live system (using an older version of FreeRadius - 2.0.3
- until we have another stable development version to move to) it
sometimes shows up and just never goes away until radiusd is restarted.
I never managed to nail down what the issue was. I did wonder if DBI or
DBD::Mysql was doing something funky in a threaded environment and
hanging on database access. You may be having similar issues?

Dan



Re: Any free Java APIs to access freeRadius server?

2009-06-22 Thread kpani

Thanks Ivan.
Sorry for extending again. I am not clear with first part.

1) With EAPMSCHAPv2Authenticator as authenticator, as you said the server
logs are fine with Challenge. But radius client receives only the final
access-accept response. But I want each request in access-challenge should
be sent to client and the client will handle it. For instance, I want to
authenticate user with multiple passwords. How can I achieve this?

2) Is this(using EAPMSCHAPv2Authenticator) the only way to trigger
Access-Challenge? Or any other way? Please suggest me.

Regards,
Dhandapani


Ivan Kalik wrote:
> 
>> Access Challenge:
>> I am able to generate Access Request/Reject/Accept with the APIs. Still I
>> am
>> not sure on how to make radius server to trigger Access Challenge
>> requests
>> and get the Access Challenge reply in radius client code. So that I can
>> prompt for next response. Please guide me.
>>
>> Please note blindly I tried to set pass EAPMSCHAPv2Authenticator instance
>> as
>> like below and could see some Access Challenge triggers in server logs
>> (Attached). However I could not
>> http://www.nabble.com/file/p24147803/radius_server_logs.txt
>> radius_server_logs.txt  see the next request in client & received only
>> final
>> Access Accept. I expect the client to prompt for each request.
>> //RadiusPacket reply = radiusClient.authenticate(request, new
>> EAPMSCHAPv2Authenticator(), 1);
> 
> There is no problem with Access-Challenge in that log. Authentication
> completed fine. Accounting packets were rubbish.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 


Re: NAS-IP-Address modified during Access-Request process

2009-06-22 Thread kevin leblanc
Hi,

I installed freeradius 2 but my problem is still there.
To remember it :

I configured Freeradius to look in openldap directory to authenticate and
authorize an user.
The authentication phase is OK
During the authorize phase, a ldap search is done : if the user is member of
a group identified by the host ip he wants to connect, the user is
authorized.
The problem is here : freeradius receives an Access-Request packet with a
NAS-IP-Address (the good one) and to search in the ldap, it doesn't send the
ip received in the packet but another one !

Why this attribute is modified ?
Is there any cache (the other ip comes from another equipment) ?

To be precise :
I think there is some cache enabled anywhere (the ip used for ldap filter is
always the one of the first request), is there any way to disable it ?

Before testing, I created the group for IP1 and I added the test user to it.
Test 1:

   - I ran radiusd -X
   - I try to connect with IP 1. => OK
   - I try to connect with IP 2 => OK (not right result because to check the
   membership it's the first IP which is used)


Then, I kill radiusd.
test 2 :

   - I ran radiusd -X
   - I try to connect with IP2 => KO (expected because the group for IP 2
   doesn't exist)
   - I try to connect with IP1 => KO (not expected because the group for IP1
   exists)


To help, the logs :
--
rad_recv: Access-Request packet from host 126.50.0.148 port 1645, id=34,
length=80
NAS-IP-Address = 126.50.0.148
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "testuser"
Calling-Station-Id = "126.100.100.6"
User-Password = "X"
+- entering group authorize {...}
++[preprocess] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files] expand: dc=example,dc=com -> dc=example,dc=com
[files] expand: (uid=%{User-Name}) -> (uid=testuser)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: bind as ou=radius,ou=applications,dc=example,dc=com/X to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand:
(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:LDAP-UserDn})) ->
(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter
(&(cn=126.50.0.147)(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom)))
rlm_ldap::ldap_groupcmp: User found in group 126.50.0.147
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
[ldap] performing user authorization for testuser
[ldap]  expand: (uid=%{User-Name}) -> (uid=testuser)
[ldap]  expand: dc=example,dc=com -> dc=example,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "testuser" with password "azerty12"
[ldap] user DN: uid=testuser,uid=test01,ou=users,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: starting TLS
rlm_ldap: bind as
uid=testuser,uid=test01,ou=users,dc=example,dc=com/azerty12 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user testuser authenticated succesfully
++[ldap] returns ok
Login OK: [testuser] (from client petitnom port 1 cli 126.100.100.6)
Sending Access-Accept of id 34 to 126.50.0.148 port 1645
Nokia-IPSO-User-Role = "adminRole"
Nokia-IPSO-SuperUser-Access = 1
Service-Type = Login-User
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 34 with timestamp +52
Ready to process requests.

--

-- 
KeV
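
Added example (not part of the original post, and not FreeRADIUS code): a checker for the symptom described above, run over `radiusd -X` output, that reports every Access-Request whose LDAP group filter used a `cn` different from the packet's NAS-IP-Address. The sample log is constructed: request id=34 is condensed from the lines quoted in the post, request id=33 is made up, and all function names are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample. Request id=34 is condensed from the debug output quoted
# in the post; request id=33 is made up to show a request that passes the check.
SAMPLE_LOG = r"""rad_recv: Access-Request packet from host 126.50.0.147 port 1645, id=33,
length=80
NAS-IP-Address = 126.50.0.147
User-Name = "testuser"
rlm_ldap: performing search in dc=example,dc=com, with filter
(&(cn=126.50.0.147)(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom)))
rlm_ldap::ldap_groupcmp: User found in group 126.50.0.147
Sending Access-Accept of id 33 to 126.50.0.147 port 1645
Finished request 0.
rad_recv: Access-Request packet from host 126.50.0.148 port 1645, id=34,
length=80
NAS-IP-Address = 126.50.0.148
User-Name = "testuser"
rlm_ldap: performing search in dc=example,dc=com, with filter
(&(cn=126.50.0.147)(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom)))
rlm_ldap::ldap_groupcmp: User found in group 126.50.0.147
Sending Access-Accept of id 34 to 126.50.0.148 port 1645
Finished request 1.
"""

# Patterns for the debug lines shown in the post. Mail clients wrap long
# lines, so nothing here assumes a record fits on one line.
REQ_HDR = re.compile(
    r"^rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)", re.M)
NAS_IP = re.compile(r"^\s*NAS-IP-Address = (\S+)", re.M)
GROUP_CN = re.compile(r"\(cn=([0-9.]+)\)")
MATCHED = re.compile(r"ldap_groupcmp: User found in group (\S+)")
REPLY = re.compile(r"^Sending (Access-\w+) of id", re.M)


@dataclass
class Finding:
    request_id: int      # RADIUS packet id from the rad_recv line
    nas_ip: str          # NAS-IP-Address carried in the request
    group_checked: str   # cn the LDAP group filter actually used
    group_matched: bool  # True if rlm_ldap reported the user in that group
    reply: str           # Access-Accept / Access-Reject / "none"


def split_requests(log):
    """Return (request id, text) for each Access-Request block in the log."""
    hits = list(REQ_HDR.finditer(log))
    ends = [h.start() for h in hits[1:]] + [len(log)]
    return [(int(h.group(1)), log[h.start():end]) for h, end in zip(hits, ends)]


def _ip(text):
    """Parse an IP address, returning None for anything else."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def audit(log):
    """Flag requests authorized against a group for a different NAS IP."""
    findings = []
    for request_id, block in split_requests(log):
        nas = NAS_IP.search(block)
        nas_ip = _ip(nas.group(1)) if nas else None
        if nas_ip is None:
            continue  # request carried no usable NAS-IP-Address
        reply = REPLY.search(block)
        matched = {m.group(1) for m in MATCHED.finditer(block)}
        # dict.fromkeys keeps first-seen order while dropping repeats
        for cn in dict.fromkeys(GROUP_CN.findall(block)):
            group_ip = _ip(cn)
            if group_ip is None or group_ip == nas_ip:
                continue
            findings.append(Finding(
                request_id=request_id,
                nas_ip=str(nas_ip),
                group_checked=cn,
                group_matched=cn in matched,
                reply=reply.group(1) if reply else "none",
            ))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"id={f.request_id}: NAS {f.nas_ip} checked against group "
              f"{f.group_checked} (matched={f.group_matched}) -> {f.reply}")
```

A finding with `group_matched=True` and an `Access-Accept` reply is the case from Test 1: the request was authorized through the group of a different device.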

Re: Any free Java APIs to access freeRadius server?

2009-06-22 Thread Ivan Kalik
> Access Challenge:
> I am able to generate Access Request/Reject/Accept with the APIs. Still I
> am
> not sure on how to make radius server to trigger Access Challenge requests
> and get the Access Challenge reply in radius client code. So that I can
> prompt for next response. Please guide me.
>
> Please note blindly I tried to set pass EAPMSCHAPv2Authenticator instance
> as
> like below and could see some Access Challenge triggers in server logs
> (Attached). However I could not
> http://www.nabble.com/file/p24147803/radius_server_logs.txt
> radius_server_logs.txt  see the next request in client & received only
> final
> Access Accept. I expect the client to prompt for each request.
> //RadiusPacket reply = radiusClient.authenticate(request, new
> EAPMSCHAPv2Authenticator(), 1);

There is no problem with Access-Challenge in that log. Authentication
completed fine. Accounting packets were rubbish.

Ivan Kalik
Kalik Informatika ISP



Re: Any free Java APIs to access freeRadius server?

2009-06-22 Thread kpani

Hi Ivan,

Thanks I am able setup standalone JRadius to access radius server and able
to send/receive access requests. I need one more clarification here :)

Access Challenge:
I am able to generate Access Request/Reject/Accept with the APIs. Still I am
not sure on how to make radius server to trigger Access Challenge requests
and get the Access Challenge reply in radius client code. So that I can
prompt for next response. Please guide me.

Please note blindly I tried to set pass EAPMSCHAPv2Authenticator instance as
like below and could see some Access Challenge triggers in server logs
(Attached). However I could not
http://www.nabble.com/file/p24147803/radius_server_logs.txt
radius_server_logs.txt  see the next request in client & received only final
Access Accept. I expect the client to prompt for each request.
//RadiusPacket reply = radiusClient.authenticate(request, new
EAPMSCHAPv2Authenticator(), 1);

Regards,
Dhandapani


Ivan Kalik wrote:
> 
>> I am using freeRadius server for authentication. I am able to
>> authenticate
>> for ssh login.
>>
>> I want to authenticate my java application using radius server. Is there
>> any
>> java libraries/APIs available to access and authenticate directly. Please
>> advise me.
> 
> jRadius.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 


RE: rlm_raw not included in compile

2009-06-22 Thread Eric Geier
Thank you, Johan. I'll give it a try.

> -Original Message-
> From: freeradius-users-bounces+me=egeier@lists.freeradius.org
> [mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On
> Behalf Of Johan Meiring
> Sent: Monday, June 22, 2009 9:26 AM
> To: FreeRadius users mailing list
> Subject: Re: rlm_raw not included in compile
> 
> Eric Geier wrote:
> > Johan,
> >
> > I'm a Linux/freeradius newbie, and I don't understand what you meant
> by "had
> > to run autogen.sh first".
> >
> 
> I had to do the following:
> 
> 1) dump rlm_raw in src/modules
> 2) run "touch src/modules/rlm_raw/configure" from the freeradius source
> root directory.
> 3) run "./autoconf.sh" from the freeradius source root directory.
> 4) I use debian so I edited debian/rules
> looked for the "configure" line, and added:
> --with-modules=rlm_raw \
> --with-experimental-modules \
> If you do a manual compile, add this to your configure line.
> If you use something else, ask them how to add it to configure.
> 
> 
> > I'm actually using 1.1.7.so I don't think I need to make the two
> changes you
> > mentioned.
> >
> > Also, what did you mean by "touch src/modules/rlm_raw/configure" and
> "added
> > rlm_raw to debian configure by editing debian/rules" in a previous
> post?
> >
> > Thanks!
> > Eric
> >
> >> -Original Message-
> >> From: freeradius-users-bounces+me=egeier@lists.freeradius.org
> >> [mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org]
> On
> >> Behalf Of Johan Meiring
> >> Sent: Friday, May 29, 2009 12:16 PM
> >> To: FreeRadius users mailing list
> >> Subject: Re: rlm_raw not included in compile
> >>
> >> Alan DeKok wrote:
> >>>> Does anyone have a clue how to add rlm_raw to the current git tar
> >>>> file?
> >>> $ tar -zxf freeradius-server-2.1.7.tar.gz
> >>> << add rlm_raw >>
> >>> $ tar -zcf freeradius-server-2.1.7.tar.gz freeradius-server-2.1.7
> >>>
> >> It wasn't that simple because rlm_raw did not contain a configure
> >> script.
> >>
> >> You had to run autogen.sh first.
> >>
> >>
> >>>> PS: the rlm_raw I'm using comes from
> >>>> http://lists.cistron.nl/pipermail/freeradius-devel/2005-January/007873.html
> >>>   That was before version 2.0 was released.  You'll likely have to
> >>> update the module to use the new API's && header files in 2.0.
> >>>
> >> Using my "copy and paste" method of c coding (I know VERY little
> about
> >> c) I managed to copy the code from the old rlm_raw into rlm_example.
> >>
> >> I needed to make two changes to get it to compile.
> >>
> >> 1) replace strNcpy with strncpy
> >> 2) replace radlib_safeprint with fr_print_string
> >>
> >> It compiled and IT WORKS!!!
> >>
> >>>   Alan DeKok.
> >>
> 
> 
> --
> 
> 
> Johan Meiring
> Cape PC Services CC
> Tel: (021) 883-8271
> Fax: (021) 886-7782
> 


Re: FreeRADIUS as a general authentication system

2009-06-22 Thread John Dennis

On 06/22/2009 05:14 AM, Lloyd wrote:


> Hi FreeRADIUS list,
>
> In our "system" there is a need for an authentication server. The
> required characteristics of the server are
>
> *) The authentication client will be a custom built one. It may be
> running on *NIX,Windows and Mac. Is it possible to write a client using
> the FreeRADIUS client library? (The client will have much more other
> functionalities, not related to authentication)
>
> *) Is it possible to extend the server? As an example, in our case,
> each time a client wants to communicate with other clients, it will
> request a "session key" to the server, and the server will send the key
> to all clients which take part in the communication. (The aim of this is
> to encrypt the communication session with the new session key generated,
> so that only the clients who know the session key can decrypt the
> message) So, is it possible to introduce a key generation system as well
> as a "request interpretation" system to the FreeRADIUS server?


What you are describing in essence is Kerberos and in particular clients 
which use GSSAPI. Although FreeRADIUS can utilize Kerberos by requesting 
a TGT on behalf of an authenticating client the TGT credentials are not 
passed back to the client which is necessary to establish a session key 
and secure subsequent cooperating channels.


My general recommendation is that a KDC server is better suited to your 
needs than a radius server. Kerberos is a mature authentication system 
(it's the heart of Microsoft's AD and many other systems) and you will 
find a great deal of support for it. Another reason to use kerberos for 
the scenario you're describing is that it's hard to design a secure 
protocol, if you attempt to design a new system by extending radius 
you'll expend a lot of work and will likely come up with a result which 
has security defects. There are many examples of "I can design my own 
authentication system" which are subsequently shown to have holes in 
them like swiss cheese :-)


If you do decide to go the Kerberos route you may be interested in the 
FreeIPA project (http://freeipa.org). IPA gives you a complete Kerberos 
solution, web UI, command line utilities, backed by a commercial grade 
LDAP server (IPA is 100% open source). In addition the project has also 
just released SSSD which allows for secure offline caching of 
credentials and related identity information so there is no interruption 
if network connectivity is lost. I work on the IPA development team so 
if you have additional questions feel free to contact me off-list.




> *) Or is there a better way implemented in FreeRADIUS to accomplish the
> above requirements?
>
> Thanks in advance,
> Lloyd

--
John Dennis 



Re: freeradius on 64 bits

2009-06-22 Thread Fajar A. Nugraha
On Mon, Jun 22, 2009 at 8:21 PM, John Dennis wrote:
> Nor would the
> backend database, the database tables for radius just aren't that large.

radacct CAN be quite large and busy. Especially when you have tens of
thousands of concurrent online users, turn on 15-minute interim
updates, and let your users view real-time acct usage. In this case
having large amount of memory is quite handy for innodb buffer pool.

-- 
Fajar


Re: i can't stop freeradius

2009-06-22 Thread Kenneth Grady
try killing the 5193 process instead of the non-existing one 18189

Ayşe GİR wrote:
>
> r...@blacky:/etc/init.d# ./freeradius stop
>  * Stopping FreeRADIUS daemon
> freeradiusstart-stop-daemon:
> warning: failed to kill 18189: No such process
> 
> [ OK ]
> r...@blacky:/# /etc/init.d/freeradius stop
>  * Stopping FreeRADIUS daemon
> freeradiusstart-stop-daemon:
> warning: failed to kill 18189: No such process
> 
> [ OK ]
>
> i think i install daemon tool ?
>
>
> 2009/6/22 vol...@ufamts.ru   >
>
> Ayşe GİR wrote:
>> (i love freeradius but i don't lovefreeradius on ubuntu ...)
>> i install freeradius on ubuntu 9.4 but i can't stop freeradius...
>> what can i do ?
>> my console out
>>
>> r...@blacky:/etc/init.d #
>> freeradius stop
>> r...@blacky:/etc/init.d # ps -aux
>> | grep freeradius
>> Warning: bad ps syntax, perhaps a bogus '-'? See
>> http://procps.sf.net/faq.html
>> root  5193  0.0  0.0 106828  2556 ?Ssl  Jun19   0:00
>> freeradius
>> root 16823  0.0  0.0   7524   892 pts/2R+   14:13   0:00
>> grep freeradius
>> r...@blacky:/etc/init.d #
>>  
>>  ( i use freeradius on centos everything is ok but on ubuntu
>> everything is bad. :( )
>> i'm sorry for my bad english :)
>> thank you for everything
> try adding "./" before freeradius
>> r...@blacky:/etc/init.d #
>> ./freeradius stop
> or writing full path to script:
>
>> r...@blacky:~ #
>> /etc/init.d/freeradius stop
> And check logs.
>
> Best regards,
> Denis Volkov
> 
>
>


Re: i can't stop freeradius

2009-06-22 Thread Ayşe GİR
r...@blacky:/etc/init.d# ./freeradius stop
 * Stopping FreeRADIUS daemon
freeradiusstart-stop-daemon:
warning: failed to kill 18189: No such process
 [ OK ]
r...@blacky:/# /etc/init.d/freeradius stop
 * Stopping FreeRADIUS daemon
freeradiusstart-stop-daemon:
warning: failed to kill 18189: No such process
 [ OK ]

i think i install daemon tool ?


2009/6/22 vol...@ufamts.ru 

>  Ayşe GİR wrote:
>
> (i love freeradius but i don't lovefreeradius on ubuntu ...)
> i install freeradius on ubuntu 9.4 but i can't stop freeradius...
> what can i do ?
> my console out
>
> r...@blacky:/etc/init.d# freeradius stop
> r...@blacky:/etc/init.d# ps -aux | grep freeradius
> Warning: bad ps syntax, perhaps a bogus '-'? See
> http://procps.sf.net/faq.html
> root  5193  0.0  0.0 106828  2556 ?Ssl  Jun19   0:00 freeradius
> root 16823  0.0  0.0   7524   892 pts/2R+   14:13   0:00 grep
> freeradius
> r...@blacky:/etc/init.d#
>
>  ( i use freeradius on centos everything is ok but on ubuntu everything is
> bad. :( )
> i'm sorry for my bad english :)
> thank you for everything
>
> try adding "./" before freeradius
>
> r...@blacky:/etc/init.d# ./freeradius stop
>
> or writing full path to script:
>
> r...@blacky:~ # /etc/init.d/freeradius stop
>
> And check logs.
>
> Best regards,
> Denis Volkov
>
>

Re: rlm_raw not included in compile

2009-06-22 Thread Johan Meiring

Eric Geier wrote:
> Johan,
>
> I'm a Linux/freeradius newbie, and I don't understand what you meant by "had
> to run autogen.sh first".

I had to do the following:

1) dump rlm_raw in src/modules
2) run "touch src/modules/rlm_raw/configure" from the freeradius source
   root directory.
3) run "./autoconf.sh" from the freeradius source root directory.
4) I use debian so I edited debian/rules
   looked for the "configure" line, and added:
   --with-modules=rlm_raw \
   --with-experimental-modules \
   If you do a manual compile, add this to your configure line.
   If you use something else, ask them how to add it to configure.

> I'm actually using 1.1.7 so I don't think I need to make the two changes you
> mentioned.
>
> Also, what did you mean by "touch src/modules/rlm_raw/configure" and "added
> rlm_raw to debian configure by editing debian/rules" in a previous post?
>
> Thanks!
> Eric
>
>> -Original Message-
>> From: freeradius-users-bounces+me=egeier@lists.freeradius.org
>> [mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On
>> Behalf Of Johan Meiring
>> Sent: Friday, May 29, 2009 12:16 PM
>> To: FreeRadius users mailing list
>> Subject: Re: rlm_raw not included in compile
>>
>> Alan DeKok wrote:
>>>> Does anyone have a clue how to add rlm_raw to the current git tar
>>>> file?
>>> $ tar -zxf freeradius-server-2.1.7.tar.gz
>>> << add rlm_raw >>
>>> $ tar -zcf freeradius-server-2.1.7.tar.gz freeradius-server-2.1.7
>>
>> It wasn't that simple because rlm_raw did not contain a configure
>> script.
>>
>> You had to run autogen.sh first.
>>
>>>> PS: the rlm_raw I'm using comes from
>>>> http://lists.cistron.nl/pipermail/freeradius-devel/2005-January/007873.html
>>>   That was before version 2.0 was released.  You'll likely have to
>>> update the module to use the new API's && header files in 2.0.
>>
>> Using my "copy and paste" method of c coding (I know VERY little about
>> c) I managed to copy the code from the old rlm_raw into rlm_example.
>>
>> I needed to make two changes to get it to compile.
>>
>> 1) replace strNcpy with strncpy
>> 2) replace radlib_safeprint with fr_print_string
>>
>> It compiled and IT WORKS!!!
>>
>>>   Alan DeKok.



--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: freeradius on 64 bits

2009-06-22 Thread John Dennis

On 06/21/2009 06:39 PM, Sajeewa Warnakulasuriya wrote:

> Alan,
>
> Is there any advantage going with a 64bits system?


Others may have differing opinions or insights into issues I'm not aware 
of, but in the case of a radius server I don't believe a 64-bit system 
buys you all that much. The larger address space and expanded integer 
range is an advantage in some scenarios such as databases, clusters, 
etc. But the radius protocol and internal server operation doesn't 
really benefit from the wider integer and pointer addressing to the best 
of my knowledge. Nor would the backend database, the database tables for 
radius just aren't that large. One can't forget there is a performance 
penality for moving from 32-bits to 64-bits. Each situation is unique 
and it's dangerous to draw general conclusions but a rule of thumb 
around here is that compiled code (as opposed to interpreted code [1]) 
will consume an extra 1/3 of memory on average (that's run time locals 
and heap usage, plus extra for the larger code size). So you're paying a 
price to move larger amounts of data around and if you're not benefiting 
from the larger data then all you're doing is dropping your performance.


[1] The reason for the distinction between compiled code and interpreted 
code is that many interpreters always allocate the maximum size data 
element whereas a compiler won't automatically use the maximum size data 
element, it's smarter.


--
John Dennis 



Re: Please help me (Ivan Kalik)

2009-06-22 Thread josgeorge thaikudathil
 Hi ,

 Thank you very much  for the response  but still i am getting
same error can you please suggest accordingly  .I had done 3 different tries
in my user file those tries and output is given below

Also  i more think i remember while my installation db.ippool file and
db.index file where not formed then i had to created those files in
respective directory and i had given appropriate permission for that

whether it will create any problem ? Also while using command
rlm_ippool_tool -a ip-pool.db ip-index.db i am getting output as 0 whether is it any
problem ?...

DEFAULT Pool-Name := main_pool
        Fall-Through = Yes

steve   Auth-Type := Local, User-Password == "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "steve", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 81
users: Matched steve at 84
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_ippool: Could not find nas port information. Return NOOP.
  modcall[post-auth]: module "main_pool" returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 2 to 10.143.71.15:3734
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 2 with timestamp 4a3f7d84
Nothing to do.  Sleeping until we see a request.
--
steve   Auth-Type := Local, User-Password == "testing"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 172.16.3.33,
Framed-IP-Netmask = 255.255.255.0,
Framed-Routing = Broadcast-Listen,
Framed-Filter-Id = "std.ppp",
Framed-MTU = 1500,
Framed-Compression = Van-Jacobsen-TCP-IP,

Fall-Through = Yes
DEFAULT Pool-Name := main_pool

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "steve", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched steve at 82
users: Matched DEFAULT at 94
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_ippool: Could not find nas port information. Return NOOP.
  modcall[post-auth]: module "main_pool" returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 3 to 10.143.71.15:3740
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 3 with timestamp 4a3f7e1c
Nothing to do.  Sleeping until we see a request.

Re: i can't stop freeradius

2009-06-22 Thread vol...@ufamts.ru

Ayşe GİR wrote:

> (i love freeradius but i don't love freeradius on ubuntu ...)
> i install freeradius on ubuntu 9.4 but i can't stop freeradius...
> what can i do ?
> my console out
>
> r...@blacky:/etc/init.d # freeradius stop
> r...@blacky:/etc/init.d # ps -aux | grep freeradius
> Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
> root  5193  0.0  0.0 106828  2556 ?Ssl  Jun19   0:00 freeradius
> root 16823  0.0  0.0   7524   892 pts/2R+   14:13   0:00 grep freeradius
>
> r...@blacky:/etc/init.d #
>
> ( i use freeradius on centos everything is ok but on ubuntu everything is bad. :( )
>
> i'm sorry for my bad english :)
> thank you for everything

try adding "./" before freeradius
r...@blacky:/etc/init.d # ./freeradius stop

or writing full path to script:
r...@blacky:~ # /etc/init.d/freeradius stop

And check logs.

Best regards,
Denis Volkov


Re: i can't stop freeradius

2009-06-22 Thread Ivan Kalik
> i install freeradius on ubuntu 9.4 but i can't stop freeradius...
> what can i do ?

Ask Ubuntu people. Try man freeradius or man radiusd.

Ivan Kalik
Kalik Informatika ISP



Re: Re[4]: rlm_python - Unresponsive child

2009-06-22 Thread Ivan Kalik
>  As I said - everything works fine in freeradius debug mode (with -X), I
>  have problems with production thread pool mode.

When things work with radiusd -X and don't under the radius user, the problems
are permissions, SELinux or stuff like that.

Ivan Kalik
Kalik Informatika ISP



Re: i can't stop freeradius

2009-06-22 Thread Nicolas Goutte
Look at inetd, xinetd or any other daemon control software. (I do not  
know which one Ubuntu uses.)


Normally it is on purpose that daemons get re-started when they are  
killed.


Have a nice day!

On 22.06.2009 at 13:24, Ayşe GİR wrote:

> (i love freeradius but i don't love freeradius on ubuntu ...)
> i install freeradius on ubuntu 9.4 but i can't stop freeradius...
> what can i do ?
> my console out
>
> r...@blacky:/etc/init.d# freeradius stop
> r...@blacky:/etc/init.d# ps -aux | grep freeradius
> Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
> root  5193  0.0  0.0 106828  2556 ?Ssl  Jun19   0:00 freeradius
> root 16823  0.0  0.0   7524   892 pts/2R+   14:13   0:00 grep freeradius
>
> r...@blacky:/etc/init.d#
>
> ( i use freeradius on centos everything is ok but on ubuntu everything is bad. :( )
>
> i'm sorry for my bad english :)
> thank you for everything


Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle

Commercial register: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841




i can't stop freeradius

2009-06-22 Thread Ayşe GİR
(i love freeradius but i don't love freeradius on ubuntu ...)
i install freeradius on ubuntu 9.4 but i can't stop freeradius...
what can i do ?
my console out

r...@blacky:/etc/init.d# freeradius stop
r...@blacky:/etc/init.d# ps -aux | grep freeradius
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root  5193  0.0  0.0 106828  2556 ?Ssl  Jun19   0:00 freeradius
root 16823  0.0  0.0   7524   892 pts/2R+   14:13   0:00 grep freeradius
r...@blacky:/etc/init.d#

 ( i use freeradius on centos everything is ok but on ubuntu everything is bad. :( )
i'm sorry for my bad english :)
thank you for everything

Re[4]: rlm_python - Unresponsive child

2009-06-22 Thread Mike Tkachuk
Hello Ivan,

 As I said, everything works fine in freeradius debug mode (with -X); I
 have problems with production thread pool mode.

 Sure, there is no 'authenticate' function, but there is 'authorize'; that
 function is called when the authenticate block is executed:

python {
        mod_instantiate = radiusd_test
        func_instantiate = instantiate
        mod_authenticate = radiusd_test
        func_authenticate = authorize
        mod_accounting = radiusd_test
        func_accounting = accounting
        mod_detach = radiusd_test
        func_detach = detach
}

authorize {
        files
}

authenticate {
        Auth-Type Python {
                python
        }
}

accounting {
        python
}

Monday, June 22, 2009 1:03:03 PM, you wrote:

>> IK> Permissions. Check if freeradius user has permissions to execute the
>> IK> script. I assume that you have checked that script actually works.
>>
>>  Thanks for the answer.
>>  I was testing under root user, so the permissions should not be a
>>  problem, but I checked that also - added
>>  > user = root
>>  > group = wheel
>>  I see that instantiation code in radiusd_test.py running ok:
>>  > *** instantiate ***
>>  > None
>>  But authenticate just hangs.
>>
>>  Any other suggestions?

IK> There is no authenticate subroutine in radiusd_test.py.

IK> Ivan Kalik
IK> Kalik Informatika ISP




--
Mike Tkachuk



Re: multiple ippools configured for group of users.

2009-06-22 Thread Ivan Kalik
> ive gone through the documentation but dont seem to find this specific
> answer and really one just want confirmation on a small matter relating to
> assigning ips dynamically to my users.
>
> can i have multiple pools linked to a single hunting group since my
> hostmaster allocated me ranges that are scattered all over the place..

Use sqlippool. It can handle multiple subnets inside single pool. If you
want to stick to using ippools - use fail-over.

Ivan Kalik
Kalik Informatika ISP



multiple ippools configured for group of users.

2009-06-22 Thread jc
hi guys,

ive gone through the documentation but dont seem to find this specific
answer and really one just want confirmation on a small matter relating to
assigning ips dynamically to my users.

can i have multiple pools linked to a single hunting group since my
hostmaster allocated me ranges that are scattered all over the place..

for instance..

DEFAULT Huntgroup-Name == speedy, Called-Station-Id == "speedfreaks.co.za", Auth-Type := Accept, Pool-Name := "speedy-pool1", Pool-Name := "speedy-pool2", Pool-Name := "speedy-pool3"

single pool works perfectly...

ive tried defining multiple ranges within a pool, but that doesnt work at
all; freeradius just takes the last range in the config..

appreciate the feedback.

j.





Re: Please help me

2009-06-22 Thread Ivan Kalik
> in users file
>
>  steve   Auth-Type := Local, User-Password == "testing"
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-IP-Address = 172.16.3.33,
> Framed-IP-Netmask = 255.255.255.0,
> Framed-Routing = Broadcast-Listen,
> Framed-Filter-Id = "std.ppp",
> Framed-MTU = 1500,
> Framed-Compression = Van-Jacobsen-TCP-IP

Add Fall-Through = yes.

>
> DEFAULT  Pool-Name := "main_pool"

Or add it to DEFAULT entry and place DEFAULT entry above user entries.

Ivan Kalik
Kalik Informatika ISP
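
Both suggestions above come down to the order in which the users file is walked: the first matching entry ends processing unless its reply items contain Fall-Through = Yes, so a DEFAULT entry placed after "steve" is never reached. The sketch below is an added example, not FreeRADIUS code and not part of the thread; it models only entry order and Fall-Through (all == checks are assumed to pass), and the three sample files are constructed from the entries quoted in the thread.

```python
import re

ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|\+=|=)\s*(.*)')


def parse_items(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    items = []
    for part in text.split(","):
        m = ITEM_RE.fullmatch(part.strip())
        if m:
            items.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return items


def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order. An entry starts
    at column 0; the indented lines after it are its reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if entries:
                entries[-1][2].extend(parse_items(raw))
        else:
            parts = raw.split(None, 1)
            checks = parts[1] if len(parts) > 1 else ""
            entries.append((parts[0], parse_items(checks), []))
    return entries


def authorize(entries, user):
    """Simplified model of the walk: returns (control, reply) attribute dicts."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name not in (user, "DEFAULT"):
            continue
        # Assumption: '==' checks pass; ':=' check items set control attributes.
        control.update({a: v for a, op, v in checks if op == ":="})
        reply.update({a: v for a, _, v in replies if a != "Fall-Through"})
        if not any(a == "Fall-Through" and v.lower() == "yes"
                   for a, _, v in replies):
            break  # first match without Fall-Through ends processing
    return control, reply


# Constructed samples: the layout from the original post and the two fixes.
ORIGINAL = '''\
steve   Auth-Type := Local, User-Password == "testing"
        Service-Type = Framed-User,
        Framed-IP-Address = 172.16.3.33

DEFAULT Pool-Name := "main_pool"
'''
FIX_FALL_THROUGH = ORIGINAL.replace(
    "172.16.3.33\n", "172.16.3.33,\n        Fall-Through = Yes\n")
FIX_DEFAULT_FIRST = '''\
DEFAULT Pool-Name := "main_pool"
        Fall-Through = Yes

steve   Auth-Type := Local, User-Password == "testing"
        Service-Type = Framed-User,
        Framed-IP-Address = 172.16.3.33
'''

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL),
                        ("Fall-Through on steve", FIX_FALL_THROUGH),
                        ("DEFAULT first", FIX_DEFAULT_FIRST)):
        control, _ = authorize(parse_users(text), "steve")
        print(label, "->", control.get("Pool-Name", "no Pool-Name"))
```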



Please help me

2009-06-22 Thread josgeorge thaikudathil
 Hi,

I am using the FreeRADIUS version available with Red Hat 4.5; the RPM name
is freeradius-1.0.1-3.RHEL4.3.i386.rpm

I am trying to use the ippool configuration. The configuration I have made is:

in radiusd.conf file


ippool main_pool {
        #  range-start,range-stop: The start and end ip
        #  addresses for the ip pool
        range-start = 10.143.71.15
        range-stop = 10.143.71.25
        #  netmask: The network mask used for the ip's
        netmask = 255.255.255.0
        #  cache-size: The gdbm cache size for the db
        #  files. Should be equal to the number of ip's
        #  available in the ip pool
        cache-size = 800
        # session-db: The main db file used to allocate ip's to clients
        session-db = ${raddbdir}/db.ippool
        # ip-index: Helper db index file used in multilink
        ip-index = ${raddbdir}/db.ipindex
        # override: Will this ippool override a Framed-IP-Address already set
        override = yes
        # maximum-timeout: If not zero specifies the maximum time in seconds an
        # entry may be active. Default: 0
        maximum-timeout = 0
}

accounting {
        main_pool
}

post-auth {
        main_pool
}
--
in users file

 steve   Auth-Type := Local, User-Password == "testing"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 172.16.3.33,
Framed-IP-Netmask = 255.255.255.0,
Framed-Routing = Broadcast-Listen,
Framed-Filter-Id = "std.ppp",
Framed-MTU = 1500,
Framed-Compression = Van-Jacobsen-TCP-IP

DEFAULT  Pool-Name := "main_pool"

--

in clients file

   
-

and I am getting errors when I run /usr/sbin/radiusd -A -X

 modcall: entering group post-auth for request 0
rlm_ippool: Could not find Pool-Name attribute.
  modcall[post-auth]: module "main_pool" returns noop for request 0
rlm_ippool: Could not find Pool-Name attribute.

I suspect some problem with the users file. Can you please help me
find out what is missing?

-- 
Thanks and regards
Jos george.
9844459056

Re: Re[2]: rlm_python - Unresponsive child

2009-06-22 Thread Ivan Kalik
> IK> Permissions. Check if freeradius user has permissions to execute the
> IK> script. I assume that you have checked that script actually works.
>
>  Thanks for the answer.
>  I was testing under root user, so the permissions should not be a
>  problem, but I checked that also - added
>  > user = root
>  > group = wheel
>  I see that instantiation code in radiusd_test.py running ok:
>  > *** instantiate ***
>  > None
>  But authenticate just hangs.
>
>  Any other suggestions?

There is no authenticate subroutine in radiusd_test.py.

Ivan Kalik
Kalik Informatika ISP



Re: Any free Java APIs to access freeRadius server?

2009-06-22 Thread Ivan Kalik
> I am using freeRadius server for authentication. I am able to authenticate
> for ssh login.
>
> I want to authenticate my java application using radius server. Is there
> any
> java libraries/APIs available to access and authenticate directly. Please
> advise me.

jRadius.

Ivan Kalik
Kalik Informatika ISP



Re: Variable name for Minute

2009-06-22 Thread Alan DeKok
Sajeewa Warnakulasuriya wrote:
> Hi Alan,
> 
> I already checked it and all i found was the below.

  Hmm... I had thought something was there.  It looks like the code
doesn't support it, sorry.

  Alan DeKok.


Any free Java APIs to access freeRadius server?

2009-06-22 Thread kpani

Hi,

I am using freeRadius server for authentication. I am able to authenticate
for ssh login.

I want to authenticate my java application using radius server. Is there any
java libraries/APIs available to access and authenticate directly. Please
advise me.

Thanks in advance.

Regards,
Dhandapani


Re[2]: rlm_python - Unresponsive child

2009-06-22 Thread Mike Tkachuk
Hello Ivan,

Monday, June 22, 2009 12:20:38 PM, you wrote:
IK> Permissions. Check if freeradius user has permissions to execute the
IK> script. I assume that you have checked that script actually works.

 Thanks for the answer.
 I was testing under root user, so the permissions should not be a
 problem, but I checked that also - added
 > user = root
 > group = wheel
 I see that instantiation code in radiusd_test.py running ok:
 > *** instantiate ***
 > None
 But authenticate just hangs.

 Any other suggestions?

--
Mike Tkachuk



Re: Radius+Huwaei switch + auto VLan Assignment issue

2009-06-22 Thread A . L . M . Buxey
hi,

have you set the copy tunnel = yes for the PEAP section in eap.conf?

alan


Re: Radius+Huwaei switch + auto VLan Assignment issue

2009-06-22 Thread Ivan Kalik
> When we try the authentication with this user account, although radius
> log send the VLAN attributes (Tunnel-Type, Tunnel-Medium-Type,
> Tunnel-Private-Group-ID) in Access-Challenge messages and finally send an
> Access-Accept message, the switch does not assign the right VLAN (the
> switching from VLAN 1 to VLAN 2 does not occur) and the user still in
> VLAN 1. We note that there is no VLAN attribute in Access-Accept message.
>
> What may be wrong ?

...
> MSCHAP Success
> ++[eap] returns handled
> } # server (null)
>   PEAP: Got tunneled reply RADIUS code 11
>     Tunnel-Private-Group-Id:0 = "2"
>     Tunnel-Medium-Type:0 = IEEE-802
>     Tunnel-Type:0 = VLAN
>     EAP-Message =
> 0x010a00331a0309002e533d45324635434146333132433946454341393932443738373436364344424342443444364643444134
>     Message-Authenticator = 0x
>     State = 0x0c186c320d1276bedb16c1e664f42fe2
>   PEAP: Processing from tunneled session code 0x7c52c0 11
>     Tunnel-Private-Group-Id:0 = "2"
>     Tunnel-Medium-Type:0 = IEEE-802
>     Tunnel-Type:0 = VLAN
>     EAP-Message =
> 0x010a00331a0309002e533d45324635434146333132433946454341393932443738373436364344424342443444364643444134
>     Message-Authenticator = 0x
>     State = 0x0c186c320d1276bedb16c1e664f42fe2

Attributes are available in the tunnel ...

...
> Sending Access-Accept of id 32 to 192.168.100.5 port 5001
>     MS-MPPE-Recv-Key =
> 0x3fc9ad8eb5c61fa194fbcf43ec68aa879a28a6f2b25d5dcc96531f47dccdae69
>     MS-MPPE-Send-Key =
> 0xaf8ead06473463ae03e04ac1cc4f09e8e827287effa7ccaf360b0b8bbc2ed18e
>     EAP-Message = 0x030b0004
>     Message-Authenticator = 0x
>     User-Name = "toto"

... but not in the final reply. Enable use_tunneled_reply in peap section
of eap.conf.

Ivan Kalik
Kalik Informatika ISP
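
The comparison made above (attributes present in the tunneled reply, absent from the outer Access-Accept) can be done mechanically on radiusd -X output. The sketch below is an added example, not part of the thread or of FreeRADIUS; the sample logs are constructed and abridged from the debug output quoted above, and it assumes the log shows one EAP session at a time.

```python
import re

# Reply attribute line in radiusd -X output: indented "Name[:tag] = value".
ATTR_RE = re.compile(r'^\s+([A-Za-z][\w-]*)(?::\d+)?\s*=\s*(.*)$')
# Attributes that carry the EAP conversation itself, not authorization data.
EAP_INTERNAL = {"EAP-Message", "Message-Authenticator", "State"}


def dropped_attributes(debug_text):
    """For each outer Access-Accept, list the attributes that a preceding PEAP
    tunneled reply carried but the Access-Accept does not."""
    results, tunneled, block, pending = [], {}, None, None
    for raw in debug_text.splitlines():
        line = re.sub(r'^(?:>\s?)+', '', raw)      # tolerate mail-quoted logs
        if "PEAP: Got tunneled reply" in line:
            block, pending = tunneled, None
        elif line.startswith("Sending Access-Accept"):
            block, pending = {}, None
            results.append((tunneled, block))
            tunneled = {}                          # next session starts clean
        else:
            m = ATTR_RE.match(line)
            if m and block is not None:
                block[m.group(1)] = m.group(2).strip('"')
                pending = m.group(1) if not m.group(2) else None
            elif block is not None and pending and line.strip():
                block[pending], pending = line.strip(), None  # wrapped value
            elif not m:
                block = None                       # any other line ends a block
    return [sorted(k for k in inner if k not in EAP_INTERNAL and k not in outer)
            for inner, outer in results]


# Constructed sample, abridged from the quoted debug output (hex shortened).
SESSION = '''\
  PEAP: Got tunneled reply RADIUS code 11
    Tunnel-Private-Group-Id:0 = "2"
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Type:0 = VLAN
    EAP-Message =
0x0102
    State = 0x0c18
  PEAP: Processing from tunneled session code 0x7c52c0 11
    Tunnel-Type:0 = VLAN
Sending Access-Accept of id 32 to 192.168.100.5 port 5001
    EAP-Message = 0x030b0004
    User-Name = "toto"
'''
# As posted: the VLAN attributes never reach the outer reply.
LOG_AS_POSTED = SESSION + "Finished request 9\n"
# What the outer reply looks like once the tunneled attributes are copied out.
LOG_WITH_TUNNELED_REPLY = SESSION + '''\
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "2"
Finished request 9
'''

if __name__ == "__main__":
    print("as posted:", dropped_attributes(LOG_AS_POSTED))
    print("after fix:", dropped_attributes(LOG_WITH_TUNNELED_REPLY))
```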


Re: rlm_python - Unresponsive child

2009-06-22 Thread Ivan Kalik
>  I'm trying to use Freeradius 2.1.6 release with rlm_python (python 2.6.2)
> on
>  FreeBSD.
>  I use default radiusd_test.py bundled with rlm_python. All is fine
>  when I start radius in debug mode with -X, however in normal forked
>  mode next error appear:
>
> Error: WARNING: Unresponsive child for request 0, in module python
> component authenticate
> < few seconds later >
> Info: [python] Child is still stuck for request 0
>
>  Any ideas what can be wrong?

Permissions. Check if freeradius user has permissions to execute the
script. I assume that you have checked that script actually works.

Ivan Kalik
Kalik Informatika ISP



FreeRADIUS as a general authentication system

2009-06-22 Thread Lloyd


Hi FreeRADIUS list,

In our "system" there is a need for an authentication server. The required  
characteristics of the server are


*) The authentication client will be a custom built one. It may be running  
on *NIX,Windows and Mac. Is it possible to write a client using the  
FreeRADIUS client library? (The client will have much more other  
functionalities, not related to authentication)


*) Is it possible to extend the server? As an example, in our case, each
time a client wants to communicate with other clients, it will request a  
"session key" to the server, and the server will send the key to all  
clients which take part in the communication. (The aim of this is to  
encrypt the communication session with the new session key generated, so  
that only the clients who know the session key can decrypt the message)  
So, is it possible to introduce a key generation system as well as a  
"request interpretation" system to the FreeRADIUS server?


*) Or is there a better way implemented in FreeRADIUS to accomplish the
above requirements?


Thanks in advance,
  Lloyd



Re: Refusing to start due to insecure configuration

2009-06-22 Thread A . L . M . Buxey
Hi,

> C:\FreeRADIUS.net\bin>radiusd.exe -d ../etc/raddb -AX 
>  Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Configuration directory ../etc/raddb is globally writable.  Refusing to start 
> due to insecure configuration.
> Errors reading radiusd.conf
> 
> what wrong about  it? 

I think the error message you are seeing is fairly self-evident.

the config directory is globally writable - meaning anyone on
the system can make changes to it - this is very bad. you need to use
windows file/directory permissions to ensure that it is only writable
by admin or admin group.

alan


Re: Old password 'grace period'

2009-06-22 Thread A . L . M . Buxey
Hi,

> [JK] Thanks, Arran.  Another quick question.  Will 2.* do this 'straight out 
> of the box'?  If not, will it require much work?  We are evaluating whether 
> attempt this in radius, or make changes in our system.

your situation is a slightly unique bespoke requirement - as such, it won't
work 'straight out of the box' - you'll need to add a few lines of 'unlang'
to the config.

check out the FreeRADIUS wiki - in particular

http://wiki.freeradius.org/Fail-over


you'll basically need to make an SQL query for the one type...and
if it fails, make another query for the other type.

alan


rlm_python - Unresponsive child

2009-06-22 Thread Mike Tkachuk
Hello Freeradius-users,

 I'm trying to use Freeradius 2.1.6 release with rlm_python (python 2.6.2) on
 FreeBSD.
 I use the default radiusd_test.py bundled with rlm_python. All is fine
 when I start radius in debug mode with -X, however in normal forked
 mode the following error appears:

Error: WARNING: Unresponsive child for request 0, in module python component authenticate
< few seconds later >
Info: [python] Child is still stuck for request 0

 Any ideas what can be wrong? How to debug this?
 And is rlm_python OK for a commercial production environment? What other
 problems can I face?

 Thanks.

--
Mike Tkachuk



Re: Variable name for Minute

2009-06-22 Thread Sajeewa Warnakulasuriya

Hi Alan,

I already checked it and all i found was the below.

Variable  Description                          Proper Equivalent
--------  -----------                          -----------------
 %a       Protocol (SLIP/PPP)                  %{Framed-Protocol}
 %c       Callback-Number                      %{Callback-Number}
 %d       request day (DD)
 %f       Framed IP address                    %{Framed-IP-Address}
 %i       Calling Station ID                   %{Calling-Station-Id}
 %l       request timestamp
 %m       request month (MM)
 %n       NAS IP address                       %{NAS-IP-Address}
 %p       Port number                          %{NAS-Port}
 %s       Speed (PW_CONNECT_INFO)              %{Connect-Info}
 %t       request in ctime format
 %u       User name                            %{User-Name}
 %A       radacct_dir                          %{config:radacctdir}
 %C       clientname
 %D       request date (MMDD)
 %H       request hour
 %L       radlog_dir                           %{config:logdir}
 %M       MTU                                  %{Framed-MTU}
 %R       radius_dir                           %{config:raddbdir}
 %S       request timestamp in SQL format
 %T       request timestamp in database format
 %U       Stripped User name                   %{Stripped-User-Name}
 %V       Request-Authenticator (Verified/None)
 %Y       request year ()
 %Z       All request attributes except password (must have a big buffer)

also man unlang didn't show me any hints either, unless I'm reading it 
wrong.



Regards,



Sajeewa Warnakulasuriya

Systems Development Manager




Level 14
520 Collins Street
Melbourne 3000 VIC


Phone:  1300 663 400

Fax:  1300 665 400

E-Mail: sajee...@ispone.com.au

Web:http://www.ispone.com.au/

On Mon, 22 Jun 2009, Alan DeKok wrote:

> Sajeewa Warnakulasuriya wrote:
>> Hi all,
>>
>> I understand that variable %H is for request hour, I was wondering the
>> variable name for request minute?
>
>  doc/variables.txt
>
>  Alan DeKok.