How to Change Source Port for
I'm using copy-acct-to-home-server. FreeRADIUS sends any acct request using the source port of 1814.
My client sent me a trace, where Wireshark is claiming duplicate requests.
We have to handle 1000+ requests per second.

Is it possible to change the source port settings to get a new source port for every request?

Thanks.
Regards
Stefan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to Change Source Port for
Hi,

> Freeradius sends any acct request using the source port of 1814
> My client sent me a trace, where wireshark is claiming duplicate requests.
> We have to handle 1000+ Requests per second.
>
> Is it possible to change the source port settings to get a new source port
> for every request?

You aren't handling accounting quickly enough. Fix/improve the database (or switch to using offline accounting, e.g. the detail file method - buffered-sql).

alan
Re: freeradius and Cisco VPN IPSEC profiles authentication
Jevos, Peter wrote:
> Hi Alan, thanks, I've read it but it's too complicated and I'm
> missing more examples of configurations

The raddb directory *does* come with examples.

> If anybody help me with the syntax and code location with this issue:

Sorry, but:

1) the "unlang" documentation contains a detailed description of the syntax
2) my previous message gave the *specific* location of where the logic should go.

*PLEASE* read the existing documentation and messages on this list. Failure to do so is a major reason for not solving issues.

> If requests come from NAS-IP-Address==1.1.1.1 and the
> %{mschap:NT-Domain}=vipdomainuser , check them against module
> ntlm_auth_vip ( module is already working ) and if pass give them
> Cisco-Avpair += "ipsec:addr-pool=vip_vpn_pool" and other optional AVpairs.

The "unlang" syntax is pretty much exactly that. It's not that hard.

	if ((NAS-IP-Address == 1.1.1.1) && ("%{mschap:NT-Domain}" == "vipdomainuser")) {
		update control {
			Auth-Type := ntlm_auth_vip
		}
		update reply {
			Cisco-AVPair += "ipsec:addr-pool=vip_vpn_pool"
		}
	}

Alan DeKok.
Radius Client password not accepted
Hi,

I am using FreeRADIUS for communication between an Asterisk VoIP server and a database. I have everything set up on the same machine, which has CentOS 5.4. My problem is that when I send a request from the client to the server the RADIUS password is not accepted; also, when I see the RADIUS packets in Wireshark I see that the account status type value is not correct. I have checked that the passwords at client and server are the same. Please help, I have been trying to solve this issue for the past 15 days.

Regards
Azam
Radreply Attributes full lists
Hi everyone,

Could someone point me to the place where I could find the entire list of available attributes that could be sent to a user via radreply (or radgroupreply)?
I have been digging a while and only found WISPR-Bandwidth-Max-Down and frame things. I'm pretty sure there is more than that.

regards
Re: Radreply Attributes full lists
morocon wrote:
> Hi every one,
>
> Could someone point me to the place i could find the entire list of
> available attribut that could be send to a user via radreply (or
> radgroupreply)?

See the "dictionary" files. There are nearly 5K attributes defined. But most of those are irrelevant.

Instead, look at the documentation for the NAS to see which attributes it understands. *All* other attributes will be ignored.

Alan DeKok.
Re: Radius Client password not accepted
Azam Zia wrote:
> I am using free radius for communication between asterisk voip server
> and database. I have everything setup on same machine which has Centos
> 5.4. My problem is that when i send request from client to server the
> radius password is not accepted,

What does that mean?

> also when i see radius packets in
> wireshark i see that accountstatus type value is not correct.

What does that mean?

> I have checked the password at client and server are same.

Have you tried running the server in debugging mode, as suggested in the FAQ, README, INSTALL, web page, "man" pages, and daily on this list?

> Please help i have
> been trying to solve this issue for the past 15 days.

Ask questions earlier.

Alan DeKok.
Output from Exec-Program-Wait in users file
Hi,

I am migrating from an ancient radius install to FreeRADIUS Version 2.1.8.

The system uses a custom authentication binary which we access from the users file via:

DEFAULT NAS-IP-Address == "192.168.1.100", Auth-Type := Accept, Simultaneous-Use := 1
	Exec-Program-Wait = "/usr/local/sbin/auth -X -U -u 5882626 -- %{User-Name} %{User-Password} %{%{Called-Station-Id}:-Missing} %{%{NAS-IP-Address}:-Missing} %{%{Calling-Station-Id}:-Missing} %{%{NAS-Port-Type}:-Missing} %{Vendor-Specific}",
	Fall-Through = no

On the old version, the output from the EXEC was sent back in the Accept packet. Now it looks like the stdout from the Exec-Program-Wait is not being sent back but either dropped or misplaced.

++[sql] returns ok
+- entering group post-auth {...}
Exec-Program output: Framed-Compression=Van-Jacobsen-TCP-IP Framed-Routing=None Framed-MTU=1500 Framed-IP-Netmask=255.255.255.0 Framed-Protocol=PPP Service-Type=Framed-User Idle-Timeout=1800 Session-Timeout=86400 ERX-Virtual-Router=SOMEROUTER ERX-Ingress-Policy-Name=COMFORT_UP ERX-Egress-Policy-Name=COMFORT_DOWN
Exec-Program-Wait: plaintext: Framed-Compression=Van-Jacobsen-TCP-IP Framed-Routing=None Framed-MTU=1500 Framed-IP-Netmask=255.255.255.0 Framed-Protocol=PPP Service-Type=Framed-User Idle-Timeout=1800 Session-Timeout=86400 ERX-Virtual-Router=SOMEROUTER ERX-Ingress-Policy-Name=COMFORT_UP ERX-Egress-Policy-Name=COMFORT_DOWN
Exec-Program: returned: 0
++[exec] returns noop
Sending Access-Accept of id 248 to 192.168.1.100 port 5
Finished request 0.

Is there a way to direct the output from the Exec-Program into the Accept packet? As far as we can tell, we are sending back an empty Accept packet. The values are calculated by the auth binary, so hard coding them would be very difficult.

It's after 1am here, so I hope this won't seem obvious in the morning. Any hints would be greatly appreciated.

Thanks so much,
-craig

Craig Campbell
craig.campb...@ccraft.ca
CampbellCraft Consulting Inc
2 Kenny Court Whitby, Ontario Canada L1R 2L8
905 922-2789
Re: Logging ntlm authentication
Thanks. Could you please share the Perl scripts and the corresponding configuration in radiusd.conf, like the authorize and post-auth sections related to these logs?

Schilling

On Wed, Nov 10, 2010 at 10:04 PM, Garber, Neal wrote:
>> Could you please summarize what you did to log the output from
>> ntlm_auth and MS_CHAP-Error?
>
> Sure. I should mention that other options are available now that didn't
> exist when I created the solution below...
>
> I have a PERL script that runs during authorize that obtains user/group or
> machine/container permissions for the NAS in question from XML files to
> determine whether the entity is authorized and it creates a Log-Data reply
> attribute containing all non-sensitive request attributes. This is then
> written to syslog during post-auth by another PERL script.
>
> Our help desk and others use a .Net application that I wrote to
> display/filter the data from the current or past log files in a grid control.
> The log contains specifics of the request, authorization and authentication
> results/messages and reply attributes.
>
> Does that answer your question?
Re: Output from Exec-Program-Wait in users file
I think I found the issue. One of the value pairs being returned used a name not defined in the dictionary file. The new name is similar, leading me to suspect the old name was deprecated and eventually replaced with a clearer name.

Thanks all!
-craig

- Original Message -
From: Craig Campbell
To: FreeRadius users mailing list
Sent: Friday, November 12, 2010 6:24 AM
Subject: Output from Exec-Program-Wait in users file
RE: freeradius and Cisco VPN IPSEC profiles authentication
Thank you Phill, that's great help, but it still doesn't work as it should.
Now I don't know how I should adjust the users file : )

I used

	if ((NAS-IP-Address == 1.1.1.1) && ("%{mschap:NT-Domain}" == "vipdomainuser")) {
		update control {
			Auth-Type := ntlm_auth_vip
		}
		update reply {
			Cisco-AVPair += "ipsec:addr-pool=vip_vpn_pool"
		}
	}

And in the users file is:

DEFAULT Auth-Type := ntlm_auth_vpn_osw
	Service-Type = Framed-User,
	Framed-Protocol = PPP

With this it's working as it should; however, if a request comes from a different NT-Domain than "vipdomainuser" it's blocked (according to the ntlm_auth_vip), and it doesn't go to another DEFAULT rule where everybody can pass. I tried also the Fall-Through parameter; it didn't work as well.

I'm sorry that I'm bothering again (Alan tried to explain it to me many times), but I was using MS IAS for many years, and my concepts come from this system.

Thank you
Re: freeradius and Cisco VPN IPSEC profiles authentication
Jevos, Peter wrote:
> Thank you phill, that's great help, but it still doesn't work as it
> should.
> Now I don't know how should I adjust the users file : )

You don't. The messages on this list should make it *very* clear that updating the "authorize" section is all that is necessary.

> With this it's working as it should , however if request comes from the
> different NT-Domain then "vipdomainuser" it's blocked ( according the
> ntlm_auth_vip ), and it doesn't go to another DEFAULT rule where
> everybody can pass.

So *think* a little bit. You wrote two rules in an earlier email. One was translated for you into "unlang". It should be relatively easy to translate the *second* one into "unlang".

As a hint, if you don't implement a rule for a different NT-Domain, then the rules for that different NT-Domain won't be applied. Because they don't exist.

Alan DeKok.
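Both rules from the thread written out in "unlang", as an added example that is neither Alan's nor Peter's configuration nor part of the FreeRADIUS project. It assumes the two ntlm_auth instances named in the thread (ntlm_auth_vip and ntlm_auth_vpn_osw) are already defined and listed under "authenticate", that the else branch takes over the job of the DEFAULT entry in the users file, and that the reply items from that entry should go to every user.

```unlang
# Added example (not from the thread): both rules in the "authorize" section
# of the virtual server (raddb/sites-enabled/default in 2.x).
# Assumption: ntlm_auth_vip and ntlm_auth_vpn_osw are the two ntlm_auth module
# instances from the thread, already defined and listed under "authenticate".
authorize {
	preprocess
	mschap

	if ((NAS-IP-Address == 1.1.1.1) && ("%{mschap:NT-Domain}" == "vipdomainuser")) {
		# Rule 1: the VIP domain arriving via the VPN router.
		# Authenticate against ntlm_auth_vip and hand out the VIP address pool.
		update control {
			Auth-Type := ntlm_auth_vip
		}
		update reply {
			Cisco-AVPair += "ipsec:addr-pool=vip_vpn_pool"
		}
	}
	else {
		# Rule 2: every other NT-Domain. This is the rule the DEFAULT entry in the
		# users file expressed; with it here, that entry is not needed for Auth-Type
		# (assumption: the users file DEFAULT line is removed).
		update control {
			Auth-Type := ntlm_auth_vpn_osw
		}
	}

	# Reply items the old DEFAULT entry gave to everyone, VIP or not.
	update reply {
		Service-Type = Framed-User
		Framed-Protocol = PPP
	}
}
```

Without the else branch, a non-VIP request leaves "authorize" with whatever Auth-Type the other modules chose, which is exactly the behaviour Alan's hint describes.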
RE: freeradius and Cisco VPN IPSEC profiles authentication
> As a hint, if you don't implement a rule for a different NT-Domain, then
> the rules for that different NT-Domain won't be applied. Because they
> don't exist.
>
> Alan DeKok.

Thank you Alan, it makes sense. But it doesn't solve my problem.

In my Cisco configuration there is a group:

crypto isakmp client configuration group vipgroup
 key
 dns 1.1.11.10 1.1.11.11
 wins 1.1.11.12 1.1.11.13
 pool vpn-vipgroup

How could I ensure that this group with these parameters will be accessible only for the users from the domain vipdomainusers (e.g. ntlm_auth_vipusers authentication)?
The other groups configured on the same router will be accessible for any domain users (but I cannot name hundreds of domains in the freeradius config).

The point is that Cisco RADIUS doesn't send a group name (vipgroup) in the request to the radius server.

OK, I can return Cisco AV pairs (pool, dns...) to the router, but still, if any domain user tries to connect to the group vipgroup, it receives the pool and other parameters.

thanks, you're great that you can help us
pet
thanks
Re: freeradius and Cisco VPN IPSEC profiles authentication
Jevos, Peter wrote:
> Thank you Alan , it makes sense. But it doesn't solve my problem

(1) Edit your responses. It shows consideration for other people.
(2) Pick one problem at a time. Changing "the problem" midway in a conversation makes it look like you don't care about the solution to the first problem.

> In my cisco configuration there is a group:
> crypto isakmp client configuration group vipgroup
> key
> dns 1.1.11.10 1.1.11.11
> wins 1.1.11.12 1.1.11.13
> pool vpn-vipgroup
>
> How could i ensure that this group with this parameters will be
> accesible only for the users from the domain vipdomainusers ( e.g.
> ntlm_auth_vipusers authentication) ?

Go back and read my messages again. Is there anything in the RADIUS packet which will distinguish the different groups? If not, you're out of luck.

> The other groups configured on the same router will be accessible for
> any domain users ( but i cannot name hundreds domains in the freeradius
> config )
>
> point is that cisco radius doesn't send a group name ( vipgroup ) in the
> request to the radius server

Go ask Cisco to fix their equipment.

Alan DeKok.