Re: Spaces in the end of User-Name.

2011-01-18 Thread admin
Alan DeKok wrote in his message of Wed, 19 Jan 2011 09:13:35 +0200:

> admin wrote:
>> What must I specify in the config file of freeradius2 so that, in each
>> request, before its further handling, spaces at the end of %{User-Name}
>> are automatically deleted?
>
>   You need to write a custom rule in "unlang".

Something like this?

# strip trailing whitespace from User-Name
if ("%{User-Name}" =~ /([a-zA-Z0-9_.]+)\s+$/i) {
    update request {
        User-Name := "%{1}"
    }
}

Where in the config file should it be inserted so that User-Name is changed
globally before any actions with it?

>   However... my $0.02 is that you shouldn't.  Instead, if you see a
> User-Name with spaces, *reject* it.  The user is trying to play games.

Yes, but it creates many questions from users.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Storing of salt in freeradius

2011-01-18 Thread Mark
Alan, Fajar,

Thank you both for your help and advice on this.

On 19-Jan-2011, at 3:14 PM, Alan DeKok wrote:

> Mark wrote:
>> In the event of using salted md5 hashes for passwords, where exactly does 
>> one store the salt? There doesn't seem to be a place within the FR config  
>> to do that. Any advice would be much appreciated.
> 
>  The salt is stored in the same string as the hashed password.  See
> wikipedia for descriptions of how salted passwords work, or "man crypt".
> 
>  Alan DeKok.

Kind regards,

Mark




Re: Help needed with user authentication

2011-01-18 Thread Fajar A. Nugraha
On Wed, Jan 19, 2011 at 1:52 PM, Johan Meiring wrote:

> On 2011/01/19 04:24 AM, Luke Hammond wrote:
>
>> I want to have a wireless network, that will be
>> open, and when a user connects and tries to browse they get redirected to
>> a page where they have to login
>

It's called captive portal
http://en.wikipedia.org/wiki/Captive_portal

> Try
> coova.org/CoovaChilli
>

What we usually do:
- get a wireless AP which has captive portal feature. I find it easier than
having to install a captive portal manually on a server.
For example, if you're willing to use third-party firmware, dd-wrt supports
these devices: http://www.dd-wrt.com/wiki/index.php/Supported_Devices
- get a radius server (you already have that)
- get a login page. Something like
http://net-mai.net/files/hotspotlogin.php.txt
- adjust settings as required

-- 
Fajar

Re: Storing of salt in freeradius

2011-01-18 Thread Alan DeKok
Mark wrote:
> In the event of using salted md5 hashes for passwords, where exactly does one 
> store the salt? There doesn't seem to be a place within the FR config  to do 
> that. Any advice would be much appreciated.

  The salt is stored in the same string as the hashed password.  See
wikipedia for descriptions of how salted passwords work, or "man crypt".

  Alan DeKok.


Re: Spaces in the end of User-Name.

2011-01-18 Thread Alan DeKok
admin wrote:
> What must I specify in the config file of freeradius2 so that, in each
> request, before its further handling, spaces at the end of %{User-Name}
> are automatically deleted?

  You need to write a custom rule in "unlang".

  However... my $0.02 is that you shouldn't.  Instead, if you see a
User-Name with spaces, *reject* it.  The user is trying to play games.

> The parameter nospace_user doesn't work.

  That was removed many years ago.

  Alan DeKok.


Proxying authentication from FreeRadius to Cisco ACS

2011-01-18 Thread Erisan Nyamutenha
Hello All,
 
I am setting up an Eduroam authentication server using FreeRadius 2.1.1
on Suse Linux 12. I am proxying authentication requests to a Cisco ACS.
When testing using radtest from the FreeRadius box, authentication is
proxied to ACS fine and I get an access-accept back. However, when I try
from a wireless client the proxy response from the ACS is an
Access-Reject. In the failed attempts logs on the ACS it says bad
username or password. I'm pretty sure I'm using the correct password. Is
there any reason why this should not work? I've posted my logs below:
 
rad_recv: Access-Request packet from host 1.1.1.1 port 32768, id=210,
length=255
User-Name = "username ( mailto:01420...@uct.ac.za )@xyz.ac.za"
Calling-Station-Id = "00-1e-64-8f-f1-2a"
Called-Station-Id = "08-17-35-32-f2-90:Eduroam"
NAS-Port = 29
NAS-IP-Address = 1.1.1.1   
NAS-Identifier = "uc-wism-2"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "63"
EAP-Message =
0x02a0002b190017030100204673d48ae9e9d21afa7fe1fd6cae4d95841ae136e4fe85ad44acd3a4d0228a69
State =
0x4541503d302e2e63666337302e373b5356433d302e31363139623b
Message-Authenticator = 0xaab2e06ffb5753411ad8d42b71cafbdd
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "xyz.ac.za" for User-Name =
"usern...@xyz.ac.za"
[suffix] Found realm "xyz.ac.za"
[suffix] Adding Stripped-User-Name = "username"
[suffix] Adding Realm = "xyz.ac.za"
[suffix] Proxying request from user username to realm xyz.ac.za
[suffix] Preparing to proxy authentication request to realm
"xyz.ac.za"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm xyz.ac.za.  Not doing
EAP.
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 81 to 2.2.2.2 port 1812
User-Name = "username"
Calling-Station-Id = "00-1e-64-8f-f1-2a"
Called-Station-Id = "08-17-35-32-f2-90:Eduroam"
NAS-Port = 29
NAS-IP-Address = 1.1.1.1
NAS-Identifier = "uc-wism-2"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "63"
EAP-Message =
0x02a0002b190017030100204673d48ae9e9d21afa7fe1fd6cae4d95841ae136e4fe85ad44acd3a4d0228a69
State =
0x4541503d302e2e63666337302e373b5356433d302e31363139623b
Message-Authenticator = 0x
Proxy-State = 0x323130
Proxying request 8 to home server 2.2.2.2 port 1812
Sending Access-Request of id 81 to 2.2.2.2 port 1812
User-Name = "username"
Calling-Station-Id = "00-1e-64-8f-f1-2a"
Called-Station-Id = "08-17-35-32-f2-90:Eduroam"
NAS-Port = 29
NAS-IP-Address = 1.1.1.1
NAS-Identifier = "uc-wism-2"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "63"
EAP-Message =
0x02a0002b190017030100204673d48ae9e9d21afa7fe1fd6cae4d95841ae136e4fe85ad44acd3a4d0228a69
State =
0x4541503d302e2e63666337302e373b5356433d302e31363139623b
Message-Authenticator = 0x
Proxy-State = 0x323130
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Reject packet from host 2.2.2.2 port 1812, id=81,
length=61
Proxy-State = 0x323130
EAP-Message = 0x04a4
Reply-Message = "Rejected\n\r"
Message-Authenticator = 0xbcede120e168d2d92558e5f4ab8e03d5
 
Thanks 
 
Erisan


 


Re: Storing of salt in freeradius

2011-01-18 Thread Fajar A. Nugraha
On Wed, Jan 19, 2011 at 12:39 PM, Mark  wrote:

> Hi folks,
>
> Been trying to look for information on this but haven't been able to find
> anything, prompting me to turn to the mailing list for help.
>
> In the event of using salted md5 hashes for passwords, where exactly does
> one store the salt?


In the beginning of the password.


> There doesn't seem to be a place within the FR config  to do that. Any
> advice would be much appreciated.
>
>
No special place needed.

You're probably confusing MD5-Password and Crypt-Password (which in turn can
use an MD5 hash). For example, if you use PAP, these three attributes will
allow access when the user enters the password "testpass":

Cleartext-Password := "testpass"
MD5-Password := "179ad45c6ce2cb97cf1029e212046e81"
Crypt-Password := "$1$12345678$duTc/02K9TK/XCYFyofbZ/"
Crypt-Password := "122U0BPYjrauc"

MD5-Password does not have any salt.
Crypt-Password in the first example has the salt "$1$12345678$", with
MD5-based hash (crypted passwords have the hash in front of them, which for
MD5 starts with $1$ and is 12 characters long)
Crypt-Password in the second example has the salt "12", with DES-based hash

See also:
http://freeradius.org/radiusd/man/rlm_pap.txt
http://en.wikipedia.org/wiki/Crypt_(Unix)#MD5-based_scheme
http://id.php.net/manual/en/function.crypt.php

-- 
Fajar
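
The point made in this thread, that a crypt(3) string carries its own salt while MD5-Password has none, as an added example (not code from the posters or from FreeRADIUS): a pure-Python parser and MD5-crypt check run against the attribute values quoted in the message above. The function names are made up for the illustration, and DES crypt is recognised but not re-implemented.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


class CryptFields(NamedTuple):
    scheme: str  # "md5-crypt" or "des-crypt"
    salt: str    # salt characters only, without the "$1$" marker
    digest: str  # encoded hash that follows the salt


def split_crypt(stored: str) -> CryptFields:
    """Split a crypt(3) string into scheme, salt and digest."""
    if stored.startswith("$1$"):
        salt, sep, digest = stored[3:].partition("$")
        if not sep or len(salt) > 8 or len(digest) != 22:
            raise ValueError("malformed $1$ string")
        return CryptFields("md5-crypt", salt, digest)
    if len(stored) == 13 and all(c in ITOA64 for c in stored):
        # Traditional DES crypt: the first two characters are the salt.
        return CryptFields("des-crypt", stored[:2], stored[2:])
    raise ValueError("unrecognised crypt format")


def _to64(value: int, count: int) -> str:
    """crypt's base-64 variant: 6 bits per character, low bits first."""
    chars = []
    for _ in range(count):
        chars.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)


def md5_crypt(password: str, salt: str) -> str:
    """MD5-based crypt ("$1$"), the scheme of the first Crypt-Password."""
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx.update((alt * (len(pw) // 16 + 1))[:len(pw)])
    n = len(pw)
    while n:
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000 rounds mixing password, salt, state
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    body = "".join(
        _to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order
    )
    return f"$1${salt}${body}{_to64(final[11], 2)}"


def check_password(candidate: str, attribute: str, stored: str) -> Optional[bool]:
    """True/False on match/mismatch; None for DES crypt (not implemented here)."""
    if attribute == "MD5-Password":
        # Unsalted: the stored value is just the hex MD5 of the password.
        calc = hashlib.md5(candidate.encode()).hexdigest()
        return hmac.compare_digest(calc, stored.lower())
    if attribute == "Crypt-Password":
        fields = split_crypt(stored)
        if fields.scheme != "md5-crypt":
            return None
        # The salt is read back out of the stored string itself.
        return hmac.compare_digest(md5_crypt(candidate, fields.salt), stored)
    raise ValueError(f"unsupported attribute {attribute}")


# Attribute values quoted in the message above.
PAGE_VALUES = [
    ("MD5-Password", "179ad45c6ce2cb97cf1029e212046e81"),
    ("Crypt-Password", "$1$12345678$duTc/02K9TK/XCYFyofbZ/"),
    ("Crypt-Password", "122U0BPYjrauc"),
]

if __name__ == "__main__":
    for attribute, stored in PAGE_VALUES:
        if attribute == "Crypt-Password":
            print(split_crypt(stored))
        print(attribute, stored, check_password("testpass", attribute, stored))
```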

Spaces in the end of User-Name.

2011-01-18 Thread admin

Hi!
What must I specify in the config file of freeradius2 so that, in each
request, before its further handling, spaces at the end of %{User-Name}
are automatically deleted?
The parameter nospace_user doesn't work. Not to start up users with spaces
in username doesn't approach.


Re: Help needed with user authentication

2011-01-18 Thread Johan Meiring

On 2011/01/19 04:24 AM, Luke Hammond wrote:

> Hey, I am new so sorry that I know nothing about Freeradius.
>
> Basically, I found a tutorial and followed it to get Freeradius2, Mysql and
> Daloradius working together.. that part is ok.
>
> But I am confused with this: I want to have a wireless network, that will be
> open, and when a user connects and tries to browse they get redirected to a
> page where they have to login, and that will talk to freeradius to make sure
> the user is authorised, then it will accept them and continue to where they
> were trying to browse to.. That's basically what I need, but how does
> Freeradius do that? Where is that page so I can edit it with my logo or
> whatever? Or do I need more software to have that login page?
>
> Please assist, am desperate here to get this working.. thanks in advance!

Try
coova.org/CoovaChilli

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: Call for 2.1.11

2011-01-18 Thread Johan Meiring

On 2011/01/18 03:58 PM, Alan DeKok wrote:

>    Anything else for 2.1.11?  It's been 5 months since 2.1.10.
>
>    I think the updfromto fixes should go in, if I can figure out how to
> make it work on Linux *and* other systems.

Hi,

I still think this might make a lot of questions go away.

http://lists.freeradius.org/pipermail/freeradius-users/2009-September/msg00357.html

Cheers,

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: Storing of salt in freeradius

2011-01-18 Thread Mark
Hi folks,

Been trying to look for information on this but haven't been able to find 
anything, prompting me to turn to the mailing list for help.

In the event of using salted md5 hashes for passwords, where exactly does one 
store the salt? There doesn't seem to be a place within the FR config  to do 
that. Any advice would be much appreciated.

Thanks in advance!

Kind regards,

Mark




Help needed with user authentication

2011-01-18 Thread Luke Hammond

Hey, I am new so sorry that I know nothing about Freeradius.

Basically, I found a tutorial and followed it to get Freeradius2, Mysql
and Daloradius working together.. that part is ok.

But I am confused with this:  I want to have a wireless network, that
will be open, and when a user connects and tries to browse they get
redirected to a page where they have to login, and that will talk to
freeradius to make sure the user is authorised, then it will accept them
and continue to where they were trying to browse to.. That's basically
what I need, but how does Freeradius do that? Where is that page so I
can edit it with my logo or whatever?  Or do I need more software to
have that login page?

Please assist, am desperate here to get this working.. thanks in advance!

Freeradius 2.1.10

2011-01-18 Thread Samuel Isaias Barriga Perez
Hi to all freeradius users:

I'm working on setting it up to authenticate users (Windows XP) to our
wireless network, which I successfully completed. When I run radiusd -X
(debug) my output is as follows:

rad_recv: Access-Request packet from host 172.16.x.x port 1029, id=13,
length=229
Message-Authenticator = 0x8fc8a30cc4c74e50a1bab260971c63d1
Service-Type = Framed-User
User-Name = "CAMINOSCA\\samuel.barriga"
Framed-MTU = 1488
State = 0x37f6879135fb9ef39d433a1d3d148b7b
Called-Station-Id = "00-1E-58-A3-C9-1C:FREERADIUS"
Calling-Station-Id = "00-11-95-DF-71-29"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020d00061900
NAS-IP-Address = 172.16.x.x
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default.original
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "CAMINOSCA\samuel.barriga", looking up realm
NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 13 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file
/usr/local/etc/raddb/sites-enabled/default.original
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 13 to 172.16.3.8 port 1029
EAP-Message = 0x010e00061900
Message-Authenticator = 0x
State = 0x37f6879134f89ef39d433a1d3d148b7b
Finished request 19.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 16 ID 10 with timestamp +252
Cleaning up request 17 ID 11 with timestamp +252
Cleaning up request 18 ID 12 with timestamp +252
Cleaning up request 19 ID 13 with timestamp +252
WARNING:
!!
WARNING: !! EAP session for state 0x37f6879134f89ef3 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!
Ready to process requests.

I tried everything, and according to the debug output this is what I am
getting. The wiki page said that I should check the certificates; I
erased the client certificates and reinstalled them, and I have the same
output. Please can someone give me a hand.

Thank you




Saludos cordiales,

Samuel I. Barriga
Dpto. Sistemas
EMAIL: samuel.barr...@caminosca-sa.com
Mariana de Jesús  E7 -248 y La Pradera
PBX:+ 593 2 2236759Ext. 215
Fax: + 593 2 2564193
www.caminosca.com

Re: Freeradiusd 2.1.8

2011-01-18 Thread Bjørn Mork
Brian Carpio  writes:

> I have a production environment which is running freeradiusd 2.1.8 and
> last night in the logs I see the following message
>
> Sat Jan  1 20:11:24 2011 : Error: Mon Jan 10 17:04:58 2011 : Info: Exiting 
> normally.
>
> No one was on the box doing anything... I was looking into this issue
> with google and came across a thread back in Nov 2009 about an issue a
> user was experiencing with radiusd 2.1.8,

2.1.8 was released Dec 30 2009.  But freeradius version numbers are
usually updated early in the development cycle.  The code discussed in
Nov 2009 was a development version between 2.1.7 and 2.1.8.

IIRC the issue discussed was fixed well before the 2.1.8 release.  2.1.8
was very stable.

> and this user sent some gdb dumps to the development team... I can't
> seem to recreate the issue as quickly as he does (plus my server is in
> production) but I didn't see any follow up if this is a known bug? Is
> this fixed in 2.1.10?

There are lots of fixes in 2.1.10, which has been as stable as 2.1.8 was
for us (2.1.9 was not...).  I would have upgraded before investing any
more time debugging the problem. Maybe even to current git, as 2.1.11 is
really close according to Alan DeKok.  It may not fix your problem, but
at least it will make your debugging useful to the developers. 2.1.8 is
getting sort of outdated.


Bjørn


Machine Authentication and Active Directory group lookups

2011-01-18 Thread Graham, Robert
Hello all,

I have FreeRadius v 2.1.10 installed and configured to authenticate
users against Active Directory using PEAP/MSChapV2 and perform Group
membership lookups via the ldap module so that I can configure radius
reply attributes to provide VLAN assignment and Dynamic ACLs.  All is
working extremely well, but one item that I would also like to get
working is the Machine Authentication.  Machine Authentication is
working with the exception of the ldap group lookup.  From what I can
tell, when the machine authenticates, the ntlm_auth knows that the
request is a Machine Authentication and appends the $ to the end of the
username for the sAMAccountName:


# Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[inner-eap] Request found, released from the list
[inner-eap] EAP/mschapv2
[inner-eap] processing type mschapv2
[mschapv2] # Executing group from file
/usr//etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/lab..com
[mschap] Told to do MS-CHAPv2 for host/lab..XXX with NT-Password
[mschap]expand: --username=%{mschap:User-Name:-None} ->
--username=lab$
[mschap]  mschap2: 78
[mschap] Creating challenge hash with username: host/lab..XXX
[mschap]expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=a9c34f78fae78fd0
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=961d047adaedc84346d00fcd2a0a67139ff4a95c9e13ae61
Exec-Program output: NT_KEY: 65891DD9BE6290D3EEB54D8EB6612EFF
Exec-Program-Wait: plaintext: NT_KEY: 65891DD9BE6290D3EEB54D8EB6612EFF
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success


Since I am using:

filter = "(&(sAMAccountName=%{mschap:User-Name}))" in the ldap module,
FreeRadius is trying to do a group lookup on: lab$ which is not found in
any Active Directory groups:

# Executing section post-auth from file
/usr//etc/raddb/sites-enabled/default
+- entering group post-auth {...}
  [ldap] Entering ldap_groupcmp()
[files] expand: ou=,dc=,dc=XXX -> ou=,dc=,dc=XXX
[files] expand: (&(sAMAccountName=%{mschap:User-Name})) ->
(&(sAMAccountName=lab$))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=,dc=,dc=XXX, with filter
(&(sAMAccountName=lab$))
  [ldap] object not found


Is it possible to remove the "$" from the sAMAccountName in the LDAP
module without breaking the User Authentication?

Thanks
Robert Graham




Freeradiusd 2.1.8

2011-01-18 Thread Brian Carpio
I have a production environment which is running freeradiusd 2.1.8 and last 
night in the logs I see the following message

Sat Jan  1 20:11:24 2011 : Error: Mon Jan 10 17:04:58 2011 : Info: Exiting 
normally.

No one was on the box doing anything... I was looking into this issue with
google and came across a thread back in Nov 2009 about an issue a user was
experiencing with radiusd 2.1.8, and this user sent some gdb dumps to the
development team... I can't seem to recreate the issue as quickly as he does
(plus my server is in production) but I didn't see any follow up if this is a
known bug? Is this fixed in 2.1.10?

Thanks,
Brian

Re: FreeRadius + Sql Server

2011-01-18 Thread Maiquel Consalter
exactly, Microsoft Sql Server. But  I'll read the doc.
Thanks Phil

2011/1/18 Phil Mayers 

> On 18/01/11 15:26, Maiquel Consalter wrote:
>
>> Thanks Phil,
>> I found this, http://it.reinhardt.edu/dave/radius-mssql-howto.html
>>
>
> Do you specifically mean Microsoft SQL server?
>
> Take a look at:
>
> raddb/sql/mssql.conf
>
> ...in newer versions of the server source code.
>
> The instructions you reference *may* work, or may not. There's a lot of bad
> FreeRadius info on the web, and we don't use Microsoft SQL so I can't verify
> them. Perhaps someone else can.
>



-- 
Att,
Maiquel

Re: FreeRadius + Sql Server

2011-01-18 Thread Phil Mayers

On 18/01/11 15:26, Maiquel Consalter wrote:
> Thanks Phil,
> I found this, http://it.reinhardt.edu/dave/radius-mssql-howto.html


Do you specifically mean Microsoft SQL server?

Take a look at:

raddb/sql/mssql.conf

...in newer versions of the server source code.

The instructions you reference *may* work, or may not. There's a lot of 
bad FreeRadius info on the web, and we don't use Microsoft SQL so I 
can't verify them. Perhaps someone else can.



Re: FreeRadius + Sql Server

2011-01-18 Thread Maiquel Consalter
Thanks Phil,
I found this, http://it.reinhardt.edu/dave/radius-mssql-howto.html
thanks :-)


2011/1/18 Phil Mayers 

> On 18/01/11 15:19, Maiquel Consalter wrote:
>
>> Hello I wonder if I have to implement freeradius + sql server. I tried
>> to find on google but not found.
>>
>
> There is a lot of documentation on this.
>
> Have you looked at:
>
> doc/rlm_sql
> raddb/sql.conf
> raddbl/sql/*
>
> ...and:
>
> http://wiki.freeradius.org/Rlm_sql



-- 
Att,
Maiquel

Re: FreeRadius + Sql Server

2011-01-18 Thread Phil Mayers

On 18/01/11 15:19, Maiquel Consalter wrote:
> Hello I wonder if I have to implement freeradius + sql server. I tried
> to find on google but not found.


There is a lot of documentation on this.

Have you looked at:

doc/rlm_sql
raddb/sql.conf
raddbl/sql/*

...and:

http://wiki.freeradius.org/Rlm_sql


Re: modules directory

2011-01-18 Thread Phil Mayers

On 18/01/11 14:45, Christ Schlacta wrote:
> that does help.  can the first instance be named as well, or must there

Yes

> always be an unnamed instance?

I don't think so.


FreeRadius + Sql Server

2011-01-18 Thread Maiquel Consalter
  Hello I wonder if I have to implement freeradius + sql server. I tried to
find on google but not found.
Could someone help me?

Thanks.

-- 
Att,
Maiquel

Re: Sub-TLV's

2011-01-18 Thread Alan DeKok
David Peterson wrote:
> OK figured out the "Stable" thing and have it compiled and running.  I like
> the changes in the dictionary.wimax file, but one question.  How can I  add
> the following:
> 
> To:  ATTRIBUTE WiMAX-Packet-Flow-Descriptor 28 tlv: (note that the
> numbering is per the previous dictionary.wimax)
> 
> 
> ATTRIBUTE WiMAX-Classifier            11  tlv

  Use "28.11" instead of "11", because it's a nested TLV.

> BEGIN-TLV WiMAX-Classifier

  Delete that.

> ATTRIBUTE WiMAX-ClassifierID          1   integer

  Similarly, use "28.11.1" instead of "1".

> ATTRIBUTE WiMAX-Classifer-Priority    2   integer
> ATTRIBUTE WiMAX-Classifer-Protocol    3   integer
> ATTRIBUTE WiMAX-Classifer-Direction   4   byte

  And so on... "28.11.*"

> VALUE WiMAX-Classifer-Direction   Reserved-0      0

  These are based on names, and don't need to be changed.

> VALUE WiMAX-Classifer-Direction   IN              1
> VALUE WiMAX-Classifer-Direction   OUT             2
> VALUE WiMAX-Classifer-Direction   Bi-Directional  3
> VALUE WiMAX-Classifer-Direction   FF              4
> 
> ATTRIBUTE WiMAX-Source-Specification  5   tlv

  Again "28.11.5"

> BEGIN-TLV WiMAX-Source-Specification

  Delete that.

> ATTRIBUTE WiMAX-Source-IPAddress      1   ipaddr

  And use "28.11.5.1" instead of "5".  Isn't this fun?

> Or would I add the attributes  at the end of the file.

  Add them anywhere.  If you use the "dotted number" notation, you don't
need begin/end TLVs.

  Alan DeKok.
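
The renumbering described in the reply above, as an added example (not part of the original message and not FreeRADIUS code): a small converter that drops the BEGIN-TLV/END-TLV lines and rewrites each nested ATTRIBUTE number in dotted form. The function name and the shortened sample dictionary are constructed for the illustration; the parent number 28 is the WiMAX-Packet-Flow-Descriptor number given in the thread.

```python
from typing import Dict, Iterable, List, Tuple


def to_dotted(lines: Iterable[str], parent: str) -> Tuple[List[str], Dict[str, str]]:
    """Rewrite BEGIN-TLV/END-TLV nesting as dotted attribute numbers.

    `parent` is the number of the enclosing TLV attribute ("28" in the thread).
    Returns the rewritten lines and a name -> dotted-number map.
    """
    prefix = [parent]          # dotted number of each TLV we are inside
    open_tlvs: List[str] = []  # names of the BEGIN-TLV blocks still open
    numbers: Dict[str, str] = {}
    out: List[str] = []
    for lineno, raw in enumerate(lines, 1):
        fields = raw.split()
        keyword = fields[0] if fields else ""
        if keyword == "ATTRIBUTE":
            if len(fields) != 4:
                raise ValueError(f"line {lineno}: expected name, number, type")
            _, name, number, ftype = fields
            numbers[name] = f"{prefix[-1]}.{number}"
            out.append(f"ATTRIBUTE {name} {numbers[name]} {ftype}")
        elif keyword == "BEGIN-TLV":
            if len(fields) != 2 or fields[1] not in numbers:
                raise ValueError(f"line {lineno}: BEGIN-TLV for undefined attribute")
            prefix.append(numbers[fields[1]])
            open_tlvs.append(fields[1])
        elif keyword == "END-TLV":
            if not open_tlvs or fields[1:] != [open_tlvs[-1]]:
                raise ValueError(f"line {lineno}: END-TLV does not match BEGIN-TLV")
            prefix.pop()
            open_tlvs.pop()
        else:
            out.append(raw)    # VALUE lines, comments and blanks are name-based
    if open_tlvs:
        raise ValueError(f"unclosed BEGIN-TLV {open_tlvs[-1]}")
    return out, numbers


# Constructed sample: a shortened form of the nested listing from the thread.
SAMPLE = """\
ATTRIBUTE WiMAX-Classifier 11 tlv
BEGIN-TLV WiMAX-Classifier
ATTRIBUTE WiMAX-ClassifierID 1 integer
ATTRIBUTE WiMAX-Classifer-Direction 4 byte
VALUE WiMAX-Classifer-Direction IN 1
VALUE WiMAX-Classifer-Direction OUT 2
ATTRIBUTE WiMAX-Source-Specification 5 tlv
BEGIN-TLV WiMAX-Source-Specification
ATTRIBUTE WiMAX-Source-IPAddress 1 ipaddr
END-TLV WiMAX-Source-Specification
ATTRIBUTE WiMAX-VLAN-ID 8 integer
END-TLV WiMAX-Classifier
""".splitlines()

if __name__ == "__main__":
    converted, _ = to_dotted(SAMPLE, "28")
    print("\n".join(converted))
```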


Re: modules directory

2011-01-18 Thread Christ Schlacta
that does help.  can the first instance be named as well, or must there 
always be an unnamed instance?


On 1/17/2011 22:06, Johan Meiring wrote:
> On 2011/01/17 10:37 PM, Christ Schlacta wrote:
>
>> one more question: can there be multiples of ANY module specified? for
>> example, can I use two different ldap or sql modules if I were to need to
>> (just as a bad example, I propose: 1 radius server, 2 wlans with different
>> user bases that can't be merged into one directory for whatever reasons).
>
> The first instance of a module is defined (and called) using the module name
>
> e.g.
>
> Definition:
> checkval {
> item =
>
> }
>
> Calling the module:
> checkval
>
>
> The second instance is "named" and called using the "name"
>
> Definition:
> checkval blah {
> item = ...
>
> }
>
> Calling the module:
> blah
>
>
> Hope that helps.







RE: Sub-TLV's

2011-01-18 Thread David Peterson
OK figured out the "Stable" thing and have it compiled and running.  I like
the changes in the dictionary.wimax file, but one question.  How can I  add
the following:

To:  ATTRIBUTE  WiMAX-Packet-Flow-Descriptor 28 tlv: (note that the
numbering is per the previous dictionary.wimax)


ATTRIBUTE   WiMAX-Classifier                    11  tlv

BEGIN-TLV   WiMAX-Classifier
ATTRIBUTE   WiMAX-ClassifierID                  1   integer
ATTRIBUTE   WiMAX-Classifer-Priority            2   integer
ATTRIBUTE   WiMAX-Classifer-Protocol            3   integer
ATTRIBUTE   WiMAX-Classifer-Direction           4   byte

VALUE   WiMAX-Classifer-Direction   Reserved-0      0
VALUE   WiMAX-Classifer-Direction   IN              1
VALUE   WiMAX-Classifer-Direction   OUT             2
VALUE   WiMAX-Classifer-Direction   Bi-Directional  3
VALUE   WiMAX-Classifer-Direction   FF              4

ATTRIBUTE   WiMAX-Source-Specification          5   tlv

BEGIN-TLV   WiMAX-Source-Specification
ATTRIBUTE   WiMAX-Source-IPAddress              1   ipaddr
ATTRIBUTE   WiMAX-Source-IPAddressRange         2   combo-ip
ATTRIBUTE   WiMAX-Source-IPAddressMask          3   octets
ATTRIBUTE   WiMAX-Source-Port                   4   octets
ATTRIBUTE   WiMAX-Source-Port-Range             5   octets
ATTRIBUTE   WiMAX-Source-Inverted               6   octets
ATTRIBUTE   WiMAX-Source-Assigned               7   octets
END-TLV     WiMAX-Source-Specification

ATTRIBUTE   WiMAX-Destination-Specification     6   tlv

BEGIN-TLV   WiMAX-Destination-Specification
ATTRIBUTE   WiMAX-Destination-IPAddress         1   ipaddr
ATTRIBUTE   WiMAX-Destination-IPAddressRange    2   combo-ip
ATTRIBUTE   WiMAX-Destination-IPAddressMask     3   octets
ATTRIBUTE   WiMAX-Destination-Port              4   octets
ATTRIBUTE   WiMAX-Destination-Port-Range        5   octets
ATTRIBUTE   WiMAX-Destination-Inverted          6   octets
ATTRIBUTE   WiMAX-Destination-Assigned          7   octets
END-TLV     WiMAX-Destination-Specification

ATTRIBUTE   WiMAX-IP-TOS/DSCP-Range-and-Mask    7   octets
ATTRIBUTE   WiMAX-VLAN-ID                       8   integer
ATTRIBUTE   WiMAX-802.1p                        9   octets

END-TLV     WiMAX-Classifier


Or would I add the attributes  at the end of the file.

David

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: Monday, January 17, 2011 12:52 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Sub-TLV's

David Peterson wrote:
> OK that makes sense.  I am using the "Master" branch per the git 
> instructions.

  Uh... no.  My email said the "stable" branch.

  I'll get around to fixing the web page and/or git in the next while.

  Alan DeKok.



Call for 2.1.11

2011-01-18 Thread Alan DeKok
  Anything else for 2.1.11?  It's been 5 months since 2.1.10.

  I think the updfromto fixes should go in, if I can figure out how to
make it work on Linux *and* other systems.

  Alan DeKok.


Re: freeradius 2.1.10 with oracle instantclient11.2

2011-01-18 Thread Alan DeKok
Alexandre wrote:
> Oops the patch is indeed bad.
> A bad copy/paste inserted a line break which messes it up: here is a good
> one attached.
> sorry for that (unfortunately this won't resolve your issue with
> libtool/autoconf or whatever).

  Added, thanks.

  Alan DeKok.


Re: cleaning house on radius server?

2011-01-18 Thread Josip Rodin
On Mon, Jan 17, 2011 at 12:36:54PM -0800, Christ Schlacta wrote:
> I've got a radius server up and running, and I want to clean up my  
> configuration as much as possible.  is it a safe assumption that if I  
> remove a file (actually move it out of the way) and attempt to  
> authenticate a client that if the client can successfully authenticate  
> that everything is working?  is it also safe to assume that any file  
> with no uncommented lines is also safe to remove?  I'm most interested  
> in removing the SQL directories and all the unused modules in the  
> modules directory.

It is perfectly possible to weed out everything that is not needed - but to
determine what is not needed simply by ad hoc testing wouldn't necessarily
be possible, because there's always the possibility that you wouldn't be
testing some missing parts of the configuration that are tested by some
other process.

People seem to have thrown around a fair bit of FUD in this thread, but
that's probably because your proposed method seems so shaky.

An example for the "removal" of SQL directories is in the Debian FR packages
where the SQL bits are split out in several separate packages. So e.g.
people who don't install freeradius-mysql also don't get the module's .so
files or configuration fragments, at all.

Yet, we never weeded out other modules and settings because the overhead
seemed negligible - the amount of extra libraries or instantiation work for
most modules is not considerable.

So if you really need to fit FR e.g. into an embedded environment, and you
have your use cases very well defined, it might make sense to bother.
Otherwise, there are probably more worthwhile things to do :)

-- 
 2. That which causes joy or happiness.


Re: cleaning house on radius server?

2011-01-18 Thread Alan DeKok
Alexander Clouter wrote:
> I would recommend you either put your configuration in some revision 
> control system or alternatively accept that Mr DeKok knows what he is 
> doing and thus not straying far from the 'Path of Light' is a Good 
> Idea(tm).

  I don't think we can put *that* in the documentation.

  What we can say is "sure, go ahead and butcher the configuration.  But
if it breaks, don't ask for help on the list, because everyone will tell
you that it's *your* fault".

> This means that when you come to upgrading your FreeRADIUS installation, 
> you are applying a diff/patch file rather than trying to work everything 
> out from scratch.  You can also trivially see what you have been 
> changing.

  Or use revision control on the files.  It's *so* much easier.

  Alan DeKok.


Re: acc:acc_aaa_request: failed to add Contact, 17

2011-01-18 Thread Alan DeKok
happyeveryday1025 wrote:
> Hello:
> When I am doing accounting with
> opensips1.6.4+freeradius2.1.10+radiusclient0.5.6, I meet the following error:
> acc:acc_aaa_request: failed to add Contact, 17
> I know I need to define the attribute "Contact" in the dictionary file
> "dictionary.opensips", but I can not find the value and type of the
> attribute "contact". Can anyone tell me the value and types of the
> attribute? Thanks a lot.

  Ask the OpenSIPS people.  The error message is produced from their
software, not from FreeRADIUS.

  Alan DeKok.


Authcustom/authpipe on courier

2011-01-18 Thread Philley Kalisha Mandiza

Hi,

Am new to courier, but I want to set up a courier mail server where I would
like to use the authpipe program for authentication. I have never done this
before and I don't know how to go about this. I want to authenticate users
from a different file, not /etc/passwd and not mysql. Anyone with help,

Philly

