Re: reset sql counter every 30 minute

2011-01-27 Thread Bishal Pun
You can use Session-Timeout attribute in your radreply sql table like:

+-----+----------+-----------------+----+-------+
| id  | UserName | Attribute       | op | Value |
+-----+----------+-----------------+----+-------+
| 257 | test     | Session-Timeout | := | 1800  |
+-----+----------+-----------------+----+-------+


Regards
Bishal

On Thu, Jan 27, 2011 at 1:34 PM, piston  wrote:

> Hi
>
> Is it possible to reset the SQL counter every 30 minutes?
>
> Basically, I need to give the user free access for 20 minutes; after 20 minutes
> the NAS will log out the user.
>
> And the user is allowed to log in again after 30 minutes.
>
> Thanks
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radius authentication problem.

2011-01-27 Thread Alan Buxey
Hi,

>"vijay"    Auth-Type := Local, Cleartext-Password == "123qwe",
            ^ 1                                    ^ 2


1 is wrong; you don't need it.

2 is wrong: the operator should be :=, not ==.

>Above mentioned is my configuration. When I try to connect the client with SSH,
>it is not sending a request to authenticate the user to the RADIUS server.

tcpdump, radiusd -X debug, etc.? Is the server running?

alan


Treating octets as string

2011-01-27 Thread Brian Candler
In an accounting server, I would like to be able to parse the Class
attribute with a regexp to pull parts out.  However the standard dictionary
defines it as 'octets' which makes it hard to parse - and I'd like to avoid
modifying the dictionary if possible.

Copying it to a 'string' attribute doesn't help, because it gets
hex-expanded at that point. e.g.

Reply-Message := "%{Class}"
}

gives

Class = 0x466f6f7c426172
Reply-Message = "0x466f6f7c426172"

I notice that recently a %{integer:...} expansion was added. Is there
perhaps a case for a corresponding %{string:...} expansion? Or is there a
better way to do this?

Thanks,

Brian.


Re: Treating octets as string

2011-01-27 Thread Eddie Stassen
Just add the line:

ATTRIBUTE   Class   25  string

to the end of raddb/dictionary.  It will override the type defined in
the standard dictionaries, which you may not want to fiddle with too
much.


On Thu, Jan 27, 2011 at 2:45 PM, Brian Candler  wrote:
> In an accounting server, I would like to be able to parse the Class
> attribute with a regexp to pull parts out.  However the standard dictionary
> defines it as 'octets' which makes it hard to parse - and I'd like to avoid
> modifying the dictionary if possible.
>
> Copying it to a 'string' attribute doesn't help, because it gets
> hex-expanded at that point. e.g.
>
>        Reply-Message := "%{Class}"
>        }
>
> gives
>
>        Class = 0x466f6f7c426172
>        Reply-Message = "0x466f6f7c426172"
>
> I notice that recently a %{integer:...} expansion was added. Is there
> perhaps a case for a corresponding %{string:...} expansion? Or is there a
> better way to do this?
>
> Thanks,
>
> Brian.


Re: Treating octets as string

2011-01-27 Thread Alan DeKok
Brian Candler wrote:
> I notice that recently a %{integer:...} expansion was added. Is there
> perhaps a case for a corresponding %{string:...} expansion?

  Yes.

  Editing the dictionaries is not recommended, as it can have additional
side effects.  Adding %{string:Class} is pretty specific.

  Alan DeKok.
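An accounting script or log parser that receives the 0x... form has to undo that encoding before a regexp will match anything. Below is an added example, not code from this thread or from FreeRADIUS: it decodes the hex expansion, refuses values that are not printable ASCII (RFC 2865 defines Class as opaque data chosen by the server which the NAS returns unchanged, so anything arriving in an accounting packet is untrusted input and should be validated before it reaches a regexp), and then pulls fields out with a named-group regular expression. The "site|plan" layout, the field names and the constants are assumptions for the demonstration; the sample value is the one quoted above, which decodes to b"Foo|Bar".

```python
import re
from typing import Optional

# Constructed sample: the value quoted in the thread, which is the bytes b"Foo|Bar"
# once the 0x hex expansion FreeRADIUS applies to 'octets' attributes is undone.
SAMPLE_CLASS = "0x466f6f7c426172"

# Well-formed expansion: "0x" followed by whole bytes only (even number of hex digits).
_HEX_RE = re.compile(r"^0x(?:[0-9a-fA-F]{2})+$")

# Assumed layout for this demonstration: "<site>|<plan>".  The page defines no
# layout for Class; substitute whatever the server that issued it actually uses.
_CLASS_RE = re.compile(r"^(?P<site>[A-Za-z0-9_-]+)\|(?P<plan>[A-Za-z0-9_-]+)$")


def octets_to_text(value: str) -> Optional[str]:
    """Undo the 0x... expansion of an 'octets' attribute.

    Returns the decoded text, or None if the value is not a well-formed hex
    expansion or the bytes are not printable ASCII.  Class is opaque data the
    NAS merely echoes back, so it is validated here rather than trusted.
    """
    if not _HEX_RE.match(value):
        return None
    raw = bytes.fromhex(value[2:])
    # Reject control characters and anything outside 7-bit ASCII instead of
    # guessing an encoding for bytes that were never meant to be text.
    if any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def parse_class(value: str) -> Optional[dict]:
    """Decode a Class value and split it into named fields.

    Returns a dict of the named groups, or None when the value does not decode
    or does not match the assumed layout.
    """
    text = octets_to_text(value)
    if text is None:
        return None
    match = _CLASS_RE.match(text)
    return match.groupdict() if match else None


if __name__ == "__main__":
    print(octets_to_text(SAMPLE_CLASS))  # Foo|Bar
    print(parse_class(SAMPLE_CLASS))     # {'site': 'Foo', 'plan': 'Bar'}
```

Returning None rather than raising keeps a malformed or binary Class from aborting an accounting run; the caller decides whether an undecodable value is worth logging.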


RE: Python module/program

2011-01-27 Thread McCann, Brian
The python module is currently catching NO exceptions.  There are no try/except 
blocks.  Right now I just have the module simply printing something and 
returning "OK" for everything...just as a proof of concept.

Thanks though,
--Brian

From: freeradius-users-bounces+bmccann=andmore@lists.freeradius.org 
[mailto:freeradius-users-bounces+bmccann=andmore@lists.freeradius.org] On 
Behalf Of Terry Simons
Sent: Wednesday, January 26, 2011 6:07 PM
To: FreeRadius users mailing list
Subject: Re: Python module/program

Is the python module catching all exceptions?

You need to make sure you don't mask out the KeyboardInterrupt exception... 
otherwise, you may prevent Control-C from being passed up the stack.

I'm not sure if that's your issue, but it sounds like it could be.  It's 
considered a Python best practice to explicitly catch the exact exceptions that 
you know how to handle, and let exceptions that you're not going to handle 
directly trickle up.

That is to say that you should never do something like:

try:
    ...
except:
    ...

because you *will* end up masking things like KeyboardInterrupt.

You should always do something like:

try:
    ...
except TheExceptionClass:
    ...

HTH,

- Terry

On Wed, Jan 26, 2011 at 2:47 PM, McCann, Brian <bmcc...@andmore.com> wrote:
Hi all.  I've got freeradius working using a python library for auth, but 
something interesting happened when I did.  When I run "radius -X", and press 
CTRL+C, it no longer exits.  It just returns "Ready to process requests.".  The 
PID doesn't change, so it's not like it's exiting and restarting.

I looked at http://wiki.freeradius.org/Rlm_perl (yes...I know...perl != python, 
but as the python page doesn't say much, I'm going on the perl page for a 
starting point) and it doesn't look like the script has to do anything to 
handle exits.  Does anyone know what I'm missing?

Thanks,
--Brian

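Terry's point about bare except clauses, as an added example that is not code from the thread or from rlm_python: two stand-ins for an authorize hook, one written the way he warns against and one catching only the exception it knows how to handle. In Python 3, KeyboardInterrupt and SystemExit derive from BaseException rather than Exception, so a bare except: swallows them while a narrower clause lets them propagate to whatever embeds the interpreter. The return-code names, the hook signature and the BackendError class are assumptions made for the demonstration.

```python
from typing import Callable, Tuple

# Stand-ins for module return codes.  The real names and values belong to
# rlm_python's API and are not taken from the page.
RLM_MODULE_OK = 0
RLM_MODULE_FAIL = 1


class BackendError(Exception):
    """An error the hook knows how to handle, e.g. the user store is unreachable."""


def authorize_masks_everything(lookup: Callable[[], object]) -> int:
    """The form Terry warns against.

    A bare 'except:' catches BaseException, which includes KeyboardInterrupt
    and SystemExit, so a Control-C delivered while this hook runs is turned
    into an ordinary failure return and never reaches the host process.
    """
    try:
        lookup()
        return RLM_MODULE_OK
    except:  # noqa: E722 -- deliberately the bad form
        return RLM_MODULE_FAIL


def authorize_handles_known(lookup: Callable[[], object]) -> int:
    """Catch only what this hook can actually handle.

    BackendError is dealt with here; everything else propagates.  In Python 3
    KeyboardInterrupt derives from BaseException, not Exception, so even a
    broad 'except Exception:' would let it through; naming the class is
    tighter still.
    """
    try:
        lookup()
        return RLM_MODULE_OK
    except BackendError:
        return RLM_MODULE_FAIL


def run_with(hook: Callable[[Callable[[], object]], int],
             exc: BaseException) -> Tuple[str, object]:
    """Drive a hook with a lookup that raises `exc` and report what escaped.

    Returns ("returned", code) if the hook swallowed the exception, or
    ("raised", class_name) if it propagated out of the hook.
    """
    def failing_lookup() -> object:
        raise exc

    try:
        return ("returned", hook(failing_lookup))
    except BaseException as escaped:  # the harness itself must observe everything
        return ("raised", type(escaped).__name__)


if __name__ == "__main__":
    print(run_with(authorize_masks_everything, KeyboardInterrupt()))  # ('returned', 1)
    print(run_with(authorize_handles_known, KeyboardInterrupt()))     # ('raised', 'KeyboardInterrupt')
```

The harness catches BaseException on purpose: it is the one place where observing everything is correct, because its job is to report, not to handle.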

Re: Python module/program

2011-01-27 Thread Alan DeKok
McCann, Brian wrote:
> The python module is currently catching NO exceptions.  There are no
> try/except blocks.  Right now I just have the module simply printing
> something and returning “OK” for everything…just as a proof of concept.

  IIRC, the python libraries do trap signals, for a variety of reasons.

  If nothing else, having CTRL-C stop working when you add Python is
pretty definitive.

  Alan DeKok.

radius.log records individual client IP. Possible??

2011-01-27 Thread Difan Zhao
Hi experts,

I'm wondering if it's possible for the radius.log file to show the NAS IP 
instead of the "client" name (which is IP range in my case).

Currently the log looks like:
Thu Jan 27 11:53:15 2011 : Auth: Login incorrect: [08000f513f60/08000f513f60] 
(from client 10.143.115.0/24 port 50303 cli 08-00-0F-51-3F-60)

It'd be ideal if it could show the IP of the NAS where the request is coming 
from. I know I could configure the client file to have an individual IP for each 
client instead of the entire subnet. However, I'm just wondering if there is an easy 
"switch" to turn it on, lol.

Thanks!


Difan Zhao, M.Eng
Network Engineer
Guest-Tek Interactive Entertainment Inc.

Email: difan.z...@guest-tek.com
Office: +1 (403) 509 1010 ext 3048
Cell: +1 (403) 689 7514
www.guest-tek.com


Re: radius.log records individual client IP. Possible??

2011-01-27 Thread Alan DeKok
Difan Zhao wrote:
> I’m wondering if it’s possible for the radius.log file to show the NAS
> IP instead of the “client” name (which is IP range in my case).

  Read radiusd.conf, look for msg_goodpass

  Alan DeKok.

Rejecting EAP-TLS based on cert Subject field

2011-01-27 Thread Matt Garretson
For years, we've been doing simple EAP-TLS with various versions of
FreeRADIUS.  Now, a new requirement has come down to me such that radius
will have to reject certain valid client certs based on a string in the
Subject field of the client cert.

I've met this need (using 2.1.11 from git) with a simple bit of unlang
in post-auth{}:

 if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) {
   reject
 }

It works, but there are two non-ideal things about the way it works:

 1) Windows XP doesn't seem to notice the rejection and keeps retrying
for a minute or two, ultimately failing to show any failure/error
message to the user.

 2) The rejection is not logged in radiusd.log; rather, three "Auth:
Login OK" lines are logged (the repetition is due to XP's retries)

Is there any way I can address these two issues?  I did try putting the
above unlang into eap.conf's tls{} section (where check_cert_issuer and
check_cert_cn would be), in hopes that the rejection would occur during
the auth rather than after it, but the code doesn't seem to have any
effect there.

Thanks in advance for any clues...
-Matt


Re: Rejecting EAP-TLS based on cert Subject field

2011-01-27 Thread Alan Buxey
hi,

you are authenticating...and then rejecting in the post-auth
stage.   you really need to break the process in the authentication
stage.

alan


Re: Rejecting EAP-TLS based on cert Subject field

2011-01-27 Thread Matt Garretson
On 1/27/2011 1:14 PM, Alan Buxey wrote:
> you are authenticating...and then rejecting in the post-auth
> stage.   you really need to break the process in the authentication
> stage.



Thanks.  That's actually my goal.  But unlang isn't allowed in
authenticate{}, and my attempts to sneak it into the authentication
phase via the tls{} section in eap.conf didn't seem to work.

Any other ways to do it?

I'd thought of using rlm_perl, but couldn't see that the cert fields are
passed to the module.

Thanks,
-Matt


Re: Rejecting EAP-TLS based on cert Subject field

2011-01-27 Thread Phil Mayers

On 01/27/2011 06:04 PM, Matt Garretson wrote:

> For years, we've been doing simple EAP-TLS with various versions of
> FreeRADIUS.  Now, a new requirement has come down to me such that radius
> will have to reject certain valid client certs based on a string in the
> Subject field of the client cert.
>
> I've met this need (using 2.1.11 from git) with a simple bit of unlang
> in post-auth{}:
>
>   if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) {
>     reject
>   }

Just put this in the "authorize" section? If it's early in the EAP 
conversation, TLS-Client-* won't be set so won't match, meaning this 
will succeed as soon as you get that far.

> It works, but there are two non-ideal things about the way it works:
>
>   1) Windows XP doesn't seem to notice the rejection and keeps retrying
> for a minute or two, ultimately failing to show any failure/error
> message to the user.
>
>   2) The rejection is not logged in radiusd.log; rather, three "Auth:
> Login OK" lines are logged (the repetition is due to XP's retries)
>
> Is there any way I can address these two issues?  I did try putting the
> above unlang into eap.conf's tls{} section (where check_cert_issuer and
> check_cert_cn would be), in hopes that the rejection would occur during
> the auth rather than after it, but the code doesn't seem to have any
> effect there.

Correct. Unlang is only processed in authorize-like steps, not arbitrary 
bits of the config.


Re: reset sql counter every 30 minute

2011-01-27 Thread Christ Schlacta

On 1/26/2011 23:49, piston wrote:

> Hi
>
> Is it possible to reset the SQL counter every 30 minutes?
>
> Basically, I need to give the user free access for 20 minutes; after 20 
> minutes the NAS will log out the user.
>
> And the user is allowed to log in again after 30 minutes.
>
> Thanks

If nothing else, you could use a script to fire an at command or cron job 
for "30 minutes from now".

Re: Rejecting EAP-TLS based on cert Subject field

2011-01-27 Thread Matt Garretson
On 1/27/2011 1:24 PM, Matt Garretson wrote:
> Thanks.  That's actually my goal.  But unlang isn't allowed in
> authenticate{}, and my attempts to sneak it into the authentication
> phase via the tls{} section in eap.conf didn't seem to work.
> Any other ways to do it?


Replying to myself here: I got a bit closer to my goal by putting 
this in the verify{} subsection of tls{}:

  tmpdir = /tmp/radiusd
  client = "/usr/local/bin/checkcert  %{TLS-Client-Cert-Filename}"

Where /usr/local/bin/checkcert contains:

  #!/bin/sh
  # $1 is the client certificate file rlm_eap_tls writes to tmpdir
  # (%{TLS-Client-Cert-Filename}); a non-zero exit status fails verification.
  if /usr/bin/openssl x509 -in "$1" -noout -text | \
     /bin/grep -q " Subject:.* OU=Evil," ; then
      RC=1
  else
      RC=0
  fi
  exit $RC

The XP client still tries three times (duh), but at least radius.log reflects 
a failure:

  Error: TLS_accept: error in SSLv3 read client certificate B
  Error: rlm_eap: SSL error error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
  Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
  Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [snip]

Still, it would be nice if I could use unlang (or something) to match against
%{TLS-Client-Cert-Subject} during the authenticate stage somehow.  Is there
a way that I'm missing?

Thanks,
-Matt
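Both matchers in this thread are substring tests: the unlang regex /OU=Evil/ is unanchored, so a subject with OU=Evildoers also matches it, and the grep in checkcert insists on a comma after the value, so a certificate whose OU happens to be the last component of the Subject line slips past. The following is an added example, not code from the thread or from FreeRADIUS, that parses the subject into its RDNs and compares the OU value whole. It accepts both the one-line "/C=.../OU=.../CN=..." form (assumed here to be what TLS-Client-Cert-Subject carries) and the "Subject: C=US, O=..., CN=..." line from openssl x509 -text. The sample subjects are constructed, and the parser assumes attribute values contain neither "/" nor ", "; a subject that does needs a real X.509 parser rather than string splitting.

```python
import re
from typing import List, Tuple

Rdn = Tuple[str, str]

# Constructed sample subjects for the demonstration (not from any real certificate).
ONELINE_EVIL = "/C=US/O=Example Corp/OU=Evil/CN=eviluser"
ONELINE_LOOKALIKE = "/C=US/O=Example Corp/OU=Evildoers Research/CN=alice"
TEXT_OU_LAST = "        Subject: C=US, O=Example Corp, CN=eviluser, OU=Evil"


def parse_subject(subject: str) -> List[Rdn]:
    """Split a certificate subject into (type, value) pairs.

    Accepts the OpenSSL one-line form "/C=US/O=.../CN=..." (assumed here to be
    what TLS-Client-Cert-Subject carries) and the "Subject: C=US, O=..., CN=..."
    line printed by 'openssl x509 -text', which the checkcert script greps.
    Assumption: values do not themselves contain the separator ('/' or ', ').
    """
    s = subject.strip()
    if s.startswith("Subject:"):
        parts = s[len("Subject:"):].strip().split(", ")
    elif s.startswith("/"):
        parts = s[1:].split("/")
    else:
        raise ValueError("unrecognised subject format: %r" % subject)
    rdns: List[Rdn] = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        rdn_type, value = part.split("=", 1)
        rdns.append((rdn_type.strip(), value.strip()))
    return rdns


def has_rdn(subject: str, rdn_type: str, value: str) -> bool:
    """True only if some RDN of the given type has exactly this value."""
    return any(t == rdn_type and v == value for t, v in parse_subject(subject))


def unlang_style_match(subject: str) -> bool:
    """The unanchored regex from the post-auth snippet, for comparison."""
    return re.search(r"OU=Evil", subject) is not None


def grep_style_match(text_line: str) -> bool:
    """The ' OU=Evil,' pattern from the checkcert script, for comparison."""
    return re.search(r" Subject:.* OU=Evil,", text_line) is not None


if __name__ == "__main__":
    for subj in (ONELINE_EVIL, ONELINE_LOOKALIKE):
        print(subj, "exact:", has_rdn(subj, "OU", "Evil"),
              "regex:", unlang_style_match(subj))
```

Comparing the whole RDN value is what makes the check usable as a deny list: a name chosen to contain the forbidden string as a prefix no longer trips it, and a certificate that carries the forbidden OU anywhere in its subject no longer escapes it.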


Re: Rejecting EAP-TLS based on cert Subject field

2011-01-27 Thread Matt Garretson
On 1/27/2011 3:41 PM, Matt Garretson wrote:
> The XP client still tries three times (duh), but at least radius.log reflects 
> a failure:
> 
>   Error: TLS_accept: error in SSLv3 read client certificate B
>   Error: rlm_eap: SSL error error:140890B2:SSL 
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>   Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
>   Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [snip]


*sigh*  I left out the first (and most useful) logging line in the above:

  Auth: rlm_eap_tls: Certificate CN (eviluser) fails external verification!

So, again, it's better than what I'd had before, but not as elegant as I 
was hoping.


Freeradius SQL: PEAP: Tunneled authentication was rejected.

2011-01-27 Thread chris

Hi,
I set up FreeRADIUS with EAP/PEAP and the users file, and that works fine.

Now I have set up an SQL database. I can use radtest or radeapclient to check
the user and password in the database and it works fine, but if I try to
connect to FreeRADIUS the request is rejected and I have no idea why.

So if you can give me some hints, you are welcome...

Here the reject:
PEAP: Tunneled authentication was rejected. 


Here the full debug log:

rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=0,
length=194
Message-Authenticator = 0x6462a3c080bc0ee0af1d99a080b2d335
Service-Type = Framed-User
User-Name = "sqluser"
Framed-MTU = 1488
Called-Station-Id = "F0-7D-68-17-D4-39:dlink"
Calling-Station-Id = "00-18-DE-E1-85-89"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020c0173716c75736572
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
expand: %{User-Name} -> sqluser
rlm_sql (sql): sql_set_user escaped user --> 'sqluser'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'sqluser'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'sqluser'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'sqluser'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'sqluser'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'sqluser'   ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup   WHERE username = 'sqluser'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.0.50 port 1037
EAP-Message = 0x01010016041056977865b8f38f672c99a5c049338698
Message-Authenticator = 0x
State = 0xeff176eaeff0727198f0e801bd7f42f1
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=1,
length=206
Message-Authenticator = 0x97148f06ecd1d47d289947214042b441
Service-Type = Framed-User
User-Name = "sqluser"
Framed-MTU = 1488
State = 0xeff176eaeff0727198f0e801bd7f42f1
Called-Station-Id = "F0-7D-68-17-D4-39:dlink"
Calling-Station-Id = "00-18-DE-E1-85-89"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020100060319
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
expand: %{User-Name} -> sqluser
rlm_sql (sql): sql_set_user escaped user --> 'sqluser'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER
BY id -> SELECT id, username, attribute, value, op   FROM radche

Re: Rejecting EAP-TLS based on cert Subject field

2011-01-27 Thread Matt Garretson
On 1/27/2011 3:03 PM, Phil Mayers wrote:
>> I've met this need (using 2.1.11 from git) with a simple bit of unlang
>> in post-auth{}:
>>   if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) {
>> reject
>>   }
> 
> Just put this in the "authorize" section? If it's early in the EAP 
> conversation, TLS-Client-* won't be set so won't match, meaning this 
> will succeed as soon as yo uget that far.


I'm not sure I follow you here.  Are you saying that there is a place in
the authorize section where TLS-Client-* _would_ be accessible to
unlang?  I've tried it in a few places (before eap, after eap, at the
top of the section, at the bottom of the section) and it seemed to have
no effect.  But it's entirely possible that I missed something during
these tests.


> Correct. Unlang is only processed in authorize-like steps, not arbitrary 
> bits of the config.

I can understand that.  But given that the eap module has access to some
client cert fields during authentication (e.g. check_cert_issuer and
check_cert_cn), it would be nice to be able to access these and other
client cert fields with unlang (or something similar) at that stage.
But, admittedly, I'm way over my head here  :-)   so I'll make do with
one of the methods described earlier in this thread.

Thanks,
-Matt


daemon for the freeradius rlm_smsotp plugin?

2011-01-27 Thread Pasi Kärkkäinen
Hello,

https://github.com/alandekok/freeradius-server/blob/stable/raddb/modules/smsotp

Are there any daemons available that can be used by the freeradius rlm_smsotp 
plugin? Or do I need to write my own?

Thanks!

-- Pasi



SSH-Login libpam-radius-auth

2011-01-27 Thread Marius.Meisner
Hi,

I have a problem with password matching. Everything seems to be all
right, but RADIUS still won't accept the shared_secret.

I use RADIUS with a MySQL database for SSH authentication. If I try to
authenticate with radtest on the server (10.10.10.11), it works fine. If I
try to authenticate from the client with IP 10.10.10.200, it works as well.

If I try to authenticate from SSH, I receive this message:

rad_recv: Access-Request packet from host 127.0.0.1 port 3666, id=208,
length=88
User-Name = "lisa"
User-Password = "\010\n\r\177INCORRECT"
NAS-IP-Address = 10.10.10.11
NAS-Identifier = "sshd"
NAS-Port = 2641
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "10.10.10.200"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "lisa", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> lisa
rlm_sql (sql): sql_set_user escaped user --> 'lisa'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'lisa'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'lisa'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'lisa'   ORDER BY priority
expand: SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = 'dynamic'   ORDER BY id
rlm_sql (sql): User found in group dynamic
expand: SELECT id, groupname, attribute,   value, op   FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, attribute,   value, op   FROM radgroupreply   WHERE groupname = 'dynamic'   ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "? INCORRECT"
rlm_pap: Using clear text password "lisa123"
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed):
[lisa/\010\n\r\177INCORRECT] (from client localhost port 2641 cli
10.10.10.200)
  WARNING: Unprintable characters in the password. Double-check
the shared secret on the server and the NAS!
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> lisa
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 1.0 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 208 to 127.0.0.1 port 3666
Waking up in 4.9 seconds.


clients.conf:
=

client 127.0.0.1 {
secret = Test
shortname = localhost
nastype = other # localhost isn't usually a NAS...
}

client 10.10.10.0/24 {
secret  = Test
shortname   = local-net
}


pam_radius_auth.conf:
=
127.0.0.1 Test 3
10.10.10.11 Test 3

pam.d/common-auth:
==
# Radius auth
# For these next three lines to grant auth, you must have a local user name
# This must be the same as your RADIUS name
# Remove the "debug" argument on the next line after everything works
auth    sufficient  pam_radius_auth.so debug
account required    pam_radius_auth.so
session required    pam_radius_auth.so

# Generic unix auth services below
auth    required    pam_unix.so nullok_secure


users:
==
"susi" Cleartext-Password := "123"


If I add the user susi (from users) with adduser susi, and the user lisa
(from the database) with adduser lisa, then NTRadPING receives a Reject. If
the password is set in passwd, authentication works. But the password
shouldn't be read out of passwd...

Any suggestions as to where my fault is or what to do?

Cheers
MM

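The User-Password value in that trace, "\010\n\r\177INCORRECT", is not random bytes. OpenSSH's PAM support substitutes exactly this fixed placeholder for the typed password when the login name has no local account (or is root while PermitRootLogin forbids it); that is a fact about OpenSSH's auth-pam.c, not something the thread states. A shared-secret mismatch instead yields different garbage on every request, because the NAS and the server then unmask User-Password with keys derived from different secrets and a fresh Request Authenticator. FreeRADIUS prints the same "Unprintable characters" warning in both cases, so the following added example, not code from the thread or from FreeRADIUS, tells the two apart when run over radiusd -X output. The first sample line is the one from the trace; the others are constructed.

```python
import re
from typing import List

# The fixed placeholder OpenSSH's PAM support hands to the PAM stack instead of
# a password when the login name has no local account (a fact about OpenSSH,
# not something the thread states).  Written here exactly as 'radiusd -X'
# prints it: non-printable bytes as octal escapes, \010 being backspace.
OPENSSH_NO_SUCH_USER = "\\010\\n\\r\\177INCORRECT"

_PW_RE = re.compile(r'User-Password = "(?P<pw>(?:[^"\\]|\\.)*)"')
_ESCAPED_BYTE_RE = re.compile(r"\\[0-7]{3}|\\[nrt]")

# Constructed sample debug lines.  The first is the one quoted in the thread;
# the others are made up to exercise the remaining cases.
SAMPLE_LINES = [
    'User-Password = "\\010\\n\\r\\177INCORRECT"',
    'User-Password = "\\303\\012q\\177\\035\\234x"',
    'User-Password = "lisa123"',
    'User-Name = "lisa"',
]

ADVICE = {
    "openssh-placeholder": "sshd found no local account for this login name; "
                           "the real password never reached the RADIUS server",
    "unprintable": "decrypted User-Password is not text: compare the shared "
                   "secret in clients.conf with the one in pam_radius_auth.conf",
    "printable": "the password arrived intact; check the stored credential",
    "no-password": "not a User-Password line",
}


def classify_password_line(line: str) -> str:
    """Classify one 'radiusd -X' line by what its User-Password value looks like.

    Order matters: the OpenSSH placeholder also contains unprintable bytes, so
    it is recognised before the generic "unprintable, probably a wrong shared
    secret" case that FreeRADIUS's own warning points at.
    """
    m = _PW_RE.search(line)
    if m is None:
        return "no-password"
    pw = m.group("pw")
    if pw == OPENSSH_NO_SUCH_USER:
        return "openssh-placeholder"
    if _ESCAPED_BYTE_RE.search(pw):
        return "unprintable"
    return "printable"


def triage(lines: List[str]) -> List[str]:
    """Return the classification for each line, in order."""
    return [classify_password_line(line) for line in lines]


if __name__ == "__main__":
    for verdict in triage(SAMPLE_LINES):
        print("%-20s %s" % (verdict, ADVICE[verdict]))
```

Because the placeholder is a constant, it shows up identically on every attempt for a missing account, whereas secret-mismatch garbage changes from request to request; seeing the same unprintable value twice in a row is itself a strong hint which case you are in.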


Re: Freeradius-Users Digest, Vol 69, Issue 93

2011-01-27 Thread vijay s sheelavantar
        secret          = testing123
        shortname       = private-network-1
}

I have not changed anything in radiusd.conf.

CLIENT SIDE
/etc/pam.d/sshd:
auth       sufficient   pam_radius_auth.so

/etc/raddb/server:
# server[:port] shared_secret      timeout (s)
127.0.0.1       testing123         1
10.150.110.42   testing123         3
other-server    other-secret       3

/etc/ssh/sshd_config:
UsePAM yes



Above mentioned is my configuration. When I try to connect the client with SSH, it 
is not sending a request to authenticate the user to the RADIUS server. Kindly let 
me know what else I have to configure, or if there are any mistakes in my 
configuration, please help me correct them.

Thank you.

Regards,

VIJAY S.
