How to get fractions of seconds?
Good morning,

for logging and monitoring purposes, I need to add the time spent for a particular Flow to a Logfile. Best would be to have something like '%l', but in a resolution of milliseconds. If I would have the runtime variable of (e.g.) %t for timestamp.milliseconds I could try something like

    update control { FlowStartTime = %t }
    ...do the Flow...
    update control { UsedTime = `%{expr: %t - control:FlowStartTime}` }

Is there something like this or a similar solution? Thank you.

Regards
Stefan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Persistent MySQL connections to arbitrary databases
I am asking about MySQL connections to a database *other than* the usual radius database. For one of my wireless SSIDs, part of the authorization process invokes a perl script which opens a MySQL handle to a different database, does a query, destroys the handle, and returns the value to radiusd. There's a lot of overhead in this so I would like to make radiusd open a pool of handles to this database, as it does with its own database. What's the approved method for making radiusd open persistent connections to an arbitrary database, and then using these handles from a perl module? Cheers, Jonathan Jonathan Gazeley Systems Support Specialist ResNet | Wireless VPN Team IT Services University of Bristol
Re: How to get fractions of seconds?
Stefan A. wrote:
> Best would be to have something like '%l', but in a resolution of milliseconds.

This is impossible. The dates and elapsed times in RADIUS have a resolution down to one second, but no more. It's possible to fake adding milliseconds, but they will bear little relation to the actual session times. Network delays, processing delays, etc. will all affect the results.

Alan DeKok.
Re: Persistent MySQL connections to arbitrary databases
Jonathan Gazeley wrote:
> What's the approved method for making radiusd open persistent connections to an arbitrary database, and then using these handles from a perl module?

Use static variables in the Perl code. This is really a Perl question.

Alan DeKok.
Re: Persistent MySQL connections to arbitrary databases
On 02/09/2011 10:38 AM, Alan DeKok wrote:
> Jonathan Gazeley wrote:
>> What's the approved method for making radiusd open persistent connections to an arbitrary database, and then using these handles from a perl module?
> Use static variables in the Perl code. This is really a Perl question.

I'm not sure if this is a wholly Perl question, unless I have misunderstood. I want radiusd to open the handles at startup, in the same way that it already opens its own handles. Then I think I have two options:

1. A module similar to the existing sql module that is capable of running custom queries, and that should be sufficient to do my authorization - no Perl needed.
2. A Perl module that is capable of using one from the pool of handles that radiusd has opened, and will do the query itself.

Are either of these feasible?

Thanks, Jonathan
Re: Persistent MySQL connections to arbitrary databases
Jonathan Gazeley wrote:
> I want radiusd to open the handles at startup, in the same way that it already opens its own handles.

Read the example.pl file:

    # If you are using DBI and do some queries to DB, please be sure to
    # use the CLONE function to initialize the DBI connection to DB.

> Then I think I have two options: 1. A module similar to the existing sql module that is capable of running custom queries, and that should be sufficient to do my authorization - no Perl needed.

The existing SQL module is capable of running custom queries. However, the *results* need to be simple.

> 2. A Perl module that is capable of using one from the pool of handles that radiusd has opened, and will do the query itself. Are either of these feasible?

The docs my previous message suggested (2).

Alan DeKok.
Re: Persistent MySQL connections to arbitrary databases
Jonathan Gazeley jonathan.gaze...@bristol.ac.uk wrote:
> I am asking about MySQL connections to a database *other than* the usual radius database. For one of my wireless SSIDs, part of the authorization process invokes a perl script which opens a MySQL handle to a different database, does a query, destroys the handle, and returns the value to radiusd. There's a lot of overhead in this so I would like to make radiusd open a pool of handles to this database, as it does with its own database. What's the approved method for making radiusd open persistent connections to an arbitrary database, and then using these handles from a perl module?

Although I have not tried it for what you want, you should be able to do this all in your Perl module in the BEGIN section. If you 'die' in the BEGIN section then freeradius will fail to load which is handy for doing some pre-flight checking...which can also include creating a pool of DB connections.

However, why do you need to close the handle? Just when you open it, do your work, store it to the side in a hash and mark it available for use (remember to add locking as it sounds like your script is threaded).

Cheers

--
Alexander Clouter
.sigmonster says: Buck-passing usually turns out to be a boomerang.
Re: Persistent MySQL connections to arbitrary databases
On 02/09/2011 10:33 AM, Alexander Clouter wrote:
> However, why do you need to close the handle? Just when you open it, do your work, store it to the side in a hash and mark it available for use (remember to add locking as it sounds like your script is threaded).

Please excuse the ignorance - can you elaborate a bit on the process of storing it in a hash, and marking it as available?
Re: How to get fractions of seconds?
I see it useful too, when specifying for example response_window that instead of be 1 One second could be 1200 as in twelve hundred milliseconds. I have found some devices that time out in 3 seconds, in these cases you still want to retry at least once. Of course here the network delay is kept under 300 milliseconds end to end.
Re: Persistent MySQL connections to arbitrary databases
Jonathan Gazeley jonathan.gaze...@bristol.ac.uk wrote:
>> However, why do you need to close the handle? Just when you open it, do your work, store it to the side in a hash and mark it available for use (remember to add locking as it sounds like your script is threaded).
> Please excuse the ignorance - can you elaborate a bit on the process of storing it in a hash, and marking it as available?

Meant to say an array of hashes:

    my @foobar;
    [snipped]
    push @foobar, { dbh => $dbh, busy => 0, };

An example of dumping objects into an array of hashes can be seen with:

    alex@berk:~$ perl -e 'use Digest::MD5; use Data::Dumper; my @foobar; my $md5 = Digest::MD5->new; push @foobar, { md5 => $md5, busy => 0 }; print Dumper \@foobar'
    $VAR1 = [
              {
                'busy' => 0,
                'md5' => bless( do{\(my $o = 23868256)}, 'Digest::MD5' )
              }
            ];

Without knowing what queries and logic you are throwing at your database and passing back to FreeRADIUS, I have a hard time understanding why you could not just use unlang with sql-xlat?

Cheers

--
Alexander Clouter
.sigmonster says: Showing up is 80% of life. -- Woody Allen
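
Added example, not part of any post in this thread and not FreeRADIUS project code: one way to apply the advice above (initialise DBI in CLONE, keep the handle open instead of destroying it) in an rlm_perl module. Each interpreter clone holds its own handle, so no busy flag or locking is needed; the DSN, account, table, column and reply attribute choice are hypothetical placeholders, and DBI with DBD::mysql is assumed to be installed.

```perl
use strict;
use warnings;
use DBI;

# Hashes that rlm_perl fills in for every request.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes, values as listed in the example.pl shipped with FreeRADIUS.
use constant {
    RLM_MODULE_REJECT   => 0,
    RLM_MODULE_FAIL     => 1,
    RLM_MODULE_OK       => 2,
    RLM_MODULE_NOTFOUND => 6,
};

# Placeholders (assumptions): point these at the second database and use an
# account that only has SELECT on the one table this module reads.
my %DB = (
    dsn  => 'DBI:mysql:database=EXAMPLE_DB;host=db.example.invalid',
    user => 'EXAMPLE_RO_USER',
    pass => 'EXAMPLE_PASSWORD',
);

# One handle per Perl interpreter. It is never shared between clones.
my $dbh;

sub db_connect {
    # RaiseError makes every DBI failure die, so callers wrap calls in eval.
    $dbh = DBI->connect(@DB{qw(dsn user pass)},
        { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
    return $dbh;
}

# Perl calls CLONE in each new interpreter clone. Open that clone's own
# connection here; if the database is down now, db_handle() retries later.
sub CLONE {
    undef $dbh;
    eval { db_connect() };
}

# Return a live handle, reconnecting if the idle connection was dropped.
sub db_handle {
    return $dbh if $dbh && eval { $dbh->ping };
    return db_connect();
}

sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOTFOUND unless defined $user && length $user;

    my $vlan = eval {
        # The user name is passed as a bound parameter, never interpolated
        # into the SQL text. prepare_cached reuses the statement per handle.
        my $sth = db_handle()->prepare_cached(
            'SELECT vlan FROM example_users WHERE username = ?');
        $sth->execute($user);
        my ($v) = $sth->fetchrow_array;
        $sth->finish;
        $v;
    };
    if ($@) {
        warn "example lookup failed: $@";   # database error: fail, do not guess
        return RLM_MODULE_FAIL;
    }
    return RLM_MODULE_NOTFOUND unless defined $vlan;

    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $vlan;
    return RLM_MODULE_OK;
}

1;
```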
Authenticating SSH login on a Cisco IOS switch to AD
Greetings all, We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation. I have been looking and found: http://wiki.freeradius.org/Cisco for authenticating inbound shell users and http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD. Now I am trying to combine those two. On the Freeradius server Samba and Kerberos are configured, the ntlm_auth returns an NT_STATUS_OK. First question: Would this at all be possible? And if so my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X I get an error that the ntlm_auth module could not be loaded though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work? Help would be highly appreciated. Chris Schaatsbergen
Re: Authenticating SSH login on a Cisco IOS switch to AD
If no one else jumps in I can help you out in a couple hours.
Re: Authenticating SSH login on a Cisco IOS switch to AD
Hi Chris, We use TACACS+ to administer our switches here and I can tell you that I had to add extra stuff to the TACACS replies to allow authorization to manage the switches. So you may be able to login via radius but somewhere you are going to have to send information to the switch on what authorization is given per user. This means that you're going to have to have AD respond with this information or have some other method that will inject those values when you login. I think it is possible but I do not think it will be too easy if you are only using AD as the back-end, you may need to use local files to define groups with attributes or some scripts to inject the values Cisco wants. Hope that helps.
Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
Re: How to get fractions of seconds?
It sounds like the original request "I need to add the time spend for a particular Flow to a Logfile" wants to track the 'login time' in milliseconds. I suppose one could track the time from receiving the original request to sending the authentication - or receiving the accounting packet after authentication.. but I seriously doubt the added granularity would have any real meaning. (References gettimeofday(2) for the seriously nerdy) Sounds like you'd need to write your own additions to FreeRadius and submit them as an enhancement. (I doubt the result would be worth the effort.) Cheers, -craig
RE: Authenticating SSH login on a Cisco IOS switch to AD
Authentication with ntlm-auth and "require-membership-of" works well for us. Right now we simply authenticate the login/vty session with AD, and the secret is "authorized" locally by the switch. So, each person gets the vty session with their own unique credentials validated via ntlm-auth and AD. Everyone knows the secret password. Works well. On our "dev" FR instance I have an FR users file to return various Cisco attribute-value pairs. This works well too. Somewhere down the road I'll go for a full authorization process with AD on the back side, or since a relatively small number of users access our gear, might just stick to users file. Guess it depends how skilled I get with LDAP/AD/unlang/whatever else...
G
RE: Authenticating SSH login on a Cisco IOS switch to AD
Yep, simple auth should be no problem, I was referring to pushing the authorization out to the switch. So for us, we login and are automatically at the enable level we defined in TACACS. When I was researching this, I believe it said you could get all the same stuff with Radius, the only real difference is that TACACS encrypts more of the authentication requests than Radius and does better accounting. Of course it only really works on Cisco which is a major drawback.
Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
Re: Authenticating SSH login on a Cisco IOS switch to AD
On Wed, Feb 09, 2011 at 04:24:05PM +0100, Schaatsbergen, Chris wrote:
> We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation.

The solution I have built is to configure freeradius as a proxy, and install IAS on the Windows AD server. You can use AD groups to configure specific reply attributes for specific users in IAS. Windows AD is limited to 50 clients (unless you have Enterprise edition) - but that is client IPs. Your freeradius server counts as only one, no matter how many Cisco boxes are authenticating through it.

Regards, Brian.
AW: Authenticating SSH login on a Cisco IOS switch to AD
Greetings Gary, Well, this does sound like what I would like to achieve, we only have 3 users to administer the Cisco switches, though all domain admins (7) could do it. We currently have one admin user account and all domain admins know the password. To go to priv level (enable) we will continue to use one password, we only would like the SSH login to be authenticated against AD. I am in no hurry (going home now anyway) but would love to hear your solution a little more detailed. Chris
Re: AW: Authenticating SSH login on a Cisco IOS switch to AD
I had a look into this and as far as I could tell, the conversation between the switch and the radius server was not encrypted unless you use TACACS. Does anyone know if this conversation can be encrypted while using Freeradius, as otherwise the domain login details are presumably being sent over the network in clear text? Oli
-- Oliver Elliott Network Specialist
RE: AW: Authenticating SSH login on a Cisco IOS switch to AD
I *think* you are correct. Between FR and AD it may just be a one-way-hash of the pw, but not sure. FR can't support anything the NAS doesn't. Well, it could but what good would it do? I remember reading about a new / different flavor of RADIUS that includes encryption, but I forget what it's called. And again, no Cisco stuff I'm using supports it so I didn't really put much effort into it.

We don't necessarily have ssh everywhere so obviously unencrypted passwords are a possibility. I can think of several <what's the opposite of elegant> F'd up ways to encrypt this - but not pretty. Network isolation (VLANs) with strict ACLs would at least be a good start - i.e., an authentication vlan. If the data can't be accessed on the wire, then it doesn't really matter if it's encrypted - right? Yeah, I know - better encrypted and some compliance issues may pop up as a result of unencrypted stuff flying around.

Interesting
RE: AW: Authenticating SSH login on a Cisco IOS switch to AD
Hey Oli,

I think it is always a good idea to keep the switch management on a separate management vlan, regardless of whether you encrypt the info or not. Between Cisco and Radius servers it does encrypt the password but I don't think it does much else. Gary may be right that it just hashes the password to be compared. Granted, someone may be able to see what level you login as from a Radius request, the question is whether it matters? If they do not have the password they will have to run some sort of crack on the switch that should throw up warning flags in your Radius logs and hopefully lock your AD account with an intruder lockout.

Having a separate vlan for switch management is a lot like a hidden SSID, it is by no means the most secure way to protect a network but it keeps the riff-raff from trying to hack your network. People who know how to flood the arp tables can bypass vlans if need be, just as someone can get the SSID from a hidden Wireless network, that does not mean you have to make it easier for them :)

Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE
Re: PEAP MSCHAPv2 error..
Thanks, Alan - got it fixed now.

On 8 Feb 2011, at 21:15, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

Hi,

> Entered bob as username, testing123 as password
> I get No such realm 'NULL'
> So added -
>
> realm test {
>     authhost = LOCAL
>     accthost = LOCAL
> }
> realm LOCAL {
> }
> realm NULL {
> }
>
> Now I get rejected - the following from the debug output looks relevant

what is your 'users' entry file like for bob?

> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv2 for bob@test with NT-Password
> [mschap] FAILED: MS-CHAP2-Response is incorrect

have you edited the modules/mschap file?

mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    #ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
}

do you fire off

    preprocess
    suffix
    ntdomain

in that order, in the authorize section of inner-tunnel?

> I'm doing something silly, no doubt - but what? Should this config just work out of the box?

it should do... I'm sure I've recently (sept last year) got a fresh 2.1.x server and slapped SoH patches on and it just worked with Win7 client

alan
Re: AW: Authenticating SSH login on a Cisco IOS switch to AD
On Wed, Feb 09, 2011 at 09:35:35AM -0800, Brett Littrell wrote:
> I think it is always a good idea to keep the switch management on a separate management vlan, regardless of whether you encrypt the info or not. Between Cisco and Radius servers it does encrypt the password but I don't think it does much else.

For regular logins, you will get User-Password attribute which is encrypted with the RADIUS shared secret. I'm pretty sure the Cisco won't do CHAP.

The response attributes will be signed using the shared secret, so they cannot be tampered with.

So, the important thing is to choose strong shared secrets, and to limit access to any places where your switch configs are stored.

Someone sniffing the RADIUS traffic will be able to see (a) who is logging in, and (b) what privilege level they have been given. If they are able to sniff your network then you probably have worse problems to worry about.

Incidentally, it's quite reasonable to use RADIUS for authentication and authorization, and TACACS for accounting (e.g. point your aaa accounting at an instance of tac_plus). Then you have a real-time log of individual commands run.

Having a management network is a good idea too though.

> Having a separate vlan for switch management is a lot like a hidden SSID, it is by no means the most secure way to protect a network but it keeps the riff-raff from trying to hack your network. People who know how to flood the arp tables can bypass vlans if need be

It sounds like you have pretty broken switches then. VLANs are always separate, floods or no floods. Also, true switches don't care about ARP at all (as opposed to layer 3 switches).

Regards,

Brian.
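The wire behaviour discussed in the message above, as an added example that is not part of the original thread: RFC 2865 User-Password hiding and the Response Authenticator, showing that User-Name travels in clear, that the password is recoverable only with the shared secret, and that a modified Access-Accept fails verification. The user name, password, shared secret and the Service-Type values used to stand in for a privilege level are constructed sample values.

```python
"""RFC 2865 password hiding and Response Authenticator, on constructed values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6  # RFC 2865 attribute types


def _keystream_blocks(data, secret, request_auth, hiding):
    """XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(b ^ k for b, k in zip(block, key))
        prev = xored if hiding else block  # chain on the ciphertext either way
        out += xored
    return out


def hide_password(password, secret, request_auth):
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded_len = max(16, -(-len(password) // 16) * 16)  # round up to 16
    padded = password.ljust(padded_len, b"\x00")
    return _keystream_blocks(padded, secret, request_auth, True)


def reveal_password(hidden, secret, request_auth):
    return _keystream_blocks(hidden, secret, request_auth, False).rstrip(b"\x00")


def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    attrs, pos = {}, 20  # attributes follow the 20-byte header
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_request(ident, user, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_accept(request, attrs, secret):
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    digest = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + digest + attrs


def verify_response(response, request, secret):
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample values
    req = build_request(7, b"chris", b"correct horse battery", secret)
    seen = parse_attrs(req)
    print("visible on the wire:", seen[USER_NAME], seen[USER_PASSWORD].hex())
    print("server recovers:",
          reveal_password(seen[USER_PASSWORD], secret, req[4:20]))
    # Service-Type 7 (NAS-Prompt) stands in for the granted privilege level.
    accept = build_accept(req, attr(SERVICE_TYPE, struct.pack("!I", 7)), secret)
    print("accept verifies:", verify_response(accept, req, secret))
    modified = accept[:-1] + b"\x06"  # Service-Type changed in transit
    print("modified accept verifies:", verify_response(modified, req, secret))
```

Everything protecting the password and the reply here is keyed only by the shared secret, which is why the message stresses strong secrets and restricted access to stored switch configs.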
Re: AW: Authenticating SSH login on a Cisco IOS switch to AD
Ya, you're right, I meant the CAM table. Flooding the CAM table with MAC addresses caused all the traffic to broadcast to all ports. My bad, but it is/was a fundamental flaw in the way switches work, I know Cisco had a fix out for it but it did not work with dot1x and DVlans.

The moral of the story is that vlans are not the end security stop-gap, they are just one layer to keep the casual hacker at bay, just as the hidden SSID does.

Thanks for the correction Brian.

> It sounds like you have pretty broken switches then. VLANs are always separate, floods or no floods. Also, true switches don't care about ARP at all (as opposed to layer 3 switches).
>
> Regards,
>
> Brian.

Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE
Re: Authenticating SSH login on a Cisco IOS switch to AD
Brian Candler b.cand...@pobox.com wrote:
> Incidentally, it's quite reasonable to use RADIUS for authentication and authorization, and TACACS for accounting (e.g. point your aaa accounting at an instance of tac_plus). Then you have a real-time log of individual commands run.

I would say it is easier to send the command log over syslog, but that's just how we like to skin our cats round here.

Cheers

--
Alexander Clouter
.sigmonster says: ... and furthermore ... I don't like your trousers.
RE: Proxy Maintenance Process
Was reading (I know, scary) and came across this in the policy.conf:

#
#  If you want the server to pretend that it is dead,
#  then use the do_not_respond policy.
#
do_not_respond {
    update control {
        Response-Packet-Type := Do-Not-Respond
    }

    handled
}

Not sure if that would help you or not, but policies are apparently deprecated...

G

-----Original Message-----
From: Gary Gatten
Sent: Monday, February 07, 2011 6:05 PM
To: 'FreeRadius users mailing list'
Subject: RE: Proxy Maintenance Process

Perhaps some sort of access list or host (/32) null route to make the NAS think the home server is dead?

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Monday, February 07, 2011 5:27 PM
To: FreeRadius users mailing list
Subject: Re: Proxy Maintenance Process

Brian Carpio wrote:
> So are there any other options than restarting radiusd? I have tried to comment out a home_server and even send a hup:
>
> radmin -e hup
>
> But that doesn't seem to make freeradius reread the proxy.conf file...

That won't work. Home servers aren't reloaded on HUP.

> I don't see in the radmin command how I can disable a server (except mark it dead but since my backend server still replies to heartbeat messages its marked alive immediately).

Hmm... no, you can't disable a home server.

The simplest thing would be to turn off the home server if it's not responsive.

Alan DeKok.
How to authorize login users using FreeRadius???
Hello friends,

I am running pam_radius_auth.so client on one machine and freeRadius server on the other machine. Authentication is happening fine for the user accounts. I want to give certain privilege levels to each user on client machine. For example network_admin, security_admin, guest etc privileges. How can I configure these privilege levels for authorization on client and server side?

Thanks & Regards,
VIJAY S.
FreeRADIUS + Cygwin + Active Directory authentication?
I'm trying to set up a FreeRADIUS server in our organization, and the corporate preference is to run on Windows. I've got FreeRADIUS to compile and have successfully completed the PAP test (from http://deployingradius.com/documents/configuration/pap.html) to make sure it works. Now I'm looking to set up Active Directory authentication.

To do that, all the documentation I've read is geared towards Linux servers running Samba. From what I gather, it uses the ntlm_auth program to authenticate to the Windows Active Directory, which returns NT_KEY output, which is needed in order for FreeRADIUS to perform MS-CHAP authentication. Is there a way I can do this on a Windows/Cygwin server?

I tried to get Samba to compile and install to test if it'd work on a Windows server, but it needed Kerberos to talk to AD, and Kerberos didn't seem to want to compile without shared libraries, which apparently Cygwin doesn't support.

Does anyone know any other programs that can be used to provide this authentication mechanism, that also run on Windows? Or do I need to do this on a Linux server? I've tried to Google for the answers to this without luck. Any help or pointers would be appreciated.

Thanks.

John H. Moe
Network Support - Hatch IT
HATCH
Re: FreeRADIUS + Cygwin + Active Directory authentication?
Frankly, running Free Radius on windows sounds like a bad idea, especially should you ever need to update it or have another person (maybe 5 years down the road) change it a bit. Generally, running a server process under cygwin is a lot of extra work for not much convenience.

I would suggest either running it on a linux server (and documenting everything you do) or running a different RADIUS server that natively runs on windows.

--
Random quote of the week/month/whenever i get to updating it:
Quis custodiet ipsos custodes?: who shall watch the watchers themselves? - Juvenal