Re: SQL Counter Escape String !

2011-03-14 Thread Suman Dash
New Modified Query !

SELECT SUM(acctsessiontime) FROM tbl_acct where \
username = '%{%k}' AND acctstarttime BETWEEN \
(SELECT STR_TO_DATE((SELECT value FROM tbl_check \
WHERE username = '%{%k}' AND attribute =
'Activation'), '%%d %%M %%Y %%H:%%i:%%s')) \
AND (SELECT STR_TO_DATE((SELECT value FROM tbl_check
WHERE username = '%{%k}' \
AND attribute = 'Expiration'), '%%d %%M %%Y %%H:%%i:%%s'));


DEBUG :


sqlcounter_expand:  'SELECT SUM(acctsessiontime) FROM tbl_acct where
 username = '%{User-Name}' AND acctstarttime BETWEEN
 (SELECT STR_TO_DATE((SELECT value FROM tbl_check
 WHERE username = '%{User-Name}' AND attribute = 'Activation'),
 '%1298917800d %1298917800M %1298917800Y
%1298917800H:%1298917800i:%1298917800s'))
 AND (SELECT STR_TO_DATE((SELECT value FROM tbl_check
WHERE username = '%{User-Name}'
 AND attribute = 'Expiration'), '%1298917800d 
%1298917800M
%1298917800Y %1298917800H:%1298917800i:%1298917800s'));'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter]expand: SELECT SUM(acctsessiontime) FROM tbl_acct where
 username = '%{User-Name}' AND acctstarttime BETWEEN
 (SELECT STR_TO_DATE((SELECT value FROM 
tbl_check
 WHERE username = '%{User-Name}' AND attribute 
= 'Activation'),
 '%1298917800d %1298917800M %1298917800Y
%1298917800H:%1298917800i:%1298917800s'))
 AND (SELECT STR_TO_DATE((SELECT value FROM 
tbl_check WHERE
username = '%{User-Name}'
 AND attribute = 'Expiration'), '%1298917800d 
%1298917800M
%1298917800Y %1298917800H:%1298917800i:%1298917800s'));
 -> SELECT SUM(acctsessiontime) FROM tbl_acct 
where
 username = 'suman' AND acctstarttime BETWEEN
 (SELECT STR_TO_DATE((SELECT value FROM 
tbl_check
 WHERE username = 'suman' AND attribute = 
'Activation'),
 '%1298917800d %1298917800M %1298917800Y
%1298917800H:%1298917800i:%1298917800s'))
 AND (SELECT STR_TO_DATE((SELECT value FROM tbl_check
WHERE username = 'suman'
sqlcounter_expand:  '%{sql:SELECT SUM(acctsessiontime) FROM tbl_acct where
 username = 'suman' AND acctstarttime BETWEEN
 (SELECT STR_TO_DATE((SELECT value FROM 
tbl_check
 WHERE username = 'suman' AND attribute = 
'Activation'),
 '%1298917800d %1298917800M %1298917800Y
%1298917800H:%1298917800i:%1298917800s'))
 AND (SELECT STR_TO_DATE((SELECT value FROM 
tbl_check WHERE
username = 'suman'
 AND attribute = 'Expiration'), '%1298917800d 
%1298917800M
%1298917800Y %1298917800H:%1298917800i:%1298917800s'));}'
[monthlycounter] sql_xlat
[monthlycounter]expand: %{User-Name} -> suman
[monthlycounter] sql_set_user escaped user --> 'suman'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%1': See 'doc/variables.txt'
[monthlycounter]expand

Re: SQL Counter Escape String !

2011-03-14 Thread Alan DeKok
Suman Dash wrote:
> Please anyone advice me the way to escape run-time variables in
> freeradius. I am using STR_TO_DATE and freeradius run-time variable is
> over-riding the mysql time variables

  Yes... that's what it does.

> I have tried escaping as per the thread
> http://freeradius.1045715.n5.nabble.com/Changing-the-format-of-a-date-attribute-tt2775323.html#a2775328

What's wrong with reading the documentation?

> But no luck ..
> 
> My Entire Counter is :

  ... which doesn't follow the escaping rules of either the above
message, or the documentation.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
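The substitution reported in this thread, as an added example (not code from any poster or from FreeRADIUS): a simplified Python model of one run-time expansion pass, with a scanner that flags `%X` sequences in a query string before deployment. The function names, the variable table (limited to the letters decoded in the thread, plus `%H` as the hour) and the request values are assumptions; the model does not reproduce the separate `sqlcounter_expand` stage visible in the debug output.

```python
import re

# One-character run-time variables seen in this thread and the request field
# each pulls in. Meanings follow the poster's decoding of the mangled output;
# %H (hour) is read off the "20" in that output. Not the server's full table.
ONE_CHAR_VARS = {
    "d": "day", "M": "mtu", "Y": "year",
    "H": "hour", "i": "calling_station_id", "s": "speed",
}

# "%%" (escaped percent), "%{Attr}" (attribute reference) or "%X" (one char).
TOKEN = re.compile(r"%(%|\{[^}]*\}|.)", re.S)


def expand(template, request):
    """One expansion pass over `template` (simplified model, an assumption)."""
    def sub(match):
        tok = match.group(1)
        if tok == "%":                      # "%%" collapses to a literal "%"
            return "%"
        if tok.startswith("{"):             # "%{User-Name}" style reference
            return str(request["attrs"].get(tok[1:-1], ""))
        if tok in ONE_CHAR_VARS:            # collides with a MySQL specifier
            return str(request[ONE_CHAR_VARS[tok]])
        return match.group(0)               # unknown here: left untouched
    return TOKEN.sub(sub, template)


def scan(template):
    """Return (collisions, others): '%X' tokens this model would expand, and
    '%X' tokens it does not know (the server warns about unknown variables)."""
    collisions, others = [], []
    for match in TOKEN.finditer(template):
        tok = match.group(1)
        if tok == "%" or tok.startswith("{"):
            continue
        bucket = collisions if tok in ONE_CHAR_VARS else others
        bucket.append((match.start(), "%" + tok))
    return collisions, others


# Constructed request context, chosen to match the values decoded in the thread.
REQUEST = {
    "day": 14, "mtu": 0, "year": 2011, "hour": 20,
    "calling_station_id": "001122334455", "speed": "_",
    "attrs": {"User-Name": "suman"},
}

MYSQL_FORMAT = "%d %M %Y %H:%i:%s"            # what MySQL should receive
ESCAPED_FORMAT = "%%d %%M %%Y %%H:%%i:%%s"    # escaped for ONE expansion pass
# Format string as printed after sqlcounter_expand in the debug output above.
AFTER_SQLCOUNTER_EXPAND = ("%1298917800d %1298917800M %1298917800Y "
                           "%1298917800H:%1298917800i:%1298917800s")

if __name__ == "__main__":
    print("unescaped ->", expand(MYSQL_FORMAT, REQUEST))
    print("escaped   ->", expand(ESCAPED_FORMAT, REQUEST))
    print("collisions:", [tok for _, tok in scan(MYSQL_FORMAT)[0]])
    print("unknown after pre-pass:",
          [tok for _, tok in scan(AFTER_SQLCOUNTER_EXPAND)[1]])
```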


SQL Counter Escape String !

2011-03-14 Thread Suman Dash

Please anyone advise me the way to escape run-time variables in
freeradius. I am using STR_TO_DATE and freeradius run-time variable is
over-riding the mysql time variables

SELECT STR_TO_DATE('14 Mar 2012 21:37:23','%d %M %Y %H:%i:%s') gives
2012-03-14 21:37:23 in MySQL

Whereas in freeradius

SELECT STR_TO_DATE('14 Mar 2012 21:37:23','%d %M %Y %H:%i:%s') gives

'14 0 2011 20:001122334455:_

14 = Current Date

0 = MTU

2011 = Current Year

001122334455 = Calling-Station-ID

_ = Speed

I have tried escaping as per the thread
http://freeradius.1045715.n5.nabble.com/Changing-the-format-of-a-date-attribute-tt2775323.html#a2775328

But no luck ..

My Entire Counter is :

query = "SELECT SUM(acctsessiontime) FROM tbl_acct where \
   username = 'suman' AND acctstarttime BETWEEN \
   (SELECT STR_TO_DATE((SELECT value FROM tbl_check \
   WHERE username = 'suman' AND attribute =
'Activation'), '%d %M %Y %H:%i:%s')) \
   AND (SELECT STR_TO_DATE((SELECT value FROM tbl_check
WHERE username = 'suman' \
   AND attribute = 'Expiration'), '%d %M %Y %H:%i:%s'))"

The Above Query Ends Up Showing 14 0 2011 23:001122334455:_


Any help in this matter will be highly appreciated !

Cheers !


need someone to set up radius

2011-03-14 Thread Matthew
I / we need someone to set up our radius.  Our old 1.0.1 freeradius took 
a dive.  We have just built an Ubuntu 10.04 LTS server and installed radius 
on it.  We need it to take a handoff from Covad and authenticate our 
users.  Prefer to use Mysql and dialup-admin interface.


Will Pay money via paypal or check whichever you prefer.  This is a 
contract position and will pay up to $400.00.


You can also call 1-888-510-3614 US/Can, or 480-248-3933 outside there.

E-mail is best though.

Thank you.

Go SuperNet by...
The Web OnRamp Networks LLC



Re: Set reject in post-auth

2011-03-14 Thread Arran Cudbard-Bell
Create the appropriate entry in raddb/modules/always

always reject {
    rcode = reject
}

-Arran
On Mar 14, 2011, at 5:16 PM, paul smith wrote:

> Thanks Alan,
> 
> I had tried that already, but must be missing something. When I use:
> 
>if (!reply:Session-Timeout) {
>reject
>}
> 
> I get the following in the debug:
> 
> /etc/raddb/sites-enabled/default[209]: Failed to load module "reject".
> /etc/raddb/sites-enabled/default[209]: Failed to parse "reject" entry.
> /etc/raddb/sites-enabled/default[201]: Errors parsing post-auth section.
> 
> I have looked through all the modules (as I had removed some of them),
> but couldn't find the reference to the reject module.
> 
> thanks,
> 
> 
> On Fri, Mar 11, 2011 at 6:50 AM, Alan DeKok  wrote:
>> paul smith wrote:
>>> I've been trying to set reject in the post-auth section if a certain
>>> attribute hasn't been set, but it doesn't seem to work (obviously I've
>>> messed it up)
>> 
>> $ man unlang
>> 
>>  You can just use the word "reject"
>> 
>>  Alan DeKok.


Re: Set reject in post-auth

2011-03-14 Thread paul smith
Thanks Alan,

I had tried that already, but must be missing something. When I use:

if (!reply:Session-Timeout) {
    reject
}

I get the following in the debug:

/etc/raddb/sites-enabled/default[209]: Failed to load module "reject".
/etc/raddb/sites-enabled/default[209]: Failed to parse "reject" entry.
/etc/raddb/sites-enabled/default[201]: Errors parsing post-auth section.

I have looked through all the modules (as I had removed some of them),
but couldn't find the reference to the reject module.

thanks,


On Fri, Mar 11, 2011 at 6:50 AM, Alan DeKok  wrote:
> paul smith wrote:
>> I've been trying to set reject in the post-auth section if a certain
>> attribute hasn't been set, but it doesn't seem to work (obviously I've
>> messed it up)
>
> $ man unlang
>
>  You can just use the word "reject"
>
>  Alan DeKok.


Re: Calling-Station-Id problem

2011-03-14 Thread ziko
thank you guys. I will try. Thank you!





From: Brian Candler 
To: FreeRadius users mailing list 
Sent: Mon, March 14, 2011 11:42:09 AM
Subject: Re: Calling-Station-Id problem

On Sun, Mar 13, 2011 at 04:37:06AM -0700, ziko wrote:
>I tried both format together like this:
>user1  Calling-Station-Id == 00-00-00-00-00
>user1  Calling-Station-Id == 00:00:00:00:00
>but no success.

You could do a rewrite:

if (Calling-Station-Id =~ /^([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$/i) {
  update request {
    Calling-Station-Id = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
  }
}

String Escape in SQL Counter !

2011-03-14 Thread Suman Dash
Please anyone advise me the way to escape run-time variables in
freeradius. I am using STR_TO_DATE and freeradius run-time variable is
over-riding the mysql time variables

SELECT STR_TO_DATE('14 Mar 2012 21:37:23','%d %M %Y %H:%i:%s') gives
2012-03-14 21:37:23 in MySQL

Whereas in freeradius

SELECT STR_TO_DATE('14 Mar 2012 21:37:23','%d %M %Y %H:%i:%s') gives

'14 0 2011 20:001122334455:_

14 = Current Date

0 = MTU

2011 = Current Year

001122334455 = Calling-Station-ID

_ = Speed

I have tried escaping as per the thread
http://freeradius.1045715.n5.nabble.com/Changing-the-format-of-a-date-attribute-tt2775323.html#a2775328

But no luck ..

My Entire Counter is :

query = "SELECT SUM(acctsessiontime) FROM tbl_acct where \
username = 'suman' AND acctstarttime BETWEEN \
(SELECT STR_TO_DATE((SELECT value FROM tbl_check \
WHERE username = 'suman' AND attribute =
'Activation'), '%d %M %Y %H:%i:%s')) \
AND (SELECT STR_TO_DATE((SELECT value FROM tbl_check
WHERE username = 'suman' \
AND attribute = 'Expiration'), '%d %M %Y %H:%i:%s'))"

The Above Query Ends Up Showing 14 0 2011 23:001122334455:_


Any help in this matter will be highly appreciated !

Cheers !


Re: Concurrent Sessions per user

2011-03-14 Thread Suman Dash
Please anyone advise me the way to escape run-time variables in freeradius. I
am using STR_TO_DATE and freeradius run-time variable is over-riding the
mysql time variables

SELECT STR_TO_DATE('14 Mar 2012 21:37:23','%d %M %Y %H:%i:%s') gives
2012-03-14 21:37:23 in MySQL

Whereas in freeradius

SELECT STR_TO_DATE('14 Mar 2012 21:37:23','%d %M %Y %H:%i:%s') gives

'14 0 2011 20:001122334455:_

14 = Current Date

0 = MTU

2011 = Current Year

001122334455 = Calling-Station-ID

_ = Speed

I have tried escaping as per the thread
http://freeradius.1045715.n5.nabble.com/Changing-the-format-of-a-date-attribute-tt2775323.html#a2775328

But no luck ..

Thanks in advance !!

Re: Concurrent Sessions per user

2011-03-14 Thread Suman Dash
Yes .. Simultaneous-Use Attribute

On Mon, Mar 14, 2011 at 10:38 PM, Moayad Mohammad  wrote:

> Dear,
>
> Is there is a way to control the concurrent sessions per user?
>
>
>
> Regards,
>

Re: Concurrent Sessions per user

2011-03-14 Thread Marc Phillips
> Is there is a way to control the concurrent sessions per user?

http://freeradius.org/radiusd/doc/Simultaneous-Use


Re: DH parameter generation hanging

2011-03-14 Thread Alan DeKok
Riccardo Veraldi wrote:
> the problem is when starting freeradius, it hangs forever when
> generating DH parameters.
> Any clue on this problem ?

$ cd /etc/raddb/certs
$ ./bootstrap

  Alan DeKok.


Concurrent Sessions per user

2011-03-14 Thread Moayad Mohammad
Dear,

Is there is a way to control the concurrent sessions per user?

 

Regards,


Re: Need help on FreeRadius+OTP+OpenLDAP integration

2011-03-14 Thread Nicolas Goutte


On 14.03.2011 at 17:40, pradyumna dash wrote:


Hi,


We are receiving your emails. See also 
http://lists.freeradius.org/pipermail/freeradius-users/2011-March/date.html

(Please avoid to re-send your questions minutes after sending them the  
first time.)






I need a documentation on how to implement  FreeRadius+OTP+OpenLDAP, I
have installed and configured FreeRadius+OpenLDAP before but never
used OTP, and also would like to know how OTP will be configured with
SASL and how does SASL auth store OTP parameters.

Another problem am facing is, first there is an authentication with
freeradius but the next thing that is triggered in pam.d/ssh is the
"account" section for authorization and here OpenLDAP requires
password for the second time.  So a user needs to login twice because
of this.  How to solve this issue

Please help me out to solve this issue.

Regards,
Pradyumna



Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing Director: Lars Busch
Commercial register: Amtsgericht Münster / HRB: 5624
Tax No.: 337/5903/0421 / VAT ID: DE 204607841






Need help on FreeRadius+OTP+OpenLDAP integration

2011-03-14 Thread pradyumna dash
Hi,

I need a documentation on how to implement  FreeRadius+OTP+OpenLDAP, I
have installed and configured FreeRadius+OpenLDAP before but never
used OTP, and also would like to know how OTP will be configured with
SASL and how does SASL auth store OTP parameters.

Another problem am facing is, first there is an authentication with
freeradius but the next thing that is triggered in pam.d/ssh is the
"account" section for authorization and here OpenLDAP requires
password for the second time.  So a user needs to login twice because
of this.  How to solve this issue

Please help me out to solve this issue.

Regards,
Pradyumna



Need help on FreeRadius+OTP+OpenLDAP integration

2011-03-14 Thread pradyumna dash
Hi,

I need a documentation on how to implement  FreeRadius+OTP+OpenLDAP, I
have installed and configured FreeRadius+OpenLDAP before but never
used OTP, and also would like to know how OTP will be configured with
SASL and how does SASL auth store OTP parameters.

Another problem am facing is, first there is an authentication with
freeradius but the next thing that is triggered in pam.d/ssh is the
"account" section for authorization and here OpenLDAP requires
password for the second time.  So a user needs to login twice because
of this.  How to solve this issue

Please help me out to solve this issue.

/Neo



DH parameter generation hanging

2011-03-14 Thread Riccardo Veraldi

Hello,

freeradius 2.1.10 here on soekris net5501

radiusd: FreeRADIUS Version 2.1.10, for host i386-unknown-openbsd4.9, 
built on Mar 11 2011 at 11:20:43



the problem is when starting freeradius, it hangs forever when 
generating DH parameters.

Any clue on this problem ?

thank you

Rick


 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/dev/arandom"
random_file = "/dev/arandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
   }
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...+.Child 
PID 17850 is taking too much time: forcing failure and killing child.

...+...++.+..+...+..+


Re: Sending accounting packets to more than one server?

2011-03-14 Thread Alan DeKok
Brian Candler wrote:
> Quite possibly using type=detail would be better. But if I were sending to,
> say, three remote servers, would I need to write to three separate detail
> files? 

  Yes.

> I'm having difficulty locating any documentation for "type = detail", and in
> particular, whether it deletes files after using them.

  It does.  For documentation, patches are welcome.

  Alan DeKok.


Re: Sending accounting packets to more than one server?

2011-03-14 Thread Brian Candler
On Sun, Mar 13, 2011 at 09:25:23AM +0100, Alan DeKok wrote:
> >  We use it for teeing off accounting to various packet
> > shapers.
> 
>   Which do... what?

Some sort of class-of-service stuff, I believe, which requires knowing which
username is on which (dynamic) IP.  There is periodic interim accounting, so
if the occasional stop or start packet is lost, eventually it will correct
itself.

Quite possibly using type=detail would be better. But if I were sending to,
say, three remote servers, would I need to write to three separate detail
files?  A comment in the 'robust-proxy-accounting' example says:

#  Note that you can have only ONE "listen" section reading
#  detail files from a particular directory. ...

#  ...  Having two "listen" sections reading detail files
#  from the same directory WILL cause problems.  The packets
#  may be read by one, the other, or both "listen" sections.

I'm having difficulty locating any documentation for "type = detail", and in
particular, whether it deletes files after using them.  Digging around I
found src/main/detail.c and as far as I can see it first renames the detail
file, then deletes it when complete.

Regards,

Brian.


RE: Sending attribute with sub-attributes

2011-03-14 Thread David Peterson
I think I may be getting closer.  What should I define this as in the
dictionary:

 


TLV ID:       1 for Ref-R3-IF-Name TLV
Description:  Reference name to bind the specified DHCP option with the particular
              R3-IF-Descriptor/ Service Group - specific for Multi-host scenario.
Length:       2 + Variable
Value:        ASCII string

 

I am currently using "string" and getting an unhandled integer length (which
may just be a wireshark issue)

 

David

-Original Message-
From:
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradiu
s.org] On Behalf Of David Peterson
Sent: Monday, March 14, 2011 9:08 AM
To: FreeRadius users mailing list
Subject: RE: Sending attribute with sub-attributes

 

AHh ok great!

It appears  I am on v2.2.  Should I be on 3.0 to support the sub-sub tlvs
needed for this NAS?

David

-Original Message-
From:
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Monday, March 14, 2011 9:05 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Sending attribute with sub-attributes

David Peterson wrote:
> I am working on the same issue, likely with the same NAS vendor.  Is
> the order important?

  Yes.  List them in order of attribute number, lowest to highest.

  Basically, the same order that they are in the dictionary.

> I am also seeing some "uknown attributes" in my pcap file.

  No... the pcap *viewer* you're using doesn't support the WiMAX attributes.
This is not surprising.  Wireshark grabbed the dictionaries from FreeRADIUS
a few years ago, and haven't updated them since.

>  Perhaps I
> am on the wrong build.  How do I verify if I am compiling 3.0 version?

$ radiusd -v

  Alan DeKok.

Re: Packet tracing web interface

2011-03-14 Thread Brian Candler
On Mon, Mar 14, 2011 at 12:47:36PM +, Phil Mayers wrote:
> Ok, correct usage is:
> 
> radmin
> > inject to (auth|acct) dstip dstport

Aha. The 'help' message is decidedly unhelpful there (so is the error
"Unknown socket type").  It works when I add 'auth', thank you.

> > inject from srcip
> > inject file input output

And it turns out radiusd forces a prepend onto the output path, but not the
input path:

++[exec] returns noop
Failed to send injected file to 
/v/build/fr/var/log/radius//home/brian/test.out: No such file or directory

It would be nice to allow '-' for input and output, so you didn't have to
mess with temporary files, but that would involve sending the request and
response across the socket.

I'll probably stick to radclient + loopbacks for now, although the ability
to set an arbitrary source IP using radmin inject is nice.

Simple GUI app attached. It's quite neat what you can do in 70 lines of ruby
:-)

Regards,

Brian.

---
require 'rubygems'
require 'sinatra'
require 'haml'

RADCLIENT = "/usr/bin/radclient"
RADIUSD = "/usr/sbin/freeradius"

# List available loopback interfaces [Label, IP address, secret]
SOURCES = [
  ['Default', '127.0.0.1', 'testing123'],
  ['Test LAC', '192.0.2.1', 'anothersecret'],
]

$radiusd = IO.popen("#{RADIUSD} -X -i 127.0.0.1 -p 18123","w+")
begin
  exit unless (line = $radiusd.gets)
  print line
end until line =~ /Ready to process requests/

set :lock, true   # prevent concurrent requests

get '/' do
  haml :root
end

post '/' do
  # Flush any remaining debug info
  $radiusd.gets while select([$radiusd], nil, nil, 0)
  @radclient = ""
  @radiusd = ""
  source = SOURCES.find { |src| src[1] == params[:source] } || SOURCES.first
  IO.popen("#{RADCLIENT} -x 127.0.0.1:18123 auth '#{source[2]}' 2>&1","w+") do |io|
    io.puts "Packet-Src-IP-Address = #{source[1]}"
    io.puts params[:avp]
    io.close_write
    loop do
      ready, _ = select([io, $radiusd], nil, nil, 10)
      unless ready
        @radiusd << "** TIMEOUT **"
        break
      end
      if ready.include?(io)
        break unless (line = io.gets)
        @radclient << line
      end
      if ready.include?($radiusd)
        exit unless (line = $radiusd.gets)
        @radiusd << line
      end
    end
  end
  haml :root
end

__END__

@@ root
%html
  %head
    %title radtest GUI
  %body
    %form{:action=>'/',:method=>'post'}
      %ul
        - SOURCES.each do |label, ip, secret|
          %li
            %input{:type=>'radio',:name=>'source',:value=>ip,:checked=>params[:source]==ip}&= label
      %textarea{:name=>'avp',:rows=>12, :cols=>60}&= params[:avp]
      %input{:type=>'submit'}
    - if @radclient
      %h1 radclient response
      %pre&= @radclient
    - if @radiusd
      %h1 radiusd debug output
      %pre&= @radiusd


Re: Sending attribute with sub-attributes

2011-03-14 Thread Kristoffer Milligan

Yep :)

git clone git://git.freeradius.org/freeradius-server.git

- Kristoffer

On 03/14/2011 02:08 PM, David Peterson wrote:

AHh ok great!

It appears  I am on v2.2.  Should I be on 3.0 to support the sub-sub tlvs
needed for this NAS?

David

-Original Message-
From:
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradiu
s.org] On Behalf Of Alan DeKok
Sent: Monday, March 14, 2011 9:05 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Sending attribute with sub-attributes

David Peterson wrote:

I am working on the same issue, likely with the same NAS vendor.  Is
the order important?

   Yes.  List them in order of attribute number, lowest to highest.

   Basically, the same order that they are in the dictionary.


I am also seeing some "uknown attributes" in my pcap file.

   No... the pcap *viewer* you're using doesn't support the WiMAX attributes.
This is not surprising.  Wireshark grabbed the dictionaries from FreeRADIUS
a few years ago, and haven't updated them since.


  Perhaps I
am on the wrong build.  How do I verify if I am compiling 3.0 version?

$ radiusd -v

   Alan DeKok.


Re: Sending attribute with sub-attributes

2011-03-14 Thread Kristoffer Milligan

You could run a radiusd -v to check the version that's installed.

if we are using the same vendor, it's likely that the unknown attributes 
are unknown simply because the vendor have messed them up .. :)


- Kristoffer

On 03/14/2011 01:54 PM, David Peterson wrote:


I am working on the same issue, likely with the same NAS vendor.  Is 
the order important?


I am also seeing some "uknown attributes" in my pcap file.   Perhaps I 
am on the wrong build.  How do I verify if I am compiling 3.0 version?


David

-Original Message-
From: 
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org 
[mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org] 
On Behalf Of Alan DeKok

Sent: Monday, March 14, 2011 6:48 AM
To: FreeRadius users mailing list
Subject: Re: Sending attribute with sub-attributes

Kristoffer Milligan wrote:
> Attribute
> R3-IF-Descriptor
> Sub-TLV
> R3-IF-Name
> R3-IF-ID
> PDFID
>
> These are all exposed in the dictionary .. but running a MySQL based
> freeradius configuration, how do I return this type of packet when a
> user requests access?

R3-IF-Name = "foo"
R3-IF-ID = 1234
...

  The server will take care of encapsulating them into the
R3-IF-Descriptor when it sends a packet.  Until then, don't worry
about it. :)

  Alan DeKok.


RE: Sending attribute with sub-attributes

2011-03-14 Thread David Peterson
AHh ok great!  

It appears  I am on v2.2.  Should I be on 3.0 to support the sub-sub tlvs
needed for this NAS?

David

-Original Message-
From:
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradiu
s.org] On Behalf Of Alan DeKok
Sent: Monday, March 14, 2011 9:05 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Sending attribute with sub-attributes

David Peterson wrote:
> I am working on the same issue, likely with the same NAS vendor.  Is 
> the order important?

  Yes.  List them in order of attribute number, lowest to highest.

  Basically, the same order that they are in the dictionary.

> I am also seeing some "uknown attributes" in my pcap file.

  No... the pcap *viewer* you're using doesn't support the WiMAX attributes.
This is not surprising.  Wireshark grabbed the dictionaries from FreeRADIUS
a few years ago, and haven't updated them since.

>  Perhaps I
> am on the wrong build.  How do I verify if I am compiling 3.0 version?

$ radiusd -v

  Alan DeKok.


Re: Packet tracing web interface

2011-03-14 Thread Brian Candler
On Mon, Mar 14, 2011 at 10:27:00AM +, Alan Buxey wrote:
> radmin can indeed inject packets and give you reply
>  ie 
> 
> radmin> inject ?
> inject to   - Inject packets to the destination IP and port.
> inject from  - Inject packets as if they came from 
> inject file   - Inject packet from input-file>, with 
> results sent to 

Thank you. For what it's worth, I *did* go and read the manpage, carefully,
before replying.  The 'inject' option is not mentioned there.

Have you got an example of its use? It seems rather broken to me. I do
have mode=rw set.

radmin> inject
inject to   - Inject packets to the destination IP and port.
inject from  - Inject packets as if they came from 
inject file   - Inject packet from input-file>, with 
results sent to 
radmin> inject to 127.0.0.1 1812
ERROR: Unknown socket type
radmin> inject from 127.0.0.1
ERROR: You must specify "inject to" before using "inject from"
radmin> inject file /home/brian/test.in /home/brian/test.out

$ 

Meanwhile, radiusd -X running in a different window shows:

radmin> inject to 127.0.0.1 1812
Ready to process requests.
radmin> inject from 127.0.0.1
Ready to process requests.
radmin> inject file /home/brian/test.in /home/brian/test.out
Segmentation fault
$ 

The contents of /home/brian/test.in are simply:

User-Name = "steve"
User-Password = "testing"

If I rerun radiusd -X under gdb, here's where it crashes:

Ready to process requests.
radmin> inject file /home/brian/test.in /home/brian/test.out

Program received signal SIGSEGV, Segmentation fault.
0x00411b74 in command_inject_file (listener=0x7b11b0, 
argc=, argv=0x7fffdaf0)
at /usr/include/bits/string3.h:52
52return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0  0x00411b74 in command_inject_file (listener=0x7b11b0, 
argc=, argv=0x7fffdaf0)
at /usr/include/bits/string3.h:52
#1  0x00415fc5 in command_domain_recv (listener=0x7b11b0, 
pfun=, prequest=)
at command.c:2196
#2  0x0042a050 in event_socket_handler (xel=, 
fd=, ctx=) at event.c:3423
#3  0x77bd1bdb in fr_event_loop (el=0x7a8810) at event.c:411
#4  0x0041c74a in main (argc=2, argv=)
at radiusd.c:406
(gdb) 


Regards,

Brian.


Re: Sending attribute with sub-attributes

2011-03-14 Thread Alan DeKok
David Peterson wrote:
> I am working on the same issue, likely with the same NAS vendor.  Is the
> order important?

  Yes.  List them in order of attribute number, lowest to highest.

  Basically, the same order that they are in the dictionary.

> I am also seeing some "uknown attributes" in my pcap file.

  No... the pcap *viewer* you're using doesn't support the WiMAX
attributes.  This is not surprising.  Wireshark grabbed the dictionaries
from FreeRADIUS a few years ago, and haven't updated them since.

>  Perhaps I
> am on the wrong build.  How do I verify if I am compiling 3.0 version?

$ radiusd -v

  Alan DeKok.


Re: Packet tracing web interface

2011-03-14 Thread Alan DeKok
Phil Mayers wrote:
> Failure to issue "inject to" and "inject from" first results in a segfault.

People actually want this stuff to work?

  OK... I'll fix it for 2.1.11.

  Alan DeKok.


Proxy Request to Virtual Server using EAP

2011-03-14 Thread joao...@gmail.com
Hello Guys

I need help using proxy requests to a virtual_server with EAP-TTLS and
EAP-PEAP.

I have the following scenario:

I have a Radius Server (version 2.1.10); this server runs on Linux Debian 6.

This server must authenticate users of my wireless network. But my network
is interconnected with several educational institutions, and users of these
institutions are in my network.

For users who are in my company, I want to authenticate them in my radius
server, for users who are from other institutions to do routing or proxy
server.


I already have configured the authentication of my users using LDAP as a
backend.

My users will be divided into groups; each group has its own realm, and each
realm forwards the authentication to a virtual server.

If my users try to authenticate without entering the realm, it works OK.
If users from other institutions try to authenticate stating the realm of their
institution, my radius is, as usual, the proxy, and it works OK.
If my users try to authenticate giving the realm, I see in debug mode that the
virtual server is invoked, but the authentication does not happen; it
reports the following error:

# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Multiple levels of TLS nesting is invalid.
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel

Apparently it often wraps the request with TLS, and can no longer
decapsulate it.

If you do a test without using EAP authentication (via radtest),
authentication with realm works.

I have already researched enough on the internet but have not found a solution.

I need to make a proxy to a virtual_server using EAP.

If anyone can help me, thank you.

Sincerely John


-- 
João Paulo de Lima Barbosa

RE: Sending attribute with sub-attributes

2011-03-14 Thread David Peterson
I am working on the same issue, likely with the same NAS vendor.  Is the
order important?

I am also seeing some "unknown attributes" in my pcap file.   Perhaps I am on
the wrong build.  How do I verify if I am compiling 3.0 version?

David

-Original Message-
From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, March 14, 2011 6:48 AM
To: FreeRadius users mailing list
Subject: Re: Sending attribute with sub-attributes

Kristoffer Milligan wrote:
> Attribute
> R3-IF-Descriptor
> Sub-TLV
> R3-IF-Name
> R3-IF-ID
> PDFID
>
> These are all exposed in the dictionary .. but running a MySQL based
> freeradius configuration, how do I return this type of packet when a
> user requests access?

R3-IF-Name = "foo"
R3-IF-ID = 1234
...

  The server will take care of encapsulating them into the R3-IF-Descriptor
when it sends a packet.  Until then, don't worry about it. :)

  Alan DeKok.

Re: Packet tracing web interface

2011-03-14 Thread Phil Mayers

On 14/03/11 12:11, Phil Mayers wrote:
> On 14/03/11 10:16, Brian Candler wrote:
>> On Sat, Mar 12, 2011 at 11:08:27PM +, Phil Mayers wrote:
>>> On 03/12/2011 01:02 PM, Brian Candler wrote:
>>>> I'd like to build a "packet tracer" web interface for freeradius:
>>>> that is, somewhere where you can paste in a set of AV pairs (perhaps
>>>> caught from radsniff), and you get back the AV responses plus all the
>>>> decision-making logic that took place. Basically what freeradius -X
>>>> shows.
>>>
>>> Have you seen
>>>
>>> radmin
>>
>> I can't see how radmin would help here. Is it possible to use it to
>> inject a test packet? I can't see how, in which case I need to use
>> radclient anyway.
>
> I'll be honest - I haven't tried it! But I quickly glanced at the source
> code for the "radmin inject" command I referred to, and it certainly
> seemed like it would allow injection of arbitrary packets, and capture
> of the replies.
>
> Having said that, I just segfaulted the server I tested it on, so be
> careful!

Ok, correct usage is:

radmin
> inject to (auth|acct) dstip dstport
> inject from srcip
> inject file input output

Failure to issue "inject to" and "inject from" first results in a segfault.

It seems to look for input & output files in "logdir" from radiusd.conf
- the code seems to in theory handle absolute file paths, but I'm having
trouble making that work.



Re: Packet tracing web interface

2011-03-14 Thread Phil Mayers

On 14/03/11 10:16, Brian Candler wrote:
> On Sat, Mar 12, 2011 at 11:08:27PM +, Phil Mayers wrote:
>> On 03/12/2011 01:02 PM, Brian Candler wrote:
>>> I'd like to build a "packet tracer" web interface for freeradius: that is,
>>> somewhere where you can paste in a set of AV pairs (perhaps caught from
>>> radsniff), and you get back the AV responses plus all the decision-making
>>> logic that took place.  Basically what freeradius -X shows.
>>
>> Have you seen
>>
>> radmin
>
> I can't see how radmin would help here. Is it possible to use it to inject a
> test packet?  I can't see how, in which case I need to use radclient anyway.

I'll be honest - I haven't tried it! But I quickly glanced at the source
code for the "radmin inject" command I referred to, and it certainly
seemed like it would allow injection of arbitrary packets, and capture
of the replies.

Having said that, I just segfaulted the server I tested it on, so be
careful!



Re: Riverbed console authentication, encrypted User-Password

2011-03-14 Thread Schaatsbergen, Chris
Hi,

Pretty weird. I set the Shared Secret again (in CLI) and had exactly the same 
results. So I tried setting the shared secret using the Riverbed web interface 
and now it works perfectly. Will write a new ticket for Riverbed support.

Sorry to have bothered you, thanks for the help.

Chris Schaatsbergen

> -Original Message-
> From: freeradius-users-bounces+chris.schaatsbergen=aleo-
> solar...@lists.freeradius.org [mailto:freeradius-users-
> bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On
> Behalf Of Stefan Winter
> Sent: Monday, 14 March 2011 11:12
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Riverbed console authentication, encrypted User-Password
> 
> Hi,
> 
> > I have been asked if our Riverbed console users can also be
> authenticated through freeRadius. Riverbed has RiOS running, which is
> almost Cisco IOS and a Radius Server can be configured so I did. In
> freeRadius I added the Riverbed as client but unfortunately it was not
> that easy (is it ever?).
> >
> > rad_recv: Access-Request packet from host 10.1.1.27 port 9538, id=37,
> length=71
> > User-Name = "username"
> > User-Password = "/\227\334\377\374\302\343\204\345\001'O\227"
> > NAS-Identifier = "webasd"
> > NAS-Port = 8513
> > NAS-Port-Type = Virtual
> > Service-Type = Authenticate-Only
> >
> > That is not the password I entered, my conclusion is that Riverbed
> encrypts the password before the entire request is encrypted using the
> shared secret.
> 
> This looks like a typical case of shared secret mismatch. Are you
> *sure* that the shared secret is exactly the same on RiOS and
> FreeRADIUS?
> 
> > I cannot find a way to change how Riverbed sends the request, though
> I am writing a ticket there as well. My question to you, can freeRadius
> work with encrypted passwords?
> 
> It can, in a multitude of ways. None of these ways is about
> en-/decrypting the password within the User-Password attribute though.
> That is very odd. My strong guess is a shared secret mismatch instead.
> 
> Greetings,
> 
> Stefan Winter
> 
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> 
> Tel: +352 424409 1
> Fax: +352 422473
> 




Re: Sending attribute with sub-attributes

2011-03-14 Thread Alan DeKok
Kristoffer Milligan wrote:
> Attribute
> R3-IF-Descriptor
> Sub-TLV
> R3-IF-Name
> R3-IF-ID
> PDFID
> 
> These are all exposed in the dictionary .. but running a MySQL based
> freeradius configuration, how do I return this type of packet when a
> user requests access?

R3-IF-Name = "foo"
R3-IF-ID = 1234
...

  The server will take care of encapsulating them into the
R3-IF-Descriptor when it sends a packet.  Until then, don't worry about
it. :)

  Alan DeKok.


Sending attribute with sub-attributes

2011-03-14 Thread Kristoffer Milligan

Hello list,

I have compiled and am now running FR v3.0 and it seems to be working 
fine. I have reached the situation where I need to send attributes that 
contain sub TLVs for automatic configuration of WiMAX basestations.


With great help from list user Ben Wiechman I have a dictionary that has 
been fit to match (as best possible) the specification provided by the 
equipment vendor. For automatic configuration of the basestation, one of 
the attributes required is for example:


Attribute
R3-IF-Descriptor
Sub-TLV
R3-IF-Name
R3-IF-ID
PDFID

These are all exposed in the dictionary .. but running a MySQL based 
freeradius configuration, how do I return this type of packet when a 
user requests access?


Sincerely,
Kristoffer Milligan


Re: Packet tracing web interface

2011-03-14 Thread Alan Buxey
Hi,

> > 
> > radmin
> 
> I can't see how radmin would help here. Is it possible to use it to inject a
> test packet?  I can't see how, in which case I need to use radclient anyway.

you seem to have selectively edited Phil's reply.

radmin can indeed inject packets and give you reply
 ie 

radmin> inject ?
inject to   - Inject packets to the destination IP and port.
inject from  - Inject packets as if they came from 
inject file   - Inject packet from input-file>, with 
results sent to 


so, to revisit your flow,

>   post AV pairs
> browser --> web app

okay. then use radmin to take those attributes and stick em into
the running RADIUS server  (don't forget that using radiusd -X
can give interesting false results (it runs in single thread...a
real server runs in multithread mode))

get the output file from radmin and then..

>  * gen HTML  <- [debug file]
>   HTML page  * unlock
> <--

done.

you could carry on ignoring initial advice sent from knowledgeable
people but we are trying to help with your quest.

alan


Re: Packet tracing web interface

2011-03-14 Thread Brian Candler
On Sat, Mar 12, 2011 at 11:08:27PM +, Phil Mayers wrote:
> On 03/12/2011 01:02 PM, Brian Candler wrote:
> >I'd like to build a "packet tracer" web interface for freeradius: that is,
> >somewhere where you can paste in a set of AV pairs (perhaps caught from
> >radsniff), and you get back the AV responses plus all the decision-making
> >logic that took place.  Basically what freeradius -X shows.
> >
> 
> Have you seen
> 
> radmin

I can't see how radmin would help here. Is it possible to use it to inject a
test packet?  I can't see how, in which case I need to use radclient anyway.

radmin can turn debugging on and off, but I'd probably run a separate
instance of radiusd for the web test interface - otherwise lots of live
debugging traffic would get intermingled with it.  Hence I could leave
debugging turned on permanently.

I'm thinking about this design:

  post AV pairs
browser --> web app
 * lock
 * radclient  req > radiusd -X
 <--- reply ---
 * gen HTML  <- [debug file]
  HTML page  * unlock
<--

If I run radiusd -X as a child from another process I can capture its output
without writing it to a file.

Regards,

Brian.


Re: Riverbed console authentication, encrypted User-Password

2011-03-14 Thread Stefan Winter
Hi,

> I have been asked if our Riverbed console users can also be authenticated 
> through freeRadius. Riverbed has RiOS running, which is almost Cisco IOS and 
> a Radius Server can be configured so I did. In freeRadius I added the 
> Riverbed as client but unfortunately it was not that easy (is it ever?).
>
> rad_recv: Access-Request packet from host 10.1.1.27 port 9538, id=37, 
> length=71
> User-Name = "username"
> User-Password = "/\227\334\377\374\302\343\204\345\001'O\227"
> NAS-Identifier = "webasd"
> NAS-Port = 8513
> NAS-Port-Type = Virtual
> Service-Type = Authenticate-Only
>
> That is not the password I entered, my conclusion is that Riverbed encrypts 
> the password before the entire request is encrypted using the shared secret.

This looks like a typical case of shared secret mismatch. Are you *sure*
that the shared secret is exactly the same on RiOS and FreeRADIUS?

> I cannot find a way to change how Riverbed sends the request, though I am 
> writing a ticket there as well. My question to you, can freeRadius work with 
> encrypted passwords?

It can, in a multitude of ways. None of these ways is about
en-/decrypting the password within the User-Password attribute though.
That is very odd. My strong guess is a shared secret mismatch instead.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





Riverbed console authentication, encrypted User-Password

2011-03-14 Thread Schaatsbergen, Chris
Greetings all,

I have been asked if our Riverbed console users can also be authenticated 
through freeRadius. Riverbed has RiOS running, which is almost Cisco IOS and a 
Radius Server can be configured so I did. In freeRadius I added the Riverbed as 
client but unfortunately it was not that easy (is it ever?).

rad_recv: Access-Request packet from host 10.1.1.27 port 9538, id=37, length=71
User-Name = "username"
User-Password = "/\227\334\377\374\302\343\204\345\001'O\227"
NAS-Identifier = "webasd"
NAS-Port = 8513
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only

That is not the password I entered, my conclusion is that Riverbed encrypts the 
password before the entire request is encrypted using the shared secret.

I cannot find a way to change how Riverbed sends the request, though I am 
writing a ticket there as well. My question to you, can freeRadius work with 
encrypted passwords?

Thanks in advance,

Chris Schaatsbergen



Re: freeradius2 update

2011-03-14 Thread Alan DeKok
Student University wrote:
> is there anything like freeradius2.repo ,

  Read the main web page.  Click on the "download" link.

  Alan DeKok.


Re: freeradius2 update

2011-03-14 Thread Eric Doutreleau

Well, I don't know if there's such a repo.
I can share with you my rpms for centos 5 for i386.

We have moved to 2.1.10 recently and we're very happy with it.

The most interesting thing is the raddebug command.
It's really a nice feature of this version.

Yours

On 14/03/2011 09:21, Student University wrote:

> Dear all ,
>
> is there anything like freeradius2.repo ,
>
> so we can safely use yum update to latest stable version of freeradius
> 2.1.10
>
> any community have like experience ,,,
>
> BR,


freeradius2 update

2011-03-14 Thread Student University
Dear all ,

is there anything like freeradius2.repo ,

so we can safely use yum update to latest stable version of freeradius
2.1.10

any community have like experience ,,,

BR,

Re: Calling-Station-Id problem

2011-03-14 Thread Brian Candler
On Sun, Mar 13, 2011 at 04:37:06AM -0700, ziko wrote:
>I tried both format together like this:
>user1  Calling-Station-Id == 00-00-00-00-00
>user1  Calling-Station-Id == 00:00:00:00:00
>but no success.

You could do a rewrite:

if (Calling-Station-Id =~ /^([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$/i) {
  update request {
    # six octets captured; := replaces the existing value
    Calling-Station-Id := "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
  }
}


Re: Calling-Station-Id problem

2011-03-14 Thread Suman Dash
You need to check the Calling-Station-Id format sent by the NAS. Start
radius in debug mode and send an auth request; the debug will show whether
your NAS sends Calling-Station-Id or not.

If it sends the Calling-Station-Id you can clearly see the format of the
same.

Best Regards
Suman Dash

On Sun, Mar 13, 2011 at 5:07 PM, ziko  wrote:

> Hello. I am using freeradius2 on my CentOS5.
> It's working great.
> But now I have one problem. I need to use wireless and pppoe together in my
> network.
> Users must login both in wireless and pppoe. wireless using MAC format
> 00-00-00-00-00 and pppoe 00:00:00:00:00
> How can i indicate calling-station-id for one user for both, wireless and
> pppoe?
>
> I tried both format together like this:
>
> user1  Calling-Station-Id == 00-00-00-00-00
> user1  Calling-Station-Id == 00:00:00:00:00
>
> but no success.
>
> I am using mikrotik and ubiquity products as NAS and ubiquity  as clients.
>
> Please help me.
>
> Sorry for my poor English.

Re: Redirecting accounting packets

2011-03-14 Thread Alan DeKok
Rajkumar R wrote:
>  However, we would it like to scale up to 1million users and would like
> to know if it have performance impact on the proxy server(with the
> foresaid setup would it be enough to handle a high traffic with 1 proxy
> & 2 freeRadius servers?) as all the radius-acct messages(for ~1million
> users) from the NAS are pumped to the only proxy server.

  Proxies should be able to handle very high loads.  The back-end
servers will be limited only by the performance of the database they use.

  Alan DeKok.