[Fwd: DAViCal Server Cannot Sent Invites]
Dear All, i understand this should be addressed to DAViCal list, and i did but no one responded AT ALL third day today. i am sure someone would be defiantly using the program. kindly help if anyone have solution or idea. Original Message Subject: [Davical-general] DAViCal Server Cannot Sent Invites From:Shiv. Nath prabh...@digital-infotech.net Date:Thu, November 8, 2012 12:53 pm To: davical-gene...@lists.sourceforge.net -- Dear List Community Greetings Kindly Help, i have been given a task to implement enterprise level calendar, than i decided to go with Davical using Debain 6x. But i have stack at one stage and almost no idea. Kindly help, if someone have come across this problem remember the solution: 1.) Davical installation Successful 2.) I can login to ADMIN page, create users, groups, resources etc.. 3.) i can login to CALENDAR web interface by admin or any other user created 4.) I can create account in sunbird calendar application Successfully. 5.) I can create account in iCal calendar application Successfully. 6.) Sharing is working in clients, can see each others events Successfully Problems: I cannot send invites from either Mac iCal client or sunbird calendar application. it is fully functional mail server that DAViCal is running on with proper MX PTR. i can send emails out receive using squirrelmail application that is tested. This directive has been tried both ways $c-enable_auto_schedule = true; $c-enable_auto_schedule = false; -- Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_nov ___ Davical-general mailing list davical-gene...@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/davical-general Thanks / Shiv. Nath - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: help:freeradius + ldap + cisco ap can not work
On Fri, Nov 09, 2012 at 04:59:44PM +0800, Manifold Yu wrote:
pap against LDAP works find,but others can not works find (eg:mschap) .
[ldap] looking for check items in directory...
[ldap] userPassword - Cleartext-Password ==
{MD5}85Q3W/VY9rt11BfdBNzdfQ==
Your password, from LDAP, is not clear text. You need clear text
passwords or NTLM (NT-Password) for mschap to work.
http://deployingradius.com/documents/protocols/compatibility.html
Matthew
--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Recursive modules?
I was wondering if an unlang module in 2.2.x could call itself recursively.
For example, I have a reply list with potentially large number of
Framed-Route attributes and I want to replace each one with something else.
Could I do the following?
rewriteFramedRoutes {
if (%{reply:Framed-Route}) {
update reply {
Cisco-AVPair += ip:route=...etc...
Framed-Route -= %{reply:Framed-Route}
}
rewriteFramedRoutes
}
}
Unfortunately a quick test suggests that the module can't find itself.
/etc/freeradius/policy.conf[310]: Failed to find rewriteFramedRoutes in
the modules section.
Does this mean that module can only invoke other modules which have been
previously declared?
Regards,
Brian.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Recursive modules?
On 9 Nov 2012, at 11:51, Brian Candler b.cand...@pobox.com wrote: I was wondering if an unlang module in 2.2.x could call itself recursively. No Does this mean that module can only invoke other modules which have been previously declared? Yes -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Oddity with configurable failover
This is with freeradius 2.2.0.
Support in policy.conf I define a module:
policy {
mymodule {
update reply {
Reply-Message += boo
}
}
...
}
Now in sites-available/default, I can happily do
authorize {
mymodule
...
}
But if I write it as
authorize {
mymodule {
ok = return
}
...
}
then the server fails to load at all, and freeradius -X reports:
...
Module: Checking authorize {...} for more modules to load
/etc/freeradius/sites-enabled/default[20]: Failed to find mymodule in the
modules section.
/etc/freeradius/sites-enabled/default[19]: Errors parsing authorize section.
However,
authorize {
chap {
ok = return
}
}
is fine.
Is configurable failover not available for user-defined modules? (If so, I
couldn't find this in doc/configurable_failover.rst )
What I'm actually trying to do is run a user-defined module up to 20 times,
but stop after the first return of 'notfound' - without making a horrible
20-deep nested if statement. It's not important to do it this way, but I
was surprised I couldn't.
Thanks,
Brian.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
different EAP methods for different users
Hi, we're currently supporting only PEAP, that is we base our security on passwords. We'd like to introduce higher security for a limited set of users this way: 1. support both PEAP and EAP/TTLS 2. configure freeradius to authenticate these users (stored in a local table) *only* if they use EAP/TTLS. They should *not* be authenticated if they used PEAP. Is this (in particular point 2.) easily achievable? Thank you very much in advance, Stefano - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Regarding pam_radius_auth to be integrated with busybox
Hi Arran, On one another board, still I am getting the same error. Still should I need to change any other thing? Regards, Deep On Tue, Oct 30, 2012 at 8:31 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote: On 30 Oct 2012, at 14:13, Deep Shah deep.s...@strixsystems.com wrote: Sorry for inconvenience. I have enabled flag of mips in md5.c file of pam_radius_auth and my issue is resolved now. Ahhh. https://github.com/FreeRADIUS/pam_radius/commit/c61a218efb2a0ec4f493bcc9fa735306f779ea64 -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: different EAP methods for different users
Stefano Zanmarchi wrote:
we're currently supporting only PEAP, that is we base our security on
passwords.
We'd like to introduce higher security for a limited set of users this way:
1. support both PEAP and EAP/TTLS
2. configure freeradius to authenticate these users (stored in a local
table)
*only* if they use EAP/TTLS. They should *not* be authenticated if
they used PEAP.
Put the users into a group. Then, in the authorize section, after
eap, do:
if ((EAP-Type == PEAP) (My-Group == notpeap)) {
reject
}
See man rlm_passwd for examples of creating a group.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Oddity with configurable failover
Brian Candler wrote:
Module: Checking authorize {...} for more modules to load
/etc/freeradius/sites-enabled/default[20]: Failed to find mymodule in the
modules section.
You can't over-ride the return codes of policies. You can only do
this for real modules.
Is configurable failover not available for user-defined modules? (If so, I
couldn't find this in doc/configurable_failover.rst )
See man unlang. It might be there.
What I'm actually trying to do is run a user-defined module up to 20 times,
but stop after the first return of 'notfound' - without making a horrible
20-deep nested if statement. It's not important to do it this way, but I
was surprised I couldn't.
I'd just nest it 20 times. Or, use a Perl script.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Concatenating/inserting strings with backslashes
Here's something weird. I'm trying to concatenate some strings which contain
backslash n (i.e. not a newline).
In a normal string literal, I have to enter four backslashes:
update reply {
Reply-Message := anb
}
(\\n gives a newline, \\\n gives backslash followed by newline)
But when I try to insert one string into another it goes completely haywire.
update reply {
Reply-Message := foonbar
}
update reply {
Reply-Message := %{reply:Reply-Message}nbaz
}
This gives me foo newline bar newline baz. That is, even the
second n is being collapsed into a newline!
Some more test cases:
update reply {
Reply-Message := foonbar
}
update reply {
Reply-Message := quxnbaz
}
correctly gives me qux backslash n baz
update reply {
Reply-Message := foonbar
}
update reply {
Reply-Message := %{Wibble:-qux}nbaz
}
gives me newline baz. In fact, I need *eight* backslashes to get a
literal backslash here:
Reply-Message := %{Wibble:-qux}nbaz
So somehow, the presence of a string expansion within a string affects the
interpretation of subsequent backslashes within that string.
Now, this works:
update reply {
Reply-Message := foonbar
}
update reply {
Reply-Message := %{reply:Reply-Message}nbaz
}
But then if I do another layer of string insertion they get translated to
newlines again.
update reply {
Reply-Message := foonbar
}
update reply {
Reply-Message := %{reply:Reply-Message}nbaz
}
update reply {
Reply-Message := %{reply:Reply-Message}
}
This seems pretty broken to me, but if someone would care to explain how to
deal with it, please do.
Or is there another way I can concatenate strings, which doesn't involve
expanding them into another string?
Thanks,
Brian.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: different EAP methods for different users
Thanks!
On Fri, Nov 9, 2012 at 3:12 PM, Alan DeKok al...@deployingradius.comwrote:
Stefano Zanmarchi wrote:
we're currently supporting only PEAP, that is we base our security on
passwords.
We'd like to introduce higher security for a limited set of users this
way:
1. support both PEAP and EAP/TTLS
2. configure freeradius to authenticate these users (stored in a local
table)
*only* if they use EAP/TTLS. They should *not* be authenticated if
they used PEAP.
Put the users into a group. Then, in the authorize section, after
eap, do:
if ((EAP-Type == PEAP) (My-Group == notpeap)) {
reject
}
See man rlm_passwd for examples of creating a group.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Regarding pam_radius_auth to be integrated with busybox
On 9 Nov 2012, at 14:07, Deep Shah deep.s...@strixsystems.com wrote: Hi Arran, On one another board, still I am getting the same error. Still should I need to change any other thing? Apparently MIPS and SPARC CPU's have configurable endianess, so the __sparc and __mips checks are probably wrong. I know autoconf has a macro for this, probably should add an autoconf script and use that instead of the compiler definitions. could you remove: #elif defined(__sparc) || defined(__mips) #define HIGHFIRST in md5.c and check that this fixes the issue. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Concatenating/inserting strings with backslashes
Brian Candler writes:
Or is there another way I can concatenate strings, which doesn't involve
expanding them into another string?
The workaround I've used for this is to feed the value through a regexp
match to get it into %{1}, which does not seem to be subject to unescaping.
try:
if (%{reply:Reply-Message} =~ /(.*)/) {
update reply {
Reply-Message = stuff %{1}
}
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
redundant with ldap and sql not working
Hi all,
I'm trying to do failoverusing redundant section but it seems not working:
file : site-enable/eduroam (here the redundant section works fine)
authorize {
preprocess
if (%{User-Name} == L3Test) {
redundant {
sql_l3Test
files
}
}
mschap
suffix
eap {
ok = return
}
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
radutmp
sql_acct
exec
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
file : site-enable/eduroam-inner-tunnel where the redundant section
doesn't work
server eduroam-inner-tunnel {
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
authorize {
chap
mschap
suffix
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
redundant {
ldap
sql_auth
}
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
eap
}
session {
radutmp
}
post-auth {
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
}
Maybe it is not possible?
Thanks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Concatenating/inserting strings with backslashes
On 09/11/12 15:39, Brian Candler wrote:
Here's something weird. I'm trying to concatenate some strings which contain
backslash n (i.e. not a newline).
Uh oh... here be dragons!
In a normal string literal, I have to enter four backslashes:
update reply {
Reply-Message := anb
}
(\\n gives a newline, \\\n gives backslash followed by newline)
Yeah; I think there is a similar thing happening here to the regexp
stuff I discussed on -devel recently.
I think what happens in the code is this:
1. lib/token.c:gettoken loads the config file and performs backslash
processing on any quoted strings
2. conffile.c:cf_pairtovp loads the VP update list at config load
time, and sets the do_xlat flag on any that are double-quoted
3. modcall.c:modcall calls radius_update_attrlist
4. evaluate.c:radius_update_attrlist checks the do_xlat flag on the
VP, which was set at config load, and calls expand_string (which calls
radius_xlat) followed by pairparsevalue.
The net effect is that:
update x {
Foo = an
}
...is de-escaped many times:
* into abackslashbackslashn by the gettoken / config file loader
* into abackslashn by radius_xlat
* into anewline by pairparsevalue (on the result of radius_xlat)
This kind of thing is pretty common - exim has a similar problem. It's
difficult to know what to do about it in a manner that's universally
satisfactory.
One solution is to not process \x anywhere except loading from config
files, but that's likely a very significant backwards compatibility
break... you also might *want* to provide a way for people to interpret
escapes again (though this can be done with an xlat e.g.
%{unescape:%{something-that-returns-backslash-n}} == newline
Others options exist. Personally I find the existing behaviour quite
surprising, but it's also something I very seldom run into, so don't
worry too much about.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ChilliSpot-UAM-Allowed on witch mysql table ?
Ok i get farther, solving dictionary missing attribute. The problem is that this doesn't give what i was looking for. this attribute is only available for granted user, and tried to solve the uamallowed issue under DD-WRT box. I mean i want to replace the UAM allowed embed in DD-WRT chillispot with those provide by server before to grant users Le mercredi 07 novembre 2012 à 00:33 +0100, yzy-oui-fi a écrit : OOps i meant radcheck or radreply, but radgroupreply will be my choice...Thanks for your reply Le samedi 27 octobre 2012 à 19:05 +0100, Phil Mayers a écrit : On 10/27/2012 05:03 PM, yzy-oui-fi wrote: Hi, I just wonder if this parameter should be set on Raddact or radreply or what ever. Attributes you want to send go in radreply or radgroupreply, if you're using groups. Attributes never go in radacct; radacct stores accounting info. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Concatenating/inserting strings with backslashes
try:
if (%{reply:Reply-Message} =~ /(.*)/) {
update reply {
Reply-Message = stuff %{1}
}
}
Nice idea, but it appears to suffer the same expansion problem.
As you have written it gives this error:
Bare %{...} is invalid in condition at: %{reply:Reply-Message} =~ /(.*)/)
Adding the double quotes:
update reply {
Reply-Message := foo
}
if (%{reply:Reply-Message} =~ /(.*)/) {
update reply {
Reply-Message := %{1}nbar
}
}
if (%{reply:Reply-Message} =~ /(.*)/) {
update reply {
Reply-Message := %{1}nbaz
}
}
This gives foo newline bar newline baz
update reply {
Reply-Message := foo
}
if (%{reply:Reply-Message} =~ /(.*)/) {
update reply {
Reply-Message := %{1}nbar
}
}
if (%{reply:Reply-Message} =~ /(.*)/) {
update reply {
Reply-Message := %{1}nbaz
}
}
This gives foo newline bar backslash n baz
Regards,
Brian.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Aliased IPs
I have a freeradius server which has multiple IPs aliased on the same
interface. This works if I specify each IP explicitly in its own listen {
} section but if I try to listen on * all responses are sent from the same
IP regardless of which IP the request was received on.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Concatenating/inserting strings with backslashes
Brian Candler wrote
try:
if (%{reply:Reply-Message} =~ /(.*)/) {
update reply {
Reply-Message = stuff %{1}
}
}
Nice idea, but it appears to suffer the same expansion problem.
As you have written it gives this error:
Bare %{...} is invalid in condition at: %{reply:Reply-Message} =~ /(.*)/)
Adding the double quotes:
Oh right.
I usually do this with e.g. User-Name without having to specify the attribute
list
explicitly; I forget whether syntax works to do that with a raw variable.
I know outer.VarName works raw, so maybe just reply:Reply-Message
without the braces or quotes?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dynamic IP Allocation
Hi
I'm trying to get dynamic ip allocation working. I ran a test via radtest:
[root@freerad raddb]# radtest billtest2 this#x7g localhost 0 mysecret
Sending Access-Request of id 53 to 192.168.111.55 port 1812
User-Name = billtest2
User-Password = this#x7g
NAS-IP-Address = 192.168.111.55
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 192.168.111.55 port 1812, id=53,
length=32
Framed-IP-Address = 192.168.1.215
Framed-IP-Netmask = 255.255.255.0
and I'm getting a IP that's not from my pool. Here is the pertinent
section in radiud.conf:
ippool main_pool {
range-start = 204.101.13.2
range-stop = 204.101.13.252
netmask = 255.255.255.0
}
which is within the modules section. Database wise the billtest2 user is
a user that belongs to a group linked to this pool.
The default site file has this pool in the post auth section.
Below is the radius log? What am I missing?
Bill
/usr/sbin/radiusd -X
FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Mar 25
2011 at 10:54:38
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/relay_detail
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default.orig
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/copy-acct-to-home-server
including configuration file /etc/raddb/sites-enabled/default
main {
user = radiusd
group = radiusd
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
Re: Dynamic IP Allocation
Any help on this? I have deleted the db.ippool and db.ipindex files,
restarted the server... But I get the same result. Different ip but from
a private address range.
Bill
On 11/9/2012 12:31 PM, Bill Schoolfield wrote:
Hi
I'm trying to get dynamic ip allocation working. I ran a test via radtest:
[root@freerad raddb]# radtest billtest2 this#x7g localhost 0 mysecret
Sending Access-Request of id 53 to 192.168.111.55 port 1812
User-Name = billtest2
User-Password = this#x7g
NAS-IP-Address = 192.168.111.55
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 192.168.111.55 port 1812,
id=53, length=32
Framed-IP-Address = 192.168.1.215
Framed-IP-Netmask = 255.255.255.0
and I'm getting a IP that's not from my pool. Here is the pertinent
section in radiud.conf:
ippool main_pool {
range-start = 204.101.13.2
range-stop = 204.101.13.252
netmask = 255.255.255.0
}
which is within the modules section. Database wise the billtest2 user is
a user that belongs to a group linked to this pool.
The default site file has this pool in the post auth section.
Below is the radius log? What am I missing?
Bill
/usr/sbin/radiusd -X
FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on
Mar 25 2011 at 10:54:38
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/counter
including configuration file
/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/relay_detail
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default.orig
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file
/etc/raddb/sites-enabled/copy-acct-to-home-server
including
Best way to capture RADIUS passwords
I am migrating from one RADIUS setup that checks against a flat file with usernames and passwords inside it . Over to a RADIUS server with and LDAP backend. I have used JTR to crack most of the passwords but I still have some left over that JTR cant crack. I was thinking of trying to run a packet capture to get the remaining usernames and passwords. What would be the best way to do this? Run RADIUS in debug mode Radius -X? Or try to use tcpdump and pick it up that way or is it even possible to do? I have been trolling the internet for a few days and have not come up with a good way to do it. I setup tcpdump to dump to a file (tcpdump -i eth0 -n -s0 port radius -w rad-capture.lpc) , but when I check it out with wireshark I am unable to see the password (just the username). Am I going about this the wrong way? Thanks, Chris - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dynamic IP Allocation
Please disregard this thread. I have solve my problem. Setup (as you
probably guessed) mistake.
Bill
On 11/9/2012 1:20 PM, Bill Schoolfield wrote:
Any help on this? I have deleted the db.ippool and db.ipindex files,
restarted the server... But I get the same result. Different ip but from
a private address range.
Bill
On 11/9/2012 12:31 PM, Bill Schoolfield wrote:
Hi
I'm trying to get dynamic ip allocation working. I ran a test via
radtest:
[root@freerad raddb]# radtest billtest2 this#x7g localhost 0 mysecret
Sending Access-Request of id 53 to 192.168.111.55 port 1812
User-Name = billtest2
User-Password = this#x7g
NAS-IP-Address = 192.168.111.55
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 192.168.111.55 port 1812,
id=53, length=32
Framed-IP-Address = 192.168.1.215
Framed-IP-Netmask = 255.255.255.0
and I'm getting a IP that's not from my pool. Here is the pertinent
section in radiud.conf:
ippool main_pool {
range-start = 204.101.13.2
range-stop = 204.101.13.252
netmask = 255.255.255.0
}
which is within the modules section. Database wise the billtest2 user is
a user that belongs to a group linked to this pool.
The default site file has this pool in the post auth section.
Below is the radius log? What am I missing?
Bill
/usr/sbin/radiusd -X
FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on
Mar 25 2011 at 10:54:38
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/counter
including configuration file
/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/relay_detail
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default.orig
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including
Re: Aliased IPs
James Devine fxmul...@gmail.com wrote:
I have a freeradius server which has multiple IPs aliased on the same
interface. This works if I specify each IP explicitly in its own
listen {
} section but if I try to listen on * all responses are sent from the
same
IP regardless of which IP the request was received on.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
Yes. Don't do this. List each ip
Or, look at udpfromto as an argument to ./configure
--
Sent from my phone. Please excuse brevity and typos.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Best way to capture RADIUS passwords
Am I going about this the wrong way? Yes, yes you are. #1) You will REALLY want to check your local laws, you may have just committed from a class B misdemeanor to a class C felony. Here is a link for states in the US: http://www.irongeek.com/i.php?page=computerlaws/state-hacking-laws #2) It is almost always simpler to get the user to reset their password #3) A tcp dump will not give you all the info you need to crack a PW depending on the encryption method in use. To summarize: Don't crack user's passwords without the backing of a bunch of high paid lawyers and metric ton of signed notarized paperwork saying that the parties involved have given you specific permission to do so. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor 900 College St. Belton TX. 76513 Fone: 254-295-4658 Phax: 254-295-4221 HTTP://WWW.UMHB.EDU From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Chris Taylor Sent: Friday, November 9, 2012 1:37 PM To: freeradius-users@lists.freeradius.org Subject: Best way to capture RADIUS passwords I am migrating from one RADIUS setup that checks against a flat file with usernames and passwords inside it . Over to a RADIUS server with and LDAP backend. I have used JTR to crack most of the passwords but I still have some left over that JTR cant crack. I was thinking of trying to run a packet capture to get the remaining usernames and passwords. What would be the best way to do this? Run RADIUS in debug mode Radius -X? Or try to use tcpdump and pick it up that way or is it even possible to do? I have been trolling the internet for a few days and have not come up with a good way to do it. I setup tcpdump to dump to a file (tcpdump -i eth0 -n -s0 port radius -w rad-capture.lpc) , but when I check it out with wireshark I am unable to see the password (just the username). Am I going about this the wrong way? Thanks, Chris - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Best way to capture RADIUS passwords
Subject: Best way to capture RADIUS passwords I am migrating from one RADIUS setup that checks against a flat file with usernames and passwords inside it . Over to a RADIUS server with and LDAP backend. I have used JTR to crack most of the passwords but I still have some left over that JTR cant crack. I was thinking of trying to run a packet capture to get the remaining usernames and passwords. What would be the best way to do this? Run RADIUS in debug mode Radius -X? Or try to use tcpdump and pick it up that way or is it even possible to do? I have been trolling the internet for a few days and have not come up with a good way to do it. I setup tcpdump to dump to a file (tcpdump -i eth0 -n -s0 port radius -w rad-capture.lpc) , but when I check it out with wireshark I am unable to see the password (just the username). Am I going about this the wrong way? You can use the radpostauth and mysql... that will give you username/passwords of connected, and failed connect attempts. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Aliased IPs
On Fri, Nov 9, 2012 at 12:47 PM, Phil Mayers p.may...@imperial.ac.ukwrote:
James Devine fxmul...@gmail.com wrote:
I have a freeradius server which has multiple IPs aliased on the same
interface. This works if I specify each IP explicitly in its own
listen {
} section but if I try to listen on * all responses are sent from the
same
IP regardless of which IP the request was received on.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
Yes. Don't do this. List each ip
Or, look at udpfromto as an argument to ./configure
--
Sent from my phone. Please excuse brevity and typos.
the --with-udpfromto configure option worked, thanks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP group child domain
Hi,
I'm in an active directory domain with child domain, tata as my primary, and
toto as my child domain.
I'm doing authorization based on LDAP group.
My User connect to freeradius using 802.1x and PEAP.
Using mschap and ntlm this is working great.
Now I want to give users access/or radius attribute based on their active
directory group.
I was able to do this using the LDAP module and users file.
The problem I am have now is; If I have a user group with the same name in my
primary domain (tata) and in my child domain (toto.tata), the freeradius does
not seems to see the difference (for exemple the domain users group).
In user file my LDAP policy look like that:
DEFAULT Ldap-Group == groupname
What I would like to do is write it like that:
DEFAULT Ldap-Group == cn=groupname, ou=OUofGroup, dc=toto, dc=tata
I'm pretty sure I have to work with those config in ldap:
groupname_attribute
groupmembership_filter
groupmembership_attribute
right now they are like that:
groupname_attribute = cn
groupmembership_filter =
(|((objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
groupmembership_attribute = memberOf
If anyone got some insight on how to solve this problem, I would greatly
appreciate.
Thank you,
Yann
--
Ce courriel a été filtré par ModusGate et Webshield afin de le
certifier comme légitime et exempt de virus.-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Best way to capture RADIUS passwords
On 9 Nov 2012, at 20:09, Steven Staples sstap...@mnsi.net wrote:
Subject: Best way to capture RADIUS passwords
I am migrating from one RADIUS setup that checks against a flat file with
usernames and passwords inside it . Over to a RADIUS server with and LDAP
backend. I have used JTR to crack most of the passwords but I still have
some left over that JTR cant crack.
I was thinking of trying to run a packet capture to get the remaining
usernames and passwords. What would be the best way to do this? Run RADIUS
in debug mode Radius -X? Or try to use tcpdump and pick it up that way or
is it even possible to do? I have been trolling the internet for a few
days
and have not come up with a good way to do it.
I setup tcpdump to dump to a file (tcpdump -i eth0 -n -s0 port radius -w
rad-capture.lpc) , but when I check it out with wireshark I am unable to
see the password (just the username). Am I going about this the wrong way?
You can use the radpostauth and mysql... that will give you
username/passwords of connected, and failed connect attempts.
post-auth {
update request {
Tmp-String-1 := `echo %{User-Password} /tmp/passwords`
}
}
Provided you're doing PAP (as your copy of the passwords are hashed i'm
guessing you are).
The reason why you don't see them in TCP dump is because the passwords are also
reversibly encrypted in the RADIUS packet.
Also, you know OpenLDAP can use a bunch of different types of password hashes
right? As in, it will even use them for validating authenticated binds. You
just add the right header onto the password string... You probably don't even
need to be cracking them.
-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: accounting data
My Fault, this message wasn't finish, I will continue here.: On Fri, Nov 9, 2012 at 1:09 PM, Periko Support pheriko.supp...@gmail.com wrote: Hi. Centos 5.x FreeRadius 2.1.1. I'm reading the book freeradius beginners Guide chapter 6: accounting. Page 139. Amount of Time. I have follow the book, would like to setup my freeradius and be able to manage users time per day. Following the book, it say that to test we better setup 3 files: start session stop session Make some changes to freeradius config files. Now, with this things ready, I follow the steps to see how it works: step 7) auth user. step 8) send an accounting start request. wait 30 seconds of more send a accounting stop request. step 9) auth the users again. The session time out will be 1800-30=1770. This works, but I would like to understand, I can try that steps a lot times and every time it give me the same result: 1770, doesn't suppose that every time I run the same steps the counter must be lower? If I run the start session and wait 2 minutes, the same behavior it give to me 1770. This software is new for me but I want to understand this, thanks!!! file: 4088_06_acct_start.txt Packet-Type=4 Packet-Dst-Port=1813 Acct-Session-Id = 4D2BB8AC-0098 Acct-Status-Type = Start Acct-Authentic = RADIUS User-Name = alice NAS-Port = 0 Called-Station-Id = 00-02-6F-AA-AA-AA:My Wireless Calling-Station-Id = 00-1C-B3-AA-AA-AA NAS-Port-Type = Wireless-802.11 Connect-Info = CONNECT 48Mbps 802.11b File: 4088_06_acct_stop.txt Packet-Type=4 Packet-Dst-Port=1813 Acct-Session-Id = 4D2BB8AC-0098 Acct-Status-Type = Stop Acct-Authentic = RADIUS User-Name = alice NAS-Port = 0 Called-Station-Id = 00-02-6F-AA-AA-AA:My Wireless Calling-Station-Id = 00-1C-B3-AA-AA-AA NAS-Port-Type = Wireless-802.11 Connect-Info = CONNECT 48Mbps 802.11b Acct-Session-Time = 30 Acct-Input-Packets = 25 Acct-Output-Packets = 7 Acct-Input-Octets = 3407 Acct-Output-Octets = 867 Acct-Terminate-Cause = User-Request Thanks!!! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: help with DHCP server functionality
OK, that solved my dilemma of no Pool-Name defined, thanks!
What are other operators doing to determine the appropriate pool?
Should there be some unlang in policy.conf to update the control to the
appropriate name?
Or perhaps an SQL function?
Thanks,
Duane
-Original Message-
From: freeradius-users-bounces+duanecox=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+duanecox=gmail@lists.freeradius.org
] On Behalf Of Fajar A. Nugraha
Sent: Thursday, November 01, 2012 4:58 PM
To: FreeRadius users mailing list
Subject: Re: help with DHCP server functionality
On Fri, Nov 2, 2012 at 3:19 AM, Duane Cox duane...@gmail.com wrote:
List:
Hello. I have been working on this for a few days and have turned
here for help.
The server is listening on port 67 and when a DHCP packet comes in the
server processes it, but in debug mode it give an error No Pool-Name
defined.
I have done some reading and I have added the following to the users
file (for testing purposes).
DEFAULT Pool-Name := main_pool
Fall-Through = Yes
This doesn't seem to define the Pool-Name nor do I see where the
server is processing any sql queries to determine the Pool-Name
either.
Am I mistaken? I thought that I could get a DHCP packet to be
received/processed by the server and hand out a response.
My policy.conf has this:
#
# Assign compatibility data to request for sqlippool
dhcp_sqlippool.post-auth {
# Do some minor hacks to the request so that it looks # like a RADIUS
request to the SQL IP Pool module.
update control {
Pool-Name = DHCP-default
}
update request {
#
... and my sites-available/dhcp has additional instructions:
#
# * Create sqlippool table, if you haven't done so already.
# * Import the schema (see sql/mysql/ipool.sql).
# * Populate the records. At minimum each row must have
# Framed-IP-Address and Pool-Name = 'DHCP-default' (or whatever
# you set 'Pool-Name' to on policy.conf).
# * If you want to use static IP allocation, create a row on
# radippol table with 'callingstationid' set to client's MAC
# address (e.g. '00:16:3E:02:15:6B') and expiry time far in the
# future (e.g. '3000-01-01 00:00:00').
#
Try updating your policy.conf and follow that instruction.
If that works for you, I'll probably send a git pull request to update
instructions in the included config files.
--
Fajar
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Hi all,
I am trying to configure FreeRadius 2.2.0. I am trying to test with the
radtest utility. However, when I run radtest, on my radiusd server, I get
the following error - ERROR: No authenticate method (Auth-Type) found for
the request: Rejecting the user. I know this is some issue with the
authentication part. However, I have not been able to pinpoint the problem.
Also, I haven't been able to find any relevant solutions on the web.
I have just untarred the 2.2.0 tarball, and added just one line the users
file: gokul Cleartext-Password:=abcde
Below is the output on the server and the client side:
Server:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 47080, id=238,
length=75
User-Name = gokul
User-Password = abcde
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0xf92ae1fda2ea8f435d95c4a7294e1e55
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = gokul, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - gokul
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 238 to 127.0.0.1 port 47080
Waking up in 4.9 seconds.
Cleaning up request 0 ID 238 with timestamp +19
Ready to process requests.
Client:
shravan@ubuntu:~/freeradius-server-2.2.0/raddb$ sudo radtest gokul abcde
localhost 0 testing123
[sudo] password for shravan:
Sending Access-Request of id 238 to 127.0.0.1 port 1812
User-Name = gokul
User-Password = abcde
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=238,
length=20
shravan@ubuntu:~/freeradius-server-2.2.0/raddb$
This is m first attempt at using FreeRadius, so please let me know if I
have made any rookie mistakes. :)
Thanks in advance.
Shravan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
