C External Program

2013-01-11 Thread Ali Majdzadeh
Hi

I wrote the following code to accept any user/pass in a C external program:

#include <stdio.h>

int main(void)
{
    /* Accept every request regardless of the password supplied. */
    fprintf(stdout, "Auth-Type := Accept\n");
    return 0;
}

It works well with PAP but does not work in CHAP/MSCHAP. I know I should
return Cleartext-Password but I want to permit any user/pass to log in.
So how can I do that?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: NTLM Auth Problem

2012-04-24 Thread Ali Majdzadeh
Unfortunately, I sent it...

2012/4/24 Ali Majdzadeh 

> Yes I did. I also read rlm_mschap sources and dependent libraries.
>
>
> May lead me which section explain this function?
>
>
> 2012/4/24 Phil Mayers 
>
>> On 24/04/12 13:44, Ali Majdzadeh wrote:
>>
>>> Hi
>>>
>>> I checked that rlm_mschap converts the CHAP_CHALLENGE from radius packet
>>> into other format that used in ntlm_auth.
>>>
>>> Radius Packet: MS-CHAP-Challenge = 0x7e95c31b02cd054fd1dcacea7c2fb358
>>>
>>> Radius –X output for Ntlm_auth: expand:
>>> --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4487f1f9d023e69b
>>>
>>> U told that is normal, based on RFC. I checked the rlm_mschap.c and
>>> rlm_exec.c and also src/main/util.c, It seems that they are copying
>>>
>>
>> Did you read the RFC?
>>
>>
>>  variable one by one from radius packet into ntlm_auth and I did not find
>>> any function to do converting. May give me more information?
>>>
>>
>> Sigh.
>>
>> See here:
>>
>> https://github.com/alandekok/freeradius-server/blob/master/src/modules/rlm_mschap/rlm_mschap.c#L278
>>
>> ...and here:
>>
>> https://github.com/alandekok/freeradius-server/blob/master/src/modules/rlm_mschap/mschap.c#L70
>>
>> ...which is an implementation of this:
>>
>> http://www.ietf.org/rfc/rfc2759.txt
>>
>> If you actually READ the RFC, you will see it contains detailed
>> pseudo-code describing how this works, and even gives sample hex data that
>> you can test your script with.
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>

Re: NTLM Auth Problem

2012-04-24 Thread Ali Majdzadeh
Yes I did. I also read rlm_mschap sources and dependent libraries.


May lead me which section explain this function?


2012/4/24 Phil Mayers 

> On 24/04/12 13:44, Ali Majdzadeh wrote:
>
>> Hi
>>
>> I checked that rlm_mschap converts the CHAP_CHALLENGE from radius packet
>> into other format that used in ntlm_auth.
>>
>> Radius Packet: MS-CHAP-Challenge = 0x7e95c31b02cd054fd1dcacea7c2fb358
>>
>> Radius –X output for Ntlm_auth: expand:
>> --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4487f1f9d023e69b
>>
>> U told that is normal, based on RFC. I checked the rlm_mschap.c and
>> rlm_exec.c and also src/main/util.c, It seems that they are copying
>>
>
> Did you read the RFC?
>
>
>  variable one by one from radius packet into ntlm_auth and I did not find
>> any function to do converting. May give me more information?
>>
>
> Sigh.
>
> See here:
>
> https://github.com/alandekok/freeradius-server/blob/master/src/modules/rlm_mschap/rlm_mschap.c#L278
>
> ...and here:
>
> https://github.com/alandekok/freeradius-server/blob/master/src/modules/rlm_mschap/mschap.c#L70
>
> ...which is an implementation of this:
>
> http://www.ietf.org/rfc/rfc2759.txt
>
> If you actually READ the RFC, you will see it contains detailed
> pseudo-code describing how this works, and even gives sample hex data that
> you can test your script with.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

Re: NTLM Auth Problem

2012-04-24 Thread Ali Majdzadeh
Hi



I checked that rlm_mschap converts the CHAP_CHALLENGE from radius packet
into other format that used in ntlm_auth.



Radius Packet:  MS-CHAP-Challenge = 0x7e95c31b02cd054fd1dcacea7c2fb358

Radius –X output for Ntlm_auth:   expand:
--challenge=%{%{mschap:Challenge}:-00} -> --challenge=4487f1f9d023e69b



U told that is normal, based on RFC. I checked the rlm_mschap.c and
rlm_exec.c and also src/main/util.c, It seems that they are copying
variable one by one from radius packet into ntlm_auth and I did not find
any function to do converting. May give me more information?



My problem is:



I need to call ntlm_auth from command line, not from modules/mschap. So
when I’m running via commandline with same ms-chap-challenge as radius
packet but response from LDAP is not OK.


2012/4/16 Phil Mayers 

> On 04/15/2012 09:51 PM, Ali Majdzadeh wrote:
>
>> Hi
>>
>> Tnx for Ur fast reply.
>>
>> As I explained, I know that the format is differ from the original
>> attributes. I want to know that:
>>
>> If I want to run it from commandline, how can I convert the challenge and
>> response attributes to which they can be used in command line?
>>
>
> This is documented in the MS-CHAPv2 RFC. Or read the source code in the
> server.
>
> There's no readily-available tool to "do this for you". You'll need to
> write a script.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
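
The conversion discussed in this thread, as an added example (not part of any list post and not FreeRADIUS code): the 8-octet --challenge is the RFC 2759 ChallengeHash of the peer challenge, the 16-octet MS-CHAP-Challenge and the user name, and --nt-response is the last 24 octets of MS-CHAP2-Response. The function names are hypothetical, and the sample input is constructed from the RFC 2759 section 9.2 test values.

```python
"""Turn logged MS-CHAPv2 attributes into ntlm_auth arguments (RFC 2759)."""
import hashlib


def octets(value: str) -> bytes:
    """Decode a RADIUS octets value as logged, with or without the 0x prefix."""
    text = value.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    return bytes.fromhex(text)


def split_mschap2_response(response: bytes):
    """Return (peer_challenge, nt_response) from an MS-CHAP2-Response value.

    RFC 2548 layout: Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24).
    """
    if len(response) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 octets, got {len(response)}")
    return response[2:18], response[26:50]


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of SHA1(peer || authenticator || user)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    # RFC 2759: only the user name, without any prepended domain, is hashed.
    user = username.rsplit("\\", 1)[-1]
    digest = hashlib.sha1(peer_challenge + auth_challenge + user.encode("utf-8")).digest()
    return digest[:8]


def ntlm_auth_argv(username: str, mschap_challenge: str, mschap2_response: str):
    """Build the ntlm_auth argument vector from the two logged attributes.

    Returned as a list (not a shell string) so the user name is never
    re-parsed by a shell when passed to subprocess.run().
    """
    auth_challenge = octets(mschap_challenge)
    peer_challenge, nt_response = split_mschap2_response(octets(mschap2_response))
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    return [
        "/usr/bin/ntlm_auth", "--request-nt-key",
        f"--username={username}",
        f"--challenge={challenge.hex()}",
        f"--nt-response={nt_response.hex()}",
    ]


# Constructed sample: the RFC 2759 section 9.2 test values packed into the
# two attributes the way a NAS sends them (Ident and Flags set to zero).
SAMPLE_USER = "User"
SAMPLE_CHALLENGE = "0x5b5d7c7d7b3f2f3e3c2c602132262628"
SAMPLE_RESPONSE = (
    "0x0000"
    "21402324255e262a28295f2b3a337c7e"                   # Peer-Challenge
    "0000000000000000"                                   # Reserved
    "82309ecd8d708b5ea08faa3981cd83544233114a3d85d6df"   # NT-Response
)

if __name__ == "__main__":
    print(" ".join(ntlm_auth_argv(SAMPLE_USER, SAMPLE_CHALLENGE, SAMPLE_RESPONSE)))
```

Passing the raw 16-octet MS-CHAP-Challenge or the whole MS-CHAP2-Response to ntlm_auth fails because it expects the 8-octet hash and the 24-octet NT response.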

Re: NTLM Auth Problem

2012-04-15 Thread Ali Majdzadeh
Hi

Tnx for Ur fast reply.

As I explained, I know that the format is differ from the original
attributes. I want to know that:

If I want to run it from commandline, how can I convert the challenge and
response attributes to which they can be used in command line?

In other word, I want to use ntlm_auth in my own external pre_auth or
post_auth script with those attributes.


2012/4/15 Phil Mayers 

> >
> >
> >with radius –X , I saw that the challenge and response is differ from
> >that
> >I got in auth_log in same session. So if I run ntlm_auth with new
> >values,
> >it’s OK!  what’s wrong?
>
> Freeradius processes the mschapv2 challenge into a different format
> required by samba. There's nothing "wrong". This is expected.
> --
> Sent from my phone. Please excuse brevity and typos.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

auth_log problem

2012-04-14 Thread Ali Majdzadeh
Hi



I’m using FreeRadius 1.2.12 for about 50.000 concurrent users coming from
about 50 NAS. I found that  More than 40% of radius packets (1812/1813) was
seen by tcpdump but not seen in auth_log or acct detail log files. What’s
wrong? Does freeradius have limitation for such case? radiusd.conf is as
follows:



  start_servers = 5

max_servers = 128

min_spare_servers = 3

max_spare_servers = 128

max_requests_per_server = 0

max_request_time = 60

cleanup_delay = 5
max_requests = 256000

NTLM Auth Problem

2012-04-14 Thread Ali Majdzadeh
Hi



I’m using FreeRadius 2.1.12 with mschap and  ntlm_auth external execution
module as follows:



ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"



I want to run ntlm_auth from command line so enabled auth_log  to get
challenge and response:



MS-CHAP-Challenge = 0x8f89ccd88332fd05b75cd39a9d08c296

MS-CHAP2-Response =
0x0100a6a4eb77926c3f1e7f78254b08f720a82a0c1f094749304c3d11cdc8376cbe4373de0d61c2823011



I’m running ntlm_auth from command line with those parameters:



/usr/bin/ntlm_auth --request-nt-key --username=kimia-mo
 --challenge=8f89ccd88332fd05b75cd39a9d08c296
 
--nt-response=0100a6a4eb77926c3f1e7f78254b08f720a82a0c1f094749304c3d11cdc8376cbe4373de0d61c2823011





And Got error:



hex decode of 8f89ccd88332fd05b75cd39a9d08c296 failed! (only got 16 bytes)


with radius –X , I saw that the challenge and response is differ from that
I got in auth_log in same session. So if I run ntlm_auth with new values,
it’s OK!  what’s wrong?

Re: External Authentication program problem

2011-11-28 Thread Ali Majdzadeh
FYI: This is not a perl script. It’s a compiled C program. Just its
extension is .pl!

For more  information:



This is my module config:



exec netbill_pre_auth {
        wait = yes
        program = "/etc/netbill/preauth.pl"
        input_pairs = request
        output_pairs = config
        packet_type = Access-Request
}

exec netbill_post_auth {
        wait = yes
        program = "/etc/netbill/auth.pl"
        input_pairs = request
        output_pairs = reply
        packet_type = Access-Request
}

exec netbill_acct {
        wait = yes
        program = "/etc/netbill/acct.pl"
        input_pairs = request
        output_pairs = reply
        packet_type = Accounting-Request
}



So I need to use exec-wait because the external programs need to wait
until authentication/authorization/accounting is done!

Also please note that auth.pl forks another exec program per authenticated
user (named calc) and will live till user stopped. So if I’ve 20.000 online
users, I’ve also 20.000 calc process.

It works for about 20.000 online user and after this threshold, it stops!

What is your recommendation?

Another Q:

Is there any way to call netbill_acct with wait=no?

2011/11/27 Alan DeKok 

> Ali Majdzadeh wrote:
> > A while after radius up, it reports:
> >
> > Sat Nov 26 13:02:03 2011 : Error: Couldn't fork /etc/netbill/acct.pl
> > : Cannot allocate memory
>
>   Hmmm... you're probably using "exec wait', right?  And starting many,
> many, external programs.
>
>  That's probably the issue.  There may be a bug in the server, but
> there is a better way to run the script.  Use the rlm_perl module.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


External Authentication program problem

2011-11-26 Thread Ali Majdzadeh
Hi



I’m using freeradius 2.1.12 with external program calling for auth,
pre-auth and acct

A while after radius up, it reports:



Sat Nov 26 13:02:03 2011 : Error: Couldn't fork /etc/netbill/acct.pl:
Cannot allocate memory



The machine is:



12 G ram, CentOS 5.4, Kernel  2.6.18-164.el5PAE  32 bits



Vmstat shows at least 6.8G FREE:



procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
 r  b   swpd    free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0      0 6864832  17424 553392    0    0     0     0 3707 7184  1  2 98  0  0
 0  0      0 6863840  17424 553880    0    0     0   164 4532 8138  0  2 98  0  0
 0  0      0 6863592  17432 554356    0    0     0  2192 4106 6809  0  1 98  0  0



And /proc/meminfo:



-bash-3.1# cat /proc/meminfo

MemTotal: 12464608 kB

MemFree:   6945096 kB

Buffers: 16732 kB

Cached: 486116 kB

SwapCached:  0 kB

Active:3929056 kB

Inactive:58056 kB

HighTotal:11655356 kB

HighFree:  6889628 kB

LowTotal:   809252 kB

LowFree: 55468 kB

SwapTotal: 2008116 kB

SwapFree:  2008116 kB

Dirty:  259036 kB

Writeback:   0 kB

AnonPages: 3484324 kB

Mapped:  12016 kB

Slab:   653076 kB

PageTables: 773364 kB

NFS_Unstable:0 kB

Bounce:  0 kB

CommitLimit:  11979800 kB

Committed_AS: 11642520 kB

VmallocTotal:   116728 kB

VmallocUsed:  9040 kB

VmallocChunk:   107296 kB

HugePages_Total: 0

HugePages_Free:  0

HugePages_Rsvd:  0

Hugepagesize: 2048 kB





Radiusd.conf:



Max_servers=32

Min_start_servers=32

min_spare_servers = 0
max_spare_servers = 32


FreeRADIUS Strange action (unfinished request/dropping conflict packet)

2011-09-15 Thread Ali Majdzadeh
Hi



I’m running freeradius 1.1.8 with rlm_exec. External program on ACCOUNTING
packets runs and my external program returns OK! And printout the following
in its logfile:



(PID  5036) 2011-09-15 18:24:28  Packet: updt UserName:
hhsde0100413@tct9   187923@172.31.3.7   10320 Sec 3993228/61717432 Bytes



FreeRADIUS Debugging shows log as the following and shows everything goes
fine for that request.



Thu Sep 15 18:24:28 2011 : Debug: Thread 1 handling request 175, (31 handled
so far)

User-Name = "hhsde0100413@tct9"

NAS-Port = 136339956

NAS-IP-Address = 172.31.3.7

Framed-IP-Address = 2.179.17.211

Filter-Id = "tct9"

Class =
0x68687364653031303034313340746374397c387c3137322e33312e332e377c31636137623036653264

rad_recv: Accounting-Request packet from host 172.31.3.7:1813,
id=92, length=530

NAS-Identifier = "KJ-RJ-ME60X16-01"

Acct-Status-Type = Interim-Update

Acct-Delay-Time = 0

Acct-Input-Octets = 3993228

Acct-Output-Octets = 61717432

Acct-Session-Id = "KJ-RJ-M0820605000890a6e187923"

Acct-Authentic = RADIUS

Acct-Session-Time = 10320

Acct-Input-Packets = 45602

Acct-Output-Packets = 50322

Acct-Input-Gigawords = 0

Acct-Output-Gigawords = 0

Thu Sep 15 18:24:28 2011 : Debug: Thread 1 handling request 175, (31 handled
so far)

Thu Sep 15 18:24:28 2011 : Debug: modcall: entering group preacct for
request 175

Thu Sep 15 18:24:28 2011 : Debug:   modsingle[preacct]: calling preprocess
(rlm_preprocess) for request 175

Acct-Session-Time = 10320Thu Sep 15 18:24:28 2011 : Debug:
modsingle[preacct]: returned from preprocess (rlm_preprocess) for request
175

Thu Sep 15 18:24:28 2011 : Debug:   modcall[preacct]: module
"preprocess" returns noop for request 175

Thu Sep 15 18:24:28 2011 : Debug:   modsingle[preacct]: calling acct_unique
(rlm_acct_unique) for request 175

Thu Sep 15 18:24:28 2011 : Debug:   modsingle[preacct]: returned
from acct_unique (rlm_acct_unique) for request 175

Thu Sep 15 18:24:28 2011 : Debug:   modcall[preacct]: module
"acct_unique" returns ok for request 175

Thu Sep 15 18:24:28 2011 : Debug: modcall: leaving group preacct
(returns ok) for request 175

Thu Sep 15 18:24:28 2011 : Debug: modcall: entering group accounting
for request 175

Thu Sep 15 18:24:28 2011 : Debug:   modsingle[accounting]: calling
detail (rlm_detail) for request 175

Thu Sep 15 18:24:28 2011 : Debug:   modsingle[accounting]: returned from
detail (rlm_detail) for request 175

Thu Sep 15 18:24:28 2011 : Debug:   modcall[accounting]: module "detail"
returns ok for request 175

Thu Sep 15 18:24:28 2011 : Debug:   modsingle[accounting]: calling
netbill_acct (rlm_exec) for request 175



Tcpdump shows the accounting packet issued and returned back to the RAS:





IP 172.31.3.7.radius-acct > 172.26.60.3.radius-acct: RADIUS, Accounting
Request (4), id: 0xx length: 527

IP 172.26.60.3.radius-acct > 172.31.3.7.radius-acct: RADIUS, Accounting
Response (5), id: 0xxx length: 20



But after about 30 seconds, I got the following error in freeRADIUS’s
log



Thu Sep 15 18:24:59 2011 : Error: WARNING: Unresponsive child (id
3086457744) for request 175 (in component accounting module rlm_exec)
hhsde0100413@tct9Thu Sep 15 18:24:59 2011 : Debug: Server rejecting
request 175.



And then shows:



Thu Sep 15 18:43:54 2011 : Error: Dropping conflicting packet from client
172.31.3.7:1646 - ID: 151 due to unfinished request 175


My external program returns 0 (means OK) and freeRADIUS getting it and
returns back to the BRAS, so why freeradius gives such error?!


Kind Regards,
Ali Majdzadeh Kohbanani


HUAWEI MA5200G and Vendor Specific Attributes

2011-05-17 Thread Ali Majdzadeh
Hello All
I’m using freeradius 1.1.8 with a C external program for auth/acct. I’m
sending attributes to RAS by printf . RAS type is HUAWEI MA5200G And I send
attributes as follows:



printf("Session-Timeout=%d",session_time);

printf(",\nInput-Peak-Rate=%d",(int)rx_burst);

printf (",\nInput-Average-Rate=%d",(int)rx_rate);

printf(",\nOutput-Peak-Rate=%d",(int)tx_burst);

printf(",\nOutput-Average-Rate=%d",(int)tx_burst);



the last 4 lines are HUAWEI vendor specific attributes. MA5200G RAS Debug
does not show any attributes inside of auth request. I remove the HUAWEI
vendor specific attributes (the last 4 lines), RAS shows the standard
attributes correctly. What is the problem? HUAWEI says it support only
radius 1.1, So does freeradius support 1.1 when sending attributes by printf
via external program or not?

Re: Question about NAS-Port attribute when using freeradiusclient

2010-10-08 Thread Ali Majdzadeh
Alan,
Sorry for this third post, I managed to instruct PPTP VPN server (NAS) to
send Interim-Update packet by adding the following line to
/etc/radiusclient/dictionary:

ATTRIBUTE   Acct-Interim-Interval   85   integer

Of course, I had set Acct-Interim-Interval attribute to 60 for the specific
test user in users file of the RADIUS server.
Is this OK? Why the above definition is not added to freeradiusclient's
dictionary?

Warm Regards
Ali Majdzadeh Kohbanani

2010/10/8 Ali Majdzadeh 

> Alan,
> Sorry for this extra post, but, what about Interim-Update attribute? Is
> there anyway to instruct the PPTP VPN connection to send interim accounting
> packets to the RADIUS server?
>
>
> Warm Regards
> Ali Majdzadeh Kohbanani
>
> 2010/10/8 Ali Majdzadeh 
>
> Alan,
>> Thanks a lot.
>>
>>
>> Warm Regards
>> Ali Majdzadeh Kohbanani
>>
>> 2010/10/8 Alan DeKok 
>>
>> Ali Majdzadeh wrote:
>>> > Hello All
>>> > I am using freeradiusclient in combination with PPP in order to setup
>>> > RADIUS authentication for PPTP users. Actually, I managed to
>>> > authenticate users using RADIUS but I noticed that the NAS-Port
>>> > attribute which is sent to RADIUS server is always 0. Is this normal?
>>> Is
>>> > there any way to generate proper values for NAS-Port? Is this attribute
>>> > set by radiusclient or is it extracted from somewhere else? (PPP,
>>> maybe?)
>>>
>>>   It's set by the code in PPP that calls radiusclient.
>>>
>>>  If you want it changed, go fix PPP.
>>>
>>>  Alan DeKok.
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>
>>
>

Re: Question about NAS-Port attribute when using freeradiusclient

2010-10-08 Thread Ali Majdzadeh
Alan,
Sorry for this extra post, but, what about Interim-Update attribute? Is
there anyway to instruct the PPTP VPN connection to send interim accounting
packets to the RADIUS server?

Warm Regards
Ali Majdzadeh Kohbanani

2010/10/8 Ali Majdzadeh 

> Alan,
> Thanks a lot.
>
>
> Warm Regards
> Ali Majdzadeh Kohbanani
>
> 2010/10/8 Alan DeKok 
>
> Ali Majdzadeh wrote:
>> > Hello All
>> > I am using freeradiusclient in combination with PPP in order to setup
>> > RADIUS authentication for PPTP users. Actually, I managed to
>> > authenticate users using RADIUS but I noticed that the NAS-Port
>> > attribute which is sent to RADIUS server is always 0. Is this normal? Is
>> > there any way to generate proper values for NAS-Port? Is this attribute
>> > set by radiusclient or is it extracted from somewhere else? (PPP,
>> maybe?)
>>
>>   It's set by the code in PPP that calls radiusclient.
>>
>>  If you want it changed, go fix PPP.
>>
>>  Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>

Re: Question about NAS-Port attribute when using freeradiusclient

2010-10-08 Thread Ali Majdzadeh
Alan,
Thanks a lot.

Warm Regards
Ali Majdzadeh Kohbanani

2010/10/8 Alan DeKok 

> Ali Majdzadeh wrote:
> > Hello All
> > I am using freeradiusclient in combination with PPP in order to setup
> > RADIUS authentication for PPTP users. Actually, I managed to
> > authenticate users using RADIUS but I noticed that the NAS-Port
> > attribute which is sent to RADIUS server is always 0. Is this normal? Is
> > there any way to generate proper values for NAS-Port? Is this attribute
> > set by radiusclient or is it extracted from somewhere else? (PPP, maybe?)
>
>   It's set by the code in PPP that calls radiusclient.
>
>  If you want it changed, go fix PPP.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Question about NAS-Port attribute when using freeradiusclient

2010-10-07 Thread Ali Majdzadeh
Hello All
I am using freeradiusclient in combination with PPP in order to setup RADIUS
authentication for PPTP users. Actually, I managed to authenticate users
using RADIUS but I noticed that the NAS-Port attribute which is sent to
RADIUS server is always 0. Is this normal? Is there any way to generate
proper values for NAS-Port? Is this attribute set by radiusclient or is it
extracted from somewhere else? (PPP, maybe?)

Warm Regards
Ali Majdzadeh Kohbanani

Question about radiusclient

2010-09-15 Thread Ali Majdzadeh
Hello All
In the radiusclient configuration file there is an option called auth_order
which accepts two values (local, radius). If we set this option as follows:
auth_order radius,local
doesn't it means that if the authentication fails using RADIUS it should be
performed using the /etc/passwd file? In other words, if we define all those
users, which are not mentioned as radius users, as local users of the
machine where radiusclient runs, it should be OK. Is that right?
I have tested the so-called scenario, but it does not work. Does anyone have
any experiences regarding this issue?

Warm Regards
Ali Majdzadeh Kohbanani

Re: Strange problem regarding PPTP and FreeRADIUS

2010-09-12 Thread Ali Majdzadeh
Phil,
Hi
Yes, you are right. radius.so breaks when I insert radius_deadtime option in
radiusclient.conf, it seems that what I have used to configure the previous
radiusclient is not compatible with this new version. By the way, I use
pppd-2.4.5. Thanks a lot.

Warm Regards
Ali Majdzadeh Kohbanani

2010/9/12 Phil Mayers 

> On 09/11/2010 09:20 PM, Ali Majdzadeh wrote:
>
>> Edvin,
>> Hi
>> Thanks for your response. FreeRADIUS is running on Debian Lenny and
>> PopTop Server is running on a RedHat-based distribution.
>> By the way, in pptpd's logs, I mentioned the following:
>>
>> /etc/radiusclient/radiusclient.conf: line 16: unrecognized keyword:
>> radius_deadtime
>>
>> I know that pppd uses radius.so plugin to perform PAP, CHAP, MS-CHAP and
>> MS-CHAPv2 authentication against a RADIUS server.
>> Might this be the issue?
>>
>
> That might be it. It looks like you might have mangled the configs in
> /etc/radiusclient. This isn't a FreeRadius problem.
>
> We use poptop/pppd/radius.so on RHEL4 x86 and RHEL5 x86_64, and the
> combination works reliably for us.
>
> Where did you get your /etc/radiusclient configs from? Is the pppd package
> the standard one which comes with your RHEL distro - which pppd rpm version?
> Which version and CPU architecture are you running RHEL on?
>
> I suggest you go back to the original versions of /etc/radiusclient configs
> and make small changes one-by-one until it either works or breaks.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: Strange problem regarding PPTP and FreeRADIUS

2010-09-12 Thread Ali Majdzadeh
Alan
Hi
Thanks for your response. I was using radiusclient and I replaced it by the
latest version from FreeRADIUS. Fortunately, the problem solved but I could
not manage to solve the following issue which I found in pptpd's logs:

/etc/radiusclient/radiusclient.conf: line 16: unrecognized keyword:
radius_deadtime

I think it is related to radius.so plugin which pppd uses. Does this mean
that radius.so and radiusclient are not compatible?

Warm Regards
Ali Majdzadeh Kohbanani

2010/9/12 Alan DeKok 

> Ali Majdzadeh wrote:
> > Hello All
> > I have configured PopTop server to work with FreeRADIUS. pptpd is
> > configured to use mschap-v2 and mppe-128 and I have enabled the
> > corresponding module in FreeRADIUS. When I turn on the debugging mode of
> > FreeRADIUS, I get the following:
> >
> > rad_recv: Access-Request packet from host 192.168.1.15 port 55483,
> > id=227, length=153
> >   Service-Type = Framed-User
> >   Framed-Protocol = PPP
> >   User-Name = "\000ila"
>
>   That's wrong.
>
> >   MS-CHAP-Challenge = 0x78b650db2a6af8bc8bc3435c7a385905
> >   MS-CHAP2-Response =
> >
> 0x6e009982bf378318ac706da61a063b70682de3dbbe517ba9dc7a18dfe5660208bdc1f370b5d7836516f8
> >   NAS-IP-Address =
> 0x0f01a8c0e85adab7e41be2bf081ce2bfb005dab7e41be2bf32
>
>   That's *very* wrong.
>
> > Please note those two highlighted lines, the User-Name is "\000ila"
> > while what I have used as the username is "ali". Also, NAS-IP-Address is
> > somehow encrypted.
> > I searched a lot, but I could not find any similar problem. Any ideas?
>
>   Whoever implemented the RADIUS client did it wrong.  Very, very, wrong.
>
>  Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: Strange problem regarding PPTP and FreeRADIUS

2010-09-11 Thread Ali Majdzadeh
Edvin,
Hi
Thanks for your response. FreeRADIUS is running on Debian Lenny and PopTop
Server is running on a RedHat-based distribution.
By the way, in pptpd's logs, I mentioned the following:

/etc/radiusclient/radiusclient.conf: line 16: unrecognized keyword:
radius_deadtime

I know that pppd uses radius.so plugin to perform PAP, CHAP, MS-CHAP and
MS-CHAPv2 authentication against a RADIUS server.
Might this be the issue?

Warm Regards
Ali Majdzadeh Kohbanani

2010/9/12 Edvin Seferovic | Kolpinghaus St.Pölten 

> Might this be a PopTop issue? What platform are you using?
>
> >Please note those two highlighted lines, the User-Name is "\000ila" while
> what I have used as the username is "ali". Also, NAS-IP-Address is somehow
> >encrypted.
> >I searched a lot, but I could not find any similar problem. Any ideas?
>
> Regards,
> E.S.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Strange problem regarding PPTP and FreeRADIUS

2010-09-11 Thread Ali Majdzadeh
Hello All
I have configured PopTop server to work with FreeRADIUS. pptpd is configured
to use mschap-v2 and mppe-128 and I have enabled the corresponding module in
FreeRADIUS. When I turn on the debugging mode of FreeRADIUS, I get the
following:

rad_recv: Access-Request packet from host 192.168.1.15 port 55483, id=227,
length=153
  Service-Type = Framed-User
  Framed-Protocol = PPP
  User-Name = "\000ila"
  MS-CHAP-Challenge = 0x78b650db2a6af8bc8bc3435c7a385905
  MS-CHAP2-Response =
0x6e009982bf378318ac706da61a063b70682de3dbbe517ba9dc7a18dfe5660208bdc1f370b5d7836516f8
  NAS-IP-Address = 0x0f01a8c0e85adab7e41be2bf081ce2bfb005dab7e41be2bf32
  NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for  with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

Please note those two highlighted lines, the User-Name is "\000ila" while
what I have used as the username is "ali". Also, NAS-IP-Address is somehow
encrypted.
I searched a lot, but I could not find any similar problem. Any ideas?

Warm Regards
Ali Majdzadeh Kohbanani

Re: Question about authenticating CHAP clients using an external program - A different case

2009-02-26 Thread Ali Majdzadeh
Ivan,
Thanks for your reply. I think I should start writing my own module, because
the AAA system itself is in C. In other words, all of our external programs
are C programs. Thanks again for your patience and guidance.

Kind Regards
Ali Majdzadeh Kohbanani

Re: Question about authenticating CHAP clients using an external program - A different case

2009-02-26 Thread Ali Majdzadeh
Ivan,
Hello
Thanks for your reply. Sorry if my question is elementary, but this is the
last one. What is the difference between creating a customized module to do
Authorization/Post-Authentication and using external programs as instances
of rlm_exec module to the so-called functionalities?

Kind Regards
Ali Majdzadeh Kohbanani

Re: Question about authenticating CHAP clients using an external program - A different case

2009-02-26 Thread Ali Majdzadeh
Ivan,
Hello
Thanks for your reply. I have got some questions to ask. We have different
types of clients (Or, connections) in our system; Dial-Up, ADSL, VoIP, CHAP,
MS-CHAP, MS-CHAPv2 and ... . Each of these clients need different
authorization method. Now, where should our authorization code reside? Shall
we create an authorization external program as an instance of the rlm_exec
module and call it in the Authorization section of radiusd.conf? Shall we
create our customized module and form our code as the authorization
function? What about authentication, I completely understood the idea of
post-auth, but how it should be implemented? Do we need another instance of
the rlm_module placed in the post-auth section of radiusd.conf or we should
implement post-auth functionalities as post-auth function in our customized
module? In general, what should be our strategy, developing a customized
module and implementing our logic as it's functions, or using multiple
instances of rlm_exec module and placing them in the appropriate sections of
the radiusd.conf?
Thanks again for your kind attention.

Kind Regards
Ali Majdzadeh Kohbanani

Re: Question about authenticating CHAP clients using an external program - A different case

2009-02-24 Thread Ali Majdzadeh
Ivan,
Thanks for your attention. Yes, you are right, we should organize our system
regarding the structure of freeradius. I have lots of questions to ask. I am
going to coherently form them; would you please trace this thread?

Kind Regards
Ali Majdzadeh Kohbanani

Re: Question about authenticating CHAP clients using an external program - A different case

2009-02-24 Thread Ali Majdzadeh
Ivan,
Thanks for your reply. The problem is time. We should find an immediate
solution. Anyway, thanks again.

Kind Regards
Ali Majdzadeh Kohbanani

Re: Question about authenticating CHAP clients using an external program - A different case

2009-02-24 Thread Ali Majdzadeh
Ivan,
Hello
Thanks for your reply. You are right and I do know that this is not the
right way to get things done, but what we have got here is a sophisticated
and feature-balloted AAA system which is totally based on external programs.
As a mid-term solution we should try to respond to our numerous clients who
are using CHAP, MS-CHAP and MS-CHAPv2 connections. Please please, let me
know if there exists any solution to implement these features in an external
authentication program.

Kind Regards
Ali Majdzadeh Kohbanani

Re: Question about authenticating CHAP clients using an external program - A different case

2009-02-24 Thread Ali Majdzadeh
Ivan,
Hello
Problem solved. I have mentioned my solution below, but now comes another
question, sorry :)
How is it possible to authenticate CHAP clients using an external program
and not the rlm_chap module?
I made two instances of the rlm_exec module. One as the authorization
external program and one as the authentication external program. The point
is that the Cleartext-Password should be sent out as a configuration item in
the authorization external program, in other words, what the authorization
program outputs should be configuration items (in this case). Well, in my
previous configuration, the authorization program had been outputting
attribute-value pairs as reply messages and that was wrong. Using
radiusd.conf, I changed the output type of the authorization external
program to config items. Now I can access User-Name, CHAP-Password,
CHAP-Challenge attribute-value pairs in my authentication external program.
By the way, the authorization external program sets my customized Auth-Type
so that in the authentication section, I can use it to authenticate clients
using my authentication external program which is another instance of the
rlm_exec module (the second one). The main problem is the way that
authentication should take place for CHAP, MS-CHAP and MS-CHAPv2 clients in
the authentication external program.

Kind Regards
Ali Majdzadeh Kohbanani
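
The CHAP check that an authentication external program like the one described above has to perform, as an added example that is not part of the original post or of FreeRADIUS: CHAP-Password is a one-byte identifier followed by a 16-byte response, and the response must equal MD5(identifier || cleartext password || CHAP-Challenge) as defined in RFC 1994. It assumes rlm_exec exports the attributes as CHAP_PASSWORD and CHAP_CHALLENGE in 0x-prefixed hex and that exit status 0 means accept; the function names and the sample password are this example's own, and MS-CHAP and MS-CHAPv2 use different algorithms that it does not cover.

```c
/* Added example, not FreeRADIUS code. Assumptions: rlm_exec exports CHAP_PASSWORD
 * and CHAP_CHALLENGE as 0x-prefixed hex and treats exit status 0 as accept. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_IN 256   /* identifier + password + challenge */

static uint32_t rol(uint32_t x, int c) { return (x << c) | (x >> (32 - c)); }

/* MD5 (RFC 1321) for inputs of at most MAX_IN bytes; the caller checks len. */
static void md5(const uint8_t *msg, size_t len, uint8_t out[16])
{
    static const int S[4][4] = {{7,12,17,22}, {5,9,14,20}, {4,11,16,23}, {6,10,15,21}};
    static const uint32_t K[64] = {
        0xd76aa478,0xe8c7b756,0x242070db,0xc1bdceee,0xf57c0faf,0x4787c62a,0xa8304613,0xfd469501,
        0x698098d8,0x8b44f7af,0xffff5bb1,0x895cd7be,0x6b901122,0xfd987193,0xa679438e,0x49b40821,
        0xf61e2562,0xc040b340,0x265e5a51,0xe9b6c7aa,0xd62f105d,0x02441453,0xd8a1e681,0xe7d3fbc8,
        0x21e1cde6,0xc33707d6,0xf4d50d87,0x455a14ed,0xa9e3e905,0xfcefa3f8,0x676f02d9,0x8d2a4c8a,
        0xfffa3942,0x8771f681,0x6d9d6122,0xfde5380c,0xa4beea44,0x4bdecfa9,0xf6bb4b60,0xbebfbc70,
        0x289b7ec6,0xeaa127fa,0xd4ef3085,0x04881d05,0xd9d4d039,0xe6db99e5,0x1fa27cf8,0xc4ac5665,
        0xf4292244,0x432aff97,0xab9423a7,0xfc93a039,0x655b59c3,0x8f0ccc92,0xffeff47d,0x85845dd1,
        0x6fa87e4f,0xfe2ce6e0,0xa3014314,0x4e0811a1,0xf7537e82,0xbd3af235,0x2ad7d2bb,0xeb86d391};
    uint32_t h[4] = {0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476};
    uint8_t buf[MAX_IN + 64] = {0};
    size_t padded = ((len + 8) / 64 + 1) * 64;     /* room for 0x80 and the length */
    uint64_t bits = (uint64_t)len * 8;
    memcpy(buf, msg, len);
    buf[len] = 0x80;
    for (int i = 0; i < 8; i++) buf[padded - 8 + i] = (uint8_t)(bits >> (8 * i));
    for (size_t off = 0; off < padded; off += 64) {
        uint32_t M[16], a = h[0], b = h[1], c = h[2], d = h[3];
        for (int i = 0; i < 16; i++) {
            const uint8_t *p = buf + off + 4 * i;
            M[i] = p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
        }
        for (int i = 0; i < 64; i++) {
            uint32_t f; int g;
            if (i < 16)      { f = (b & c) | (~b & d); g = i; }
            else if (i < 32) { f = (d & b) | (~d & c); g = (5 * i + 1) % 16; }
            else if (i < 48) { f = b ^ c ^ d;          g = (3 * i + 5) % 16; }
            else             { f = c ^ (b | ~d);       g = (7 * i) % 16; }
            f += a + K[i] + M[g];
            a = d; d = c; c = b; b += rol(f, S[i / 16][i % 4]);
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d;
    }
    for (int i = 0; i < 16; i++) out[i] = (uint8_t)(h[i / 4] >> (8 * (i % 4)));
}

static int nib(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                  /* fold A-F onto a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode "0x..." or bare hex into out; returns the byte count or -1. */
static int unhex(const char *s, uint8_t *out, size_t max)
{
    size_t n = 0;
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) s += 2;
    for (; s[0] && s[1]; s += 2, n++) {
        int hi = nib(s[0]), lo = nib(s[1]);
        if (n == max || hi < 0 || lo < 0) return -1;
        out[n] = (uint8_t)(hi << 4 | lo);
    }
    return s[0] ? -1 : (int)n;                  /* odd digit count is malformed */
}

/* 1 if CHAP-Password == id || MD5(id || password || challenge), else 0. */
int chap_ok(const char *chap_password, const char *challenge, const char *cleartext)
{
    uint8_t cp[17], chal[128], in[MAX_IN], digest[16], diff = 0;
    size_t pl = strlen(cleartext);
    int cl = unhex(challenge, chal, sizeof chal);
    if (unhex(chap_password, cp, sizeof cp) != 17) return 0;
    if (cl < 1 || pl > MAX_IN || 1 + pl + (size_t)cl > MAX_IN) return 0;
    in[0] = cp[0];                              /* CHAP identifier */
    memcpy(in + 1, cleartext, pl);
    memcpy(in + 1 + pl, chal, (size_t)cl);
    md5(in, 1 + pl + (size_t)cl, digest);
    for (int i = 0; i < 16; i++) diff |= (uint8_t)(digest[i] ^ cp[1 + i]);
    return diff == 0;                           /* compared without early exit */
}

int main(void)
{
    const char *cp = getenv("CHAP_PASSWORD"), *ch = getenv("CHAP_CHALLENGE");
    const char *pw = "123456";   /* constructed; really the user's password from the database */
    return (cp && ch && chap_ok(cp, ch, pw)) ? 0 : 1;   /* 0 = accept, else reject */
}
```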

Re: Question about authenticating CHAP clients using an external program - A different case

2009-02-24 Thread Ali Majdzadeh
Ivan,
Hello
Thanks for your attention, but I have tested what you had suggested. The
result is the same, with both attributes the CHAP module throws the same
error. Any ideas?

Kind Regards
Ali Majdzadeh Kohbanani

2009/2/24 

> >I am using freeradius-1.1.7. In order to authenticate users using an
> >external program, I have created an instance of the rlm_exec module which
> >contains the properties of the external program. In the radiusd.conf, I have
> >called the instance in the authentication section. Now, as I want to
> >authenticate CHAP clients, I need to pass their clear text passwords to the
> >rlm_chap module. The passwords are stored in the database (MySQL) and are
> >fetched in the external program. In the external program, I have simply
> >output User-Password = ### as the user's clear text password, but the
> >rlm_chap module says: "Could not find clear text password for user ...".
> >What is wrong? Any ideas?
>
> Attribute for clear text password is - Cleartext-Password. And operator
> should be :=.
>
> Ivan Kalik
> Kalik Informatika ISP

Question about authenticating CHAP clients using an external program - A different case

2009-02-23 Thread Ali Majdzadeh
Hello All,
I am using freeradius-1.1.7. In order to authenticate users using an
external program, I have created an instance of the rlm_exec module which
contains the properties of the external program. In the radiusd.conf, I have
called the instance in the authentication section. Now, as I want to
authenticate CHAP clients, I need to pass their clear text passwords to the
rlm_chap module. The passwords are stored in the database (MySQL) and are
fetched in the external program. In the external program, I have simply
output User-Password = ### as the user's clear text password, but the
rlm_chap module says: "Could not find clear text password for user ...".
What is wrong? Any ideas?

Kind Regards
Ali Majdzadeh Kohbanani

Re: Debugging RLM modules

2008-02-03 Thread Ali Majdzadeh
Hello Doug
Thanks a lot for your useful points. I am going to give it a try.

Kind Regards
Ali

2008/2/3, Doug Hardie <[EMAIL PROTECTED]>:
>
>
> On Feb 2, 2008, at 01:14, Alan DeKok wrote:
>
> > Ali Majdzadeh wrote:
> >> Is there any way to debug an RLM module using gdb?
> >
> >  Yes.  The modules are just shared libraries.  See the gdb manual for
> > how to deal with shared libraries.
>
> Some additional info may be helpful.  You can attach to a running
> radiusd with gdb and the -i option and set breakpoints for the module
> you want to debug.  However, if this is an operational server you will
> quickly get into big issues.  You really ought to get either another
> instance running or use a test server and start it with gdb -i radiusd
> -X. Then set your breakpoints and run the test.

Debugging RLM modules

2008-02-01 Thread Ali Majdzadeh
Hello All
Is there any way to debug an RLM module using gdb?

Kind Regards
Ali Majdzadeh Kohbanani

Re: A question about rlm modules

2007-10-27 Thread Ali Majdzadeh
Hello Alan
Thanks for your reply.
Would you please tell me whether the scenario is correct or not?
1) We obtain the clear text password in the authorization section of our
module.
2) We populate the request->config_items with the clear text password.
3) The CHAP module authenticates the user using the supplied clear text
password.

Best Regards
Ali Majdzadeh

2007/10/25, Alan DeKok <[EMAIL PROTECTED]>:
>
> Ali Majdzadeh wrote:
> > Hello Alan
> > Yes, I am sure that the code works correctly, because the CHAP module
> > accepts the clear text password which I have provided in the
> > request->config_items. Below is my code for the authorize section of the
> > module:
>
>   That looks OK.
>
> > Thu Oct 25 13:18:42 2007 : Debug:   rlm_chap: Using clear text password
> > "123456" for user ali authentication.
> > Thu Oct 25 13:18:42 2007 : Debug:   rlm_chap: Password check failed
>
>   The password doesn't match what the user entered.  There isn't much
> that can go wrong here.
>
>   Alan DeKok.

Re: A question about rlm modules

2007-10-25 Thread Ali Majdzadeh
Hello Alan
Yes, I am sure that the code works correctly, because the CHAP module
accepts the clear text password which I have provided in the
request->config_items. Below is my code for the authorize section of the
module:

static int netbill_authorize (void *instance, REQUEST *request)
{
    VALUE_PAIR *password;
    VALUE_PAIR *clear_text_password;

    instance = instance;
    request = request;

    clear_text_password = pairmake ("User-Password", "123456", T_OP_EQ);
    pairadd (&request->config_items, clear_text_password);

    return RLM_MODULE_OK;
}

And this is the server's log:

Thu Oct 25 13:18:42 2007 : Debug: modcall: entering group CHAP for request 1
Thu Oct 25 13:18:42 2007 : Debug:   modsingle[authenticate]: calling chap
(rlm_chap) for request 1
Thu Oct 25 13:18:42 2007 : Debug:   rlm_chap: login attempt by "ali" with
CHAP password
Thu Oct 25 13:18:42 2007 : Debug:   rlm_chap: Using clear text password
"123456" for user ali authentication.
Thu Oct 25 13:18:42 2007 : Debug:   rlm_chap: Password check failed
Thu Oct 25 13:18:42 2007 : Debug:   modsingle[authenticate]: returned from
chap (rlm_chap) for request 1
Thu Oct 25 13:18:42 2007 : Debug:   modcall[authenticate]: module "chap"
returns reject for request 1
Thu Oct 25 13:18:42 2007 : Debug: modcall: leaving group CHAP (returns
reject) for request 1
Thu Oct 25 13:18:42 2007 : Debug: auth: Failed to validate the user.

Thanks in advance.



2007/10/25, Alan DeKok <[EMAIL PROTECTED]>:
>
> Ali Majdzadeh wrote:
> > I have written an rlm_module. It works fine. Here, we have clients which
> > should be authenticated using CHAP passwords. In the radiusd.conf, I
> > have mentioned my module before the CHAP module in the authentication
> > section. Also, I have found that my module should populate the
> > request->config_items field of the request with the clear text password
> > so that the CHAP module can process the request. I have added the
> > required code to do so, but the CHAP module complains about the size of
> > the password.
>
>   Would it be possible to post the error message?  Are you sure that
> your code correctly creates the clear-text password?
>
>   Alan DeKok.

A question about rlm modules

2007-10-25 Thread Ali Majdzadeh
Hello all
I have written an rlm_module. It works fine. Here, we have clients which
should be authenticated using CHAP passwords. In the radiusd.conf, I have
mentioned my module before the CHAP module in the authentication section.
Also, I have found that my module should populate the request->config_items
field of the request with the clear text password so that the CHAP module
can process the request. I have added the required code to do so, but the
CHAP module complains about the size of the password.
I want to know, is there something that I have missed? By the way, is the
concept right at all?
Thanks in advance.

Regards
Ali Majdzadeh

Question about rlm modules

2006-10-29 Thread Ali Majdzadeh
Hi all
Is it possible to send Vendor Specific Attributes through an rlm module?
I use the following method to send standard attributes through an rlm module
(as suggested by the template itself):

reply = pairmake ("User-Name", "root", T_OP_EQ);
pairadd (&request->reply->vps, reply);
request->reply->code = PW_USER_NAME;
DEBUG ("rlm_cmod: Sending User-Name");

What specific code should I use when, for example, I want to send the
h323-credit-amount attribute to a NAS?

Best Regards
Ali

Re: Freeradius + Cisco VoIP

2006-09-21 Thread Ali Majdzadeh
Hi Gef
I solved the problem through C and rlm_modules.
Anyway, Thanks a lot.
 
Regards 
On 9/21/06, Geoffrey Cauchi <[EMAIL PROTECTED]> wrote:
> Hello Ali
>
> I do not know whether you managed to solve your issue, however using a perl
> script, the format to send these AV Pairs is:
>
> #!/usr/bin/perl
> print "Cisco-AVPair += \"h323-return-code=0\"\,\n";
> print "Cisco-AVPair += \"h323-credit-amount=30\"\,\n";
> print "Cisco-AVPair += \"h323-credit-time=200\"\n";
> exit(0);
>
> And now the script works.
>
> Obviously the h323-credit-time and h323-credit-amount need to be calculated
> in real time, but the above can be used as a test to allow you to utilise
> the cisco TCL script with freeradius
>
> Hope this helps
>
> Gef
>
> From: freeradius-users-bounces+agcauchi=[EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]rg] On Behalf Of Ali Majdzadeh
> Sent: 07 September 2006 10:06
> To: FreeRadius users mailing list; [EMAIL PROTECTED]
> Subject: Re: Freeradius + Cisco VoIP
>
> > Hi Alan
> > I replied Geoffrey with all I knew about AV pairs expected by a Cisco VoIP
> > gateway. But I have another problem.
> > I am using rlm_example to develop a module to handle VoIP stuff.
> > My question is, how should I pack and send those AV pairs expected by the
> > gateway?
> > For example, in example_authenticate function, I should return a number of
> > AV pairs to the gateway in order to authenticate the user. How should I do
> > that?
> >
> > Best Regards
> > Ali
> >
> > On 9/6/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > > "Geoffrey Cauchi" <[EMAIL PROTECTED]> wrote:
> > > > Can anyone provide a sample config of the AV Pairs required by a cisco
> > > > VoIP gateway to accept a user?
> > >
> > > See the NAS documentation.
> > >
> > > Alan DeKok.
> > > --
> > > http://deployingradius.com - The web site of the book
> > > http://deployingradius.com/blog/ - The blog

Re: How to return AV pairs from within an rlm module?

2006-09-14 Thread Ali Majdzadeh
Hi Josh
Thanks a lot.
I am going to give it a try.

Best Regards
Ali
On 9/14/06, Josh Howlett <[EMAIL PROTECTED]> wrote:
> Add your attributes to the reply structure. FreeRADIUS will take care of
> the rest.
>
> josh.
>
> Ali Majdzadeh wrote:
> > Hi all
> > I want to return AV pairs (Cisco VoIP) from within an rlm module. I
> > tried to printf them into stdout, but it didn't work.
> > Should I use the structures accessible within the rlm module? for
> > example, REQUEST.
> > Then, how should I pass them to Cisco?
> >
> > Regards
> > Ali

How to return AV pairs from within an rlm module?

2006-09-14 Thread Ali Majdzadeh
Hi all
I want to return AV pairs (Cisco VoIP) from within an rlm module. I tried to
printf them into stdout, but it didn't work.
Should I use the structures accessible within the rlm module? For example,
REQUEST.
Then, how should I pass them to Cisco?

Regards
Ali

Re: Question about rlm modules

2006-09-12 Thread Ali Majdzadeh
Hi again
By the way, the better approach to catch attributes' values is through the
usage of the following function:

vp_prints_value(char *out, int outlen, VALUE_PAIR *vp, int delimitst);

Regards
Ali

On 9/12/06, Ali Majdzadeh <[EMAIL PROTECTED]> wrote:
> Hi Shankar
> Yes, of course.
> code:
>
> char USER_NAME[128];
> VALUE_PAIR  *vp_iterator;
>
> vp_iterator = request->packet->vps;
> while (vp_iterator)
> {
>   if (strcmp (vp_iterator->name, "User-Name") == 0)
>   {
>     /* bounded copy so a long value cannot overflow USER_NAME */
>     snprintf (USER_NAME, sizeof (USER_NAME), "%s", (char *) vp_iterator->strvalue);
>   }
>   vp_iterator = vp_iterator->next;
> }
>
> This method also works for vendor specific attributes like Cisco-AVPAIR
> and ... .
>
> Regards
> Ali
>
> On 9/12/06, Shankar Ganesh C <[EMAIL PROTECTED]> wrote:
> > Hi Ali,
> >
> > Could you let me know how did u capture the vendor specific attributes in
> > the rlm_module ?
> > like the one you have described earlier
> > getenv(USER_NAME) , getenv(Cisco_AVP) ?
> >
> > Rgds,
> > Shankar ganesh
> >
> > -Original Message-
> > From: freeradius-users-bounces+shankarganesh=[EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Ali Majdzadeh
> > Sent: Tuesday, September 12, 2006 5:10 PM
> > To: FreeRadius users mailing list
> > Subject: Question about rlm modules
> >
> > > Hi all
> > > What is(are) the corresponding function pointer(s) for start and stop
> > > packets in an rlm module? (Something like xxx_authenticate)
> > > Should I define my own custom function pointers? Then, How can I test
> > > them?
> > >
> > > Best Regards
> > > Ali

Re: Question about rlm modules

2006-09-12 Thread Ali Majdzadeh
Hi Shankar
Yes, of course.
code:

char USER_NAME[128];
VALUE_PAIR  *vp_iterator;

vp_iterator = request->packet->vps;
while (vp_iterator)
{
  if (strcmp (vp_iterator->name, "User-Name") == 0)
  {
    /* bounded copy so a long value cannot overflow USER_NAME */
    snprintf (USER_NAME, sizeof (USER_NAME), "%s", (char *) vp_iterator->strvalue);
  }
  vp_iterator = vp_iterator->next;
}

This method also works for vendor specific attributes like Cisco-AVPAIR
and ... .

Regards
Ali

On 9/12/06, Shankar Ganesh C <[EMAIL PROTECTED]> wrote:
> Hi Ali,
>
> Could you let me know how did u capture the vendor specific attributes in
> the rlm_module ?
> like the one you have described earlier
> getenv(USER_NAME) , getenv(Cisco_AVP) ?
>
> Rgds,
> Shankar ganesh
>
> -Original Message-
> From: freeradius-users-bounces+shankarganesh=[EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Ali Majdzadeh
> Sent: Tuesday, September 12, 2006 5:10 PM
> To: FreeRadius users mailing list
> Subject: Question about rlm modules
>
> > Hi all
> > What is(are) the corresponding function pointer(s) for start and stop
> > packets in an rlm module? (Something like xxx_authenticate)
> > Should I define my own custom function pointers? Then, How can I test
> > them?
> >
> > Best Regards
> > Ali


Question about rlm modules

2006-09-12 Thread Ali Majdzadeh
Hi all
What is(are) the corresponding function pointer(s) for start and stop packets
in an rlm module? (Something like xxx_authenticate)
Should I define my own custom function pointers? Then, How can I test them?

Best Regards
Ali

Re: How to enable session-timeout in freeradius

2006-09-12 Thread Ali Majdzadeh
Hi Ranjeet
If you want to send AV pairs to a NAS, just print them to stdout.

Regards
Ali

On 9/11/06, Ranjeet Kumar <[EMAIL PROTECTED]> wrote:
> Peter,
>
> Can you please tell me how to send it (session-timeout) as reply item to NAS?
>
> Thanks,
> Ranjeet
>
> Date: Sat, 9 Sep 2006 15:40:01 +
> From: Peter Nixon <[EMAIL PROTECTED]>
> Subject: Re: How to enable session-timeout in freeradius
> To: FreeRadius users mailing list
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-15"
>
> On Sat 09 Sep 2006 12:24, Ranjeet Kumar wrote:
> > Hi,
> >
> > I am using freeradius and backend as mysql.
> >
> > Can you tell how to enable session-timeout?
>
> Simply send it as a reply item to your NAS.
>
> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc

Re: Question about Multiple-valued attributes

2006-09-07 Thread Ali Majdzadeh
Hi Alan
Thanks for your help.

Best Regards

On 9/7/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Ali Majdzadeh" <[EMAIL PROTECTED]> wrote:
> > Is it possible to catch Multiple-valued attributes through a C program?
> > I can fetch, for example, User-Name attribute by calling USER_NAME = getenv
> > (USER_NAME);
> > but how should I fetch something like Cisco-AVPair?
>
>   You don't.  You write a module in the server, that has complete
> access to everything.
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog

Re: multiiple values in an attribute

2006-09-07 Thread Ali Majdzadeh
Ah sorry,
By the way, in the C code, please change Cisco-AVPair to CISCO_AVPAIR. This is
the transformation which freeradius makes with regard to its environment
variables and you should take care of the issue in your shell scripts or C
code.

Best Regards
Ali

On 9/7/06, Ali Majdzadeh <[EMAIL PROTECTED]> wrote:
> Hi Fonci
> Thanks for your attention.
> I consulted the freeradius documentation about the problem.
> They have mentioned that the AV pairs which contain multiple values are
> maintained using arrays. These arrays are available in, for example, shell
> scripts:
> example:
> %{Cisco-AVPair[0]} references the value of the *first* Cisco-AVPair
> attribute (if it exists) in the request packet.
> You can pass these values as command line arguments to your program.
> But my problem was about fetching these types of AV pairs using getenv() in C.
> Example:
>
> char  *Cisco-AVPair;
> if (getenv ("Cisco-AVPair"))
> {
>     Cisco-AVPair = getenv ("Cisco-AVPair");
> }
>
> Hope this information can help.
>
> Best Regards
> Ali
>
> On 9/7/06, Fonci <[EMAIL PROTECTED]> wrote:
> > Hi Ali!
> > I've seen your mail in the freeradius mailing list. I think
> > we have the same problem. Let me write here mine:
> > So I get accounting requests from a client, which contains
> > an attribute with these TLV parameters:
> > Type   :  PC_Header
> > Length: 76 bytes
> > The Problem:
> > Value  : 003ab54687bcc3029a(152 hexadecimal numbers)
> > parts  :  message ID. | Event type |
> > The message ID is a random number. But I need to know the
> > event type. But all of this are together in one attribute. I
> > want to separate these.
> > How can I catch this value, and separate them? You mentioned
> > a C program or something. Can you give me an advice, how to
> > try, or where to find information?
> > Thank you, and
> > Regards:
> > F.

Re: multiiple values in an attribute

2006-09-07 Thread Ali Majdzadeh
Hi Fonci
Thanks for your attention.
I consulted the freeradius documentation about the problem.
They have mentioned that the AV pairs which contain multiple values are
maintained using arrays. These arrays are available in, for example, shell
scripts:
example:
%{Cisco-AVPair[0]} references the value of the *first* Cisco-AVPair attribute
(if it exists) in the request packet.
You can pass these values as command line arguments to your program.
But my problem was about fetching these types of AV pairs using getenv() in C.
Example:

char  *Cisco-AVPair;
if (getenv ("Cisco-AVPair"))
{
    Cisco-AVPair = getenv ("Cisco-AVPair");
}

Hope this information can help.

Best Regards
Ali

On 9/7/06, Fonci <[EMAIL PROTECTED]> wrote:
> Hi Ali!
> I've seen your mail in the freeradius mailing list. I think
> we have the same problem. Let me write here mine:
> So I get accounting requests from a client, which contains
> an attribute with these TLV parameters:
> Type   :  PC_Header
> Length: 76 bytes
> The Problem:
> Value  : 003ab54687bcc3029a(152 hexadecimal numbers)
> parts  :  message ID. | Event type |
> The message ID is a random number. But I need to know the
> event type. But all of this are together in one attribute. I
> want to separate these.
> How can I catch this value, and separate them? You mentioned
> a C program or something. Can you give me an advice, how to
> try, or where to find information?
> Thank you, and
> Regards:
> F.

Question about Multiple-valued attributes

2006-09-07 Thread Ali Majdzadeh
Hi
Is it possible to catch Multiple-valued attributes through a C program?
I can fetch, for example, User-Name attribute by calling USER_NAME = getenv
(USER_NAME); but how should I fetch something like Cisco-AVPair?

Best Regards
Ali

Re: Freeradius + Cisco VoIP

2006-09-07 Thread Ali Majdzadeh
Hi Alan
I replied Geoffrey with all I knew about AV pairs expected by a Cisco VoIP
gateway. But I have another problem.
I am using rlm_example to develop a module to handle VoIP stuff.
My question is, how should I pack and send those AV pairs expected by the
gateway?
For example, in example_authenticate function, I should return a number of AV
pairs to the gateway in order to authenticate the user. How should I do that?

Best Regards
Ali

On 9/6/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Geoffrey Cauchi" <[EMAIL PROTECTED]> wrote:
> > Can anyone provide a sample config of the AV Pairs required by a cisco VoIP
> > gateway to accept a user?
>
>   See the NAS documentation.
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog

Re: Freeradius + Cisco VoIP

2006-09-07 Thread Ali Majdzadeh
Hi Geoffrey
I am using Cisco 3600. In my case, I have found out the following issues with
AV pairs:

Call Leg 1:
Cisco sends the following AV pairs to the radius server:
User-Name
User-Password
h323-conf-id
Cisco-AVPair=h323-ivr-out
NAS-Port-Type
cisco-nas-port
NAS-Port
Cisco-AVPair=interface
Service-Type
NAS-IP-Address
Cisco expects to see the following AV pairs sent by the radius server:
h323-credit-amount
h323-credit-time
h323-return-code

Call Leg 2:
Cisco sends the following AV pairs to the radius server:
User-Name
User-Password
h323-conf-id
Cisco-AVPair=h323-ivr-out
Called-Station-Id
Service-Type
NAS-IP-Address
Cisco expects to see the following AV pairs sent by the radius server:
h323-credit-amount
h323-credit-time
h323-return-code

The above AV pairs are for authenticating the user. After these two call legs,
you should concern yourself with accounting for the user. I think there are no
AV pairs sent by the radius server for accounting, since it just waits until
Cisco sends the stop packet. Of course, there are two different sets of AV
pairs that both have Acct-Status-Type=stop, but these two sets are for Call
Leg 3 and 4, and they differ in one or two AV pairs from which you can
determine the different call legs.
Hope this information can help you.

Best Regards
Ali

On 9/6/06, Geoffrey Cauchi <[EMAIL PROTECTED]> wrote:
> Not much mention there unfortunately.  A practical example would help me
> most.
>
> Thanks
>
> Gef
>
> -Original Message-
> From: freeradius-users-bounces+agcauchi=[EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]rg] On Behalf Of Alan DeKok
> Sent: 06 September 2006 18:00
> To: FreeRadius users mailing list
> Subject: Re: Freeradius + Cisco VoIP
>
> "Geoffrey Cauchi" <[EMAIL PROTECTED]> wrote:
> > Can anyone provide a sample config of the AV Pairs required by a cisco VoIP
> > gateway to accept a user?
>
>   See the NAS documentation.
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog

Question about freeradius and Cisco VoIP router

2006-09-05 Thread Ali Majdzadeh
Hello All
I am writing a C program as an external program for freeradius to handle
authentication requests received from a Cisco VoIP router.
How can I pack attribute-value pairs and send them to the router? I can
determine the attribute-value pairs transmitted by the router through
environment variables, but I don't know how to send the attribute-value pairs
which the router expects to receive.

Best Regards
Ali
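
A C counterpart to the Perl script quoted in the "Freeradius + Cisco VoIP" thread on this page, as an added example that is not part of the original post or of FreeRADIUS: it builds the reply lines an external program prints on stdout and refuses values that could break out of the quoted string. The struct and function names are this example's own, the credit values are constructed, and the backslash escaping of `"` and `\` inside double quotes is an assumption about how the server parses the output.

```c
/* Added example, not FreeRADIUS code: build the text an rlm_exec program
 * prints on stdout, one `Attribute op "value"` per line as in the Perl script. */
#include <stdio.h>
#include <string.h>

struct avp { const char *attr, *op, *value; };
struct out { char *buf; size_t cap, len; int err; };

static void put(struct out *o, char c)
{
    if (o->len + 1 < o->cap) o->buf[o->len++] = c;   /* keep room for the NUL */
    else o->err = 1;
}

static void put_str(struct out *o, const char *s) { while (*s) put(o, *s++); }

/* Attribute names are limited to letters, digits and '-' (assumption: that
 * covers the dictionary names used here). */
static int name_ok(const char *s)
{
    if (!*s) return 0;
    for (; *s; s++)
        if (!((*s >= 'A' && *s <= 'Z') || (*s >= 'a' && *s <= 'z') ||
              (*s >= '0' && *s <= '9') || *s == '-'))
            return 0;
    return 1;
}

static int op_ok(const char *op)
{
    return !strcmp(op, "=") || !strcmp(op, ":=") || !strcmp(op, "+=");
}

/* Returns the length written, or -1 if a pair is unsafe or buf is too small. */
int format_reply(char *buf, size_t cap, const struct avp *p, size_t n)
{
    struct out o = { buf, cap, 0, 0 };
    if (cap == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        if (!name_ok(p[i].attr) || !op_ok(p[i].op)) return -1;
        put_str(&o, p[i].attr); put(&o, ' ');
        put_str(&o, p[i].op);   put_str(&o, " \"");
        for (const unsigned char *v = (const unsigned char *)p[i].value; *v; v++) {
            /* A raw newline or control byte would end this line early. */
            if (*v < 0x20 || *v == 0x7f) return -1;
            if (*v == '"' || *v == '\\') put(&o, '\\');
            put(&o, (char)*v);
        }
        put_str(&o, i + 1 < n ? "\",\n" : "\"\n");   /* comma on all but the last */
    }
    if (o.err) return -1;
    buf[o.len] = '\0';
    return (int)o.len;
}

int main(void)
{
    /* Constructed values; a real program computes them per call. */
    const struct avp reply[] = {
        { "Cisco-AVPair", "+=", "h323-return-code=0" },
        { "Cisco-AVPair", "+=", "h323-credit-amount=30" },
        { "Cisco-AVPair", "+=", "h323-credit-time=200" },
    };
    char text[512];
    if (format_reply(text, sizeof text, reply, 3) < 0) return 1;
    fputs(text, stdout);
    return 0;
}
```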

Re: Question about RADIUS proxy

2006-08-07 Thread Ali Majdzadeh
Hi Alan
Thanks for your attention.
By the way, I recently read about NOREALM attribute. I think I should make use of this and specify the servers which I want to treat requests without realms, am I right?
 
Best Regards
Ali 
On 8/6/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Ali Majdzadeh" <[EMAIL PROTECTED]> wrote:
> > Is it possible to configure a forwarding RADIUS server to broadcast a
> > request to all remote RADIUS servers? (I mean, without paying attention to
> > authentication realms)
>
> No.
>
> Alan DeKok.
> --
> http://deployingradius.com       - The web site of the book
> http://deployingradius.com/blog/ - The blog

Question about RADIUS proxy

2006-08-06 Thread Ali Majdzadeh
Hi
I am new to freeRADIUS.
I have a question about RADIUS proxies.
Is it possible to configure a forwarding RADIUS server to broadcast a
request to all remote RADIUS servers? (I mean, without paying attention
to authentication realms)

Best Regards
Ali