C External Program
Hi

I wrote the following code to accept any user/pass in a C external program:

#include <stdio.h>

int main(void)
{
    /* Tell the server to accept the request whatever credentials were sent */
    fprintf(stdout, "Auth-Type := Accept\n");
    return 0;
}

It works well with PAP but does not work in CHAP/MSCHAP. I know I should return Cleartext-Password but I want to permit any user/pass to log in. So how can I do that?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: NTLM Auth Problem
Unfortunately I sent it...

2012/4/24 Ali Majdzadeh

> Yes I did. I also read rlm_mschap sources and dependent libraries.
>
> May lead me which section explain this function?
>
> 2012/4/24 Phil Mayers
>
>> On 24/04/12 13:44, Ali Majdzadeh wrote:
>>
>>> Hi
>>>
>>> I checked that rlm_mschap converts the CHAP_CHALLENGE from radius packet
>>> into other format that used in ntlm_auth.
>>>
>>> Radius Packet: MS-CHAP-Challenge = 0x7e95c31b02cd054fd1dcacea7c2fb358
>>>
>>> Radius -X output for Ntlm_auth: expand:
>>> --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4487f1f9d023e69b
>>>
>>> U told that is normal, based on RFC. I checked the rlm_mschap.c and
>>> rlm_exec.c and also src/main/util.c, It seems that they are copying
>>
>> Did you read the RFC?
>>
>>> variable one by one from radius packet into ntlm_auth and I did not find
>>> any function to do converting. May give me more information?
>>
>> Sigh.
>>
>> See here:
>>
>> https://github.com/alandekok/freeradius-server/blob/master/src/modules/rlm_mschap/rlm_mschap.c#L278
>>
>> ...and here:
>>
>> https://github.com/alandekok/freeradius-server/blob/master/src/modules/rlm_mschap/mschap.c#L70
>>
>> ...which is an implementation of this:
>>
>> http://www.ietf.org/rfc/rfc2759.txt
>>
>> If you actually READ the RFC, you will see it contains detailed
>> pseudo-code describing how this works, and even gives sample hex data that
>> you can test your script with.
Re: NTLM Auth Problem
Yes I did. I also read rlm_mschap sources and dependent libraries.

May lead me which section explain this function?

2012/4/24 Phil Mayers

> On 24/04/12 13:44, Ali Majdzadeh wrote:
>
>> Hi
>>
>> I checked that rlm_mschap converts the CHAP_CHALLENGE from radius packet
>> into other format that used in ntlm_auth.
>>
>> Radius Packet: MS-CHAP-Challenge = 0x7e95c31b02cd054fd1dcacea7c2fb358
>>
>> Radius -X output for Ntlm_auth: expand:
>> --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4487f1f9d023e69b
>>
>> U told that is normal, based on RFC. I checked the rlm_mschap.c and
>> rlm_exec.c and also src/main/util.c, It seems that they are copying
>
> Did you read the RFC?
>
>> variable one by one from radius packet into ntlm_auth and I did not find
>> any function to do converting. May give me more information?
>
> Sigh.
>
> See here:
>
> https://github.com/alandekok/freeradius-server/blob/master/src/modules/rlm_mschap/rlm_mschap.c#L278
>
> ...and here:
>
> https://github.com/alandekok/freeradius-server/blob/master/src/modules/rlm_mschap/mschap.c#L70
>
> ...which is an implementation of this:
>
> http://www.ietf.org/rfc/rfc2759.txt
>
> If you actually READ the RFC, you will see it contains detailed
> pseudo-code describing how this works, and even gives sample hex data that
> you can test your script with.
Re: NTLM Auth Problem
Hi

I checked that rlm_mschap converts the CHAP_CHALLENGE from radius packet into other format that used in ntlm_auth.

Radius Packet: MS-CHAP-Challenge = 0x7e95c31b02cd054fd1dcacea7c2fb358

Radius -X output for Ntlm_auth: expand:
--challenge=%{%{mschap:Challenge}:-00} -> --challenge=4487f1f9d023e69b

U told that is normal, based on RFC. I checked the rlm_mschap.c and rlm_exec.c and also src/main/util.c, It seems that they are copying variable one by one from radius packet into ntlm_auth and I did not find any function to do converting. May give me more information?

My problem is: I need to call ntlm_auth from command line, not from modules/mschap. So when I’m running via commandline with same ms-chap-challenge as radius packet but response from LDAP is not OK.

2012/4/16 Phil Mayers

> On 04/15/2012 09:51 PM, Ali Majdzadeh wrote:
>
>> Hi
>>
>> Tnx for Ur fast reply.
>>
>> As I explained, I know that the format is differ from the original
>> attributes. I want to know that:
>>
>> If I want to run it from commandline, how can I convert the challenge and
>> response attributes to which they can be used in command line?
>
> This is documented in the MS-CHAPv2 RFC. Or read the source code in the
> server.
>
> There's no readily-available tool to "do this for you". You'll need to
> write a script.
Re: NTLM Auth Problem
Hi

Tnx for Ur fast reply.

As I explained, I know that the format is differ from the original attributes. I want to know that:

If I want to run it from commandline, how can I convert the challenge and response attributes to which they can be used in command line?

In other word, I want to use ntlm_auth in my own external pre_auth or post_auth script with those attributes.

2012/4/15 Phil Mayers

>> with radius -X, I saw that the challenge and response is differ from that
>> I got in auth_log in same session. So if I run ntlm_auth with new values,
>> it’s OK! what’s wrong?
>
> Freeradius processes the mschapv2 challenge into a different format
> required by samba. There's nothing "wrong". This is expected.
> --
> Sent from my phone. Please excuse brevity and typos.
auth_log problem
Hi

I’m using FreeRadius 1.2.12 for about 50.000 concurrent users coming from about 50 NAS. I found that more than 40% of radius packets (1812/1813) was seen by tcpdump but not seen in auth_log or acct detail log files.

What’s wrong? Does freeradius have limitation for such case?

radiusd.conf is as follows:

start_servers = 5
max_servers = 128
min_spare_servers = 3
max_spare_servers = 128
max_requests_per_server = 0
max_request_time = 60
cleanup_delay = 5
max_requests = 256000
NTLM Auth Problem
Hi

I’m using FreeRadius 2.1.12 with mschap and ntlm_auth external execution module as follows:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

I want to run ntlm_auth from command line so enabled auth_log to get challenge and response:

MS-CHAP-Challenge = 0x8f89ccd88332fd05b75cd39a9d08c296
MS-CHAP2-Response = 0x0100a6a4eb77926c3f1e7f78254b08f720a82a0c1f094749304c3d11cdc8376cbe4373de0d61c2823011

I’m running ntlm_auth from command line with those parameters:

/usr/bin/ntlm_auth --request-nt-key --username=kimia-mo --challenge=8f89ccd88332fd05b75cd39a9d08c296 --nt-response=0100a6a4eb77926c3f1e7f78254b08f720a82a0c1f094749304c3d11cdc8376cbe4373de0d61c2823011

And got error:

hex decode of 8f89ccd88332fd05b75cd39a9d08c296 failed! (only got 16 bytes)

With radius -X, I saw that the challenge and response is differ from that I got in auth_log in same session. So if I run ntlm_auth with new values, it’s OK! What’s wrong?
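The conversion this thread keeps coming back to, as an added example (not part of the original posts and not FreeRADIUS code): per RFC 2759, the 8-octet value given to --challenge is the first 8 octets of SHA1(PeerChallenge || AuthenticatorChallenge || UserName), and --nt-response is the 24-octet NT-Response field carried inside MS-CHAP2-Response (RFC 2548 layout). The function names are hypothetical, and the sample input is the RFC 2759 test vector assembled here into RADIUS attribute form.

```python
import hashlib

# Constructed sample input: the RFC 2759 test vector, laid out the way the
# attributes appear in a RADIUS log (not values taken from the posts above).
SAMPLE_USER = "User"
SAMPLE_CHALLENGE = "0x5b5d7c7d7b3f2f3e3c2c602132262628"
SAMPLE_RESPONSE = (
    "0x0100"                                            # Ident, Flags
    "21402324255e262a28295f2b3a337c7e"                  # Peer-Challenge
    "0000000000000000"                                  # Reserved
    "82309ecd8d708b5ea08faa3981cd83544233114a3d85d6df"  # NT-Response
)

# MS-CHAP2-Response value (RFC 2548):
# Ident(1) | Flags(1) | Peer-Challenge(16) | Reserved(8) | NT-Response(24)
MSCHAP2_RESPONSE_LEN = 50
MSCHAP_CHALLENGE_LEN = 16


def unhex(value, what, expected_len):
    """Decode a logged hex value (optional 0x prefix) and check its length."""
    text = value.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    try:
        raw = bytes.fromhex(text)
    except ValueError:
        raise ValueError(f"{what}: not a hex string") from None
    if len(raw) != expected_len:
        raise ValueError(
            f"{what}: expected {expected_len} octets, got {len(raw)}")
    return raw


def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 ChallengeHash(): SHA1 over the peer challenge, the
    authenticator challenge and the user name, truncated to 8 octets."""
    digest = hashlib.sha1(peer_challenge + auth_challenge + username).digest()
    return digest[:8]


def ntlm_auth_args(username, mschap_challenge, mschap2_response):
    """Build the ntlm_auth argument list from the raw RADIUS attributes.

    Assumption: `username` is exactly the name the peer used when it
    computed its response; a different name gives a different challenge.
    """
    auth_challenge = unhex(mschap_challenge, "MS-CHAP-Challenge",
                           MSCHAP_CHALLENGE_LEN)
    response = unhex(mschap2_response, "MS-CHAP2-Response",
                     MSCHAP2_RESPONSE_LEN)
    peer_challenge = response[2:18]   # skip Ident and Flags
    nt_response = response[26:50]     # skip the 8 reserved octets
    challenge = challenge_hash(peer_challenge, auth_challenge,
                               username.encode("utf-8"))
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        f"--username={username}",
        f"--challenge={challenge.hex()}",
        f"--nt-response={nt_response.hex()}",
    ]


if __name__ == "__main__":
    print(" ".join(ntlm_auth_args(SAMPLE_USER, SAMPLE_CHALLENGE,
                                  SAMPLE_RESPONSE)))
```

Passing the 16-octet MS-CHAP-Challenge straight to --challenge skips the hashing step, which is why the logged attribute and the value shown in the debug expansion differ.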
Re: External Authentication program problem
FYI: This is not a perl script. It’s a compiled C program. Just its extension is .pl!

For more information, this is my module config:

exec netbill_pre_auth {
    wait = yes
    program = "/etc/netbill/preauth.pl"
    input_pairs = request
    output_pairs = config
    packet_type = Access-Request
}

exec netbill_post_auth {
    wait = yes
    program = "/etc/netbill/auth.pl"
    input_pairs = request
    output_pairs = reply
    packet_type = Access-Request
}

exec netbill_acct {
    wait = yes
    program = "/etc/netbill/acct.pl"
    input_pairs = request
    output_pairs = reply
    packet_type = Accounting-Request
}

So I need to use with exec-wait because the external programs need to wait until authentication/authorization/accounting done!

Also plz note that auth.pl forks another exec program per authenticated user (named calc) and will live till user stopped. So if I’ve 20.000 online users, I’ve also 20.000 calc process.

It works for about 20.000 online user and after this threshold, it stops!

What is ur recommendation?

Another Q: Is there any way to call netbill_acct with wait=no?

2011/11/27 Alan DeKok

> Ali Majdzadeh wrote:
>> A while after radius up, it reports:
>>
>> Sat Nov 26 13:02:03 2011 : Error: Couldn't fork /etc/netbill/acct.pl
>> : Cannot allocate memory
>
> Hmmm... you're probably using "exec wait", right? And starting many,
> many, external programs.
>
> That's probably the issue. There may be a bug in the server, but
> there is a better way to run the script. Use the rlm_perl module.
>
> Alan DeKok.
External Authentication program problem
Hi

I’m using freeradius 2.1.12 with external program calling for auth, pre-auth and acct.

A while after radius up, it reports:

Sat Nov 26 13:02:03 2011 : Error: Couldn't fork /etc/netbill/acct.pl: Cannot allocate memory

The machine is: 12 G ram, CentOS 5.4, Kernel 2.6.18-164.el5PAE 32 bits

Vmstat shows at least 6.8G FREE:

procs ---memory-- ---swap-- -io --system-- -cpu--
 r  b swpd    free  buff  cache si so bi   bo   in   cs us sy id wa st
 1  0    0 6864832 17424 553392  0  0  0    0 3707 7184  1  2 98  0  0
 0  0    0 6863840 17424 553880  0  0  0  164 4532 8138  0  2 98  0  0
 0  0    0 6863592 17432 554356  0  0  0 2192 4106 6809  0  1 98  0  0

And /proc/meminfo:

-bash-3.1# cat /proc/meminfo
MemTotal: 12464608 kB
MemFree: 6945096 kB
Buffers: 16732 kB
Cached: 486116 kB
SwapCached: 0 kB
Active: 3929056 kB
Inactive: 58056 kB
HighTotal: 11655356 kB
HighFree: 6889628 kB
LowTotal: 809252 kB
LowFree: 55468 kB
SwapTotal: 2008116 kB
SwapFree: 2008116 kB
Dirty: 259036 kB
Writeback: 0 kB
AnonPages: 3484324 kB
Mapped: 12016 kB
Slab: 653076 kB
PageTables: 773364 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
CommitLimit: 11979800 kB
Committed_AS: 11642520 kB
VmallocTotal: 116728 kB
VmallocUsed: 9040 kB
VmallocChunk: 107296 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
Hugepagesize: 2048 kB

Radiusd.conf:

Max_servers=32
Min_start_servers=32
min_spare_servers = 0
max_spare_servers = 32
FreeRADIUS Strange action (unfinished request/dropping conflict packet)
Hi

I’m running freeradius 1.1.8 with rlm_exec. External program on ACCOUNTING packets runs and my external program returns OK! And printout the following in its logfile:

(PID 5036) 2011-09-15 18:24:28 Packet: updt UserName: hhsde0100413@tct9 187923@172.31.3.7 10320 Sec 3993228/61717432 Bytes

FreeRADIUS Debugging shows log as the following and shows everything goes fine for that request.

Thu Sep 15 18:24:28 2011 : Debug: Thread 1 handling request 175, (31 handled so far)
User-Name = "hhsde0100413@tct9"
NAS-Port = 136339956
NAS-IP-Address = 172.31.3.7
Framed-IP-Address = 2.179.17.211
Filter-Id = "tct9"
Class = 0x68687364653031303034313340746374397c387c3137322e33312e332e377c31636137623036653264
rad_recv: Accounting-Request packet from host 172.31.3.7:1813, id=92, length=530
NAS-Identifier = "KJ-RJ-ME60X16-01"
Acct-Status-Type = Interim-Update
Acct-Delay-Time = 0
Acct-Input-Octets = 3993228
Acct-Output-Octets = 61717432
Acct-Session-Id = "KJ-RJ-M0820605000890a6e187923"
Acct-Authentic = RADIUS
Acct-Session-Time = 10320
Acct-Input-Packets = 45602
Acct-Output-Packets = 50322
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
Thu Sep 15 18:24:28 2011 : Debug: Thread 1 handling request 175, (31 handled so far)
Thu Sep 15 18:24:28 2011 : Debug: modcall: entering group preacct for request 175
Thu Sep 15 18:24:28 2011 : Debug: modsingle[preacct]: calling preprocess (rlm_preprocess) for request 175
Acct-Session-Time = 10320Thu Sep 15 18:24:28 2011 : Debug: modsingle[preacct]: returned from preprocess (rlm_preprocess) for request 175
Thu Sep 15 18:24:28 2011 : Debug: modcall[preacct]: module "preprocess" returns noop for request 175
Thu Sep 15 18:24:28 2011 : Debug: modsingle[preacct]: calling acct_unique (rlm_acct_unique) for request 175
Thu Sep 15 18:24:28 2011 : Debug: modsingle[preacct]: returned from acct_unique (rlm_acct_unique) for request 175
Thu Sep 15 18:24:28 2011 : Debug: modcall[preacct]: module "acct_unique" returns ok for request 175
Thu Sep 15 18:24:28 2011 : Debug: modcall: leaving group preacct (returns ok) for request 175
Thu Sep 15 18:24:28 2011 : Debug: modcall: entering group accounting for request 175
Thu Sep 15 18:24:28 2011 : Debug: modsingle[accounting]: calling detail (rlm_detail) for request 175
Thu Sep 15 18:24:28 2011 : Debug: modsingle[accounting]: returned from detail (rlm_detail) for request 175
Thu Sep 15 18:24:28 2011 : Debug: modcall[accounting]: module "detail" returns ok for request 175
Thu Sep 15 18:24:28 2011 : Debug: modsingle[accounting]: calling netbill_acct (rlm_exec) for request 175

Tcpdump shows the accounting packet issued and returned back to the RAS:

IP 172.31.3.7.radius-acct > 172.26.60.3.radius-acct: RADIUS, Accounting Request (4), id: 0xx length: 527
IP 172.26.60.3.radius-acct > 172.31.3.7.radius-acct: RADIUS, Accounting Response (5), id: 0xxx length: 20

But after about 30 seconds, I got the following error in freeRADIUS’s log:

Thu Sep 15 18:24:59 2011 : Error: WARNING: Unresponsive child (id 3086457744) for request 175 (in component accounting module rlm_exec)
hhsde0100413@tct9Thu Sep 15 18:24:59 2011 : Debug: Server rejecting request 175.

And then shows:

Thu Sep 15 18:43:54 2011 : Error: Dropping conflicting packet from client 172.31.3.7:1646 - ID: 151 due to unfinished request 175

My external program returns 0 (means OK) and freeRADIUS getting it and returns back to the BRAS, so why freeradius gives such error?!

Kind Regards,
Ali Majdzadeh Kohbanani
HUAWEI MA5200G and Vendor Specific Attributes
Hello All

I’m using freeradius 1.1.8 with a C external program for auth/acct. I’m sending attributes to RAS by printf. RAS type is HUAWEI MA5200G and I send attributes as follows:

printf("Session-Timeout=%d",session_time);
printf(",\nInput-Peak-Rate=%d",(int)rx_burst);
printf(",\nInput-Average-Rate=%d",(int)rx_rate);
printf(",\nOutput-Peak-Rate=%d",(int)tx_burst);
printf(",\nOutput-Average-Rate=%d",(int)tx_burst);

The last 4 lines are HUAWEI vendor specific attributes.

MA5200G RAS Debug does not show any attributes inside of auth request. I remove the HUAWEI vendor specific attributes (the last 4 lines), RAS shows the standard attributes correctly.

What is the problem? HUAWEI says it supports only radius 1.1, so does freeradius support 1.1 when sending attributes by printf via external program or not?
Re: Question about NAS-Port attribute when using freeradiusclient
Alan,
Sorry for this third post, I managed to instruct PPTP VPN server (NAS) to send Interim-Update packet by adding the following line to /etc/radiusclient/dictionary:

ATTRIBUTE Acct-Interim-Interval 85 integer

Of course, I had set Acct-Interim-Interval attribute to 60 for the specific test user in users file of the RADIUS server. Is this OK? Why the above definition is not added to freeradiusclient's dictionary?

Warm Regards
Ali Majdzadeh Kohbanani

2010/10/8 Ali Majdzadeh

> Alan,
> Sorry for this extra post, but, what about Interim-Update attribute? Is
> there anyway to instruct the PPTP VPN connection to send interim accounting
> packets to the RADIUS server?
>
> Warm Regards
> Ali Majdzadeh Kohbanani
>
> 2010/10/8 Ali Majdzadeh
>
>> Alan,
>> Thanks a lot.
>>
>> Warm Regards
>> Ali Majdzadeh Kohbanani
>>
>> 2010/10/8 Alan DeKok
>>
>>> Ali Majdzadeh wrote:
>>>> Hello All
>>>> I am using freeradiusclient in combination with PPP in order to setup
>>>> RADIUS authentication for PPTP users. Actually, I managed to
>>>> authenticate users using RADIUS but I noticed that the NAS-Port
>>>> attribute which is sent to RADIUS server is always 0. Is this normal? Is
>>>> there any way to generate proper values for NAS-Port? Is this attribute
>>>> set by radiusclient or is it extracted from somewhere else? (PPP, maybe?)
>>>
>>> It's set by the code in PPP that calls radiusclient.
>>>
>>> If you want it changed, go fix PPP.
>>>
>>> Alan DeKok.
Re: Question about NAS-Port attribute when using freeradiusclient
Alan,
Sorry for this extra post, but, what about Interim-Update attribute? Is there anyway to instruct the PPTP VPN connection to send interim accounting packets to the RADIUS server?

Warm Regards
Ali Majdzadeh Kohbanani

2010/10/8 Ali Majdzadeh

> Alan,
> Thanks a lot.
>
> Warm Regards
> Ali Majdzadeh Kohbanani
>
> 2010/10/8 Alan DeKok
>
>> Ali Majdzadeh wrote:
>>> Hello All
>>> I am using freeradiusclient in combination with PPP in order to setup
>>> RADIUS authentication for PPTP users. Actually, I managed to
>>> authenticate users using RADIUS but I noticed that the NAS-Port
>>> attribute which is sent to RADIUS server is always 0. Is this normal? Is
>>> there any way to generate proper values for NAS-Port? Is this attribute
>>> set by radiusclient or is it extracted from somewhere else? (PPP, maybe?)
>>
>> It's set by the code in PPP that calls radiusclient.
>>
>> If you want it changed, go fix PPP.
>>
>> Alan DeKok.
Re: Question about NAS-Port attribute when using freeradiusclient
Alan,
Thanks a lot.

Warm Regards
Ali Majdzadeh Kohbanani

2010/10/8 Alan DeKok

> Ali Majdzadeh wrote:
>> Hello All
>> I am using freeradiusclient in combination with PPP in order to setup
>> RADIUS authentication for PPTP users. Actually, I managed to
>> authenticate users using RADIUS but I noticed that the NAS-Port
>> attribute which is sent to RADIUS server is always 0. Is this normal? Is
>> there any way to generate proper values for NAS-Port? Is this attribute
>> set by radiusclient or is it extracted from somewhere else? (PPP, maybe?)
>
> It's set by the code in PPP that calls radiusclient.
>
> If you want it changed, go fix PPP.
>
> Alan DeKok.
Question about NAS-Port attribute when using freeradiusclient
Hello All

I am using freeradiusclient in combination with PPP in order to setup RADIUS authentication for PPTP users. Actually, I managed to authenticate users using RADIUS but I noticed that the NAS-Port attribute which is sent to RADIUS server is always 0. Is this normal? Is there any way to generate proper values for NAS-Port? Is this attribute set by radiusclient or is it extracted from somewhere else? (PPP, maybe?)

Warm Regards
Ali Majdzadeh Kohbanani
Question about radiusclient
Hello All

In the radiusclient configuration file there is an option called auth_order which accepts two values (local, radius). If we set this option as follows:

auth_order radius,local

doesn't it mean that if the authentication fails using RADIUS it should be performed using the /etc/passwd file? In other words, if we define all those users, which are not mentioned as radius users, as local users of the machine where radiusclient runs, it should be OK. Is that right? I have tested the so-called scenario, but it does not work. Does anyone have any experiences regarding this issue?

Warm Regards
Ali Majdzadeh Kohbanani
Re: Strange problem regarding PPTP and FreeRADIUS
Phil,
Hi
Yes, you are right. radius.so breaks when I insert radius_deadtime option in radiusclient.conf, it seems that what I have used to configure the previous radiusclient is not compatible with this new version. By the way, I use pppd-2.4.5.
Thanks a lot.

Warm Regards
Ali Majdzadeh Kohbanani

2010/9/12 Phil Mayers

> On 09/11/2010 09:20 PM, Ali Majdzadeh wrote:
>
>> Edvin,
>> Hi
>> Thanks for your response. FreeRADIUS is running on Debian Lenny and
>> PopTop Server is running on a RedHat-based distribution.
>> By the way, in pptpd's logs, I mentioned the following:
>>
>> /etc/radiusclient/radiusclient.conf: line 16: unrecognized keyword:
>> radius_deadtime
>>
>> I know that pppd uses radius.so plugin to perform PAP, CHAP, MS-CHAP and
>> MS-CHAPv2 authentication against a RADIUS server.
>> Might this be the issue?
>
> That might be it. It looks like you might have mangled the configs in
> /etc/radiusclient. This isn't a FreeRadius problem.
>
> We use poptop/pppd/radius.so on RHEL4 x86 and RHEL5 x86_64, and the
> combination works reliably for us.
>
> Where did you get your /etc/radiusclient configs from? Is the pppd package
> the standard one which comes with your RHEL distro - which pppd rpm version?
> Which version and CPU architecture are you running RHEL on?
>
> I suggest you go back to the original versions of /etc/radiusclient configs
> and make small changes one-by-one until it either works or breaks.
Re: Strange problem regarding PPTP and FreeRADIUS
Alan
Hi
Thanks for your response. I was using radiusclient and I replaced it by the latest version from FreeRADIUS. Fortunately, the problem solved but I could not manage to solve the following issue which I found in pptpd's logs:

/etc/radiusclient/radiusclient.conf: line 16: unrecognized keyword: radius_deadtime

I think it is related to radius.so plugin which pppd uses. Does this mean that radius.so and radiusclient are not compatible?

Warm Regards
Ali Majdzadeh Kohbanani

2010/9/12 Alan DeKok

> Ali Majdzadeh wrote:
>> Hello All
>> I have configured PopTop server to work with FreeRADIUS. pptpd is
>> configured to use mschap-v2 and mppe-128 and I have enabled the
>> corresponding module in FreeRADIUS. When I turn on the debugging mode of
>> FreeRADIUS, I get the following:
>>
>> rad_recv: Access-Request packet from host 192.168.1.15 port 55483,
>> id=227, length=153
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> User-Name = "\000ila"
>
> That's wrong.
>
>> MS-CHAP-Challenge = 0x78b650db2a6af8bc8bc3435c7a385905
>> MS-CHAP2-Response = 0x6e009982bf378318ac706da61a063b70682de3dbbe517ba9dc7a18dfe5660208bdc1f370b5d7836516f8
>> NAS-IP-Address = 0x0f01a8c0e85adab7e41be2bf081ce2bfb005dab7e41be2bf32
>
> That's *very* wrong.
>
>> Please note those two highlighted lines, the User-Name is "\000ila"
>> while what I have used as the username is "ali". Also, NAS-IP-Address is
>> somehow encrypted.
>> I searched a lot, but I could not find any similar problem. Any ideas?
>
> Whoever implemented the RADIUS client did it wrong. Very, very, wrong.
>
> Alan DeKok.
Re: Strange problem regarding PPTP and FreeRADIUS
Edvin,
Hi
Thanks for your response. FreeRADIUS is running on Debian Lenny and PopTop Server is running on a RedHat-based distribution.
By the way, in pptpd's logs, I mentioned the following:

/etc/radiusclient/radiusclient.conf: line 16: unrecognized keyword: radius_deadtime

I know that pppd uses radius.so plugin to perform PAP, CHAP, MS-CHAP and MS-CHAPv2 authentication against a RADIUS server.
Might this be the issue?

Warm Regards
Ali Majdzadeh Kohbanani

2010/9/12 Edvin Seferovic | Kolpinghaus St.Pölten

> Might this be a PopTop issue? What platform are you using?
>
>> Please note those two highlighted lines, the User-Name is "\000ila" while
>> what I have used as the username is "ali". Also, NAS-IP-Address is somehow
>> encrypted.
>> I searched a lot, but I could not find any similar problem. Any ideas?
>
> Regards,
> E.S.
Strange problem regarding PPTP and FreeRADIUS
Hello All

I have configured PopTop server to work with FreeRADIUS. pptpd is configured to use mschap-v2 and mppe-128 and I have enabled the corresponding module in FreeRADIUS. When I turn on the debugging mode of FreeRADIUS, I get the following:

rad_recv: Access-Request packet from host 192.168.1.15 port 55483, id=227, length=153
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "\000ila"
MS-CHAP-Challenge = 0x78b650db2a6af8bc8bc3435c7a385905
MS-CHAP2-Response = 0x6e009982bf378318ac706da61a063b70682de3dbbe517ba9dc7a18dfe5660208bdc1f370b5d7836516f8
NAS-IP-Address = 0x0f01a8c0e85adab7e41be2bf081ce2bfb005dab7e41be2bf32
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

Please note those two highlighted lines, the User-Name is "\000ila" while what I have used as the username is "ali". Also, NAS-IP-Address is somehow encrypted.
I searched a lot, but I could not find any similar problem. Any ideas?

Warm Regards
Ali Majdzadeh Kohbanani
Re: Question about authenticating CHAP clients using an external program - A different case
Ivan,
Thanks for your reply. I think I should start writing my own module, because the AAA system itself is in C. In other words, all of our external programs are C programs. Thanks again for your patience and guidance.

Kind Regards
Ali Majdzadeh Kohbanani
Re: Question about authenticating CHAP clients using an external program - A different case
Ivan,
Hello
Thanks for your reply. Sorry if my question is elementary, but this is the last one. What is the difference between creating a customized module to do Authorization/Post-Authentication and using external programs as instances of rlm_exec module to the so-called functionalities?

Kind Regards
Ali Majdzadeh Kohbanani
Re: Question about authenticating CHAP clients using an external program - A different case
Ivan,
Hello
Thanks for your reply. I have got some questions to ask. We have different types of clients (Or, connections) in our system; Dial-Up, ADSL, VoIP, CHAP, MS-CHAP, MS-CHAPv2 and ... . Each of these clients need different authorization method. Now, where should our authorization code reside? Shall we create an authorization external program as an instance of the rlm_exec module and call it in the Authorization section of radiusd.conf? Shall we create our customized module and form our code as the authorization function?

What about authentication, I completely understood the idea of post-auth, but how it should be implemented? Do we need another instance of the rlm_module placed in the post-auth section of radiusd.conf or we should implement post-auth functionalities as post-auth function in our customized module?

In general, what should be our strategy, developing a customized module and implementing our logic as its functions, or using multiple instances of rlm_exec module and placing them in the appropriate sections of the radiusd.conf?

Thanks again for your kind attention.

Kind Regards
Ali Majdzadeh Kohbanani
Re: Question about authenticating CHAP clients using an external program - A different case
Ivan,
Thanks for your attention. Yes, you are right, we should organize our system regarding the structure of freeradius. I have lots of questions to ask. I am going to coherently form them; would you please trace this thread?

Kind Regards
Ali Majdzadeh Kohbanani
Re: Question about authenticating CHAP clients using an external program - A different case
Ivan,
Thanks for your reply. The problem is time. We should find an immediate solution. Anyway, thanks again.

Kind Regards
Ali Majdzadeh Kohbanani
Re: Question about authenticating CHAP clients using an external program - A different case
Ivan,
Hello
Thanks for your reply. You are right and I do know that this is not the right way to get things done, but what we have got here is a sophisticated and feature-balloted AAA system which is totally based on external programs. As a mid-term solution we should try to respond to our numerous clients who are using CHAP, MS-CHAP and MS-CHAPv2 connections. Please please, let me know if there exists any solution to implement these features in an external authentication program.

Kind Regards
Ali Majdzadeh Kohbanani
Re: Question about authenticating CHAP clients using an external program - A different case
Ivan,
Hello
Problem solved. I have mentioned my solution below, but now comes another question, sorry :) How is it possible to authenticate CHAP clients using an external program and not the rlm_chap module?

I made two instances of the rlm_exec module. One as the authorization external program and one as the authentication external program. The point is that the Cleartext-Password should be sent out as a configuration item in the authorization external program, in other words, what the authorization program outputs should be configuration items (in this case). Well, in my previous configuration, the authorization program has been output attribute-value pairs as reply messages and that was wrong. Using radiusd.conf, I changed the output type of the authorization external program to config items. Now I can access User-Name, CHAP-Password, CHAP-Challenge attribute-value pairs in my authentication external program.

By the way, the authorization external program sets my customized Auth-Type so that in the authentication section, I can use it to authenticate clients using my authentication external program which is another instance of the rlm_exec module (the second one). The main problem is the way that authentication should take place for CHAP, MS-CHAP and MS-CHAPv2 clients in the authentication external program.

Kind Regards
Ali Majdzadeh Kohbanani
Re: Question about authenticating CHAP clients using an external program- A different case
Ivan, Hello

Thanks for your attention, but I have tested what you had suggested. The result is the same, with both attributes the CHAP module throws the same error. Any ideas?

Kind Regards
Ali Majdzadeh Kohbanani

2009/2/24
> >I am using freeradius-1.1.7. In order to authenticate users using an
> >external program, I have created an instance of the rlm_exec module which
> >contains the properties of the external program. In the radiusd.conf, I have
> >called the instance in the authentication section. Now, as I want to
> >authenticate CHAP clients, I need to pass their clear text passwords to the
> >rlm_chap module. The passwords are stored in the database (MySQL) and are
> >fetched in the external program. In the external program, I have simply
> >output User-Password = ### as the user's clear text password, but the
> >rlm_chap module says: "Could not find clear text password for user ...".
> >What is wrong? Any ideas?
>
> Attribute for clear text password is - Cleartext-Password. And operator
> should be :=.
>
> Ivan Kalik
> Kalik Informatika ISP
Question about authenticating CHAP clients using an external program - A different case
Hello All,

I am using freeradius-1.1.7. In order to authenticate users using an external program, I have created an instance of the rlm_exec module which contains the properties of the external program. In the radiusd.conf, I have called the instance in the authentication section. Now, as I want to authenticate CHAP clients, I need to pass their clear text passwords to the rlm_chap module. The passwords are stored in the database (MySQL) and are fetched in the external program. In the external program, I have simply output User-Password = ### as the user's clear text password, but the rlm_chap module says: "Could not find clear text password for user ...". What is wrong? Any ideas?

Kind Regards
Ali Majdzadeh Kohbanani
Re: Debugging RLM modules
Hello Doug

Thanks a lot for your useful points. I am going to give it a try.

Kind Regards
Ali

2008/2/3, Doug Hardie <[EMAIL PROTECTED]>:
>
> On Feb 2, 2008, at 01:14, Alan DeKok wrote:
>
> > Ali Majdzadeh wrote:
> >> Is there any way to debug an RLM module using gdb?
> >
> > Yes. The modules are just shared libraries. See the gdb manual for
> > how to deal with shared libraries.
>
> Some additional info may be helpful. You can attach to a running
> radiusd with gdb and the -i option and set breakpoints for the module
> you want to debug. However, if this is an operational server you will
> quickly get into big issues. You really ought to get either another
> instance running or use a test server and start it with gdb -i radiusd
> -X. Then set your breakpoints and run the test.
Debugging RLM modules
Hello All

Is there any way to debug an RLM module using gdb?

Kind Regards
Ali Majdzadeh Kohbanani
Re: A question about rlm modules
Hello Alan

Thanks for your reply. Would you please tell me whether the scenario is correct or not?

1) We obtain the clear text password in the authorization section of our module.
2) We populate the request->config_items with the clear text password.
3) The CHAP module authenticates the user using the supplied clear text password.

Best Regards
Ali Majdzadeh

2007/10/25, Alan DeKok <[EMAIL PROTECTED]>:
>
> Ali Majdzadeh wrote:
> > Hello Alan
> > Yes, I am sure that the code works correctly, because the CHAP module
> > accepts the clear text password which I have provided in the
> > request->config_items. Below is my code for the authorize section of the
> > module:
>
> That looks OK.
>
> > Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: Using clear text password
> > "123456" for user ali authentication.
> > Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: Password check failed
>
> The password doesn't match what the user entered. There isn't much
> that can go wrong here.
>
> Alan DeKok.
Re: A question about rlm modules
Hello Alan

Yes, I am sure that the code works correctly, because the CHAP module accepts the clear text password which I have provided in the request->config_items. Below is my code for the authorize section of the module:

    static int netbill_authorize (void *instance, REQUEST *request)
    {
        VALUE_PAIR *password;
        VALUE_PAIR *clear_text_password;

        instance = instance;
        request = request;

        clear_text_password = pairmake ("User-Password", "123456", T_OP_EQ);
        pairadd (&request->config_items, clear_text_password);

        return RLM_MODULE_OK;
    }

And this is the server's log:

    Thu Oct 25 13:18:42 2007 : Debug: modcall: entering group CHAP for request 1
    Thu Oct 25 13:18:42 2007 : Debug: modsingle[authenticate]: calling chap (rlm_chap) for request 1
    Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: login attempt by "ali" with CHAP password
    Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: Using clear text password "123456" for user ali authentication.
    Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: Password check failed
    Thu Oct 25 13:18:42 2007 : Debug: modsingle[authenticate]: returned from chap (rlm_chap) for request 1
    Thu Oct 25 13:18:42 2007 : Debug: modcall[authenticate]: module "chap" returns reject for request 1
    Thu Oct 25 13:18:42 2007 : Debug: modcall: leaving group CHAP (returns reject) for request 1
    Thu Oct 25 13:18:42 2007 : Debug: auth: Failed to validate the user.

Thanks in advance.

2007/10/25, Alan DeKok <[EMAIL PROTECTED]>:
>
> Ali Majdzadeh wrote:
> > I have written an rlm_module. It works fine. Here, we have clients which
> > should be authenticated using CHAP passwords. In the radiusd.conf, I
> > have mentioned my module before the CHAP module in the authentication
> > section. Also, I have found that my module should populate the
> > request->config_items field of the request with the clear text password
> > so that the CHAP module can process the request. I have added the
> > required code to do so, but the CHAP module complains about the size of
> > the password.
>
> Would it be possible to post the error message? Are you sure that
> your code correctly creates the clear-text password?
>
> Alan DeKok.
A question about rlm modules
Hello all

I have written an rlm_module. It works fine. Here, we have clients which should be authenticated using CHAP passwords. In the radiusd.conf, I have mentioned my module before the CHAP module in the authentication section. Also, I have found that my module should populate the request->config_items field of the request with the clear text password so that the CHAP module can process the request. I have added the required code to do so, but the CHAP module complains about the size of the password. I want to know, is there something that I have missed? By the way, is the concept right at all?

Thanks in advance.

Regards
Ali Majdzadeh
Question about rlm modules
Hi all

Is it possible to send Vendor Specific Attributes through an rlm module?
I use the following method to send standard attributes through an rlm module:
(As suggested by the template itself)

    reply = pairmake ("User-Name", "root", T_OP_EQ);
    pairadd (&request->reply->vps, reply);
    request->reply->code = PW_USER_NAME;
    DEBUG ("rlm_cmod: Sending User-Name");

What specific code should I use when for example I want to send h323-credit-amount attribute to a NAS?

Best Regards
Ali
Re: Freeradius + Cisco VoIP
Hi Gef

I solved the problem through C and rlm_modules. Anyway, Thanks a lot.

Regards

On 9/21/06, Geoffrey Cauchi <[EMAIL PROTECTED]> wrote:

Hello Ali

I do not know whether you managed to solve your issue, however using a perl script, the format to send these AV Pairs is:

    #!/usr/bin/perl
    print "Cisco-AVPair += \"h323-return-code=0\"\,\n";
    print "Cisco-AVPair += \"h323-credit-amount=30\"\,\n";
    print "Cisco-AVPair += \"h323-credit-time=200\"\n";
    exit(0);

And now the script works.

Obviously the h323-credit-time and h323-credit-amount need to be calculated in real time, but the above can be used as a test to allow you to utilise the cisco TCL script with freeradius

Hope this helps

Gef

From: freeradius-users-bounces+agcauchi=[EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]rg] On Behalf Of Ali Majdzadeh
Sent: 07 September 2006 10:06
To: FreeRadius users mailing list; [EMAIL PROTECTED]
Subject: Re: Freeradius + Cisco VoIP

Hi Alan

I replied Geoffrey with all I knew about AV pairs expected by a Cisco VoIP gateway. But I have another problem.
I am using rlm_example to develop a module to handle VoIP stuff.
My question is, how should I pack and send those AV pairs expected by the gateway?
For example, in example_authenticate function, I should return a number of AV pairs to the gateway in order to authenticate the user. How should I do that?

Best Regards
Ali

On 9/6/06, Alan DeKok <[EMAIL PROTECTED]> wrote:

"Geoffrey Cauchi" <[EMAIL PROTECTED]> wrote:
> Can anyone provide a sample config of the AV Pairs required by a cisco VoIP
> gateway to accept a user?

See the NAS documentation.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: How to return AV pairs from within an rlm module?
Hi Josh

Thanks a lot. I am going to give it a try.

Best Regards
Ali

On 9/14/06, Josh Howlett <[EMAIL PROTECTED]> wrote:

Add your attributes to the reply structure. FreeRADIUS will take care of the rest.

josh.

Ali Majdzadeh wrote:
> Hi all
> I want to return AV pairs (Cisco VoIP) from within an rlm module. I
> tried to printf them into stdout, but it didn't work.
> Should I use the structures accessible within the rlm module? for
> example, REQUEST.
> Then, how should I pass them to Cisco?
>
> Regards
> Ali
How to return AV pairs from within an rlm module?
Hi all

I want to return AV pairs (Cisco VoIP) from within an rlm module. I tried to printf them into stdout, but it didn't work.
Should I use the structures accessible within the rlm module? for example, REQUEST.
Then, how should I pass them to Cisco?

Regards
Ali
Re: Question about rlm modules
Hi again

By the way, the better approach to catch attributes' values is through the usage of the following function:

    vp_prints_value(char *out, int outlen, VALUE_PAIR *vp, int delimitst);

Regards
Ali

On 9/12/06, Ali Majdzadeh <[EMAIL PROTECTED]> wrote:

Hi Shankar

Yes, of course.

code:

    /* Fragment from inside a module function; needs <stdio.h> and <string.h>. */
    char USER_NAME[128];
    VALUE_PAIR *vp_iterator;

    USER_NAME[0] = '\0';
    vp_iterator = request->packet->vps;
    while (vp_iterator)
    {
        if (strcmp (vp_iterator->name, "User-Name") == 0)
            /* Bounded copy: the attribute value can be longer than USER_NAME. */
            snprintf (USER_NAME, sizeof (USER_NAME), "%s", (char *) vp_iterator->strvalue);
        vp_iterator = vp_iterator->next;
    }

This method also works for vendor specific attributes like Cisco-AVPAIR and ... .

Regards
Ali

On 9/12/06, Shankar Ganesh C <[EMAIL PROTECTED]> wrote:

Hi Ali,

Could you let me know how did u capture the vendor specific attributes in the rlm_module ? like the one you have described earlier getenv(USER_NAME) , getenv(Cisco_AVP) ?

Rgds,
Shankar ganesh

-Original Message-
From: freeradius-users-bounces+shankarganesh=[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ]On Behalf Of Ali Majdzadeh
Sent: Tuesday, September 12, 2006 5:10 PM
To: FreeRadius users mailing list
Subject: Question about rlm modules

Hi all

What is(are) the corresponding function pointer(s) for start and stop packets in an rlm module? (Something like xxx_authenticate)
Should I define my own custom function pointers? Then, How can I test them?

Best Regards
Ali
Re: Question about rlm modules
Hi Shankar

Yes, of course.

code:

    /* Fragment from inside a module function; needs <stdio.h> and <string.h>. */
    char USER_NAME[128];
    VALUE_PAIR *vp_iterator;

    USER_NAME[0] = '\0';
    vp_iterator = request->packet->vps;
    while (vp_iterator)
    {
        if (strcmp (vp_iterator->name, "User-Name") == 0)
            /* Bounded copy: the attribute value can be longer than USER_NAME. */
            snprintf (USER_NAME, sizeof (USER_NAME), "%s", (char *) vp_iterator->strvalue);
        vp_iterator = vp_iterator->next;
    }

This method also works for vendor specific attributes like Cisco-AVPAIR and ... .

Regards
Ali

On 9/12/06, Shankar Ganesh C <[EMAIL PROTECTED]> wrote:

Hi Ali,

Could you let me know how did u capture the vendor specific attributes in the rlm_module ? like the one you have described earlier getenv(USER_NAME) , getenv(Cisco_AVP) ?

Rgds,
Shankar ganesh

-Original Message-
From: freeradius-users-bounces+shankarganesh=[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ]On Behalf Of Ali Majdzadeh
Sent: Tuesday, September 12, 2006 5:10 PM
To: FreeRadius users mailing list
Subject: Question about rlm modules

Hi all

What is(are) the corresponding function pointer(s) for start and stop packets in an rlm module? (Something like xxx_authenticate)
Should I define my own custom function pointers? Then, How can I test them?

Best Regards
Ali
Question about rlm modules
Hi all

What is(are) the corresponding function pointer(s) for start and stop packets in an rlm module? (Something like xxx_authenticate)
Should I define my own custom function pointers? Then, How can I test them?

Best Regards
Ali
Re: How to enable session-timeout in freeradius
Hi Ranjeet

If you want to send AV pairs to a NAS, just print them to stdout.

Regards
Ali

On 9/11/06, Ranjeet Kumar <[EMAIL PROTECTED]> wrote:

Peter,

Can you please tell me how to send it (session–timeout) as reply item to NAS?

Thanks,
Ranjeet

Date: Sat, 9 Sep 2006 15:40:01 +
From: Peter Nixon <[EMAIL PROTECTED]>
Subject: Re: How to enable session-timeout in freeradius
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-15"

On Sat 09 Sep 2006 12:24, Ranjeet Kumar wrote:
> Hi,
>
> I am using freeradius and backend as mysql.
>
> Can you tell how to enable session-timeout?

Simply send it as a reply item to your NAS.

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Question about Multiple-valued attributes
Hi Alan

Thanks for your help.

Best Regards

On 9/7/06, Alan DeKok <[EMAIL PROTECTED]> wrote:

"Ali Majdzadeh" <[EMAIL PROTECTED]> wrote:
> Is it possible to catch Multiple-valued attributes through a C program?
> I can fetch, for example, User-Name attribute by calling USER_NAME = getenv
> (USER_NAME);
> but how should I fetch something like Cisco-AVPair?

You don't. You write a module in the server, that has complete access to everything.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: multiple values in an attribute
Ah sorry,

By the way, in the C code, please change Cisco-AVPair to CISCO_AVPAIR. This is the transformation which freeradius makes with regard to its environment variables and you should take care of the issue in your shell scripts or C code.

Best Regards
Ali

On 9/7/06, Ali Majdzadeh <[EMAIL PROTECTED]> wrote:

Hi Fonci

Thanks for your attention.
I consulted the freeradius documentation about the problem.
They have mentioned that the AV pairs which contain multiple values are maintained using arrays. These arrays are available in, for example, shell scripts:

example:
%{Cisco-AVPair[0]} references the value of the *first* Cisco-AVPair attribute (if it exists) in the request packet.

You can pass these values as command line arguments to your program.
But my problem was about fetching these types of AV pairs using getenv() in C.

Example:

    char *Cisco-AVPair;
    if (getenv ("Cisco-AVPair"))
    {
        Cisco-AVPair = getenv ("Cisco-AVPair");
    }

Hope this information can help.

Best Regards
Ali

On 9/7/06, Fonci <[EMAIL PROTECTED]> wrote:

Hi Ali!

I've seen your mail in the freeradius mailing list. I think we have the same problem. Let me write here mine:

So I get accounting requests from a client, which contains an attribute with these TLV parameters:

Type : PC_Header
Length: 76 bytes
The Problem:
Value : 003ab54687bcc3029a(152 hexadecimal numbers)
parts : message ID. | Event type |

The message ID is a random number. But I need to know the event type. But all of this are together in one attribute. I want to separate these.
How can I catch this value, and separate them? You mentioned a C program or something. Can you give me an advice, how to try, or where to find information?

Thank you, and
Regards:
F.
Re: multiple values in an attribute
Hi Fonci

Thanks for your attention.
I consulted the freeradius documentation about the problem.
They have mentioned that the AV pairs which contain multiple values are maintained using arrays. These arrays are available in, for example, shell scripts:

example:
%{Cisco-AVPair[0]} references the value of the *first* Cisco-AVPair attribute (if it exists) in the request packet.

You can pass these values as command line arguments to your program.
But my problem was about fetching these types of AV pairs using getenv() in C.

Example:

    char *Cisco-AVPair;
    if (getenv ("Cisco-AVPair"))
    {
        Cisco-AVPair = getenv ("Cisco-AVPair");
    }

Hope this information can help.

Best Regards
Ali

On 9/7/06, Fonci <[EMAIL PROTECTED]> wrote:

Hi Ali!

I've seen your mail in the freeradius mailing list. I think we have the same problem. Let me write here mine:

So I get accounting requests from a client, which contains an attribute with these TLV parameters:

Type : PC_Header
Length: 76 bytes
The Problem:
Value : 003ab54687bcc3029a(152 hexadecimal numbers)
parts : message ID. | Event type |

The message ID is a random number. But I need to know the event type. But all of this are together in one attribute. I want to separate these.
How can I catch this value, and separate them? You mentioned a C program or something. Can you give me an advice, how to try, or where to find information?

Thank you, and
Regards:
F.
Question about Multiple-valued attributes
Hi

Is it possible to catch Multiple-valued attributes through a C program?
I can fetch, for example, User-Name attribute by calling USER_NAME = getenv (USER_NAME);
but how should I fetch something like Cisco-AVPair?

Best Regards
Ali
Re: Freeradius + Cisco VoIP
Hi Alan

I replied Geoffrey with all I knew about AV pairs expected by a Cisco VoIP gateway. But I have another problem.
I am using rlm_example to develop a module to handle VoIP stuff.
My question is, how should I pack and send those AV pairs expected by the gateway?
For example, in example_authenticate function, I should return a number of AV pairs to the gateway in order to authenticate the user. How should I do that?

Best Regards
Ali

On 9/6/06, Alan DeKok <[EMAIL PROTECTED]> wrote:

"Geoffrey Cauchi" <[EMAIL PROTECTED]> wrote:
> Can anyone provide a sample config of the AV Pairs required by a cisco VoIP
> gateway to accept a user?

See the NAS documentation.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Freeradius + Cisco VoIP
Hi Geoffrey

I am using Cisco 3600. In my case, I have found out the following issues with AV pairs:

Call Leg 1:

Cisco sends the following AV pairs to the radius server:
User-Name
User-Password
h323-conf-id
Cisco-AVPair=h323-ivr-out
NAS-Port-Type
cisco-nas-port
NAS-Port
Cisco-AVPair=interface
Service-Type
NAS-IP-Address

Cisco expects to see the following AV pairs sent by the radius server:
h323-credit-amount
h323-credit-time
h323-return-code

Call Leg 2:

Cisco sends the following AV pairs to the radius server:
User-Name
User-Password
h323-conf-id
Cisco-AVPair=h323-ivr-out
Called-Station-Id
Service-Type
NAS-IP-Address

Cisco expects to see the following AV pairs sent by the radius server:
h323-credit-amount
h323-credit-time
h323-return-code

The above AV pairs are for authenticating the user, after these two call legs, you should concern accounting the user. I think there are no AV pairs sent by the radius server for accounting, since it just waits until Cisco sends the stop packet. Of course, there are two different sets of AV pairs that both have Acct-Status-Type=stop, but these two sets are for Call Leg 3 and 4, and they differ in one or two AV pairs from which you can determine the different call legs.

Hope this information can help you.

Best Regards
Ali

On 9/6/06, Geoffrey Cauchi <[EMAIL PROTECTED]> wrote:

Not much mention there unfortunately. A practical example would help me most.

Thanks
Gef

-Original Message-
From: freeradius-users-bounces+agcauchi=[EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]rg] On Behalf Of Alan DeKok
Sent: 06 September 2006 18:00
To: FreeRadius users mailing list
Subject: Re: Freeradius + Cisco VoIP

"Geoffrey Cauchi" <[EMAIL PROTECTED]> wrote:
> Can anyone provide a sample config of the AV Pairs required by a cisco VoIP
> gateway to accept a user?

See the NAS documentation.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Question about freeradius and Cisco VoIP router
Hello All

I am writing a C program as an external program for freeradius to handle authentication requests received from a Cisco VoIP router.
How can I pack attribute-value pairs and send them to the router? I can determine the attribute-value pairs transmitted by the router through environment variables, but I don't know how to send the attribute-value pairs which the router expects to receive.

Best Regards
Ali
Re: Question about RADIUS proxy
Hi Alan

Thanks for your attention. By the way, I recently read about NOREALM attribute. I think I should make use of this and specify the servers which I want to treat requests without realms, am I right?

Best Regards
Ali

On 8/6/06, Alan DeKok <[EMAIL PROTECTED]> wrote:

"Ali Majdzadeh" <[EMAIL PROTECTED]> wrote:
> Is it possible to configure a forwarding RADIUS server to broadcast a
> request to all remote RADIUS servers? (I mean, without paying attention to
> authentication realms)

No.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Question about RADIUS proxy
Hi

I am new to freeRADIUS. I have a question about RADIUS proxies. Is it possible to configure a forwarding RADIUS server to broadcast a request to all remote RADIUS servers? (I mean, without paying attention to authentication realms)

Best Regards
Ali