Re: possible ascend data filter problems
On Tuesday 10 January 2006 06:41 pm, Alan DeKok wrote:
Chuck [EMAIL PROTECTED] wrote:
i have been working with our upstream dialup provider for a week now and
he
has come to the conclusion that freeradius is passing the data as ascii
rather than abinary.
Hmm... that shouldn't happen. Which version are you running?
below is the entire ebuild configuration/compile section in case there is
something there that may cause this... it is freeradius 1.0.5.. also below
this is the output from radtest if that might help too. the more i look into
this the more i am confused as to why it isn't working properly.
-
src_compile() {
# export WANT_AUTOCONF=2.1
autoconf
local myconf= \
`use_with snmp` \
`use_with frascend ascend-binary` \
`use_with frxp experimental-modules` \
`use_with udpfromto` \
`use_with edirectory edir`
if useq frnothreads; then
myconf=${myconf} --without-threads
fi
#fix bug #77613
if has_version app-crypt/heimdal; then
myconf=${myconf} --enable-heimdal-krb5
fi
# kill modules we don't use
if ! use ssl; then
einfo removing rlm_eap_tls and rlm_x99_token (no use ssl)
rm -rf src/modules/rlm_eap/types/rlm_eap_tls
src/modules/rlm_x99_token
fi
if ! use ldap; then
einfo removing rlm_ldap (no use ldap)
rm -rf src/modules/rlm_ldap
fi
if ! use kerberos; then
einfo removing rlm_krb5 (no use kerberos)
rm -rf src/modules/rlm_krb5
fi
if ! use pam; then
einfo removing rlm_pam (no use pam)
rm -rf src/modules/rlm_pam
fi
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--mandir=/usr/share/man \
--with-large-files --disable-ltdl-install --disable-static \
${myconf} || die
make || die
}
---
plus, when i use radtest i get this result which seems to me to be either
hex-text or the proper 'binary' they are looking for? i am not familiar with
this...
rad_recv: Access-Accept packet from host 64.113.39.5:1645, id=88, length=291
Service-Type = Framed-User
Framed-Protocol = PPP
Port-Limit = 1
Ascend-Data-Filter = 0x697020696e20666f72776172642074637020657374
Ascend-Data-Filter =
0x697020696e20666f72776172642064737469702036342e3131332e33342e302f32342030
Ascend-Data-Filter =
0x697020696e20666f72776172642064737469702036342e3131332e33362e34362f32382030
Ascend-Data-Filter =
0x697020696e2064726f702074637020647374706f7274203d203235
Ascend-Data-Filter = 0x697020696e20666f72776172642030
Ascend-Data-Filter =
0x697020696e2064726f702074637020737263706f7374203d203830
Ascend-Client-Assign-DNS = DNS-Assign-Yes
Ascend-Client-Primary-DNS = 64.113.32.54
Ascend-Client-Secondary-DNS = 64.113.39.4
Session-Timeout = 14400
That too did not change anything. In my testing If I just plug the ascend
attributes in my users file as follows
Ascend-data-filter += ip in forward tcp est,
Ascend-data-filter += ip in forward dstip 64.113.34.0/24,
Ascend-data-filter += ip in drop tcp srcport = 80,
Ascend-data-filter += ip in drop tcp dstport = 25,
Ascend-data-filter += ip in forward,
And they translate to Abinary fine. This leads me to believe it has to
do with the way sql is passing it to you radius server.
I don't see why. The users file reads ascii strings, and they get
packed as abinary stuff. The SQL module should be doing exactly the
same thing.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
Chuck
Windows?? You mean the thirty-two bit extension and graphical shell to a
sixteen-bit patch to an eight-bit operating system originally coded for a
four-bit microprocessor which was written by a two-bit company that can't
stand one bit of competition? Oh, that... -- Lee Clarke
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: possible ascend data filter problems
On Wednesday 11 January 2006 11:31 am, Alan DeKok wrote: Chuck [EMAIL PROTECTED] wrote: plus, when i use radtest i get this result which seems to me to be either hex-text or the proper 'binary' they are looking for? i am not familiar with this... rad_recv: Access-Accept packet from host 64.113.39.5:1645, id=88, length=291 Service-Type = Framed-User Framed-Protocol = PPP Port-Limit = 1 Ascend-Data-Filter = 0x697020696e20666f72776172642074637020657374 The hex is just the ASCII string value you entered on the server. Since it's not the proper abinary format, radclient can't decode it, and instead prints it as hex. The reason for this is that the server isn't encoding the attribute as abinary before sending it. That has to be fixed. This is almost always a dictionary problem. hmm ok wish i was more an expert at this... will have a closer look at the dictionary sections and try to figure it out. thanks Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Chuck Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
possible ascend data filter problems
i have been working with our upstream dialup provider for a week now and he has come to the conclusion that freeradius is passing the data as ascii rather than abinary. his tests used flat files while we use mysql. the filters we define are listed below from our support tech's email: -- That too did not change anything. In my testing If I just plug the ascend attributes in my users file as follows Ascend-data-filter += ip in forward tcp est, Ascend-data-filter += ip in forward dstip 64.113.34.0/24, Ascend-data-filter += ip in drop tcp srcport = 80, Ascend-data-filter += ip in drop tcp dstport = 25, Ascend-data-filter += ip in forward, And they translate to Abinary fine. This leads me to believe it has to do with the way sql is passing it to you radius server. --- any idea why /how this is happening? it is affecting our entire structure since we are also a proxy for approx 25 realms and it affects many of their setups too. these need to be passed to our upstream as abinary. -- Chuck - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: possible ascend data filter problems
On Tuesday 10 January 2006 06:41 pm, Alan DeKok wrote: version 1.0.5 i may have messed up with the configuration or dictionaries i don't know. the ascend dictionary is in the directory and is included in the main dictionary. this is a gentoo installation made by simply doing emerge freeradius so i don't know what the compile options were. i suppose i can find out if that is necessary. Chuck [EMAIL PROTECTED] wrote: i have been working with our upstream dialup provider for a week now and he has come to the conclusion that freeradius is passing the data as ascii rather than abinary. Hmm... that shouldn't happen. Which version are you running? That too did not change anything. In my testing If I just plug the ascend attributes in my users file as follows Ascend-data-filter += ip in forward tcp est, Ascend-data-filter += ip in forward dstip 64.113.34.0/24, Ascend-data-filter += ip in drop tcp srcport = 80, Ascend-data-filter += ip in drop tcp dstport = 25, Ascend-data-filter += ip in forward, And they translate to Abinary fine. This leads me to believe it has to do with the way sql is passing it to you radius server. I don't see why. The users file reads ascii strings, and they get packed as abinary stuff. The SQL module should be doing exactly the same thing. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Chuck Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
confused on attrs file entries
if i just used the default in the attrs file to test our realms replies and pass them on upstream, i am confused on how to limit.. example my realm sends me a reply of Session-Timeout = 8400 tested against my attrs file, it is within range so it would be passed.. my attrs contains Session-Timeout = 14400 now... if someone sends me a value above 14400 i am under the impression that the Session-Timeout reply would be dropped and none would be sent. I would like to, if the value is over, set the max value and send my reply instead of theirs still giving them the ability to send replies of less value to be passed.. i am confused how to do this. i am aware of the := operator which would substitute my value in place of whatever theirs is and pass it on, but how do I do a conditional in this file so I only do that if it is higher? -- Chuck Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: attrs file
On Wednesday 07 December 2005 12:56 am, Alan DeKok wrote: now why didn't i see that yesterday? guess i was reading too much :) thank you kind sir! Chuck Chuck [EMAIL PROTECTED] wrote: I have a need on one of my radius servers to pass every reply attribute my realms I proxy for send up to me regardless of what they are. I then pass these replies upstream. Everything I read describing the default 'realm' in the attrs file mention adding attributes I want to pass on. However in this one instance I would have to list every dictionary attribute. Is there not a way to tell radius to pass everything, maybe with a * on a single line or maybe nothing in the default section? Or must I list every single one? Don't use the attrs module. The default in the server is to pass all of the attributes. The attrs module filters out attributes. Alan Dekok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Chuck Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
accounting question
we keep getting a lot of missed stop packets that we never had problems with when we ran icradius. I don't know what the problem could be but I am getting ready to turn accounting off for us. However I have a major concern with this. We are using the mysql option with freeradius including the nas table. We use a flat file, proxy.conf, for our remote realm configurations. We proxy for a number of remote realms running their own radius authentication and they receive accounting information we receive from our upstream passed on to them. If I turn accounting off, is there a way we can still pass accounting through to our remote realms, or is it a global on/off switch that affects everyone? I just don't want to keep track of it locally until we can figure out what is causing this. I do notice a number of error messages about 0 length stop packets being received and I assume they are rejected. I have also contacted our upstream provider and asked them to be sure all is well with what they pass us. We use 1645:1646 and have those ports in iptables to freely accept.. are there possibly other ports I should be putting in there? -- Chuck - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: accounting question
On Thursday 10 November 2005 05:44 pm, Alan DeKok wrote: would it also do the same thing if I removed the simultaneous-use=1 check statement from the user group? until i can figure this out that would be my easiest thing still allowing writing to accounting for other purposes. Chuck [EMAIL PROTECTED] wrote: If I turn accounting off, is there a way we can still pass accounting through to our remote realms, or is it a global on/off switch that affects everyone? Yes. You can delete the detail and sql entries from accounting, and it won't log accounting to the local machine, but it will still proxy packets. I do notice a number of error messages about 0 length stop packets being received and I assume they are rejected. Yes. That shouldn't affect anything, though. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Chuck Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
adding a stop packet
We are using freeradius with mysql. Is there some kind of script to easily add a fake stop date/time to a user when one gets missed? Currently I am looking them up in the accounting table and manually editing the entry. Would like to find something that just takes username as input and creates a stop based on current date/time. We don't use the accounting for anything other than getting usage reports so if a few users are incorrect , no matter. This happens frequently ( several times a week) that we don't get stop packets from our upstream. Then when users attempt a login, simultaneous use check item kicks in and denies them. They claim there is nothing they can do about it. -- Chuck - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: adding a stop packet
On Tuesday 25 October 2005 03:54 pm, Alan DeKok wrote: Thanks all of you for the suggestions! Chuck [EMAIL PROTECTED] wrote: We are using freeradius with mysql. Is there some kind of script to easily add a fake stop date/time to a user when one gets missed? radzap. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Chuck Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
specific realm accounting
Is there a way to have only 2 particular realms get entered into our local accounting database? We proxy for 34 realms and presently all their data as well as our 2 local auth realms are being posted into accounting which makes our accounting database really huge. I want to pass any accounting data I receive on to the downstream realms without keeping a record of it locally. I only want our 2 local domains to be in the accounting table. As long as all info we receive is passed along, we hae no need or desire to maintain data on any of our proxied realms other than the auth lines in radius.log. Is there a way to do this? We use mysql but soon will be converting to postgresql. -- Chuck - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius Logging Abilities
On Monday 03 October 2005 08:18 pm, Alan DeKok wrote: Chuck [EMAIL PROTECTED] wrote: What i want to see in radius.log is an entry like this showing the nas-ip host/node name instead of radius client: Fri Sep 30 20:04:37 2005: Auth: Login OK: [EMAIL PROTECTED] (from nas nas5.tempe1.az.us.da.qwest.net/S7428) socket 0 (0 sec) For now, source code mods are required to change this text. oh boy. fun time then. thankfully that mod shouldn't be too major. I tried commenting out the detail area to eliminate accounting logs, but then radius complained bitterly about not having a detail section. Comment out the *rest* of the references to the detail module. i thought i did, but then again i did that early in the am after just waking up and still on my first coffee (when about all i can do correctly is push the red button so the light goes on to make coffee), so... will try again :) thanks! Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Chuck Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius Logging Abilities
I am totally lost here. I am getting this type entry in my radius.log listing the radius server contacting us. Sat Oct 1 12:05:07 2005 : Auth: Login OK: [EMAIL PROTECTED] (from client upstream-radius5 port 7490 cli 2199340456) and I have a lot of useless (to us) account log directories in the radacct logging directory. What I want to do is lower the amount of detail in the accounting logs to a single file that can be rotated or just do away with it. We run 90% as a proxy server anyway, and the accounting tables in the database provide us with any reports we need. What i want to see in radius.log is an entry like this showing the nas-ip host/node name instead of radius client: Fri Sep 30 20:04:37 2005: Auth: Login OK: [EMAIL PROTECTED] (from nas nas5.tempe1.az.us.da.qwest.net/S7428) socket 0 (0 sec) I have searched through the examples and text in every config file in the /etc/raddb and cannot find a way to accomplish this. The FreeRadius logging options look quite powerful so I am assuming there is a reasonably easy way of doing this that I am missing and/or not comprehending. I tried commenting out the detail area to eliminate accounting logs, but then radius complained bitterly about not having a detail section. Any clues how to accomplish this goal? The wanted format for radius.log is an absolute must. The entire log is useless to us showing the contacting radius client. We need to know the network node they dialed into. -- Chuck - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PAP and clear text
Thanks to all whom replied for your insight and direction. Regards, Chuck On Fri, 2005-09-16 at 20:10, [EMAIL PROTECTED] wrote: Hi, You must have missed the information in RFC 2865 (RADIUS), which is also a Fine Manual. The PAP password is XOR'd with the MD5 hash of the shared secret and the authenticator. Yes, that's a bit clearer than saying the password is hashed, since it also shows that the process is reversible and you can easily obtain the cleartext password from the obfuscated password. You've been reading about the protocol prior to the RADIUS client's involvment. The same thing applies to CHAP, just to head you off. No, not quite. Here, the password is (essentially) used as a key to compute the hash value of a challenge. Most notably, this means you (or the server) have no way whatsoever to get back to the clear text password from what is transmitted to the server. Regards, Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PAP and clear text
Hi All. I have a few freeRADIUS newbie questions for you. I have always read and been told that PAP is insecure because it transmits passwords in clear text. However, If I sniff the communication between my NAS and server when PAP is used, the password is indeed obfuscated. It appears to be hashed. So my questions are: 1) First and foremost, am I interpreting this correctly? 2) If so, is it the shared secret defined in the clients.conf file that is used as a key for the hash? 3) If not, any clue as to what I am seeing, and in that case, what is the shared secret used for? As you can see, I am looking for some basic info about the flow of the connection. I have taken an honest shot at RTFM, but have not come across these details yet. Can someone please explain or point me to an explanation? Thanks in advance. Chuck - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: user account expiration question
On Tuesday 25 January 2005 04:38 am, Albert Miles Enabe wrote: That one is of type date with the following attribute: # date- 32 bit value in big endian order - seconds since # 00:00:00 GMT, Jan. 1, 1970 I'm looking for something I can set date such as 02/02/2005 or some such syntax Try the Expiration attribute in radcheck table. Chuck [EMAIL PROTECTED] wrote: is there something easier to use than the Expire check item to expire users on or afer a certain date to trigger a deny response? No one in his right mind is going to sit there and even use a calculator for the number of seconds since some date in 1970! Isn't there some check item where I can just enter a normal date format? -- Chuck Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -- Chuck Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: user account expiration question
On Tuesday 25 January 2005 11:48 am, Alan DeKok wrote: Chuck [EMAIL PROTECTED] wrote: I'm looking for something I can set date such as 02/02/2005 or some such syntax The server accepts dates like January 1 2005 12:33:44 Very often in these cases, simply trying something that might work is a good idea. Interesting. Thank you. I guess I'm a bit too literal sometimes. I read the attributes for it and consider it gospel especially when there is nothing to indicate that any other type of entry would not break it. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Chuck Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
user account expiration question
is there something easier to use than the Expire check item to expire users on or afer a certain date to trigger a deny response? No one in his right mind is going to sit there and even use a calculator for the number of seconds since some date in 1970! Isn't there some check item where I can just enter a normal date format? -- Chuck Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mysql icradius to freeradius conversion and related questions
My boss wants me to move our icradius installation to a better radius. I believe that freeradius will do what we need, but I cannot easily find specifics on certain things and honestly am pressed against the wall for time on this. If some of these were answered in this list before i ask your indulgence. I have looked through the list archives but find only messages from 2002 and early 2003. We would install freeradius 1.0.1 with mysql support and want to use our existing icradius database since it is so large. 1. has anyone written a conversion script for this? Initial comparison of the sql.conf file showed me an op field difference, but I don't see how it is used or field type/length or what information is contained in it. 2. I noticed in some of the msgs for ver 0.8 that freeradius did not support using NAS as a proxy from the NAS mysql tables. Does it do so now? Flat files are truly not acceptable as we use this information in other programs as well. We are proxy for 26 realms below us in the dialup food chain and need to keep their info in the database. 3. If a proxied realm sends us special reply items such as ascend data filters or custom time limits, does freeradius pass that along to our upstream that queried us initially along with the authentication OK? icradius does not and we now find that we need this function.. These are my main concerns. Manually converting a database is not a good thing:) so hopefully any major differences such as field lengths or new fields etc can be had in some conversion script. -- Chuck Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mysql icradius to freeradius conversion and related questions
On Sunday 09 January 2005 02:22 pm, Thor Spruyt wrote: great. thank you! Chuck wrote: 1. has anyone written a conversion script for this? Initial comparison of the sql.conf file showed me an op field difference, but I don't see how it is used or field type/length or what information is contained in it. See doc/rlm_sql I suggest you make a copy of your current database and test freeradius with it to see where you need to adapt things. 2. I noticed in some of the msgs for ver 0.8 that freeradius did not support using NAS as a proxy from the NAS mysql tables. Does it do so now? Flat files are truly not acceptable as we use this information in other programs as well. We are proxy for 26 realms below us in the dialup food chain and need to keep their info in the database. 1.0.1 supports reading clients from sql Another solution would be to write a script that reads from sql and creates the clients.conf file 3. If a proxied realm sends us special reply items such as ascend data filters or custom time limits, does freeradius pass that along to our upstream that queried us initially along with the authentication OK? icradius does not and we now find that we need this function.. By default, all attributes sent by a homeserver are passed to the client unchanged. -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65 Bestel nu uw exemplaar van Operationele verkoop (Walter Spruyt - Liesbeth Huysmans) via www.salesguide.be Ontdek de Telenet Hotspot service op www.telenet.be/hotspots - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Chuck Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
