AW: SUSPENSION OF ACCOUNT

2005-10-25 Thread Marc . Werner

Hi,

Perhaps you can write a shellscript
which edits /etc/raddb/users ... it's just an idea.

Cheers Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of maruna
Sent: Tuesday, 25 October 2005 10:48
To: 'FreeRadius users mailing list'
Subject: SUSPENSION OF ACCOUNT

Thank you all,

I use FreeRadius v 1.0.5
with postgresql 7.3.4 on redhat Linux ES3 and it's been working well. However, I
want to create accounts that will be suspended after, let's say, a
month, and this suspension continues until the account is renewed manually.

Can someone give me an idea
of how this could be achieved?

Thank you,

goksie

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

AW: Allowing any NAS to connect to my radiusd.

2005-07-15 Thread Marc . Werner
From the security point of view, it would be easier to launch some type of 
non-repudiation attack without the need for spoofing, I think. The shared 
secret can easily be recovered by sniffing some RADIUS traffic and decrypting 
it. I think this is even mentioned in the RFC. 
So removing one lock and only leaving an insecure lock isn't a good idea, I 
think...

Rgds Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcin Jessa
Sent: Friday, 15 July 2005 13:10
To: FreeRadius users mailing list
Cc: [EMAIL PROTECTED]
Subject: Re: Allowing any NAS to connect to my radiusd.

On Fri, 15 Jul 2005 11:42:57 +0100
Guy Davies [EMAIL PROTECTED] wrote:

 Hi Marcin,
 
 You can create a subnet in clients.conf (e.g. 10.10.10.0/24) that can
 use the same key.  I think that doing 0.0.0.0/0 would be a very bad plan
 since it only requires that an attacker know the shared key to be able
 to send valid requests.  Since all your devices are matched by a single
 entry then *all* your devices by definition must use the same key 
Good point, they'd need the same key.

and it
 becomes more likely that the knowledge of that key will get out and
 you'll have the tedious task (if you even notice) of changing the secret
 key on every single NAS.
 
 If you can constrain it to a small subnet, then that's slightly better
 (although still somewhat risky).
 
 The best method is to have individual clients listed with *unique* keys
 per client (yes, I know this is a real pain but if you want security
 this is about the best you can do with the limited security afforded by
 the shared key).

I know how things work, I was just wondering about the approach since that 
would make some things easier for me.
What other risks does one run when others are able to query your radiusd?
I don't think dictionary checks are that useful since passwords and usernames are 
all pretty long and use special characters.
Could this have a more serious impact on the server, like DoS or such?

 
 Rgds,
 
 Guy
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On 
  Behalf Of Marcin Jessa
  Sent: 15 July 2005 11:29
  To: FreeRadius
  Subject: Allowing any NAS to connect to my radiusd.
  
  
  Hi.
  
  I would like to allow any NAS IP to connect to my radius 
  server restricting connections from NAS only with shared 
  secret - username and password. Is it possible to use 0.0.0.0 
  or ANY in clients.conf/SQL nas table ? What are the security 
  issues having an open setup like that ?
  
  Cheers
  Marcin Jessa.
 
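A check for the two configuration weaknesses Guy describes above (a catch-all 0.0.0.0/0 client entry and one secret reused across several clients), as an added example that is not code from the thread or from FreeRADIUS. It assumes the 1.x clients.conf layout with client, netmask and secret lines, and runs over a constructed sample file.

```shell
#!/bin/sh
# Added example, not code from the list posts or from FreeRADIUS itself.
# Audits a FreeRADIUS 1.x-style clients.conf for the two weaknesses the
# thread discusses: catch-all client entries and one secret shared by
# several clients. Assumes "client <addr>[/<bits>] {", optional
# "netmask = <bits>" and "secret = <value>" lines.

# Print one "address secret" pair per client block.
client_secrets() {
    awk '
        /^[[:space:]]*client[[:space:]]/ { addr = $2; mask = ""; secret = "" }
        /^[[:space:]]*netmask[[:space:]]*=/ { mask = $NF }
        /^[[:space:]]*secret[[:space:]]*=/  { secret = $NF }
        /^[[:space:]]*}/ && addr != "" {
            if (mask != "") addr = addr "/" mask
            print addr, secret
            addr = ""
        }' "$1"
}

# Entries that accept requests from any source address.
broad_clients() {
    client_secrets "$1" | awk '$1 == "0.0.0.0" || $1 ~ /\/0$/ { print $1 }'
}

# Secrets used by more than one client: a leak from any one NAS
# lets the holder impersonate all of them.
shared_secrets() {
    client_secrets "$1" | awk '
        { n[$2]++; who[$2] = who[$2] " " $1 }
        END { for (s in n) if (n[s] > 1) print "secret shared by" who[s] }'
}

# Constructed sample configuration; the secrets are made up.
CONF=$(mktemp)
cat >"$CONF" <<'EOF'
client 10.0.0.1 {
        secret = router-only-key
}
client 10.10.10.0 {
        netmask = 24
        secret = lab-key
}
client 0.0.0.0/0 {
        secret = lab-key
}
EOF
broad_clients "$CONF"
shared_secrets "$CONF"
```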


AW: suggested readings for newbies

2005-04-05 Thread Marc . Werner
http://www.freeradius.org/faq/ ;-)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of marc racal
Sent: Tuesday, 5 April 2005 09:23
To: freeradius-users@lists.freeradius.org
Subject: suggested readings for newbies

hello list,

any good (friendly) readings for newbies who want to setup freeradius?

-marc



Re: start freeradius on boot

2004-03-29 Thread Marc Werner
Which Linux distribution do you use?

Marc

On Monday, 29 March 2004 13:51, Sander Groenhaut wrote:
 Hello,

 I would like FreeRadius to boot automatically when the system starts,
 but I don't get it. Does anybody know
 how to make it?

 Sander


-- 
Marc Werner
[EMAIL PROTECTED]
ICQ#190044536
http://tuxxy.in.itzehoe.de




Re: accounting question

2004-03-23 Thread Marc Werner
an idea: 
turn log_auth_badpass = on and write a shellscript which reads out the logfile 
and deletes the user who tried to log in with a bad password.
i wrote a similar script to delete users by expiry date, using sed.

ciao marc werner

On Tuesday, 23 March 2004 08:47, Tim Bots wrote:
 As I am trying to tell is that my nas CAN disconnect users and block them
 from that time on. The only thing is that freeradius doesn't log this and
 as soon as they are logged out they can login again and the user gets again
 5 hours. This is not a thing I like. I guess that I have to use a database
 or something to log this.

 I hope someone can help me,

 Tim Bots

-- 
Marc Werner
[EMAIL PROTECTED]
ICQ#190044536
http://tuxxy.in.itzehoe.de


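The script that both of Marc's replies sketch (the one for suspending accounts by editing /etc/raddb/users, and the "delete users by expiry date, using sed" one above), written out as an added example that is not code from the list or from FreeRADIUS. It assumes a 1.x-style users file with Expiration values in the "Mon dd yyyy" form and works on a constructed sample file.

```shell
#!/bin/sh
# Added example, not from the list posts or FreeRADIUS itself. Comments out
# every entry in a FreeRADIUS 1.x-style users file whose Expiration check item
# lies before a given date; the account then stays suspended until someone
# re-enables it by hand. Assumes Expiration values like "Oct 25 2005".
month_num() {
    case "$1" in
        Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
        May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
        Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *) return 1;;
    esac
}

# "Oct 25 2005" -> 20051025, so dates compare as plain integers.
exp_key() {
    set -- $1
    d=$2; case $d in ?) d=0$d;; esac
    printf '%s%s%s\n' "$3" "$(month_num "$1")" "$d"
}

# Names of users whose Expiration is strictly before $2 (YYYYMMDD).
expired_users() {
    grep -E '^[^[:space:]#].*Expiration' "$1" | while IFS= read -r line; do
        name=${line%%[[:space:]]*}
        exp=${line#*Expiration}; exp=${exp#*\"}; exp=${exp%%\"*}
        if [ -n "$exp" ] && [ "$(exp_key "$exp")" -lt "$2" ]; then
            echo "$name"
        fi
    done
}

# Copy of $1 with each expired user's entry (name line plus its indented
# reply items, up to the next blank line) commented out.
disable_expired() {
    names=$(expired_users "$1" "$2" | tr '\n' ' ')
    awk -v list=" $names" '
        /^[^[:space:]#]/ { skip = index(list, " " $1 " ") > 0 }
        /^[[:space:]]*$/ { skip = 0 }
        { print (skip ? "#" : "") $0 }' "$1"
}

# Constructed sample users file; names and passwords are made up.
USERS=$(mktemp)
cat >"$USERS" <<'EOF'
alice   User-Password == "s3cr3t", Expiration == "Sep 30 2005"
        Framed-Protocol = PPP

bob     User-Password == "pa55w0rd", Expiration == "Dec 31 2005"
EOF
```

Running disable_expired "$USERS" 20051025 prints the file with alice's entry commented out and bob's untouched; redirect it to a temporary file and move it over the original to apply it.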


FR doesn't know my users

2004-03-19 Thread Marc Werner
hi group!

i have a problem with my FreeRADIUS server. the radiusd starts normally but i 
cannot log on with a username and password defined in /etc/raddb/users. the 
client is a Cisco 1720 router. below you find some logs i made. perhaps you 
can pick out what went wrong. thanks for your help!!!

ciao marc werner

/etc/raddb/clients.conf:
client 10.0.0.1 {
 secret = meinsecret
 shortname = 1720 }

output from tcpdump:
09:39:00.304215 10.0.0.1.sightline > radius.radius: rad-access-req 72 [id 1] 
Attr[ NAS_ipaddr{10.0.0.1} NAS_port{0} NAS_port_type{Async} User{$enab15$} [|
radius]
09:39:05.304134 10.0.0.1.sightline > radius.radius: rad-access-req 72 [id 1] 
Attr[ NAS_ipaddr{10.0.0.1} NAS_port{0} NAS_port_type{Async} User{$enab15$} [|
radius]
09:39:05.304742 arp who-has 10.0.0.1 tell radius
09:39:05.305353 arp reply 10.0.0.1 is-at 0:b0:c2:89:d6:58
09:39:05.305370 radius.radius > 10.0.0.1.sightline: rad-access-reject 20 [id 
1] (DF)
09:39:05.305377 radius.radius > 10.0.0.1.sightline: rad-access-reject 20 [id 
1] (DF)

/var/log/radius/radius.log:
Fri Mar 19 09:02:35 2004 : Info: Using deprecated naslist file. Support for 
this will go away soon.
Fri Mar 19 09:02:35 2004 : Info: Using deprecated clients file. Support for 
this will go away soon.
Fri Mar 19 09:02:35 2004 : Info: Using deprecated realms file. Support for 
this will go away soon.
Fri Mar 19 09:02:35 2004 : Info: HASH: Reinitializing hash structures and 
lists for caching...
Fri Mar 19 09:02:35 2004 : Info: HASH: Stored 17 entries from /etc/passwd
Fri Mar 19 09:02:35 2004 : Info: HASH: Stored 36 entries from /etc/group
Fri Mar 19 09:02:35 2004 : Info: Listening on IP address 10.0.0.2, ports 1812/
udp and 1813/udp, with proxy on 1814/udp.
Fri Mar 19 09:02:35 2004 : Info: Ready to process requests.
Fri Mar 19 09:05:07 2004 : Auth: Login incorrect: [$enab15$/sususe8710] (from 
client 1720 port 0)
Fri Mar 19 09:39:00 2004 : Auth: Login incorrect: [$enab15$/sususe8710] (from 
client 1720 port 0)

output from debug-mode:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /
 main: localstatedir = //var
 main: logdir = //var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = //var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = //var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = //var/run/radiusd.pid
 main: bind_address = 10.0.0.2 IP address [10.0.0.2]
 main: user = root
 main: group = root
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded System 
 unix: cache = yes
 unix: passwd = /etc/passwd
 unix: shadow = /etc/shadow
 unix: group = /etc/group
 unix: radwtmp = //var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
HASH:  Reinitializing hash structures and lists for caching...
  HASH:  user root found in hashtable bucket 11726
  HASH:  user bin found in hashtable bucket 86651
  HASH:  user daemon found in hashtable bucket 11668
  HASH:  user lp found in hashtable bucket 54068
  HASH:  user mail found in hashtable bucket 79471
  HASH:  user news found in hashtable bucket 5375
  HASH:  user uucp found in hashtable bucket 38541
  HASH:  user games found in hashtable bucket 47657
  HASH:  user man found in hashtable bucket 50534
  HASH:  user wwwrun found in hashtable bucket 21080
  HASH:  user ftp found in hashtable bucket 56226
  HASH:  user nobody found in hashtable bucket 99723
  HASH:  user at found in hashtable bucket 67095
  HASH:  user sshd found in hashtable bucket 71560
  HASH:  user postfix found in hashtable bucket 23093
  HASH:  user radiusd found in hashtable bucket 55046
  HASH:  user ntp found in hashtable bucket 21418
HASH:  Stored 17 entries