Re: 802.1x
On Tue, Nov 01, 2005 at 09:27:57PM -0500, Alex M wrote:
> What is the difference between plain Radius identification compared to 802.1x?

Basically 802.1x is between client and NAS, and radius is between NAS and AAA server. So how would you compare them?

Oliver.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: OT: Freeradius and Redback SMS 1800
On Tue, Oct 18, 2005 at 05:11:54PM +0200, Dominik Sennfelder wrote:
> We are using Freeradius with two Redback SMS 1800. Authorizing and accounting works with mysql.
> Is it possible to log the IP-Address at the beginning of the accounting?

See AOS Command Reference, AAA and Radius commands:

    aaa delay-start-record

Oliver.
Re: freeradius + MySQL not working after upgrade from 1.0.1
On Tue, Aug 23, 2005 at 06:30:16PM -0700, [EMAIL PROTECTED] wrote:
> Problem solved. I had been compiling version 1.0.1 without enabling Ascend binary support.
>
> > Are you sure you didn't edit the dictionaries? Are you sure there's no other attribute 242, of type octets? Are you sure you're using the 1.0.4 dictionaries with 1.0.4?
>
> I was in the process of removing and reinstalling freeradius, on what was already a fresh install on a new server, to make absolutely sure of all of that when I noticed a Gentoo local use flag, frascend, which appears to have been introduced in Gentoo freeradius ebuilds after version 1.0.1 and which changed the default behavior for later versions to not enable what was previously enabled by default.

frascend in the 1.0.4 ebuild seems to behave the same way as in my freeradius 0.9.0 ebuilds. I don't see that they changed the meaning of that use flag from my submitted ebuild over the 1.0.X versions to the 1.0.4 version. The default behavior is and was to only compile with-ascend-binary if the frascend use flag is present.

Oliver.
Re: Colubris-AVPairs
On Wed, Jul 27, 2005 at 03:07:00PM -0400, Andrey wrote:
> When I attempt to authenticate the AP, the Access-Accept response has only the first Colubris-AVPair, whichever it might be (I've tried different orders). Is there any reason for this kind of behaviour? Do attributes have to have unique names? (since all three are called Colubris-AVPair).

Try the += operator.

Oliver.
Re: Defining whole networks for huntgroups matching!
On Mon, Jul 25, 2005 at 01:36:19PM +0200, Erling Paulsen wrote:
> I'm using huntgroups to group our NAS-boxes, and I'm wondering if it is possible to designate whole networks a la A.B.C.D/24 instead of listing all boxes with multiple NAS-IP-Address statements?

If you can write the network as a regex, it should be possible to match all your NASes in one check.

Oliver.
Re: Error getting data from database
On Thu, Jul 21, 2005 at 11:34:17PM -0700, Nirmal wrote:
> Hi, I have installed freeradius 1.0.4 on linux 7.3 with postgresql. I'm getting the following error! What could be the reason?
>
>     rlm_sql: Failed to create the pair: Unknown attribute User-Password 

Perhaps that space at the end of the attribute string?

Oliver.
Re: Error getting data from database
On Fri, Jul 22, 2005 at 04:32:56AM -0700, Nirmal wrote:
> Thanks for your help. Which file should I look into in order to remove this space?

It's in your SQL database.

Oliver.
Re: MAX_PACKET_LEN setting limiting number of Cisco- Avpair's
On Tue, Jun 28, 2005 at 03:10:51PM -0700, Niall Browne wrote:
> Apart from this is there any other way to increase the number of Cisco-Avpair's within freeradius to be pushed to a firewall, or is this the maximum?

You already seem to know the way for creating acl via radius:

  inacl#X    An input access list definition. For IP, standard or extended access list syntax can be used, though you cannot mix them within a single list. For IPX, only extended syntax is recognized. The value of this attribute is the text that comprises the body of a named access list definition.

  outacl#X   An output access list definition. For IP, standard or extended access list syntax can be used. For IPX, only extended syntax is recognized. The value of this attribute is the text that comprises the body of a named access list definition.

But you might also use the ip:inacl/outacl without a rule number to assign a named ip access-list which is defined on the router:

router:

    ip access-list extended No-EIGRP
     remark Filters EIGRP Traffic
     remark used with dynamic ADSL
     deny eigrp any any
     permit ip any any

radius:

    Cisco-AVPair += ip:inacl=No-EIGRP,
    Cisco-AVPair += ip:outacl=No-EIGRP

If you have a CCO (I think you need one for that) you could take a look at Cisco's Dial Solutions Configuration Guide, which helps you with such stuff.

Oliver.
Re: radclient??
On Wed, Jun 01, 2005 at 11:44:07AM +0200, Sylvain Clerc wrote:
> On 6/1/05, Oliver Graf [EMAIL PROTECTED] wrote:
> > On Wed, Jun 01, 2005 at 11:07:13AM +0200, Sylvain Clerc wrote:
> > > I have to use radclient with another soft but I can't manage to run it. When I do:
> > >
> > >     radclient 192.168.1.1 auth secret
> > >
> > > nothing happens, it stays always empty. radtest works successfully and depends on radclient, that's why I don't understand why radclient doesn't work. Is my syntax wrong for radclient??
> >
> > What key/value pairs do you send through radclient? radclient waits for kv pairs to send on stdin and outputs the result on stdout.
>
> It must be my problem. I don't understand this concept of key/value pairs to use with radclient. I have to create a file with them, but how do I write them in this file?? Can you give me an example of this file???

    echo Some-Attribute = Value | radclient 192.168.1.1 auth secret

Just study radtest, and you see what it does. It's a shell script...

Oliver.
Re: freeradius and max4000
On Wed, Jun 01, 2005 at 02:37:04PM +0300, Dmitriy Milashenko wrote:
> When I try to connect using MAX4000, I get ip address = Framed-IP-Address+NAS-Port, but MAX4000 sends NAS-Port like 20102, so my ip address is 195.68.222.64+20102=195.69.44.198. At the same time I have an analog modem pool, working with portslave, that sends the NAS-Port attribute in the range 1-16. So the question is how to make MAX4000 send the NAS-Port attribute with lower values or make freeradius calculate the ip in another way.

I guess the freeradius expression syntax could help you in that case.

> I've heard that there is a patch for freeradius to work with MAX4000; if it is so, please tell me where I can get it.

Anyway: why not just use pools on the MAX? The MAX learns them via radius and assigns a certain pool to the connection. Easy, no radius magic required...

Oliver.
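The address arithmetic the question describes, as an added example that is not part of the list thread: it reproduces the 195.68.222.64 + 20102 overflow and contrasts it with a mapping that takes the offset from a bounded field and refuses results outside the pool. The NAS-Port field layout in channel_from_nas_port and the /27 pool are assumptions made for the example.

```python
"""Added example, not from the list thread: the Framed-IP-Address + NAS-Port
arithmetic described for the MAX4000, and a bounded variant of the mapping.
The NAS-Port field layout used in channel_from_nas_port is an assumption."""
import ipaddress

# Values quoted in the post.
BASE = ipaddress.IPv4Address("195.68.222.64")
MAX4000_NAS_PORT = 20102
PORTSLAVE_NAS_PORTS = range(1, 17)          # the analog pool sends 1..16

# Constructed assumption: the dial-in pool is one /27 (195.68.222.64 .. .95).
POOL = ipaddress.IPv4Network("195.68.222.64/27")


def naive_address(base: ipaddress.IPv4Address, nas_port: int) -> ipaddress.IPv4Address:
    """The rule the post describes: add NAS-Port straight onto the base address.
    For NAS-Port 20102 the sum carries into the second and third octets, so the
    NAS hands out an address from a network it does not own."""
    return base + nas_port


def channel_from_nas_port(nas_port: int, channels_per_line: int = 100) -> int:
    """ASSUMPTION: read the low two decimal digits of an Ascend-style NAS-Port
    (20102 -> 2) as the channel index.  The real MAX4000 encoding is not on the
    page; the point is that the offset must come from a field with a known bound.
    Small portslave ports (1..16) pass through unchanged."""
    return nas_port % channels_per_line


def bounded_address(base: ipaddress.IPv4Address, nas_port: int,
                    pool: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """Derive the offset from the bounded channel field and refuse any result
    that would leave the pool instead of silently assigning a foreign address."""
    candidate = base + channel_from_nas_port(nas_port)
    if candidate not in pool:
        raise ValueError(f"NAS-Port {nas_port} maps outside {pool}: {candidate}")
    return candidate


def leaves_pool(base: ipaddress.IPv4Address, nas_port: int,
                pool: ipaddress.IPv4Network) -> bool:
    """True when the naive rule would assign an address outside the pool."""
    return naive_address(base, nas_port) not in pool


if __name__ == "__main__":
    print("naive  :", naive_address(BASE, MAX4000_NAS_PORT))      # 195.69.44.198
    print("bounded:", bounded_address(BASE, MAX4000_NAS_PORT, POOL))
    for port in PORTSLAVE_NAS_PORTS:
        assert not leaves_pool(BASE, port, POOL)
```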
Re: radclient??
On Wed, Jun 01, 2005 at 11:07:13AM +0200, Sylvain Clerc wrote:
> I have to use radclient with another soft but I can't manage to run it. When I do:
>
>     radclient 192.168.1.1 auth secret
>
> nothing happens, it stays always empty. radtest works successfully and depends on radclient, that's why I don't understand why radclient doesn't work. Is my syntax wrong for radclient??

What key/value pairs do you send through radclient? radclient waits for kv pairs to send on stdin and outputs the result on stdout.

Oliver.
Re: Freeradius logs Connections 4 times with Acct-Delay-Time
On Thu, Nov 11, 2004 at 12:48:38PM +0100, Dominik Sennfelder wrote:
> the connection Start and Stop is logged 4 times. That means the Start is listed 4 times with the same Acct-Session-Id and the Stop is listed 4 times with the same.
> for example a part of the log and my radiusd.conf
> Does anyone have an idea what the problem could be?

Your redback does not receive the responses of the radius server that it has received the accounting packet, so the redback resends it. This can be an ip mismatch (i.e. redback sends to x, but radius answers with y). Try to dump the packets to see what's the difference.

Oliver.
Re: radius client
On Wed, Oct 13, 2004 at 03:52:08PM +0800, Yyc wrote:
> hi all, I will write a radius client which will be embedded in some NAS device. Does someone know what program environment will be offered to me? Can the radclient of freeradius run there?

If you want to write something for an embedded device, why don't you know its capabilities?

Oliver.
Re: Ascend MAX 6000 Problems
On Sun, Oct 10, 2004 at 06:07:43PM -0400, Corey Jarvis wrote:
> If anyone has experienced something similar or can help it would be appreciated.

I get those packets too. I just ignore them. Works like a charm.

Oliver.
Re: NAS-Identifier check
On Mon, Oct 11, 2004 at 06:56:01AM -0700, Alex wrote:
> Hello, I want TTLS users to be authenticated using their login/pwd _AND_ the NAS-Identifier attribute from the Access-Req packet. It works fine with User-Password, but when I add NAS-Identifier == 'my_router' to the radcheck table, freeradius says 'Auth-Type notfound'. The debug shows that 'my_router' sends the correct value for this attribute. When I change to :=, users can login even if the value is completely changed (i.e. I put his_router instead).

Use Auth-Type := Accept

Oliver.
Re: NAS-Identifier check
On Tue, Oct 12, 2004 at 02:11:02AM -0700, Alex wrote:
> If Auth-Type is Accept, no EAP negotiation occurs. What I want is TTLS established and user credentials checked and also the NAS-Identifier value checked. That is, block some TTLS users from connecting from behind another NAS than their own. I get users accepted if the TTLS user has only 'User-Password' and '==' in the radcheck. As soon as I add 'NAS-Identifier', '==', 'my_nas', it says Auth-Type not found.

Ah, ok. I use huntgroups for a similar thing (restricting certain accounts to certain NASes). Perhaps this is something that might help you, too?

Oliver.
Re: NAS-Identifier check
On Tue, Oct 12, 2004 at 07:10:47AM -0700, Alex wrote:
> OK, I defined a huntgroup
>
>     test    NAS-Identifier == my_nas
>
> in the huntgroups file and added
>
>     | eap_user | Huntgroup-Name | == | test |
>
> to the radcheck table. It says
>
>     No matching entry in the database for request from user [eap_user]
>
> and
>
>     auth: No authenticate method (Auth-Type) configuration found for the request
>
> When op for Huntgroup-Name changes to := in radcheck, user gets authenticated no matter what is sent in NAS-Identifier.

:= is assignment, it cannot work. I check NAS-IP-Address in huntgroups.

Oliver.
Re: Double quoting in sql?
On Fri, Sep 24, 2004 at 10:24:09AM -0400, Alan DeKok wrote:
> Oliver Graf [EMAIL PROTECTED] wrote:
> > I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one small problem in the sql module: a Username seems to be quoted two times, first when setting sql_user_name, then when doing the xlat on the whole query.
> > Debug output:
> >
> >     radius_xlat: 'test=23test'
>
> Something is escaping '#' to '=23', probably in the SQL module.

Yeah. The problem is that the allowed_chars string in 0.9.3 included '=', but the one in 1.0.1 does not. The pity is that omitting '=' from allowed chars is obviously correct, cause it's the char used to quote stuff. Like you need to use %% to get one %, an unescaped = should become a =3D. But cause radius_xlat (or whatever else...) does not know if a value of a pair is already escaped (as SQL-User-Name is), this creates some ugly double escaping.

So the correct solution is to change the sql.conf and remove SQL-User-Name from it, cause freeradius 1.0.1 will escape pairs used inside queries always correctly, as it seems.

Oliver.
Re: Double quoting in sql?
On Wed, Sep 29, 2004 at 08:10:45AM +0200, Oliver Graf wrote:
> On Fri, Sep 24, 2004 at 10:24:09AM -0400, Alan DeKok wrote:
> > Oliver Graf [EMAIL PROTECTED] wrote:
> > Something is escaping '#' to '=23', probably in the SQL module.
>
> Yeah. The problem is that the allowed_chars string in 0.9.3 included '=', but the one in 1.0.1 does not. But cause radius_xlat (or whatever else...) does not know if a value of a pair is already escaped (as SQL-User-Name is), this creates some ugly double escaping.
>
> So the correct solution is to change the sql.conf and remove SQL-User-Name from it, cause freeradius 1.0.1 will escape pairs used inside queries always correctly, as it seems.

Wrong. Correct is: sql_set_user does NOT need to use sql_escape_func in radius_xlat. That way the SQL-User-Name pair is unescaped, as any other pair, and the radius_xlat (with sql_escape_func) that is run on the query will escape that pair correctly, as it does it for any other pair.

Diff vs 1.0.1 attached.

Oliver.

--- freeradius-1.0.1/src/modules/rlm_sql/rlm_sql.c.orig 2004-09-29 08:15:55.0 +0200 +++ freeradius-1.0.1/src/modules/rlm_sql/rlm_sql.c 2004-09-29 08:16:37.0 +0200 @@ -459,7 +459,7 @@ if (username != NULL) { strNcpy(tmpuser, username, MAX_STRING_LEN); } else if (strlen(inst-config-query_user)) { - radius_xlat(tmpuser, sizeof(tmpuser), inst-config-query_user, request, sql_escape_func); + radius_xlat(tmpuser, sizeof(tmpuser), inst-config-query_user, request, NULL); } else { return 0; }
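Review bot: passing NULL instead of sql_escape_func in the changed radius_xlat call leaves SQL-User-Name holding the raw User-Name, so the fix only holds as long as every query that references %{SQL-User-Name} is expanded through a radius_xlat that does use sql_escape_func, as the surrounding text states; the `username != NULL` branch above the change already copies its argument verbatim with strNcpy, so the two branches now agree, but a one-line comment at the changed call saying that SQL-User-Name is deliberately stored unescaped would keep a later maintainer from re-adding the escape function. Separately, the hunk as reproduced here reads `inst-config-query_user`, which is not valid C member access and looks like mail transport lost characters, so the attached file rather than this inline text is the copy to apply.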
Double quoting in sql?
Hi!

I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one small problem in the sql module: a Username seems to be quoted two times, first when setting sql_user_name, then when doing the xlat on the whole query. Am I just missing a config change? From the sample config I can see no difference.

Fix: I use %{User-Name} in the queries instead of %{SQL-User-Name}

Config:

    sql_user_name = %{User-Name}
    authorize_check_query = SELECT id,name,attr,value,op FROM ${authcheck_table} WHERE name = '%{SQL-User-Name}' AND kind = 'user' AND type = 'check' ORDER BY id

Debug output:

    radius_xlat: 'test=23test'
    rlm_sql (sql): sql_set_user escaped user -- 'test=23test'
    radius_xlat: 'SELECT id,name,attr,value,op FROM radiususers WHERE name = 'test=3D23test' AND kind = 'user' AND type = 'check' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 9
    rlm_sql_mysql: query: SELECT id,name,attr,value,op FROM radiususers WHERE name = 'test=3D23test' AND kind = 'user' AND type = 'check' ORDER BY id
    rlm_sql (sql): User test=23test not found in radcheck

Oliver.
Re: Double quoting in sql?
On Fri, Sep 24, 2004 at 09:39:07AM +0200, Oliver Graf wrote:
> I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one small problem in the sql module: a Username seems to be quoted two times, first when setting sql_user_name, then when doing the xlat on the whole query. Am I just missing a config change? From the sample config I can see no difference.
>
> Fix: I use %{User-Name} in the queries instead of %{SQL-User-Name}

Test Command:

    /usr/bin/radtest test#test test localhost 1 testing123 1 127.0.0.1

Config:

    sql_user_name = %{User-Name}
    authorize_check_query = SELECT id,name,attr,value,op FROM ${authcheck_table} WHERE name = '%{SQL-User-Name}' AND kind = 'user' AND type = 'check' ORDER BY id

Debug output:

    radius_xlat: 'test=23test'
    rlm_sql (sql): sql_set_user escaped user -- 'test=23test'
    radius_xlat: 'SELECT id,name,attr,value,op FROM radiususers WHERE name = 'test=3D23test' AND kind = 'user' AND type = 'check' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 9
    rlm_sql_mysql: query: SELECT id,name,attr,value,op FROM radiususers WHERE name = 'test=3D23test' AND kind = 'user' AND type = 'check' ORDER BY id
    rlm_sql (sql): User test=23test not found in radcheck

Oliver.
Re: Double quoting in sql?
On Fri, Sep 24, 2004 at 02:31:47PM +0400, Alexander M. Pravking wrote:
> On Fri, Sep 24, 2004 at 09:39:07AM +0200, Oliver Graf wrote:
> > Hi! I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one small problem in the sql module: a Username seems to be quoted two times, first when setting sql_user_name, then when doing the xlat on the whole query.
>
> IIRC this behaviour is here since the SQL-User-Name attribute is handled by rlm_sql, because it's being escaped twice. Two ways I see:
> 1. avoid using %{SQL-User-Name} in queries.
> 2. patch rlm_sql.c::sql_set_user to pass func=NULL to radius_xlat.

It does not seem that the change which causes this is in rlm_sql.c. I guess it is to search in variable expansion of main/xlat.c. But I currently fail to see the change between 0.9.3 and 1.0.1 where this happened... perhaps I will take a deeper look later.

Oliver.
Re: Double quoting in sql?
On Fri, Sep 24, 2004 at 03:04:56PM +0400, Alexander M. Pravking wrote:
> On Fri, Sep 24, 2004 at 12:39:09PM +0200, Oliver Graf wrote:
> > It does not seem that the change which causes this is in rlm_sql.c. I guess it is to search in variable expansion of main/xlat.c. But I currently fail to see the change between 0.9.3 and 1.0.1 where this happened... perhaps I will take a deeper look later.
>
> Hmm... 0.9.3 did escaping for anything except:
>
>     @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: =/
>
> and the default setting of safe-characters is the same now, so the '#' char should have been escaped in 0.9.3 too. Didn't you patch rlm_sql.c of 0.9.3 to modify the safe char list? ;-)

Nope. I have a database with test=23test instead of test#test... :)

Oliver.
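A model of the escaping discussed across this thread (the 'test#test' posts, Alan's '=23' observation and the sql_set_user patch), as an added example that is not part of the list thread or of the FreeRADIUS code: it implements the =XX escaping, shows how applying it in sql_set_user and again in the query xlat yields the 'test=3D23test' seen in the debug output, and shows the single-escape path the patch leaves. The safe-character list is the 0.9.3 list quoted above with '=' removed, which is the 1.0.1 difference the thread identifies; the query is the one from the posts with the table name already expanded.

```python
"""Added example, not from the thread: a model of rlm_sql's sql_escape_func
and of the two places the thread says 1.0.1 applied it.  The safe character
list is the 0.9.3 list quoted in the thread with '=' removed, as the thread
describes 1.0.1."""

SAFE_CHARS_1_0_1 = ("@abcdefghijklmnopqrstuvwxyz"
                    "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")

# authorize_check_query from the thread, ${authcheck_table} already expanded.
QUERY = ("SELECT id,name,attr,value,op FROM radiususers "
         "WHERE name = '%{SQL-User-Name}' AND kind = 'user' "
         "AND type = 'check' ORDER BY id")


def sql_escape(value: str, safe: str = SAFE_CHARS_1_0_1) -> str:
    """Replace every character outside `safe` with '=' plus two hex digits,
    the =XX form in the debug output ('#' -> '=23').  Since '=' is not safe,
    escaping an already escaped string escapes it again ('=23' -> '=3D23')."""
    return "".join(c if c in safe else "=%02X" % ord(c) for c in value)


def sql_unescape(value: str) -> str:
    """Inverse of sql_escape: decode each =XX back to its character."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "=" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def double_escaped_query(user_name: str) -> str:
    """1.0.1 as described in the thread: sql_set_user stores an escaped
    SQL-User-Name, then the xlat of the whole query escapes the pair again."""
    sql_user_name = sql_escape(user_name)      # "sql_set_user escaped user"
    return QUERY.replace("%{SQL-User-Name}", sql_escape(sql_user_name))


def single_escaped_query(user_name: str) -> str:
    """After the posted patch (func=NULL in sql_set_user): SQL-User-Name holds
    the raw name and only the query xlat escapes it.  One round is enough to
    keep a quote in the name inside the SQL string literal."""
    return QUERY.replace("%{SQL-User-Name}", sql_escape(user_name))


def literal_in_query(query: str) -> str:
    """Pull the name literal back out of the WHERE clause for inspection."""
    start = query.index("name = '") + len("name = '")
    return query[start:query.index("'", start)]


if __name__ == "__main__":
    print(literal_in_query(double_escaped_query("test#test")))   # test=3D23test
    print(literal_in_query(single_escaped_query("test#test")))   # test=23test
```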
Re: Antwort: Re: Open Radius and Novell Certification Server
On Tue, Jul 20, 2004 at 10:11:17AM +0200, [EMAIL PROTECTED] wrote:
> Excuse me, which is the right one?

It's no good sign if you don't know the radius server you want to use... ;)

Google thinks this is openradius: http://www.xs4all.nl/~evbergen/openradius/index.html

Oliver.
Re: Antwort: Re: Antwort: Re: Open Radius and Novell Certification Server
On Tue, Jul 20, 2004 at 11:26:41AM +0200, [EMAIL PROTECTED] wrote:
> Ok, I like to use http://www.xs4all.nl/~evbergen/openradius/index.html ;) Is it possible that it works with Novell Certificate Server? I think that's a very heavy scenario... ;) The Server manages and creates Certificates and radius works with it; that is my problem, about the interface between the two servers.

Ok, now you know the webpage of OpenRadius. Next step: try to send your question to the OPENradius mailing list, cause this here is the FREEradius mailing list.

Oliver.
Re: LDAP and CHAP
On Thu, Jul 15, 2004 at 03:07:44PM +0200, Oliver Graf wrote:
> On Thu, Jul 15, 2004 at 02:35:03PM +0200, Daniel Eyholzer wrote:
> > Mitchell, Michael [EMAIL PROTECTED] wrote:
> > > Well it's not a standard feature of freeRADIUS, and quite possibly shouldn't be, so probably never will be. ;-)
> >
> > Why isn't it a standard feature? Is there an obvious reason? Are you all storing your password in clear text in LDAP or whatever backend you use? Or are you just not using CHAP for authentication?
>
> I use such a thing for our mysql store. Just put the encrypted stuff in the database and change rad_ktk_decodepw in lib/radius.c to decrypt the password (I just check the length of the encrypted password, cause this clearly identifies them in my case). I can give a more concrete example, but I won't expose my reversible crypt algorithm :)

I could also provide a stub freeradius auth rlm as example.

Oliver.
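Why the thread ends up at cleartext or reversibly encrypted storage, as an added example that is not part of the list thread or of FreeRADIUS: the server-side CHAP check recomputes MD5 over ident, password and challenge (RFC 1994; RADIUS carries ident plus response in CHAP-Password per RFC 2865 section 5.3), so it needs the password value itself, while PAP can be checked against a salted one-way hash. The sample credentials and challenge are constructed for the example.

```python
"""Added example, not from the thread: a RADIUS server can only verify CHAP
when it can recover the password itself; PAP can be checked against a one-way
hash.  CHAP per RFC 1994, CHAP-Password layout per RFC 2865 section 5.3.
Credentials and challenge are constructed sample values."""
import hashlib
import hmac
import os


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attribute(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the NAS sends in CHAP-Password: the CHAP ident byte followed by the
    16-byte response.  The challenge travels in CHAP-Challenge or, when that
    attribute is absent, the 16-byte Request Authenticator is used instead."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes,
                recovered_password: bytes) -> bool:
    """Server side.  `recovered_password` must be the password itself (from a
    cleartext store, or decrypted from a reversibly encrypted one as the post
    describes); a one-way hash of the password cannot be substituted, which is
    the LDAP problem raised in the thread."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, recovered_password, challenge)
    return hmac.compare_digest(expected, response)


def store_pap_hash(password: bytes) -> bytes:
    """For contrast: PAP delivers the password itself, so the store can hold a
    salted one-way hash.  Layout: 16-byte salt || SHA-256(salt || password)."""
    salt = os.urandom(16)
    return salt + hashlib.sha256(salt + password).digest()


def verify_pap(password: bytes, stored: bytes) -> bool:
    """Recompute the salted hash over the password the NAS forwarded."""
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hashlib.sha256(salt + password).digest(), digest)


if __name__ == "__main__":
    challenge = os.urandom(16)                       # constructed sample
    attr = chap_password_attribute(1, b"sample-pw", challenge)
    print("CHAP ok:", verify_chap(attr, challenge, b"sample-pw"))
    print("PAP  ok:", verify_pap(b"sample-pw", store_pap_hash(b"sample-pw")))
```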
Re: I have MySql. Do I need CHAP, PAP, EAP or rlm_unix??
On Sat, Jan 24, 2004 at 10:07:11AM -0800, Jeff wrote:
> I have Freeradius 0.9.3 up and running with Gentoo Linux on x86 hardware. I had to comment out every instance of the unix module in radiusd.conf to get Freeradius to compile on Gentoo (for some reason the 'rlm_unix' module doesn't compile on Gentoo). Authentication is done with encrypted passwords in MySql.

Did you use the 0.9.3 ebuild or did you do it on your own? I made the ebuild, and I see no problems on any of my systems, so a more complete description would be helpful.

> 2) Since I authenticate thru MySql, do I need CHAP, PAP or EAP?

If you need PAP, CHAP or EAP depends on the type of auth you want to do, not on the type of storage backend...

Oliver.
Re: I have MySql. Do I need CHAP, PAP, EAP or rlm_unix??
On Sun, Jan 25, 2004 at 03:24:50PM +0100, Ciolo_-^DusT^-_WebMaster wrote:
> the secret... the secret word is given or I have to create it on my own... and if I have to create it or declare it... where... are there some particular suggestions on how to create a secret key...

Well... Let your head smash down on your keyboard and roll it to the left or to the right. Works well for me.

Oliver.