Re: Listen to multiple ports on a single server?
Hi Erling,

you can do something like that:

--- radiusd.conf ---
# SERVER CONFIGURATION
listen {
        ipaddr = *
        port = 1812
        type = auth
}
listen {
        ipaddr = *
        port = 1813
        type = acct
}
listen {
        ipaddr = *
        port = 1645
        type = auth
}
listen {
        ipaddr = *
        port = 1646
        type = acct
}
listen {
        ipaddr = *
        port = 2045
        type = auth
}
listen {
        ipaddr = *
        port = 2046
        type = acct
}
--- end ---

Regards,
Thomas MARCHESSEAU

Erling Paulsen wrote:
> On Mon, Jul 18, 2005 at 11:36:05AM -0400, Kevin Bonner, The Induhvidual, scrabbled:
> > On Monday 18 July 2005 10:10, Marcin Jessa wrote:
> > > On Mon, 18 Jul 2005 15:12:00 +0200 Erling Paulsen [EMAIL PROTECTED] wrote:
> > > > Hello. Right now I'm running multiple servers for listening to multiple
> > > > ports, for having the option of accommodating both NASes that use the old
> > > > 1645 port and the ones using the newer 1812 port for requests. Is there a
> > > > possibility to have one radiusd listen to more ports, or do I have to
> > > > reconfigure/tell all the old external participants to use the new 1812
> > > > port? From what I can read from the docs, I guess it's not possible!
> > > > Running v.1.0.4
> > > > - Erling Paulsen
> > >
> > > May I ask why you want to do such a thing? You can have freeradius
> > > running on both the old and new ports, then cut over your equipment and
> > > external radius clients as you please.
> >
> > The listen directive in raddb.conf can do what you want.
> >
> > Kevin Bonner
>
> Thanks for the help. That did the trick! I think that perhaps I asked this
> question a little fast. Haven't seen the 'listen' section in the .conf
> before - as I was upgrading multiple servers from v.0.93. Excellent feature :)
>
> - Erling

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Secondary SQL accounting instance needed
Hi Mark,

yes, you can. You don't need to log the stop ticket? This could be useful.

Regards
Thomas

> Before I go forth and break my radius and have a few thousand people
> looking for me: I want to collect the current allocated IP address and
> username into a separate MySQL table - if it (the user (= key)) exists,
> update the IP; if the user does not exist, add user and IP.
>
> I (think that I) understand that I need to have a second instance of
> 'sql'.. So, inside the default 'sql.conf' file I need to change a line near
> the top of the file from
>
>     sql {
>
> to something like
>
>     sql sql_main {
>
> and then add another named section such as
>
>     sql sql_catch_ip {
>             driver = "rlm_sql_mysql"
>             server = "DBserver.mydomain.com"
>             login = "radius-login"
>             password = "radius-password"
>             radius_db = "radius"
>             sqltrace = yes
>             sqltracefile = ${logdir}/sqltrace_catch_ip.sql
>             num_sql_socks = 5
>             connect_failure_retry_delay = 60
>             # MySQL requires backquotes around a hyphenated table name
>             accounting_start_query = "INSERT into `ip-table` (UserName, Realm, FramedIPAddress) \
>                     values ('%{Stripped-User-Name}', '%{Realm}', '%{Framed-IP-Address}')"
>             accounting_start_query_alt = "UPDATE `ip-table` SET FramedIPAddress = '%{Framed-IP-Address}' \
>                     WHERE UserName = '%{Stripped-User-Name}'"
>     }
>
> Then... in radiusd.conf, wherever I currently have 'sql', I change that to
> the (new) instance name sql_main, and in addition, in the accounting
> section, also add a line sql_catch_ip... Am I missing anything else?
Re: Radius+Nocat
Hi Chan,

The patch is really basic:

## -- begin ---
--- /usr/local/nocat/lib/NoCat/Source/RADIUS.pm 2004-02-26 10:46:41.0 +0100
+++ /usr/share/nocatauth/authserv/lib/NoCat/Source/RADIUS.pm 2004-06-25 13:39:12.0 +0200
@@ -85,8 +85,8 @@
# mimic the check_pwd from Authen::Radius
$radius-clear_attributes;
$radius-add_attributes (
-{ Name = 1, Value = $user-id },
-{ Name = 2, Value = $user_pw }
+{ Name = 1, Value = $user-id, Type = 'string' },
+{ Name = 2, Value = $user_pw, Type = 'string' }
);
my $radiuscheckok = 0;
## -- end ---

I did it myself; you can add all the attributes you need. For example, I need
the NAS-IP-ADDRESS to match with huntgroup + sql back end. If you need tips,
let me know.

Regards
Thomas MARCHESSEAU

Chan Min Wai wrote:
> Thomas MARCHESSEAU wrote:
> > HI all,
> >
> > Nocat rocks with Freeradius. I just have a pb with RADIUS.pm. Try this one,
> > and let me know if it's ok for you. Btw, Chilli works nice too.
> >
> > Regards
> > Thomas MARCHESSEAU
>
> However, I'm using chillispot at the time... But thanks for the script; it
> seems the one that you are having is a bit different. Could you please tell
> me where you got the patch?
>
> Regards,
> Chan Min Wai
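Review bot: the hunk lines have lost their Perl operators in this archive copy: `$radius-clear_attributes;` and `{ Name = 1, Value = $user-id }` can only have been `$radius->clear_attributes;` and `{ Name => 1, Value => $user->id }`, so the patch as displayed will neither apply nor compile; re-send it as an attachment so the arrows survive. A smaller point on the two `+` lines: the attributes are passed by bare number (1 and 2, i.e. User-Name and User-Password) with `Type => 'string'` added; using the dictionary names would document the intent and make it obvious to a reader why the explicit Type is needed.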
Re: authentication via web for wireless
Hi,

Have a look at NoCat or Chillispot. It works fine and is easy to deploy. You
can browse seattlewireless.net for more tips, or a ton of wifi websites.

regards
Thomas

Paulo Afonso Ribeiro Filho wrote:
> Does somebody know how or what to use to make an authentication via web for
> wireless?
>
> Yours truly
> Paulo Afonso
Re: my radiusd stops working under high load
Hi,

Could you paste a bit of logs? Or something? i.e., Nicolas Baradakis and I
have had some problems with radsqlrelay while working in high load mode
=> no more threads.

regards
Thomas MARCHESSEAU

shabanip wrote:
> what would be the potential causes?
Re: huntgroup question
Hi,

It works fine here.

Thomas.

Kostas Kalevras wrote:
> On Wed, 16 Feb 2005, Dustin Doris wrote:
>
> > I was wondering if you can add multiple check-items to huntgroup lines,
> > besides Nas-Port-Id. Right now, it appears to be working for me, with
> > Nas-Port-Type. Using something like this:
> >
> >     dial    NAS-IP-Address == 127.0.0.1, Nas-Port-Type == Async
> >     isdn    NAS-IP-Address == 127.0.0.1, Nas-Port-Type == ISDN
> >
> > It seems to be working fine for me, just wanted to check to see if that
> > is intended behavior. I only see reference to Nas-Port-ID in the
> > documentation, which is why I ask.
>
> I think you can.
>
> > Thanks
> > Dusty Doris
>
> --
> Kostas Kalevras           Network Operations Center
> [EMAIL PROTECTED]         National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow'   Gandalf
Re: radius - radius
Hi,

It's ok to use a second sql backend, not to send the request to a second home
radius..

Regards
Thomas

Junior Gillespie wrote:
> Here's how I did it. Note that there are many ways to do this.
>
> In radiusd.conf go to the modules section, and modify the $INCLUDE for
> sql.conf to look like this:
>
>     $INCLUDE ${confdir}/sql1.conf
>     $INCLUDE ${confdir}/sql2.conf   # adding as many sql db as needed.
>
> Then also add right below it the following:
>
>     sql sql1 {
>     }
>     sql sql2 {
>     }   # Must reflect the $INCLUDE from above.
>
> ### The Authorize section must have something similar to the following
>
>     group {
>             sql1 {
>                     fail     = 1
>                     notfound = 2
>                     noop     = return
>                     ok       = return
>                     updated  = return
>                     reject   = return
>                     userlock = return
>                     invalid  = return
>                     handled  = return
>             }
>             sql2 {
>                     fail     = 1
>                     notfound = 2
>                     noop     = return
>                     ok       = return
>                     updated  = return
>                     reject   = return
>                     userlock = return
>                     invalid  = return
>                     handled  = return
>             }
>     }
>
> ## Of course this too will need to reflect the modules section.
> ## May also want to add it into the accounting section. This will need to
> ## be modified regardless. Will need to modify it to look at sql1 etc.
>
> You must then copy the original sql.conf to sql1.conf... sql2.conf... and
> so on. Then modify the sql#.conf to meet your needs with db info. You will
> need to make the following change in the sql#.conf:
>
>     sql {
>
> to
>
>     sql sql1 {    # This is mandatory!
>
> Now restart radiusd with radiusd -X to see any errors you may get. This
> should work for you. Let me know if it does or doesn't.
>
> Junior Gillespie
> NOC Engineer
> T-SPEED Broadband Communications, Inc.
> 1-800-4TSpeed
> 972-458-0909
> [EMAIL PROTECTED]
> http://www.t-speed.com/
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dmitry S. Vlasov
> Sent: Monday, February 14, 2005 9:45 AM
> To: freeradius-users@lists.freeradius.org
> Subject: radius - radius
>
> > Hello!
> >
> > How can I create the following scheme: two freeradius servers, called A
> > and B.
> > 1) When the user is found but gets a Reject from server A, A tries to
> >    proxy this request to B, or
> > 2) When the user is not found on A, A proxies the request to B.
> >
> > Thank you!
Re: freeradius ports
hahaha 5 mails, you seem to be really happy ;)

cya
Thom

Thomas MARCHESSEAU wrote:
> Hi Esteban
>
> a part of radiusd.conf:
>
>     listen {
>             ipaddr = *
>             port = 1234
>             type = auth
>     }
>     listen {
>             ipaddr = *
>             port =
>             type = auth
>     }
>
> - it works fine.
>
> cya :)
>
> [EMAIL PROTECTED] wrote:
> > Is it possible to configure freeradius to run on more than one port?
> >
> > Regards,
> > Esteban
Re: Huntgroup
Hi Cris,

Huntgroups (small parts):

    #AFVALENT_09
    redback NAS-IP-Address == 80.xxx.xx.1
    # AGVALENT_11
    redback NAS-IP-Address == 80.xx.xx.2
    # A2MITRY__04
    (...)
    # Loopback1 of VALENTON
    lns-rtc NAS-IP-Address == 213.xx.xx.226
    # Loopback1 of MTY2MC7205
    lns-rtc NAS-IP-Address == 213.xx.xxx.90
    (..)
    # Valenton 12
    nas NAS-IP-Address == 195.xx.xx.5
    nas NAS-IP-Address == 195.xx.xx.6
    (..)
    #Loopback0 of ValentonLDP3/VAL3MC7213
    lns NAS-IP-Address == 213.xx.xx.14
    #Loopback0 of ValentonLDP4/VAL3MC7214
    lns NAS-IP-Address == 213.xxx.xxx.20
    #Loopback0 of ValentonLDP5/VAL3MC7215
    lns NAS-IP-Address == 213.xx.xx.21
    etc

The users file:

    DEFAULT Realm == xx.net, Huntgroup-Name == bas, Autz-Type := autz.xx.net
    DEFAULT Realm == xx.net, Huntgroup-Name == lns, Autz-Type := autz.xx.net
    DEFAULT Realm == xx.net, Huntgroup-Name == nas, Autz-Type := autz.xx.net
    DEFAULT Realm == xx.net, Huntgroup-Name == lns-rtc, Autz-Type := autz.xx.net
    DEFAULT Realm == xx.net, Huntgroup-Name == redback, Autz-Type := autz.xx.net
    DEFAULT Realm == xx.net, Huntgroup-Name == wifi, Autz-Type == autz.xx.net, Session-Type == wifi

I hope it helps you

Regards
Thomas MARCHESSEAU

Cris Boisvert wrote:
> Can I define the attributes in the users file and leave the actual users in
> the database? So the database will authenticate with the user/pass scenario
> and they read the users file for the attributes to reply with?
>
> Thanx
> Cris
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dustin Doris
> Sent: Wednesday, January 05, 2005 10:39 AM
> To: freeradius-users@lists.freeradius.org
> Subject: RE: Huntgroup
>
> > I apologize about the plain text. This is what I have in the huntgroup file.
> >
> >     Huntgroup1  NAS-IP-ADDRESS == 1.2.3.4
> >             Group = Dialup
> >             Slipstream-Auth = true,
> >             X-Ascend-Data-Filter == "ip in forward tcp est",
> >             X-Ascend-Data-Filter == "ip in forward dstip 1.2.5.4/32",
> >             X-Ascend-Data-Filter == "ip in drop tcp dstport = 25",
> >             X-Ascend-Data-Filter == "ip in forward",
> >
> >     Huntgroup2  NAS-IP-ADDRESS == 1.2.3.5
> >             Group = Wireless
> >             RB-Context-Name = local,
> >             Fall-Through = yes,
>
> The Huntgroups file is where you list attributes that would match the
> huntgroup. The users file or sql table is where you will list the
> attributes you want to reply to the user with.
>
> > My users file is empty because I use a Mysql database for the user
> > names. The database is set up like this:
> >
> >     Username   group      password
> >     Joe        Wireless   test
> >     Bob        Dialup     test
> >
> > Currently the sql group table responds based on the group I put them
> > in.. I want it not to be that way. I want it to respond based on the NAS
> > device the user connects from..
>
> Using huntgroups and users files you can do this. You could also store the
> reply attributes in a mysql group, but I've never done that, so can't help
> much on that.
>
> huntgroups:
>
>     group1  NAS-IP-Address == 1.1.1.1
>     group2  NAS-IP-Address == 2.2.2.2
>
> users:
>
>     DEFAULT Huntgroup-Name == group1
>             X-Ascend-Data-Filter == "ip in forward tcp est",
>             Reply-Attribute2 = value,
>             Reply-Attribute3 = value
>
>     DEFAULT Huntgroup-Name == group2
>             Reply-Attribute = value
>
> So, when a user comes in it will search the users file. If it comes from
> 1.1.1.1 it will match huntgroup-name group1. Then it is told to send those
> particular reply attributes. If the user does not come in from huntgroup1,
> it won't match and will continue searching the users file until there is a
> match. I think you just need to simplify your setup.
>
> Hope that helps. Remember, in the huntgroups file you just define what
> matches a huntgroup. You have to define what reply attributes will be
> returned somewhere else, such as the users file, sql table, ldap, etc...
Re: UDPFROMTO and Proxy Problem
Hi Raimund,

Nicolas and I did some tests on proxy forwarding; we use this model:

                    CLIENT 172.16.69.1
                           |
                        vlan 69
                           |
             172.16.69.3 (virtual ip handled by keepalived)
             172.16.69.2 (eth2)
                           |
             +-----------------------------+
             | PROXY with udpfromto        |
             | and bind_addr *             |
             | ldflag = round_robin        |
             +-----------------------------+
                 |                    |
               eth0                 eth3
           192.168.7.241         10.17.1.243
                 |                    |
           +---vlan7---+       +---vlan1017---+
                 |                    |
         +----------------+   +----------------+
         | Radius Srv     |   | Radius Srv     |
         | 192.168.7.243  |   | 10.17.10.242   |
         +----------------+   +----------------+

We hope that it matches your goal.

1/

rad_recv: Access-Request packet from host 172.16.69.1:32914, id=15, length=77
        User-Name = [EMAIL PROTECTED]
        User-Password = 24r3iis
        NAS-IP-Address = 1.2.3.4
        NAS-Port-Type = xDSL
        NAS-Port = 0
Sending Access-Request of id 0 to 192.168.7.243:1812
        User-Name = [EMAIL PROTECTED]
        User-Password = 24r3iis
        NAS-IP-Address = 1.2.3.4
        NAS-Port-Type = xDSL
        NAS-Port = 0
        Proxy-State = 0x3135
rad_recv: Access-Accept packet from host 192.168.7.243:1812, id=0, length=103
        Tunnel-Server-Endpoint:0 = 172.16.128.1
        Tunnel-Assignment-Id:0 = 172.16.128.1
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Tunnel-Type:0 = L2TP
        Tunnel-Medium-Type:0 = IP
        Tunnel-Password:0 = secret
        Proxy-State = 0x3135
Login OK: [EMAIL PROTECTED]/24r3iis] (from client lodoss port 0)
Sending Access-Accept of id 15 to 172.16.69.1:32914
        Tunnel-Server-Endpoint:1 = 172.16.128.1
        Tunnel-Assignment-Id:1 = 172.16.128.1
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Tunnel-Type:1 = L2TP
        Tunnel-Medium-Type:1 = IP
        Tunnel-Password:1 = secret

2/

rad_recv: Access-Request packet from host 172.16.69.1:32914, id=13, length=77
        User-Name = [EMAIL PROTECTED]
        User-Password = 24r3iis
        NAS-IP-Address = 1.2.3.4
        NAS-Port-Type = xDSL
        NAS-Port = 0
Sending Access-Request of id 0 to 10.17.1.11:1812
        User-Name = [EMAIL PROTECTED]
        User-Password = 24r3iis
        NAS-IP-Address = 1.2.3.4
        NAS-Port-Type = xDSL
        NAS-Port = 0
        Proxy-State = 0x3133
rad_recv: Access-Accept packet from host 10.17.1.11:1812, id=0, length=103
        Tunnel-Server-Endpoint:0 = 172.16.128.1
        Tunnel-Assignment-Id:0 = 172.16.128.1
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Tunnel-Type:0 = L2TP
        Tunnel-Medium-Type:0 = IP
        Tunnel-Password:0 = secret
        Proxy-State = 0x3133
Login OK: [EMAIL PROTECTED]/24r3iis] (from client lodoss port 0)
Sending Access-Accept of id 13 to 172.16.69.1:32914
        Tunnel-Server-Endpoint:1 = 172.16.128.1
        Tunnel-Assignment-Id:1 = 172.16.128.1
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Tunnel-Type:1 = L2TP
        Tunnel-Medium-Type:1 = IP
        Tunnel-Password:1 = secret

As you can see above, the proxy receives the response on both interfaces. We
don't find any problems with this kind of setup; you might check again whether
it's really a problem with Freeradius or with your network config [iptables,
routing problems, tcpwrapper ...]. We're using freeradius 1.0.1 + udpfromto
patch, on debian sid + 2.4.26-grsec.

Regards
Nicolas, Thomas.

Raimund Sacherer wrote:
> Here is our scenario which is working now: some partners depend on an IPSec
> tunnel.
>
>         +----------------+
>         |      Our       |
>         |  RadiusServer  |
>         +----------------+
>            |           |
>         eth0:1        eth0
>       10.0.0.10   62.62.62.62
>            |           |
>   +--IPSec Tunnel--+  +--Internet--+
>            |           |
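The exchange in the debug output above, decoded and checked step by step, as an added example that is not part of the list post or of FreeRADIUS. It builds the NAS request, the proxy's forwarded copy with its Proxy-State, the home server's reply, and the proxy's reply to the NAS, verifying each Response Authenticator under the right shared secret and confirming the Proxy-State came back untouched. The secrets, the user name and the attribute values are constructed; only the attribute type numbers (User-Name 1, NAS-IP-Address 4, Service-Type 6, Proxy-State 33) and the authenticator rule are RFC 2865's.

```python
"""RADIUS packet decoding and proxied-reply verification (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, PROXY_STATE = 1, 4, 6, 33   # RFC 2865 types
SERVICE_TYPE_FRAMED_USER = 2


def encode_attrs(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS type/length/value attributes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode(packet):
    """Parse header and attributes; refuse length fields that disagree with the datagram,
    the checks a sniffer or server needs before trusting any offset."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field inconsistent with datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def is_well_formed(packet):
    try:
        decode(packet)
        return True
    except ValueError:
        return False


def build_request(ident, attrs):
    """Access-Request with a random Request Authenticator."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body


def build_response(code, request, secret, attrs):
    """Reply to `request`: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret):
    """True only if the reply carries the outstanding request's id and a valid authenticator."""
    _code, ident, resp_auth, _attrs = decode(response)
    if ident != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def proxy_exchange(nas_secret, home_secret):
    """NAS -> proxy -> home server -> proxy -> NAS, as in the debug output above."""
    # 1. NAS sends Access-Request id=15 to the proxy (constructed user and NAS address).
    nas_req = build_request(15, [(USER_NAME, b"user@example.test"),
                                 (NAS_IP_ADDRESS, bytes([1, 2, 3, 4]))])
    # 2. Proxy re-sends with its own id and a Proxy-State holding the NAS id ("15" = 0x3135).
    _, nas_id, _, nas_attrs = decode(nas_req)
    fwd_req = build_request(0, nas_attrs + [(PROXY_STATE, str(nas_id).encode())])
    # 3. Home server accepts and must echo every Proxy-State unchanged.
    _, _, _, fwd_attrs = decode(fwd_req)
    echoed = [(t, v) for t, v in fwd_attrs if t == PROXY_STATE]
    home_reply = build_response(ACCESS_ACCEPT, fwd_req, home_secret,
                                [(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED_USER))] + echoed)
    # 4. Proxy checks the authenticator under the home secret before trusting the reply ...
    if not verify_response(home_reply, fwd_req, home_secret):
        raise ValueError("home server reply failed authentication")
    code, _, _, reply_attrs = decode(home_reply)
    states = [v for t, v in reply_attrs if t == PROXY_STATE]
    if states != [str(nas_id).encode()]:
        raise ValueError("Proxy-State missing or altered")
    # 5. ... strips its Proxy-State and answers the NAS under the NAS secret with the NAS's id.
    nas_reply = build_response(code, nas_req, nas_secret,
                               [(t, v) for t, v in reply_attrs if t != PROXY_STATE])
    return {"forwarded_id": fwd_req[1],
            "proxy_state": states[0],
            "nas_reply_id": nas_reply[1],
            "nas_reply_valid": verify_response(nas_reply, nas_req, nas_secret),
            "wrong_secret_rejected": not verify_response(home_reply, fwd_req, b"wrong")}


if __name__ == "__main__":
    print(proxy_exchange(b"nas-secret", b"home-secret"))
```

The length checks in `decode` are the part a sniffer most needs: a datagram whose Length field or attribute lengths run past the buffer must be rejected rather than read past the end.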
Re: freeradius 1.0.0 pre2
Hi all,

There is a (great) patch submitted by Jan BERKEL (--with-udpfromto). This patch
has been included in FR 1.0.x, but it appears it doesn't work correctly. nbk
will probably mail FreeRADIUS's ML soon about this problem.

Regards.
Thomas

<private> hehehehe </private>

Raimund Sacherer wrote:
> for further information: we need the radius server to listen on more
> interfaces because we have some hardware which can work only with ONE radius
> entry (annoyingly, one of these clients is a cisco machine *sigh*) and for
> these machines we want to supply a fail-over interface which is maintained
> and triggered via heartbeat so it switches over to the other server on
> failure. with this scenario we can manage clients which work correctly with
> more than one radius server and also the others in a safe manner.
>
> regards
> raimund
>
> On Wednesday, 15.09.2004, 09:37 +0200, Raimund Sacherer wrote:
> > Hello!
> >
> > we are using the freeradius server 1.0.0 pre2. we want the server to
> > listen on 2 interfaces, but there is a problem: if i tell it to bind to *
> > (any device) it seems to NOT send the packet out to the client on the same
> > interface it came in on; in fact, it seems it's randomly choosing on which
> > interface it sends the packet out. so, the client sends to X.X.X.X but the
> > reply comes from X.X.X.Y and the client does not accept the packet ...
> >
> > is this a bug or am i missing something?
> >
> > thx and regards
> > Ray
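What the udpfromto approach does, shown as an added example that is not FreeRADIUS's udpfromto code: a socket bound to * learns from IP_PKTINFO which local address each datagram was sent to, and replies with that address as source instead of letting the kernel pick one. This is Linux-only (struct in_pktinfo as documented in ip(7)); the loopback demo under `__main__` and its addresses are constructed.

```python
"""Reply from the address a UDP datagram was received on (added example, Linux only)."""
import socket
import struct

IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)   # 8 on Linux; older Pythons lack the constant
PKTINFO_FMT = "i4s4s"                            # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def parse_pktinfo(cmsg_data):
    """Decode struct in_pktinfo from a received IP_PKTINFO control message.
    Returns (ifindex, local address chosen by routing, destination in the IP header)."""
    if len(cmsg_data) < PKTINFO_LEN:
        raise ValueError("short in_pktinfo")
    ifindex, spec_dst, addr = struct.unpack(PKTINFO_FMT, cmsg_data[:PKTINFO_LEN])
    return ifindex, socket.inet_ntoa(spec_dst), socket.inet_ntoa(addr)


def build_pktinfo(source_ip, ifindex=0):
    """Control message asking the kernel to send with source_ip as the source address
    (ipi_spec_dst); ifindex 0 and a zero ipi_addr leave interface choice to routing."""
    return struct.pack(PKTINFO_FMT, ifindex, socket.inet_aton(source_ip), b"\0\0\0\0")


def recv_with_destination(sock, bufsize=4096):
    """recvmsg() returning (data, peer, destination_ip) on a socket with IP_PKTINFO enabled."""
    data, ancdata, _flags, peer = sock.recvmsg(bufsize, socket.CMSG_SPACE(PKTINFO_LEN))
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, dst = parse_pktinfo(cdata)
            return data, peer, dst
    raise RuntimeError("kernel did not attach IP_PKTINFO; was the option set before recvmsg?")


def send_from(sock, data, peer, source_ip):
    """sendmsg() with an IP_PKTINFO control message pinning the reply's source address."""
    return sock.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, build_pktinfo(source_ip))], 0, peer)


if __name__ == "__main__":
    # Loopback demonstration: server bound to *, client connected to 127.0.0.1.
    # A connected UDP client silently drops replies from any other source address,
    # which is what the NAS in the thread does when the reply comes from X.X.X.Y.
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    server.bind(("0.0.0.0", 0))
    port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.connect(("127.0.0.1", port))
    client.settimeout(2)
    client.send(b"ping")
    data, peer, dst = recv_with_destination(server)
    print("received", data, "from", peer, "addressed to", dst)
    send_from(server, b"pong from " + dst.encode(), peer, dst)
    print("client got:", client.recv(4096))
```

Without the control message on `sendmsg`, the reply's source is whatever address the routing table prefers for the peer, which on a multi-homed host need not be the address the request was sent to.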
Re: Not authenticating only bad guys
HI Mike,

remember:
1/ It's very easy to change the MAC on a wifi card.
2/ If the attacker understands that you ban MACs, he could try to DoS your
   hotspot.

As mentioned by Ted in the first reply, it's probably better to authenticate
only trusted users. (Of course it could be bypassed by bad guyz.) Security for
an open wifi spot (if it's your aim) is not trivial stuff.

Regards
Thomas

Mike Markowski wrote:
> For a very open wireless network, we'd like to allow everyone to connect
> unless we know the MAC is a bad guy. That is, if the MAC address is *in*
> the postgres db, don't authenticate. If it's not in the db, authenticate.
> Can anyone think of a way to do this, or will I need to tweak the code?
>
> Thanks!
> Mike
Re: Client member in multiple huntgroups
Hi Arne,

I hope this cut/paste will help you. Extract from users file (note that I have
modified my real realm to realm.net):

    DEFAULT Realm == realm.net, Huntgroup-Name == bas, Autz-Type := autz.realm1.net
    DEFAULT Realm == realm.net, Huntgroup-Name == lns, Autz-Type := autz.realm2.net
    DEFAULT Realm == realm.net, Huntgroup-Name == nas, Autz-Type := autz.realm3.net
    DEFAULT Realm == realm.net, Huntgroup-Name == lns-rtc, Autz-Type := autz.realm4.net
    DEFAULT Realm == realm.net, Huntgroup-Name == redback, Autz-Type := autz.realm5.net

I check for Nas-Ip-Address to assign the correct huntgroup and the correct
authentication method.

Arne Brutschy wrote:
> Hi,
>
> I have clients that are in multiple huntgroups (i.e. in dot1xswitches, used
> for 802.1x auth, and shellaccess, used to give access to the config shell of
> this switch). Is it possible to have a client in multiple huntgroups?
>
> Regards,
> Arne
Re: Client member in multiple huntgroups
hi,

my huntgroup file (a _very_ small part :) )

    # A3MITRY__95
    redback NAS-IP-Address == 80.xx.xx.2
    # A6CORBAS_60
    redback NAS-IP-Address == 80.xx.xx.3
    # LNS #
    #Loopback0 of ValentonLDP3/VAL3MC7213
    lns NAS-IP-Address == 213.yy.yy.14
    #Loopback0 of ValentonLDP4/VAL3MC7214
    lns NAS-IP-Address == 213.yy.yy.20

but, you can't have something like

    lns NAS-IP-Address == a.b.c.d
    bas NAS-IP-Address == a.b.c.d

maybe I don't understand your request :)

regards
Thomas MARCHESSEAU

Arne Brutschy wrote:
> Thomas MARCHESSEAU wrote:
> | DEFAULT Realm == realm.net, Huntgroup-Name == bas, Autz-Type :=
> | autz.realm1.net
> | DEFAULT Realm == realm.net, Huntgroup-Name == lns, Autz-Type :=
> | autz.realm2.net
> |
> | I check for Nas-Ip-Address to assign the correct huntgroup and the
> | correct authentication method.
>
> Yes, but this won't work if you have in the huntgroups file:
>
>     bas == 192.168.1.1
>     bas == 192.168.1.2
>     lns == 192.168.1.1
>
> If the client 192.168.1.1 tries to authenticate, the line
>
>     DEFAULT Realm == realm.net, Huntgroup-Name == lns, Autz-Type := autz.realm2.net
>
> fails, as the huntgroup file matches on the bas group. Or did I understand
> your config wrong?
>
> Regards,
> Arne
Re: Sniff radius
Hi Gary,

thx, I got it; I even patched it to match my needs ;)

cya.
Thom.

Gary McKinney wrote:
> Try searching for: radiusniff (just one 's')...
>
> gm...
>
> ----- Original Message -----
> From: nsinit [EMAIL PROTECTED]
> To: [EMAIL PROTECTED] [EMAIL PROTECTED]
> Sent: Tuesday, June 29, 2004 9:22 PM
> Subject: Re: Re: Sniff radius
>
> > > yeah i found it yesterday after the post, thx anyway. i use radiussniff
> > > too.
> >
> > Hi, can you tell me where i can download radiussniff? I have searched it
> > at google/freshmeat.net/sourceforge.net, but get nothing. thx.
Re: Sniff radius
Hi Nsinit,

you can get it on ADM's ftp: adm.freelsd.net/ADM

regards
Thomas MARCHESSEAU

nsinit wrote:
> > yeah i found it yesterday after the post, thx anyway. i use radiussniff
> > too.
>
> Hi, can you tell me where i can download radiussniff? I have searched it at
> google/freshmeat.net/sourceforge.net, but get nothing. thx.
Re: Sniff radius
Hi,

yeah I found it yesterday after the post, thx anyway. I use radiussniff too.

regards
Thomas MARCHESSEAU

Kostas Kalevras wrote:
> On Mon, 28 Jun 2004, Alan DeKok wrote:
>
> > Thomas MARCHESSEAU [EMAIL PROTECTED] wrote:
> > > is there any good radius sniffer?
> >
> > www.tcpdump.org, and ethereal.
>
> Also radstock:
> http://freshmeat.net/search/?q=radstock&section=projects&Go.x=0&Go.y=0
>
> > Alan DeKok.
>
> --
> Kostas Kalevras           Network Operations Center
> [EMAIL PROTECTED]         National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow'   Gandalf
Sniff radius
Hi all,

is there any good radius sniffer?

regards
Thomas MARCHESSEAU

Michael Milbrat wrote:
> Thanks for the answer Tim.
>
> Michael
>
> ----- Original Message -----
> From: Tim McCracken [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Saturday, August 16, 2003 7:07 AM
> Subject: RE: Which is Better LDAP or MySQL?
>
> > Michael,
> >
> > IMHO, that's a little like asking which is better - a car or a motorcycle.
> > It just depends on your needs. Sometimes you may need both, since LDAP
> > doesn't have accounting abilities. (And there are other SQL databases, as
> > well as lots of choices in LDAP servers.) The real question you need to
> > determine is: what other systems does my RADIUS server need to interact
> > with? Once you know that, you'll be closer to the answer to your question.
> >
> > Tim
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Michael Milbrat
> > Sent: Friday, August 15, 2003 11:14 PM
> > To: [EMAIL PROTECTED]
> > Subject: Which is Better LDAP or MySQL?
> >
> > > Does anyone know which is actually a better backend, LDAP or MySQL?
> > >
> > > Michael Milbrat
> > > 12dollars.net
Re: No Password possible?
Hi Andreas,

in users file:

    DEFAULT Realm == toto.cl, Auth-Type := Accept
            Tunnel-Assignment-Id := 1.2.3.4,
            Tunnel-Server-Endpoint := 1.2.3.4,
            Tunnel-Medium-Type := IP,
            Tunnel-Type := L2TP,
            Tunnel-Password := my_ultrascret_passwd,
            Framed-Protocol := PPP,
            Service-Type := Framed

a l2tp tunnel is created for every user @toto.cl

Andreas wrote:
> I am trying to set up a radius server that should work as an accounting
> server only. Is this possible? I want all passwords to be accepted. I tried
> to use Exec-Program-Wait, but later saw this is not called until after the
> password has been accepted.
>
> Thanks for your time.
> /Andreas
Re: SecureID support
Hello Gary,

I'm really interested in an rlm_securid module. Have you started development?
Or do you have information? We can try to develop a SecureID module at the
sitadelle team (via Nicolas Baradakis), but if someone has started the job..

regards
Thomas MARCHESSEAU
Sitadelle Team.

Gary Algier wrote:
> Jay Wilson wrote:
> > I have searched the mail archive for posts on SecureID support. I found a
> > couple of hits from back in 2001. Does FreeRADIUS support SecureID today?
>
> No (not yet?). I want the same feature. I intend to run the Ace Server's
> own RADIUS server (which uses its own braindead GUI/CUI/FUI, etc.) for
> radius access to SecurID. I then intend to use FreeRADIUS as the frontend
> or proxy server. When I need a login to be SecurID authenticated it can
> refer the work to the Ace server. Other logins can use the FreeRADIUS
> server directly.
>
> If I have time and can figure it out, I may try writing an rlm_securid
> module. How hard can that be ;-)?
>
> BTW: In my searches for a RADIUS implementation that supports SecurID, the
> best I could find was the old Livingston code. All the derivatives seem to
> have dropped it.
>
> > Thank You
> > ---
> > Jay Wilson
> > Extreme Networks
Re: Using NAS IP as part of auth
Hi,

I'm not sure I understand exactly your request, but I'm selecting the auth via
the NAS-IP-Address:

* first the user.conf file; I have created huntgroups (lns, bas, lns-rtc, and
  even wifi)

    - a part of user.conf -
    DEFAULT Realm == XXX.net, Huntgroup-Name == bas, Autz-Type := autz.XXX.net
    DEFAULT Realm == XXX.net, Huntgroup-Name == lns, Autz-Type := autz1.XXX.net
    DEFAULT Realm == XXX.net, Huntgroup-Name == nas, Autz-Type := autz2.XXX.net
    DEFAULT Realm == XXX.net, Huntgroup-Name == lns-rtc, Autz-Type := autz.XXX.net
    - end -

* then here comes the huntgroups file:

    - a part of huntgroups -
    # BAS #
    bas     NAS-IP-Address == xx.124.255.2      # to check whether it exists
    bas     NAS-IP-Address == xx.124.255.128
    # LNS #
    lns     NAS-IP-Address == xx.223.42.14
    lns     NAS-IP-Address == xx.223.238.197
    lns-rtc NAS-IP-Address == xx.223.14.226
    lns-rtc NAS-IP-Address == xx.115.111.13
    # the dupont boxes (Nagios monitoring)
    lns-rtc NAS-IP-Address == 192.168.7.229
    lns-rtc NAS-IP-Address == 192.168.7.230

* then you can find a part of my sql.conf:

    authorize_check_query = "select USER_ID, USER_LOGIN, \"User-Password\", USER_PWD, ':=' \
            from USER where USER_LOGIN = '%{User-Name}' and USER_ETAT = 'TRUE'"

    # used to retrieve the Post-Auth-Type variable, for LNS load balancing
    authorize_group_check_query = "select GATTR_ID, USER_LOGIN, GATTR_NOM, GATTR_VALEUR, GATTR_OPERATION \
            from USER, GATTR where USER_LOGIN = '%{User-Name}' and GATTR.GROUPE_ID = USER.GROUPE_ID \
            and GATTR_CLTTYPE = '%{Huntgroup-Name}' and GATTR_QUERYTYPE = 'check'"

    # retrieves the user attributes
    # (filters on UATTR_QUERYTYPE: only USER and UATTR are joined in this query)
    authorize_reply_query = "select UATTR_ID, USER_LOGIN, UATTR_NOM, UATTR_VALEUR, UATTR_OPERATION \
            from USER, UATTR where USER_LOGIN = '%{User-Name}' and UATTR.USER_ID = USER.USER_ID \
            and UATTR_CLTTYPE = '%{Huntgroup-Name}' and UATTR_QUERYTYPE = 'reply'"

    # retrieves the group attributes
    authorize_group_reply_query = "select GATTR_ID, USER_LOGIN, GATTR_NOM, GATTR_VALEUR, GATTR_OPERATION \
            from USER, GATTR where USER_LOGIN = '%{User-Name}' and GATTR.GROUPE_ID = USER.GROUPE_ID \
            and GATTR_CLTTYPE = '%{Huntgroup-Name}' and GATTR_QUERYTYPE = 'reply'"
    }

* and maybe you need to have a look at radiusd.conf:

    authorize {
            preprocess
            suffix
            files
            Autz-Type autz.XXX.net {
                    chap
                    sql.XXX.net
            }
            Autz-Type autz.david.cl {
                    chap
                    sql.david.cl
            }
            Autz-Type autz.valerie.cl {
                    chap
                    sql.valerie.cl
            }
    }

ok, maybe it's not clear :/ if you feel it can help you, tell me :)

Graeme Hinchliffe wrote:
> Hiya
>
> I am building a centralised authentication system for our routers; we are
> using RADIUS (well, freeRADIUS :) ) as the authentication and authorization
> system. Ideally we want to just have one radius server running on the
> machine that will be responsible for this, but there are several different
> types of router. So we have people that can enable on router A but not B
> and vice-versa. For this to work nicely I need to take into account the NAS
> IP address from which the auth request is coming and use a lookup in
> another table to determine the user's access level on the router.
>
> Is this possible in freeRADIUS without using an external call? I was
> looking at the sql_xlat call, or am I barking up the wrong tree?
>
> thanks for any help,
Re: Using NAS IP as part of auth
Alan DeKok wrote:
> Thomas MARCHESSEAU [EMAIL PROTECTED] wrote:
> > I'm not sure I understand exactly your request, but I'm selecting the
> > auth via the NAS-IP-Address:
> > ...
> > - a part of huntgroups -
> > # BAS #
> > bas NAS-IP-Address == xx.124.255.2
>
> I would recommend *not* using NAS-IP-Address to set policy. The reason is
> that it's an attribute inside of a RADIUS packet, and it can lie. That is,
> a client with IP address A can send a RADIUS request with NAS-IP-Address B.

yes, but my BAS are proxied via 2 SMC; the BAS ip address (Client-IP-Address)
is overwritten by the SMCs' IPs :), and attributes are different per BAS. This
is the only trick I found..

> I would suggest using the Client-IP-Address attribute instead. It's created
> by FreeRADIUS, and isn't in any RADIUS packet. It's the source IP of the
> RADIUS packet.
>
> Alan DeKok.

Regards
Thomas MARCHESSEAU
Sitadelle Team.
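The huntgroups and users-file mechanics discussed in the Huntgroup, Client member in multiple huntgroups and Using NAS IP as part of auth threads, together with Alan's point about Client-IP-Address, as one added example that is not FreeRADIUS code. It models a NAS as belonging to every huntgroup that has an entry whose check items all match (so a NAS can sit in several groups, and a second item such as NAS-Port-Type can split one NAS into two groups), walks the users file top to bottom to the first DEFAULT line whose check items match, keys the huntgroups on Client-IP-Address (the UDP source, which the sender cannot set) and flags requests whose self-asserted NAS-IP-Address disagrees with it. The HUNTGROUPS and USERS texts, the addresses and the user names are constructed; Fall-Through and reply items are left out.

```python
"""Huntgroup membership and users-file matching keyed on the real source address (added example)."""

HUNTGROUPS = """\
# constructed huntgroups file: two entries under one name are alternatives
bas      Client-IP-Address == 192.0.2.10
bas      Client-IP-Address == 192.0.2.11
lns      Client-IP-Address == 192.0.2.11
# one NAS in two groups, told apart by a second check item
dial     Client-IP-Address == 198.51.100.5, NAS-Port-Type == Async
isdn     Client-IP-Address == 198.51.100.5, NAS-Port-Type == ISDN
"""

USERS = """\
DEFAULT  Realm == realm.net, Huntgroup-Name == bas, Autz-Type := autz.realm1.net
DEFAULT  Realm == realm.net, Huntgroup-Name == lns, Autz-Type := autz.realm2.net
DEFAULT  Huntgroup-Name == dial, Service-Type := Framed-User
DEFAULT  Huntgroup-Name == isdn, Service-Type := Framed-User, Framed-Protocol := PPP
"""


def parse_items(text):
    """'A == x, B := y' -> list of (attribute, operator, value); == checks, := sets."""
    items = []
    for part in filter(None, (p.strip() for p in text.split(","))):
        for op in ("==", ":="):
            if op in part:
                attr, value = (s.strip() for s in part.split(op, 1))
                items.append((attr, op, value))
                break
        else:
            raise ValueError("unsupported item: " + part)
    return items


def parse_pairlist(text):
    """Shared shape of huntgroups and users: 'name  item, item, ...' per line, # comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, rest = line.split(None, 1)
            entries.append((name, parse_items(rest)))
    return entries


def make_request(src_ip, user_name, **attrs):
    """Attributes as the server sees them. Client-IP-Address is taken from the UDP source,
    never from the packet; NAS-IP-Address, if present in attrs, is whatever the sender claimed."""
    req = {"Client-IP-Address": src_ip, "User-Name": user_name, **attrs}
    if "@" in user_name:                       # what the suffix/realm module would do
        req["Stripped-User-Name"], req["Realm"] = user_name.rsplit("@", 1)
    return req


def in_huntgroup(huntgroups, name, req):
    """Member of `name` if any entry with that name has all its check items satisfied."""
    return any(n == name and all(req.get(a) == v for a, _, v in items)
               for n, items in huntgroups)


def huntgroups_for(huntgroups, req):
    return sorted({n for n, _ in huntgroups if in_huntgroup(huntgroups, n, req)})


def check_matches(huntgroups, attr, value, req):
    if attr == "Huntgroup-Name":
        return in_huntgroup(huntgroups, value, req)
    return req.get(attr) == value


def authorize(users, huntgroups, req):
    """First users-file line whose '==' items all match wins; returns its ':=' items, or None."""
    for _name, items in users:
        if all(check_matches(huntgroups, a, v, req) for a, op, v in items if op == "=="):
            return {a: v for a, op, v in items if op == ":="}
    return None


def nas_ip_mismatch(req):
    """True when the self-asserted NAS-IP-Address disagrees with the real source.
    Expected behind a RADIUS proxy that rewrites the source; worth logging otherwise."""
    return "NAS-IP-Address" in req and req["NAS-IP-Address"] != req["Client-IP-Address"]


if __name__ == "__main__":
    hg, us = parse_pairlist(HUNTGROUPS), parse_pairlist(USERS)
    for req in (make_request("192.0.2.11", "alice@realm.net"),
                make_request("198.51.100.5", "bob", **{"NAS-Port-Type": "ISDN"}),
                make_request("203.0.113.9", "mallory@realm.net", **{"NAS-IP-Address": "192.0.2.10"})):
        print(req["Client-IP-Address"], huntgroups_for(hg, req), authorize(us, hg, req),
              "NAS-IP-Address mismatch" if nas_ip_mismatch(req) else "")
```

The first request shows the ordering effect raised in the thread: 192.0.2.11 is in both bas and lns, and the bas line wins only because it comes first in the users file. The third shows why matching on Client-IP-Address matters: a request from an unknown source claiming a known NAS-IP-Address lands in no huntgroup at all.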
Re: heavy Performance and load requirements
Dear Stefan,

notes:
    Freeradius 0.9.2 (with some patches by Nicolas Baradakis) + mysql
    Debian woody
    PIII 1Ghz / 1G ram, scsi

We can easily support more than 400 req/sec per server, with users in a mysql
DB, multiple realms, and multiple huntgroups. Note that performance falls down
when we use a radius proxy to load-balance our home radius servers (I still
have not tried the new cvs snapshot), so we decided to use an LVS box to load
balance the traffic. Nicolas Baradakis sent a mail with a short description of
the architecture (since this mail we just changed proxies by LVS):
http://lists.cistron.nl/pipermail/freeradius-devel/2003-December/006469.html

With this kind of network we can reach more than 600 req/sec without any drop.
If people are interested in more details about the stress of freeradius, let
me know.

Regards
Thomas MARCHESSEAU
Sitadelle Team

Stefan wrote:
> Gurus,
>
> I'm not sure how performant a Freeradius can be built up. Would it be
> possible to set up a system which is able to support a peak load of 500+
> Access Requests/s for a time frame of about 15 s? As my users are stored in
> an LDAP directory (which does support about 1000 queries/s peak) the
> requested configuration must look up the user there. Also, the system must
> be able to assign the IP addresses for the users. I will have to build a
> database to store all RADIUS sessions, to be able to retrieve actual and
> past sessions.
>
> As of my knowledge, the main performance issues are the database, the IP
> address assignment and the online database replication (for fault
> tolerance reasons). Is there anybody who has built a system like that? What
> kind of HW do I need (we will need 99.% system reliability)?
>
> BTW: somebody in my company told me it would all fit in a 'pizza box'
> ... which should mean a small SUN system. How far is he away from the
> reality, beside the fact that this would not meet our fault tolerance
> requirement?
>
> rg.
> Stefan