Re: Listen to multiple ports on a single server?

2005-07-19 Thread Thomas MARCHESSEAU

Hi Erling,

You can do something like this:
--- radiusd.conf ---
# SERVER CONFIGURATION
listen {
   ipaddr = *
   port = 1812
   type = auth
}
listen {
   ipaddr = *
   port = 1813
   type = acct
}
listen {
   ipaddr = *
   port = 1645
   type = auth
}
listen {
   ipaddr = *
   port = 1646
   type = acct
}
listen {
   ipaddr = *
   port = 2045
   type = auth
}
listen {
   ipaddr = *
   port = 2046
   type = acct
}

--- end ---

Regards,
Thomas MARCHESSEAU



Erling Paulsen wrote:

On Mon, Jul 18, 2005 at 11:36:05AM -0400, Kevin Bonner, The Induhvidual, scrabbled:

On Monday 18 July 2005 10:10, Marcin Jessa wrote:

On Mon, 18 Jul 2005 15:12:00 +0200 Erling Paulsen [EMAIL PROTECTED] wrote:
Hello.

Right now I'm running multiple servers for listening to multiple ports,
for having the option of accommodating both NAS'es that use the old 1645
port and the ones using the newer 1812 port for requests.

Is there a possibility to have one radiusd listen to more ports, or do I
have to reconfigure/tell all the old external participants to use the new
1812 port?


From what I can read from the docs, I guess it's not possible!


Running v.1.0.4

- Erling Paulsen
   


May I ask why do you want to do such a thing?

You can have freeradius running on both the old and new ports, then cutover
your equipment and external radius clients as you please.

The listen directive in raddb.conf can do what you want.

Kevin Bonner

Thanks for the help.

That did the trick!

I think that perhaps I asked this question a little fast. Haven't seen the
'listen' section in the .conf before - as I was upgrading multiple servers 
from v.0.93.


Excellent feature :)

- Erling

 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Secondary SQL accounting instance needed

2005-03-02 Thread Thomas MARCHESSEAU
Hi Mark,
Yes, you can.
You don't need to log the stop ticket? This could be useful.
Regards
Thomas
re I go forth and break my radius and have a few thousand people
looking for me
I want to collect the current allocate IP address and username into a
separate MySql table - if it (the user (=key)) exists - update the IP,
if the user does not exist, add user and IP.
I (think that I) understand that I need to have a second instance of
'sql'..
So, inside the default 'sql.conf' file - I need to change a line near
the top of the file from sql { to something like sql sql_main {
and then add another named section such as
sql sql_catch_ip {
   driver = rlm_sql_mysql
   server = DBserver.mydomain.com
   login = radius-login
   password = radius-password
   radius_db = radius
   sqltrace = yes
   sqltracefile = ${logdir}/sqltrace_catch_ip.sql
   num_sql_socks = 5
   connect_failure_retry_delay = 60
   accounting_start_query = INSERT into ip-table (UserName, Realm,
FramedIPAddress) values('%{Stripped-User-Name}', '%{Realm}',
'%{Framed-IP-Address}')
   accounting_start_query_alt  = UPDATE ip-table SET
FramedIPAddress  = '%{Framed-IP-Address}' WHERE UserName =
'%{Stripped-User-Name}'
}
-
Then... in radiusd.conf - where ever I currently have 'sql' - I change
that to the (new) instance name sql_main , and in addition, in the
accounting section, also add a line sql_catch_ip...  
Am I missing anything else?
 




Re: Radius+Nocat

2005-02-25 Thread Thomas MARCHESSEAU
Hi Chan,
The patch is really basic:
## -- begin ---
--- /usr/local/nocat/lib/NoCat/Source/RADIUS.pm 2004-02-26 
10:46:41.0 +0100
+++ /usr/share/nocatauth/authserv/lib/NoCat/Source/RADIUS.pm
2004-06-25 13:39:12.0 +0200
@@ -85,8 +85,8 @@
   # mimic the check_pwd from Authen::Radius
   $radius-clear_attributes;
   $radius-add_attributes (
-{ Name = 1, Value = $user-id },
-{ Name = 2, Value = $user_pw }
+{ Name = 1, Value = $user-id, Type 
= 'string' },
+{ Name = 2, Value = $user_pw, Type = 
'string' }
   );

   my $radiuscheckok = 0;
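Review bot: as pasted, this hunk will not apply with `patch`: the two `+` lines are wrapped across line breaks (`Type` / `= 'string' },`) and the `->`/`=>` arrows in `$radius-clear_attributes` and `{ Name = 1, Value = $user-id }` appear to have been stripped in transit, so neither the context nor the added lines match a real RADIUS.pm; attach the diff as a file instead of pasting it inline. The two file headers also point at different trees (`/usr/local/nocat/lib/...` vs `/usr/share/nocatauth/authserv/lib/...`), so a `-p0` apply would look for the wrong path; generate the diff against one tree or state which `-p` level readers should use.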
## -- end ---
I did it myself.
You can add all the attributes you need; for example, I need the
NAS-IP-Address to match with huntgroup + SQL back end.
If you need tips, let me know.

Regards
Thomas MARCHESSEAU

Chan Min Wai wrote:
Thomas MARCHESSEAU wrote:
 

HI all,
Nocat rocks with Freeradius. I just had a problem with RADIUS.pm.
Try this one, and let me know if it's ok for you.
Btw, Chilli works nice too.
Regards
Thomas MARCHESSEAU
   

However, I'm using chillispot at the moment...
But thanks for the script; it seems the one you have is a
bit different.
Could you please tell me where you got the patch?
Regards,
Chan Min Wai
 




Re: authentication saw web for wireless

2005-02-25 Thread Thomas MARCHESSEAU
Hi,
Have a look at NoCat or Chillispot.
They work fine and are easy to deploy.
You can browse seattlewireless.net for more tips,
or tons of wifi websites.
regards
Thomas
Paulo Afonso Ribeiro Filho wrote:
Does somebody know how, or what to use, to make an authentication via web
for wireless?

Yours truly Paulo Afonso



Re: my radiusd stops working under high load

2005-02-25 Thread Thomas MARCHESSEAU
Hi,
Could you paste a bit of the logs,
or something?
E.g., Nicolas Baradakis and I have had some problems with radsqlrelay
while working under high load => no more threads.

regards
Thomas MARCHESSEAU
shabanip wrote:
what would be the potential causes?
 




Re: huntgroup question

2005-02-18 Thread Thomas MARCHESSEAU
Hi,
It works fine here.
Thomas.
Kostas Kalevras wrote:
On Wed, 16 Feb 2005, Dustin Doris wrote:
I was wondering if you can add multiple check-items to huntgroup lines,
besides Nas-Port-Id.  Right now, it appears to be working for me, with
Nas-Port-Type.
Using something like this
dial    NAS-IP-Address == 127.0.0.1, Nas-Port-Type == Async
isdn    NAS-IP-Address == 127.0.0.1, Nas-Port-Type == ISDN
It seems to be working fine for me, just wanted to check to see if 
that is
intended behavior.  I only see reference to Nas-Port-ID in the
documentation, which is why I ask.

I think you can.
Thanks
Dusty Doris

--
Kostas Kalevras            Network Operations Center
[EMAIL PROTECTED]          National Technical University of Athens, Greece
Work Phone:                +30 210 7721861
'Go back to the shadow'    Gandalf



Re: radius - radius

2005-02-16 Thread Thomas MARCHESSEAU
Hi,
It's OK to use a second SQL backend, but not to send the request to a second
home radius ..

Regards
Thomas
Junior Gillespie wrote:
Here's how I did it. Note that there are many ways to do this.
In radiusd.conf
Go to the modules section, and modify the $INCLUDE for sql.conf to look like
this.
$INCLUDE  ${confdir}/sql1.conf
$INCLUDE  ${confdir}/sql2.conf
# adding as many sql db as needed.
Then also add right below it the following
sql sql1 {
}
sql sql2 {
}
# Must reflect the $INCLUDE from above.
###The Authorize section must have something similar to the following
   group {
 sql1 {
   fail= 1
   notfound= 2
   noop= return
   ok  = return
   updated = return
   reject  = return
   userlock= return
   invalid = return
   handled = return
 }
 sql2 {
   fail= 1
   notfound= 2
   noop= return
   ok  = return
   updated = return
   reject  = return
   userlock= return
   invalid = return
   handled = return
 }
   }
## Of course this too will need to reflect the modules section.
## May also want to add it into the accounting section.  This will need to be 
modified regardless.  Will need to modify it to look at sql1 etc.
You must then copy original sql.conf to sql1.conf...sql2.conf...and so on.
Then modify the sql#.conf to meet your needs with db info.  You will need to 
make the following change in the sql#.conf:
sql {
 to 
sql sql1 {  # This is mandatory!

# Now restart radiusd with radiusd -X to see any errors you may get.
This should work for you. Let me know if it does or doesn't.
Junior Gillespie
NOC Engineer
T-SPEED Broadband Communications, Inc. 
1-800-4TSpeed
972-458-0909
[EMAIL PROTECTED]
http://www.t-speed.com/
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dmitry S. Vlasov
Sent: Monday, February 14, 2005 9:45 AM
To: freeradius-users@lists.freeradius.org
Subject: radius - radius

Hello!
How I can create following scheme:
Two freeradius servers, called A and B.
1) When User found but got Reject from server A, A try to proxy this 
request to B
or
2) When User not found on A, A proxy request to B.

Thank you!
 




Re: freeradius ports

2005-01-14 Thread Thomas MARCHESSEAU
hahaha
5 mails, you seem to be really happy ;)
cya
Thom
Thomas MARCHESSEAU wrote:
Hi Esteban
a part of radiusd.conf

listen {
   ipaddr = *
   port = 1234
   type = auth
}
listen {
   ipaddr = *
   port = 
   type = auth
}
-
it works fine.
cya :)

[EMAIL PROTECTED] wrote:
Is it possible to configure freeradius to run on more than one port?
Regards,
Esteban

 





Re: Huntgroup

2005-01-06 Thread Thomas MARCHESSEAU
Hi Cris,
Huntgroups (small part):
#AFVALENT_09
redback NAS-IP-Address == 80.xxx.xx.1
# AGVALENT_11
redback NAS-IP-Address == 80.xx.xx.2
# A2MITRY__04
(...)
# Loopback1 de VALENTON
lns-rtc NAS-IP-Address == 213.xx.xx.226
# Loopback1 de MTY2MC7205
lns-rtc NAS-IP-Address == 213.xx.xxx.90
(..)
# Valenton 12
nas NAS-IP-Address == 195.xx.xx.5
nas NAS-IP-Address == 195.xx.xx.6
(..)
#Loopback0 de ValentonLDP3/VAL3MC7213
lns NAS-IP-Address == 213.xx.xx.14
#Loopback0 de ValentonLDP4/VAL3MC7214
lns NAS-IP-Address == 213.xxx.xxx.20
#Loopback0 de ValentonLDP5/VAL3MC7215
lns NAS-IP-Address == 213.xx.xx.21
etc 
 
The users file:

DEFAULT Realm == xx.net, Huntgroup-Name == bas, Autz-Type := autz.xx.net
DEFAULT Realm == xx.net, Huntgroup-Name == lns, Autz-Type := autz.xx.net
DEFAULT Realm == xx.net, Huntgroup-Name == nas, Autz-Type := autz.xx.net
DEFAULT Realm == xx.net, Huntgroup-Name == lns-rtc, Autz-Type := autz.xx.net
DEFAULT Realm == xx.net, Huntgroup-Name == redback, Autz-Type := autz.xx.net
DEFAULT Realm == xx.net, Huntgroup-Name == wifi, Autz-Type == autz.xx.net, Session-Type == wifi

I hope it helps you
Regards
Thomas MARCHESSEAU
Cris Boisvert wrote:
Can I define the attributes in the users file and leave the actual users in
the database?
So the database will authenticate with the user/pass scenario and they read
the users file for the attributes to reply with?
Thanx
Cris
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dustin
Doris
Sent: Wednesday, January 05, 2005 10:39 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: Huntgroup
 

I apologize about the plain text.
This is what I have in the huntgroup file.
Huntgroup1    NAS-IP-ADDRESS == 1.2.3.4
  Group = Dialup
  Slipstream-Auth = true,
  X-Ascend-Data-Filter == ip in forward tcp est,
  X-Ascend-Data-Filter == ip in forward dstip 1.2.5.4/32,
  X-Ascend-Data-Filter == ip in drop tcp dstport = 25,
  X-Ascend-Data-Filter == ip in forward,
Huntgroup2    NAS-IP-ADDRESS == 1.2.3.5
   Group =Wireless
   RB-Context-Name = local,
   Fall-Through = yes,
   

The Huntgroups file is where you list attributes that would match the
huntgroup.  The users file or sql table is where you will list the
attributes you want to reply to the user with.
 

My users file is empty because I use a Mysql database for the users names.
The database is setup like this
Username   group      password
Joe        Wireless   test
Bob        Dialup     test

Currently the sql group table responds based on the group I put them in..
I want it not to be that way. I want it to respond based on the NAS device
the user connects from..
   

Using huntgroups and users files you can do this.  You could also store
the reply attributes in a mysql group, but I've never done that, so can't
help much on that.
huntgroups
group1  NAS-IP-Address == 1.1.1.1
group2  NAS-IP-Address == 2.2.2.2
users
DEFAULT Huntgroup-Name == group1
X-Ascend-Data-Filter == ip in forward tcp est,
Reply-Attribute2 = value,
Reply-Attribute3 = value
DEFAULT Huntgroup-Name == group2
Reply-Attribute = value
So, when a user comes in it will search the users file.  If it comes from
1.1.1.1 it will match huntgroup-name group1.  Then it is told to send
those particular reply attributes.
If the user does not come in from huntgroup1, it won't match and will
continue searching the users file until there is a match.
I think you just need to simplify your setup.  Hope that helps.  Remember,
in the huntgroups file you just define what matches a huntgroup.  You have
to define what reply attributes will be returned somewhere else, such as
the users file, sql table, ldap, etc...


 




Re: UDPFROMTO and Proxy Problem

2004-10-20 Thread Thomas MARCHESSEAU
Hi Raimund,
Nicolas and I did some tests on proxy forwarding; we used this model:

              CLIENT 172.16.69.1
                     |
                  vlan 69
                     |
       172.16.69.3 (virtual ip handled by keepalived)
                     |
              172.16.69.2 (eth2)
                     |
         +-------------------------+
         | PROXY with udpfromto    |
         | and bind_addr *         |
         | ldflag = round_robin    |
         +-------------------------+
             |                 |
            eth0              eth3
        192.168.7.241      10.17.1.243
             |                 |
             |                 |
       +--vlan7--+      +--vlan1017--+
             |                 |
             |                 |
     +----------------+  +----------------+
     | Radius Srv     |  | Radius Srv     |
     | 192.168.7.243  |  | 10.17.10.242   |
     +----------------+  +----------------+

We hope that it matches your goal.
1/
rad_recv: Access-Request packet from host 172.16.69.1:32914, id=15, 
length=77
   User-Name = [EMAIL PROTECTED]
   User-Password = 24r3iis
   NAS-IP-Address = 1.2.3.4
   NAS-Port-Type = xDSL
   NAS-Port = 0
Sending Access-Request of id 0 to 192.168.7.243:1812
   User-Name = [EMAIL PROTECTED]
   User-Password = 24r3iis
   NAS-IP-Address = 1.2.3.4
   NAS-Port-Type = xDSL
   NAS-Port = 0
   Proxy-State = 0x3135
rad_recv: Access-Accept packet from host 192.168.7.243:1812, id=0, 
length=103
   Tunnel-Server-Endpoint:0 = 172.16.128.1
   Tunnel-Assignment-Id:0 = 172.16.128.1
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Tunnel-Type:0 = L2TP
   Tunnel-Medium-Type:0 = IP
   Tunnel-Password:0 = secret
   Proxy-State = 0x3135
Login OK: [EMAIL PROTECTED]/24r3iis] (from client lodoss port 0)
Sending Access-Accept of id 15 to 172.16.69.1:32914
   Tunnel-Server-Endpoint:1 = 172.16.128.1
   Tunnel-Assignment-Id:1 = 172.16.128.1
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Tunnel-Type:1 = L2TP
   Tunnel-Medium-Type:1 = IP
   Tunnel-Password:1 = secret

2/
rad_recv: Access-Request packet from host 172.16.69.1:32914, id=13, 
length=77
   User-Name = [EMAIL PROTECTED]
   User-Password = 24r3iis
   NAS-IP-Address = 1.2.3.4
   NAS-Port-Type = xDSL
   NAS-Port = 0
Sending Access-Request of id 0 to 10.17.1.11:1812
   User-Name = [EMAIL PROTECTED]
   User-Password = 24r3iis
   NAS-IP-Address = 1.2.3.4
   NAS-Port-Type = xDSL
   NAS-Port = 0
   Proxy-State = 0x3133
rad_recv: Access-Accept packet from host 10.17.1.11:1812, id=0, length=103
   Tunnel-Server-Endpoint:0 = 172.16.128.1
   Tunnel-Assignment-Id:0 = 172.16.128.1
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Tunnel-Type:0 = L2TP
   Tunnel-Medium-Type:0 = IP
   Tunnel-Password:0 = secret
   Proxy-State = 0x3133
Login OK: [EMAIL PROTECTED]/24r3iis] (from client lodoss port 0)
Sending Access-Accept of id 13 to 172.16.69.1:32914
   Tunnel-Server-Endpoint:1 = 172.16.128.1
   Tunnel-Assignment-Id:1 = 172.16.128.1
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Tunnel-Type:1 = L2TP
   Tunnel-Medium-Type:1 = IP
   Tunnel-Password:1 = secret

As you can see above, the proxy receives responses on both interfaces.
We don't find any problems with this kind of setup; you might check
again whether it's really a problem with Freeradius or your network config
[iptables, routing problems, tcpwrapper ...].
We're using freeradius 1.0.1 + udpfromto patch, on debian sid + 2.4.26-grsec

Regards
Nicolas , Thomas .


Raimund Sacherer wrote:
Here is our Scenario which is working now:
Some Partners depend on an IPSec tunnel.
+--------------+
| Our          |
| RadiusServer |
+--------------+
    |        |
  eth0:1    eth0
 10.0.0.10  62.62.62.62
    |        |
    |        |
    |        |
    |        |
+-IPSec Tunnel--+ +-Internet--+
    |        |
    |        |
+--------------+
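The reply-from-the-wrong-interface behaviour discussed in this thread, as an added example that is not FreeRADIUS or udpfromto code: a minimal Python UDP responder that reads the destination address of each request from Linux IP_PKTINFO and answers from that same address, which is what a server bound to * needs in order to keep the NAS happy. Function and constant names are my own, and it assumes a Linux host.

```python
"""Reply from the address a UDP request arrived on (Linux IP_PKTINFO).

Added example; it is not FreeRADIUS or udpfromto code. A server bound to
'*' that answers with plain sendto() lets the kernel pick the source
address from the routing table, so a request sent to 172.16.69.3 can be
answered from 172.16.69.2 and the NAS discards the reply. Reading the
destination from IP_PKTINFO on receive and passing it back on send is
the mechanism the --with-udpfromto build adds to radiusd.
"""
import socket
import struct

# Linux value; not every CPython build exports socket.IP_PKTINFO
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# struct in_pktinfo { int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr; }
PKTINFO_FMT = "i4s4s"
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def pack_pktinfo(ifindex, spec_dst, addr):
    """Encode an in_pktinfo control-message body from dotted-quad strings."""
    return struct.pack(PKTINFO_FMT, ifindex,
                       socket.inet_aton(spec_dst), socket.inet_aton(addr))


def parse_pktinfo(ancdata):
    """Return (destination address, interface index) found in recvmsg()
    ancillary data, or None when the socket did not deliver IP_PKTINFO."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            ifindex, _spec_dst, addr = struct.unpack(PKTINFO_FMT, data[:PKTINFO_LEN])
            return socket.inet_ntoa(addr), ifindex
    return None


def make_pktinfo(src_addr):
    """Ancillary item that makes sendmsg() use src_addr as the source IP.
    ipi_spec_dst carries the requested source; ifindex 0 lets the kernel route."""
    return (socket.IPPROTO_IP, IP_PKTINFO, pack_pktinfo(0, src_addr, "0.0.0.0"))


def serve_once(sock, handler):
    """Receive one datagram and answer it from the address it was sent to.
    Returns the parsed pktinfo so the caller can log which address was used."""
    data, ancdata, _flags, peer = sock.recvmsg(4096, 256)
    info = parse_pktinfo(ancdata)
    reply = handler(data)
    if info is None:                       # option not set: kernel chooses
        sock.sendto(reply, peer)
    else:
        sock.sendmsg([reply], [make_pktinfo(info[0])], 0, peer)
    return info


def demo():
    """Loopback round trip: server bound to 0.0.0.0, client talks to 127.0.0.1.
    Returns (pktinfo seen by the server, source address seen by the client)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    srv.bind(("0.0.0.0", 0))
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(2)
    try:
        cli.sendto(b"Access-Request", ("127.0.0.1", srv.getsockname()[1]))
        info = serve_once(srv, lambda req: b"Access-Accept for " + req)
        _reply, (src_ip, _port) = cli.recvfrom(4096)
    finally:
        srv.close()
        cli.close()
    return info, src_ip


if __name__ == "__main__":
    print(demo())
```

On a multi-homed host, bind the test client to the second address and watch the reply come back from the address it was sent to, instead of from whatever the routing table prefers.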

Re: freeradius 1.0.0 pre2

2004-09-15 Thread Thomas MARCHESSEAU
Hi all,
There is a (great) patch submitted by Jan BERKEL (--with-udpfromto).
This patch has been included in FR 1.0x, but it appears it doesn't work
correctly.
nbk will probably mail Freeradius's ML soon about this problem.

Regards.
Thomas
private
hehehehe
/private

Raimund Sacherer wrote:
for further information:
we need the radius server to listen on more interfaces because we have
some hardware which can work only with ONE radius entry (annoyingly, one
of these clients is a cisco machine *sigh*) and for these machines we want
to supply a fail-over interface which is maintained and triggered via
heartbeat so it switches over to the other server on failure.
with this scenario we can manage clients which work correctly with more
than one radius server and also the others in a safe manner.
regards
raimund
On Wednesday, 15.09.2004, 09:37 +0200, Raimund Sacherer wrote:
 

Hello!
we are using the freeradius server 1.0.0 pre2.
we want the server to listen on 2 interfaces, but there is a problem: if
i tell it to bind to * (any device) it seems to NOT send the packet out
to the client on the same interface it came in on; in fact, it seems it's
randomly choosing on which interface it sends the packet out.

so, the client sends to X.X.X.X but the reply comes from X.X.X.Y and
the client does not accept the packet ...
is this a bug or am i missing something?
thx and regards
Ray
   

 




Re: Not authenticating only bad guys

2004-09-13 Thread Thomas MARCHESSEAU
Hi Mike,
remember:
1/ It's very easy to change the MAC on a wifi card.
2/ If the attacker understands that you burn MACs, he could try to DoS
your hotspot.

As mentioned by Ted in the first reply, it's probably better to
authenticate only trusted users (of course it could be bypassed by bad
guys).

Security for an open wifi spot (if that's your aim) is not trivial stuff.
Regards
Thomas
Mike Markowski wrote:
For a very open wireless network, we'd like to allow everyone
to connect unless we know the MAC is a bad guy.  That is, if
the MAC address is *in* the postgres db, don't authenticate.  If
it's not in the db, authenticate.
Can anyone think of a way to do this, or will I need to
tweak the code?
Thanks!
Mike
 




Re: Client member in multiple huntgroups

2004-07-05 Thread Thomas MARCHESSEAU
Hi Arne,
I hope this cut/paste will help you.
Extract from the users file (note that I have replaced my real realm with
realm.net):

DEFAULT Realm == realm.net, Huntgroup-Name == bas, Autz-Type := autz.realm1.net
DEFAULT Realm == realm.net, Huntgroup-Name == lns, Autz-Type := autz.realm2.net
DEFAULT Realm == realm.net, Huntgroup-Name == nas, Autz-Type := autz.realm3.net
DEFAULT Realm == realm.net, Huntgroup-Name == lns-rtc, Autz-Type := autz.realm4.net
DEFAULT Realm == realm.net, Huntgroup-Name == redback, Autz-Type := autz.realm5.net

I check for NAS-IP-Address to assign the correct huntgroup and the
correct authentication method.


Arne Brutschy wrote:
Hi,
I have clients that are in multiple huntgroups (i.e. in dot1xswitches,
used for 802.1x auth, and shellaccess, used to give access to the config
shell of this switch). Is it possible to have a client in multiple
huntgroups?
Regards,
Arne





Re: Client member in multiple huntgroups

2004-07-05 Thread Thomas MARCHESSEAU
hi,
my huntgroup file (a _very_ small part :) )
# A3MITRY__95
redback NAS-IP-Address == 80.xx.xx.2
# A6CORBAS_60
redback NAS-IP-Address == 80.xx.xx.3
# LNS #
#Loopback0 de ValentonLDP3/VAL3MC7213
lns NAS-IP-Address == 213.yy.yy.14
#Loopback0 de ValentonLDP4/VAL3MC7214
lns NAS-IP-Address == 213.yy.yy.20
but, you can't have something like
lns NAS-IP-Address == a.b.c.d
bas  NAS-IP-Address == a.b.c.d
maybe I don't understand your request :)
regards
Thomas MARCHESSEAU
Arne Brutschy wrote:

Thomas MARCHESSEAU wrote:
| DEFAULT Realm == realm.net, Huntgroup-Name == bas, Autz-Type := autz.realm1.net
| DEFAULT Realm == realm.net, Huntgroup-Name == lns, Autz-Type := autz.realm2.net
|
| I check for Nas-Ip-Address to assign the correct huntgroup and the
| correct authentication method.
|
Yes, but this won't work if you have in the huntgroups file:
bas == 192.168.1.1
bas == 192.168.1.2
lns == 192.168.1.1
If the client 192.168.1.1 tries to authenticate, the line
DEFAULT Realm == realm.net, Huntgroup-Name == lns, Autz-Type := autz.realm2.net
fails, as the huntgroup file matches on the bas group. Or did I
understand your config wrong?
Regards,
Ar





Re: Sniff radius

2004-06-30 Thread Thomas MARCHESSEAU
Hi Gary,
thx, I got it, I even patched it to match my needs ;)
cya.
Thom.
Gary McKinney wrote:
Try searching for: radiusniff  (just one 's')...
gm...
- Original Message - 
From: nsinit [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
[EMAIL PROTECTED]
Sent: Tuesday, June 29, 2004 9:22 PM
Subject: Re: Re: Sniff radius

 

yeah i found it yesterday afet the post , thx anyway .
i use radiussniff too.
 

Hi, can you tell me where i can download radiussniff?
I have searched it at google/freshmeat.net/sourceforge.net,
but get nothing.
thx.

 

   

 




Re: Sniff radius

2004-06-30 Thread Thomas MARCHESSEAU
Hi Nsinit,
you can get it on ADM's ftp.
adm.freelsd.net/ADM
regards
Thomas MARCHESSEAU
nsinit wrote:
yeah i found it yesterday afet the post , thx anyway .
i use radiussniff too.
   

Hi, can you tell me where i can download radiussniff?
I have searched it at google/freshmeat.net/sourceforge.net,
but get nothing.
thx.

 




Re: Sniff radius

2004-06-29 Thread Thomas MARCHESSEAU
Hi,
Yeah, I found it yesterday after the post, thx anyway.
I use radiussniff too.
regards
Thomas MARCHESSEAU

Kostas Kalevras wrote:
On Mon, 28 Jun 2004, Alan DeKok wrote:
 

Thomas MARCHESSEAU [EMAIL PROTECTED] wrote:
   

is there any good radius sniffer ?
 

 www.tcpdump.org, and ethereal.
   

Also radstock:
http://freshmeat.net/search/?q=radstock&section=projects&Go.x=0&Go.y=0
 

 Alan DeKok.
   

--
Kostas Kalevras            Network Operations Center
[EMAIL PROTECTED]          National Technical University of Athens, Greece
Work Phone:                +30 210 7721861
'Go back to the shadow'    Gandalf
 




Sniff radius

2004-06-28 Thread Thomas MARCHESSEAU
Hi all,
is there any good radius sniffer ?
regards
Thomas MARCHESSEAU
Michael Milbrat wrote:
Thanks for the answer Tim.
Michael
- Original Message - 
From: Tim McCracken [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 7:07 AM
Subject: RE: Which is Better LDAP or MySQL?

 

Michael,
IMHO, that's a little like asking which is better - a car or a motorcycle.
It just depends on your needs. Sometimes you may need both, since LDAP
doesn't have accounting abilities. (And there are other SQL databases, as
well as lots of choices in LDAP servers.)
The real question you need to determine is: What other systems does my
RADIUS server need to interact with? Once you know that, you'll be closer
to the answer to your question.
Tim
   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Michael
Milbrat
Sent: Friday, August 15, 2003 11:14 PM
To: [EMAIL PROTECTED]
Subject: Which is Better LDAP or MySQL?
Does anyone know which is actually a better backend, LDAP or MySQL?
Michael Milbrat
12dollars.net
 

 

   


 




Re: No Password possible?

2004-06-21 Thread Thomas MARCHESSEAU
Hi Andreas,
in users file
DEFAULT Realm == toto.cl, Auth-Type := Accept
Tunnel-Assignment-Id := 1.2.3.4,
Tunnel-Server-Endpoint := 1.2.3.4,
Tunnel-Medium-Type := IP,
Tunnel-Type := L2TP,
Tunnel-Password := my_ultrascret_passwd,
Framed-Protocol := PPP,
Service-Type := Framed
a l2tp tunnel is created  for every user @toto.cl is
Andreas wrote:
I am trying to setup a radius server that should work as an accounting 
server only. Is this possible? I want all passwords to be accepted. I 
Tried to use Exec-Program-Wait, but later saw this is not called until 
after password has been accepted.

Thanks for your time.
/Andreas




Re: SecureID support

2004-02-09 Thread Thomas MARCHESSEAU
Hello Gary,

I'm really interested in an rlm_securid module; have you started development,
or do you have information?
We can try to develop a SecureID module at the Sitadelle team (via
Nicolas Baradakis), but if someone has started the job ..

regards
Thomas MARCHESSEAU
Sitadelle Team .
Gary Algier wrote:

Jay Wilson wrote:

I have searched the mail archive for posts on SecureID support.  I 
found a
couple of hits from back in 2001.  Does FreeRADIUS support SecureID 
today?

No (not yet?).  I want the same feature.  I intend to run the Ace 
Server's
own RADIUS server (which uses its own braindead GUI/CUI/FUI, etc.) for 
radius
access to SecurID.  I then intend to use FreeRADIUS as the frontend or
proxy server.  When I need a login to be SecurID authenticated it can
refer the work to the Ace server.  Other logins can use the FreeRADIUS
server directly.

If I have time and can figure it out, I may try writing an rlm_securid 
module.
How hard can that be ;-)?

BTW: In my searches for a RADIUS implementation that support SecurID, the
best I could find was the old Livingston code.  All the derivatives seem
to have dropped it.
Thank You
---
Jay Wilson
Extreme Networks







Re: Using NAS IP as part of auth

2004-01-19 Thread Thomas MARCHESSEAU
Hi,

I'm not sure I understand exactly your request, but I'm selecting the auth
via the NAS-IP-Address:

* first the user.conf file; I have created huntgroups (lns, bas,
lns-rtc, and even wifi)

- a part of user.conf -
DEFAULT Realm == XXX.net, Huntgroup-Name == bas, Autz-Type := autz.XXX.net
DEFAULT Realm == XXX.net, Huntgroup-Name == lns, Autz-Type := autz1.XXX.net
DEFAULT Realm == XXX.net, Huntgroup-Name == nas, Autz-Type := autz2.XXX.net
DEFAULT Realm == XXX.net, Huntgroup-Name == lns-rtc, Autz-Type := autz.XXX.net
-end-

* then here comes the huntgroups file :

- a part of huntgroups -

# BAS #
bas NAS-IP-Address == xx.124.255.2
# to check whether it exists
bas NAS-IP-Address == xx.124.255.128
# LNS #
lns NAS-IP-Address == xx.223.42.14
lns NAS-IP-Address == xx.223.238.197
lns-rtc NAS-IP-Address == xx.223.14.226
lns-rtc NAS-IP-Address == xx.115.111.13

# the dupont boxes (Nagios supervision)
lns-rtc NAS-IP-Address == 192.168.7.229
lns-rtc NAS-IP-Address == 192.168.7.230
* then you can find a part of my sql.conf

   authorize_check_query = "select USER_ID, USER_LOGIN, \"User-Password\", USER_PWD, ':=' \
      from USER where USER_LOGIN = '%{User-Name}' and USER_ETAT = 'TRUE'"

   # used to fetch the Post-Auth-Type variable, for LNS load balancing
   authorize_group_check_query = "select GATTR_ID, USER_LOGIN, GATTR_NOM, GATTR_VALEUR, GATTR_OPERATION \
      from USER, GATTR where USER_LOGIN = '%{User-Name}' and GATTR.GROUPE_ID = USER.GROUPE_ID \
      and GATTR_CLTTYPE = '%{Huntgroup-Name}' and GATTR_QUERYTYPE = 'check'"

   # fetches the user attributes
   authorize_reply_query = "select UATTR_ID, USER_LOGIN, UATTR_NOM, UATTR_VALEUR, UATTR_OPERATION \
      from USER, UATTR where USER_LOGIN = '%{User-Name}' and UATTR.USER_ID = USER.USER_ID \
      and UATTR_CLTTYPE = '%{Huntgroup-Name}' and UATTR_QUERYTYPE = 'reply'"

   # fetches the group attributes
   authorize_group_reply_query = "select GATTR_ID, USER_LOGIN, GATTR_NOM, GATTR_VALEUR, GATTR_OPERATION \
      from USER, GATTR where USER_LOGIN = '%{User-Name}' and GATTR.GROUPE_ID = USER.GROUPE_ID \
      and GATTR_CLTTYPE = '%{Huntgroup-Name}' and GATTR_QUERYTYPE = 'reply'"
   }

* and may be you need to have a look on radiusd.conf

authorize {
   preprocess
   suffix
   files

   Autz-Type autz.XXX.net {
      chap
      sql.XXX.net
   }

   Autz-Type autz.david.cl {
      chap
      sql.david.cl
   }
   Autz-Type autz.valerie.cl {
      chap
      sql.valerie.cl
   }
}

OK, maybe it's not clear :/
If you feel it can help you, tell me :)


Graeme Hinchliffe wrote:

Hiya
I am building a centralised authentication system for our routers, we are 
using RADIUS (well freeRADIUS :) ) as the authentication and authorization system.  
Ideally we want to just have one radius server running on the machine that will be 
responsible for this, but there are several different types of router.  So we have 
people that can enable on router A but not B and vice-versa.
	For this to work nicely I need to take into account the NAS IP address from which the auth request is coming and use a lookup in another table to determine the users access level on the router.  Is this possible in freeRADIUS without using an external call? I was looking at the sql_xlat call, or am I barking up the wrong tree?

thanks for any help,

 





Re: Using NAS IP as part of auth

2004-01-19 Thread Thomas MARCHESSEAU
Alan DeKok wrote:

Thomas MARCHESSEAU [EMAIL PROTECTED] wrote:
 

I'm not sure I understand exactly your request, but I'm selecting the auth
via the NAS-IP-Address:
   

...
 

- a part of huntgroups -

# BAS #
bas NAS-IP-Address == xx.124.255.2
   

 I would recommend *not* using NAS-IP-Address to set policy.  The
reason is that it's an attribute inside of a RADIUS packet, and it can
lie.  That is, a client with IP address A can send a RADIUS request
with NAS-IP-Address B.
 

yes, but my BAS are proxied via 2 SMCs; the BAS IP address
(Client-IP-Address) is overwritten by the SMCs' IPs :), and attributes
differ per BAS, so this is the only trick I found ..

 I would suggest using the Client-IP-Address attribute instead.  It's
created by FreeRADIUS, and isn't in any RADIUS packet.  It's the
source IP of the RADIUS packet.
 Alan DeKok.

 

Regards
Thomas MARCHESSEAU
Sitadelle Team .


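Alan's point in this thread, as an added example that is not from the thread or from FreeRADIUS: a small Python RADIUS decoder that pulls NAS-IP-Address out of an Access-Request and compares it with the source IP the datagram came from (what FreeRADIUS exposes as Client-IP-Address), so a policy check can see when the two disagree. Function names, the sample packet and the addresses are constructed for the example.

```python
"""Check NAS-IP-Address against the datagram's source address.

Added example, not from the thread or from FreeRADIUS. NAS-IP-Address
(attribute 4) is written by the client and can say anything; the UDP
source address, which FreeRADIUS exposes as Client-IP-Address, is what
the shared-secret lookup is tied to. The packet below is constructed
for the demo with documentation-range addresses.
"""
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
HEADER_LEN = 20          # code, id, length, 16-byte authenticator


def parse_radius(packet):
    """Decode a RADIUS packet (RFC 2865) into (code, id, authenticator, attrs).
    attrs is a list of (type, raw value); malformed lengths raise ValueError."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("Length field does not fit the datagram")
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:HEADER_LEN], attrs


def is_malformed(packet):
    """True when parse_radius() rejects the packet."""
    try:
        parse_radius(packet)
    except ValueError:
        return True
    return False


def build_radius(code, ident, authenticator, attrs):
    """Encode a packet from (type, raw value) pairs; used here to make samples."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def nas_ip_check(packet, client_ip):
    """Compare the NAS-IP-Address claimed inside the packet with client_ip,
    the source address the datagram actually came from."""
    code, _ident, _auth, attrs = parse_radius(packet)
    claimed = [socket.inet_ntoa(v) for t, v in attrs
               if t == ATTR_NAS_IP_ADDRESS and len(v) == 4]
    nas_ip = claimed[0] if claimed else None
    return {
        "code": code,
        "nas_ip_address": nas_ip,
        "client_ip": client_ip,
        "mismatch": nas_ip is not None and nas_ip != client_ip,
    }


# Constructed sample: an Access-Request claiming to come from NAS 192.0.2.10
SAMPLE = build_radius(ACCESS_REQUEST, 15, bytes(range(16)), [
    (ATTR_USER_NAME, b"user@realm.net"),
    (ATTR_NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10")),
    (ATTR_NAS_PORT, struct.pack("!I", 0)),
])


if __name__ == "__main__":
    # source matches the claim: huntgroup policy keyed on either value agrees
    print(nas_ip_check(SAMPLE, "192.0.2.10"))
    # datagram really came from elsewhere: a NAS-IP-Address huntgroup would be misled
    print(nas_ip_check(SAMPLE, "198.51.100.7"))
```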


Re: haevy Performance and load requirements

2004-01-15 Thread Thomas MARCHESSEAU
Dear Stefan,

notes:
Freeradius 0.9.2 (with some patches by Nicolas Baradakis) + mysql
Debian woody
PIII 1Ghz / 1G ram, scsi
We can easily support more than 400 req/sec per server, with users in a
mysql DB, multiple realms, and multiple huntgroups.

Note that performance falls when we use a radius proxy to
load-balance our home radius servers (I still haven't tried the new cvs
snapshot), so we decided to use an LVS box to load balance the traffic.
Nicolas Baradakis sent a mail with a short description of the
architecture (since this mail we just replaced the proxies by LVS):
http://lists.cistron.nl/pipermail/freeradius-devel/2003-December/006469.html
With this kind of network we can reach more than 600 req/sec without
any drop.

If people are interested in more details about the stress testing of freeradius,
let me know.

Regards
Thomas MARCHESSEAU
Sitadelle Team




Stefan wrote:

Gurus,
 
I'm not sure how performant a Freeradius can be built up.
 
Would it be possible to set up a system which is able to support a 
peak load of 500+ Access Requests/s for a time frame of about 15 s?
 
As my users are stored in an LDAP directory (which does support about 
1000 queries/s peak) the requested configuration must look up the user 
there.
Also, the system must be able to assign the IP addresses for the users.
I will have to build a database to store all RADIUS sessions to be 
able to retrieve actual and past sessions.
 
As of my knowledge, the main performance issues are the database, the 
IP address assignment and the online database replication (for fault 
tolerance reasons).
 
Is there anybody who has built a system like that? What kind of HW do 
I need (we will need 99.% system reliability)?
 
 
BTW: somebody in my company told me it would all fit in a 'pizza box' 
... which should mean a small SUN system. How far is he away from 
reality, beside the fact that this would not meet our fault 
tolerance requirement? 
 
rg. Stefan

