RE: FreeRadius with Mysql under Solaris can't work

2003-06-04 Thread Gene Parks
If I remember correctly the development package for MySQL that comes from sunfreeware puts the files in the wrong location for freeradius to look for them. You can specify the location of the files or you can download the source and install from that. Solaris 8 and 9 fixed the location

EAP/MD5 and ldap

2003-06-04 Thread pahartmann
Hello, I want to use EAP/MD5 and LDAP. EAP/MD5 config is ok, but LDAP config is not ok. Have you got an example of radiusd.conf, users for EAP/MD5 and LDAP? Thanks,

Re: FreeRadius with Mysql under Solaris can't work

2003-06-04 Thread
Thanks to Jeson. The MYSQL package is downloaded from sunfreeware and installed directly by pkgadd command. I am sure there are development header and lib included. Files in the lib directory are as follows: libdbug.a libmygcc.a libmysqlclient.a libmysqlclient_r.a

Re: SMUX

2003-06-04 Thread Leo Edmiston-Cyr
Nathan Kufner wrote: I was under the impression that SMUX/SNMP was integral to the radius server. It can be :) I am still unsure as to what functionality I just turned off. What does having SNMP (dis|en)abled on freeRadius mean for the radius server? What kind of functionality do I gain or lose

Re: cisco_vsa_hack (rlm_preprocess)

2003-06-04 Thread Vladimir Kravchenko
Hi. code from rlm_preprocess.c: if ((vp->attribute & 0x) == 1) { char *p; DICT_ATTR *dattr; p = vp->strvalue; getword(&p, newattr, sizeof(newattr));

rlm_krb5 module options?

2003-06-04 Thread Juha Sievi-Korte
Hi there! I am trying to set up radiusd to authenticate against kerberos (Windows 2003 AD). The rlm_krb5 module didn't compile from 0.8.1, but I got it now as I upgraded my radiusd to a cvs snapshot. What configuration options should be passed to rlm_krb5 in modules -section? Now it is there w

EAPOL-Key(WPA format) with WinXP - unsuccessful

2003-06-04 Thread Nikhil Chauhan
Hi: I'm trying to test EAPOL-Key (4-way and group key handshaking) exchange between the AP and the STA (Win XP-SP1-WPA). I'm able to do 802.1X authentication, but when I send the 1st EAPOL-Key message (as defined in WPA/11i drafts) from the AP to the STA, the STA doesn't respond back with any

Re: FreeRadius with Mysql under Solaris can't work

2003-06-04 Thread 王志欣
Hi, Please make sure you have the MySQL development package; to compile the rlm_sql_mysql module, FreeRADIUS needs the include file from the MySQL development package. Enjoy it! Jeson Welcome to: http://www.zyxel.com [EMAIL PROTECTED] 2003-06-04 === 2003-06-04 15:57:0

FreeRadius with Mysql under Solaris can't work

2003-06-04 Thread
Hi, all. I want to use freeradius with mysql support under Solaris sparc 2.7. I meet the same problem as many newbies when I start radiusd: rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found rlm_sql (sql): Make sure it (and all its dependent libraries!) are

Multiple attributes

2003-06-04 Thread Gene Parks
I am using freeradius snapshot 20030603 and the server comes up fine and will authenticate. The problem I have is now the server will not return multiple values for one attribute. I have 3 other servers running 0.8.1 and they will return the attributes correctly.

Re: Squid with Freeradius

2003-06-04 Thread Wei Ming Long
Hi Dan, Excellent! It is great to know that you are using Squid with Freeradius, that's exactly what I want to do too. I want Squid to authenticate the http requests using Freeradius and I also want Squid to perform transparent proxying so that users from another network do not have to change their

Re: Squid with Freeradius

2003-06-04 Thread Wei Ming Long
That is, if Squid receives a http request from a client, it first verifies this client with a Radius Server to make sure that this client is a valid user before servicing the http request and fetching the requested web page for the client. >>> [EMAIL PROTECTED] 06/04/03 10:55AM >>> What do you mea

radwho not show anything

2003-06-04 Thread ชายแดน มิ่งเมือง
I'm using the latest version of freeradius with Solaris 9. It seemed to work fine, but radwho doesn't show anything, and the radutmp size is zero. I enabled snmp at the Cisco NAS already. I don't know how to solve this problem. Can somebody help? Thanks in advance. Chaidan Mingmuang -

Re: Squid with Freeradius

2003-06-04 Thread Dan Perik
We're using squid with freeradius as the authentication "engine". As far as I know, you can't have a transparent + authenticating proxy. If it's authenticating, then it has to be non-transparent. It's actually very easy. You just need to set up the Squid ACL's right (so that it requires auth

RE: Always Password Attribute and Multiple Password

2003-06-04 Thread Gene Parks
Sn is not stored correctly in LDAP for a userpassword. Why would you want it to be sn anyway? If you are looking for a clear text password then store it as chappassword. LDAP will store it correctly. Userpassword needs to be userpassword. Gene Parks VIP Direct -Original Message- From:

Re: Squid with Freeradius

2003-06-04 Thread Navid Sheik
What do you mean by "authenticate http requests" ? Navid On 2003.06.03 21:32, Wei Ming Long wrote: Hi everyone, I would like to use the proxy server Squid to perform transparent proxying and to authenticate http requests with Freeradius and was wondering if anyone has done it and would appreciate

Squid with Freeradius

2003-06-04 Thread Wei Ming Long
Hi everyone, I would like to use the proxy server Squid to perform transparent proxying and to authenticate http requests with Freeradius and was wondering if anyone has done it and would appreciate it if you could provide details(configuration files) of how to setup Squid and Freeradius to do just

Re: EAP-TLS ok w/ xsupplicant, WinXP not

2003-06-04 Thread Adam Haberlach
On Mon, Jun 02, 2003 at 07:51:56AM -0700, Sepp Rudel wrote: > Hi, > > I've configured FreeRADIUS 0.8.1+OpenSSL 0.9.7b, Cisco > AP 350 and a laptop with Linux+xsupplicant and > WinXP+SP1.. With Linux+xsupplicant everything works > like a charm but with WinXPSP1 after radiusd sends > Access-Accept W

Re: FreeRadius - DLINK DWL-900+ - 802.1.X

2003-06-04 Thread Artur Hecker
hi Pascal as Alan already advised you, try to read the EAP/MD5 faq. what you keep on posting is NOT an error. there CAN'T be any user-password attribute with EAP/MD5 or CHAP methods. thanks, artur Pascal PELONI wrote: > > My mistake : this is the good extract of the log file : > >

RE: How do I dynamically insert and delete users with mysql?

2003-06-04 Thread Tim McCracken
Then you don't have it set up correctly to use MySql. My users file is empty. All my users are in MySql, as I suspect is the case with most people who use it. There are lots of questions about MySql in the archives and lots of info in the docs to get it going. Tim > -Original Message-

Re: How do I dynamically insert and delete users with mysql?

2003-06-04 Thread Nick Davis
Yes. If you put "sql" in your "authorize" section of radius.conf there should be no need to have users in the users file. Provided your sql.conf is set up correctly. Just make sure you comment out the "files" entry in your authorize section or put "sql" before "files". Once you are correctly us

How do I dynamically insert and delete users with mysql?

2003-06-04 Thread Michael Davis
I am using mysql to populate my users list but I still have to insert each user name into the users file in order for radius to recognize it. Is there a way to set up a table in mysql and change a config setting so that I can insert users dynamically without having to use the users file at all? Th

RE: How do I dynamically insert and delete users?

2003-06-04 Thread Tim McCracken
And pick up a copy of the Radius book. > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Steve > Fulton > Sent: Tuesday, June 03, 2003 4:30 PM > To: [EMAIL PROTECTED] > Subject: Re: How do I dynamically insert and delete users? > > > > How do I dynamical

Re: How do I dynamically insert and delete users?

2003-06-04 Thread Steve Fulton
> How do I dynamically insert and delete users that the radius server will > use? Modifying raddb/users each time is too cumbersome, isn't it? SQL or LDAP with a front-end of some sort. Check the archives, there has been plenty of discussion about it. -- Steve. - List info/subscribe/unsubscri

How do I dynamically insert and delete users?

2003-06-04 Thread Brian Hu
Hi, How do I dynamically insert and delete users that the radius server will use? Modifying raddb/users each time is too cumbersome, isn't it? For my purpose the user list is large and it changes very frequently. Please suggest a solution. Thanks. Regards, Brian -- ___

Having trouble getting LDAPs to Work w/FreeRadius

2003-06-04 Thread Owen DeLong
I'm running an LDAPs server using a self-signed certificate. For my purposes, that's OK. FreeRadius is telling me that it can't connect to the LDAP server because there's a self-signed certificate in the chain. I haven't been able to find the option to tell it that it's OK to accept a self-signed

Netscreen Dictionary

2003-06-04 Thread Owen DeLong
Hi, I'm pretty new to FreeRadius, but I've at least got my implementation partially working (radtest could authenticate and fail to authenticate under correct circumstances against my LDAP server). My next step is to set it up to authenticate XAUTH users on my Netscreen for VPN purpo

RE: SMUX

2003-06-04 Thread Nathan Kufner
Chris, Thank you very much. I configured --with-snmp=no, make, make install and I got the server up and running right away. I was under the impression that SMUX/SNMP was integral to the radius server. I am still unsure as to what functionality I just turned off. What does having SNMP (dis|

Re: SMUX

2003-06-04 Thread Chris van Meerendonk
If you don't need snmp support you can disable it in radius.cfg: snmp= no Otherwise you need to configure your snmpd for smux. Smux is used to pass information to your snmp daemon. In /etc/raddb/snmp.conf: smux_password = your_secret In /etc/snmp/snmpd.conf: smuxpeer .1.3.6.1.4.1.3317.1.

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
On Tue, Jun 03, 2003 at 12:14:58PM -0500, Chris Parker wrote: > At 09:05 PM 6/3/2003 +0400, Alexander M. Pravking wrote: > >> There is no 'wrong' or 'right'. They simply do it different ways. > > > >So is it possible to make freeradius determine both? > > For what purpose? What do you want Freer

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
On Tue, Jun 03, 2003 at 02:04:26PM -0400, Puneet B wrote: > Accounting Requests are slightly different if your NAS includes the attribute > Acct-Delay-Time. This needs to be updated in each retransmit, and since now the > contents of the packet change, a new Identifier is needed. > Here is the re

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Puneet B
> > It's not a dupe because it is different, that's the point. It is not > > the same set of a/v pairs that was originally sent. I don't see anything > > violating the RFC here. > > Hmm... Maybe I'm wrong here, assuming that NAS should re-send > packet with the same id. But then what the "duplicat

Re: Can RADIUS attributes pass through to Apache?

2003-06-04 Thread Mark Lavi
Alan DeKok wrote: Mark Lavi <[EMAIL PROTECTED]> wrote: So long as the list of RADIUS attributes don't get sent out in the HTTP response. That's my biggest worry with the use of HTTP headers, and with Apache. I'm not sure what response you mean, the web browser/client's response to the H

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Chris Parker
At 09:05 PM 6/3/2003 +0400, Alexander M. Pravking wrote: On Tue, Jun 03, 2003 at 11:53:48AM -0500, Chris Parker wrote: > At 08:38 PM 6/3/2003 +0400, Alexander M. Pravking wrote: > >On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote: > >> Hmm... Maybe I'm wrong here, assuming that

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
On Tue, Jun 03, 2003 at 11:53:48AM -0500, Chris Parker wrote: > At 08:38 PM 6/3/2003 +0400, Alexander M. Pravking wrote: > >On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote: > >> Hmm... Maybe I'm wrong here, assuming that NAS should re-send > >> packet with the same id. > > > >

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Jim Underwood
You can't apply your criteria without considering the device. If you want a NAS that delivers accounting reliably. Your reading of the RFC is correct but the RFC does not specify what a NAS does once it reaches the end of its attempt to deliver the Accounting. It does not even give guidance as t

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Chris Parker
At 08:38 PM 6/3/2003 +0400, Alexander M. Pravking wrote: On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote: > Hmm... Maybe I'm wrong here, assuming that NAS should re-send > packet with the same id. I think I'm not. Here's the PortMaster 2 example: There is no 'wrong' or 'right'

Re: FreeRadius, MS-CHAP, mppe, and 128-bit encryption

2003-06-04 Thread 3APA3A
Dear Steven Fries, 128-bit encryption is possible, because it's implemented in a way it works, not in a way RFC says to do. RFC authors acknowledged problem in RFC. --Tuesday, June 3, 2003, 9:54:47 PM, you wrote to [EMAIL PROTECTED]: SF> After reading one of the files that is in the docs/ d

FreeRadius, MS-CHAP, mppe, and 128-bit encryption

2003-06-04 Thread Steven Fries
After reading one of the files that is in the docs/ directory, it says 128-bit encryption with mppe is not possible because of some confusion with the Cisco RFC. Is this true? And if so, are there any current versions beyond 0.8.1? I'm trying to use Radius to validate VPN PPTP users and am

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote: > Hmm... Maybe I'm wrong here, assuming that NAS should re-send > packet with the same id. I think I'm not. Here's the PortMaster 2 example: rad_recv: Accounting-Request packet from host pm2:1026, id=168, length=129 Sun Jun 1

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
On Tue, Jun 03, 2003 at 10:52:45AM -0500, Chris Parker wrote: > At 07:45 PM 6/3/2003 +0400, Alexander M. Pravking wrote: > It's not a dupe because it is different, that's the point. It is not > the same set of a/v pairs that was originally sent. I don't see anything > violating the RFC here. Hmm

RE: User attributes

2003-06-04 Thread Burkhard Weeber
Using Ascend gear here is what works at our site: Service-Type = Framed-User, Framed-Protocol = PPP, Ascend-Bridge = Bridge-Yes, Ascend-DHCP-Reply = DHCP-Reply-Yes, Ascend-DHCP-Pool-Number = 3, Ascend-Assign-IP-Pool = 3, Framed-Netmask = 255.255.255.255, Ascend-Link

Re: FreeRadius - DLINK DWL-900+ - 802.1.X

2003-06-04 Thread Pascal PELONI
My mistake : this is the good extract of the log file : Auth: Login incorrect: [tst1/] At 17:24 03/06/2003 +0200, you wrote: I forget to say that : 1. the authentication works well with radtest ! $ radtest tst1 pp 127.0.0.1 1 test Sending Access-Request of id 68 to 127.0

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Chris Parker
At 07:45 PM 6/3/2003 +0400, Alexander M. Pravking wrote: On Tue, Jun 03, 2003 at 09:14:01AM -0500, Chris Parker wrote: > At 05:53 PM 6/3/2003 +0400, Alexander M. Pravking wrote: > >I discovered that our Cisco 5200 resends acct-requests (not sure about > >auth-requests) with different request identi

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
On Tue, Jun 03, 2003 at 07:06:38AM -0700, Jim Underwood wrote: > That's what those acct-session-ids are for... Don't think developers will hack radius for this very Cisco's bug :) -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: User attributes

2003-06-04 Thread Jonathan Ruano
Hello: It depends on which hardware you use. We have Ascend MAX 6x/TNTs and these attributes seem to work (not using them currently, but did in the past): [EMAIL PROTECTED] radius]# grep DNS /etc/raddb/dictionary.ascend ATTRIBUTE X-Ascend-Client-Primary-DNS 135 ipaddr ATTRIBU

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
On Tue, Jun 03, 2003 at 09:14:01AM -0500, Chris Parker wrote: > At 05:53 PM 6/3/2003 +0400, Alexander M. Pravking wrote: > >I discovered that our Cisco 5200 resends acct-requests (not sure about > >auth-requests) with different request identifiers, which violates > >RFC 2866. Here is sample debug o

Re: FreeRadius - DLINK DWL-900+ - 802.1.X

2003-06-04 Thread Pascal PELONI
I forget to say that : 1. the authentication works well with radtest ! $ radtest tst1 pp 127.0.0.1 1 test Sending Access-Request of id 68 to 127.0.0.1:1812 User-Name = "tst1" User-Password = "\323\366\273\363\371Z\250]\231(w\265?\346G\253"

User attributes

2003-06-04 Thread Mauro
Having this basic user configuration linus Auth-Type = Local, Password = 'password' Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 192.168.28.152, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = Broadcast-Listen, Framed-M

Re: Simultaneous-Use

2003-06-04 Thread Leo Edmiston-Cyr
If configured correctly the "Simultaneous-Use =1" parameter will limit simultaneous logins into THAT RADIUS server to 1. If you have 1 or fifty NAS devices pointed at the same RADIUS server with Simultaneous-Use = 1 set for a user, that user will only be allowed to login once no matter which N

RE: Cisco re-sends packets with different ids

2003-06-04 Thread Michael Hardrick
Hey Alex, Try using "aaa accounting delay-start"... This may help. I use it on our 5800 to get accounting IP addresses correctly from the NAS. Mike -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexander M. Pravking Sent: Tuesday, June 03, 2003 8:53 AM T

Re: FreeRadius - DLINK DWL-900+ - 802.1.X

2003-06-04 Thread Pascal PELONI
I've already read the FAQ and the README's, but it still doesn't work. Here is part of my config : radiusd.conf modules { eap { default_eap_type = md5 md5 { } } } authorize { eap } authenticate { eap } cl

Re: Proxy-To-Realm and Replicate-To-Realm

2003-06-04 Thread freeradius
On Thu, 8 May 2003, Alan DeKok wrote: > [EMAIL PROTECTED] wrote: > > support multiple Replicate-To-Realm attributes in the acct_users file? Can > > I do something like this in acct_users and is it supported?: > > The server no longer supports Replicate-To-Realm. Similar > functionality can be a

RE: radtest help

2003-06-04 Thread Carugati Paul-APC050
Thanks for the information. I am not sure what version I am using. It was the latest and greatest compile from the web site. I can modify the radtest to manually enter more attributes. That might work. Does anyone know how to configure the radtest script (or create a new one) to do LEAP authentica

RE: dynamic ip addresses

2003-06-04 Thread Robin Garbutt
excellent! cheers very much! Rob. > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Michael > Hardrick > Sent: 03 June 2003 14:44 > To: [EMAIL PROTECTED] > Subject: RE: dynamic ip addresses > > > Change these two. > > Framed-IP-Address = 255.255.255.2

Simultaneous-Use

2003-06-04 Thread Jeff Sullivan
Q: I have 4 usrhipers setup for dial in. If customer A dials into arc 1 and then dials in again and gets a modem on arc 2, will they be denied access if the Simultaneous-Use is set to 1. Or will it only check if they are attempting to connect to the same arc as the original connection? Jeff - L

Virus Detected by Network Associates, Inc. Webshield SMTP V4.5 MR1a

2003-06-04 Thread postmaster
The City of Greater Sudbury has detected virus W32/[EMAIL PROTECTED] in an attachment movie.pif from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]> . Please be advised that the e-mail did not get forwarded to the recipient(s) listed above. The City of Greater Sudbury does not accept infected mail onto

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Chris Parker
At 05:53 PM 6/3/2003 +0400, Alexander M. Pravking wrote: I discovered that our Cisco 5200 resends acct-requests (not sure about auth-requests) with different request identifiers, which violates RFC 2866. Here is sample debug output (note the id's!): Acct-Delay-Time has changed. It is not the same

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Jim Underwood
That's what those acct-session-ids are for... Alexander M. Pravking wrote: I discovered that our Cisco 5200 resends acct-requests (not sure about auth-requests) with different request identifiers, which violates RFC 2866. Here is sample debug output (note the id's!): rad_recv: Accounting-Request

SMUX

2003-06-04 Thread Nathan Kufner
Hello all, I have tried to search for this problem in the lists and with google, but to no avail :( Anyway I am setting up freeRadius for the first time and when I start it I get: [snip] SMUX connect try 1 SMUX open oid: 1.3.6.1.4.1.3317.1.3.1 SMUX open progname: radiusd SMUX open password:

Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
I discovered that our Cisco 5200 resends acct-requests (not sure about auth-requests) with different request identifiers, which violates RFC 2866. Here is sample debug output (note the id's!): rad_recv: Accounting-Request packet from host cisco-5200:1646, id=205, length=119 Sun Jun 1 13:57:15 200