RE: ippool problem

2005-07-15 Thread milver nisay
What does radiusd -X tell you? Can you post more info from your accounting and post-auth section?   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, July 15, 2005 7:42 AM To: freeradius-users@lists.freeradius.org Subject: ippool prob

Adding a binary null to a value using attr_rewrite

2005-07-15 Thread Tore Anderson
Hi. I'm using attr_rewrite to add a Class attribute in my auth- reply packets. I need to include a binary null-byte in the value, but I cannot figure out how to do so. If I add a verbatim null-byte in radiusd.conf, the string is truncated there in the reply packet (seems like the code int

Allowing any NAS to connect to my radiusd.

2005-07-15 Thread Marcin Jessa
Hi. I would like to allow any NAS IP to connect to my radius server restricting connections from NAS only with shared secret - username and password. Is it possible to use 0.0.0.0 or ANY in clients.conf/SQL nas table ? What are the security issues having an open setup like that ? Cheers Marcin J

RE: ippool problem

2005-07-15 Thread abernabe
radius -X doesn't show any error or warning until the end (Segmentation fault). You can see the result of my last execution: Starting - reading configuration files ... reread_config:  reading radiusd.conf Config:   including file: /usr/local/etc/raddb/proxy.conf Config:   including file

RE: Allowing any NAS to connect to my radiusd.

2005-07-15 Thread Guy Davies
Hi Marcin, You can create a subnet in clients.conf (e.g. 10.10.10.0/24) that can use the same key. I think that doing 0.0.0.0/0 would be a very bad plan since it only requires that an attacker know the shared key to be able to send valid requests. Since all your devices are matched by a single e

RE: Allowing any NAS to connect to my radiusd.

2005-07-15 Thread milver nisay
It's like sharing your NAS resources to anybody who wants it. I guess it's like laying down your chicken's neck to somebody else who wants to chop it! ;) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcin Jessa Sent: Friday, July 15, 2005 11:29 AM To: Fr

Re: Allowing any NAS to connect to my radiusd.

2005-07-15 Thread Marcin Jessa
On Fri, 15 Jul 2005 11:43:43 +0100 "milver nisay" <[EMAIL PROTECTED]> wrote: > > It's like sharing your NAS resources to anybody who wants it I am aware of that, which is why I asked about the risks of such an approach. > I guess it's like laying down your chicken's neck to somebody else who wants > t

Re: Allowing any NAS to connect to my radiusd.

2005-07-15 Thread Marcin Jessa
On Fri, 15 Jul 2005 11:42:57 +0100 "Guy Davies" <[EMAIL PROTECTED]> wrote: > Hi Marcin, > > You can create a subnet in clients.conf (e.g. 10.10.10.0/24) that can > use the same key. I think that doing 0.0.0.0/0 would be a very bad plan > since it only requires that an attacker know the shared ke

Re: ippool problem

2005-07-15 Thread Marcin Jessa
Hi. Is /usr/local/var/log/radius/radutmp existing and is rw for radius ? Cheers, Marcin. On Fri, 15 Jul 2005 12:04:55 +0200 [EMAIL PROTECTED] wrote: > radius -X doesn't show any error or warning until the end (Segmentation > fault). You can see the result of my last execution: > > Starting

RE: Allowing any NAS to connect to my radiusd.

2005-07-15 Thread Guy Davies
> > The best method is to have individual clients listed with *unique* > > keys per client (yes, I know this is a real pain but if you want > > security this is about the best you can do with the limited > security > > afforded by the shared key). > > I know how things work, I was just wonderi

AW: Allowing any NAS to connect to my radiusd.

2005-07-15 Thread Marc . Werner
>From the security point of it would be easier to launch some type of >non-repudiation attacks without the need of spoofing I think. The shared >secret can easily be recovered by sniffing some RADIUS traffic and decrypting >it. I think this is even mentioned in the RFC. So removing one lock and

External authentication and Reply-Message

2005-07-15 Thread Velikanov
GOOD DAY. I use freeradius-snapshot-20050624. I want to use External authentication My radiusd.conf: exec echo { wait = yes program = "/usr/local/etc/raddb/radius.auth" input_pairs = request output_pairs = reply } . authorize {

segmentation fault

2005-07-15 Thread avudz
Hello, I just installed freeradius-1.0.4 on MDK 10.1, each time I run the radius always appear "Segmentation fault", in installation and configuration didn't display any error message. the weird again is radius running well with rpm format. any idea ? here is end of error radiusd -X sq

Re: Freeradius-Users Digest, Vol 3, Issue 15

2005-07-15 Thread sean
Hi, I can now get Chillispot to reach the CGI login on my server. The application loads and runs, but times out while trying to process the login. FreeRadius isn't getting any requests from Chilli but does process local requests from radtest. This is the way my network is structured. DSL modem

RE: Server Suggestion

2005-07-15 Thread King, Michael
> > If the AP's are wireless, then CPU is more important, as > EAP uses SSL, which has a large CPU impact. > Would FreeRADIUS take advantage of a Dual CPU system? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: ippool problem

2005-07-15 Thread milver nisay
Check user access and access permissions from radiusd.conf and from the files and folders   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, July 15, 2005 11:05 AM To: [EMAIL PROTECTED]; FreeRadius users mailing list Subject: RE: ippool problem   radius -X  

AVPair question

2005-07-15 Thread Andrey
Hey List, Quick question about AVPair. I have a Colubris Access Point which wants me to use the Colubris-AVPair attribute. The attribute is defined in a dictionary file, which is included in the main dictionary. This is what it looks like: # Colubris dictionary - dictionary.colubris # # Ena

Re: Access-Challenge

2005-07-15 Thread Alan DeKok
Srinivasa Rao Chigurupati <[EMAIL PROTECTED]> wrote: > What are the different authentication methods requiring Access-Challenge > supported by freeRadius? > Can anyone give atleast one real time example where Access-Challenge is > seen? Look on google for Access-Challenge. Alan DeKok. - Li

Re: ippool problem

2005-07-15 Thread Alan DeKok
[EMAIL PROTECTED] wrote: > When I start the server I get always the error "Segmentation Fault" after > loading radutmp, just when it tries to load the ippool in the "accounting" See doc/bugs Alan DeKok.

Re: Adding a binary null to a value using attr_rewrite

2005-07-15 Thread Alan DeKok
Tore Anderson <[EMAIL PROTECTED]> wrote: > Hi. I'm using attr_rewrite to add a Class attribute in my auth- > reply packets. I need to include a binary null-byte in the value, but > I cannot figure out how to do so. That's why the Class attribute is "octets" in the dictionary file. Class

Re: Allowing any NAS to connect to my radiusd.

2005-07-15 Thread Alan DeKok
Marcin Jessa <[EMAIL PROTECTED]> wrote: > What are the security issues having an open setup like that ? Lots. DoS attacks, people *easily* getting the shared secret, etc. FreeRADIUS allows it, but it's a bad idea. Alan DeKok.

Re: segmentation fault

2005-07-15 Thread Alan DeKok
avudz <[EMAIL PROTECTED]> wrote: > I just installed freeradius-1.0.4 on MDK 10.1, each time I run the > radius always appear "Segmentation fault", in installation and > configuration didn't display any error message. the weird again is > radius running well with rpm format. any idea ? You

No packet from client

2005-07-15 Thread Alan DeKok
sean <[EMAIL PROTECTED]> wrote: > DSL Modem has pinholes set up directing traffic coming to the static ip > out to the same ports on 192.168.1.2 IE 82.141.232.132:1812 sent to > 192.168.1.2:1812 > This works fine for Kannel, Apache etc. Are the pinholes set up for TCP or UDP? > Radius > can't

Re: Server Suggestion

2005-07-15 Thread Alan DeKok
"King, Michael" <[EMAIL PROTECTED]> wrote: > Would FreeRADIUS take advantage of a Dual CPU system? If you run it in multi-threaded mode, yes. But unless your server is *very* busy, dual CPU's are overkill. Alan DeKok.

RE: AVPair question

2005-07-15 Thread Guy Davies
You should not edit the main dictionary file. You should create this as a separate file (called dictionary.colubris) with all the other dictionary.foo files (normally in /usr/local/share/freeradius/). Then look in the file called dictionary in the same directory and make sure (as it says in the c

Re: AVPair question

2005-07-15 Thread Alan DeKok
Andrey <[EMAIL PROTECTED]> wrote: > When I try to authenticate, I get "unknown-vendor 8744, size 30 = '' " for my > attributes dump. What am I missing? Is there a separate file for defining > vendors? That message is not coming from FreeRADIUS. The message means that the client is being sent

Re[2]: segmentation fault

2005-07-15 Thread avudz
DH Alan, Friday, July 15, 2005, 10:53:39 PM, you wrote: AD> You probably have two incompatible copies of the server on the same AD> platform. --- i don't know if i can run 2 or more radius on my machine ? and listen to another port, range from 1812-1814, 1815-1817 etc.. the condition is, my c

Re: No packet from client

2005-07-15 Thread Randal W. Carpenter
Hi, Perhaps you don't have them opened for UDP traffic or maybe the chilli client is set up to use the old non-standard ports of 1645/1646/1647 instead of the official 1812/1813/1814 ones? Old clients defaulted to 1645, and though I figure you checked the port first, just thought I'd mention

Re: FreeRadius Chillispot

2005-07-15 Thread sean
On Fri, 2005-07-15 at 18:10 +0200, freeradius-users- [EMAIL PROTECTED] wrote: > > DSL Modem has pinholes set up directing traffic coming to the static > ip > > out to the same ports on 192.168.1.2 IE 82.141.232.132:1812 sent to > > 192.168.1.2:1812 > > This works fine for Kannel, Apache etc. > >

Re: Re[2]: segmentation fault

2005-07-15 Thread Alan DeKok
avudz <[EMAIL PROTECTED]> wrote: > i don't know if i can run 2 or more radius on my machine ? Yes, you can. You don't need two *installations*, though. Just install one, and configure two services. > and > listen to another port, range from 1812-1814, 1815-1817 etc.. the > condition is,

Re: FreeRadius Chillispot

2005-07-15 Thread Alan DeKok
sean <[EMAIL PROTECTED]> wrote: > What I'm trying to understand is the sequence of events. When > the hospotlogin.cgi script gets a request from a Chillispot user from > the AP, does the cgi script initiate the Radius request? I would presume so. See the Chillispot docs for how it works. Ala

building

2005-07-15 Thread DALE REAMER
I am new to tweaking freeradius code. Since I am having trouble forming the information to be encrypted by SSL and then sent to the wpa_supplicant (bad decryption or bad mac error on the wpa_supplicant side, and also sometimes on the server side) I want to put in some printf's in freeradius, p

Re: FreeRadius Chillispot

2005-07-15 Thread Lutz Petersen
> I have setup pinholes for both tcp and udp on ports 1812, 1813 and 1814. > They all point to the Radius server on 192.168.1.2. The Chillispot on > 192.168.1.6 can direct traffic to the CGI login but sends nothing to > Radius. What I'm trying to understand is the sequence of events. When > the ho

Re: building

2005-07-15 Thread Alan DeKok
DALE REAMER <[EMAIL PROTECTED]> wrote: > I am new to tweaking freeradius code. Since I am having trouble > forming the information to be encrypted by SSL and then sent to the > wpa_supplicant (bad decryption or bad mac error on the > wpa_supplicant side, and also sometimes on the server side) I wa

Logging question

2005-07-15 Thread Michel Bélanger
I have recently installed Freeradius 1.0.4 on Freebsd 5.4 and I have a question about the logging method. I need to log ALL output in MySQL but freeradius seems to log only some items. Is it possible to log all the details? PS: sorry for my bad English. -Michel Example of the details w

Re: building

2005-07-15 Thread DALE REAMER
    In tls.c I want to add some code to tls_handshake_send:   int tls_handshake_send(tls_session_t *ssn){ int err;  /*  * If there's un-encrypted data in 'clean_in', then write  * that data to the SSL session, and then call the BIO function  * to get that encrypted data from the SSL session, into 

Re: Chillispot FreeRadius

2005-07-15 Thread sean
On Fri, 2005-07-15 at 20:58 +0200, freeradius-users- [EMAIL PROTECTED] wrote: > > I have setup pinholes for both tcp and udp on ports 1812, 1813 and > 1814. > > They all point to the Radius server on 192.168.1.2. The Chillispot > on > > 192.168.1.6 can direct traffic to the CGI login but sends noth

DICTIONNARY PERMISSION - Please Help

2005-07-15 Thread Aime
All, What can cause dictionary permissions even if /etc/freeradius/dictionnary has rwxrwxrwx as permissions setting I am getting the following: radclient: dict_init: Couldn't open dictionary "/etc/freeradius/dictionary": Permission denied The call of radclient is done from a cgi script . Apache