Re: \000 in octets attribute?

2006-06-15 Thread Stefan Winter
Hi, I'm having a curious problem with a vendor-specific single-byte octets-attribute and attr_rewrite. Essentially, I'm trying to rewrite an ascii 0 to a single-byte 0x00 value. But after this rewrite rule, a zero-byte value is returned instead. Any way to get around this? With \001,

Re: freeradius post

2006-06-15 Thread Stefan Winter
Hi, rlm_sql: Failed to create the pair: Unknown value for attribute ChilliSpot-Max-Output-Octets rlm_sql (sql): Error getting data from database Fix your dictionaries. This attribute doesn't exist. Isn't it Chili, not Chilli? THE ACCEPT rad_check_password: Found Auth-Type Local auth:

rlm_detail and radrelay concurrence

2006-06-15 Thread Michael Chernyakhovsky
Hello everyone, I use radrelay. There are errors in the log from rlm_detail like: Error: rlm_detail: Couldn't open file /var/log/radius/radacct/detail-relay: Bad file descriptor. While examining rlm_detail.c I found two places in it. First, while opening (creating if needed) the detail file (line 204

Re: \000 in octets attribute?

2006-06-15 Thread Erik Bolsø
On 2006-06-15 07:50, Stefan Winter [EMAIL PROTECTED] wrote: Hi, I'm having a curious problem with a vendor-specific single-byte octets-attribute and attr_rewrite. Essentially, I'm trying to rewrite an ascii 0 to a single-byte 0x00 value. But after this rewrite rule, a zero-byte value

PEAP

2006-06-15 Thread Naveen
Hi All, I just want to configure freeradius with PEAP (MS-CHAP v2). I am new to freeradius and certificates. I just want to clarify with the experts here: do I need any certificate on the client side if I use my own CA with OpenSSL? Thanks for help. Regards, Naveen - List

Re: \000 in octets attribute?

2006-06-15 Thread Stefan Winter
Essentially, the vendor-specific attribute value is a 1-byte unsigned integer, not a string. Haven't done a live test yet, so I do not know how it handles the empty value. Perhaps all goes well. I'll let you know. Then you are supposed to use the integer type, not octets (then, you don't

Re: PEAP

2006-06-15 Thread Stefan Winter
Hi (sorry, I'm not Alan, hope you don't mind) I just want to configure freeradius with PEAP ( MS-Chap V2) . iam new to freeradius and certificates. I just want to clear from experts here that does I need any certificate in client side if I use my ownca with open SSL ? No. PEAP can do

Re: \000 in octets attribute?

2006-06-15 Thread Bjørn Mork
Stefan Winter [EMAIL PROTECTED] writes: I'm having a curious problem with a vendor-specific single-byte octets-attribute and attr_rewrite. Essentially, I'm trying to rewrite an ascii 0 to a single-byte 0x00 value. But after this rewrite rule, a zero-byte value is returned instead. Any way

RE: PEAP

2006-06-15 Thread Naveen
Mean I don’t want any CA or client certificate right even if I use my ownca by Openssl ? -Original Message- From: Stefan Winter [mailto:[EMAIL PROTECTED] Sent: Thursday, June 15, 2006 5:11 PM To: [EMAIL PROTECTED]; FreeRadius users mailing list Subject: Re: PEAP Hi (sorry, I'm not

Re: \000 in octets attribute?

2006-06-15 Thread Bjørn Mork
Stefan Winter [EMAIL PROTECTED] writes: Essentially, the vendor-specific attribute value is a 1-byte unsigned integer, not a string. Haven't done a live test yet, so I do not know how it handles the empty value. Perhaps all goes well. I'll let you know. Then you are supposed to use the

Authentication with Kerberos

2006-06-15 Thread thomas hahusseau
Hello, I would like to set up that kind of configuration: EAP-PEAP(Mschapv2) Request --- AP --- Freeradius Kerberos authentication to an Active Directory. In fact I would like to use Kerberos (which is supported by Active Directory) instead of ntlm_auth; in the freeradius features list

Re: \000 in octets attribute?

2006-06-15 Thread Erik Bolsø
On 2006-06-15 11:09, Stefan Winter [EMAIL PROTECTED] wrote: Essentially, the vendor-specific attribute value is a 1-byte unsigned integer, not a string. Haven't done a live test yet, so I do not know how it handles the empty value. Perhaps all goes well. I'll let you know. Then you

Re: \000 in octets attribute?

2006-06-15 Thread Stefan Winter
RFC 2865 says Note that none of the types in RADIUS terminate with a NUL (hex 00). In particular, types text and string in RADIUS do not terminate with a NUL (hex 00). The Attribute has a length field and does not use a terminator. Text contains UTF-8 encoded 10646

Re: PEAP

2006-06-15 Thread Stefan Winter
Hi, Mean I don’t want any CA or client certificate right even if I use my ownca by Openssl ? sorry, I was unable to parse your question. As in: the sentence does not make sense to me. What exactly do you want to know? I'll try my best to give a generic answer... The server needs one

Re: \000 in octets attribute?

2006-06-15 Thread Stefan Winter
Hi, Then you are supposed to use the integer type, not octets No, that would be 4 octets. A 1-octet attribute allowing any value must be of type string (in RFC language, octets in FreeRADIUS). Ah. Then you are in the unlucky position that you are not allowed to send a \000 to your NAS.

Re: \000 in octets attribute?

2006-06-15 Thread Stefan Winter
Nothing forbidding a NUL here... servers and clients MUST be able to deal with embedded nulls. A 1-byte string containing just \000 seems perfectly valid to me. Did you read what I wrote about embedded vs terminating? I'm closing this incredibly pointless discussion, don't expect to hear from

Re: public secret and public radius server. Is it secure?

2006-06-15 Thread Stefan Winter
Hi, this is again an example where a RadSec extension would come in extremely handy. Short wrapup: RadSec establishes connections via TCP and TLS and transports the RADIUS payload over it, so clients can be identified by their TLS certificate; IPs and shared secrets become obsolete.

Re: \000 in octets attribute?

2006-06-15 Thread Bjørn Mork
Stefan Winter [EMAIL PROTECTED] writes: RFC 2865 says Note that none of the types in RADIUS terminate with a NUL (hex 00). In particular, types text and string in RADIUS do not terminate with a NUL (hex 00). The Attribute has a length field and does not use a

Re: \000 in octets attribute?

2006-06-15 Thread Erik Bolsø
On 2006-06-15 12:05, Stefan Winter [EMAIL PROTECTED] wrote: Hi, Then you are supposed to use the integer type, not octets No, that would be 4 octets. A 1-octet attribute allowing any value must be of type string (in RFC language, octets in FreeRADIUS). Ah. Then you are in the

Re: \000 in octets attribute?

2006-06-15 Thread Bjørn Mork
Stefan Winter [EMAIL PROTECTED] writes: Nothing forbidding a NUL here... servers and clients MUST be able to deal with embedded nulls. A 1-byte string containing just \000 seems perfectly valid to me. Did you read what I wrote about embedded vs terminating? I'm closing this incredibly

Re: \000 in octets attribute?

2006-06-15 Thread Stefan Winter
Hi, So I must do source-level hacks to be able to send a 1-octet \000 attribute, with current FreeRADIUS? Have I understood you correctly? At least, a more pragmatic reply. :-) Yes, in my understanding of the FR code, this would need source code modifications. Still my opinion is to instead

Re: \000 in octets attribute?

2006-06-15 Thread Bjørn Mork
Erik Bolsø [EMAIL PROTECTED] writes: So I must do source-level hacks to be able to send a 1-octet \000 attribute, with current FreeRADIUS? Have I understood you correctly? Seems to work here, as long as the attribute is of type octets. This test file: [EMAIL PROTECTED]:/usr/local/test$ cat

Re: \000 in octets attribute?

2006-06-15 Thread Erik Bolsø
On 2006-06-15 14:00, Bjørn Mork [EMAIL PROTECTED] wrote: Erik Bolsø [EMAIL PROTECTED] writes: So I must do source-level hacks to be able to send a 1-octet \000 attribute, with current FreeRADIUS? Have I understood you correctly? Seems to work here, as long as the attribute is of type

Re: Authentication with Kerberos

2006-06-15 Thread thomas hahusseau
The problem is that my wifi card (Cisco Aironet) doesn't support TTLS; I'll try to find one which supports it. About TTLS, is it that kind of EAP authentication with: Step 1: TLS handshake, 1 certificate on the radius server and 1 certificate on the supplicant? Step 2: Kerberos or any other kind

Re: \000 in octets attribute?

2006-06-15 Thread Stefan Winter
Hi, Seems to work here, as long as the attribute is of type octets. Hm, what exactly do you mean? Calling-Station-Id =\000 results in: Calling-Station-Id = This is the behaviour I described as fine (the \000 is kicked since it is the last character, and what remains is a

Re: \000 in octets attribute?

2006-06-15 Thread Bjørn Mork
Erik Bolsø [EMAIL PROTECTED] writes: On 2006-06-15 14:00, Bjørn Mork [EMAIL PROTECTED] wrote: Seems to work here, as long as the attribute is of type octets. Calling-Station-Id is a FreeRADIUS string, not to be confused with an RFC2865 string. MS-CHAP-Challenge is a FreeRADIUS octets type.

Re: \000 in octets attribute?

2006-06-15 Thread Bjørn Mork
Stefan Winter [EMAIL PROTECTED] writes: Seems to work here, as long as the attribute is of type octets. Hm, what exactly do you mean? Calling-Station-Id =\000 results in: Calling-Station-Id = This is the behaviour I described as fine (the \000 is kicked since it is the last

Re: \000 in octets attribute?

2006-06-15 Thread Stefan Winter
Notice the MS-CHAP-Challenge. That's why I said as long as the attribute is of type octets. Calling-Station-Id is truncated at the first NUL. MS-CHAP-Challenge is transmitted, even if it contains just a single NUL octet Okay, could you try to put 0x00 into the Calling-Station-Id and \000

Re: Freeradius 1.1.1: 'sqlippools' concurrency problems

2006-06-15 Thread Robles Rodriguez,Alejandro
Alan DeKok [EMAIL PROTECTED] wrote: A simple solution would be to go to the bottom of rlm_sqlippool.c, and change it from RLM_TYPE_THREAD_SAFE to RLM_TYPE_THREAD_UNSAFE. Then re-compile re-install. That would be the case if I only had one single radiusd running, however as already mentioned

Re: \000 in octets attribute?

2006-06-15 Thread Bjørn Mork
Stefan Winter [EMAIL PROTECTED] writes: Notice the MS-CHAP-Challenge. That's why I said as long as the attribute is of type octets. Calling-Station-Id is truncated at the first NUL. MS-CHAP-Challenge is transmitted, even if it contains just a single NUL octet Okay, could you try to put

Re: \000 in octets attribute?

2006-06-15 Thread Stefan Winter
Great, thanks. Then my guess is that xlat (which is invoked in radiusd to mangle strings) strips the value, while things work good on the client side, which doesn't use xlat. I think xlat also isn't involved with Proxy-State and friends, so these are untouched. But this is getting beyond my

Re: \000 in octets attribute?

2006-06-15 Thread Alan DeKok
So I must do source-level hacks to be able to send a 1-octet \000 attribute, with current FreeRADIUS? Have I understood you correctly? No. Use the octets type, and set the value to 0x00. The problem comes because you're either using string type, or you're using octets, but assigning a

Re: Freeradius 1.1.1: 'sqlippools' concurrency problems

2006-06-15 Thread Alan DeKok
Robles Rodriguez,Alejandro [EMAIL PROTECTED] wrote: That would be the case if I only had one single radiusd running, however as already mentioned this solution encompasses a number of radius servers each with its own mysql server and the same storage (NDB cluster) behind the scenes i.e.

RFC violations (was Re: \000 in octets attribute? )

2006-06-15 Thread Alan DeKok
Bjørn Mork [EMAIL PROTECTED] wrote: Stripping NULs off the end of a string is interpreting them as string terminators. The RFC forbids this. No, it doesn't. And even if it did, who cares? It demands that implementations deal with embedded NULs. If FreeRADIUS strips

Re: rlm_detail and radrelay concurrence

2006-06-15 Thread Alan DeKok
Nicolas Baradakis [EMAIL PROTECTED] wrote: I think the fixes are in CVS head but they were never included in any stable release. Whoops, that's a bug. It should be fixed in both rlm_detail and radrelay. Alan DeKok.

rlm_perl forking zombies

2006-06-15 Thread david . suarezdelis
Greetings, I have FreeRadius 1.1.0 working on Debian 3.1 on an Intel box. When using rlm_perl, the authenticate() sub does its job and, eventually, calls a method to send an email to a certain address before returning OK. The problem is that this SMTP connection can take longer than wished,

Re: rlm_perl forking zombies

2006-06-15 Thread Stephen Gran
On Thu, Jun 15, 2006 at 05:42:45PM +0200, [EMAIL PROTECTED] said: Greetings, I have FreeRadius 1.1.0 working on Debian 3.1 on an Intel box. When using rlm_perl, the authenticate() sub does its job and, eventually, calls a method to send an email to a certain address before returning OK.

Re: rlm_perl forking zombies

2006-06-15 Thread Alan DeKok
[EMAIL PROTECTED] wrote: By itself, this works and no zombies are left behind, as expected. However, when used with FreeRadius, zombies are left behind. FreeRADIUS has a wrapper around fork() that modules are expected to use. The reason is that the server is threaded, and some modules want

Re: Problems Using Digest-HA1 with MySQL storage backend

2006-06-15 Thread Tavis P
Alan DeKok wrote: Tavis P [EMAIL PROTECTED] wrote: mysql SELECT id,UserName,Attribute,Value,op FROM radius_check WHERE Username = '200110005339' ORDER BY id; ++--+--+--++ | id | UserName | Attribute| Value

Bug with multiple IPs?

2006-06-15 Thread Matt
I have freeradius running on a machine with 2 IPs. I have it binding to all available IPs. xxx.xxx.xxx.44 is the main IP of the machine xxx.xxx.xxx.26 is the secondary IP. (eth0:1) When a request comes in on .26 freeradius processes it and THEN sends the reply out .44! Is this the way it is

Re: Problems Using Digest-HA1 with MySQL storage backend

2006-06-15 Thread Philippe Sultan
That fixed it, thank you Alan. Tavis, could you please fill in a 1.4.2 paragraph in the wiki that describes your FR setup with an SQL backend?

Re: Bug with multiple IPs?

2006-06-15 Thread Jacques Marneweck
Matt wrote: I have freeradius running on a machine with 2 IPs. I have it binding to all available IPs. xxx.xxx.xxx.44 is the main IP of the machine xxx.xxx.xxx.26 is the secondary IP. (eth0:1) When a request comes in on .26 freeradius processes it and THEN sends the reply out .44! Is

Re: Bug with multiple IPs?

2006-06-15 Thread Kevin Bonner
On Thursday 15 June 2006 13:20, Matt wrote: I have freeradius running on a machine with 2 IPs. I have it binding to all available IPs. xxx.xxx.xxx.44 is the main IP of the machine xxx.xxx.xxx.26 is the secondary IP. (eth0:1) When a request comes in on .26 freeradius processes it and THEN

Re: Bug with multiple IPs?

2006-06-15 Thread Matt
AHHHA! I did *not* use with-udpfromto... DOH! On 6/15/06, Kevin Bonner [EMAIL PROTECTED] wrote: On Thursday 15 June 2006 13:20, Matt wrote: I have freeradius running on a machine with 2 IPs. I have it binding to all available IPs. xxx.xxx.xxx.44 is the main IP of the machine

FreeRadius rlm_sql dumps if database server hiccups

2006-06-15 Thread Matt
Hi, We use FreeRadius with unixODBC and rlm_sql to connect to a Microsoft SQL database. All works great... except if the SQL database goes down, the firewall has the translate table, someone trips over a network cable, anything that causes the connection between the radius and SQL to be

Openvpn server and Freeradius client

2006-06-15 Thread hal
running: Redhat Enterprise Linux version 4 Openvpn 2.0.7 (server) freeradius pam_radius-1.3.16 (client) Using the above the Openvpn server will authenticate an Openvpn client using a radius server on a remote machine. The above ONLY works when the username supplied by the

FreeRADIUS + LDAP Authentication/Authorization + MySQL Accounting

2006-06-15 Thread Dan Brummer
Hello, I have been researching the use of FreeRADIUS on my network for the past few days. I'm not sure if FreeRADIUS can do what I want. Here is a list of my requirements: -Authentication through LDAP -Authorization through LDAP -Accounting through MySQL I have multiple Cisco and

RE: FreeRADIUS + LDAP Authentication/Authorization + MySQL Accounting

2006-06-15 Thread Seferovic Edvin
-Authentication through LDAP YES. Using it currently! -Authorization through LDAP YES. See above :) -Accounting through MySQL YES. Doing traffic accounting. I have multiple Cisco and Foundry devices on my network. The RADIUS server will primarily be used for AAA for Telnet/SSH logins and