Re: Access-Reject in a php script

2007-10-25 Thread Patric
[EMAIL PROTECTED] wrote: Hi, echo Session-Timeout:=100; else echo Access-Reject; //NOT WORKING!! hmmm, normally/properly you don't send such attributes back - that's a server job. you should simply exit with the return code that equals reject. alan That is correct. I had

Number of requests for Free radius

2007-10-25 Thread Anoop
Hi I am using free radius 1.1.7 and eap tls authentication. I would like to know the maximum number of users/ authentication requests that it can handle? Regards Anoop -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED] Sent: Thursday,

Re: Access-Reject in a php script

2007-10-25 Thread Alan DeKok
Patric wrote: But when you exit(2) in PHP, freeradius thinks that the script failed and does not respond to the access-request... It delays the Access-Reject. See the debug output. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Number of requests for Free radius

2007-10-25 Thread Alan DeKok
Anoop wrote: ... Please edit your posts to the list. It's useless to include an entire digest message. I am using free radius 1.1.7 and eap tls authentication. I would like to know the maximum number of users/ authentication requests that it can handle? It depends on CPU, memory, etc.

A question about rlm modules

2007-10-25 Thread Ali Majdzadeh
Hello all I have written an rlm_module. It works fine. Here, we have clients which should be authenticated using CHAP passwords. In the radiusd.conf, I have mentioned my module before the CHAP module in the authentication section. Also, I have found that my module should populate the

Re: Access-Reject in a php script

2007-10-25 Thread Patric
Alan DeKok wrote: Patric wrote: But when you exit(2) in PHP, freeradius thinks that the script failed and does not respond to the access-request... It delays the Access-Reject. See the debug output. Alan DeKok.

Re: A question about rlm modules

2007-10-25 Thread Alan DeKok
Ali Majdzadeh wrote: I have written an rlm_module. It works fine. Here, we have clients which should be authenticated using CHAP passwords. In the radiusd.conf, I have mentioned my module before the CHAP module in the authentication section. Also, I have found that my module should populate the

Re: FR-2.0.0-pre2 - doubled sql accounting

2007-10-25 Thread Alan DeKok
Tomasz Zieleniewski wrote: I have the home_server configuration which points to my localhost. Why? So the scenario is the following that when I receive the Accounting-Request with the user name of the form [EMAIL PROTECTED] I check the realm for particular domain and strip the user name

Stripping Username (EAP-TLS)

2007-10-25 Thread s3b0
Hi everyone, i am using Freeradius 1.1.7 on Suse Linux Enterprise 10. I try to authenticate user with EAP-TLS. Everything worked fine, until i activated the check of cert_cn. eap.conf: --- # This check is done only if the previous # check_cert_issuer is not set, or if # the

Sqlippool debian - sql_get_socket unresolved symbol

2007-10-25 Thread Francesco Cristofori
Hi all, I know the topic has been discussed about a year ago, but I'd like to know if it's going to be solved. I know that Alan said it's not a FR issue (http://lists.cistron.nl/pipermail/freeradius-users/2006-October/057588.html), but many people say that turning on RTLD_GLOBAL is a security

Re: A question about rlm modules

2007-10-25 Thread Ali Majdzadeh
Hello Alan Yes, I am sure that the code works correctly, because the CHAP module accepts the clear text password which I have provided in the request-config_items. Below is my code for the authorize section of the module: static int netbill_authorize (void *instance, REQUEST *request) {

Re: Are SHA-256 certificates supported?

2007-10-25 Thread hannu . lammi
Hi, I can live with this hack in my test server, but would appreciate it if FreeRADIUS added official support for SHA-256 digests. I've added the appropriate OpenSSL initialization call to the source. Alan DeKok. thank you. The CVS version seems to work with my certificates, and also

Re: A question about rlm modules

2007-10-25 Thread Alan DeKok
Ali Majdzadeh wrote: Hello Alan Yes, I am sure that the code works correctly, because the CHAP module accepts the clear text password which I have provided in the request-config_items. Below is my code for the authorize section of the module: That looks OK. Thu Oct 25 13:18:42 2007 :

Re: Sqlippool debian - sql_get_socket unresolved symbol

2007-10-25 Thread Alan DeKok
Francesco Cristofori wrote: I know that Alan said it's not a FR issue (http://lists.cistron.nl/pipermail/freeradius-users/2006-October/057588.html), but many people say that turning on RTLD_GLOBAL is a security weakness, so perhaps it's overall good to fix the code to make it work even with

Re: Access-Reject in a php script

2007-10-25 Thread manIP
Hi, I have put exit(2) but as Patric said, freeradius thinks that the script failed and does not respond to the access-request. In the client side, there is a server time out...I don't know if that server time out is assumed as an Access-Reject? Maybe the problem comes from PHP and I could use

Re: Access-Reject in a php script

2007-10-25 Thread Patric
manIP wrote: Hi, I have put exit(2) but as Patric said, freeradius thinks that the script failed and does not respond to the access-request. In the client side, there is a server time out...I don't know if that server time out is assumed as an Access-Reject? No it does not assume an

Re: Access-Reject in a php script

2007-10-25 Thread Alan DeKok
manIP wrote: I have put exit(2) but as Patric said, freeradius thinks that the script failed and does not respond to the access-request. In the client side, there is a server time out...I don't know if that server time out is assumed as an Access-Reject? Set reject_delay = 0 in

RE: no DB handles

2007-10-25 Thread Doc. Caliban
Hello, I have a clean install of FreeRadius 1.1.7 with MySQL support. I have a database on a separate machine that is used for almost nothing (no traffic). I would think sockets are not an issue. I set the radius database up based on the instructions on this page:

Re: no DB handles

2007-10-25 Thread Alan DeKok
Doc. Caliban wrote: When I try an authentication test, I receive the no DB handles error. What does the full debug log say? Odds are that the DB connection parameters are wrong, and the server cannot open the DB. Alan DeKok.

Re: no DB handles

2007-10-25 Thread Doc. Caliban
Alan DeKok wrote: What does the full debug log say? Sadly, I've joined this mailing list to ask this question, and ultimately show what an amateur I am. I just found out that mysql is only listening to localhost. That's all it's ever been used for. D'oh! (I did not know that was a

limited hours per user

2007-10-25 Thread hadi golestani
Hi, I'm using freeRadius with poptop and it's logging all accounting issues well, but how can I add some rules to restrict people, e.g. how to restrict a group of users to only connect 2 hours per day? tnx

Adding users to the mySQL database

2007-10-25 Thread Doc. Caliban
The db admin here is telling me that there has to be some standardized way of adding users to the database. I don't know anything about SQL. He is talking about the ID field or something like that. What is the standard way of doing this? We have an existing db of all of the user names and

rlm_sqlcounter and user realms

2007-10-25 Thread Carlos A. Carnero Delgado
Hello, I'm trying to set rlm_sqlcounter up so that I can check for a monthly use quota. Everything works, except the checks. The NAS presents the user names with a realm, which I'm processing (thus, [EMAIL PROTECTED] becomes user.) Using SQL for accounting and such is working marvelously. Now, when

Cisco NAS Password problem

2007-10-25 Thread John Morris
Hello: I am new to using Freeradius, and I am using Freeradius 1.1.6 that comes with Ubuntu Server 7.10. I have set up Freeradius with MySQL as the backend database. I set up one of my Cisco 3550 switches to use Radius as the login method. This worked fine, authentication was running

Re: Cisco NAS Password problem

2007-10-25 Thread Kevin Bonner
On Thursday 25 October 2007 17:26:10 John Morris wrote: I then added a second switch to the freeradius client configuration (nas table), and encountered a problem. The password was being rejected. So I ran Freeradius -X so I could see what was going on. On the failed password attempt

RE: Cisco NAS Password problem

2007-10-25 Thread John Morris
Debug output like this usually points to non-matching RADIUS secrets. Check the radius secret in your switch config as well as the secret configured in your nas SQL table. Freeradius only reads the nas table on startup, so if you make changes to that table, you must restart the daemon for those

Re: Cisco NAS Password problem

2007-10-25 Thread Andy Billington
Is there a way to define NAS info / secrets in a SQL database and have it as part of the standard queries? Am guessing the perl / python options would let you do it from that (pls correct me tho if not right!) but can it just be done without writing code? Tia Andy On 25/10/2007, John Morris

NAS in SQL

2007-10-25 Thread Alan DeKok
Andy Billington wrote: Is there a way to define NAS info / secrets in a SQL database Yes. See the sql.conf file. Alan DeKok.

Re: rlm_sqlcounter and user realms

2007-10-25 Thread Alan DeKok
Carlos A. Carnero Delgado wrote: My question is, how can I modify this query definition (and the others from sqlcounter.conf) so that they really check against the stripped user name. Use the Stripped-User-Name attribute. Alan DeKok.

Re: Cisco NAS Password problem

2007-10-25 Thread Alan DeKok
John Morris wrote: It surprises me that the debug output doesn't appear to mention the failure of the NAS secret. It does. There's a big WARNING during the authentication portion. I would have thought I would have gotten then that message and that the auth would have stopped there. It