Re: Unable to load EAP-Type/ttls, as EAP-Type/TLS is required first
Holger Schurig [EMAIL PROTECTED] wrote:
Is there a technical reason that EAP-TTLS and EAP-PEAP both need EAP-TLS first?

Yes. Why would it be otherwise? TTLS & PEAP both involve using EAP-TLS, and then tunneling additional data in the TLS tunnel. Therefore, they both need EAP-TLS.

I thought TLS is where both the server and the clients have certificates. And TTLS is where only the client has a certificate (of the server). Therefore, TTLS and PEAP need only a subset of TLS, right?

Now, when I enable TTLS (and TLS because I need it) in radiusd.conf, then some client can try to authenticate/authorize with TLS. It's on, isn't it? And the client doesn't get back something like "protocol not supported", but negative authentification. So I would have thought that this is possible and makes sense:

# tls {
# ...
#}
ttls {
certificate_file = ${prefix}/ca/cert-srv.pem
}

But then again I'm absolutely not sure :-)

--
Try Linux 2.6 from BitKeeper for PXA2x0 CPUs at http://www.mn-logistik.de/unsupported/linux-2.6/

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: problem compiling rlm_eap_tls
./configure --with-openssl-includes=/usr/local/ssl/include/ --with-openssl-libraries=/usr/local/ssl/lib

This one looks better; --with-openssl-libs is not supported, see the configure or configure.in file.

But it still gives me the above error. Any more suggestions?

Look at your config.log file and look for the place of the error. You'll see output prepended with line numbers. Those numbers refer to the configure file. Look up what testing takes place and what the error on the compiler/link level is. Configure creates little test programs, compiles & links them and looks for the result. It then concludes if something is working or not based on this info. Therefore looking at the underlying stuff usually gives hints towards the real problem.
Re: filtering attributes in proxy
Have you tried with pre-proxy and attr_rewrite?

I'm trying but the attr_rewrite module is not called (/usr/sbin/freeradius -x). I don't know why.

No I haven't. Use -X instead of -x, it'll show a lot of things. And have you included that in the pre-proxy section in radiusd.conf? Sergio.

But when I start the server I get this message at the end, and the server exits:

Module: Instantiated attr_filter (attr_filter)
radiusd.conf: attr_filter modules aren't allowed in 'pre-proxy' sections -- they have no such method.

<shrug> Edit the source code for attr_filter to include a pre-proxy section.

This is done in the latest CVS for post-proxy. I've got a patch we've used internally for pre-proxy. I'll commit it today.

Has it been committed to CVS? I just downloaded. Couldn't see the pre-proxy method in rlm_attr_filter. I'd appreciate it very much right now.

No, I'm still working on cleaning the patch up, as well as adding accounting methods for the module. I'll post to the list when it is in CVS, which should hopefully be later today.

-Chris
--
Chris Parker, Director, Engineering, StarNet Inc. "WX *is* Wireless!" http://www.starnetwx.net (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
RE: filtering attributes in proxy
Until I get a working solution, I am using attr_rewrite in preacct. The attribute is always filtered, not only in requests to be proxied. I do not know if it suits you well. Sergio.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of denz
Sent: Wednesday, 10 December 2003 7:37
To: [EMAIL PROTECTED]
Subject: Re: filtering attributes in proxy
FreeRadius with MySQL
Hi! Don't know why, but when I try to authenticate a user using the database it doesn't work. I commented out these lines in the file /etc/raddb/users:

# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
#DEFAULT Auth-Type = System
# Fall-Through = 1

to force Auth-Type from the database, and I get this error:

rad_recv: Access-Request packet from host 192.168.0.60:32799, id=228, length=61
        User-Name = "aferreira"
        User-Password = "stag"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/192.168.0.60/auth-detail-20031210'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.60/auth-detail-20031210
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "aferreira", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds

Anybody know what happened?

Leandro Sant'ana
Meu Provedor Tecnologias e Informática Ltda.
Rua Camerino, 128 Grs. 302, Centro - Rio de Janeiro - RJ - CEP 20080-010
Tel.: 55 21 25181011 (PABX/FAX), Celular: 55 21 8844-2645
FreeRadius with MySQL
Leandro, see to it you included sql in authorization and accounting. Other helpful information: http://www.frontios.com/freeradius.html

=
wilfredo pahilanga apellido jr., technical support, mactan online, bacolod city, philippines, +63 34 4348311
If you can't hear me, it's because i'm in parentheses.
Re: Compilation Problem using EAP/TLS
hello, your snapshot version of freeradius isn't the one that is mentioned in the HOWTO, and the syntax is different on this new version! I had the same problem as you, and I tested with the snapshot of the HOWTO. If you use it, you will see that your errors will disappear and your TLS tunnel will work. But I will be very interested in which syntax and options can be used for new snapshots ?? Of course it's not those in the HOWTO, because I tried so many times without results! If someone knows about it?

(RedHat 6.2) Using the CVS snapshot from 20031208, I configured the Makefile in src/modules/rlm_eap/types/rlm_eap_tls to match the documentation provided by Raymond McKay at http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm#7. Nothing existed in the Makefile when I accessed it with pico. The current text is:

TARGET = rlm_eap_tls
SRCS = rlm_eap_tls.c eap_tls.c cb.c tls.c mppe_keys.c
RLM_CFLAGS = $(INCLTDL) -I../.. -I/usr/local/openssl/include
HEADERS = eap_tls.h
RLM_INSTALL =
RLM_LDFLAGS += -L/usr/local/openssl/lib
RLM_LIBS += -lssl -lcrypto
$(STATIC_OBJS): $(HEADERS)
$(DYNAMIC_OBJS): $(HEADERS)
RLM_DIR=../../
include ${RLM_DIR}../rules.mak

I have triple checked that the directories provided (/usr/local/openssl/include and lib) are the valid paths to the openssl-SNAP installation. Upon building freeRADIUS, however, when the Makefile is reached, errors occur and the process aborts. I have installed freeRADIUS on this machine previously and am planning on installing right over the top of the 0.9.3 build so I can use PEAP/MSCHAPv2. Any ideas why this is failing?

One other tidbit: Raymond's HOWTO has one check on installation of openssl-SNAP-20021027 that libssl.so and libssl.so.0 are symlinked to libssl.so.0.9.8 and that libcrypto.so & libcrypto.so.0 are symlinked to libcrypto.so.0.9.8. What is symlinked? libcrypto.so.0.9.8 and libssl.so.0.9.8 exist, but libssl.so, libssl.so.0, libcrypto.so, and libcrypto.so.0 are not contained within /lib.

Perhaps this is my problem? Thanks, Justin
Eap ttls and LDAP
Hi, I am using freeradius 0.9.3 on a linux box. I have found the eap_ttls module in the CVS tree. How to install it ??? Can anyone explain to me the interest of using EAP TTLS + LDAP? I don't want to use personal certificates but only the login and ldap password of the person. Is TTLS+LDAP a good solution to do that ??? Has anyone tested it ??? Any recommendations ??? Thanx
radrelay
Hello, I have a problem with radrelay (FR 0.9.3). Sometimes detail-combined keeps growing indefinitely on the two servers, and I can see the same accounting record many times in the two detail-combined files, one with the client-ip-address of the other and vice versa. I have a problem with a broken proxy which sends accounting replies with a wrong signature. I also have a problem with another client whose accounting server fails regularly and forces FR to fail over to its backup server. Could these facts make radrelay crazy?
Re: debugging with gdb/ddd
I believe the make install target may strip the objects. gdb on the executable from the source directory. That works fine. If you use libtool in the build, gdb on the radiusd hidden in the .libs directory.

Hey! Look what I found in the configure generated script:

# Check whether --enable-developer or --disable-developer was given.

Try that flag, reconfigure, recompile and reinstall.

Shoujit Mitra wrote:
I have a very basic question regarding debugging radiusd. I guess in the top level Makefile CFLAGS= -ggdb. When I try to run radiusd as "gdb radiusd", GDB complains that no symbols are found. I believe I am missing something somewhere. Please suggest how I can use GDB/DDD to step through the radiusd executable. Thanks, Shoujit

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 5:44 PM
Subject: Freeradius-Users digest, Vol 1 #2609 - 15 msgs

Message: 3
From: Bart Van Daal [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: rlm_sql and huntgroups
Date: Tue, 9 Dec 2003 13:28:28 +0100

Thanks for your pointer Alan, I've searched the list at http://www.mail-archive.com/[EMAIL PROTECTED]/ but didn't come up with an answer. When I put the Huntgroup-Name attribute in my radreply table, everything works fine. When I put it in the radgroupreply table in the same fashion, it doesn't work. Thanks for any help towards the solution. Bart

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Monday, 8 December 2003 19:27
To: [EMAIL PROTECTED]
Subject: Re: rlm_sql and huntgroups

Bart Van Daal [EMAIL PROTECTED] wrote:
Is this a problem with hunt-groups or with all other check items in the mysql radgroupcheck table?

It's a problem just with huntgroups. See the list archives for a description of the problem, and the solution.

Alan DeKok.
Re: Eap ttls and LDAP
On Wed, 10 Dec 2003, Arthur EBEL wrote:
Hi, I am using freeradius 0.9.3 on a linux box. I have found the eap_ttls module in the CVS tree. How to install it ???

./configure
make
make install

Can anyone explain to me the interest of using EAP TTLS + LDAP? I don't want to use personal certificates but only the login and ldap password of the person. Is TTLS+LDAP a good solution to do that ???

Yes it is.

Has anyone tested it ??? Any recommendations ???

It works out of the box. Just uncomment the necessary modules in the authorize/authenticate sections and configure the eap (tls/ttls) and ldap modules.

--
Kostas Kalevras, Network Operations Center, [EMAIL PROTECTED]
National Technical University of Athens, Greece, Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
unknown proxy ?
Hello, Colleagues! I'm using freeradius-0.7.1. I'm trying to configure this freeradius as a proxy server to a remote one.

--
rad_recv: Access-Reject packet from host 195.123.5.10:1288, id=1, length=48
Ignoring request from unknown proxy 195.123.5.10:1288
--

Host 195.123.5.10 was configured in proxy.conf. In naslist too. Tell me, please, what I forgot to do? ;)

-- Alex Radetsky AR2657-RIPE RAD-UANIC
Re: unknown proxy ?
Hi Alex, did you check clients.conf?

Thomas.
Re: unknown proxy ?
On Wed, Dec 10, 2003 at 03:56:45PM +0200, Alex Radetsky wrote:
Host 195.123.5.10 was configured in proxy.conf. In naslist too. Tell me, please, what I forgot to do? ;)

What about clients?

-- Alexey Balabushevich nic-hdl: AB433-RIPE
Re: unknown proxy ?
On Wed, Dec 10, 2003 at 03:11:42PM +0100, Thomas MARCHESSEAU wrote:
Hi Alex, did you check clients.conf?

[EMAIL PROTECTED] bin]# grep 195.123.5.10 /usr/local/radius-proxy/etc/raddb/*
clients: 195.123.5.10 123
clients.conf: client 195.123.5.10 {
proxy.conf: authhost = 195.123.5.10:1812
proxy.conf: accthost = 195.123.5.10:1645

Yes, I do. Ok, I'll search for this message in the sources and will find what I have to do. Thanks! ;)

-- Alex Radetsky AR2657-RIPE RAD-UANIC
Re: unknown proxy ?
On Wed, Dec 10, 2003 at 04:18:30PM +0200, Alexey Balabushevich wrote:
What about clients?

clients conf configured. Please see latest message.

-- Alexey Balabushevich nic-hdl: AB433-RIPE

Wow. Very glad to see you. :)

-- Alex Radetsky AR2657-RIPE RAD-UANIC
unknown proxy ? part 2
Hello! I found this in files.c:

--
REALM *cl;
/*
 * Note that we do NOT check for inactive realms!
 *
 * If we get a packet from an end server, then we mark it
 * as active, and return the realm.
 */
for (cl = realms; cl != NULL; cl = cl->next)
	if ((ipaddr == cl->ipaddr) && (port == cl->auth_port)) {
		cl->active = TRUE;
		return cl;
	} else if ((ipaddr == cl->acct_ipaddr) && (port == cl->acct_port)) {
		cl->acct_active = TRUE;
		return cl;
	}
return NULL;
--

So, if radius gets a packet from a remote server with the configured source IP and port, radiusd marks it as active. But in my case, radius got a packet from the configured source IP, but another port. What does it mean? Does some proxy exist between my radius and the remote one? Is it correct?

PS. I can rewrite this code to create a workaround. But I do not know, maybe it will not be correct.

-- Alex Radetsky AR2657-RIPE RAD-UANIC
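The lookup quoted above is only the first half of what a proxy has to do with a reply: it drops anything that did not come from the host:port it sent the request to, and the Response Authenticator (MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret, RFC 2865 section 3) is what ties the reply to the request and the secret. The same check is what the radrelay thread above calls a reply with a "wrong signature". The following Python is an added example written for this page, not FreeRADIUS code; the secret `testing123`, the home server 195.123.5.10:1812, the identifier and the Request Authenticator bytes 0..15 are constructed values, and the reply from port 1288 mirrors the log line in the thread.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# Code, Identifier, Length; followed on the wire by the 16-byte Authenticator
HEADER = struct.Struct("!BBH")


def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS TLVs; a value may not exceed 253 bytes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_request(code, ident, authenticator, attrs):
    """A request as the proxy would send it. The authenticator is what the
    proxy must remember, per identifier, to validate the reply later."""
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def build_reply(code, ident, request_authenticator, attrs, secret):
    """A reply as a correct home server builds it:
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(reply, request_authenticator, secret):
    """Recompute the Response Authenticator and compare in constant time."""
    if len(reply) < 20:
        return False
    _code, _ident, length = HEADER.unpack(reply[:4])
    if length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def accept_proxy_reply(src, reply, home_server, outstanding, secret):
    """src: (ip, port) the datagram came from.
    home_server: (ip, port) configured for the realm, as in proxy.conf.
    outstanding: {identifier: request_authenticator} of requests we proxied.
    Returns "ok", or a string saying why the reply is dropped."""
    if src != home_server:
        # Same decision as the realm lookup in files.c: wrong host:port, no match.
        return "ignored: unknown proxy %s:%d" % src
    if len(reply) < 20:
        return "ignored: runt packet"
    ident = reply[1]
    request_authenticator = outstanding.get(ident)
    if request_authenticator is None:
        return "ignored: no outstanding request with id %d" % ident
    if not verify_response_authenticator(reply, request_authenticator, secret):
        return "ignored: bad Response Authenticator"
    return "ok"


# Constructed values for a stand-alone run; not taken from the thread.
SECRET = b"testing123"
HOME_SERVER = ("195.123.5.10", 1812)
REQUEST_AUTHENTICATOR = bytes(range(16))
OUTSTANDING = {1: REQUEST_AUTHENTICATOR}

if __name__ == "__main__":
    request = build_request(ACCESS_REQUEST, 1, REQUEST_AUTHENTICATOR, [(1, b"aferreira")])
    reply = build_reply(ACCESS_REJECT, 1, REQUEST_AUTHENTICATOR, [(18, b"denied")], SECRET)
    print(accept_proxy_reply(HOME_SERVER, reply, HOME_SERVER, OUTSTANDING, SECRET))
    # The thread's case: right address, unexpected source port.
    print(accept_proxy_reply(("195.123.5.10", 1288), reply, HOME_SERVER, OUTSTANDING, SECRET))
    # Right address and port, but one byte of the body altered in transit.
    forged = reply[:-1] + bytes([reply[-1] ^ 0x01])
    print(accept_proxy_reply(HOME_SERVER, forged, HOME_SERVER, OUTSTANDING, SECRET))
```

The source check runs before any MD5 work, which is why the server in the thread logs "Ignoring request from unknown proxy" without ever saying whether the signature was good. An Accounting-Response is validated the same way, with the Accounting-Request's own authenticator as the Request Authenticator. The protection is only as strong as the shared secret: MD5 with a short or guessable secret gives an attacker on the path a realistic offline search.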
Re: Running FreeRADIUS with user other than root
On Tuesday 09 December 2003 17:25, Chris Parker wrote: At 05:18 PM 12/9/2003, Michael Shanafelt wrote: I actually already tried that, but still got the same error. Do I need to change the owner of radiusd to the user I want to run it as? What *is* the error message you get. Posting that might be helpful. Also note that you can start radiusd as root, and have it switch to a different user. See the comments in 'radiusd.conf'. You will also want to ensure that the user you are trying to run this as has appropriate permissions to read all of the config files, etc. in /path/to/raddb Just another reminder, that user needs access to write to the log files and rad[wu]tmp too! Nick -- Nick Davis Associate Systems Administrator [EMAIL PROTECTED] Internet Exposure, Inc. http://www.iexposure.com (612)676-1946 Web Development-Web Marketing-ISP Services
One suggestion about the default config file
The FreeRadius default config file is pretty much complete and working right out of the box. It's only that for some more advanced features the admin *must* make some local changes. I've noticed that a lot of questions asked here are due to people not having the patience to read the config file in full, or being confused by options not relevant to the problem they are trying to solve. I propose a solution to this, one that's easy to implement on one hand, but will reduce the confusion some people have about configuring freeradius: I think the config file should be split in several smaller files, included by the main file (for ex. eap.conf, ldap.conf ...). sql.conf is a good example of how this actually works. just my $0.02 -- Damjan Georgievski jabberID: [EMAIL PROTECTED]
Re: FreeRadius with MySQL
Please read the FAQ before posting again. Turn off your Graphic and html. Leandro Sant'ana wrote: A bunch of html with a graphic covering the text
Re: unknown proxy ?
I have noticed you have configured naslist, clients and clients.conf. The clients.conf file is all you need, and you should probably move or remove the clients and naslist files since they are deprecated and may conflict. I have not looked into the source to find out what happens when you have both sets of files, but you should notice the informational messages warning you about these files in your log file. Also, what's up with the ports? It looks like you have two different radius servers running; maybe your problem is that you are looking at the wrong config files.

Alex Radetsky wrote:
[EMAIL PROTECTED] bin]# grep 195.123.5.10 /usr/local/radius-proxy/etc/raddb/*
clients: 195.123.5.10 123
clients.conf: client 195.123.5.10 {
proxy.conf: authhost = 195.123.5.10:1812
proxy.conf: accthost = 195.123.5.10:1645

-- Guy Fraser Network Administrator
how can I allow access only once?
I am giving tickets in a kiosk-environment, and would like to block an account as soon as it is used. So the username and password can only be used once; that's it. What is the easiest way? I am using SQL. Z.
Re: Eap ttls and LDAP
Kostas Kalevras [EMAIL PROTECTED] wrote:
I am using freeradius 0.9.3 on a linux box. I have found the eap_ttls module in the CVS tree. How to install it ???

./configure
make
make install

And watch the server die as soon as it receives an EAP-TTLS request.

Alan DeKok.
Re: expr problems
Nikolas Geyer [EMAIL PROTECTED] wrote: ERROR: Cannot find a configuration entry for module expr. In my radiusd.conf I have the following; expr { } Where? The location of that configuration entry matters. See the default 'radiusd.conf' for examples of where that configuration entry should go. Alan DeKok.
Re: Unable to load EAP-Type/ttls, as EAP-Type/TLS is required first
Holger Schurig [EMAIL PROTECTED] wrote:
I thought TLS is where both the server and the clients have certificates. And TTLS is where only the client has a certificate (of the server).

Yes. If you're unsure, read the RFC's. They're included with the server.

Therefore, TTLS and PEAP need only a subset of TLS, right?

No. They need the entire TLS protocol.

Now, when I enable TTLS (and TLS because I need it) in radiusd.conf, then some client can try to authenticate/authorize with TLS. It's on, isn't it?

Yes. You can turn it off. See the EAP-Type attribute.

And the client doesn't get back something like "protocol not supported", but negative authentification.

You don't understand how RADIUS works. And it's "authentication", not "authentification". RADIUS returns Access-Reject, not "protocol unsupported". And the wireless client doesn't even see that.

So I would have thought that this is possible and makes sense:

# tls {
# ...
#}
ttls {
certificate_file = ${prefix}/ca/cert-srv.pem
}

What about the rest of the configuration options in the TLS module? Are you going to just throw those away? They exist for a reason, you know...

Alan DeKok.
Re: FreeRadius with MySQL
Leandro Sant'ana [EMAIL PROTECTED] wrote:
I commented that's lines in file /etc/raddb/users ...
#DEFAULT Auth-Type = System
# Fall-Through = 1
To force Auth-Type in databases

No. Uncommenting that line means you forced it to NOT use System authentication. But you didn't tell it what OTHER authentication method to use, so the server failed.

modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

Did you try setting an Auth-Type somewhere? What part of the error message is unclear?

Alan DeKok.
Encrypting an Access Reply Attribute
Hello FreeRADIUS Users, I am using FreeRADIUS Version 0.9.2. Does anyone have an example that demonstrates how to encrypt an individual access reply attribute? I was going to encrypt the attribute using a custom Exec-Program-Wait function but I could not figure out how to obtain and pass the NAS' shared secret and the authenticator to the function. I was hoping to find a macro substitution but didn't. Thank you, Tom Stoll
Re: Encrypting an Access Reply Attribute
Tom Stoll [EMAIL PROTECTED] wrote:
Does anyone have an example that demonstrates how to encrypt an individual access reply attribute?

You shouldn't have to. See the dictionary files, and look for encrypt=. If you're going to use the standard User-Password encryption, then create a dictionary file entry for your attribute like:

ATTRIBUTE My-Magic-Foo 250 string encrypt=1

And the server will automatically encrypt it when sending, and decrypt it when receiving.

Alan DeKok.
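What encrypt=1 actually puts on the wire is the RFC 2865 section 5.2 User-Password hiding: the value is NUL-padded to a multiple of 16 bytes and each block is XORed with MD5(secret + previous block), the first block using the Request Authenticator. The Python below is an added example for this page, not FreeRADIUS code; the secret `testing123`, the Request Authenticator bytes 0..15 and the sample values are constructed.

```python
import hashlib

BLOCK = 16


def radius_hide(value: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 hiding, the scheme applied to User-Password and to
    any dictionary attribute marked encrypt=1.
    c1 = p1 XOR MD5(secret + RequestAuth); c_i = p_i XOR MD5(secret + c_{i-1})."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(value) <= 128:
        # 128 is the RFC 2865 limit for User-Password; a string attribute could
        # carry up to 253 bytes, so this bound is an assumption of the example.
        raise ValueError("value must be 1..128 bytes")
    padded = value + b"\x00" * (-len(value) % BLOCK)  # NUL-pad to 16n bytes
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        cipher_block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += cipher_block
        prev = cipher_block  # the ciphertext block chains into the next keystream
    return bytes(out)


def radius_unhide(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of radius_hide; the receiver needs the same secret and the
    Request Authenticator of the packet the attribute arrived in."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        cipher_block = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(cipher_block, keystream))
        prev = cipher_block
    # Strip the NUL padding; a value hidden this way cannot itself contain NUL.
    return bytes(out).rstrip(b"\x00")


# Constructed values for a stand-alone run; not taken from the thread.
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    hidden = radius_hide(b"stag", SECRET, REQUEST_AUTHENTICATOR)
    print(len(hidden), hidden.hex())  # 4-byte value still occupies 16 bytes
    print(radius_unhide(hidden, SECRET, REQUEST_AUTHENTICATOR))
    # Same value, same authenticator: identical ciphertext. A NAS that reuses
    # Request Authenticators therefore leaks when two users share a password.
    print(hidden == radius_hide(b"stag", SECRET, REQUEST_AUTHENTICATOR))
```

Two things worth knowing before relying on this for a reply attribute: the scheme gives confidentiality against a passive observer who lacks the secret and nothing else (no integrity of its own; that comes from the Response Authenticator over the whole packet), and it is deterministic per (secret, authenticator), so it depends on the NAS generating a fresh, unpredictable Request Authenticator for every request.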
Re: unknown proxy ?
Alex Radetsky [EMAIL PROTECTED] wrote: I'm using freeradius-0.7.1. I'm trying to configure this freeradius as proxy server to remote. Upgrade to 0.9.3. Please. Alan DeKok.
Freeradius 0.9.3 with mysql
Hi all I have freeradius 0.9.3 set up on a linux box with (presumably) mysql compiled in as well. I have the mysql-devel files installed before configure/make/make installing. I followed through the how-to found at http://www.frontios.com/freeradius.html, but, that is a set of how-to for a somewhat older version. At any rate, with the user test in the users file, it authenticates just fine. When I comment that out and add the user to the mysql table, usergroups, it does not authenticate, and I don't notice any reference to mysql in the rejection notice (I can copy/paste that notice in if it will help anybody). I did notice an extra table in the current version that was not mentioned in the how-to, and that is the table radacct. Is that where I need to be adding users, later on (when this thing actually goes live)? On a different note, has anybody used this radius daemon with the Venturi acceleration server? Any pointers on that would be helpful too! Thanks!! --===-- Justin Williams Penguin Herder Power Shift Online Services 571 South Main Street Stowe, VT 05672 877-949-9967 Who shook my snow globe??
Re: unknown proxy ? part 2
Alex Radetsky [EMAIL PROTECTED] wrote: So, if radius got packet from remote server with configured source_ip and port, radiusd marks it as active. But in my case, radius got packet from configured source_ip, but another port. What does it mean? It means that the server you're proxying the request to is broken. PS. I can rewrite this code to create workaround. But I do not know, may be it will not correct. It will be wrong. You should contact the people running the other server, and tell them to fix it. Alan DeKok.
Re: Freeradius 0.9.3 with mysql
Justin Williams [EMAIL PROTECTED] wrote: At any rate, with the user test in the users file, it authenticates just fine. When I comment that out and add the user to the mysql table, usergroups, it does not authenticate, and I don't notice any reference to mysql in the rejection notice So run it in debugging mode to see what's going wrong. Also, you *do* need to configure 'radiusd.conf' to use the SQL module. You can't just put users into an SQL database, and hope that the server magically knows where to look. Alan DeKok.
Re: Eap ttls and LDAP
Arthur EBEL [EMAIL PROTECTED] wrote: I am using freeradius 0.9.3 on a linux box I have found the eap_ttls module in the CVS tree How to install it ??? You install a snapshot. You can't use EAP-TTLS with 0.9.3. I dont want to use personnal certificate but only the login and ldap passwd of the personn EAP-TTLS doesn't require personal certificates. Alan DeKok.
Re: One suggestion about the default config file
Damjan [EMAIL PROTECTED] wrote: The FreeRadius default config file is pretty much complete and working right out of the box. It's only that for some more advanced features the admin *must* make some local changes. Yup. I've noticed that a lot of questions asked here are due to people not having the patience to read the config file in full, or beeing confused by options not relevant to te problem thay are trying to solve. If they're not willing to read the configuration file, then they're probably not willing to read answers to their questions on the list. See previous flamewars. I propose a sollution to this, one that's easy to implement on one hand, but will reduce the confusion some people have about configuring freeradius: I think the config file should be split in several smaller files, inculded by the main file (for ex. eap.conf, ldap.conf ...) sql.conf is a good exaple how this actually works. I'm not sure that would help, and I don't see it as necessary. Apache has one large http.conf file, and no one seems to have problems with it. Alan DeKok.
RE: Freeradius 0.9.3 with mysql
Already running in debugging mode, but, too ignorant of what it all means. If there is a reference you recommend that would help me learn more about radius, in general, I'll be happy to go hunting in there too.

I added sql to the accounting section in radius.conf, but I did not add it into the authorize section... Added that and will hope that it works...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, December 10, 2003 1:30 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius 0.9.3 with mysql

Justin Williams [EMAIL PROTECTED] wrote:
> At any rate, with the user test in the users file, it authenticates just fine. When I comment that out and add the user to the mysql table, usergroups, it does not authenticate, and I don't notice any reference to mysql in the rejection notice

So run it in debugging mode to see what's going wrong.

Also, you *do* need to configure 'radiusd.conf' to use the SQL module. You can't just put users into an SQL database, and hope that the server magically knows where to look.

Alan DeKok.
RE: Freeradius 0.9.3 with mysql
Bingo... That worked... I was missing the sql entry in the authorize section... Would still love to go read up on radius, though!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin Williams
Sent: Wednesday, December 10, 2003 1:43 PM
To: [EMAIL PROTECTED]
Subject: RE: Freeradius 0.9.3 with mysql

Already running in debugging mode, but, too ignorant of what it all means. If there is a reference you recommend that would help me learn more about radius, in general, I'll be happy to go hunting in there too.

I added sql to the accounting section in radius.conf, but I did not add it into the authorize section... Added that and will hope that it works...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, December 10, 2003 1:30 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius 0.9.3 with mysql

Justin Williams [EMAIL PROTECTED] wrote:
> At any rate, with the user test in the users file, it authenticates just fine. When I comment that out and add the user to the mysql table, usergroups, it does not authenticate, and I don't notice any reference to mysql in the rejection notice

So run it in debugging mode to see what's going wrong.

Also, you *do* need to configure 'radiusd.conf' to use the SQL module. You can't just put users into an SQL database, and hope that the server magically knows where to look.

Alan DeKok.
Re: Freeradius 0.9.3 with mysql
Justin Williams [EMAIL PROTECTED] wrote:
> Bingo... That worked... I was missing the sql entry in the authorize section...

That's good to hear.

> Would still love to go read up on radius, though!

Buy the RADIUS book. See the web site for details.

Alan DeKok.
RE: Freeradius 0.9.3 with mysql
Thank you! By the way, I did not see a command in the man pages to restart radiusd after making config changes. Is there such? Thanks again!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, December 10, 2003 1:48 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius 0.9.3 with mysql

Justin Williams [EMAIL PROTECTED] wrote:
> Bingo... That worked... I was missing the sql entry in the authorize section...

That's good to hear.

> Would still love to go read up on radius, though!

Buy the RADIUS book. See the web site for details.

Alan DeKok.
Re: Freeradius 0.9.3 with mysql
Justin Williams [EMAIL PROTECTED] wrote:
> By the way, I did not see a command in the man pages to restart radiusd after making config changes. Is there such?

Huh? It's a normal program. You just kill it, and re-start it.

Alan DeKok.
Re: Encrypting an Access Reply Attribute
On Wed, 2003-12-10 at 12:26, Alan DeKok wrote:
> Tom Stoll [EMAIL PROTECTED] wrote:
> > Does anyone have an example that demonstrates how to encrypt an individual access reply attribute?
>
> You shouldn't have to. See the dictionary files, and look for encrypt=. If you're going to use the standard User-Password encryption, then create a dictionary file entry for your attribute like:
>
> ATTRIBUTE    My-Magic-Foo    250    string    encrypt=1
>
> And the server will automatically encrypt it when sending, and decrypt it when receiving.
>
> Alan DeKok.

Thank you, that is exactly what I was looking for, but missed.

Regards,
Tom Stoll
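What encrypt=1 does on the wire, as an added example written for this page and not FreeRADIUS's own code: the value is hidden with the RFC 2865 section 5.2 User-Password scheme, an MD5 keystream derived from the shared secret and the Request Authenticator, and for a reply attribute the Request Authenticator is the one from the Access-Request being answered. The secret and authenticator used below are constructed values.

```python
import hashlib


def radius_hide(plaintext, secret, request_authenticator):
    """Hide an attribute value the way encrypt=1 does (RFC 2865 section 5.2).

    The value is zero-padded to a multiple of 16 octets and XORed block by
    block with b1 = MD5(secret + request_authenticator) and, for later
    blocks, b_i = MD5(secret + c_(i-1)).  Nothing but the shared secret
    protects the value, so its confidentiality is bounded by the secret's
    strength.
    """
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    if not 1 <= len(plaintext) <= 128:
        raise ValueError("value must be 1..128 octets")
    padded = plaintext + b"\x00" * (-len(plaintext) % 16)
    out = bytearray()
    prev = request_authenticator            # chaining input for the first block
    for i in range(0, len(padded), 16):
        keyblock = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], keyblock))
        out += c
        prev = c                            # next block is chained on this ciphertext
    return bytes(out)


def radius_unhide(ciphertext, secret, request_authenticator):
    """Reverse radius_hide(); trailing NUL padding is stripped, as a receiver
    does (a value that itself ends in NUL would lose those octets)."""
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("hidden value must be a non-zero multiple of 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(ciphertext), 16):
        c = ciphertext[i:i + 16]
        keyblock = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ k for x, k in zip(c, keyblock))
        prev = c
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed demonstration values, not taken from any real exchange.
    ra = bytes(range(16))
    hidden = radius_hide(b"example-reply-value", b"constructed-secret", ra)
    print(hidden.hex())
    print(radius_unhide(hidden, b"constructed-secret", ra))
```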
RE: Freeradius 0.9.3 with mysql
Thanks! Was thinking in terms of daemons like httpd, which have their own start/stop commands.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, December 10, 2003 1:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius 0.9.3 with mysql

Justin Williams [EMAIL PROTECTED] wrote:
> By the way, I did not see a command in the man pages to restart radiusd after making config changes. Is there such?

Huh? It's a normal program. You just kill it, and re-start it.

Alan DeKok.
Relocation Error - Checked the SSL versions, but still appear
Hi,

I was using an old snap version of freeradius, compiled with an old snap version of OpenSSL. It was working fine with EAP-TLS, but I wanted to try the TTLS, so I tried to set the OpenSSL to the latest stable version 0.9.7c and use the SNAPSHOT version of Freeradius to get the TTLS.

Now I'm getting the error:

./radiusd: relocation error: /usr/local/radius//lib/rlm_eap_tls-1.0.0-pre0.so: undefined symbol: SSL_set_msg_callback

as soon as a client tries to get in.

An old posted message said it to be a problem with OpenSSL versions. I'm not good with these linux installations. So what I did was to remove the old directory where the snapshot was, and I used it again to install the stable version. As soon as it finished, anyway I replaced the libcrypto.so and libssl.so in /usr/lib to point to the new ones (also the openssl file by itself). - I'm using RH8 and I think I also have the 0.9.6 (engine) which I just renamed as openssl.old.

I thought that was enough to fix the problem and make the freeradius point to the 0.9.7c version, but still I compiled and executed getting this error.

Probably I'm doing all wrong, but still I don't know what it is. If you can help me out showing me the path, that would be awesome!!

Thanks a lot for your help,
Ivan Barrera
Problem with attributes of date type in attr_rewrite
freeradius version: 0.9.3

So I'm trying to rewrite an attribute Event-Timestamp, which has a type of date, according to the dictionary file. This is a new attribute, and I'm adding this to requests that I proxy. This attr_rewrite module works great if I change the type of Event-Timestamp to integer, but does not work when its type is date. radiusd -X says the attribute was added successfully, but the attribute is not present.

So tracing through the code, I see that the problem starts when pairmake() is called in do_attr_rewrite() in rlm_attr_rewrite.c. Within pairmake(), if the type of an attribute is 'date', the method gettime() is called on it to apparently parse out a valid time_t structure from a specifically formatted date (day \t month \t year \t). The problem I have with this is the date string I'm sending is in seconds from 1970, so more like '100203823823'. So what ends up happening, is gettime() fails, returns -1, and pairmake doesn't actually create the valuepair. This eventually bubbles back up to do_attr_rewrite(), which tries to add the attribute, and happily prints out the success message, even though the process failed.

I've dug up an old (2001) message in the mailing list archives that specifically talks about this dual nature of how dates should be specified, but there was no definite answer.

So what is the fix for this? Should gettime() realize which type of date is passed to it?

Thanks,
James
Re: Problem with attributes of date type in attr_rewrite
James Nedila [EMAIL PROTECTED] wrote:
> Within pairmake(), if the type of an attribute is 'date', the method gettime() is called on it to apparently parse out a valid time_t structure from a specifically formatted date (day \t month \t year \t). The problem I have with this is the date string I'm sending is in seconds from 1970, so more like '100203823823'.

Submit a patch to gettime(), which accepts integer dates.

> So what ends up happening, is gettime() fails, returns -1, and pairmake doesn't actually create the valuepair. This eventually bubbles back up to do_attr_rewrite(), which tries to add the attribute, and happily prints out the success message, even though the process failed.

Submit a patch to do_attr_rewrite(), so that it checks if the attribute was created, and errors if not.

> So what is the fix for this? Should gettime() realize which type of date is passed to it?

It should be more accepting of the input it receives.

Alan DeKok.
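A more accepting gettime() of the kind Alan suggests, written here as an added Python example rather than a patch to FreeRADIUS's C code: an all-digit value is taken as seconds since 1970 (bounded by the 32-bit 'date' field, which the sample value '100203823823' in the post exceeds), anything else is parsed as a day/month-name/year string, and the rewrite step refuses to report success when parsing failed. The exact month-name formats accepted are an assumption, not FreeRADIUS's grammar.

```python
import calendar
from datetime import datetime

# Month-name prefixes for the formatted form; matching on the first three
# letters accepts both "Dec" and "December".
_MONTHS = {name: num for num, name in enumerate(
    ("jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"), start=1)}

# A RADIUS 'date' value is a 32-bit unsigned count of seconds since the epoch.
_MAX_DATE = 0xFFFFFFFF


def _month_number(token):
    """Month number for a name token, or None if it is not a month name."""
    if not token[:1].isalpha():
        return None
    return _MONTHS.get(token[:3].lower())


def parse_radius_date(value):
    """Return epoch seconds for a 'date' attribute value, or None on failure.

    Accepts either an all-digit epoch value (what rlm_attr_rewrite hands over
    in the post) or a whitespace-separated day/month/year string with the day
    and month name in either order, e.g. "10 Dec 2003" or "Dec 10 2003".
    """
    s = value.strip()
    if not s:
        return None
    if s.isdigit():                       # integer form: seconds since 1970
        n = int(s)
        return n if n <= _MAX_DATE else None
    tokens = s.split()                    # formatted form: three tokens
    if len(tokens) != 3:
        return None
    first, second, year_tok = tokens
    if not year_tok.isdigit():
        return None
    if first.isdigit():
        day_tok, month = first, _month_number(second)
    else:
        day_tok, month = second, _month_number(first)
    if month is None or not day_tok.isdigit():
        return None
    try:
        dt = datetime(int(year_tok), month, int(day_tok))
    except ValueError:                    # e.g. "31 Feb 2003"
        return None
    seconds = calendar.timegm(dt.timetuple())   # interpret as UTC, no local tz
    return seconds if 0 <= seconds <= _MAX_DATE else None


def rewrite_date_attribute(name, value):
    """The check Alan asks for in do_attr_rewrite(): build the (name, value)
    pair only if the value parsed, and fail loudly instead of logging success
    when it did not."""
    seconds = parse_radius_date(value)
    if seconds is None:
        raise ValueError("cannot build %s: %r is not a valid date" % (name, value))
    return name, seconds


if __name__ == "__main__":
    for sample in ("1071014400", "10 Dec 2003", "100203823823", "10 Foo 2003"):
        print(repr(sample), "->", parse_radius_date(sample))
```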
Re: Relocation Error - Checked the SSL versions, but still appear
Ivan Barrera [EMAIL PROTECTED] wrote:
> version of OpenSSL, it was working fine with EAP-TLS, but I wanted to try the TTLS, so I tried to set the OpenSSL to the latest stable version 0.9.7c and use the SNAPSHOT version of Freeradius to get the TTLS.

That should work.

> Now I'm getting the error:
> ./radiusd: relocation error: /usr/local/radius//lib/rlm_eap_tls-1.0.0-pre0.so: undefined symbol: SSL_set_msg_callback

The server was compiled using the OLD version of OpenSSL, but you linked it against the NEW version of OpenSSL.

> An old posted message said to be a problem with OpenSSL versions. I'm not good with this linux installations. So what I did was to remove the old directory where the snapshot were, and I used again to install the stable version.

It's not a problem with FreeRADIUS. It's a problem with OpenSSL.

Alan DeKok.
Relocation Error - Checked the SSL versions, but still appear - HELP
Hi,

I was using an old snap version of freeradius, compiled with an old snap version of OpenSSL. It was working fine with EAP-TLS, but I wanted to try the TTLS, so I tried to set the OpenSSL to the latest stable version 0.9.7c and use the SNAPSHOT version of Freeradius to get the TTLS.

Now I'm getting the error:

./radiusd: relocation error: /usr/local/radius//lib/rlm_eap_tls-1.0.0-pre0.so: undefined symbol: SSL_set_msg_callback

as soon as a client tries to get in.

An old posted message said it to be a problem with OpenSSL versions. I'm not good with these linux installations. So what I did was to remove the old directory where the snapshot was, and I used it again to install the stable version. As soon as it finished, anyway I replaced the libcrypto.so and libssl.so in /usr/lib to point to the new ones (also the openssl file by itself). - I'm using RH8 and I think I also have the 0.9.6 (engine) which I just renamed as openssl.old.

I thought that was enough to fix the problem and make the freeradius point to the 0.9.7c version, but still I compiled and executed getting this error. I regenerated the certificates, I removed the whole radius directory and installed it again, but it doesn't work.

Is there any way to check what are the versions I'm trying to use? Is there a way to uninstall correctly either freeradius or Openssl?

Probably I'm doing all wrong, but still I don't know what it is. If you can help me out showing me the path, that would be awesome!!

Thanks a lot for your help,
Ivan D. Barrera
Re: Relocation Error - Checked the SSL versions, but still appear - HELP
Ivan Dario Barrera [EMAIL PROTECTED] wrote:
> ...

You do READ the list, don't you?

http://lists.cistron.nl/pipermail/freeradius-users/2003-December/026413.html

> Is there any way to check what are the versions I'm trying to use?

ldd. See the FAQ.

Alan DeKok.
RE: Relocation Error - Checked the SSL versions, but still appear
So sorry, looks like the page was cached, and I never saw my message posted! Thanks, I will check on that.

Ivan D. Barrera

> Ivan Dario Barrera [EMAIL PROTECTED] wrote:
> > ...
>
> You do READ the list, don't you?
>
> http://lists.cistron.nl/pipermail/freeradius-users/2003-December/026413.html
>
> > Is there any way to check what are the versions I'm trying to use?
>
> ldd. See the FAQ.
Re: One suggestion about the default config file
Alan DeKok wrote:
> Damjan [EMAIL PROTECTED] wrote:
> > The FreeRadius default config file is pretty much complete and working right out of the box. It's only that for some more advanced features the admin *must* make some local changes.
>
> Yup.
>
> > I've noticed that a lot of questions asked here are due to people not having the patience to read the config file in full, or being confused by options not relevant to the problem they are trying to solve.
>
> If they're not willing to read the configuration file, then they're probably not willing to read answers to their questions on the list. See previous flamewars.
>
> > I propose a solution to this, one that's easy to implement on one hand, but will reduce the confusion some people have about configuring freeradius: I think the config file should be split in several smaller files, included by the main file (for ex. eap.conf, ldap.conf ...). sql.conf is a good example of how this actually works.
>
> I'm not sure that would help, and I don't see it as necessary. Apache has one large http.conf file, and no one seems to have problems with it.

Actually this is not entirely correct, at least not with vendor supplied versions of apache. On SuSE Linux httpd.conf is actually split into about 6 different files, for standard config, vhosts, sslconfig, additional modules etc.

Having said that, radius.conf is significantly shorter than httpd.conf and I am not sure if the ldap config, which is currently less than one screen long in vim (at my resolution), really warrants a separate file.

Cheers
Peter
Re: Freeradius 0.9.3 with mysql
The init command will depend on the distribution you are using.

On RH, as root it should be something like:
/sbin/service radiusd restart

On Debian:
/etc/init.d/freeradius restart

On Suse:
/etc/init.d/radiusd restart

On FreeBSD :-)
/usr/local/etc/rc.d/radiusd.sh restart

Good luck.

Justin Williams wrote:
> Thanks! Was thinking in terms of daemons like httpd, which have their own start/stop commands.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Wednesday, December 10, 2003 1:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius 0.9.3 with mysql
>
> Justin Williams [EMAIL PROTECTED] wrote:
> > By the way, I did not see a command in the man pages to restart radiusd after making config changes. Is there such?
>
> Huh? It's a normal program. You just kill it, and re-start it.
>
> Alan DeKok.
RE: Freeradius 0.9.3 with mysql
In Mandrake (very similar to redhat in most respects), service radiusd restart returned the error that radiusd was not registered as a service... For the moment, kill works... ;-)

Thanks!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Fraser
Sent: Wednesday, December 10, 2003 5:46 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius 0.9.3 with mysql

The init command will depend on the distribution you are using.

On RH, as root it should be something like:
/sbin/service radiusd restart

On Debian:
/etc/init.d/freeradius restart

On Suse:
/etc/init.d/radiusd restart

On FreeBSD :-)
/usr/local/etc/rc.d/radiusd.sh restart

Good luck.

Justin Williams wrote:
> Thanks! Was thinking in terms of daemons like httpd, which have their own start/stop commands.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Wednesday, December 10, 2003 1:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius 0.9.3 with mysql
>
> Justin Williams [EMAIL PROTECTED] wrote:
> > By the way, I did not see a command in the man pages to restart radiusd after making config changes. Is there such?
>
> Huh? It's a normal program. You just kill it, and re-start it.
>
> Alan DeKok.
Multiple values for the same integer-attribute in one RADIUS reply???
Hello everybody,

Yesterday I ran into deep problems trying to configure freeradius 0.9.0 for so called authenticated switch access (asa) which is a feature of alcatel (formerly xylan) lan switches enabling them to query a radius server for user authentication.

My users file looks like:

...
user2   Auth-Type := Local, User-Password == testpw
        Alcatel-Access-Priv = Alcatel-Read-Priv,
        Alcatel-Access-Priv = Alcatel-Write-Priv,
        Alcatel-Access-Priv = Alcatel-Admin-Priv
...

My vendor specific dictionary file looks like:

...
ATTRIBUTE   Alcatel-Access-Priv   16   integer   Alcatel
VALUE       Alcatel-Access-Priv   Alcatel-Read-Priv    1
VALUE       Alcatel-Access-Priv   Alcatel-Write-Priv   2
VALUE       Alcatel-Access-Priv   Alcatel-Admin-Priv   3
...

My configuration seems to be working fine so far, because 'user2' is authenticated by the radius server and can log in to the device. But now the problem arises: I need the user to get assigned all of the three privileges that I mentioned above concurrently and not alternatively. At the moment my user only gets read, write or admin access - the actually assigned privilege depends on the sequence of privileges for user2 in my users-file (only the first privilege is assigned).

Maybe there's anybody out there who got an idea of how to solve this problem and return all of the three integer values for the attribute 'Alcatel-Access-Priv' in one radius-reply.

Thanks in advance.
Stephan
Re: Multiple values for the same integer-attribute in one RADIUS reply???
At 05:02 PM 12/10/2003, [EMAIL PROTECTED] wrote:
> Hello everybody,
>
> Yesterday I ran into deep problems trying to configure freeradius 0.9.0 for so called authenticated switch access (asa) which is a feature of alcatel (formerly xylan) lan switches enabling them to query a radius server for user authentication.
>
> My users file looks like:
>
> ...
> user2   Auth-Type := Local, User-Password == testpw
>         Alcatel-Access-Priv = Alcatel-Read-Priv,
>         Alcatel-Access-Priv = Alcatel-Write-Priv,
>         Alcatel-Access-Priv = Alcatel-Admin-Priv
> ...

See the docs, man users, the list archives from the last few days. You need the += attribute to add multiple attributes of the same type to a reply.

-Chris
--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
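The users-file entry from the original post rewritten with the += operator Chris points to, as an added example and not text from either poster; with = only the first reply item for an attribute is kept, so the user silently receives a narrower privilege set than the entry intends, whereas += appends each one.

```text
# users: reply items with '+=' are all added to the Access-Accept, so the NAS
# receives three Alcatel-Access-Priv attributes (values 1, 2 and 3 from the
# dictionary) in one reply instead of only the first listed one.
user2   Auth-Type := Local, User-Password == "testpw"
        Alcatel-Access-Priv += Alcatel-Read-Priv,
        Alcatel-Access-Priv += Alcatel-Write-Priv,
        Alcatel-Access-Priv += Alcatel-Admin-Priv
```

Check the result with radiusd -X: the Sending Access-Accept output should list the attribute three times.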
How to implement walled garden with freeRadius?
Any recommendation on implementing walled garden with freeRadius and cisco 1100 APs? The walled garden allows wireless users to access some pre-defined websites even BEFORE they login. Has anyone done this before?

The idea is to allow the user to visit our sign-up website and download the certificate (generated with OpenSSL). After the user has installed the certificate, freeRadius will authenticate the user with EAP-TLS and the user can access any websites after that.

Is there any other free software that supports the walled garden? Any suggestions or URL refs are appreciated.

Richard
Re: How to implement walled garden with freeRadius?
I am climbing a learning curve at the moment, and intend to provide this sort of functionality. I am looking at setting up a regional wireless ISP. I am planning on allowing everyone to associate with the wireless APs. When they open up a web browser and try to hit a page, I am going to use squid to redirect them to this walled garden page that provides limited free content and instructions on how to subscribe to our services. Paid subscribers will then be able to login and access the internet.

I think there may be a few ways to achieve this, but I have been testing it using PPPoe and a RADIUS server (freeradius). When they login, a PPP tunnel will be created and routed correctly to the internet (with relevant access controls setup through squid).

If anyone else has any ideas in respect to this sort of setup, I would welcome suggestions!

> Any recommendation on implementing walled garden with freeRadius and cisco 1100 APs? The walled garden allows wireless users to access some pre-defined websites even BEFORE they login. Has anyone done this before?
>
> The idea is to allow the user to visit our sign-up website and download the certificate (generated with OpenSSL). After the user has installed the certificate, freeRadius will authenticate the user with EAP-TLS and the user can access any websites after that.
>
> Is there any other free software that supports the walled garden? Any suggestions or URL refs are appreciated.
>
> Richard
Re: How to implement walled garden with freeRadius?
Check out Mikrotik (www.mikrotik.com) -- a linux-based router with Hotspot functionality. I am using it to do this exact sort of thing. Mikrotik has a built-in radius client and it works flawlessly (so far) with FreeRadius on the backend. Users are redirected to a sign-in page and once they sign in firewall rules are updated to allow them access beyond the gateway.

-rob

At 10:46 AM 12/11/2003 +1100, you wrote:
> I am climbing a learning curve at the moment, and intend to provide this sort of functionality. I am looking at setting up a regional wireless ISP. I am planning on allowing everyone to associate with the wireless APs. When they open up a web browser and try to hit a page, I am going to use squid to redirect them to this walled garden page that provides limited free content and instructions on how to subscribe to our services. Paid subscribers will then be able to login and access the internet.
>
> I think there may be a few ways to achieve this, but I have been testing it using PPPoe and a RADIUS server (freeradius). When they login, a PPP tunnel will be created and routed correctly to the internet (with relevant access controls setup through squid).
>
> If anyone else has any ideas in respect to this sort of setup, I would welcome suggestions!
>
> > Any recommendation on implementing walled garden with freeRadius and cisco 1100 APs? The walled garden allows wireless users to access some pre-defined websites even BEFORE they login. Has anyone done this before?
> >
> > The idea is to allow the user to visit our sign-up website and download the certificate (generated with OpenSSL). After the user has installed the certificate, freeRadius will authenticate the user with EAP-TLS and the user can access any websites after that.
> >
> > Is there any other free software that supports the walled garden? Any suggestions or URL refs are appreciated.
> >
> > Richard
Re: How to implement walled garden with freeRadius?
It might be possible to do this using mac address access lists. You could redirect all traffic from 'unknown' mac addresses to a 'captive' site, and allow 'known' mac addresses to be routed normally. I don't know how you would do this with the equipment you have, but it may give you an idea.

[EMAIL PROTECTED] wrote:
> I am climbing a learning curve at the moment, and intend to provide this sort of functionality. I am looking at setting up a regional wireless ISP. I am planning on allowing everyone to associate with the wireless APs. When they open up a web browser and try to hit a page, I am going to use squid to redirect them to this walled garden page that provides limited free content and instructions on how to subscribe to our services. Paid subscribers will then be able to login and access the internet.
>
> I think there may be a few ways to achieve this, but I have been testing it using PPPoe and a RADIUS server (freeradius). When they login, a PPP tunnel will be created and routed correctly to the internet (with relevant access controls setup through squid).
>
> If anyone else has any ideas in respect to this sort of setup, I would welcome suggestions!
>
> > Any recommendation on implementing walled garden with freeRadius and cisco 1100 APs? The walled garden allows wireless users to access some pre-defined websites even BEFORE they login. Has anyone done this before?
> >
> > The idea is to allow the user to visit our sign-up website and download the certificate (generated with OpenSSL). After the user has installed the certificate, freeRadius will authenticate the user with EAP-TLS and the user can access any websites after that.
> >
> > Is there any other free software that supports the walled garden? Any suggestions or URL refs are appreciated.
> >
> > Richard
response-authenticator decrypt fail
Hi All,

I installed the FreeRadius 0.9.3 on Redhat 8.0 and did some tests with the Cisco AS5400 for authenticating the dial-up users. From the server side, everything was OK and it sent the Access-Accept back. But unfortunately I got the following error message on the AS5400.

Dec 11 00:13:19.709: RADIUS(007E): Send Access-Request to 10.0.3.10:1812 id 21645/69, len 121
Dec 11 00:13:19.713: RADIUS: authenticator 2A 32 44 04 78 53 79 6F - 5E AB EA 7F 6E 8F 94 42
Dec 11 00:13:19.713: RADIUS: Framed-Protocol [7] 6 PPP [1]
Dec 11 00:13:19.713: RADIUS: User-Name [1] 10 "abc123"
Dec 11 00:13:19.713: RADIUS: CHAP-Password [3] 19 *
Dec 11 00:13:19.713: RADIUS: Calling-Station-Id [31] 12 "3012543379"
Dec 11 00:13:19.713: RADIUS: Called-Station-Id [30] 12 "8773334563"
Dec 11 00:13:19.713: RADIUS: Vendor, Cisco [26] 18
Dec 11 00:13:19.713: RADIUS: cisco-nas-port [2] 12 "Async1/101"
Dec 11 00:13:19.713: RADIUS: NAS-Port [5] 6 317
Dec 11 00:13:19.713: RADIUS: NAS-Port-Type [61] 6 Async [0]
Dec 11 00:13:19.713: RADIUS: Service-Type [6] 6 Framed [2]
Dec 11 00:13:19.713: RADIUS: NAS-IP-Address [4] 6 10.0.1.15
Dec 11 00:13:19.717: RADIUS: Received from id 21645/69 10.0.3.10:1812, Access-Accept, len 32
Dec 11 00:13:19.717: RADIUS: authenticator 8A 8E 0D 08 6E 37 AF B8 - FD D1 40 53 31 A8 82 25
Dec 11 00:13:19.717: RADIUS: Service-Type [6] 6 Framed [2]
Dec 11 00:13:19.717: RADIUS: Framed-Protocol [7] 6 PPP [1]
Dec 11 00:13:19.717: RADIUS: response-authenticator decrypt fail, pak len 32
Dec 11 00:13:19.717: RADIUS: packet dump: 024500208A8E0D086E37AFB8FDD1405331A882250606000207060001
Dec 11 00:13:19.717: RADIUS: expected digest: FE0B37771CEDD5666136DC06E859F905
Dec 11 00:13:19.717: RADIUS: response authen: 8A8E0D086E37AFB8FDD1405331A88225
Dec 11 00:13:19.717: RADIUS: request authen: 2A3244047853796F5EABEA7F6E8F9442
Dec 11 00:13:19.717: RADIUS: Response (69) failed decrypt

Has anyone encountered the problem before? Your heads-up is really appreciated.

Thanks,
BM
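How the NAS arrives at its "expected digest" and why it differs from the "response authen" it received, as an added example that is not from the post or from FreeRADIUS: per RFC 2865 the Response Authenticator is MD5 over Code, ID, Length, the Request Authenticator and the attributes followed by the shared secret, so with the request authenticator and attributes both visible and consistent in the debug output above, the remaining input that differs between the two sides is the shared secret each one holds. The 32-octet Access-Accept is rebuilt here from the attribute lines in the debug output, because the printed dump is 28 octets against "pak len 32", and the secret is a constructed placeholder.

```python
import hashlib
import hmac

# Reconstructed from the AS5400 debug output in the post: header, received
# authenticator, Service-Type = Framed (2), Framed-Protocol = PPP (1).
ACCESS_ACCEPT = bytes.fromhex(
    "02450020"                          # Code 2 (Access-Accept), ID 69, Length 32
    "8A8E0D086E37AFB8FDD1405331A88225"  # Response Authenticator as received
    "060600000002"                      # Service-Type (6), len 6, Framed (2)
    "070600000001"                      # Framed-Protocol (7), len 6, PPP (1)
)
# Request Authenticator of the Access-Request, as logged ("request authen").
REQUEST_AUTH = bytes.fromhex("2A3244047853796F5EABEA7F6E8F9442")
# The dump exactly as the NAS printed it; it drops octets of the two integers.
PRINTED_DUMP = "024500208A8E0D086E37AFB8FDD1405331A882250606000207060001"


def parse_radius_packet(raw):
    """Return (code, identifier, length, authenticator, [(type, value), ...]).

    Raises ValueError when the declared length or an attribute length does not
    fit the octets actually present, which is the first thing to check before
    trusting any digest computed over a packet.
    """
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length < 20 or length > len(raw):
        raise ValueError("declared length %d does not fit %d octets" % (length, len(raw)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return code, ident, length, raw[4:20], attrs


def response_authenticator(response, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = int.from_bytes(response[2:4], "big")
    return hashlib.md5(response[:4] + request_authenticator
                       + response[20:length] + secret).digest()


def sign_response(response, request_authenticator, secret):
    """Return the packet with the authenticator a server holding 'secret' would send."""
    digest = response_authenticator(response, request_authenticator, secret)
    return response[:4] + digest + response[20:]


def verify_response(response, request_authenticator, secret):
    """What the NAS does on receipt: recompute the digest with its own copy of
    the secret and compare it to the authenticator field in constant time."""
    expected = response_authenticator(response, request_authenticator, secret)
    return hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    # Constructed secret: with any secret other than the one the server used,
    # the recomputed digest will not match the received authenticator.
    secret = b"constructed-secret"
    print("parsed:", parse_radius_packet(ACCESS_ACCEPT))
    print("verifies with constructed secret:",
          verify_response(ACCESS_ACCEPT, REQUEST_AUTH, secret))
    print("re-signed verifies:",
          verify_response(sign_response(ACCESS_ACCEPT, REQUEST_AUTH, secret),
                          REQUEST_AUTH, secret))
```

Running it against the printed dump raises ValueError from parse_radius_packet, because the 28 octets printed cannot carry the declared length of 32.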