CVP3000 VSA Dictionary

2003-12-17 Thread Spetzler, Arne (DZ-SH)
Hi,

In the process of superseding Cisco ACS with freeradius, I have enhanced the

dictionary.cisco.vpn3000

with

ATTRIBUTE   CVPN3000-Authorization-type      65  integer
ATTRIBUTE   CVPN3000-Succ-author-requirement 66  integer
ATTRIBUTE   CVPN3000-DN-Fields-String        67  string

this is needed for controlling authorization of external groups.

Is there any official way to make this publicly available?

regards,

Arne Spetzler

PS: These attributes are *not* documented by Cisco. I got them by analysing the debug output of the VPN3000 talking with the ACS - but it works :)
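An added example, not code from the post or from the FreeRADIUS project: a small Python decoder that reads these three dictionary lines and uses them to name the sub-attributes of a Cisco VPN3000 Vendor-Specific attribute, so that a capture or debug trace can be checked against what the concentrator actually sends. The vendor ID 3076 is assumed (the post does not quote the dictionary's VENDOR line) and the sample bytes are constructed; the Attr-N arithmetic at the end matches the Attr-201588758 line in the debug output further down this page.

```python
import struct
# Cisco VPN 3000 (Altiga) vendor ID used by dictionary.cisco.vpn3000 (assumed; the post does not quote it).
VENDOR_CISCO_VPN3000 = 3076

# Constructed copy of the three dictionary entries from the post.
DICTIONARY_TEXT = """
ATTRIBUTE   CVPN3000-Authorization-type      65  integer
ATTRIBUTE   CVPN3000-Succ-author-requirement 66  integer
ATTRIBUTE   CVPN3000-DN-Fields-String        67  string
"""

# Constructed sample VSA value: vendor 3076, sub-attribute 65 = integer 1, sub-attribute 67 = "CN=a".
SAMPLE_VSA = bytes.fromhex("00000c04" "41 06 00000001" "43 06 434e3d61")

def parse_dictionary(text):
    """Parse 'ATTRIBUTE name number type' lines into {number: (name, type)}."""
    attrs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ATTRIBUTE":
            continue  # blank lines, comments and other keywords are skipped
        number = int(parts[2])
        if not 1 <= number <= 255 or number in attrs:
            raise ValueError(f"{parts[1]}: vendor type {number} is out of range or duplicated")
        attrs[number] = (parts[1], parts[3])
    return attrs

def decode_vsa(payload, attrs):
    """Decode a Vendor-Specific (type 26) value: 4-byte vendor ID, then
    (vendor-type, vendor-length, data) sub-attributes (RFC 2865 section 5.26)."""
    if len(payload) < 4 or struct.unpack("!I", payload[:4])[0] != VENDOR_CISCO_VPN3000:
        raise ValueError("not a Cisco VPN3000 VSA")
    out, pos = [], 4
    while pos < len(payload):
        if pos + 2 > len(payload) or payload[pos + 1] < 2 or pos + payload[pos + 1] > len(payload):
            raise ValueError("bad sub-attribute length")  # never trust NAS-supplied lengths
        vtype, vlen = payload[pos], payload[pos + 1]
        data = payload[pos + 2:pos + vlen]
        # Sub-attributes missing from the dictionary keep their raw bytes.
        name, rtype = attrs.get(vtype, (f"Cisco-VPN3000-Attr-{vtype}", "octets"))
        if rtype == "integer" and len(data) == 4:
            value = struct.unpack("!I", data)[0]
        else:
            value = data.decode("utf-8", "replace") if rtype == "string" else data
        out.append((name, value))
        pos += vlen
    return out

def split_legacy_attr(number):
    """Old FreeRADIUS prints unknown VSAs as Attr-N with N = vendor << 16 | type."""
    return number >> 16, number & 0xFFFF
```

Feeding an unknown vendor type (for example 22, which is what Attr-201588758 decodes to) yields the raw octets under a placeholder name, which is exactly the situation the post resolves by extending the dictionary.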


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On behalf of
 [EMAIL PROTECTED]
 Sent: Wednesday, 17 December 2003 05:43
 To: [EMAIL PROTECTED]
 Subject: Freeradius-Users digest, Vol 1 #2639 - 8 msgs
 
 
 Message: 1
 Date: Tue, 16 Dec 2003 13:14:18 -0800 (PST)
 From: Soujanya Rao [EMAIL PROTECTED]
 Subject: freeradius mysql simultaneous-use question URGENT
 To: [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 
 
 Hi,
 I am new to freeradius. I need some help in using 
 simultaneous-use for detecting double logins using mysql 
 only. Here is my current set up:
  
  > select * from radgroupcheck
  +----+-----------+------------------+----+-------+
  | id | GroupName | Attribute        | op | Value |
  +----+-----------+------------------+----+-------+
  |  2 | static    | Auth-Type        | == | Local |
  |  4 | static    | Simultaneous-Use | := | 1     |
  +----+-----------+------------------+----+-------+

  > select * from usergroup
  +----+----------+-----------+
  | id | UserName | GroupName |
  +----+----------+-----------+
  | 33 | PW006    | static    |
  +----+----------+-----------+

  > select * from radcheck
  +----+----------+-----------+----+-------+
  | id | UserName | Attribute | op | Value |
  +----+----------+-----------+----+-------+
  | 18 | PW006    | Password  | == | abcd  |
  +----+----------+-----------+----+-------+
 
 In my radius.conf I have a set up like this:
  
 session {
     sql
 }
  
 In sql.conf, the Simultaneous Use Checking Queries are uncommented
  
 I am using NTRadping to test for simultaneous-use and am 
 failing to do so!
 I am doing an accounting start using NTRadPing for the same 
 user with a different NAS-IP-Address (Additional RADIUS 
 attributes) and a different port NAS-Port (additional RADIUS 
 attribute). Though simultaneous-use is set up, the user is not 
 stopped for double login at all. It creates two entries in 
 the radacct table and when I run accounting stop it updates 
 the relevant radacct records with the AcctStopTime.
  
 Can anyone tell me where I am going wrong? This is urgent and 
 I am clueless as to what else needs to be done. The 
 sqltrace.log does not show that the uncommented statements in 
 sql.conf are executed. How do I make sure that they get 
 executed? Also please let me know if this is a correct 
 procedure for testing the same.
  
 Thanks in advance,
 Soujanya
 

Re: Cisco VPN3000 with freeradius

2003-12-16 Thread Spetzler, Arne (DZ-SH)
Alan DeKok [EMAIL PROTECTED] wrote:

 From: Alan DeKok [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Cisco VPN3000 with freeradius 
 Date: Mon, 15 Dec 2003 14:39:46 -0500
 Reply-To: [EMAIL PROTECTED]
 
 Spetzler, Arne (DZ-SH) [EMAIL PROTECTED] wrote:
  I am successfully authenticating Certificate users against freeradius 0.9.0 (from suse 9.0).
  
  BUT:  only the 'first' time. That means:
  
  wait a 'long' time (av. 15 min)
  
  authentication successful
 
   This has nothing to do with FreeRADIUS.  If the client/NAS doesn't
 contact the server, there's nothing that FreeRADIUS can do to speed up
 the process.
 
  The CISCO Access Control Server ACS did not show this behavior.
 
   I would suggest seeing what attributes are sent back from the Cisco
 server, and make FreeRADIUS send back the same attributes.
 
   Whatever the problem is, that is the only fix.
 
   Alan DeKok.
 

Hi, Alan,

no, this is _not_ the only fix ;)

I have found the problem now:

the VPN3000 Concentrator has a timing problem:

if the answer from the radius server is _fast_ (< 200 ms) _and_ a lot
of debugging is enabled, then the vpn3000 may lose the UDP packet which
contains the answer.

The FREERADIUS _is_ fast - in our environment the answers came after
30-180 ms. So packets get lost.

Because the CISCO ACS is not so fast (> 300 ms) this did not happen with ACS.


regards,

Arne Spetzler
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Cisco VPN3000 with freeradius

2003-12-15 Thread Spetzler, Arne (DZ-SH)
Hello there,

I am successfully authenticating Certificate users against freeradius 0.9.0 (from suse 9.0).

BUT:  only the 'first' time. That means:

wait a 'long' time (av. 15 min)

authentication successful

wait a very short time

authentication fails

wait

authentication fails

wait 'long' time

authentication successful


The debug output from the radius server shows nothing special:


---

rad_recv: Access-Request packet from host 10.1.50.10:1064, id=38, length=125
User-Name = TC_TEST
User-Password = 12345
NAS-Port = 0
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = 10.1.50.10
Calling-Station-Id = 10.1.3.132
Tunnel-Client-Endpoint:0 = 10.1.3.132
Attr-201588758 = 0x0001
NAS-IP-Address = 10.1.50.10
NAS-Port-Type = Virtual
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
rlm_eap: EAP-Message not found
  modcall[authorize]: module eap returns noop
rlm_realm: No '@' in User-Name = TC_TEST, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched TC_TEST at 76
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 38 to 10.1.50.10:1064
CVPN3000-IPSec-Banner1 = Authenticated by FREERADIUS
Class = 0x46524545524144495553
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 38 with timestamp 3fde1931
Nothing to do.  Sleeping until we see a request.

-

The CISCO Access Control Server ACS did not show this behavior.

I searched the archive and the FAQ and didn't find anything...


Has someone seen this before?

regards,

Arne


---
 
Datenzentrale Schleswig-Holstein
Altenholzer Str. 10-14, 24161 Altenholz, Germany
http://www.dzsh.de/ mailto:[EMAIL PROTECTED]
Tel: +49.431.3295.6840 Fax: +49.431.3295.410