Re: Referencing Ldap-Group in unlang
Jason Alderfer wrote:
> Well, the example above is really just a test case. For the decision I actually need to make based on Ldap-Group unlang is so much better.

Well... yes.

> So I made a hack which solves my problem but I don't think it will work for all compare functions. I attached it here in the event it may be of some use. It would be great if this ability could be worked in eventually.

I've done it a different way, and committed it to CVS.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
0 Session Length, radrelay or Freeradius causing issues
Hello List,

I have asked this before (http://readlist.com/lists/lists.freeradius.org/freeradius-users/1/7788.html) and Alan DeKok did say that I should place those accounting packets in a different Acct-Type, but that was when I did not wish to log the information but I now need to log the information and replicate to all radius servers.

I need to know why the radrelay application stops replication when it comes across a 0 session length packet. This morning I found a 40Mb backlog file for each server and realised that it was the 0 session-length packet again. I know FreeRadius does complain about it but it still logs this accounting packet into the sql database. So is it because FreeRadius indicates that an error (0 Session Length?). If so could I not just somehow tell FreeRadius to stop complaining and just accept the stupid packet. (As I am passing configurable triggers via 0 session length radius packets).

--
Kind Regards
Etienne Pretorius
Re: Move from text to SQL(Postgresql)
Hey Tuc,

Regarding your issue, check the radiusd.conf file, in the modules{} section for the pap module settings, you probably have it set to encryption_scheme = crypt, if so, change it to clear.

Also, daloRADIUS was built to be an SQL-based platform for managing everything though it is roughly tested and built on MySQL. I have attempted to keep most of the queries very ANSI SQL specific to conform with other servers like PostgreSQL. And so, if you would like to give it a chance with Postgres still then I am willing to be entirely available to you and assist you in getting things up and running as well as adding support to any changes to fit PostgreSQL. Let me know if you decided to go for it.

Liran.

On Tue, May 13, 2008 at 3:20 AM, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:
> Hi,
>
> I've got a new install, and I have it working fine with plain text files. I'm trying to go this time to Postgresql (Don't ask) and I'm just not having a good time of it. I don't get why it's doing the following (2.0.4 with Postgresql 8.1.11) :
>
> Ready to process requests.
>         User-Name = tuc
>         User-Password = ICANSEE
>         NAS-IP-Address = 192.168.3.128
>         NAS-Port = 1812
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>     rlm_realm: No '@' in User-Name = tuc, looking up realm NULL
>     rlm_realm: No such realm NULL
> ++[suffix] returns noop
>   rlm_eap: No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns updated
> ++[files] returns noop
>         expand: %{User-Name} -> tuc
> rlm_sql (sql): sql_set_user escaped user --> 'tuc'
> rlm_sql (sql): Reserving sql socket id: 4
>         expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'tuc' ORDER BY id
> rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'tuc' ORDER BY id
> rlm_sql_postgresql: Status: PGRES_TUPLES_OK
> rlm_sql_postgresql: query affected rows = 1 , fields = 5
> rlm_sql (sql): User found in radcheck table
>         expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'tuc' ORDER BY id
> rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'tuc' ORDER BY id
> rlm_sql_postgresql: Status: PGRES_TUPLES_OK
> rlm_sql_postgresql: query affected rows = 1 , fields = 5
>         expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='tuc' ORDER BY priority
> rlm_sql_postgresql: query: SELECT GroupName FROM radusergroup WHERE UserName='tuc' ORDER BY priority
> rlm_sql_postgresql: Status: PGRES_TUPLES_OK
> rlm_sql_postgresql: query affected rows = 0 , fields = 1
> rlm_sql (sql): Released sql socket id: 4
> ++[sql] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
>   rad_check_password:  Found Auth-Type
> auth: type PAP
> +- entering group PAP
> rlm_pap: login attempt with password ICANSEE
> rlm_pap: Using CRYPT encryption.
> rlm_pap: Passwords don't match
> ++[pap] returns reject
> auth: Failed to validate the user.
> Login incorrect (rlm_pap: CRYPT password check failed): [tuc/ICANSEE] (from client localhost port 1812)
>   Found Post-Auth-Type Reject
> +- entering group REJECT
>         expand: %{User-Name} -> tuc
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
>
> Why does it head to crypt? I have in radcheck :
>
> Welcome to psql 8.1.11, the PostgreSQL interactive terminal.
>
> Type:  \copyright for distribution terms
>        \h for help with SQL commands
>        \? for help with psql commands
>        \g or terminate with semicolon to execute query
>        \q to quit
>
> radius=> select * from radcheck;
>  id | username |     attribute      | op |  value
> ----+----------+--------------------+----+---------
>   2 | tuc      | Cleartext-Password | := | ICANSEE
> (1 row)
>
> radius=>
>
> Thanks, Tuc

Regards,
Liran Tal.
Re: 0 Session Length, radrelay or Freeradius causing issues
Etienne Pretorius wrote:
> I need to know why the radrelay application stops replication when it comes across a 0 session length packet.

Because the RADIUS server says that the accounting packet was not processed, so radrelay tries to send it again. This is what a NAS does when it does not receive a reply to an accounting request.

> This morning I found a 40Mb backlog file for each server and realised that it was the 0 session-length packet again. I know FreeRadius does complain about it but it still logs this accounting packet into the sql database. So is it because FreeRadius indicates that an error (0 Session Length?). If so could I not just somehow tell FreeRadius to stop complaining and just accept the stupid packet. (As I am passing configurable triggers via 0 session length radius packets).

You need to tell the RADIUS server that it should respond to the accounting request with 0 session length. Grab CVS head, and read raddb/sites-available/copy-acct-to-home-server

It explains this.

Also, in 2.0, radrelay is part of the server, and works much better than in 1.1.x.

Alan DeKok.
Re: 0 Session Length, radrelay or Freeradius causing issues
Hi,

> Hello List, I have asked this before (http://readlist.com/lists/lists.freeradius.org/freeradius-users/1/7788.html) and Alan DeKok did say that I should place those accounting packets in a different Acct-Type, but that was when I did not wish to log the information but I now need to log the information and replicate to all radius servers. I need to know why the radrelay application stops replication when it comes across a 0 session length packet. This morning I found a 40Mb backlog file for each server and realised that it was the 0 session-length packet again. I know FreeRadius does complain about it but it still logs this accounting packet into the sql database. So is it because FreeRadius indicates that an error (0 Session Length?). If so could I not just somehow tell FreeRadius to stop complaining and just accept the stupid packet. (As I am passing configurable triggers via 0 session length radius packets).

I have similar issues (had similar issues) and my detail config now only fires stuff into the detail log for 'out of band' SQL processing if that Acct-Session-Time does not = 0. However, I believe that the latest CVS version (so this will be in 2.0.5) now handles session time of 0.

alan
Re: OT: java radius client libraries?
Hi Alex,

I used JRadius around a year ago, and it is the way to go. JRadius only builds a layer on top of FreeRadius though, it is not a standalone RADIUS server, as is FreeRadius for example. It will allow you to create handlers written in java using the existing JRadius packages to deal with RADIUS events. If you need more specific details please let me know.

regards
George

Alex French wrote:
> 2008/5/12 Alan DeKok [EMAIL PROTECTED]:
>> http://coova.org/wiki/index.php/JRadius/ClientAPI ? It's actively supported. Unless there's another jradius out there...
>
> Aha, I was looking at http://jradius-client.sourceforge.net/ which is different. Thanks for the pointers.
>
> Alex
Freeradius in debug mode
Hi!

Is it possible to run freeradius in debug mode to have all debug (clients request) information in a log file? It is not usable to have an open console with the freeradius -Xf command.

Thanks
Alexey
Re: 0 Session Length, radrelay or Freeradius causing issues
Alan DeKok wrote:
> Etienne Pretorius wrote:
>> I need to know why the radrelay application stops replication when it comes across a 0 session length packet.
>
> Because the RADIUS server says that the accounting packet was not processed, so radrelay tries to send it again. This is what a NAS does when it does not receive a reply to an accounting request.
>
>> This morning I found a 40Mb backlog file for each server and realised that it was the 0 session-length packet again. I know FreeRadius does complain about it but it still logs this accounting packet into the sql database. So is it because FreeRadius indicates that an error (0 Session Length?). If so could I not just somehow tell FreeRadius to stop complaining and just accept the stupid packet. (As I am passing configurable triggers via 0 session length radius packets).
>
> You need to tell the RADIUS server that it should respond to the accounting request with 0 session length. Grab CVS head, and read raddb/sites-available/copy-acct-to-home-server
>
> It explains this.
>
> Also, in 2.0, radrelay is part of the server, and works much better than in 1.1.x.
>
> Alan DeKok.

Thank you. I'll take a look.

Kind Regards
Etienne Pretorius
Thank you kalik
hi kalik,

After a long pause, I've successfully done my authorization of my radius server by using digest and perl authentication in mixed mode. As per your advice I put the digest entry first before the perl authentication in the default file, and after that I've put a line of perl code $RAD_CHECK{'Cleartext-Password'} = $mypassword, where the password is fetched from the database. And finally the server starts reading the cleartext password and starts calculating the md5 encryption and successfully authorized a user.

Lastly, I thank all the members of this forum who are dedicated here to help solving the complex problem in a complicated environment, especially Evan Kalik who is much involved, regarding my problems of not getting my digest attributes.

Thanking you for your valuable time and consideration.

With Regards,
Johnson Elangbam
radiusd process vanishes on higher load
Hello!

I'm using a FreeRadius setup (V 1.1.3-3 from Debian etch) with the MySQL Backend for authorize and accounting. RADIUS packets are coming from another company, which /probably/ has a Proxy for their delivery front-end servers.

This setup usually works fine, but on some days I see spikes in the log, and the radiusd process vanishes; needing a restart.

I've set:
  max_request_time = 5
  cleanup_delay = 5
  max_requests = 4096
sql.conf:
  num_sql_socks = 256
nas:
  nastype = other

Usually, there will be a few 'stop packet with zero session length' log lines, about 1 per second or fewer.

At problem/spike time, I see a lot more of these 'stop packet with zero session length' stuff (about 30 per second); and this too:
  Info: The maximum number of threads (256) are active, cannot spawn new thread to handle request

Additionally, one of these things happen:
1) radiusd process vanishes without a log entry.
2) Error: Dropping request (4097 is too many): from client nasname:57426 - ID: 174
   Info: WARNING: Please check the radiusd.conf file. The value for 'max_requests' is probably set too low.
3) Error: Internal error processing module entry
   And radiusd usually vanishes after this.

With Option 3 I usually also see MySQL DB connection problems, but not all the time, and they are not always fatal (?).

So - am I missing something? Is this just a very long spike (can take 10 minutes to a few hours); Are there any counters in FR that I could track? (like packets per second, etc.)

Thanks,
Christian

--
Christian Hofstädtler
InQnet GmbH
Praterstraße 31
A-1020 Wien
Tel.: +43 1 212 7650 523
Fax.: +43 1 212 7650 610
Re: Freeradius in debug mode
Hi,

> Hi! Is it possible to run freeradius in debug mode to have all debug (clients request) information in log file. It is not usable to have open console with freeradius -Xf command.

redirect the output to a log file instead then... eg

radiusd -X > /var/log/radius-special.log 2>&1

alan
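The debug output that this redirect captures contains cleartext credentials: the traces quoted elsewhere on this page show lines such as "rlm_pap: login attempt with password ICANSEE", "Login incorrect (...): [tuc/ICANSEE]" and the User-Password attribute of every Access-Request. Before writing radiusd -X output to a persistent file, a practitioner would normally strip those values. The following script is an added example for this page, not code from the thread or from FreeRADIUS; the attribute list, the "<redacted>" marker and the sample lines are this example's own choices, and the sample lines are constructed in the shape of the quoted traces.

```python
#!/usr/bin/env python3
"""Redact credentials from FreeRADIUS debug (radiusd -X) output.

Added example, not part of FreeRADIUS. Intended use:
    radiusd -X 2>&1 | python3 redact_radius_debug.py >> /var/log/radius-debug.log
"""
import re
import sys

# Attributes whose values must not reach a persistent log. The list is an
# assumption of this example; extend it for site-specific secret attributes.
SECRET_ATTRS = ("User-Password", "CHAP-Password", "Tunnel-Password", "Cleartext-Password")
REDACTED = "<redacted>"

# "\tUser-Password = ICANSEE"  ->  "\tUser-Password = <redacted>"
ATTR_RE = re.compile(
    r"^(\s*(?:" + "|".join(re.escape(a) for a in SECRET_ATTRS) + r")\s*=\s*)(.*)$"
)
# "rlm_pap: login attempt with password ICANSEE"
PAP_RE = re.compile(r"^(\s*rlm_pap: login attempt with password )(.*)$")
# "Login incorrect (...): [tuc/ICANSEE] (from client ...)"
# Text after the first "/" inside the brackets is the password when the
# auth_goodpass/auth_badpass logging is enabled. A user name that itself
# contains "/" (e.g. a host/... machine account) cannot be told apart here,
# so the filter errs on the side of redacting it.
LOGIN_RE = re.compile(r"^(.*Login (?:OK|incorrect).*?\[[^/\]]+)/[^\]]*(\].*)$")


def redact_line(line: str) -> str:
    """Return the line with any credential value replaced by REDACTED."""
    m = ATTR_RE.match(line)
    if m:
        return m.group(1) + REDACTED
    m = PAP_RE.match(line)
    if m:
        return m.group(1) + REDACTED
    return LOGIN_RE.sub(r"\1/" + REDACTED + r"\2", line)


def redact_text(text: str) -> str:
    """Redact every line of a multi-line debug transcript."""
    return "\n".join(redact_line(line) for line in text.splitlines())


# Constructed sample in the shape of the debug traces quoted on this page.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 1812, id=0, length=44
\tUser-Name = tuc
\tUser-Password = ICANSEE
rlm_pap: login attempt with password ICANSEE
Login incorrect (rlm_pap: CRYPT password check failed): [tuc/ICANSEE] (from client localhost port 1812)
Login OK: [nagiostest] (from client amon port 0)
"""

if __name__ == "__main__":
    # Filter mode: read radiusd -X output on stdin, write the redacted copy to stdout.
    for raw in sys.stdin:
        sys.stdout.write(redact_line(raw.rstrip("\n")) + "\n")
        sys.stdout.flush()
```

The filter is line-oriented so it can sit in a pipe between radiusd and the log file; it leaves User-Name and everything else untouched, which keeps the trace useful for the kind of troubleshooting done in this thread while removing the one thing an attacker with read access to the log would want.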
Re: radiusd process vanishes on higher load
Hi,

> I'm using a FreeRadius setup (V 1.1.3-3 from Debian etch) with the MySQL Backend for authorize and accounting. RADIUS packets are coming from another company, which /probably/ has a Proxy for their delivery front-end servers. This setup usually works fine, but on some days I see spikes in the log, and the radiusd process vanishes; needing a restart.

1.1.3 (even with a few debian patches) is very very old. I would advise, if you want to stick with 1.1 train, to upgrade to 1.1.7 to fix several issues and bugs. 2.0 train - 2.0.4 would be a wiser investment of time.

> I've set: max_request_time = 5 cleanup_delay = 5 max_requests = 4096 sql.conf: num_sql_socks = 256 nas: nastype = other

why did you increase the default max_requests from the default 1024?

> Usually, there will be a few 'stop packet with zero session length' log lines, about 1 per second or fewer. At problem/spike time, I see a lot more of these 'stop packet with zero session length' stuff (about 30 per second); and this too: Info: The maximum number of threads (256) are active, cannot spawn new thread to handle request

this sounds like the number of requests coming in are overwhelming your SQL server - it's not fast enough to keep up with realtime RADIUS accounting packets. this usually happens suddenly - either when tables get to certain size or when the number of incoming packets gets to something reasonable.

so, options to make the SQL faster

1) change the engine - eg use innoDB for the SQL if you use MySQL
2) optimise and add keys etc to tables
3) stop using the DB for realtime accounting - use radsqlrelay/radrelay for 1.1 or the detail module in 2.0 - the server can then deal with realtime stuff and the accounting gets moved into 'almost real time' without affecting the server.

> Is this just a very long spike (can take 10 minutes to a few hours); Are there any counters in FR that I could track? (like packets per second, etc.)

if it's built with SNMP support you could always use eg RTG/MRTG to graph the counters...

alan
new CVS version is a little quiet....
hi,

recently upgraded a 2.0.4 CVS system to the 2.0.5 CVS and now the radius.log doesn't get populated with any OK or FAIL messages when users log in.

config log{} section as per the standard distro and unchanged from the 2.0.4 - which logged these things

auth = yes

in the log{} section

anyone else noted this?

alan
Re: new CVS version is a little quiet....
[EMAIL PROTECTED] wrote:
> hi, recently upgraded a 2.0.4 CVS system to the 2.0.5 CVS and now the radius.log doesn't get populated with any OK or FAIL messages when users log in. config log{} section as per the standard distro and unchanged from the 2.0.4 - which logged these things auth = yes in the log{} section anyone else noted this?

Whilst looking at the CVS version the other day I noticed logging changes; you might do a source-compare to see the alterations.

alan
Re: new CVS version is a little quiet....
[EMAIL PROTECTED] wrote:
> recently upgraded a 2.0.4 CVS system to the 2.0.5 CVS and now the radius.log doesn't get populated with any OK or FAIL messages when users log in.

Which messages?

> config log{} section as per the standard distro and unchanged from the 2.0.4 - which logged these things auth = yes in the log{} section anyone else noted this?

I made some changes to make the code match the documented behavior. The default values for auth_badpass and auth_goodpass are no, which *doesn't* log anything. When I tested it, I didn't see any logs when auth=yes, and good/badpass = no. Hence the changes.

If you set good/badpass to yes, you will see the log messages.

Which messages specifically are you looking for?

Alan DeKok.
Re: new CVS version is a little quiet....
Hi,

> Which messages?

the old classic:

Thu May 1 05:23:50 2008 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [nagios-2] (from client server1 port 0)
Thu May 1 08:12:52 2008 : Auth: Login OK: [nagiostest] (from client amon port 0)
Thu May 1 08:15:51 2008 : Auth: Login OK: [host/random-box.lboro.ac.uk] (from client Cisco-AP port 50013 cli 00-11-22-33-44-55 via TLS tunnel)

> I made some changes to make the code match the documented behavior. The default values for auth_badpass and auth_goodpass are no, which *doesn't* log anything.

ah. i think i see what you mean... and a quick look at main/auth.c shows that the code now does

if goodpass and the user asked to log good passwords then print
if not a goodpass and the user asked to log not good passwords then print

> When I tested it, I didn't see any logs when auth=yes, and good/badpass = no. Hence the changes. If you set good/badpass to yes, you will see the log messages.

which is logical... but i think the wording and description of the behaviour is wrong in the config file then... i always thought that the goodpass and badpass would actually log the passwords themselves(!) - oh... but wait, it does!!! oh. that's not good. no, we need to have a safer logging of just like it used to be - auth logging without the password printing. just print the username/stripped-user (config option), don't print the password if it's good or bad.

alan
Re: new CVS version is a little quiet....
hi,

further to last message... users would choose to log the auths in radius.log but don't want to log good passwords or bad passwords... have submitted a 'bug' to handle the DIFF

alan
Parser problem?
I don't want the module saneusername to be executed, when the username either contains HOST or ends with .net or contains @. Therefore in 2.0.4 I have this code in sites-available/default:

authorize {
    if (!( %{User-Name} =~ /HOST/ || %{User-Name} =~ /.net/ || %{User-Name} =~ /@/ )) {
        saneusername
    }
    ..

Starting radiusd -X ...

rad_recv: Access-Request packet from host 149.246.185.169 port 60938, id=0, length=168
        User-Name = HOST/02G1-67.us002.mycompany.net
        NAS-IP-Address = 10.10.20.77
        Calling-Station-Id = 00-00-00-00-00-02
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 11Mbps 802.11b
        EAP-Message = 0x022301484f53542f303247312d36372e75733030322e7369656d656e732e6e6574
        Message-Authenticator = 0x1836592939950fab657ec0d5568883c4

With that User-Name I would expect the module not be executed.

+- entering group authorize
++? if (!( %{User-Name} =~ /HOST/ || %{User-Name} =~ /.net/ || %{User-Name} =~ /@/ ))
        expand: %{User-Name} -> HOST/02G1-67.us002.mycompany.net
?? Evaluating (%{User-Name} =~ /HOST/) -> TRUE
? Converting !TRUE -> FALSE
        expand: %{User-Name} -> HOST/02G1-67.us002.mycompany.net
? Evaluating (%{User-Name} =~ /.net/) -> TRUE
 Skipping (%{User-Name} =~ /@/)
++? if (!( %{User-Name} =~ /HOST/ || %{User-Name} =~ /.net/ || %{User-Name} =~ /@/ )) -> TRUE
++- entering if (!( %{User-Name} =~ /HOST/ || %{User-Name} =~ /.net/ || %{User-Name} =~ /@/ ))
        expand: [-] -> [-]
saneusername: Changed value for attribute User-Name from 'HOST/02G1-67.us002.mycompany.net' to 'HOST/02G167.us002.mycompany.net'

Now unfortunately the username has been changed.

+++[saneusername] returns ok
++- if (!( %{User-Name} =~ /HOST/ || %{User-Name} =~ /.net/ || %{User-Name} =~ /@/ )) returns ok
++? if (%{sqlnastype:SELECT UserName from usergroup where UserName = '%{User-Name}' } == )

What do I have to change to make it work as expected?

Norbert Wegener
Re: Move from text to SQL(Postgresql)
> Hey Tuc,
>
> Regarding your issue, check the radiusd.conf file, in the modules{} section for the pap module settings, you probably have it set to encryption_scheme = crypt, if so, change it to clear.

No, it's the standard :

pap {
        auto_header = no
}

I had followed (I thought) :

http://wiki.freeradius.org/SQL_HOWTO

just like I did (I think) for MySQL and had that working straight off.

[Discussion of his sourceforge project that comes with just about every reply he does deleted]

So not sure what's happening or not happening..

Tuc

> Liran.
>
> On Tue, May 13, 2008 at 3:20 AM, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:
>> Hi,
>>
>> I've got a new install, and I have it working fine with plain text files. I'm trying to go this time to Postgresql (Don't ask) and I'm just not having a good time of it. I don't get why it's doing the following (2.0.4 with Postgresql 8.1.11) :
>>
>> Ready to process requests.
>>         User-Name = tuc
>>         User-Password = ICANSEE
>>         NAS-IP-Address = 192.168.3.128
>>         NAS-Port = 1812
>> +- entering group authorize
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>>     rlm_realm: No '@' in User-Name = tuc, looking up realm NULL
>>     rlm_realm: No such realm NULL
>> ++[suffix] returns noop
>>   rlm_eap: No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[unix] returns updated
>> ++[files] returns noop
>>         expand: %{User-Name} -> tuc
>> rlm_sql (sql): sql_set_user escaped user --> 'tuc'
>> rlm_sql (sql): Reserving sql socket id: 4
>>         expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'tuc' ORDER BY id
>> rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'tuc' ORDER BY id
>> rlm_sql_postgresql: Status: PGRES_TUPLES_OK
>> rlm_sql_postgresql: query affected rows = 1 , fields = 5
>> rlm_sql (sql): User found in radcheck table
>>         expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'tuc' ORDER BY id
>> rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'tuc' ORDER BY id
>> rlm_sql_postgresql: Status: PGRES_TUPLES_OK
>> rlm_sql_postgresql: query affected rows = 1 , fields = 5
>>         expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='tuc' ORDER BY priority
>> rlm_sql_postgresql: query: SELECT GroupName FROM radusergroup WHERE UserName='tuc' ORDER BY priority
>> rlm_sql_postgresql: Status: PGRES_TUPLES_OK
>> rlm_sql_postgresql: query affected rows = 0 , fields = 1
>> rlm_sql (sql): Released sql socket id: 4
>> ++[sql] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> ++[pap] returns updated
>>   rad_check_password:  Found Auth-Type
>> auth: type PAP
>> +- entering group PAP
>> rlm_pap: login attempt with password ICANSEE
>> rlm_pap: Using CRYPT encryption.
>> rlm_pap: Passwords don't match
>> ++[pap] returns reject
>> auth: Failed to validate the user.
>> Login incorrect (rlm_pap: CRYPT password check failed): [tuc/ICANSEE] (from client localhost port 1812)
>>   Found Post-Auth-Type Reject
>> +- entering group REJECT
>>         expand: %{User-Name} -> tuc
>>  attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 0 for 1 seconds
>>
>> Why does it head to crypt? I have in radcheck :
>>
>> Welcome to psql 8.1.11, the PostgreSQL interactive terminal.
>>
>> Type:  \copyright for distribution terms
>>        \h for help with SQL commands
>>        \? for help with psql commands
>>        \g or terminate with semicolon to execute query
>>        \q to quit
>>
>> radius=> select * from radcheck;
>>  id | username |     attribute      | op |  value
>> ----+----------+--------------------+----+---------
>>   2 | tuc      | Cleartext-Password | := | ICANSEE
>> (1 row)
>>
>> radius=>
>>
>> Thanks, Tuc
Re: Load testing tool recommendation
Nope, no wireless involved. Good thought though! :)

//anders

----- Original Message -----
From: Marinko Tarlac [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sunday, May 11, 2008 4:01:57 PM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re: Load testing tool recommendation

Wireless could be the problem if you have some wireless links between radius server and your NAS.

Alan DeKok wrote:
> Anders Holm wrote:
>> In my tests, radclient has been /slower/ than the radtest processes forked from a Perl script. 100 requests using my forking Perl script takes 2.2 seconds to complete. 100 requests using radclient takes ~8x, i.e 16.7+ seconds to complete.
>
> You can run radclient -x to see what it's doing. Printing the sent/received packets slows it down, but not that much.
>
> When I run radclient -q -c 1, I can easily run 5k packets/s to the local machine. My tests from remote machines are a little slower, but not 5 packets/s.
>
> I'd say there's something wrong in your network, but I'm not sure where.
>
> Alan DeKok.
Re: Move from text to SQL(Postgresql)
> Hi,
>
>>> Hey Tuc, Regarding your issue, check the radiusd.conf file, in the modules{} section for the pap module settings, you probably have it set to encryption_scheme = crypt, if so, change it to clear.
>>
>> No, its the standard : pap { auto_header = no }
>
> change this to 'yes' so that the PAP module can be more clever

I copied the configs from a working MySQL backended 2.0.3 system. I changed mysql to postgresql anywhere needed... Still wasn't working. I put in this suggestion, and :

  rad_check_password:  Found Auth-Type
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password ICANSEE
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [tuc/ICANSEE] (from client localhost port 1812)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> tuc
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

I don't get it..

Tuc
Re: Move from text to SQL(Postgresql)
> Tuc at T-B-O-H.NET wrote:
>> No, its the standard : pap { auto_header = no }
>
> It looks like you have something else in the system adding a Crypt-Password for the user... before the SQL module is called. Check the unix module. It WILL say something in debug mode about this.

RAGAFRASSEN BIDDA FRIGINA.. How the heck come this doesn't do it on the OTHER system. I have a local unix user there called tuc too, but I had tuc User-Password:=ICANSEE on the Linux system (This is FreeBSD) and it never tripped me up there! SIGH

Thank you very much for pointing out my stupidity. I'll try to be more aware to look at ALL the debug in the future.

Tuc
Re: Move from text to SQL(Postgresql)
Hi,

>> Hey Tuc, Regarding your issue, check the radiusd.conf file, in the modules{} section for the pap module settings, you probably have it set to encryption_scheme = crypt, if so, change it to clear.
>
> No, its the standard : pap { auto_header = no }

change this to 'yes' so that the PAP module can be more clever

alan
Re: Move from text to SQL(Postgresql)
Tuc at T-B-O-H.NET wrote:
> No, its the standard : pap { auto_header = no }

It looks like you have something else in the system adding a Crypt-Password for the user... before the SQL module is called. Check the unix module. It WILL say something in debug mode about this.

Alan DeKok.
Re: Load testing tool recommendation
Hi,

> Nope, no wireless involved. Good thought though! :)

it's not doing DNS lookups each time is it?

alan
Re: Parser problem?
Norbert Wegener wrote:
> I don't want the module saneusername to be executed, when the username either contains HOST or ends with .net or contains @. Therefore in 2.0.4 I have this code in sites-available/default:
>
> authorize {
>     if (!( %{User-Name} =~ /HOST/ || %{User-Name} =~ /.net/ || %{User-Name} =~ /@/ )) {

Put brackets around everything. The parser is *horrible*.

if (!((User-Name =~ /HOST/) || (User-Name =~ /\.net$/) || (User-Name =~ /@/))) {

i.e. all on one line, with brackets around every condition.

This should also work:

if (User-Name !~ /HOST|\.net$|@/) {

> What do I have to change to make it work as expected?

Brackets. The parser really needs to be updated to use something sane... like yacc.

Alan DeKok.
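Besides the bracketing, the reply quietly fixes a second problem in the question's condition: /.net/ has an unescaped dot and no end anchor, so it matches any name containing "net" preceded by one more character, not just names ending in ".net". The Python check below is an added example for this page (not unlang, not code from the thread or from FreeRADIUS) that evaluates the reply's combined HOST|\.net$|@ pattern and, beside it, the original /.net/, over a set of user names. The names are constructed for the example except the first, which is the User-Name from the question's debug output; for these simple patterns Python's re and the POSIX regex FreeRADIUS uses agree.

```python
import re

# Combined exclusion pattern from the reply:
#   if (User-Name !~ /HOST|\.net$|@/) { saneusername }
SKIP_SANEUSERNAME = re.compile(r"HOST|\.net$|@")

# The pattern as written in the question. "." is any character and there is
# no "$", so it also matches names that merely contain "<char>net".
LOOSE_DOTNET = re.compile(r".net")


def should_run_saneusername(user_name: str) -> bool:
    """True when the corrected unlang condition would enter the block and call saneusername."""
    return SKIP_SANEUSERNAME.search(user_name) is None


def loose_dotnet_false_positives(user_names):
    """Names that /.net/ would exclude from saneusername although they do not end in '.net'."""
    return [n for n in user_names if LOOSE_DOTNET.search(n) and not n.endswith(".net")]


# Constructed sample inputs; the first is the User-Name from the question's debug output.
SAMPLE_USER_NAMES = [
    "HOST/02G1-67.us002.mycompany.net",
    "alice@example.org",
    "bob.smith.net",
    "janet",     # contains "anet": matches /.net/ but not /\.net$/
    "cabinet",   # contains "inet": same problem
    "carol",
]

if __name__ == "__main__":
    for name in SAMPLE_USER_NAMES:
        action = "run" if should_run_saneusername(name) else "skip"
        print(f"{name:35} saneusername={action}")
    print("wrongly excluded by /.net/:", loose_dotnet_false_positives(SAMPLE_USER_NAMES))
```

Because saneusername rewrites the User-Name before the SQL lookup that follows it in the question's trace, an over-broad exclusion pattern means some users are looked up under an un-sanitised name; checking the pattern against real names from the logs before deploying it is cheap.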
stripping domain from username (for wifi authentication on Windows XP)
Hello everyone,

I am using freeradius to have my wifi network use my LDAP credentials for authentication. However, Windows has this glorious default setting that automatically passes the domain username and password to the radius server to authenticate for wifi access. While I can easily uncheck a box to make that behavior not happen, it would be great if I could just have radius accept those credentials. The windows domain and radius both use the same LDAP directory. The only issue is Windows sends the username as DOMAIN\\username. Is it possible to have freeradius ignore the DOMAIN\\ part of the username?

Thanks in advance.

Ryan Pugatch
EAP-TTLS + PAP with external script
I'm trying to use an external php script to authenticate users connecting to an Access Point. Protocol used is EAP-TTLS with PAP as inner authentication protocol.

The relevant parts of config file i use is:

** radiusd.conf *
modules {
    pap {
        auto_header = yes
    }
    exec test {
        wait = yes
        program = /usr/local/bin/php -f /etc/raddb/radiusaccess.php
        input_pairs = request
        output_pairs = reply
    }
}

authorize {
    preprocess
    suffix
    eap
    pap
}

authenticate {
    Auth-Type PAP {
        test
    }
    eap
}
* END radiusd.conf **

When i try to connect the TTLS communication seems to work fine but this is the relevant output of radiusd -X at the final steps

radiusd -X *
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = testa
        User-Password = testb
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = testa
        User-Password = testb
        FreeRADIUS-Proxied-To = 127.0.0.1
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Id = wlan1
        Calling-Station-Id = 00-13-49-71-85-68
        Called-Station-Id = 00-80-48-47-6B-E1:comune_segrate_milano_oltre
        NAS-Identifier = AP2
        NAS-IP-Address = 192.168.11.168
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
  modcall[authorize]: module preprocess returns ok for request 9
    rlm_realm: No '@' in User-Name = testa, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 9
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 9
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 9
modcall: leaving group authorize (returns ok) for request 9
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
  rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 9
modcall: leaving group authenticate (returns invalid) for request 9
auth: Failed to validate the user.
Delaying request 9 for 1 seconds
Finished request 9
 END radiusd -X **

As you can see there is the message:

rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 9

So the php script for pap authorization is not even executed. Maybe there is something i missed in configuration?

Thanx
Maccari Dario
Re: stripping domain from username (for wifi authentication on Windows XP)
Hi,

> Hello everyone,
>
> I am using freeradius to have my wifi network use my LDAP credentials for authentication. However, Windows has this glorious default setting that automatically passes the domain username and password to the radius server to authenticate for wifi access. While I can easily uncheck a box to make that behavior not happen, it would be great if I could just have radius accept those credentials. The windows domain and radius both use the same LDAP directory. The only issue is Windows sends the username as DOMAIN\\username. Is it possible to have freeradius ignore the DOMAIN\\ part of the username?

yes, check the configuration files for the prefix part. are you using 1.1.x or 2.0.x? if 1.1.x you can also use the rewrite module to copy User-Name to Stripped-User-Name and then blow away the DOMAIN\\ part - or any preceding STUFF\\

if you use 2.0.x then use unlang to do the same job efficiently when and where you need it.

alan
Re: Move from text to SQL(Postgresql)
Hi,

> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>     rlm_realm: No '@' in User-Name = tuc, looking up realm NULL
>     rlm_realm: No such realm NULL
> ++[suffix] returns noop
>   rlm_eap: No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns updated

unix returns updated does it? so, you have the unix module enabled in the authenticate section...which means it's looking in /etc/password - and there's a nice entry in there for 'tuc'?

alan
Re: EAP-TTLS + PAP with external script
Hi,

you're not authorising the user. there's nothing to allow them access in the authorise section.

> modcall: entering group authorize for request 9
>   modcall[authorize]: module preprocess returns ok for request 9
>     rlm_realm: No '@' in User-Name = testa, looking up realm NULL
>     rlm_realm: No such realm NULL
>   modcall[authorize]: module suffix returns noop for request 9
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module eap returns noop for request 9
> rlm_pap: WARNING! No known good password found for the user.  Authentication may fail because of this.
>   modcall[authorize]: module pap returns noop for request 9

alan
Re: Move from text to SQL(Postgresql)
> Hi,
>
> > +- entering group authorize
> > ++[preprocess] returns ok
> > ++[chap] returns noop
> > ++[mschap] returns noop
> >     rlm_realm: No '@' in User-Name = tuc, looking up realm NULL
> >     rlm_realm: No such realm NULL
> > ++[suffix] returns noop
> >   rlm_eap: No EAP-Message, not doing EAP
> > ++[eap] returns noop
> > ++[unix] returns updated
>
> unix returns updated does it? so, you have the unix module enabled in the authenticate section...which means it's looking in /etc/password - and there's a nice entry in there for 'tuc'?

Unfortunately, yup, exactly correct. The weird thing is that I took the config VERBATIM off a functioning Linux/FR2.0.3/MySQL system (changing to postgresql) where I was ALSO a local user, and it never did that! As soon as I changed the user to be one NOT in unix, it worked. As soon as I used my unix password with tuc, it worked.

Thanks... I didn't even notice it, I was concentrating too much on the sql section.

Tuc
RE: EAP-TTLS + PAP with external script
Isn't pap in the authorize section there to do the job? How can I authorize ANY user so that they will be authenticated by the php script?

Bye
Dario Maccari

> Hi,
>
> you're not authorising the user. there's nothing to allow them access in the authorise section.
Re: Load testing tool recommendation
Hmm.. I *am* referencing the radius server with FQDN ... Lemme flip that switch and see what I get to play with ...

Good catch .. It's letting me ship some more packets through per second.. no final figures yet, but starting to hit 5k pkts/sec, though the radius server is still not sweating nearly as much as I want it to (sitting between 12-15% CPU, and the client system is maxing itself out trying to keep up, and the client is a bigger machine than the server) ...

//anders

- Original Message -
From: A L M Buxey [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, May 13, 2008 2:55:56 PM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re: Load testing tool recommendation

> Hi,
>
> > Nope, no wireless involved. Good thought though! :)
>
> its not doing DNS lookups each time is it?
>
> alan
Re: Re: stripping domain from username (for wifi authentication on Windows XP)
- Original Message -
From: [EMAIL PROTECTED]
Sent: 11:10 am
To: FreeRadius users mailing list
Subject: Re: stripping domain from username (for wifi authentication on Windows XP)

> Hi,
>
> > Hello everyone,
> >
> > I am using freeradius to have my wifi network use my LDAP credentials for authentication. However, Windows has this glorious default setting that automatically passes the domain username and password to the radius server to authenticate for wifi access. While I can easily uncheck a box to make that behavior not happen, it would be great if I could just have radius accept those credentials. The windows domain and radius both use the same LDAP directory. The only issue is Windows sends the username as DOMAIN\\username. Is it possible to have freeradius ignore the DOMAIN\\ part of the username?
>
> yes, check the configuration files for the prefix part. are you using 1.1.x or 2.0.x? if 1.1.x you can also use the rewrite module to copy User-Name to Stripped-User-Name and then blow away the DOMAIN\\ part - or any preceding STUFF\\
>
> if you use 2.0.x then use unlang to do the same job efficiently when and where you need it.
>
> alan

Alan,

Thanks for the response. I'm using 1.1.x. Currently, I have the ldap filter defined as:

    filter = (uid=%{Stripped-User-Name:-%{User-Name}})

I have enabled with_ntdomain_hack on preprocess. However, since doing that, I am receiving the following error:

    Tue May 13 11:34:39 2008 : Error: rlm_eap: Identity does not match User-Name, setting from EAP Identity.
    Tue May 13 11:34:39 2008 : Auth: Login incorrect: [rpugatch] (from client aruba port 3 cli 001F3A4CE09E)

This worked before enabling with_ntdomain_hack. It seems like the username is now being stripped properly, but it isn't matching something properly. Unfortunately, I don't seem to understand exactly what is going wrong.

Ryan
Regarding: FreeRADIUS sending Access-Reject if no response to proxied Access-Request
> Doug Hardie [EMAIL PROTECTED] wrote:
> > > Why? What's so problematic about the Access-Rejects?
> >
> > Because the NAS will not switch over to the alternate radius server which is probably working properly.
>
> Ok... so does the proxying server mark *all* home servers as dead?
>
> The problem is that if the NAS is using the same RADIUS server for other purposes, (i.e. packets which aren't proxied), then it can fail over to the backup, even though parts of the server still work...
>
> If there's *no* way for the server to authenticate *any* packets, then that's reasonable grounds for pretending to be dead. Any other partial live system means that your local site will have to determine what packets to reply to, and why.
>
> I'm willing to add a patch where a module can mark a packet no reply. It's then up to you to have a site-local module to mark some packets. But that knowing *when* to do that is up to you, and is *very* site-specific. Adding patches to the server core to support one site's configuration is problematic.
>
> Alan DeKok.

Link to the thread above.
http://lists.cistron.nl/pipermail/freeradius-users/2004-April/030887.html

Hello,

Anyone who knows if and where the patch mentioned above can be. I found this discussion thread, but I do not know where and how to find the patch, if available. This would solve our problem with an unresponsive user resource management server accessed through a customised module in FreeRadius.

FreeBSD version 6.3
FreeRADIUS Version 1.1.7

Best Regards,
Joakim Bentholm
Re: Load testing tool recommendation
Hi,

> Hmm.. I *am* referencing the radius server with FQDN ... Lemme flip that switch and see what I get to play with ...
>
> Good catch .. It's letting me ship some more packets through per second.. no final figures yet, but starting to hit 5k pkts/sec, though the radius server is still not sweating nearly as much as I want it to (sitting between 12-15% CPU, and the client system is maxing itself out trying to keep up, and the client is a bigger machine than the server) ...

:-)

ah. joys. there might be issues with the networking stack dealing with those numbers of new connections per sec - plenty of online resources that will tweak those aspects of the stack but you may need to launch several client threads to get this ramping up - don't forget, the server itself is multithreaded and generally it's the 3rd party auth bits (mysql, postgres, AD etc) that will be the deciding factor.

alan
Re: EAP-TLS can't get connected..etc.
Hi Everyone,

I installed Freeradius 2.0.4 as Mr. Alan DeKok had suggested. I browsed www.freeradius.org and ran the commands below.

    #cvs -d :pserver:[EMAIL PROTECTED]:/source login
    CVS password: anoncvs

nothing happens and it returns to #

    #cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd

then under #/usr/share/doc/radiusd ..run

    #./configure --with-openssl-includes=/usr/include/openssl --with-openssl-libraries=/usr/lib/libxm --with-prefix=/usr/local/radius
    # make
    #make install

got some errors

    btool: install: error: cannot install rlm_acctlog.la to a directory not ending in /usr/local/lib/lib
    gmake[6]: *** [install] Error1
    gmake[6]: Leaving dictory '/usr/share/doc/radiusd/src/modules/rlm_acctog'
    gmake[5]: *** Error 2
    gmake[5]: Leaving directory '/usr/share/doc/radiusd/src/modules'
    gmake[4]: *** Error 2
    gmake[4]: Leaving directory '/usr/share/doc/radiusd/src/modules'
    gmake[3]: *** Error 2
    gmake[3]: Leaving directory '/usr/share/doc/radiusd/src'
    gmake[2]: *** Error 2
    gmake[2]: Leaving directory '/usr/share/doc/radiusd/src'
    gmake[1]: *** Error 2
    gmake[1]: Leaving directory '/usr/share/doc/radiusd'
    make: *** [install] Error 2

I checked the version in /usr/share/doc/radius/VERSION and it shows 2.0.2 (installed before). Have I installed freeradius-2.0.4? where is it located?

If I want to uninstall or remove a previous version such as Freeradius-1.1.7 ..what command should I run, or just simply delete the folder in Freeradius?

thanks in advance.

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, May 9, 2008 7:50:34 PM
Subject: Re: EAP-TLS can't get connected..etc.

> Kwok Sianbin wrote:
> > I am newbie to linux and recently I try to implement wireless connection with EAP-TLS encryption. I am using Freeradius-1.1.7 installed into Red Hat Enterprise 4.
>
> You should really use 2.0.4.
>
> > Here I encounter problems that I can't solve it alone hence I need advice guru from this forum.
> > the problem is client just can't get connected and keep request.
> ...
> > Sending Access-Challenge of id 15 to 192.168.0.206 port 1025
> ...
> > Going to the next request
> > Waking up in 6 seconds...
>
> This is in the FAQ. It's also documented in the eap.conf file in 2.0.4.
>
> > Here I post the CA.certs execution result as I suspect that the errors might be due to certificate error. When I run ./CA.certs and I got a few errors.
>
> 2.0.4 also contains new scripts for certificate creation. They're MUCH better than what's in 1.1.7.
>
> Alan DeKok.
Re: EAP-TLS can't get connected..etc.
Hi,

> I installed Freeradius 2.0.4 as Mr. Alan DeKok had suggested. I browsed www.freeradius.org and ran the commands below.
>
>     #cvs -d :pserver:[EMAIL PROTECTED]:/source login
>     CVS password: anoncvs
>
> nothing happens and it returns to #

'nothing' should happen as all you've done is log into a CVS session

>     #cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd

this will download the latest CVS version - '2.0.5' from the main site into a directory called 'radiusd' - which will be put into wherever you were when you ran the command

compile problems could be due to having the latest CVS code which might have a problem in it at any time. was there a specific reason not to use eg the 2.0.4.tar.bz2 download from the freeradius.org site?

> I checked the version in /usr/share/doc/radius/VERSION and it shows 2.0.2 (installed before). Have I installed freeradius-2.0.4?

not from what i've seen you type. what does eg 'radiusd -v' tell you?

> If I want to uninstall or remove a previous version such as Freeradius-1.1.7 ..what command should I run, or just simply delete the folder in Freeradius?

how did you install it? from RPM or APT etc? or from source? if from source, you will need to look in the binary and library directories for all the files it will have installed...usually

    /location/to/bin/rad*
    /location/to/lib/rlm_*
    /local/to/lib/radius*

and then a whole load of things in /usr/share/radius etc etc (just do eg 'make -n install' to see what it puts where).

alan
Multiple instances of attribute in tunnelled reply
Hi,

I think that I have a similar problem when freeradius has to send Access-Accept with multiple Cisco-AVPair=ssid=... entries. Do you think it will be fixed in the near future?

Thanks.

Konstantin

Konstantin KABASSANOV
LIP6/CNRS
104, avenue du Président Kennedy, 75016 Paris, France
Phone: +33 (0) 1 44 27 71 26
Fax: +33 (0) 1 44 27 74 95
E-mail: [EMAIL PROTECTED]
Web: http://www.kabassanov.com
Certificate: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html
Re: RE:huntgroups are failing auth - missing Chap Password
FreeRadius users mailing list freeradius-users@lists.freeradius.org writes:

> > > I must be missing something here, likely due to my limited experience with FreeRADIUS.
> >
> > No, all you have to do is to be able to read. With care and understanding.
>
> OK, I'll re-read again. After re-reading the instructions in the users file the only thing I can see that is relevant when using huntgroups is an entry for a user that has no User-Password attribute assigned which I assume means that the default Auth-Type System will kick in and look the password up in another file someplace. What I don't know is the location of this file and how to go about adding the password for my users.

Forget huntgroups. That part is fine. Password attribute is the problem. So you have re-read instructions in users file. Did you find User-Password used in any of the examples? Or perhaps some other password attribute? The one that debug suggests is missing?

> As I said before, the only example of using a huntgroup I can see in the users file does not list a password attribute at all. so assuming that I should set the attribute to either CHAP-Password ==password or Cleartext-Password == password I tried both and of course neither works.
>
>     testuser Huntgroup-Name ==testgroup, CHAP-Password == password
>
> yields the same error as having used Cleartext-Password, User-Password or no password at all.
>
> Is the use of a huntgroups file the best way for me to accomplish what I am trying to do? I want to limit user Bob so that he can only login from one specific access point.

For a single device NAS-IP-Address should be better (avoiding use of huntgroups). For a group of devices huntgroups work well as long as the (hunt)groups don't overlap.

Ivan Kalik
Kalik Informatika ISP
Re: huntgroups are failing auth - missing Chap Password
Terry Pelley wrote:
> As I said before, the only example of using a huntgroup I can see in the users file does not list a password attribute at all.

Because the huntgroups file isn't about setting the password. i.e. it doesn't *do* that. It's not *supposed* to do that.

> Is the use of a huntgroups file the best way for me to accomplish what I am trying to do? I want to limit user Bob so that he can only login from one specific access point.

users file:

    bob    Client-IP-Address != 1.2.3.4, Auth-Type := Reject

That's it. No huntgroups are necessary.

Alan DeKok.
Re: Regarding: FreeRADIUS sending Access-Reject if no response to proxied Access-Request
Joakim Bentholm wrote:
> Anyone who knows if and where the patch mentioned above can be. I found this discussion thread, but I do not know where and how to find the patch, if available. This would solve our problem with an unresponsive user resource management server accessed through a customised module in FreeRadius.
>
> FreeBSD version 6.3
> FreeRADIUS Version 1.1.7

No new features are going into 1.1.7.

This could be investigated for 2.0. i.e. the code in 2.0 makes this *much* easier to do than the code in 1.1.x.

Alan DeKok.
Re: EAP-TLS can't get connected..etc.
Kwok Sianbin wrote:
...
> got some errors
>
>     btool: install: error: cannot install rlm_acctlog.la to a directory not ending in /usr/local/lib/lib

In 10 years of fighting libtool, I have *never* seen this error. I have no idea what this means.

Alan DeKok.
Re: stripping domain from username (for wifi authentication on Windows XP)
Ryan Pugatch wrote:
...
> Thanks for the response. I'm using 1.1.x. Currently, I have the ldap filter defined as:
>
>     filter = (uid=%{Stripped-User-Name:-%{User-Name}})
>
> I have enabled with_ntdomain_hack on preprocess.

Don't. Use:

    filter = (uid=%{mschap:User-Name:-%{User-Name}})

The MS-CHAP module is smart enough to know about horrible Microsoft DOMAIN\user things.

Alan DeKok.
Re: Re: stripping domain from username (for wifi authentication on Windows XP)
- Original Message -
From: Alan DeKok
Sent: 02:32 pm
To: FreeRadius users mailing list
Subject: Re: stripping domain from username (for wifi authentication on Windows XP)

> Ryan Pugatch wrote:
> ...
> > Thanks for the response. I'm using 1.1.x. Currently, I have the ldap filter defined as:
> >
> >     filter = (uid=%{Stripped-User-Name:-%{User-Name}})
> >
> > I have enabled with_ntdomain_hack on preprocess.
>
> Don't. Use:
>
>     filter = (uid=%{mschap:User-Name:-%{User-Name}})
>
> The MS-CHAP module is smart enough to know about horrible Microsoft DOMAIN\user things.
>
> Alan DeKok.

Worked like a charm. Thank you, Alan.

Ryan
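The thread above boils down to one transformation: take the User-Name the supplicant sent as DOMAIN\user, drop the domain prefix, and put the bare user into the uid= filter the ldap module runs. The following is an added example, not FreeRADIUS code and not the mschap xlat, that shows that transformation in plain Python so the behaviour can be checked outside the server. The domain label EXAMPLE is constructed; the user rpugatch is the one from the thread. Because User-Name arrives from the wire, the example also escapes the value per RFC 4515 before it is placed in the filter (rlm_ldap does its own escaping when it expands its filter; the escaping here is for anything you build from User-Name outside the server).

```python
"""Strip an NT-domain prefix and build the uid= LDAP filter from the result.

Added example, not code from FreeRADIUS.  Sample names are constructed.
"""
import re
from typing import Optional, Tuple

# DOMAIN\user: everything up to the first backslash is the domain.  Windows
# does not allow a backslash inside the user part, so one split is enough.
_NT_DOMAIN = re.compile(r"^([^\\]+)\\(.+)$")

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def split_nt_domain(user_name: str) -> Tuple[Optional[str], str]:
    """Return (domain, user) for 'DOMAIN\\user'; (None, user_name) otherwise.

    This mirrors what the thread asks for: the DOMAIN\\ part is thrown away
    and only the user part goes on to the directory lookup.
    """
    m = _NT_DOMAIN.match(user_name)
    if not m:
        return None, user_name
    return m.group(1), m.group(2)


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it cannot change the structure of a search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def uid_filter(user_name: str) -> str:
    """Build the filter the ldap module would run for this User-Name.

    Equivalent in spirit to filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    once the NT-domain prefix has been removed.
    """
    _domain, user = split_nt_domain(user_name)
    return "(uid=%s)" % ldap_filter_escape(user)


if __name__ == "__main__":
    # Constructed sample User-Names as a Windows supplicant might send them.
    for name in ("EXAMPLE\\rpugatch", "rpugatch", "bob)(uid=*"):
        print("%-20s -> %s -> %s" % (name, split_nt_domain(name), uid_filter(name)))
```

The third sample shows why the escaping matters: a User-Name containing filter metacharacters is searched for literally instead of being allowed to rewrite the filter.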
OpenSSL Security in Debian Ubuntu since 2006
If you have generated SSL certificates on Debian or Ubuntu since 2006, you should seriously consider re-creating them.

http://lists.debian.org/debian-security-announce/2008/msg00152.html
https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-May/000705.html

This applies to SSH keys, too.

Alan DeKok.
Re: RE:huntgroups are failing auth - missing Chap Password
How difficult can it be to follow clearly written instructions?

> As I said before, the only example of using a huntgroup I can see in the users file does not list a password attribute at all. so assuming that I should set the attribute to either CHAP-Password ==password or Cleartext-Password == password I tried both and of course neither works.

No. It doesn't. Why? Let's have a look at the password entry from the users file:

    Cleartext-Password := testing

Can you see *any* difference between that and what you were using? Fix it and it will work.

>     testuser Huntgroup-Name ==testgroup, CHAP-Password == password
>
> yields the same error as having used Cleartext-Password, User-Password or no password at all.

like no password at all - exactly. Your password entry is wrong. Use entries that documentation suggests. Stop hanging hopelessly on to the way it used to be - I think that you have established by now that the old way doesn't work.

Ivan Kalik
Kalik Informatika ISP
Re: EAP-TLS can't get connected..etc.
Hi,

> Kwok Sianbin wrote:
> ...
> > got some errors
> >
> >     btool: install: error: cannot install rlm_acctlog.la to a directory not ending in /usr/local/lib/lib
>
> In 10 years of fighting libtool, I have *never* seen this error. I have no idea what this means.

http://lists.gnu.org/archive/html/libtool/2006-09/msg00066.html ?

there are various weird issues with libtool - one of the nasty gotchas is if DESTDIR and prefix clash in some way, the usage of --with-libdir= is then thrown into the mix

best not to play with random paths in the ./configure stage just take a simple directory location and have the libs within it - like the default build does...

alan
Re: OpenSSL Security in Debian Ubuntu since 2006
hi,

thank you Alan for your responsible reporting of this issue, as anyone using FreeRADIUS with EAP-TLS etc will be using OpenSSL anyone on any platform with a weak key method needs to know this issue.

I note that various OpenSSL-using tools are being updated to detect such weak keys - eg OpenVPN on ubuntu - and if they detect them, they won't start (reporting a direct error about such keys) - will FreeRADIUS also adopt this policy?

alan
Re: OpenSSL Security in Debian Ubuntu since 2006
[EMAIL PROTECTED] wrote:
> thank you Alan for your responsible reporting of this issue, as anyone using FreeRADIUS with EAP-TLS etc will be using OpenSSL anyone on any platform with a weak key method needs to know this issue.

I've updated the main web page, too.

> I note that various OpenSSL-using tools are being updated to detect such weak keys - eg OpenVPN on ubuntu - and if they detect them, they won't start (reporting a direct error about such keys) - will FreeRADIUS also adopt this policy?

Er... send a patch?

A quick look at the documentation for openssl-vulnkey and friends isn't helpful. They check a key against a list of blacklisted keys... and don't give much more information about blacklisting keys. i.e. it's up to you to generate the list of blacklisted keys. The tool can then be used to check the key.

For RADIUS purposes, I don't see much use in this. There's usually only one server key, and maybe a self-signed cert key. Once those are re-generated and deployed, you're done. There's not much need to check blacklists for keys.

The blacklist is more useful for client software like a supplicant. And even there, it's likely easier just to replace the old RADIUS server key with the new one.

Alan DeKok.
User-Password formats
Hi,

I have a setup with freeradius where it is launching an external script to authenticate users. When doing PAP authentication against the radius server I receive the %{User-Password} and pass it to my script. However when using a cisco wireless lan controller it seems not to pass User-Password as the text, it encodes it in another format. I'm wondering if anyone knows what format this is.

From a radiusd -X I get the following when it works:

    rad_recv: Access-Request packet from host 10.10.76.3:32769, id=12, length=119
            User-Name = [EMAIL PROTECTED]
            User-Password = password
            Service-Type = Login-User
            NAS-IP-Address = 10.10.76.2
            NAS-Identifier = Franciscan-2
            Airespace-Wlan-Id = 1
            Calling-Station-Id = 10.10.76.135
            Called-Station-Id = 10.10.76.3

So it passes my script the password in plain text, and when I use the Cisco WLC it fails and I get:

    rad_recv: Access-Request packet from host 10.10.76.2:32769, id=12, length=119
            User-Name = [EMAIL PROTECTED]
            User-Password = ]\313\347C\223\240\350\351\275!\307L\300\210
            Service-Type = Login-User
            NAS-IP-Address = 10.10.76.2
            NAS-Identifier = Franciscan-2
            Airespace-Wlan-Id = 1
            Calling-Station-Id = 10.10.76.135
            Called-Station-Id = 10.10.76.2

My script obviously gets passed ]\313\347C\223\240\350\351\275!\307L\300\210

Does anyone know what format this is? Or how I can convert it to get the password in plain text format?

thanks,

niall
A way to use LDAP only for authentication
Hello,

Using PEAP/mschapv2 with openldap through freeradius, I'd like to know if there is a way to allow all users in the authorize section of radiusd.conf (without doing ldap requests) and make the ldap request only in the authenticate section. It is useful for instance to avoid multiple ldap requests during the authorization process, in particular when a number of radius request/challenges are exchanged between Access points and radius server.

Thanks.

Konstantin

Konstantin KABASSANOV
LIP6/CNRS
104, avenue du Président Kennedy, 75016 Paris, France
Phone: +33 (0) 1 44 27 71 26
Fax: +33 (0) 1 44 27 74 95
E-mail: [EMAIL PROTECTED]
Web: http://www.kabassanov.com
Certificate: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html
FreeRadius 1.1.3 with MySQL
I'm attempting to have multiple realms use individual mysql tables in order to separate the usernames. I've read how to get multiple sql instances going, but how do I tell which realm to use which sql instance?
Re: User-Password formats
hi,

incorrect shared secret between FR server and WLC?

alan
Re: User-Password formats
thanks alan, much appreciated. I think you may be right. It's just strange the FR server doesn't mention this - or would it not know and only the radius client know this?

thanks again,

On Tue, May 13, 2008 at 10:02 PM, [EMAIL PROTECTED] wrote:
> hi,
>
> incorrect shared secret between FR server and WLC?
>
> alan
error freeradius-client-1.1.6.tar.bz2
Hello

Fedora core 5

    rpm -Uvh freeradius-client-1.1.6-0.i386.rpm
    /var/tmp/rpm-tmp.72946: line 1: fg: no job control
    error: %post(freeradius-client-1.1.6-0.i386) scriptlet failed, exit status 1

    rpm -e freeradius-client
    /var/tmp/rpm-tmp.45576: line 1: fg: no job control
    error: %postun(freeradius-client-1.1.6-0.i386) scriptlet failed, exit status 1

- radiusclient.spec
1. rename freeradius-client-snapshot freeradius-client
2. marking #%doc doc/* BUGS COPYRIGHT README README.radexample

    rpmbuild -bb radiusclient.spec

-

    Summary: FreeRADIUS Client Software
    Name: freeradius-client
    Version: 1.1.6
    Release: 0
    Obsoletes: radiusc radiusclient radiusclient-ng
    Group: Productivity/Networking/Radius/Clients
    License: Artistic License
    Packager: Peter Nixon
    URL: http://www.freeradius.org/
    Source0: %{name}-%{version}.tar.bz2
    BuildRoot: %{_tmppath}/%{name}-%{version}-build
    Prefix: %{_prefix}
    Requires: %{name}-libs = %{version}-%{release}

    %description
    A portable, easy-to-use and standard compliant library suitable for
    developing free and commercial software that need support for a RADIUS
    protocol (RFCs 2128 and 2139).

    %package libs
    Summary: A portable, easy-to-use and standard compliant library for RADIUS protocol (RFCs 2128 and 2139).
    Group: Development/Libraries

    %description libs
    The package contains the shared library of FreeRADIUS Client

    %package devel
    Summary: Header files, libraries and development documentation for %{name}.
    Group: Development/Libraries
    Requires: %{name}-libs = %{version}-%{release}

    %description devel
    This package contains the header files, static libraries and development
    documentation for %{name}. You need to install %{name}-devel if you want
    to develop applications using %{name}.

    %if 0%{?suse_version} > 930
    %debug_package
    %endif

    %prep
    %setup -q

    %build
    %define localstatedir /var/lib
    rm missing
    %if 0%{?suse_version} > 900
    %{suse_update_config -f}
    %endif
    libtoolize --force
    aclocal
    automake -ac
    autoconf
    CFLAGS="$RPM_OPT_FLAGS -Wall" \
    CXXFLAGS="$RPM_OPT_FLAGS -Wall -fmessage-length=0" \
    %configure \
        --localstatedir=%{localstatedir} \
        --enable-shadow \
        --with-secure-path
    make

    %install
    [ "%{buildroot}" != "/" ] && rm -rf %{buildroot}
    make DESTDIR=$RPM_BUILD_ROOT install
    rm -f $RPM_BUILD_ROOT/%{_sbindir}/login.radius
    rm -f login.radius/Makefile*
    rm -f login.radius/migs/Makefile*
    rm -f %{buildroot}%{_libdir}/*.la

    %post
    %{run_ldconfig}

    %postun
    %{run_ldconfig}

    %clean
    [ "%{buildroot}" != "/" ] && rm -rf %{buildroot}

    %files
    %defattr(-, root, root)
    #%doc doc/* BUGS COPYRIGHT README README.radexample
    %dir %{_sysconfdir}/radiusclient
    %{_sysconfdir}/radiusclient/dictionary
    %{_sysconfdir}/radiusclient/dictionary.*
    %config(noreplace) %{_sysconfdir}/radiusclient/radiusclient.conf
    %config(noreplace) %{_sysconfdir}/radiusclient/issue
    %config(noreplace) %{_sysconfdir}/radiusclient/port-id-map
    %config(noreplace) %{_sysconfdir}/radiusclient/servers
    %{_sbindir}/*

    %files libs
    %defattr(-, root, root)
    %{_libdir}/*.so.*
    %{_libdir}/*.so

    %files devel
    %defattr(-, root, root)
    %{_libdir}/*.a
    %{_includedir}/*.h

    %changelog
    * Sun Jan 06 2008 Peter Nixon
    - Update to match upcoming freeradius-client release
    * Sun Nov 19 2006 Peter Nixon
    - Converted spec from radiusclient package to work with FreeRADIUS Client
    - Split out separate -devel and -libs packages
    * Wed Jan 25 2006 - [EMAIL PROTECTED]
    - converted neededforbuild to BuildRequires
    * Thu Nov 18 2004 - [EMAIL PROTECTED]
    - fixed file list
    * Sat Jan 10 2004 - [EMAIL PROTECTED]
    - add %%defattr
    * Thu Jul 31 2003 - [EMAIL PROTECTED]
    - use %%run_ldconfig
    * Thu May 29 2003 - [EMAIL PROTECTED]
    - remove Makefiles from documentation
    * Wed May 28 2003 - [EMAIL PROTECTED]
    - update to 0.3.2
    - move localstatedir to /var/lib
    - remove unpackaged files from buildroot
    * Wed Apr 02 2003 - [EMAIL PROTECTED]
    - fixed patch radiusclient-0.3.1-fix.dif
    * Tue Apr 02 2002 - [EMAIL PROTECTED]
    - fixed to compile with autoconf-2.53
    * Wed Mar 20 2002 - [EMAIL PROTECTED]
    - secfix (VU#589523 -buffer overflow in the function that calculates message digests)
    - fixed login.expamle, README.SuSE
    * Thu Jan 10 2002 - [EMAIL PROTECTED]
    - use %%{_libdir}
    * Tue Nov 06 2001 - [EMAIL PROTECTED]
    - fixed to compile with automake 1.5
    * Wed Jun 06 2001 - [EMAIL PROTECTED]
    - fixed to compile with new libtool
    * Mon Mar 26 2001 - [EMAIL PROTECTED]
    - moved whole files from dif
    - fixed to compile
    * Wed Nov 29 2000 - [EMAIL PROTECTED]
    - renamed: raduisc = radiusclient
    * Wed May 24 2000 - [EMAIL PROTECTED]
    - fixed to compile
    - added BuildRoot
    * Sun Apr 09 2000 - [EMAIL PROTECTED]
    - added suse update config macro
    * Mon Sep 13 1999 - [EMAIL PROTECTED]
    - ran old prepare_spec on spec file to switch to new prepare_spec.
    * Thu Jun 10 1999 - [EMAIL PROTECTED]
    - Remove %%dir for doc tree
    * Sun Mar 01 1998 -
Re: User-Password formats
There is an "Unprintable characters ..." warning about the potential shared secret mismatch in the debug.

Ivan Kalik
Kalik Informatika ISP

On 13/5/2008, niall el-assaad [EMAIL PROTECTED] wrote:
> thanks alan, much appreciated. I think you may be right. It's just strange the FR server doesn't mention this - or would it not know and only the radius client know this?
> thanks again,
>
> On Tue, May 13, 2008 at 10:02 PM, [EMAIL PROTECTED] wrote:
> > hi, incorrect shared secret between FR server and WLC?
> > alan
Re: User-Password formats
Thanks Ivan,

I don't have this message in the debug output, is this possibly because I'm running an external script? Or is there a chance that it's not a mismatched secret?

thanks,

2008/5/14 Ivan Kalik [EMAIL PROTECTED]:
> There is an "Unprintable characters ..." warning about the potential shared secret mismatch in the debug.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 13/5/2008, niall el-assaad [EMAIL PROTECTED] wrote:
> > thanks alan, much appreciated. I think you may be right. It's just strange the FR server doesn't mention this - or would it not know and only the radius client know this?
> > thanks again,
> >
> > On Tue, May 13, 2008 at 10:02 PM, [EMAIL PROTECTED] wrote:
> > > hi, incorrect shared secret between FR server and WLC?
> > > alan
Re: FreeRadius 1.1.3 with MySQL
Create multiple sql instances. Create an Autz-Type entry for each in the authorize section. Then add something like this in the users file:

DEFAULT Realm == whatever, Autz-Type = sqlwhatever

This is much simpler with unlang in 2.0 (no Autz-Type entries needed, just a switch block in authorize).

Ivan Kalik
Kalik Informatika ISP

On 13/5/2008, Brad Furst [EMAIL PROTECTED] wrote:
> I'm attempting to have multiple realms use individual mysql tables in order to separate the usernames. I've read how to get multiple sql instances going, but how do I tell which realm to use which sql instance?
Re: A way to use LDAP only for authentication
Yes. List ldap only in inner-tunnel.

Ivan Kalik
Kalik Informatika ISP

On 13/5/2008, Konstantin KABASSANOV [EMAIL PROTECTED] wrote:
> Hello,
>
> Using PEAP/mschapv2 with openldap through freeradius, I'd like to know if there is a way to allow all users in the authorize section of radiusd.conf (without doing ldap requests) and make the ldap request only in the authenticate section. It is useful, for instance, to avoid multiple ldap requests during the authorization process, in particular when a number of radius request/challenges are exchanged between access points and the radius server.
>
> Thanks.
>
> Konstantin
>
> Konstantin KABASSANOV
> LIP6/CNRS
> 104, avenue du Président Kennedy, 75016 Paris, France
> Phone: +33 (0) 1 44 27 71 26
> Fax: +33 (0) 1 44 27 74 95
> E-mail: [EMAIL PROTECTED]
> Web: http://www.kabassanov.com
> Certificate: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html
Re: User-Password formats
Are you using -X (capital X) or something else?

Ivan Kalik
Kalik Informatika ISP

On 13/5/2008, niall el-assaad [EMAIL PROTECTED] wrote:
> Thanks Ivan,
>
> I don't have this message in the debug output, is this possibly because I'm running an external script? Or is there a chance that it's not a mismatched secret?
>
> thanks,
Re: User-Password formats
Yes, capital X as in -X

thanks,

2008/5/14 Ivan Kalik [EMAIL PROTECTED]:
> Are you using -X (capital X) or something else?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: User-Password formats
freeradius version?

Ivan Kalik
Kalik Informatika ISP

On 14/5/2008, niall el-assaad [EMAIL PROTECTED] wrote:
> Yes, capital X as in -X
>
> thanks,
Re: User-Password formats
It's 1.1.7 (actually 1.1.7-3.1.fc6)

thanks,

2008/5/14 Ivan Kalik [EMAIL PROTECTED]:
> freeradius version?
>
> Ivan Kalik
> Kalik Informatika ISP
rpmbuild error freeradius-client-1.1.6.tar.bz2
Hello

Fedora core 5

rpm -Uvh freeradius-client-1.1.6-0.i386.rpm
/var/tmp/rpm-tmp.72946: line 1: fg: no job control
error: %post(freeradius-client-1.1.6-0.i386) scriptlet failed, exit status 1

rpm -e freeradius-client
/var/tmp/rpm-tmp.45576: line 1: fg: no job control
error: %postun(freeradius-client-1.1.6-0.i386) scriptlet failed, exit status 1

radiusclient.spec:
1. rename freeradius-client-snapshot freeradius-client
2. marking #%doc doc/* BUGS COPYRIGHT README README.radexample

rpmbuild -bb radiusclient.spec

Summary: FreeRADIUS Client Software
Name: freeradius-client
Version: 1.1.6
Release: 0
Obsoletes: radiusc radiusclient radiusclient-ng
Group: Productivity/Networking/Radius/Clients
License: Artistic License
Packager: Peter Nixon
URL: http://www.freeradius.org/
Source0: %{name}-%{version}.tar.bz2
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Prefix: %{_prefix}
Requires: %{name}-libs = %{version}-%{release}

%description
A portable, easy-to-use and standard compliant library suitable for
developing free and commercial software that need support for a RADIUS
protocol (RFCs 2128 and 2139).

%package libs
Summary: A portable, easy-to-use and standard compliant library for RADIUS protocol (RFCs 2128 and 2139).
Group: Development/Libraries

%description libs
The package contains the shared library of FreeRADIUS Client

%package devel
Summary: Header files, libraries and development documentation for %{name}.
Group: Development/Libraries
Requires: %{name}-libs = %{version}-%{release}

%description devel
This package contains the header files, static libraries and development
documentation for %{name}. You need to install %{name}-devel if you want
to develop applications using %{name}.

%if 0%{?suse_version} > 930
%debug_package
%endif

%prep
%setup -q

%build
%define localstatedir /var/lib
rm missing
%if 0%{?suse_version} > 900
%{suse_update_config -f}
%endif
libtoolize --force
aclocal
automake -ac
autoconf
CFLAGS="$RPM_OPT_FLAGS -Wall" \
CXXFLAGS="$RPM_OPT_FLAGS -Wall -fmessage-length=0" \
%configure \
    --localstatedir=%{localstatedir} \
    --enable-shadow \
    --with-secure-path
make

%install
[ "%{buildroot}" != "/" ] && rm -rf %{buildroot}
make DESTDIR=$RPM_BUILD_ROOT install
rm -f $RPM_BUILD_ROOT/%{_sbindir}/login.radius
rm -f login.radius/Makefile*
rm -f login.radius/migs/Makefile*
rm -f %{buildroot}%{_libdir}/*.la

%post
%{run_ldconfig}

%postun
%{run_ldconfig}

%clean
[ "%{buildroot}" != "/" ] && rm -rf %{buildroot}

%files
%defattr(-, root, root)
#%doc doc/* BUGS COPYRIGHT README README.radexample
%dir %{_sysconfdir}/radiusclient
%{_sysconfdir}/radiusclient/dictionary
%{_sysconfdir}/radiusclient/dictionary.*
%config(noreplace) %{_sysconfdir}/radiusclient/radiusclient.conf
%config(noreplace) %{_sysconfdir}/radiusclient/issue
%config(noreplace) %{_sysconfdir}/radiusclient/port-id-map
%config(noreplace) %{_sysconfdir}/radiusclient/servers
%{_sbindir}/*

%files libs
%defattr(-, root, root)
%{_libdir}/*.so.*
%{_libdir}/*.so

%files devel
%defattr(-, root, root)
%{_libdir}/*.a
%{_includedir}/*.h

%changelog
* Sun Jan 06 2008 Peter Nixon
- Update to match upcoming freeradius-client release
* Sun Nov 19 2006 Peter Nixon
- Converted spec from radiusclient package to work with FreeRADIUS Client
- Split out separate -devel and -libs packages
* Wed Jan 25 2006 - [EMAIL PROTECTED]
- converted neededforbuild to BuildRequires
* Thu Nov 18 2004 - [EMAIL PROTECTED]
- fixed file list
* Sat Jan 10 2004 - [EMAIL PROTECTED]
- add %%defattr
* Thu Jul 31 2003 - [EMAIL PROTECTED]
- use %%run_ldconfig
* Thu May 29 2003 - [EMAIL PROTECTED]
- remove Makefiles from documentation
* Wed May 28 2003 - [EMAIL PROTECTED]
- update to 0.3.2
- move localstatedir to /var/lib
- remove unpackaged files from buildroot
* Wed Apr 02 2003 - [EMAIL PROTECTED]
- fixed patch radiusclient-0.3.1-fix.dif
* Tue Apr 02 2002 - [EMAIL PROTECTED]
- fixed to compile with autoconf-2.53
* Wed Mar 20 2002 - [EMAIL PROTECTED]
- secfix (VU#589523 - buffer overflow in the function that calculates message digests)
- fixed login.example, README.SuSE
* Thu Jan 10 2002 - [EMAIL PROTECTED]
- use %%{_libdir}
* Tue Nov 06 2001 - [EMAIL PROTECTED]
- fixed to compile with automake 1.5
* Wed Jun 06 2001 - [EMAIL PROTECTED]
- fixed to compile with new libtool
* Mon Mar 26 2001 - [EMAIL PROTECTED]
- moved whole files from dif
- fixed to compile
* Wed Nov 29 2000 - [EMAIL PROTECTED]
- renamed: raduisc => radiusclient
* Wed May 24 2000 - [EMAIL PROTECTED]
- fixed to compile
- added BuildRoot
* Sun Apr 09 2000 - [EMAIL PROTECTED]
- added suse update config macro
* Mon Sep 13 1999 - [EMAIL PROTECTED]
- ran old prepare_spec on spec file to switch to new prepare_spec.
* Thu Jun 10 1999 - [EMAIL PROTECTED]
- Remove %%dir for doc tree
* Sun Mar 01 1998 - [EMAIL
Re: A way to use LDAP only for authentication
Konstantin KABASSANOV wrote:
> Using PEAP/mschapv2 with openldap through freeradius, I'd like to know if there is a way to allow all users in the authorize section of radiusd.conf (without doing ldap requests) and make the ldap request only in the authenticate section. It is useful, for instance, to avoid multiple ldap requests during the authorization process, in particular when a number of radius request/challenges are exchanged between access points and the radius server.

In 2.0.4, you can run the LDAP module only for the inner tunneled request. See raddb/sites-enabled/inner-tunnel.

Alan DeKok.
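As an added configuration sketch (not the stock files and not from either reply), this is what "ldap only in the inner tunnel" looks like with the split site files of 2.0.4. It assumes the directory stores an NT hash that ldap.attrmap maps to NT-Password, because MS-CHAPv2 inside PEAP never hands the server a clear-text password to bind with, so ldap has to supply the hash to mschap during authorize rather than act as an Auth-Type in authenticate.

```conf
# Added example, not from the thread. Outer (PEAP) request: no directory
# lookup at all; the eap module handles it and 'ok = return' ends the
# section as soon as eap says it needs nothing else.
# raddb/sites-enabled/default
authorize {
    preprocess
    suffix
    eap {
        ok = return
    }
}
authenticate {
    eap
}

# raddb/sites-enabled/inner-tunnel: only the decrypted inner EAP-MSCHAPv2
# request reaches this server. ldap sits after 'eap { ok = return }', where
# the stock file places its lookups, so the directory is queried only when
# the EAP state machine needs the password, not on every round trip.
server inner-tunnel {
    authorize {
        mschap              # flags the request as Auth-Type MS-CHAP
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        ldap                # fetches NT-Password via ldap.attrmap (assumed mapping)
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap          # verifies the MSCHAPv2 response against NT-Password
        }
        eap                 # inner EAP-MSCHAPv2 framing
    }
}

# raddb/eap.conf: send the tunneled request to that server
peap {
    default_eap_type = mschapv2
    virtual_server = "inner-tunnel"
}
```

If the directory holds only clear-text passwords, map them to User-Password instead; mschap can derive the NT hash from a clear-text password but not from a crypt or SSHA hash, which is the usual reason PEAP/MSCHAPv2 against LDAP fails.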
Re: FreeRadius 1.1.3 with MySQL
Brad Furst wrote:
> I'm attempting to have multiple realms use individual mysql tables in order to separate the usernames. I've read how to get multiple sql instances going, but how do I tell which realm to use which sql instance?

I'm actually doing this in 2.0 without using multiple SQL instances. I just have a table per realm, and I update the table name in the SQL query for each realm. The SQL queries are dynamically expanded for *precisely* this reason.

Alan DeKok.
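Both answers in this thread (Ivan's per-instance Autz-Type and unlang switch, Alan's per-realm table name) as one added configuration example, not from either poster. Assumed names throughout: sql instances sql_example and sql_other, realms example.com and other.net defined in proxy.conf, and per-realm tables radcheck_example and radcheck_other. The point to notice is that in every variant the realm has first been matched against the configured list by the realm module, so nothing typed by the user ever reaches a table name.

```conf
# --- Approach 1 on 1.x (Ivan): Autz-Type picked from the users file ---
# raddb/users (check items; 'files' must run before the Autz-Type blocks)
DEFAULT Realm == "example.com", Autz-Type := sql_example
DEFAULT Realm == "other.net",   Autz-Type := sql_other

# radiusd.conf, authorize section, 1.x syntax
authorize {
    preprocess
    suffix              # realm module: sets Realm only to a realm it found in proxy.conf
    files               # applies the DEFAULT entries above
    Autz-Type sql_example {
        sql_example
    }
    Autz-Type sql_other {
        sql_other
    }
}

# --- Approach 1 on 2.0 (Ivan): the same selection as an unlang switch ---
authorize {
    preprocess
    suffix
    switch "%{Realm}" {
        case "example.com" {
            sql_example
        }
        case "other.net" {
            sql_other
        }
        case {
            reject      # no configured realm: fail closed instead of picking a table by accident
        }
    }
    mschap
    pap
}

# --- Approach 2 on 2.0 (Alan): one sql instance, table name expanded per realm ---
# The suffix is a constant chosen by the switch and parked in a control
# attribute, so the query never expands user-supplied text into an identifier.
authorize {
    preprocess
    suffix
    switch "%{Realm}" {
        case "example.com" {
            update control {
                Tmp-String-0 := "example"
            }
        }
        case "other.net" {
            update control {
                Tmp-String-0 := "other"
            }
        }
        case {
            reject
        }
    }
    sql
    mschap
    pap
}
# raddb/sql/mysql/dialup.conf, inside the single sql instance
authorize_check_query = "SELECT id, username, attribute, value, op \
    FROM radcheck_%{control:Tmp-String-0} \
    WHERE username = '%{SQL-User-Name}' ORDER BY id"
```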
help need with mysql statement in freeradius
Hi all,

I am trying to do MAC insertion during the post-authentication section with the help of freeradius. That is, during the authentication section it will check in the mysql database for the MAC use option. If MAC use = 1, then if the user is logging in for the first time, grab the MAC address from the login process and insert it into the database. If MAC use is not enabled, i.e. MAC use = 0, then go through the normal process. Is it possible, and how can I do that?

Thanks in advance