Cannot control attribute ordering via rlm_perl

2011-10-06 Thread Claude Brown
Hi,

First, the version I'm using:

# freeradius -v
freeradius: FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, [...]


I'm trying to control the attribute-ordering when using rlm_perl. Thus far my 
experience is that this is not possible. My theory is that this is due to the 
hash-tables used as the interface between the C and Perl worlds.

Here is a small example that demonstrates the problem. I've turned on the 
users and perl modules in the authorize section (in that order). These are 
the important bits from the users file and the example.pl file.

(from the users file)
steve   Cleartext-Password := testing
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = std.ppp,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        WiMAX-Packet-Data-Flow-Id = 1,
        WiMAX-Service-Data-Flow-Id = 1,
        WiMAX-Service-Profile-Id = 2

(from the example.pl)
sub authorize
{
   return RLM_MODULE_NOOP;
}


The debug log of the server is below. The interesting bits are (a) the 
"rlm_perl: Added pair" lines and (b) the attribute order in the packet that the 
server sends in reply - the order is changed.

The ordering is important for me as I want those three WiMAX attributes 
packed inside a parent attribute WiMAX-Packet-Flow-Descriptor. If I turn off 
the perl module (or place it before the files module) the packing works as 
expected.

I put all this down to the attribute-list being rebuilt (by rlm_perl) from the 
%RAD_REPLY table. The hash-table has no concept of ordering, so it ends up 
randomised.

The above is a contrived example - what I really want to do is add those three 
WiMAX attributes in my perl script.  But due to the ordering problems I think I 
am wasting my time and need to come up with another solution.

Can anyone see how I can control the ordering of attributes coming out of the 
perl script?

Thanks,

Claude Brown.
Vividwireless.



rad_recv: Access-Request packet from host 127.0.0.1 port 50265, id=2, length=63
User-Name = steve
User-Password = testing
Message-Authenticator = 0xc8b10e777a7ea53a261c855029fd0b58
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = steve, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry steve at line 76
++[files] returns ok
GOT CLONE -1588651264 0x1a0e160
rlm_perl: Added pair User-Name = steve
rlm_perl: Added pair User-Password = testing
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Message-Authenticator = 0xc8b10e777a7ea53a261c855029fd0b58
rlm_perl: Added pair WiMAX-Service-Data-Flow-Id = 1
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-Routing = Broadcast-Listen
rlm_perl: Added pair WiMAX-Packet-Data-Flow-Id = 1
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Framed-Filter-Id = std.ppp
rlm_perl: Added pair Framed-IP-Address = 172.16.3.33
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.0
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair WiMAX-Service-Profile-Id = 2
rlm_perl: Added pair Framed-MTU = 1500
rlm_perl: Added pair Cleartext-Password = testing
++[perl] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using clear text password testing
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [steve] (from client localhost port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 2 to 127.0.0.1 port 50265
WiMAX-Service-Data-Flow-Id = 1
Service-Type = Framed-User
Framed-Routing = Broadcast-Listen
WiMAX-Packet-Data-Flow-Id = 1
Framed-Protocol = PPP
Framed-Filter-Id = std.ppp
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Compression = Van-Jacobson-TCP-IP
WiMAX-Service-Profile-Id = 2
Framed-MTU = 1500
Finished request 0.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
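As an added illustration of the hash-table theory in the post above (this script is not from the original message and is not rlm_perl's own code), the following Perl loads the reply pairs of the steve entry into a hash the way %RAD_REPLY is populated, rebuilds a name list from that hash, and checks whether the three WiMAX attributes still come out adjacent and in order. The attribute list is constructed from the users entry quoted in the post; that rlm_perl walks the hash with keys() is an assumption, and the requirement that the three sub-attributes be contiguous for packing into WiMAX-Packet-Flow-Descriptor is taken from the post itself.

```perl
#!/usr/bin/perl
# Added example, not part of the original post and not rlm_perl's own code.
# It models the theory in the post: attribute pairs are loaded into a Perl
# hash (%RAD_REPLY) and the reply list is later rebuilt from that hash,
# so the original order of the users-file entry cannot survive.
use strict;
use warnings;

# Constructed input: the reply items of the "steve" entry, in users-file order.
my @reply_in_order = (
    [ 'Service-Type'               => 'Framed-User' ],
    [ 'Framed-Protocol'            => 'PPP' ],
    [ 'Framed-IP-Address'          => '172.16.3.33' ],
    [ 'Framed-IP-Netmask'          => '255.255.255.0' ],
    [ 'Framed-Routing'             => 'Broadcast-Listen' ],
    [ 'Framed-Filter-Id'           => 'std.ppp' ],
    [ 'Framed-MTU'                 => '1500' ],
    [ 'Framed-Compression'         => 'Van-Jacobsen-TCP-IP' ],
    [ 'WiMAX-Packet-Data-Flow-Id'  => '1' ],
    [ 'WiMAX-Service-Data-Flow-Id' => '1' ],
    [ 'WiMAX-Service-Profile-Id'   => '2' ],
);

# The three sub-attributes that have to stay together, in this order, for the
# server to pack them into a WiMAX-Packet-Flow-Descriptor (as the post describes).
my @wimax_group = (
    'WiMAX-Packet-Data-Flow-Id',
    'WiMAX-Service-Data-Flow-Id',
    'WiMAX-Service-Profile-Id',
);

# Returns 1 if the names in @wimax_group occur in @$names as one contiguous
# run in exactly that order, 0 otherwise.
sub group_is_contiguous {
    my ($names) = @_;
    my %pos;
    for my $i (0 .. $#$names) {
        $pos{ $names->[$i] } //= $i;   # first position of each name
    }
    my @idx = map { $pos{$_} } @wimax_group;
    return 0 if grep { !defined $_ } @idx;
    for my $i (1 .. $#idx) {
        return 0 unless $idx[$i] == $idx[$i - 1] + 1;
    }
    return 1;
}

# Step 1: the list as the files module produced it.
my @original_names = map { $_->[0] } @reply_in_order;
printf "users-file order : contiguous=%d\n", group_is_contiguous(\@original_names);

# Step 2: load into a hash, as %RAD_REPLY is populated. A hash keeps no
# insertion order, and since Perl 5.18 key order is randomised per process.
my %RAD_REPLY = map { $_->[0] => $_->[1] } @reply_in_order;

# Step 3: rebuild the list by walking the hash. That the module iterates the
# hash with keys() is an assumption about rlm_perl; any hash walk has the
# same property. Run the script a few times: the order changes from run to
# run, and the WiMAX-* group only lands contiguous by chance.
my @rebuilt_names = keys %RAD_REPLY;
printf "after hash walk  : contiguous=%d\n", group_is_contiguous(\@rebuilt_names);
print  "  rebuilt order  : ", join(', ', @rebuilt_names), "\n";
```

Running the script several times gives a different rebuilt order each time, and nothing the Perl side assigns into %RAD_REPLY changes that, which matches the answer later in the thread that the order cannot be controlled from the Perl script.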


Re: Cannot control attribute ordering via rlm_perl

2011-10-06 Thread Alan DeKok
Claude Brown wrote:
> I'm trying to control the attribute-ordering when using rlm_perl. Thus far
> my experience is that this is not possible. My theory is that this is due
> to the hash-tables used as the interface between the C and Perl worlds.

  Quite possibly.

> The ordering is important for me as I want those three WiMAX attributes
> packed inside a parent attribute WiMAX-Packet-Flow-Descriptor. If I turn
> off the perl module (or place it before the files module) the packing
> works as expected.

  Yeah.  The server really needs to have a better way of handling nested
attributes.  Suggestions are welcome...

> Can anyone see how I can control the ordering of attributes coming out of the
> perl script?

  Not using Perl.

  Alan DeKok.


Re: MySQL and FreeRADIUS environment

2011-10-06 Thread tonimanel
Sorry, can you tell me where are detail file readers for examples?

Thank you for your help. We apologize for any inconvenience caused

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/MySQL-and-FreeRADIUS-environment-tp4845985p4875532.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: MySQL and FreeRADIUS environment

2011-10-06 Thread Arran Cudbard-Bell

On 6 Oct 2011, at 09:59, tonimanel wrote:

> Sorry, can you tell me where are detail file readers for examples?
>
> Thank you for your help. We apologize for any inconvenience caused

raddb/sites-available/buffered-sql

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Re: Reply-Message in freeradius

2011-10-06 Thread Arran Cudbard-Bell

On 6 Oct 2011, at 04:27, gary wrote:

> Hi
> One more question.
> How about if user name is wrong? eg: send reply message user name not found

sql
if (notfound) {
        update reply {
                Reply-Message = 'User-name not found'
        }
}

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Re: MySQL and FreeRADIUS environment

2011-10-06 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> raddb/sites-available/buffered-sql

  He's already been told MULTIPLE times where to look.

  I can only conclude he's lazy, or he's trying to be rude.

  Alan DeKok.


Re: MySQL and FreeRADIUS environment

2011-10-06 Thread tonimanel
Sorry did not mean to cause this series of comments to me. I just found
something missing, I think, by the discrepancy between files with respect to
the installation I have done and what you say here. Once again I apologize.

Thanks.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/MySQL-and-FreeRADIUS-environment-tp4845985p4875626.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: MySQL and FreeRADIUS environment

2011-10-06 Thread Arran Cudbard-Bell

On 6 Oct 2011, at 10:19, Alan DeKok wrote:

> Arran Cudbard-Bell wrote:
>> raddb/sites-available/buffered-sql
>
>   He's already been told MULTIPLE times where to look.
>
>   I can only conclude he's lazy, or he's trying to be rude.

Ah, was in auto-help mode. Blame it on the iGrief.

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Re: Mac access mixed ldap access same NAS

2011-10-06 Thread Alexander Clouter
Alejandro Gandara agand...@optaresolutions.com wrote:
>
> does someone know if it's possible to mix MAC auth with LDAP auth on the
> same NAS?

Depends on the NAS:

http://www.digriz.org.uk/lanwarden

Cisco support MAC-auth and *fallback* to 802.1X; for this to work 
reliably you must attempt MAC-auth first, and if that fails force the 
client to do 802.1X...otherwise you run into a nightmare of race 
conditions.

For us, we do both our MAC-auth and 802.1X authentications and 
authorizations with LDAP so yes...it does work, rather well too.

If people keep poking me, I'll put up more documentation...

Cheers

-- 
Alexander Clouter
.sigmonster says: I'm having fun HITCHHIKING to CINCINNATI or FAR ROCKAWAY!!



Re: Mac access mixed ldap access same NAS

2011-10-06 Thread Arran Cudbard-Bell

On 5 Oct 2011, at 13:06, Alejandro Gandara wrote:

> Hi list,
>
> does someone know if it's possible to mix MAC auth with LDAP auth on the same NAS?
>
> I mean, I have multiple connections to one NAS but a few users will access
> through MAC address, and others will access through LDAP auth + passwords.
>
> Nowadays I've configured LDAP access but I don't know how to configure
> freeradius to allow a few users (16-20) to connect through MAC auth.
>
> As always, thank you very much for your time and patience.
>

So how were you wanting to authenticate users? If it's 802.1X, you can use this 
example here:
http://wiki.freeradius.org/Mac%20Auth#Mac-Auth+or+802.1x

-Arran


Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



mschap group restriction

2011-10-06 Thread das-ich
Hi all!

How is it possible to add a group restriction to mschap?
Just --require-membership-of=GROUP-NAME is not working.

Thanks for the answer.


Re: pfSense with freeRadius and CHAP

2011-10-06 Thread Arran Cudbard-Bell

On 6 Oct 2011, at 11:26, Mark wrote:

> Hi all,
>
> I have a weird problem, as you can see in the log below the client can
> successfully authenticate once and after that fails. The network structure is:
>
> 1)  pfSense with freeRadius as firewall, authentication and accounting
> server
> 2)  A HP ProCurve 2626 with MAC based port access
> 3)  A wireless access point


00026f898b64 != 00026f898b62

The second request has the Mac-Address 00026f898b64, the users file only 
contains an entry for 00026f898b62... Coffee coffee coffee...

Mac-Auth just uses the SRC address in the first Ethernet frame it sees. If your 
machine is sending packets with different SRC macs, then you'll have a race 
condition. Usually only happens if it's running vmware with bridge connections, 
but could also be NIC drivers or windows/linux just being weird.

Don't rule out the ProCurve switch either, security features are still very 
buggy.

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Problems with my radrelay configuration?

2011-10-06 Thread tonimanel
Hi, 

When I launch freeradius with -X and -n radrelay options, I get this
message: 
Detail listener /var/log/freeradius/radacct/detail state unopened signalled
0 waiting 0.851083 sec

The radacct directory exists, but the detail file does not exist; is it an
error? What's happened?

I post the result in debug mode.

Thanks,


root@debian:/etc/freeradius# freeradius -X -n radrelay
FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010
at 20:41:03
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radrelay.conf
including configuration file /etc/freeradius/modules/always
main {
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = @libdir@
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 65536
pidfile = /var/run/radrelay/radrelay.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 0
status_server = no
 }
}
radrelay:  Loading Realms and Home Servers 
 home_server radrelay {
ipaddr = 192.168.1.130
port = 1812
type = acct
secret = testing123
response_window = 30
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
 }
 home_server_pool radrelay {
type = fail-over
home_server = radrelay
 }
 realm radrelay {
acct_pool = radrelay
 }
radrelay:  Loading Clients 
radrelay:  Instantiating modules 
 instantiate {
 }
radrelay:  Loading Virtual Servers 
server { # from file /etc/freeradius/radrelay.conf
 modules {
 Module: Checking preacct {...} for more modules to load
 } # modules
} # server
radrelay:  Opening IP addresses and Ports 
listen {
type = detail
 listen {
filename = /var/log/freeradius/radacct/detail
load_factor = 50
poll_interval = 1
retry_interval = 30
 }
}
Listening on /var/log/freeradius/radacct/detail
Detail listener /var/log/freeradius/radacct/detail state unopened signalled
0 waiting 1.00 sec
Listening on proxy address * port 1188
Waking up in 0.9 seconds.
Polling for detail file /var/log/freeradius/radacct/detail
Detail listener /var/log/freeradius/radacct/detail state unopened signalled
0 waiting 0.914341 sec
Waking up in 0.9 seconds.
Polling for detail file /var/log/freeradius/radacct/detail
Detail listener /var/log/freeradius/radacct/detail state unopened signalled
0 waiting 1.093880 sec
Waking up in 1.0 seconds.
Polling for detail file /var/log/freeradius/radacct/detail
Detail listener /var/log/freeradius/radacct/detail state unopened signalled
0 waiting 0.851083 sec
Waking up in 0.8 seconds.
^C


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Problems-with-my-radrelay-configuration-tp4876089p4876089.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Trapeze dictionary enhancement proposal

2011-10-06 Thread Fred
Hi all,
Here is some possible enhancement on dictionary.trapeze

+#
+#  For use with FreeRadius and Trapeze Networks MSS software 1.1
+#  or greater.
+#
+#  For assistance, email supp...@trapezenetworks.com.
+#
+#  $Id$
+#
+#
+VENDOR Trapeze 14525

-ATTRIBUTE   Trapeze-VLAN-Name   1   string
-ATTRIBUTE   Trapeze-Mobility-Profile2   string
-ATTRIBUTE   Trapeze-Encryption-Type 3   string
-ATTRIBUTE   Trapeze-Time-Of-Day 4   string
-VENDORATTR 14525   Trapeze-SSID5   string
-VENDORATTR 14525   Trapeze-End-Date6   string
-VENDORATTR 14525   Trapeze-Start-Date  7   string
-VENDORATTR 14525   Trapeze-URL 8   string
-VENDORATTR 14525   Trapeze-User-Group-Name 9   string
-VENDORATTR 14525   Trapeze-Qos-Profile10   string
-VENDORATTR 14525   Trapeze-Simultaneous-Logins11   string
-VENDORATTR 14525   Trapeze-COA-Replace-Username   12   string
-VENDORATTR 14525   Trapeze-Audit  13   string
+# Attributes for MSS 1.1 and later
+
+BEGIN-VENDOR   Trapeze
+
+ATTRIBUTE  Trapeze-VLAN-Name   1   string
+ATTRIBUTE  Trapeze-Mobility-Profile2   string
+ATTRIBUTE  Trapeze-Encryption-Type 3   string
+ATTRIBUTE  Trapeze-Time-Of-Day 4   string
+
+# New attributes for MSS 3.0 and later
+
+ATTRIBUTE  Trapeze-SSID5   string
+ATTRIBUTE  Trapeze-End-Date6   string
+ATTRIBUTE  Trapeze-Start-Date  7   string
+ATTRIBUTE  Trapeze-URL 8   string
+
+END-VENDOR Trapeze
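Review bot: the added BEGIN-VENDOR block stops at attribute 8 (Trapeze-URL) while the removed lines also defined attributes 9 to 13 (Trapeze-User-Group-Name, Trapeze-Qos-Profile, Trapeze-Simultaneous-Logins, Trapeze-COA-Replace-Username, Trapeze-Audit), so as posted the patch drops five attributes without saying so; either carry them over as `ATTRIBUTE Trapeze-User-Group-Name 9 string` and so on inside the BEGIN-VENDOR/END-VENDOR block, or state in the patch description that the removal is intended. The `-` lines also use the VENDORATTR keyword, which FreeRADIUS dictionaries do not accept, so the base file is not the dictionary.trapeze shipped with FreeRADIUS; the patch should be made against that file, or, since the file is short, the whole new file sent instead.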

Best regards,
Fred MAISON


Re: Trapeze dictionary enhancement proposal

2011-10-06 Thread Alan DeKok
Fred wrote:
> Hi all,
> Here is some possible enhancement on dictionary.trapeze

  Huh  The VENDORATTR text was never allowed by FreeRADIUS.  I have no
idea where you got the original dictionary from, but it isn't from
FreeRADIUS.

  Please send just the new file.  It's small enough that a patch isn't
necessary.

  And please look at the dictionary.trapeze file included with
FreeRADIUS.  It should be up to date.

  Alan DeKok.


Re: Trapeze dictionary enhancement proposal

2011-10-06 Thread Fred
Sorry Alan, I made a cut/paste of another dict format.
I will post the dictionary in freeradius format ASAP...

Best regards,
Fred

2011/10/6 Alan DeKok al...@deployingradius.com:
> Fred wrote:
>> Hi all,
>> Here is some possible enhancement on dictionary.trapeze
>
>   Huh  The VENDORATTR text was never allowed by FreeRADIUS.  I have no
> idea where you got the original dictionary from, but it isn't from
> FreeRADIUS.
>
>   Please send just the new file.  It's small enough that a patch isn't
> necessary.
>
>   And please look at the dictionary.trapeze file included with
> FreeRADIUS.  It should be up to date.
>
>   Alan DeKok.


Re: Trapeze dictionary enhancement proposal

2011-10-06 Thread Fred
Alan,

As you can see, some new attributes are not part of the freeradius 2 or 3
dictionary.trapeze definitions.

Best regards,
Fred


# -*- text -*-
#
#   dictionary.trapeze
#
#   For use with FreeRadius and Trapeze Networks MSS software 1.1
#   or greater.
#
#   For assistance, email supp...@trapezenetworks.com.
#
#   $Id$
#
#
VENDOR          Trapeze                         14525

# Attributes for MSS 1.1 and later

BEGIN-VENDOR    Trapeze

ATTRIBUTE       Trapeze-VLAN-Name               1       string
ATTRIBUTE       Trapeze-Mobility-Profile        2       string
ATTRIBUTE       Trapeze-Encryption-Type         3       string
ATTRIBUTE       Trapeze-Time-Of-Day             4       string

# New attributes for MSS 3.0 and later

ATTRIBUTE       Trapeze-SSID                    5       string
ATTRIBUTE       Trapeze-End-Date                6       string
ATTRIBUTE       Trapeze-Start-Date              7       string
ATTRIBUTE       Trapeze-URL                     8       string

# New attributes not present in the dictionary.trapeze shipped with
# freeradius 2.1.2 or 3.0.0
ATTRIBUTE       Trapeze-User-Group-Name         9       string
ATTRIBUTE       Trapeze-Qos-Profile             10      string
ATTRIBUTE       Trapeze-Simultaneous-Logins     11      string
ATTRIBUTE       Trapeze-COA-Replace-Username    12      string
ATTRIBUTE       Trapeze-Audit                   13      string

END-VENDOR      Trapeze


RE: password in EAP request

2011-10-06 Thread Alex rsm

Hi,

I was told there is a plugin for FreeRadius that can be used to retrieve the 
username/password of the EAP request. Is this true?

Thanks,
ASM 

> Date: Wed, 5 Oct 2011 22:01:01 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: password in EAP request
>
> Hi,
>
>> In example.pl perl script $RAD_REQUEST{'User-Name'} returns the username
>> of the EAP request message. How can I get the password of the
>> EAP request? $RAD_REQUEST{'User-Password'} won't return the password.
>
> it certainly won't for PEAPv0/MSCHAPv2 which is what your request looks
> like - hint, it's a challenge-response mechanism, the password is never
> disclosed
>
> alan


Re: password in EAP request

2011-10-06 Thread Phil Mayers

On 06/10/11 14:06, Alex rsm wrote:

> Hi,
>
> I was told there is a plugin for FreeRadius that can be used to retrieve
> the username/password of the EAP request. Is this true?

No.

As others have said, EAP does not usually send the password.

I would advise you go and read up on EAP, and how EAP methods work.


RE: password in EAP request

2011-10-06 Thread Alex rsm

I agreed, the EAP message sent from the Access Point does not send the password. 
The client sends the encrypted password.
I think I should ask how FreeRadius can retrieve the password in the 802.1x 
authentication mechanism.


> Date: Thu, 6 Oct 2011 14:11:34 +0100
> From: p.may...@imperial.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: password in EAP request
>
> On 06/10/11 14:06, Alex rsm wrote:
>> Hi,
>>
>> I was told there is a plugin for FreeRadius that can be used to retrieve
>> the username/password of the EAP request. Is this true?
>
> No.
>
> As others have said, EAP does not usually send the password.
>
> I would advise you go and read up on EAP, and how EAP methods work.


Re: Problems with my radrelay configuration?

2011-10-06 Thread Arran Cudbard-Bell

On 6 Oct 2011, at 14:12, tonimanel wrote:

> Hi,
>
> When I launch freeradius with -X and -n radrelay options, I get this
> message:
> Detail listener /var/log/freeradius/radacct/detail state unopened signalled
> 0 waiting 0.851083 sec
>
> The radacct directory exists, but the detail file does not exist; is it an
> error? What's happened?
>

Yes... you need to actually write data to  /var/log/freeradius/radacct/detail, 
else radrelay isn't going to send any packets...

Use an rlm_detail instance to write out packet data in the accounting section...


Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




Re: password in EAP request

2011-10-06 Thread Fajar A. Nugraha
On Thu, Oct 6, 2011 at 8:06 PM, Alex rsm alex-...@hotmail.com wrote:
> Hi,
>
> I was told there is a plugin for FreeRadius that can be used to retrieve the
> username/password of the EAP request. Is this true?

There are two EAP mechanisms that send the user password in clear text:
EAP-GTC and EAP-TTLS + PAP.
Neither of them is supported by the Windows client. If you use one of
those two mechanisms then you can easily get the user's cleartext password.

If you use EAP-MSCHAPv2 (the most widely used) then no plugin or
software can retrieve the plaintext password from the access-request
packet. It's simply not possible.

-- 
Fajar


Re: password in EAP request

2011-10-06 Thread Arran Cudbard-Bell

> I was told there is a plugin for FreeRadius that can be used to retrieve the
> username/password of the EAP request. Is this true?

No...?

There's http://www.willhackforsushi.com/FreeRADIUS_WPE.html, but it's not a 
complete solution in itself...

-Arran


Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Re: Trapeze dictionary enhancement proposal

2011-10-06 Thread Fred
Arran,

Juniper vendor code is 2636.
I have not heard about vendor code renumbering when Juniper acquired Trapeze.

I just looked at
http://www.juniper.net/techpubs/en_US/release-independent/wireless/information-products/topic-collections/wireless-lan/software/mss-75-config.pdf#search=%22trapeze%20dictionary%20radius%22

At the moment there are no changes: the vendor code for Trapeze is still
14525, not 2636, and the new attributes number 8 to 12 are there, as in my
previous post.

When Juniper acquired Netscreen many years ago, they kept the original
Netscreen vendor code 3224, and still do.

Best regards

2011/10/6 Arran Cudbard-Bell a.cudba...@freeradius.org:
>
> On 6 Oct 2011, at 14:15, Fred wrote:
>
>> Hi all,
>> Here is some possible enhancement on dictionary.trapeze
>
> Shouldn't this be dictionary.juniper now anyway? Can someone check whether
> the rebranded juniper stuff uses the same Vendor ID as before?
>
> I'm glad Belden sold them to a company that could actually do something good
> with the product line. I always liked Trapeze :)
>
> -Arran
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
>
> Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


Re: password in EAP request

2011-10-06 Thread Phil Mayers

On 06/10/11 14:19, Alex rsm wrote:

> I agreed, the EAP message sent from Access Point does not send the
> password. The client sends the encrypted password.
> I think I should ask, how FreeRadius can retrieve the password in 802.1x
> authentication mechanism.

FreeRADIUS can read the password from SQL, LDAP, csv files, or 
users-style files. It can read the plaintext password, or several 
formats of encrypted password (which must be compatible with the EAP method).


See:

http://deployingradius.com/documents/protocols/compatibility.html

For one specific EAP mechanism (EAP-MSCHAPv2 - possibly inside PEAP) 
FreeRADIUS can also delegate the password check to a windows AD controller.


Is this what you are asking?


Re: Rewriting wimax calling-station-id with perl

2011-10-06 Thread James T. Mugauri

Hi,

Apologies for the late response. Our mail system went down at a terrible 
time!



> From: Johan Meiring jmeir...@pcservices.co.za
> Subject: Re: Rewriting wimax calling-station-id with perl
>
> Which version of debian do you need packages for?

I am trying to install it on ubuntu 11.04 server. If there are rpm 
packages suitable for CentOS 5.x prebuilt with wimax and mysql, I would 
take that!

With respect to Alan's observation:

>   But why worry about a deb package?  Just install it from source.
> That works.
>
>   Alan DeKok.


Installing from source also dies when I make with the same libtool error 
on my ubuntu server 11.04 install. I know I have to add 'rlm_wimax' to 
src/modules/stable to have it compile, but the Make fails with or 
without this entry. Adding the suggestive -DIE_LIBTOOL_DIE to CFLAGS 
makes no difference.


Regards

JamesTM


Re: password in EAP request

2011-10-06 Thread Stefan Winter
Hi,


>> I was told there is a plugin for FreeRadius that can be used to
>> retrieve the username/password of the EAP request. Is this true?
>
> No...?
>
> There's http://www.willhackforsushi.com/FreeRADIUS_WPE.html, but it's
> not a complete solution in itself...


Uh, what a lame thing. It will only work on the assumption that the user
does not check the server certificate, which is really bad practice.
The rest is a setup of FreeRADIUS which is designed to be compatible
with as many EAP types as possible; so as not to disturb the end user
experience.
It also can't figure out if the user entered his real credentials or had
a typo/intentionally put in something different.
The patch is a few sample clients, nothing more.

A nice exercise, for sure, but calling this Pwnage Edition is somewhat
exaggerated. As I read the headline, I expected more bang for the buck :-)

Greetings,

Stefan Winter


Re: Rewriting wimax calling-station-id with perl

2011-10-06 Thread Fajar A. Nugraha
On Thu, Oct 6, 2011 at 9:42 PM, James T. Mugauri
ja...@africonnect.co.zm wrote:
> Installing from source also dies when I make with the same libtool error on
> my ubuntu server 11.04 install. I know I have to add 'rlm_wimax' to
> src/modules/stable to have it compile, but the Make fails with or without
> this entry. Adding the suggestive -DIE_LIBTOOL_DIE to CFLAGS makes no
> difference

You mean even in the default config (without editing
src/modules/stable) the make fails?
Something's wrong with your system then.

What was the error message? Did you try latest 2.1.12? Did you have
build-essential installed?

-- 
Fajar


Re: Rewriting wimax calling-station-id with perl

2011-10-06 Thread John Dennis

On 10/06/2011 10:42 AM, James T. Mugauri wrote:

> I am trying to install it on ubuntu 11.04 server. If there are rpm
> packages suitable for CentOS 5.x prebuilt with wimax and mysql, I would
> take that!

Of course there are. In RHEL5 the package is called freeradius2 and is 
prebuilt with wimax and mysql. The current version is 2.1.7, but if you 
wait a little while for the 5.8 update the latest 2.1.12 will be available.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


canceling/redirecting realm in pre-proxy ?

2011-10-06 Thread Robert Roll
There seems to be some comments about being able
to cancel a proxy in the pre-proxy section..

#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.

What I really want to do is test some variables (unlang)  and based
on the outcome, I want to actually handle the request locally
rather than proxy. Maybe this is obvious, but I am not seeing it ?


Thanks,

Robert



Re: canceling/redirecting realm in pre-proxy ?

2011-10-06 Thread Arran Cudbard-Bell

On 6 Oct 2011, at 20:19, Robert Roll wrote:

> There seems to be some comments about being able
> to cancel a proxy in the pre-proxy section..
>
> #  When the server decides to proxy a request to a home server,
> #  the proxied request is first passed through the pre-proxy
> #  stage.  This stage can re-write the request, or decide to
> #  cancel the proxy.
>
> What I really want to do is test some variables (unlang)  and based
> on the outcome, I want to actually handle the request locally
> rather than proxy. Maybe this is obvious, but I am not seeing it ?


update control {
        Proxy-To-Realm := 'local'
}

Maybe... I'm not sure if it'll work. Why don't you just avoid starting the 
proxy in the first place...

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




Re: Rewriting wimax calling-station-id with perl

2011-10-06 Thread Fajar A. Nugraha
On Thu, Oct 6, 2011 at 9:42 PM, James T. Mugauri
ja...@africonnect.co.zm wrote:
> I am trying to install it on ubuntu 11.04 server. If there are rpm packages
> suitable for CentOS 5.x prebuilt with wimax and mysql, I would take that!

I've updated the package on
https://launchpad.net/~freeradius/+archive/stable (the update is
Natty-only for now), which adds freeradius-experimental package. It
has rlm_wimax, rlm_sql_sqlite, rlm_caching, and more. If you're still
having problem compiling yourself and don't mind using unsupported
ppa, you can use that.

-- 
Fajar