Re: freeradius without libtool

2003-12-22 Thread Alan DeKok
Arindam Roy [EMAIL PROTECTED] wrote:
 I know the question might sound silly, but do you know of any way of 
 compiling freeradius without libtool, with all the modules as static 
 modules.

  ./configure --disable-shared ?

  It still needs libtool, though.  The API's used to link the modules
are supplied by libtool.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius+MySql (Authorization Query) - regexp

2003-12-22 Thread Alan DeKok
=?iso-8859-1?q?Kiran?= [EMAIL PROTECTED] wrote:
 I am using the following query for authorization and I
 am getting the error 1064 from MySql (PARSE ERROR).
 But when I am giving the same query replacing the
 variables with values, I am getting the output. Can
 someone explain me why.

  Look at the SQL debug log file.  It will have the queries with the
variables replaced by values.

 (select id,UserName,Attribute,Value,op from
 ${authreply_table} where username='%{SQL-User-Name}')
 union (select id,UserName, Attribute,
 concat('h323-credit-time=',round(substring(value,20)/(tas_rate+charge))*60)
 Value,op from ${authreply_table}, pb_tariffs,surcharge
 where \"%{Called-Station-Id}\" regexp
 concat(^...


  A double quote inside of a double-quoted string?

 I am getting the error after adding 'regexp' to the
 query.

  Then what you added is the source of the problem.

  Alan DeKok.



Re: FreeRadius Vs Supplicant. EAP-TLS Certificates problem

2003-12-20 Thread Alan DeKok
Yosi Corcia [EMAIL PROTECTED] wrote:
 I am trying to create the client and server certificates. I am following 
 the Howtos:

  See 'scripts/CA.all'.  It's a script taken from the Howto's, which
will create the certificates for you.

  Alan DeKok.



Re: conflicting packet problem

2003-12-20 Thread Alan DeKok
Simon Allard [EMAIL PROTECTED] wrote:
 So if I have 100 NAS's behind a proxy, since the source is the same for
 all of the NAS's does it compare NAS-IP-Address or does it use the IP of
 the proxy?

  It uses the IP of the proxy.  The IP's of the NAS boxes are totally
irrelevant.

 What is the most common cause for conflicting packet's and are there any
 easy fixes?

  The most common cause is that the server is taking a long time to
process requests.  The only fix is to find out what's taking so long,
and correct the problem.

 I am using freeradius 0.9.0 with LDAP on a dual 2Ghz machine. I have 3 of
 these load balanced behind a L4 Switch.

  You should upgrade to 0.9.3, but those machines are definitely
powerful enough.

 I am even getting duplicate records with accounting which is odd
 because all its doing is writing the accounting record straight to
 the disk.

  If the NAS sends two accounting packets, the server logs two.

  Alan DeKok.



Re: Radius not responding to the user request

2003-12-20 Thread Alan DeKok
Shashidhara S Bapat [EMAIL PROTECTED] wrote:
 Please let me know what all changes I have to do for my network to work.

  See the FAQ, and run the server in debugging mode.

  Alan DeKok.



Re: Help me !!!

2003-12-20 Thread Alan DeKok
Prasad Yaramti [EMAIL PROTECTED] wrote:
 Help me how to store the username and password in the server, how to
 authenticate? How to pass my username and password to server???

  Read the FAQ.  It explains how to do this.

  Alan DeKok.



Re: Collect user's password

2003-12-19 Thread Alan DeKok
Roberto Fichera [EMAIL PROTECTED] wrote:
 how can I collect all the CHAP-Passwords, or in general all encrypted passwords, in
 a text file? Is it possible to run some script from the pre-authorization section
 where the plain password is available?

  I don't know what you're trying to do.

  If you're trying to create CHAP-Passwords from plain-text passwords,
you shouldn't.  There's no point.

  If you're trying to create plain-text passwords from CHAP-Passwords,
you can't.  It's impossible.

  Alan DeKok.

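The reply above rests on how CHAP works: the server recomputes the client's MD5 response from the cleartext password it has on file and compares, so a stored CHAP-Password is neither reversible nor usable as a credential for verification. The following is an added example, not code from the list thread or from the FreeRADIUS source; it implements the CHAP-Password computation and check from RFC 1994 and RFC 2865 section 5.3 with a constructed challenge. The one caveat a practitioner should keep in mind is also shown: a captured challenge/response pair cannot be inverted, but it can be tested offline against password guesses, which is why logging CHAP-Passwords is still a bad idea.

```python
# Added example (not FreeRADIUS code): CHAP-Password computation and verification.
import hashlib
import hmac
from typing import Iterable, Optional


def chap_response(chap_ident: int, cleartext_password: str, challenge: bytes) -> bytes:
    """Client side: MD5(CHAP-Ident || cleartext password || challenge)."""
    return hashlib.md5(bytes([chap_ident]) + cleartext_password.encode("utf-8") + challenge).digest()


def chap_password_attribute(chap_ident: int, cleartext_password: str, challenge: bytes) -> bytes:
    """Value of the CHAP-Password attribute: 1 octet CHAP-Ident + 16-octet response."""
    return bytes([chap_ident]) + chap_response(chap_ident, cleartext_password, challenge)


def verify_chap(chap_password_attr: bytes, request_authenticator: bytes,
                stored_cleartext: str, chap_challenge: Optional[bytes] = None) -> bool:
    """Server side. The check only works because the server holds the cleartext
    password; a one-way hash of the password on file would be useless here.
    If the request carried no CHAP-Challenge attribute, the 16-octet Request
    Authenticator is the challenge (RFC 2865 section 5.3)."""
    if len(chap_password_attr) != 17:
        return False
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    ident, response = chap_password_attr[0], chap_password_attr[1:]
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)


def brute_force_from_capture(chap_password_attr: bytes, challenge: bytes,
                             candidates: Iterable[str]) -> Optional[str]:
    """What someone who logged CHAP-Passwords *can* do: not invert MD5, but test
    guesses offline against the captured challenge/response pair."""
    for guess in candidates:
        if verify_chap(chap_password_attr, challenge, guess):
            return guess
    return None


if __name__ == "__main__":
    challenge = bytes(range(16))                    # constructed challenge, not a real capture
    attr = chap_password_attribute(7, "s3cret", challenge)
    print("valid:", verify_chap(attr, challenge, "s3cret"))
    print("recovered by guessing:", brute_force_from_capture(attr, challenge, ["letmein", "s3cret"]))
```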


Re: conflicting packet problem

2003-12-19 Thread Alan DeKok
Simon Allard [EMAIL PROTECTED] wrote:
 Thu Dec 18 16:37:49 2003 : Error: Dropping conflicting packet from client
 ihug-phone:1646 - ID: 122 due to unfinished request 514640
 
 As you can see they all from the same client. The client happens to be a
 /24 network.

  OK.

  The question is, does freeradius treat each nas in the /24 as being
 different so it knows that the ID is different even though the ID is
 the same for another NAS in the /24. Or does it assume its the same?

  The shared secrets are looked up via the 'clients.conf' file, which
has a netmask.   Duplicate requests are found by comparing source IP
addresses.

  So the packets should be duplicate *only* if they're being sent from
the same IP.

 delete_blocked_requests = no (Is this safe to turn to yes yet)

  No.

  Alan DeKok.

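The two "conflicting packet" replies above describe request tracking: the server keys in-flight requests on the packet's source address and the 8-bit RADIUS Identifier, so a proxy in front of many NASes collapses them into one key space, and an Identifier reused before the earlier request has finished is reported as a conflict rather than a retransmit. The code below is an added example written for this page, not FreeRADIUS code; it also includes the source UDP port in the key, which is an assumption about the implementation, and the addresses and Identifiers are constructed.

```python
# Added example (not FreeRADIUS code): retransmit vs. conflicting-packet detection.
import struct
from dataclasses import dataclass, field
from typing import Dict, Tuple

HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Request Authenticator (RFC 2865)
ACCESS_REQUEST = 1

Key = Tuple[str, int, int]          # (source IP, source UDP port, Identifier)


def make_request(ident: int, authenticator: bytes, attributes: bytes = b"") -> bytes:
    """Build a minimal Access-Request. The Identifier is only 8 bits, so a busy
    client has at most 256 requests outstanding per source port."""
    if not 0 <= ident <= 255 or len(authenticator) != 16:
        raise ValueError("bad identifier or authenticator")
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(attributes), authenticator) + attributes


@dataclass
class RequestTracker:
    inflight: Dict[Key, bytes] = field(default_factory=dict)

    def receive(self, src_ip: str, src_port: int, packet: bytes) -> str:
        if len(packet) < HEADER.size:
            return "malformed"
        code, ident, length, authenticator = HEADER.unpack_from(packet)
        if length < HEADER.size or length > len(packet):
            return "malformed"
        # Only the outer source matters; any NAS-IP-Address inside the packet plays no part.
        key: Key = (src_ip, src_port, ident)
        pending = self.inflight.get(key)
        if pending is None:
            self.inflight[key] = authenticator
            return "new"
        if pending == authenticator:
            return "retransmit"     # the NAS timed out and re-sent; answer from the cached reply
        return "conflict"           # Identifier reused for a different request while the old one is unfinished

    def finish(self, src_ip: str, src_port: int, ident: int) -> None:
        """Called once the reply went out; frees the Identifier for reuse."""
        self.inflight.pop((src_ip, src_port, ident), None)


if __name__ == "__main__":
    t = RequestTracker()
    first = make_request(122, bytes(range(16)))
    print(t.receive("192.0.2.10", 1646, first))                          # new
    print(t.receive("192.0.2.10", 1646, first))                          # retransmit
    print(t.receive("192.0.2.10", 1646, make_request(122, bytes(16))))   # conflict
```

The slower the server answers, the longer each key stays in `inflight`, and the sooner a NAS wraps around its 256 Identifiers and hits "conflict"; that is the link between "the server is taking a long time" and the log line in the question.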


Re: Problem with attr_filter

2003-12-19 Thread Alan DeKok
Stephan von Krawczynski [EMAIL PROTECTED] wrote:
 Only half answered, I'm afraid. I tried auth_log and reply_log, but it is
 unclear how to find out corresponding req and reply without any id logging ...

  <shrug>  You've got the source code.  It's only a 1-line change.

  Alan DeKok.



Re: Mac Radius

2003-12-19 Thread Alan DeKok
Cris Boisvert [EMAIL PROTECTED] wrote:
 Is their a way to use the exported users.txt file from mac radius to
 import it into freeradius?

  Edit it by hand.  The configuration files are probably quite different.

  Alan DeKok.



Re: Requests appear to be from 255.255.255.255

2003-12-19 Thread Alan DeKok
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 I am now seeing 2 different things that may or may not be related.
 
 1.  Some ISP's report that our requests seem to be coming from the internal
 IP address assigned to our radius server.

  Then the routing on your network needs to be fixed.  You're routing
internal address to the net.

  Or, the IP's *inside* the RADIUS packet may be IP's from your
internal net.  That's a different issue, and not nearly as much of a
problem.

 2. One ISP now reports that our requests seem to be coming from
 255.255.255.255 ?

  Then your network is completely broken.  The response can't make it
back from the ISP to you, so I don't see how *anything* would work.

  Alan DeKok.



Re: Easy User Interface?

2003-12-19 Thread Alan DeKok
Cris Boisvert [EMAIL PROTECTED] wrote:
 Does Anyone Use an easy user interface...Webmin.. Or a script?

  dialup_admin?  It comes with the server.  Did you look?

  Alan DeKok.



Re: install EAP-ttls

2003-12-18 Thread Alan DeKok
=?iso-8859-1?q?santi=20baztan?= [EMAIL PROTECTED] wrote:
 I have radius server with EAP-TLS and I'm trying to
 install eap-ttls. Have you a howto of eap-ttls.

  You configure it, as it says in 'radiusd.conf'.

  After that, you have a client send it EAP-TTLS packets.  It's that easy.

  Alan DeKok.



Re: More Questions

2003-12-18 Thread Alan DeKok
Roy Wills [EMAIL PROTECTED] wrote:
 I have turned on log_auth, log_auth_badpass, and log_auth_goodpass
 in radiusd.conf. Having done this I am still not getting any
 accounting info in the database or log file. Am I missing something
 here?

  Your NAS needs to send accounting packets.  Nothing you do to the
server will make any difference.

 Also saw in radiusd.conf where i need to uncomment simul_count_query
 but that appears to only work if you have accounting working.

  Exactly.  No accounting, no simultaneous-use checks.

 Am  doing something wrong here as well?

  Make the NAS send accounting packets.

  Alan DeKok.



Re: pam authentication documentation

2003-12-18 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I'm looking for some good documentation on PAM for authentication with
 radius or with any service.  I've only been able to find documentation
 that is either brief or out of date.  Any good books, or sites

  Try the PAM radius authentication module.  There's really nothing else.

  Alan DeKok.



Re: More Questions

2003-12-18 Thread Alan DeKok
Nick Davis [EMAIL PROTECTED] wrote:
 I guess it might be a good idea to ask Alan to put sql as a commented option 
 in the authorize and accounting sections of the radiusd.conf.

  Done.

  Alan DeKok.



Re: rlm_perl strange behaviour problem

2003-12-18 Thread Alan DeKok
Aivis Olsteins [EMAIL PROTECTED] wrote:
 3. when calling same script with same line from radius, it displays old perl
 version 5.8.0 (which is completely removed from system)

  No, it's not.  You've linked rlm_perl to the old perl, so it's still
somehow sticking around.

 The radius server was upgraded to 0.9.3 , it did not help.

  That *should* do it, if you deleted the old libperl files.

  Alan DeKok.



Re: CVP3000 VSA Dictionary

2003-12-18 Thread Alan DeKok
Spetzler, Arne (DZ-SH) [EMAIL PROTECTED] wrote:
 in the process of superseding Cisco ACS with freeradius, I have
 enhanced the
 
   dictionary.cisco.vpn3000
...

  Those attributes are already in the CVS head.  They weren't included
in 0.9.3, though.

  Alan DeKok.



Re: Cisco VPN3000 with freeradius

2003-12-16 Thread Alan DeKok
Oliver Graf [EMAIL PROTECTED] wrote:
 So what about a answer-delay option for sluggy NASes? ;)

  Yuck.

  Alan DeKok.



Re: freeradius mysql simultaneous-use question URGENT

2003-12-16 Thread Alan DeKok
Soujanya Rao [EMAIL PROTECTED] wrote:
 Can anyone tell me where I am going wrong? This is urgent and I am
 clueless as to what else needs to be done. 

  Ensure that 'sql' is listed in the 'accounting' section.

  Run: radiusd -X

  Alan DeKok.



Re: Digital Cert + Username/Password against LDAP = ???

2003-12-15 Thread Alan DeKok
Patrick Mowry [EMAIL PROTECTED] wrote:
 I have a requirement for two stage authentication for wireless networks.
 Before the wireless Windows 2000/XP client is even allowed to reach the
 domain, it must authenticate to the network with Digital Certs issued
 from an iPlanet certificate server (EAP-TLS) and also a
 username/password against LDAP.  Would this be EAP-TTLS?

  Yes.

  Alan DeKok.



Re: Upgrade questions

2003-12-15 Thread Alan DeKok
Nick Marino [EMAIL PROTECTED] wrote:
 Can anyone point in the direction of the best way to upgrade to Freeradius
 version 0.9.3 from version FreeRADIUS Version 0.8-pre with out losing my
 current configuration?

$ make install

  Read the output.  It warns you in big letters that it hasn't changed
the configuration files.

  Alan DeKok.



Re: PEAP problem - HELP PLEASE

2003-12-15 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 In fact could someone try to look at my log, and tell me where is my
 problem? I would be great!

  The log you posted to the list contains a description of what is wrong.

 Another point is the configuration of the users file, for peap. I've read
 the list but nobody gave a real answer to this question.. how this file
 have to be configured?? I tried :
 username Auth-type := EAP , User-password == "xxx"
 or
 username Auth-type := Local , User-password == "xxx"

  You often don't need to do anything to the 'users' file.

  The simplest change to make (if you're not using LDAP or SQL), is to
add the tunneled user name, with a password:

tunnel-user  User-Password = "password"

  That's it.

   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: No LM-Password or NT-Password attribute found.  Cannot
 perform MS-CHAP authentication.

  It needs a password.

  Alan DeKok.



Re: Help

2003-12-15 Thread Alan DeKok
Shashidhara S Bapat [EMAIL PROTECTED] wrote:
 I have a windows user connected through AP600 (NAS), and it is not
 responding. (I ran 'radiusd' with -X option ..and found it not showing
 any message, when the windows-user tried to access. It's allowing user
 to access the NAS without asking for any password).

  Then it's a problem with the NAS configuration.  Nothing you do to
FreeRADIUS will help.

  Alan DeKok.



Re: Problem with attr_filter

2003-12-15 Thread Alan DeKok
  This is my last message on this topic, in the naive hope that you
will pay attention to what I'm saying.

Stephan von Krawczynski [EMAIL PROTECTED] wrote:
 You are not wrong, you simply don't listen or don't at least try to
 understand the problem, again:
 
 I have a freeradius 0.8.1 and let it send vendor attributes to a freeradius
 0.9.3 proxy that tries to filter _that very same_ vendor attributes and does
 not recognise them.

  Bullshit.  Total, absolute, bullshit.  I explained why in my
previous message.  Go back and read it.

 _That_ is a real issue. It is likely that 0.8.1 is different somehow
 regarding vendor info behaviour (maybe buggy, I don't know). My
 expectation was you had some knowledge about this. Do you?

  Yes.  I told you to go read dictionary.ascend.  You obviously
haven't.

  To hint again: one is a VSA, one is not.  The attributes are
incomparable.

   If the names look similar to you, that's
  an illusion, and has nothing to do with the problem at hand.  If the
  attribute numbers look similar, that, too, is unimportant.
 
 .. as long as they don't belong to the _same_ dictionary, which is
 exactly the case here.

  Sorry, you're wrong.  I could explain why, but you'd just argue with
me again.

 Why does a packet come out different from 0.8.1 using the same dictionary as
 0.9.3 ?

  <drum roll>  Because the dictionaries have changed?  And you're too
damn lazy to go check?  Or, you're too damn proud to follow my
instructions?

  See, I would have thought you READ my messages, and put 2 and 2
together:

 1) go read dictionary.ascend
 2) if the attribute isn't being sent as a VSA, update the dictionary
so that it IS sent as a VSA.

  You did READ the dictionary, to see if the attribute was a VSA,
didn't you?  You did try to update the dictionary, to make the
attribute a VSA, didn't you?

  But I doubt you have.  You're only asking questions to prove me
wrong, and to avoid all of my instructions as to how to fix the
problem.

 Something that came to my mind while debugging was: is there a
 (simple) way to make freeradius write a protocol of all
 access-packets very like the accounting packets' protocol
 (detail-file)? I mean besides freeradius debugging mode.  That would
 be very handy (I really don't like tcpdump for long-term protocols).

  You did read 'radiusd.conf', didn't you?  That question is answered
there.

  Obviously not...

  Honestly, I don't know why it's so hard for you to read my
responses, and do as I say.  I do know that I'm wasting my time, and
I don't see the point in discussing it any further.  I've told you
exactly what's wrong, and I've told you exactly how to fix it.

  Yet that isn't good enough for you.  You still argue with me, ignore
what I say, and tell me I'm wrong.  I can only conclude that you're
uninterested in solving your problem.  You're only interested in
social gossip on the list.

  Alan DeKok.



Re: Upgrade questions

2003-12-15 Thread Alan DeKok
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 yeah I have done that exactly before and it did overwrite my config that is
 one of the reasons I am asking.

  That must have been a very old version of the server.  The current
version does not overwrite any files in raddb/

  Alan DeKok.



Re: Support for Safeword tokens in synchronous mode

2003-12-15 Thread Alan DeKok
Szelepcsenyi Robert [EMAIL PROTECTED] wrote:
 I would like to replace the Safeword server with some open source software,
 if possible. However, we are using tokens in synchronous mode for dialup,
 VPN etc. Freeradius seems to support Safeword Tokens in asynchronous mode
 only. I would like to ask whether synchronous mode is planned sometime in
 the future.

  Nope.

 I have not been able to find any specs concerning the synchronous
 mode. I also tried to extract the counter value from import0.dat (it
 is the last item of a record), but encrypting it using the DES key
 did not yield the desired password.

  Without the algorithm, it's impossible to implement.  And if the
algorithm is patented, it's even more impossible to implement.

  Alan DeKok.



Re: MySQL Help!

2003-12-15 Thread Alan DeKok
Deramus, Chris [EMAIL PROTECTED] wrote:
 What file(s) should I run ldd against? 

  rlm_sql_mysql.so

  Alan DeKok.



Re: There are no DB handles to use! skipped 0, tried to connect 0

2003-12-15 Thread Alan DeKok
Ripunjay Bararia [EMAIL PROTECTED] wrote:
 --- radius.log begin ---
 Mon Dec 15 12:30:23 2003 : Info: rlm_sql (sql): There are no DB handles to
 use! skipped 0, tried to connect 0

  Find out why your SQL database is slow.

  Alan DeKok.



Re: Denying Access by NAS-Port-Type

2003-12-15 Thread Alan DeKok
NetNITCO Systems Administration [EMAIL PROTECTED] wrote:
 So, since dial-up gets reported as NASPortType Async and ISDN is
 reported as ISDN, I was wondering if populating 'radgroupcheck'
 for the DialUp group with 'NASPortType' Async would disallow
 somebody from making an 64K ISDN connection when their 'radgroup'
 group is set for the DialUp group.

  It should work.  Check, though, that the NAS is actually sending
Async.

  This should let the ISDN people also do dial-up, but will prevent
the dial-up people from using ISDN.

  Alan DeKok.



Re: Upgrade questions

2003-12-15 Thread Alan DeKok
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 So the config files are completely the same between versions?

  No.

 Are any modifications needed on the config files after the install or will
 0.9.3 run with 0.8 pre config files?

  Maybe.

 What about new fields in the mysql database are they also the same?

  I don't recall.

  Alan DeKok.



Re: There are no DB handles to use! skipped 0, tried to connect 0

2003-12-15 Thread Alan DeKok
Ripunjay Bararia [EMAIL PROTECTED] wrote:
 My SQL server and FR are running on the same box,
 will separating them be a good idea,

  It shouldn't matter.

 I need to do AAA for about 1500 concurrent users
 what kind of a machine would I need for FR

  Almost any machine available today will do this easily.

 and how much load will it put on the MySQL server

  Almost no load.


  Something in your SQL database is taking a long time, and preventing
the server from working properly.  Find out what that is, and the
server will be OK.

  I don't know much about SQL, so I can't help you there, sorry.

  Alan DeKok.



Re: Cisco VPN3000 with freeradius

2003-12-15 Thread Alan DeKok
Spetzler, Arne (DZ-SH) [EMAIL PROTECTED] wrote:
 I'm successfully authenticating Certificate users against freeradius
 0.9.0 (from suse 9.0).
 
 BUT:  only the 'first' time. That means:
 
 wait a 'long' time (av. 15 min)
 
 authenticate successful

  This has nothing to do with FreeRADIUS.  If the client/NAS doesn't
contact the server, there's nothing that FreeRADIUS can do to speed up
the process.

 The CISCO Access Control Server ACS did not show this behavior.

  I would suggest seeing what attributes are sent back from the Cisco
server, and make FreeRADIUS send back the same attributes.

  Whatever the problem is, that is the only fix.

  Alan DeKok.



Re: Problem with attr_filter

2003-12-14 Thread Alan DeKok
Stephan von Krawczynski [EMAIL PROTECTED] wrote:
Huh?  I don't see why that would be true.  If the standard API's are
  used to create VP's, then the 'attribute' entry ALWAYS contains the
  vendor information.
 
 Hm, this was my first thought, too. But I checked the incoming data via tcpdump
 as a hexdump and had to find out that there was no vendor info.

  <sigh>  Could you please stick to one topic?

  You originally said that in the SERVER, the DATA STRUCTURES didn't
have the vendor information.  I was confused, because that's pretty
much impossible.  Now, you change your mind, and say something else,
about tcpdump.

  Stop it.  It's annoying, and it makes me inclined to ignore you,
until you have a consistent story.

 In fact this citation of mine was a bit irritating, the output was
 generated by radtest, but radtest falsely interpreted the vendor
 which was no Ascend but Bintec.

  Then you're *very* confused.  Go read the dictionary.ascend file.
Both vendors are idiots, and have put their attributes into the base
256 attributes, rather than using VSA's.

  THAT'S why you didn't see a vendor Id: They weren't using VSA's.  If
you had said that in the first place, it would have helped
significantly.

 On Bintec this attribute is STRING. So besides the major vendor id
 problem, there was a problem with interpreting the attribute without vendor
 knowledge. This led me to the patch described below, which is just ugly.

  Don't bother with any patch.  Fix the client so it works.  Fix the
client so it sends VSA's.

 This is the funny part: I have two setups that produce packets without vendor
 ids, first is freeradius-0.8.1 (I really checked the dictionary on this one,
 the ID is in the dictionary, but packets do not contain any).

  I doubt that very much.

  The second is some SGI-based radius server I have no hands on. This
 one neither sends vendor info and was configured for completely
 different clients than the freeradius installation. So basically we
 have incoming proxy-packets for two different vendors from two very
 different installations, both containing no vendor info at all.

  See?  Both vendors are stupid and broken.

 I made a patch to replace the attribute from reply_item with the one
 from check_item before copying it to reply_tmp, but that is a real
 hack. I wonder if there is a clean solution at all, though...

  That change is absolutely irrelevant to the problem at hand.

  Alan DeKok.



Re: freebsd vs. wireless 802.1x

2003-12-14 Thread Alan DeKok
=?big5?q?Vincent=20Chen?= [EMAIL PROTECTED] wrote:
 1. My client is a notebook running windows xp. I can
 establish connection to AP using predefined key or
 just check 'the key is provided for me automatically'.
 My question is the key radius send to AP and client.
 How do those key generated? Will the key changed after
 a period just like IPSEC rekey function?

  If you use PEAP, the keys are generated as part of the PEAP
authentication process.

  The keys will be rotated, if you set a Session-Timeout, to make the
user re-authenticate.

 2. I enabled radius accounting. Only start record in
 detail file but no stop record. It looks like this:

  <shrug>  See the FAQ.  If the NAS/client doesn't send a stop record,
there's nothing the server can do about it.

 What is this 'Acct-Status-Type = 0' record?

  See the RFC's.  http://www.freeradius.org/rfc/atributes.html

  It doesn't officially exist, so no one knows what it's supposed to
be.

 Can I get bytes transferred during this session like dialup record?

  Read the FAQ.  The server can't log what isn't sent by the NAS.

  Alan DeKok.



Re: Problem with attr_filter

2003-12-14 Thread Alan DeKok
Stephan von Krawczynski [EMAIL PROTECTED] wrote:
THAT'S why you didn't see a vendor Id: They weren't using VSA's.  If
  you had said that in the first place, it would have helped
  significantly.
 
 Unfortunately it would not,

  If you know more about RADIUS & the server than I do, why are you
asking questions?  Are you going to believe me, or are you going to
keep telling me I'm wrong?

 but the situation while comparing in rlm_attr_filter is that the
 reply_item has no vendor info, whereas the check_item (remember:
 from _same_ vendor!) has one.  And _that_ is the primary problem.

  Absolutely not.  You haven't understood what I'm saying.

  To repeat in short, simple, words: Vendor attributes are different
from non-vendor attributes.  If the names look similar to you, that's
an illusion, and has nothing to do with the problem at hand.  If the
attribute numbers look similar, that, too, is unimportant.

  The attributes are different.  One is a VSA, and the other is not.
The code will never be able to compare them as identical, because
they're not identical.  The RADIUS packet itself says they're
different, so the server treats them as different.

  There will be NO patches going into the server to fix this
problem.

 Thinking about it another possible solution may be to create a
 patch-dictionary where the attributes contain no vendor info and use
 these in attr_filter.  That sounds like a reasonable no-source-patch
 solution to this problem.

  Nonsense.  Total nonsense.  Go READ the dictionary.ascend, like I
TOLD YOU.  It ALREADY lists the attributes without vendor info.  And
as you've seen, this causes problems.

  As I said in my previous message, BOTH vendors have used the same
NON-VENDOR attribute space for their attributes.  This is stupid of
them, and is the entire source of the problem.  Stop trying to fix
the server by making it even more broken in ways you've already said
you didn't like.

  Go fix the clients to send the attributes as VSA's.  That will solve
the problem.  I'll bet a simple edit of a dictionary file is all
that's needed.

  There are probably ways to use the server to re-write the attributes
to make sense (so attr_filter works), but I don't see any point in
explaining them, until it's clear that you've understood what else
I've said.

  Alan DeKok.

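The attr_filter exchange above turns on one encoding fact: a plain attribute lives in the base RFC space (type 1..255), while a Vendor-Specific attribute is type 26 wrapping a 4-octet Vendor-Id and the vendor's own sub-type, so "attribute 200" in the base space and "vendor X, sub-type 200" are different keys and a filter written for one never matches the other. The parser below is an added example for this page, not FreeRADIUS code. It handles only the sub-attribute format RFC 2865 section 5.26 recommends (1-octet vendor type, 1-octet vendor length); vendors with other sub-formats, such as the USR format mentioned later in the thread, are out of scope. The vendor id 9999 and the attribute numbers are constructed for the demonstration.

```python
# Added example (not FreeRADIUS code): base-space attributes vs. Vendor-Specific attributes.
import struct
from typing import List, Set, Tuple

VENDOR_SPECIFIC = 26
AttrKey = Tuple[int, int]   # (vendor_id, type); vendor_id 0 means the base RFC space


def base_attr(atype: int, value: bytes) -> bytes:
    """Encode a plain attribute: Type, Length, Value (RFC 2865 section 5)."""
    if not 1 <= atype <= 255 or len(value) > 253:
        raise ValueError("bad base attribute")
    return bytes([atype, 2 + len(value)]) + value


def vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute in the RFC 2865 section 5.26 recommended
    format: Type 26, Length, Vendor-Id (4 octets), Vendor-Type, Vendor-Length, value."""
    if not 1 <= vtype <= 255 or len(value) > 247:
        raise ValueError("bad vendor attribute")
    inner = bytes([vtype, 2 + len(value)]) + value
    return base_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def parse_attributes(data: bytes) -> List[Tuple[AttrKey, bytes]]:
    """Walk the attribute section of a packet and return (vendor_id, type) keys
    with their raw values. Length fields are checked so a bad packet raises
    instead of reading past the buffer."""
    out: List[Tuple[AttrKey, bytes]] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub, spos = value[4:], 0
            while spos < len(sub):          # one VSA may carry several vendor TLVs
                if len(sub) - spos < 2:
                    raise ValueError("truncated vendor attribute")
                vtype, vlen = sub[spos], sub[spos + 1]
                if vlen < 2 or spos + vlen > len(sub):
                    raise ValueError("bad vendor attribute length")
                out.append(((vendor_id, vtype), sub[spos + 2:spos + vlen]))
                spos += vlen
        else:
            out.append(((0, atype), value))
        pos += alen
    return out


def attr_filter(attrs: List[Tuple[AttrKey, bytes]], allowed: Set[AttrKey]) -> List[Tuple[AttrKey, bytes]]:
    """Keep only attributes whose (vendor, type) key is on the allow-list, the way a
    reply filter does. Base-space 200 and vendor sub-type 200 are distinct keys."""
    return [(key, value) for key, value in attrs if key in allowed]


if __name__ == "__main__":
    VENDOR = 9999   # constructed vendor id
    legacy = base_attr(200, b"\x00\x00\x00\x01")      # vendor attribute sent in the base space
    proper = vsa(VENDOR, 200, b"\x00\x00\x00\x01")    # the same number sent as a real VSA
    parsed = parse_attributes(legacy + proper)
    print([key for key, _ in parsed])                            # [(0, 200), (9999, 200)]
    print(attr_filter(parsed, {(VENDOR, 200)}))                  # only the VSA form survives
```

Run against a reply that carries the legacy form, an allow-list of `(VENDOR, 200)` drops it, which is exactly the "does not recognise them" symptom in the thread; the fix is on the sending side (emit the VSA form), not in the comparison.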


Re: Problem with attr_filter

2003-12-13 Thread Alan DeKok
Stephan von Krawczynski [EMAIL PROTECTED] wrote:
 1) It does not recognize at all vendor specific attributes. The reason is this
 code part taken from src/modules/rlm_attr_filter/rlm_attr_filter.c :
...
 if(reply_item-attribute == check_item-attribute) {
 
 Unfortunately check_item-attribute contains the vendor id and therefore can
 never match the reply_item-attribute which does not contain vendor info.

  Huh?  I don't see why that would be true.  If the standard API's are
used to create VP's, then the 'attribute' entry ALWAYS contains the
vendor information.

 This can be dealt with through adding a & 0xFF. My test shows that
 this works out.

  Except for USR VSA's.  They need & 0x.  See the other code in
rlm_attr_filter.c.

 2) Unfortunately this brings up another issue, the item_type seems to be
 incorrect. Testing the stuff above shows server reply containing:
 
 X-Ascend-IPX-Alias = 3134307025
 
 which obviously :-) reads bad1bad1 in hex. 

  See src/lib/radiusd.c.  The attribute in the *packet* is supposed to
have 4 octets of data, but doesn't.

  That looks to me like the dictionaries on the server and the client
disagree about what type that attribute is.

  You also haven't said *where* this attribute is coming from.
Knowing that would help.

  Alan DeKok.



Re: MySQL Help!

2003-12-12 Thread Alan DeKok
Deramus, Chris [EMAIL PROTECTED] wrote:
 I have checked and verified the LD_LIBRARY_PATH variable, I have updated
 ld.so.conf as well. I've tried multiple configuration options, including
 disable-shared. Something isn't adding up. Any suggestions would be most
 appreciated. Thanks and have a good weekend. 

  'ldd' should tell you which libraries are needed.  Maybe MySQL needs
additional libraries, which somehow aren't loaded.

  I don't know how else to help you.  The server core doesn't know
*anything* about modules/libraries, other than it asks the system to
load them.  If that doesn't work, there isn't much else the server can
do.

  Alan DeKok.



Re: Auth: Login incorrect:

2003-12-12 Thread Alan DeKok
Joe Bonow [EMAIL PROTECTED] wrote:
 I am using dialup admin to check for bad logins and after reviewing the 
 script it seems that the ip99 response should be more long the lines of 
 say nameofnas or nameofnas.domain.

  The 'ip99' is the 'short name' of the client.  If you don't like it,
edit the 'short name' to be the name you want logged.

  Alan DeKok.



Re: Kill -HUP in debug mode eats all CPU

2003-12-12 Thread Alan DeKok
ZORBADELOS KONSTANTINOS [EMAIL PROTECTED] wrote:
 As I have seen in a previous post a bug that occasionally crashed the
 server when it received a HUP signal has been fixed. After compiling
 the latest release (0.9.3) on a SUN Ultra 100 (Solaris 8) I noticed
 that when I start the server in debug mode (radiusd -X) and send it a
 HUP signal  

  I'll put a fix into the latest CVS snapshot.

  Alan DeKok.



Re: Error in the Oracle driver from the CVS

2003-12-12 Thread Alan DeKok
Andrea Gabellini [EMAIL PROTECTED] wrote:
 I'm trying 0.9.3 using the Oracle driver from the CVS. From the version 1.32 
 of sql_oracle.c there is the check that the number of columns is 5. This 
 doesn't work with the simultaneous use checking queries.

  Why?

  Alan DeKok.



Re: Freeradius EAP/TLS authentication chooses wrong cipher suite

2003-12-12 Thread Alan DeKok
Obermeier Markus ICM MP PD TS [EMAIL PROTECTED] wrote:
 How does Freeradius choose the cipher suite?

  It doesn't.  It lets SSL pick it.

  Alan DeKok.



Re: Freeradius 0.9.3 with mysql

2003-12-11 Thread Alan DeKok
Graeme Hinchliffe [EMAIL PROTECTED] wrote:
 Will a HUP force a reload of the config? 

  Yes.

  Alan DeKok.



Re: EAP-SIM with freeRadius

2003-12-11 Thread Alan DeKok
Jean-Philippe Duval [EMAIL PROTECTED] wrote:
 Is EAP-SIM authentication available with freeRadius ?

  The latest CVS snapshot has EAP-SIM.

  Alan DeKok.



Re: SQL falls through to users file

2003-12-11 Thread Alan DeKok
Gary Algier [EMAIL PROTECTED] wrote:
 I have some basic SQL functionality working, but I discovered that if
 the SQL module returns ok, FreeRadius still falls through to the
 users file.  Is there any way to prevent this?

  doc/configurable_failover

  Alan DeKok.



Re: response-authenticator decrypt fail

2003-12-11 Thread Alan DeKok
Bo [EMAIL PROTECTED] wrote:
 I installed the FreeRadius 0.9.3 on Redhat 8.0 and did some tests with
 the Cisco AS5400 for authenticating the dial-up users. From the server
 side, everything was OK and it sent the Access-Accept back. But
 unfortunately I got the following error message on AS5400.

  Your shared secret is wrong.

  Alan DeKok.

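How a RADIUS client decides whether a reply is genuine, as an added example that is not from the list message or the FreeRADIUS sources: the Response Authenticator (RFC 2865) is an MD5 over the reply header, the request's authenticator, the attributes and the shared secret, so a secret that differs on either side fails the check and the NAS discards the Access-Accept. The packet contents, identifier and secret below are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18  # standard attribute type used in the sample reply


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value triples."""
    out = b""
    for attr_type, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_reply(code, ident, request_auth, attrs, secret):
    """Build a reply the way the server does. The authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def response_authenticator_ok(packet, request_auth, secret):
    """The NAS-side check: recompute the MD5 with the locally configured
    secret and compare. A secret mismatch, a modified attribute or a reply
    matched to the wrong request all fail here, and the NAS drops the packet."""
    if len(packet) < 20:
        return False
    header, got_auth, body = packet[:4], packet[4:20], packet[20:]
    length = struct.unpack("!H", header[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(got_auth, expected)
```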


Re: TLS/EAP Implementation Out of virtual memory!

2003-12-11 Thread Alan DeKok
Justin Bailey [EMAIL PROTECTED] wrote:
 I have been using Raymond McKay's document to get TLS/EAP running with
 freeRADIUS.  (Thus, I am using freeradius-snapshot-20021028.)  My system
 has 50MB of RAM and 20GB hard drive.  When I launch freeRADIUS
 (run-radiusd -X -A) as Raymond suggests, a long period passes and then I
 receive the message:
   bash: Out of virtual memory!

  I would suggest getting more memory for your machine, or increasing
the swap size

  Alan DeKok.



Re: Freeradius 0.9.3 with mysql

2003-12-11 Thread Alan DeKok
Dan Monjar [EMAIL PROTECTED] wrote:
 Were you able to address the occasional server crash in response to the
 HUP?

  Yes.

  Alan DeKok.



Re: Eap ttls and LDAP

2003-12-10 Thread Alan DeKok
Kostas Kalevras [EMAIL PROTECTED] wrote:
  I am using freeradius 0.9.3 on a linux box
  I have found the eap_ttls module in the CVS tree
  How to install it ???
 
 ./configure
 make
 make install

  And watch the server die as soon as it receives an EAP-TTLS request.

  Alan DeKok.



Re: expr problems

2003-12-10 Thread Alan DeKok
Nikolas Geyer [EMAIL PROTECTED] wrote:
 ERROR: Cannot find a configuration entry for module expr.
 
 In my radiusd.conf I have the following;
 
 expr {
 }

  Where?  The location of that configuration entry matters.

  See the default 'radiusd.conf' for examples of where that
configuration entry should go.

  Alan DeKok.



Re: Unable to load EAP-Type/ttls, as EAP-Type/TLS is required first

2003-12-10 Thread Alan DeKok
Holger Schurig [EMAIL PROTECTED] wrote:
 I thought TLS is where both the server and the clients have certificates.
 And TTLS is where only the client has a certificate (of the server).

  Yes.  If you're unsure, read the RFC's.  They're included with the
server.

 Therefore, TTLS and PEAP need only a subset of TLS, right?

  No.  They need the entire TLS protocol.

 Now, when I enable TTLS (and TLS because I need it) in radiusd.conf, then
 some client can try to authenticate/authorize with TLS. It's on, isn't it? 

  Yes.  You can turn it off.  See the EAP-Type attribute.

 And the client doesn't get back something like protocol not supported,
 but negative authentification.

  You don't understand how RADIUS works.  And it's "authentication",
not "authentification".

  RADIUS returns Access-Reject, not protocol unsupported.  And the
wireless client doesn't even see that.

 So I would have thought that this is possible and makes sense:
 
  # tls {
  #   ...
  #}
 
  ttls {
certificate_file = ${prefix}/ca/cert-srv.pem
  }

  What about the rest of the configuration options in the TLS
module?  Are you going to just throw those away?  They exist for a
reason, you know...

  Alan DeKok.



Re: FreeRadius with MySQL

2003-12-10 Thread Alan DeKok
Leandro Sant'ana [EMAIL PROTECTED] wrote:
 I commented that's lines in file /etc/raddb/users
...
 #DEFAULT Auth-Type = System
 #Fall-Through = 1
 
 To force Auth-Type in databases 

  No.

  Uncommenting that line means you forced it to NOT use System
authentication.  But you didn't tell it what OTHER authentication
method to use, so the server failed.

  modcall: group authorize returns ok for request 0
 auth: No authenticate method (Auth-Type) configuration found for the
 request: Rejecting the user

  Did you try setting an Auth-Type somewhere?

  What part of the error message is unclear?

  Alan DeKok.





Re: Encrypting an Access Reply Attribute

2003-12-10 Thread Alan DeKok
Tom Stoll [EMAIL PROTECTED] wrote:
 Does anyone have an example that demonstrates how to encrypt an
 individual access reply attribute?

  You shouldn't have to.  See the dictionary files, and look for
encrypt=.  If you're going to use the standard User-Password
encryption, then create a dictionary file entry for your attribute
like:

ATTRIBUTE   My-Magic-Foo   250   string   encrypt=1

  And the server will automatically encrypt it when sending, and
decrypt it when receiving.

  Alan DeKok.

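The hiding scheme that encrypt=1 selects is the RFC 2865 User-Password one, shown here as an added example that is not code from the FreeRADIUS sources: the value is padded to 16-byte blocks and each block is XORed with MD5(secret + previous block), the request authenticator standing in as the first "previous block". The secret, authenticator and attribute value are constructed.

```python
import hashlib

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(cleartext, secret, request_auth):
    """RFC 2865 section 5.2: b1 = MD5(S + RA), c1 = p1 XOR b1,
    b2 = MD5(S + c1), c2 = p2 XOR b2, and so on. Each block's key stream
    depends on the previous ciphertext block, so identical plaintext
    blocks do not produce identical ciphertext blocks."""
    if not 0 < len(cleartext) <= 128:
        raise ValueError("cleartext must be 1..128 bytes")
    padded = cleartext + b"\x00" * (-len(cleartext) % BLOCK)
    out = b""
    prev = request_auth
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + BLOCK], key)
        out += c
        prev = c
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse: the key stream is rebuilt from the received ciphertext
    blocks, so the receiver needs only the secret and the authenticator.
    Padding NULs are stripped, which is why a value that itself ends in
    NUL bytes cannot be carried intact by this scheme."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out = b""
    prev = request_auth
    for i in range(0, len(hidden), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + BLOCK]
        out += _xor(c, key)
        prev = c
    return out.rstrip(b"\x00")
```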


Re: unknown proxy ?

2003-12-10 Thread Alan DeKok
Alex Radetsky [EMAIL PROTECTED] wrote:
  I'm using freeradius-0.7.1. I'm trying to configure this freeradius 
 as proxy server to remote. 

  Upgrade to 0.9.3.  Please.

  Alan DeKok.



Re: unknown proxy ? part 2

2003-12-10 Thread Alan DeKok
Alex Radetsky [EMAIL PROTECTED] wrote:
  So, if radius got packet from remote server with configured source_ip and 
  port, radiusd marks it as active. 
 
  But in my case, radius got packet from configured source_ip, but another 
  port. 
 
  What does it mean?

  It means that the server you're proxying the request to is broken.

  PS. I can rewrite this code to create a workaround. But I do not know, maybe 
  it will not be correct. 

  It will be wrong.  You should contact the people running the other
server, and tell them to fix it.

  Alan DeKok.



Re: Freeradius 0.9.3 with mysql

2003-12-10 Thread Alan DeKok
Justin Williams [EMAIL PROTECTED] wrote:
 At any rate, with the user test in the users file, it authenticates
 just fine.  When I comment that out and add the user to the mysql table,
 usergroups, it does not authenticate, and I don't notice any reference
 to mysql in the rejection notice 

  So run it in debugging mode to see what's going wrong.

  Also, you *do* need to configure 'radiusd.conf' to use the SQL
module.  You can't just put users into an SQL database, and hope that
the server magically knows where to look.

  Alan DeKok.





Re: Eap ttls and LDAP

2003-12-10 Thread Alan DeKok
Arthur EBEL [EMAIL PROTECTED] wrote:
 I am using freeradius 0.9.3 on a linux box
 I have found the eap_ttls module in the CVS tree
 How to install it ??? 

  You install a snapshot.  You can't use EAP-TTLS with 0.9.3.

 I don't want to use a personal certificate but only the login and ldap passwd
 of the person

  EAP-TTLS doesn't require personal certificates.

  Alan DeKok.



Re: One suggestion about the default config file

2003-12-10 Thread Alan DeKok
Damjan [EMAIL PROTECTED] wrote:
 The FreeRadius default config file is pretty much complete and working
 right out of the box. It's only that for some more advanced features the
 admin *must* make some local changes.

  Yup.

 I've noticed that a lot of questions asked here are due to people not
 having the patience to read the config file in full, or being confused
 by options not relevant to the problem they are trying to solve.

  If they're not willing to read the configuration file, then they're
probably not willing to read answers to their questions on the list.
See previous flamewars.

 I propose a solution to this, one that's easy to implement on one hand,
 but will reduce the confusion some people have about configuring
 freeradius: I think the config file should be split in several smaller
 files, included by the main file (for ex. eap.conf, ldap.conf ...)
 sql.conf is a good example how this actually works.

  I'm not sure that would help, and I don't see it as necessary.
Apache has one large http.conf file, and no one seems to have problems
with it.

  Alan DeKok.



Re: Freeradius 0.9.3 with mysql

2003-12-10 Thread Alan DeKok
Justin Williams [EMAIL PROTECTED] wrote:
 Bingo...  That worked...  I was missing the sql entry in the authorize
 section...

  That's good to hear.

 Would still love to go read up on radius, though!

  Buy the RADIUS book.  See the web site for details.

  Alan DeKok.



Re: Freeradius 0.9.3 with mysql

2003-12-10 Thread Alan DeKok
Justin Williams [EMAIL PROTECTED] wrote:
 By the way, I did not see a command in the man pages to restart radiusd
 after making config changes.  Is there such?

  Huh?  It's a normal program.  You just kill it, and re-start it.

  Alan DeKok.



Re: Relocation Error - Checked the SSL versions, but still apear

2003-12-10 Thread Alan DeKok
Ivan Barrera [EMAIL PROTECTED] wrote:
 version of OpenSSL, it was working fine with EAP-TLS, but I wanted to try
 the TTLS, so I tried to set the OpenSSL to the latest stable version
 0.9.7c and use the SNAPSHOT version of Freeradius to get the TTLS.

  That should work.

 Now I'm getting the error:
 ./radiusd: relocation error:
 /usr/local/radius//lib/rlm_eap_tls-1.0.0-pre0.so: undefined symbol:
 SSL_set_msg_callback

  The server was compiled using the OLD version of OpenSSL, but you
linked it against the NEW version of OpenSSL.

 An old posted message said to be a problem with OpenSSL
 versions. I'm not good with this linux installations. So what I did
 was to remove the old directory where the snapshot were, and I used
 again to install the stable version.

  It's not a problem with FreeRADIUS.  It's a problem with OpenSSL.

  Alan DeKok.



Re: Relocation Error - Checked the SSL versions, but still apear - HELP

2003-12-10 Thread Alan DeKok
Ivan Dario Barrera [EMAIL PROTECTED] wrote:
...

  You do READ the list, don't you?

http://lists.cistron.nl/pipermail/freeradius-users/2003-December/026413.html

 Is there any way to check what are the versions I'm trying to use?

  ldd.  See the FAQ.

  Alan DeKok.



Re: Unable to load EAP-Type/ttls, as EAP-Type/TLS is required first

2003-12-09 Thread Alan DeKok
Holger Schurig [EMAIL PROTECTED] wrote:
 Is there a technical reason that EAP-TTLS and EAP-PEAP both need EAP-TLS
 first?

  Yes.  Why would it be otherwise?

  TTLS & PEAP both involve using EAP-TLS, and then tunneling
additional data in the TLS tunnel.  Therefore, they both need EAP-TLS.

  Alan DeKok.



Re: Setting attribute based on value of another attribute

2003-12-09 Thread Alan DeKok
Dennis Skinner [EMAIL PROTECTED] wrote:
 I'm trying to set the value of a custom attribute based on the value of
 one passed in the packet from the client/nas (specifically
 Client-IP-Address).  Something akin to this if it were allowed:
 
 DEFAULT   Client-IP-Address =~ "10.1.1."
 Custom-Attr := "network1"

  It's allowed.  The reason it doesn't work for you is that "10.1.1."
isn't a useful regular expression.  Try "^10\.1\.1\.", and it should
work.

 If necessary, I could just use the client-ip attr directly in the
 radcheck db, but if the IP addresses change for the clients, or new ones
 are added, I would have to change everyone's entry in radcheck.

  Why not use rlm_passwd?  Have a passwd style file, looking up the
client IP, and returning your Custom-Attr.  That way, there's only one
file to manage.

  Alan DeKok.



Re: username changed in-transit

2003-12-09 Thread Alan DeKok
Holger Schurig [EMAIL PROTECTED] wrote:
 [ALL] Frame to be sent :
 00 02 2D 81 77 8E 00 10 - C6 19 27 09 88 8E 01 00 ..-.w.'.
 00 0B 02 00 00 0B 01 3F - 00 4D 4E 43 49 00 00 00 ...?.MNCI...
...
 In which RFC is the format of this packet described? 

  Look for EAP.

 rad_recv: Access-Request packet from host 192.168.233.220:1988, id=15,
 length=128
 User-Name = "?\000MNCI"

  See the packet trace.  The "?\000" is in the EAP packet, so the
program sending that EAP packet is probably the one to blame.

 Here the username became suddenly "?\000MNCI".

  It doesn't look that way to me.

  Alan DeKok.

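Where the odd bytes come from, as an added example that is not part of the original thread: decoding the EAPOL frame from the dump above and pulling out the EAP-Response/Identity shows the "?\000" already inside the supplicant's packet, which the NAS then copies into User-Name. The frame bytes are the ones posted, retyped here; the octal rendering in radius_user_name is an assumption about how the server's debug output prints non-printable bytes.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# The 32-byte frame from the post, as one hex string.
FRAME = bytes.fromhex(
    "00022d81778e" "0010c6192709" "888e"   # dst MAC, src MAC, EtherType 0x888E
    "01" "00" "000b"                        # EAPOL v1, type EAP-Packet, length 11
    "02" "00" "000b" "01"                   # EAP Response, id 0, length 11, Identity
    "3f004d4e4349"                          # identity bytes: '?', NUL, 'M','N','C','I'
    "000000"                                # Ethernet minimum-frame padding
)


def eap_identity(frame):
    """Return the identity bytes of an EAP-Response/Identity carried in an
    EAPOL frame, or None for anything else. Every length field is checked
    against the bytes actually present, so a short or lying frame is rejected
    instead of being read past its end."""
    if len(frame) < 18:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + eapol_len]
    if eapol_type != EAPOL_TYPE_EAP_PACKET or len(body) != eapol_len:
        return None
    if eapol_len < 5:
        return None
    code, _ident, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    if eap_len < 5 or eap_len > eapol_len:
        return None
    return body[5:eap_len]


def radius_user_name(identity):
    """Render the identity as a string attribute would appear in the debug
    output: printable ASCII as-is, anything else as a C-style octal escape
    (assumed rendering)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\%03o" % b for b in identity)
```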


Re: Freeradius 0.9.3 gone nuts when auth from sql??

2003-12-09 Thread Alan DeKok
Nikolas Geyer [EMAIL PROTECTED] wrote:
 I just upgraded to FreeRadius 0.9.3 from 0.9.2 and am having a problem. Our
 users authenticate against a MySQL database, which used to work just fine.
 Now however it doesn't return a reply, and when running fr in debug mode it
 just shows multiple requests and floods the server.

  Ok..

  Below is an excerpt of what it's doing. It just repeats what's pasted
 over and over again until it does it 200 times (takes about half a
 minute or less) until it's blocked.

  Until the whole server blocks?

 rlm_realm: Preparing to proxy authentication request to realm
 infinite.net.au

  That would seem to be relevant.

 rlm_sql (sql): Released sql socket id: 4
   modcall[authorize]: module sql returns ok for request 0

  It's not an SQL problem.

 modcall: group authorize returns updated for request 0
 Sending Access-Request of id 1 to 210.9.75.200:1645
 User-Name = [EMAIL PROTECTED]

  It's proxying the request to another server.

  What part of that debug output was unclear?

  Alan DeKok.



Re: RE : eap/ttls

2003-12-08 Thread Alan DeKok
Arthur EBEL [EMAIL PROTECTED] wrote:
 I would like to know Where I can find the rlm_eap_ttls module and how to
 install it

  Grab the latest CVS snapshot.  Have you tried that?

 Have you got an idea how to mix eap ttls and ldap authentication ???

  You don't need to do anything special.

  Alan DeKok.



Re: time session

2003-12-08 Thread Alan DeKok
Andrés de Barros [EMAIL PROTECTED] wrote:
 I need to do connections with predetermined times, e.g. one hour.
 Is it possible with radius?

  Yes.

 Have some examples.

  Read 'radiusd.conf'.  Look for the 'counter' module.

  Alan DeKok.



Re: Wireless 802.1x using MS-CHAPv2 WinXP

2003-12-08 Thread Alan DeKok
Justin Bailey [EMAIL PROTECTED] wrote:
 I made the suggested changes.  Now when attempting to startup FreeRADIUS
 in debugging mode I receive the message:
 
 Rlm_eap: Unable to load EAP-Type/PEAP, as EAP-Type/TLS is required
 first.
 
 I assume this means I have to set up TLS.

  Yes.

 Is there an easy way to do
 this...it appears I need a certificate?  I'm sure it can't be too
 difficult.  Is there a good howto on doing this, or can someone step me
 through it?

  There are a few howto's on http://www.freeradius.org/doc/

  There's a Perl script in the distribution: scripts/CA.all which can
be used to generate certificates.

  Alan DeKok.



Re: rlm_sql and huntgroups

2003-12-08 Thread Alan DeKok
Bart Van Daal [EMAIL PROTECTED] wrote:
 is this a problem with hunt-groups or 
 with all other check items in the
 mysql radgroupcheck table?

  It's a problem just with huntgroups.  See the list archives for a
description of the problem, and the solution.

  Alan DeKok.



Re: Help with ldap and pap

2003-12-08 Thread Alan DeKok
Rick Whitley [EMAIL PROTECTED] wrote:
 I am running freeradius snapshot 20030922. I need to get pap working
 with ldap. How do I set the password attribute for pap? Where do I look
 in the docs to provide this info? 

  doc/rlm_ldap should be a place to start.

 users:
 
 DEFAULT   Auth-Type := pap

  Don't do that.

 rad_recv: Access-Request packet from host 10.5.50.115:1645, id=164,
 length=126
...
 EAP-Message = 0x0201000c01696e7374616c6c

  EAP messages don't contain PAP passwords.  So setting Auth-Type :=
PAP won't work.




Re: Help with ldap and pap

2003-12-08 Thread Alan DeKok
arg sent previous message too soon

 modcall: group authorize returns ok
   rad_check_password:  Found Auth-Type pap
 auth: type PAP
 modcall: entering group authtype
 rlm_pap: Attribute Password is required for authentication.
   modcall[authenticate]: module pap returns invalid
 modcall: group authtype returns invalid
 auth: Failed to validate the user.

  See?  That won't work.

  Why don't you try authenticating the user *without* editing the
users file, to see if it works?  Odds are that once you point the
server to an LDAP database, then PAP, EAP, and everything else will
work automatically.

 Alan DeKok.



Re: Help with ldap and pap

2003-12-08 Thread Alan DeKok
Rick Whitley [EMAIL PROTECTED] wrote:
 Thanks for the info...should I comment out the eap module in radiusd?

  Huh?  Can you explain to me why you would think that was necessary?

  Your client is sending EAP packets.  How are you going to
authenticate them, if you don't use the EAP module?

  Alan DeKok.



Re: Help with ldap and pap

2003-12-08 Thread Alan DeKok
Rick Whitley [EMAIL PROTECTED] wrote:
 Please forgive my ignorance here. There is much about this I do not
 understand. I am using the AlfaAriss client.

  Please pick a subject, ONE subject, and stick to it.  Also, if
you're not going to answer my questions, there isn't much incentive
for me to help you, is there?

  If it is sending eap packets and those packets do not contain a
 pap password does that mean I can't use pap? Should I consider
 another method?

  It means that what I told you was correct.  Now go do as I said, and
stop asking irrelevant questions.  Instead, *educate* yourself as to
what's going on.  Buy the RADIUS book.  Read all of the documentation,
and all of the comments in 'radiusd.conf' before asking more
questions.

  Also, describe *problems*, not *solutions*.  You're stuck on PAP
because you don't know how the server works.  Stop trying to figure
out how to use PAP to solve a problem you don't understand.


  If you configure the LDAP module to pull a password out of an LDAP
database for a user, then almost all of the authentication methods in
the server will work AUTOMATICALLY.

  Alan DeKok.




Re: SOLVED?! ( was Re: BUG?! (was Re: date type attribute not added to accounting request using attr_rewrite)

2003-12-07 Thread Alan DeKok
Paul Sijben [EMAIL PROTECTED] wrote:
 I found now WHY a change in attr_rewrite when used in pre-Proxy does not
 work. It operates on request-packet rather than request-proxy.

  That should be fixed.

 Now the question is which ought to be fixed; the call to pre-proxy in
 procy.c 

  Absolutely not.  I don't know what you would change there, or why.

or the pre-proxy chain that uses standard calls to operate on
 the request?

  I don't know what you mean by that, either.

  You said the module doesn't do what you expect.  Why not change the
module?

  The configuration for the module currently allows it to search in
the 'packet', 'config', or 'reply'.  Why not add 'proxy' and 'proxy_reply'
to that list?

  Alan DeKok.



Re: Automatically proxy?

2003-12-06 Thread Alan DeKok
Gary Algier [EMAIL PROTECTED] wrote:
 I am trying to figure out how to automatically proxy based upon criteria
 in the users file.

  Use the Proxy-To-Realm attribute:

bob   Proxy-To-Realm := "realm"


 I can see how I can check the NAS-IP-Address, but then
 I don't know how to control where the actual auth gets
 done.

  Don't use NAS-IP-Address.  It can lie.  Use Client-IP-Address.

 In case you are wondering, the other radius server is a
 SecureID ACE server.  I want to use a FreeRadius server as
 a frontend for better control and accounting.

  <g>  Of course.

  Alan DeKok.



Re: rebind ldap authentication with chap?

2003-12-06 Thread Alan DeKok
Entelin [EMAIL PROTECTED] wrote:
 It's using CHAP, I have read a bunch about all this and know
 that CHAP requires the passwords to be stored as plaintext. Indeed my
 configuration works fine if I change the ldap password to plaintext.
 However I would really rather not have all my passwords stored this way.

  Then don't use CHAP.

 All my users in ldap have perms to read themselves, is it possible to
 have freeradius to permit based on if a rebind as the user succeeds?

  Uh... the server already does that, if you set Auth-Type := LDAP.

 first freeradius binds as the admin and searches for the dn of the
 supplied uid. gets the dialupAllow attribute.
 
 then rebinds as the dn and password, if the bind is successful and the
 dialupAllow attribute exists then radius allows access.

  The server does that already.  Authorize, then authenticate.

 This behavior removes the stored encryption from the equation.

  No, because the password used to authenticate doesn't exist.  The
server only has a CHAP password, which the LDAP server won't accept.

  Looking at the debug info, it looks like that's what's happening when
 you do a radiustest (which works) on it anyway?

  Exactly.

  So what's the problem?  You've just described how you want the
server to work, which is exactly how the server currently works.

  If you want CHAP to work with LDAP, you MUST store the plain-text
password in LDAP, and then let the server use that to do the CHAP
authentication itself.  The LDAP module then does NOT authenticate the
user, and the user does NOT bind to the LDAP server.

  Stop trying to work around CHAP.  You can't.  It was designed to
require a plain-text password.

  Alan DeKok.

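Why CHAP needs the cleartext, as an added example that is not from the thread or the server's code: the RFC 1994 response is MD5 over the CHAP identifier, the password and the challenge, so whoever verifies it must hold the password itself, whereas a hashed LDAP userPassword ({SSHA} here) can only be checked against a cleartext candidate, such as a PAP password or an LDAP bind. Passwords, salt and challenge are constructed.

```python
import base64
import hashlib
import hmac
import os


def chap_response(chap_id, password, challenge):
    """RFC 1994 section 4.1: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(chap_password_attr, challenge, cleartext_password):
    """Server-side check of a RADIUS CHAP-Password attribute (1 byte id
    followed by the 16-byte response). The only way to validate it is to
    recompute it, and that recomputation needs the cleartext password."""
    if len(chap_password_attr) != 17:
        return False
    chap_id, response = chap_password_attr[0], chap_password_attr[1:]
    expected = chap_response(chap_id, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


def ssha_hash(password, salt=None):
    """LDAP-style {SSHA}: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored, candidate):
    """Verifying an {SSHA} value needs a cleartext candidate: the salt is
    recovered from the stored value and the hash recomputed. A CHAP
    response is a hash of a challenge, not a password, so there is nothing
    to feed in here; that is the gap the poster is trying to bridge."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:
        return False
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
```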


Re: rlm_ippool

2003-12-06 Thread Alan DeKok
Rodrigo A. Simões [EMAIL PROTECTED] wrote:
 The 2 pools are listed in pre-auth and accounting sessions...

  You mean post-auth...

 When the 1st pool is full, the rlm_ippool don't allocate any more ip's for my 
 customers...
 
 Any advice?

  Read doc/configurable_failover

  You've got to set it up in post-auth so that the first pool is
always used, and if it fails, then use the second pool.

  Alan DeKok.



Re: rlm_ippool

2003-12-06 Thread Alan DeKok
Rodrigo A. Simões [EMAIL PROTECTED] wrote:
  The 2 pool's will use the same DB files?

  Never.  They need separate databases.

 - I need to specify only 1 pool name on radgroupcheck?

  Hmm.. you may have to specify both.  I'm not sure.

  Alan DeKok.



Re: WLAN + MD5

2003-12-05 Thread Alan DeKok
Sancho2k.net Lists [EMAIL PROTECTED] wrote:
 I realize the purpose of the list is not to assert correct or safe 
 methods of operating your infrastructure, but am I mistaken in saying 
 that EAP-MD5 in respects to WLAN authentication is not safe or 
 recommended compared to say, EAP-(T)TLS?

  Yes.  Read 'radiusd.conf'

  However, the server has to have additional things configured to use
TLS or TTLS.  Therefore they are not enabled by default.

  Once TLS & TTLS are configured by the admin, any client which
requests them can use them.

  Alan DeKok.



Re: pam_end patch

2003-12-05 Thread Alan DeKok
max [EMAIL PROTECTED] wrote:
 looking into rlm_pam, I noticed that pam_end is always called with the
 result_code = PAM_SUCCESS, even when user is not authenticated. This is
 a mistake when a pam module uses some internal data via the
 pam_set_data/pam_get_data calls.

  Ah... that does help.

 in attach there's a patch to solve the problem

  Applied, thanks.

  Alan DeKok.



Re: Problems while setting up PEAP

2003-12-05 Thread Alan DeKok
Rink Springer [EMAIL PROTECTED] wrote:
 Yes, it works now! Wonderful!

  OK, we'll try to have a fix today or tomorrow.

 However, a small thing remains: The Edimax access point seems to
 reauthenticate itself every now and then, and I lose my wireless
 connection then. Does anyone have a clue why that is and how to
 resolve it?

  The *AP* reauthenticates itself?  Or the *wireless client*
re-authenticates itself?

  You can send a Session-Timeout attribute back to the AP, which will
then make it tell the client to re-authenticate itself...  So send a
Session-Timeout with some large value, and the client should be
connected for long periods of time.

  Alan DeKok.



Re: Maximum Simultaneous accounting sessions ??

2003-12-05 Thread Alan DeKok
Arda Açıl [EMAIL PROTECTED] wrote:
 I wonder about the capacity of freeRadius server.. Like If I want to log
 like 1000+ calls same time, can  a freeRadius server handle such a load ? 

  It doesn't get them *quite* at the same time.  But people have
measured the server running at hundreds of requests per second, when
logging to SQL.  If you're not using SQL, that may go up even more.

 What is the limit of a freeRadius server for accounting voip calls etc.. 

  CPU and memory.  The server can record as many simultaneous calls as
you can store in a database.

  Alan DeKok.



Re: Replacing User-Name Attribute

2003-12-05 Thread Alan DeKok
Samuel Hill [EMAIL PROTECTED] wrote:
 In the detail files the User-Name shows up as the entire non stripped
 user name. I need the User-Name field to show up as the
 Stripped-User-Name instead.
 
 How can this be done?

  Read sql.conf.

  Alan DeKok.



Re: Proxy Setup

2003-12-05 Thread Alan DeKok
Anson Rinesmith [EMAIL PROTECTED] wrote:
 to my proxy.conf file. It still tries to authenticate locally. I was told
 not to put anything in my realms file.
 
 What am I missing?

  Read the output of radiusd -X.  It will tell you WHY it is, or is
not, proxying. 

  Alan DeKok.



Re: Replacing User-Name Attribute

2003-12-05 Thread Alan DeKok
Samuel Hill [EMAIL PROTECTED] wrote:
 How does sql.conf help me?

  Ah, sorry... I thought your question was about sql.

 The detail file for attribute User-Name is the non-stripped username.
 I want to have that field state the stripped username.

  The answer pretty much is you can't.  The detail file logs requests
as-is.  If there's a Stripped-User-Name in a particular entry, then
you can set up your log parser to use that.  If there isn't a
Stripped-User-Name, then the user name wasn't stripped.

  If you really care, you can write a 'sed' script to delete the lines
containing User-Name, and rename Stripped-User-Name to User-Name.

  Alan DeKok.



Re: FreeRadius and SAMBA

2003-12-04 Thread Alan DeKok
Chris Parker [EMAIL PROTECTED] wrote:
 Is it possible to have FreeRadius authenticate against a SAMBA 3.x
 implementation?
 
 rlm_smb ?  I don't know how widely used this module is, but it should
 do what you are looking for.

  Don't use the version from 0.9.3.  It suffers from the same bug as
pam_smb.  Use the latest CVS snapshot, instead.

  Alan DeKok.



Re: Freeradius and IPASS

2003-12-04 Thread Alan DeKok
Bart Van Daal [EMAIL PROTECTED] wrote:
 just a small question: 
 Do I need to configure anything special to proxy to an Ipass netserver?

  Read 'radiusd.conf'.  Look for the word IPASS

  Alan DeKok.



Re: filtering attributes in proxy

2003-12-04 Thread Alan DeKok
denz [EMAIL PROTECTED] wrote:
 but when I start the server I get this message at the end, and server
 exits.
 
 Module: Instantiated attr_filter (attr_filter)
 radiusd.conf: attr_filter modules aren't allowed in 'pre-proxy'
 sections -- they have no such method.

  <shrug>  Edit the source code for attr_filter to include a pre-proxy
section.

  Alan DeKok.



Re: CheckPoint VPN authentication with FreeRADIUS

2003-12-04 Thread Alan DeKok
Daniel Garcia [EMAIL PROTECTED] wrote:
 I'm looking for some information about how to setup my user profile file
 into my FreeRADIUS Server (vers 0.9.1 running in a RedHat 7.2 box) to allow
 user authentication via CHECKPOINT VPN.

  What does the Checkpoint need?

 Could somebody tell me where I could find some example or configuration help
 about this. What kind of attributes may I use to do this ??

  I would suggest asking Checkpoint.

  Alan DeKok.



Re: Store state in self-made module?

2003-12-04 Thread Alan DeKok
Jon Arne Hegge [EMAIL PROTECTED] wrote:
 The post-auth stage looks
 sufficient for what this module is going to do. But I'm in need of some
 information regarding the contents of the REQUEST when in this stage. I
 would like to have more information available than just
 username/password, more specific the Calling-Station-Id.

  It's already there.  Look at the source code for the other modules
to see how they access attributes in the REQUEST data structure.

 Do I need to handle persistent state in my module to accomplish
 this? (e.g store Auth-Req's packets and compare those in the
 post-auth stage).

  No.  Absolutely not.

   Alan DeKok.


Re: eap/ttls

2003-12-04 Thread Alan DeKok
David L Wolford [EMAIL PROTECTED] wrote:
 rlm_eap: Failed to link EAP-Type/ttls: file not found
 radiusd.conf[606]: eap: Module instantiation failed.
 
 In addition to removing the comments for ttls what other steps must be
 taken to enable eap/ttls?

  You've got to install the rlm_eap_ttls module.  It should do that,
though...

  Alan DeKok.


Re: Patch for Sybase driver under freeradius

2003-12-04 Thread Alan DeKok
Hindrik Buining [EMAIL PROTECTED] wrote:
 While running freeradius with a sybase backend, I've found a few errors:
...
 Below is a patch to fix these problems.

  Ok.  Please submit a patch for each separate change, so we can see
what the changes are.

  Also, please read 'doc/DIFFS' for instructions on patch format.
Your mailer re-formatted the whitespace in the patch, making it
useless.

  Alan DeKok.


Re: Freeradius-0.9.3 and Digest-MD5 Authentication

2003-12-04 Thread Alan DeKok
Shoujit Mitra [EMAIL PROTECTED] wrote:
 I have a question regarding the implementation of Digest-MD5 authentication 
 protocol as defined in 'expired' draft draft-sterman-aaa-sip-00.txt
 As per the everything seems to be perfect other than step-4 in the below
 sequence diagram.
...

  I would suggest asking the draft authors.

 4. Issue:
At step-4, FreeRADIUS Server sends an Access-Accept packet to RADIUS Client,
without the Digest-Authentication Response.

  Which is what the draft says to do, and which is what works with the
Cisco SIP servers which use this protocol.

As per RFC2831: Using Digest Authentication as a SASL Mechanism
 
RADIUS Server should send a message formatted as follows:
response-auth = rspauth = response-value

  Absolutely not.  RFC 2831 says nothing at all about RADIUS.

 Question:
 1. Hope my understanding of the flow of messages/data is correct.
If not please correct me.

  It looks fine to me.

 2. If the above flow is correct, are there any plans to make the Digest-Md5
authentication compliant to rfc2831?

  Why?  It's compliant to the Sterman draft, not to RFC 2831.  If the
Sterman draft isn't compliant to RFC 2831, then I suggest emailing the
authors of that draft, and asking them about it.

  Alan DeKok.


Re: Restricting Subnet Access

2003-12-04 Thread Alan DeKok
Frank Everitt [EMAIL PROTECTED] wrote:
   I'm new to this list as well as freeradius. I've installed 0.9.3 and 
 have been trying to figure out how to restrict access to various framed 
 networks. I was led to believe that freeradius was capable of doing 
 this but I haven't found anything about this capability in the docs nor 
 scripts.

  Read raddb/clients.conf, there's an example of using CIDR notation
for clients.

  Alan DeKok.


Re: Problems while setting up PEAP

2003-12-04 Thread Alan DeKok
Rink Springer [EMAIL PROTECTED] wrote:
 I'm trying to set up FreeRADIUS (I used the 2003-12-03 snapshot) with PEAP/TLS
 for a Windows XP Service Pack 1 machine using EAP-MSCHAPv2. My certificates
 were generated using OpenSSL 0.9.7c (30 Sep 2003).

  I think there was a change yesterday to the TLS module which may
have broken PEAP.  If you can do CVS, try grabbing the 1.19 version of
src/modules/rlm_eap/types/rlm_eap_tls/eap_tls.c, and re-building that
module.  It may work then.

  If that's the problem, we hope to have it fixed in a day or so.

  Alan DeKok.


Re: FreeRadius and SAMBA

2003-12-04 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Thanks for the help! Should I grab the whole snapshot or just rlm_smb?

  Grab rlm_smb.  It should still build under 0.9.3.

  Alan DeKok.


Re: Freeradius-0.9.3 and chap

2003-12-03 Thread Alan DeKok
Leonard Childers [EMAIL PROTECTED] wrote:
 Tue Dec  2 13:14:23 2003 : Auth: rlm_unix: Attribute User-Password is required for 
 authentication.  Cannot use CHAP-Password.
...
 Here is the debug file. I know it has to be something simple that I am 
 overlooking.

  The FAQ.  Go read it.

  Alan DeKok.


Re: Radwho

2003-12-03 Thread Alan DeKok
José Berenguer [EMAIL PROTECTED] wrote:
 I want to have a graph of simultaneous users with FreeRadius.
 I know it can be done with radwho and MRTG, but I don't know how to
 configure
 FreeRadius to maintain an active session database

  FreeRADIUS does this already.  That's what radwho uses.

  Alan DeKok.


Re: MS-CHAPv2 + MySQL + group authtype failure

2003-12-03 Thread Alan DeKok
Josh Howlett [EMAIL PROTECTED] wrote:
 Thanks, this will make life a bit easier. Thanks also for helping Elliot
 out. This thread was started while I was out of the office, so I wasn't
 able to cut in and help Elliot myself.

  You're welcome.

 Would you mind naming it dictionary.university_of_bristol on the basis
 that the official IANA vendor code calls it this? I'll also be updating
 my documentation to include FreeRADIUS info, as well as spit IAS.

  It's dictionary.bristol now.  I can change it, but I don't see
a huge reason to do so.  (i.e. I'm lazy...)

  Alan DeKok.
