2011/11/10 Phil Mayers <[email protected]>
> On 10/11/11 08:15, Alejandro Gandara wrote:
>
>> Hi Alan,
>>
>> Thanks for your answers and excuse me for my english fill of mistakes.
>>
>> 2011/11/10 Alan DeKok <[email protected]
>> <mailto:aland@deployingradius.**com <[email protected]>>>
>>
>>
>> Alejandro Gandara wrote:
>> > I'm authenticating users in RADIUS against LDAP, if I login from
>> > computer with 802.1x configured and users and password taken from
>> domain
>> > automatic. Im getting wrong authenticated because the login has the
>> > following chain.
>> >
>> > DOMAIN\\Users
>> >
>> > How can i avoid that radius read the prefix?
>>
>> You should be able to authenticate using just the user name, using
>> ntlm_auth. See the examples in raddb/modules/ntlm_auth
>>
>>
>> Im reading about it. Thanks for this information.
>>
>>
>> > I've tried to introduce the option prefix in
>> /etc/sites-enable/default ,
>> > but its getting me back errors because of wrong way to introduce
>> that line.
>>
>> Yes. Don't define a realm. It won't work.
>>
>> Post the debug output. That helps, too.
>>
>>
>> This is my debug output:
>>
>> rad_recv: Access-Request packet from host 172.20.40.28 port 1025,
>> id=112, length=218
>> Framed-MTU = 1480
>> NAS-IP-Address = 172.20.40.28
>> NAS-Identifier = "SW-INT-1-3"
>> User-Name = "PRIVATE\\usertest"
>>
>
> Have you edited this debug?
>
>
> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> NAS-Port = 32
>> NAS-Port-Type = Ethernet
>> NAS-Port-Id = "32"
>> Called-Station-Id = "f0-62-81-05-33-40"
>> Calling-Station-Id = "f0-4d-a2-bc-77-cd"
>> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
>> Tunnel-Type:0 = VLAN
>> Tunnel-Medium-Type:0 = IEEE-802
>> Tunnel-Private-Group-Id:0 = "1"
>> EAP-Message = 0x020a0012014f50544152455c6272**6f75636f
>>
>
> This decodes as:
>
> \x02\n\x00\x12\x01OPTARE\\**brouco
>
> Message-Authenticator = 0x055981a2c542df52f4c292042c89**a019
>>
>> Found Auth-Type = EAP
>> # Executing group from file /etc/freeradius/sites-enabled/**default
>> +- entering group authenticate {...}
>> *[eap] Identity does not match User-Name, setting from EAP Identity.*
>>
>
> This claims MSCHAP and Radius username don't match.
>
> Did you edit the debug?
>
> Don't do that.
>
Ok sorry
>
> Please provide a full debug, like so:
>
> radiusd -X | tee log.txt
> # run a test auth
> # ctrl+c
> # email log.txt
>
> I've attached it
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/**
> list/users.html <http://www.freeradius.org/list/users.html>
>
FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010 at
20:41:03
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client 172.20.40.27 {
require_message_authenticator = no
secret = "choptare"
shortname = "privradius"
nastype = "other"
}
client 172.20.40.28 {
require_message_authenticator = no
secret = "choptare"
shortname = "privradius"
nastype = "other"
}
client 172.20.40.11 {
require_message_authenticator = no
secret = "choptare"
shortname = "privradius"
nastype = "other"
}
client 172.20.52.210 {
require_message_authenticator = no
secret = "choptare"
shortname = "OpenVpn"
nastype = "other"
}
client 127.0.0.1 {
require_message_authenticator = no
secret = "choptare"
shortname = "openvpn"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
}
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
ldap {
server = "172.20.52.206"
port = 389
password = "Lpp1LdC"
identity = "cn=admin,dc=optare,dc=loc"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "dc=optare,dc=loc"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=posixAccount)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "radiusGroupName"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = no
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP roomNumber mapped to RADIUS Pool-Name
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x9472708
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = yes
}
Module: Checking authorize {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Linked to module rlm_ippool
Module: Instantiating module "infraestructuras" from file
/etc/freeradius/modules/ippool
ippool infraestructuras {
session-db = "/etc/freeradius/ips/db.ippoolinfra"
ip-index = "/etc/freeradius/ips/db.ipindexinfra"
key = "%{NAS-IP-Address} %{NAS-Port}"
range-start = 10.1.0.8
range-stop = 10.1.0.90
netmask = 255.255.255.0
cache-size = 800
override = yes
maximum-timeout = 0
}
Module: Instantiating module "pruebas" from file /etc/freeradius/modules/ippool
ippool pruebas {
session-db = "/etc/freeradius/ips/db.ippoolpruebas"
ip-index = "/etc/freeradius/ips/db.ipindexpruebas"
key = "%{NAS-IP-Address} %{NAS-Port}"
range-start = 10.92.0.5
range-stop = 10.92.0.6
netmask = 255.255.255.0
cache-size = 800
override = no
maximum-timeout = 0
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_challenge {
attrsfile = "/etc/freeradius/attrs.access_challenge"
key = "%{User-Name}"
}
Module: Linked to module rlm_always
Module: Instantiating module "handled" from file /etc/freeradius/modules/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = yes
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/freeradius/modules/acct_unique
acct_unique {
key = "Stripped-User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 172.20.52.206
port = 1812
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address 172.20.52.206 port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address 172.20.52.206 port 1814
Ready to process requests.
rad_recv: Accounting-Request packet from host 172.20.40.11 port 1024, id=20,
length=152
Acct-Session-Id = "006100000002"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
NAS-Port = 29
Calling-Station-Id = "F0-4D-A2-BC-77-CD"
Service-Type = Framed-User
NAS-IP-Address = 172.20.40.11
NAS-Identifier = "SW-Priv-1-1"
User-Name = "brouco"
Acct-Terminate-Cause = Port-Disabled
Acct-Session-Time = 16256
Acct-Input-Gigawords = 5
Acct-Input-Octets = 1569354110
Acct-Output-Octets = 322266472
Acct-Input-Packets = 15345930
Acct-Output-Packets = 1837442
# Executing section preacct from file /etc/freeradius/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute Stripped-User-Name was not found in request,
unique ID MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address =
172.20.40.11,NAS-IP-Address = 172.20.40.11,Acct-Session-Id = "006100000002",'
[acct_unique] Acct-Unique-Session-ID = "7e202597946994b0".
++[acct_unique] returns ok
# Executing section accounting from file /etc/freeradius/sites-enabled/default
+- entering group accounting {...}
[detail] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/freeradius/radacct/172.20.40.11/detail-20111110
[detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/freeradius/radacct/172.20.40.11/detail-20111110
[detail] expand: %t -> Thu Nov 10 13:57:00 2011
++[detail] returns ok
[radutmp] expand: /var/log/freeradius/radutmp ->
/var/log/freeradius/radutmp
[radutmp] expand: %{User-Name} -> brouco
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> brouco
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 20 to 172.20.40.11 port 1024
Finished request 0.
Cleaning up request 0 ID 20 with timestamp +82
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21,
length=218
Framed-MTU = 1480
NAS-IP-Address = 172.20.40.11
NAS-Identifier = "SW-Priv-1-1"
User-Name = "OPTARE\\brouco"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 29
NAS-Port-Type = Ethernet
NAS-Port-Id = "29"
Called-Station-Id = "f0-62-81-04-4e-00"
Calling-Station-Id = "f0-4d-a2-bc-77-cd"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "2"
EAP-Message = 0x020f0012014f50544152455c62726f75636f
Message-Authenticator = 0x8ef331884bd83e6cfa61f9eaf29ea9a7
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
++[digest] returns noop
[ldap] performing user authorization for brouco
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> brouco
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=brouco)
[ldap] expand: dc=optare,dc=loc -> dc=optare,dc=loc
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 172.20.52.206:389, authentication 0
[ldap] bind as cn=admin,dc=optare,dc=loc/Lpp1LdC to 172.20.52.206:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=optare,dc=loc, with filter (uid=brouco)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] roomNumber -> Pool-Name == "infraestructuras"
[ldap] sambaNtPassword -> NT-Password ==
0x3245334230434533423046383434414238374145393237384141453730393331
[ldap] looking for reply items in directory...
[ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "01"
[ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
[ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] radiusFramedIPAddress -> Framed-IP-Address = 192.45.51.9
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user brouco authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] EAP packet type response id 15 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [brouco/<via Auth-Type = EAP>] (from client privradius port 29
cli f0-4d-a2-bc-77-cd)
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform
requested action.
# Executing group from file /etc/freeradius/sites-enabled/default
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 21 to 172.20.40.11 port 1025
Tunnel-Private-Group-Id:0 = "01"
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Framed-IP-Address = 192.45.51.9
Waking up in 4.9 seconds.
Cleaning up request 1 ID 21 with timestamp +97
Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
