Re: 0.2 Remaining Bug

2001-08-01 Thread Chris Parker

At 12:24 PM 8/1/2001 -0400, [EMAIL PROTECTED] wrote:
VISP Systems Administration [EMAIL PROTECTED] wrote:
  Excellent release.  I do notice one item we discussed earlier when I was
  running 0.1 regarding the tons of duplicate Accounting requests while
  proxying.

  sample line:
  DATE: Info: Accounting: login: entry for NAS nasname.foo.bar port 51 duplicate

  The patch Chris Parker posted does a good job eliminating most of the
  duplicate Info logs requests in radius.log, but it is not implemented
  in 0.2.

   OK...

  ---  BEGIN PATCH -
  the 'acct.c' file:
 
  Change:
  if(pairfind(request-config_items, PW_PROXY_TO_REALM)) {
  To:
  if((!request-proxy)  pairfind(request-config_items, 
 PW_PROXY_TO_REALM)) {
  ---  END PATCH -
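
Review bot: The 'To:' condition cannot be applied as archived: `request-proxy` and `request-config_items` have presumably lost their member-access operators, and nothing joins `(!request-proxy)` to the `pairfind(...)` call. Please repost this as a unified diff against acct.c with context lines, so that both the exact condition and which `if` in the file is being changed are unambiguous. A short comment on the new `request-proxy` test would also help, saying why a request that already carries proxy state must skip this branch, since the message ties the change only to the duplicate log line.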

   I'm not sure I agree with that.  The patch posted earlier this week
appeared to be a bit better.

I hadn't committed anything as I wasn't satisfied with the fix.  I posted
it so that people could try it, but I'm still looking to find a cleaner
way to fix the problem.

   That is, the preacct AND the accounting sections should be
executed for all modules, even if the packet is about to be proxied.
This allows the server to log the accounting information, EVEN IF it
never sees a proxied reply.

   If the accounting packet is NOT proxied, OR we've seen an accounting
reply from the end server, THEN and ONLY THEN should the server
respond with an accounting response packet to the NAS.

One issue I have with this, is that this can put a load on the NAS if
for some reason the end-radius is not responding.  Given my situation,
where we proxy accounting for 2200 realms to 1000 ISP's, not sending
a reply to accounting ( full disk, misconfigured server, etc. ).

My opinion is that the NAS should be replied to once the record has
been stored locally.  Then the server should retry to send the accounting
packet to the remote server a configurable number of times before
dropping the packet.

Otherwise, if a large customer is having problems with their accounting
server and not replying we've just increased the load on our proxies
*and* on our NAS as both will retry.  I think it's cleaner to reply
to the NAS once the record is stored locally, so that if the end-radius
fails to respond the accounting server only has to retry.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Help needed setting up Ascend with Freeradius

2001-08-06 Thread Chris Parker

At 01:53 PM 8/6/2001 +0900, Watson wrote:
Hey everybody;

I am trying to migrate from ascend radius to Freeradius.  But, I'm having
a lot of problems getting my present users file to work.  I run a MAX 6000
and MAX 4000.  In the present users file there is a User-Service Attribute.
When I try to run radius with my present users file, it tells me that
User-Service is an invalid attribute.  So I edited dictionary.ascend and
replaced Attribute 6 which read Service-Type and changed it to
User-Service.  I'm not sure if that was the right move at all...

No.  Change your users file, not the dictionary.  It is very possible to
screw up the server if you make the wrong changes to the dictionary file.
It will also make it harder to perform future upgrades ( as you'll need to
make the same changes to the dictionary every time vs. changing your
users file once. )

 Anyways now freeradius dies with Unknown Attribute Service-Type.  My
question is..  Is there a simple way to migrate from Ascend Radius with the
User-Service Attribute to Freeradius.  I would appreciate any information
greatly.

Change your users file to match the attributes used by Freeradius ( which
are the standard names in the RFC's vs. Ascend's crufty names ).

-Chris



Re: authorization

2001-08-09 Thread Chris Parker

At 01:14 PM 8/9/2001 +0200, you wrote:
I want to enable the authorization.
I have done so on the NAS (still cisco), but cannot get authorized:

If I type a nonexistent login I get this:
Username: inexistant
Password:
% Access denied

If I type an existing one (with its right password ) I get :
Username: userrad
Password:
% Authorization failed.
(only if I type the right password else I get the Access denied message)

My users file contains just 1 entry:
userrad Auth-Type == Local, Password == testing
        Login-Service = Telnet,
        Login-TCP-Port = 23
Is this right?
Why doesn't it work?
I have set up my NAS with this option:
aaa authorization exec radius

You have not configured your cisco and radius server properly.  Please
search Google ( http://cisco.google.com/cisco ) for configuration examples.
Cisco has lots of docs with sample configs on their website.

-Chris



Re: DNIS authentication

2001-08-09 Thread Chris Parker

At 09:03 PM 8/9/2001 +0200, Thomas Jalsovsky wrote:

  Cisco (our Cisco AS5300) doesn't send Called-Station-ID attribute in the
  access request RADIUS packet, therefore you can't use it for auth.
 
  Uhm, you certainly can.  If your telco sends you DNIS info the NAS will
  send it to you.  I'd confirm with your telco that they are sending DNIS
  info to you.
 
  I have 200 cisco's all happily sending Called-Station-ID, so it is
  definitely supported.  :)
 
  -Chris
I think it depends on the environment. I use AS5300 for VoIP and our TCL
script is in Cisco clid_col_npw_3. It doesn't send CLID in the auth request.
If I rewrite the script I CAN do auth with CLID in the way of: User-Name =
CLID, Password =  (or something what I want).

Well, see, it *is* sent.  It's just not a regular radius packet, as
it's VOIP auth.

p.s.: I sent a cisco_vsa_hack patch a couple of weeks ago. This patch went to
/dev/null or it is in a processing queue. Thanks.

It may have been lost in the shuffle.  Please repost it here and it'll
be reviewed.

-Chris



Re[2]: Exec-Program[-Wait] for Accounting-Request

2001-08-16 Thread Chris Parker

At 01:02 AM 8/17/2001 +0600, you wrote:

  How can I execute some external program on Accounting-Request?
 
  adding lines like
  ...
  to raddb/acct_users does not work.
 
  There is no radius_exec_program() call after PW_ACCOUNTING_REQUEST
  received in sources. Only after PW_AUTHENTICATION_REQUEST.

That's definitely a bug.  Just a second, and I'll go poke at the
  code.

Thank you!

When can I download the patched sources?

Run CVS and 'cvs update -A -d', or wait for the nightly tarball to
be created and download it tomorrow.

I recommend the CVS option, and there are easy to follow instructions at:

http://www.freeradius.org/development.html

-Chris



Re: Advice on a RAS

2001-08-17 Thread Chris Parker

At 11:15 AM 8/17/2001 +1000, you wrote:

Hello,

I've been happily using FreeRadius for a little over a month now and
it's been working great.  Great job to you developers, and thank you.

We're a small operation way out here, and currently we only have 3 dial
in lines.  These have just been served from standard serial port
connections to standard modems on  a machine running RH 7.0 w/
Portslave.  But now we're looking at the possibilities of expanding to 8
or 16+ dial in lines.  So I'm looking for advice on a RAS/NAS for
purchase to handle these dialup lines.  I've briefly investigated, and
found that Cisco has their 2500 line of Access Server Routers, which
looks like a standalone device for 4/8/16 serial lines.  I've also
looked at Digi's Acceleport RAS line, which looks like it would basically be
4/8 modems per card.  These would get plugged into a PC, and I'd run
Portslave on them, of course.  Any advice on which way to go with this
stuff, or better options.

I've always been partial to the Lucent/Livingston Portmaster line for
a small NAS setup.  It is now discontinued by Lucent, but it is/was
a solid product, IMHO.

The PM2/PM25 takes external modems ( IE, it has no internal modems ).

The PM3 has internal modems ( V.90 ) and terminates 2 T1/E1 PRI/CT1's.

You can find these used for very cheap on various ISP Equipment lists.

-Chris



Re: free radius only working in debug mode

2001-08-17 Thread Chris Parker

At 01:54 AM 8/17/2001 +, you wrote:


Hello,
I have just installed free radius on Solaris 8. The problem I am having is that
free radius will only authenticate in debug mode. If I start it like this
radiusd -xxyz -l stdout it works great. But when I start it like this
radiusd it starts OK but rejects all users. Has anyone seen this problem
before? I can post config's and debug outputs or logfiles etc. if needed.

Check the section of the 'radiusd.conf' file where you set the user and
group to run as.  You'll probably need to change that to 'root:root' if
it's not set that way already.

-Chris



Re: Problems with MAX3030 talking to Freeradius

2001-08-17 Thread Chris Parker

At 11:39 AM 8/17/2001 +0200, you wrote:
Hi,

  Ignorning request from unknown client 203.x.x.x:1025
This client is not listed in /etc/raddb/clients.

Actually that would be 'clients.conf', rather than just 'clients'.

'clients' is the old-style config file, which is supported, but is
not the preferred style.

-Chris




Re: Authentication

2001-08-22 Thread Chris Parker

At 09:49 PM 8/21/2001 -0500, you wrote:
Can free radius authenticate on a MAC address?
if so
will all of the auditing information be available?

It depends on what NAS you are using, and what you mean by 'authenticate
on a MAC address'.

I'm going to hazard a guess you are doing some type of wireless/dsl/broadband
type service.  I know of a few people who are using a radius backend to
authenticate users on that type of network, so I would say that in the
general case it is possible.  Not knowing your specific case, it's hard to
state with any certainty whether it will work.

Give it a try, you've got nothing to lose at this point.  :)

-Chris



Re: Configuration questions

2001-08-22 Thread Chris Parker

At 12:15 AM 8/22/2001 -0700, you wrote:

Greetings list members.

I am testing free radius currently and have a couple questions.

I use the LDAP module for authentication.  I have two realms, each on
separate DN's.  How can I have two separate ldap configurations?

You can declare them as two separate instances in the config file:

modules {
    ...
    ldap LDAPONE {
        server = server1.foobar.biz
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = "o=My Org,c=UA"
        filter = "(uid=%u)"
        ...
    }
    ldap LDAPTWO {
        server = server2.foobar.biz
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = "o=My Org,c=UA"
        filter = "(uid=%u)"
        ...
    }
    ...
}

Then call the modules as LDAPONE and LDAPTWO in the auth sections.  See
the SQL module examples on how to do multiple instances.


It would be neat to be able to specify ldap_realma { binddn= etc..} and
then ldap_realmb { binddn= etc..}, then do a fall through type of deal in
the authenticate block.   Is there current structure for this,
or do I need a second radius server/implementation to do this properly?

Read the docs, and look at the examples.  This is explained in intricate
detail in 'doc/configurable_failover'.

Secondly, do we have the ability to send attributes back to specific
radius clients?  I like to apply SMTP filters to NAS devices via
attributes such as 242, but this becomes difficult when you have some
ascend, cisco, portmaster, and cvx boxes on your network.

I need to be able to do attributes X for client A (or maybe client group
A?) and attributes N for client B.

I have a similar need, as cisco's and pm's require slightly different
syntax for 'Filter-ID' ( appending a .in to cisco's ).  For things other
than that, you can send attributes from other vendors, and they should
be ignored by other vendors.  However, not all vendors read the same
RFC apparently, so this may not be the case, but that's another rant.  :)

For now, there isn't a way to do what you want, but there is a need for
something similar, so have patience and it'll be there.

-Chris



Re: update and proxy

2001-08-22 Thread Chris Parker

At 03:45 AM 8/22/2001 -0400, you wrote:
Hello

I am new to this newsgroup and hope I don't ask any question that already
has been asked
i have searched the archive but did not find the answer
neither on the help files

the description of the product says when proxying it can add attributes to
request
how is that done ?
what do i  need to configure , what can be added ?

Any attribute you want.  See the standard users file, as well as the
'rlm_attr_filter' and 'rlm_attr_rewrite' modules, which selectively
modify radius packets.

The best way to find out is to download the server and run it.  :)

-Chris



RE: Dropping conflicting authentication packet

2001-08-22 Thread Chris Parker

At 12:40 PM 8/22/2001 -0700, Qinxue Chen wrote:
I used two kinds of RADIUS servers. With Merit 3.6B, the server accepts a lot
more traffic from the NAS servers. There is not a single complaint. With
freeradius (snapshot 08/20/01), we got a lot of Dropping conflicting
authentication packets messages but for only very limited test traffic. I
set hostname_lookup no. You mean the NAS servers keep using the same
sequence numbers or IDs for authentication packets, even though the requests
may come from different users? Then the way to get around it is not to check
the ID?

What did the debug show?

   o  Was the server replying to the request?

   o  Was the NAS resending duplicate requests before the server could reply?

   o  You aren't by chance, running on a secondary interface ip, are you?

-Chris




RE: Dropping conflicting authentication packet

2001-08-22 Thread Chris Parker

At 01:58 PM 8/22/2001 -0700, Qinxue Chen wrote:


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 
  Qinxue Chen [EMAIL PROTECTED] wrote:
What did the debug show?
   
  
   With debug on, I couldn't see errors at all.
 
And how long did the server take to reply?
 

Within milliseconds normally. Could the server have cached the IDs somehow?

   o  Was the server replying to the request?
  
   Definitely the newest request is dropped.
 
That is NOT an answer to the question.
 
 

Yes. In debug mode, the server will respond to each single request ( I
already ran it for about an hour). In normal mode, I would see the messages
almost every 5 minutes. I might use tcpdump to capture in normal mode to see
what's going on.

truss/strace ( depending on your flavor of *nix ), will probably work too,
I'd suggest strong use of grep as you'll get a *lot* of data.

If it works in debug, has issues in regular, check the permissions needed
to read the auth files.

-Chris



Re: Dropping conflicting authentication packet

2001-08-22 Thread Chris Parker

At 03:49 PM 8/22/2001 -0600, you wrote:
  If it works in debug, has issues in regular, check the permissions needed
  to read the auth files.

I'm seeing basically the same thing, but I don't believe it's a
permission problem.  The server does work in regular mode, it's only
after about 20 minutes it starts reporting Dropping conflicting
authentication packet.  When it does this it seems to be for every
possible ID 1 to 256, suggesting to me requests aren't getting freed
for some reason.  Yet, I've run in debug mode for up to an hour and
things are fine.

That sounds like a problem then.

Is this version 0.1, 0.2, or latest CVS?

-Chris



RE: Dropping conflicting authentication packet

2001-08-22 Thread Chris Parker

At 05:40 PM 8/22/2001 -0700, you wrote:

The problem seems to be that the new request has the same  request ID,
request code, source IP, source port, but different vectors (what's this?)
as one of the old requests.  From the problem I saw, it is not caused by the
NAS end. The freeradius didn't clear some old requests properly in the
buffer for whatever reasons. Some request IDs stayed for about several
hours. I am not quite sure about the whole process in the software. If Alan
or Chris could explain a little bit, it will be greatly appreciated.

It does sound that way.  I'm currently testing a version locally to see if
I can duplicate the error.

It sounds like a different execution path is being taken in debug mode
vs. normal mode for the request-list cleanup process.

I'll post my findings, but Alan may find something sooner.  :)

-Chris



RE: Dropping conflicting authentication packet

2001-08-23 Thread Chris Parker

At 10:19 AM 8/23/2001 -0700, you wrote:

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 
   Qinxue Chen [EMAIL PROTECTED] wrote:
   The problem seems to be that the new request has the same request ID,
   request code, source IP, source port, but different vectors (what's this?)
 
It means that the request is a new one, and different from the first
  one.
 
The RFC's specifically allow for this.
 
   as one of the old requests.  From the problem I saw, it is not caused by the
   NAS end. The freeradius didn't clear some old requests properly in the
   buffer for whatever reasons. Some request IDs stayed for about several
   hours. I am not quite sure about the whole process in the software. If Alan
   or Chris could explain a little bit, it will be greatly appreciated.
 
There's not much to say.  It looks like the server has a bug.
 

But in the software, the new requests are dropped. Yesterday I modified the
code (radiusd.c) a little. The whole else block for the error part was
removed. That means the new request would be added and processed. I ran it
the whole night without problems. I only worried about a possible memory leak.
I believed that some old requests were still in the request data. From my
tests with the change, memory usage was fine on the box.

The way to solve the problem cleanly is to identify two cases: 1) old
requests stayed for a long time in the request data. 2) server is not fast
enough to handle a request and a new request with the same id/code/ip/port
comes in. Case 1) can be caused by whatever reasons like threads die. For
case 1), a new request can replace the old one in the request data. For my
tests, all problems fall in case 1). For case 2), the possible solutions: a.
drop the new request b. use new request to replace the old request. From the
performance view, there is no difference between the two solutions.   Then
for both case 1) and 2), we can do the same thing: replace the old request
with the new one. What do you think?

No.  Read the RFC.  Understand how Authentication-Vector is used.  Your
case1 is correct, your case2 is handled.

The reason there is a problem is old requests are for some reason not
being cleared.  That's all there is, don't try and make it more complex,
it's a bug in the code, not a design flaw.

-Chris
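
The duplicate-versus-conflict decision this thread argues about, as an added example in C (not FreeRADIUS source and not code from any poster). It keys the request list on source IP, source port, code and ID, compares the 16-octet request vector, and shows how an unfinished entry that is never cleared turns every reuse of its ID into a dropped "conflicting" packet. The names `classify`, `mark_finished`, `max_age` and the table layout are assumptions for illustration, and the packets in `main` are constructed.

```c
/* Added example, not FreeRADIUS source. Names, table size and the
 * max_age parameter are assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VECTOR_LEN 16   /* RADIUS Request Authenticator: 16 octets */
#define SLOTS      32   /* assumed size of the in-memory request list */

enum verdict { NEW_REQUEST, DUPLICATE, CONFLICT_DROPPED, REPLACED_OLD, TABLE_FULL };

struct req {
    int      used;
    int      finished;            /* 1 once a reply has been sent */
    uint32_t ip;                  /* source address of the client (NAS or proxy) */
    uint16_t port;                /* source UDP port */
    uint8_t  code, id;            /* packet code and identifier */
    uint8_t  vector[VECTOR_LEN];  /* request vector from the packet header */
    long     received;            /* arrival time in seconds, given by the caller */
};

static struct req table[SLOTS];

void reset_table(void) { memset(table, 0, sizeof table); }

static struct req *lookup(uint32_t ip, uint16_t port, uint8_t code, uint8_t id)
{
    for (int i = 0; i < SLOTS; i++)
        if (table[i].used && table[i].ip == ip && table[i].port == port &&
            table[i].code == code && table[i].id == id)
            return &table[i];
    return NULL;
}

static void store(struct req *r, uint32_t ip, uint16_t port, uint8_t code,
                  uint8_t id, const uint8_t *vector, long now)
{
    r->used = 1; r->finished = 0;
    r->ip = ip; r->port = port; r->code = code; r->id = id;
    memcpy(r->vector, vector, VECTOR_LEN);
    r->received = now;
}

/* Mark the matching entry as answered; returns 1 if it was found. */
int mark_finished(uint32_t ip, uint16_t port, uint8_t code, uint8_t id)
{
    struct req *r = lookup(ip, port, code, id);
    if (!r) return 0;
    r->finished = 1;
    return 1;
}

/* Decide what to do with an incoming request.
 * max_age <= 0 means unfinished entries never expire, which reproduces
 * the symptom in the thread: a stuck entry blocks its ID indefinitely. */
enum verdict classify(uint32_t ip, uint16_t port, uint8_t code, uint8_t id,
                      const uint8_t *vector, long now, long max_age)
{
    struct req *old = lookup(ip, port, code, id);
    if (old) {
        /* Same key and same vector: the client retransmitted. */
        if (memcmp(old->vector, vector, VECTOR_LEN) == 0)
            return DUPLICATE;
        /* Same key, different vector: a new request reusing the ID. */
        int stale = max_age > 0 && now - old->received >= max_age;
        if (!old->finished && !stale)
            return CONFLICT_DROPPED;   /* old one still being worked on */
        store(old, ip, port, code, id, vector, now);
        return REPLACED_OLD;           /* old one answered or expired */
    }
    for (int i = 0; i < SLOTS; i++)
        if (!table[i].used) {
            store(&table[i], ip, port, code, id, vector, now);
            return NEW_REQUEST;
        }
    return TABLE_FULL;
}

int main(void)
{
    static const char *name[] = { "new", "duplicate", "conflict, dropped",
                                  "replaced old entry", "table full" };
    uint8_t a[VECTOR_LEN], b[VECTOR_LEN];   /* constructed request vectors */
    uint32_t nas = 0x0A000001;              /* constructed client 10.0.0.1 */
    memset(a, 0x11, sizeof a);
    memset(b, 0x22, sizeof b);

    reset_table();
    printf("t=0    id 9 vector a: %s\n", name[classify(nas, 1025, 1, 9, a, 0, 0)]);
    printf("t=7200 id 9 vector b, no expiry: %s\n",
           name[classify(nas, 1025, 1, 9, b, 7200, 0)]);
    printf("t=7200 id 9 vector b, 30 s expiry: %s\n",
           name[classify(nas, 1025, 1, 9, b, 7200, 30)]);
    return 0;
}
```
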



Re: 128bit Proxy-State Attribute

2001-09-05 Thread Chris Parker

At 11:20 AM 9/5/2001 -0700, [EMAIL PROTECTED] wrote:
Hello all,

I am curious if anyone has tested freeradius with a 128bit proxy attribute.
  Our upstream proxy requires us to be able to take and respond to the radius
requests with a 128bit proxy-state attribute.

Currently we are using Cistron 1.6.4 and this hasn't had any problems but
their techs have told me that any earlier versions of Cistron code were not
able to handle their proxy-state attribute.

I know that some older radius servers mangle the Proxy-State attribute
in violation of the RFC ( *cough*MERIT*cough* ), but you should find that
FreeRADIUS conforms to the RFC explicitly in returning the Proxy-State
attribute unmolested.

If Cistron 1.6.4 is safe, I very strongly suspect that FreeRADIUS will
be safe as well.

Of course, the only way to be 100% sure is to test it.  Your upstream
should be able to direct a test to a test installation on your network.

-Chris


Joe Modjeski
Systems Administrator
CommSpeed
[EMAIL PROTECTED]






Re: Problems with Solaris 8 and Cisco IOS 12.x

2001-09-05 Thread Chris Parker

At 12:07 PM 9/5/2001 -0600, you wrote:
Hi all
I'm having a weird problem, I just compiled version 0.2 of freeradius.
I filled in the users, radiusd.conf and other files.
On our NAS we set up the radius server; until that point all is fine.
But when we dialed in, neither unix users nor file users can log on to the NAS.
The term mon on the cisco revealed a failed decrypt message. We switched
from CHAP to PAP without success.

Can anybody give me some light?

What shows in the NAS error logs *exactly*.  Also, what does the
radius server show in the debug output?

Please quote error messages *exactly* as they are displayed, as otherwise
it is not possible to provide much assistance.

Off the top of my head, based on your vague description, I'd suggest
checking the shared secret and reading the 'doc/cisco' file.

-Chris



Re: trying to understand module counter?

2001-09-05 Thread Chris Parker

At 01:18 PM 9/5/2001 +0200, you wrote:

Hi all

We can do this in radiusd.conf

DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject

Actually, you put the DEFAULT into the 'users' file, but I think you
knew that.

What are the keywords that are supported?

What do you mean by this?  Can you expand your question?  There are
examples and an explanation in the comments for this module in the
'radiusd.conf' file.

Can we do   DEFAULT Total-Session-Time > 3600, Auth-Type = Reject?

Yes, please read the docs, it tells you what you can change in the
'radiusd.conf' file.

You would want something similar to:

 counter {
     filename = ${raddbdir}/db.counter
     key = User-Name
     count-attribute = Acct-Session-Time
     reset = monthly
     counter-name = Daily-Session-Time
     check-name = Total-Session-Time
     allowed-servicetype = Framed-User
     cache-size = 5000
 }

Give it a try, and test it, don't be afraid to change values.

-Chris



Re: garbage dirs in radacct

2001-09-05 Thread Chris Parker

At 12:33 AM 9/6/2001 +0430, you wrote:
My radius uses the default configuration for the location
of detail logs:

 radacctdir = ${logdir}/radacct
 detailfile = ${radacctdir}/%{Client-IP-Address}/detail

when i saw my radacctdir, surprisingly i found out that there
are many directories there that are not my clients:

[root@arian radacct]# ls
0.176.45.64 160.100.183.11  240.81.183.11  64.175.45.64   8.175.45.64
120.68.183.11   xxx.225.40.14   48.114.183.11  72.101.183.11
128.113.183.11  200.104.183.11  56.63.183.11   72.175.45.64

None of the above, except the one starting with xxx, is my client.
It seems something like a memory leak or bug. There is a details file
in each of the above dirs that contains 1 or more radius log entries for
our users. The interesting point is that the entries
in these detail files all contain correct information about the
nas ip address. That's because clients and nases are different things.
I'm using freeradius 0.2 on RH 7.1 but I had the same
problem with 0.1 on RH 6.1.

I know that a quick and dirty solution is to hard code my client's ip
address in radius.conf. That may work for me 'cause I have just one
client, but I don't know what to do if I decided to add more clients.
Is there any other variable that I can use instead of %{Client-IP-Address}
in my radius.conf

Client is the server that sent you the request.  You probably want
to use NAS-IP-Address if you want the records stored based on the
originating NAS.

Surprisingly enough, this exact fact is mentioned in the config file
right where you are talking about hardcoding:

 detail {
     #  Note that we do NOT use NAS-IP-Address here, as that
     #  attribute MAY BE from the originating NAS, and NOT
     #  from the proxy which actually sent us the request.
     #  The Client-IP-Address attribute is ALWAYS the address
     #  of the client which sent us the request.
     #
     detailfile = /usr/local/var/%{Client-IP-Address}/detail
     detailperm = 0600
 }

-Chris



Re: FreeRadius Questions

2001-09-10 Thread Chris Parker

At 09:27 AM 9/10/2001 -0600, Scott Miller wrote:
Hello all, I have recently subscribed to this group, and have been reading
and following the threads that have come in the past few days or so.  We are
thinking about bringing our radius servers in-house (currently outsourced)
and have a couple questions, if someone doesn't mind answering them.

1.  Will FreeRadius log accumulated minutes of use per user, and stick them
in a file somewhere for monthly downloading?

No, you'll need to use a log-parser, or better yet, store in an SQL table
and then you can generate all kinds of reports/outputs to analyze your
data.

2.  I have not looked at the front end or the GUI of FreeRadius yet, but is
it fairly simple to add/remove customers/users at will?

There is no GUI to FreeRADIUS.  It is configured via simple plain text
files.  Depending on your method for authenticating users ( from system
passwords, SQL, LDAP, others ) there are numerous ways to manage users,
but that is outside the scope of the Radius server.

3.  Do I need anything like MySQL installed on the server I plan on using,
or is FreeRadius basically self-contained?

For plain-text files, it is self contained.  If you want to use SQL or
LDAP or something else, you'll need to have that installed, but none of
those are *required* to make FreeRADIUS run.

-Chris



Re: works in debug mode, but not in regular mode

2001-09-13 Thread Chris Parker

At 11:06 PM 9/12/2001 -0600, Tim Monaghan wrote:
That's right, my freeradius works perfect in debug mode but not at all in
regular mode.

radiusd -x works, radiusd doesn't.

I'm authenticating (I'm an isp) via unix password.

Any thoughts?

First, don't send pretty messages.  Green looks like baby puke to me.

Second, yes, if it works in debug and it doesn't in non-debug, you need
to check the user/group that you have the server running under.  This
is configured near the top of the radiusd.conf file.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Archive? / MAX6000 interop.

2001-09-14 Thread Chris Parker

At 05:52 PM 9/14/2001 -0400, [EMAIL PROTECTED] wrote:

   There's probably a config flag in the Ascend NAS to allow it to
listen to VSA's.  See the archive from earlier this month for more
information.

There is indeed.  It is under Ethernet-Mod Config-Auth

At the bottom of the menu, change Auth-Compat from OLD to VSA

-Chris

--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: IP Pools

2001-10-01 Thread Chris Parker

At 10:34 AM 10/1/2001 +0100, you wrote:

Is there anyone out there working on a dynamic IP pool management function
for FreeRadius?

Can you explain what you are looking for?  Currently you can assign an
IP based on the NAS-Port for most general types of NAS.

I'm of the school that thinks dynamic IP pool management should be and is
best done on the NAS.  Trying to manage IP pools in RADIUS is very iffy
IMHO and prone to many more failure modes than I'm comfortable with.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: cisco config

2001-10-02 Thread Chris Parker

At 03:53 PM 10/1/2001 -0800, you wrote:
Can someone tell me which config file I need to edit to add the cisco 
configuration options listed in the docs/cisco file?  I read though the 
file, and it lists which configuration directives to use, but it doesn't 
say one word about which config file they go into.

What configuration options are you referring to?

The commands listed in the 'docs/cisco' file refer to the recommended
commands you will need to enter into your cisco NAS.  They are configured
the same way you would normally configure a cisco product ( IOS based,
anyway ).

There are no commands configured there that can be entered into the
FreeRADIUS config files.

Hope this helps,
-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: freeradius compile problem with ldap

2001-10-02 Thread Chris Parker

At 04:28 PM 10/2/2001 +0700, you wrote:
I want to use freeradius with ldap. I started the compile with this command:

#./configure --prefix=/usr/local/freeradius --with-gnu-ld --enable-static-modules --with-ldap --enable-ltdl-install  out
and the output is

configure: warning: the comm_err library isn't found!
configure: warning: silently not building rlm_krb5.
configure: warning: FAILURE: rlm_krb5 requires:  krb5.

That's not an issue unless you really want to use kerberos authentication.

configure: warning: silently not building rlm_ldap.
configure: warning: FAILURE: rlm_ldap requires:  libldap_r.

That is a bit of an issue, as you want to use ldap ( at least it looks
that way ).

What should I do about this problem? Or what option should I have in my
configure command?

Some more info is needed:

   o  What OS?  ( uname -a )

   o  Why are you disabling shared modules ( enable-static-module )?

   o  What does config.log show?

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Simultaneous-use: bug in documentation?

2001-10-02 Thread Chris Parker

At 03:52 PM 10/2/2001 +0200, you wrote:
Hello,

I can't get Simultaneous-Use working. I use portslave as NAS. I have
ctlportslave running as fingerd. checkrad perl script works fine when I run
it manually. But it is never run by freeradius. I think this is because I
don't understand the meaning of :=, == and = statements.

First, in /doc/Simultaneous-Use file I can see the following:

   For example:
 
   #
   # Simultaneous use restrictions.
   #
   DEFAULT Group = staff, Simultaneous-Use = 4
   Fall-Through = 1
   DEFAULT Group = business, Simultaneous-Use = 2
   Fall-Through = 1
   DEFAULT Simultaneous-Use = 1
   Fall-Through = 1

That is wrong, or rather, deprecated syntax.  It will be updated.

Second, in man 5 users I see:

Attribute = Value
 Not allowed as a check item.

This is correct.  A = V is deprecated.

Third, somewhere in the list I saw:

  If you use the users file, you
  would use ':=' for Simultaneous-Use and Login-Time

The 'users' file is the most up to date.  Use that syntax.

So, something in the documentation is incorrect. Can somebody tell me what
I should change in my users file to get the simultaneous logins limit working?

Use the sample syntax as seen in the 'users' file.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Simultaneous-Use = 1

2001-10-02 Thread Chris Parker

At 08:29 PM 10/2/2001 +0600, you wrote:
On Tue, Oct 02, 2001 at 01:46:38PM +0100, Sergey V. Sichevsky wrote:
  MHAH Simultaneous-Use and Login-Time does not work with rlm_sql modules
  MHAH without a minor change in source code.
  Can I define this parameter w/o changes in code?
  In ./etc/raddb/users for example? But I need auth* in sql.

That's what I said!

Simultaneous-Use works fine in /etc/raddb/users.  But it will not
work in sql.  To make it work in sql, you have to make the
changes I suggested.

No, don't.  Your changes fix the specific symptom you are experiencing,
but do not properly resolve the root cause.

There are patches pending that will add the functionality of allowing
you to specify the comparison operator in SQL tables.  This is the
correct way to fix the problem.

I believe this is slated for inclusion in the 0.3 release, and may even
exist in the latest CVS, which if you are not running, I'd suggest
upgrading to anyway.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Odd Make fatal error..

2001-10-04 Thread Chris Parker

At 02:10 PM 10/4/2001 -0400, you wrote:

Solaris 8...

ld: fatal: library -llber: not found
ld: fatal: library -lldap_r: not found
ld: fatal: File processing errors. No output written to
.libs/rlm_ldap.so.0.0.0
make[6]: *** [rlm_ldap.la] Error 1

Why is it not able to find those libraries? It says in the configure that
it sees them fine, right?

run these commands:

$ echo $LD_LIBRARY_PATH

$ find /usr -name '*lber*' -print
$ find /usr -name '*ldap*' -print

Most likely LD_LIBRARY_PATH isn't set correctly.

-Chris

--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Questions

2001-10-18 Thread Chris Parker

At 08:25 AM 10/18/2001 -0600, you wrote:
Does FreeRadius have some type of web-based interface that will allow us to
add and remove users easily?  Also, does it create a user's mailbox at the
same time?  I looked all over on the freeradius.org site, and found answers
to other questions, but not these two.

No, it does not, as that is outside the scope of RADIUS.

freeRadius is a radius server.  It is not a user/account management
suite.  For that, you may want to look at something like Webmin, which
is available at:

   http://www.webmin.com/webmin/

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Questions

2001-10-18 Thread Chris Parker

At 09:31 AM 10/18/2001 -0600, you wrote:
I do have webmin installed - so you are saying that it can be used to manage
the users?  Then do I need to have any type of DB installed to store the
user/pass or can it take them from the normal passwd file?

I don't know, I've not used webmin.  Try asking on the webmin mailing list?

Freeradius can authenticate from any of the methods listed at:

 http://www.freeradius.org/features.html

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: mysql size and performance radacct

2001-10-22 Thread Chris Parker

At 07:52 PM 10/22/2001 -0400, you wrote:
Hi all,

Not being a MySql guru, I figured I'd see if someone here had any thoughts
to this issue.

I'm developing freeradius with mysql support to replace our aging cistron
radius, which is currently logging accounting data to flat files.

Now I'm setting up freeradius with mysql support to handle my authentication
and accounting, but the more I think about it, the sheer size of the radacct
table gives me worries.

Looking at my old accounting log files, I figure the radacct table would
grow to about 25,000,000 rows in about a year time.  Can mysql handle this?

Yes.  We do more than that volume each month, to mysql.  :)  Rolling tables
monthly is also a good idea, rather than trying to keep it all in one huge
table.

Won't inserts and updates and selects start getting really slow?  Are there
any mysql table types I should be using for the radacct table?  Any kinds of
optimizations I will need to perform?  Any other cool database/mysql tricks
I could use?

MySQL with Innobase tables.  With innobase tables you get true row-level
locking ( meaning that concurrent inserts from a threaded server won't
block each other ), which is a huge step over table-level locking.  Innobase
tables are a much much different beast than the standard tables, but that's
probably straying off-topic for this list.  :)

Not to be tooting just one DB, postgres is probably worth taking a look
at.  There's a lot of people using it quite successfully.  I don't
have personal experience with that however.

What are solutions some of you out there have used to address this
situation?  I know there have to be others out there with as big or bigger
accounting tables.

I'd like to have a solution to this now, rather than wait 6 months after
deployment and have freeradius grind itself to a halt.

Thoughts?

Try mysql.  Try mysql with innobase tables.  Try postgres.  Run the same
benchmark on all of them, see which one performs better.  :)

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: CHAP Auth

2001-10-23 Thread Chris Parker

At 09:48 AM 10/23/2001 -0400, you wrote:
Is it possible to do CHAP authentication and PAP using the unix auth
module?  Currently it does not seem to support it.  I set up the NAS as an
ascend which in the ascend dictionary seems to support CHAP but it did
not fix the problem.

Any suggestions?

http://www.freeradius.org/faq/#4.4

Read the FAQ.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: CHAP Auth

2001-10-23 Thread Chris Parker

At 05:18 PM 10/23/2001 -0400, Russell Enderby wrote:
The FAQ says to do this:

 So, if you're using CHAP, for each user entry you must use:
 
 Auth-Type = Local, Password = stealme
 
 If you're using only PAP, you can get away with:
 
 Auth-Type = System

In the users file I changed the default line from
Auth-Type=System to
Auth-Type := Local, Password == stealme

and by doing this all users have to use 'stealme' as their password then to
authenticate.  Certainly this is not how CHAP protocol is supposed to work.  What
I need is to be able to do PAP and CHAP using the System to check the unix shadow
file for their password to authenticate correctly.

It seems this change does not do that.

Does anyone else know how to do this kind of authentication?

Read further.  You can't.  In order to do CHAP you *must* store the
passwords in plaintext locally in the users file ( or sql database ).

You *CANNOT* use CHAP authentication with encrypted system passwords.

Sorry, that's how CHAP was designed.

If you want to support both, you need to cater to the least common
denominator, and that's CHAP.

   PAP:  Works with encrypted and non-encrypted passwords.
   CHAP: Works with non-encrypted passwords.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'
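
The constraint described in the reply above, as an added example that is not FreeRADIUS code and not part of the original post: the CHAP response defined in RFC 1994 is an MD5 digest over the CHAP identifier, the secret and the challenge, so the server can only recompute it from the cleartext, while PAP hands the server the password and lets it hash that against a stored one-way value. The salted PBKDF2 routine is an assumed stand-in for crypt(3), and the salt is a constructed value; 'stealme' is the FAQ's sample password quoted above.

```python
import hashlib
import hmac
import os


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for crypt(3) in /etc/shadow (assumption: salted PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000)


def pap_check(received_password: bytes, stored_hash: bytes, salt: bytes) -> bool:
    """PAP delivers the password itself, so the server can hash it and compare."""
    candidate = one_way_hash(received_password, salt)
    return hmac.compare_digest(candidate, stored_hash)


def chap_check(chap_id: int, challenge: bytes, response: bytes,
               stored_secret: bytes) -> bool:
    """CHAP delivers only a digest. The server recomputes it from whatever it
    has stored, and that only matches when the stored value is the cleartext."""
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"stealme"                 # sample password from the quoted FAQ text
    salt = b"constructed-salt"            # constructed value
    shadow_hash = one_way_hash(password, salt)   # what a shadow-style store holds

    # The NAS issues a fresh challenge; the client answers using the cleartext.
    chap_id, challenge = 1, os.urandom(16)
    client_response = chap_response(chap_id, password, challenge)

    return {
        # PAP: the server hashes the received password and compares.
        "pap_against_hash": pap_check(password, shadow_hash, salt),
        # CHAP with the cleartext on file: the digest can be recomputed.
        "chap_against_cleartext": chap_check(chap_id, challenge,
                                             client_response, password),
        # CHAP with only the one-way hash on file: nothing to recompute from.
        "chap_against_hash": chap_check(chap_id, challenge,
                                        client_response, shadow_hash),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```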





Re: CHAP Auth

2001-10-24 Thread Chris Parker
 go and read the shadow
file and we send it down to the NAS and it needs to do a md5 encode on the
password handed to it by the user and again do a text compare of the two 
strings.

No.  Utterly wrong once again.

Go read the FAQ.  CHAP requires access to a plain text password, and
  you CANNOT use /etc/passwd, or /etc/shadow for CHAP authentication.
  Anyone who tells you different is lying.

Saying the same thing over and over gets you nowhere.

So does claiming you know how CHAP works when you obviously don't.

Go understand CHAP.  Try Google ( www.google.com ).  You can come back
when you can admit you were wrong about CHAP and stop arguing with everyone
that tells you you are wrong.

Goodbye, and good luck, my patience with you is at an end.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Errors Under High Load ( Including the Drop dup auth packet err)

2001-10-25 Thread Chris Parker

At 01:54 AM 10/25/2001 -0500, you wrote:

in the meanwhile, I noticed that the server was occasionally dying on sig
11's after having the hailstorm of drop dup auth packet error, so I turned
core dumping on, and maybe I'll be able to get a core file with some useful
info in it..

Yes please share it here if you do.  :)


--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





RE: Problems starting radiusd

2001-10-25 Thread Chris Parker

At 09:59 AM 10/25/2001 -0400, you wrote:
  Perhaps until we have a non-beta release, we should set the
  default option to allow coredumps, since right now the
  primary focus is on getting to a stable production-ready
  release.  Those who really are paranoid enough, can certainly
  disable coredumps.

Any ideas on what I can try to get this thing running again?  Tried
yesterday's CVS.  No dice :(

Try starting radiusd from GDB :

gdb radiusd

(gdb) run

Or, a little easier but a lot more verbose, run it with 'strace' ala:

'strace radiusd' and you'll see the system calls where it stops.

Start there and see if that sheds any more light on it.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





RE: Problems starting radiusd

2001-10-25 Thread Chris Parker

At 11:21 AM 10/25/2001 -0400, Jason Lixfeld wrote:
Here's everything from my radiusd.conf in the modules section:

This sets up the modules, doesn't mean they are all used.  What do
your authorize/authenticate sections look like?

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





RE: Problems starting radiusd

2001-10-26 Thread Chris Parker

At 11:01 AM 10/26/2001 -0400, you wrote:
Progress!

Thank you for the GDB info.  Half of my problem is I have no idea how to
run it!

Ok, attached is the gdb info from the latest CVS with the extra option
Alan told me to add into threads.c.

Please advise..

And here it is:

rad_recv: Access-Request packet from host 216.7.221.25:2082, id=0, length=44
 User-Name = test
 Password = \034\344b(--\215\355\000\200\256\256\311\342zt
modcall: entering group authorize

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 3674)]
0x40019f00 in rad_mangle () at eval.c:41
41  eval.c: No such file or directory.
 in eval.c

Now, the funny thing is, I cannot find 'eval.c' anywhere in the source.

I'd suggest nuking all of the 'rlm' libs installed on your system and
doing a full re-install.  I suspect you may have an older (and incompatible)
radius module lib somewhere.

rad_mangle() exists in 'src/modules/rlm_preprocess' in the current builds.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: WARNING: Unprintable characters in the password

2001-10-26 Thread Chris Parker

At 05:50 PM 10/26/2001 +, you wrote:
I can't authenticate a user with radius.
This is the parameter for user pippo:

pippo   Auth-Type = Local, Password = otto

try Auth-Type := Local

   WARNING: Unprintable characters in the password. ?  Double-check the
shared secret on the server and the NAS!

Pay attention to this warning, and follow what it is telling you.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'
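
Why a mismatched shared secret shows up as unprintable characters, as an added example that is not FreeRADIUS code and not part of the original post: RFC 2865 hides the PAP User-Password by XORing it with MD5(secret + Request Authenticator), chaining on the previous ciphertext block, so a server holding a different secret recovers noise instead of the password. The password 'otto' is the one in the message above; both secrets and the authenticator are constructed values.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: what the NAS puts in the User-Password attribute."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    blocks = max(1, -(-len(password) // 16))          # round up, at least one
    padded = password.ljust(blocks * 16, b"\x00")     # null-pad to 16-byte blocks
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block                                  # chain on the ciphertext
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does with its own copy of the shared secret."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")                      # drop the null padding


def looks_printable(password: bytes) -> bool:
    """The kind of sanity check behind an 'unprintable characters' warning."""
    return all(0x20 <= byte < 0x7F for byte in password)


def demo() -> dict:
    authenticator = bytes(range(16))          # constructed Request Authenticator
    nas_secret = b"constructed-secret"        # constructed: configured on the NAS
    server_secret = b"constructed-secrte"     # constructed: typo on the server
    hidden = hide_password(b"otto", nas_secret, authenticator)
    matching = recover_password(hidden, nas_secret, authenticator)
    mismatched = recover_password(hidden, server_secret, authenticator)
    return {
        "matching": matching,
        "matching_printable": looks_printable(matching),
        "mismatched": mismatched,
        "mismatched_printable": looks_printable(mismatched),
    }


if __name__ == "__main__":
    result = demo()
    print("same secret     :", result["matching"])
    print("different secret:", result["mismatched"])
```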





Re: radclient question

2001-10-30 Thread Chris Parker

At 02:00 PM 10/30/2001 -0600, jason wrote:
that's what i was hoping for.. having an odd problem with these hiperarc
NAS's setting Framed-IP's for people and I'm wondering what's different
between the packet from our cistron server and from the freeradius server..

See latest versions of tcpdump.  You can do some really cool stuff.  I
patched it to clean up the attribute printing format slightly ( just added
\t and \n to the print statements ).  But, basically you can get it to
output what you are looking for with:

# tcpdump -s 0 -X host x.y.z.a

# tcpdump -V
tcpdump version 3.6
libpcap version 0.6

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: radclient question

2001-10-30 Thread Chris Parker

At 04:17 PM 10/30/2001 -0600, jason wrote:
But the packets are not *exactly* identical, though the part I truncated was
identical.  The portion I attached to my last mailing had differences,
which due to my limited knowledge of how the radius packet is formatted, I
am unable to understand.

there is a 'vector' that is calculated on per-client basis.

I'm perfectly willing to believe that is in fact the hiperarc's that are at
fault somehow, but I need some information of what is going on.  Whether the
fault be with the hyperarc or the radius server.

Try a recent version of tcpdump that will display the attributes that are
being sent.  I don't read radius attributes in hex yet ( though I'm closer
than I'd like ).

-Chris

--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: radclient question

2001-10-30 Thread Chris Parker

At 05:43 PM 10/30/2001 -0500, [EMAIL PROTECTED] wrote:
jason [EMAIL PROTECTED] wrote:
  But the packets are not *exactly* identical, though the part I truncated was
  identical.  The portion I attached to my last mailing had differences,
  which due to my limited knowledge of how the radius packet is formatted, I
  am unable to understand.

   From my examination, they seemed to be pretty much the same.  I
dislike the format that 'tcpdump' uses to print the packet, as it
makes comparisons more difficult.

I made it much more readable by modifying 'print-radius.c' as follows:

radius.c.new
752c752
printf( %s,attr_type[rad_attr-type].name);
---
 printf(\n\t%s,attr_type[rad_attr-type].name);
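
Review bot: The header line reads radius.c.new while the message says the change is to 'print-radius.c', and the hunk is a context-free normal diff (752c752), so it only applies to a tree where line 752 is exactly this printf; a unified diff against print-radius.c would make the target unambiguous. As archived, both printf lines have lost the quotation marks around the format string and rad_attr-type reads as a subtraction rather than a member access, so the change has to be retyped by hand rather than applied from this text.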

-Chris


   Alan DeKok.


--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: NAS/Radius discrepancy

2001-10-31 Thread Chris Parker

At 11:37 PM 10/31/2001 +1100, Bogdan wrote:
I was wondering,
I still use the users file for DEFAULTs, because we don't change them so often
and it seems to work OK (when I change login times it stops the user from logging in).
Wouldn't the snmpget module check the NAS username and state and report
no login for that user on the fly? I thought that this is what the sample said, that
radius checks for the user login in radutmp first and then confirms with the NAS that
the user is or is not logged in, but I am just a beginner with radius, so I'm
probably wrong.

That is how the Simultaneous-Use checking is supposed to work, yes.  :)

Alan has mentioned the patch; if it is possible could I get a copy, please?

I believe this was just committed to the current source, so you might want
to try the latest snapshot/cvs version.

-Chris

--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: example ascend l2tp users

2001-10-31 Thread Chris Parker

At 03:45 PM 10/31/2001 +0100, you wrote:
Hi there

Could someone post me an example of the users file
when trying to set up an L2TP Tunnel between an Ascend
Max2000/Max6000 and a cisco box, whilst the max is the LAC
Box??

Full Tunnel Support is currently being added to the server.  Try back
in a couple days, and it should be fully possible.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Configuration of radius to Authenticate from Oracle

2001-10-31 Thread Chris Parker

At 01:19 PM 10/31/2001 +0500, Smirk Smirk wrote:
Dear All,

I am trying to use Free-Radius. I downloaded it last week. But I have
failed to get authentication from oracle. Does anybody know how to put
an entry in the Radiusd.Conf for Oracle, and further in the Users file and SQL.Conf?

What types of errors or failures are you getting?  Running the server
in debug mode:  radiusd -x -x will give you a lot of information on what
it is doing at each stage.

Also, you may want to try running one of the latest snapshots, as they
have more things fixed than the 0.3 release.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: MPPE

2001-10-31 Thread Chris Parker

At 10:00 AM 10/31/2001 -0500, Matt Nowina wrote:
Hi Again,

I've finally succeeded in successfully setting up MS-CHAP authentication
for pptp clients (Thanks to Alan for his assistance with the rlm_mschap
module),

Excellent!  :)

but I have hit a snag negotiating mppe encryption. It appears
that the cisco router doesn't understand or is not receiving mppe keys
from the radius server.

In looking through the RFC for MS-CHAP, it states that the access-accept
packet should contain one or no instances of the following:

7 MS-MPPE-Encryption-Policy
8 MS-MPPE-Encryption-Type
12 MS-CHAP-MPPE-Keys
16 MS-MPPE-Send-Key
17 MS-MPPE-Recv-Key

Although I can set these values under the 'users' file to send back
during the negotiation, I can't seem to figure out the proper syntax to
declare them in octet form.

What are the dictionary entries you have currently, and what does your
users file look like now for the value?

The 2 other questions I had were first, is
the des function included with rlm_mschap able to negotiate 40bit 
128bit encryption or is it limited to 56-bit?

Not sure on this one, as I'm not as familiar with that module.

And secondly whether there
is a way to use the radius server only for authentication and then punt
the encryption process back to the router after a user has been
successfully authenticated?

Not quite sure what you mean by this.  Can you elaborate a little more?

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: core dumps where?

2001-10-31 Thread Chris Parker

At 12:09 PM 10/31/2001 -0500, Matt Rose wrote:

where does freeradius core-dump to?

If you have core dumps enabled, it should be to the directory you were
in when you launched 'radiusd'.

-Chris

--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: radclient question w/ pretty tcpdumps

2001-10-31 Thread Chris Parker

At 01:28 PM 10/31/2001 -0600, jason wrote:
Indeed it is more readable, here are the cleaned up versions.. one thing I
did notice is that tcpdump shows (DF) after the freeradius's version of
the reply packet? I have no idea what that means tho.

DF == Don't Fragment.

The attributes being sent back appear identical to tcpdump.  Not sure
what else we can look at.  I suspect the NAS, as we've now verified that
the packets contain the same attribute/value pairs.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'
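
A way to compare two captured replies without reading the hex by hand, as an added example that is not tcpdump or FreeRADIUS code and not part of the original posts: it parses the RADIUS header and attribute list per RFC 2865, renders the attributes, and recomputes the Response Authenticator, which RFC 2865 defines as MD5 over the reply header, the Request Authenticator, the attributes and the shared secret. It covers both the 'vector' mentioned earlier in this thread and the attribute comparison above; the attribute values, secrets and authenticators are constructed.

```python
import hashlib
import hmac
import socket
import struct

ATTR_NAMES = {1: "User-Name", 6: "Service-Type", 7: "Framed-Protocol",
              8: "Framed-IP-Address", 9: "Framed-IP-Netmask"}

# Constructed Access-Accept attributes as (type, raw value) pairs.
SAMPLE_ATTRS = [
    (6, struct.pack("!I", 2)),                   # Service-Type = Framed-User
    (7, struct.pack("!I", 1)),                   # Framed-Protocol = PPP
    (8, socket.inet_aton("192.0.2.10")),         # documentation address
    (9, socket.inet_aton("255.255.255.255")),
]


def parse_packet(data: bytes) -> dict:
    """Split a RADIUS packet into header fields and (type, value) attributes."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field does not fit the captured bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": data[4:20], "attrs": attrs}


def render(atype: int, value: bytes) -> str:
    """One attribute per line, in the style of the patched tcpdump output."""
    name = ATTR_NAMES.get(atype, f"Attr-{atype}")
    if atype in (8, 9) and len(value) == 4:
        return f"{name} = {socket.inet_ntoa(value)}"
    if atype in (6, 7) and len(value) == 4:
        return f"{name} = {struct.unpack('!I', value)[0]}"
    if atype == 1:
        return f"{name} = {value.decode('ascii', 'replace')}"
    return f"{name} = 0x{value.hex()}"


def response_authenticator(code: int, ident: int, attr_bytes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def build_reply(code: int, ident: int, attrs: list,
                request_auth: bytes, secret: bytes) -> bytes:
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def verify_reply(data: bytes, request_auth: bytes, secret: bytes) -> bool:
    pkt = parse_packet(data)
    expected = response_authenticator(pkt["code"], pkt["id"],
                                      data[20:pkt["length"]], request_auth, secret)
    return hmac.compare_digest(expected, pkt["authenticator"])


def diff_packets(a: bytes, b: bytes) -> dict:
    pa, pb = parse_packet(a), parse_packet(b)
    return {"same_attributes": pa["attrs"] == pb["attrs"],
            "same_authenticator": pa["authenticator"] == pb["authenticator"]}


if __name__ == "__main__":
    # Two constructed replies: same attributes, different request and secret.
    first = build_reply(2, 7, SAMPLE_ATTRS, bytes(16), b"constructed-secret-a")
    second = build_reply(2, 7, SAMPLE_ATTRS, bytes(range(16)), b"constructed-secret-b")
    for atype, value in parse_packet(first)["attrs"]:
        print("\t" + render(atype, value))
    print(diff_packets(first, second))
```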





Re: about Segmentation fault

2001-11-01 Thread Chris Parker

At 01:55 PM 11/1/2001 +0800, =?gb2312?B?1qO3ybPx?= wrote:
Hi
   I run freeradius 0.2 on redhat linux as thread. It errors with
Segmentation fault.

Upgrade to 0.3 ( latest version ) or the latest CVS builds.  0.2 is old.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





RE: example ascend l2tp users

2001-11-01 Thread Chris Parker

At 01:47 PM 11/1/2001 +1100, David Woolley wrote:

In what way does the present release (0.3)of freeradius not handle
l2tp?

As of last night's CVS snapshot it supports 'tagging' of attributes
according to RFC 2868.  It does not however support at this time the
decryption/reencryption of Tunnel-Password attribute.

Other than that, it now supports all other Tunnel attributes specified
in RFC 2868.  Tunnel-Password support is being worked on now, and should
be completed shortly.

-Chris



Re: Freeradius-Users digest, Vol 1 #315 - 21 msgs

2001-11-01 Thread Chris Parker

At 07:16 AM 11/1/2001 +, globe wrote:
currently i am using cistron radius 1.5. but i want to use
ascend-Data-filter. it is not supporting. therefore i installed freeradius
1.3. i try to connect dial users to the system it is generating log as
follows


Date Time :Error :Ignoring request from unknown client 193.220.28.9:1025

Check your entries in the 'clients.conf' file.  It appears that this
client is not entered there correctly.

Also, please do not include the *entire* digest if you are going to reply
to the list.  It's rather rude.

-Chris



Re: writting accounting script

2001-11-01 Thread Chris Parker

At 10:14 AM 11/1/2001 +0800, Daniel Yeung wrote:
Hi All

I have a task in office to write radius accounting script.
It is possible to call an external program in file /etc/raddb/acct_users.
How the radius pass the accounting packet to the external program ?
Authentication packet is passed as variable %s %u ...
any idea ?

Check the docs and look at the sample files.  There are examples for calling
an external program from radius on receipt of a packet.

-Chris




Re: proxy and without user@real issue

2001-11-01 Thread Chris Parker

At 01:41 AM 11/1/2001 -0800, Morgan M wrote:

Hi Guys,

Two questions:

1. Is it possible to proxy authentication and
accounting packets to a remote server if a user logs
in without a realm i.e. user logging in as only
username not username@realm?

Create a realm entry 'DEFAULT' in proxy.conf.  Note, this will
send all requests to that server unless they match a specific realm
prior to the DEFAULT entry.

2. Is it possible to do Exec-Program when user logs
out? If I mention:

Default Service-Type = Framed-User
 Exec-Program = /path/to/program/program %u,
 Fall-Through = 1

then, will freeradius run this program for every user
on every STOP?

You'll want to make the appropriate entries into ~/etc/raddb/acct_users
to set that up.

-Chris




Re: Use it in a commercial product

2001-11-01 Thread Chris Parker

At 04:36 PM 11/1/2001 +0200, Sotiris P. Christodoulou wrote:
We would like to use the freeRadius, integrated in a commercial product.

What we have to do?

I'd suggest starting by reading LICENSE in the server root directory.

Also, read and understand all of the implications of that LICENSE at:

http://www.fsf.org/licenses/licenses.html#TOCGPL

-Chris




RE: Auth failures

2001-11-01 Thread Chris Parker

At 11:48 AM 11/1/2001 -0500, Jason Lixfeld wrote:
Here's the failure:

Making static dynamic in rlm_counter...
gmake[6]: Entering directory
`/source/radius/freeradius-snapshot-20011101/src/modules/rlm_counter'
gcc  -g -O2 -D_REENTRANT -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith
-Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes
-Wmissing-prototypes -Wmissing-declarations -Wnested-externs
-I../../include  -c rlm_counter.c -o rlm_counter.o
rlm_counter.c: In function `counter_instantiate':
rlm_counter.c:246: too few arguments to function `dict_addattr'
rlm_counter.c:264: too few arguments to function `dict_addattr'
gmake[6]: *** [rlm_counter.o] Error 1

Hmmm, looks like i missed a module that calls dict_addattr.  I'm correcting
this now.

dict_addattr was updated to take the 'ATTR_FLAGS' argument, which
rlm_counter wasn't updated to know about.

( oh to have c++ function overloading... )

-Chris



Re: default and attributes

2001-11-01 Thread Chris Parker

At 10:56 AM 11/1/2001 -0600, Tech wrote:
Hello,
Once again many thanks for the free radius server and all the
hard work you have put into it. I am using version .3 and find it very
stable for my simple usage.

  My question is about the users file and how I can set all users to
use a default that sends all reply attributes for all users. Presently
my users file has an entry looks this for every user:

joe Auth-Type := local, Password == mary5985
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-Compression = Van-Jacobson-TCP-IP,
 Framed-MTU = 1500,
 X-Ascend-Data-Filter += ip in forward tcp est,
 X-Ascend-Data-Filter += ip in forward dstip xx.xx.202.196/24,
 X-Ascend-Data-Filter += ip in drop tcp dstport = 25,
 X-Ascend-Data-Filter += ip in forward,
 X-Ascend-Idle-Limit += 1200,
 X-Ascend-Maximum-Time += 10800,
 Fall-Through = No

I would like to change it to this:

joe Auth-Type := local, Password == mary5985
 Fall-Through = Yes

Default

Try changing this to all caps.  Yes, it is case sensitive.

-Chris



RE: How i can import my dictionary files in my mySQL Database ?

2001-11-02 Thread Chris Parker

At 10:51 AM 11/2/2001 -0500, Jason Lixfeld wrote:
Hmm, but in order to use the icradius radius.cgi, the dictionary needs
to be imported or else you cannot successfully add users.

It is important to note that icradius is not FreeRADIUS.  Trying to use
scripts from another server with FreeRADIUS is done at your own peril.

-Chris



RE: How i can import my dictionary files in my mySQL Database ?

2001-11-02 Thread Chris Parker

At 11:57 AM 11/2/2001 -0500, Jason Lixfeld wrote:
I'm using them, and they do work, for the most part.  All icradius'
management cgis, user and accounting import scripts work, with the
exception of the userimport.pl and the latest CVS due to the new op
field being added.  I can send submit all the icradius stuff I've used
and modified thus far.

That would be excellent.  We can then make them FreeRADIUS specific so
that they continue to work with FreeRADIUS since it's no longer quite the
same thing as ICRadius.

-Chris




Re: Exec-Program[-Wait] for Accounting-Request

2001-11-08 Thread Chris Parker

At 06:56 PM 11/8/2001 -0500, [EMAIL PROTECTED] wrote:
Nathan Miller [EMAIL PROTECTED] wrote:
  (gdb) print *request
  Cannot access memory at address 0xdeadbeef

   That's the official 'this memory doesn't exist' address.

   I'd say there's a serious problem on your system somewhere.  Have
you installed the server multiple times, from multiple versions?  If
so, then the rlm_FOO may access data structures which no longer
exists.

This exact problem was seen by another member of the list, in that an
old lib was being loaded, and causing crashes.

   Delete all binaries, and re-install.

The main thing here is to 'rm /usr/local/lib/rlm*', so that you nuke all
of the various libs, which generally are the culprits in this case.

-Chris



Re: Benchmark in FreeRadius

2001-11-09 Thread Chris Parker

At 03:06 PM 11/9/2001 +0800, Kenneth Tang wrote:
Dear all,

I am now evaluating Radius Server.
Regarding to the performance issue, Does anyone have info. in benchmark
or stat. about  FreeRadius? (e.g. number of authentication per second..)

The latter depends completely on the system and configuration that you are
running.

See 'doc/performance-testing' in the source distribution for more info.

-Chris



Re: new Tunnel-* issue in CVS

2001-11-12 Thread Chris Parker

At 05:00 PM 11/12/2001 +0300, Fabrice LABORIE wrote:
Hi !

here is the trace output for freeradius-0.3
 Attr-67 = 212.46.32.49
 Attr-66 = 192.168.238.1
 Attr-90 = sbm.net.sa
 Attr-91 = inet-row-tnt3
 Attr-68 = 25
and here is the equivalent trace output for freeradius-snapshot-2002
   Tunnel-Server-Endpoint:0 = 12.46.32.49
 Tunnel-Client-Endpoint:0 = 92.168.237.1
 Tunnel-Client-Auth-Id:0 = bm.net.sa
 Tunnel-Server-Auth-Id:0 = net-row-tnt2
 Acct-Tunnel-Connection = 4

see the difference???
1) the Attributes now have names ( cf change in the dictionary) GD
BUT
2) the 1st character is GONE !!

Whatever is sending those attributes is not following the RFC.   Please
see RFC-2868.  The first character of the strings and the MSB of the
integers is defined to be sent as a TAG.

You can remove the 'have_tag' portion of the entry in the 'dictionary.tunnel'
file, but it'd be better to have the originating radius properly send the
TAG formatted attributes per the RFC.

-Chris
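The tag octet discussed in the reply above, as an added example (not FreeRADIUS code; all function and constant names are hypothetical). It decodes a tagged string value under two policies: always consuming the first octet, which is assumed to be the behaviour behind the truncated values in the trace, and the RFC 2868 rule that a first octet above 0x1F SHOULD be read as the first byte of the string. It also shows the sender-side encoding and the tag/value split of a tagged integer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_MAX 0x1F   /* RFC 2868: 0x01..0x1F are tags, 0x00 means "unused" */
#define VAL_MAX 253    /* longest value field of a RADIUS attribute */

enum tag_policy {
    TAG_ALWAYS_STRIP,  /* assumption: first octet is always consumed as the tag */
    TAG_LENIENT        /* RFC 2868: an octet above 0x1F is string data */
};

/* Decode the value of a tagged string attribute (e.g. Tunnel-Server-Endpoint).
 * Returns the string length, or -1 on bad input. *tag is 0 when no valid tag. */
int decode_tagged_string(const uint8_t *val, size_t len, enum tag_policy policy,
                         uint8_t *tag, char *out, size_t outsz)
{
    size_t skip;

    if (val == NULL || len == 0 || len > VAL_MAX)
        return -1;
    if (val[0] <= TAG_MAX) {          /* a real tag (or 0x00 = unused) */
        *tag = val[0];
        skip = 1;
    } else {                          /* printable octet: sender sent no tag */
        *tag = 0;
        skip = (policy == TAG_ALWAYS_STRIP) ? 1 : 0;
    }
    if (len - skip >= outsz)
        return -1;
    memcpy(out, val + skip, len - skip);
    out[len - skip] = '\0';
    return (int)(len - skip);
}

/* Sender side: prepend the tag octet. Returns the value length or -1. */
int encode_tagged_string(uint8_t tag, const char *str, uint8_t *out, size_t outsz)
{
    size_t n = strlen(str);

    if (tag > TAG_MAX || n + 1 > VAL_MAX || n + 1 > outsz)
        return -1;
    out[0] = tag;
    memcpy(out + 1, str, n);
    return (int)(n + 1);
}

/* Tagged integer (e.g. Tunnel-Type): tag in the most significant octet,
 * value in the remaining three. Returns -1 if the tag is out of range. */
int decode_tagged_int(const uint8_t val[4], uint8_t *tag, uint32_t *value)
{
    *tag = val[0];
    *value = ((uint32_t)val[1] << 16) | ((uint32_t)val[2] << 8) | (uint32_t)val[3];
    return (val[0] <= TAG_MAX) ? 0 : -1;
}

int main(void)
{
    /* Value text taken from the page's 0.3 trace (Attr-67), sent untagged. */
    const char *addr = "212.46.32.49";
    uint8_t wire[VAL_MAX], tag;
    char out[VAL_MAX + 1];
    int n;

    decode_tagged_string((const uint8_t *)addr, strlen(addr),
                         TAG_ALWAYS_STRIP, &tag, out, sizeof out);
    printf("untagged, always strip: tag=%u value=%s\n", (unsigned)tag, out);

    decode_tagged_string((const uint8_t *)addr, strlen(addr),
                         TAG_LENIENT, &tag, out, sizeof out);
    printf("untagged, lenient:      tag=%u value=%s\n", (unsigned)tag, out);

    /* Constructed sample: the same address sent with tag 1. */
    n = encode_tagged_string(1, addr, wire, sizeof wire);
    decode_tagged_string(wire, (size_t)n, TAG_ALWAYS_STRIP, &tag, out, sizeof out);
    printf("tagged, either policy:  tag=%u value=%s\n", (unsigned)tag, out);
    return 0;
}
```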



Re: Help with MySQL setup!

2001-11-14 Thread Chris Parker

At 11:03 AM 11/14/2001 -0800, Robert Abbate wrote:
Hi. I am getting this error when setting up MySQL 3.23 to run on FreeRadius
0.3:


[root@localhost internetsubmit]# /usr/local/sbin/radiusd start
radiusd: Starting - reading configuration files ...
radiusd: radiusd.conf[4]: sql: Module instantiation failed.

Try running it with 'radiusd -X' so that it will print debugging to
the screen.  It will give you very helpful messages about what it cannot
load/instantiate.

-Chris




Re: Help with MySQL setup!

2001-11-14 Thread Chris Parker

At 11:56 AM 11/14/2001 -0800, Robert Abbate wrote:
Ah! Thanks. Here's what I got that looked like an error:

rlm_sql: Could not link driver rlm_sql_mysql: file not found
rlm_sql: Make sure it (and all its dependent libraries!) are in the search
path
of your system's ld.
radiusd.conf[4]: sql: Module instantiation failed.

I located a directory under the distribution. Should I move this directory
to the raddb directory, or just point to it?
/root/freeradius-0.3/src/modules/rlm_sql/drivers/rlm_sql_mysql

No, when it is installed, it should be found automatically and will be
located in a place like '/usr/local/lib'.

Did you change any of the paths when you ran 'configure'?

Also, try changing to the 'rlm_sql' directory and run 'make'.  I suspect
that it did not compile and install properly which is why the server
can't find it when you try to run it.

-Chris



Re: how can I compile radius using gcc

2001-11-16 Thread Chris Parker

At 01:15 PM 11/16/2001 +1100, Julie Xu wrote:
Hi,

I have RS6k/AIX 4.2.0, using cc for aix to compile Radius failed. I also
have gcc in
system. but, the it refuse to use gcc. why?

How can I compile radius using gcc, not aix cc.

Set and export an environment variable called CC to the path to gcc
prior to running the 'configure' script.

Something like:

system# CC=/usr/local/bin/gcc
system# export CC
system# ./configure other options

-Chris



Re: No password at /var/log/radiusd.log

2001-11-19 Thread Chris Parker

At 08:56 PM 11/19/2001 +0100, Hans van Kilsdonk wrote:
Hi everyone,

I have setup Freeradius on my Cobalt RAQ4r webserver using the following
command line:

/usr/sbin/radiusd -z -f -A -y -p portnr -d /usr/local/etc/raddb

As you can see I included the -z option so I can see which password the
users use to login. When I look at my log file at /var/log/radiusd.log, I
only can see the following:

Try changing the 'raddb/radiusd.conf' file to allow displaying passwords.

Apart from the command line, the config file must also be set properly.

-Chris



Re: No password at /var/log/radiusd.log

2001-11-19 Thread Chris Parker

At 09:24 PM 11/19/2001 +0100, Hans van Kilsdonk wrote:
Well, I checked the config file, and I think everything is ok. The following
values are set:

-

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
log_auth = yes

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
log_auth_badpass = yes
log_auth_goodpass = yes

-

Do I set more variables to let the password show up into my logfiles?

Nope, that should do it.  Hmmm, it may be that the password is not
printed to the logfiles, only to the terminal in debug mode.

I'd look at the code in 'src/main/auth.c' and try playing with that.  From
what I can tell it should be working.

You are running the latest version?  Also, what do you see if you run the
server in debug mode?

-Chris



Re: RADIUS and NAS

2001-11-20 Thread Chris Parker

At 02:23 PM 11/20/2001 +0200, Nikos Markolefas wrote:
I have a Network Access Server(Cisco 2509,IOS version 12.0) working with my
RADIUS server(freeRADIUS 0.2).I want to configure RADIUS attributes on the
NAS's side,through the IOS software of NAS.In other words,I want NAS to send
to the RADIUS server(besides user name,password,elapsed time)input and
output bytes for each user(or session id number)in interim update
packets.The default settings of IOS don't send that information to the
RADIUS server.

http://www.cisco.com/warp/public/793/access_dial/index.html

I know that it is not a problem from the RADIUS point of view,but any help
would be valuable,since I'm at a deadend.Also,if someone has any manual for
IOS software,that would be very helpful,because I have downloaded too much
junk stuff from the Cisco's site.

Try searching using:  http://cisco.google.com/cisco

-Chris




Re: Busy Radius/SQL auth rejected

2001-11-20 Thread Chris Parker

At 08:11 AM 11/20/2001 -0800, Rodney wrote:

Okay, I've been work on getting Freeradius-0.3 to always return
constantly the right Reject or Ok.

My setup is simple.
Linux (Slack-8.0) Kernel-2.4.14
PostgreSQL-7.1.3
ix86-PIII-1000 256MB RAM (IBM) for Radius
ix86-PIII-1000 1GB RAM (IBM) for PostgreSQL

Only using SQL w/PostgreSQL just to auth and then runs an
'Exec-Program-Wait' that returns a 'Reply-Message'

I have a perl script that runs .. basically the same as in my application
.. that will send my (load) radius server many requests (about 5000 in 15
minutes). Sometimes I get all request Ok and sometimes some fail
(Reject) ... My perl script handle the errored and bad responses from the
radius server. This is what is happening. I'm hoping this is a bug ... if
the sql server sockets are full it will give a reject instead on an error.

No, it does give an error, in the logs.  It can't give an error to the
user authenticating, as it has two choices.  Accept or Reject.  If it cannot
Accept, then it *MUST* send a Reject.  There is no other option.

And I have tried to increase the sockets to 30 but the radius server does
not do anything  does not answer ANY request ???

That sounds like a bug.  What do you mean by 'does not answer ANY request'?
What does the server do when you run it in debug mode with number of
sockets increased to 30?

-Chris



Re: Newbie question - apache radius - redundancy

2001-11-20 Thread Chris Parker

At 08:40 AM 11/20/2001 -0800, George Genovezos wrote:
Hi all

I just installed the mod_auth_radius-1.5.2. Beautiful piece of software.
Everything works great.

My question is how do I add another radius authentication server to apache's
mod_auth_radius module?

I don't know if the mod_auth_radius can do this on its own.

This way when the NT radius server fails my boxes will still continue
running.

Run your radius servers on a *nix platform?  Put the radius servers
behind a load-balancer?  ( It is udp and non-stateful as long as you
aren't doing any proxying so this would work ).

Another way, would be to point 'mod_auth_radius' at a radius server
running on 'localhost', and have the failover done by the 'localhost'
server.  Freeradius does now support failover, so you could run that
on the web-server.  No, it's not pretty, but it'd work.

Apache can failover to another auth method, but not to another instance
of mod_auth_radius.

You could probably take a look at the Freeradius failover code, and patch
that into mod_auth_radius.  If it works, submit it back and it could be
patched in.

-Chris



Re: Exec-Program-Wait Responce

2001-11-20 Thread Chris Parker

At 12:55 PM 11/20/2001 -0800, Nathan Miller wrote:
Brings up a good Question.

Does anybody have a list or know where to locate a list of what Windows 
will respond to the customer when receiving a message other than Access
denied?

Absolutely nothing useful, unless you dial with a 'Post-Dial Terminal
Window'.

It'd sure be nice to send msg back to windows user saying You have 
exceeded your time limit.  Or Your account is suspended, contact 
xxx-xxx-

It sure would, but unfortunately, that's not possible to do with windows
unless you use some type of custom dialer possibly.

-Chris



Re: limiting to async only

2001-11-21 Thread Chris Parker

At 03:17 PM 11/21/2001 +0200, cj wrote:

hi

i want to limit a certain domain to only async calls no ISDN ... what
Cisco-AV-Pair would you suggest i use (or redirection to any documentation
would be helpful as well)

I would use a check item in the users file/sql table, etc.

Realm is a valid internal attribute.

DEFAULT Auth-Type := Reject, Realm == noisdn, NAS-Port-Type == ISDN

DEFAULT Auth-Type := System
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254

-Chris



Re: installation problem in solaris2.7

2001-11-21 Thread Chris Parker

At 07:21 PM 11/20/2001 -0800, sunil kathait wrote:
Hi all,


i was getting problem in installation.but i reinstall
the solaris2.7 GNUgcc.2.95.2. now installation is
done. but when i am starting the radius server

# /usr/local/sbin/radiusd -x
ld.so.1: /usr/local/sbin/radiusd: fatal: libltdl.so.3:
open failed: No such file
Killed
#

I can almost guarantee that your LD_LIBRARY_PATH variable does not
contain /usr/local/lib, which is where the FreeRADIUS libs are installed.

Try updating this to include /usr/local/lib, then start radiusd.

-Chris




Re: Pairs do not match

2001-11-21 Thread Chris Parker

At 03:23 PM 11/21/2001 +1000, Mark Constable wrote:
Could anyone please explain what might be going on here
and which Pairs do not match ?

rlm_sql: Pairs do not match [[EMAIL PROTECTED]]

It looks like you are storing a plaintext password in a Crypt
password container.  Either store the encrypted password in the
table, or change the attribute name to 'User-Password'.

And why might I be seeing doubled up reply pairs ?

This has been going on for a while.  It looks like series of debugging
statements that should be commented out somewhere, as the server is
iterating through a loop.  Not that there is a definite pattern to this
series, as if it's printing the a/v pair list each time through a loop:

Pass 1:

Service-Type = Framed-User

Pass 2:

 Service-Type = Framed-User
 Framed-Protocol = PPP

Pass 3:

 Service-Type = Framed-User
 Framed-Protocol = PPP
 Framed-Netmask = 255.255.255.255

Pass 4:

 Service-Type = Framed-User
 Framed-Protocol = PPP
 Framed-Netmask = 255.255.255.255
 Framed-MTU = 1500

Pass 5:

 Service-Type = Framed-User
 Framed-Protocol = PPP
 Framed-Netmask = 255.255.255.255
 Framed-MTU = 1500
 Framed-Compression = Van-Jacobson-TCP-IP

So it's a cosmetic bug, unless you are seeing the reply being sent with
that many attributes out from the NAS.  I'd look at the SQL module for
this, if you want to clean it up.

-Chris



Re: setting idle-time based on port

2001-09-28 Thread Chris Parker

At 01:46 AM 9/28/2001 -0400, you wrote:
Hello,

I'm trying to configure freeradius to send a rule to allow a max idle time 
in an session to be 20 min for a certain port.

So, if a user comes in to port 0, his/her idle times is 20 min
If a user comes in another port. his/her idle time is unlimited.

is this doable?

You could put something along the lines of this in the 'users' file,
with a Fall-Through.

Any attribute that is sent in an Access-Request may be used as a Check-Item.
If NAS-Port is sent by your NAS in the Access-Request you could try something
like:

DEFAULT NAS-Port == 0
        Idle-Timeout = 20,
        Fall-Through = 1

DEFAULT Auth-Type := System
        ...
        standard attributes here
        ...

-Chris





Re: Pairs do not match

2001-11-26 Thread Chris Parker

At 06:09 PM 11/22/2001 +1000, Mark Constable wrote:
On Thu, 22 Nov 2001 00:45, Chris Parker wrote:

  It looks like you are storing a plaintext password in a Crypt
  password container.  Either store the encrypted password in the
  table, or change the attribute name to 'User-Password'.

Oh oh, where does User-Password come from ? I've been
using either just Password for plain text entries or
Crypt-Password for encrypt('pw')ed entries.

User-Password and Password would be the same thing.  Password is
what's defined in the dictionary, so use that.

The RFC gives the proper name as User-Password, so that's why I
mentioned it, however, regardless of the RFC, you need to use
Password.

-Chris



Re: prepaid card

2001-11-27 Thread Chris Parker

At 11:06 AM 11/27/2001 +0300, Fabrice LABORIE wrote:
Hi !

I wonder if someone would be willing to share some ideas or better code to
implement prepaid
cards with freeradius.
- scripts  to create batches of users/passwd  with so many minutes
- countdown of the minutes availables
- online reports of minutes available
- ???

Please read the documentation regarding the 'rlm_counter' module.

-Chris



Re: Multi Group with multi Domain!

2001-11-27 Thread Chris Parker

At 05:51 PM 11/27/2001 +0800, Tom Chan wrote:
Hi Guys;
Any one have experience to setup the server to support this:

I have multi group users with multi domain
e.g.

[EMAIL PROTECTED] password: user1group1
[EMAIL PROTECTED] password: user2group1

[EMAIL PROTECTED] password: user1group2
[EMAIL PROTECTED] password: user2group2

Suppose I can put username with domain into user file, but can I use the 
alternative solution,e.g.

You could also enable the 'user collision' functionality.  There are
comments in the 'raddb/radiusd.conf' file as well as a readme in
'doc/duplicate-users'.

-Chris



Re: freebsd: -lcipher

2001-11-27 Thread Chris Parker

At 03:57 PM 11/27/2001 +0200, Victor Ivanov wrote:
Hi all!

I recently updated using cvs and recompiled radiusd 0.4 on my freebsd 4.4
(a recent stable). When running radiusd, libc complained about the lack
of the FreeSec functions (setkey(3), des_cipher(3), etc).

I have added this check in configure.in, and it works for me:

dnl Check for libcipher (extends LCRYPT)
AC_CHECK_LIB(cipher, setkey,
   CRYPTLIB="${CRYPTLIB} -lcipher"
)

Please send this as a 'diff'.  See the 'doc/DIFFS', or more simply:

$ cvs diff -p configure.in

And post it here.  We'll review it and commit it if it works.

Thanks!
-Chris



Re: EAP authentication

2001-11-27 Thread Chris Parker

At 02:03 AM 11/27/2001 -0800, EE Vivien wrote:
Hi,

I received an Access-Reject packet each time I send an
Access-Request packet to freeRadius server (with
Auth-Type = EAP). Anyway, if the Auth-Type = local,
an Access-Accept packet will be received for the same
Access-Request packet.

Run the server in debug mode ( radiusd -X ), it will tell what it
is doing and why it is doing it.

To use EAP-Message(79) and Message-Authenticator(80)
attributes, do I need to set the Auth-Type = EAP? What
are the settings or configurations I need to make the
EAP authentication success?

I know that EAP support is still being developed, but I'm not as
versed in that as I could be.  Someone else with more EAP experience
may want to comment on EAP configuration ( and contribute a README? )

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: starting radiusd- need help

2001-11-27 Thread Chris Parker

At 01:20 PM 11/27/2001 +, Selvam  Murugesan wrote:

Hi,
  I am a newbie to Free Radius Server. I am using the latest version of 
 Cistron Radius available in the FreeRadius site. I am trying to configure 
 the Free Radius Server for processing simple Radius attributes. I have 
 successfully run the configure, make and make install. I am trying to 
 edit+rename the raddb files.  In the README document in the /doc 
 available as a part of the Server package, its being mentioned to start 
 radiusd. But how do we build this executable message?

If you didn't change any of the paths, radiusd will install itself as:

   /usr/local/sbin/radiusd

The files in raddb are located in:

   /usr/local/etc/raddb

by default.  You can edit them in place.  I'd recommend keeping backup
copies of the originals ( which will also be located in the source ).
As for renaming the files, that is not recommended as it will require you
to change the code as well.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: can this be done....total newbie

2001-11-27 Thread Chris Parker

At 11:40 AM 11/27/2001 -0400, Matt Ashfield wrote:
Hey All,

I'm a total newbie to radius, and I apologize ahead of time. I've read the
FAQ, but things are kinda flying high over my head after a few of the
questions. I'm thinking it's the right tool for what I want to do, but wanna
know if it's in the realm of possibility before jumping in full-footed..

I have an Internet connection. I have say 10 drops in my building that I
want users to be able to come in, plug into, authenticate and have access to
the Internet. I suppose I'd give them a certain IP address if they
authenticated correctly, and a non-routable one if they did it incorrectly.
But what prevents them from changing the IP address? Is that on the Radius
Client (ie, the router)?

Any info you can provide is greatly appreciated.

Look into an Access-Server that supports PPPoE, and can authenticate via
Radius.

I'd recommend Redback for starters.  http://www.redback.com

It's not a radius thing, other than the Redback can do per user
authentication to a Radius server.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Decent docs

2001-11-28 Thread Chris Parker

At 10:08 AM 11/28/2001 -0500, [EMAIL PROTECTED] wrote:
Mark Constable [EMAIL PROTECTED] wrote:
  If that is not likely to happen (huge job) then at least
  accepting snippets of changes and additions that anyone
  might want to contribute and coordinating their inclusion
  into current docs is a more likely procedure.

   That requires time, and someone with a willingness to spend that
time integrating changes people send to the list.

  Maybe this round of emails might alert a capable someone to the task
  of extending the manual properly in full DocBook format.

   I'm willing to give you CVS commit access if you're willing to
coordinate the manual.

On the subject of manuals...

I'm taking what Chad Miller started in docbook format, converted to
HTML and integrating the current 'doc/*' contents.

It's just begun, but you can view the current state and its progress
at:

http://www.segv.org/freeradius/toc.html

Once I've got all of the current documentation incorporated, I'll be
adding it to the site www CVS.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: capacity questions

2001-11-28 Thread Chris Parker

At 06:01 PM 11/28/2001 +0100, Daniel(R2M) wrote:
  Hi
I'd like to know if someone has any real numbers of what capacity
freeradius can handle. For example how many user, number of requests per
second, what machine is used etc. I have done some testing and
simulation but nothing beats the real thing I guess. So before I use it
for real it would really help with some real life numbers.

Please take a look at 'doc/performance-testing'.  It depends entirely too
much on what you are doing with the server, how it is configured, etc.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Decent docs

2001-11-28 Thread Chris Parker

At 09:21 AM 11/28/2001 -0800, Chad Miller wrote:
On Wed, Nov 28, 2001 at 09:31:51AM -0600, Chris Parker wrote:
  On the subject of manuals...
 
  I'm taking what Chad Miller started in docbook format, converted to
  HTML and integrating the current 'doc/*' contents.

Ah!  Something that I forgot to pass on!  I have significant changes to the
manual, that I never uploaded as they're not finished.  Does someone want
them?  I hate committing unfinished work.

Btw, Chris, 'db2html' does that rather nicely, as do 'jade' and 'openjade'.

I dislike having to install additional things just to read a manual page,
or to edit it.  I'm just lazy I guess.  :)

I've got a tarball; who wants it?

Fire away.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Decent docs

2001-11-28 Thread Chris Parker

At 10:35 AM 11/28/2001 -0800, Bill Campbell wrote:
On Wed, Nov 28, 2001 at 11:39:05AM -0600, Chris Parker wrote:
...
 I dislike having to install additional things just to read a manual page,
 or to edit it.  I'm just lazy I guess.  :)

The whole object of SGML and DocBook is to allow one to maintain a single
source from which one can produce html, text, or typeset text.  Once
converted to html, much of the interesting information is lost (such as the
ability to create automatic indexes).

I've got a script that creates normal html, single-document html (easier to
search and print), and text output from DocBook SGML input.  The fact that
DocBook automatically handles table of contents and the Index makes it far
more useful than if I had to do all this manually.

TOC/Indexing automagically could be useful.

However, in order to use it, I have to learn a whole new markup language.

Irony of ironies, the documentation for JADE ( the editor recommended
on the docbook site ) sucks.

I'll keep working on expanding what I have at:

   http://www.segv.org/freeradius/toc.html

The html editor for mozilla is actually very well done, and that's what
I'm using.  You can flip on the fly between editing raw markup html
and wysiwyg, which is quite cool.  You can save as HTML or TEXT ( where
TEXT is de-htmlized and wrapped at 80 columns ).

If someone else wants to put it in docbook format and maintain it, feel
free to do so.  :)

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Please help!! rlm_sql

2001-11-30 Thread Chris Parker

At 02:14 PM 11/30/2001 -0800, Mike Machado wrote:
Operators have not been implemented yet. If you wish to make a patch,
perhaps this would benefit everyone. All that needs to be done is add an
operator column, and have it use these operators on an authorize call.

That has been done actually, and I believe is checked into the latest
CVS.

-Chris

--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: radwho returns blank?

2001-12-05 Thread Chris Parker

At 10:10 AM 12/5/2001 -0800, Douglas Brick wrote:
Sorry if I'm reiterating an old question, but radwho isn't working for
me.  I'm using freeradius v0.2

Very old version.  I'd strongly suggest upgrading to one of the nightly
CVS snapshot builds, or at the very least, to 0.3.

  on redhat 7.0, kernel 2.4.14.  radwho
always returns nothing but a blank.  strings shows lots of likely
looking info in /var/log/radutmp, but I don't get any of it from
radwho.  Any suggestions?

Upgrade.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Accounting: logout: login entry for NAS tc2 port 770 not found

2001-12-07 Thread Chris Parker

At 08:16 AM 12/7/2001 -1000, Gillou wrote:
Ok here is the result of radiusd -X
As you can see the first user toto is well authenticated (all is ok)
The second user toto is well authenticated but he is disconnected from my
HyperARC

Then the problem is your HyperARC and has nothing to do with Radius.  Try
a USR list for more help.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Strip-User-Name leaves delimiter behind`

2001-12-10 Thread Chris Parker

At 05:55 PM 12/10/2001 -0500, Joe Maimon wrote:
UPDATE:

Sorry for annoying everyone again..not seeing much traffic.

The issue is that strip-user-name in the hints file for the realms seems
to leave the realm delimiter behind, thereby only matching the user name
if it has the delimiter appended/prepended to it.

I installed the latest snapshot and there was no difference. Is this a
feature, config issue or a bug?

Since it sounds like you are trying to create a Realm with the hints file,
why not use the Realm functionality of the server?  It's designed to do
a lot more than hints ever was, and is a lot more flexible and configurable.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Freeradius performance tuning

2001-12-11 Thread Chris Parker

At 11:22 AM 12/11/2001 +0800, Daniel wrote:
Hi all

I have one proxy radius that forward request to another freeradius radius
server.
The cpu usage on proxy radius is overloaded.
Is there load balance feature for freeradius server ?

There is currently a 'fail-over' mechanism in place.  The next step to
expand that functionality is to create a 'round-robin' distribution method
on top of the 'fail-over' function.

If you want to take a crack at it, feel free, otherwise, monitor the list
and wait until someone else implements it and it gets incorporated.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Decoding VSAs

2001-12-11 Thread Chris Parker

At 10:09 AM 12/11/2001 -0500, Jeremy McNamara wrote:
Pardon my newbieness again.

I have figured out how to get VoIP authenticating with FreeRadius but in
the detail (and -X) log the VSAs are still encoded (hex?). Steel-belted
radius displays them in a human readable form and our billing system
expects them the same way.

What attributes are these?

Is this just something that someone hasn't gotten around to decoding the
VSAs or is this a bug or do I need to use an undocumented switch or
something?

You may want to change the dictionary entries from octet to string for the
attributes if you know they are being sent as human readable strings.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Decoding VSAs

2001-12-11 Thread Chris Parker

At 10:32 AM 12/11/2001 -0500, Jeremy McNamara wrote:


Chris Parker wrote:

 
  What attributes are these?

Example from a detail file:

  Acct-Input-Packets = 0
  Acct-Output-Packets = 0
  Service-Type = 0
  Vendor-Specific =
0x19da1830683332332d636f6e662d69643d3632363636332033323331333936352036313030333033312033353030

All of those Vendor-Specific Attributes are coming from a Cisco As5300 
doing VoIP

Then you probably need to include the appropriate vendor dictionary.  As
VSA can be nearly anything, if the server doesn't have a definition for
the VSA being sent it displays a generic entry of type 'octet' that you
see above.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'
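
Added example (not part of the original thread and not FreeRADIUS code): a small Python decoder for the value of a Vendor-Specific attribute in the RFC 2865 layout, showing how the same bytes render as a named string when a dictionary entry exists and as raw octets when it does not. The dictionary table, the generic Vendor-N-Attr-N naming, vendor 99999 and the sample bytes are constructed for illustration; Cisco's vendor ID 9 and attribute 24 (h323-conf-id) come from the standard Cisco dictionary.

```python
import struct

# Hypothetical dictionary for this example: (vendor_id, vendor_type) -> (name, type).
# Vendor 9 is Cisco; 24 is h323-conf-id in the Cisco dictionary.
DICTIONARY = {(9, 24): ("h323-conf-id", "string")}


class VSAError(ValueError):
    """The Vendor-Specific value does not follow the RFC 2865 layout."""


def build_vsa(vendor_id, subattrs):
    """Build a constructed test value from (vendor_type, data) pairs."""
    body = b"".join(bytes([t, len(d) + 2]) + d for t, d in subattrs)
    return struct.pack("!I", vendor_id) + body


def render(vendor_id, vtype, data, dictionary):
    """Render one sub-attribute; fall back to hex octets when unsure."""
    as_octets = "0x" + data.hex()
    entry = dictionary.get((vendor_id, vtype))
    if entry is None:
        # No definition: generic name (made up here) and raw octets.
        return (f"Vendor-{vendor_id}-Attr-{vtype}", as_octets)
    name, kind = entry
    if kind == "string":
        # The bytes come from the network, so only show them as text
        # when they really are printable ASCII.
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError:
            return (name, as_octets)
        if text.isprintable():
            return (name, f'"{text}"')
    return (name, as_octets)


def decode_vsa(value, dictionary=DICTIONARY):
    """Decode the payload of attribute 26.

    Layout: 4-byte Vendor-Id, then one or more sub-attributes, each
    vendor-type (1 byte), vendor-length (1 byte, counts itself and the
    type byte), data.
    """
    if len(value) < 4:
        raise VSAError("value is shorter than a Vendor-Id")
    (vendor_id,) = struct.unpack("!I", value[:4])
    out, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise VSAError("truncated sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise VSAError(f"bad vendor-length {vlen} at offset {pos}")
        out.append(render(vendor_id, vtype, value[pos + 2:pos + vlen], dictionary))
        pos += vlen
    return out


# Constructed samples, not captured traffic.
KNOWN = build_vsa(9, [(24, b"h323-conf-id=0A1B2C3D 00000000 00000000 00000001")])
UNKNOWN = build_vsa(99999, [(1, b"\x01\x02ab")])

if __name__ == "__main__":
    for sample in (KNOWN, UNKNOWN):
        for name, shown in decode_vsa(sample):
            print(f"{name} = {shown}")
    # Same Cisco bytes with an empty dictionary: octets only.
    print(decode_vsa(KNOWN, dictionary={}))
```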





FreeRADIUS 0.4 -- RELEASE

2001-12-12 Thread Chris Parker


FreeRADIUS 0.4 has been released and is posted on the website and ftp
server.

If you are running a release prior to this image, please upgrade to this
version, as it contains many fixes and new features over the 0.3 release.

The Changelog for this release contains:

FreeRADIUS 0.4.0 ; urgency=low

* Remove the server requirement that one of User-Password
   or CHAP-Password exist when doing authentication.  These
   checks should be handled by the modules.  This change
   also prepares us for EAP.
   Patch from Raghu [EMAIL PROTECTED]
* Make NAS-Port-ID in radwho, raduse, etc. unsigned,
   instead of signed.
   Patch from John Morrissey [EMAIL PROTECTED]
* Allow \t and \n inside of configuration strings.
   Frank Cusack [EMAIL PROTECTED]
* X9.9 Challenge-Response token card support.
   For now, only CRYPTOCard tokens are supported.
   Frank Cusack [EMAIL PROTECTED]
* Fix core dump on Solaris in radwho.c
   Patch from Eddie Stassen [EMAIL PROTECTED]
* Fix leak / core dump in Oracle module.
* Fix memory leak in rlm_counter
   Kostas Kalevras [EMAIL PROTECTED]
* LOCAL realms do not need to have an entry in the 'clients'
   file.  Philippe Levan [EMAIL PROTECTED]

If any problems are discovered in the posted release, please let us
know and we'll correct them.

Thanks,
-Chris Parker
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Compile Errors

2001-12-13 Thread Chris Parker

At 11:14 PM 12/12/2001 -0500, [EMAIL PROTECTED] wrote:
Gary Barnden [EMAIL PROTECTED] wrote:
  How can i compile without EAP support ?

   rm -rf src/modules/rlm_eap

And that has now been done to the 0.4 tarball on the site.  It now no
longer includes rlm_eap, so it should build without problems.

The only difference between the tarball posted yesterday and this one is
the command shown above to remove the 'src/modules/rlm_eap' directory.
If you've already downloaded it, you can remove it the same way.

Apologies for the confusion.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: net restrictions

2001-12-14 Thread Chris Parker

At 10:51 AM 12/14/2001 +1000, Tim wrote:
Thanks Mike ... but as I see it ..

User dials in with user pass of  something/something .. (not configured in 
Users or Passwd file) .. my Ascend Max (4000's) box sends the request to 
radius, to which radius denies the auth request .. then Ascend drops the 
call . ??

I would have thought that it needed to be something in the Users file that 
said, OK, I can't auth you with that user/pass, so have an IP of 192.168 
 ??Can the Users file do this??

Am I missing something somewhere?

At the end of the users-file, in your DEFAULT entry, try something
like:

DEFAULT Auth-Type := Accept
  Framed-IP-Address = 192.168.0.1

( or use the Ascend attributes to assign from a different pool
   than the default )


What you are trying to do is not something that is normally done, so
there isn't a predetermined way of doing it.  You'll need to try playing
with different types of entries in the users file, and may in fact have
to write your own module or external program to do this.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Website/ftp site down ?

2001-12-17 Thread Chris Parker

At 09:50 AM 12/18/2001 +1300, Simon Byrnand wrote:
At 11:31 AM 17/12/01 -0500, you wrote:

 Simon Byrnand [EMAIL PROTECTED] wrote:
  Is anyone else having trouble reaching the freeradius website and ftp
site ?
 
   There are often small network disconnects *somewhere* in the net.

Yep, it looks like a routing problem, and 24 hours later, it's still there :-(

Here is a traceroute:

traceroute www.freeradius.org
traceroute to freeradius.org (64.24.0.50), 30 hops max, 38 byte packets
  1  max3.whan.igrin.co.nz (202.49.244.250)  3.440 ms  2.506 ms  3.324 ms
[ ... ]
14  p15-0.crtntx1-br1.bbnplanet.net (4.24.10.113)  284.657 ms  316.034 ms
353.938 ms

That's one of Genuity ( bbnplanet.net )'s hubs, in Carrollton, TX.

Genuity is one of the providers that we ( StarNet ) use for transit.  In
tracing back to your originating IP, I'm showing it dying in Globalcrossing
in Chicago, IL:

traceroute to 202.49.244.250 (202.49.244.250), 30 hops max, 40 byte packets
  1  pal1-core1-f0-0.starnetinc.com (216.126.128.1) 1 ms 1 ms  1 ms
  2  s11-0-1.chicago1-cr1.bbnplanet.net (4.0.194.1)  3 ms  4 ms  3 ms
  3  p4-0.chicago1-nbr1.bbnplanet.net (4.0.1.113)  3 ms  3 ms  3 ms
  4  p4-1.chcgil1-cr1.bbnplanet.net (4.0.2.218)  3 ms  4 ms  5 ms
  5  p5-0.chcgil1-br1.bbnplanet.net (4.24.5.241)  4 ms  4 ms  3 ms
  6  so-3-0-0.chcgil2-br1.bbnplanet.net (4.24.9.69)  3 ms  3 ms  4 ms
  7  p1-0.chcgil2-cr1.bbnplanet.net (4.24.7.134)  4 ms  3 ms  4 ms
  8  so3-2-2-155M.br2.CHI1.gblx.net (208.51.6.17)  15 ms  15 ms  15 ms
  9  pos6-0-2488M.cr1.CHI1.gblx.net (208.49.59.205)  15 ms  14 ms  14 ms
10  * * *

Looks like a routing problem at bbnplanet. 24 hours seems a long time for a
routing problem like that. Who should I contact ?

Your upstream bandwidth provider.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: LDAP and unix Passwords

2001-12-18 Thread Chris Parker

At 09:38 AM 12/18/2001 -0500, Jim Greene wrote:
Hey All,
 Can I do the following:
Use LDAP for authentication, by importing my current userbase from
passwd/shadow.  These will be crypt'd passwords as I do not have them in
clear text.  Does anyone have a file to convert these accounts to LDAP if
this can be done ?

I'm not familiar enough with LDAP to know if this is possible.  Someone
else will have to comment on this.

Can I do Authentication in LDAP and accounting in mysql at the same time ?

Yes.

Anyone have an example config file doing these things ?

There are lots of examples in the 'radiusd.conf' that ships by default.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Monthly-Time-Limit and Total-Time-Limit

2001-12-18 Thread Chris Parker

At 02:12 PM 12/18/2001 -0800, power jessie wrote:

Thank you very much Sir Alan! you rock :)

I've successfully configured freeradius 0.4
in my freebsd box, and it seems to be working
very well now. i have a cisco nas configured too
and the aaa via the mysql module.

My problem now is that I want to implement
ICradius' 'Monthly-Time-Limit' and 'Total-Time-Limit'
attributes but there seems to be no support yet to these
in freeradius.  Am I right or is it supported already?

If not, is there a way I can do this in freeradius?
Any suggestions?

Use the 'counter' module!  See the comments/example in 'radiusd.conf':

 #  This module takes an attribute (count-attribute), which MUST
 #  be an 'integer' or 'time' attribute.  It also takes a key,
 #  and creates a counter for each unique key.  The count is
 #  incremented when accounting packets are received by the
 #  server.  The value of the increment is the value of the
 #  count-attribute.
 #
 #  The 'reset' parameter defines when the counters are all reset to
 #  zero.  It can be hourly, daily, weekly, or monthly.
 #
 #  The counter-name is the name of the attribute in the 'users'
 #  file used to access that counter.  e.g.
 #
 #  DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
 #      Reply-Message = "You've used up more than one hour today"
 counter {
     filename = ${raddbdir}/db.counter
     key = User-Name
     count-attribute = Acct-Session-Time
     reset = daily
     counter-name = Daily-Session-Time
     check-name = Max-Daily-Session
     allowed-servicetype = Framed-User
     cache-size = 5000
 }

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Resetting counters

2001-12-18 Thread Chris Parker

At 04:30 PM 12/18/2001 +0200, Kostas Kalevras wrote:
On Tue, 18 Dec 2001, Aleksandr Kuzminsky wrote:

  Hi.
 
  If I use counter module, can I never reset counter?

In the example in 'radiusd.conf' it says:

 #
 #  The 'reset' parameter defines when the counters are all reset to
 #  zero.  It can be hourly, daily, weekly, or monthly.
 #

There is not a way to manually reset the counters.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'




