Re: accept Simultaneous-use from specific router
> > Dear all,
> >
> > I had FreeRADIUS server 0.9.3 running and everything is going well, and the Simultaneous-Use is working fine. I defined Simultaneous-Use to be 1, but I want to be allowed to skip the simultaneous-use check when the radius request comes from a specific router. Can I do that? Is it doable or not? If yes, how can I do it?
>
> Simultaneous attribute on one database would automatically check for its value upon arrival of access request packets, regardless of router source. My advice for you is to have a secondary radius server with a separate database and of course without simultaneous attribute on the said database.

I have not yet done the things you are suggesting yet, but why remove the simultaneous check attribute?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP TLS blocked: solved
Hello everyone, as you probably remember I had the following problem on the conversation between my Access Point and the client: after the EAP Change Cipher Spec message sent from the server to the client everything was blocked (I mean no more messages exchanged). However, I noted that my Windows XP client was asking me in a pop-up window whether to accept or not the root certification authority of the server. This behaviour sounded weird to me because I had installed as usual the rootCA on the client. So can anyone explain to me what was wrong? Thank you!
Cisco-AVPair accounting
Hi all,

I can't figure out what I'm doing wrong with the cisco_vsa_hack = yes. I have it defined in the radiusd.conf and when starting radiusd -X I see

 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess)

So I presume that the hack has been included. Now from some mailings I've read http://lists.cistron.nl/pipermail/freeradius-devel/2001-August/001211.html If you follow the thread, the patch that he puts forward is exactly what I'm after but I've tried his patch but the source has changed too much since 2001 ;)

What I'm seeing in the logs is this:

rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx:1646, id=37, length=360
        NAS-IP-Address = xxx.xxx.xxx.xxx
        NAS-Port = 118
        Cisco-NAS-Port = Async118
        NAS-Port-Type = Async
        User-Name = wap
        Called-Station-Id =
        Calling-Station-Id =
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        Acct-Session-Id = 0067
        Framed-Protocol = PPP
        Framed-IP-Address = 10.100.1.254
        Acct-Terminate-Cause = Lost-Carrier
        Acct-Input-Octets = 420
        Acct-Output-Octets = 4565
        Acct-Input-Packets = 24
        Acct-Output-Packets = 77
        Acct-Session-Time = 197
        Cisco-AVPair = disc-cause-ext=1011
        Cisco-AVPair = pre-bytes-in=78
        Cisco-AVPair = pre-bytes-out=132
        Cisco-AVPair = pre-paks-in=3
        Cisco-AVPair = pre-paks-out=5
        Cisco-AVPair = pre-session-time=4
        Cisco-AVPair = nas-rx-speed=9600
        Cisco-AVPair = nas-tx-speed=9600
        Acct-Delay-Time = 0

when with the Cisco-AVPair all I want to log to mysql is:

pre-session-time=4
nas-rx-speed=9600
etc

Is there something I'm missing or have done terribly wrong?

Regards
Brent

-- 
Regards, Brent
Linux Registered User #309941
ASCII Ribbon Campaign Against HTML Mail
PGP Key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x01445B63
How to add multiple MySQL queries/stmts for each Accounting START/STOP packets?
Hi All,

Is there a way to add a number of SQL statements into SQL.conf to execute for each Accounting START/STOP packet? I need to update multiple tables with stats once radiusd receives an accounting START or STOP packet. Please see my current SQL.CONF entries below. Can I write?

Accounting_start_query = (INSERT Statement1; Delete Statement; Update Statement)

Thanks in Advance,
Sagar

Accounting_start_query = INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')

accounting_start_query_alt = UPDATE ${acct_table1} SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'

accounting_stop_query = UPDATE ${acct_table2} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'

accounting_stop_query_alt = INSERT into ${acct_table2} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}, 'seconds'), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')
want to reject if not in a unix group
I'm having difficulty understanding the processing of the users file. I've read it and the O'Reilly _Radius_ book but I'm still having problems.

Here's my environment: I have a legacy radius server (10.1.4.51) that validates user name / password combinations. I am creating a freeradius (0.9.3) proxy server to sit between the NAS and the above user name / password validation server.

Here's what I WANT to do: What I want it to do is check that if a request comes from my Lucent MAX 6000 dial-up server, that it verifies that this user is a member of a unix group called dialupgrp. I put the Lucent NAS in a huntgroup called dialserver. If the user is in the unix group dialupgrp, then check the user name / password combination by passing the request over to the legacy radius server. If the user name is not in the unix group called dialupgrp, then send back an Access-Reject.

My problem is that my radius server is passing the request onto the other even when it does match my users file processing and I add Auth-Type = Reject and the legacy server is saying that - sure, the name / password combination is OK by him so I'm sending back an Access-Accept. I don't want to do that if it matches the Group != dialupgrp in my user file processing.

Here's my user file config:

--- Snip snip snip ---
#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#

# This is to authenticate Lucent dial-up users
DEFAULT Huntgroup-Name == dialserver, Group != dialupgrp, Auth-Type = Reject
#       Service-Type = Shell-User

#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT Auth-Type := System, Group == dialupgrp
        Fall-Through = 1

#
# Set up different IP address pools for the terminal servers.
# Note that the + behind the IP address means that this is the base
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT Service-Type == Framed-User, Huntgroup-Name == alphen
#       Framed-IP-Address = 192.168.1.32+,
#       Fall-Through = Yes

#DEFAULT Service-Type == Framed-User, Huntgroup-Name == delft
#       Framed-IP-Address = 192.168.2.32+,
#       Fall-Through = Yes

#
# Defaults for all framed connections.
#
DEFAULT Service-Type == Framed-User, Group == dialupgrp
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = PPP, since PPP might also be auto-detected
# by the terminal server in which case there may not be a P suffix.
# The terminal server sends Framed-Protocol = PPP for auto PPP.
#
DEFAULT Framed-Protocol == PPP, Group == dialupgrp
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == CSLIP
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == SLIP
        Framed-Protocol = SLIP

#
# Last default: rlogin to our main server.
#
#DEFAULT
#       Service-Type = Login-User,
#       Login-Service = Rlogin,
#       Login-IP-Host = shellbox.ispdomain.com
--- Snip snip snip ---

I'm testing using NTRadPing from 10.1.99.4. Here's the debug output:

--- Snip snip snip ---
rad_recv: Access-Request packet from host 10.1.160.1:1025, id=103, length=112
Thread 3 assigned request 2
--- Walking the entire request list ---
Sending Access-Reject of id 68 to 10.1.209.54:1812
        Reply-Message = Undefined person
Waking up in 4 seconds...
Thread 3 handling request 2, (1 handled so far)
        User-Name = aa0781
        CHAP-Password = 0x01636e31a424f1a3eabda8bff99a922cb7
        NAS-IP-Address = 10.1.160.1
        NAS-Port = 20401
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Session-Id = 373416159
        Ascend-Data-Rate = 21600
        Ascend-Xmit-Rate = 21600
rad_lowerpair: User-Name now 'aa0781'
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 2
  modcall[authorize]: module eap returns noop for request 2
  rlm_realm: No '@' in User-Name = aa0781, looking up realm NULL
  rlm_realm: Found realm NULL
  rlm_realm: Adding Stripped-User-Name = aa0781
  rlm_realm: Proxying request from user aa0781 to realm NULL
  rlm_realm: Adding Realm = NULL
  rlm_realm: Preparing to proxy authentication request to realm NULL
  modcall[authorize]:
Re: Realms and L2TP forwarding...
On Tue, Apr 27, 2004 at 01:13:19PM -0400, Alan DeKok wrote:
> Thomas Bridge [EMAIL PROTECTED] wrote:
> > Currently I have a Cisco BAS terminating broadband customers. Most of our customers would have their PPP connection terminate on the BAS, but I would like to forward customers who specify a specific realm onto another BAS for another ISP. My customers are authenticated using CHAP off an LDAP server.
>
> Then you want to mark proxied customers as NOT using LDAP.

I used to do Auth-Type := LDAP for customers - however, I had to stop doing this in order to support CHAP.

> > Is there something obvious in the users file I am missing? If I query [EMAIL PROTECTED], I get the correct attributes back. However, if I query [EMAIL PROTECTED], where user2 has an LDAP entry, I get the following back:
>
> Is that user2 a user in a different realm? If so, you can key off of the realms to tell them apart.

If the realm is specified, then yes it would be - bear in mind I do not want to authorize the customer - I simply want to pass the PPP session through to a remote LNS and leave it to the LNS configuration to determine whether or not to authorize the customer. I'm pretty certain the Cisco will not do what I want it to with the Framed-User attribute.

> > In any case my question - how do I ensure it's just tunnel property configs that are returned for this realm even if the username exists in the NULL realm?
>
> First, if a user logs in *without* a realm, you should treat that differently than users logging in with a realm.
>
> Second, the reason [EMAIL PROTECTED] matches user2 from LDAP is that it's using the Stripped-User-Name in the LDAP query. Change that to something else, and it should be better.

The problem I am facing though is that customers can log in with a NULL realm or our own Realm.

> > Am I looking at Autz-Type, or something else?
>
> You can do that too. List ldap in an Autz-Type block, and key in the users file off of the *other* realm names, and set Autz-Type := LDAP. That way you can force certain realms to use LDAP, and other realms to use something else.

Okay, I'll look into this.

Thomas
Re: New MSCHAP winbindd code
Steve OBrien [EMAIL PROTECTED] wrote:
> Has anyone successfully tested the new mschap ntlm_auth code with EAP yet?

Not me, but people I know. If it works for plain MS-CHAPv2, it will work for PEAP.

The only problem with ntlm_auth is that it requires you to *also* be running winbindd and nmbd, both of which are non-trivial to set up. (i.e. It took more than 20 minutes for me to set up the most basic of configurations, so I did something else, instead.)

Alan DeKok.
(no subject)
Hi,

I am working with FreeRADIUS and a Cisco AS5300. Now I am only using it for accounting logs. I would like to use it as authenticator too. Could anybody show me which parameters I should set in the users file for each user of my VoIP gateway?

Regards
Authorization and authentication
Hello,

I have the following problem: how can I remotely authenticate a user (in his home network) and, at the same time, authorize him locally? Basically my scenario is as follows: A mobile user belonging to network A moves to network B. Network B proxies the authentication request to network A in order to have proof of the user's identity. But how can network A set the permissions for the user in its local network? Is that possible, or must we proxy even the authorization request?

Thank you for your help
pam_radius_auth FAQ
Hi,

I have downloaded and installed pam_radius_auth on a Gentoo Linux box. It sort-of works, however not always as I expect. Before I bore the list with trivial questions which might have been answered previously, perhaps someone can point me in the direction of an FAQ or some more background information than just http://www.freeradius.org/pam_radius_auth/. Any advice appreciated.

Thanks in advance.

Best regards,
Simon Wesche
Re: mschap ntlm_auth
Steve OBrien [EMAIL PROTECTED] wrote:
> When trying to test this with PEAP I occasionally get the ntlm_auth attempting to use winbindd but mostly I just see the EAP conversation (which is known good).

If there's a User-Password available, the MS-CHAP module will use that. To force ntlm_auth, set:

        MS-CHAP-Use-NTLM-Auth = 1

> DEFAULT Auth-Type := mschap
>         Fall-Through = 1

You shouldn't need that, even for testing. Try it with plain MS-CHAPv2 first, and then move to PEAP.

Alan DeKok.
Cisco-Avpair
How do I enable the Cisco-Avpair attribute? How do I enable the Cisco dictionary?

Thanks in advance for your help, I'm inexpert!

Monica M.
Re: How to add multiple MySQL queries/stmts for each Accounting START/STOP packets?
Not that I know of using standard methods.

If you were using PostgreSQL you could use 'rules' for inserts and updates that could invoke additional actions. See: http://www.postgresql.org/docs/7.4/interactive/rules-update.html

FreeRADIUS does work with PostgreSQL.

[EMAIL PROTECTED] wrote:
> Hi All,
>
> Is there a way to add a number of SQL statements into SQL.conf to execute for each Accounting START/STOP packet? I need to update multiple tables with stats once radiusd receives an accounting START or STOP packet. Please see my current SQL.CONF entries below. Can I write?
>
> Accounting_start_query = (INSERT Statement1; Delete Statement; Update Statement)
>
> Thanks in Advance,
> Sagar
>
> [...]

-- 
Guy Fraser
Network Administrator
The Internet Centre
configuring the NAS
Hello,

I have the freeradius server v0.9.3 installed. It works with PAM clients under Linux, and with W2K dial-in via a NAS Windows (under W2K server). I'm now trying to configure a switch Catalyst 3750 to be the NAS, but it still doesn't work. Here is the actual configuration of the switch:

aaa new-model
aaa authentication ppp default if-needed group radius local
aaa authorization network default group radius
aaa accounting update newinfo
aaa accounting exec default start-stop group radius
aaa accounting network default wait-start group radius
aaa accounting connection default start-stop group radius
radius-server host 192.168.9.200
radius-server key secret

What do I have to do more? The W2K dial-in is connecting to the switch via PPTP or L2TP.

Thank you very much for answering me as soon as possible,

Déborah Malka
Cisco config to use two radius servers
Morning folks,

I'm trying to get accounting data to go to our billing radius server, and our authentication/authorization to go to be requested. I tried inputting:

radius-dev(config)#radius-server host 4.3.2.1 auth 1812
radius-dev(config)#radius-server host 1.2.3.4 acct 1813

but I ended up with:

radius-server host 4.3.2.1 auth-port 1812 acct-port 1646
radius-server host 1.2.3.4 auth-port 1645 acct-port 1813

I haven't been able to find any docs on this. Anybody have the same problem?

TIA,
Rob

I also want to set up a second authentication radius box, but first things first!
Re: Cisco-AVPair accounting
Brent Geach [EMAIL PROTECTED] wrote:
> when with the Cisco-AVPair all I want to log to mysql is:
>
> pre-session-time=4
> nas-rx-speed=9600

Do those attributes exist in the dictionary.cisco file?

Alan DeKok.
Re: Cisco-AVPair accounting
Not sure if caps is important but they are there, eg

ATTRIBUTE Cisco-PreSession-Time 198 integer Cisco

Or should I edit this (left this as the original standard was) to reflect pre-session-time?

On Wed, 28 Apr 2004, Alan DeKok wrote:
> Brent Geach [EMAIL PROTECTED] wrote:
> > when with the Cisco-AVPair all I want to log to mysql is:
> >
> > pre-session-time=4
> > nas-rx-speed=9600
>
> Do those attributes exist in the dictionary.cisco file?
>
> Alan DeKok.

-- 
Regards, Brent
Linux Registered User #309941
ASCII Ribbon Campaign Against HTML Mail
PGP Key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x01445B63
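The thread above (Brent's Accounting-Request dump and Alan's question about dictionary.cisco) turns on how Cisco-AVPair strings are taken apart before anything reaches the database. The following Python is an added example, not code from the thread or from FreeRADIUS: it parses a radiusd -X style packet dump, splits each Cisco-AVPair into "name=value", and keeps only allow-listed names whose value parses as the expected type, returning everything else so it can be logged instead of stored. As I read the preprocess module's cisco_vsa_hack it likewise only promotes names it can find in the dictionary, which is why the dictionary question matters, but that reading is mine and not stated on the page. The sample dump, its addresses, the two deliberately malformed pairs at the end, and the allow-list are all constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# One "name = value" attribute line from a radiusd -X packet dump.
ATTR_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")

# Names packed inside Cisco-AVPair that we are willing to store, each with the
# type its value must parse as. This allow-list is an assumption made for the
# example; it is not FreeRADIUS's dictionary.cisco.
WANTED_AVPAIRS: Dict[str, type] = {
    "pre-session-time": int,
    "pre-bytes-in": int,
    "pre-bytes-out": int,
    "pre-paks-in": int,
    "pre-paks-out": int,
    "nas-rx-speed": int,
    "nas-tx-speed": int,
    "disc-cause-ext": int,
}

# Constructed sample in the shape of the Accounting-Request dump quoted in the
# thread; the address and the malformed pairs near the end are made up.
SAMPLE_DEBUG = """\
rad_recv: Accounting-Request packet from host 192.0.2.10:1646, id=37, length=360
        NAS-IP-Address = 192.0.2.10
        NAS-Port = 118
        Cisco-NAS-Port = "Async118"
        User-Name = wap
        Acct-Status-Type = Stop
        Acct-Session-Id = 0067
        Acct-Session-Time = 197
        Cisco-AVPair = disc-cause-ext=1011
        Cisco-AVPair = pre-session-time=4
        Cisco-AVPair = "nas-rx-speed = 9600"
        Cisco-AVPair = nas-tx-speed=fast
        Cisco-AVPair = h323-ivr-out=Tariff:Unknown
        Cisco-AVPair = no-equals-sign
        Acct-Delay-Time = 0
"""


def parse_debug_attrs(text: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in packet order; repeats (Cisco-AVPair) are kept."""
    attrs: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue  # "rad_recv: ..." and other non-attribute lines
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # some radiusd versions quote string values
        attrs.append((name, value))
    return attrs


def split_avpair(value: str) -> Optional[Tuple[str, str]]:
    """Split one Cisco-AVPair string into (name, value). Cisco packs them as
    'name=value' or 'name = value'; anything without '=' yields None."""
    name, sep, val = value.partition("=")
    if not sep or not name.strip():
        return None
    return name.strip(), val.strip()


def extract_wanted_avpairs(attrs: List[Tuple[str, str]],
                           wanted: Dict[str, type] = WANTED_AVPAIRS
                           ) -> Tuple[Dict[str, int], List[str]]:
    """Promote allow-listed Cisco-AVPair entries to typed fields. Unknown,
    malformed or wrongly typed entries come back in `rejected` so the caller can
    log them rather than silently write NAS-supplied text into the database."""
    fields: Dict[str, int] = {}
    rejected: List[str] = []
    for name, value in attrs:
        if name != "Cisco-AVPair":
            continue
        pair = split_avpair(value)
        if pair is None or pair[0] not in wanted:
            rejected.append(value)
            continue
        key, raw = pair
        try:
            fields[key] = wanted[key](raw)
        except ValueError:
            rejected.append(value)  # right name, wrong type: do not store it
    return fields, rejected


def accounting_record(text: str) -> Tuple[Dict[str, object], List[str]]:
    """Build one flat record for an accounting table from a packet dump."""
    attrs = parse_debug_attrs(text)
    plain = dict(attrs)  # fine for attributes that occur once
    record: Dict[str, object] = {
        "username": plain.get("User-Name", ""),
        "session_id": plain.get("Acct-Session-Id", ""),
        "nas_ip": plain.get("NAS-IP-Address", ""),
        "status": plain.get("Acct-Status-Type", ""),
        "session_time": int(plain.get("Acct-Session-Time", "0")),
    }
    fields, rejected = extract_wanted_avpairs(attrs)
    record.update(fields)
    return record, rejected
```

The record's values are typed before they go anywhere near SQL, so they can be bound as parameters instead of being interpolated into the query text the way the %{...} expansions in sql.conf are.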
Re: Cisco config to use two radius servers
On Wednesday 28 April 2004 10:53, RH List Account wrote:
> radius-dev(config)#radius-server host 4.3.2.1 auth 1812
> radius-dev(config)#radius-server host 1.2.3.4 acct 1813

Use this:

radius-server host 4.3.2.1 auth-port 1812 acct-port 0
radius-server host 1.2.3.4 auth-port 0 acct-port 1813

Kevin Bonner
Re: Cisco config to use two radius servers
On Wed, 2004-04-28 at 10:53, RH List Account wrote:
> Morning folks,
>
> I'm trying to get accounting data to go to our billing radius server, and our authentication/authorization to go to be requested. I tried inputting:
>
> [...]
>
> I haven't been able to find any docs on this. Anybody have the same problem?

A little iptables prerouting action may be helpful if you are running on Linux.

Ted
Re: Cisco config to use two radius servers
hi rob,

try this:

radius-server host [ip-first-auth] auth 1812 acct 0
radius-server host [ip-fallback-auth] auth 1812 acct 0
radius-server host [ip-first-acct] auth 0 acct 1813
radius-server host [ip-fallback-acct] auth 0 acct 1813

-- 
gerald
Re: configuring the NAS
Try setting the ports on the switch's config, I will bet you are running on 1812 and 1813 and the switch is using 1645 and 1646.

Ted

On Wed, 2004-04-28 at 10:53, deborha malka wrote:
> Hello,
>
> I have the freeradius server v0.9.3 installed. It works with PAM clients under Linux, and with W2K dial-in via a NAS Windows (under W2K server). I'm now trying to configure a switch Catalyst 3750 to be the NAS, but it still doesn't work. Here is the actual configuration of the switch:
>
> [...]
>
> What do I have to do more? The W2K dial-in is connecting to the switch via PPTP or L2TP.
losing my mind
I believe I've lost my mind.

I have a NAS unit (USR Netserver PRI) that will not authenticate on a radius server running on OpenBSD/sparc64. The shared secret and password decoding is the problem - Freeradius thinks the secret is wrong.

I compiled Freeradius-0.9.3 identically under NetBSD 1.6.2 and got it to work. The Netserver will also authenticate against freeradius on Solaris. I then copied the clients.conf and radiusd.conf (the only files I modified) from the working NetBSD system onto the OpenBSD system and it doesn't work - thinks the shared secret is wrong.

I've actually tried alternate radius servers: cistron, livingston/lucent, DTC radius, and perl radius modules and they all have the shared-secret problem under OpenBSD. Finally, I tried having it authenticate against an OpenBSD/i386 system that is working with a Cisco AS5200 and again it failed.

I should add that it works fine for accounting - the problem is really only with the shared secret for auth.

I compile Freeradius on *BSD like so:

./configure --disable-shared --enable-static --without-rlm_krb5 \
make
make install

My clients.conf:

client 127.0.0.1 {
        secret = test
        shortname = localhost
        nastype = other
}

client 216.191.240.4 {
        secret = secret
        shortname = ottawa
}

My radiusd.conf is defaults except the port = 1645, and I commented out the eap stuff (radiusd on openbsd bombs on the eap modules).

Have I lost my mind?

-- 
Andre Dalle [EMAIL PROTECTED]
Gone Bonkers
RE: Cisco config to use two radius servers
Perfect. Thanks all.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gerald Krause
Sent: Wednesday, April 28, 2004 2:37 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco config to use two radius servers

> hi rob,
>
> try this:
>
> [...]
RE: how to do accounting with mysql?
I've set up sqlcounter and I'm on testing right now, the next step is prepaid cards and still don't know how to do them

Rogelio Alvarado Anchisi
Systems Engineer
Galaxy Communications Corp.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Berry
Sent: Tuesday, 27 April 2004 11:14
To: [EMAIL PROTECTED]
Subject: RE: how to do accounting with mysql?

> > The NAS has the fake response off, so it is sending the packages. How do I check if it is sending them? I want to have another reference.
> >
> > Other thing. I put the sqlcounter stuff but I don't have any sqlcounter.so or something like that on my lib. What do I have to do to download it and put it on my lib?
>
> I am doing accounting with MySQL without sqlcounter (since I'm not limiting my user's connection time). Have you been able to get this to work? Do you still need any help?
Re: how to do accounting with mysql?
> I've set up sqlcounter and I'm on testing right now, the next step is prepaid cards and still don't know how to do them

read the subscription list
how to do accounting with mysql using the radacct table?
Ok, I set up sqlcounter and made my tests. And it keeps failing because the sqltrace never shows the SQL sentences for accounting. I don't know if it's the table or if it could be something else that is jamming my stuff.

Questions:

How do I have to fill the radcheck and userinfo in order to make accounting? As far as I've done I just put password and pool-name attributes, what am I missing? All the documentation I find doesn't explain it.

How do I fill the radacct?

Rogelio Alvarado Anchisi
Systems Engineer
Galaxy Communications Corp.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Milver S. Nisay
Sent: Wednesday, 28 April 2004 14:34
To: [EMAIL PROTECTED]
Subject: Re: how to do accounting with mysql?

> > I've set up sqlcounter and I'm on testing right now, the next step is prepaid cards and still don't know how to do them
>
> read the subscription list
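Two threads above meet here: Sagar asked for several SQL statements per Accounting Start/Stop (Guy's answer: not with sql.conf as it stands), and Rogelio asks how radacct gets filled at all. The following Python with sqlite3 is an added example, not FreeRADIUS code, that plays back the logic encoded by the quoted sql.conf queries (start, start_alt, stop, stop_alt) as parameterized statements, applies them together with a second table in one transaction per packet, and treats retransmitted Start and Stop packets so nothing is counted twice. The radacct column names follow the quoted queries; the reduced column set, the usage_totals table, the packets and the timestamps are constructed for the example.

```python
import sqlite3
from typing import Dict, Optional, Tuple

# Cut-down radacct (the columns the Start/Stop queries in the thread touch) plus a
# second table kept in step with it. Constructed for the example.
SCHEMA = """
CREATE TABLE radacct (
    AcctSessionId      TEXT NOT NULL,
    NASIPAddress       TEXT NOT NULL,
    UserName           TEXT NOT NULL,
    AcctStartTime      INTEGER,
    AcctStopTime       INTEGER,
    AcctSessionTime    INTEGER NOT NULL DEFAULT 0,
    AcctInputOctets    INTEGER NOT NULL DEFAULT 0,
    AcctOutputOctets   INTEGER NOT NULL DEFAULT 0,
    AcctTerminateCause TEXT NOT NULL DEFAULT '',
    PRIMARY KEY (AcctSessionId, NASIPAddress)
);
CREATE TABLE usage_totals (
    UserName TEXT PRIMARY KEY,
    Sessions INTEGER NOT NULL DEFAULT 0,
    Seconds  INTEGER NOT NULL DEFAULT 0,
    Octets   INTEGER NOT NULL DEFAULT 0
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def handle_accounting(conn: sqlite3.Connection, pkt: Dict[str, str], now: int) -> str:
    """Apply one Accounting-Request to both tables in a single transaction.
    `now` is the receive time in epoch seconds (passed in so runs are repeatable).
    Returns which path was taken, mirroring the query / query_alt pairs in sql.conf."""
    status = pkt.get("Acct-Status-Type")
    if status not in ("Start", "Stop"):
        raise ValueError(f"unsupported Acct-Status-Type: {status!r}")
    key = (pkt["Acct-Session-Id"], pkt["NAS-IP-Address"])
    user = pkt.get("User-Name", "")
    delay = int(pkt.get("Acct-Delay-Time", "0"))
    with conn:  # commit on success, roll back every statement on any exception
        if status == "Start":
            cur = conn.execute(
                "INSERT OR IGNORE INTO radacct (AcctSessionId, NASIPAddress, UserName, AcctStartTime)"
                " VALUES (?, ?, ?, ?)", (*key, user, now - delay))
            if cur.rowcount == 1:
                return "start"
            # Retransmitted Start: the row exists, so fall back to the UPDATE (start_query_alt).
            conn.execute("UPDATE radacct SET AcctStartTime = ? WHERE AcctSessionId = ? AND NASIPAddress = ?",
                         (now - delay, *key))
            return "start-alt"
        secs = int(pkt.get("Acct-Session-Time", "0"))
        in_octets = int(pkt.get("Acct-Input-Octets", "0"))
        out_octets = int(pkt.get("Acct-Output-Octets", "0"))
        cause = pkt.get("Acct-Terminate-Cause", "")
        cur = conn.execute(
            "UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = ?, AcctInputOctets = ?,"
            " AcctOutputOctets = ?, AcctTerminateCause = ?"
            " WHERE AcctSessionId = ? AND NASIPAddress = ? AND AcctStopTime IS NULL",
            (now, secs, in_octets, out_octets, cause, *key))
        if cur.rowcount == 1:
            path = "stop"
        else:
            # No open row: either the Start was never seen (insert the whole session,
            # deriving the start time as stop_query_alt's DATE_SUB does) or this Stop
            # is a retransmit of one already applied.
            cur = conn.execute(
                "INSERT OR IGNORE INTO radacct (AcctSessionId, NASIPAddress, UserName, AcctStartTime,"
                " AcctStopTime, AcctSessionTime, AcctInputOctets, AcctOutputOctets, AcctTerminateCause)"
                " VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
                (*key, user, now - secs - delay, now, secs, in_octets, out_octets, cause))
            if cur.rowcount == 0:
                return "stop-duplicate"  # already closed: leave the totals alone
            path = "stop-alt"
        # The second table, updated for the same packet inside the same transaction.
        cur = conn.execute(
            "UPDATE usage_totals SET Sessions = Sessions + 1, Seconds = Seconds + ?, Octets = Octets + ?"
            " WHERE UserName = ?", (secs, in_octets + out_octets, user))
        if cur.rowcount == 0:
            conn.execute("INSERT INTO usage_totals (UserName, Sessions, Seconds, Octets) VALUES (?, 1, ?, ?)",
                         (user, secs, in_octets + out_octets))
        return path


def session_row(conn: sqlite3.Connection, session_id: str, nas_ip: str) -> Optional[Tuple]:
    return conn.execute(
        "SELECT UserName, AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause"
        " FROM radacct WHERE AcctSessionId = ? AND NASIPAddress = ?", (session_id, nas_ip)).fetchone()


def user_totals(conn: sqlite3.Connection, user: str) -> Optional[Tuple[int, int, int]]:
    return conn.execute("SELECT Sessions, Seconds, Octets FROM usage_totals WHERE UserName = ?",
                        (user,)).fetchone()
```

The `AcctStopTime IS NULL` guard on the Stop update is what keeps a retransmitted Stop from reaching the totals table a second time; without it the second table drifts away from radacct exactly when the network is flaky.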
Vendor Specific attribute in authorization packet
I am sending an authorization packet from radclient with vendor specific attribute: Cisco-AVPair=ip:xxx along with username and correct password. RADIUS server authorizes the user with access-accept packet with Cisco-AVPair=ip:yyy, which confuses me. Because in the users file on server side I have Cisco-AVPair=ip:yyy and I send request with Cisco-AVPair=ip:xxx. I am confused about vendor specific attributes treatment by RADIUS.

Also, I have one small confusion about vendor specific attribute. What exactly RADIUS server does if vendor-specific attribute is received in access-request packet. Can someone throw some light to clear my confusion?

Thanks,
Nishant
Re: losing my mind
Andre Dalle [EMAIL PROTECTED] wrote:
> I have a NAS unit (USR Netserver PRI) that will not authenticate on a radius server running on OpenBSD/sparc64. The shared secret and password decoding is the problem - Freeradius thinks the secret is wrong.

I recall OpenBSD issues...

> I've actually tried alternate radius servers: cistron, livingston/lucent, DTC radius, and perl radius modules and they all have the shared-secret problem under OpenBSD.

Yup. OpenBSD is magic. I don't recall what they're doing, but it certainly seems to be an issue.

> Have I lost my mind?

Using OpenBSD? I won't comment.

See bugs.freeradius.org for a pointer to patches for OpenBSD. They may help.

Alan DeKok.
Why is username blank in MySql w/ bad password attempt?
Hello all,

I am using Freeradius 0.9.3 on an X86 machine running Gentoo Linux. I compiled Freeradius myself from source. I am using Ascend Max for NAS. We are authenticating users from authentication data in a MySql database. I am also using the PHP interface called "Dialup Admin".

I need to collect bad password attempts daily. If someone types their correct username and a bad password to begin their dialup session, the termination cause gets logged in the radacct table in mysql with a blank username. The radius.log flat file logs a message stating 'Login incorrect' with the username, but I'd rather get it from mysql with the termination cause.

Is this a bug in Freeradius? In Mysql? Is this a feature?

Thanks in advance,
Jeff
Re: Vendor Specific attribute in authorization packet
Shah, Nishant B [EMAIL PROTECTED] wrote:
> I am sending an authorization packet from radclient with vendor specific attribute: Cisco-AVPair=ip:xxx

Ok... I don't see why, though.

> RADIUS server authorizes the user with access-accept packet with Cisco-AVPair=ip:yyy, which confuses me.

That's probably what you told it to do.

> Because in the users file on server side I have Cisco-AVPair=ip:yyy

There you go. You told it to send that response.

> and I send request with Cisco-AVPair=ip:xxx. I am confused about vendor specific attributes treatment by RADIUS.

There's nothing special about vendor-specific attributes. You're getting confused because the reply isn't a copy of the request. It's not supposed to be. The problem is in your expectations, not in what the server is doing.

> Also, I have one small confusion about vendor specific attribute. What exactly RADIUS server does if vendor-specific attribute is received in access-request packet.

It does lots of things. Do you have a more specific question?

As a general answer, the server treats vendor-specific attributes just like normal attributes. There really is no difference between the two, except which dictionary file they sit in.

Alan DeKok.
Re: want to reject if not in a unix group
Patrick Bartkus [EMAIL PROTECTED] wrote:
> What I want it to do is check that if a request comes from my Lucent MAX 6000 dial-up server, that it verifies that this user is a member of a unix group called dialupgrp. I put the Lucent NAS in a huntgroup called dialserver. If the user is in the unix group dialupgrp, then check the user name / password combination by passing the request over to the legacy radius server. If the user name is not in the unix group called dialupgrp, then send back an Access-Reject.

That's not a problem.

> My problem is that my radius server is passing the request onto the other even when it does match my users file processing

Because the server is looking at more than the users file.

>   rlm_realm: No '@' in User-Name = aa0781, looking up realm NULL
>   rlm_realm: Found realm NULL
>   rlm_realm: Adding Stripped-User-Name = aa0781
>   rlm_realm: Proxying request from user aa0781 to realm NULL
>   rlm_realm: Adding Realm = NULL
>   rlm_realm: Preparing to proxy authentication request to realm NULL

So... you've configured the NULL realm to proxy all requests to another server. So even if the users file entries match, you didn't *over-ride* that command to proxy the packet.

Further, your Auth-Type configuration is inconsistent:

>   modcall[authorize]: module preprocess returns ok for request 2
>   rlm_chap: Setting 'Auth-Type := CHAP'

So for CHAP requests, it sets Auth-Type to CHAP. You also have the following in your users file:

  DEFAULT Huntgroup-Name == dialserver, Group != dialupgrp, Auth-Type = Reject

Note that the users file entry matches AFTER the chap module is processed. You said Auth-Type = Reject, which means "set it to Reject, if not already set to something else". It's already set to CHAP, so the request to set it to REJECT is ignored.

Change the entry to do Auth-Type := Reject. That will be a bit closer to what you want.

You also have:

  # First setup all accounts to be checked against the UNIX /etc/passwd.
  # (Unless a password was already given earlier in this file).
  # DEFAULT Auth-Type := System, Group == dialupgrp

Which is pointless. It means you can't do CHAP, and you're authenticating the users against /etc/passwd, rather than proxying them to another server.

So... my recommendations:

- delete the NULL realm
- add a realm "proxy", with the information about the other server.
- I don't think you need a huntgroup for the NAS, either. Delete it.
- configure your users file as follows:

  #---
  DEFAULT Client-IP-Address == ip.of.lucent.nas, Group == dialupgrp, Proxy-To-Realm := proxy
  DEFAULT Client-IP-Address == ip.of.lucent.nas, Group != dialupgrp, Auth-Type := Reject
  #---

Which pretty much does what you want. I presume that you have other users, logging in via other NASes, and doing other kinds of authentications. You can add those entries later in the users file, below those two.

Alan DeKok.
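A toy model of the two behaviours Alan describes in this thread and in the Cisco-AVPair thread above, as an added example (not FreeRADIUS code): a users-file entry's "Auth-Type = Reject" is ignored once rlm_chap has already set Auth-Type, while ":=" overrides it, and the reply is built from the entry's reply items rather than copied from the request. Group and Huntgroup-Name are treated as plain request keys here, which is a simplification of how the real server resolves them.

```python
"""Toy model of FreeRADIUS users-file processing (added example, not
FreeRADIUS code).  Check items are compared against the request, '=' sets
a config item only if it is unset while ':=' always sets it, and the reply
is built from reply items only.  Group and Huntgroup-Name are modelled as
plain request keys, a simplification of rlm_unix and the huntgroups file."""

def match_checks(check_items, request):
    """Return (matched, config_items_to_set) for one users-file entry."""
    pending = []
    for attr, op, value in check_items:
        if op == "==" and request.get(attr) != value:
            return False, []
        if op == "!=" and request.get(attr) == value:
            return False, []
        if op in ("=", ":="):           # config items, not comparisons
            pending.append((attr, op, value))
    return True, pending

def authorize(request, users):
    """Authorize stage: rlm_chap runs before the users file (as in the
    debug output quoted in the thread); the first matching entry wins."""
    config, reply = {}, {}
    if "CHAP-Password" in request:
        config["Auth-Type"] = "CHAP"    # rlm_chap: Setting 'Auth-Type := CHAP'
    for name, check_items, reply_items in users:
        if name not in ("DEFAULT", request.get("User-Name")):
            continue
        ok, pending = match_checks(check_items, request)
        if not ok:
            continue
        for attr, op, value in pending:
            if op == ":=" or attr not in config:   # '=' never overrides
                config[attr] = value
        reply.update(reply_items)       # reply items only; request is not copied
        break
    return config, reply

# Constructed request: CHAP user on the Lucent NAS, not in dialupgrp.
REQUEST = {"User-Name": "aa0781", "CHAP-Password": "<chap hash>",
           "Huntgroup-Name": "dialserver", "Group": "staff",
           "Cisco-AVPair": "ip:xxx"}
CHECKS = [("Huntgroup-Name", "==", "dialserver"), ("Group", "!=", "dialupgrp")]
USERS_EQ = [("DEFAULT", CHECKS + [("Auth-Type", "=", "Reject")], {})]
USERS_SET = [("DEFAULT", CHECKS + [("Auth-Type", ":=", "Reject")], {})]
# Nishant's case: the reply carries the users-file value, not the request's.
USERS_VSA = [("aa0781", [], {"Cisco-AVPair": "ip:yyy"})]

if __name__ == "__main__":
    print(authorize(REQUEST, USERS_EQ)[0], authorize(REQUEST, USERS_SET)[0])
```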
Re: Vendor Specific attribute in authorization packet
Alan DeKok [EMAIL PROTECTED] said:
> Shah, Nishant B [EMAIL PROTECTED] wrote:
> > I am sending an authorization packet from radclient with vendor specific attribute: Cisco-AVPair=ip:xxx
>
> Ok... I don't see why, though.
>
> > RADIUS server authorizes the user with access-accept packet with Cisco-AVPair=ip:yyy, which confuses me.
>
> That's probably what you told it to do.
>
> > Because in the users file on server side I have Cisco-AVPair=ip:yyy
>
> There you go. You told it to send that response.
>
> > and I send request with Cisco-AVPair=ip:xxx. I am confused about vendor specific attributes treatment by RADIUS.
>
> There's nothing special about vendor-specific attributes. You're getting confused because the reply isn't a copy of the request. It's not supposed to be. The problem is in your expectations, not in what the server is doing.
>
> > Also, I have one small confusion about vendor specific attribute. What exactly RADIUS server does if vendor-specific attribute is received in access-request packet.
>
> It does lots of things. Do you have a more specific question?

YES I DO HAVE SPECIFIC QUESTION. AS FOR EXAMPLE, if the user sends a packet with Cisco-AVPair=ip:xxx attribute and Cisco NAS is using RADIUS for authorization, what does RADIUS do besides authorization? I mean to say, does it send any special attribute in access-accept packet to Cisco NAS so that Cisco-AVPair's value is used in NAS? If I am not misunderstanding, RADIUS authorizes the user with password only and not with vendor specific attribute in the packet too.

> As a general answer, the server treats vendor-specific attributes just like normal attributes. There really is no difference between the two, except which dictionary file they sit in.
>
> Alan DeKok.

--
Nishant Shah
U4 Computer Engineering
979-268-0866 (M) 281-222-3176
Re: Vendor Specific attribute in authorization packet
Shah, Nishant B [EMAIL PROTECTED] wrote:
> YES I DO HAVE SPECIFIC QUESTION. AS FOR EXAMPLE,

No need to shout.

> If the user sends a packet with Cisco-AVPair=ip:xxx attribute and Cisco NAS is using RADIUS for authorization, what does RADIUS do besides authorization?

I don't mean to be rude, but it does what you tell it to do. That's really the only possible answer to such a general question. I suggest you stop asking "what does it do", and instead describe what you want it to do.

> I mean to say, does it send any special attribute in access-accept packet to Cisco NAS so that Cisco-AVPair's value is used in NAS?

No. That's up to you to configure.

> If I am not misunderstanding, RADIUS authorizes the user with password only and not with vendor specific attribute in the packet too.

The authorization is done however you want. If you decide to reject all requests containing Cisco-AVPair, you can configure the server to do that.

Alan DeKok.
Re: Vendor Specific attribute in authorization packet
Alan DeKok [EMAIL PROTECTED] said:
> Shah, Nishant B [EMAIL PROTECTED] wrote:
> > YES I DO HAVE SPECIFIC QUESTION. AS FOR EXAMPLE,
>
> No need to shout.

I apologise for that, I didn't mean to shout. Sorry if I hurt someone's feelings.

> > If the user sends a packet with Cisco-AVPair=ip:xxx attribute and Cisco NAS is using RADIUS for authorization, what does RADIUS do besides authorization?
>
> I don't mean to be rude, but it does what you tell it to do. That's really the only possible answer to such a general question. I suggest you stop asking "what does it do", and instead describe what you want it to do.
>
> > I mean to say, does it send any special attribute in access-accept packet to Cisco NAS so that Cisco-AVPair's value is used in NAS?
>
> No. That's up to you to configure.
>
> > If I am not misunderstanding, RADIUS authorizes the user with password only and not with vendor specific attribute in the packet too.
>
> The authorization is done however you want. If you decide to reject all requests containing Cisco-AVPair, you can configure the server to do that.

Could you please give me an example of configuring the server according to the following need. I have a cisco router between the user sending access-request and the server. I want the router to route the fax request (fax machine on the network) to authorize the user's request by RADIUS. I want to put Cisco-Fax-Pages=5 in my access-request packet so that the user can send only 5 fax pages. For that the user needs to be authorized by RADIUS according to this vendor-specific attribute. Can you tell me how I can configure the server to do this? I apologise if the problem is not clear. Please reply me and I will revert it.

Thanks,
Nishant

> Alan DeKok.

--
Nishant Shah
U4 Computer Engineering
979-268-0866 (M) 281-222-3176
Re: configuring the NAS
Kaczmarek, Thaddeus wrote:
> ...snip...
>
> DISCLAIMER e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify me and permanently delete the original and any copy of any e-mail and any printout thereof. E-mail transmission cannot be guaranteed to be secure or error-free. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. REGARDING PRIVACY AND CONFIDENTIALITY Crown Financial Group may, at its discretion, monitor and review the content of all e-mail communications.

Please do not send this cruft.
Access-Reject not in reply_log
Hi,

According to the comments in the radiusd.conf file for reply_log, it should be logging the Access-Rejects as well. But I am seeing only the Access-Accept messages. Is there anything else that I need to configure to get the Access-Rejects as well?

Thanks,
Htin
Re: Log problems
> No.. you told it to log to stderr. That's what -lstderr means. If you don't say -lstderr, logging goes to wherever it says in radiusd.conf, usually radius.log somewhere. Unless... if you mean that the radius.log is one created by daemontools...
>
> > Logging had been working fine for almost 2 years then it stops.. Something must have changed but where?
>
> I'm not sure what you're doing, so I can't say for sure.
>
> Alan DeKok.

No, -lstderr tells svc (daemontools) to send its errors to stderr, not freeradius, and we are not talking about standard errors; we are talking about authentication entries being added to radius.log when someone logs in. Auth entries are to be written via either the command line options -yz or the entries in radiusd.conf. Guess I don't have to tell you that though.

Anyway, I solved the problem of it not logging. The problem was that radiusd is set to run as user radius, and in the config file it was set to user=radius group=radius. I removed the existing radius.log file so that a new one would be created, but for some reason the new log was created as root/radius (owner root, group radius), and after radiusd got past the initial startup it starts trying to do things as user radius, so when it went to write to the radius.log file that had just been created (by root) it didn't have permission. I changed the permissions on the radius.log file to radius/radius and all is well now; it is putting in the authentication info like it is supposed to now. Maybe this will help someone in the future.
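A check for the failure mode described in this thread, as an added example (not FreeRADIUS code): it reads the user/group that radiusd will drop to out of radiusd.conf and tests whether that identity can write the log file, so a root-owned radius.log with mode 640 is reported before the server silently stops logging. The conf fragment, numeric ids and file modes below are constructed; only check_real_log touches the live system, and the group fallback to the user's name and the omission of supplementary groups are simplifying assumptions.

```python
"""Added sanity check for the failure described above: radiusd starts as
root, creates radius.log as root, then drops to the user/group from
radiusd.conf and can no longer write it.  Not FreeRADIUS code; the conf
fragment, ids and modes below are constructed so the check runs offline."""
import grp, os, pwd, re, stat

def configured_identity(conf_text):
    """Pull 'user = x' / 'group = y' out of radiusd.conf (None if absent).
    Commented-out lines ('#user = ...') do not match."""
    found = {}
    for m in re.finditer(r"^\s*(user|group)\s*=\s*(\S+)", conf_text, re.M):
        found.setdefault(m.group(1), m.group(2))
    return found.get("user"), found.get("group")

def can_write(run_uid, run_gid, st_uid, st_gid, st_mode):
    """POSIX owner/group/other write check for a process running as
    run_uid/run_gid; root always wins.  Supplementary groups are ignored."""
    if run_uid == 0:
        return True
    if st_uid == run_uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid == run_gid:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)

def check_log(conf_text, st_uid, st_gid, st_mode, ids):
    """None if the configured radiusd user can write the log, else a message.
    'ids' maps user and group names to numeric ids (injected for testing)."""
    user, group = configured_identity(conf_text)
    if user is None:
        return None                  # no privilege drop: root keeps writing
    run_uid = ids["users"][user]
    run_gid = ids["groups"][group or user]   # assumption: group defaults to user
    if can_write(run_uid, run_gid, st_uid, st_gid, st_mode):
        return None
    return "log owned by uid %d gid %d mode %o is not writable by user %s" % (
        st_uid, st_gid, stat.S_IMODE(st_mode), user)

def check_real_log(conf_path, log_path):
    """The same check against a live system, using pwd/grp and os.stat."""
    with open(conf_path) as f:
        conf = f.read()
    ids = {"users": {p.pw_name: p.pw_uid for p in pwd.getpwall()},
           "groups": {g.gr_name: g.gr_gid for g in grp.getgrall()}}
    st = os.stat(log_path)
    return check_log(conf, st.st_uid, st.st_gid, st.st_mode, ids)

# Constructed radiusd.conf fragment and id table matching the thread.
CONF = "user = radius\ngroup = radius\n"
IDS = {"users": {"root": 0, "radius": 1001}, "groups": {"root": 0, "radius": 1001}}
```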