Re: squid+freeradius
jassim El-mansori wrote:
> hello guys
> i have freeradius running on RH9 and I'm using pGina and the RADIUS plug-in and they work like a charm. Now I need the user that was successfully authenticated to browse the Internet. I believe squid will do, and I am about to finish configuring it. The question is how I can point them to each other so the allowed user can browse the Internet. Do I need to point radius to squid or the opposite? I'm really confused about how to implement this..

I don't know what pGina is, but... I see three options:

1) Access to squid is controlled by another system.
2) Squid asks freeradius what to do for the user (I don't know if this is possible)
3) Freeradius controls access to squid (via an external script which changes firewall rules or configuration files)

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: kill user connection
yes, Session-Timeout is good, but will it work if I add it to the database table at the moment the user is already logged in? I think not, because attributes are given to the user only after authentication, isn't it so? Maybe someone knows how to send, for example, session-timeout=1s to the user during his login? It would be fantastic, you know :)

Edgars

Simon Bryden wrote:
> There is a RADIUS disconnect mechanism which is not standardised as far as I know and not too widely supported. In most cases you need to use SNMP or other techniques to disconnect sessions. The most standardised way of disconnecting sessions is to use the Session-Timeout attribute to tell the NAS when to terminate the session.
>
> Regards,
> Simon.
>
> --- On Thursday 02 September 2004 14:57, Edgars wrote:
> > is there a way to do subj. from the freeradius - I'll use this when some time is reached.
> >
> > Edgars
Re: kill user connection
It depends what you are trying to do. If you want a constant timeout then you can add it to the database as a reply attribute. If you need something dynamic, such as what you described in your other post, then you can use rlm_exec to calculate and return the timeout at authentication time.

Regards,
Simon.

--- On Friday 03 September 2004 08:24, Edgars wrote:
> yes, Session-Timeout is good, but will it work if I add it to the database table at the moment the user is already logged in? I think not, because attributes are given to the user only after authentication, isn't it so? Maybe someone knows how to send, for example, session-timeout=1s to the user during his login? It would be fantastic, you know :)
>
> Edgars
>
> Simon Bryden wrote:
> > There is a RADIUS disconnect mechanism which is not standardised as far as I know and not too widely supported. In most cases you need to use SNMP or other techniques to disconnect sessions. The most standardised way of disconnecting sessions is to use the Session-Timeout attribute to tell the NAS when to terminate the session.
> >
> > Regards,
> > Simon.
> >
> > --- On Thursday 02 September 2004 14:57, Edgars wrote:
> > > is there a way to do subj. from the freeradius - I'll use this when some time is reached.
> > >
> > > Edgars
Solaris 9 and pam_radius 1.3.16
Hi All,

I am having trouble compiling pam_radius 1.3.16 on Solaris 9.

[EMAIL PROTECTED] # CC=gcc;export CC
[EMAIL PROTECTED] # make
gcc -Wall -Wshadow -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Waggregate-return -c pam_radius_auth.c -o pam_radius_auth.o
In file included from pam_radius_auth.h:23,
                 from pam_radius_auth.c:63:
md5.h:21: error: parse error before u_int32_t
md5.h:21: warning: no semicolon at end of struct or union
md5.h:22: warning: type defaults to `int' in declaration of `bits'
md5.h:22: warning: data definition has no type or storage class
md5.h:24: error: parse error before '}' token
md5.h:29: error: parse error before buf
md5.h:29: warning: function declaration isn't a prototype
pam_radius_auth.c:151: warning: no previous prototype for '_int_free'
pam_radius_auth.c: In function `ipstr2long':
pam_radius_auth.c:179: warning: subscript has type `char'
pam_radius_auth.c: In function `good_ipaddr':
pam_radius_auth.c:215: warning: subscript has type `char'
pam_radius_auth.c: In function `host2server':
pam_radius_auth.c:271: warning: subscript has type `char'
pam_radius_auth.c: In function `get_random_vector':
pam_radius_auth.c:350: error: storage size of 'my_md5' isn't known
pam_radius_auth.c:350: warning: unused variable `my_md5'
pam_radius_auth.c: In function `get_accounting_vector':
pam_radius_auth.c:382: error: storage size of 'my_md5' isn't known
pam_radius_auth.c:382: warning: unused variable `my_md5'
pam_radius_auth.c: In function `verify_packet':
pam_radius_auth.c:400: error: storage size of 'my_md5' isn't known
pam_radius_auth.c:400: warning: unused variable `my_md5'
pam_radius_auth.c: In function `add_password':
pam_radius_auth.c:497: error: storage size of 'md5_secret' isn't known
pam_radius_auth.c:497: error: storage size of 'my_md5' isn't known
pam_radius_auth.c:497: warning: unused variable `md5_secret'
pam_radius_auth.c:497: warning: unused variable `my_md5'
pam_radius_auth.c: In function `rad_converse':
pam_radius_auth.c:1016: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1019: warning: passing arg 2 of pointer to function from incompatible pointer type
pam_radius_auth.c: In function `pam_sm_authenticate':
pam_radius_auth.c:1071: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1099: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1113: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1146: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function `pam_private_session':
pam_radius_auth.c:1267: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1288: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function `pam_sm_chauthtok':
pam_radius_auth.c:1374: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1395: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1404: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1409: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
make: *** [pam_radius_auth.o] Error 1
[EMAIL PROTECTED] # uname -a
SunOS testbox1 5.9 Generic_117171-07 sun4u sparc SUNW,UltraAX-i2
[EMAIL PROTECTED] # gcc --version
gcc (GCC) 3.4.1

Any help greatly appreciated.

Darren
Re: kill user connection
i want such a thing - I have one additional field in the radcheck table which is true/false. So I have one function which starts to work after the user is authenticated for the first time. And if there is a special timeout set for him (i.e. for example 1 hour) then starting from this moment his username is valid for one hour. So at this stop time I'm putting false in that field, but I am checking this field only at authentication, so I should somehow send to this user session-timeout=1s or some other way stop him for a while to make him authenticate again.

Thanks!

Edgars

Simon Bryden wrote:
> It depends what you are trying to do. If you want a constant timeout then you can add it to the database as a reply attribute. If you need something dynamic, such as what you described in your other post, then you can use rlm_exec to calculate and return the timeout at authentication time.
>
> Regards,
> Simon.
>
> --- On Friday 03 September 2004 08:24, Edgars wrote:
> > yes, Session-Timeout is good, but will it work if I add it to the database table at the moment the user is already logged in? I think not, because attributes are given to the user only after authentication, isn't it so? Maybe someone knows how to send, for example, session-timeout=1s to the user during his login? It would be fantastic, you know :)
> >
> > Edgars
> >
> > Simon Bryden wrote:
> > > There is a RADIUS disconnect mechanism which is not standardised as far as I know and not too widely supported. In most cases you need to use SNMP or other techniques to disconnect sessions. The most standardised way of disconnecting sessions is to use the Session-Timeout attribute to tell the NAS when to terminate the session.
> > >
> > > Regards,
> > > Simon.
> > >
> > > --- On Thursday 02 September 2004 14:57, Edgars wrote:
> > > > is there a way to do subj. from the freeradius - I'll use this when some time is reached.
> > > >
> > > > Edgars
RE: Seg fault in rlm_ldap on Redhat Enterprise Linux 3 - solved
For those remotely interested in this issue, the problem was actually due to an issue in OpenLDAP, as I mentioned some time ago (see below). Redhat now has a released fix for this. The bug description is shown at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=111492, and the fix at http://rhn.redhat.com/errata/RHBA-2004-224.html.

Regards
Tarun

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tarun Bhushan
Sent: Tuesday, 17 August 2004 6:08 PM
To: [EMAIL PROTECTED]
Subject: RE: Seg fault in rlm_ldap on Redhat Enterprise Linux 3 - solved, sort of

I found that the problem is within the OpenLDAP library libldap (line 845 in tls.c, method->ext_free(alt);) and is the same as OpenLDAP problem 1924 (http://www.openldap.org/its/index.cgi/Software%20Bugs?id=1924;selectid=1924). This was reported and fixed back in 2002, but Redhat did not apply it to the OpenLDAP released with RHEL3 nearly a year and a half later! Anyway, by adapting the patch, I was able to fix this issue - just in case others have encountered it. In case you are interested, also see Redhat Bugzilla bugs 128364 and 111492.

Patch for your reference:

--- openldap-2.0.27/libraries/libldap/tls.c 2004-08-18 22:09:10.0 +1000 +++ openldap-2.0.27/libraries/libldap/tls.c 2004-08-18 22:11:09.0 +1000 @@ -816,7 +816,6 @@ int n, len1, len2; char *domain; GENERAL_NAME *gn; - X509V3_EXT_METHOD *method; len1 = strlen(name); n = sk_GENERAL_NAME_num(alt);
@@ -841,8 +840,7 @@ break; } } - method = X509V3_EXT_get(ex); - method-ext_free(alt); + GENERAL_NAMES_free(alt); if (i n) /* Found a match */ ret = LDAP_SUCCESS; }

Regards
Tarun
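Review bot: the swap to `GENERAL_NAMES_free(alt)` is the right typed free for the stack of GENERAL_NAME values that `alt` holds, but check what is left referencing `ex`: if `X509V3_EXT_get(ex)` was its only use, `ex` is now a dead variable and should be dropped alongside `method`, or the build will warn about it. Separately, the `>` characters have been lost in the archive copy of this patch: `method-ext_free(alt)` can only have been `method->ext_free(alt)`, and `if (i n)` is missing its operator (`i < n`, going by the "Found a match" comment), so anyone applying it from the list archive must restore them first; the `-8 +7` counts in the hunk header also assume the original line breaks, which the archive has collapsed.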
Re: please assist in time limit
ok, will it work also in such a case - at 16:59 the user is still logged in and browsing the internet with full power. Will what you described stop his nice browsing at 17:00? This is the second type of time counter I want to make :)

Edgars

Simon Bryden wrote:
> You could use rlm_exec to call a script which would check the time and return appropriately. If outside the window it can return 1 which will cause the user to be rejected. If within the window you can return zero, and also set an appropriate session limit to disconnect the user at the end of the window.
>
> Regards,
> Simon.
>
> --- On Thursday 02 September 2004 14:06, Edgars wrote:
> > Hi!
> > for example, I want to give some clients access to the internet at certain hours (9-17). How can I do that? I'm using a DB for accounting.
> >
> > Edgars
Re: CHAP works but not PAP
> > modcall: group authorize returns ok for request 0
> > rad_check_password: Found Auth-Type System
> > auth: type System
>
> Please read the FAQ. CHAP doesn't work with system passwords.

I use MySQL stored users and passwords for authentication. CHAP works .. PAP not.

> > modcall[authenticate]: module unix returns notfound for request 0
>
> What is unclear about that message?

Because I only use MySQL ...

- Michael
Re: rlm_mschap: No User-Password configured. Cannot create LM-Password
Hi,

I have a similar problem, but I store my passwords in an LDAP database in clear mode. So I don't understand why it doesn't work either. Passwords are not encrypted!!!

The error is:

rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for example with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 6

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 02, 2004 9:43 PM
Subject: Re: rlm_mschap: No User-Password configured. Cannot create LM-Password

> Erik Denny [EMAIL PROTECTED] wrote:
> > I can auth PAP requests all day long, however, I get the following error when a CHAP term server requests auth.
> >
> > Thu Sep 2 13:27:40 2004 : Auth: rlm_ldap: Attribute User-Password is required for authentication. Cannot use CHAP-Password.
> > Thu Sep 2 11:35:47 2004 : Auth: Login incorrect: [EMAIL PROTECTED]/CHAP-Password]
>
> You are setting Auth-Type := LDAP.
>
> You are setting Auth-Type := LDAP, even for CHAP requests. That's the source of the problem. This is why the server is configured by default to set Auth-Type := CHAP for CHAP requests: because no other module can do CHAP.
>
> The LDAP module sets Auth-Type = LDAP only if it has not already been set. So if you're getting that error for Access-Requests containing CHAP, it's because you've over-ridden the default configuration, and told the server to NOT use the CHAP module for CHAP requests.
>
> > This is the result of a test from a term server with an account that has a clear-text password.
>
> You are confusing passwords in the LDAP database with passwords in the Access-Request. Let's look at a little matrix:
>
>                          authentication data in Access-Request
>                          PAP                  CHAP
>   passwords in LDAP
>     clear                Auth-Type := LDAP    Auth-Type := CHAP
>     crypt                Auth-Type := LDAP    impossible
>
> The fact that the account has a clear-text password is IRRELEVANT. The Access-Request has a CHAP password, and LDAP doesn't do CHAP. End of story. Don't force LDAP to handle CHAP requests.
>
> > Now, as far as I can see in the configs and code, we have not removed anything that would break it, AND there is no User-Password defined in the bundled schema for LDAP v3 in the doc directory. (RADIUS-LDAPv3.schema) There appears to be NO conversion from uid to User-Name anywhere that I can see, so how can this work out of the box?
>
> If the Access-Request contains a PAP password, then Auth-Type := LDAP will work.
>
> > BTW- I don't see how you can test CHAP auth with anything other than a term server- radtest/radclient don't appear to support the option?
>
> $ sed 's/User-Password/CHAP-Password/' radtest > radchaptest
> $ chmod +x radchaptest
>
> And then use radchaptest to send CHAP requests.
>
> Honestly, if PAP works for a user, then MS-CHAP works, too. Trust me in this.
>
> The problem is that many people get confused between authorization and authentication. LDAP is a *database*, not an authentication server. Let LDAP store passwords, and let FreeRADIUS do authentication.
>
> The whole problem starts when you configure FreeRADIUS to use LDAP for authenticating users. Don't do that. Use LDAP to store clear-text passwords. LDAP doesn't do CHAP, MS-CHAP, EAP, or anything other than PAP. So if there isn't a User-Password attribute in the Access-Request packet, then setting Auth-Type := LDAP will ALWAYS FAIL.
>
> i.e. Don't list ldap in authenticate. Yes, you may discover that some things break. This means you've probably got to set Auth-Type := Local, for PAP requests.
>
> Alan DeKok.
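Alan's matrix in working code, as an added example that is not part of the thread and not FreeRADIUS code: the CHAP check from RFC 1994 as carried in RADIUS (RFC 2865 section 5.3) is re-implemented with hashlib to show why a clear-text password in the store can verify either a PAP User-Password or a CHAP-Password, while a store that holds only a one-way hash can verify PAP and nothing else. The salted SHA-256 stands in for crypt() (an assumption, chosen only because the one-way property is the point); the request dictionaries are constructed sample input.

```python
"""PAP vs CHAP against clear-text and one-way-hashed stored passwords (RFC 2865 5.3)."""
import hashlib
import secrets
from typing import Dict, Optional, Tuple, Union


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password attribute value: the CHAP ident byte followed by
    MD5(ident || password || challenge). The client can only produce this
    if it knows the clear-text password, and the server can only check it
    if it does too."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_challenge(request: Dict[str, bytes]) -> bytes:
    """RFC 2865 5.3: use the CHAP-Challenge attribute if present, otherwise
    the 16-byte Request Authenticator doubles as the challenge."""
    return request.get("CHAP-Challenge") or request["Request-Authenticator"]


def verify_chap(clear_password: bytes, request: Dict[str, bytes]) -> bool:
    chap_password = request["CHAP-Password"]
    if len(chap_password) != 17:          # 1 ident byte + 16 MD5 bytes
        return False
    expected = chap_response(chap_password[0], clear_password, chap_challenge(request))
    return secrets.compare_digest(expected, chap_password)


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a crypt() hash in the user store (assumption, see lead-in)."""
    return hashlib.sha256(salt + password).digest()


StoredValue = Union[bytes, Tuple[bytes, bytes]]   # clear text, or (salt, digest)


def verify_pap(stored_kind: str, stored: StoredValue, user_password: bytes) -> bool:
    """PAP hands the server the clear-text password, so it works with either stored form."""
    if stored_kind == "clear":
        return secrets.compare_digest(stored, user_password)
    salt, digest = stored
    return secrets.compare_digest(one_way_hash(user_password, salt), digest)


def authenticate(stored_kind: str, stored: StoredValue, request: Dict[str, bytes]) -> Optional[bool]:
    """The matrix: True/False is a decision, None means the combination is
    impossible (CHAP request, but only a hash in the store)."""
    if "User-Password" in request:
        return verify_pap(stored_kind, stored, request["User-Password"])
    if "CHAP-Password" in request:
        if stored_kind != "clear":
            return None                    # the 'crypt' / CHAP cell of the matrix
        return verify_chap(stored, request)
    return None


if __name__ == "__main__":
    # Constructed sample: the same user presenting PAP and CHAP credentials.
    password, authenticator = b"correct horse", bytes(range(16))
    pap_request = {"User-Password": password}
    chap_request = {"CHAP-Password": chap_response(1, password, authenticator),
                    "Request-Authenticator": authenticator}
    salt = b"salty"
    hashed = (salt, one_way_hash(password, salt))
    for kind, stored in (("clear", password), ("crypt", hashed)):
        print(kind, "PAP:", authenticate(kind, stored, pap_request),
              "CHAP:", authenticate(kind, stored, chap_request))
```

The `None` cell is the whole argument of the reply: no module can turn a one-way hash into the MD5 input CHAP needs, so forcing `Auth-Type := LDAP` onto a CHAP request fails regardless of how the account is stored in the directory.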
Re: rlm_exec vs Exec-Program-Wait attribute
On Thu, Sep 02, 2004 at 02:52:13PM -0400, Alan DeKok wrote:

Dear Alan,

though this setup you propose will work, I agree with Thor's opinion on the matter. I believe that it would be a good idea to allow the rlm_exec module to return reject messages with attributes in them as Exec-Program-Wait does. In this case, we can have the good things of Exec-Program-Wait, plus the extras of rlm_exec. For now, I think that for my needs I will use Exec-Program-Wait as I find it a more elegant setup (of course I do not expect it to go away in a future version, right?). Please let us know your thoughts on the matter.

Thanks
Kostas

> Kostas Zorbadelos [EMAIL PROTECTED] wrote:
> > Autz-Type CLID {
> >     callerid {
> >         fail = reject
> >     }
> > }
> >
> > In this case when the external script returns a non zero exit code or fails I get an Access-Reject. However I cannot put any attributes inside this reject packet.
>
> So do the following:
>
> Autz-Type CLID {
>     callerid {
>         ok = return
>         notfound = return
>         ... = return
>         fail = 1
>     }
>     another_files
> }
>
> Make the another_files module a copy of rlm_files, and point it to different users files. It will then be run ONLY when the external script returns fail, and you can add reply attributes to the reject packet there.
>
> Alan DeKok.

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]
Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter than a thousand suns.
Re: please assist in time limit
Edgars escreveu:
> ok, will it work also in such a case - at 16:59 the user is still logged in and browsing the internet with full power. Will what you described stop his nice browsing at 17:00? This is the second type of time counter I want to make :)

There is a much easier solution: the Login-Time attribute. You can set a record in your db like this:

Login-Time := Al0900-1700

and your user will be authenticated from 9:00 - 17:00 and, as long as your nas supports the Session-Timeout attribute (almost all should), he will be disconnected at 17:00.

Hope that helps,
Keith Yoder
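The two answers in this thread (Simon's rlm_exec script that rejects outside the window and sets a session limit inside it, and Keith's `Login-Time := Al0900-1700`) as one added example; it is not code from the thread and not FreeRADIUS code. FreeRADIUS parses Login-Time itself, so the parser below is an illustrative re-implementation of the documented spec (day codes Su Mo Tu We Th Fr Sa, Wk for Mon-Fri, Al/Any for every day, an optional HHMM-HHMM range that may wrap past midnight, comma-separated entries). The script contract is as described by Simon and otherwise assumed: exit status 1 rejects, exit status 0 accepts, and `Attribute = value` lines on stdout become reply attributes. The timestamps are constructed sample input.

```python
"""Time-of-day access windows: Login-Time parsing plus the rlm_exec script contract."""
import re
import sys
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

DAY_CODES = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}  # datetime.weekday()
GROUP_CODES = {"Wk": {0, 1, 2, 3, 4}, "Al": set(range(7)), "Any": set(range(7))}
CODE_RE = re.compile(r"Su|Mo|Tu|We|Th|Fr|Sa|Wk|Al|Any")
ENTRY_RE = re.compile(r"^((?:Su|Mo|Tu|We|Th|Fr|Sa|Wk|Al|Any)*)(?:(\d{4})-(\d{4}))?$")


def _to_minutes(hhmm: str) -> int:
    return int(hhmm[:2]) * 60 + int(hhmm[2:])


def parse_entry(entry: str) -> Tuple[Set[int], int, int]:
    """One Login-Time entry, e.g. 'Wk0900-1700' -> (weekdays, start_minute, end_minute)."""
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"bad Login-Time entry: {entry!r}")
    day_part, start, end = m.groups()
    days: Set[int] = set()
    for code in CODE_RE.findall(day_part):
        days |= GROUP_CODES.get(code) or {DAY_CODES[code]}
    if not days:                       # no day codes means every day
        days = set(range(7))
    if start is None:                  # no time range means the whole day
        return days, 0, 24 * 60
    return days, _to_minutes(start), _to_minutes(end)


def window_end(spec: str, now: datetime) -> Optional[datetime]:
    """End of the Login-Time window `now` falls in, or None if login is not allowed now."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    for entry in spec.split(","):
        days, start_min, end_min = parse_entry(entry.strip())
        # Check today's window and, for ranges that wrap past midnight
        # (e.g. Wk2305-0855), the window that opened yesterday evening.
        for offset in (0, -1):
            day = midnight + timedelta(days=offset)
            if day.weekday() not in days:
                continue
            start = day + timedelta(minutes=start_min)
            end = day + timedelta(minutes=end_min)
            if end_min <= start_min:
                end += timedelta(days=1)
            if start <= now < end:
                return end
    return None


def rlm_exec_decision(spec: str, now: datetime) -> Tuple[int, List[str]]:
    """What the script hands back to rlm_exec: (exit status, stdout lines).
    Outside the window: exit 1, i.e. Access-Reject. Inside: exit 0 plus a
    Session-Timeout of the seconds left, so the NAS drops the session at the
    window's end even if the user is 'browsing with full power' at 16:59."""
    end = window_end(spec, now)
    if end is None:
        return 1, []
    remaining = max(1, int((end - now).total_seconds()))
    return 0, [f"Session-Timeout = {remaining}"]


def decision_at(spec: str, when: str) -> Tuple[int, List[str]]:
    """Same decision for an ISO timestamp such as '2004-09-03T16:59:00'."""
    return rlm_exec_decision(spec, datetime.fromisoformat(when))


if __name__ == "__main__":
    # Assumed invocation: exec { program = "/usr/local/bin/timewindow.py Al0900-1700" ... }
    spec = sys.argv[1] if len(sys.argv) > 1 else "Al0900-1700"
    status, lines = rlm_exec_decision(spec, datetime.now())
    for line in lines:
        print(line)
    sys.exit(status)
```

Session-Timeout is a hint the NAS enforces, so the window only closes on time if the NAS honours the attribute; a script like this cannot reach a session that is already up, which is the gap Edgars runs into in the "kill user connection" thread.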
Problem with Radius-TLS
Dear Team,

I was working with the EAP-TLS configuration of the radius server for a proxim AccessPoint. I followed the steps as told in the HOWTO by Raymond McKay. When I configured my Win XP client, it is not getting connected to the Access Point. It keeps on trying to contact, but fails. Also, though I have already imported and added the certificate to the wireless network properties, a message saying "select a certificate" is coming, but on clicking the icon it points to, only the network properties dialog is opened.

See below the debug message in the radius server when the XP client tried to connect to it. Can anyone tell me what the problem was and how to solve it.

*
Going to the next request
Waking up in 2 seconds...
rad_recv: Access-Request packet from host 192.168.111.248:6001, id=254, length=163
        User-Name = whatever1
        NAS-IP-Address = 192.168.111.248
        Called-Station-Id = 00-20-a6-52-bc-96
        Calling-Station-Id = 00-0d-54-98-e0-db
        NAS-Identifier = proxim2000
        State = 0xc7df77b3bebde4560ea3d9dc33b8b0cef745384187c9f253275394a98ea48348839fbb21
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02060315
        Message-Authenticator = 0xc9f455e5c1d3efec1b1ea8ae9a15022e
modcall: entering group authorize for request 1022
  modcall[authorize]: module preprocess returns ok for request 1022
  rlm_eap: EAP packet type notification id 0 length 6
  rlm_eap: EAP Start not found
  modcall[authorize]: module eap returns updated for request 1022
  rlm_realm: No '@' in User-Name = whatever1, looking up realm NULL
  rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1022
  users: Matched whatever1 at 91
  modcall[authorize]: module files returns ok for request 1022
modcall: group authorize returns updated for request 1022
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 1022
  rlm_eap: EAP packet type notification id 0 length 6
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
  rlm_eap: Unknown EAP type 21, reverting to default_eap_type
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns ok for request 1022
modcall: group authenticate returns ok for request 1022
Sending Access-Challenge of id 254 to 192.168.111.248:6001
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x
        State = 0xe99abe272deb068f6ffc1af1cf00eaa5f74538410d43b5fca7b822c8e53ef78193558777
Finished request 1022
**

--
Regards,
S.Suresh Babu

'You must be the change you wish to see in the world.' - M.K.Gandhi.
Re: please assist in time limit
Keith, thank you so much! I didn't know anything about such an attribute. But in the log file I'm getting "unknown attribute Lgin-Time"... Should I manually add it to the dictionary file? Like this:

ATTRIBUTE Login-Time 1042 string

Edgars

Keith Yoder wrote:
> Edgars escreveu:
> > ok, will it work also in such a case - at 16:59 the user is still logged in and browsing the internet with full power. Will what you described stop his nice browsing at 17:00? This is the second type of time counter I want to make :)
>
> There is a much easier solution: the Login-Time attribute. You can set a record in your db like this:
>
> Login-Time := Al0900-1700
>
> and your user will be authenticated from 9:00 - 17:00 and, as long as your nas supports the Session-Timeout attribute (almost all should), he will be disconnected at 17:00.
>
> Hope that helps,
> Keith Yoder
Re: freeradius 1.0.0 Solaris compile issues [Partially SOLVED]
On Thu, Aug 26, 2004 at 05:19:06PM +0300, Kostas Zorbadelos wrote:
> Hello to everyone.
>
> I had sent 2 compile issues of freeradius-1.0.0 on Solaris 2.8, gcc 2.95.3.
>
> I can see that ltdl.h is not in the include path passed to gcc but in ./libltdl/ltdl.h. The problem is solved if we use the --with-ltdl-include in the configure line.

This one was my problem. I had used

$ ./configure --prefix=~/freeradius-1.0.0/BUILD

in configure. The problem does not exist if I use a full path in --prefix and not the '~' shortcut of bash.

However, the error regarding rlm_x99_token exists.

> Making static dynamic in rlm_x99_token...
> make[6]: Entering directory `/space/radius/freeradius-1.0.0/src/modules/rlm_x99_token'
> gcc -fcse-skip-blocks -fexpensive-optimizations -finline-functions -fomit-frame-pointer -O3 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../../include -DX99_MODULE_NAME=\"rlm_x99_token\" -DFREERADIUS -c x99_rlm.c -o x99_rlm.o
> In file included from x99_rlm.c:54:
> x99.h:26: openssl/des.h: No such file or directory
>
> I do not have openssl in the system. Shouldn't autoconf diagnose this and disable rlm_x99_token as it did in several eap modules?

I solved it using --without-rlm_x99_token in the configure line.

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]
Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter than a thousand suns.
Re: please assist in time limit
Edgars wrote:
> ok, will it work also in such a case - at 16:59 the user is still logged in and browsing the internet with full power. Will what you described stop his nice browsing at 17:00?

If it is now 16:59 and you want to disconnect the user at 17:00, then send Session-Timeout = 1

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Re: please assist in time limit
if I could :/ Maybe you know how to do that? I mean at the time when the user is already logged in.

Edgars

Thor Spruyt wrote:
> Edgars wrote:
> > ok, will it work also in such a case - at 16:59 the user is still logged in and browsing the internet with full power. Will what you described stop his nice browsing at 17:00?
>
> If it is now 16:59 and you want to disconnect the user at 17:00, then send Session-Timeout = 1
exec module
can someone explain how the rlm_exec module works? I'm interested in how to run a *.php program before user authentication; is this module capable of doing that? How and in what form do I pass the necessary attributes to the PHP program, and what should be returned?

Your help will be greatly appreciated!

Edgars
Re: kill user connection
http://freshmeat.net/projects/radkill/

Regards
Troy

Comstech Systems
Ph: 1300 550 664
www.comstech.com

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, September 03, 2004 10:12 AM
Subject: Re: kill user connection

> Could you explain how to use snmp to disconnect a session? I've been told you need to use snmpwalk and do some configs on the NAS to authenticate; also a problem is knowing what the channel is, of course obtaining it by radius to send the NAS a line clear. I had tried to find snmp scripts to do that specific function, without luck. I understand I need to understand better how snmp works, but taking a look at a piece of code will help a lot.
>
> Armando Leal.
>
> On 3 Sep 2004 at 0:19, Simon Bryden wrote:
> > There is a RADIUS disconnect mechanism which is not standardised as far as I know and not too widely supported. In most cases you need to use SNMP or other techniques to disconnect sessions. The most standardised way of disconnecting sessions is to use the Session-Timeout attribute to tell the NAS when to terminate the session.
> >
> > Regards,
> > Simon.
> >
> > --- On Thursday 02 September 2004 14:57, Edgars wrote:
> > > is there a way to do subj. from the freeradius - I'll use this when some time is reached.
> > >
> > > Edgars
Oracle bug report
OK, it seems bugs.freeradius.org is experiencing problems. I submit the bug here with the corresponding debugging outputs. When the problems are resolved, I will submit it in bugs also...

Short Description: Freeradius crashes upon oracle errors in accounting queries

Way to reproduce: Run radiusd -X and from a shell

for ((i=0; i<30; i=i+1)); do radclient -d ~/freeradius/BUILD/etc/raddb/ -f testacct localhost acct testing123; sleep 2; done

testacct file:

User-Name = kzorbatest
Acct-Session-Id = 123456789009876543211234567890ABCDEFGHI
NAS-IP-Address = 62.103.3.155
Acct-Status-Type = Start

(the very big Acct-Session-Id will cause an oracle error (ORA-01401: inserted value too large for column))

Environment: Solaris 8, gcc 2.95.3, Oracle 8.1.7

Attached are the outputs of gdb executable core with the bt and also output of truss

Kostas

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]
Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter than a thousand suns.

[EMAIL PROTECTED]:~$ gdb /space/radius/freeradius/BUILD/sbin/radiusd ./core
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...(no debugging symbols found)...
Core was generated by `radiusd -X'.
Program terminated with signal 10, Bus error.
Reading symbols from /usr/lib/libcrypt_i.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libcrypt_i.so.1
Reading symbols from /space/radius/freeradius/BUILD/lib/libradius-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius/BUILD/lib/libradius-1.0.0.so
Reading symbols from /space/radius/freeradius/BUILD/lib/libltdl.so.3...done.
Loaded symbols for /space/radius/freeradius/BUILD/lib/libltdl.so.3
Reading symbols from /usr/lib/libdl.so.1...done.
Loaded symbols for /usr/lib/libdl.so.1
Reading symbols from /usr/lib/libnsl.so.1...done.
Loaded symbols for /usr/lib/libnsl.so.1
Reading symbols from /usr/lib/libresolv.so.2...done.
Loaded symbols for /usr/lib/libresolv.so.2
Reading symbols from /usr/lib/libsocket.so.1...done.
Loaded symbols for /usr/lib/libsocket.so.1
Reading symbols from /usr/lib/librt.so.1...done.
Loaded symbols for /usr/lib/librt.so.1
Reading symbols from /usr/lib/libpthread.so.1...done.
Loaded symbols for /usr/lib/libpthread.so.1
Reading symbols from /usr/lib/libc.so.1...done.
Loaded symbols for /usr/lib/libc.so.1
Reading symbols from /usr/lib/libgen.so.1...done.
Loaded symbols for /usr/lib/libgen.so.1
Reading symbols from /usr/lib/libmp.so.2...done.
Loaded symbols for /usr/lib/libmp.so.2
Reading symbols from /usr/lib/libaio.so.1...done.
Loaded symbols for /usr/lib/libaio.so.1
Reading symbols from /usr/platform/SUNW,Sun-Fire-480R/lib/libc_psr.so.1...done.
Loaded symbols for /usr/platform/SUNW,Sun-Fire-480R/lib/libc_psr.so.1
Reading symbols from /usr/lib/libthread.so.1...done.
Loaded symbols for /usr/lib/libthread.so.1
Reading symbols from /usr/lib/nss_files.so.1...done.
Loaded symbols for /usr/lib/nss_files.so.1
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_exec-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_exec-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_expr-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_expr-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_pap-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_pap-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_chap-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_chap-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_mschap-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_mschap-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_unix-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_unix-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_eap-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_eap-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_eap_md5-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_eap_md5-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_eap_leap-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_eap_leap-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_eap_gtc-1.0.0.so...done.
Loaded symbols for
Re: Oracle bug report
On Fri, 3 Sep 2004, Kostas Zorbadelos wrote:

> OK, it seems bugs.freeradius.org is experiencing problems. I submit the bug here with the corresponding debugging outputs. When the problems are restored, I will submit it in bugs also...
>
> Short Description: Freeradius crashes upon oracle errors in accounting queries
>
> Way to reproduce: Run radiusd -X and from a shell
>
>     for ((i=0; $i<30; i=$i+1)); do radclient -d ~/freeradius/BUILD/etc/raddb/ -f testacct localhost acct testing123; sleep 2; done
>
> testacct file:
>
>     User-Name = kzorbatest
>     Acct-Session-Id = 123456789009876543211234567890ABCDEFGHI
>     NAS-IP-Address = 62.103.3.155
>     Acct-Status-Type = Start
>
> (very big Acct-Session-Id will cause oracle error (ORA-01401: inserted value too large for column)

That is because the session ID column is declared as a 32 character varchar. You are putting 39 characters into it. If the spec defines a maximum length of 32 characters, then you have too long of a session ID, or the column isn't large enough.

dave

--
Dave Weis [EMAIL PROTECTED] http://www.internetsolver.com/

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: squid+freeradius
Below should help. If you have more specific questions about squid, I would check their documentation as they explain it pretty well on how to do external authentication.

Here is a brief overview on how you can setup squid to use radius authentication.

In squid.conf under the auth_param section, add something to point to your external radius authentication module. You should search the web for one that does radius, I found one that is a perl script that works well.

http://www.devet.org/squid/proxy_auth/contrib/auth.pl

example config:

    auth_param basic program /usr/local/bin/rad_auth.pl

Then in your ACL configuration, you put a line to tell it to require authentication

    acl password proxy_auth REQUIRED

Then you add that ACL to your http_access statement

    http_access allow password

Now your squid proxy should prompt users for authentication which will then be sent over to radius. You then configure radius to authenticate the users. Make sure you add the IP of your proxy server and the secret you define in the perl script to the clients.conf file.

Hope that helps

Dusty Doris

On Thu, 2 Sep 2004, jassim El-mansori wrote:

> hello guys i have freeradius running on RH9 and I'm using pGina and RADIUS plug-in and they work like a charm now i need the user that was successfully authenticated browse the Internet i believe squid will do and i about to finish configuring it the question is how i can point them to each other so the allowed user can browse the Internet do i need to point radius to squid or the opposite I'm really confused to implement this.. any help is appreciated thank u jasem

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
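The piece Dusty's reply leaves to a third-party perl script is the helper itself: squid hands it one "username password" line per login on stdin and expects "OK" or "ERR" back, and the helper has to turn that into a RADIUS Access-Request. The following is an added example of such a helper in Python, written for this page and not the auth.pl script linked above nor FreeRADIUS code. It assumes radiusd listens on 127.0.0.1:1812, that the shared secret is "testing123" (the same value must be in clients.conf for the proxy's IP, as the reply says), and the classic basic-auth helper line format; the NAS-Identifier value is also an assumption. It encodes the User-Password attribute exactly as RFC 2865 section 5.2 prescribes and verifies the Response Authenticator of whatever comes back, so a forged or corrupted reply is treated as a failure, never as a success.

```python
import hashlib
import hmac
import os
import socket
import struct
import sys

# Packet codes and attribute types from RFC 2865 (only what this helper needs).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

RADIUS_SERVER = ("127.0.0.1", 1812)   # assumption: radiusd on the proxy host
SHARED_SECRET = b"testing123"         # assumption: must match clients.conf
NAS_IDENTIFIER = b"squid-proxy"       # assumption: label for this proxy


def _avp(attr_type, value):
    """Encode one attribute: Type(1) Length(1) Value; Length includes the header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(hidden, secret, authenticator):
    """Inverse of pap_encrypt (what the server does); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, authenticator):
    """Code(1) Identifier(1) Length(2) Authenticator(16) + attributes."""
    attrs = (_avp(ATTR_USER_NAME, username)
             + _avp(ATTR_USER_PASSWORD, pap_encrypt(password, secret, authenticator))
             + _avp(ATTR_NAS_IDENTIFIER, NAS_IDENTIFIER))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """What a server sends back; lets parse_response be exercised without a server."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_response(packet, ident, request_authenticator, secret):
    """Return the response code, or None if the packet is too short, answers another
    request, or fails the RFC 2865 section 3 check: bytes 4..19 must equal
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(packet) < 20:
        return None
    code, resp_ident, length = struct.unpack("!BBH", packet[:4])
    if resp_ident != ident or length < 20 or length > len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code


def check_credentials(username, password, server=RADIUS_SERVER, secret=SHARED_SECRET, timeout=3.0):
    """One PAP Access-Request over UDP; True only for a verified Access-Accept.
    A timeout or an unverifiable reply is a failure, never a success."""
    ident = os.urandom(1)[0]
    authenticator = os.urandom(16)
    request = build_access_request(ident, username.encode(), password.encode(), secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, server)
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return parse_response(reply, ident, authenticator, secret) == ACCESS_ACCEPT


def handle_line(line, check=check_credentials):
    """Squid basic helper protocol: 'user password' in, 'OK' or 'ERR' out."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return "ERR"
    try:
        return "OK" if check(parts[0], parts[1]) else "ERR"
    except (OSError, ValueError):
        return "ERR"


if __name__ == "__main__":
    for request_line in sys.stdin:
        print(handle_line(request_line), flush=True)
```

Point squid at it with `auth_param basic program /usr/local/bin/rad_auth.py` in place of the perl script. Two things are worth keeping in mind when deploying this: Basic authentication delivers the password to the proxy in the clear, and PAP only hides it with an MD5 stream keyed by the shared secret, so the proxy-to-RADIUS hop belongs on a trusted network; and squid will not reach the RADIUS server at all until the proxy's IP and that secret are in clients.conf, which is the step the reply above ends on.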
Re: Is there some kind of trick to make Cisco LEAP work???
Richard, Thanks for that input, it sounds very straightforward to me. I'll try your patches on Tuesday (Monday is a holiday here). Have you brought this up with Cisco? If not, I will open a case next week. I'd like to know whether Cisco's leap/eap developers intended for the ID to not increment-- or whether they've made a mistake against their own standard. I'd like to use the same freeradius server for WLSE/APs as for other non-LEAP clients, such as TLS/PEAP. Since your patch to rlm_eap.c should only kick in when reply-type.type == PW_EAP_LEAP, there should be no problem, wouldn't you say? Thanks again, Coates Carter University of Richmond On Sep 1, 2004, at 6:04 AM, Richard Timsit wrote: James, We have gotten LEAP to work with Cisco access points. My last posting on the subject might help if you haven't gotten there yet... However, we have not been able to get LEAP for Cisco's WDS worked out. All of the access points in the group authenticate successfully, but the WLSE does not. Yes, WLSE is not running exatly like an access point :-(( Comparing the answer of Cisco server radius ACS who authenticate WLSE and access points, with freeradius, we can see that ACS don't increment the EAP ID as said in doc/rfc/leap.txt : - 4. RS-AP: Access-Challenge/EAP Success (with EAP id++) + State (may be different than the satate send in 2) - So with this first patch in freeradius-1.0.0/src/modules/rlm_eap/types/rlm_eap_ leap : --- -- --- rlm_eap_leap.c.FCS 2004-08-16 18:29:23.0 +0200 +++ rlm_eap_leap.c 2004-08-16 18:34:25.0 +0200 
@@ -147,7 +147,10 @@ /* * Do this only for Success. */ - handler-eap_ds-request-id = handler-eap_ds-response-id + 1; + /* RT Oops WLSE don't like CISCO LEAP standard + handler-eap_ds-request-id = handler-eap_ds-response-id + 1; */ + + handler-eap_ds-request-id = handler-eap_ds-response-id ; handler-eap_ds-set_request_id = 1; /* --- The WLSE accept the response of freeradius and send an Access-Request/EAP Request/LEAP But in stage 6 the WLSE does not accept the SUCCESS response of RS if the normal id++ so i made a second patch of eap.c in freeradius-1.0.0/src/modules/rlm_eap : --- --- eap.c.FCS 2004-08-16 18:25:05.0 +0200 +++ eap.c 2004-08-16 18:28:47.0 +0200 @@ -393,6 +393,16 @@ hdr-code = (reply-code 0xFF); hdr-id = (reply-id 0xFF); + + /* RT Oops WLSE don't like CISCO LEAP Standard ... so we make as ACS do */ + if((reply-code == PW_EAP_RESPONSE) + (reply-type.type == PW_EAP_LEAP) + (reply-type.length == 30)) { hdr-id -= 1 ;} + +DEBUG2( rlm_eap: RT Modif EAP-Type = %d EAP-LENGTH = %d, + reply-type.type,reply-type.length); +/* END MODIF RT */ + total_length = htons(total_length); memcpy(hdr-length, total_length, sizeof(uint16_t)); --- Since i have freeradius working with thousands of users with many protocols, i made a rogue_radius with this 2 bad patchs listening on port 1645 only for Cisco WDS !!! +--+ | ??? | |{O-O} Richard Timsit | | ^_ SIC STI| |/ T \_ EPFL Lausanne | | '` I 1015 Ecublens,SUISSE | | M(021) 693 22 35| | | | [EMAIL PROTECTED] | | I I | +--+ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
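Review bot: in the rlm_eap_leap.c hunk, replacing the `response->id + 1` assignment with a plain copy of the response id changes the EAP Success identifier for every LEAP peer, not only the WLSE the message says needs it, and the access points are reported as authenticating fine with the documented id++ behaviour from doc/rfc/leap.txt. Gate the change behind a module configuration item or a check on the requesting client instead of replacing the line unconditionally, and delete the commented-out original rather than keeping both versions in the file.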
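Review bot: in the eap.c hunk, `hdr-id -= 1` is applied to the already masked low byte, so a reply id of 0 wraps to 255 instead of the intended predecessor; the `reply-type.length == 30` test identifies the LEAP stage only by packet size, which should be a named constant or a check on the stage the handler already tracks; and the DEBUG2 call sits after the closing brace, so it fires for every EAP reply the server builds, not just the adjusted LEAP case. Move the DEBUG2 inside the conditional and put the whole adjustment behind a configuration flag, so the non-standard id is emitted only where it is explicitly enabled, which is what running it as the separate "rogue_radius" on port 1645 achieves by hand today.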
Re: Oracle bug report
On Fri, Sep 03, 2004 at 08:54:42AM -0500, Dave Weis wrote:

> On Fri, 3 Sep 2004, Kostas Zorbadelos wrote:
>
>> OK, it seems bugs.freeradius.org is experiencing problems. I submit the bug here with the corresponding debugging outputs. When the problems are restored, I will submit it in bugs also...
>>
>> Short Description: Freeradius crashes upon oracle errors in accounting queries
>>
>> Way to reproduce: Run radiusd -X and from a shell
>>
>>     for ((i=0; $i<30; i=$i+1)); do radclient -d ~/freeradius/BUILD/etc/raddb/ -f testacct localhost acct testing123; sleep 2; done
>>
>> testacct file:
>>
>>     User-Name = kzorbatest
>>     Acct-Session-Id = 123456789009876543211234567890ABCDEFGHI
>>     NAS-IP-Address = 62.103.3.155
>>     Acct-Status-Type = Start
>>
>> (very big Acct-Session-Id will cause oracle error (ORA-01401: inserted value too large for column)
>
> That is because the session ID column is declared as a 32 character varchar. You are putting 39 characters into it. If the spec defines a maximum length of 32 characters, then you have too long of a session ID, or the column isn't large enough.
>
> dave

Yes, I know. I caused the oracle error on purpose to cause the crash.

Kostas

> --
> Dave Weis [EMAIL PROTECTED] http://www.internetsolver.com/

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: kill user connection
On 3 Sep 2004 at 22:36, Troy Davis wrote:

> http://freshmeat.net/projects/radkill/
>
> Regards
> Troy
> Comstech Systems
> Ph: 1300 550 664
> www.comstech.com

This proggy is a simple Telnet, disconnect user and exit.. using expect, getting the actual online users from radwho. * It's not an snmp connection.. that might be faster and a better option.. But even tho it is an option, tnx for your advice.

Armando Leal

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, September 03, 2004 10:12 AM
Subject: Re: kill user connection

> Could you explain how to use snmp to disconnect a session? I've been told you need to use snmpwalk and do some configs on the NAS to authenticate; also a problem is knowing what the channel is, of course obtaining it by radius to send the NAS a line clear. I had tried to find snmp scripts to do that specific function, without luck. I understand I need to understand better how snmp works, but taking a look at a piece of code will help a lot.
>
> Armando Leal.
>
> On 3 Sep 2004 at 0:19, Simon Bryden wrote:
>
>> There is a RADIUS disconnect mechanism which is not standardised as far as I know and not too widely supported. In most cases you need to use SNMP or other techniques to disconnect sessions. The most standardised way of disconnecting sessions is to use Session-Timeout attribute to tell the NAS when to terminate the session.
>>
>> Regards, Simon.
>>
>> --- On Thursday 02 September 2004 14:57, Edgars wrote:
>>
>>> is there a way to do subj. from the freeradius - i'll use this when some time is reached. Edgars

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ldap and Ldap-Group
Hello,

freeradius-0.9.3_1
openldap-2.2.6
freebsd-4.9-p11

For some reason this isn't working. I could have sworn I got it working before doing this. But this is my setup:

radius.conf:

    ldap dialup {
        server = localhost
        identity = cn=Manager,dc=gwi,dc=net
        password =
        basedn = ou=Users,o=gwi.net,dc=gwi,dc=net
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        tls_mode = no
        dictionary_mapping = ${raddbdir}/ldap-dialup.attrmap
        ldap_connections_number = 5
        groupname_attribute = gidNumber
        groupmembership_filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        timeout = 4
        timelimit = 3
        net_timeout = 1
        compare_check_items = no
    }

users:

    # Setup Auth Attributes
    DEFAULT Auth-Type = LDAP, Autz-Type = LDAP
            Fall-Through = Yes

    #Regular POP connection, then check for Static IP/Subnet POP connections
    DEFAULT Huntgroup-Name == dialup, Autz-Type := DIALUP
            Fall-Through = Yes

    #Reject mbox accounts
    DEFAULT Ldap-Group == 27
            Idle-Timeout = 1, Filter-Id = denied

It hits the first default, hits the second default, but doesn't hit the third default. I've read that groupname_attribute should = cn, but we'd really like to just use gidNumber (that's the group they're in).

Here is a log of a user connecting (that should be getting the denied filter-id). For some reason it's completely ignoring my groupname_attribute and groupmembership_filter settings, and just using the defaults.

    rad_recv: Access-Request packet from host 127.0.0.1:4272, id=221, length=61
            User-Name = celtadmin
            User-Password = ***
            NAS-IP-Address = 207.5.128.1
            NAS-Port = 2
    modcall: entering group authorize for request 68
      modcall[authorize]: module preprocess returns ok for request 68
        rlm_realm: No '@' in User-Name = celtadmin, looking up realm NULL
        rlm_realm: Found realm NULL
        rlm_realm: Adding Stripped-User-Name = celtadmin
        rlm_realm: Proxying request from user celtadmin to realm NULL
        rlm_realm: Adding Realm = NULL
        rlm_realm: Authentication realm is LOCAL.
      modcall[authorize]: module suffix returns noop for request 68
        users: Matched DEFAULT at 49
        huntgroups: Matched dialup at 47
        users: Matched DEFAULT at 57
    rlm_ldap: Entering ldap_groupcmp()
    radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
    radius_xlat: '(uid=celtadmin)'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (uid=celtadmin)
    ldap_release_conn: Release Id: 0
    radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=25)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
    rlm_ldap: object not found or got ambiguous search result
    ldap_release_conn: Release Id: 0
    rlm_ldap::ldap_groupcmp: Group 25 not found or user is not a member.
    rlm_ldap: Entering ldap_groupcmp()
    radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
    radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=26)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
    rlm_ldap: object not found or got ambiguous search result
    ldap_release_conn: Release Id: 0
    rlm_ldap::ldap_groupcmp: Group 26 not found or user is not a member.
    rlm_ldap: Entering ldap_groupcmp()
    radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
    radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=27)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
    rlm_ldap: object not found or got ambiguous search result
    ldap_release_conn: Release Id: 0
    rlm_ldap::ldap_groupcmp: Group 27 not found or user is not a member.
    rlm_ldap: Entering ldap_groupcmp()
    radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
    radius_xlat:
Re: CHAP works but not PAP
Hi Muenz, I think your DEFAULT profile has a wrong link. Why don't you try to set DEFAULT with Auth-Type = PAP and check how it works for both CHAP and PAP? Kevin Muenz, Michael wrote: modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type System Please read the FAQ. CHAP doesn't work with system passwords. I use MySQL stored users and passwords for authentication. CHAP works .. PAP not modcall[authenticate]: module unix returns notfound for request 0 What is unclear about that message? Because I only use MySQL ... - Michael - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_exec vs Exec-Program-Wait attribute
Thor Spruyt [EMAIL PROTECTED] wrote: I hope the rlm_exec module is going to be changed to enable outputting Reject attributes! If you have to run 2 scripts each time, what's the whole point of making the module? The module can be updated, once patches are supplied. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP works but not PAP
Muenz, Michael [EMAIL PROTECTED] wrote: Please read the FAQ. CHAP doesn't work with system passwords. I use MySQL stored users and passwords for authentication. CHAP works .. PAP not You are contradicting the debug log you posted to the list. What is unclear about that message? Because I only use MySQL ... You are contradicting the debug log you posted to the list. Whatever you think the server is doing is very different than what you told the server to do. The debug logs shows what you told the server to do. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_mschap: No User-Password configured. Cannot create LM-Password
Alexandre Durand [EMAIL PROTECTED] wrote: I have a similar problem. But I store my password in the LDAP database in clear mode. So I don't understand why it doesn't work too. Passwords are not encrypted !!! shrug Then the server isn't obtaining the passwords from LDAP. Read the debug log to see what it's doing. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Does proxy.conf support include files?
David [EMAIL PROTECTED] wrote: Is $INCLUDE supported in proxy.conf ? Yes. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Orinoco AP2000 - Logout Entry Has Wrong ID?
Brian Sumpter [EMAIL PROTECTED] wrote: I'm getting these errors in the logs from a few of the AP units: Error: rlm_radutmp: Logout entry for NAS Reaves Hill 2.4 port 2 has wrong ID That's saying that the user logged in with one Acct-Session-Id, and is logging out with another. The most common reason is that the server missed an accounting stop packet. When this happens, the server no longer shows anyone on that particular AP as being logged on, although they are according to the AP themselves. That's weird. I do have a couple of AP units that are not exhibiting this behavior, and I've found the common denominator. The AP units that appear to work properly only have one user per AP - I never have the accounting errors from those AP's and session times are working as expected. But if I connect another client to them, sure enough I get the error and accounting stats go down the tubes again. Then it sounds like a bug in the AP's. Try watching the detail file, to see what's in the accounting start/stop packets. That's the only way of knowing what's really happening. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PEAP segmentation fault
Hi All, I am running Freeradius 1.0.0 and I can autheticate a client fine with LEAP but with PEAP I get the following segmentation fault. Any help is greatly appreciated. rad_recv: Access-Request packet from host 172.30.2.7:21649, id=101, length=117 User-Name = baig Framed-MTU = 1400 Called-Station-Id = 0002.8aa3.02d8 Calling-Station-Id = 000c.412d.01bd Service-Type = Login-User Message-Authenticator = 0x854872664931c4fe56aae3c58b93f6b4 EAP-Message = 0x020100090162616967 NAS-Port-Type = Wireless-802.11 NAS-Port = 1226 NAS-IP-Address = 172.30.2.7 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module preprocess returns ok for request 0 modcall[authorize]: module chap returns noop for request 0 modcall[authorize]: module mschap returns noop for request 0 rlm_realm: No '@' in User-Name = baig, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 0 rlm_eap: EAP packet type response id 1 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module eap returns updated for request 0 users: Matched baig at 96 radius_xlat: 'Hello, baig' modcall[authorize]: module files returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type EAP Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type leap rlm_eap_leap: Stage 2 rlm_eap_leap: Issuing AP Challenge rlm_eap_leap: Successfully initiated modcall[authenticate]: module eap returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 101 to 172.30.2.7:21649 Reply-Message = Hello, baig EAP-Message = 0x01020014110100084b6521fd17dff5de62616967 Message-Authenticator = 0x State = 0x79c0c87bca1119fca67d5070537af5fd Finished request 0 Going to the next 
request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.30.2.7:21649, id=102, length=132 User-Name = baig Framed-MTU = 1400 Called-Station-Id = 0002.8aa3.02d8 Calling-Station-Id = 000c.412d.01bd Service-Type = Login-User Message-Authenticator = 0x092bec1c33d1923277c4244deee5c7e6 EAP-Message = 0x020200060319 NAS-Port-Type = Wireless-802.11 NAS-Port = 1226 State = 0x79c0c87bca1119fca67d5070537af5fd NAS-IP-Address = 172.30.2.7 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module preprocess returns ok for request 1 modcall[authorize]: module chap returns noop for request 1 modcall[authorize]: module mschap returns noop for request 1 rlm_realm: No '@' in User-Name = baig, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 1 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module eap returns updated for request 1 users: Matched baig at 96 radius_xlat: 'Hello, baig' modcall[authorize]: module files returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type EAP Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module eap returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 102 to 172.30.2.7:21649 Reply-Message = Hello, baig EAP-Message = 0x010300061920 Message-Authenticator = 0x State = 0xfcdfe17825640d3c8e02641648f22dbf Finished request 1 Going to the next request Waking up in 6 seconds... 
rad_recv: Access-Request packet from host 172.30.2.7:21649, id=103, length=224 User-Name = baig Framed-MTU = 1400 Called-Station-Id = 0002.8aa3.02d8 Calling-Station-Id = 000c.412d.01bd Service-Type = Login-User Message-Authenticator = 0x2d6ed31d2c2b0e7f8bd8a8f63a02eb50 EAP-Message = 0x02030062198000581603010053014f03014138bce1851ca58cff10d6e22bcb085a a5006530deaaf18a3cae07c0955a46402800160013006600150012000a00050004000900 6300650060006200610064001400110003000600080100 NAS-Port-Type = Wireless-802.11 NAS-Port = 1226
Re: PEAP segmentation fault
What OS are you using? Do you have any GDB output? Can you also provide the ldd output for your radiusd binary? --Mike On Fri, 2004-09-03 at 14:01, Baig wrote: Hi All, I am running Freeradius 1.0.0 and I can autheticate a client fine with LEAP but with PEAP I get the following segmentation fault. Any help is greatly appreciated. rad_recv: Access-Request packet from host 172.30.2.7:21649, id=101, length=117 User-Name = baig Framed-MTU = 1400 Called-Station-Id = 0002.8aa3.02d8 Calling-Station-Id = 000c.412d.01bd Service-Type = Login-User Message-Authenticator = 0x854872664931c4fe56aae3c58b93f6b4 EAP-Message = 0x020100090162616967 NAS-Port-Type = Wireless-802.11 NAS-Port = 1226 NAS-IP-Address = 172.30.2.7 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module preprocess returns ok for request 0 modcall[authorize]: module chap returns noop for request 0 modcall[authorize]: module mschap returns noop for request 0 rlm_realm: No '@' in User-Name = baig, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 0 rlm_eap: EAP packet type response id 1 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module eap returns updated for request 0 users: Matched baig at 96 radius_xlat: 'Hello, baig' modcall[authorize]: module files returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type EAP Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type leap rlm_eap_leap: Stage 2 rlm_eap_leap: Issuing AP Challenge rlm_eap_leap: Successfully initiated modcall[authenticate]: module eap returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 101 to 172.30.2.7:21649 Reply-Message = Hello, baig 
EAP-Message = 0x01020014110100084b6521fd17dff5de62616967 Message-Authenticator = 0x State = 0x79c0c87bca1119fca67d5070537af5fd Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.30.2.7:21649, id=102, length=132 User-Name = baig Framed-MTU = 1400 Called-Station-Id = 0002.8aa3.02d8 Calling-Station-Id = 000c.412d.01bd Service-Type = Login-User Message-Authenticator = 0x092bec1c33d1923277c4244deee5c7e6 EAP-Message = 0x020200060319 NAS-Port-Type = Wireless-802.11 NAS-Port = 1226 State = 0x79c0c87bca1119fca67d5070537af5fd NAS-IP-Address = 172.30.2.7 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module preprocess returns ok for request 1 modcall[authorize]: module chap returns noop for request 1 modcall[authorize]: module mschap returns noop for request 1 rlm_realm: No '@' in User-Name = baig, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 1 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module eap returns updated for request 1 users: Matched baig at 96 radius_xlat: 'Hello, baig' modcall[authorize]: module files returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type EAP Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module eap returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 102 to 172.30.2.7:21649 Reply-Message = Hello, baig EAP-Message = 
0x010300061920 Message-Authenticator = 0x State = 0xfcdfe17825640d3c8e02641648f22dbf Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.30.2.7:21649, id=103, length=224 User-Name = baig Framed-MTU = 1400 Called-Station-Id = 0002.8aa3.02d8 Calling-Station-Id = 000c.412d.01bd Service-Type = Login-User Message-Authenticator = 0x2d6ed31d2c2b0e7f8bd8a8f63a02eb50 EAP-Message =
Re: Ldap and Ldap-Group
--On Friday, September 03, 2004 11:16 AM -0400 Lew A [EMAIL PROTECTED] wrote: Hello, freeradius-0.9.3_1 openldap-2.2.6 freebsd-4.9-p11 Just as an aside, I'll note that Openldap-2.2.6 is a rather old and unstable release. --Quanah -- Quanah Gibson-Mount Principal Software Developer ITSS/Shared Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec module
Ok, this is not tested but hopefully should help you get started:

In your radiusd.conf you need to define an exec module:

    modules {
        ...
        exec allow9to5 {
            wait = yes
            program = "/usr/bin/php -f /somedir/allow9-5.php"
            input_pairs = request
            output_pairs = reply
            packet_type = Access-Request
        }
        ...
    }

Then for the module itself (allow9-5.php):

    <?php
    // you might need this with earlier versions of php which
    // always spit out http headers. This will buffer all of
    // that and later we will throw it away
    ob_start();

    // just in case you want to read some
    // attributes ...
    $nasip = $_ENV['NAS_IP_ADDRESS'];
    $nasid = $_ENV['NAS_IDENTIFIER'];

    // throw away anything already in the output buffer
    ob_end_clean();

    // Now to the meat, first see if we are within the window
    // get current date (getdate() uses the keys 'hours', 'mon' and 'mday')
    $date = getdate();
    $curhour = $date['hours'];

    if ($curhour >= 9 && $curhour < 17) {
        // current unix timestamp
        $curtime = time();
        // unix timestamp at 17:00
        $fivepm = mktime(17, 0, 0, $date['mon'], $date['mday'], $date['year']);
        // seconds until 17:00 (Session-Timeout is expressed in seconds)
        $seconds = $fivepm - $curtime;
        // return this as an attribute
        echo "Session-Timeout := $seconds\n";
        // zero return means accept
        $retval = 0;
    } else {
        // otherwise reject
        $retval = 1;
    }
    exit($retval);
    ?>

Note that some 4.x phps print the return value to stdout - beware of this.

Also note that the responsibility of disconnecting is with the NAS - you are telling it how long to allow the session which if our arithmetic is correct is until 5pm. At that time you are at the mercy of your NAS - make sure it is configured to do this.

Hope this helps,

Regards,
Simon.

--- On Friday 03 September 2004 14:56, Edgars wrote:

> can someone explain how rlm_exec module works? i'm interested in how to run *.php program before user authentication, is this module capable of doing that? How and in what form to pass the necessary attributes to the PHP program and what should be returned? Your help will be greatly appreciated!
>
> Edgars

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
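The contract Simon's reply describes is small and worth seeing end to end: with `wait = yes` and `input_pairs = request`, rlm_exec runs the program with each request attribute in the environment (upper-cased, `-` replaced by `_`, so User-Name arrives as USER_NAME), reads `Attribute = value` lines from its stdout as reply attributes (`output_pairs = reply`), and maps exit status 0 to accept and 1 to reject. The following is an added Python version of the same 9-to-5 policy, written for this page and not the list's PHP script, usable with the `allow9to5` module definition above by pointing `program` at it. The window hours are assumptions; the decision is kept in a function that takes the clock as a parameter so the boundaries can be checked without waiting for 17:00.

```python
import os
import sys
from datetime import datetime

WINDOW_START_HOUR = 9   # assumption: first hour in which logins are accepted
WINDOW_END_HOUR = 17    # assumption: every session must be over by 17:00

# Only the variables this policy needs; rlm_exec exports each request attribute
# upper-cased with '-' turned into '_', so User-Name arrives as USER_NAME.
WANTED = ("USER_NAME", "NAS_IP_ADDRESS", "NAS_IDENTIFIER", "CALLING_STATION_ID")


def request_attributes(environ):
    """Pick the expected attributes out of the environment and ignore the rest."""
    return {name: environ[name] for name in WANTED if name in environ}


def seconds_until(now, hour):
    """Seconds from now until hour:00 on the same day, 0 if that is already past."""
    deadline = now.replace(hour=hour, minute=0, second=0, microsecond=0)
    return max(0, int((deadline - now).total_seconds()))


def decide(now):
    """Return (exit_status, reply_lines) for one Access-Request.

    'now' is a datetime or an ISO 8601 string such as '2004-09-03 16:30:00'.
    Inside the window the reply carries Session-Timeout in seconds (RFC 2865),
    so the NAS ends the session at the window boundary; outside it, reject.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if not WINDOW_START_HOUR <= now.hour < WINDOW_END_HOUR:
        return 1, []                      # exit 1: rlm_exec treats it as reject
    reply = ["Session-Timeout := %d" % seconds_until(now, WINDOW_END_HOUR),
             'Reply-Message := "Access allowed until %02d:00"' % WINDOW_END_HOUR]
    return 0, reply                       # exit 0: accept, with the reply pairs


def main():
    attrs = request_attributes(os.environ)
    status, lines = decide(datetime.now())
    # Diagnostics go to stderr so they never get parsed as reply attributes.
    print("allow9to5: user=%s nas=%s -> exit %d" % (
        attrs.get("USER_NAME", "?"), attrs.get("NAS_IP_ADDRESS", "?"), status),
        file=sys.stderr)
    for line in lines:
        print(line)                       # output_pairs = reply picks these up
    sys.exit(status)


if __name__ == "__main__":
    main()
```

Two details matter for correctness here, and both are easy to get wrong in a quick script: Session-Timeout is a count of seconds, not minutes, and the check must be `>= 9 and < 17` so that a login at 16:59:59 gets a one-second session and a login at 17:00:00 is rejected rather than handed a zero or negative timeout.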
None Stop timer?
Just wondering, is there a way, when a user is restricted to 2 hours browsing time, for the account to expire 2 hours from the time the user logs in? For example: User logs in at 1:00pm and logs off at 1:30pm, then he tries to logon again at 3:01 and the account will have expired. That is a requirement of a hotel. Thank you Sarky - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: None Stop timer?
On Fri, 3 Sep 2004, sarky wrote:

> Just wondering, is there a way, when a user is restricted to 2 hours browsing time, for the account to expire 2 hours from the time the user logs in? For example: User logs in at 1:00pm and logs off at 1:30pm, then he tries to logon again at 3:01 and the account will have expired. That is a requirement of a hotel.

Typically in a hotel one purchases access by the room-night. The account expires at checkout time even if the user is online at the time (and even if they have arranged late checkout or even if they're staying another night). It certainly can be done to sell blocks of time in hours and probably this is a more customer-friendly approach. I personally stayed at the Four Seasons Aviara in 2002 and bought Internet access only when I got up in the AM but it expired at 2pm checkout time anyway even though I was staying the next night -- but would not be using the Internet the next day.

An interesting approach would be the Internet cafe model where one pays for time used -- one registers, then signs out and one's credit card or hotel tab is charged.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius kerberosV lookups
I have grabbed the debian freeradius and freeradius-krb5 packages, and dropped them onto my system. However, I don't see any documentation that explains how to set up freeradius so that it will take an incoming user request and validate their user id against my KDC. Does someone have documentation on this somewhere, or pointers? Thanks, Quanah -- Quanah Gibson-Mount Principal Software Developer ITSS/Shared Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP segmentation fault
Mike,

I am using RedHat 9.0

This is my gdb output

    [EMAIL PROTECTED] sbin]# gdb
    GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
    Copyright 2003 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux-gnu".
    (gdb) quit

This my ldd output

    libcrypt.so.1 => /lib/libcrypt.so.1 (0x40023000)
    libnsl.so.1 => /lib/libnsl.so.1 (0x4005)
    libresolv.so.2 => /lib/libresolv.so.2 (0x40065000)
    libpthread.so.0 => /lib/tls/libpthread.so.0 (0x40077000)
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x40084000)
    libssl.so.4 => /lib/libssl.so.4 (0x40175000)
    libradius-1.0.0.so => /usr/local/lib/libradius-1.0.0.so (0x401ab000)
    libltdl.so.3 => /usr/lib/libltdl.so.3 (0x401be000)
    libdl.so.2 => /lib/libdl.so.2 (0x401c5000)
    libc.so.6 => /lib/tls/libc.so.6 (0x4200)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
    libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x401c8000)
    libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x401db000)
    libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x4023a000)
    libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x4024a000)
    libz.so.1 => /usr/lib/libz.so.1 (0x4024c000)

Thanks
Baig

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP segmentation fault
On Fri, 2004-09-03 at 16:41, Baig wrote:

Mike, I am using RedHat 9.0. This is my gdb output

Read docs/bugs for more info on how to get proper debugging output from gdb, then post your results again. Thanks.

--
--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
radius accounting
hello

I'm using NTRadPing as a test utility and it works like a charm. I'm wondering, guys, why radius sends, for accounting,

* Accounting-Response

unlike when doing authentication, when it sends

* Access-Accept

What does it mean? I can't really get it. Is it just an initial response, and there is another action that has to come afterward?

Any advice? Thank you very much indeed.
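The distinction the question is getting at is one of packet codes: an Access-Request (code 1) asks for a decision and is answered with Access-Accept (2) or Access-Reject (3), whereas an Accounting-Request (4) only reports a session event and is answered with Accounting-Response (5), which is nothing more than an acknowledgement of receipt. There is no "accounting reject"; a request whose Request Authenticator fails to verify is silently discarded. The following Python script is an added example, not code from the thread or from FreeRADIUS; it builds both kinds of request and reply per RFC 2865/2866, and the shared secret, user names and session id are constructed values. User-Password hiding is omitted because it is irrelevant to the codes being compared.

```python
"""RADIUS request/response codes: authentication vs accounting.

Added example, not from the list thread or FreeRADIUS. Packet layout per
RFC 2865 / RFC 2866; secret, users and session id below are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response"}

USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44   # attribute types
ACCT_STATUS_START = 1


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; ints become 4-byte integers."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, int):
            value = struct.pack(">I", value)
        out += struct.pack("BB", atype, len(value) + 2) + value
    return out


def parse_attr(body, wanted):
    """Return the value of the first attribute of type `wanted`, or None."""
    i = 0
    while i + 2 <= len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2:
            break
        if atype == wanted:
            return body[i + 2:i + alen]
        i += alen
    return None


def build_request(code, ident, secret, attrs):
    """Access-Request: random 16-byte authenticator.
    Accounting-Request: MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack(">BBH", code, ident, 20 + len(body))
    if code == ACCOUNTING_REQUEST:
        auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    else:
        auth = os.urandom(16)   # User-Password hiding omitted in this example
    return header + auth + body


def build_response(code, request, secret, attrs=()):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack(">BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def server_handle(packet, secret, known_users):
    """Minimal server: decide on Access-Requests, acknowledge Accounting-Requests.
    Returns the reply packet, or None where RFC 2866 says to silently discard."""
    code = packet[0]
    body = packet[20:]
    if code == ACCESS_REQUEST:
        # Authentication yields a decision: Accept or Reject.
        user = parse_attr(body, USER_NAME)
        decision = ACCESS_ACCEPT if user in known_users else ACCESS_REJECT
        return build_response(decision, packet, secret)
    if code == ACCOUNTING_REQUEST:
        # Accounting carries no decision: the only reply is an acknowledgement,
        # and a request whose authenticator does not verify is dropped, not rejected.
        expected = hashlib.md5(packet[:4] + b"\x00" * 16 + body + secret).digest()
        if not hmac.compare_digest(expected, packet[4:20]):
            return None
        return build_response(ACCOUNTING_RESPONSE, packet, secret)
    return None


def client_check(response, request, secret):
    """NAS-side check: name the reply code and verify its Response Authenticator,
    so a reply from anyone who does not hold the shared secret is not trusted."""
    if response is None:
        return ("no reply (server discarded the request)", False)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    ok = response[1] == request[1] and hmac.compare_digest(expected, response[4:20])
    return (CODE_NAMES.get(response[0], str(response[0])), ok)


def demo():
    secret = b"testing123"           # constructed shared secret
    users = {b"alice"}               # constructed user database
    auth_req = build_request(ACCESS_REQUEST, 1, secret, [(USER_NAME, b"alice")])
    acct_req = build_request(ACCOUNTING_REQUEST, 2, secret,
                             [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, ACCT_STATUS_START),
                              (ACCT_SESSION_ID, b"0001")])
    forged = acct_req[:4] + bytes(16) + acct_req[20:]   # bad Request Authenticator
    return {
        "auth": client_check(server_handle(auth_req, secret, users), auth_req, secret),
        "acct": client_check(server_handle(acct_req, secret, users), acct_req, secret),
        "forged": client_check(server_handle(forged, secret, users), forged, secret),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Running it shows the three outcomes side by side: the Access-Request gets a verified Access-Accept, the Accounting-Request gets a verified Accounting-Response, and the accounting packet with a bad Request Authenticator gets no reply at all. The Accounting-Response is therefore the whole of the server's answer, not a first step; the NAS only needs to check the Response Authenticator and then stop retransmitting.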
Re: Freeradius and dialup_admin
maybe this will help ...

<?php phpinfo(); ?>
Re: Freeradius and dialup_admin
I have checked php.ini, but I really don't know what I am looking for in there. I don't see any configuration parameter that makes reference to mysql, so I don't know whether that means it is enabled or not.

regards
Herbert.

apellido jr., wilfredo p. wrote:

maybe this will help ...

<?php phpinfo(); ?>
Re: Freeradius and dialup_admin
create a php script with this code ..

<?php phpinfo(); ?>

and this will show if mysql is enabled ...

thanks

- Original Message -
From: Herbert Maosa [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, September 04, 2004 11:22 AM
Subject: Re: Freeradius and dialup_admin

I have checked php.ini, but I really don't know what I am looking for in there. I don't see any configuration parameter that makes reference to mysql, so I don't know whether that means it is enabled or not.

regards
Herbert.

apellido jr., wilfredo p. wrote:

maybe this will help ...

<?php phpinfo(); ?>
