strange parser bug.

2004-09-24 Thread Norguhtar
Hello. I've installed FreeRADIUS 1.0.1 and got a strange config parse bug.
If I use the section from wrong.conf, I get:
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/cakesql.conf
/etc/raddb/radiusd.conf[195]: Unexpected end of file
Errors reading radiusd.conf
If I use the section from right.conf, I get:
/usr/sbin/check-radiusd-config: line 55: 14747 Killed
$sbindir/radiusd -X -p 32768 > startup.log 2>&1
Radius server configuration looks OK.

I don't understand this ;)
PS: Config files attached.

authenticate {
Auth-Type PAP {
pap
}

Auth-Type CHAP {
chap
}

Auth-Type MS-CHAP {
mschap
}

}

authenticate {
Auth-Type PAP { pap }
Auth-Type CHAP { chap }
Auth-Type MS-CHAP { mschap }
}


Re: Problem with nostrip

2004-09-24 Thread George Chelidze

Alan DeKok wrote:
George Chelidze [EMAIL PROTECTED] wrote:
as I haven't specified nostrip directive I thought radius would query 
database with User-Name = 'test' but it uses User-Name = 
'[EMAIL PROTECTED]'.  I looked at debug output and I found that 'test' is 
assigned to Stripped-User-Name, 'localhost' is assigned to Realm but sql 
module still uses [EMAIL PROTECTED] as User-Name.

  Please read sql.conf, and look for sql_user_name
sql_user_name = %{User-Name}
but as I understand, User-Name should be equal to Stripped-User-Name; seems 
I am wrong...

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Best Regards,
--
George Chelidze


Double quoting in sql?

2004-09-24 Thread Oliver Graf
Hi!

I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one
small problem in the sql module: a Username seems to be quoted two
times, first when setting sql_user_name, then when doing the xlat on
the whole query.

Am I just missing a config change? From the sample config I can see no
difference.

Fix: I use %{User-Name} in the queries instead of %{SQL-User-Name}

Config:
sql_user_name = %{User-Name}
authorize_check_query = SELECT id,name,attr,value,op FROM ${authcheck_table} WHERE 
name = '%{SQL-User-Name}' AND kind = 'user' AND type = 'check' ORDER BY id

Debug output:
radius_xlat:  'test=23test'
rlm_sql (sql): sql_set_user escaped user -- 'test=23test'
radius_xlat:  'SELECT id,name,attr,value,op FROM radiususers WHERE name = 
'test=3D23test' AND kind = 'user' AND type = 'check' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 9
rlm_sql_mysql: query:  SELECT id,name,attr,value,op FROM radiususers WHERE name = 
'test=3D23test' AND kind = 'user' AND type = 'check' ORDER BY id
rlm_sql (sql): User test=23test not found in radcheck

Oliver.



EAP-GTC possible outside EAP-PEAP or EAP-TTLS ?

2004-09-24 Thread Geissbühler, Hannes
Hi

is it possible to use EAP-GTC outside EAP-PEAP or EAP-TTLS ?

My idea would be to first authenticate user and pw over eap-md5
and then in a second step to send a GTC challenge and control the
GTC answer.

Anyone has an idea ?

Thank you in advance !



Re: Double quoting in sql?

2004-09-24 Thread Oliver Graf
On Fri, Sep 24, 2004 at 09:39:07AM +0200, Oliver Graf wrote:
 I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one
 small problem in the sql module: a Username seems to be quoted two
 times, first when setting sql_user_name, then when doing the xlat on
 the whole query.
 
 Am I just missing a config change? From the sample config I can see no
 difference.
 
 Fix: I use %{User-Name} in the queries instead of %{SQL-User-Name}

Test Command:
 /usr/bin/radtest test#test test localhost 1 testing123 1 127.0.0.1

 Config:
 sql_user_name = %{User-Name}
 authorize_check_query = SELECT id,name,attr,value,op FROM ${authcheck_table} WHERE 
 name = '%{SQL-User-Name}' AND kind = 'user' AND type = 'check' ORDER BY id
 
 Debug output:
 radius_xlat:  'test=23test'
 rlm_sql (sql): sql_set_user escaped user -- 'test=23test'
 radius_xlat:  'SELECT id,name,attr,value,op FROM radiususers WHERE name = 
 'test=3D23test' AND kind = 'user' AND type = 'check' ORDER BY id'
 rlm_sql (sql): Reserving sql socket id: 9
 rlm_sql_mysql: query:  SELECT id,name,attr,value,op FROM radiususers WHERE name = 
 'test=3D23test' AND kind = 'user' AND type = 'check' ORDER BY id
 rlm_sql (sql): User test=23test not found in radcheck
 
 Oliver.




Re: Double quoting in sql?

2004-09-24 Thread Alexander M. Pravking
On Fri, Sep 24, 2004 at 09:39:07AM +0200, Oliver Graf wrote:
 Hi!
 
 I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one
 small problem in the sql module: a Username seems to be quoted two
 times, first when setting sql_user_name, then when doing the xlat on
 the whole query.

IIRC this behaviour has been here since the SQL-User-Name attribute was handled by
rlm_sql, because it's being escaped twice. Two ways I see:
1. avoid using %{SQL-User-Name} in queries.
2. patch rlm_sql.c::sql_set_user to pass func=NULL to radius_xlat.

However, in the second case, radius_xlat uses its own copy function (xlat_copy),
which has a "FIXME: Do escaping of bad stuff!" comment...


-- 
Fduch M. Pravking



Re: Double quoting in sql?

2004-09-24 Thread Oliver Graf
On Fri, Sep 24, 2004 at 02:31:47PM +0400, Alexander M. Pravking wrote:
 On Fri, Sep 24, 2004 at 09:39:07AM +0200, Oliver Graf wrote:
  Hi!
  
  I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one
  small problem in the sql module: a Username seems to be quoted two
  times, first when setting sql_user_name, then when doing the xlat on
  the whole query.
 
 IIRC this behaviour has been here since the SQL-User-Name attribute was handled by
 rlm_sql, because it's being escaped twice. Two ways I see:
 1. avoid using %{SQL-User-Name} in queries.
 2. patch rlm_sql.c::sql_set_user to pass func=NULL to radius_xlat.

It does not seem that the change which causes this is in rlm_sql.c. I
guess it is to search in variable expansion of main/xlat.c. But I
currently fail to see the change between 0.9.3 and 1.0.1 where this
happened... perhaps I will take a deeper look later.

Oliver.




Re: Free-Radius install on Solaris

2004-09-24 Thread Stefan . Neis
Mitchell, Michael schrieb:
 Hi Steven,
 
 First things to check:
 
 1) Did the eap module/sub modules actually build?
 
 Check the installation lib directory for rlm_eap*. I
 found that using
 the Sun Workshop C compiler, several modules do not build
 as they rely
 on gcc features (in particular zero length arrays).

Also, using gcc to build 1.0.0, I found that using a static build of
OpenSSL that's not installed in a default search path requires running
 CFLAGS=-I/ssl-include-directory LDFLAGS="-L/ssl-lib-dir -lssl -lcrypto" ./configure
as simply using the documented --with-openssl-something switches will
silently fail to find/use OpenSSL and thus silently disable EAP, thanks
to the bad linking order of the checks in configure.

  HTH,
 Stefan



Re: Double quoting in sql?

2004-09-24 Thread Alexander M. Pravking
On Fri, Sep 24, 2004 at 12:39:09PM +0200, Oliver Graf wrote:
 It does not seem that the change which causes this is in rlm_sql.c. I
 guess it is to search in variable expansion of main/xlat.c. But I
 currently fail to see the change between 0.9.3 and 1.0.1 where this
 happened... perhaps I will take a deeper look later.

Hmm... 0.9.3 did escaping for anything except:
@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: =/,
and the default setting of safe-characters is the same now, so the '#'
char should have been escaped in 0.9.3 too. Didn't you patch rlm_sql.c
of 0.9.3 to modify safe char list? ;-)


-- 
Fduch M. Pravking



Re: Double quoting in sql?

2004-09-24 Thread Oliver Graf
On Fri, Sep 24, 2004 at 03:04:56PM +0400, Alexander M. Pravking wrote:
 On Fri, Sep 24, 2004 at 12:39:09PM +0200, Oliver Graf wrote:
  It does not seem that the change which causes this is in rlm_sql.c. I
  guess it is to search in variable expansion of main/xlat.c. But I
  currently fail to see the change between 0.9.3 and 1.0.1 where this
  happened... perhaps I will take a deeper look later.
 
 Hmm... 0.9.3 did escaping for anything except:
 @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: =/,
 and the default setting of safe-characters is the same now, so the '#'
 char should have been escaped in 0.9.3 too. Didn't you patch rlm_sql.c
 of 0.9.3 to modify safe char list? ;-)

Nope. I have a database with test=23test instead of test#test... :)

Oliver.

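The double escaping this thread is chasing, as an added example that is not FreeRADIUS code: a C model of the rlm_sql step that replaces every byte outside a safe list with =XX, applied once (as sql_set_user does) and then a second time (the xlat of a query that references %{SQL-User-Name}), which is how test#test turns into the test=3D23test seen in the debug output above. The safe list is assumed to be the one quoted above without '=', since that output shows '=' itself being encoded; sql_escape, escape_twice and is_escape_stable are this example's own names, not rlm_sql functions.

```c
/* Added example, not FreeRADIUS code: models the rlm_sql "=XX" escaping of
 * unsafe bytes and shows why running it twice corrupts the stored name. */
#include <stdio.h>
#include <string.h>

/* Assumed safe set (the list quoted in the thread, minus '='): bytes not in
 * it, '#' and '=' included, are rewritten as '=' plus two hex digits. */
static const char SAFE_CHARS[] =
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /";

/* One escaping pass: copy `in` to `out` (capacity outlen), encoding unsafe
 * bytes. Returns the number of characters written, or -1 if out is too
 * small to hold the result and its terminating NUL. */
int sql_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        if (strchr(SAFE_CHARS, *in) != NULL) {      /* *in != 0 here */
            if (n + 1 >= outlen) return -1;
            out[n++] = *in;
        } else {
            if (n + 3 >= outlen) return -1;
            /* "=%02X" is the form the debug output shows: '#' -> "=23" */
            n += (size_t)snprintf(out + n, outlen - n, "=%02X",
                                  (unsigned char)*in);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Two passes: once in sql_set_user, once more when the whole query is
 * xlat'ed. Because '=' is itself unsafe, the first pass's "=23" becomes
 * "=3D23" on the second pass. */
int escape_twice(const char *in, char *out, size_t outlen)
{
    char tmp[256];
    if (sql_escape(in, tmp, sizeof tmp) < 0) return -1;
    return sql_escape(tmp, out, outlen);
}

/* Defensive check: 1 if a value is unchanged by escaping (only safe bytes),
 * so a second pass cannot alter it; 0 otherwise. Names with unsafe bytes
 * are exactly the ones a double-escaping lookup will fail to find. */
int is_escape_stable(const char *s)
{
    char once[256];
    if (sql_escape(s, once, sizeof once) < 0) return 0;
    return strcmp(s, once) == 0;
}

int main(void)
{
    char once[256], twice[256];
    sql_escape("test#test", once, sizeof once);
    escape_twice("test#test", twice, sizeof twice);
    printf("once:  %s\ntwice: %s\n", once, twice);
    printf("stable? %d\n", is_escape_stable("test#test"));
    return 0;
}
```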


Proxy accounting problem

2004-09-24 Thread Stephan Jaeger
Hi,
I'm having a proxy problem with newer freeradius versions. While 0.9.2 
as a proxy sends an accounting response for a request which wasn't to be 
proxied and with an empty accounting section (in radiusd.conf), newer 
versions (at least everything >= snapshot 2004/21/06 and >= 1.0.1) just 
ignore the request.
As I'd like to just drop these (administrative) tickets, or better write 
them to a detail file, it would be good just being able to send an 
accounting response, but if I let the detail module on the proxy handle 
this it logs every request, not just the ones that don't get proxied.

Any suggestions?
Regards
Stephan Jaeger


RE: Free-Radius install on Solaris

2004-09-24 Thread Stephen Donovan
Subject: RE: Free-Radius install on Solaris
Date: Fri, 24 Sep 2004 09:49:29 +1000
From: Mitchell, Michael [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Hi Steven,

First things to check:

1) Did the eap module/sub modules actually build?

Check the installation lib directory for rlm_eap*. I found that using
the Sun Workshop C compiler, several modules do not build as they rely
on gcc features (in particular zero length arrays).



That was the problem. When I went over the output from ./configure, I
saw that it was silently not building the eap related modules because
it could not find openssl/ssl.h. I fixed this and both 0.9.3 and 1.0.1
will run. Which brings me to my next problem.

Using 0.9.3 I can get a couple of APs to authenticate to my radius
server, but this does not work under 1.0.1. Since I have a working
version with 0.9.3, I am going to use this and complete the rest of my
network setup and once this is done, I will try and figure out what
has changed between 0.9.3 and 1.0.1.

Thanks for the input.

Stephen Donovan



rlm_eap_tls compilation problem

2004-09-24 Thread Lara Adianto
Hi,

Can anybody help me with the compilation of rlm_eap_tls?

Freeradius version is 0.9.3, latest-snapshot of openssl: openssl-0.9.7-stable-SNAP-20040923.tar.gz

$ LDFLAGS="-L/usr/local/openssl/lib" CPPFLAGS="-I/usr/local/openssl/include" ./configure --localstatedir=/var --sysconfdir=/etc --prefix=/opt

seems that openssl lib and include files are found:
configuring in ./types/rlm_eap_tls
running /bin/sh ./configure --localstatedir=/var --sysconfdir=/etc --prefix=/opt --enable-ltdl-install --cache-file=../../../../.././config.cache --srcdir=.
loading cache ../../../../.././config.cache
checking for gcc... (cached) gcc
checking whether the C compiler (gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -L/usr/local/openssl/lib) works... yes
checking whether the C compiler (gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -L/usr/local/openssl/lib) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for openssl/ssl.h... yes
checking for DH_new in -lcrypto... yes
checking for SSL_new in -lssl... yes
checking how to run the C preprocessor... (cached) gcc -E
But compilation failed...
$ ./make

Making static in rlm_eap_tls...
gmake[8]: Entering directory `/usr/local/freeradius-0.9.3/src/modules/rlm_eap/types/rlm_eap_tls'
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I../../../../include -I../.. -DOPENSSL_NO_KRB5 -c rlm_eap_tls.c -o rlm_eap_tls.o
In file included from rlm_eap_tls.c:27:
eap_tls.h:52:25: openssl/err.h: No such file or directory
eap_tls.h:54:28: openssl/engine.h: No such file or directory
In file included from eap_tls.h:56,
                 from rlm_eap_tls.c:27:
/usr/local/openssl/include/openssl/ssl.h:168:27: openssl/e_os2.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:171:26: openssl/comp.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:174:25: openssl/bio.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:177:26: openssl/x509.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:179:26: openssl/kssl.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:180:31: openssl/safestack.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:181:30: openssl/symhacks.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:316:28: openssl/crypto.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:317:27: openssl/lhash.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:318:28: openssl/buffer.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:319:25: openssl/pem.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:938:26: openssl/ssl2.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:939:26: openssl/ssl3.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:940:71: openssl/tls1.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:941:27: openssl/ssl23.h: No such file or directory
gmake[8]: *** [rlm_eap_tls.o] Error 1
gmake[8]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules/rlm_eap/types/rlm_eap_tls'
gmake[7]: *** [common] Error 1
gmake[7]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules/rlm_eap/types'
gmake[6]: *** [static] Error 2
gmake[6]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules/rlm_eap/types'
gmake[5]: *** [common] Error 1
gmake[5]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules/rlm_eap'
gmake[4]: *** [static] Error 2
gmake[4]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules/rlm_eap'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/usr/local/freeradius-0.9.3/src'
make: *** [all] Error 2

Any idea ?

Thanks.
lara
"Life, you see, is never as good or as bad as one thinks." - Guy de Maupassant

Re: strange parser bug.

2004-09-24 Thread Alan DeKok
Norguhtar [EMAIL PROTECTED] wrote:
 If I use the section from right.conf, I get:
 /usr/sbin/check-radiusd-config: line 55: 14747 Killed  

  Don't run check-radiusd-config.  It won't work in 1.0.x, and should
have been deleted.

  Alan DeKok.




Re: Problem with nostrip

2004-09-24 Thread Alan DeKok
George Chelidze [EMAIL PROTECTED] wrote:
Please read sql.conf, and look for sql_user_name
 
 sql_user_name = %{User-Name}
 
 but as I understand, User-Name should be equal to Stripped-User-Name; seems 
 I am wrong...

  No.  They are different attributes.

  Go back and read the REST of sql.conf, and KEEP LOOKING for
sql_user_name.  There are instructions in the comments which tell
you how to solve your problem.

  Alan DeKok.




Re: Double quoting in sql?

2004-09-24 Thread Alan DeKok
Oliver Graf [EMAIL PROTECTED] wrote:
 I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one
 small problem in the sql module: a Username seems to be quoted two
 times, first when setting sql_user_name, then when doing the xlat on
 the whole query.
 
 Am I just missing a config change? From the sample config I can see no
 difference.

  I spent some time fixing xlat.c, so that it would only quote things
ONCE.  The issue I saw was escaping of backslashes, and doing:

  User-Name = DOMAIN\\user
  Filter-Id = %{User-Name}

  would get Filter-Id = DOMAINuser, which is wrong.

  That *shouldn't* have affected anything else.

 Debug output:
 radius_xlat:  'test=23test'

  Something is escaping '#' to '=23', probably in the SQL module.

  Alan DeKok.



Re: EAP-GTC possible outside EAP-PEAP or EAP-TTLS ?

2004-09-24 Thread Alan DeKok
Geissbühler, Hannes [EMAIL PROTECTED] wrote:
 is it possible to use EAP-GTC outside EAP-PEAP or EAP-TTLS ?

  Yes.  But it hasn't been well tested.

 My idea would be to first authenticate user and pw over eap-md5
 and then in a second step to send a GTC challenge and control the
 GTC answer.

  That won't work.  EAP has the wireless client contact the server.
It's impossible for the server to contact the client, and send an
EAP-GTC challenge.

  Alan DeKok.




Re: Proxy accounting problem

2004-09-24 Thread Alan DeKok
Stephan Jaeger [EMAIL PROTECTED] wrote:
 I'm having a proxy problem with newer freeradius versions. While 0.9.2 
 as a proxy sends an accounting response for a request which wasn't to be 
 proxied and with an empty accounting section (in radiusd.conf), newer 
 versions (at least everything >= snapshot 2004/21/06 and >= 1.0.1) just 
 ignore the request.

  Yes.  That's because the accounting section returns noop, which
means nothing was done with the packet, which means it wasn't
accounted for, and the server shouldn't respond.

 As I'd like to just drop these (administrative) tickets, or better write 
 them to a detail file, it would be good just being able to send an 
 accounting response, but if I let the detail module on the proxy handle 
 this it logs every request, not just the ones that don't get proxied.

  The simplest way to fix this would be to configure rlm_detail to use
the realm name for the detail file:

  detailfile = /detail-%{Realm:-LOCAL}

  You will get a detail file per realm, and another detail file
containing only local requests.

  Alan DeKok.
  



Re: rlm_eap_tls compilation problem

2004-09-24 Thread Alan DeKok
Lara Adianto [EMAIL PROTECTED] wrote:
 anybody can help me with the compilation of rlm_eap_tls ?
  
 Freeradius version is 0.9.3, latest-snapshot of openssl: 
 openssl-0.9.7-stable-SNAP-20040923.tar.gz

  Why are you using 0.9.3?  Use 1.0.1

  Alan DeKok.



Re: Problem with nostrip

2004-09-24 Thread George Chelidze
Hello Alan,
Alan DeKok wrote:
George Chelidze [EMAIL PROTECTED] wrote:
 Please read sql.conf, and look for sql_user_name
sql_user_name = %{User-Name}
but as I understand, User-Name should be equal to Stripped-User-Name; seems 
I am wrong...

  No.  They are different attributes.
I know they are different, and I think you mean to use
sql_user_name = %{Stripped-User-Name:-%{User-Name:-DEFAULT}}
instead of
sql_user_name = %{User-Name}
The only thing I don't understand in this case is the following comments 
from proxy.conf

#  A standard realm entry. A request from [EMAIL PROTECTED] will be
#  sent to radius.company.com as user, unless the 'nostrip'
#  configuration item is specified.  If the 'nostrip' configuration
#  item is specified, then the request will be proxied as
#  [EMAIL PROTECTED]
doesn't that mean that User-Name which is [EMAIL PROTECTED] before 
proxying will became test in proxy request?

  Go back and read the REST of sql.conf, and KEEP LOOKING for
sql_user_name.  There are instructions in the comments which tell
you how to solve your problem.
  Alan DeKok.

Best Regards,
--
George Chelidze


Re: Free-Radius install on Solaris

2004-09-24 Thread Mike Markowski
On Fri 24-Sep-04 at 1032 EDT, Alan DeKok wrote:
 Stephen Donovan [EMAIL PROTECTED] wrote:
  Check the installation lib directory for rlm_eap*. I found that using
  the Sun Workshop C compiler, several modules do not build as they rely
  on gcc features (in particular zero length arrays).
 
   Can you say which files?
 
   I can't see any examples of that.

I think this was the only one of those we ran into on Solaris:

src/modules/rlm_passwd/rlm_passwd.c, line 33 (in v1.0.1), var 'field':

   struct mypasswd {
       struct mypasswd *next;
       char *listflag;
       char *field[0];
   };

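The rlm_passwd portability problem above, as an added example that is not rlm_passwd code: the same record written with a C99 flexible array member instead of the GCC zero-length array, together with the sizing, fill and lookup logic a trailing array like field[] needs. mypasswd_alloc, mypasswd_push, mypasswd_find and the ':'-splitting behaviour are this example's assumptions, not the module's parser.

```c
/* Added example, not rlm_passwd code: the struct mypasswd layout from the
 * thread with a C99 flexible array member, which compilers that reject the
 * GCC-only 'char *field[0]' accept. */
#include <stdlib.h>
#include <string.h>

struct mypasswd {
    struct mypasswd *next;
    char *listflag;
    char *field[];   /* C99 flexible array member; the page's field[0] is the GCC spelling */
};

/* Allocate one record with room for nfields pointers plus a private copy of
 * line, then split the copy on ':' into field[0..nfields-1]. Fields the line
 * does not supply point at an empty string; text after the nfields-th ':'
 * is dropped. Returns NULL on allocation failure. (Assumed helper.) */
struct mypasswd *mypasswd_alloc(const char *line, size_t nfields)
{
    size_t len = strlen(line);
    /* sizeof *p does not count the flexible member: add the pointer array
     * and the string storage explicitly, all in one allocation. */
    struct mypasswd *p = malloc(sizeof *p + nfields * sizeof(char *) + len + 1);
    if (p == NULL) return NULL;
    p->next = NULL;
    p->listflag = NULL;

    char *buf = (char *)(p->field + nfields);   /* bytes right after the array */
    memcpy(buf, line, len + 1);

    size_t i = 0;
    char *cur = buf;
    while (i < nfields) {
        p->field[i++] = cur;
        char *sep = strchr(cur, ':');
        if (sep == NULL) break;                  /* line ran out of delimiters */
        *sep = '\0';
        cur = sep + 1;
    }
    for (; i < nfields; i++) p->field[i] = buf + len;   /* points at "" */
    return p;
}

/* Push a record onto the singly linked list headed by *head. */
void mypasswd_push(struct mypasswd **head, struct mypasswd *rec)
{
    rec->next = *head;
    *head = rec;
}

/* First record whose field[keyidx] equals key, or NULL. Every record in the
 * list must have been allocated with nfields > keyidx. */
struct mypasswd *mypasswd_find(struct mypasswd *head, size_t keyidx, const char *key)
{
    for (; head != NULL; head = head->next)
        if (strcmp(head->field[keyidx], key) == 0) return head;
    return NULL;
}

/* Release every record in the list. */
void mypasswd_free_all(struct mypasswd *head)
{
    while (head != NULL) {
        struct mypasswd *next = head->next;
        free(head);
        head = next;
    }
}
```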


eap-smartcard

2004-09-24 Thread Nelson Murilo

Hi,

Does somebody know if freeradius has (plans for) support for this:
http://ietfreport.isoc.org/ids/draft-urien-eap-smartcard-06.txt


Thanks,

./nelson -murilo





Re: Proxy accounting problem

2004-09-24 Thread Stephan Jaeger
Hi,

thanks for your fast answer.

On Fri, 2004-09-24 at 10:29 -0400, Alan DeKok wrote:
 Stephan Jaeger [EMAIL PROTECTED] wrote:
  I'm having a proxy problem with newer freeradius versions. While 0.9.2 
  as a proxy sends an accounting response for a request which wasn't to be 
  proxied and with an empty accounting section (in radiusd.conf), newer 
  versions (at least everything >= snapshot 2004/21/06 and >= 1.0.1) just 
  ignore the request.
 
   Yes.  That's because the accounting section returns noop, which
 means nothing was done with the packet, which means it wasn't
 accounted for, and the server shouldn't respond.

That makes sense :)

  As I'd like to just drop these (administrative) tickets, or better write 
  them to a detail file, it would be good just being able to send an 
  accounting response, but if I let the detail module on the proxy handle 
  this it logs every request, not just the ones that don't get proxied.
 
   The simplest way to fix this would be to configure rlm_detail to use
 the realm name for the detail file:
 
   detailfile = /detail-%{Realm:-LOCAL}
 
   You will get a detail file per realm, and another detail file
 containing only local requests.

But it's not possible to get only one detail file with the local
tickets? Currently the detail files are written on the home servers not
on the proxy server.

Regards

Stephan Jaeger




Re: Free-Radius install on Solaris

2004-09-24 Thread Alan DeKok
Mike Markowski [EMAIL PROTECTED] wrote:
 I think this was the only one of those we ran into on Solaris:
 
 src/modules/rlm_passwd/rlm_passwd.c, line 33 (in v1.0.1), var 'field':

  Fixed, thanks.

  Alan DeKok.



Re: Proxy accounting problem

2004-09-24 Thread Alan DeKok
Stephan Jaeger [EMAIL PROTECTED] wrote:
 But it's not possible to get only one detail file with the local
 tickets?

  Yes.  You can set Acct-Type for the non-proxied requests, and have a
sub-section of accounting{}, with that Acct-Type, and put detail
inside of it.

  Alan DeKok.



Re: Proxy accounting problem

2004-09-24 Thread Stephan Jaeger
On Fri, 2004-09-24 at 11:10 -0400, Alan DeKok wrote:
 Stephan Jaeger [EMAIL PROTECTED] wrote:
  But it's not possible to get only one detail file with the local
  tickets?
 
   Yes.  You can set Acct-Type for the non-proxied requests, and have a
 sub-section of accounting{}, with that Acct-Type, and put detail
 inside of it.

Great, works like a charm, thanks a lot.

Regards

Stephan Jaeger




accounting errors with pppd

2004-09-24 Thread Marco C. Coelho
I got darkness on this question Thursday, thought I'd give it another 
try today??

We are running freeradius 1.0.0 on an AMD box.  We are authenticating 
PPP sessions on the local machine.

PPP Users are getting authenticated and allowed through the box: 
however, when the PPP session goes down PPP is not clearing them in 
RadAcct.  They are allowed back in, and a radwho shows two sessions 
for the same user, but a ps on the system only shows the current 
actually up connection.

I have the same version of freeradius running on another box talking 
to Portmasters and 6096 boxes with no issues.  It's only when it's 
authenticating PPP.

Any thoughts or hints would be appreciated.
Other Data:
Mandrake 10.0 with all security patches
Marco scratching his head.




Re: Wireless Network

2004-09-24 Thread Dean Michaels
You can use a wireless access point that supports 802.1q. I know that 
the HP J8130A WAP 420 supports this, and I believe the Ciscos and some 
3Com do as well.

Assign your private network users some additional attributes. For 
example, the following 3 additional attributes will direct the WAP to 
tunnel your private network users to VLAN# 20.

Tunnel-Private-Group-Id: 20
Tunnel-Medium-Type: 802
Tunnel-Type: VLAN
Users who don't get these attributes will be on the default (internet 
connected) vlan for the AP. Check dictionary.tunnel for more information.

Or you can set it up in reverse, depending on your needs. If you want 
unauthenticated wireless users stuck on a private network (not Internet 
connected), set that VLAN as the default for the AP. In this case, only 
authenticated users get tunneled on to the internet connected VLAN 20.

Or you can set up the AP to require authentication and tunnel individual 
users to their specified VLAN.

Dean.
[EMAIL PROTECTED] wrote:
Hi all and thanks for the answers,
I'll explain in a better way.
I would like to have:
a user A who can access to Internet with username A and password A (and
that's ok, it works); a user B who can access to Private Network (no 
Internet) with username B and password B. Both connecting to the same AP.
Both users have a pc with a wireless card.

The AP (Colubris) is connected to Private Network through cabled LAN 
where the Radius works and the Private Network is connected to 
Internet.

I tried in different ways and I read quiet all docs, but nobody seems to
have this problem.
Maybe there's no solution with one AP.
Thanks



Re: accounting errors with pppd

2004-09-24 Thread Alan DeKok
Marco C. Coelho [EMAIL PROTECTED] wrote:
 I got darkness on this question Thursday, thought I'd give it another 
 try today??

  It's a problem with PPPd.  Nothing you do to FreeRADIUS can fix it.

  Alan DeKok.



Re: raddump RADIUS packet analyzer

2004-09-24 Thread Alan DeKok
Jonathan Moore [EMAIL PROTECTED] wrote:
 I'd like to announce the availability of the raddump RADIUS packet 
 analyzer which may be useful for debugging your RADIUS infrastructure. 
 Please see the project homepage at 
 https://sourceforge.net/projects/raddump/ for more details.

  Doesn't tcpdump decode RADIUS packets?

  Or, what benefits do people gain by using raddump, over tcpdump?

  Alan DeKok.



Re: eap-smartcard

2004-09-24 Thread Mohamad Badra
Nelson, maybe this link help you,
http://www.infres.enst.fr/~urien/security/
Badra



Re: Segfault in radrelay on FR 1.0.1

2004-09-24 Thread Alan DeKok
Kevin Bonner [EMAIL PROTECTED] wrote:
 I sent radrelay a TERM and saw that there were a few records left in the
 detail file that needed to be pushed.  Installed version 1.0.1, and radrelay
 kept segfaulting when trying to start.  Running through gdb, I tracked it
 down to an invalid entry in the radrelay detail file.

  What part of radrelay failed?  Is there a patch to fix the problem?

  The entry it died on was:
 
  Framed-Protocol = MP
 
 Looks like version 1.0.1 changed some of the Framed-Protocol values in
 dictionary.ascend.  MP changed to Ascend-MP.

  Yes.  There were multiple conflicting attributes  values, which
were cleaned up.

  Alan DeKok.



Re: raddump RADIUS packet analyzer

2004-09-24 Thread Jonathan Moore
Ah, you are right -- tcpdump does decode them (I hadn't realized this 
when I wrote raddump).

If I may say so, though, having just looked at tcpdump's output, it 
doesn't decode them in a way that's particularly easy to read. That's 
clearly a matter of taste.

Fortunately, raddump is pretty easy to combine with tcpdump in a 
pipeline:

$ tcpdump -s 1500 -w - udp port 1812 | raddump -v
So I would encourage people to try it out to see if they like it. And 
furthermore to provide feedback!

Future releases of raddump will also let people specify customized 
dictionaries for additional attributes (for example, here at UPenn, we 
make use of our own VSAs for certain applications).

Finally, raddump also supports snoop packet capture, for those Solaris 
folks out there.

Jon
On Sep 24, 2004, at 2:19 PM, Alan DeKok wrote:
Jonathan Moore [EMAIL PROTECTED] wrote:
I'd like to announce the availability of the raddump RADIUS packet
analyzer which may be useful for debugging your RADIUS infrastructure.
Please see the project homepage at
https://sourceforge.net/projects/raddump/ for more details.
  Doesn't tcpdump decode RADIUS packets?
  Or, what benefits do people gain by using radddump, over tcpdump?
  Alan DeKok.

--
Jon Moore
ISC Networking  Telecommunications
University of Pennsylvania


Secret as variable

2004-09-24 Thread Zdenek Svarc
Hello,

has Secret its variable? Alan DeKok wrote that every available
variable is shown by freeradius -x, but User-Password (as well as
Secret?) is not shown in debug. Maybe because of security. I also read
doc/variables.txt and it looks like not.

Regards,

Zdenek Svarc



no User-Password attribute with Digest

2004-09-24 Thread Darren Bentley
Hello,

I'm setting up a SER (sip express router) box. I've got FreeRadius 0.9.3
using MySQL for the backend.

I've uncommented the digest lines in the radiusd.conf file and appended
the dictionary.ser to the main dictionary file.

Here are my tables:

radcheck:

UserName: [EMAIL PROTECTED]
Attribute: User-Password
op: ==
Value: test

radgroupcheck:

GroupName: phone
Attribute: Auth-Type
op: :=
Value: Digest

usergroup:
UserName: [EMAIL PROTECTED]
GroupName: phone

So when I try to register my SIP Phone I get this in the radius log:

rad_recv: Access-Request packet from host 127.0.0.1:38555, id=31, length=249
User-Name = [EMAIL PROTECTED]
Digest-Attributes = \n\006test
Digest-Attributes = \001\02010.10.50.52
Digest-Attributes = \002*41547685a3d48602db4cca03c745d46c0c7fe0f9
Digest-Attributes = \004\024sip:10.10.50.52
Digest-Attributes = \003\nREGISTER
Digest-Response = 2badc7fccc223775a7bc12cbacca4a68
Service-Type = Sip-Session
Sip-URI-User = test
Cisco-AVPair = [EMAIL PROTECTED]
NAS-IP-Address = 127.0.0.1
NAS-Port-Id = 5060
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  modcall[authorize]: module eap returns noop for request 2
rlm_digest: Converting Digest-Attributes to something sane...
Digest-User-Name = test
Digest-Realm = 10.10.50.52
Digest-Nonce = 41547685a3d48602db4cca03c745d46c0c7fe0f9
Digest-URI = sip:10.10.50.52
Digest-Method = REGISTER
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module digest returns ok for request 2
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module sql returns ok for request 2
rlm_realm: Looking up realm 10.10.50.52 for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm DEFAULT
rlm_realm: Adding Stripped-User-Name = test
rlm_realm: Proxying request from user test to realm DEFAULT
rlm_realm: Adding Realm = DEFAULT
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 2
  modcall[authorize]: module files returns notfound for request 2
  modcall[authorize]: module mschap returns noop for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type Digest
auth: type digest
modcall: entering group authenticate for request 2
A1 = test:10.10.50.52:test
A2 = REGISTER:sip:10.10.50.52
KD = 4d384009e03edfce7bab0866e13fab7f:41547685a3d48602db4cca03c745d46c0c7fe0f9:87ed77f9f0c3af1df63cd35c7ccd110c
  modcall[authenticate]: module digest returns ok for request 2
modcall: group authenticate returns ok for request 2
Login OK: [EMAIL PROTECTED]/no User-Password attribute] (from client localhost port 5060)
Sending Access-Accept of id 31 to 127.0.0.1:38555
Finished request 2
Going to the next request

-

I'm not sure why it's saying Login OK? It just keeps repeating this
over and over again.

Any ideas why I get the no User-Password attribute message?

Thanks,

- Darren


Re: accounting errors with pppd

2004-09-24 Thread Stefan . Neis
Hi,

  PPP Users are getting authenticated and allowed through the box:
  however, when the PPP session goes down PPP is not clearing them in
  RadAcct.  They are allowed back in, and a radwho shows two sessions
  for the same user, but a ps on the system only shows the current
  actually up connection.

Maybe pppd is not sending accounting packets at all? Try to find out
what's in the accounting packets (if there are any) on logon and logoff
and compare them...

HTH,
Stefan


