Advice needed (Acct-Session-Id vs. User-Name)

2004-10-27 Thread Roman Suzi

Hi,

I need some advice. One of my colleagues suggested dropping User-Name
for accounting purposes to avoid realm clashes (when CISCO
drops realms in some cases).

He suggests storing Acct-Session-Id at authorisation and
then restoring User-Name at the accounting stop event to do the accounting.

He claims it's more accurate than relying on User-Name.

As this is a completely novel idea, I'd like to know the community's opinion.
Thank you!

Sincerely yours, Roman A.Suzi
-- 
 - Petrozavodsk - Karelia - Russia - mailto:[EMAIL PROTECTED] -


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
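The scheme Roman's colleague proposes, correlating accounting on the session rather than on the name, as an added example that is not part of the thread and not FreeRADIUS code. It assumes the NAS sends Acct-Session-Id in the Access-Request (Cisco IOS does; other NAS types may not), and that Acct-Session-Id is unique only per NAS, so the lookup key is the pair (NAS-IP-Address, Acct-Session-Id). The packets are constructed samples; the first two accounting records show the realm-dropping case from the question.

```python
"""Correlate accounting Stop records with the user that was authorised,
keyed on (NAS-IP-Address, Acct-Session-Id) instead of User-Name.

Added example for the thread above, not FreeRADIUS code. Assumption: the
NAS includes Acct-Session-Id in the Access-Request (Cisco IOS does).
"""
from collections import defaultdict

# Constructed sample Access-Requests (attribute name -> value).
AUTH_REQUESTS = [
    {"User-Name": "roman@example.org", "NAS-IP-Address": "10.0.0.1", "Acct-Session-Id": "0000001A"},
    {"User-Name": "anna@other.net", "NAS-IP-Address": "10.0.0.1", "Acct-Session-Id": "0000001B"},
    # Same Acct-Session-Id as roman's session, but on a different NAS.
    {"User-Name": "anna@other.net", "NAS-IP-Address": "10.0.0.2", "Acct-Session-Id": "0000001A"},
]

# Constructed sample Accounting-Requests. In the first two the NAS dropped
# the realm, so User-Name no longer matches what was authorised.
ACCT_RECORDS = [
    {"Acct-Status-Type": "Start", "User-Name": "roman", "NAS-IP-Address": "10.0.0.1",
     "Acct-Session-Id": "0000001A"},
    {"Acct-Status-Type": "Stop", "User-Name": "roman", "NAS-IP-Address": "10.0.0.1",
     "Acct-Session-Id": "0000001A", "Acct-Session-Time": 600},
    {"Acct-Status-Type": "Stop", "User-Name": "anna", "NAS-IP-Address": "10.0.0.1",
     "Acct-Session-Id": "0000001B", "Acct-Session-Time": 120},
    {"Acct-Status-Type": "Stop", "User-Name": "anna@other.net", "NAS-IP-Address": "10.0.0.2",
     "Acct-Session-Id": "0000001A", "Acct-Session-Time": 30},
    # A Stop for a session no Access-Request was seen for (e.g. the RADIUS
    # server restarted and lost its map): flagged, not silently billed.
    {"Acct-Status-Type": "Stop", "User-Name": "ghost", "NAS-IP-Address": "10.0.0.3",
     "Acct-Session-Id": "00000099", "Acct-Session-Time": 10},
]


def session_key(packet):
    """Acct-Session-Id is only unique per NAS, so qualify it with the NAS address."""
    return (packet["NAS-IP-Address"], packet["Acct-Session-Id"])


class SessionMap:
    """Remembers which User-Name was authorised for each NAS session."""

    def __init__(self):
        self._by_session = {}

    def on_authorize(self, access_request):
        self._by_session[session_key(access_request)] = access_request["User-Name"]

    def on_stop(self, acct_request):
        # pop(): a NAS may reuse the id after a reboot, so an entry must not
        # outlive its session.
        return self._by_session.pop(session_key(acct_request), None)


def account_by_session(auth_requests, acct_records):
    """Return (seconds per authorised user, unmatched Stop records)."""
    sessions = SessionMap()
    for req in auth_requests:
        sessions.on_authorize(req)
    totals = defaultdict(int)
    unmatched = []
    for rec in acct_records:
        if rec["Acct-Status-Type"] != "Stop":
            continue
        user = sessions.on_stop(rec)
        if user is None:
            unmatched.append(rec)
            continue
        totals[user] += int(rec["Acct-Session-Time"])
    return dict(totals), unmatched


def account_by_username(acct_records):
    """The naive approach: trust User-Name as the NAS sent it in the Stop."""
    totals = defaultdict(int)
    for rec in acct_records:
        if rec["Acct-Status-Type"] == "Stop":
            totals[rec["User-Name"]] += int(rec["Acct-Session-Time"])
    return dict(totals)


if __name__ == "__main__":
    print("by User-Name:", account_by_username(ACCT_RECORDS))
    by_session, unmatched = account_by_session(AUTH_REQUESTS, ACCT_RECORDS)
    print("by session  :", by_session)
    print("unmatched   :", [session_key(r) for r in unmatched])
```

Keyed by name, "roman" and "roman@example.org" become two different customers and anna's two sessions land on two names; keyed by session they are billed to the user that was actually authorised. The "ghost" record shows the cost of the approach: a Stop can arrive hours after the Access-Request, so in a real deployment the map has to live in a table rather than in memory, and a Stop with no matching entry needs an explicit fallback (the raw User-Name, or an alert) rather than being dropped.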


Re: RADIUS configuration

2004-10-27 Thread Dana Hudes
On Thursday 28 October 2004 00:54, rajesh wrote:
> HI
> I am facing some problem in configuring RADIUS clients. I am having 2
> REDHAT LINUX (9.0, 2.4 kernel) machines. On one machine i installed FREE
> RADIUS 1.0.1 and is working fine with local host address. How to make it
> accept requests from other machines (linux only). When i am executing RADTEST
> command from other machines this machine is saying that COMMAND not
> found

that means that for whatever reason radtest is either not in your path or not 
installed. Try /usr/local/bin/radtest and /usr/bin/radtest; those are likely 
places.  Next is having your radtest send RADIUS packets to a non-local 
RADIUS server. This is no problem. Did you perhaps try to RTFM? You know,
man radtest

and you will see there the command line which includes radius-server, so for 
that just fill in the name of the host that's the server.

If you can't get this working and you want someone to patiently hold your hand
and walk you through it in real-time, you can engage my professional services 
for this. I run freeradius in support of a dial-up ISP (GuyanaNet) who is a 
consulting client of mine.



> Obviously it has to say like that only. One thing we can make is add
> this machine in RADIUS CLIENTS.CONF file. But how to make requests from
> other machines.
> I gone through RADIUS FAQ. In debugging chapter it is mentioned that after
> local host configuration go for making some other machine making
> requests. But nothing more than that explanation is given. And forgot to say
> I am very new to Linux and RADIUS too. Please somebody respond urgently.
> Thanks & Regards




RADIUS configuration

2004-10-27 Thread rajesh




HI 
I am facing some problem in configuring RADIUS clients. I 
am having 2 REDHAT LINUX (9.0, 2.4 kernel) machines. On one machine i installed 
FREE RADIUS 1.0.1 and is working fine with local host address. How to make 
it accept requests from other machines (linux only). When i am executing RADTEST 
command from other machines this machine is saying that COMMAND not 
found. Obviously it has to say like that only.
One thing we can make is add this machine in RADIUS 
CLIENTS.CONF file.
But how to make requests from other machines.
I gone through RADIUS FAQ. In debugging chapter it is mentioned 
that after local host configuration go for making some other machine making 
requests. But nothing more than that explanation is given. And forgot to 
say I am very new to Linux and RADIUS too.
Please somebody respond urgently.
Thanks & Regards



Re: Exec-Program-Wait question and rlm_exec

2004-10-27 Thread Paul Hampson
On Tue, Oct 26, 2004 at 05:17:57PM +0300, Kostas Zorbadelos wrote:
> On Tue, Oct 26, 2004 at 10:20:48AM -0400, Alan DeKok wrote:
> > Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > > First of all I have a question for Exec-Program-Wait. I need to run an
> > > external C program that expects in its environment a proper
> > > LD_LIBRARY_PATH to run. I followed the obvious solution of using a
> > > wrapper bash shell script, that sets the environment and calls the C
> > > program via exec. Can I avoid this?

> >   No.

> >   I'd suggest adding a patch to rlm_exec, so that it can take a
> > configuration directive for LD_LIBRARY_PATH, and maybe others.

> > > The second thing I want to bring up again is the rlm_exec module. Back
> > > in September (thread rlm_exec vs Exec-Program-Wait attribute)
> > > summarized in
> > > http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00161.html,  
> > > a set of changes to rlm_exec were proposed to also handle the case of
> > > having attributes in access-reject.
> > > Are these changes going to be accepted finally and if so in which
> > > version?

> >   Probably, but I haven't had time to look over them yet.  If
> > sufficient people use the patch and like it, it can be added.

> Actually the conversation in that thread ended by mentioning the ideas
> rlm_exec should follow. I didn't see any patch that implemented
> them. If there is such a patch please direct me to it and I
> will test it.

My patch was here:
http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00132.html
and the conversation suggested the following changes:

Return RLM_MODULE_OK when result ==0 and RLM_MODULE_FAIL when result >
RLM_MODULE_NUMCODES

Change "return 1" in src/main/exec.c line 390 to "return 2" so a failed
execute returns RLM_MODULE_FAIL rather than RLM_MODULE_REJECT. (As
suggested above the patch.)

The disadvantage of my patch is that the values returned are actually
one higher than the values in the header (eg 1-based instead of 0-based)
I did this so that programs returning 0 (The normal case) wouldn't
suddenly start failing. And I'm not happy about it, but cannot see a
better way. (If only FreeRADIUS defined RLM_MODULE_OK as 0... =^_^=)

I'm sorry, but I've not had a chance to either commit it or even give it
a thorough testing. It's a simple enough patch that I feel it is already
correct, but I'll not commit it myself until someone uses it and gives a
report that it works OK. (The use to which I intended to put it myself
is now on hold, pending business decisions. And it'll need the new-type
SQL group handling support too, and I can't recall if that's gone in yet
either. >_<)

-- 
Paul "TBBle" Hampson, on an alternate email client.



Re: Exec-Program output: freeradius not reading response?

2004-10-27 Thread Paul Hampson
On Tue, Oct 26, 2004 at 02:54:45PM -0700, Nate M wrote:
> > 
> > I've done some troubleshooting of my own, and unsure if this is helpful or
> > not, but the process appears to be hanging indefinitely until cleaned up
> > within this section of threads.c (beginning line 1141).  The line in
> > particular it hangs on is the "rcode = ..." line.  I am not enough of a C
> > guru to know where to go from here though.
> > 
> > re_wait:
> > rcode = sem_wait(&forkers[found].child_done);
> > if ((rcode != 0) && (errno == EINTR)) {
> > goto re_wait;
> > }
> > }

> > Your time and help in troubleshooting this has been greatly appreciated!
> > =)

> Additionally.. I just compiled 2.4.27 kernel on this machine and the problem
> stops.  2.6.5, 2.6.8.1 and 2.6.9 all vomit.  2.6 bug perhaps?

Hmm. It might be an NPTL issue... Try setting the following environment
variable for FreeRADIUS and see if that fixes it:
LD_ASSUME_KERNEL=2.4.1
(This _should_ make it run with LinuxThreads, rather than NPTL.)

(See http://people.redhat.com/drepper/assumekernel.html for details of
what LD_ASSUME_KERNEL does.)

-- 
Paul "TBBle" Hampson, on an alternate email client.



Segmentation fault when using postgres for accounting

2004-10-27 Thread Capital
 
Dear folks,

Just wondering if someone can help me. I'm using freeradius 1.01 and
Postgres 7.4.5 for accounting. (On Fedora Core2)

The NAS is a VoIP SIP server. I've tested that everything works fine with a flat
file, but when I use postgres I get a segmentation fault and the radius server
drops out when a caller calls. I've installed another radius server to try
and get the same response.

Any help would be most appreciated!

William Mak.

Here's an extract of radius-X:
-

[EMAIL PROTECTED] root]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/postgresql.conf
Config:   including file: /etc/raddb/pgsql-voip.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/local/lib:/opt/package/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib:/opt/package/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded SQL
 sql: driver = "rlm_sql_postgresql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "root"
 sql: password = "glide6432alex"
 sql: radius_db = "radius"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgroupreply"
 sql: usergroup_table = "usergroup"
 sql: nas_table = "nas"
 sql: dict_table = "dictionary"
 sql: sqltrace = yes
 sql: sqltracefile = "/var/log/radius/sqltrace.sql"
 sql: readclients = no
 sql: delete

exec and multiline paras

2004-10-27 Thread Jev
When receiving the following request (below), I want to invoke an 
external script and pass %{Sip-Uri-User} as a command line argument, but 
all I get is the first line "\n\0068668". I'm looking for an 
alternative, but so far no good. Is there any way to get the request fed 
to my script via stdin? Or am I failing to see something simple?

Thanks,
-Jev
rad_recv: Access-Request packet from host 127.0.0.1:33664, id=77, length=273
User-Name = "[EMAIL PROTECTED]"
Sip-Uri-User = "\n\0068668"
Sip-Uri-User = "\001\027example.com"
Sip-Uri-User = "\002*41801109cc2d3e93d34ba9c546759aaabf5aa31c"
Sip-Uri-User = "\004 sip:[EMAIL PROTECTED]"
Sip-Uri-User = "\003\010INVITE"
Sip-Uri-User = "5a3c53c22b664a1e3b3ddaaab0ad93e5"
Service-Type = Sip-Session
Sip-Uri-User = "8668"
Cisco-AVPair = "[EMAIL PROTECTED]"
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060


Re: problem authing via LDAP

2004-10-27 Thread Alan DeKok
"Scott J. Wolke" <[EMAIL PROTECTED]> wrote:
> Trying to get things working here. I've successfully authenticated 
> Win XP using PEAP with a local test acct and am now trying to 
> authenticate against LDAP.  I can't get past the users files calling for 
> LDAP.  I keep getting the following error. 
...
>   ERROR: Unknown value specified for Auth-Type.  Cannot perform 
> requested action.

  It looks like you didn't configure the server to use the ldap module.

...
> EAP-Message = 0x0202000b01576f6c6b6573

  And the client is using EAP.  "Auth-Type := LDAP" will NEVER WORK.

  List "ldap" in the "authorize" section.  It's already there, just
un-comment it.

  And DON'T set "Auth-Type := LDAP".

  Alan DeKok.



Re: problem authenticating to passwd/shadow files

2004-10-27 Thread Stefan . Neis
Hi,

> once the traffic has gotten to the endpoint I would think (stepping out on a
> limb here) that I am dealing with a decrypted stream of traffic and whatever
> hash was completed on the client to the password.  So, if I tell the client
> to use mschapv2, to hash the password, then I would be able to tell
> freeradius to do that to "un-hash" it.

I wonder what has been so unclear about my original posting.
Once the password has been obfuscated (either by e.g. MD5 or DES, i.e.
Unix hash or by CHAP or MS-CHAP), there is _no_possibility_at_all_to_
_get_back_to_the_original_password!
It's impossible in theory and in practice (unless you're willing to
spend a couple of CPU-years on brute force attacks or the password
was a particularly bad one which can be cracked by a dictionary
attack, but even then, it's typically going to take at least some
hours to get them).

You can _either_ send the clear text password over the (possibly encrypted)
connection (using PAP) [then you can "obfuscate" the password according
to your system's needs and see if the obfuscated password matches the
one stored on your system] _or_ you can send "obfuscated" passwords
((MS-)CHAP) [then you have to have the clear-text password stored on
your server, so it can obfuscate the clear-text password and see
if that matches the obfuscated password].
There is no way you can have both the transferred password and the
stored password obfuscated, as then it's impossible to compare them.

Regards,
Stefan
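The two-way choice Stefan lays out, as an added example that is not part of the thread and not FreeRADIUS code. It models a server whose credential store holds a password either in the clear or as a salted hash, and which receives the password either via PAP (the cleartext User-Password) or via CHAP (CHAP-Challenge plus the response from CHAP-Password). The CHAP response follows RFC 1994, MD5(Identifier || Secret || Challenge); the PBKDF2 store format and the entry/request dictionaries are assumptions of the example, not FreeRADIUS's own formats.

```python
"""Why a hashed password store and a hashed-on-the-wire password cannot both
be used: one side of the comparison must be the cleartext password.

Added example for the thread above, not FreeRADIUS code.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def hashed_entry(password, salt=None):
    """Store the password hashed (the /etc/passwd and /etc/shadow style choice)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"kind": "hashed", "salt": salt, "digest": digest}


def cleartext_entry(password):
    """Store the password in the clear (what (MS-)CHAP requires)."""
    return {"kind": "cleartext", "secret": password}


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def _check_pap(entry, password):
    if entry["kind"] == "cleartext":
        return hmac.compare_digest(entry["secret"].encode(), password.encode())
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), entry["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, entry["digest"])


def authenticate(entry, request):
    """Return (verdict, reason); verdict is 'accept', 'reject' or 'unsupported'."""
    method = request["method"]
    if method == "PAP":
        # Cleartext arrives, so the server can hash it whichever way the store needs.
        ok = _check_pap(entry, request["password"])
        return ("accept" if ok else "reject", "PAP against %s store" % entry["kind"])
    if method == "CHAP":
        if entry["kind"] != "cleartext":
            # The stored hash cannot be turned back into the secret, and the
            # response cannot be recomputed without it: there is nothing to compare.
            return ("unsupported", "CHAP needs the cleartext password on the server")
        expected = chap_response(request["identifier"], entry["secret"], request["challenge"])
        ok = hmac.compare_digest(expected, request["response"])
        return ("accept" if ok else "reject", "CHAP against cleartext store")
    return ("unsupported", "unknown method %s" % method)


if __name__ == "__main__":
    # Constructed demonstration values.
    challenge = os.urandom(16)
    pap = {"method": "PAP", "password": "correct horse"}
    chap = {"method": "CHAP", "identifier": 7, "challenge": challenge,
            "response": chap_response(7, "correct horse", challenge)}
    for entry in (cleartext_entry("correct horse"), hashed_entry("correct horse")):
        for req in (pap, chap):
            print(entry["kind"], req["method"], authenticate(entry, req))
```

Three of the four combinations verify; the fourth (hashed store, CHAP on the wire) cannot, which is exactly the situation the original poster was trying to configure. Note the asymmetry in what is protected: PAP keeps the store hashed but exposes the password to whatever carries it to the server, while CHAP keeps it off the wire at the price of a cleartext store.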





Re: Problem with /usr/sbin/checkrad - it is not used at all

2004-10-27 Thread Kevin Bonner
On Wednesday 27 October 2004 13:33, Florian Taeger wrote:
> I want to limit simultaneous logins for users and because of this, the
> /usr/sbin/checkrad should be executed.
>
> The point is, freeradius should execute /usr/sbin/checkrad when a new user
> wants to log in. But it does not. Is there a known bug or something else?

Not a bug, but probably not fully configured.  Did you add a nastype entry in 
clients.conf (or the old naslist file) for each client entry?  That tells the 
checkrad script how to query the device to verify that the sessions listed in 
radutmp (or sql) are still active.  Look at the source for checkrad and find 
the option which works for your equipment.

Kevin Bonner



Re: What am I missing??

2004-10-27 Thread Chris Knipe
Anyone?!?!?! :((
I tried using userfiles instead of SQL for the user accounts as well; the same 
thing happens.

Snippet from the usersfile
4017-5589-8633-5320 Auth-Type := Local, Pool-Name := ippool-prepaid, 
Max-All-Session := 3600, Simultaneous-Use := 1, User-Password == "149861"
   Framed-Compression = Van-Jacobson-TCP-IP,
   Framed-Routing = Broadcast-Listen,
   Framed-Protocol = PPP,
   Service-Type = Framed-User,
   Rate-Limit = 64k/64k,
   Acct-Interim-Interval = 60

I'm getting semi desperate here :(
--
Chris

Lo all,
Below is a full debug output of an authentication request.  I am trying to 
get rlm_sqlcounter to work - from what I can see, all the attributes are 
in place, but the module simply ignores them?? I'd appreciate some 
assistance, it must be something silly(tm) again...

--- Walking the entire request list ---
Cleaning up request 0 ID 138 with timestamp 417e7aa9
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host x.x.x.x:1029, id=55, length=250
  Service-Type = Framed-User
  Framed-Protocol = PPP
  NAS-Identifier = "pptp-gw01.nas"
  NAS-Port = 55
  NAS-Port-Type = Virtual
  User-Name = "[EMAIL PROTECTED]"
  Calling-Station-Id = "y.y.y.y"
  Called-Station-Id = "x.x.x.x"
  MS-CHAP-Domain = "whatever"
  MS-CHAP-Challenge = 0x0437345f654a85c9
  MS-CHAP-Response = 
0x01014bde361ff118c8c37b1bb35919665a633466ec05a9c54401
  NAS-IP-Address = x.x.x.x
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module "preprocess" returns ok for request 1
 modcall[authorize]: module "chap" returns noop for request 1
 modcall[authorize]: module "attr_filter" returns noop for request 1
   rlm_realm: Looking up realm "whatever" for User-Name = 
"[EMAIL PROTECTED]"
   rlm_realm: Found realm "cenergynetworks.com"
   rlm_realm: Adding Stripped-User-Name = "6622-5505-5719-5980"
   rlm_realm: Proxying request from user 6622-5505-5719-5980 to realm 
whatever
   rlm_realm: Adding Realm = "whatever"
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module "suffix" returns noop for request 1
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> 
'[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM RadiusCheck 
WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
## RETURN:
## +----+-------------------+----------------------+--------+----+
## | id | UserName          | Attribute            | Value  | op |
## +----+-------------------+----------------------+--------+----+
## | 62 | [EMAIL PROTECTED] | User-Password        | 653106 | == |
## | 63 | [EMAIL PROTECTED] | Simultaneous-Use     | 1      | := |
## | 64 | [EMAIL PROTECTED] | Huntgroup-Name       | pptp   | := |
## | 66 | [EMAIL PROTECTED] | Max-All-Session-Time | 30     | := |  <- ATTRIBUTE IN QUESTION
## +----+-------------------+----------------------+--------+----+
## 4 rows in set (0.00 sec)

rlm_sql (sql): Reserving sql socket id: 23
radius_xlat:  'SELECT 
RadiusGroupCheck.id,RadiusGroupCheck.GroupName,RadiusGroupCheck.Attribute,RadiusGroupCheck.Value,RadiusGroupCheck.op 
FROM RadiusGroupCheck,RadiusUsers WHERE RadiusUsers.Username = 
'[EMAIL PROTECTED]' AND RadiusUsers.isActive='y' AND 
RadiusUsers.GroupName = RadiusGroupCheck.GroupName ORDER BY 
RadiusGroupCheck.id'
## RETURN:
## +++---+--++
## | id | GroupName  | Attribute | Value| op |
## +++---+--++
## | 10 | CENPPTP064 | NAS-Port-Type | Ethernet | := |
## | 11 | CENPPTP064 | Pool-Name | pptp | := |
## +++---+--++
## 2 rows in set (0.00 sec)

radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM RadiusReply 
WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
## RETURN:
## NONE

radius_xlat:  'SELECT 
RadiusGroupReply.id,RadiusGroupReply.GroupName,RadiusGroupReply.Attribute,RadiusGroupReply.Value,RadiusGroupReply.op 
FROM RadiusGroupReply,RadiusUsers WHERE RadiusUsers.Username = 
'[EMAIL PROTECTED]' AND RadiusUsers.isActive='y' AND 
RadiusUsers.GroupName = RadiusGroupReply.GroupName ORDER BY 
RadiusGroupReply.id'
## RETURN:
## +++---+---++
## | id | GroupName  | Attribute | Value | op |
## +++---+---++
## | 25 | CENPPTP064 | Framed-IP-Netmask | 255.255.255.0 | =  |
## | 27 | CENPPTP064 | Acct-Interim-Interval | 60| =  |
## | 28 | CENPPTP064 | Rate-Limit| 64k/64k   | =  |
## | 29 | CENPPTP064 | Service-Type  | Framed-User   | =  |
## | 30 | CENPPTP064 | Framed-Protocol   | PPP   | =  |
## +++---+---++
## 5 rows in set (0.01 sec)

rlm_sql (sql): Released sql s

problem authing via LDAP

2004-10-27 Thread Scott J. Wolke
Hey All,
Trying to get things working here. I've successfully authenticated 
Win XP using PEAP with a local test acct and am now trying to 
authenticate against LDAP.  I can't get past the users files calling for 
LDAP.  I keep getting the following error. 

 rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
 ERROR: Unknown value specified for Auth-Type.  Cannot perform 
requested action.

auth: Failed to validate the user.

Any ideas, guys? Here is a quick run down of the system I'm running.
OpenBSD 3.5 running Freeradius 1.0.1 trying to auth against SunONE 
Directory Server via LDAP

below is debugging followed by the conf files.
***Debugging***
rad_recv: Access-Request packet from host 10.6.3.19:1024, id=91, length=109
   NAS-IP-Address = 10.6.3.19
   NAS-Port-Type = Ethernet
   Service-Type = Framed-User
   Message-Authenticator = 0xc88be5ded4b4f5bc79837c4c6e94615e
   NAS-Port = 11
   Framed-MTU = 1490
   User-Name = "Wolkes"
   Calling-Station-Id = " 0- F-1F-15-67-F1"
   EAP-Message = 0x0202000b01576f6c6b6573
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
   rlm_realm: No '@' in User-Name = "Wolkes", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
 rlm_eap: EAP packet type response id 2 length 11
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 0
   users: Matched DEFAULT at 152
   users: Matched DEFAULT at 155
   users: Matched DEFAULT at 174
 modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
 rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
 ERROR: Unknown value specified for Auth-Type.  Cannot perform 
requested action.

auth: Failed to validate the user.
Login incorrect: [Wolkes] (from client bsd port 11 cli  0- F-1F-15-67-F1)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...

***users***

#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#
#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT Auth-Type = System
   Fall-Through = 1
DEFAULT Auth-Type := LDAP
   Fall-Through = 1
#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULTService-Type == Framed-User, Huntgroup-Name == "alphen"
#   Framed-IP-Address = 192.168.1.32+,
#   Fall-Through = Yes
#DEFAULTService-Type == Framed-User, Huntgroup-Name == "delft"
#   Framed-IP-Address = 192.168.2.32+,
#   Fall-Through = Yes
#
# Defaults for all framed connections.
#
DEFAULT Service-Type == Framed-User
   Framed-IP-Address = 255.255.255.254,
   Framed-MTU = 576,
   Service-Type = Framed-User,
   Fall-Through = Yes
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#   by the terminal server in which case there may not be a "P" suffix.
#   The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT Framed-Protocol == PPP
   Framed-Protocol = PPP,
   Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
   Framed-Protocol = SLIP,
   Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
   Framed-Protocol = SLIP
#
# Last default: rlogin to our main server.
#
#DEFAULT
#   Service-Type = Login-User,
#   Login-Service = Rlogin,
#   Login-IP-Host = shellbox.ispdomain.com
# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
#   Service-Type = Shell-User
# On no match, the user is denied access.
wolke   Auth-Type := EAP, User-Password == "sukhoi"

***radius.conf***
   # Lightweight Directory Access Protocol (LDAP)
   #
   #  This module definition allows you to use LDAP for
   #  authorization and authentication (Auth-Type := LDAP)
   #
   #  See doc/rlm_ldap for description of configuration options
   #  and sample authorize{

Re: Problem with /usr/sbin/checkrad - it is not used at all

2004-10-27 Thread Alan DeKok
"Florian Taeger" <[EMAIL PROTECTED]> wrote:
> The point is, freeradius should execute /usr/sbin/checkrad when a new user
> wants to log in. But it does not. Is there a known bug or something else?

  Run the server in debugging mode to see why it's not running checkrad.

  Alan DeKok.



Problem with /usr/sbin/checkrad - it is not used at all

2004-10-27 Thread Florian Taeger
Hello everybody again.

I have a problem with the /usr/sbin/checkrad script.

I want to limit simultaneous logins for users and because of this, the
/usr/sbin/checkrad should be executed.

The point is, freeradius should execute /usr/sbin/checkrad when a new user
wants to log in. But it does not. Is there a known bug or something else?

# freeradius -v
freeradius: FreeRADIUS Version 1.0.1, for host , built on Oct 15 2004 at
02:01:31
Copyright (C) 2000-2003 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

There is a checkrad entry in my radiusd.conf and a Simultaneous-Use := 1 in
my users file. The limitation itself works fine, but the script is not
executed at all.


Regards

F.Taeger




preproxy_users

2004-10-27 Thread Rick Macdougall
Hi,

How does one go about using the preproxy_users file ?

We need it in this case because

1 - I have an attr_rewrite setup to add the domain to a user if there
is no domain part specified, based on the DNIS (which works just fine)

2 - We have one domain we are proxying for with the default STRIP
option enabled in the proxy.conf file

3 - What happens when a user of that domain calls a number that we are
using the DNIS attr_rewrite on is that the user name gets stripped
(due to the proxy.conf file) then the user name gets re-written with
the incorrect domain added due to the attr_rewrite and then sent over
the wire to the proxied server

So, I'd like to use the preproxy_users file to replace the user-name
with the stripped-user-name.

Of course, if anyone has a better way to do this I'm all ears.

Regards,

Rick



Re: Setup Help: freeradius + cisco catalist + linux & windows clients

2004-10-27 Thread Alan DeKok
Adrian Turcu <[EMAIL PROTECTED]> wrote:
> Could someone point me to some comprehensive howto's about how should I
> configure the freeradius to authenticate the clients based on their mac
> address with the catalyst in the middle?

  There's no "howto" for that.  Instead, the documentation describes
generally how to configure the server, and what to do.

> i get this messages on the screen and the client is never authenticated:
> 
> rad_recv: Access-Request packet from host 192.168.10.10:1812, id=77,
> length=122
...
> Calling-Station-Id = "00-10-a4-99-8c-c4"
> EAP-Message = 0x02150159424e494e5445524e4154494f4e414c

  The workstation is using EAP, not MAC address authentication.

> in users i have added
> 
> someuser    Auth-Type := Local

  Which will ensure EAP doesn't work.  You also need to supply a
password for the user, otherwise the server has no idea how to
authenticate them.

> for the above debug i used linux workstation with its mac-address
> 00-10-a4-99-8c-c4

  And xsupplicant is configured to do EAP, not MAC address authentication.

  Alan DeKok.




Re: multiple NASes using just one RADIUS server

2004-10-27 Thread Alan DeKok
"Roy G Davis" <[EMAIL PROTECTED]> wrote:
> i am storing user login info in mysql db.
> how/where would i create another db and integrate it into
> radius config files?  sql-1, sql-2, sql-3?

  You can, but you don't have to.  The SQL queries are configurable.
So long as you have a column in the DB saying which "set" of users they
belong to, you'll only need one copy of the SQL module.

> if I use the client IP, would that eliminate the need for realms?

  Yes.

  Alan DeKok.




Re: use exec to modify request attributes (Oops small mistake)

2004-10-27 Thread Jose Guevarra
The exec formatmac module should have this instead of what was shown
below

exec formatmac {
    wait = yes
    program = "/home/jose/formatmac %{Calling-Station-Id}"
    input_pairs = request
    output_pairs = request
}


On Tue, 2004-10-26 at 23:47, Jose Guevarra wrote:
> Hi,
> 
>  I have an exec module (formatmac) that would take in the
> Client-Station-Id, pass it to a perl script (formatmac), which would
> then set the User-Name of the request packet to a formatted version of
> the Client-Station-Id.  This works but, the sql authentication module
> then complains that
> 
> ""rlm_sql (sql): zero length username not permitted ""
> 
> How should I pass the User-Name = 'formatted mac address' attribute pair
> from the formatmac perl script?  If I don't use ':=' when I print the
> attribute then the change to User-Name is ignored if I do use ':=' as
> shown it erases the User-Name value.  I've tried no, single and double
> quotes around 'formatted mac address' with no luck.
> 
> 
> This is what my config, script, and debug look like
> 
> 
> under modules section of radius.conf:
> -
> exec formatmac {
>     wait = yes
>     program = "/home/jose/formatmac %{Client-Station-Id}"
>     input_pairs = request
>     output_pairs = request
> }
> 
> 
> I have 'formatmac' in the authorize section of radius.conf
> 
> 
> formatmac perl script:
> --
> 
> my $inmac = $ARGV[0];
> 
> $inmac =~ s/\://g;
> 
> print "User-Name := \'$inmac\'";
> 
> 
> radius -X output:
> -
> 
> radius_xlat:  '/home/jose/formatmac 00:22:11:45:ff:43'
> Exec-Program: /home/jose/formatmac 00:22:11:45:ff:43
> Exec-Program output: User-Name := '00221145ff43'
> Exec-Program-Wait: value-pairs: User-Name := '00221145ff43'
> Exec-Program: returned: 0
>   modcall[authorize]: module "formatmac" returns ok for request 0
> rlm_sql (sql): zero length username not permitted 
>   modcall[authorize]: module "sql" returns invalid for request 0
> modcall: group authorize returns invalid for request 0
> Delaying request 0 for 1 seconds
> 
> 
> 


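An added example of what such an exec helper can do (not Jose's Perl script and not FreeRADIUS code): it normalizes the MAC spellings different NASes put in Calling-Station-Id before emitting the pair, using the "Attribute op value" stdout line that rlm_exec parses with wait = yes and output_pairs = request; the double quoting, the program path and the exit code handling are assumptions, and it does not address the rlm_sql "zero length username" message seen in the thread.

```python
#!/usr/bin/env python3
"""Exec-module helper that turns Calling-Station-Id into a User-Name.

Added example (not Jose's Perl script, not FreeRADIUS code). rlm_exec with
wait = yes and output_pairs = request reads "Attribute op value" lines from
stdout.  Run from the module as:  formatmac.py "%{Calling-Station-Id}"
"""
import re
import sys

# Spellings seen from different NASes (constructed list):
#   00:22:11:45:ff:43   00-22-11-45-FF-43   0022.1145.ff43   00221145ff43
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    if raw is None:
        return None
    cleaned = re.sub(r"[:\-.\s]", "", raw.strip()).lower()
    return cleaned if _HEX12.match(cleaned) else None


def format_pair(raw):
    """Build the line written to stdout, or None for unusable input.

    ':=' replaces whatever User-Name the NAS sent; the value is double-quoted
    so the pair parser takes it as a string (assumed syntax).
    """
    mac = normalize_mac(raw)
    if mac is None:
        return None
    return 'User-Name := "%s"' % mac


def main(argv):
    pair = format_pair(argv[1] if len(argv) > 1 else None)
    if pair is None:
        # Nothing usable: report on stderr and exit non-zero so the module
        # does not report success for a request it could not rewrite.
        sys.stderr.write("formatmac: bad Calling-Station-Id %r\n" % (argv[1:],))
        return 1
    print(pair)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```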


rlm_eap_tls: Received unexpected tunneled data after successful handshake.

2004-10-27 Thread Patrick Fröger
Hello everybody,
I'm new to the list and didn't find any solution to my problem while 
browsing through the archives and using google, so I'll post my problem 
here (although I'm not sure if it's a freeRadius problem or more a 
hostapd problem):

I'm trying to set up a wireless access point using eap/tls to 
authenticate the clients with certificates. I'm using freeRadius 1.0.1. 
Authentication from a Linux client (without WEP enabled) works without 
any problems, but when trying to authenticate with a WinXP SP2 machine 
(WEP rekeying enabled), I'm getting this error:


auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 50
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_tls: Received unexpected tunneled data after successful 
handshake.
 rlm_eap: Handler failed in EAP/tls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 50
modcall: group authenticate returns invalid for request 50
auth: Failed to validate the user.
Login incorrect: [user 1/] (from client 
localhost port 1 cli 00-02-2D-66-79-7F)
Delaying request 50 for 1 seconds
Finished request 50
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32769, id=29, length=198
Sending Access-Reject of id 29 to 127.0.0.1:32769
EAP-Message = 0x04120004
Message-Authenticator = 0x
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 45 ID 24 with timestamp 417fa793
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 46 ID 25 with timestamp 417fa794
Cleaning up request 47 ID 26 with timestamp 417fa794
Cleaning up request 48 ID 27 with timestamp 417fa794
Cleaning up request 49 ID 28 with timestamp 417fa794
Cleaning up request 50 ID 29 with timestamp 417fa794
Nothing to do.  Sleeping until we see a request.


What does that "rlm_eap_tls: Received unexpected tunneled data after 
successful handshake." error mean? I didn't find any useful information 
concerning this error. It could be a problem of hostapd, which I'm using 
as access point, but it would be nice if someone could point me in the 
direction I have to go further to solve that problem.

Or is it a problem with my WinXP SP2 and is there any patch for that? 
The Windows and Linux clients both use Lucent/Orinoco Gold cards.

In advance, thanks for your help!
Patrick Froeger
PS: here is the complete freeRadius log:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instanti

Setup Help: freeradius + cisco catalist + linux & windows clients

2004-10-27 Thread Adrian Turcu
Hello list,

I'm completely new on this field with the concept of radius
authentication. For the last 2 weeks I read tons of docs about this
concept. I am confused. My task looks like a simple one:
 - linux workstations running xsupplicant 1.0 (wired mode)
 - windows XP and 2000 with 802.1x support
 - cisco catalyst 3550 switch SMI license
 - freeradius 1.0.1 that have to authenticate each workstation on the
network when plugged into the switch based on their mac address.

Could someone point me to some comprehensive howto's about how should I
configure the freeradius to authenticate the clients based on their mac
address with the catalyst in the middle?

I have compiled and installed freeradius with no errors. The
configuration files are the default ones, with the following additions:

in clients.conf I have added

192.168.10.10 {
    secret    = 1234567
    shortname = ciscocatalyst
    nastype   = cisco
}


in users I have added

someuser    Auth-Type := Local
            Service-Type = Framed-User


the cisco catalyst is configured for radius:


aaa new-model
aaa authentication dot1x default enable group radius
radius-server host 192.168.10.217 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key 1234567
!
! freeradius connected to FE 0/1
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 no cdp enable
 spanning-tree portfast
!
! client connected to FE0/2
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 dot1x port-control auto

With radius running from the cmd line "radiusd -A -X"
I get these messages on the screen and the client is never authenticated:

rad_recv: Access-Request packet from host 192.168.10.10:1812, id=77,
length=122
NAS-IP-Address = 192.168.10.10
NAS-Port-Type = Async
User-Name = "someuser"
Service-Type = Framed-User
Framed-MTU = 1500
Calling-Station-Id = "00-10-a4-99-8c-c4"
EAP-Message = 0x02150159424e494e5445524e4154494f4e414c
Message-Authenticator = 0x914c5e809544da2aacf9babe83e2542b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
  modcall[authorize]: module "chap" returns noop for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "someuser", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 8
  rlm_eap: EAP packet type response id 0 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 8
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched someuser at 219
  modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 77 to 192.168.10.10:1812
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 8 ID 77 with timestamp 417fb130
Nothing to do.  Sleeping until we see a request.


For the above debug I used a Linux workstation with its MAC address
00-10-a4-99-8c-c4


Please help.


Kind Regards,
Adrian




RE: multiple NASes using just one RADIUS server

2004-10-27 Thread Roy G Davis


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Alan DeKok
> Sent: Wednesday, October 27, 2004 8:35 AM
> To: [EMAIL PROTECTED]
> Subject: Re: multiple NASes using just one RADIUS server 
> 
> 
> "Roy G Davis" <[EMAIL PROTECTED]> wrote:
> > we are using freeradius for auth on a pix firewall.  right 
> now it is 
> > just one firewall going to one radius server.  what would 
> be the best 
> > way to add several firewalls (each of which would probably have a 
> > different set of users etc) to same radius server?  is this where 
> > REALMs would be used?
> 
>   That would work.
> 
>   The next question is: where do you store the users login 
> information?
> 
>   You should be able to use the Client-IP-Address to select 
> requests from the different firewalls, and have them look at 
> different databases to authenticate the users.
> 
>   Alan DeKok.
> 
thx alan
I am storing user login info in mysql db.
how/where would I create another db and integrate it into
radius config files?  sql-1, sql-2, sql-3?
if I use client ip would that eliminate need for realms?
thx again.



Re: problem authenticating to passwd/shadow files

2004-10-27 Thread Alan DeKok
"Cameron Birky" <[EMAIL PROTECTED]> wrote:
> but, this leads to the question I asked earlier.  is fr comparing a mschapv2 
> hashed password with
> a unix md5 hashed password and failing?

  Yes.  I'm pretty sure I've said that previously on this thread.

  Alan DeKok.



add new attribute

2004-10-27 Thread Nick 'TARANTUL' Novikov
Hello!
I want to add a new attribute if one (maybe more) of the present attributes has
a specified value.
For example, if NAS-Port-Type="Virtual", I want to add the attribute Group="pppoe".
How can I do it?

--
TARANTUL


Re: multiple NASes using just one RADIUS server

2004-10-27 Thread Alan DeKok
"Roy G Davis" <[EMAIL PROTECTED]> wrote:
> we are using freeradius for auth on a pix firewall.  right now it is
> just one firewall going to one radius server.  what would be the best
> way to add several firewalls (each of which would probably have a
> different set of users etc) to same radius server?  is this where REALMs
> would be used?

  That would work.

  The next question is: where do you store the users' login information?

  You should be able to use the Client-IP-Address to select requests
from the different firewalls, and have them look at different
databases to authenticate the users.

  Alan DeKok.



Re: Exec-Program output: freeradius not reading response?

2004-10-27 Thread Alan DeKok
"Nate M" <[EMAIL PROTECTED]> wrote:
> Additionally.. I just compiled 2.4.27 kernel on this machine and the problem
> stops.  2.6.5, 2.6.8.1 and 2.6.9 all vomit.  2.6 bug perhaps?

  Looks like it.  If the FreeRADIUS code works on other platforms, and
other versions of Linux, then I'm inclined to say that the FreeRADIUS
code is correct, and 2.6 isn't.

  As to how to fix it, I'm not sure I can suggest anything other than
bugging the Linux people.

  Alan DeKok.




Re: Dialup Admin

2004-10-27 Thread Kostas Kalevras
On Tue, 26 Oct 2004, Edward Rempala wrote:
> I am having a problem creating groups under dialupadmin. When I create a
> group and then save it, DA says I have no groups. But then I look in the
> database and the info I just put in is there. Is this a bug in DA? If so is
> there a way around it?

You're probably creating a group without any members. Make sure you add some
members. In any case you can use the group admin page to edit the group.

> Edward.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Simultaneous-Use problem

2004-10-27 Thread Florian Taeger
Hi everybody.

I got a simple question about the Simultaneous-Use parameter.

We use freeradius for accounting of our ppp server. It works fine at the
moment, but from now on I want to restrict users to only one or two
simultaneous logins.

So I implemented the Simultaneous-Use parameter in the "users" file (look
below for my users file) and at first everything seemed to work properly, but
yesterday some users weren't able to login.

In the radutmp file I can find the usernames of the involved users, but
radwho doesn't print these usernames. So it seems that freeradius believes
this user is logged in at the moment, but he is not.

my users-file looks like this:

"USERNAME"    Auth-Type := Local, User-Password == "PASSWORD", Simultaneous-Use := 1
              Service-Type = Framed-User,
              Framed-Protocol = PPP,
              Framed-IP-Address = IP-ADDRESS,
              Framed-MTU = 1492


This is the only change I made for the Simultaneous-Use parameter. And at
the beginning it seemed to work fine.

Can anybody tell me how to tell freeradius that the user is NOT logged in any
more? Why does freeradius not recognize this issue?

Thanks for your help

Florian Taeger




Re: 3 LDAP questions!

2004-10-27 Thread Kostas Kalevras
On Wed, 27 Oct 2004, Ilia Chipitsine wrote:
> > In ldap you have only *one* record for each user. If you need different
> > Framed-IP-Address attributes for each user depending on the NAS then you
> > need to either:
> >
> > Create multiple user entries and use a filter to find them:
> > (&(uid=%u)(nasipaddress=%{NAS-IP-Address}))
> > Create multiple ldap module instances with different attribute mappings
> > and depending on the NAS select the corresponding instance:
> >
> > DEFAULT	NAS-IP-Address == 192.168.201.1, Autz-Type := ldap1
> two different LDAP servers ?
> > No, different instances with different attribute mappings (different
> hmm... different instances of WHAT ?
Of the ldap module. See a few lines above in this mail.
> > attribute mappings file). I never said anything about two different LDAP
> > servers.
>
> Cheers,
> Ilia Chipitsine


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


RE: (no subject)

2004-10-27 Thread Geissbühler Johannes



radtest and radclient come together with the freeradius Server

enter man radtest or man radclient for more information

depending on your configuration radclient is installed in /opt/gnu/bin/radclient


  -Original Message-
  From: rajesh [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, 27 October 2004 12:05
  To: [EMAIL PROTECTED]
  Subject: (no subject)

  Hi,
  Where can I get a RADIUS client like RADTEST, RADCLIENT to test with a RADIUS server?
  I have to test MY RADIUS server with another machine (client). For that I need this client application.
  Moreover, both my machines are Linux machines.
  Thanks & Regards
  Rajesh.Ch



Re: error while running radius

2004-10-27 Thread [EMAIL PROTECTED]
Hamad Al Marzooqi wrote:
> Hi,
>
> When I try to run radius I get this error:
>
> Error: radiusd.conf: "SQL" modules aren't allowed in 'post-auth'
> sections -- they have no such method
>
> Please advise on what to do?

go to radiusd.conf and remove SQL module from 'post-auth' section
Michal



(no subject)

2004-10-27 Thread rajesh



Hi,
Where can I get a RADIUS client like RADTEST, RADCLIENT to test with a RADIUS server?
I have to test MY RADIUS server with another machine (client). For that I need this client application.
Moreover, both my machines are Linux machines.
Thanks & Regards
Rajesh.Ch



Re: EAP and multiples LDAP

2004-10-27 Thread Sergio Sagliocco
Hi
thanks for the suggestion.
I achieved my target in this way:
Users file:
DEFAULT NAS-IP-Address == "194.116.9.153", Autz-Type:=EAP
DEFAULT Auth-Type == EAP, Autz-Type:=LDAP
Radiusd file:
authorize {
    preprocess
    files
    Autz-Type EAP {
        eap
    }
    Autz-Type LDAP {
        ldap
    }
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
I still have problems with the 1.0.0 and 1.0.1 versions.
I have compared the logs and the differences are:
in 1.0.0 / 1.0.1
 rlm_eap_tls: Received EAP-TLS ACK message
 rlm_eap_tls: No SSL info available. Waiting for more SSL data.
 eaptls_verify returned 1
 eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
in 1.0.0pre1
 rlm_eap_tls: Received EAP-TLS ACK message
 rlm_eap_tls: ack handshake is finished
 eaptls_verify returned 3
 eaptls_process returned 3
 rlm_eap_peap: EAPTLS_SUCCESS
Any idea?
Thanks
Best regards
Sergio Sagliocco
Alan DeKok wrote:
> Sergio Sagliocco <[EMAIL PROTECTED]> wrote:
> > I've tried a simpler configuration but I've still problems
> > My users file is
> > DEFAULT NAS-IP-Address == 192.168.9.153, Authz-Type:=LDAP
>
>  No, it's not.  There's no "Authz-Type" attribute.
>  When posting to the list, DO NOT re-type the data from your
> configuration files.  CUT AND PASTE it instead.  Re-typing the data is
> a guaranteed way to confuse everybody, and to make it impossible to
> solve your problem.
>
> > When I try to authenticate the log shows this errors:
> > .
> > modcall: entering group authorize for request 8
> >  modcall[authorize]: module "preprocess" returns ok for request 8
> >  modcall[authorize]: module "files" returns notfound for request 8
>
>  You might want to check that.  You want it to match an entry in the
> "users" file, and it's telling you that it hasn't matched anything.
>  Try fixing that.
>
> > If  the authorize section is
> > authorize {
> >    preprocess
> >    eap
> > ldap
> > }
> > and the users file is empty it works fine
>
>  Yes, because you're now telling it to call LDAP.  Previously, you
> weren't telling it to call LDAP, and the server told you it wasn't
> being told to call LDAP.
>  Alan DeKok.

--
Sergio SAGLIOCCO
SecureLAB - System & Network Security 
CSP s.c. a r.l. 
__
Villa Gualino
Viale Settimo Severo, 63 - 10133 Torino [IT]
tel. +39 011 481 5140 - Mobile +39 348 6024078 
fax  +39 011 481 5001 
__




problem configuring EAP-md5

2004-10-27 Thread Geissbühler, Hannes
Hi 
I have following problems with EAP-md5 configuration:

If I have no "Auth-Type := EAP" defined in the users file (which is written in 
eap.conf)
I get following errors:

modcall: group authorize returns ok for request 1
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.

the server somehow does not find out on its own to use EAP-md5

module eap is loaded:

Module: Loaded eap
 eap: default_eap_type = "md5"

in the authorize and the authenticate section of radiusd.conf I entered eap


If I set Auth-Type := EAP in the users file I get following error msg:

 modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.


could anybody help me?

thanks a lot 
Hannes



error while running radius

2004-10-27 Thread Hamad Al Marzooqi
Hi,

When I try to run radius I get this error:

Error: radiusd.conf: "SQL" modules aren't allowed in 'post-auth' sections -- they have no such method

Please advise on what to do?

Regards


Re: ip pool in mysql

2004-10-27 Thread Lito Lampitoc
but you are assigning ip with your NAS, I need a schema that has ip pool
provision. Honestly, I'm not sure if it will work with MySQL.

On Tue, 2004-10-26 at 04:03, Martin Jessa wrote:
> Hi.
> 
> I use Mikrotik as my NAS server and there i have configured an IP-Pool called 
> Official
> And this is my SQL:
> 
> CREATE TABLE radreply (
>   id int(11) unsigned NOT NULL auto_increment,
>   UserName varchar(64) NOT NULL default '',
>   Attribute varchar(32) NOT NULL default '',
>   op char(2) NOT NULL default '=',
>   Value varchar(253) NOT NULL default '',
>   prio int(10) unsigned NOT NULL default '0',
>   PRIMARY KEY  (id),
>   KEY UserName (UserName(32))
> ) TYPE=MyISAM;
> 
> 
> INSERT INTO radreply VALUES (341,'username','Ascend-Data-Rate','=','524288',0);
> INSERT INTO radreply VALUES (340,'username','Ascend-Data-Rate','=','524288',1);
> INSERT INTO radreply VALUES (339,'username','Port-Limit','=','1',0);
> INSERT INTO radreply VALUES 
> (338,'username','Framed-IP-Address','=','255.255.255.254',0);
> INSERT INTO radreply VALUES (402,'username','Framed-Pool',':=','Official',0);
> 
> 
> Any other values are taken care of by the NAS server.
> 
> Cheers.
> 
> 
> On Tue, 26 Oct 2004 14:09:55 -0700
> ral <[EMAIL PROTECTED]> wrote:
> 
> > Hi,
> > 
> > I'm trying to use mysql with freeradius, my problem is, it looks like ip
> > pool doesn't work, I'm not sure with my schema though, can anyone give
> > me a sample of the schema for this?
> > 
> > 
> > Thanks.
> > 
> > Lito 
> > 
> > 

