Expire attribute
I want some users' accounts to expire starting from a certain date. Someone wrote on the mailing list that there is an Expire check attribute for this purpose, but I can't find any doc about it. Can anyone give the detailed doc about this attribute?
Re: mod_auth_radius vulnerability
"Mordechai T. Abzug" <[EMAIL PROTECTED]> wrote: > The following URL says there's a vulnerability in mod_auth_radius: > http://www.net-security.org/vuln.php?id=3997 > > Is this true? If so, has a new version been released? Most of it is true, part is B.S. An attacker CANNOT spoof replies from the RADIUS server to exploit this vulnerability. The risk of this problem is extremely low. > [BTW: why does mod_auth_radius 1.5.7 source code refer to itself as > 1.5.4 in comments? Is it really 1.5.7 or 1.5.4?] Lack of due diligence. It's 1.5.7. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius vulnerability
The following URL says there's a vulnerability in mod_auth_radius:
http://www.net-security.org/vuln.php?id=3997

Is this true? If so, has a new version been released?

[BTW: why does mod_auth_radius 1.5.7 source code refer to itself as 1.5.4 in comments? Is it really 1.5.7 or 1.5.4?]

- Morty
RE: Free Radius and RSA/ACE Server
Has anyone had experience using the 'exec-program' to fork an external script to do the authentication? Or experience using pam_securid?

Thanks in advance for your help
Jeff Stout

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jeff Stout
Sent: Wednesday, January 26, 2005 6:03 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: Free Radius and RSA/ACE Server

Has FreeRadius ever been tested with RSA/ACE servers? Has anyone out there configured FreeRadius to work with RSA?

Thank you in advance for your help
Jeff Stout

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Wednesday, January 26, 2005 5:32 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Free Radius and RSA/ACE Server

"Jeff Stout" <[EMAIL PROTECTED]> wrote:
> Is there some documentation detailing how to configure
> FreeRadius to send authentication to a RSA/ACE server,

Nope. If RSA supplies a command-line tool, you can use that.

Alan DeKok.
Re: freeradius & postgreSQL - stored procedures
Siderite wrote:
> Hello... I am trying to make freeradius authenticate some access packets using the output of SQL stored procedures (that eventually would do the billing as well). Can it be done? And if yes, how?
> thank you

Give an example of what you're trying to do. I use the following for determining simultaneous use:

simul_count_query = "SELECT get_simul_sessions FROM get_simul_sessions('%{SQL-User-Name}')"

where get_simul_sessions() is a plpgsql stored procedure, and I use this to get around freeradius's limitation of just checking radgroupcheck.

For users with accounts based upon time (i.e. they pay for 5 hours, and use 1, there's 4 remaining) I use a trigger to update their unique Session-Timeout in the radreply table. But you still could use a direct function call from freeradius by modifying the statement in postgresql.conf (as I have done for the simultaneous sessions).

If code examples are required, I'd be happy to post them to the newsgroups.

Thanks,
Graeme
RE: Free Radius and RSA/ACE Server
Has FreeRadius ever been tested with RSA/ACE servers? Has anyone out there configured FreeRadius to work with RSA?

Thank you in advance for your help
Jeff Stout

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Wednesday, January 26, 2005 5:32 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Free Radius and RSA/ACE Server

"Jeff Stout" <[EMAIL PROTECTED]> wrote:
> Is there some documentation detailing how to configure
> FreeRadius to send authentication to a RSA/ACE server,

Nope. If RSA supplies a command-line tool, you can use that.

Alan DeKok.
Simultaneous use
Where in the MySql database do I put the simultaneous use entry? So there is only one use permitted.

Joel
RE: Active Directory and FreeRadius
That worked like a charm! Thank you ever so much,
~Brandon

-----Original Message-----
From: Dustin Doris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 26, 2005 3:53 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: Active Directory and FreeRadius

Comments below.

> Thanks for the quick response, Dustin.
> Here are entries from my users file (I removed the comments for easy
> reading):
>
> test    Auth-Type := Local, User-Password == "testing"
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 43.191.104.146,
>         Framed-IP-Netmask = 255.255.252.0,
>         Framed-Routing = Broadcast-Listen,
>         Framed-Filter-Id = "std.ppp",
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobsen-TCP-IP

Try taking out this entry below which is setting Auth-Type to system. Just comment it out and then restart radius and test again. Like this:

#DEFAULT Auth-Type = System
#       Fall-Through = 1

> DEFAULT Service-Type == Framed-User
>         Framed-IP-Address = 255.255.255.254,
>         Framed-MTU = 576,
>         Service-Type = Framed-User,
>         Fall-Through = Yes
>
> DEFAULT Framed-Protocol == PPP
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "CSLIP"
>         Framed-Protocol = SLIP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "SLIP"
>         Framed-Protocol = SLIP
>
> /etc/raddb/radiusd.conf (authenticate section)
>
> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>
>         Auth-Type LDAP {
>                 ldap
>         }
> }
>
> I had a hunch I might be missing something in the users file... did I
> mention this is my first foray into radius?
>
> Thanks in advance for any assistance,
> ~Brandon
>
> -----Original Message-----
> From: Dustin Doris [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 25, 2005 6:53 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Active Directory and FreeRadius
>
> > Hello all,
> > I am trying to configure FreeRadius to auth against Active
> > Directory. I was wondering if anyone on the list has done this successfully.
> > I thought the best way to go was to connect to A.D. as if it was an LDAP
> > server, (please let me know if there is a better way).
> >
> > Any tips or docs would be greatly appreciated.
> > Before anyone asks... I would love to use OpenLDAP instead, but that is not
> > my karma.
> >
> > I started radiusd in debug mode and here is the output I am getting:
> >
> > rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
> >         User-Name = "deyoungb"
> >         User-Password = "secret"
> > Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 0
> > modcall[authorize]: module "preprocess" returns ok for request 0
> > rlm_realm: No '@' in User-Name = "deyoungb", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> > modcall[authorize]: module "suffix" returns noop for request 0
> > users: Matched DEFAULT at 152
> > modcall[authorize]: module "files" returns ok for request 0
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for deyoungb
> > radius_xlat: '(cn=deyoungb)'
> > radius_xlat: 'DC=am,DC=sony,DC=com'
> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: attempting LDAP reconnection
> > rlm_ldap: (re)connect to 43.143.144.20:389, authentication 0
> > rlm_ldap: bind as CN=~MyAccessAccount,OU=Service Accounts,DC=am,DC=sony,DC=com/very_secret to 43.143.144.20:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in DC=am,DC=sony,DC=com, with filter (cn=deyoungb)
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
> > rlm_ldap: user deyoungb authorized to use remote access
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authorize]: module "ldap" returns ok for request 0
> > modcall: group authorize returns ok for request 0
>
> Looks good up to here, then it switches to Auth-Type of System.
>
> > rad_check_password: Found Auth-Type System
> > auth: type "System"
> > ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
> > auth: Failed to validate the user.
> > Delaying request 0 for 1 seconds
> > Finished request 0
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
> > Sending Access-Reject of id 112 to 43.191.104.141:2611
> > --- Walking the entire request list ---
> > Waking up in 3 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 0 ID 112 with timestamp 41f6f231
> > Nothing to do. Sleeping until we see a request.
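The mismatch diagnosed in this thread (a users-file entry sets Auth-Type = System while the authenticate section of radiusd.conf only defines PAP and LDAP) can be caught before the server is restarted. The following is an added example, not part of the original messages and not FreeRADIUS tooling; the sample files are constructed from the excerpts quoted in the thread, the function names are hypothetical, and treating Local, Accept and Reject as handled by the server itself is an assumption.

```python
import re

# Constructed samples modelled on the users file and radiusd.conf excerpts in the thread.
USERS_FILE = '''\
test    Auth-Type := Local, User-Password == "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP

DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Service-Type == Framed-User
        Framed-MTU = 576,
        Fall-Through = Yes
'''

RADIUSD_CONF = '''\
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type LDAP {   # directory-backed users
                ldap
        }
}
'''

# The same users file after the fix suggested in the thread: the entry is commented out.
FIXED_USERS_FILE = "\n".join(
    "#" + line
    if line.startswith("DEFAULT Auth-Type") or line.strip() == "Fall-Through = 1"
    else line
    for line in USERS_FILE.splitlines()
)

# Assumption: these values need no Auth-Type block in the authenticate section.
BUILTIN_AUTH_TYPES = {"local", "accept", "reject"}

# Matches "Auth-Type := X", "Auth-Type = X", "Auth-Type == X" but not "Post-Auth-Type".
AUTH_RE = re.compile(r'(?<![\w-])Auth-Type\s*(?::=|==|\+=|=)\s*"?([\w-]+)')


def defined_auth_types(conf_text):
    """Return the lower-cased Auth-Type names declared inside authenticate { ... }."""
    text = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    start = re.search(r"\bauthenticate\s*\{", text)
    if not start:
        return set()
    depth, pos = 1, start.end()
    while pos < len(text) and depth:          # walk to the matching closing brace
        depth += {"{": 1, "}": -1}.get(text[pos], 0)
        pos += 1
    body = text[start.end():pos]
    return {name.lower() for name in re.findall(r"\bAuth-Type\s+([\w-]+)\s*\{", body)}


def users_auth_types(users_text):
    """Return (line number, entry name, Auth-Type value) for each users-file entry."""
    found = []
    for lineno, line in enumerate(users_text.splitlines(), 1):
        # An entry starts in column 0; indented lines are reply items, '#' is a comment.
        if not line or line[0].isspace() or line.startswith("#"):
            continue
        name, _, check_items = line.partition(" ")
        match = AUTH_RE.search(check_items)
        if match:
            found.append((lineno, name, match.group(1)))
    return found


def unhandled_auth_types(users_text, conf_text):
    """Entries whose Auth-Type has no handler; these produce the
    'Unknown value specified for Auth-Type' rejection seen in the debug output."""
    known = defined_auth_types(conf_text) | BUILTIN_AUTH_TYPES
    return [entry for entry in users_auth_types(users_text)
            if entry[2].lower() not in known]


if __name__ == "__main__":
    for lineno, name, value in unhandled_auth_types(USERS_FILE, RADIUSD_CONF):
        print(f"users:{lineno}: entry {name} sets Auth-Type {value}, "
              "which the authenticate section does not define")
    print("after fix:", unhandled_auth_types(FIXED_USERS_FILE, RADIUSD_CONF))
```

An entry reported here overrides whatever the ldap module decided during authorize, so every request that reaches it is rejected regardless of the password supplied.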
Re: Only localhost works
energy <[EMAIL PROTECTED]> wrote:
> Anyone who knows Freeradius code well enough to be able to tell me if maybe
> Freeradius is 32 bit centric so somehow reversing the shared secret/password
> fails?

I've run it on 64-bit machines, and it works fine. Which version are you using?

Alan DeKok.
Re: Freeradius hangs after a HUP
Joe H <[EMAIL PROTECTED]> wrote:
> The total controls that we use for dialup access seem to make one
> connection to the radius server and hold it.

RADIUS is UDP. There is no connection.

> Seems like it's waiting for the connection to end before it closes.

Find out *where* in the code it's waiting. That will tell you *why*.

Alan DeKok.
Re: Free Radius and RSA/ACE Server
"Jeff Stout" <[EMAIL PROTECTED]> wrote: > Is there some documentation detailing how to configure > FreeRadius to send authentication to a RSA/ACE server, Nope. If RSA supplies a command-line tool, you can use that. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Active Directory and FreeRadius
Comments below.

> Thanks for the quick response, Dustin.
> Here are entries from my users file (I removed the comments for easy
> reading):
>
> test    Auth-Type := Local, User-Password == "testing"
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 43.191.104.146,
>         Framed-IP-Netmask = 255.255.252.0,
>         Framed-Routing = Broadcast-Listen,
>         Framed-Filter-Id = "std.ppp",
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobsen-TCP-IP

Try taking out this entry below which is setting Auth-Type to system. Just comment it out and then restart radius and test again. Like this:

#DEFAULT Auth-Type = System
#       Fall-Through = 1

> DEFAULT Service-Type == Framed-User
>         Framed-IP-Address = 255.255.255.254,
>         Framed-MTU = 576,
>         Service-Type = Framed-User,
>         Fall-Through = Yes
>
> DEFAULT Framed-Protocol == PPP
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "CSLIP"
>         Framed-Protocol = SLIP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "SLIP"
>         Framed-Protocol = SLIP
>
> /etc/raddb/radiusd.conf (authenticate section)
>
> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>
>         Auth-Type LDAP {
>                 ldap
>         }
> }
>
> I had a hunch I might be missing something in the users file... did I
> mention this is my first foray into radius?
>
> Thanks in advance for any assistance,
> ~Brandon
>
> -----Original Message-----
> From: Dustin Doris [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 25, 2005 6:53 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Active Directory and FreeRadius
>
> > Hello all,
> > I am trying to configure FreeRadius to auth against Active
> > Directory. I was wondering if anyone on the list has done this successfully.
> > I thought the best way to go was to connect to A.D. as if it was an LDAP
> > server, (please let me know if there is a better way).
> >
> > Any tips or docs would be greatly appreciated.
> > Before anyone asks... I would love to use OpenLDAP instead, but that is not
> > my karma.
> >
> > I started radiusd in debug mode and here is the output I am getting:
> >
> > rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
> >         User-Name = "deyoungb"
> >         User-Password = "secret"
> > Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 0
> > modcall[authorize]: module "preprocess" returns ok for request 0
> > rlm_realm: No '@' in User-Name = "deyoungb", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> > modcall[authorize]: module "suffix" returns noop for request 0
> > users: Matched DEFAULT at 152
> > modcall[authorize]: module "files" returns ok for request 0
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for deyoungb
> > radius_xlat: '(cn=deyoungb)'
> > radius_xlat: 'DC=am,DC=sony,DC=com'
> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: attempting LDAP reconnection
> > rlm_ldap: (re)connect to 43.143.144.20:389, authentication 0
> > rlm_ldap: bind as CN=~MyAccessAccount,OU=Service Accounts,DC=am,DC=sony,DC=com/very_secret to 43.143.144.20:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in DC=am,DC=sony,DC=com, with filter (cn=deyoungb)
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
> > rlm_ldap: user deyoungb authorized to use remote access
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authorize]: module "ldap" returns ok for request 0
> > modcall: group authorize returns ok for request 0
>
> Looks good up to here, then it switches to Auth-Type of System.
>
> > rad_check_password: Found Auth-Type System
> > auth: type "System"
> > ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
> > auth: Failed to validate the user.
> > Delaying request 0 for 1 seconds
> > Finished request 0
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
> > Sending Access-Reject of id 112 to 43.191.104.141:2611
> > --- Walking the entire request list ---
> > Waking up in 3 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 0 ID 112 with timestamp 41f6f231
> > Nothing to do. Sleeping until we see a request.
>
> What is in your users file and the authenticate section of radiusd.conf?
> Something is making it try System instead of Ldap for authentication.
Re: Groups
Florian Prester <[EMAIL PROTECTED]> wrote:
> does the radius user group has to be a UNIX-Group or is it possible to
> define groups and users independent to the OS.

See the "man" page for "rlm_passwd"

Alan DeKok.
Groups
Hi,

does the radius user group has to be a UNIX-Group or is it possible to define groups and users independent to the OS.

thanks
florian
Radius Cisco h323 Voip
Hi;

How can I send all this information to a Mysql Database?? Does anyone have any idea that can help me??

Sorry Joe

Thanks
Fabio

Mon Aug 30 14:38:18 2004
        NAS-IP-Address = 192.168.115.4
        Cisco-NAS-Port = "CAS 1:0"
        NAS-Port-Type = Async
        User-Name = "351289767299"
        Called-Station-Id = "17863045678"
        Calling-Station-Id = "351212362299"
        Acct-Status-Type = Stop
        Service-Type = Login-User
        h323-gw-id = "h323-gw-id=Test0909"
        Cisco-AVPair = "h323-incoming-conf-id=D397A0 F9CA11D8 9519C3E7 31564DA6"
        h323-call-origin = "h323-call-origin=originate"
        h323-call-type = "h323-call-type=Telephony"
        h323-setup-time = "h323-setup-time=14:45:00.680 GMT Mon Aug 30 2004"
        h323-connect-time = "h323-connect-time=14:45:23.482 GMT Mon Aug 30 2004"
        h323-disconnect-time = "h323-disconnect-time=14:46:06.352 GMT Mon Aug 30 2004"
        h323-disconnect-cause = "h323-disconnect-cause=10"
        h323-voice-quality = "h323-voice-quality=0"
        h323-conf-id = "h323-conf-id=D397A0 F9CA11D8 9519C3E7 31564DA6"
        Acct-Session-Id = "EDD9"
Re: Freeradius hangs after a HUP
Looks like someone needs to read the rules. Don't steal my thread, start your own.

On Wed, 26 Jan 2005, [iso-8859-1] Fabio Viração wrote:

> Hi;
>
> How can I send all this information to a Mysql Database??
>
> Does anyone have any idea that can help me??
>
> Thanks
> Fabio
>
> Mon Aug 30 14:38:18 2004
>         NAS-IP-Address = 192.168.115.4
>         Cisco-NAS-Port = "CAS 1:0"
>         NAS-Port-Type = Async
>         User-Name = "351289767299"
>         Called-Station-Id = "17863045678"
>         Calling-Station-Id = "351212362299"
>         Acct-Status-Type = Stop
>         Service-Type = Login-User
>         h323-gw-id = "h323-gw-id=Test0909"
>         Cisco-AVPair = "h323-incoming-conf-id=D397A0 F9CA11D8 9519C3E7 31564DA6"
>         h323-call-origin = "h323-call-origin=originate"
>         h323-call-type = "h323-call-type=Telephony"
>         h323-setup-time = "h323-setup-time=14:45:00.680 GMT Mon Aug 30 2004"
>         h323-connect-time = "h323-connect-time=14:45:23.482 GMT Mon Aug 30 2004"
>         h323-disconnect-time = "h323-disconnect-time=14:46:06.352 GMT Mon Aug 30 2004"
>         h323-disconnect-cause = "h323-disconnect-cause=10"
>         h323-voice-quality = "h323-voice-quality=0"
>         h323-conf-id = "h323-conf-id=D397A0 F9CA11D8 9519C3E7 31564DA6"
>         Acct-Session-Id = "EDD9"
Free Radius and RSA/ACE Server
Is there some documentation detailing how to configure FreeRadius to send authentication to a RSA/ACE server? I looked in the /DOC directory and did not find anything at a cursory glance. I want to be able to authenticate some users to a Postgres DB and some users to the RSA/ACE Server.

Thank you in advance for any help or suggestions you may assist me with.

Jeff Stout
Re: Freeradius hangs after a HUP
Hi;

How can I send all this information to a Mysql Database??

Does anyone have any idea that can help me??

Thanks
Fabio

Mon Aug 30 14:38:18 2004
        NAS-IP-Address = 192.168.115.4
        Cisco-NAS-Port = "CAS 1:0"
        NAS-Port-Type = Async
        User-Name = "351289767299"
        Called-Station-Id = "17863045678"
        Calling-Station-Id = "351212362299"
        Acct-Status-Type = Stop
        Service-Type = Login-User
        h323-gw-id = "h323-gw-id=Test0909"
        Cisco-AVPair = "h323-incoming-conf-id=D397A0 F9CA11D8 9519C3E7 31564DA6"
        h323-call-origin = "h323-call-origin=originate"
        h323-call-type = "h323-call-type=Telephony"
        h323-setup-time = "h323-setup-time=14:45:00.680 GMT Mon Aug 30 2004"
        h323-connect-time = "h323-connect-time=14:45:23.482 GMT Mon Aug 30 2004"
        h323-disconnect-time = "h323-disconnect-time=14:46:06.352 GMT Mon Aug 30 2004"
        h323-disconnect-cause = "h323-disconnect-cause=10"
        h323-voice-quality = "h323-voice-quality=0"
        h323-conf-id = "h323-conf-id=D397A0 F9CA11D8 9519C3E7 31564DA6"
        Acct-Session-Id = "EDD9"
Re: Freeradius hangs after a HUP
Is it possible that an active connection to the radius server could hold the radius process from stopping or restarting properly? The total controls that we use for dialup access seem to make one connection to the radius server and hold it. I'm wondering if this could be causing the problem with what looks like looping. Seems like it's waiting for the connection to end before it closes. If this is the case, is there a way to make it force the close of the connection, kind of like how a kill -9 does, only more graceful?

Joe H.

On Tue, 25 Jan 2005 [EMAIL PROTECTED] wrote:

> Joe H wrote:
> > I updated all the server to freebsd 4.10
> (snipp)
> > Program received signal SIGTERM, Terminated.
> > 0x10250654 in __sys_poll () from /usr/lib/libc_r.so.4
> >
> > I'm not sure how helpful that will be to anyone but it's
> > all the information it showed.
>
> Sounds like it's telling you that everything is OK...
> Some very wild guessing:
> I'm wondering if there might be some problem with
> signal handling. IIRC there are some subtle differences
> between BSD and System V signal handling.
> Maybe ignoring the TERM signal during cleanup
> doesn't work quite as intended or something similar?
> Doing some experiments with other signal
> processing functions (sigprocmask,sigaction) to
> replace "signal(SIGTERM, SIG_IGN);" or adding
> some output to the signal handling functions so
> you do see when they are called during shutdown
> might turn up something...
>
> HTH,
> Stefan
Only localhost works
I am still having problems with authenticating to freeradius with LDAP as the backend except from the localhost. Utilizing any other client and running radiusd in debug mode gives me the shared secret error. The server that Freeradius is running on is 64 bit. All of the clients I have tested with (radtest on 32 bit and NTRadPing) are 32 bit. Radtest from the localhost works fine.

Anyone who knows Freeradius code well enough to be able to tell me if maybe Freeradius is 32 bit centric so somehow reversing the shared secret/password fails? I am really baffled at this point.

Thanks for any help
Re: assign eap method
Marc-Henri Boisis-Delavaud <[EMAIL PROTECTED]> wrote:
> All ssid use the same radius, but I want to use different eap
> authentication like this:
> ssid1: eap_ttls
> ssid2:eap_tls
> How can I block ssid1 for authenticate with eap_tls and inverse?

If the SSID is in a RADIUS attribute, you can look for it, and set "EAP-Type = EAP-TTLS". See the "dictionary" file for a full list of EAP types.

Alan DeKok.
assign eap method
Hello

I have some Wireless AccessPoint Cisco aironet with multiple ssid, each ssid is associated to a population with services. All ssid use the same radius, but I want to use different eap authentication like this:

ssid1: eap_ttls
ssid2:eap_tls

How can I block ssid1 for authenticate with eap_tls and inverse?

Thanks
Marc
Re: LDAP + CHAP problem
"Sébastien Cantos" <[EMAIL PROTECTED]> wrote: > I'm trying to figure out how to make freeradius work with LDAP and CHAP > authentification. LDAP should supply clear-text passwords to the server. CHAP will work. > rlm_chap: Could not find clear text password for user Your LDAP module did not give the server a clear-text password. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: performance of freeradius when access-request
"Leo Lei" <[EMAIL PROTECTED]> wrote: > i write a script calling the radclient, named aaaload as the following: ... > echo "UserOrg = \"myorg.org\"" > echo "ClientType = 4" Those are not any RADIUS attributes the server, or client, knows about. > i run the script aaaload twices: (200 users) > time ./aaaload > > OUTPUT1: > real0m13.320s Part of the time is spent by the client loading dictionaries. The server is more than fast enough for most situations. If it's slow, then something in your local configuration is slowing the server down. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP authentication
"Jacques VUVANT" <[EMAIL PROTECTED]> wrote: > I've test EAP/TLS authentication with freeradius wich work well. But it > seems to work as well when username (same name as installed certificate > on PC mobile) is removed on users.conf file, ie. EAP authentication > still Ok for this certificate removed on users.conf. There is no "user.conf" file. The "users" file is not required for authentication or authorization. You can put all of the users in LDAP, and that will work, even if they're not listed in "users". > Does it mean that EAP doesn't use users.conf ? It would appear that way. > Why radwho doesn't work with EAP connections ? Does your NAS send accounting packets to the server? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: HTTP Request for Authentication
"Stefan" <[EMAIL PROTECTED]> wrote: > Would it be possible, to retrieve information, needed for authentication at > a HTTP Server? > > The Flow would be like this: ... Yes. Run an external program which talks HTTP. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Setup apache2 with pam_radius_auth on Debian
Hi Rizwan,

You could replace AuthPAM_Enabled with AuthRadiusAuthoritative and try.

Regards,
Raza.

Rizwan Khan <[EMAIL PROTECTED]> wrote:

Hi all,

I am trying to configure pam_radius_auth module with apache2 on Debian (why not mod_auth_radius specially made for apache? because if this works then eventually I plan to setup the PAM module with BOA-Webserver used at my company).

I have the Radius server up and running on ServerA and apache running on the NAS. Then I built the pam_radius_auth module that exists under /lib/security/. The module works fine with remote console login on the NAS using remote Radius Auth (/etc/pam.d/login).

Eventually, I created a file /etc/pam.d/httpd for use by Apache server on the NAS and added the entry:

auth required pam_radius_auth.so

(so that Apache can use the PAM module)

Then, I added the following entries to /etc/apache2/apache2.conf

AuthType Basic
AuthName "Radius Authentication"
AuthAuthoritative off
AuthPAM_Enabled on
AuthRadiusCookieValid 5
AuthRadiusActive On
#require valid-user (optional)

But, when I start apache server, it gives the following warning:

Invalid Command 'AuthPAM_Enabled'

Which means that the command is not recognized, and I don't get any password prompt to access the secure html page!!!

Can anyone kindly tell me the right command set to be added to apache2.conf (or .htaccess file)? Is there anything else I will have to fix?

Thanks.
Rizwan Khan
RE: Active Directory and FreeRadius
Thanks for the quick response, Dustin.
Here are entries from my users file (I removed the comments for easy reading):

test    Auth-Type := Local, User-Password == "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 43.191.104.146,
        Framed-IP-Netmask = 255.255.252.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

/etc/raddb/radiusd.conf (authenticate section)

authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type LDAP {
                ldap
        }
}

I had a hunch I might be missing something in the users file... did I mention this is my first foray into radius?

Thanks in advance for any assistance,
~Brandon

-----Original Message-----
From: Dustin Doris [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 25, 2005 6:53 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Active Directory and FreeRadius

> Hello all,
> I am trying to configure FreeRadius to auth against Active
> Directory. I was wondering if anyone on the list has done this successfully.
> I thought the best way to go was to connect to A.D. as if it was an LDAP
> server, (please let me know if there is a better way).
>
> Any tips or docs would be greatly appreciated.
> Before anyone asks... I would love to use OpenLDAP instead, but that is not
> my karma.
>
> I started radiusd in debug mode and here is the output I am getting:
>
> rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
>         User-Name = "deyoungb"
>         User-Password = "secret"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> rlm_realm: No '@' in User-Name = "deyoungb", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> users: Matched DEFAULT at 152
> modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for deyoungb
> radius_xlat: '(cn=deyoungb)'
> radius_xlat: 'DC=am,DC=sony,DC=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 43.143.144.20:389, authentication 0
> rlm_ldap: bind as CN=~MyAccessAccount,OU=Service Accounts,DC=am,DC=sony,DC=com/very_secret to 43.143.144.20:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in DC=am,DC=sony,DC=com, with filter (cn=deyoungb)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user deyoungb authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0

Looks good up to here, then it switches to Auth-Type of System.

> rad_check_password: Found Auth-Type System
> auth: type "System"
> ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
> Sending Access-Reject of id 112 to 43.191.104.141:2611
> --- Walking the entire request list ---
> Waking up in 3 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 112 with timestamp 41f6f231
> Nothing to do. Sleeping until we see a request.

What is in your users file and the authenticate section of radiusd.conf? Something is making it try System instead of Ldap for authentication.
RE: RE: mysql ?
No it will just return them back in the order the database has them. All in a row.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joel Eddy
Sent: Wednesday, January 26, 2005 10:52 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: RE: mysql ?

If they are set to 0 would that then not return them back to the nas?

Joel

----- Original Message -----
From: "Cris Boisvert" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, January 26, 2005 9:39 AM
Subject: RE: RE: mysql ?

> I think it's for priority of the response..
> Some attributes need to be given back in sequence or they won't work
> Ascend data filters are one of them..
>
> So you can set the prio to be 0,1,2,3,4,5,6 etc
> As you want them to be given back to the nas...
>
> I may be wrong if so someone please correct me..
>
> Thanx
> Cris
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joel Eddy
> Sent: Wednesday, January 26, 2005 10:27 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: RE: mysql ?
>
> Thanks for the info. Does someone know what its purpose in life is? I've
> got the Radius book by O'Reilly
> and there is no mention of it.
>
> Joel
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, January 25, 2005 9:50 PM
> Subject: Re: RE: mysql ?
>
> I have zero "0" in mine...
> and all works well.
>
> Original Message
>
> ==> From: " Joel Eddy" <[EMAIL PROTECTED]>
> ==> Date: Tue, 25 Jan 2005 17:41:21 -0600
>
> I hate to be the one that asks the stupid question of the day but
> here goes. In the Table radgroupreply in database radius what goes in
> the prio entry?
>
> Joel
RE: RE: mysql ?
I've got it set to 0 on a radius server here, and the server sends the attributes in the order they appear in the reply table.

Rob.

-Original Message-
From: Joel Eddy [mailto:[EMAIL PROTECTED]
Sent: 26 January 2005 15:52
To: freeradius-users@lists.freeradius.org
Subject: Re: RE: mysql ?

If they are set to 0 would that then not return them back to the nas?

Joel

- Original Message -
From: "Cris Boisvert" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, January 26, 2005 9:39 AM
Subject: RE: RE: mysql ?

> I think it's for priority of the response..
> Some attributes need to be given back in sequence or they won't work
> Ascend data filters are one of them..
>
> So you can set the prio to be 0,1,2,3,4,5,6 etc
> As you want them to be given back to the nas...
>
> I may be wrong if so someone please correct me..
>
> Thanx
> Cris
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joel Eddy
> Sent: Wednesday, January 26, 2005 10:27 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: RE: mysql ?
>
> Thanks for the info. Does someone know what its purpose in life is? I've
> got the Radius book by O'Reilly and there is no mention of it.
>
> Joel
>
> - Original Message -
> From: <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, January 25, 2005 9:50 PM
> Subject: Re: RE: mysql ?
>
> I have zero "0" in mine...
> and all works well.
>
> Original Message
> ==> From: " Joel Eddy" <[EMAIL PROTECTED]>
> ==> Date: Tue, 25 Jan 2005 17:41:21 -0600
>
> I hate to be the one that asks the stupid question of the day but
> here goes. In the Table radgroupreply in database radius what goes in
> the prio entry?
>
> Joel
Setup apache2 with pam_radius_auth on Debian
Hi all,

I am trying to configure pam_radius_auth module with apache2 on Debian (why not mod_auth_radius specially made for apache? because if this works then eventually I plan to setup the PAM module with BOA-Webserver used at my company).

I have the Radius server up and running on ServerA and apache running on the NAS. Then I built the pam_radius_auth module that exists under /lib/security/. The module works fine with remote console login on the NAS using remote Radius Auth (/etc/pam.d/login).

Eventually, I created a file /etc/pam.d/httpd for use by Apache server on the NAS and added the entry:

    auth required pam_radius_auth.so

(so that Apache can use the PAM module)

Then, I added the following entries to /etc/apache2/apache2.conf

    AuthType Basic
    AuthName "Radius Authentication"
    AuthAuthoritative off
    AuthPAM_Enabled on
    AuthRadiusCookieValid 5
    AuthRadiusActive On
    #require valid-user (optional)

But, when I start apache server.. it gives the following warning:

    Invalid Command 'AuthPAM_Enabled'

Which means that the command is not recognized and I don't get any password prompt to access the secure html page!!!

Can anyone kindly tell me the right command set to be added to apache2.conf (or .htaccess file)? Is there anything else I will have to fix

Thanks.

Rizwan Khan
Re: Two radiusd daemons in the same PC...
The location is not the problem, the main problem is the port in which the daemon is listening. You have to configure the second daemon to listen in another port.

Jon

On Wed, 26 Jan 2005 [EMAIL PROTECTED] wrote:

> How may I get the "radiusd" in another location different to
> "/usr/local/sbin" or "/usr/local/bin" at compile time in order to have
> two different radiusd daemons running on the same PC?
> Is that possible?
> Thank you
Re: nas table in sql module
Hi!

> also, if you want to stop using clients.conf altogether, I think you must
> comment it out from the radiusd.conf. when I commented out all the clients
> in the clients.conf radius refused to start so I added a bogus one.

I wrote a patch so that you don't have to set up an ugly dummy entry. I posted it on -devel some weeks ago and re-posted it today after not getting any feedback.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingénieur réseau et système
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]
tél.: +352 424409-33
http://www.restena.lu
fax: +352 422473
Re: RE: mysql ?
If they are set to 0 would that then not return them back to the nas?

Joel

- Original Message -
From: "Cris Boisvert" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, January 26, 2005 9:39 AM
Subject: RE: RE: mysql ?

I think it's for priority of the response..
Some attributes need to be given back in sequence or they won't work
Ascend data filters are one of them..

So you can set the prio to be 0,1,2,3,4,5,6 etc
As you want them to be given back to the nas...

I may be wrong if so someone please correct me..

Thanx
Cris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joel Eddy
Sent: Wednesday, January 26, 2005 10:27 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: RE: mysql ?

Thanks for the info. Does someone know what its purpose in life is? I've got the Radius book by O'Reilly and there is no mention of it.

Joel

- Original Message -
From: <[EMAIL PROTECTED]>
To:
Sent: Tuesday, January 25, 2005 9:50 PM
Subject: Re: RE: mysql ?

I have zero "0" in mine...
and all works well.

Original Message
==> From: " Joel Eddy" <[EMAIL PROTECTED]>
==> Date: Tue, 25 Jan 2005 17:41:21 -0600

I hate to be the one that asks the stupid question of the day but here goes. In the Table radgroupreply in database radius what goes in the prio entry?

Joel
How to define freeradius as a proxy radius server and not a home server (listening on proxy :1814 ??
hello

I want to use Proxy Freeradius features. I have 2 proxy with 2 server A & B (primary).

Home Radius A <-> Proxy A <---> Proxy B <-> Home Radius B

when i use

    radtest testuser password proxya auth secret

It works !

but when i use

    radtest testuser password proxya:1814 auth secret

Proxy A tell me : "Ignoring request from unknown home server 130.130.93.13:32779"

When i would like to use attr_rewrite in order to modify packets from Proxy B, Proxy A see packet "proxy_reply" as reply. NOT PROXY_REPLY !! I think proxy A see Proxy B as a simple Home server.

HOW to declare Proxy A and PROXY B as PROXY RADIUS SERVER and not home server.

please help me
Two radiusd daemons in the same PC...
How may I get the "radiusd" in another location different to "/usr/local/sbin" or "/usr/local/bin" at compile time in order to have two different radiusd daemons running on the same PC? Is that possible?

Thank you
RE: RE: mysql ?
I think it's for priority of the response..
Some attributes need to be given back in sequence or they won't work
Ascend data filters are one of them..

So you can set the prio to be 0,1,2,3,4,5,6 etc
As you want them to be given back to the nas...

I may be wrong if so someone please correct me..

Thanx
Cris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joel Eddy
Sent: Wednesday, January 26, 2005 10:27 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: RE: mysql ?

Thanks for the info. Does someone know what its purpose in life is? I've got the Radius book by O'Reilly and there is no mention of it.

Joel

- Original Message -
From: <[EMAIL PROTECTED]>
To:
Sent: Tuesday, January 25, 2005 9:50 PM
Subject: Re: RE: mysql ?

I have zero "0" in mine...
and all works well.

Original Message
==> From: " Joel Eddy" <[EMAIL PROTECTED]>
==> Date: Tue, 25 Jan 2005 17:41:21 -0600

I hate to be the one that asks the stupid question of the day but here goes. In the Table radgroupreply in database radius what goes in the prio entry?

Joel
Re: RE: mysql ?
Thanks for the info. Does someone know what its purpose in life is? I've got the Radius book by O'Reilly and there is no mention of it.

Joel

- Original Message -
From: <[EMAIL PROTECTED]>
To:
Sent: Tuesday, January 25, 2005 9:50 PM
Subject: Re: RE: mysql ?

I have zero "0" in mine...
and all works well.

Original Message
==> From: " Joel Eddy" <[EMAIL PROTECTED]>
==> Date: Tue, 25 Jan 2005 17:41:21 -0600

I hate to be the one that asks the stupid question of the day but here goes. In the Table radgroupreply in database radius what goes in the prio entry?

Joel
Re: nas table in sql module
On 26 Jan 2005, at 16:33, Vincent Chen <[EMAIL PROTECTED]> wrote:

> Hi, all
>
> I am using freeradius 1.0 on mandrake linux 10.1. It seems that this version
> totally ignored nas table in database. Is this true? I can only add nas to
> clients.conf.
>
> If nas table was ignored, is 1.0.1 using it now?

I used the latest source and compiled it and it works. You must add this to the configuration:

    readclients=yes

and in the NAS table you must have:

    column    | value
    id        | ip address of client
    shortname | a short name for the client
    secret    | the radius secret plain text
    nasname   | again the ip address of client
    type      | i used 'cisco'

also, if you want to stop using clients.conf altogether, I think you must comment it out from the radiusd.conf. when I commented out all the clients in the clients.conf radius refused to start so I added a bogus one.
nas table in sql module
Hi, all

I am using freeradius 1.0 on mandrake linux 10.1. It seems that this version totally ignored nas table in database. Is this true? I can only add nas to clients.conf.

If nas table was ignored, is 1.0.1 using it now?

Thanks,
Vincent Chen
Calling own program in freeradius
Hi,

I want to write my own routine to manipulate Post proxy Packets and then build new proxy replies. Can anyone tell me from where to start.

Regards,
Aoun.

Stefan <[EMAIL PROTECTED]> wrote:

Would it be possible, to retrieve information, needed for authentication at a HTTP Server?

The Flow would be like this:

1. RADIUS Access Request Client > Freeradius
2. HTTP GET Freeradius Box > HTTP Server
3. Response HTTP Server > Freeradius Box
4. check Result
5. Accept or Reject to Client
6. Accounting from Client...

Thank you.

Regards
Stefan
HTTP Request for Authentication
Would it be possible, to retrieve information, needed for authentication at a HTTP Server?

The Flow would be like this:

1. RADIUS Access Request Client > Freeradius
2. HTTP GET Freeradius Box > HTTP Server
3. Response HTTP Server > Freeradius Box
4. check Result
5. Accept or Reject to Client
6. Accounting from Client...

Thank you.

Regards
Stefan
Re: SQL db failover
Rohaizam Abu Bakar wrote: >>> How can we possible do to ensure only when sql1 down.. then the >>> accounting will be sent to sql2..?? >> >> You might try a different approach: >> - store accounting in "detail" files (man rlm_detail) >> - run radsqlrelay to send accounting in the database (get it from >> a CVS snapshot) > > Thanks.. Will try it out... > > Do I need to make any addition/changes in Makefile to compile > radsqlrelay...? If yes... What changes is needed.. Indeed, radsqlrelay is something new and it is not build with the server in the current CVS. You could apply the following patch on the CVS version to build radsqlrelay, too. Index: src/main/Makefile.in === RCS file: /source/radiusd/src/main/Makefile.in,v retrieving revision 1.36 diff -u -r1.36 Makefile.in --- src/main/Makefile.in3 Dec 2004 18:24:31 - 1.36 +++ src/main/Makefile.in26 Jan 2005 10:50:22 - @@ -20,7 +20,7 @@ MODULE_OBJS= VFLAGS = -DRADIUSD_MAJOR_VERSION=$(RADIUSD_MAJOR_VERSION) VFLAGS += -DRADIUSD_MINOR_VERSION=$(RADIUSD_MINOR_VERSION) -BINARIES = radiusd radwho radzap radclient radrelay +BINARIES = radiusd radwho radzap radclient radrelay radsqlrelay LT_BIN_FLAGS = # @@ -137,6 +137,12 @@ radrelay.o: radrelay.c $(INCLUDES) $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) -c radrelay.c +radsqlrelay: radsqlrelay.o mainconfig.o util.o nas.o client.o log.o conffile.o files.o xlat.o valuepair.o ../lib/libradius.la + $(LIBTOOL) --mode=link $(CC) -export-dynamic -dlopen self $(CFLAGS) $(LDFLAGS) -o radsqlrelay radsqlrelay.o mainconfig.o util.o nas.o client.o log.o conffile.o files.o xlat.o valuepair.o $(LIBLTDL) $(LCRYPT) $(LIBS) + +radsqlrelay.o: radsqlrelay.c $(INCLUDES) + $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) -c radsqlrelay.c + radwho.o: radwho.c $(INCLUDES) $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) -c radwho.c 
@@ -159,5 +165,6 @@ $(INSTALL) -m 755radlast$(R)$(bindir) $(LIBTOOL) --mode=install $(INSTALL) -m 755radclient$(EXEEXT) $(R)$(bindir) $(LIBTOOL) --mode=install $(INSTALL) -m 755radrelay$(EXEEXT) $(R)$(bindir) + $(LIBTOOL) --mode=install $(INSTALL) -m 755radsqlrelay$(EXEEXT) $(R)$(bindir) $(INSTALL) -m 755radtest$(R)$(bindir) $(INSTALL) -m 755checkrad.pl$(R)$(sbindir)/checkrad -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
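Review bot: in the new radsqlrelay link rule (hunk @@ -137,6 +137,12) the object list from radsqlrelay.o through valuepair.o is written out twice, once as prerequisites and once in the $(LIBTOOL) --mode=link command, so a later edit can change one copy and not the other; put the list in a variable (for example RADSQLRELAY_OBJS, a name suggested here) and use it in both places. The same rule names ../lib/libradius.la as a prerequisite while the link command does not reference it directly, so the link relies on $(LIBS) supplying it; confirm that or pass the .la file explicitly. A one-line comment above the rule saying what radsqlrelay is for would also help, since the message describes it as new and not built by default.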
LDAP + CHAP problem
Hello,

I'm trying to figure out how to make freeradius work with LDAP and CHAP authentication. My user file looks like this:

    DEFAULT Service-Type = Framed-User
            Framed-Protocol = PPP,
            Framed-IP-Address = 192.168.10.100+,
            Framed-IP-Netmask = 255.255.255.0

And in my radiusd.conf I've something like this:

    modules {
        ...
        chap {
            authtype = CHAP
        }
        ldap {
            server = "myserver"
            basedn = "ou=devices,o=group,dc=toto,dc=com"
            filter = "(cn=%u)"
            ldap_connections_number = 5
            password_header = "{clear}"
            password_attribute = userPassword
            timeout = 4
            timelimit = 3
            net_timeout = 1
        }
    }
    authorize {
        chap
        ldap
        files
    }
    authenticate {
        Auth-Type CHAP {
            chap
        }
        Auth-Type LDAP {
            ldap
        }
    }

Everything is working well with the radtest utility which sends User-Password Attribute, but when I try to authenticate a client that sends Chap-password I've the following output:

    rlm_ldap: user authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module "ldap" returns ok for request 0
    users: Matched DEFAULT at 4
    modcall[authorize]: module "files" returns ok for request 0
    modcall: group authorize returns ok for request 0
    rad_check_password: Found Auth-Type CHAP
    auth: type "CHAP"
    Processing the authenticate section of radiusd.conf
    modcall: entering group authtype for request 0
    rlm_chap: login attempt by "" with CHAP password
    rlm_chap: Could not find clear text password for user
    modcall[authenticate]: module "chap" returns invalid for request 0
    modcall: group authtype returns invalid for request 0
    auth: Failed to validate the user.
    Login incorrect (rlm_chap: Clear text password not available): [/] (from client radiusFT port 99 cli 490760808)

I've read a lot of posts and FAQs but didn't find any solution. Can anyone help me in solving this problem please ?

Thanks in advance

Best regards,

--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA
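The "rlm_chap: Could not find clear text password" line in the debug output above follows from how a CHAP response is checked. As an added example (not part of the original post and not FreeRADIUS code; the function names, result labels and sample values are constructed here), this sketch verifies a RADIUS CHAP-Password value as defined in RFC 1994 and RFC 2865 and shows what happens when the server holds no clear-text password or only a hash of it.

```python
import hashlib
import hmac
from typing import Optional


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def check_chap(chap_password: bytes,
               request_authenticator: bytes,
               chap_challenge: Optional[bytes],
               cleartext: Optional[bytes]) -> str:
    """Verify a CHAP-Password attribute value (RFC 2865, section 5.3).

    Returns "ok", "reject" or "invalid"; these labels are this example's own.
    """
    # CHAP-Password is one octet of CHAP identifier plus a 16-octet MD5 response.
    if len(chap_password) != 17:
        return "invalid"
    # Without the clear-text password the server cannot recompute the MD5,
    # so the comparison cannot be performed at all.
    if cleartext is None:
        return "invalid"
    # The challenge is CHAP-Challenge if present, else the Request Authenticator.
    challenge = chap_challenge if chap_challenge else request_authenticator
    ident, received = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext, challenge)
    return "ok" if hmac.compare_digest(expected, received) else "reject"


# Constructed sample values, not taken from the post.
PASSWORD = b"example-password"
AUTHENTICATOR = bytes(range(16))
IDENT = 7
CHAP_PASSWORD = bytes([IDENT]) + chap_response(IDENT, PASSWORD, AUTHENTICATOR)


def demo() -> dict:
    """Run the same request against three kinds of stored credential."""
    stored_hash = hashlib.sha1(PASSWORD).digest()  # what a hashed entry would hold
    return {
        "cleartext stored": check_chap(CHAP_PASSWORD, AUTHENTICATOR, None, PASSWORD),
        "only a hash stored": check_chap(CHAP_PASSWORD, AUTHENTICATOR, None, stored_hash),
        "nothing retrieved": check_chap(CHAP_PASSWORD, AUTHENTICATOR, None, None),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because the password is mixed into the MD5 input together with the identifier and challenge, a hash of the password cannot be substituted for it on the server side.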
Re: Problem with CRL check
Hi Dean Thanks for your answer. How should I create CRL file ? Jacques VUVANT
RE: NAS from db - add without restart
On Fri, 2005-01-21 at 08:00 +, Neil Craig wrote:
> Could use cron to HUP server every so often
>
> >>> [EMAIL PROTECTED] 21/01/2005 00:05:09 >>>
> Just floating an idea...
>
> Is it worth considering adding a "periodic" section to radiusd.conf and
> the radius server? Rather than retrofitting reload this, reload that,

To Add: Who would need a built-in periodic reload/refresh of tables?

After the usertables - which can be read live out of (My)SQL, the next most-changeable category is probably the NAS information. NAS's are usually appended to - so add that ability to SQL.

What else is likely to be changed on a daily/weekly/monthly basis?... that shouldn't really be done without the current functionality of a HUP?

--
Mark J Elkins, Cisco CCIE
Posix Systems - Sth Africa. e.164 VOIP ready
[EMAIL PROTECTED]
Tel: +27 12 807 0590 Cell: +27 82 601 0496