Re: radutmp doesnt show any users.....

2005-03-13 Thread Rad Adm
My earlier email has the SQL table which has all the data logged at radius.
Without worrying about SQL, the contents of the packets are as follows.

UserName

NASIPAddress

AcctStartTime

AcctStopTime

These have correct values returned from my NAS to radius, and radius is
successfully able to log them.

What I understand from your email is to use this info to tell the
sessions apart. One way I can think of is to use UserName and see
if the AcctStartTime field has a value. If it does, that means the same
UserName can not log in.

Now, the issue with such an approach is that I can not limit it to 2
or 3 simultaneous sessions. It will only be one.

Can you suggest anything? Also, under what circumstances does the
Simultaneous-Use attribute work, and can I use it in my case?


Thanks



As I was saying earlier, when a session starts AcctStartTime gets a value, and
when this session ends AcctStopTime is assigned a value.

So given this info 


On Sat, 12 Mar 2005 23:59:52 -0500, Alan DeKok [EMAIL PROTECTED] wrote:
> Rad Adm [EMAIL PROTECTED] wrote:
> > The problem is that the NAS ( can not ) send NAS-Port Attribute and
> > that is not changeable at the moment . So that eliminates the options
> > of using  radutmp.
>
>   It would appear so.
>
> > Now knowing that radutmp can not work .. do you have any suggestion as
> > to how I am to implement User Concurrency.
>
>   If your NAS sends attributes which lets you tell sessions apart,
> then you can use those attributes.
>
> > Each time a user connects to my NAS , it sends an Accounting Start
> > packet and on user disconnect an Accounting Stop packet.
>
>   That's what the standard says.
>
> > Given this information what would you suggest is the best way to go
> > about and implement user concurrency .
>
>   I have no idea.  I don't use SQL, so I don't recall what information
> is being logged in them.
>
>   The key is to look at the contents of the packets.  That's what's
> important.
>
>   Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
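Rad Adm's idea above (an accounting record is open while AcctStartTime is set and AcctStopTime is not) carried through for a configurable limit rather than a single session, as an added example that is not part of the thread and not FreeRADIUS's own Simultaneous-Use code. It assumes only the four columns named in the post, kept in an in-memory SQLite table with constructed rows, and adds one check the thread does not mention: an open record older than a cutoff is treated as stale, because a NAS that crashed never sends Accounting-Stop and such a row would otherwise lock the user out for good.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample rows in the shape of the four columns named in the
# thread: UserName, NASIPAddress, AcctStartTime, AcctStopTime.
# AcctStopTime is NULL (None) while a session is still open.
SAMPLE_RADACCT = [
    ("alice", "10.0.0.1", "2005-03-13 10:00:00", "2005-03-13 10:30:00"),
    ("alice", "10.0.0.1", "2005-03-13 11:00:00", None),
    ("alice", "10.0.0.2", "2005-03-13 11:05:00", None),
    ("bob",   "10.0.0.1", "2005-03-13 09:00:00", None),
    # bob's second open record started days ago: most likely the NAS
    # rebooted and never sent Accounting-Stop, so it is a stale record.
    ("bob",   "10.0.0.2", "2005-03-10 08:00:00", None),
]

# "Now" for the constructed data, so the example is reproducible.
SAMPLE_NOW = datetime(2005, 3, 13, 12, 0, 0)


def load_radacct(rows=SAMPLE_RADACCT):
    """Build an in-memory radacct table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, NASIPAddress TEXT, "
        "AcctStartTime TEXT, AcctStopTime TEXT)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    return conn


def open_sessions(conn, username, now=SAMPLE_NOW,
                  stale_after=timedelta(hours=24)):
    """Return (live, stale) lists of (NASIPAddress, AcctStartTime).

    An open session is a row whose AcctStopTime is NULL.  Rows whose
    AcctStartTime is older than stale_after are reported separately so
    the caller can ignore them (or clean them up) instead of counting
    them against the user's limit.
    """
    cutoff = (now - stale_after).strftime("%Y-%m-%d %H:%M:%S")
    cur = conn.execute(
        "SELECT NASIPAddress, AcctStartTime FROM radacct "
        "WHERE UserName = ? AND AcctStopTime IS NULL", (username,))
    live, stale = [], []
    for nas, start in cur.fetchall():
        # ISO timestamps compare correctly as strings.
        (live if start >= cutoff else stale).append((nas, start))
    return live, stale


def login_allowed(conn, username, limit, now=SAMPLE_NOW):
    """True if the user has fewer than `limit` live sessions open."""
    live, _stale = open_sessions(conn, username, now)
    return len(live) < limit


if __name__ == "__main__":
    db = load_radacct()
    for user in ("alice", "bob", "carol"):
        live, stale = open_sessions(db, user)
        print(user, "live:", len(live), "stale:", len(stale),
              "allowed at limit 2:", login_allowed(db, user, 2))
```

The count is taken from the same accounting table the NAS already fills, so nothing about NAS-Port is needed; what does matter is that every Accounting-Stop actually reaches the server, which is why the stale cutoff is worth keeping even once the NAS behaves.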


Re: Problem with Windows XP Authentication

2005-03-13 Thread Zoltan Ori
On Sunday 13 March 2005 13:47, chiam kuosiang wrote:

> When I tried to launch PEAP authentication with the Windows XP client, the
> radius snippet keeps on showing Sending Access-Challenge.
>
> In D-Link DWL-900AP+, log show EAP-Failure
>
>
>   modcall[authenticate]: module eap returns handled for request 0
> modcall: group authenticate returns handled for request 0
> Sending Access-Challenge of id 54 to 192.168.0.50:1206
> EAP-Message = 0x010200061920
> Message-Authenticator = 0x
> State = 0x621660927c5033dae390af4ffc09dfc5
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---

Your supplicant is not responding to the challenge. The conversation between 
it and the NAS may not be taking place properly. Check config on supplicant 
and NAS to make sure they agree. Do you have the latest drivers and patches 
on XP?




RE: Strip certain number of characters from username?

2005-03-13 Thread Brian Andrus
If you are using SQL authentication, you may want to strip the info in the
SQL call.
 


Brian Andrus
FirstSpot, Inc.
(310) 899-WiFi
[EMAIL PROTECTED]
http://www.firstspot.net
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bülent
Akdemir
Sent: Saturday, March 12, 2005 1:34 PM
To: freeradius-users@lists.freeradius.org
Subject: Strip certain number of characters from username?

Hi all,

Is it possible to retrieve only the last 5 characters of the username
and then use it for authentication? I tried to do it by means of the hints
file, but I could only remove the matching part of the usernames. My
strings (usernames) are like:

AXYu

and I removed the A part in the hints file since it's
identical for all usernames. But the XY part differs from username to
username and I only need the u part. I know it seems very awkward, but
believe me, I need to do it.
I'm using freeradius version 1.0.2.

Any idea would be appreciated. Thanx a lot...

Sorry for my poor English...





RE: SQL auth_check_query and available variables

2005-03-13 Thread Brian Andrus
I figured it out. As odd as it was, I had to restart Postgres after making
the changes to the radius configs. Once I did that, it started passing the
value rather than the variable name. 


Brian Andrus
FirstSpot, Inc.
(310) 899-WiFi
[EMAIL PROTECTED]
http://www.firstspot.net
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Saturday, March 12, 2005 9:49 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: SQL auth_check_query and available variables 

Brian Andrus [EMAIL PROTECTED] wrote:
> What variables are available to the auth_check_query?

  All attributes that exist.

> SELECT id, username, attribute, value, op FROM radcheck WHERE username 
> = 'brian' AND allowed_NAS = '%{NAS-Identifier}'

  I'm not sure why that would happen.  I've never seen it myself.

> Are the variables from the NAS unavailable to a SQL query for auth?

  If an attribute is in the request packet, you can use it in the SQL query.

  Alan DeKok.




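Two points from the threads above, Brian's suggestion to strip the username inside the SQL call rather than in the hints file, and Alan's answer that any attribute present in the request packet can be used in auth_check_query, shown together in one added example. This is illustration code, not FreeRADIUS's rlm_sql: the real module substitutes the attribute text into the query with its own escaping, whereas this example turns each %{Attr} placeholder into a bound parameter so the attribute value never becomes part of the SQL text. The radcheck rows and request packets are constructed, and the allowed_NAS column is the custom one from Brian's query, not a stock schema column.

```python
import re
import sqlite3

# Constructed radcheck rows following the columns in Brian's query
# (id, username, attribute, value, op) plus his custom allowed_NAS column.
# The password values are placeholders, not real credentials.
SAMPLE_RADCHECK = [
    (1, "user1", "User-Password", "example-only-1", "==", "nas-a"),
    (2, "user2", "User-Password", "example-only-2", "==", "nas-b"),
]

# Query in the page's own %{Attr} notation.  substr(x, -5) keeps the last
# five characters, which is the "strip in the SQL call" idea from the
# username thread; allowed_NAS ties the check item to the NAS that asked.
AUTH_CHECK_QUERY = (
    "SELECT id, username, attribute, value, op FROM radcheck "
    "WHERE username = substr('%{User-Name}', -5) "
    "AND allowed_NAS = '%{NAS-Identifier}'"
)

# Matches %{Attr-Name}, with or without the surrounding single quotes that
# FreeRADIUS queries normally carry, so the page's query works unchanged.
PLACEHOLDER = re.compile(r"'?%\{([A-Za-z0-9-]+)\}'?")


def expand(template, request):
    """Turn %{Attr} placeholders into bound parameters.

    Returns (sql, params).  Each placeholder becomes a '?' and the request
    value is passed out of band, so the attribute text is never spliced
    into the statement.  A placeholder for an attribute the NAS did not
    send expands to the empty string, as FreeRADIUS's own xlat does.
    """
    params = []

    def bind(match):
        params.append(request.get(match.group(1), ""))
        return "?"

    return PLACEHOLDER.sub(bind, template), params


def load_radcheck(rows=SAMPLE_RADCHECK):
    """Build an in-memory radcheck table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (id INTEGER, username TEXT, attribute TEXT, "
        "value TEXT, op TEXT, allowed_NAS TEXT)")
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def auth_check(conn, request, template=AUTH_CHECK_QUERY):
    """Run the expanded auth_check_query for one request packet."""
    sql, params = expand(template, request)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = load_radcheck()
    # Constructed request packets: a long username whose last five
    # characters are the real account name, from two different NASes.
    print(auth_check(db, {"User-Name": "A01XYuser1", "NAS-Identifier": "nas-a"}))
    print(auth_check(db, {"User-Name": "A01XYuser1", "NAS-Identifier": "nas-b"}))
```

Because the value is bound, a username containing a quote character is compared as data; and because the comparison is made on the stripped form, two different long usernames ending in the same five characters map to the same radcheck row, which is exactly the property Bülent asked for and worth keeping in mind when those suffixes are assigned.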


Freeradius ldap authentication sql authorization help!!

2005-03-13 Thread Jamie Crawford
Hello,
To make it short, is it possible to authenticate users through LDAP
(which I can do right now), but limit which ports they can log in to (16)
on a port by port basis through SQL, without having to store their password
in the DB or modifying my LDAP schema?

Currently I have freeradius authenticating users through NIS and
authorizing users to port numbers with the users file.  This works great
until the list starts changing daily on who can and cannot use RAS.

I'm wondering if anyone has set up freeradius to authenticate through
LDAP and authorize through a Postgres DB.  All the documentation that I
have read says that I need the user's username and password in the
database, or that I need to modify my LDAP schema.

Thanks,
jamie



Re: Freeradius ldap authentication sql authorization help!!

2005-03-13 Thread Alan DeKok
Jamie Crawford [EMAIL PROTECTED] wrote:
> I'm wondering if anyone has set up freeradius to authenticate through
> LDAP and authorize through a Postgres DB.

  Yes.  I haven't done it myself, but FreeRADIUS is *designed* to have
that kind of flexibility.

> All the documentation that I have read says that I need the user's
> username and password in the database, or that I need to modify my
> LDAP schema.

  If you're authorizing via SQL, your LDAP schema shouldn't need changes.

  Alan DeKok.



AVPair

2005-03-13 Thread Mike Chamberlain
Hi.

I am using various Quintum boxes to communicate with our FreeRadius
server.  My question concerns the attributes:

Quintum-AVPair = =

What we need to know is... what's the deal with that?  What is the
difference between an AVPair attribute and the other standard
name-value attributes such as:

Quintum-h323-gw-id = h323-gw-id=au-syd-wentworth
Quintum-h323-call-origin = h323-call-origin=answer

It seems that there are multiple values that could be passed as the
AVPair, but FreeRadius only seems to be able to access.  For instance,
reading the FreeRadius log, during authentication, the AVPair contains
h323-ivr-out=ACCESSCODE:, but then later during authorization it
contains h323-ivr-out=FOLLOW_ON_FLAG:0.  Then, on the stop call
message, it contains h323-incoming-conf-id=33383732 61306336 38390064
393862B3.  Why can the AVPair values not all be sent through in the
latter format?  Why could these attributes not be passed on their own,
rather than lumped into this AVPair affair?  If I want to access the
h323-incoming-conf-id when it is not presented as its own attribute,
is it accessible through the AVPair?

Basically, if anyone can point me to some documentation that explains
this whole AVPair ridiculousness then that would be great.

Mike C

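A small parser for the two shapes of value shown in the question, added here as an example (not Quintum's or FreeRADIUS's code): it treats Quintum-AVPair and the dedicated Quintum-h323-* attributes alike, since both wrap a key=value string, so a key such as h323-incoming-conf-id can be read from a packet dump whichever attribute happens to carry it. The sample lines are constructed from the values quoted in the post; the SUBKEY:value layout for h323-ivr-out and the reading of the conference id as 16 bytes are assumptions drawn from those values, not from vendor documentation.

```python
import re

# Constructed attribute lines in the form FreeRADIUS prints them.  The keys
# and values copy the ones quoted in the question; the first two lines show
# the "named attribute" form, the rest the AVPair form.
SAMPLE_LINES = [
    'Quintum-h323-gw-id = "h323-gw-id=au-syd-wentworth"',
    'Quintum-h323-call-origin = "h323-call-origin=answer"',
    'Quintum-AVPair = "h323-ivr-out=ACCESSCODE:"',
    'Quintum-AVPair = "h323-ivr-out=FOLLOW_ON_FLAG:0"',
    'Quintum-AVPair = "h323-incoming-conf-id=33383732 61306336 38390064 393862B3"',
]

# Attribute = "value" as it appears in a debug dump; quotes are optional.
ATTR_LINE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_avpair(value):
    """Split 'key=value' into (key, value); the value may itself contain '='."""
    key, sep, val = value.partition("=")
    if not sep:
        raise ValueError(f"not in key=value form: {value!r}")
    return key.strip(), val.strip()


def parse_packet(lines):
    """Collect every h323 key from a dump, whatever attribute carried it.

    Both Quintum-AVPair and the dedicated Quintum-h323-* attributes wrap a
    key=value string, so both go through parse_avpair().  Values for
    h323-ivr-out look like SUBKEY:value and are kept as a nested dict
    (an assumption drawn from the two values quoted in the post).  A plain
    key seen more than once is kept as a list so nothing is silently lost.
    """
    result = {}
    for line in lines:
        m = ATTR_LINE.match(line)
        if not m:
            continue
        attr, raw = m.groups()
        if not (attr == "Quintum-AVPair" or attr.startswith("Quintum-h323-")):
            continue
        key, val = parse_avpair(raw)
        if key == "h323-ivr-out":
            sub, _, subval = val.partition(":")
            result.setdefault(key, {})[sub] = subval
        elif key in result:
            seen = result[key]
            result[key] = (seen if isinstance(seen, list) else [seen]) + [val]
        else:
            result[key] = val
    return result


def conf_id_bytes(parsed):
    """Join the four hex words of h323-incoming-conf-id into 16 raw bytes.

    Assumption: the value is a 128-bit conference identifier written as
    space-separated 32-bit hex words, as the sample line suggests.
    """
    words = parsed["h323-incoming-conf-id"].split()
    return bytes.fromhex("".join(words))


if __name__ == "__main__":
    parsed = parse_packet(SAMPLE_LINES)
    for key, value in parsed.items():
        print(key, "->", value)
    print("conf id:", conf_id_bytes(parsed).hex())
```

Since a single packet may carry several AVPairs, reading them as a dict keyed by the embedded name, rather than by the RADIUS attribute, is what makes a value like the conference id findable on the stop record even though it never appears as its own attribute.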


dialup_admin.cron

2005-03-13 Thread zack musa
Hi,
I try to run the script (dialup_admin.cron) to allow
auto update of the totacct and mtotacct tables. But what
happens is I still need to run the totacct and mtotacct
scripts manually, or the .cron script, daily, to make an
update in my database. I disabled some scripts such as
truncate radacct and clean radacct from executing. Do I
miss something to get this auto update done?
Thanks.





Re: how to enable EAP-TTLS inner PAP

2005-03-13 Thread TAYLAN KIRAN
Thank you for your response,
   What should I write instead of EAP? When I write Local or System it
didn't work.


  I have one more question.
When I add a user named test in the users file as follows,

test Auth-Type := EAP, User-Password == 11
Filter-Id = Enterasys:version=1:mgmt=su:policy=cit

  802.1x authentication is successful. But I need to authenticate users
on eDirectory via LDAP.
In the LDAP server we have the field postOfficeBox in which
Enterasys:version=1:mgmt=su:policy=cit
is stored. We want freeradius to get the postOfficeBox value
of the user and send it to the NAS
as Filter-Id = Enterasys:version=1:mgmt=su:policy=cit.


  But this authentication should be in the EAP-TTLS inner PAP method.

We can do it in Steel-Belted radius server. But SecureW2 didn't work
with Steel-Belted.

How can I do it?

Thanks,





Taylan KIRAN
NetworkSystem Specialist
Koc University



>>> [EMAIL PROTECTED] 03/11 8:18 PM >>>
> TAYLAN  KIRAN [EMAIL PROTECTED] wrote:
> > You say we only need to enable EAP-TTLS, but it does not work.
> > You can find the debug log as follows.
> ...
> > users: Matched entry deneme at line 152
> >   modcall[authorize]: module files returns ok for request 4
> > modcall: group authorize returns ok for request 4
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type EAP
> >   Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 4
> > rlm_eap: EAP-Message not found
> > rlm_eap: Malformed EAP Message
> >   modcall[authenticate]: module eap returns fail for request 4
> > modcall: group authenticate returns fail for request 4
>
>   You are setting Auth-Type := EAP in line 152 of the users file.
>
>   DO NOT DO THAT.  IT IS NOT NECESSARY.
>
>   Please read eap.conf.  It EXPLAINS THIS.
>
>   Alan DeKok.
