Re: Authenticating and Blocking per client

2005-03-30 Thread Peter Nixon
On Tuesday 29 March 2005 17:56, Jason Frisvold wrote:
 On Tue, 29 Mar 2005 07:51:41 -0700, Kenneth Grady [EMAIL PROTECTED] wrote:
  One way to do it is to add the users allowed to the huntgroups. Example:
  huntgroups...

 Ok, so now what happens when you start dealing with other devices like
 a redback?  Can those be added into the huntgroups as well?

Yes. Huntgroups is exactly what you want...

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: why my adsl-connect only keep 0.4 minutes?

2005-03-30 Thread Peter Nixon
On Wednesday 30 March 2005 04:31,   wrote:
 Each time I connect to the server, the adsl-connect only keeps 0.4
 minutes, and then the modem hangs up, and then it auto-reconnects.
 Is there some attribute I didn't set to the right value in MySQL, or some other
 problem?
 Thanks.

We have no idea how you are using radius, why you are using radius or with 
what equipment you are using radius. If you give us some information about 
your setup we might be able to help you.

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: why my adsl-connect only keep 0.4 minutes?

2005-03-30 Thread Peter Nixon
Is there any particular reason why you think this problem is related to 
FreeRADIUS?

Regards

Peter

On Wednesday 30 March 2005 13:26,   wrote:
 There are three machines: A has freeradius 1.0.2 and mysql installed, B just
 has pppd+radiusclient and pppoe-server installed, and C is my PC. I adsl-connect to the
 pppd on my PC. My connection just keeps 0.4 minutes, and then it shows me that the modem
 hung up and adsl-connect reconnects, and it works correctly for 0.4 minutes.
 I don't know why.

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: why my adsl-connect only keep 0.4 minutes?

2005-03-30 Thread 黄 俊源
One man said there is an option, session-timeout, that has to be set, but I do not 
know where to set it...
The other said only the NAS can hang up your connection, but I can't find out 
why.

 From: Peter Nixon [EMAIL PROTECTED]
 Reply-To: freeradius-users@lists.freeradius.org
 To: freeradius-users@lists.freeradius.org
 Subject: Re: why my adsl-connect only keep 0.4 minutes?
 Date: Wed, 30 Mar 2005 13:32:58 +0300

 Is there any particular reason why you think this problem is related to
 FreeRADIUS?

 Regards

 Peter


Redundant Radius with Dynamic Data

2005-03-30 Thread Chris.Howarth
Hello Group,

I am just about to set up a radius service and have managed to acquire 2 servers with a view to making the end product redundant.

Just to give you a little background. The radius system will be used for DSL authentication. The user will authenticate (indirectly via a cisco device) with their [EMAIL PROTECTED]  password. The server will then authorise the user and respond with a single attribute - their IP address.

The IP addresses (depending on which domain they are in) will be dynamically allocated from a pool of IP addresses. So far so good.

I don't intend to perform any load balancing of the traffic to the two radius servers. Therefore I was planning to use the features on the Cisco router to treat one server as primary and one as secondary (failover).

I will most likely use rsync to synchronise the config from the primary to the secondary. My problem (and hence the reason for this post) is that the primary would be holding accounting information regarding which IP addresses have been allocated to each user from the pool - thus avoiding any IP conflict on the edge network. I do not understand how I would be able to configure the two servers so that if the Primary failed the secondary would know which IPs had been allocated and continue to allocate from the remaining pool.

I have literally only just switched the servers on. I want to get this right from the start. If I cannot find a solution to this issue I have a back out plan that involves setting each user with a static IP, not ideal.

Is an SQL backend the best method? Would a shared SQL backend maintain the integrity of the allocated IP pool? I have experience with Freeradius and would like to continue with this platform, but is it the best one for what I am attempting?

I look forward to your responses to this question.

Best Regards,

Christopher Howarth RHCE
Network  Systems Development Consultant
Equinox Converged Solutions















RE: Authenticate users from freeradius to a Windows 2000 AD

2005-03-30 Thread Vitor Paiva da Silva

Hi,
Sorry about the late reply. I tried your suggestion, but without success. I 
don't know if I am using the right parameters in the users, the eap.conf and 
the radiusd.conf files. Have you any sample config? Or any suggested docs?

Many thanks
Vitor
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sandworm
Sent: Monday, 21 March 2005 2:16
To: freeradius-users@lists.freeradius.org
Subject: RE: Authenticate users from freeradius to a Windows 2000 AD 



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Vitor Paiva da Silva
 Sent: Saturday, 19 March 2005 2:58 AM
 To: freeradius-users@lists.freeradius.org
 Subject: Authenticate users from freeradius to a Windows 2000 AD


 rlm_ldap: ldap_search() failed: Operations error

 rlm_ldap: search failed

 rlm_ldap: ldap_release_conn: Release Id: 0

   modcall[authorize]: module ldap returns fail for request 0

 modcall: group authorize returns fail for request 0


This typically happens when AD referrals fail. In your LDAP
configuration you need to turn off dereferencing and referrals.
This is usually done by adding the following lines to
/etc/openldap/ldap.conf on the FreeRadius box (which is the AD LDAP
client in this case):

deref never
referrals no

Regards


FreeRADIUS Performance

2005-03-30 Thread DESETech - German P. Santillan
Hi, how many concurrent petitions (AuthRequest) can FreeRADIUS handle? Can this 
number be changed? Does it depend on hardware?

Thanks in advance


German P. Santillan
IT Admin
DESETech




Re: Auth-Type=EAP and other

2005-03-30 Thread Willem Eradus
On Wed, 30 Mar 2005 18:43:12 +0800, Chan Min Wai [EMAIL PROTECTED] wrote:
 Hello all,
 
 Anyone can help me configure the Auth-type
 EAP for NAS A,b,c,d,e
 plaintext for NAS h,i,j,k
 
 regards.
 

extract from eap.conf

#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#   $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $
#



Re: Redundant Radius with Dynamic Data

2005-03-30 Thread Lewis Bergman

[EMAIL PROTECTED] said:

 Is an SQL backend the best method?  Would a shared SQL backend maintain
 the integrity of the allocated IP pool?  I have experience with Freeradius
 and would like to continue with this platform, but is it the best one for
 what I am attempting?

An SQL backend is one way to do it. I am using the MySQL 4.1.10-Max
cluster version so any node can read or write. This gives you a true HA
RADIUS model. I haven't implemented the multiple SQL server part in
radius yet though. Still need to do that.

-- 
Lewis Bergman
Texas Communications
4309 Maple ST.
Abilene, TX 79602
325-691-3301



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour

Stefan Winter [EMAIL PROTECTED] wrote:
 
 Hello!
 
  I've searched and searched, and tried every hint I could find, and
  cannot seem to make it work using the Windows login name and
  password.  Is it possible?
 
 Make your users set a password for their login on the XP machine. That is the 
 username/password combination XP will use for authentication when you check 
 the box.

Yes, I knew this.  Users have been using Samba shares on my Unix/Linux
servers for a number of years.

 Then list these users with the appropriate passwords in your radiusd backend 
 (smbpasswd in your case). 

They're *all* already in there.  (See above.)

   Then it should work.

Not so far.  I'm wondering if I'm missing something in FreeRADIUS'
configuration?

One thing I notice is the client PC sending WINNAME\username, instead
of just username, if I tell it to use the Windows login info.

 [At least I think so; someone please correct me if I'm wrong]

Who am I to say you're wrong?  I've no idea what I'm doing ;).  But
it doesn't appear to be working.

Thanks for the follow-up.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at http://jimsun.linxnet.com/scform.php.



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Willem Eradus
On Wed, 30 Mar 2005 06:50:37 -0500 (EST), Jim Seymour
[EMAIL PROTECTED] wrote:
 
 Stefan Winter [EMAIL PROTECTED] wrote:
 
  Hello!
 
   I've searched and searched, and tried every hint I could find, and
   cannot seem to make it work using the Windows login name and
   password.  Is it possible?
 
  Make your users set a password for their login on the XP machine. That is 
  the
  username/password combination XP will use for authentication when you check
  the box.
 
 Yes, I knew this.  Users have been using Samba shares on my Unix/Linux
 servers for a number of years.
 
  Then list these users with the appropriate passwords in your radiusd backend
  (smbpasswd in your case).
 
 They're *all* already in there.  (See above.)
 
Then it should work.
 
 Not so far.  I'm wondering if I'm missing something in FreeRADIUS'
 configuration?
 
 One thing I notice is the client PC sending WINNAME\username, instead
 of just username, if I tell it to use the Windows login info.
 
  [At least I think so; someone please correct me if I'm wrong]

I get [WI-1\\Willem Eradus/no User-Password attribute]

# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion.  This hack
# corrects for that incorrect behavior.
#
#with_ntdomain_hack = no

I believe the above should take care of the domain part, and some
other attribute may hold a hash with the password. Did you try with -X
enabled to see what attributes are being provided?

 Who am I to say you're wrong?  I've no idea what I'm doing ;).  But
 it doesn't appear to be working.
 
 Thanks for the follow-up.
 
 Jim
 --
 Note: My mail server employs *very* aggressive anti-spam
 filtering.  If you reply to this email and your email is
 rejected, please accept my apologies and let me know via my
 web form at http://jimsun.linxnet.com/scform.php.
 


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Willem Eradus [EMAIL PROTECTED] wrote:
 
 On Wed, 30 Mar 2005 06:50:37 -0500 (EST), Jim Seymour
 [EMAIL PROTECTED] wrote:
  
[snip]
  
  One thing I notice is the client PC sending WINNAME\username, instead
  of just username, if I tell it to use the Windows login info.
  
   [At least I think so; someone please correct me if I'm wrong]
 
 I get [WI-1\\Willem Eradus/no User-Password attribute]
 
 # Windows sends us a username in the form of
 # DOMAIN\user, but sends the challenge response
 # based on only the user portion.  This hack
 # corrects for that incorrect behavior.
 #
 #with_ntdomain_hack = no

I tried that.  Made no discernable difference.

Note, further down, in preprocess, this:

# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the realms module for a better way to handle
# NT domains.
with_ntdomain_hack = no

I'm not at all clear on realms or what I should be doing in that
respect, if anything.

 
 I believe the above should take care of the domain part, and some
 other attribute may hold a hash with the password. Did you try with -X
 enabled to see what attributes are being provided?

I've been running it in the foreground with -X.  That *is* what the
install docs say to do for testing, after all, and I do RTFM.  Well...
usually.  I'm not yet grokking much of what I'm seeing.

I'll keep plugging away.  Hopefully, sooner-or-later, either I'll trip
across the solution or somebody here will mention it.

Thanks for the follow-up.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at http://jimsun.linxnet.com/scform.php.



Re: Auth-Type=EAP and other

2005-03-30 Thread Chan Min Wai
Mine can't; if EAP was not set in the Autz-type, it will fail to Auth and say 
userpassword required...


-Original Message-

From:  Willem Eradus [EMAIL PROTECTED]
Subj:  Re: Auth-Type=EAP and other
Date:  Wed 30 Mar 2005 19:45
Size:  625 bytes
To:  freeradius-users@lists.freeradius.org

On Wed, 30 Mar 2005 18:43:12 +0800, Chan Min Wai [EMAIL PROTECTED] wrote:
 Hello all,
 
 Anyone can help me configure the Auth-type
 EAP for NAS A,b,c,d,e
 plaintext for NAS h,i,j,k
 
 regards.
 

extract from eap.conf

#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#   $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $
#



Re: LDAP Profiles

2005-03-30 Thread Kostas Kalevras
On Tue, 29 Mar 2005, Jarred Cleem wrote:

 Thanks Dustin Doris for your reply.  I seem to be missing something
 because I can not get it to work like you mentioned.  Let me provide
 some data and config info in hopes that you might be able to help
 further.  What I am hoping for is that it will send the profile info and
 the info for the user.

 For example, I am hoping to see the return attributes for jcleem/dial to
 be:
 radiusClientIPAddress: 172.18.5.1
 radiusFramedIPNetmask: 255.255.255.0
 radiusFramedProtocol: PPP
 radiusFramedRouting: None
 radiusServiceType: Framed-User
 radiusFramedCompression: Van-Jacobson-TCP-IP

 But I only get (does not include radiusClientIPAddress):

The radiusClientIPAddress attribute is a check and not a reply item. It is 
normally not included in raddb/ldap.attrmap and I don't think you wanted to use 
that in the first place. What you need to use is the radiusFramedIPAddress 
attribute:

radiusFramedIPAddress: 172.18.5.1

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: FreeRADIUS Performance

2005-03-30 Thread Peter Nixon
On Wednesday 30 March 2005 14:40, DESETech - German P. Santillan wrote:
 Hi, how many concurrent petitions (AuthRequest) can FreeRADIUS handle? Can this
 number be changed? Does it depend on hardware?

It depends completely on hardware, thread settings and operating system 
settings, however I expect a fully tuned FR server on any type of decent 
(current) hardware without the extra overhead of SQL etc would handle a few 
hundred thousand Auth requests per second without any trouble.
I personally have never managed to put FreeRADIUS itself under load.. (Except 
when I ran it on a 486) I have however managed to blow up a number of backend 
database servers with load generated BY FreeRADIUS!

cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour

Michael Griego [EMAIL PROTECTED] wrote:
 
 You should be
 
 Jim Seymour wrote:
  Willem Eradus [EMAIL PROTECTED] wrote:
 
 #
 #with_ntdomain_hack = no
  
  
  I tried that.  Made no discernable difference.
 
 Be sure you're using the with_ntdomain_hack in the mschap module 
 configuration, NOT the one in the preprocess module configuration.

Tried one, the other, and both.

Using separate creds in 'doze, I get this in the -X output:

rlm_passwd: Added LM-Password: 'users LM password' to config_items
rlm_passwd: Added NT-Password: 'users NT password' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U  ]' to config_items
rlm_passwd: Adding Auth-Type = MS-CHAP
  modcall[authorize]: module etc_smbpasswd returns ok for request 0

Using WinXP's login info, I see none of that.  Instead I get:

  modcall[authorize]: module etc_smbpasswd returns notfound for request 0

Next test: I reconfigured the XP box for separate, manually-entered
creds again, entered a correct username, but invalid password.  Again
I got:

rlm_passwd: Added LM-Password: 'users LM password' to config_items
rlm_passwd: Added NT-Password: 'users NT password' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U  ]' to config_items
rlm_passwd: Adding Auth-Type = MS-CHAP
  modcall[authorize]: module etc_smbpasswd returns ok for request 0

So clearly that output indicates a successful username match, and
just as clearly, setting with_ntdomain_hack = yes in the mschap
module does not strip the leading GARBAGE\ stuff.

Ghod I just love 'doze :/

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at http://jimsun.linxnet.com/scform.php.
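
The `ok` versus `notfound` results quoted in the message above, modelled as an added example that is not part of any post and is not FreeRADIUS code: a lookup keyed on the literal user name misses when the client prepends `WINNAME\`, and hits once that prefix is removed before the lookup. The file contents are constructed sample data with placeholder hashes, and the function names are assumptions made for the sketch.

```python
r"""Model of a username-keyed smbpasswd lookup; not FreeRADIUS code."""

# Constructed smbpasswd-style lines: name:uid:LM hash:NT hash:[flags]:LCT:
# The two hash fields are placeholders, not real password hashes.
SAMPLE_SMBPASSWD = """\
# constructed sample file
jseymour:1001:LM-PLACEHOLDER:NT-PLACEHOLDER:[U          ]:LCT-00000000:
willem:1002:LM-PLACEHOLDER:NT-PLACEHOLDER:[U          ]:LCT-00000000:
"""


def parse_smbpasswd(text):
    """Return {username: config items} for every well-formed line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue  # malformed line: skip rather than guess
        name, _uid, lm_hash, nt_hash, flags = fields[:5]
        # Item names follow the debug output quoted in the thread.
        entries[name] = {
            "LM-Password": lm_hash,
            "NT-Password": nt_hash,
            "SMB-Account-CTRL-TEXT": flags,
        }
    return entries


def split_nt_domain(user_name):
    r"""Split 'DOMAIN\user' into (domain, user); domain is None if absent.

    Debug output can show the separator doubled ('WI-1\\name'), so a
    doubled backslash is collapsed to a single one first.
    """
    name = user_name.replace("\\\\", "\\")
    domain, sep, user = name.partition("\\")
    if not sep:
        return None, name
    return domain, user


def lookup(entries, user_name, strip_domain):
    """Return (result, items); result is 'ok' or 'notfound'."""
    key = split_nt_domain(user_name)[1] if strip_domain else user_name
    items = entries.get(key)
    return ("ok", items) if items is not None else ("notfound", None)


def demo():
    """Run the three cases from the thread against the sample file."""
    entries = parse_smbpasswd(SAMPLE_SMBPASSWD)
    cases = [
        ("jseymour", False),            # separate, manually entered creds
        ("ADMINNB\\jseymour", False),   # Windows login info, used as-is
        ("ADMINNB\\jseymour", True),    # Windows login info, prefix removed
    ]
    return [(name, strip, lookup(entries, name, strip)[0])
            for name, strip in cases]


if __name__ == "__main__":
    for name, strip, result in demo():
        print(f"{name!r:22} strip_domain={strip!s:5} -> {result}")
```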



Re: LDAP Radius

2005-03-30 Thread Dustin Doris

 Does someone have a good howto on setting up Radius to make use of an LDAP
 group. I read the ldap docs at freeradius.org and that seemed like
 overkill I just want to have a group and put the user in the group to give
 them access?



Say you have two groups, one that has access to dial and one that has
access to adsl.  Some users can be in both groups.  You have a NAS from
1.1.1.1 for dial and 2.2.2.2 for adsl.

-dialonly user
dn: uid=dialuser,ou=radius,dc=yourdomain,dc=com
objectclass: radiusprofile
uid: dialuser
userpassword: somepass
radiusgroupname: dial

-adslonly user
dn: uid=adsluser,...
objectclass: radiusprofile
uid: adsluser
userpassword: pass
radiusgroupname: adsl

-adsl and dial user
dn: uid=both,...
objectclass: radiusprofile
uid: both
userpassword: pass
radiusgroupname: dial
radiusgroupname: adsl

In your users file

DEFAULT NAS-IP-Address == 1.1.1.1, Ldap-Group == dial

DEFAULT NAS-IP-Address == 2.2.2.2, Ldap-Group == adsl

DEFAULT Auth-Type := Reject


Packet comes from dial NAS, checks to see if user has radiusgroupname
dial, if so it will match and then authenticate the user.  User doesn't
have dial, it will fall-through to Reject.

Packet comes from adsl NAS, checks to see if user has radiusgroupname
adsl, ...

Hope that helps,

Dusty Doris



Re: LDAP Profiles

2005-03-30 Thread Dustin Doris

 On Tue, 29 Mar 2005, Jarred Cleem wrote:

  Thanks Dustin Doris for your reply.  I seem to be missing something
  because I can not get it to work like you mentioned.  Let me provide
  some data and config info in hopes that you might be able to help
  further.  What I am hoping for is that it will send the profile info and
  the info for the user.
 
  For example, I am hoping to see the return attributes for jcleem/dial to
  be:
  radiusClientIPAddress: 172.18.5.1
  radiusFramedIPNetmask: 255.255.255.0
  radiusFramedProtocol: PPP
  radiusFramedRouting: None
  radiusServiceType: Framed-User
  radiusFramedCompression: Van-Jacobson-TCP-IP
 
  But I only get (does not include radiusClientIPAddress):

 The radiusClientIPAddress attribute is a check and not a reply item. It
 is normally not included in raddb/ldap.attrmap and i don't think you
 wanted to use that in the first place. What you need to use is the
 radiusFramedIPAddress attribute: radiusFramedIPAddress: 172.18.5.1

 --

Kostas is correct, but if you really need to use Client-IP-Address for
some reason, then add it to ldap.attrmap as a reply item.

replyItem   Client-IP-Address   radiusClientIPAddress

-Dusty



Re: why my adsl-connect only keep 0.4 minutes?

2005-03-30 Thread Dustin Doris
If you are setting session-timeout to .4 minutes, then the NAS will
disconnect the user at that time.  However, you'd probably know if you set
that up.

If you don't send a session-timeout, then the problem is either your NAS
is disconnecting the user for some reason, or the modem is dropping train.
That isn't related to radius, as the radius server just records what is
sent to it.  I'd troubleshoot the NAS, Modem, phone line/pots/dslam/etc...



On Wed, 30 Mar 2005, [gb2312]   wrote:

 One man said there is an option, session-timeout, that has to be set, but I do not
 know where to set it...
 The other said only the NAS can hang up your connection, but I can't find out
 why.



Re: LDAP Profiles

2005-03-30 Thread Alan DeKok
Dustin Doris [EMAIL PROTECTED] wrote:
 Kostas is correct, but if you really need to use Client-IP-Address for
 some reason, then add it to ldap.attrmap as a reply item.

  Where it will do *nothing*.  Absolutely and totally *nothing*.

  It's not a real RADIUS attribute, so it will never go into a packet.

  Alan DeKok.



Re: Number of Simultaneous Requests from FreeRadius

2005-03-30 Thread Alan DeKok
Jamal Taweel [EMAIL PROTECTED] wrote:
 Could any one tell us how many users/requests can be
 connected/transferred to FreeRADIUS at the same time through NASs for
 different issues (Authentication, Authorization, and Accounting
 purposes).

  As many as you have disk space, CPU time, and memory to handle.

  As many as your back-end database can handle.

  Without knowing the details of your system, the only possible answer
is lots.

  Alan DeKok.



Re: Redundant Radius with Dynamic Data

2005-03-30 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I will most likely use rsync to synchronise the config from the primary
 to the secondary. My problem (and hence the reason for this post) is
 that the primary would be holding accounting information regarding which
 IP addresses have been allocated to each user from the pool - thus
 avoiding any IP conflict on the edge network.  I do not understand how I
 would be able to configure the two servers so that if the Primary failed
 the secondary would know which IPs had been allocated and continue to
 allocate from the remaining pool.

  See rlm_sqlippool.  Search the list archives, it's not in the server.

 Is an SQL backend the best method?  Would a shared SQL backend maintain
 the integrity of the allocated IP pool?

  Yes, but then you're back to a single point of failure.  Why not
just run one radius server?

  I have experience with Freeradius and would like to continue with
 this platform, but is it the best one for what I am attempting?

  Yes.

  Alan DeKok.
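
The failover question in this thread, as an added example that is not part of any post and is not FreeRADIUS or rlm_sqlippool code: two server processes share one SQL table and claim addresses inside a write-locking transaction, so neither can hand out an address the other has already allocated. SQLite stands in for the shared backend; the `ippool` table, its columns, the function names and the 192.0.2.x addresses are assumptions made for the sketch.

```python
import os
import sqlite3
import tempfile
import threading

# Hypothetical table for this sketch; it is not the rlm_sqlippool schema.
SCHEMA = """
CREATE TABLE IF NOT EXISTS ippool (
    address  TEXT PRIMARY KEY,
    username TEXT UNIQUE,   -- NULL while the address is free
    server   TEXT           -- RADIUS server that handed the address out
)"""


def connect(path):
    # isolation_level=None: transactions are opened and closed explicitly.
    return sqlite3.connect(path, timeout=10, isolation_level=None)


def init_pool(path, addresses):
    conn = connect(path)
    conn.execute(SCHEMA)
    conn.executemany("INSERT OR IGNORE INTO ippool (address) VALUES (?)",
                     [(a,) for a in addresses])
    conn.close()


def allocate(conn, username, server):
    """Return the user's address, claiming a free one if needed; None if full."""
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before reading
    try:
        row = conn.execute("SELECT address FROM ippool WHERE username = ?",
                           (username,)).fetchone()
        if row is None:
            row = conn.execute("SELECT address FROM ippool WHERE username IS NULL "
                               "ORDER BY address LIMIT 1").fetchone()
            if row is not None:
                conn.execute("UPDATE ippool SET username = ?, server = ? "
                             "WHERE address = ?", (username, server, row[0]))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return row[0] if row else None


def failover_demo():
    """Primary allocates, then 'fails'; secondary carries on from shared state."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pool.db")
        init_pool(path, ["192.0.2.%d" % i for i in range(1, 5)])
        primary, secondary = connect(path), connect(path)
        leases = {u: allocate(primary, u, "primary") for u in ("alice", "bob")}
        primary.close()  # primary goes away; its allocations stay in the table
        for user in ("carol", "dave", "erin"):  # erin finds the pool exhausted
            leases[user] = allocate(secondary, user, "secondary")
        leases["alice-again"] = allocate(secondary, "alice", "secondary")
        secondary.close()
        return leases


def concurrent_demo(per_server=4):
    """Both servers allocate at the same time; returns every address handed out."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pool.db")
        init_pool(path, ["192.0.2.%d" % i for i in range(1, 2 * per_server + 1)])
        handed_out = []

        def serve(server):
            conn = connect(path)  # one connection per server thread
            for n in range(per_server):
                handed_out.append(allocate(conn, "%s-user%d" % (server, n), server))
            conn.close()

        threads = [threading.Thread(target=serve, args=(s,))
                   for s in ("primary", "secondary")]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return handed_out


if __name__ == "__main__":
    print(failover_demo())
    print(sorted(concurrent_demo()))
```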



Re: Auth-Type=EAP and other

2005-03-30 Thread Alan DeKok
Willem Eradus [EMAIL PROTECTED] wrote:
  Anyone can help me configure the Auth-type
  EAP for NAS A,b,c,d,e
  plaintext for NAS h,i,j,k
...
 extract from eap.conf
 
 #
 #  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server

  That's because most people get it wrong.  There are SOME situations
where setting it may be useful.  But even in those situations, you
probably want to *reject* a particular kind of message, and not force
one kind of authentication.

  Alan DeKok.




Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Michael Griego [EMAIL PROTECTED] wrote:
 
 Jim Seymour wrote:
 
   So clearly that output indicates a successful username match, and
   just as clearly, setting with_ntdomain_hack = yes in the mschap
   module does not strip the leading GARBAGE\ stuff.
 
 You'll have to look quite a bit further down in the debugging output to 
 see that.  Please set with_ntdomain_hack in the mschap module to 
 yes, then post the FULL debugging output.  It's too hard to guess what 
 you've got your server setup to do.

Okay, here you go:

http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack.txt

ADMINNB is the laptop's Windows name.  The username should be
pretty apparent ;).

Thanks for your help!

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at http://jimsun.linxnet.com/scform.php.



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Michael Griego
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for jseymour with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 6
Above is where you're failing.  It looks like you had the passwd module 
called in your authorize block in one of your previous emails and 
removed it before you ran this debug, so it's no longer finding your 
users and adding their passwords to the request.  You need to add this 
back in, then grab another debug output to see if the problem continues and 
where it is.

--Mike


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Michael Griego
I think I see what your problem is...
You need to reenable the ntdomain realm module that is preconfigured in 
the server and be sure it's called before your etc_smbpasswd module in 
your authorize section.  You seem to have removed it, and, because of 
that, it can't find the correct username in your smbpasswd file.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Jim Seymour wrote:
Michael Griego [EMAIL PROTECTED] wrote:
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for jseymour with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 6
Above is where you're failing.  It looks like you had the passwd module 
called in your authorize block in one of your previous emails and 
removed it before you ran this debug, 
[snip]
Nope.  The only differences are:
1. Changed 'doze config back to use login stuff
2. Un-commented the ntdomain hack in mschap
Jim


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Michael Griego [EMAIL PROTECTED] wrote:
 
 I think I see what your problem is...
 
 You need to reenable the ntdomain realm module that is preconfigured in 
 the server and be sure it's called before your etc_smbpasswd module in 
 your authorize section.  You seem to have removed it, and, because of 
 that, it can't find the correct username in your smbpasswd file.

Nope.  I removed nothing.  I neither disabled nor de-configured
anything.

I'm guessing that maybe what was missing was this bit?

authorize {
...
#
#  If you are using multiple kinds of realms, you probably
#  want to set ignore_null = yes for all of them.
#  Otherwise, when the first style of realm doesn't match,
#  the other styles won't be checked.
#
suffix
#   ntdomain
...
#
#  If you are using /etc/smbpasswd, and are also doing
#  mschap authentication, the un-comment this line, and
#  configure the 'etc_smbpasswd' module, above.
etc_smbpasswd
...
}

I un-commented ntdomain.  No change.  The -X output can be seen at:


http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack+ntdomain_realm.txt

I even tried ignore_null = yes in the realm ntdomain config.  No
difference, either.

(And yes: I'm saving the config file(s) and starting radiusd anew for
each test :).)

Jim


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Alan DeKok
[EMAIL PROTECTED] (Jim Seymour) wrote:
 
 http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack+ntdomain_realm.txt
...
   modcall[authorize]: module etc_smbpasswd returns notfound for request 0

  The password isn't being added because the user ADMINNB\jseymour
isn't being found in the smb passwd file.  That's the root cause of
the problem.

  I suggest:

  a) adding ADMINNB\jseymour as a user in the smb passwd file

 or

  b) setting up realms, and using Stripped-User-Name as the key to
smb_passwd.

...
rlm_realm: Looking up realm ADMINNB for User-Name = ADMINNB\jseymour
rlm_realm: No such realm ADMINNB

  And therefore no Stripped-User-Name.

  If you want to use jseymour as a key for the smb passwd file,
convince the server to use that string, and not any other.

  Alan DeKok.




Freeradius documentation

2005-03-30 Thread Helder Lima
  I'm a computer science student and I'm working on my graduation
project. This project is about freeradius and strong authentication.
  I would like to know about some documentation for freeradius (code flow
design, library description, project description, etc). Is there
something about this?
  Where do I get it?

Thanks
-- 
Sincerely
Helder Fábio Santos Lima
linux User 372369
[EMAIL PROTECTED]



Re: LDAP Profiles

2005-03-30 Thread Dustin Doris

 Dustin Doris [EMAIL PROTECTED] wrote:
  Kostas is correct, but if you really need to use Client-IP-Address for
  some reason, then add it to ldap.attrmap as a reply item.

   Where it will do *nothing*.  Absolutely and totally *nothing*.

   It's not a real RADIUS attribute, so it will never go into a packet.

   Alan DeKok.


Good point.  Not enough coffee this morning, I guess.



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Alan DeKok [EMAIL PROTECTED] wrote:
 
 [EMAIL PROTECTED] (Jim Seymour) wrote:
  
  http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack+ntdomain_realm.txt
 ...
modcall[authorize]: module etc_smbpasswd returns notfound for request 0
 
   The password isn't being added because the user ADMINNB\jseymour
 isn't being found in the smb passwd file.  That's the root cause of
 the problem.

I rather figured that.

 
   I suggest:
 
   a) adding ADMINNB\jseymour as a user in the smb passwd file

That's not practical.  ADMINNB is that specific laptop's NETBIOS
name.  I'd have to have duplicated smbpasswd entries for every laptop
each user might choose to use--for every user.  Be far easier to do
what people seem to always do in my situation: Tell the end-users
they'll have to auth to the WLAN separately.

 
  or
 
   b) setting up realms, and using Stripped-User-Name as the key to
 smb_passwd.
 
 ...
 rlm_realm: Looking up realm ADMINNB for User-Name = ADMINNB\jseymour
 rlm_realm: No such realm ADMINNB
 
   And therefore no Stripped-User-Name.

Separate realms for every laptop in the building would likewise be
impractical.

 
   If you want to use jseymour as a key for the smb passwd file,
 convince the server to use that string, and not any other.

Is there a way I can do it irrespective of the supposed domain?

Thanks for the follow-up, Alan.

Jim


Re: Freeradius documentation

2005-03-30 Thread Alan DeKok
Helder Lima [EMAIL PROTECTED] wrote:
   I'm a computer science student and I'm working on my graduation
 project. This project is about freeradius and strong authentication.
   I would like to know about some documentation for freeradius (code flow
 design, library description, project description, etc). Is there
 something about this?

  There's no real documentation for how the server works internally.

  If you do write some, submit it, and we'll include it in the server.

  Alan DeKok.



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Alan DeKok
[EMAIL PROTECTED] (Jim Seymour) wrote:
a) adding ADMINNB\jseymour as a user in the smb passwd file
 
 That's not practical.  ADMINNB is that specific laptop's NETBIOS
 name.

  testing != deployment

  First, get it to work.  Then, get it to work in a real deployment.

If you want to use jseymour as a key for the smb passwd file,
  convince the server to use that string, and not any other.
 
 Is there a way I can do it irrespective of the supposed domain?

  In hints:

DEFAULT User-Name =~ \\(.*)$
My-Local-User-Name = %{1}

  Then, in smb_passwd, use My-Local-User-Name as the key.  You will
have to define it in the dictionaries, too.

  That should work, I think.

  Alan DeKok.




Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Alan DeKok [EMAIL PROTECTED] wrote:
 
 [EMAIL PROTECTED] (Jim Seymour) wrote:
 a) adding ADMINNB\jseymour as a user in the smb passwd file
  
  That's not practical.  ADMINNB is that specific laptop's NETBIOS
  name.
 
   testing != deployment
 
   First, get it to work.  Then, get it to work in a real deployment.

Valid point :).  Okay, if I pre-pend ADMINNB\ to my username in
smbpasswd, it works like a champ.

 
 If you want to use jseymour as a key for the smb passwd file,
   convince the server to use that string, and not any other.
  
  Is there a way I can do it irrespective of the supposed domain?
 
   In hints:
 
 DEFAULT   User-Name =~ \\(.*)$
   My-Local-User-Name = %{1}
 
   Then, in smb_passwd, use My-Local-User-Name as the key.  You will
 have to define it in the dictionaries, too.
 
   That should work, I think.

Nope.  Failure mode identical.

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Michael Griego [EMAIL PROTECTED] wrote:
 
 Or you could make sure your DEFAULT realm is set up.  Your current 
 configuration should work if you have a DEFAULT realm in your 
 proxy.conf.  If it doesn't work using the default realm, change your 
 etc_smbpasswd line to use the Stripped-User-Name, but I think it should 
 already attempt to use it if it's present.  It's not present, though, 
 because no realm is found.  The DEFAULT realm will catch all realm 
 instances that aren't specifically set up.

I did this in proxy.conf:

#
#  This realm is for ALL OTHER requests.
#
realm DEFAULT {
type= radius
authhost= LOCAL
accthost= LOCAL
}

I did this in radiusd.conf:

passwd etc_smbpasswd {
filename = /usr/local/samba/private/smbpasswd
format = *Stripped-User-Name::LM-Password:...

No joy.

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Michael Griego [EMAIL PROTECTED] wrote:
 
 Or you could make sure your DEFAULT realm is set up.  

Actually, a NULL realm was what I think you meant.

   Your current 
 configuration should work if you have a DEFAULT realm in your 
 proxy.conf.  If it doesn't work using the default realm, change your 
 etc_smbpasswd line to use the Stripped-User-Name, but I think it should 
 already attempt to use it if it's present.  It's not present, though, 
 because no realm is found.  The DEFAULT realm will catch all realm 
 instances that aren't specifically set up.

The NULL realm caught it, but the Stripped-User-Name is not stripped of
the stupid 'doze garbage pre-pended to it :(.  Observe:

  modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = ADMINNB\jseymour, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = ADMINNB\jseymour
rlm_realm: Proxying request from user ADMINNB\jseymour to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.

*sigh*

I hate 'doze.

What rather astonishes me is that this either hasn't come up before,
tho I have a private email that indicates something like it has, or
that nobody's pursued it to the bitter end.  One would almost think
that Unix/Linux + Samba + Wireless + WPA + (Free)RADIUS was an unusual
combination.

Or maybe it is...  (That might explain a *lot*.)

Jim



Accouting Problems

2005-03-30 Thread Sebastian Steinhauer
Hi.
I'm working on a wireless network for our local city. I'm using freeRadius
1.0.1 on a Debian server and Alchemy 6.0 with ChilliSpot on Linksys
access points. Everything's working fine but I have a little problem with
the accounting function on freeRadius.

Everything (including the radacct) is stored in a MySQL database. Every
user is in a group with the following attributes in radgroupreply:
Session-Timeout := 10800
Idle-Timeout := 900

Now I have the following problem. If a user disconnects without logging off
from the system over the ChilliSpot Logoff-URL the user will be kept
online (AcctStopTime = 0) in the radacct. Even the Session-Timeout seems
not to work properly. Maybe I've forgotten a special setting or
another attribute?

But I had an interesting experience. A Session-Timeout of about 5-10
minutes seems to work, but the current Session-Timeout doesn't work.

Perhaps someone can help me out...that would be fine.

If you need more information please ask for it, I'll give it to you.

Thank you,
Sebastian Steinhauer




Re: Accouting Problems

2005-03-30 Thread Artur Hecker
sorry for this response but the failure in that specific scenario is 
very unlikely to be on the server.

the Session-Timeout value and the Accounting events have to be 
respected/generated at the client. so, if you don't have the Accounting 
Stop for a disconnected user, then the client is no good. if the client 
does not follow the Session-Timeout which it has previously received in 
the Access Accept, then, once again, it's the fault of the client.

try to ask ChilliSpot or Linksys people - wherever you are sending the 
Accept to.

ciao
artur

Sebastian Steinhauer wrote:
 Hi.
 I'm working on a wireless network for our local city. I'm using freeRadius
 1.0.1 on a Debian server and Alchemy 6.0 with ChilliSpot on Linksys
 access points. Everything's working fine but I have a little problem with
 the accounting function on freeRadius.

 Everything (including the radacct) is stored in a MySQL database. Every
 user is in a group with the following attributes in radgroupreply:
 Session-Timeout := 10800
 Idle-Timeout := 900

 Now I have the following problem. If a user disconnects without logging off
 from the system over the ChilliSpot Logoff-URL the user will be kept
 online (AcctStopTime = 0) in the radacct. Even the Session-Timeout seems
 not to work properly. Maybe I've forgotten a special setting or
 another attribute?

 But I had an interesting experience. A Session-Timeout of about 5-10
 minutes seems to work, but the current Session-Timeout doesn't work.

 Perhaps someone can help me out...that would be fine.

 If you need more information please ask for it, I'll give it to you.

 Thank you,
 Sebastian Steinhauer



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Alan DeKok
[EMAIL PROTECTED] (Jim Seymour) wrote:
 The NULL realm caught it, but the Stripped-User-Name is not stripped of
 the stupid 'doze garbage pre-pended to it :(.  Observe:

  The DEFAULT realm *should* do this.  The NULL realm is "don't do
realms", which isn't what you want.

  Hmm... the reason the hints thing didn't work is that the regex
function expects '\' to be escaped, too.  This works for me:

DEFAULT  User-Name =~ (.*)$
 My-Local-User-Name = %{1}

 What rather astonishes me is that this either hasn't come up before,
 tho I have a private email that indicates something like it has, or
 that nobody's pursued it to the bitter end.  One would almost think
 that Unix/Linux + Samba + Wireless + WPA + (Free)RADIUS was an unusual
 combination.

  No, but having the machine name in the User-Name attribute isn't
common.

  Alan DeKok.
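
The double-escaping problem described in this message, and the username normalisation the thread is working towards, as an added example (not code from the thread or from FreeRADIUS). It assumes a simplified model in which the configuration parser removes one level of backslash escaping before the regex engine sees the pattern; the function names and the smbpasswd sample entry are constructed for illustration.

```python
import re

# Constructed sample in smbpasswd layout (name:uid:LM hash:NT hash:flags:LCT).
# The hashes are placeholders, not real credentials.
SMBPASSWD_SAMPLE = (
    "# constructed sample, not a real account\n"
    "jseymour:1001:0123456789ABCDEF0123456789ABCDEF:"
    "FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000000:\n"
)


def config_unescape(text):
    """Remove one level of backslash escaping (assumed parser behaviour)."""
    out = []
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])  # keep the escaped character only
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def local_user_name(pattern_as_written, user_name):
    """Return capture group 1 (the would-be My-Local-User-Name), or None
    when the pattern is unusable or does not match."""
    pattern = config_unescape(pattern_as_written)
    try:
        compiled = re.compile(pattern)
    except re.error:
        return None  # e.g. the '(' became a literal and ')' is unbalanced
    match = compiled.search(user_name)
    if match is None or compiled.groups < 1:
        return None
    return match.group(1)


def load_smbpasswd(text):
    """Parse smbpasswd-style lines into {name: {LM-Password, NT-Password}}."""
    table = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        table[fields[0]] = {"LM-Password": fields[2], "NT-Password": fields[3]}
    return table


def authorize(user_name, pattern_as_written, table):
    """Look the user up by the stripped name if one was extracted,
    otherwise by the User-Name exactly as the client sent it."""
    key = local_user_name(pattern_as_written, user_name) or user_name
    return ("ok", key) if key in table else ("notfound", key)


if __name__ == "__main__":
    users = load_smbpasswd(SMBPASSWD_SAMPLE)
    sent = r"ADMINNB\jseymour"
    # Two backslashes collapse to one, which then escapes the '(' itself.
    print(authorize(sent, r"\\(.*)$", users))
    # Four backslashes survive as an escaped literal backslash plus a group.
    print(authorize(sent, r"\\\\(.*)$", users))
```
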



Freeradius + LDAP + Segmentation Fault

2005-03-30 Thread Luis Daniel Lucio Quiroz
Hello,

I'm using Freeradius 1.0.2, and when I try to radtest the configuration it
breaks down.

The logs show that authentication was made, and it says: auth... correct
then, on the next line,
Segmentation Fault

I have configured only LDAP, and got rid of EAP, UNIX, PAM, CHAP, CHAPv2, PAP.

Any suggestions?

Now I'm working with PAM (that is, authenticating with LDAP) but I'm losing
capabilities.

Suggestions?

LD



Re: why my adsl-connect only keep 0.4 miniutes?

2005-03-30 Thread 黄 俊源
I found the reason: in /etc/sysconfig/network-scripts/ifcfg-ppp0 there
are two options, PPPOE_TIMEOUT and CONNECT_TIMEOUT. I set both to 0, and
now it works fine.

From: Peter Nixon [EMAIL PROTECTED]
Reply-To: freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: Re: why my adsl-connect only keep 0.4 miniutes?
Date: Wed, 30 Mar 2005 13:32:58 +0300

Is there any particular reason why you think this problem is related to
FreeRADIUS?

Regards

Peter

On Wednesday 30 March 2005 13:26,   wrote:
 there is three machine,A install the freeradius 1.0.2 and the mysql,B just
 install pppd+radiusclient and pppoe-server,C is my pc,i adsl-connect to the
 pppd on my pc.my connect just keep 0.4 minute,and then show me that modem
 hangup and adsl-connect reconnect ,and it work correctly 0.4 minutes.
 i don't known why

 From: Peter Nixon [EMAIL PROTECTED]
 Reply-To: freeradius-users@lists.freeradius.org
 To: freeradius-users@lists.freeradius.org
 Subject: Re: why my adsl-connect only keep 0.4 miniutes?
 Date: Wed, 30 Mar 2005 13:05:58 +0300
 
 On Wednesday 30 March 2005 04:31,   wrote:
   each time i connect to the server,the adsl-connect only keep 0.4
   minutes,and then the modem hangup,and the auto reconnect.
   is there some attribute i didn't set a right value in mysql or other
   problem?
   thanks.
 
 We have no idea how you are using radius, why you are using radius or with
 what equipment you are using radius. If you give us some information about
 your setup we might be able to help you.
 


Re: No FreeRADIUS on Debian in the future ?

2005-03-30 Thread Paul Hampson
On Wed, Mar 30, 2005 at 06:28:46PM +, Mark Wasmer wrote:
 Today i've read the Debian-Weekly-News March 29th, 2005 and got worried :
 
 Build-Dependency against libtool 1.4. Andrew Pollock noticed that five
 packages still declare a build-dependency against libtool 1.4 which is
 orphaned and will be removed. Frank Lichtenheld proposed to open bug
 reports against packages that use libtool 1.4 files to upgrade to
 version 1.5 which was considered a good idea. Henrique de Moraes
 Holschuh also suggested to force the use of newer libtool, autoconf and
 gettext utilities.

 FreeRADIUS depends on this package - can someone tell me what this means
 to me in the future as i like to use FreeRADIUS on Debian Sarge ?

There is already a bug report open against FreeRADIUS in Debian about
libtool 1.4. The decision the release managers and myself came to was
that forward-porting FreeRADIUS 1.0 to autoconf2.5/libtool1.5 was not
feasible, and we do not want a non-released (CVS pull) FreeRADIUS in
Debian/stable (ie. Sarge when it's released). Post-sarge, I'm expecting
FreeRADIUS 1.1 will be out, and we can get rid of libtool1.4.

I didn't read the Debian Weekly News article, and unless this thread
appeared on Debian-Devel in the last couple of days, it's not been
discussed anywhere I'm party to. So it's a bit of a surprise to me.

In short, I think this is an issue that was dealt with last year, and
I fully expect Sarge will include libtool1.4, as agreed previously.

Of course, if FreeRADIUS 1.1 is out before Sarge ships, I will consider
trying to get it into Sarge. But that is not to my mind very likely to
occur. We'll burn that bridge when we come to it.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Stefan Winter
Hi,

 authorize {
 ...
 #
 #  If you are using multiple kinds of realms, you probably
 #  want to set ignore_null = yes for all of them.
 #  Otherwise, when the first style of realm doesn't match,
 #  the other styles won't be checked.
 #
 suffix
 #   ntdomain
 ...
 #
 #  If you are using /etc/smbpasswd, and are also doing
 #  mschap authentication, the un-comment this line, and
 #  configure the 'etc_smbpasswd' module, above.
 etc_smbpasswd
 ...
 }

 I un-commented ntdomain.  No change.  The -X output can be seen at:

Hope you haven't given up yet. In a later message you write:

 modcall[authorize]: module mschap returns noop for request 6
  rlm_realm: No '@' in User-Name = ADMINNB\jseymour, looking up realm NULL
  rlm_realm: Found realm NULL
  rlm_realm: Adding Stripped-User-Name = ADMINNB\jseymour
  rlm_realm: Proxying request from user ADMINNB\jseymour to realm NULL
  rlm_realm: Adding Realm = NULL
  rlm_realm: Authentication realm is LOCAL.

Which makes me think that both suffix and ntdomain are active in 
rlm_realms. Try turning off suffix, because suffix operates only on names 
formatted like [EMAIL PROTECTED] In your case I think it tries to find a 
suffix, doesn't, and then uses realm NONE because no realm delimiter is 
found. If you turn suffix off, the delimiter \ is found and the request is 
set to the DEFAULT realm. Hopefully.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]   tel.:   +352 424409-33
http://www.restena.lu   fax:   +352 422473



attr_rewrite

2005-03-30 Thread Denis Shaposhnikov
Hi!

I try to use attr_rewrite and am a little confused. From my radiusd.conf:

modules {
...
attr_rewrite normalize_card {
attribute = User-Name
searchin  = packet
searchfor = .{4}-([0-9]{8})-.{4}
replacewith   = %{1}
ignore_case   = yes
new_attribute = no
max_matches   = 1
append= no
}
...
}

authorize {
preprocess
normalize_card
...
}

preacct {
preprocess
normalize_card
...
}

I'm trying to rewrite -- to just  with
radtest but got:

Thu Mar 31 11:41:27 2005 : Auth: Login incorrect: [-/12345678] 
(from client localhost port 0)

Don't worry about Login incorrect, it doesn't matter; look at the
username. It's - instead of just . I can't
understand what's wrong.

-- 
DSS5-RIPE DSS-RIPN 2:550/[EMAIL PROTECTED] 2:550/[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] http://neva.vlink.ru/~dsh/



AW: Redundant Radius with Dynamic Data

2005-03-30 Thread Markus.Wintruff
Hello Christopher,

here is another suggestion:

don't use ippools on radius, use it on the nacs. Then you let the radius
decide which ippool to use on the nac by name.
The bad thing is you have to care about pools on nacs, the good one is you
haven't to care about pool sync.

It works because you can name pools on nacs and the radius can tell the nac
which pool to use.

Hope that helps.

Best Regards,

Markus

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, 30 March 2005 12:46
  To: freeradius-users@lists.freeradius.org
  Subject: Redundant Radius with Dynamic Data

  Hello Group,

  I am just about to set up a radius service and have managed to acquire
  2 servers with a view to making the end product redundant.

  Just to give you a little background. The radius system will be used for
  DSL authentication. The user will authenticate (indirectly via a cisco
  device) with their [EMAIL PROTECTED]  password. The server will then
  authorise the user and respond with a single attribute - their IP address.

  The IP addresses (depending on which domain they are in) will be
  dynamically allocated from a pool of IP addresses. So far so good.

  I don't intend to perform any load balancing of the traffic to the two
  radius servers. Therefore I was planning to use the features on the Cisco
  router to treat one server as primary and one as secondary (failover).

  I will most likely use rsync to synchronise the config from the primary to
  the secondary. My problem (and hence the reason for this post) is that the
  primary would be holding accounting information regarding which IP
  addresses have been allocated to each user from the "pool" - thus avoiding
  any IP conflict on the edge network. I do not understand how I would be
  able to configure the two servers so that if the Primary failed the
  secondary would know which IPs had been allocated and continue to allocate
  from the remaining pool.

  I have literally only just switched the servers on. I want to get this
  right from the start. If I cannot find a solution to this issue I have a
  back out plan that involves setting each user with a static IP, not ideal.

  Is an SQL backend the best method? Would a shared SQL backend maintain the
  integrity of the allocated IP pool? I have experience with Freeradius and
  would like to continue with this platform, but is it the best one for what
  I am attempting?

  I look forward to your responses to this question.

  Best Regards,

  Christopher Howarth RHCE
  Network  Systems Development Consultant
  Equinox Converged Solutions
  
  
  


Re: Accouting Problems

2005-03-30 Thread Alan DeKok
Sebastian Steinhauer [EMAIL PROTECTED] wrote:
 Now I have the following problem. If a user disconnects without logging off
 from the system over the ChilliSpot Logoff-URL the user will be kept
 online (AcctStopTime = 0) in the radacct.

  See the FAQ.  The server can only log information if the NAS sends
it.  If the NAS isn't sending logout information, then FreeRADIUS will
not be able to put that information into MySQL.

 But I had an interesting experience. A Session-Timeout about 5-10
 minutes seems to work, but the current Session-Timeout doesn't work.

  Ask Linksys why the Session-Timeout attribute is being ignored.

  Alan DeKok.




Re: why my adsl-connect only keep 0.4 miniutes?

2005-03-30 Thread 黄 俊源
I didn't know where to set the session-timeout. I didn't do this...

From: Dustin Doris [EMAIL PROTECTED]
Reply-To: freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: Re: why my adsl-connect only keep 0.4 miniutes?
Date: Wed, 30 Mar 2005 10:02:46 -0500 (EST)

If you are setting session-timeout to .4 minutes, then the NAS will
disconnect the user at that time.  However, you'd probably know if you set
that up.

If you don't send a session-timeout, then the problem is either your NAS
is disconnecting the user for some reason, or the modem is dropping train.
That isn't related to radius, as the radius server just records what is
sent to it.  I'd troubleshoot the NAS, Modem, phone line/pots/dslam/etc...

On Wed, 30 Mar 2005, [gb2312]   wrote:
 one man said there is a option session-timeout have to set,but i do not
 known where to set...
 the other said only the nas can hangup your connect,but i can't found
 why

 From: Peter Nixon [EMAIL PROTECTED]
 Reply-To: freeradius-users@lists.freeradius.org
 To: freeradius-users@lists.freeradius.org
 Subject: Re: why my adsl-connect only keep 0.4 miniutes?
 Date: Wed, 30 Mar 2005 13:32:58 +0300
 
 Is there any particular reason why you think this problem is related to
 FreeRADIUS?
 
 Regards
 
 Peter
 
 On Wednesday 30 March 2005 13:26,   wrote:
   there is three machine,A install the freeradius 1.0.2 and the mysql,B just
   install pppd+radiusclient and pppoe-server,C is my pc,i adsl-connect to the
   pppd on my pc.my connect just keep 0.4 minute,and then show me that modem
   hangup and adsl-connect reconnect ,and it work correctly 0.4 minutes.
   i don't known why
  
   From: Peter Nixon [EMAIL PROTECTED]
   Reply-To: freeradius-users@lists.freeradius.org
   To: freeradius-users@lists.freeradius.org
   Subject: Re: why my adsl-connect only keep 0.4 miniutes?
   Date: Wed, 30 Mar 2005 13:05:58 +0300
   
   On Wednesday 30 March 2005 04:31,   wrote:
     each time i connect to the server,the adsl-connect only keep 0.4
     minutes,and then the modem hangup,and the auto reconnect.
     is there some attribute i didn't set a right value in mysql or other
     problem?
     thanks.
   
   We have no idea how you are using radius, why you are using radius or with
   what equipment you are using radius. If you give us some information about
   your setup we might be able to help you.
   