Authenticate just one time
Hi, does anyone know how I can disable the possibility of a user logging in 2 times at the same time in different places?

TIA
Pedro Amado

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
digest+ldap+radius
Hi all,

I'm trying to authenticate a SIP server with RADIUS and an LDAP backend. SIP uses digest authentication. I've made it work without problems if I put a user directly in /etc/freeradius/users:

    [EMAIL PROTECTED] Auth-Type := Digest, User-Password == 1000
        Reply-Message = Authenticated

If I try to authorize SIP with LDAP:

    DEFAULT Auth-Type := LDAP
        Fall-Through = 1

If I try to log in from a standard Cisco NAS with a user in LDAP it's working OK (I think because it's sending a clear text password).

If I try to log in via SIP:

    Thu May 5 12:05:21 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client localhost port 5060)

(in the meanwhile I see ldap looking at the User-Password attribute of [EMAIL PROTECTED] ...)

Can somebody help me?

Thanks in advance,
Tiziano
--
Tiziano [EMAIL PROTECTED]
C++ client wrapper / lib for radius
Does anyone know whether there exists a C++ client library or wrapper for RADIUS? A Google search has revealed no obvious standalone libs. I could write my own, but wouldn't this be reinventing the wheel? Any help would be much appreciated.

Regards,
Arun Mundray.
Cisco VSA
Hello,

I have a problem with a Cisco NAS. My Cisco NAS is sending the password using the following format:

    Cisco VSA( 1): xpgk-sip-auth4=b493b44cd7875041c11b92e638f74b2d

But the RADIUS server is unable to read this password, and I am getting SecurityDenial in the Cisco log. Please share if anyone has any idea about it.

Thank you,
Abdul Lateef
Re: digest+ldap+radius
On Thu, 5 May 2005, Tiziano wrote:

> Hi all I'm trying to authenticate sip server with radius and ldap backend. SIP uses digest authentication, i've made it to work without problems if i put an user directly in /etc/freeradius/users:
>
>     [EMAIL PROTECTED] Auth-Type := Digest, User-Password == 1000
>         Reply-Message = Authenticated
>
> if i try to authorize sip with ldap:
>
>     DEFAULT Auth-Type := LDAP
>         Fall-Through = 1
>
> if i try to login from a standard cisco nas with a user in ldap it's working ok (i think because it's sending clear text password)
> if i try to login via sip:
>
>     Thu May 5 12:05:21 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client localhost port 5060)
>
> (in the meanwhile i see ldap looking at User-Password attribute of [EMAIL PROTECTED] ...)
> can sb help me?

You are performing ldap authentication. Don't do that. You need to read the user password from ldap but perform authentication with the digest module.

> Thanks in advance, Tiziano
> --
> Tiziano [EMAIL PROTECTED]

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: LDAP compare_check_item
On Wed, 4 May 2005, Christian Meutes wrote:

> Hello again, at home I am playing a little bit with 802.1x and use my private ldap backend for FreeRadius :) i want to use ldap attributes for compare checks of the incoming requests and tested the compare_check_items directive with setting it to yes. i tried to use the existing attributes for the checks and tried to use the radiusCheckItem for the checks like described in rlm_ldap. both didn't work. i read in the mailing list about using checkval, but checkval seems to work only for single check attributes. can somebody explain to me how to get this working either with compare_check_item or with the checkval module?

compare_check_items just calls paircmp, which does not work as you'd probably want in all cases. You could just use multiple instances of the checkval module to check the attributes you want.

> regards,
> Christian Meutes
> systems engineer
> --
> claranet gmbh internet service provider
> tel +49 (0) 69 - 40 80 18 - 300
> email: [EMAIL PROTECTED]
> http://www.claranet.de/

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
RE: Snmp trap
On Thu, 5 May 2005, Yoram Baruchian wrote:

> Hi. I mean that the radius server sends a reject to the client. I want to get a trap that describes the user name that is not allowed or rejected.

    exec snmp_trap {
        wait = no
        program = /bin/send_trap snmp.server.addr %{User-Name}
    }

    postauth {
        [...]
        Post-Auth-Type REJECT {
            snmp_trap
        }
    }

I believe that should work.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
WARNING: A VIRUS WAS SENT TO YOU !!!
A virus was found in one of the attached files. This infected e-mail has been deleted. Please note that the sender address may have been forged by the virus and need not correspond to the actual sender!

Mail server: mail.schnell-im-netz.de
Sender: [EMAIL PROTECTED]
Virus name: [Outlook 'CR' Vulnerability]
File name: [No attachment]
Quarantine name: D1fca124c011abf6e.SMD
Subject: RE: Snmp trap

This service from schnell-im-netz is free of charge. If you have questions about this service, you are welcome to call back Mon-Fri from 8:00 to 17:00 on 0800 / 94 94 94 5, or send an e-mail to [EMAIL PROTECTED].

YOUR SCHNELL-IM-NETZ TEAM
ALWAYS UP TO DATE, ALWAYS OUT IN FRONT
http://schnell-im-netz.de

D1fca124c011abf6e.SMD === [Deleted due to dangerous content]
Re: digest+ldap+radius
On Thu, 05-05-2005 at 15:09 +0300, Kostas Kalevras wrote:

> > Thu May 5 12:05:21 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client localhost port 5060)
> > (in the meanwhile i see ldap looking at User-Password attribute of [EMAIL PROTECTED] ...)
> > can sb help me?
>
> You are performing ldap authentication. Don't do that. You need to read the user password from ldap but perform authentication with the digest module.

OK, I was thinking about this... but how to read the password from ldap and authenticate with digest? (Speaking about configuration, I mean.) I haven't found docs about this...

Thanks for help,
Tiziano
--
Tiziano [EMAIL PROTECTED]
RE: digest+ldap+radius
Hi,

check out the ldapattr.map file (I think it's called like that). There you will find which attributes are mapped to some attributes in LDAP. You will find the User-Password attribute mapped to Password, I think. You can adjust this to fit your needs.

Regards,
Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tiziano
Sent: Thursday, 05 May 2005 15:55
To: freeradius-users@lists.freeradius.org
Subject: Re: digest+ldap+radius

On Thu, 05-05-2005 at 15:09 +0300, Kostas Kalevras wrote:

> > Thu May 5 12:05:21 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client localhost port 5060)
> > (in the meanwhile i see ldap looking at User-Password attribute of [EMAIL PROTECTED] ...)
> > can sb help me?
>
> You are performing ldap authentication. Don't do that. You need to read the user password from ldap but perform authentication with the digest module.

ok, i was thinking about this... but how to read password from ldap and authenticate with digest? (speaking about configuration i mean) i haven't found docs about this...

Thanks for help,
Tiziano
--
Tiziano [EMAIL PROTECTED]
RE: digest+ldap+radius
Hi,

On Thu, 05-05-2005 at 16:03 +0200, Seferovic Edvin wrote:

> check out the ldapattr.map file ( I think its called like that ). There you will find which attributes are mapped to some attributes in LDAP. You will find User-Password attribute mapped to Password I think. You can adjust this to fit your needs.

Working perfectly! Thanks a lot!

--
Tiziano [EMAIL PROTECTED]
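Added example, not part of the original thread: a Python sketch of why the fix in this thread works. A Digest request carries only a hash over the password and a server nonce, so a check that needs the cleartext password from the client has nothing to compare, while a server that reads the stored password can recompute the response per RFC 2617. The directory contents, realm, nonce and function names are constructed for illustration and are not FreeRADIUS code.

```python
import hashlib
import hmac


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """Digest response as defined by RFC 2617 (MD5 algorithm)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")  # form without qop


# Constructed stand-in for the password attribute read from the directory.
DIRECTORY = {"alice": "1000"}


def authenticate_digest(request: dict) -> bool:
    """Read the stored password, recompute the response, compare."""
    password = DIRECTORY.get(request["username"])
    if password is None:
        return False
    expected = digest_response(
        request["username"], request["realm"], password,
        request["method"], request["uri"], request["nonce"],
        request.get("qop"), request.get("nc"), request.get("cnonce"))
    return hmac.compare_digest(expected, request["response"])


def authenticate_with_client_password(request: dict) -> bool:
    """A check that needs a cleartext password supplied by the client."""
    supplied = request.get("password")
    if supplied is None:
        return False  # the "no User-Password attribute" case in the log
    return hmac.compare_digest(supplied, DIRECTORY.get(request["username"], ""))


def sample_register(password: str) -> dict:
    """Constructed SIP REGISTER credentials, as a client would send them."""
    req = {"username": "alice", "realm": "sip.example.test",
           "method": "REGISTER", "uri": "sip:sip.example.test",
           "nonce": "3f2a9c0e51b7d884"}
    req["response"] = digest_response(req["username"], req["realm"], password,
                                      req["method"], req["uri"], req["nonce"])
    return req


if __name__ == "__main__":
    good = sample_register("1000")
    print("digest check, right password:", authenticate_digest(good))
    print("digest check, wrong password:",
          authenticate_digest(sample_register("guess")))
    print("cleartext check on same request:",
          authenticate_with_client_password(good))
```

The stored value has to be the cleartext password (or the precomputed first hash), which is why the directory attribute holding it needs tight read access.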
WARNING: A VIRUS WAS SENT TO YOU !!!
A virus was found in one of the attached files. This infected e-mail has been deleted. Please note that the sender address may have been forged by the virus and need not correspond to the actual sender!

Mail server: mail.schnell-im-netz.de
Sender: [EMAIL PROTECTED]
Virus name: [Outlook 'CR' Vulnerability]
File name: [No attachment]
Quarantine name: D2ddc14a700f4c46a.SMD
Subject: RE: Snmp trap

This service from schnell-im-netz is free of charge. If you have questions about this service, you are welcome to call back Mon-Fri from 8:00 to 17:00 on 0800 / 94 94 94 5, or send an e-mail to [EMAIL PROTECTED].

YOUR SCHNELL-IM-NETZ TEAM
ALWAYS UP TO DATE, ALWAYS OUT IN FRONT
http://schnell-im-netz.de

D2ddc14a700f4c46a.SMD === [Deleted due to dangerous content]
RE: Snmp trap
Hi,

Is the snmp_trap utility part of the operating system? Can I download it?

Thanks

---BeginMessage---
On Thu, 5 May 2005, Yoram Baruchian wrote:

> Hi. I mean that the radius server send reject to the client. I want to get a trap that describe the user name that is not allowed or rejected .

    exec snmp_trap {
        wait = no
        program = /bin/send_trap snmp.server.addr %{User-Name}
    }

    postauth {
        [...]
        Post-Auth-Type REJECT {
            snmp_trap
        }
    }

I believe that should work.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
---End Message---
RE: Exec-Program-Wait vs rlm_exec
[EMAIL PROTECTED] wrote:

> On Tue, May 03, 2005 at 10:23:05AM -0600, [EMAIL PROTECTED] wrote:
> > Hi, what do you consider the best solution when you need to run an external program to make additional checks when an access request is received, exec-program-wait or rlm_exec? I'm using exec-program-wait, should I use rlm_exec instead? The script checks some items like credit amount and returns 0 or 1 on success or fail, thanks
>
> I like rlm_exec because it gives you more control over _where_ the execution happens, and also you can have more than one, and control the output attribute's destination and (with the eventual 1.1.0 release) you can control the quoting of the environment variables and actually get to return an RLM_-type result so it can participate in failover.
>
> And exec-program-wait is deprecated. ^_^

Deprecated? OK, I must pay more attention to the mailing list. In my config, I run different scripts depending on the group of the username (table usergroup). Can this be done using rlm_exec? Can you point me to some documentation on the options of rlm_exec? I can't find anything on the web. The exec echo example is very basic.

Thanks
Questions and feature request...
Hi List,

I love this best and wonderful RADIUS and I found it great compared to any other RADIUS. But I have two little problems in FreeRADIUS.

1) Multiple Calling-Station-Id

I want to use more than one Calling-Station-Id. I searched all of Google and the FreeRADIUS archives but did not find any solution for this, only a little that we can use it with =~. I tried this

    1 | babar | Calling-Station-Id | =~ | 0212929234
    2 | babar | Calling-Station-Id | =~ | 0212229234

without luck, then I found it can be done by doing this

    1 | babar | Calling-Station-Id | =~ | 0212929234|0212229234

What's the correct way to do this?

2) Reject Cause (feature request)

FreeRADIUS is not informing when it rejects any user if it found a condition false in radgroupcheck or in radcheck, it only sends reject (reply:Packet-Type). Is it possible to give a reject with attributes so we will know which attribute is the cause of the reject? I think it's a feature request. I know I can do this with an external script, but it will be a very good feature if RADIUS just informs reject-Bad-Calling-Station-Id, reject-Bad-Simultaneous-Use and reject-Bad-Password etc etc !! so we can get some informative information from the reject reply. Or is this already supported ?? Is there anything I can get from the reject reply?

    %{reply:Packet-Type}

This gives me 'reject' only, but I need some informative answer. How to do that thing?

Thanks for the good work.

Regards,
Babar Shafiq
God is a great Programmer
RE: Authenticate just one time
Read the Simultaneous-Use file. Be sure you look through the documentation before posting. Others will flame you to death.

- Brian J.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pedro Amado
Sent: Thursday, May 05, 2005 2:35 AM
To: freeradius-users@lists.freeradius.org
Subject: Authenticate just one time

Hi, does anyone know how can i disable the possibility of a user login 2 times at the same time in different places?

TIA
Pedro Amado
RE: Snmp trap
Yoram Baruchian [EMAIL PROTECTED] wrote:

> Hi Does the snmp_trap utility is part of the operating system? Can I download it thanks

Do you suppose you could stop sending this garbage:

> From [EMAIL PROTECTED] Thu May 5 10:30:16 2005
> Message-Id: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: WARNING: A VIRUS WAS SENT TO YOU !!!
> X-Declude-Sender: [EMAIL PROTECTED] [127.0.0.1]
> X-Declude-Spoolname: D2ddd0de0aee0.GSC
> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
> Reply-To: freeradius-users@lists.freeradius.org
> X-Reply-To: [EMAIL PROTECTED]
> Date: Thu, 5 May 2005 16:29:49 +0200
> X-Bogosity: No, tests=bogofilter, spamicity=0.299055, version=0.9.1.2
>
> A virus was found in one of the attached files. This infected e-mail has been deleted. Please note that the sender address may have been forged by the virus and need not correspond to the actual sender!
>
> Mail server: mail.schnell-im-netz.de
> Sender: [EMAIL PROTECTED]
> Virus name: [Outlook 'CR' Vulnerability]
> File name: [No attachment]
> Quarantine name: D2ddc14a700f4c46a.SMD
> Subject: RE: Snmp trap
>
> This service from schnell-im-netz is free of charge. If you have questions about this service, you are welcome to call back Mon-Fri from 8:00 to 17:00 on 0800 / 94 94 94 5, or send an e-mail to [EMAIL PROTECTED].
>
> YOUR SCHNELL-IM-NETZ TEAM
> ALWAYS UP TO DATE, ALWAYS OUT IN FRONT
> http://schnell-im-netz.de
>
> D2ddc14a700f4c46a.SMD === [Deleted due to dangerous content]

to the mailing list?

(While you're at it, I note that the server that's sending that is not the same one from which the email to which I'm replying originated. It's not in the same country, the same Internet domain, or the same block of network addresses. Furthermore: It HELO's as team-co.il but is really mail.schnell-im-netz.de, so the HELO is broken by RFC.)

Thank you,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at http://jimsun.linxnet.com/scform.php.
Re: Authenticate just one time
Pedro Amado wrote:

> Hi, does anyone know how can i disable the possibility of a user login 2 times at the same time in different places?

I believe there is a default attribute, Simultaneous-Use, but I know that I use Ascend-Maximum-Channels for my dialup boxes, but this requires accounting information to be available (I believe on the same server) to calculate current usage.
Re: Upgrading freeradius 1.0.2 with freeradius-snapshot-20050502
[EMAIL PROTECTED] (Paul Hampson) wrote:

Which will give you the current 1.0.3 candidate. Then you can cvs update whenever something else is committed to it. We should probably release 1.0.3 soon. you won't get the files that Debian cannot distribute as free software... That's only later RFCs as I recall. That still bugs me. The documents say if you edit them you can't claim they're RFC's. Other than that, distribution is unlimited. There is no conflict with the GPL. Oh well. There have been enough flame wars about this on the debian lists already. I think the CVS snapshots at the moment are in flux... If not, you're the second person I've seen hit this, so... Hmm. It's fixed. The CVS snapshot now does IPv6, among other changes.

Alan DeKok.
Re: Exec-Program-Wait vs rlm_exec
[EMAIL PROTECTED] wrote:

> you can point me on some documentation on the options of rlm_exec, i cant found anything on the web. The exec echo example is very basic,

The rest of radiusd.conf contains more documentation about rlm_exec.

Alan DeKok.
Re: Questions and feature request...
Babar Shafiq [EMAIL PROTECTED] wrote:

> I love this best and wonderfull Radius and I found it great as compare to any other Radius.

Thanks. We're hearing that more and more, and a number of commercial companies are dropping their proprietary RADIUS servers, and moving to FreeRADIUS.

> without luck then I found it can be done by doing this
>
>     1 | babar | Calling-Station-Id | =~ | 0212929234|0212229234
>
> Whats the correct way to do this ?

That works.

> 2) Reject Cause (feature request) Free radius is not informing when it rejects any user if found a condition false in radgroupcheck or in radcheck only send reject (reply:Packet-Type), is it possible to give reject with attributes so we will know which attribute is the cause of reject,

No. Even if you did that, the user being rejected wouldn't see the information. The RADIUS clients won't show it to them. Also, showing this information to a user is a potential security risk.

You can use Reply-Message to give the users a message, but you can't use any other attribute.

If you, as administrator, want to see why a user is rejected, run the server in debugging mode.

> %{reply:Packet-Type} this give me 'reject' only but i need some informative answer, how to do that thing ?

Run the server in debugging mode.

Alan DeKok.
Blank Password
Hello all,

I am testing FreeRADIUS, it is very excellent, thanks to all the guys who contributed to this great software. Everything is very good so far, but I am having two issues that you guys may help me with:

1. How to make FreeRADIUS accept a blank user/password, i.e. without user/password, for a FREE ADSL internet offering.

2. I tried to make FreeRADIUS assign IPs, but it didn't work. When a Windows user tries to connect, the authentication phase is successful, and FreeRADIUS assigns the Framed-IP-Address, but Windows doesn't seem to get that IP. I am using a Cisco router as BRAS, could it be the Cisco router?

TIA
MySQL Accounting in Freeradius
Hi,

I have a question about the uniqueness of the AcctUniqueId field. Every time the user connects, the id is always the same. AcctSessionId is always the same as well. All that would be fine, except that the times get messed up by being updated to the last AcctStopTime. The update query is as follows:

    UPDATE radacct
    SET AcctStopTime = '2005-05-05 16:08:00',
        AcctSessionTime = '',
        AcctInputOctets = '',
        AcctOutputOctets = '',
        AcctTerminateCause = '',
        AcctStopDelay = '',
        ConnectInfo_stop = ''
    WHERE AcctSessionId = '00-0f-3d-52-2b-13'
      AND UserName = 'dialup_username'
      AND NASIPAddress = 'x.x.x.x'

which consequently updates all the records from before that have the same AcctSessionId (i.e. all the previous logins by that user).

Is this the way it was intended to work? For some reason I doubt it, but thought I'd ask just to make sure. If that's a bug, how would I go about fixing it?

Thanks for your time!
-Andrey
Re: MySQL Accounting in Freeradius
Andrey [EMAIL PROTECTED] wrote:

> I have a question about the uniqueness of the AcctUniqueId field. Everytime the user connects, the id is always the same. AcctSessionId is always the same as well.

Then there isn't much you can do. Some NAS vendors re-use Acct-Session-Id's, even though the RFC's say the Id's should be unique. In order to work around this, we wrote the acct_unique module, which takes *additional* data, and tries to create a more unique Id.

If the AcctUniqueId field is always the same, then the accounting requests contain all the same information, or are missing some information. See the acct_unique configuration for a list of attributes it's using.

> For some reason I doubt it, but thought I'd ask just to make sure. If that's a bug, how would I go about fixing it?

Get your NAS to send real accounting data. Barring that, there's nothing you can do.

As a related question: Pretend you're the RADIUS server, looking at two or more accounting requests. How can you tell different sessions apart if the Acct-Session-Id is the same, and all other information is the same?

If you can't tell the difference, neither can FreeRADIUS.

Alan DeKok.
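Added example, not part of the original thread and not FreeRADIUS code: a Python/sqlite3 sketch of the problem discussed above, where a stop update keyed on a re-used Acct-Session-Id rewrites every earlier login, and of an identifier hashed from additional attributes that separates the sessions only when the NAS sends something that differs. The reduced table, the key attribute list, the hash construction, the NAS address 192.0.2.10 and the differing NAS-Port values are assumptions made for the illustration.

```python
import hashlib
import sqlite3

# Assumed key list for this sketch; the real list is whatever the
# acct_unique section of radiusd.conf names.
KEY_ATTRS = ("User-Name", "Acct-Session-Id", "NAS-IP-Address", "NAS-Port")


def unique_id(packet: dict) -> str:
    """Hash the key attributes into one identifier (illustrative only)."""
    joined = ",".join(f"{name}={packet.get(name, '')}" for name in KEY_ATTRS)
    return hashlib.md5(joined.encode("utf-8")).hexdigest()[:16]


def make_db(starts: list) -> sqlite3.Connection:
    """Reduced radacct table holding one row per accounting start."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (AcctUniqueId TEXT, AcctSessionId TEXT,"
               " UserName TEXT, NASIPAddress TEXT, AcctStartTime TEXT,"
               " AcctStopTime TEXT)")
    for p in starts:
        db.execute("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, NULL)",
                   (unique_id(p), p["Acct-Session-Id"], p["User-Name"],
                    p["NAS-IP-Address"], p["Start-Time"]))
    return db


def stop_by_session_id(db, p: dict, stop_time: str) -> int:
    """Same WHERE clause as the query in the thread; returns rows changed."""
    cur = db.execute(
        "UPDATE radacct SET AcctStopTime = ? WHERE AcctSessionId = ?"
        " AND UserName = ? AND NASIPAddress = ?",
        (stop_time, p["Acct-Session-Id"], p["User-Name"], p["NAS-IP-Address"]))
    return cur.rowcount


def stop_by_unique_id(db, p: dict, stop_time: str) -> int:
    """Stop update keyed on the derived identifier; returns rows changed."""
    cur = db.execute(
        "UPDATE radacct SET AcctStopTime = ? WHERE AcctUniqueId = ?",
        (stop_time, unique_id(p)))
    return cur.rowcount


def login(port: str, start: str) -> dict:
    """Constructed accounting data: the NAS re-uses one Acct-Session-Id."""
    return {"User-Name": "dialup_username",
            "Acct-Session-Id": "00-0f-3d-52-2b-13",
            "NAS-IP-Address": "192.0.2.10",
            "NAS-Port": port, "Start-Time": start}


LOGINS = [login("1", "2005-05-03 09:00:00"),
          login("2", "2005-05-04 12:00:00"),
          login("3", "2005-05-05 15:30:00")]


def demo() -> tuple:
    stop = "2005-05-05 16:08:00"
    by_session = stop_by_session_id(make_db(LOGINS), LOGINS[-1], stop)
    by_unique = stop_by_unique_id(make_db(LOGINS), LOGINS[-1], stop)
    return by_session, by_unique


if __name__ == "__main__":
    print("rows changed (session id, unique id):", demo())
    # Two logins with identical key attributes still collide.
    print(unique_id(login("1", "a")) == unique_id(login("1", "b")))
```

Records that cannot be told apart also cannot support per-session billing or an audit trail, so the collision case is worth alerting on rather than silently overwriting.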
Re: Cisco VSA
Abdul Lateef [EMAIL PROTECTED] wrote:

> My Cisco Nas is sending the password using following format:
>
>     Cisco VSA( 1): xpgk-sip-auth4=b493b44cd7875041c11b92e638f74b2d
>
> But the radius is unable to read this password.

I've never heard of this before. I suggest finding out why this attribute is being sent, and what piece of software is creating it. Then ask the authors of that software what it means.

Alan DeKok.
free radius + dependencies
Hello,

As you people suggested I use the FreeRADIUS rpm, I installed it. The version is freeradius-1.0.1-1.x86_64.rpm. Now when I issue the command

    rpm -ivh freeradius-1.0.1-1.x86_64.rpm

it shows me dependencies as the following error:

    Failed dependencies:
        libc.so.6()(64bit) is needed by freeradius-1.0.1-1
        libc.so.6(GLIBC_2.2.5)(64bit) is needed by freeradius-1.0.1-1
        libc.so.6(GLIBC_2.3)(64bit) is needed by freeradius-1.0.1-1
        libc.so.6(GLIBC_2.3.4)(64bit) is needed by freeradius-1.0.1-1
        libcom_err.so.2()(64bit) is needed by freeradius-1.0.1-1
        libcrypt.so.1()(64bit) is needed by freeradius-1.0.1-1
        libcrypto.so.4()(64bit) is needed by freeradius-1.0.1-1
        libdl.so.2()(64bit) is needed by freeradius-1.0.1-1
        libgdbm.so.2()(64bit) is needed by freeradius-1.0.1-1
        libk5crypto.so.3()(64bit) is needed by freeradius-1.0.1-1
        libkrb5.so.3()(64bit) is needed by freeradius-1.0.1-1
        liblber-2.2.so.7()(64bit) is needed by freeradius-1.0.1-1
        libldap_r-2.2.so.7()(64bit) is needed by freeradius-1.0.1-1
        libltdl.so.3()(64bit) is needed by freeradius-1.0.1-1
        libnsl.so.1()(64bit) is needed by freeradius-1.0.1-1
        libpam.so.0()(64bit) is needed by freeradius-1.0.1-1
        libpthread.so.0()(64bit) is needed by freeradius-1.0.1-1
        libpthread.so.0(GLIBC_2.2.5)(64bit) is needed by freeradius-1.0.1-1
        libresolv.so.2()(64bit) is needed by freeradius-1.0.1-1
        libsasl2.so.2()(64bit) is needed by freeradius-1.0.1-1
        libssl.so.4()(64bit) is needed by freeradius-1.0.1-1

Now where can I get the listed dependencies?

Thank you