peap - works but peap + ldap -doesn't works

2005-05-09 Thread dssd dsfdsfdsf
good morning 
i hope you can resolve my problem
peap works without ldap but when i use ldap with peap, it doesn't work!!
in the file users for peap (when i don't use ldap)
robert Auth-Type:=EAP, User-Password =="azertyui"
in the file users i replace this line by 
robert Auth-Type:=LDAP 
because i use ldap with peap

i put my password in my ldap server but peap doesn't work with ldap?
why??


when i use eap-tls with ldap, it works 
if i put a bad cn="..." , eap-tls works. why ??
see this
thank you very much for your help
radius_xlat: 'cn=zer'   - it is a bad cn
radius_xlat: 'dc=chales,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=chales,dc=net, with filter cn=zer
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 4
modcall: group authenticate returns ok for request 4
Login OK: [clientrad/no User-Password attribute] (from client reseaulocal port 1 cli 000e359e910e)

i don't understand why eap-tls works because there is a bad cn!!

		 
 


Authorizating nt-domain users of an Active Directory Group

2005-05-09 Thread Javier Jimenez
Hi list,
 that's my problem: I've been authenticating against an Active
Directory Server with just one domain correctly. But now I should
authenticate users of different domains which are included in a group
of the Active Directory. The users are from different domains, some
of them belong to Active Directory and the others belong to different
nt-domains. The domains are managed by the different domain
controllers (trusted domains) so I just should authenticate with
ntlm_auth and the option --domain. This all works fine: I can
authenticate, but the problem is that I can't find the way to filter
in my LDAP module in order to authorize. I would like to authorize
just the members of a group, but I can't find the way to do it just
with the user-login and the group name, which are the data that I have.
   I have tried filtering in the following way:
filter =((DN=My group DN)(member=%{mschap:User-Name}))
   But it doesn't work.
Does anybody know if I can do it via any LDAP attribute? Any other idea?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


difference between authorize and authenticate

2005-05-09 Thread dssd dsfdsfdsf
Good morning
What is the difference between authorize and authenticate
because if authorize doesn't return ok but authenticate returns ok, eap-tls or peap can work!
it is normal
when the module "authorize" doesn't return ok, is it possible to not validate the users as "login ok: [client/no user password attribute] from ..." 
thank you very much
		 
 


Strange problem authentication

2005-05-09 Thread Sylvain Clerc
Hello,

I'm back with a very strange problem :

it's not a problem of configuration because I arrive to authenticate
users  sometimes !
I use the native client 802.1X of win XP and one time, freeradius will
authenticate the user directly (by asking active directory) and
another time, freeradius won't stop to send an Access-Challenge just
after the first Access-Request (I wait freeradius does this a moment
to see what happened : 200 requests Access-Challenge and nothing
else).

My server works fine for 2hours this morning, I authenticate 5users
correctly without stop the server and at a moment, it stops at the
Access-Challenge.

Has someone already have this type of problem??
I don't know what I can do like it works sometimes... I don't know too
if it is due to the NAS, the server or the client !

Thank you,
Sylvain Clerc.



EAPOL with WinXP SP2 - long delay till Authentication starts off

2005-05-09 Thread Mark Wasmer
Hi,

I'm using EAP-TLS machine certificates for authentication and VLAN-determination
against freeradius 1.0.2 over HP 2524  Cisco 2950 as authenticator. When
connecting XP-Clients with machine certificates installed it takes up to 60sec
or so till authentication starts. The delay with 2000SP4 is slower, with
XSupplicant there is no delay.
I remember to have read a Registry-Tweak to this XP-delay-problem, but can't
find the source again, even with google ;-)

Thank you,
 Mark Wasmer




Re: strange Exec-Program problem

2005-05-09 Thread Edgars
okey, copied the same script file to the RADIUS server's box..the same 
problem occured:
Error: Exec-Program: FAILED to execute

Does someone have working setup similar to mine using Exec-Program 
attribute?

DB_server--RADIUS_server--NAS
Edgars

Alan DeKok wrote:
> Edgars [EMAIL PROTECTED] wrote:
>> On which machine is the script actually executed - on the one i'm running
>> the RADIUS server or where the DB is located?
>
>  On the RADIUS server.
>
>  Alan DeKok.


Re: (no subject)

2005-05-09 Thread Kostas Kalevras
On Fri, 6 May 2005, Alan DeKok wrote:
> Babar Shafiq [EMAIL PROTECTED] wrote:
>> I know i can see the reject cause while running in debug mode but I
>> want to store the reject causes in database or logs it. so it will
>> be helpful in future for support people,customer support etc, so
>> they can inform users what is the exact cause of the rejection !!
>
>  Then always run the server in debugging mode.
>
>  Or, write scripts to log reasons for failure.

log_badlogins from the dialupadmin package will do what you want.

>  Alan DeKok.
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Cisco SIP Authentication

2005-05-09 Thread Abdul Lateef
Hello,

I am trying to register Cisco SIP nas using MySql db.
But i could not. The cisco log is saying:

SecurityDenial

Here is the format our cisco AccessRequest :

Mon May 09 12:01:21 2005, (204+538ae76f-150) ,Sent
xxx.xxx.xxx.xxx:1812Radius
AccessRequest {
 session id =  99
 UserName: 1212
 NasIpAddress: xxx.xxx.xxx.xxx
 NasPortType: 0
 ServiceType: 1
 Cisco VSA(  1): xpgk-request-type=user
 Cisco VSA(  1): xpgk-sip-auth1= xxx.xxx.xxx.xxx
 Cisco VSA(  1):
xpgk-sip-auth2=REGISTER:sip:80.231.14.197
 Cisco VSA(  1):
[EMAIL PROTECTED]
 Cisco VSA(  1):
xpgk-sip-auth4=200814479400a46bb3029d803e01e112
 SipDigestResponce: 200814479400a46bb3029d803e01e112
 SipAuth VSA(  1): xxx.xxx.xxx.xxx
 SipAuth VSA(  2): a6c5250051437f10801143ec6559@
hatifservver3.hatifsss.com
 SipAuth VSA(  3): REGISTER
 SipAuth VSA(  4): sip:80.231.14.197
}



Mon May 09 12:01:24 2005, (204+538ae76f-150) ,Recv
xxx.xxx.xxx.xxx:1812Radius 
AccessReject {
 session id =  99
  }
Mon May 09 12:01:24 2005, (204+538ae76f-150) ,Sent
xxx.xxx.xxx.xxx:1721H.225
registrationReject {
requestSeqNum = 14120
protocolIdentifier = 0.0.8.2250.0.2
rejectReason = securityDenial null
gatekeeperIdentifier =  4 characters {
  006d 0065 0072 0061  
softswitch
}
  } 

I searched in the mailing list, but no luck. It will be
really appreciated if anyone has a solution.

Lateef






postgresql problem/question

2005-05-09 Thread Dave Weis
I'm trying to use postgresql to store my radius data. I have most of it 
working except for a stored procedure to return the static 
routing/addressing information for a login. It tries to work but I don't 
get the correct output in radtest.

select * from generate_radreply('[EMAIL PROTECTED]');
   id   | username | attribute | op | value
--------+----------+-----------+----+-------
 104032 | [EMAIL PROTECTED] | Framed-IP-Address | := | 1.2.3.4

When I run radtest:
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=59, length=56
Framed-IP-Address = 255.255.255.255
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = Broadcast-Listen
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
The other reply items come from radgroupreply. When I run radiusd -X I see 
this in the logs:
  modcall[post-auth]: module sql returns ok for request 0
modcall: group post-auth returns ok for request 0
Sending Access-Accept of id 59 to 127.0.0.1:57298
Framed-IP-Address BARE-WORD :=
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = Broadcast-Listen
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0

Any ideas why my data is not making it back?
Thanks
dave
--
Dave Weis
[EMAIL PROTECTED]
http://www.internetsolver.com/


Usage of PEAP/MSCHAPv2 and Called-Station-Id in wireless LAN.

2005-05-09 Thread YAMAWAKI Hisashi
Dear sir,

I am constructing a wireless LAN system for office usage.
In the system, I want to make available two types of access, one for guests
and another for staffs.
To provide two types of access, I use APs which can treat multiple
combination of ESSID and tagged-VLAN.
In current state, I succeed wireless connection by PEAP/MSCHAPv2, with
freeradius's users file below (FreeBSD_5.3 and pre-compiled freeradius-1.0.2).

 user-id    User-Password == "password_for_user-id"

To distinguish guest's access and staff's access on the system, I want to
use following users file, but don't work.

 staff-id    User-Password == "password_for_staff", Called-Station-Id == "string_including_ssid-for-staff"
 guest-id    User-Password == "password_for_guest", Called-Station-Id == "string_including_ssid-for-guest"

In requests from AP, Called-Station-Id = "string_including_ssid-for-*" are
included exactly.

My questions are 1) combination of PEAP/MSCHAPv2 and Called-Station-Id is
allowed or not allowed in freeradius-1.0.2, and 2) if allowed, how can I do
for the problem?

I tried many variation of *.conf and users files. Any kind of comments are
appreciated.

Thank you.

H. Yamawaki

Re: strange Exec-Program problem

2005-05-09 Thread Jandre Olivier
Hi Edgars,
I use the Exec-Program attribute in my /etc/raddb/acct_users for extra 
features

DEFAULT Acct-Status-Type == Start
        Exec-Program = "/bin/bash /usr/local/scripts/radius/radius.sh"

hope this helps

Edgars wrote:
> okey, copied the same script file to the RADIUS server's box..the same
> problem occurred:
> Error: Exec-Program: FAILED to execute
>
> Does someone have working setup similar to mine using Exec-Program
> attribute?
>
> DB_server--RADIUS_server--NAS
> Edgars
>
> Alan DeKok wrote:
>> Edgars [EMAIL PROTECTED] wrote:
>>> On which machine is the script actually executed - on the one i'm
>>> running the RADIUS server or where the DB is located?
>>
>>  On the RADIUS server.
>>  Alan DeKok.

--
Regards
Jandre
Some people are alive only because
 it is illegal to kill them.
_



RE: strange Exec-Program problem

2005-05-09 Thread Seferovic Edvin
Hi,

is it possible to have a username passed to the Exec-Program script on
Accounting-Update packets?

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jandre
Olivier
Sent: Montag, 09. Mai 2005 15:25
To: freeradius-users@lists.freeradius.org
Subject: Re: strange Exec-Program problem

Hi Edgars,

I use the Exec-Program attribute in my /etc/raddb/acct_users for extra 
features

DEFAULT Acct-Status-Type == Start
Exec-Program = /bin/bash /usr/local/scripts/radius/radius.sh

hope this helps

Edgars wrote:

 okey, copied the same script file to the RADIUS server's box..the same 
 problem occured:
 Error: Exec-Program: FAILED to execute

 Does someone have working setup similar to mine using Exec-Program 
 attribute?

 DB_server--RADIUS_server--NAS

 Edgars



 Alan DeKok wrote:

 Edgars [EMAIL PROTECTED] wrote:
  

 On which machine is the script actually executed - on the one i'm 
 running the RADIUS server or where the DB is located?
   


  On the RADIUS server.

  Alan DeKok.



-- 
Regards
 Jandre

Some people are alive only because
 it is illegal to kill them.

_






Authorizating nt-domain users of an Active Directory Group

2005-05-09 Thread Javier Jimenez
Hi list,
 that's my problem: I've been authenticating against an Active
Directory Server with just one domain correctly. But now I should
authenticate users of different domains which are included in a group
of the Active Directory. The users are from different domains, some
of them belong to Active Directory and the others belong to different
nt-domains. The domains are managed by the different domain
controllers (trusted domains) so I just should authenticate with
ntlm_auth and the option --domain. This all works fine: I can
authenticate, but the problem is that I can't find the way to filter
in my LDAP module in order to authorize. I would like to authorize
just the members of a group, but I can't find the way to do it just
with the user-login and the group name, which are the data that I have.
   I have tried filtering in the following way:
filter =((DN=My group DN)(member=%{mschap:User-Name}))
   But it doesn't work.
Does anybody know if I can do it via any LDAP attribute? Any other idea?
Thanks in advance for any help!!!



Re: IP Pools distributed on multiple FreeRADIUS Servers

2005-05-09 Thread Kostas Kalevras
On Sat, 7 May 2005, Nizar Shana'ah wrote:
> Hello all,
> I have two freeRADIUS Server, the second one is used for redundancy,
> how can i distribute the IP pools and have full redundancy, I am
> afraid of the conflicts that this may cause, I dont want them leasing
> the same IP to multiple clients when something happens and the other
> server is down.

See bug #46 http://bugs.freeradius.org/show_bug.cgi?id=46
rlm_ippool should also renew ip address leasing information on accounting-start
packets to achieve full redundancy (as long as accounting relaying works fine).

Right now the lease databases are only synchronized on accounting-stop packets
which means that a backup server *may* give out an ip already taken.


BR
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


daily limit

2005-05-09 Thread avudz
Hello,

  i'm really happy my rlm_sqlcounter now run as i hope :-) but now i
  have 3 another case, i have three model voucher. 1st for 4 hours and
  the voucher valid for 2 days, 2nd 8 hours, valid for four days, last
  is one day, valid for 24 hours, so when the user log in, *maybe* the
  radius will log the user start time and will close the session when
  the session is over limit. how can i make like that ? what should i
  read ? please advice.

-- 
Best regards,
 ./avd  mailto:[EMAIL PROTECTED]




Need to restrict group of users

2005-05-09 Thread E L
I have two groups of users adsl-1 accessing the network through 
hunt-adsl-1 huntgroup and adsl-2 accessing the network through 
hunt-adsl-2 huntgroup. Need to block adsl-2 users going through 
hunt-adsl-1 huntgroup. I have this in the users file:

DEFAULT Ldap-Group == disabled, Auth-Type := Reject
   Reply-Message = "Account disabled.  Please call the helpdesk."

DEFAULT Huntgroup-Name == hunt-adsl-1, Ldap-Group == adsl-1, User-Profile := "uid=adsl-1,ou=profiles,dc=domain,dc=net"
   Fall-Through = no

DEFAULT Huntgroup-Name == hunt-adsl-2, Ldap-Group == adsl-2, User-Profile := "uid=adsl-2,ou=profiles,dc=domain,dc=net"
   Fall-Through = no

DEFAULT Auth-Type := Reject
   Reply-Message = "Access Denied! You are not a PPP subscriber!"

I need to make sure that this configuration works before I go online. I 
appreciate any help.

P4P


RE: daily limit

2005-05-09 Thread Seferovic Edvin
Hm... maybe you should set the SQL statements in your sqlcounter.conf file
that can be usually found in /etc/raddb or /usr/local/etc/raddb depending on
distribution... 

You can define the different counters for your vouchers that will count time
or traffic by defining them in the file I mentioned... 

I dont know, but maybe you should take a look at
/usr/share/doc/packages/freeradius/rlm_sqlcounter if you already didnt do
that...

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of avudz
Sent: Montag, 09. Mai 2005 16:03
To: freeradius-users@lists.freeradius.org
Subject: daily limit

Hello,

  i'm really happy my rlm_sqlcounter now run as i hope :-) but now i
  have 3 another case, i have three model voucher. 1st for 4 hours and
  the voucher valid for 2 days, 2nd 8 hours, valid for four days, last
  is one day, valid for 24 hours, so when the user log in, *maybe* the
  radius will log the user start time and will close the session when
  the session is over limit. how can i make like that ? what should i
  read ? please advice.

-- 
Best regards,
 ./avd  mailto:[EMAIL PROTECTED]




Re: peap - works but peap + ldap -doesn't works

2005-05-09 Thread Vladimir Vuksan
dssd dsfdsfdsf wrote:
> good morning
> i hope you can resolve my problem
> peap works without ldap but when i use ldap with peap, it doesn't work!!
> in the file users for peap (when i don't use ldap)
> robert Auth-Type:=EAP, User-Password =="azertyui"
> in the file users i replace this line by
> robert Auth-Type:=LDAP
> because i use ldap with peap
>
> i put my password in my ldap server but peap doesn't work with ldap?
> why??

The only way PEAP will work with LDAP is if you have the NT/LM hashes or 
plain-text passwords stored in the LDAP database. For example if you 
used Samba LDAP backend you would likely have NT/LM hashes. If you don't 
have NT/LM hashes or plain-text passwords you will need to use EAP-TTLS 
with PAP for inner tunnel authentication. I have a write-up on how to 
set up FreeRADIUS with OpenLDAP at

http://vuksan.com/linux/dot1x/802-1x-LDAP.html
Vladimir


Re: postgresql problem/question

2005-05-09 Thread Joel Eddy
Dave,
Not sure if I'll be much help on this one, but I'll do my best.
In my radgroupreply I have Auth-Type := Local
I don't know if that will fix it or not.
Also, I think freeradius had a file sql.conf that had to have stuff 
uncommented
to get it to record certain info. Yours should be postgresql.conf. You also 
need to tell
radiusd.conf to use that file if you haven't already.

Have you been down through the radiusd.conf file to uncomment things in 
there too?
I remember having to read over it and make changes there.

Hope this helps. If I think of anything else I'll let you know.
Nice activation interface.
Also when you get time this today give me a call. I want to get with you on 
the
DSL lines for us and put together a plan of attack.

SQL result
Host: localhost
Database: radius
Generation Time: May 09, 2005 at 10:02 AM
Generated by: phpMyAdmin 2.6.0-pl2 / MySQL 3.23.58
SQL-query: SELECT * FROM `radgroupreply` LIMIT 0, 30;
Rows: 8
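 id | GroupName | Attribute          | op | Value               | prio
----+-----------+--------------------+----+---------------------+------
  1 | dialin    | Framed-Compression | := | Van-Jacobsen-TCP-IP | 0
  2 | dialin    | Framed-Protocol    | := | PPP                 | 0
  3 | dialin    | Service-Type       | := | Framed-User         | 0
  4 | dialin    | Auth-Type          | := | Local               | 0
  5 | dialin    | Framed-MTU         | := | 1500                | 0
  6 | dialin    | Session-Timeout    | := | 14400               | 0
  7 | dialin    | Idle-Timeout       | := | 1200                | 0
  8 | dialin    | Port-Limit         | := | 1                   | 0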

- Original Message - 
From: Dave Weis [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Monday, May 09, 2005 6:58 AM
Subject: postgresql problem/question


I'm trying to use postgresql to store my radius data. I have most of it 
working except for a stored procedure to return the static 
routing/addressing information for a login. It tries to work but I don't 
get the correct output in radtest.

select * from generate_radreply('[EMAIL PROTECTED]');
   id   | username | attribute | op | value
--------+----------+-----------+----+-------
 104032 | [EMAIL PROTECTED] | Framed-IP-Address | := | 1.2.3.4
When I run radtest:
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=59, length=56
Framed-IP-Address = 255.255.255.255
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = Broadcast-Listen
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
The other reply items come from radgroupreply. When I run radiusd -X I see 
this in the logs:
  modcall[post-auth]: module sql returns ok for request 0
modcall: group post-auth returns ok for request 0
Sending Access-Accept of id 59 to 127.0.0.1:57298
Framed-IP-Address BARE-WORD :=
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = Broadcast-Listen
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0

Any ideas why my data is not making it back?
Thanks
dave
--
Dave Weis
[EMAIL PROTECTED]
http://www.internetsolver.com/


Re: Need to restrict group of users

2005-05-09 Thread Kenneth Grady
If you enable log_auth you will get an auth_detail... file that has the
requests from the adsl-1 and adsl-2 that you could use with radclient to
verify that it will do what you want. 

make a backup of all files you were going to change.
make changes.
(like the old radiusd -X -p 1645)
Modify radiusd.conf to change port = 0 to port = 1645
radiusd -X > RAD-test 2>&1 &
change back to port = 0
tail RAD-test (look for Ready fix any errors {kill the test radiusd -X
process} and repeat)

radclient -t1 radius.master:1645 auth SECRET
data_from_auth_detail... 
look in RAD-test to see everything that happened





On Mon, 2005-05-09 at 08:19, E L wrote:
 I have two groups of users adsl-1 accessing the network trough 
 hunt-adsl-1 huntgroup and adsl-2 accessing the network trough 
 hunt-adsl-2 huntgroup. Need to block adsl-2 users going trough 
 hunt-adsl-1 huntgroup. I have this in the users file:
 
 DEFAULT Ldap-Group == disabled, Auth-Type := Reject
 Reply-Message = Account disabled.  Please call the helpdesk.
 
 DEFAULT Huntgroup-Name == hunt-adsl-1, Ldap-Group == adsl-1, User-Profile := 
 uid=adsl-1,ou=profiles,dc=domain,dc=net
 Fall-Through = no
 
 DEFAULT Huntgroup-Name == hunt-adsl-2, Ldap-Group == adsl-2, User-Profile := 
 uid=adsl-2,ou=profiles,dc=domain,dc=net
 Fall-Through = no
 
 DEFAULT Auth-Type := Reject
 Reply-Message = Access Denied! You are not a PPP subscriber!
 
 I need to make sure that this configuration works before I go online. I 
 apreciate any help.
 
 P4P
 


Post-Proxy attr_rewrite based on an if condition

2005-05-09 Thread wilduty
Hello,

Is there a way that I could add a new attribute if I receive a specific
attribute from a proxy radius.

For example:

Proxy radius sends a packet which contains an idle-timeout of 30s.
However based on this condition I want to send a session-timeout of 180s. (
There is a change in the actual attribute, not just value and the idle-timeout
is not forwarded to the access-server.)

Modules {
    if(idle-timeout == 30){
        attr_rewrite test {
            searchfor = 
            searchin = reply
            replacewith = 180
            new_attribute = yes
            attribute = Session-Timeout
        }
    }
}

post-proxy {
    test
}

Thank you,

Wilhelm


Re: Need to restrict group of users

2005-05-09 Thread Alan DeKok
E L [EMAIL PROTECTED] wrote:
 I need to make sure that this configuration works before I go online. I 
 apreciate any help.

  Set up a test server, and run it in debugging mode.

  Alan DeKok.



Re: Problems with 1.0.2

2005-05-09 Thread Alan DeKok
Paul Seaman [EMAIL PROTECTED] wrote:
 Hey, I'm trying to compile 1.0.2, and I get the following errors (snipped at 
 the end for brevity) - it seems to be related to EAP, is the simple way to 
 fix this or maybe an easy way to tell it I'm not interested in the EAP 
 module?

  Delete the rlm_eap directory, and do ./configure, etc.

  Alan DeKok.



Re: RadZap

2005-05-09 Thread Alan DeKok
Sarkis Gabriel [EMAIL PROTECTED] wrote:
 I have just checked out 1.0.2 and found out RadZap does not work i
 even did what was said to copy the radzap.c from CVS to 1.0.2 and
 compile it, but still no Joy with radzap and i do rely on that on a
 daily bases.

  You couldn't have copied radzap.c from the CVS head to 1.0.2,
because it doesn't exist in the CVS head.

  Copy radwho.c  radzap.

  Alan DeKok.



Re: Cisco SIP auth problem

2005-05-09 Thread Alan DeKok
Abdul Lateef [EMAIL PROTECTED] wrote:
 xpgk-sip-auth4=b493b44cd7875041c11b92e638f74b2d
 
 But the Radius is not responding for this request and
 the log apearing 
 SecurityDenial null

  Posting the same message multiple times, and ignoring a previous
answer is rude.

  Go ask your NAS vendor what this means.  No one here knows.

  Alan DeKok.



Re: Strange problem authentication

2005-05-09 Thread Alan DeKok
Sylvain Clerc [EMAIL PROTECTED] wrote:
 I use the native client 802.1X of win XP and one time, freeradius will
 authenticate the user directly (by asking active directory) and
 another time, freeradius won't stop to send an Access-Challenge just
 after the first Access-Request

  FreeRADIUS does things only when the NAS asks.  So if FreeRADIUS is
sending Access-Challenges, it's because the NAS (or winxp client) is
asking it to.

  For some reason, the client doesn't like the response from
FreeRADIUS, and is starting the authentication process over from
scratch.  Find out why the client is doing this, and you will be able
to solve the problem.

  Alan DeKok.



Re: postgresql problem/question

2005-05-09 Thread Alan DeKok
Dave Weis [EMAIL PROTECTED] wrote:
 The other reply items come from radgroupreply. When I run radiusd -X I see 
 this in the logs:
modcall[post-auth]: module sql returns ok for request 0
 modcall: group post-auth returns ok for request 0
 Sending Access-Accept of id 59 to 127.0.0.1:57298
  Framed-IP-Address BARE-WORD :=

  It looks like the SQL module is giving the wrong value to the
create attribute function.  From looking at your example, your data
doesn't match the schema FreeRADIUS expects.

 select * from generate_radreply('[EMAIL PROTECTED]');
 id   | username | attribute | op | 
 value

  That should be ... attribute value op

  See the SQL schema included with the server.

  Alan DeKok.
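
The column-order mismatch described in this reply, reproduced as an added example (not code from FreeRADIUS or from any post in the thread). It assumes, as the reply implies, that reply rows are consumed by position as id, username, attribute, value, op; the consumer function, the check for swapped columns, the user name and the use of SQLite in place of PostgreSQL are constructed for illustration.

```python
import sqlite3

# radreply declared with op before Value, as in the schema excerpt quoted
# later in this thread. SQLite stands in for PostgreSQL (assumption).
SCHEMA = """
CREATE TABLE radreply (
    id        INTEGER PRIMARY KEY,
    UserName  VARCHAR(30) DEFAULT '' NOT NULL,
    Attribute VARCHAR(30),
    op        VARCHAR(2) NOT NULL DEFAULT '=',
    Value     VARCHAR(40)
)"""

# Operators used in FreeRADIUS check/reply items.
OPERATORS = {"=", ":=", "==", "+=", "!=", ">", ">=", "<", "<=",
             "=~", "!~", "=*", "!*"}

# Table order (what "select *" or a function mirroring the table returns).
SELECT_STAR = "SELECT * FROM radreply WHERE UserName = ?"
# Order named in the reply: ... attribute value op.
SELECT_EXPLICIT = ("SELECT id, UserName, Attribute, Value, op "
                   "FROM radreply WHERE UserName = ?")


def pairs_by_position(rows):
    """Hypothetical consumer: reads (id, username, attribute, value, op) by index."""
    return [{"attribute": r[2], "value": r[3], "op": r[4]} for r in rows]


def misordered(pairs):
    """Pairs whose op is not an operator, or whose value is one.

    Either condition is the signature of the value and op columns being
    swapped between the query and the consumer.
    """
    return [p for p in pairs
            if p["op"] not in OPERATORS or p["value"] in OPERATORS]


def demo():
    """Return (pairs from table-order query, pairs from explicit-order query)."""
    user = "user@example.org"          # constructed sample user
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute(
        "INSERT INTO radreply (UserName, Attribute, op, Value) VALUES (?, ?, ?, ?)",
        (user, "Framed-IP-Address", ":=", "1.2.3.4"),
    )
    star = db.execute(SELECT_STAR, (user,)).fetchall()
    explicit = db.execute(SELECT_EXPLICIT, (user,)).fetchall()
    db.close()
    return pairs_by_position(star), pairs_by_position(explicit)


if __name__ == "__main__":
    bad, good = demo()
    print("table order   :", bad, "flagged:", bool(misordered(bad)))
    print("explicit order:", good, "flagged:", bool(misordered(good)))
```

With the table-order query the consumer ends up with `:=` as the value of Framed-IP-Address, which matches the `Framed-IP-Address BARE-WORD :=` line in the debug output quoted above.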




Re: Usage of PEAP/MSCHAPv2 and Called-Station-Id in wireless LAN.

2005-05-09 Thread Alan DeKok
YAMAWAKI Hisashi [EMAIL PROTECTED] wrote:
 To distinguish guest's access and staff's access on the system, I want to 
 use following users file,
 but don't work.

  See the FAQ for problems like "it doesn't work"

 My questions are 1) combination of PEAP/MSCHAPv2 and Called-Station-Id is 
 allowed or 
 not allowed in freeradius-1.0.2, and 2) if allowed, how can I do for the 
 problem? 

  Yes, it's allowed.  And since you didn't describe the problem, it's
impossible to say what the solution is.

  Alan DeKok.




Re: postgresql problem/question

2005-05-09 Thread Dave Weis
Alan DeKok wrote:
> Dave Weis [EMAIL PROTECTED] wrote:
>> The other reply items come from radgroupreply. When I run radiusd -X I see
>> this in the logs:
>>   modcall[post-auth]: module sql returns ok for request 0
>> modcall: group post-auth returns ok for request 0
>> Sending Access-Accept of id 59 to 127.0.0.1:57298
>> Framed-IP-Address BARE-WORD :=
>
>   It looks like the SQL module is giving the wrong value to the
> create attribute function.  From looking at your example, your data
> doesn't match the schema FreeRADIUS expects.
>
>> select * from generate_radreply('[EMAIL PROTECTED]');
>>    id   | username | attribute | op | value
>
>   That should be ... attribute value op
>
>   See the SQL schema included with the server.

I'm looking at db_postgresql.sql and see this:

CREATE TABLE radreply (
    id          SERIAL PRIMARY KEY,
    UserName    VARCHAR(30) DEFAULT '' NOT NULL,
    Attribute   VARCHAR(30),
    op          VARCHAR(2) NOT NULL DEFAULT '=',
    Value       VARCHAR(40)
);
which is what I used for the layout. It looks the same in db_mysql.sql also.
Is it position sensitive or does it use column names?
Thanks
dave


Incorrect NAS Name Being Sent By Client

2005-05-09 Thread jeffrey . jackson

I've installed freeradius-1.0.1-1.RHEL3 and have recently
configured an RHAS 3.0 server as a radius client.

I've configured the client server so ssh login requests will go authenticate
to a RADIUS server.

Is there a configuration file I can edit so that my client will send the
correct NAS name (client hostname) instead of the daemon (sshd)
that's authenticating to the RADIUS server?

Thanks In Advance!



Re: RadZap

2005-05-09 Thread Sarkis Gabriel
Sorry i meant radzap and radwho.c, i copied them both and did
./configure --with-experimental-modules and then make but i noticed it
broke during the make process and that is what i got during the weekend.

/usr/include/bits/socket.h:275: parse error before '' token
In file included from /usr/include/_G_config.h:44,
 from /usr/include/libio.h:32,
 from /usr/include/stdio.h:72,
 from ../include/libradius.h:30,
 from ../include/radiusd.h:10,
 from radwho.c:51:
/usr/include/gconv.h: At top level:
/usr/include/gconv.h:72: parse error before size_t
/usr/include/gconv.h:88: parse error before size_t
/usr/include/gconv.h:97: parse error before size_t
/usr/include/gconv.h:174: parse error before size_t
/usr/include/gconv.h:177: parse error before '}' token
In file included from /usr/include/libio.h:32,
 from /usr/include/stdio.h:72,
 from ../include/libradius.h:30,
 from ../include/radiusd.h:10,
 from radwho.c:51:
/usr/include/_G_config.h:47: field `__cd' has incomplete type
/usr/include/_G_config.h:50: field `__cd' has incomplete type
/usr/include/_G_config.h:52: confused by earlier errors, bailing out
gmake[4]: *** [radwho.o] Error 1
gmake[4]: Leaving directory `/root/freeradius-1.0.2/src/main'
gmake[3]: *** [common] Error 1

Any ideas?


-- Original Message ---
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Mon, 09 May 2005 13:30:15 -0400
Subject: Re: RadZap 

 Sarkis Gabriel [EMAIL PROTECTED] wrote:
  I have just checked out 1.0.2 and found out RadZap does not work i
  even did what was said to copy the radzap.c from CVS to 1.0.2 and
  compile it, but still no Joy with radzap and i do rely on that on a
  daily bases.
 
   You couldn't have copied radzap.c from the CVS head to 1.0.2,
 because it doesn't exist in the CVS head.
 
   Copy radwho.c  radzap.
 
   Alan DeKok.
 
--- End of Original Message ---




Re: postgresql problem/question

2005-05-09 Thread Alan DeKok
Dave Weis [EMAIL PROTECTED] wrote:
 which is what I used for the layout. It looks the same in db_mysql.sql also.
 
 Is it position sensitive or does it use column names?

  Hmm... The queries in SQL.conf select id, username, attribute,
value, op.  So it should work, unless you edited the queries.

  But the problem is still that the op field from SQL is being put into
the value for the attribute, and vice-versa.  Fix that, and the
problem will go away.

  Alan DeKok.



Re: Incorrect NAS Name Being Sent By Client

2005-05-09 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I've installed freeradius-1.0.1-1.RHEL3 and have recently
 configured an RHAS 3.0 server as a radius client.

  Using... what as a radius client?

 Is there a configuration file I can edit so that my client will send the
 correct NAS name (client hostname) instead of the daemon (sshd)
 that's authenticating to the RADIUS server?

  Since you didn't say what RADIUS client you're using, I have no idea.

  Alan DeKok.



Re: RadZap

2005-05-09 Thread Alan DeKok
Sarkis Gabriel [EMAIL PROTECTED] wrote:
 Sorry i meant radzap and radwho.c, i copied them both and did
 ./configure --with-experimental-modules and then make but i noticed it
 broke during the make process and that is what i got during the weekend.

  shrug Try grabbing a copy of the pre-release for 1.0.3 from CVS.
See recent messages on the list for details.

  Alan DeKok.




Re: RadZap

2005-05-09 Thread Alan DeKok
Sarkis Gabriel [EMAIL PROTECTED] wrote:
 just to confirm is it this cvs command
 cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -j release_1_0 radiusd 

  No.

 that is the one i got and i tried to compile it from scratch but it fails on 
 ./configure

  I hate playing twenty questions.

  Alan DeKok.



0 being added to every second line of Ascend data filter

2005-05-09 Thread John Fergusson
This one has me curious.

Do I have a config error?  If so where?

When I use radtest I get the following.

[EMAIL PROTECTED] doc]# radtest fred wilma localhost:1812 17  testing123
Sending Access-Request of id 64 to 127.0.0.1:1812
User-Name = fred
User-Password = wilma
NAS-IP-Address = radius.redlineservices.local
NAS-Port = 17
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=64,
length=216
Framed-Compression = Van-Jacobson-TCP-IP
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-MTU = 1500
Idle-Timeout = 600
Session-Timeout = 28800
Ascend-Data-Filter = ip in forward tcp est
Ascend-Data-Filter = ip in forward dstip 209.248.244.128/25 0
Ascend-Data-Filter = ip in drop tcp dstport = 25
Ascend-Data-Filter = ip in forward 0

Debug output from the server is the same.

rad_recv: Access-Request packet from host 127.0.0.1:32770, id=64,
length=56
User-Name = fred
User-Password = wilma
NAS-IP-Address = 255.255.255.255
NAS-Port = 17
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
  modcall[authorize]: module chap returns noop for request 3
  modcall[authorize]: module mschap returns noop for request 3
rlm_realm: No '@' in User-Name = fred, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 3
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 3
radius_xlat:  'fred'
rlm_sql (sql): sql_set_user escaped user -- 'fred'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'fred' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'fred' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'fred' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'fred' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module sql returns ok for request 3
modcall: group authorize returns ok for request 3
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 3
rlm_sql (sql): Processing sql_postauth
radius_xlat:  'fred'
rlm_sql (sql): sql_set_user escaped user -- 'fred'
radius_xlat:  'INSERT into radpostauth (id, user, pass, reply, date)
values ('', 'fred', 'wilma', 'Access-Accept', NOW())'
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id,
user, pass, reply, date) values ('', 'fred', 'wilma', 'Access-Accept',
NOW())
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
  modcall[post-auth]: module sql returns ok for request 3
modcall: group post-auth returns ok for request 3
Sending Access-Accept of id 64 to 127.0.0.1:32770
Framed-Compression := Van-Jacobson-TCP-IP
Framed-Protocol := PPP
Service-Type := Framed-User
Framed-MTU := 1500
Idle-Timeout := 600
Session-Timeout = 28800
Ascend-Data-Filter += ip in forward tcp est
Ascend-Data-Filter += ip in forward dstip 209.248.244.128/25 0
Ascend-Data-Filter += ip in drop tcp dstport = 25
Ascend-Data-Filter += ip in forward 0
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 64 with timestamp 427fb66a

If I query the output directly from my sql I don't get the extra 0's
being added.

mysql> Select
radgroupreply.id,radgroupreply.Groupname,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.Op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'fred' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id;
+----+-----------+--------------------+---------------------+----+
| id | Groupname | Attribute          | Value               | Op |
+----+-----------+--------------------+---------------------+----+
| 34 | dynamic   | Framed-Compression | Van-Jacobsen-TCP-IP | := |
| 35 | dynamic   | Framed-Protocol    | PPP                 | := |
| 36 | dynamic   | Service-type       | Framed-User         | := |
| 37 | dynamic  

Re: Incorrect NAS Name Being Sent By Client

2005-05-09 Thread jeffrey . jackson

Sorry for the confusion.

 Using... what as a radius client?

The client is a RedHat AS 3.0 box with 
freeradius-1.0.1-1.RHEL3 installed.
When users attempt to ssh to the Redhat
client it authenticates to a different
RADIUS server. The RADIUS client is sending
an incorrect NAS name to the RADIUS server.
The NAS name that's being sent from the client
to the server is that of the daemon (sshd)
that's serving login requests on the client.

 Is there a configuration file I can edit so that my client will send the
 correct NAS name (client hostname) instead of the daemon (sshd)


 

Re: RadZap

2005-05-09 Thread Sarkis Gabriel
To be honest i have spent a lot of time working out cvs and i do not know
how to check for the version on cvs the only thing i found in the archive
about cvs and 1.0.3 is the one below posted few days back and pointing out
that it is the current candidate for the official 1.0.3 and it is called
release_1_0.

I know you don't like playing twenty question but if i have not tried, I
would not be asking, i just need to get this new system compiled and
working so i can drop version 0.9.3.

Thank you once more

Sarky
-- Original Message ---
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Mon, 09 May 2005 14:53:24 -0400
Subject: Re: RadZap

 Sarkis Gabriel [EMAIL PROTECTED] wrote:
  just to confirm is it this cvs command
  cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -j release_1_0 radiusd
 
   No.
 
  that is the one i got and i tried to compile it from scratch but it fails
  on ./configure
 
   I hate playing twenty questions.
 
   Alan DeKok.
 
--- End of Original Message ---



Re: postgresql problem/question

2005-05-09 Thread Dave Weis
Alan DeKok [EMAIL PROTECTED] said:

 Dave Weis [EMAIL PROTECTED] wrote:
  which is what I used for the layout. It looks the same in db_mysql.sql also.
  
  Is it position sensitive or does it use column names?
 
   Hmm... The queries in SQL.conf select id, username, attribute,
 value, op.  So it should work, unless you edited the queries.
 
   But the problem is still that the op field from SQL is being put into
 the value for the attribute, and vice-versa.  Fix that, and the
 problem will go away.

I changed the format of the records that I was returning to match what you 
described and it seems to be working.

Thanks
dave



-- 
Dave Weis
Internet Solver, Inc
http://www.internetsolver.com/






Re: RadZap

2005-05-09 Thread Alan DeKok
Sarkis Gabriel [EMAIL PROTECTED] wrote:
 To be honest i have spent a lot of time working out cvs and i do not
 know how to check for the version on cvs the only thing i found in
 the archive about cvs and 1.0.3 is the one below posted few days
 back and pointing out that it is the current candidate for the
 official 1.0.3 and it is called release_1_0.

  It will work if you follow the instructions in that message.

 I know you dont like playing twenty question but if i have not
 tried, I would not be asking, i just need to get this new system
 compiled and working so i can drop version 0.9.3.

  I would like to be able to help you, but you keep saying something
went wrong, and giving NO information.

  I'm not a mind reader, and I *hate* having to play the twenty
questions game.  if you want someone to help you, then give them
enough information so that they can understand what you're doing.  If
you don't, then you're forcing people to ask you question after
question of OK, and what EXACTLY went wrong?

  If you never say anything other than something went wrong, then no
one will be able to help you.  Ever.  And no one will want to help
you, either.

  Alan DeKok.



Re: Incorrect NAS Name Being Sent By Client

2005-05-09 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 The client is a RedHat AS 3.0 box with 
 freeradius-1.0.1-1.RHEL3 installed.

  You said that already.  Did you think no one read it?

 When users attempt to ssh to the Redhat
 client it authenticates to a different
 RADIUS server. The RADIUS client is sending
 an incorrect NAS name to the RADIUS server.

  You said that already, too.

 The NAS name that's being sent from the client
 to the server is that of the daemon (sshd)
 that's serving login requests on the client.

  You said that already, too.

  I can play this game, too.

  What are you using as a RADIUS client?

  Alan DeKok.



Re: 0 being added to every second line of Ascend data filter

2005-05-09 Thread Alan DeKok
John Fergusson [EMAIL PROTECTED] wrote:
 Do I have a config error?  If so where?

  Nope.  The Ascend binary attributes are *not* text.  Therefore, when
they're read from a DB and put into a RADIUS attribute, they may not
print in debug mode as exactly the same string as you put in the DB.

 If I query the output directly from my sql I don't get the extra 0's
 being added.

  Exactly.  What you put into the DB is one thing.  What goes into the
packet (or printed in debug mode) is another.

  There's no problem.

  Alan DeKok.




Re: RadZap

2005-05-09 Thread Sarkis Gabriel
I think it is best to start all over again.
I have been using 0.9.3 basically since that was the current version and it
is working fine, now i want to upgrade and go for the newer version so i
downloaded 1.0.2 and found out that radzap is not working properly.
After looking in the MAN pages found out that radzap is a script which uses
radwho/radclient to do its job Simple Term that is.
So checking up on it, found out that few users had similar problem and in
the archive I located a message stating that it will be fixed in 1.0.3 or
you can download the cvs and swap files then compile once more.
The CVS command i used was the one advising someone else to use and i got
radiusd, copied the files and got a compile error when it got to radwho.c

I recently downloaded the snapshot - freeradius-snapshot-20050509.tar.gz -
and compiled it, bearing in mind the version which is still on the system is
0.9.3.
I copied over radzap, radwho, radclient thinking that it might work in place
of original radzap so i can see if it works with the current version then
change all the scripts i already have in place to the new command line
before the upgrade, but no joy, i think it is incompatibility.

Sorry once more to go on and on but i think the above gives a better view of
what i have done.

Sarky


-- Original Message ---
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Mon, 09 May 2005 16:51:23 -0400
Subject: Re: RadZap 

 Sarkis Gabriel [EMAIL PROTECTED] wrote:
  To be honest i have spent a lot of time working out cvs and i do not
  know how to check for the version on cvs the only thing i found in
  the archive about cvs and 1.0.3 is the one below posted few days
  back and pointing out that it is the current candidate for the
  official 1.0.3 and it is called release_1_0.
 
   It will work if you follow the instructions in that message.
 
  I know you dont like playing twenty question but if i have not
  tried, I would not be asking, i just need to get this new system
  compiled and working so i can drop version 0.9.3.
 
   I would like to be able to help you, but you keep saying something
 went wrong, and giving NO information.
 
   I'm not a mind reader, and I *hate* having to play the twenty
 questions game.  if you want someone to help you, then give them
 enough information so that they can understand what you're doing.  If
 you don't, then you're forcing people to ask you question after
 question of OK, and what EXACTLY went wrong?
 
   If you never say anything other than something went wrong, then no
 one will be able to help you.  Ever.  And no one will want to help
 you, either.
 
   Alan DeKok.
 
--- End of Original Message ---




Re: RadZap

2005-05-09 Thread Alan DeKok
Sarkis Gabriel [EMAIL PROTECTED] wrote:
 The CVS command i used was the one advising someone else to use and
 i got radiusd, copied the files and got a compile error when it got
 to radwho.c

  If you grab the 1.0.x candidate from CVS, you don't have to copy
over radwho.c.  The previous messages in the list archive say that.

  And didn't you say in your previous message that it failed in
configure?  Are you sure you know what's going on in your system?

  Alan DeKok.



Re: Incorrect NAS Name Being Sent By Client

2005-05-09 Thread jeffrey . jackson

 What are you using as a RADIUS client?

I'm using pam_radius-1.3.16 as my radius client
package.

Sorry for the previous confusion on my part. 
Yes I know I said that already too ;)

Freeradius install problem

2005-05-09 Thread Software Development Group


Hello,
I've installed and compiled freeradius on my Linux ubuntu Warty Warthog
4.10 everything went Ok. I run freeradius on debug mode (radiusd -X) and
it seems to work fine:
[EMAIL PROTECTED]:/home/maxo # radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file:
/usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir =
/usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file =
/usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile =
/usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away
soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups =
/usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile =
/usr/local/etc/raddb/acct_users
files: preproxy_usersfile =
/usr/local/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id,
NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename =
/usr/local/var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests. 
then I connect the server to the network and my Internet
Service Controller (NAS) also to the network and a client PC to the
Internet Service Controller 

Re: Freeradius install problem

2005-05-09 Thread Terry J Fike Jr
when you set up the client in the clients.conf
did you put all the client info inside {} ?
client ip {
  secret = nosecret
  shortname = mycomputer
}
it didn't look that way in the message, but that may have just been for 
ease of writing...
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]



Re: Incorrect NAS Name Being Sent By Client

2005-05-09 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I'm using pam_radius-1.3.16 as my radius client
 package.

  Then it should add a NAS-IP-Address attribute, with the IP address
of the host.  If it doesn't, then it can't find the address of the
host.

  The only way to work around that is to edit the source.

  Alan DeKok.




Re: Freeradius install problem

2005-05-09 Thread Alan DeKok
Software Development Group [EMAIL PROTECTED] wrote:
 Ignoring request from unknown client 172.18.21.100:10005
...
 I added a line in the clients.conf file with the details of the ISS:
 
 client 192.10.25.100 (ISS's IP address)

  That isn't the same IP address that the server sees.

  Alan DeKok.
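
The mismatch pointed out in this reply can be checked mechanically. The following is an added example, not code from the thread or from FreeRADIUS: it compares the source addresses in "Ignoring request from unknown client" debug lines with the `client` stanzas of a clients.conf. The function names, the sample file contents and the placeholder secret are assumptions.

```python
import ipaddress
import re

# Constructed clients.conf fragment in the style used in the thread. The
# address is the one the poster configured; the secret is a placeholder.
CLIENTS_CONF = """\
client 192.10.25.100 {
    secret    = EXAMPLE-SECRET   # placeholder
    shortname = iss
}
"""

# Debug line quoted in the thread.
DEBUG_LOG = "Ignoring request from unknown client 172.18.21.100:10005\n"

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{", re.MULTILINE)
UNKNOWN_RE = re.compile(
    r"Ignoring request from unknown client (\d{1,3}(?:\.\d{1,3}){3}):\d+")


def configured_clients(conf_text):
    """Return the networks named by 'client <addr> {' stanzas.

    Host names are skipped: the server resolves them itself, so they
    cannot be compared offline.
    """
    networks = []
    without_comments = re.sub(r"#.*", "", conf_text)
    for name in CLIENT_RE.findall(without_comments):
        try:
            networks.append(ipaddress.ip_network(name, strict=False))
        except ValueError:
            continue
    return networks


def unmatched_sources(conf_text, log_text):
    """Source addresses the server rejected that no stanza covers."""
    networks = configured_clients(conf_text)
    missing = []
    for addr in UNKNOWN_RE.findall(log_text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not a valid dotted quad, ignore the line
        if not any(ip in net for net in networks) and addr not in missing:
            missing.append(addr)
    return missing


if __name__ == "__main__":
    for addr in unmatched_sources(CLIENTS_CONF, DEBUG_LOG):
        print("no client stanza covers the address the server sees:", addr)
```

Each address it reports is the one the server actually receives packets from, which is the address the `client` stanza has to name.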



Re: RadZap

2005-05-09 Thread Sarkis Gabriel
Okie i got the CVS once more, i think the way i got it the first time was
wrong hence i got the ./configure error.
I noticed that i was talking about another email in the archive and not the
one originated from you, now i got the cvs and compiled it tomorrow when my
brain is functioning properly i will install and configure and play around
with radzap.

Sorry for the confusion, and thanks for the help.

Sarky


-- Original Message ---
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Mon, 09 May 2005 17:19:13 -0400
Subject: Re: RadZap 

 Sarkis Gabriel [EMAIL PROTECTED] wrote:
  The CVS command i used was the one advising someone else to use and
  i got radiusd, copied the files and got a compile error when it got
  to radwho.c
 
   If you grab the 1.0.x candidate from CVS, you don't have to copy
 over radwho.c.  The previous messages in the list archive say that.
 
   And didn't you say in your previous message that it failed in
 configure?  Are you sure you know what's going on in your system?
 
   Alan DeKok.
 
--- End of Original Message ---




problems with digest and ser

2005-05-09 Thread Lucas Aimaretto
Hi all,

I'm having trouble at authentication using radius and digest. Look at
radius output. The rare thing is that some phones get registered nicely,
but others no. The ones who get registered are X-Lite softphones and
grandstream. The ones that not, are the ATAs from voip solutions,
MTA-V102. Any help would be appreciated. The user is 1991106 and has NO
PASSWORD assigned ... ( but all of the users have NO PASSWORD ). Does
this no-password thing have something to do with all this ???

rad_recv: Access-Request packet from host IP_SER:33483, id=196,
length=269
User-Name = [EMAIL PROTECTED]
Digest-Attributes = 0x0a0931393931313036
Digest-Attributes = 0x01103230382e3232312e3136392e3838
Digest-Attributes =
0x022a343237666563656136633030666366653433376234396139363436643036663733
63396635353639
Digest-Attributes = 0x04147369703a3230382e3232312e3136392e3838
Digest-Attributes = 0x030a5245474953544552
Digest-Response = 9b256af89daa817caf568f682e1d15a6
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 0x31393931313036
Cisco-AVPair =
[EMAIL PROTECTED]
NAS-IP-Address = IP_SER
NAS-Port = 5060
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 213
  modcall[authorize]: module preprocess returns ok for request 213
  modcall[authorize]: module attr_filter returns noop for request 213
  modcall[authorize]: module chap returns noop for request 213
rlm_digest: Converting Digest-Attributes to something sane...
Digest-User-Name = 1991106
Digest-Realm = IP_SER
Digest-Nonce = 427fecea6c00fcfe437b49a9646d06f73c9f5569
Digest-URI = sip:IP_SER
Digest-Method = REGISTER
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module digest returns ok for request 213
rlm_realm: Looking up realm IP_SER for User-Name =
[EMAIL PROTECTED]
rlm_realm: Found realm IP_SER
rlm_realm: Adding Stripped-User-Name = 1991106
rlm_realm: Proxying request from user 1991106 to realm IP_SER
rlm_realm: Adding Realm = IP_SER
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 213
radius_xlat:  '1991106'
rlm_sql (sql): sql_set_user escaped user -- '1991106'
radius_xlat:  'rad_authorize_check_query '1991106''
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat:  ''
radius_xlat:  'rad_authorize_reply_query '1991106','''
radius_xlat:  ''
rlm_sql (sql): Released sql socket id: 1
  modcall[authorize]: module sql returns ok for request 213
modcall: group authorize returns ok for request 213
  rad_check_password:  Found Auth-Type DIGEST
auth: type digest
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 213
A1 = 1991106:IP_SER:
A2 = REGISTER:sip:IP_SER
KD =
b3b6936f2a09f4749902ff9f6e0f1b71:427fecea6c00fcfe437b49a9646d06f73c9f556
9:962db7ab8b0547fc8fbaa6408dd6
rlm_digest: FAILED authentication
  modcall[authenticate]: module digest returns reject for request 213
modcall: group authenticate returns reject for request 213
auth: Failed to validate the user.
Sending Access-Reject of id 196 to IP_SER:33483

... any ideas ??

Look at this NGREP's ...

U IP_UA:60975 - IP_SER:5060
REGISTER sip:IP_SER SIP/2.0.
Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2952116395.
From: sip:[EMAIL PROTECTED];tag=2375800474.
To: sip:[EMAIL PROTECTED].
Call-ID: [EMAIL PROTECTED]
CSeq: 15158 REGISTER.
Contact: sip:[EMAIL PROTECTED]:5070.
Expires: 120.
Max-Forwards: 70.
User-Agent: SIP-ICSG102-1.372-icablesystem/v2.0_enabled.
Content-Length: 0.

U IP_SER:5060 - IP_UA:60975
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP
10.0.0.5:5070;branch=z9hG4bK2952116395;rport=60975;received=64.32.92.159
.
From: sip:[EMAIL PROTECTED];tag=2375800474.
To: sip:[EMAIL PROTECTED];tag=6f0d146d94c4cb042663ff3cf87e2e72.527a.
Call-ID: [EMAIL PROTECTED]
CSeq: 15158 REGISTER.
WWW-Authenticate: Digest realm=IP_SER,
nonce=427feab914e565fceccf1852a2b0ae3b69cb.
Content-Length: 0.
Warning: 392 IP_SER:5060 Noisy feedback tells:  pid=5366
req_src_ip=IP_UA req_src_port=60975 in_uri=sip:IP_SER out_uri=sip:IP_SER
via_cnt==1.

U IP_UA:60975 - IP_SER:5060
REGISTER sip:IP_SER SIP/2.0.
Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2608934381.
From: sip:[EMAIL PROTECTED];tag=1079893788.
To: sip:[EMAIL PROTECTED].
Call-ID: [EMAIL PROTECTED]
CSeq: 15159 REGISTER.
Contact: sip:[EMAIL PROTECTED]:5070.
Expires: 120.
Authorization: Digest username=1991106, realm=IP_SER,
nonce=427feab914e565fceccf1852a2b0ae3b69cb, uri=sip:IP_SER,
response=c7dc44af5d16f48c410813a7f4dc98f2.
Max-Forwards: 70.
User-Agent: SIP-ICSG102-1.372-icablesystem/v2.0_enabled.
Content-Length: 0.

U IP_SER:5060 - IP_UA:60975
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP
10.0.0.5:5070;branch=z9hG4bK2608934381;rport=60975;received=64.32.92.159
.
From: sip:[EMAIL PROTECTED];tag=1079893788.
To: sip:[EMAIL 

Re: problems with digest and ser

2005-05-09 Thread Alan DeKok
Lucas Aimaretto [EMAIL PROTECTED] wrote:
 I'm having trouble at authentication using radius and digest. Look at
 radius output. The rare thing is that some phones get registered nicely,
 but others no. The ones who get registered are X-Lite softphones and
 grandstream. The ones that not, are the ATAs from voip solutions,
 MTA-V102. Any help would be appreciated. The user is 1991106 and has NO
 PASSWORD assigned ... ( but all of the users have NO PASSWORD ). Does
 this no-password thing have something to do with all this ???

  Could be.  And I don't think that having no password is a good idea.
In any case, if there *wasn't* a password, then the digest module
would complain.

 rlm_digest: FAILED authentication
...
 ... any ideas ??

  The client isn't using the correct digest algorithm?

  Alan DeKok.
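
The comparison behind the "FAILED authentication" line can be reproduced offline. The following is an added example, not part of the original posts and not FreeRADIUS's own code: it decodes the Digest-Attributes sub-attributes from the Access-Request in this thread and recomputes the RFC 2617 MD5 response without qop, the form shown in the KD line of the debug output. The sub-attribute numbers are taken from how the debug output decoded them; the function names are assumptions.

```python
import hashlib
import hmac

# Sub-attribute numbers as the debug output in the thread decoded them
# (0x0a became Digest-User-Name, 0x01 Digest-Realm, and so on).
SUBATTR = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 10: "username"}

# Digest-Attributes values copied from the Access-Request in the post.
PACKET_ATTRS = [
    "0a0931393931313036",
    "01103230382e3232312e3136392e3838",
    "022a343237666563656136633030666366653433376234396139363436643036663733"
    "63396635353639",
    "04147369703a3230382e3232312e3136392e3838",
    "030a5245474953544552",
]
PACKET_RESPONSE = "9b256af89daa817caf568f682e1d15a6"


def parse_digest_attributes(hex_values):
    """Decode type/length/value sub-attributes into a dict of strings."""
    fields = {}
    for hex_value in hex_values:
        raw = bytes.fromhex(hex_value)
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            kind, length = raw[pos], raw[pos + 1]
            # The length byte counts the two header bytes as well.
            if length < 2 or pos + length > len(raw):
                raise ValueError("bad sub-attribute length %d" % length)
            name = SUBATTR.get(kind, "unknown-%d" % kind)
            fields[name] = raw[pos + 2:pos + length].decode("ascii")
            pos += length
    return fields


def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()


def expected_response(fields, password):
    """RFC 2617 response without qop: MD5(MD5(A1):nonce:MD5(A2))."""
    a1 = "%s:%s:%s" % (fields["username"], fields["realm"], password)
    a2 = "%s:%s" % (fields["method"], fields["uri"])
    return md5_hex("%s:%s:%s" % (md5_hex(a1), fields["nonce"], md5_hex(a2)))


def check_response(fields, password, response):
    """Constant-time comparison of the client's response with ours."""
    return hmac.compare_digest(expected_response(fields, password),
                               response.lower())


if __name__ == "__main__":
    fields = parse_digest_attributes(PACKET_ATTRS)
    print(fields)
    # A1 in the debug output ends in ':', so the server had an empty
    # password for this user when it built its side of the comparison.
    print("empty password matches:",
          check_response(fields, "", PACKET_RESPONSE))
```

Running the same check with the password provisioned on the device shows whether the mismatch comes from the stored credential or from how the client builds its response.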



ntlm_auth not working

2005-05-09 Thread Graham, Robert






Hello all,


I seem to have a problem getting freeradius to authenticate users from Active Directory. I have installed and configured Samba and have added the server to the NT domain. I can use: net ads info, wbinfo -g, wbinfo -u successfully. I have modified the necessary freeradius files: radiusd.conf, eap.conf, users, and clients.conf. When I run NTRadPing or radtest I can authenticate local users successfully, but when I try to test users from AD it always fails. I have included the debugging output from the server and client:


[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/lib/freeradius
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
tls: private_key_password = whatever
tls: dh_file = /usr/local/etc/raddb/certs/dh
tls: random_file = /dev/urandom
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: 

Re: ntlm_auth not working

2005-05-09 Thread Michael Griego
ntlm_auth is really only useful for people who must do an MSCHAP 
authentication against a Windows domain.  If you are doing a straight 
User-Password authentication (as you show below in your example), then 
it might be just as well to set up LDAP authentication against AD as 
that will work in this case.  Using ntlm_auth in that case is really 
overkill.

--Mike

Graham, Robert wrote:
Hello all,
I seem to have a problem getting freeradius to authenticate users from 
Active Directory.  I have installed and configured Samba and have 
added the server to the NT domain.  I can use: net ads info,  
wbinfo -g, wbinfo -u successfully.  I have modified the necessary 
freeradius files: radiusd.conf, eap.conf, users, and clients.conf.  
When I run NTRadPing or radtest I can authenticate local users 
successfully, but when I try to test users from AD it always fails.  I 
have included the debugging output from the server and client:

[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} 
--challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}

Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = /dev/urandom
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = 

Re: problems with digest and ser

2005-05-09 Thread Abdul Lateef
Hello,

I am facing the same problem. In my case, all H.323 IP
phones are able to register successfully. But I have a
problem only with SIP IP phones, which cannot be
registered.

I searched the mailing list and I found that the Digest
type of authentication can solve the problem. I did
the configuration according to
draft-sterman-aaa-sip-00.txt.

But no luck :)

If you find your solution, please let us know, to solve
others' problems.

Thank You