Re[2]: daily limit

2005-05-11 Thread avudz

Monday, May 9, 2005, 9:34:05 PM, you wrote:

SE> Hm... maybe you should set the SQL statements in your sqlcounter.conf file
SE> that can be usually found in /etc/raddb or
SE> /usr/local/etc/raddb depending on
SE> distribution...

SE> You can define the different counters for your vouchers that will count time
SE> or traffic by defining them in the file I mentioned...

SE> I don't know, but maybe you should take a look at
SE> /usr/share/doc/packages/freeradius/rlm_sqlcounter if you already didn't do
SE> that...

Hello, I still can't solve the problem with the 1-day limit. Now I'm thinking of
putting this in sqlcounter.conf:

sqlcounter hourcounter {
    counter-name = Max-Hour-Session-Time
    check-name = Max-Hour-Session
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

and I set 86400 in radgroupcheck, with this input:

INSERT INTO radgroupcheck (id,GroupName,Attribute,Value,op)
VALUES ('','plan_name','Password-Expire','86400',':=');

Will it work in my case? The point is that the customer can't log in
after the next day; the login voucher will be valid for twenty-four hours
from the first login. Please advise. Thanks.


-- 
Best regards,
 avudz


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re[2]: daily limit

2005-05-11 Thread Marcin Jessa
You don't understand the way the counter works.
As stated in the experimental.conf:

#  The 'reset' parameter defines when the counters are all
#  reset to zero.  It can be hourly, daily, weekly, monthly or
#  never.  It can also be user defined. It should be of the
#  form:
#   num[hdwm] where:
#   h: hours, d: days, w: weeks, m: months
#   If the letter is ommited days will be assumed. In example:
#   reset = 10h (reset every 10 hours)
#   reset = 12  (reset every 12 days)

In your case you should change reset=never to reset=1h if you want to reset the 
counter every hour.
But in that case it would not make sense to call it Max-Hour-Session-Time since 
the counter would be reset after the user's time is off and then she would be 
able to login again...

What do you exactly wanna do? Your config as it is now does not make any sense.
Your SQL says you want to allow your users to stay on 24 hours a day. But then 
you want to reset the counter every hour?
That would make sense if the reset value was greater than the corresponding 
value of your Max-XYZ-Session.


Here is my sqlcounter I use for daily, weekly, monthly and unlimited resets:
http://www.yazzy.org/configs/linux/freeradius/sqlcounter.conf

And btw, the Attribute field in the radgroupcheck table must be the same as the 
value of check-name, e.g:
INSERT INTO radgroupcheck (id,GroupName,Attribute,op,Value) VALUES 
(1,'01hour','Max-Daily-Session',':=','3600');




Re[4]: daily limit

2005-05-11 Thread avudz
Hello Marcin,

Wednesday, May 11, 2005, 2:54:09 PM, you wrote:

MJ> In your case you should change reset=never to reset=1h if you
MJ> want to reset the counter every hour.
MJ> But in that case it would not make sense to call it
MJ> Max-Hour-Session-Time since the counter would be reset after the
MJ> user's time is off and then she would be able to login again...


--- Oops, sorry. Thanks for correcting my mistake.


MJ> What do you exactly wanna do? Your config as it is now does not make any
MJ> sense.
MJ> Your SQL says you want to allow your users to stay on 24
MJ> hours a day. But then you want to reset the counter every hour?
MJ> That would make sense if the reset value was greater than the
MJ> corresponding value of your Max-XYZ-Session.

--- In my case, I have a 1-day voucher limited to 24 hours; the
password will expire the next day after first login even if the user only uses 3 hours.





-- 
Best regards,
 avudz




difference between module authorize and authentication

2005-05-11 Thread dssd dsfdsfdsf


Good morning

What is the difference between the module authorize and authentication in the file radiusd.conf?
If authorize doesn't return ok but authentication returns ok, eap-tls or peap works, but
it is not normal!
When the module "authorize" doesn't return ok, is it possible to not validate the users? Because the server displays "login ok: [client/no user password attribute] from ..."
I want: login incorrect: [] from ... when module authorize doesn't return ok.

thank you very much

		 
 


Re: Counting number of open sessions in RADIUS

2005-05-11 Thread Florin Samareanu
this is kinda wrong, because radwho has one extra line on top, so the
output of radwho |wc -l will count +1 the actual number of users :)

On 5/10/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > Quoting Sonali Karmarkar [EMAIL PROTECTED]:
> >
> > Hi
> > I am using freeradius 0.9.3 with mysql on linux.
> >
> > What is the correct way to count number of open sessions for
> > freeradius server ?
> >
> > [EMAIL PROTECTED] wrote:
> >
> > the easiest way off the top of my head would be to run:
> >
> > %radius_dir%/bin/radwho | grep  -c
> >
> >
> Or:
> %radius_dir%/bin/radwho | wc -l
>
> :)


Re: Re[4]: daily limit

2005-05-11 Thread Marcin Jessa
Hi.

As far as I know the sqlcounter will disallow further authentication only if 
the user has used her time limit quota.
The Session-Timeout Attribute will kick him out when logged in and the 
Max-XYZ-Session will be checked the next time a user wants to login.
You would need an additional Attribute for user expiration date as well.




Re[6]: daily limit

2005-05-11 Thread avudz
Hello Marcin,

Wednesday, May 11, 2005, 4:06:52 PM, you wrote:

MJ> Hi.

MJ> As far as I know the sqlcounter will disallow further
MJ> authentication only if the user has used her time limit quota.
MJ> The Session-Timeout Attribute will kick him out when logged in
MJ> and the Max-XYZ-Session will be checked the next time a user wants
MJ> to login.
MJ> You would need an additional Attribute for user expiration date as well.

--- Mm, I see, so I think I need an external script to do this? Like
Exec-Program? If min(AcctStartTime) or AcctStartTime == 0 the voucher
will not expire; or is it possible to generate it from a PHP script, doing a
query to the database 'Expire' each time there is an authentication?

-- 
Best regards,
 avudz  mailto:[EMAIL PROTECTED]




Re: Re[6]: daily limit

2005-05-11 Thread Chris Knipe
On Wed, May 11, 2005 at 04:31:49PM +0700, avudz wrote:
> Hello Marcin,
>
> Wednesday, May 11, 2005, 4:06:52 PM, you wrote:
>
> MJ> Hi.
>
> MJ> As far as I know the sqlcounter will disallow further
> MJ> authentication only if the user has used her time limit quota.
> MJ> The Session-Timeout Attribute will kick him out when logged in
> MJ> and the Max-XYZ-Session will be checked the next time a user wants
> MJ> to login.
> MJ> You would need an additional Attribute for user expiration date as well.
>
> --- Mm, I see, so I think I need an external script to do this? Like
> Exec-Program? If min(AcctStartTime) or AcctStartTime == 0 the voucher
> will not expire; or is it possible to generate it from a PHP script, doing a
> query to the database 'Expire' each time there is an authentication?
>

I'll second that idea.  Definitely would need some external maintenance
on the database every night to expire accounts older than 24hrs...

Alternatively, you *can* do some nifty sql query on the authentication query
that compares radacct to the account being authenticated, but that would be
a performance hit on authentication times. A nightly maintenance run would 
be the best way to go IMHO.

--
Chris.
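
The nightly maintenance run suggested above, sketched as an added example (not code from the thread or from FreeRADIUS): it finds vouchers whose first radacct login is more than 24 hours old and adds an `Auth-Type := Reject` check item for them. Assumptions: SQLite stands in for MySQL so the script runs offline, the `usergroup` membership table and the use of a reject row as the expiry action are choices made for this sketch, and all sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta

VOUCHER_LIFETIME = timedelta(hours=24)   # the thread's "1 day voucher"
NOW = datetime(2005, 5, 11, 18, 0, 0)    # constructed "time of the nightly run"

# Column names follow the tables shown in the thread; usergroup is an assumption.
SCHEMA = """
CREATE TABLE radacct   (UserName TEXT, AcctStartTime TEXT, AcctSessionTime INTEGER);
CREATE TABLE radcheck  (id INTEGER PRIMARY KEY, UserName TEXT,
                        Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
"""

# Constructed sample data: (user, first/other session start, seconds used).
SAMPLE_ACCT = [
    ("v1001", "2005-05-10 09:00:00", 10800),  # first login 33 h ago, used 3 h
    ("v1002", "2005-05-11 08:00:00", 3600),   # first login 10 h ago
    ("v1004", "2005-05-09 20:00:00", 600),    # first login 46 h ago ...
    ("v1004", "2005-05-11 10:00:00", 600),    # ... later sessions do not matter
    ("staff1", "2005-01-01 00:00:00", 999),   # old login, but not a voucher user
]
SAMPLE_GROUPS = [(u, "plan_name") for u in ("v1001", "v1002", "v1003", "v1004")]


def build_sample_db():
    """Return an in-memory database filled with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", SAMPLE_ACCT)
    conn.executemany("INSERT INTO usergroup VALUES (?, ?)", SAMPLE_GROUPS)
    conn.commit()
    return conn


def expire_vouchers(conn, group, now, lifetime=VOUCHER_LIFETIME):
    """Block vouchers in `group` whose FIRST login is older than `lifetime`.

    Users who never logged in have no radacct row and are left alone, so the
    24 hours only start at first use. Users already carrying the reject row
    are skipped, which makes the run safe to repeat. Returns the user names
    expired by this run.
    """
    cutoff = (now - lifetime).strftime("%Y-%m-%d %H:%M:%S")
    rows = conn.execute(
        """
        SELECT a.UserName
        FROM radacct a
        JOIN usergroup g ON g.UserName = a.UserName
        WHERE g.GroupName = ?
          AND a.UserName NOT IN (
              SELECT UserName FROM radcheck
              WHERE Attribute = 'Auth-Type' AND Value = 'Reject')
        GROUP BY a.UserName
        HAVING MIN(a.AcctStartTime) <= ?
        ORDER BY a.UserName
        """,
        (group, cutoff),
    ).fetchall()
    expired = [row[0] for row in rows]
    with conn:  # one transaction for the whole run
        conn.executemany(
            "INSERT INTO radcheck (UserName, Attribute, op, Value) "
            "VALUES (?, 'Auth-Type', ':=', 'Reject')",
            [(user,) for user in expired],
        )
    return expired


def reject_rows(conn):
    """List the users that currently carry the reject check item."""
    cur = conn.execute(
        "SELECT UserName FROM radcheck "
        "WHERE Attribute = 'Auth-Type' AND Value = 'Reject' ORDER BY UserName"
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = build_sample_db()
    print("expired this run:", expire_vouchers(db, "plan_name", NOW))
    print("expired on rerun:", expire_vouchers(db, "plan_name", NOW))
    print("reject rows:", reject_rows(db))
```

Because the check runs once a night rather than at login time, a voucher can stay usable for up to one maintenance interval past its 24 hours; running the job more often narrows that window.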




Re[8]: daily limit

2005-05-11 Thread avudz

Wednesday, May 11, 2005, 4:36:26 PM, you wrote:



CK> I'll second that idea.  Definitely would need some external maintenance
CK> on the database every night to expire accounts older than 24hrs...

CK> Alternatively, you *can* do some nifty sql query on the authentication query
CK> that compares radacct to the account being authenticated, but that would be
CK> a performance hit on authentication times. A nightly maintenance run would
CK> be the best way to go IMHO.

--- Thanks so much for the response and idea. BTW, last *hope* :-) is it
possible to do it like this:

Database changed
mysql> select * from radgroupcheck;
+----+-----------+-------------+----+------------+
| id | GroupName | Attribute   | op | Value      |
+----+-----------+-------------+----+------------+
[SNIP]
|  6 | test      | Expiration  | := | 2005-01-10 |
+----+-----------+-------------+----+------------+
4 rows in set (0.00 sec)

So all users in group test will expire if date > 10-01-2005.
*last hope* :-)

-- 
Best regards,
 avudz




Re: Re[8]: daily limit

2005-05-11 Thread Marcin Jessa
Hi.

Yepp, that should work, i.e.

mysql> select * from radcheck;
+----+----------+-------------------+----+------------+
| id | UserName | Attribute         | op | Value      |
+----+----------+-------------------+----+------------+
|  5 | yazzy    | User-Password     | := | yazzy      |
|  6 | yazzy    | Max-Daily-Session | := | 3600       |
|  7 | yazzy    | Expiration        | := | 2005-01-10 |
+----+----------+-------------------+----+------------+

Or you could put it to the radgroupreply table as well for your group.





Re: Re[8]: daily limit

2005-05-11 Thread Marcin Jessa
Errata. I meant radgroupcheck, not radgroupreply.




Re[10]: daily limit

2005-05-11 Thread avudz
Hello Marcin,

Wednesday, May 11, 2005, 5:09:01 PM, you wrote:

MJ> Hi.

MJ> Yepp, that should work, i.e.

MJ> mysql> select * from radcheck;
MJ> +----+----------+-------------------+----+------------+
MJ> | id | UserName | Attribute         | op | Value      |
MJ> +----+----------+-------------------+----+------------+
MJ> |  5 | yazzy    | User-Password     | := | yazzy      |
MJ> |  6 | yazzy    | Max-Daily-Session | := | 3600       |
MJ> |  7 | yazzy    | Expiration        | := | 2005-01-10 |
MJ> +----+----------+-------------------+----+------------+

MJ> Or you could put it to the radgroupreply table as well for your group.


--- wow, ok, dankee :-)



-- 
Best regards,
 avudz  mailto:[EMAIL PROTECTED]




Huntgroups

2005-05-11 Thread Marcin Jessa
Hi.

I wonder how the huntgroups really work.
Can I have a huntgroup with multiple NASes stored in SQL and users belonging to 
that huntgroup?
Then can each huntgroup have a different group defined in the radgroup/radcheck 
table?

What I want to do is to restrict certain users to only be able to access 
certain routers.
At the same time those users would belong to certain groups, each with its own 
definitions like time limits, bandwidth limits, IP-Pools etc.

If so, what happens if the NAS the user can connect to is listed as, say, number 3 
in the list of the available NASes in the huntgroup?
How will the availability of NASes be checked for that user?

Can a user belong to multiple huntgroups?





Re[11]: daily limit

2005-05-11 Thread avudz


Wednesday, May 11, 2005, 5:47:16 PM, you wrote:

a> Hello Marcin,

a> Wednesday, May 11, 2005, 5:09:01 PM, you wrote:

MJ> Hi.

MJ> Yepp, that should work, i.e.

MJ> mysql> select * from radcheck;
MJ> +----+----------+-------------------+----+------------+
MJ> | id | UserName | Attribute         | op | Value      |
MJ> +----+----------+-------------------+----+------------+
MJ> |  5 | yazzy    | User-Password     | := | yazzy      |
MJ> |  6 | yazzy    | Max-Daily-Session | := | 3600       |
MJ> |  7 | yazzy    | Expiration        | := | 2005-01-10 |
MJ> +----+----------+-------------------+----+------------+

MJ> Or you could put it to the radgroupreply table as well for your group.



--- Hello, sorry for bothering you again :-)
I've followed the example you pasted, but I can still log in with user
'avudz' even though I set a date 4 months old. Does it need some special
option at first configure?

Database changed
mysql> select * from radcheck;
+----+----------+------------+----+------------+
| id | UserName | Attribute  | op | Value      |
+----+----------+------------+----+------------+
[SNIP]
| 11 |       81 | Password   | := | avudz      |
| 12 |       81 | Expiration | := | 2005-01-10 |
+----+----------+------------+----+------------+
10 rows in set (0.00 sec)



-- 
Best regards,
 avudz




Re: Re[11]: daily limit

2005-05-11 Thread Marcin Jessa

Maybe the date format is incorrect?
I am not sure what those silly Americans use but afair it's of Month-Day-Year 
format - as logical as using body parts as the scale value for measurements :)
What does the debugging info say?





Re[13]: daily limit

2005-05-11 Thread avudz
Hello Marcin,

Wednesday, May 11, 2005, 6:32:36 PM, you wrote:


MJ> Maybe the date format is incorrect?
MJ> I am not sure what those silly Americans use but afair it's
MJ> of Month-Day-Year format - as logical as using body parts as the
MJ> scale value for measurements :)
MJ> What does the debugging info say?

Hehehe.. I don't have any idea about this; how do I debug an SQL date?

I tried this one:

mysql> select now();
+---------------------+
| now()               |
+---------------------+
| 2005-05-11 18:40:36 |
+---------------------+
1 row in set (0.00 sec)

I guess the formats are the same, Year-Month-Date format.



-- 
Best regards,
 avudz  mailto:[EMAIL PROTECTED]




NAS compatibility

2005-05-11 Thread Sylvain Clerc
Hello,

I have problems getting the Linksys wap54g and wrt54g to do radius
authentication. The NAS sends the request of the client and when
freeradius sends the Access-Challenge, it seems that the NAS doesn't
send it to the client. Naturally, the client sends another
Access-Request and that never finishes. It's very strange because it
works sometimes and stops working when it wants.

As the Linksys access points seem not to work fine with FreeRADIUS, I
would like to know what works well with it.

Thank you,
Sylvain Clerc.



Re: Re[13]: daily limit

2005-05-11 Thread Marcin Jessa
Run your radiusd with -X flag, this will force it to foreground and give you 
more info.
 



Re: help

2005-05-11 Thread Marcin Jessa
On Wed, 11 May 2005 13:39:01 +0200
zze-BEN SAID Mehdi RD-CORE-ISS [EMAIL PROTECTED] wrote:

> Hi;
> I'm student and I'm new to freeRadius, actually I'm new to Radius!

Hi. I used to be student and new to FreeRadius, then I started to read the docs 
and man pages.
Then came google to make my life even easier.

> I just need some help for installing and running a Radius client.
> Thanks

Here is some help 
I know it's not as generic as your question but with the information you 
provided that's the best I can do at the moment.


Re: help

2005-05-11 Thread Ernesto Freyre Ramírez



Hi, I think your question is about the process of 
compiling and installing. 

This is like other Linux software, with a previous 
configure stage with some parameters. If you want more help, I think you could 
send me an email.

If you wish to learn more about RADIUS itself, I 
think you must first look into the concept, and then go on to learn how to work with 
a specific RADIUS such as freeradius.


Ernesto Freyre Ramírez
Head of Operations
Qnet
Soluciones Tecnológicas
Av. Paseo de la República 4675 - Lima 34
Tel.: (511) 241-4122 Ext. 2245
Fax: (511) 446-8135
Visit us at: www.qnet.com.pe


reply-message

2005-05-11 Thread Lucas Aimaretto
Hi all,

I'm willing to send a reply-message when access-reject occurs. The thing
is that, if authorize_check_query fails ( ie: user is not found) , then
authorize_reply_query is not called. So, I do not know how to send back
a Reply-Message Attribute if authorize_reply_query is not executed.

Best Regards,

Lucas



Re: help

2005-05-11 Thread Marcin Jessa

Don't you love it when you need to guess people's question?





RADIUS on Linux Network

2005-05-11 Thread Paulo C. Panaligan
Hello! My name is Paulo. I would like to set up a network using at least two different operating systems. My main choices are SUSE Linux and Windows XP (not Windows 2K). I am planning to set up a network that runs through a RADIUS server. I will install the server on SUSE Linux and have my Windows XP as my client. I am also planning to have my client access the server remotely from any location using a VPN connection. I don't know if this is possible. I am not really familiar with Linux and am having a problem getting started. My Windows XP is loaded on my built-in Wi-Fi laptop and I am about to load SUSE Linux onto one of my old computers. What other devices should be involved? I am really having trouble figuring out how to build this kind of network. I need to get this done in less than two weeks. If you have any help to offer, please contact me as soon as possible. Thank you in advance. I will be waiting for your reply.

Re: help

2005-05-11 Thread ccarver
This is a good book for general RADIUS protocol information and some good
freeradius specifics:

http://www.oreilly.com/catalog/radius/index.html

If you are running into a specific problem you need help with, then ask a
specific question.

-Chris

Quoting zze-BEN SAID Mehdi RD-CORE-ISS [EMAIL PROTECTED]:

> Hi;
> I'm student and I'm new to freeRadius, actually I'm new to Radius!
> I just need some help for installing and running a Radius client.
> Thanks


Re: help

2005-05-11 Thread Paulo C. Panaligan
Is there anyone you know who can help me set up a network step by step from scratch? Thx.

Hello! My name is Paulo. I would like to set up a network using at least two different operating systems. My main choices are SUSE Linux and Windows XP (not Windows 2K). I am planning to set up a network that runs through a RADIUS server. I will install the server on SUSE Linux and have my Windows XP as my client. I am also planning to have my client access the server remotely from any location using a VPN connection. I don't know if this is possible. I am not really familiar with Linux and am having a problem getting started. My Windows XP is loaded on my built-in Wi-Fi laptop and I am about to load SUSE Linux onto one of my old computers. What other devices should be involved? I am really having trouble figuring out how to build this kind of network. I need to get this done in less than two weeks. If you have any help to offer, please contact me as soon as possible. Thank you in advance. I will be waiting for your reply.

[EMAIL PROTECTED] wrote:

> This is a good book for general RADIUS protocol information and some good
> freeradius specifics:
>
> http://www.oreilly.com/catalog/radius/index.html
>
> If you are running into a specific problem you need help with, then ask a
> specific question.
>
> -Chris
>
> Quoting zze-BEN SAID Mehdi RD-CORE-ISS <[EMAIL PROTECTED]>:
>
> > Hi;
> > I'm student and I'm new to freeRadius, actually I'm new to Radius!
> > I just need some help for installing and running a Radius client.
> > Thanks

RE: RADIUS on Linux Network

2005-05-11 Thread Paulo C. Panaligan
Thanks for replying. This is going to be my graduation project. I am trying to set up a network consisting of Linux and Windows XP. The server (RADIUS) is going to be installed on Linux, with my Windows XP as my client. What materials do I need to have and how do I start?

[EMAIL PROTECTED] wrote:

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paulo C. Panaligan
> Sent: Wednesday, May 11, 2005 10:19 AM
> To: freeradius-users@lists.freeradius.org
> Subject: RADIUS on Linux Network
>
> > Hello! My name is Paulo. I would like to set up a network using at least two different operating systems.
>
> Hello, Paulo,
>
> > My main choices are SUSE Linux and Windows XP (not Windows 2K).
> > I am planning to set up a network that runs through a RADIUS server.
>
> > I need to get this done in less than two weeks. If you have any help to offer, please contact me as soon as possible.
>
> less than two weeks, as soon as possible... umm
>
> where can I send you my rate card?
>
> > Thank you in advance. I will be waiting for your reply.
>
> You're welcome.
> Ahh wait, you want free support from a free open forum, ummm
> you will have to be more specific: what exactly are you trying to do, what problem are you trying to solve, is this an experiment or homework?
>
> :)



RE: RADIUS on Linux Network

2005-05-11 Thread Paulo C. Panaligan
Thanks for replying. This is going to be my graduation project. I am trying to set up a network consisting of Linux and Windows XP. The server (RADIUS) is going to be installed on Linux, with my Windows XP as my client. I was going to set up three workstations running three different OSes but then I realized that I don't have much time to do so. What materials do I need to have and how do I start? Thx in advance.

Brian Ertel [EMAIL PROTECTED] wrote:

> Paulo,
>
> What are you using for a VPN server? I am assuming you want to use freeradius to
> authenticate remote users who are connecting to the VPN server to then gain access
> to resources on your network.
>
> Brian
>
> __
> Brian Ertel Network Administrator Amherst College [EMAIL PROTECTED] 413.542.8320
> __

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paulo C. Panaligan
Sent: Wednesday, May 11, 2005 12:19 PM
To: freeradius-users@lists.freeradius.org
Subject: RADIUS on Linux Network

Hello! My name is Paulo. I would like to set up a network using at least two different operating systems. My main choices are SUSE Linux and Windows XP (not Windows 2K). I am planning to set up a network that runs through a RADIUS server. I will install the server on SUSE Linux and have my Windows XP as my client. I am also planning to have my client access the server remotely from any location using a VPN connection. I don't know if this is possible. I am not really familiar with Linux and am having a problem getting started. My Windows XP is loaded on my laptop with built-in Wi-Fi and I am about to load SUSE Linux onto one of my old computers. What other devices should be involved? I am really having trouble figuring out how to build this kind of network. I need to get this done in less than two weeks. If you have any help to offer, please contact me as soon as possible. Thank you in advance. I will be waiting for your reply.

posgresql how to

2005-05-11 Thread avudz
Hello,

  Does anybody know where I can download / read a radius-postgre how-to? I
  think I'd better switch to postgre :-)
  

-- 
Best regards,
 ./avd  mailto:[EMAIL PROTECTED]




RADIUS NETWORK

2005-05-11 Thread Paulo C. Panaligan
WHAT MATERIALS DO I NEED TO SETUP A RADIUS NETWORK ON LINUX?

RE: RADIUS NETWORK

2005-05-11 Thread mmiranda




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paulo C. Panaligan
Sent: Wednesday, May 11, 2005 11:18 AM
To: freeradius-users@lists.freeradius.org
Subject: RADIUS NETWORK

WHAT MATERIALS DO I NEED TO SETUP A RADIUS NETWORK ON LINUX?

A radius server, and at least one machine running some type of radius client.


Re: (no subject)

2005-05-11 Thread Raghu
On 5/8/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Hello, I have a problem and I hope that You can help me, please!?
 
 version: 1.0.0
 I want use (Free)RADIUS for AAA on IPv6.
 Only one router, one RADIUS server and one user. The user (IPv6 address) connects with Telnet to
 the router (IPv6 address).
 Questions:
 Can RADIUS solve this problem?
 Can RADIUS run on Linux with an IPv6 address? (problem with: radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 - there is no IPv6 address)
 If yes, I need the configuration of RADIUS.
 If no, and it is on an IPv4 address, I need the configuration of RADIUS.
 Example (if all addresses are IPv4):
 Conf. on router:
 Router(config)# aaa new-model
 Router(config)# radius-server host 192.168.2.2 auth-port 1812 acct-port 1813
 Router(config)# radius-server retransmit 1
 Router(config)# radius-server key radius
 Router(config)# aaa authentication login default group radius
 Router(config)# aaa authorization exec default group radius
 Conf. of RADIUS:
 clients.conf:
   client 192.168.2.1  {
   secret  = radius
 shortname  = ethernet
 nastype= cisco
 }
 users:
 test Auth-Type := Local, User-Password == test
 
 I read RFC 3162 but it didn't help me...
 best solution for me is:
 
 Router(config)# aaa new-model
 Router(config)# radius-server host !!different!! 2001::2/64(IPv6) auth-port 1812 acct-port 1813
 Router(config)# radius-server retransmit 1
 Router(config)# radius-server key radius
 Router(config)# aaa authentication login default group radius
 Router(config)# aaa authorization exec default group radius
 Conf. of RADIUS:
 clients.conf:
   client !!different!!2001:1::/64(Ipv6)  {
   secret  = radius
 shortname  = ethernet
 nastype= cisco
   !!different!!
 and there something like : Login-IPv6-Host
   NAS-IPv6-Address
 }
 users:
 test Auth-Type := Local, User-Password == test

 but this is not possible :)
 PLEASE HELP!


Try the latest CVS and try your IPv6 client configuration.
For now, I guess, Login-IPv6-Host and NAS-IPv6-Address
are not supported.

-Raghu



RE: RADIUS NETWORK

2005-05-11 Thread King, Michael
Before this gets too much further.

You are experiencing a hard time because you have not done any research
on your own, you are just asking for help.  

Especially when many howtos / write-ups exist on the exact subject you
are inquiring about.

For people with no sense of humor
http://www.google.com/search?query=FreeRADIUS++WinXP+Authentication+Setup


**WARNING** this link is only for people with a sense of humor

www.justfuckinggoogleit.com/search.pl?query=FreeRADIUS/WinXP%20Authentication%20Setup



PS, it's generally discouraged to send HTML mail to mailing lists.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paulo
C. Panaligan
Sent: Wednesday, May 11, 2005 1:18 PM
To: freeradius-users@lists.freeradius.org
Subject: RADIUS NETWORK


WHAT MATERIALS DO I NEED TO SETUP A RADIUS NETWORK ON LINUX?




DialupAdmin/LDAP - General Questions

2005-05-11 Thread Mathieu Bénard
Hello
I'd like to manage my LDAP users with DialupAdmin Radius interface, and 
here come a few questions.

1: It seems that DialupAdmin uses LDAPv2 protocol. Can it possibly use 
LDAPv3 ?
2: From what I read in the /lib/ldap/create_user.php3:

   $dn = 'uid=' . $login . ',' . $config[ldap_default_new_entry_suffix];
   $new_user_entry[objectclass][0]=top;
   $new_user_entry[objectclass][1]=person;
   $new_user_entry[objectclass][2]=organizationalPerson;
   $new_user_entry[objectclass][3]=inetOrgPerson;
   $new_user_entry[objectclass][4]=radiusprofile;

dialupadmin intends to use an old radius LDAP schema instead of 
RADIUS-LDAPv3.schema. It uses uid= as mandatory attribute, but with 
RADIUS-LDAPv3.schema, cn= is expected.
I don't want to modify the source of dialupadmin, so should I use an 
older radius schema, or modify it by myself ?

Thanks a lot
Mafioo



Re: reply-message

2005-05-11 Thread Alan DeKok
Lucas Aimaretto [EMAIL PROTECTED] wrote:
 I'm willing to send a reply-message when access-reject occurs. The thing
 is that, if authorize_check_query fails ( ie: user is not found) , then
 authorize_reply_query is not called. So, I do not know how to send back
 a Reply-Message Attribute if authorize_reply_query is not executed.

  List a module in the Reject section of post-auth.

  The SQL configuration you're using is meant to give users
attributes.  It's NOT meant to deal with users who aren't found at
all.  The rest of the server configuration allows you to control that.

  Alan DeKok.




RE: reply-message

2005-05-11 Thread Lucas Aimaretto
  I'm willing to send a reply-message when access-reject occurs. The 
  thing is that, if authorize_check_query fails ( ie: user is 
  not found) then authorize_reply_query is not called. So, I do not 
  know how to send back a Reply-Message Attribute if 
  authorize_reply_query is not executed.
 
   List a module in the Reject section of post-auth.
 
   The SQL configuration you're using is meant to give users 
 attributes.  It's NOT meant to deal with users who aren't 
 found at all.  The rest of the server configuration allows 
 you to control that.

Thanks for the fast response!

Now, what do you suggest to do? I'm needing to have some reply-messages
according to some situations. 

Example: credit of user  0, then Reply-Message = No credit
         destination not available, then Reply-Message = Destination error
         etc ...

But, as you said, I'm checking this at the authorize_check_query. If any
of those conditions fail, I'm returning an empty table, and so,
authorize_check_query fails ... then authorize_reply_query is not
executed. Finally, I have no reply-attributes to send back to NAS.

I've tried the post-auth, with the sql module, and a postauth_query. The
table I return contains the Reply-Message = THE_MESSAGE_NEEDED, but I
can not see the Reply-Message attribute at the access-reject reply.
Obviously it is not adding that attribute to the reply.

How could I add some reply-messages at the access-reject reply, with
variable content, according to some situations? ( keep in mind that I
have all the users info at a sql database ).

Besides this reply-message detail, I really need to say that freeradius
is just a wonderful program. It is really versatile and I only have
thankful words to the programmers of it. I was using ic-radius and I was
kind of scared about migrating to freeradius, because I would take so
much time. It only took a week  Thanx again ...

Regards,

Lucas




Re: Auth-Type = System and DSL Static IP

2005-05-11 Thread Dustin Doris
On Tue, 10 May 2005, Andrey wrote:

 Hi List,

 I have a question about Auth-Type = System. I have several accounts that
 need to be authenticated through System and it works great as long as
 the IP is assigned dynamically. As soon as I switch an account to static
 IP, it authenticates but does not assign the desired ip address. I'm
 guessing it's to do with the order in which things are checked: 1) check
 sql - auth-type: system; 2) system - authenticate; 3) assign dynamic
 ip, since it's not going back to sql, but of course it might be
 something else.


When you say dynamic are you referring to rlm_ip_pool?  If so, make sure
you have override = no in your config.  If you set it to override = yes,
then ippool will override the reply item you already have configured for
the user.

When you say switch the account to static IP, what do you mean by that?
Does that mean that you are assigning the reply item of Framed-IP-Address?
If so, that should not be overwritten by ip_pool so long as you have
override = no.

Otherwise - post some debug output (radiusd -X)





Re: EAp/TSL authorization problem

2005-05-11 Thread Sergey Guriev
   3  2005 22:39 Jim Seymour :

 Hmmm... I thought it meant simply that the User-Name was a match.


Anyway, I changed it to User-Password and nothing has changed.

 Regards, Sergey.
--
Sergey A. Guriev
Organization: New Telephone Company
e-mail: [EMAIL PROTECTED]
--



Re: EAp/TSL authorization problem

2005-05-11 Thread Sergey Guriev
   3  2005 22:39 Jim Seymour :
 Sergey Guriev [EMAIL PROTECTED] wrote:


 Hmmm... I thought it meant simply that the User-Name was a match.

And, also I see that in the Radius.log 

---
Thu May 12 08:28:14 2005 : Info: rlm_eap_tls:  Length Included
Thu May 12 08:28:14 2005 : Error: TLS_accept:error in SSLv3 read client certificate A
Thu May 12 08:28:14 2005 : Info: rlm_eap_tls:  Length Included
Thu May 12 08:28:14 2005 : Info: (other): SSL negotiation finished successfully
Thu May 12 08:28:14 2005 : Info: rlm_eap_tls: Received EAP-TLS ACK message
---

 Regards, Sergey.
--
Sergey A. Guriev
Organization: New Telephone Company
e-mail: [EMAIL PROTECTED]
--



OpenLDAP / FreeRADIUS / Cisco 5350 problem

2005-05-11 Thread Douglas G. Phillips
I'm running into an issue here, and I can't seem to find the forest for
the trees.  I'm probably overlooking something obvious, and am not
searching correctly for the problem.

Our LDAP server is using crypted passwords at the moment.

The router is a cisco 5350.  RADIUS is FreeRADIUS 1.0.1-2 on Debian
Sarge.

The problem is this: If I pass the radtest client a clear-text password,
authentication is successful.  If either I pass the client an encrypted
password (copied from the logs) or point the 5350 at the radius server,
it doesn't work.  I verified that the shared secret is correctly matched
with what is in the router.

Here is a sample of the password that is being passed:

User-Password = \240d\351E\3737\025\022\0227,(rest removed)

Here is the configuration (comments omitted to save space).  I have
tried with the password_header both set to {CRYPT} and commented out.

ldap {
 server = ***
 identity = 
 password = 
 basedn = ou=people,dc=eiu,dc=edu
 filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 dictionary_mapping = ${raddbdir}/ldap.attrmap
 ldap_connections_number = 5
 password_header = {CRYPT}
 timeout = 4
 timelimit = 3
 net_timeout = 1
}

authorize {
 preprocess
 auth_log
 suffix
 ldap
}

authenticate {
 Auth-Type LDAP {
  ldap
 }
}

Any ideas?

Thanks.
-- 
Douglas G. Phillips
Distributed Computing Information Technology Services
Eastern Illinois University(217) 581-7631





Re: OpenLDAP / FreeRADIUS / Cisco 5350 problem

2005-05-11 Thread Vladimir Vuksan
Douglas G. Phillips wrote:
Here is a sample of the password that is being passed:
User-Password = \240d\351E\3737\025\022\0227,(rest removed)
 

This may imply that your shared secret is incorrect. Please verify that 
RADIUS shared secret on Cisco 5350 and shared secret for that particular 
IP in clients.conf match.

Vladimir


Re: OpenLDAP / FreeRADIUS / Cisco 5350 problem

2005-05-11 Thread Alan DeKok
Douglas G. Phillips [EMAIL PROTECTED] wrote:
 Our LDAP server is using crypted passwords at the moment.

  RADIUS clients can use PAP.  Nothing else.

 The problem is this: If I pass the radtest client a clear-text password,
 authentication is successful.  If either I pass the client an encrypted
 password (copied from the logs)

  That won't work.  The server will interpret the User-Password
attribute as the clear-text password, because that's the definition of
User-Password.

  There are no provisions in RADIUS for passing crypt'd passwords in a
RADIUS packet.


 ... or point the 5350 at the radius server, it doesn't work.

  I don't see why.

 Here is the configuration (comments omitted to save space).  I have
 tried with the password_header both set to {CRYPT} and commented out.

  That tells the LDAP module how to interpret the password it gets
from the LDAP server.  It doesn't tell FreeRADIUS to treat
User-Password as a crypt'd password.  The documentation for the LDAP
module makes the first point clear.

  Alan DeKok.




Re: OpenLDAP / FreeRADIUS / Cisco 5350 problem

2005-05-11 Thread Julien freeradius
Hello Douglas,
The password that you are trying to resend is not the encrypted password; it's 
an ASCII representation of your encrypted password.
I assume that you need to activate the chap (or pap with an 
encryption_scheme = crypt) module to be able to authenticate this request.
I don't know about LDAP, but I authenticate this kind of encrypted 
password with mysql using a scheme like this:

modules {
    [...]
    pap {
        encryption_scheme = crypt
    }
    [...]
    chap {
        authtype = CHAP
    }
    [...]
}
authorize {
    preprocess
    auth_log
    chap
    suffix
    # I'm using MySQL instead of LDAP ...
    sql
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
    Auth-Type CHAP {
        chap
    }
}
Hope this can help you.


Re: DialupAdmin/LDAP - General Questions

2005-05-11 Thread Chris Carver
Mathieu Bénard wrote:

Hello
I'd like to manage my LDAP users with DialupAdmin Radius interface, 
and here come a few questions.

1: It seems that DialupAdmin uses LDAPv2 protocol. Can it possibly use 
LDAPv3 ?

Absolutely.  I'm using it right now.

2: From what I read in the /lib/ldap/create_user.php3:

   $dn = 'uid=' . $login . ',' . $config[ldap_default_new_entry_suffix];
   $new_user_entry[objectclass][0]=top;
   $new_user_entry[objectclass][1]=person;
   $new_user_entry[objectclass][2]=organizationalPerson;
   $new_user_entry[objectclass][3]=inetOrgPerson;
   $new_user_entry[objectclass][4]=radiusprofile;

dialupadmin intend to use an old radius LDAP schema instead of 
RADIUS-LDAPv3.schema. It uses uid= as mandatory attribute, but with 
RADIUS-LDAPv3.schema, cn= is expected.
I don't want to modify the source of dialupadmin, so should I use an 
older radius schema, or modify it by myself ?

I modified my schema to use cn=. The objectclass radiusprofile is 
constructed as follows:

objectclass
  ( 1.3.6.1.4.1.3317.4.3.2.1
 NAME 'radiusprofile'
 SUP top STRUCTURAL
 DESC ''
 MUST cn
 MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $
   radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
   radiusCalledStationId $ radiusCallingStationId $ radiusClass $
   radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $
   radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $
   radiusFramedCompression $ radiusFramedIPAddress $
   radiusFramedCompression $ radiusFramedIPAddress $
   radiusFramedIPNetmask $ radiusFramedIPXNetwork $
   radiusFramedMTU $ radiusFramedProtocol $
   radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $
   radiusGroupName $ radiusHint $ radiusHuntgroupName $
   radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
   radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
   radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $
   radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $
   radiusRealm $ radiusReplicateToRealm $ radiusServiceType $
   radiusSessionTimeout $ radiusStripUserName $
   radiusTerminationAction $ radiusTunnelAssignmentId $
   radiusTunnelClientEndpoint $ radiusIdleTimeout $
   radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
   radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
   radiusLoginTCPPort $ radiusPasswordRetry $ radiusPortLimit $
   radiusPrompt $ radiusProfileDn $ radiusServiceType $
   radiusSessionTimeout $ radiusSimultaneousUse $
   radiusTerminationAction $ radiusTunnelAssignmentId $
   radiusTunnelClientEndpoint $ radiusTunnelMediumType $
   radiusTunnelPassword $ radiusTunnelPreference $
   radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $
   radiusTunnelType $ radiusUserCategory $ radiusVSA )
 )

I hope that helps.
-Chris


Re: RADIUS NETWORK

2005-05-11 Thread Jim Seymour
Paulo C. Panaligan [EMAIL PROTECTED] wrote:
 
 WHAT MATERIALS DO I NEED TO SETUP A RADIUS NETWORK ON LINUX?

Paulo, you're not getting any useful answers because you're violating
every rule in the book on how to go about asking for help.  Briefly:
You're asking a group of people, this mailing list, to do all your work
for you, to spoon-feed you, as it were, without demonstrating any
willingness to expend any energy, time or resources of your own into
learning how to do things.

Mailing lists and other forums like this one do not exist to do your
work for you, but to help you get over rough spots and improve the
product/project through bug reports, etc.

I might note that students pestering mailing lists to do their
school-work for them are generally particularly unwelcome.  Ask for
help: Certainly.  Ask us to do your project for you: No.

I believe you'd be well-advised to read this:

http://www.catb.org/~esr/faqs/smart-questions.html

Pay particular attention to the section entitled Before You Ask.

Good luck.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at http://jimsun.linxnet.com/scform.php.



RE: RADIUS NETWORK

2005-05-11 Thread mmiranda
[EMAIL PROTECTED] wrote:
 Paulo C. Panaligan [EMAIL PROTECTED] wrote:
 
 WHAT MATERIALS DO I NEED TO SETUP A RADIUS NETWORK ON LINUX?
 
 Paulo, you're not getting any useful answers because you're violating
 every rule in the book on how to go about asking for help. 
 
 I believe you'd be well-advised to read this:
 
 http://www.catb.org/~esr/faqs/smart-questions.html
 
 Pay particular attention to the section entitled Before You Ask.
 

I believe this link will clarify in more detail what Paulo is doing wrong

http://perl.plover.com/Questions.html

I can't think of a better example, Paulo: read it carefully and don't even
think of posting any more messages before you understand what we are talking
about. 



Re: HuntGroup + MySQL

2005-05-11 Thread Dustin Doris

On Wed, 11 May 2005, Julien freeradius wrote:

 Hello,

 I would like to set freeradius to send a PPP like configuration if the
 request come from a nas and a VPN style configuration if coming from
 another NAS. More or less like that :

 huntgroups file:
 PPP  NAS-IP-Address == 192.168.2.1
 VPN  NAS-IP-Address == 192.168.2.2


 Users file:

 DEFAULT  Huntgroup-Name = PPP
 Framed-Protocol = PPP,
 Framed-Compression = Van-Jacobson-TCP-IP,
 Framed-IP-Address = 255.255.255.254

 DEFAULT  Huntgroup-Name = VPN
 CVPN3000-Primary-DNS = XXX.XXX.XXX.XXX,
 CVPN3000-Secondary-DNS = XXX.XXX.XXX.XXX


 But I'm using MySQL. So I have set it as this:

 Usergroup table :

 | id  | UserName  | GroupName |
 | 1   | TestUser | confPPP   |
 | 2   | TestUser | confVPN   |

 Radgroupcheck Table :

 | id | GroupName | Attribute      | op | Value |
 |  4 | confVPN   | Huntgroup-Name | += | VPN   |
 |  8 | confPPP   | Huntgroup-Name | += | PPP   |

Why do you have the operator as += ?  Try it with == instead.


 RadgroupReply table :

 | id  | GroupName | Attribute              | op | Value               | prio |
 | 701 | confPPP   | Framed-Address         | := | 255.255.255.254     | 3    |
 | 700 | confPPP   | Framed-Protocol        | := | PPP                 | 2    |
 | 702 | confPPP   | Framed-Compression     | := | Van-Jacobsen-TCP-IP | 4    |
 | 711 | confPPP   | Fall-Through           | := | No                  | 5    |
 | 703 | confVPN   | CVPN3000-Primary-DNS   | := | 1                   | 0    |
 | 704 | confVPN   | CVPN3000-Secondary-DNS | := | 1                   | 0    |


 The authentication works, the huntgroup is matched correctly (I see the hunt
 group in the log), but the reply always includes both sets of data, the reply of
 the VPN AND the reply of the PPP. How can I reply with only the VPN
 attributes when the request is coming from the VPN NAS, and the PPP attributes
 for the other one?

 Thanks in advance.


Read man 5 users.  In that it says += always matches as a check item and
== matches if the named attribute is present and has the given value.

I think that is where your problem lies.





Windows/Linux

2005-05-11 Thread Paulo C. Panaligan
Hello,

Thanks for replying back. I was just wondering: can I set up a secured connection between two computers, running Linux as my server and Windows XP as my client, connected from a school LAN connection to a wireless router through a RADIUS server? I have some resources for you to check out:

http://www.enterasys.com/support/manuals/Pol_Mgr1_5_0-web/docs/p_ht_authconfig_x.html

http://text.dslreports.com/forum/remark,9286052~mode=flat

I think the materials that I am going to use are: 

A computer with SUSE Linux
A wireless router (Belkin Wireless-G Router with 4-Port Switch)
A built-in Wi-Fi laptop with Windows XP

Do you think this is going to work? If not, please contact me as soon as possible. Thanks

Re: OpenLDAP / FreeRADIUS / Cisco 5350 problem

2005-05-11 Thread Alexei Chetroi
On Wed, May 11, 2005 at 05:28:27PM -0500, Douglas G. Phillips wrote:
 Date: Wed, 11 May 2005 17:28:27 -0500
 From: Douglas G. Phillips [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Subject: OpenLDAP / FreeRADIUS / Cisco 5350 problem
 
 I'm running into an issue here, and I can't seem to find the forest for
 the trees.  I'm probably overlooking something obvious, and am not
 searching correctly for the problem.
 
 Our LDAP server is using crypted passwords at the moment.
  ^ In this case only pap authentication
will work. For chap/ms-chap etc you need clear text password from DB
backend.

  Best wishes

--
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law
