Re: MySql Query Problem
Hi,

I tried my level best to get this query going, but it's still not getting into proper action. I am writing down the debug info from the Radius server. Have a look over it and let me know how I can get this query going.

Scenario: a user 'masad2' is calling another endpoint 'user'. After looking at the first query request reply, you can see that Radius sends Access-Accept. But then the request comes up again from the Calling Station (I didn't do it myself; rather the program gets its execution after a single click). So how can I continue with accepting the first request only and not process the rest of the requests?

Debug: supplying it as an attachment because it's too big for writing over here.

Thanks

On 5/20/05, Marcin Jessa [EMAIL PROTECTED] wrote:

    Hi.
    Looks like this query will use quite a while to get executed. What does the debug mode say? Any timeouts?

    Regards,
    Marcin Jessa

    On Fri, 20 May 2005 13:16:20 +0500 Kamran Bukhari [EMAIL PROTECTED] wrote:

        Hello
        I want to do the authentication using MySQL on Radius. I was doing it till now, when I ended up with a new query of my own. I developed a new query for authentication which is not allowing me to enter. Help me out with it.

            authorize_check_query = SELECT DISTINCT ${authcheck_table}.id,${authcheck_table}.UserName,${authcheck_table}.Attribute,${authcheck_table}.Value,${authcheck_table}.op
                FROM ${authcheck_table}, ${groupcheck_table}
                WHERE (${authcheck_table}.Username = '%{Calling-Station-Id}')
                  and (${authcheck_table}.Permission = 'allow')
                  and (${groupcheck_table}.Permission='allow')
                  and (${groupcheck_table}.UserName='%{Calling-Station-Id}')
                  and (${groupcheck_table}.Blocked='Called-Station-Id')
                ORDER BY ${authcheck_table}.id

        authcheck_table is like this: Id, UserName, Attribute, op, Value, Permission

        and my groupcheck_table table is like this: UserName, Blocked, Permission

        The basic problem I am facing is that I want to use an alias from Calling-Station-Id. How can I do this? I want to cut the alias from both attributes (Calling-Station-Id and Called-Station-Id) and then match them against the values in the table. Help me out

        --
        Kamran Bukhari

        - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Kamran Bukhari

Attached debug output:

    rad_recv: Access-Request packet from host 150.150.15.112:3893, id=255, length=227
        User-Name = masad2
        User-Password = common
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = GK2
        NAS-Port-Type = Virtual
        Service-Type = Login-User
        Framed-IP-Address = 150.150.15.112
        Calling-Station-Id = masad2
        Called-Station-Id = user
        h323-conf-id = h323-conf-id=4B53E709 5F31810 96D1000C F171813D
        h323-call-origin = h323-call-origin=originate
        h323-call-type = h323-call-type=VoIP
        h323-gw-id = h323-gw-id=GK2
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    radius_xlat: '/usr/local/var/log/radius/radacct//auth-detail-20050524'
    rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct//auth-detail-20050524
    modcall[authorize]: module auth_log returns ok for request 0
    radius_xlat: 'masad2'
    rlm_sql (sql): sql_set_user escaped user -- 'masad2'
    radius_xlat: 'SELECT DISTINCT radcheck.id,radcheck.UserName,radcheck.Attribute,radcheck.Value,radcheck.op FROM radcheck, Block WHERE (radcheck.Username = 'masad2') and (radcheck.Permission = 'allow') and (Block.Permission='allow') and (Block.UserName='masad2') and (Block.Blocked='user') ORDER BY radcheck.id'
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql_mysql: query: SELECT DISTINCT radcheck.id,radcheck.UserName,radcheck.Attribute,radcheck.Value,radcheck.op FROM radcheck, Block WHERE (radcheck.Username = 'masad2') and (radcheck.Permission = 'allow') and (Block.Permission='allow') and (Block.UserName='masad2') and (Block.Blocked='user') ORDER BY radcheck.id
    radius_xlat: ''
    radius_xlat: 'SELECT DISTINCT radcheck.id,radcheck.UserName,radcheck.Attribute,radcheck.Value,radcheck.op FROM radcheck, Block WHERE (radcheck.Username = 'masad2') and (radcheck.Permission = 'allow') and (Block.Permission='allow') and (Block.UserName='masad2') and (Block.Blocked='user') ORDER BY radcheck.id'
    rlm_sql_mysql: query: SELECT DISTINCT radcheck.id,radcheck.UserName,radcheck.Attribute,radcheck.Value,radcheck.op FROM radcheck, Block WHERE (radcheck.Username = 'masad2') and (radcheck.Permission = 'allow') and (Block.Permission='allow') and (Block.UserName='masad2') and (Block.Blocked='user') ORDER BY radcheck.id
    radius_xlat: ''
    rlm_sql (sql): Released sql socket id: 4
    modcall[authorize]: module sql returns ok for request 0
    modcall: group authorize returns ok for request 0
    auth: type Local
    auth: user supplied User-Password matches local User-Password
    Sending Access-Accept of id 255
Re: radius server and sql server
I could not get the snapshot to compile/install properly. I see from Google that a few others also have the same compile difficulty with the eap modules. But I managed to compile the program radsqlrelay. It is a command line tool, but how am I going to tell it all those configuration settings in radius.conf and sql.conf? I also have a tough time trying to persuade 'radsqlrelay' to do anything close to sensible:

    # radsqlrelay -d /etc/raddb detail-20050520
    Tue May 24 14:49:12 2005 : Error: Unable to open file Ðë?: No such file or directory
    radsqlrelay: Error reading radiusd.conf
    radsqlrelay: SQL module initialization failed.

:-(
authenticating client with server
I'm having a problem authenticating my client, Windows XP, to the server, SUSE Linux. Every time I run radiusd -X -A I get the following messages:

    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 3
    modcall[authorize]: module preprocess returns ok for request 3
    modcall[authorize]: module chap returns noop for request 3
    modcall[authorize]: module mschap returns noop for request 3
    rlm_realm: No '@' in User-Name = Paulo, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 3
    rlm_eap: EAP packet type response id 3 length 17
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 3
    users: Matched Paulo at 96
    modcall[authorize]: module files returns ok for request 3
    modcall: group authorize returns updated for request 3
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 3
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/tls
    rlm_eap: processing type tls
    rlm_eap_tls: Authenticate
    rlm_eap_tls: processing TLS
    rlm_eap_tls: Length Included
    eaptls_verify returned 11
    rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal unknown_ca
    TLS Alert read:fatal:unknown CA
    TLS_accept:failed in SSLv3 read client certificate A
    4606:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
    4606:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
    rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
    In SSL Handshake Phase
    In SSL Accept mode
    rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
    eaptls_process returned 13
    rlm_eap: Freeing handler
    modcall[authenticate]: module eap returns reject for request 3
    modcall: group authenticate returns reject for request 3
    auth: Failed to validate the user.
    Delaying request 3 for 1 seconds
    Finished request 3
    Going to the next request
    Waking up in 6 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 0 to 192.168.2.1:3080
        EAP-Message = 0x04030004
        Message-Authenticator = 0x
    Cleaning up request 3 ID 0 with timestamp 42929391
    Nothing to do. Sleeping until we see a request.

It could be having a problem with the certificate. I have a Wireless USB Adapter running the client configured with WPA / TLS / TKIP and a Wireless Router configured with WPA (with Radius Server) / TKIP. What could be the problem?
Configuring for multiple vendors
Hi everyone.

I am trying to set up my FreeRadius server for use with multiple vendors simultaneously, namely Cisco and Quintum. Currently we have everything working fine with Quintum boxes and are trying to add support for Cisco. We are using FreeRadius to call a SQL Server back end. Here is the stored procedure config for the group reply query in our mssql.conf file:

    authorize_group_reply_query = EXEC ${groupreply_sp} '%{SQL-User-Name}', '%{Calling-Station-Id}', '%{Called-Station-Id}', '%{Quintum-h323-conf-id}', '%{Quintum-AVPair}', '%{Quintum-h323-gw-id}', '%{NAS-IP-Address}', '%{Quintum-h323-call-origin}'

You can see the problem we are having: if we introduce a Cisco box then none of the vendor-specific attributes are matched by the radius server, and so we just get a load of blanks passed in to the stored procedure for these attributes. We have tried various things such as including the Cisco dictionary. However, Cisco attributes by default are in the format h323-x rather than Quintum-h323-x, so they again don't match the SQL procedure config. If we try changing the Quintum dictionary so its parameters are named similarly to Cisco's, then the radius won't even start, complaining that duplicate attribute names are defined (as indeed they are). Surely it must be possible to run free radius with equipment from multiple vendors... can anyone help?

Mike
RE: Configuring for multiple vendors
Well, if you have different vendor attributes for the same thing then you should be able to do, for example:

    %{Quintum-h323-call-origin:-%{Cisco-h323-call-origin}}

That will use Quintum-h323-call-origin if it exists, otherwise Cisco-h323-call-origin. See variables.txt in the doc directory for more details...

Cheers,
Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Chamberlain
Sent: Tuesday, 24 May 2005 5:08 PM
To: freeradius-users@lists.freeradius.org
Subject: Configuring for multiple vendors

    Hi everyone.

    I am trying to set up my FreeRadius server for use with multiple vendors simultaneously, namely Cisco and Quintum. Currently we have everything working fine with Quintum boxes and are trying to add support for Cisco. We are using FreeRadius to call a SQL Server back end. Here is the stored procedure config for the group reply query in our mssql.conf file:

        authorize_group_reply_query = EXEC ${groupreply_sp} '%{SQL-User-Name}', '%{Calling-Station-Id}', '%{Called-Station-Id}', '%{Quintum-h323-conf-id}', '%{Quintum-AVPair}', '%{Quintum-h323-gw-id}', '%{NAS-IP-Address}', '%{Quintum-h323-call-origin}'

    You can see the problem we are having: if we introduce a Cisco box then none of the vendor-specific attributes are matched by the radius server, and so we just get a load of blanks passed in to the stored procedure for these attributes. We have tried various things such as including the Cisco dictionary. However, Cisco attributes by default are in the format h323-x rather than Quintum-h323-x, so they again don't match the SQL procedure config. If we try changing the Quintum dictionary so its parameters are named similarly to Cisco's, then the radius won't even start, complaining that duplicate attribute names are defined (as indeed they are). Surely it must be possible to run free radius with equipment from multiple vendors... can anyone help?

    Mike
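The fallback form in the reply above, modelled in Python so it can be tried against constructed Quintum and Cisco requests offline (added example, not FreeRADIUS code; the stored-procedure name sp_groupreply, the sample attribute values and the Cisco-h323-x attribute names are assumptions, taken from the reply rather than from any dictionary):

```python
"""Model of the FreeRADIUS %{Attr:-default} xlat fallback from variables.txt.

Added example, not FreeRADIUS code. It expands %{...} references the way
the reply above describes, so the Quintum/Cisco stored-procedure query can
be checked against constructed requests. Real rlm_sql escapes the expanded
values before they enter the SQL string; this model does not, so do not
build live queries with it.
"""


def _match_brace(s, open_idx):
    """Index of the '}' closing the '{' at open_idx, honouring nesting."""
    depth = 0
    for j in range(open_idx, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unbalanced braces in xlat string: %r" % s)


def _expand_ref(body, attrs):
    """body is the text between %{ and }: 'Attr' or 'Attr:-default'."""
    name, sep, default = body.partition(":-")
    value = attrs.get(name, "")
    if value != "":
        return value
    if sep:
        # The default is itself an xlat string, so %{A:-%{B}} nests.
        return expand(default, attrs)
    return ""  # absent attribute: the blank the poster saw


def expand(template, attrs):
    """Expand every %{...} reference in template from the attrs dict."""
    out = []
    i = 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _match_brace(template, i + 1)
            out.append(_expand_ref(template[i + 2:end], attrs))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


# The Quintum-only query from the question (procedure name constructed).
QUINTUM_ONLY = (
    "EXEC sp_groupreply '%{SQL-User-Name}', '%{Calling-Station-Id}', "
    "'%{Called-Station-Id}', '%{Quintum-h323-conf-id}', "
    "'%{Quintum-h323-gw-id}', '%{Quintum-h323-call-origin}'"
)

# The same query with the fallback from the reply. The Cisco-side names must
# match whatever the loaded dictionary defines (the question notes the stock
# Cisco names are h323-x); Cisco-h323-x is used here as written in the reply.
WITH_FALLBACK = (
    "EXEC sp_groupreply '%{SQL-User-Name}', '%{Calling-Station-Id}', "
    "'%{Called-Station-Id}', "
    "'%{Quintum-h323-conf-id:-%{Cisco-h323-conf-id}}', "
    "'%{Quintum-h323-gw-id:-%{Cisco-h323-gw-id}}', "
    "'%{Quintum-h323-call-origin:-%{Cisco-h323-call-origin}}'"
)

# Constructed Access-Request attribute sets, one per vendor.
QUINTUM_REQUEST = {
    "SQL-User-Name": "user1", "Calling-Station-Id": "user1",
    "Called-Station-Id": "gateway", "Quintum-h323-conf-id": "4B53E709",
    "Quintum-h323-gw-id": "GK2", "Quintum-h323-call-origin": "originate",
}
CISCO_REQUEST = {
    "SQL-User-Name": "user1", "Calling-Station-Id": "user1",
    "Called-Station-Id": "gateway", "Cisco-h323-conf-id": "4B53E709",
    "Cisco-h323-gw-id": "GW1", "Cisco-h323-call-origin": "answer",
}


def blank_parameters(query):
    """Count '' parameters, i.e. attributes that expanded to nothing."""
    return query.count("''")


if __name__ == "__main__":
    for name, req in (("Quintum", QUINTUM_REQUEST), ("Cisco", CISCO_REQUEST)):
        print(name, "without fallback:", expand(QUINTUM_ONLY, req))
        print(name, "with fallback:   ", expand(WITH_FALLBACK, req))
```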
Re: Re: Kick users offline
Date: Mon, 23 May 2005 17:44:33 +0200
From: Alex Moreno [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: Re: Kick users offline
Reply-To: freeradius-users@lists.freeradius.org

    I do it using the Time-Out=time variable. Read the documentation for more information.

    On 5/23/05, Svetlana Vyslanko [EMAIL PROTECTED] wrote:

        I want to kick users offline if they are over their time limit. Can I do it using FreeRADIUS?

        Regards,
        Svetlana

In the documentation I read:

    Login-Time defines the time span a user may login to the system. After that a range of hours follows in hhmm-hhmm format. For example, Wk2305-0855,Sa,Su2305-1655. Radiusd calculates the number of seconds left in the time span, and sets the Session-Timeout to that number of seconds. So if someone's Login-Time is Al0800-1800 and she logs in at 17:30, Session-Timeout is set to 1800 seconds so that she is kicked off at 18:00.

and I set Session-Timeout (radtest shows it) but the current session doesn't kick off. It works on the authorization step but doesn't kick the online user.
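The Login-Time to Session-Timeout rule quoted in the documentation passage above, worked through in Python for both of the documented spec forms (added example, not FreeRADIUS's own timestr code; the day-code semantics listed in the docstring are assumptions about how the spec is read):

```python
"""Model of how a Login-Time check item becomes a Session-Timeout value.

Added example, not FreeRADIUS's timestr code. It implements the documented
rule ("calculates the number of seconds left in the time span and sets
Session-Timeout to that number") for specs such as Al0800-1800 or
Wk2305-0855,Sa,Su2305-1655. Assumed semantics: Al/Any = every day,
Wk = Mon-Fri, two-letter day names may be concatenated (MoTuWe), no day
code means every day, a token without hhmm-hhmm means the whole day, and a
range that ends before it starts wraps past midnight. Minute resolution.
"""
from datetime import datetime

MIN_PER_DAY = 24 * 60
DAY_CODES = {"mo": 0, "tu": 1, "we": 2, "th": 3, "fr": 4, "sa": 5, "su": 6}


def _hhmm(text):
    """'0855' -> 535 minutes past midnight."""
    if len(text) != 4 or not text.isdigit():
        raise ValueError("bad hhmm value: %r" % text)
    hours, minutes = int(text[:2]), int(text[2:])
    if hours > 24 or minutes > 59:
        raise ValueError("bad hhmm value: %r" % text)
    return hours * 60 + minutes


def _split_days(token):
    """'Wk2305-0855' -> ({0..4}, '2305-0855'); 'Sa' -> ({5}, None)."""
    low = token.lower()
    days = set()
    i = 0
    while i < len(low) and low[i].isalpha():
        if low.startswith("any", i):
            days.update(range(7))
            i += 3
        elif low[i:i + 2] == "al":
            days.update(range(7))
            i += 2
        elif low[i:i + 2] == "wk":
            days.update(range(5))
            i += 2
        elif low[i:i + 2] in DAY_CODES:
            days.add(DAY_CODES[low[i:i + 2]])
            i += 2
        else:
            raise ValueError("unknown day code in %r" % token)
    return (days or set(range(7))), (token[i:] or None)


def parse_login_time(spec):
    """Return allowed[weekday][minute_of_day] as a 7 x 1440 table of bools."""
    allowed = [[False] * MIN_PER_DAY for _ in range(7)]
    for token in filter(None, (t.strip() for t in spec.split(","))):
        days, rng = _split_days(token)
        if rng is None:
            start, end = 0, MIN_PER_DAY
        else:
            start, end = (_hhmm(p) for p in rng.split("-"))
        for d in days:
            if start < end:
                spans = [(d, start, end)]
            else:  # e.g. 2305-0855: tonight plus the early hours of tomorrow
                spans = [(d, start, MIN_PER_DAY), ((d + 1) % 7, 0, end)]
            for day, s, e in spans:
                for m in range(s, e):
                    allowed[day][m] = True
    return allowed


def session_timeout(spec, when):
    """Seconds left in the span containing `when` (a datetime).

    Returns 0 when login is not allowed at `when` (the server would reject
    the request) and None when the span never ends (nothing to time out).
    """
    allowed = parse_login_time(spec)
    day, minute = when.weekday(), when.hour * 60 + when.minute
    if not allowed[day][minute]:
        return 0
    minutes_left = 0
    while allowed[day][minute]:
        minutes_left += 1
        minute += 1
        if minute == MIN_PER_DAY:
            minute, day = 0, (day + 1) % 7
        if minutes_left > 7 * MIN_PER_DAY:
            return None  # walked a whole week without finding the end
    return minutes_left * 60


if __name__ == "__main__":
    # The documentation's own example: Al0800-1800, login at 17:30 -> 1800 s.
    print(session_timeout("Al0800-1800", datetime(2005, 5, 23, 17, 30)))
```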
Re: Configuring for multiple vendors
Fantastic! That is exactly what I was looking for. The only downside to this is that we will have to reconfigure the system for each additional manufacturer we want to add. Is there a more general way of doing it? Or is this just the nature of VSAs?

Thanks,
Mike

On 5/24/05, Mitchell, Michael J [EMAIL PROTECTED] wrote:

    Well, if you have different vendor attributes for the same thing then you should be able to do, for example:

        %{Quintum-h323-call-origin:-%{Cisco-h323-call-origin}}

    That will use Quintum-h323-call-origin if it exists, otherwise Cisco-h323-call-origin. See variables.txt in the doc directory for more details...

    Cheers,
    Mike

    -----Original Message-----
    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Chamberlain
    Sent: Tuesday, 24 May 2005 5:08 PM
    To: freeradius-users@lists.freeradius.org
    Subject: Configuring for multiple vendors

        Hi everyone.

        I am trying to set up my FreeRadius server for use with multiple vendors simultaneously, namely Cisco and Quintum. Currently we have everything working fine with Quintum boxes and are trying to add support for Cisco. We are using FreeRadius to call a SQL Server back end. Here is the stored procedure config for the group reply query in our mssql.conf file:

            authorize_group_reply_query = EXEC ${groupreply_sp} '%{SQL-User-Name}', '%{Calling-Station-Id}', '%{Called-Station-Id}', '%{Quintum-h323-conf-id}', '%{Quintum-AVPair}', '%{Quintum-h323-gw-id}', '%{NAS-IP-Address}', '%{Quintum-h323-call-origin}'

        You can see the problem we are having: if we introduce a Cisco box then none of the vendor-specific attributes are matched by the radius server, and so we just get a load of blanks passed in to the stored procedure for these attributes. We have tried various things such as including the Cisco dictionary. However, Cisco attributes by default are in the format h323-x rather than Quintum-h323-x, so they again don't match the SQL procedure config. If we try changing the Quintum dictionary so its parameters are named similarly to Cisco's, then the radius won't even start, complaining that duplicate attribute names are defined (as indeed they are). Surely it must be possible to run free radius with equipment from multiple vendors... can anyone help?

        Mike
freeradius with eap/tls/ttls and Access point Cisco 1100 don't authenticate
Hello,

I'm running freeradius-1.0.2 on Solaris 9 to authenticate a Cisco Aironet 1100 access point.

The Freeradius installation seems good:

    [EMAIL PROTECTED]/usr/local/bin/radtest test test localhost 0 testing123
    Sending Access-Request of id 241 to 127.0.0.1:1812
        User-Name = test
        User-Password = test
        NAS-IP-Address = euler
        NAS-Port = 0
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=241, length=20

    [EMAIL PROTECTED]tail -f /var/log/radius/radacct/localhost/auth-detail-20050524
    Packet-Type = Access-Request
    Tue May 24 09:45:32 2005
        User-Name = test
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
        Client-IP-Address = localhost

When I try to connect from the access point I obtain the error message:

    une erreur s'est produite lors de l'acces au reseau Airport tsunami

and the freeradius server is looping.

Here are the settings I have done:

access point: Hostname Radius, IP Address 139.124.3.235, ethernet MAC Address 0012.daec.3082, radio 802-11g MAC Address 0012.dacb.b0c0

settings for radio interface: world-mode: enable, radio preamble: short, ethernet encapsulation transform: RFC1042, Reliable Multicast to WGB: disable, Public Secure Packet Forwarding: disable, Short Slot-Time: enable

users file:

    mbourguel   Auth-Type := EAP
    mobile      Auth-Type := EAP, User-Password == mobile
    test        Auth-Type := Local, User-Password == test
    ...
    DEFAULT     Auth-Type = System
                Fall-Through = 1

    DEFAULT     Service-Type = Login-User,
                Login-Service = Rlogin,
                Login-IP-Host = euler.univ-mrs.fr

    #
    #   Last default: shell on the local terminal server.
    #
    DEFAULT     Service-Type = Shell-User

clients.conf file:

    client 127.0.0.1 {
        secret = testing123
        shortname = localhost
        nastype = other
    }
    client 139.124.3.235 {
        secret = cirm
        shortname = AP
        nastype = other
    }

Please let me know what changes I have to make for authentication to work. If someone has configured a Cisco AP, please explain to me how to configure it all.
Best regards
Maurice

Here is the log:

#1 radiusd -X

    [EMAIL PROTECTED]/usr/local/sbin/radiusd -X
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/etc/raddb/proxy.conf
    Config: including file: /usr/local/etc/raddb/clients.conf
    Config: including file: /usr/local/etc/raddb/snmp.conf
    Config: including file: /usr/local/etc/raddb/eap.conf
    Config: including file: /usr/local/etc/raddb/sql.conf
    main: prefix = /usr/local
    main: localstatedir = /var
    main: logdir = /var/log/radius
    main: libdir = /usr/local/lib
    main: radacctdir = /var/log/radius/radacct
    main: hostname_lookups = yes
    main: max_request_time = 30
    main: cleanup_delay = 5
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 1812
    main: allow_core_dumps = no
    main: log_stripped_names = no
    main: log_file = /var/log/radius/radius.log
    main: log_auth = yes
    main: log_auth_badpass = yes
    main: log_auth_goodpass = yes
    main: pidfile = /var/run/radiusd/radiusd.pid
    main: user = root
    main: group = nobody
    main: usercollide = no
    main: lower_user = no
    main: lower_pass = no
    main: nospace_user = no
    main: nospace_pass = no
    main: checkrad = /usr/local/sbin/checkrad
    main: proxy_requests = no
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    proxy: post_proxy_authorize = yes
    proxy: wake_all_if_all_dead = no
    security: max_attributes = 200
    security: reject_delay = 1
    security: status_server = no
    main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file.  Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/local/lib
    Module: Loaded exec
    exec: wait = yes
    exec: program = (null)
    exec: input_pairs = request
    exec: output_pairs = (null)
    exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded System
    unix: cache = yes
    unix: passwd = /etc/passwd
    unix: shadow = /etc/shadow
    unix: group = /etc/group
    unix: radwtmp = /var/log/radius/radwtmp
    unix: usegroup = no
    unix: cache_reload = 600
    HASH: Reinitializing hash structures and lists for caching...
    HASH: user root found in hashtable bucket 11726
    HASH: user anna found in hashtable bucket 63492
    HASH: user spamd found in hashtable bucket 16167
    HASH: Stored 96 entries from /etc/passwd
How to implement challenge/response authentication
Hi all,

I'm trying to modify rlm_example.c to implement challenge/response authentication, but I don't know how to code it. I know I have to modify the example_authenticate function, but when I install it on my freeradius server it cannot return RLM_MODULE_OK. Can anyone help me with that? Here is my implementation:

    static int example_authenticate(void *instance, REQUEST *request)
    {
    	VALUE_PAIR *reply;
    	VALUE_PAIR *state;

    	/* quiet the compiler about unused parameters */
    	instance = instance;
    	request = request;

    	/*
    	 *	A State attribute in the request means the NAS is
    	 *	answering a challenge we sent earlier.
    	 */
    	state = pairfind(request->packet->vps, PW_STATE);
    	if (state != NULL) {
    		DEBUG("***rlm_example: Found reply to access challenge");
    		return RLM_MODULE_OK;
    	}

    	/*
    	 *	Create the challenge, and add it to the reply.
    	 */
    	reply = pairmake("Reply-Message", "This is a challenge", T_OP_EQ);
    	pairadd(&request->reply->vps, reply);

    	state = pairmake("State", "0", T_OP_EQ);
    	pairadd(&request->reply->vps, state);

    	/*
    	 *	Mark the reply as Access-Challenge; RLM_MODULE_HANDLED
    	 *	tells the server the reply has already been built.
    	 */
    	request->reply->code = PW_ACCESS_CHALLENGE;
    	return RLM_MODULE_HANDLED;
    }

thanks!
Terry
RE: Configuring for multiple vendors
    Fantastic! That is exactly what I was looking for. The only downside to this is that we will have to reconfigure the system for each additional manufacturer we want to add. Is there a more general way of doing it? Or is this just the nature of VSAs?

Hmm, can't think of one. But there are people on this list much smarter than me... ;-)
Re: ldap attribute, checkItem, and the users file
On Mon, May 23, 2005 at 03:29:33PM -0400, Chris Carver wrote:

    Date: Mon, 23 May 2005 15:29:33 -0400
    From: Chris Carver [EMAIL PROTECTED]
    Subject: ldap attribute, checkItem, and the users file

    I'm still struggling with a problem I wrote in about in the past. I will explain what I am trying to do as well as possible.

    [snip]

    The definition is in the netsweeper file, along with other attributes of ours, and its contents are as follows:

        VENDOR      SlipStream              7000
        ATTRIBUTE   SlipStream-Enabled      1   string  SlipStream
        ATTRIBUTE   NetSweeper-Enabled      2   string  SlipStream
        ATTRIBUTE   redirectPort80          3   string  SlipStream

    After ensuring that the attribute was defined on the ldap side and the radius side, I understood that I needed to modify ldap.attrmap and add a checkItem. Here is that change in etc/raddb/ldap.attrmap:

        checkItem   redirectPort80  radiusRedirectPort80

    I did not add a reply item, because I'm not replying with the value of that attribute. I'm performing logic in the users file on that value and THEN passing back attribute/value pairs specified in the users file. My next step was to finally modify the users file. Here is a change to the users file:

        DEFAULT redirectPort80 == true
                Framed-Route = "0.0.0.0/0 205.247.236.1/32 1",
                Fall-Through = yes

        other irrelevant lines removed

    To my knowledge, at this point if the user has the ldap attribute radiusRedirectPort80: true then the Framed-Route attribute/value should be in the access-accept. I do a radtest with a user who has the ldap attribute radiusRedirectPort80 set to true, and it is not matched. I see exactly the same behavior as with a user who does not have the attribute.

Have you run freeradius with debug switches to see with which operator the ldap module adds the redirectPort80 pair? Have you tried to make the ldap attribute radiusRedirectPort80 with the :=true value?

Best wishes

--
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law
Re: How to implement challenge/response authentication
Terry lee [EMAIL PROTECTED] wrote:

You might have better luck if you turned off the HTML and posted in straight text.

Jim
Re: ldap attribute, checkItem, and the users file
On Mon, 23 May 2005, Chris Carver wrote:

    Hello,

    I'm still struggling with a problem I wrote in about in the past. I will explain what I am trying to do as well as possible.

    We have customers authenticating through our radius server which uses an openldap backend. Each user has an entry in our ldap database and it is the only means of authentication. We want to be able to check for the existence of an ldap attribute in the users file for the user who is currently trying to authenticate. If the attribute is found, we add a radius attribute to the reply and fall-through. If it is not found, those lines are bypassed and logic will continue down the users file.

    This ldap attribute is our own creation and we modified the schema, calling the attribute radiusRedirectPort80 on the ldap backend. It's tested and it works perfectly on the ldap end. I modified the dictionary file and it is called redirectPort80 on the radius side. Following is etc/raddb/dictionary:

        $INCLUDE /usr/local/pw/freeradius-1.0.2/share/freeradius/dictionary
        $INCLUDE /usr/local/pw/freeradius-1.0.2/etc/raddb/netsweeper

    The definition is in the netsweeper file, along with other attributes of ours, and its contents are as follows:

        VENDOR      SlipStream              7000
        ATTRIBUTE   SlipStream-Enabled      1   string  SlipStream
        ATTRIBUTE   NetSweeper-Enabled      2   string  SlipStream
        ATTRIBUTE   redirectPort80          3   string  SlipStream

    After ensuring that the attribute was defined on the ldap side and the radius side, I understood that I needed to modify ldap.attrmap and add a checkItem. Here is that change in etc/raddb/ldap.attrmap:

        checkItem   redirectPort80  radiusRedirectPort80

    I did not add a reply item, because I'm not replying with the value of that attribute. I'm performing logic in the users file on that value and THEN passing back attribute/value pairs specified in the users file. My next step was to finally modify the users file. Here is a change to the users file:

        DEFAULT redirectPort80 == true
                Framed-Route = "0.0.0.0/0 205.247.236.1/32 1",
                Fall-Through = yes

        other irrelevant lines removed

    To my knowledge, at this point if the user has the ldap attribute radiusRedirectPort80: true then the Framed-Route attribute/value should be in the access-accept. I do a radtest with a user who has the ldap attribute radiusRedirectPort80 set to true, and it is not matched. I see exactly the same behavior as with a user who does not have the attribute.

    Am I doing something fundamentally wrong? If not, might there be any common mistakes I could be making? I would be grateful for any pointers. Thanks in advance.

The users file will only check attributes in the request, not in the check item list. So the above won't work. You can try using the policy module:

    if (%{check:redirectPort80} == true) {
        reply .= {
            Framed-Route = "0.0.0.0/0 205.247.236.1/32 1"
        }
    }

    Chris Carver

--
Kostas Kalevras           Network Operations Center
[EMAIL PROTECTED]         National Technical University of Athens, Greece
Work Phone:               +30 210 7721861
'Go back to the shadow'   Gandalf
dialup admin and pptp
From the dialup_admin web interface I can clear sessions but I cannot disconnect users. When I press "disconnect user" nothing happens. I use the latest cvs dialup admin, freeradius with mysql and pptp. Any clue?
Re: dialup admin and pptp
On Tue, 24 May 2005, Florin Samareanu wrote:

    From the dialup_admin web interface I can clear sessions but I cannot disconnect users. When I press "disconnect user" nothing happens. I use the latest cvs dialup admin, freeradius with mysql and pptp. Any clue?

The disconnect facility will work only for cisco routers using the SNMP AAA session MIB (if that is available and configured) or telnet (if that is configured). Patches are always welcome for other vendors.

--
Kostas Kalevras           Network Operations Center
[EMAIL PROTECTED]         National Technical University of Athens, Greece
Work Phone:               +30 210 7721861
'Go back to the shadow'   Gandalf
MS-CHAP
Hello freeRADIUS mailing list readers,

Is it possible to configure a freeRADIUS server running on a UNIX machine to also accept MS-CHAP? If so, is it complicated? Is there documentation for it? How can I do that (in a fairly simple way)?

/the girl that wonders why Microsoft had to complicate things for her...

--
Vicky
Error 778: It was not possible to verify the identity of the server
So close. I have no trouble fetching a cheerful response from the IAS radius server with my simple proxy. I print its output to standard output and return with exit code 0. FreeRADIUS reports the whole thing as a success. And I get:

    Error 778: It was not possible to verify the identity of the server.

... from the Windows workstation involved.

Note that I have also set up mschap and ntlm_auth to handle accounts on the local Samba server, and *those* logons work perfectly. So my feeling is that there's something special I need to do in my faux-proxy to match what a real proxy would do, but I can't imagine what.

To test my theory, I configured proxy.conf so that FreeRADIUS would use its built-in proxy code. Yes, that works perfectly. But I can't seem to find a debugging option that causes FreeRADIUS to print not just the request and helpful tracing information but the full *response* that it sends to the client. And that seems to be what I need to disentangle the difference between the real proxy code and what I wrote, and sort out why RAS on the PPTP server accepts the output of the former but not of the latter.

(Of course, for those who may be wondering, I would gladly use the built-in proxy code, except that I need to try something else if the user is not found, and the standard FreeRADIUS proxy code can't do that.)

Any ideas? I think I'm very close here.

Thanks!

--
Thomas Boutell
Boutell.Com, Inc.
http://www.boutell.com/
Re: dialup admin and pptp
I think this depends on whether your NAS supports it or not - Freeradius just sends the request and the NAS deals with it.

[EMAIL PROTECTED] 24/05/2005 12:36

    From the dialup_admin web interface I can clear sessions but I cannot disconnect users. When I press "disconnect user" nothing happens. I use the latest cvs dialup admin, freeradius with mysql and pptp. Any clue?
problems with huntgroups
Hello friends --

We've been steadily running a kerberos-enabled freeradius server here for several years now and everything has been working perfectly. We have several devices that use it for authentication, such as the VPN and modem pool. These are services where anyone with an account in our kerberos server can authenticate and have access.

However, that soon will change. A firewall will be brought up and pointed to our server for authentication, and we've been asked to restrict access to certain users. After doing some digging, it seemed like using huntgroups would be the perfect solution for this task.

Long story short, I've done google searches, looked in the users and huntgroups files, checked mailing lists and tried every example I could find, and for some reason I can not get the radius server to reject my authentication attempt based on the information in the huntgroups file. So I've come to you for help.

Because I couldn't test using our real radius server, I set up an identical one, kerberos enabled, and have been using radtest from a different machine to test. As I've said, I've tried many different examples, but none seem to work for me. The configuration I'm using now I pulled from http://lists.q-linux.com/pipermail/xtradius/2004-April/001026.html (I realize that it's from the xtradius mailing list, but I was hoping to get information on huntgroups in general).

Here's my configuration:

clients.conf:

    client 10.0.0.1 {
        secret = testing
        shortname = testclient
    }

huntgroups (10.0.0.1 is, for the purpose of this exercise, my test client):

    testgroup   NAS-IP-Address == 10.0.0.1
                User-Name = randomuser,

users:

    DEFAULT     Huntgroup-Name == testgroup, Auth-Type = Kerberos
                Fall-Through = No

    ### Allow all others to authenticate to the Kerberos server
    DEFAULT     Auth-Type := Kerberos
                Service-Type = Framed-User,
                Framed-Protocol = PPP,
                Framed-Routing = Broadcast-Listen,
                Framed-MTU = 1500,
                Framed-Compression = Van-Jacobson-TCP-IP

I've turned on debugging on my radius server. From my client box (10.0.0.1) I run the command:

    radtest myusername mypasswd radiusserver 0 testing

Despite the fact that myusername is not listed in huntgroups in the testgroup section, I'm still allowed access:

    Sending Access-Request of id 57 to radiuserver:1812
        User-Name = myusername
        User-Password = mypasswd
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 0
    rad_recv: Access-Accept packet from host radiusserver:1812, id=57, length=50
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Routing = Broadcast-Listen
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP

I have the -xxx debugging information if anyone would find that helpful, but I only found one mention of 'hunt' in it:

    Tue May 24 10:10:46 2005 : Debug: preprocess: huntgroups = /etc/raddb/huntgroups

Thank you for any information you can give me. Please let me know if there's any more information you need.

Brian
Re: Ayuda con radius
Hi Igor, my final-year degree project uses, among many other things, freeradius. I don't know exactly what you want to do, but maybe nocat or chillispot could be of some use to you for the authentication part, in conjunction with radius (that's how I have it set up). Another thing: this list is English-speaking, so it is very likely that, apart from me, few other people will answer you ;-). greetings.

On 5/24/05, Igor Larrea [EMAIL PROTECTED] wrote: Hello everyone, I'm a guy from Bilbao who wants to deploy a secure Wi-Fi network architecture using 802.11i with WPA-Enterprise, a RADIUS authentication server and a router (Linksys WRT54G) acting as the authenticator. The truth is I'm just starting to look into things, but I don't know where to start; I can't find much information on how to set up the server, nor which software to use or how to use it. On top of that, WPA-Enterprise is too new, I don't know anyone who is using it, and to make matters worse I'm not a Linux wizard either, something I hope to improve little by little. I was thinking of installing Debian, but I'm not sure about that either. Anyway, as you can see I don't even know how to begin; if you could give me a hand and send me information about it, or links, or put me in touch with someone who already has a radius server deployed... I would be very grateful. Best regards, Igor Larrea
best practice with a wifi pcmcia card
Hello there, since I am in the pre-test part of my wifi project, I would like to know if some of you know a pcmcia wifi card able to deal with:
- linux and/or BSD (and windows)
- WPA2 (WPA + AES)
- PEAP
- 802.11 b/g
- running in master mode (aka hostap)

I saw a lot of cards having the same profile but only few support 802.11g on Linux/BSD. Here are the cards I found:
AirLancer MC-54ag (atheros chipset, ok for hostap)
Proxim 8471-WD (still don't know about WPA support)

Thanks in advance for any help, Stéphane

PS: I know this is not really related to freeradius but as freeradius could be used for wifi projects, I expect this place to be one of the most helpful to find people with the knowledge to help.
Re: problems with huntgroups
huntgroups:
testgroup       NAS-IP-Address == 10.0.0.1      (for the purpose of this exercise, my test client)
                User-Name = randomuser,

Not sure if it matters, but you don't need this comma since it's the last value.

users:
DEFAULT Huntgroup-Name == testgroup, Auth-Type = Kerberos
        Fall-Through = No

That should be Auth-Type :=, as = is not allowed as a check item (man 5 users).

### Allow all others to authenticate to the Kerberos server
DEFAULT Auth-Type := Kerberos
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

I don't understand what you are trying to do here. If you match the first entry, it says Auth-Type := kerberos. If you don't match the first entry, then you will fall through to the default of Auth-Type := kerberos. Are you trying to make it so that if you are NOT in the huntgroup, then you will be rejected? Or are you trying to make it so if you are not in the Huntgroup you don't get those default reply values?

If you want to reject the user if they are not in the huntgroup, then you need to change the DEFAULT to

DEFAULT Auth-Type := Reject

Otherwise, why even have it match the Huntgroup if you are going to be authenticating in the same manner, regardless?
Re: problems with huntgroups
On Tue, 24 May 2005, Dustin Doris wrote:

huntgroups:
testgroup       NAS-IP-Address == 10.0.0.1      (for the purpose of this exercise, my test client)
                User-Name = randomuser,

Not sure if it matters, but you don't need this comma since it's the last value.

Thanks. I was going by the example in the huntgroups file, which has the comma. The server doesn't appear to care either way.

users:
DEFAULT Huntgroup-Name == testgroup, Auth-Type = Kerberos
        Fall-Through = No

That should be Auth-Type :=, as = is not allowed as a check item (man 5 users).

Again, thanks. I definitely need to be more careful about that.

I don't understand what you are trying to do here. If you match the first entry, it says Auth-Type := kerberos. If you don't match the first entry, then you will fall through to the default of Auth-Type := kerberos. Are you trying to make it so that if you are NOT in the huntgroup, then you will be rejected? Or are you trying to make it so if you are not in the Huntgroup you don't get those default reply values?

Sorry for the confusion. I'm wanting it so that only users in the huntgroups file are able to authenticate from a certain NAS address. So I want anyone with a kerberos username/password to authenticate from the modem pool and VPN; I want only certain users to be able to authenticate from the firewall.

If you want to reject the user if they are not in the huntgroup, then you need to change the DEFAULT to DEFAULT Auth-Type := Reject. Otherwise, why even have it match the Huntgroup if you are going to be authenticating in the same manner, regardless?

I /think/ I read this correctly, so I changed my users file to look like this:

DEFAULT Huntgroup-Name == testgroup, Auth-Type := Kerberos
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Fall-Through = No

DEFAULT Auth-Type := Reject

Now it rejects everyone, regardless of where they're coming from and who they are. In the debug file, it says Matched DEFAULT at 19 (line 19 is where the DEFAULT Auth-Type := Reject line is). I get:

Tue May 24 11:15:04 2005 : Debug: users: Matched DEFAULT at 19
Tue May 24 11:15:04 2005 : Debug: modcall[authorize]: module files returns ok
Tue May 24 11:15:04 2005 : Debug: modcall: group authorize returns ok
Tue May 24 11:15:04 2005 : Debug: rad_check_password: Found Auth-Type Reject
Tue May 24 11:15:04 2005 : Debug: rad_check_password: Auth-Type = Reject, rejecting user
Tue May 24 11:15:04 2005 : Debug: auth: Failed to validate the user.
Tue May 24 11:15:04 2005 : Auth: Login incorrect: [myusername] (from client testclient port 0)

It's as if it completely ignores the section where I have my huntgroup-name. Brian
shared secret problem
If I'm getting an incorrect checksum error on the UDP packet sent from the client to the server, would that be the cause of my "Shared secret is incorrect" error? I've removed/re-added the secret on both sides many times... If that is the case, I'm assuming the problem is with the md5 hash on the server and not anything with Freeradius. Is that correct? Thanks, Kris
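To make concrete what the shared secret actually protects in the exchange Kris is asking about, here is an editor-added example; it is not code from the thread or from FreeRADIUS. It builds an Access-Request with the User-Password hidden as RFC 2865 section 5.2 prescribes, and checks the Response Authenticator, which is MD5 over the reply's header, the request's authenticator, the attributes and the secret. The secret, user name and the fixed nonce are constructed for the demo; a real client draws the Request Authenticator from os.urandom.

```python
import hashlib
import hmac
import struct

# Editor-added illustration of the two places a RADIUS shared secret is used
# (RFC 2865); not FreeRADIUS code. All values below are constructed for the demo.

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_SERVICE_TYPE = 6


def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body):
    """Inverse of encode_attrs; rejects truncated or zero-length TLVs."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        attrs[t] = body[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); block 1 uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    """Server-side inverse of hide_password; yields garbage if `secret` is wrong."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def response_authenticator_ok(response, req_auth, secret):
    """Client-side check that a reply came from a server holding `secret`."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def exchange(client_secret, server_secret, password=b"mypasswd", ident=57):
    """One Access-Request/Access-Accept round trip, secrets possibly mismatched.
    Returns (password as the server decodes it, whether the client accepts the reply)."""
    # Deterministic nonce so the demo is repeatable; real clients use os.urandom(16).
    req_auth = hashlib.md5(b"constructed-demo-nonce-%d" % ident).digest()
    hidden = hide_password(password, client_secret, req_auth)
    body = encode_attrs([(ATTR_USER_NAME, b"myusername"), (ATTR_USER_PASSWORD, hidden)])
    request = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

    # Server side: decode the password with *its* secret, then answer (Service-Type 2 = Framed-User).
    seen = reveal_password(parse_attrs(request[20:])[ATTR_USER_PASSWORD], server_secret, req_auth)
    reply = build_response(CODE_ACCESS_ACCEPT, ident, request[4:20],
                           [(ATTR_SERVICE_TYPE, struct.pack("!I", 2))], server_secret)

    # Client side: validate the reply with *its* secret.
    return seen, response_authenticator_ok(reply, req_auth, client_secret)


if __name__ == "__main__":
    for pair in ((b"testing", b"testing"), (b"testing", b"testing1")):
        print(pair, exchange(*pair))
```

With matching secrets the server recovers "mypasswd" and the client accepts the reply; with a one-character difference the server sees bytes that are not a printable password and the Response Authenticator fails. A corrupted UDP payload produces the same two symptoms, because the MD5 is computed over the damaged bytes, so the checksum question is worth settling first: capture on the server with tcpdump -vv and see whether the datagram arrives intact. A "bad udp cksum" seen only on the sending host is usually transmit checksum offload (the NIC fills the field in after the capture point), not real corruption.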
RE: shared secret problem
Hi, can you tell us what operating system you are using? I recently had problems with SuSE 9.1 where some packages were broken and therefore the shared secret auth wasn't functioning. Regards, Edvin Seferovic

-----Original Message-----
From: Kris
Sent: Tuesday, 24 May 2005 17:38
Subject: shared secret problem
RE: Re: Kick users offline
Hi, what are you actually using to start up a connection? PPP or something else? I am using a Poptop/PPP combination and I get kicked out right on time. But I only use the Session-Timeout attribute. Where did you read that about Login-Time? It is really interesting for my next project, and maybe I could test it on my system and tell you the results? Regards, Edvin Seferovic

-----Original Message-----
From: Svetlana Vyslanko
Sent: Tuesday, 24 May 2005 09:43
Subject: Re: Re: Kick users offline

Date: Mon, 23 May 2005 17:44:33 +0200
From: Alex Moreno [EMAIL PROTECTED]
Subject: Re: Kick users offline

I do it using the Time-Out=time variable. Read the documentation for more information.

On 5/23/05, Svetlana Vyslanko [EMAIL PROTECTED] wrote: I want to kick users offline if they are over their time limit. Can I do it using FreeRADIUS? Regards, Svetlana

In the documentation I read:

Login-Time defines the time span a user may login to the system. After that a range of hours follows in hhmm-hhmm format. For example, Wk2305-0855,Sa,Su2305-1655. Radiusd calculates the number of seconds left in the time span, and sets the Session-Timeout to that number of seconds. So if someone's Login-Time is Al0800-1800 and she logs in at 17:30, Session-Timeout is set to 1800 seconds so that she is kicked off at 18:00.

and I set Session-Timeout (radtest shows it) but the current session doesn't get kicked off. It works at the authorization step but doesn't kick the online user.
RE: shared secret problem
So sorry, I'm using SLES 9 for x86_64 --Kris

-----Original Message-----
From: Seferovic Edvin
Sent: Tuesday, May 24, 2005 10:50 AM
Subject: RE: shared secret problem
Re: problems with huntgroups
huntgroups:
testgroup       NAS-IP-Address == 10.0.0.1      (for the purpose of this exercise, my test client)
                User-Name = randomuser,

Sorry for the confusion. I'm wanting it so that only users in the huntgroups file are able to authenticate from a certain NAS address. So I want anyone with a kerberos username/password to authenticate from the modem pool and VPN; I want only certain users to be able to authenticate from the firewall.

That makes more sense now. I guess I hadn't had my coffee yet and couldn't read into that. I've never done this with huntgroups alone; I usually use a backend of some type and store users into groups. But what if you do this in the users file? I'm just taking stabs at this now, since I haven't done it before with just huntgroups.

DEFAULT NAS-IP-Address == 10.0.0.1, Huntgroup-Name != testgroup, Auth-Type := Reject
        Fall-Through = no

DEFAULT Auth-Type := Kerberos
...

Freeradius will read the users file from top to bottom. So, when the packet comes in from nas-ip of 10.0.0.1, it will see a huntgroup check and will look in your huntgroups file. If you aren't in the testgroup huntgroup, you will be rejected. Otherwise, it will fall through to the kerberos default and will use kerberos to authenticate you.
Sending Session-Timeout on Exec-Program-Wait
Hi, I'm using Exec-Program-Wait for user validation. In some cases, I want to send back the Session-Timeout. According to what I've seen, in the script I execute on Exec-Program-Wait, I can send back this value like this:

print "Session-Timeout=$timeout\n";
exit 0;   # Grant Access

Now, in this thread: http://lists.cistron.nl/pipermail/freeradius-users/2004-March/029131.html they say to add Service-Type := Framed-User to the reply in order to work with Cisco. Is this correct? Must I always send that value pair for it to work on Cisco systems? So it would end up being:

print "Service-Type=Framed-User\n";
print "Session-Timeout=$timeout\n";
exit 0;   # Grant Access

Thanks in advance, Juan
Re: MS-CHAP
Hello, I've found a pretty good howto at http://www.tldp.org/HOWTO/8021X-HOWTO/intro.html Take a look. Jonathan

vicky wrote: Hello freeRADIUS mailing list readers, Is it possible to configure a freeRADIUS server running on a UNIX machine to also accept MS-CHAP? If so, is it complicated? is there documentation for it? how can I do that (in a fairly simple way)? /the girl that wonders why Microsoft had to complicate things for her...
RE: MS-CHAP
Hi, take a look at www.poptop.org; it is a *nix implementation of the MS PPTP VPN Server that uses MS-CHAP. There is also a very good how-to about CHAP auth and freeRadius. Regards, Edvin Seferovic

-----Original Message-----
From: Jonathan Delizy
Sent: Tuesday, 24 May 2005 18:22
Subject: Re: MS-CHAP
Authenticate as computer .....
Hi, A few days ago I succeeded with PEAP auth with freeradius, but I have a bigger problem. I would like to check the "authenticate as computer when information is available" box so my computer should be reachable even if nobody is logged in. I've read in a previous post that it is only possible with an Active Directory (AD) server, and as you may well guess I don't want an AD server... So does somebody have an idea or a method to do that? It seems I can only authenticate the machine with a certificate, but I can't find any recent howto to do that. Please help :) !
Re: Configuring for multiple vendors
Mitchell, Michael J [EMAIL PROTECTED] wrote: The only downside to this is that we will have to reconfigure the system for each additional manufacturer we want to add.

The good news is that few vendors do the annoying AVPair stuff that Cisco does.

Is there a more general way of doing it? Or is this just the nature of VSAs? Hmm, can't think of one. But there are people on this list much smarter than me... ;-)

Code hacks. Create virtual attributes, and use those in the configuration files. This leaves the mapping between real and virtual attributes all in one place. e.g.

virtual {
        My-Attribute-Foo = %{Vendor-Foo:-%{Vendor-Bar:-%{Vendor-Stuff}}}
}
...
DEFAULT My-Attribute-Foo == stuff...    # compare against 1 of the 3 above

Alan DeKok.
freeradius install problems
Hi all: We're trying to install freeradius on a base RedHat 9. We tried the basic installation of freeradius-snapshot-20050524.tar.gz:

./configure
make
make install

but it doesn't work. Is there a document to install freeradius on a Red Hat 9 box?? Thanks!
Re: radius server and sql server
Ming-Ching Tiew [EMAIL PROTECTED] wrote: Hate to bother you folks who are non-programmers here, but I think the code is questionable here,

Hmm... you're right. In any case, radsqlrelay is about to be deleted from the CVS head. Radrelay, too. They're being replaced with minor changes to the server core, which means that radiusd can now do everything those two programs did, and more. Wait a few weeks, and the CVS head should be fixed, and the relay functionality completely merged into radiusd. Alan DeKok.
RE: shared secret problem
Hi, you're welcome ;) If you contact Novell/SuSE and get an answer about this topic (or maybe a solution) I would be thankful if you could mail it to this mailing list. I intend to move to SLES shortly, and now that I know the fact that freeRadius is not working (on x86_64) this move could be delayed. Regards, Edvin Seferovic

-----Original Message-----
From: Kris
Sent: Tuesday, 24 May 2005 18:24
Subject: RE: shared secret problem

Thanks so much for the information and quick response. I'll attempt to contact Novell/SuSE. I tried the procedure below without much success over the last week or two.

-----Original Message-----
From: Seferovic Edvin
Sent: Tuesday, May 24, 2005 11:17 AM
Subject: RE: shared secret problem

BINGO... there u go ;) I was using SuSE PRO 9.1 on x86_64 WHICH WAS BROKEN !! SuSE changed this in the next version 9.2. Apparently SLES 9 has the same problem. You could try contacting Novell/SuSe about this ;) Here is part of a message from a friendly person on this list who encountered the same problem and solved it:

--- cut ---
Since I also got the SuSE 9.2 RPM working on SuSE 9.1 I will include the more detailed instructions below:

Well I just got mine working on SuSE 9.1 64 bit. It was one heck of a hack, and probably not done in the correct way, but this is what I did:

1. I grabbed the 9.2 source rpm: freeradius-1.0.0-5.4.src.rpm
2. I ran rpmbuild --rebuild freeradius-1.0.0-5.4.src.rpm to learn dependencies. I installed the dependencies I could off of the 9.1 distribution. From the 9.2 distribution I installed: libnscd-1.0-2.x86_64.rpm and libzio-0.1-4-0.1-4.x86_64.rpm.
3. I thought I had other issues so I also installed libtool-1.5.8-3.x86_64.rpm and libtool-32bit-9.2-200410061204.x86_64.rpm but they are probably not required from 9.2.
4. I installed the source rpm.
5. I went into /usr/src/packages/SOURCES and bunzipped freeradius-1.0.0.0.tar.bz2
6. I cd'ed into the freeradius-1.0.0.0 directory and in Make.inc I modified the variable LIBLTDL to: LIBLTDL = /usr/lib64/libltdl.so
7. I re-bzipped the directory so the change was stored in the bzipped file.
8. I cd'ed into the /usr/src/packages/SPEC/ directory and ran: rpmbuild -bb freeradius.spec
9. I cd'ed into /usr/src/packages/RPMS/x86_64 and installed the 2 created packages: freeradius-1.0.0-5.4.x86_64.rpm freeradius-devel-1.0.0-5.4.x86_64.rpm
10. eap was still broken so I cd'ed into /usr/src/packages/BUILD/freeradius-1.0.0/src/modules/rlm_eap/.libs/
11. I copied rlm_eap-1.0.0.soU to /usr/lib/freeradius
12. I cd'ed into /usr/lib/freeradius and did a ln -s rlm_eap-1.0.0.soU rlm_eap.so
--- cut ---

Maybe you could just take the RPM package from another SuSE distro and try it. I hope this could help. BTW - I spent over 2 weeks looking for this crappy error. Regards, Edvin Seferovic
Re: MS-CHAP
vicky [EMAIL PROTECTED] wrote: Is it possible to configure a freeRADIUS server running on a UNIX machine to also accept MS-CHAP? If so, is it complicated? is there documentation for it? how can I do that (in a fairly simple way)?

Install the server. It will work. Did you try reading the web site, which lists MS-CHAP as being supported? Alan DeKok.
Re: Kick users offline
At the authorization stage FreeRADIUS calculates and sends the proper Session-Timeout attribute to the Access Server, which tells it how long the user can stay online. This calculation is done using attributes such as Login-Time, Expiration, Session-Timeout and the current time. If the user's time is over the limit but he is still online, then you can't kick him offline through FreeRADIUS, because actually kicking a user offline is an ability of the Access Server, not of FreeRADIUS.

I want to kick users offline if they are over their time limit. Can I do it using FreeRADIUS? Regards, Svetlana
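The Login-Time arithmetic quoted from the documentation earlier in this thread (Login-Time Al0800-1800, login at 17:30, Session-Timeout 1800) as an editor-added worked example in Python; this is illustration code, not FreeRADIUS source. It parses the Login-Time syntax shown in the documentation excerpt (Al, Wk, two-letter day names, an optional hhmm-hhmm range, comma-separated entries) and returns the seconds remaining in the allowed span. How the server treats a range that crosses midnight, such as 2305-0855, is an assumption marked in the code. As both replies say, the number only becomes a Session-Timeout reply attribute; ending the session at that point is the NAS's job.

```python
import datetime as dt

# Editor-added example, not FreeRADIUS code: turning a Login-Time check item
# into the "seconds left in the allowed span" that becomes Session-Timeout.
# Day tokens: Al (all days), Wk (Mon-Fri), Mo..Su; an optional hhmm-hhmm range
# follows the day tokens; comma-separated entries are OR'ed together.
# Assumption (not checked against the server's own timestr.c): a range whose
# end is before its start, e.g. 2305-0855, runs past midnight into the next day.

MIN_PER_DAY = 24 * 60
WEEK = 7 * MIN_PER_DAY
DAY_TOKENS = {
    "Al": range(7), "Wk": range(5),
    "Mo": [0], "Tu": [1], "We": [2], "Th": [3], "Fr": [4], "Sa": [5], "Su": [6],
}


def parse_login_time(spec):
    """Return one flag per minute of the week (index 0 = Monday 00:00), set
    where login is permitted. Ranges are start-inclusive, end-exclusive."""
    allowed = bytearray(WEEK)
    for entry in spec.split(","):
        entry = entry.strip()
        days, i = set(), 0
        while entry[i:i + 2] in DAY_TOKENS:
            days.update(DAY_TOKENS[entry[i:i + 2]])
            i += 2
        if not days:
            raise ValueError(f"no day token in {entry!r}")
        rest = entry[i:]
        if rest:
            if len(rest) != 9 or rest[4] != "-" or not (rest[:4] + rest[5:]).isdigit():
                raise ValueError(f"bad time range in {entry!r}")
            start = int(rest[:2]) * 60 + int(rest[2:4])
            end = int(rest[5:7]) * 60 + int(rest[7:9])
            if not (0 <= start < MIN_PER_DAY and 0 <= end < MIN_PER_DAY):
                raise ValueError(f"time out of range in {entry!r}")
        else:
            start, end = 0, MIN_PER_DAY  # bare day token: the whole day
        for day in days:
            base = day * MIN_PER_DAY
            if start < end:
                allowed[base + start:base + end] = b"\x01" * (end - start)
            else:  # wraps past midnight (assumption noted above)
                allowed[base + start:base + MIN_PER_DAY] = b"\x01" * (MIN_PER_DAY - start)
                nxt = ((day + 1) % 7) * MIN_PER_DAY
                allowed[nxt:nxt + end] = b"\x01" * end
    return allowed


def session_timeout(spec, now):
    """Seconds the user may stay logged in from `now` (a datetime), or 0 if
    login is not permitted right now. Capped at one week for an always-open spec."""
    allowed = parse_login_time(spec)
    idx = now.weekday() * MIN_PER_DAY + now.hour * 60 + now.minute
    if not allowed[idx]:
        return 0
    minutes = 0
    while minutes < WEEK and allowed[(idx + minutes) % WEEK]:
        minutes += 1
    return minutes * 60 - now.second


if __name__ == "__main__":
    # Tue 24 May 2005 17:30, the documentation's own example: 1800 seconds.
    print(session_timeout("Al0800-1800", dt.datetime(2005, 5, 24, 17, 30)))
```

A login outside every span returns 0, which is the case the server rejects outright rather than accepting with a zero timeout; and because the span is evaluated once, at authorization, a NAS that ignores Session-Timeout will keep the user online past 18:00 no matter what the server computed.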
EAP-TTLS problem
Hello, I'm using freeradius 1.0.2 with Red Hat Enterprise Server 3 and MySql. I have the following problem with EAP-TTLS: authentication is successful using a Proxim 8470-WD a/b/g PCMCIA card, but fails with a Zyxel G-405 802.11g Wireless LAN Ethernet Adapter. I've checked both freeradius logs and the only difference I see is this:

With the proxim card:
- auth: type MSCHAP

With Zyxel Adapter:
--- auth: type System

For your information, I include the complete freeradius log when using the Zyxel wireless adapter:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = no
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /var/ssl/certs/cert-srv.pem
 tls: certificate_file = /var/ssl/certs/cert-srv.pem
 tls: CA_file = /var/ssl/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /var/ssl/certs/dh
 tls: random_file = /var/ssl/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = md5
 ttls: copy_request_to_tunnel = yes
 ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
RE: MS-CHAP
On Tue, 24 May 2005, Seferovic Edvin wrote: Hi, take a look at www.poptop.org; it is a *nix implementation of the MS PPTP VPN Server that uses MS-CHAP. There is also a very good how-to about CHAP auth and freeRadius.

US users should be aware that to run PPTP with Windows clients and have any security you need to use MPPE encryption, which is unfortunately patented. This may be a nonissue for some users, especially European users (for now at least...). This just came up in my writing process -- would love to talk all about poptop, but I can hardly focus on something I can't openly encourage the larger part of my readership to use. (: -- Thomas Boutell Boutell.Com, Inc. http://www.boutell.com/
Re: Using radclient as a poor man's proxy
On 5/23/05, Thomas Boutell [EMAIL PROTECTED] wrote: As also suggested here I am attempting to drive radclient as a poor man's proxy connection from a custom script. Unfortunately attribute names are apparently case-sensitive and the environment variables lose case information from their names. When I pass an attribute without matching the case in the dictionary exactly, radclient hangs up on me right away.

Let your script write down all the attributes to a file and ask radclient to pick the attributes from that file. My 2 cents. -Raghu
Re: freeradius install problems
Juanjo Lopez [EMAIL PROTECTED] wrote: ./configure make make install but don't work. Is there a document to install freeradius in a Red Hat 9 box??

Yes. Alan DeKok.
Re: EAP-TTLS problem
Ignacio Siles [EMAIL PROTECTED] wrote: I've checked both freeradius logs and the only difference I see is this: With the proxim card: - auth: type MSCHAP With Zyxel Adapter: --- auth: type System So... Don't set Auth-Type = System. Alan DeKok.
closer, but not working (was Re: problems with huntgroups)
On Tue, 24 May 2005, Dustin Doris wrote: DEFAULT NAS-IP-Address == 10.0.0.1, Huntgroup-Name != testgroup, Auth-Type := Reject Fall-Through = no DEFAULT Auth-Type := Kerberos ... Thanks for your quick reply, Dustin. I gave the above a try, and unfortunately it still didn't work. However I went back to look at the debugging log I had set up to see if I missed anything. In a case of missing the forest through the trees, I didn't even notice this before: Tue May 24 13:15:03 2005 : Debug: Thread 1 handling request 0, (1 handled so far) User-Name = myusername User-Password = mypasswd NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Tue May 24 13:15:03 2005 : Debug: modcall: entering group authorize Tue May 24 13:15:03 2005 : Debug: modcall[authorize]: module preprocess returns ok For some reason, it's seeing the requests coming from NAS-IP-Address = 255.255.255.255 versus the ip address I think it should be coming from. So, I made these changes to my configuration: huntgroups: testgroup NAS-IP-Address == 255.255.255.255 User-Name == randomuser, users: DEFAULT NAS-IP-Address == 255.255.255.255, Huntgroup-Name == testgroup, Auth-Type := Kerberos Fall-Through = No DEFAULT Auth-Type := Kerberos Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Routing = Broadcast-Listen, Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP Rerun radtest from my test client and I'm rejected. If I add myusername to huntgroups, I'm accepted. From the log, I get: User-Name = myusername User-Password = mypasswd NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Tue May 24 13:26:42 2005 : Debug: huntgroups: Matched testgroup at 47 Tue May 24 13:26:42 2005 : Debug: users: Matched DEFAULT at 8 So it appears that that configuration works, but only if I set the NAS-IP-address to 255.255.255.255. Obviously, this isn't the way it's supposed to work, because the server sees /every/ NAS as 255.255.255.255, even when I run radtest from localhost. 
I suspected it might have something to do with the client and server being on different VLANs on the router, but I wouldn't expect it to do the same thing from itself. Brian
Re: ldap attribute, checkItem, and the users file
Kostas Kalevras wrote: On Mon, 23 May 2005, Chris Carver wrote: Hello, I'm still struggling with a problem I wrote in about in the past. I will explain what I am trying to do as well as possible. We have customers authenticating through our radius server which uses an openldap backend. Each user has an entry in our ldap database and it is the only means of authentication. We want to be able to check for the existence of an ldap attribute in the users file for the user who is currently trying to authenticate. If the attribute is found, we add a radius attribute to the reply and fall-through. If it is not found, those lines are bypassed and logic will continue down the users file. This ldap attribute is our own creation and we modified the schema calling the attribute radiusRedirectPort80 on the ldap backend. It's tested and it works perfectly on the ldap end. I modified the dictionary file and it is called redirectPort80 on the radius side. Following is etc/raddb/dictionary: $INCLUDE /usr/local/pw/freeradius-1.0.2/share/freeradius/dictionary $INCLUDE /usr/local/pw/freeradius-1.0.2/etc/raddb/netsweeper The definition is in the netsweeper file, along with other attributes of ours, and its contents are as follows: VENDOR SlipStream 7000 ATTRIBUTE SlipStream-Enabled 1 string SlipStream ATTRIBUTE NetSweeper-Enabled 2 string SlipStream ATTRIBUTE redirectPort80 3 string SlipStream After ensuring that the attribute was defined on the ldap side and the radius side, I understood that I needed to modify ldap.attrmap and add a checkItem. Here is that change in etc/raddb/ldap.attrmap: checkItem redirectPort80 radiusRedirectPort80 I did not add a reply item, because I'm not replying with the value of that attribute. I'm performing logic in the users file on that value and THEN passing back attribute/value pairs specified in the users file. My next step was to finally modify the users file. 
Here is a change to the users file: DEFAULT redirectPort80 == true Framed-Route = 0.0.0.0/0 205.247.236.1/32 1, Fall-Through = yes other irrelevant lines removed To my knowledge, at this point if the user has the ldap attribute radiusRedirectPort80: true then Framed-Route attribute/value should be in the access-accept. I do a radtest with a user who has the ldap attribute radiusRedirectPort80 set to true, and it is not matched. I see exactly the same behavior as with a user who does not have the attribute. Am I doing something fundamentally wrong? If not, might there be any common mistakes I could be making? I would be grateful for any pointers. Thanks in advance. The users file will only check attributes in the request, not in the check item list. So the above won't work. You can try using the policy module: if (%{check:redirectPort80} == true) { reply .= { Framed-Route = 0.0.0.0/0 205.247.236.1/32 1 } } Thank you for the reply! The logic I see there should definitely work, but I'm still a bit confused. I did some research and I'm having trouble finding any mention of the policy module you mention. Although doc/variables.txt was very helpful, it doesn't show any use of an if statement and I'm not sure in what configuration file(s) such a piece of code would be acceptable. Where would I put the lines you mentioned above? Sorry if I'm making a silly mistake or overlooking something. Chris Carver -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
Re: closer, but not working (was Re: problems with huntgroups)
On Tue, 24 May 2005 [EMAIL PROTECTED] wrote: On Tue, 24 May 2005, Dustin Doris wrote: DEFAULT NAS-IP-Address == 10.0.0.1, Huntgroup-Name != testgroup, Auth-Type := Reject Fall-Through = no DEFAULT Auth-Type := Kerberos ... Thanks for your quick reply, Dustin. I gave the above a try, and unfortunately it still didn't work. However I went back to look at the debugging log I had set up to see if I missed anything. In a case of missing the forest through the trees, I didn't even notice this before: Tue May 24 13:15:03 2005 : Debug: Thread 1 handling request 0, (1 handled so far) User-Name = myusername User-Password = mypasswd NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Tue May 24 13:15:03 2005 : Debug: modcall: entering group authorize Tue May 24 13:15:03 2005 : Debug: modcall[authorize]: module preprocess returns ok For some reason, it's seeing the requests coming from NAS-IP-Address = 255.255.255.255 versus the ip address I think it should be coming from. So, I made these changes to my configuration: huntgroups: testgroup NAS-IP-Address == 255.255.255.255 User-Name == randomuser, users: DEFAULT NAS-IP-Address == 255.255.255.255, Huntgroup-Name == testgroup, Auth-Type := Kerberos Fall-Through = No DEFAULT Auth-Type := Kerberos Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Routing = Broadcast-Listen, Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP Rerun radtest from my test client and I'm rejected. If I add myusername to huntgroups, I'm accepted. From the log, I get: User-Name = myusername User-Password = mypasswd NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Tue May 24 13:26:42 2005 : Debug: huntgroups: Matched testgroup at 47 Tue May 24 13:26:42 2005 : Debug: users: Matched DEFAULT at 8 So it appears that that configuration works, but only if I set the NAS-IP-address to 255.255.255.255. Obviously, this isn't the way it's supposed to work, because the server sees /every/ NAS as 255.255.255.255, even when I run radtest from localhost. 
I suspected it might have something to do with the client and server being on different VLANs on the router, but I wouldn't expect it to do the same thing from itself. Brian Glad the config is working for you. I think radius doesn't actually see that NAS as 255.255.255.255, it's being sent over as that in the packet. If you did a tcpdump and captured the radius packet and then viewed it with ethereal, you'd see. But you can do this for testing if you'd like. either create a file, say it's called test User-Name = myusername User-Password = mypasswd NAS-IP-Address = 10.0.0.1 NAS-Port = 0 and run radclient -f test localhost auth yoursecret or just pipe it printf User-Name = myusername\nUser-Password = mypasswd\nNAS-IP-Address = 10.0.0.1\nNAS-Port = 0\n | radclient localhost auth yoursecret Actually, I think you can do it with radtest adding nasname as well. This will make sure it sends over the right nas-ip. At least you know that config will work when you can get the right nas-ip over.
Re: Oracle module
I do have /usr/lib/oracle/10.1.0.3/client set for ORACLE_HOME ok, here's the config.log of rlm_sql_oracle for configure --with-rlm- sql_oracle-include-dir=/usr/include/oracle/10.1.0.3/client This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. configure:534: checking for gcc configure:647: checking whether the C compiler (gcc -g -O2 - D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall - D_GNU_SOURCE -DNDEBUG ) works configure:663: gcc -o conftest -g -O2 -D_REENTRANT - D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE - DNDEBUG conftest.c -lnsl -lresolv -lpthread -lcrypto -lssl 15 configure:660: warning: return type defaults to `int' configure:689: checking whether the C compiler (gcc -g -O2 - D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall - D_GNU_SOURCE -DNDEBUG ) is a cross-compiler configure:694: checking whether we are using GNU C configure:722: checking whether gcc accepts -g configure:754: checking how to run the C preprocessor configure:840: checking for oci.h configure:851: gcc -c -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS - DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG conftest.c 15 configure:845:17: oci.h: No such file or directory configure: In function `main': configure:847: warning: unused variable `a' configure: failed program was: #line 844 configure #include confdefs.h #include oci.h int main() { int a = 1; ; return 0; } configure:931: gcc -c -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS - DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I/usr/lib/oracle/ 10.1.0.3/client/rdbms/demo -I/usr/lib/oracle/10.1.0.3/client/rdbms/ public -I/usr/lib/oracle/10.1.0.3/client/plsql/public -I/usr/lib/ oracle/10.1.0.3/client/network/public -I/usr/lib/oracle/10.1.0.3/ client/oci/include conftest.c 15 configure:925:17: oci.h: No such file or directory configure: In function `main': configure:927: warning: unused variable `a' configure: failed program 
was: #line 924 configure #include confdefs.h #include oci.h int main() { int a = 1; ; return 0; } configure:994: gcc -c -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS - DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I/usr/include/oracle/ 10.1.0.3/client conftest.c 15 configure: In function `main': configure:990: warning: unused variable `a' giving me an oci.h error even though the main configure outputs: configuring in ./drivers/rlm_sql_oracle running /bin/sh ./configure --with-rlm-sql_oracle-include-dir=/usr/ include/oracle/10.1.0.3/client --enable-ltdl-install --cache- file=../../../../.././config.cache --srcdir=. loading cache ../../../../.././config.cache checking for gcc... (cached) gcc checking whether the C compiler (gcc -g -O2 -D_REENTRANT - D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE - DNDEBUG ) works... yes checking whether the C compiler (gcc -g -O2 -D_REENTRANT - D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE - DNDEBUG ) is a cross-compiler... no checking whether we are using GNU C... (cached) yes checking whether gcc accepts -g... (cached) yes checking how to run the C preprocessor... (cached) gcc -E checking for oci.h... yes yes creating ./config.status creating Makefile configuring in ./drivers/rlm_sql_unixodbc running /bin/sh ./configure --with-rlm-sql_oracle-include-dir=/usr/ include/oracle/10.1.0.3/client --enable-ltdl-install --cache- file=../../../../.././config.cache --srcdir=. loading cache ../../../../.././config.cache checking for gcc... 
(cached) gcc One would think there is no point of continuing after after looking at the errors in the first paragraph above, but here's the make output: m -fr .libs/rlm_sql_postgresql.la .libs/rlm_sql_postgresql.* .libs/ rlm_sql_postgresql-1.0.2.* gcc -shared sql_postgresql.lo -lpq -Wl,-soname - Wl,rlm_sql_postgresql-1.0.2.so -o .libs/rlm_sql_postgresql-1.0.2.so (cd .libs rm -f rlm_sql_postgresql.so ln -s rlm_sql_postgresql-1.0.2.so rlm_sql_postgresql.so) ar cru .libs/rlm_sql_postgresql.a sql_postgresql.o ranlib .libs/rlm_sql_postgresql.a creating rlm_sql_postgresql.la (cd .libs rm -f rlm_sql_postgresql.la ln -s ../ rlm_sql_postgresql.la rlm_sql_postgresql.la) gmake[10]: Leaving directory `/root/freeradius-1.0.2/src/modules/ rlm_sql/drivers/rlm_sql_postgresql' Making dynamic in rlm_sql_oracle... gmake[10]: Entering directory `/root/freeradius-1.0.2/src/modules/ rlm_sql/drivers/rlm_sql_oracle' /root/freeradius-1.0.2/libtool --mode=compile gcc -g -O2 - D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall - D_GNU_SOURCE -DNDEBUG -I../.. -I../../../../include -I/usr/include/oracle/10.1.0.3/ client -c sql_oracle.c rm -f .libs/sql_oracle.lo gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 - Wall -D_GNU_SOURCE -DNDEBUG -I../.. -I../../../../include -I/usr/ include/orac le/10.1.0.3/client -c sql_oracle.c
dynamic ip shared secret Question
hello ... i need a solution where freeradius accepts clients from any ip but with different shared secrets (because i want to authenticate users behind a dsl flatrate or something like this) is there any possibility to do something like that ? greeting grischan
windows 2000 supplicants and FreeRADIUS
do you have documentation on setting up a windows 2000 wifi-supplicants against a FreeRADIUS server that queries LDAP for authentication? ie.: windows 2000 notebook wi-fi connection to FreeRADIUS server FreeRADIUS server to LDAP server for authentication LDAP back to FreeRADIUS FreeRADIUS back to windows 2000 supplicant credentials verified network connectivity granted to windows 2000 supplicant! (=} i've successfully set up windows xp supplicants; however, i'm stumped on getting win2k to work. thank you in advance!!! -- cheers! jeremiah jay macias
Re: dynamic ip shared secret Question
glanzel [EMAIL PROTECTED] wrote: i need a solution where freeradius accepts clients from any ip but with different shared secrets (because i want to authenticate users behind a dsl flatrate or something like this) is there any possibility to do something like that ? No. You may end up with two clients at the same IP at different times. This makes it difficult to determine which shared secret to use. Alan DeKok.
Re: closer, but not working (was Re: problems with huntgroups)
On Tue, 24 May 2005, Dustin Doris wrote: printf User-Name = myusername\nUser-Password = mypasswd\nNAS-IP-Address = 10.0.0.1\nNAS-Port = 0\n | radclient localhost auth yoursecret Actually, I think you can do it with radtest adding nasname as well. This will make sure it sends over the right nas-ip. At least you know that config will work when you can get the right nas-ip over. Thanks for all your help, Dustin! I used the above printf/radclient command and everything works as expected. I tried to use it with radtest and the nasname option, but I never could get the syntax correct. Anyway, it works, so that's a huge weight off my shoulders :) Now, to try it on the REAL radius server. Brian
Re: windows 2000 supplicants and FreeRADIUS
On Tue, May 24, 2005, jay macias wrote: i've successfully set up windows xp supplicants; however, i'm stumped on getting win2k to work. thank you in advance!!! Unfortunately, there is no integrated WPA supplicant in Windows 2000. You will have to use an external supplicant. Until now, i haven't found any free software doing that. There is a (proprietary) W2K WPA software available there: http://www.wirelesssecuritycorp.com/wsc/public/WPAAssistant.do . The basic version that does WPA-PSK is available at no cost (i didn't test it), but you must pay for the version with WPA-RADIUS support. -- Alexandre Coninx
radiusd -C
The FAQ says I can use radiusd -C to check the files before a HUP, it also gives a nice sample script to use to check for necessary updating of the users file. However, I get radiusd: invalid option -- C The FAQ says 1.6.4 and later, but the latest version that can be downloaded is only 1.0.2? Carl
problem authenticating: Please Help
I'm having a problem authenticating my client, Windows XP, to the server, SUSE Linux. Every time I run radiusd -X -A I get the following messages: Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "Paulo", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched Paulo at 96 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A 4606:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48 4606:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails. 
eaptls_process returned 13 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 3 modcall: group authenticate returns reject for request 3 auth: Failed to validate the user. Delaying request 3 for 1 seconds Finished request 3 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 192.168.2.1:3080 EAP-Message = 0x04030004 Message-Authenticator = 0x Cleaning up request 3 ID 0 with timestamp 42929391 Nothing to do. Sleeping until we see a request. It could be having a problem with the certificate. I have a Wireless USB Adapter running the client configured with WPA / TLS / TKIP and a Wireless Router Configured with WPA (with Radius Server) / TKIP. What could be the problem?
Re: radiusd -C
Carl Davis [EMAIL PROTECTED] wrote: The FAQ says 1.6.4 and later, but the latest version that can be downloaded is only 1.0.2? Hmm... the FAQ is really old. That option isn't supported, and the 1.6.4 thing is for Cistron, not FreeRADIUS. Alan DeKok.
Re: freeradius install problems
maybe if you could give us more information we could help you better :-P. What happens? What does not happen? All that kind of things... On 5/24/05, Juanjo Lopez [EMAIL PROTECTED] wrote: Hi all: We're trying to install freeradius in a base RedHat 9. We try with basic installation of freeradius-snapshot-20050524.tar.gz: ./configure make make install but don't work. Is there a document to install freeradius in a Red Hat 9 box?? Thanks!
Re: radiusd -C
Is there another good option for checking the conf files before doing an HUP? On Tue, 2005-05-24 at 15:32 -0400, Alan DeKok wrote: Carl Davis [EMAIL PROTECTED] wrote: The FAQ says 1.6.4 and later, but the latest version that can be downloaded is only 1.0.2? Hmm... the FAQ is really old. That option isn't supported, and the 1.6.4 thing is for Cistron, not FreeRADIUS. Alan DeKok.
Defunct/zombie acct exec processes - still
Hi I just upgraded to 1.0.2 from 0.93, and now I'm seeing my acct exec program being left in a zombie state after being fired by acct_users file. Is there something I can do to prevent this, it's eating all my server's threads. Is this related to rlm_exec: Wait=yes but no output defined. Did you mean output=none? ? Is there something freeradius needs to see by way of returned data for it to let go of the child process cleanly? Should I set wait=no? If so which exec statement applies to the acct_users exec file? Thx in advance, Jon
Re: radiusd -C
Carl Davis [EMAIL PROTECTED] wrote: Is there another good option for checking the conf files before doing an HUP? No, sorry. Alan DeKok.
Re: radius server and sql server
From: Alan DeKok [EMAIL PROTECTED] In any case, radsqlrelay is about to be deleted from the CVS head. Radrelay, too. They're being replaced with minor changes to the server core which means that radiusd can now do everything those two programs did, and more. Wait a few weeks, and the CVS head should be fixed, and the relay functionality completely merged into radiusd. I am certainly grateful for development along this direction and I hope there will be sufficient retries and/or connection re-establishment mechanism built into these relays. As in any life environment, there are failures and there will be more failures. We cannot stop failures from happening but it is important to recover from the failures. Cheers.
Re: closer, but not working (was Re: problems with huntgroups)
Hi, For some reason, it's seeing the requests coming from NAS-IP-Address = 255.255.255.255 versus the ip address I think it should be coming from. You could try checking Client-IP-Address instead of NAS-IP-Address. NAS... is unreliable since the client can put into it whatever he likes. Client-IP-Address is a FreeRADIUS internal attribute that is set to the IP address from whom the request was received, i.e. the source address of the UDP packet. This is much more reliable than NAS-IP-Address. Greetings, Stefan Winter -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingénieur réseau et système 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg email: [EMAIL PROTECTED] tél.: +352 424409-33 http://www.restena.lu fax: +352 422473
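Stefan's point, that NAS-IP-Address is an attribute the client fills in while the UDP source address is something the server observes, is easy to see by decoding a packet. The following is an added example, not code from the list or from FreeRADIUS: it builds a constructed Access-Request carrying NAS-IP-Address = 255.255.255.255 as in Brian's log, parses the attribute TLVs with bounds checks, and compares the attribute against the address the datagram supposedly arrived from (what FreeRADIUS exposes as Client-IP-Address). All function names are the example's own.

```python
"""Compare the NAS-IP-Address attribute of a RADIUS Access-Request with the
UDP source address the request came from (RFC 2865 framing)."""
import struct
import ipaddress

# Standard attribute types used below (RFC 2865 section 5)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5


def build_access_request(attrs, identifier=0, authenticator=b"\x00" * 16):
    """Encode a minimal Access-Request (code 1) from a list of (type, value).
    Constructed test data only: no User-Password, zeroed authenticator."""
    body = b""
    for typ, value in attrs:
        if typ == ATTR_NAS_IP_ADDRESS:
            payload = ipaddress.IPv4Address(value).packed
        elif typ == ATTR_NAS_PORT:
            payload = struct.pack("!I", value)
        else:
            payload = value.encode() if isinstance(value, str) else value
        # Attribute = Type(1) | Length(1, includes the 2 header bytes) | Value
        body += struct.pack("!BB", typ, len(payload) + 2) + payload
    length = 20 + len(body)          # 20-byte header: code, id, length, authenticator
    return struct.pack("!BBH", 1, identifier, length) + authenticator + body


def parse_attributes(packet):
    """Walk the TLV list after the 20-byte header and return {type: raw_value}.
    Every length is checked against the buffer so a truncated or hostile
    packet raises ValueError instead of reading past the end."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field %d does not match %d bytes" % (length, len(packet)))
    attrs = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs[typ] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def check_nas_ip(packet, source_ip):
    """Return (nas_ip_or_None, source_ip, match).
    nas_ip is whatever the client wrote into attribute 4; source_ip is the
    address the datagram actually came from (Client-IP-Address in FreeRADIUS).
    Policy that must not be spoofable should key on the second, not the first."""
    attrs = parse_attributes(packet)
    raw = attrs.get(ATTR_NAS_IP_ADDRESS)
    if raw is None or len(raw) != 4:
        return None, source_ip, False
    nas_ip = str(ipaddress.IPv4Address(raw))
    return nas_ip, source_ip, nas_ip == source_ip


if __name__ == "__main__":
    # Constructed packet mirroring the log above: the attribute says
    # 255.255.255.255 although the datagram came from localhost.
    pkt = build_access_request([(ATTR_USER_NAME, "myusername"),
                                (ATTR_NAS_IP_ADDRESS, "255.255.255.255"),
                                (ATTR_NAS_PORT, 0)])
    nas_ip, src, same = check_nas_ip(pkt, "127.0.0.1")
    print("NAS-IP-Address=%s Client-IP-Address=%s match=%s" % (nas_ip, src, same))
```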