Re: Authenticate to eDirectory
On 2005-06-06 at 22:04:41 -0400, [EMAIL PROTECTED] wrote (shortened):

> Hello! Well, now I am completely confused. I have tried to install openldap2 before on sles9/oes-linux, and last time eDirectory did not start and I had to reinstall from scratch. And again, when selecting the dependencies before installing freeradius I get this:
>
>   openldap2 2.2.6-37.36 conflict
>   conflicts with: NDSserv conflicts with openldap2
>   Conflict resolution:
>     do not install openldap2
>     -or-
>     remove all 4 conflicting packages:
>       delete novstlog
>       delete ndsimon
>       delete novlembox
>       delete ndsserv
>     ignore conflict and risk system inconsistencies
>
> At least 2 of these are key Novell components. So, I did not install openldap2 or freeradius. Can someone explain how to make these 2 components work together?

I think you don't need openldap2 installed but only openldap2-client.

CU,
Wolfgang

-- 
SUSE LINUX GmbH -o) Tel: +49-(0)911-740 53 0
Maxfeldstr. 5 /\\ Fax: +49-(0)911-740 53 679
90409 Nuernberg, Germany _\_v simply change to www.suse.com

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [Fwd: rlm_passwd realms]
OK, thanks for the tip. Now I am receiving the following in the debug screen (something with Auth-Type, but I can't figure out what exactly):

1) with PAP

  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
  rlm_realm: Looking up realm mt for User-Name = [EMAIL PROTECTED]
  rlm_realm: Found realm mt
  rlm_realm: Adding Stripped-User-Name = edgars
  rlm_realm: Proxying request from user edgars to realm mt
  rlm_realm: Adding Realm = mt
  rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
  rlm_passwd: Added Autz-Type: 'mt' to config_items
  rlm_passwd: Added NAS-IP-Address: '10.5.8.103' to request_items
  modcall[authorize]: module edg_check returns ok for request 0
  modcall: group authorize returns ok for request 0
  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
  rlm_realm: Request already proxied. Ignoring.
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
  rlm_passwd: Added Autz-Type: 'mt' to config_items
  rlm_passwd: Added NAS-IP-Address: '10.5.8.103' to request_items
  modcall[authorize]: module edg_check returns ok for request 0
  modcall: group authorize returns ok for request 0
  auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
  auth: Failed to validate the user.
  Login incorrect: [edgars/edgars] (from client lalala port 2436 cli 1.1.1.2)

2) with MS-CHAP

  rad_check_password: Found Auth-Type MS-CHAP
  auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
  modcall: entering group Auth-Type for request 0
  rlm_mschap: No User-Password configured. Cannot create LM-Password.
  rlm_mschap: No User-Password configured. Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 0
  modcall: group Auth-Type returns reject for request 0
  auth: Failed to validate the user.
  Login incorrect: [edg/no User-Password attribute] (from client lalala port 2437 cli 1.1.1.2)

Edgars

Alan DeKok wrote:
> Edgars [EMAIL PROTECTED] wrote:
>> Seems that somewhere there is a mistake, 'cause I'm receiving the following information in the debug screen (pay attention to rlm_passwd: *Unable to create Autz-Type: mt*. What could it mean?):
>
> You didn't list mt as a VALUE for Autz-Type in the dictionaries.
>
> Alan DeKok.
Re: passwords
Sarkis Gabriel wrote:
> check admin.conf
>
>   #
>   # can be one of crypt,md5,clear
>   #
>   general_encryption_method: clear
>
> Dean Mumby wrote:
>> Dean Mumby wrote:
>>> Hi all,
>>> firstly I installed 1.0.1-1 for CentOS 3.4 and then downloaded the latest 1.0.3 tarball and installed dialup_admin. I am able to add users, but when I test a password it always says failed. Is there a setting that I have missed somewhere that controls whether the passwords are crypt or not? I intend to have all auth and acct configured in MySQL.
>>
>> OK, forget about the other questions. All I need is to know where to start looking for the problem. If I create a user using the dialup admin, the user is created. If I search I can find it, but no matter what I do I cannot get it to check the password and tell me it's correct. It always says it's wrong. Even with simple 1234 passwords. Could it be a problem with the encryption routines? Is it a PHP problem? This is an up2date CentOS 3.4 box. Any ideas?
>>
>> Regards
>> Dean

Thanks for this. I had actually found it already, and I am now able to test the password using the facility in the show section of the user_info; the actual radius authentication test fails. I will keep looking to see why.

Thanks again.
Dean
Re: NAS info + MySQL
On Mon, 06 Jun 2005 21:41:22 -0400 Alan DeKok [EMAIL PROTECTED] wrote:

> Marcin Jessa [EMAIL PROTECTED] wrote:
>> Web scripts get executed as the www user. That way I need to grant apache access to HUP radiusd, and that can be done with sudo, adding the www user to the sudoers file and allowing it to exec /usr/local/sbin/radiusd.
>
> The only thing that needs non-WWW permissions is a script which does:
>
>   #!/bin/sh
>   [ -f /var/log/radius/radiusd.pid ] && kill -HUP `cat /var/log/radius/radiusd.pid`
>
> It doesn't need to exec radiusd.

I was hoping I would not need to explain it one more time. It does not matter what kind of signal httpd sends to radiusd, it would still need to be able to execute the command as a privileged user.

>> The perfect solution would be to have radiusd reread the nas table when it gets changed.
>
> You've said that a number of times. We're all very clear on your opinions.

Yes, I mentioned it since this was the whole point of my email. That should seem reasonable to anyone.

> You can now:
>
> 1) Pay someone to write that code

I am considering that option. Do you know of anyone familiar with the freeradius code who could take the job?
Re: make install error in Solaris 8, freeradius-1.0.3
Hi,

Small FIX but it works:

  mv /usr/bin/strip /usr/bin/strip.old
  echo '#!/bin/bash' > /usr/bin/strip
  echo 'exit' >> /usr/bin/strip
  chmod 755 /usr/bin/strip
  cd freeradius-1.0.3
  make install
  mv -f /usr/bin/strip.old /usr/bin/strip

Worked for me.

Nuno Fernandes

On Monday 06 June 2005 16:52, Alan DeKok wrote:
> Nuno Pais Fernandes [EMAIL PROTECTED] wrote:
>> Same thing here with Whitebox 3.
>
> Try reading previous messages in the list.
>
> Alan DeKok.

-- 
Nuno Miguel Pais Fernandes [EMAIL PROTECTED]
Re: make install error in Solaris 8, freeradius-1.0.3
Don't strip the binary files. :-) It works. But it's a temporary method.

--- Nuno Pais Fernandes [EMAIL PROTECTED]:
> Hi,
>
> Small FIX but it works:
>
>   mv /usr/bin/strip /usr/bin/strip.old
>   echo '#!/bin/bash' > /usr/bin/strip
>   echo 'exit' >> /usr/bin/strip
>   chmod 755 /usr/bin/strip
>   cd freeradius-1.0.3
>   make install
>   mv -f /usr/bin/strip.old /usr/bin/strip
>
> Worked for me.
>
> Nuno Fernandes

Thanks.

Lei Chen
SASL bind for LDAP
Hi,

I could not find anything in the docs. I need to bind to an LDAP server (Apple Open Directory) using a certain SASL mechanism. Is this possible with freeradius 1.0.3, and if yes, how? If not, what else can I do? I just need it for authentication. I thought about pam_ldap. Any experiences?

Thanks
Ekkehard
Re: Re: Ip pool doesn't works properly
>> Hi,
>> How can I configure FreeRADIUS to assign IP addresses dynamically with Ip Pool when there is a successful authentication from a Cisco 7200 access server with FreeRADIUS 1.0.0? Like this it works sending out only 2 IP addresses... always the same...
>
> Is your Cisco sending a unique nasport/nasip for each client? Ip pool uses the nasip/nasport to identify the user.

YES. FROM THE LOGS SHOWN BELOW, IT SENDS OUT THE SAME TWO ADDRESSES AND DOESN'T KEEP ANY ENTRY IN THE DATABASE .IPPOOL (VIEWED WITH rlm_ippool_tool -a ...)

> run radiusd -X and have several users establish a connection. Post the output here if you can't decipher it.

  rad_recv: Access-Request packet from host 83.216.176.254:21661, id=219, length=95
  Framed-Protocol = PPP
  User-Name = font0001@
  CHAP-Password = 0x01af73ef6670b0a4a65130cb133a902c2f
  NAS-Port-Type = Virtual
  NAS-Port = 0
  Service-Type = Framed-User
  NAS-IP-Address = 83.216.176.254
  rad_lowerpair: User-Name now 'font0001@'
  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 13
  modcall[authorize]: module preprocess returns ok for request 13
  radius_xlat: '/freerad100/var/log/radius/radacct/83.216.176.254/auth-detail-20050607'
  rlm_detail: /freerad100/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /freerad100/var/log/radius/radacct/83.216.176.254/auth-detail-20050607
  modcall[authorize]: module auth_log returns ok for request 13
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 13
  modcall[authorize]: module mschap returns noop for request 13
  rlm_realm: No '/' in User-Name = font0001@, looking up realm NULL
  rlm_realm: No such realm NULL
  modcall[authorize]: module IPASS returns noop for request 13
  rlm_realm: Looking up realm @ for User-Name = font0001@
  rlm_realm: No such realm @
  modcall[authorize]: module suffix returns noop for request 13
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 13
  modcall[authorize]: module files returns notfound for request 13
  radius_xlat: 'font0001@'
  rlm_sql (sql): sql_set_user escaped user -- 'font0001@'
  radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED] m.it' ORDER BY id'
  rlm_sql (sql): Reserving sql socket id: 4
  radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'font0001@' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
  radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '[EMAIL PROTECTED] m.it' ORDER BY id'
  radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'font0001@' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
  rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns ok for request 13
  modcall: group authorize returns ok for request 13
  rad_check_password: Found Auth-Type Local
  auth: type Local
  auth: user supplied CHAP-Password matches local User-Password
  Login OK: [font0001@/CHAP-Password] (from client Telecom-BRAS1-3 port 0)
  Processing the post-auth section of radiusd.conf
  modcall: entering group post-auth for request 13
  modcall[post-auth]: module main_pool returns noop for request 13
  rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
  rlm_ippool: Found a stale entry for ip/port: 83.216.178.213/0
  rlm_ippool: num: 0
  rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
  rlm_ippool: Allocating ip to nas/port: 83.216.176.254/0
  rlm_ippool: num: 1
  rlm_ippool: Allocated ip 83.216.178.190 to client on nas 83.216.176.254,port 0
  modcall[post-auth]: module whsitt_pool returns ok for request 13
  radius_xlat: '/freerad100/var/log/radius/radacct/83.216.176.254/reply-detail-20050607'
  rlm_detail: /freerad100/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /freerad100/var/log/radius/radacct/83.216.176.254/reply-detail-20050607
  modcall[post-auth]: module reply_log returns ok for request 13
  rlm_sql (sql): Processing sql_postauth
  radius_xlat: 'font0001@'
  rlm_sql (sql): sql_set_user escaped user -- 'font0001@'
  radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', '[EMAIL PROTECTED] t', 'Chap-Password', 'Access-Accept', NOW())'
  rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'font0001@', 'Chap-Password', 'Access-Accept', NOW())
  rlm_sql (sql): Reserving sql socket id: 3
  rlm_sql (sql): Released sql socket id: 3
  modcall[post-auth]: module sql returns ok for request 13
  modcall: group post-auth returns ok for request 13
  Sending Access
Re: Vendor specific attributes, tags
Hi,

so Alan, one more question: what is non-standard?? Maybe there was a misunderstanding. I have a usual vendor specific attribute, but at the beginning of the String field there is a tag of 1 byte. Isn't it right that you can put anything in the string field in the case of vendor specific attributes? That's the argument of the vendor, which also delivers the Radius-Server :-) but we want to use freeRadius. Another argument of the vendor is that our Radius-Server (freeRadius) isn't able to understand vendor-specific attributes with tagged fields. I am quite a bit confused now. So this attribute conforms to the RFC, but the credentials are in a proprietary format, right??

Thanks a lot.

Frederic

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, 13 May 2005 18:30
To: freeradius-users@lists.freeradius.org
Subject: Re: Vendor specific attributes, tags

> Metz, Frederic [EMAIL PROTECTED] wrote:
>> I have a Vendor specific Radius attribute which is tagged with one byte at the beginning of the value field in the attribute.
>
> That's pretty non-standard.
>
>> So when I have a vendor specific tagged attribute which comes, e.g., twice in a Radius-Packet, I want to bring the data of the attribute with tag 1 into field 1 and with tag 2 into field 2 in mysql. But sql.conf has only one variable (%{Attribute}) for that. I didn't find any spec which allows vendor specific tagging. Can someone help me?
>
> I've never heard of this before, which is why there's no support for it in the server. i.e. You're the first person to ask for this.
>
> My suggestion is code modifications to convert the VSA into a more standard format. There's really no simple way to do it without writing C code.
>
> Alan DeKok.
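The thread describes a Vendor-Specific attribute (RADIUS type 26) whose vendor value carries a one-byte tag in front of the string, with the same attribute appearing more than once per packet. The following is an added example, not code from the thread or from FreeRADIUS, showing how such a packet would be parsed and the values grouped by tag. The vendor id (99999) and vendor type (7) are constructed placeholders, as is the sample attribute list; the attribute and vendor length fields are checked before any byte is read, which is what a defender wants from a parser of untrusted UDP input.

```python
import struct
from collections import defaultdict

# Constructed vendor id and vendor type for the example; the thread names neither.
EXAMPLE_VENDOR_ID = 99999
TAGGED_VENDOR_TYPE = 7


def build_vsa(vendor_id, vendor_type, value):
    """Encode one RFC 2865 Vendor-Specific attribute (type 26) wrapping a vendor TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", 26, len(body) + 2) + body


def iter_attributes(data):
    """Yield (type, value) pairs from a RADIUS attribute list, validating every length."""
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        yield atype, data[off + 2:off + alen]
        off += alen


def parse_vsa(value):
    """Split a type-26 value into (vendor_id, vendor_type, vendor_value)."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    if vlen < 2 or 4 + vlen != len(value):
        raise ValueError("vendor length does not match VSA length")
    return vendor_id, vtype, value[6:4 + vlen]


def collect_tagged(packet_attrs, vendor_id, vendor_type):
    """Return {tag: [payload, ...]} for every matching VSA whose first byte is a tag."""
    by_tag = defaultdict(list)
    for atype, value in iter_attributes(packet_attrs):
        if atype != 26:
            continue
        vid, vtype, vvalue = parse_vsa(value)
        if vid != vendor_id or vtype != vendor_type:
            continue
        if not vvalue:
            raise ValueError("tagged VSA with empty value")
        by_tag[vvalue[0]].append(vvalue[1:])
    return dict(by_tag)


# Constructed sample attribute list: a User-Name (type 1) plus three tagged VSAs,
# two of them carrying tag 1, so the "comes twice in a packet" case is covered.
SAMPLE_ATTRS = (
    struct.pack("!BB", 1, 2 + 5) + b"alice"
    + build_vsa(EXAMPLE_VENDOR_ID, TAGGED_VENDOR_TYPE, b"\x01first-field")
    + build_vsa(EXAMPLE_VENDOR_ID, TAGGED_VENDOR_TYPE, b"\x02second-field")
    + build_vsa(EXAMPLE_VENDOR_ID, TAGGED_VENDOR_TYPE, b"\x01again")
)

if __name__ == "__main__":
    grouped = collect_tagged(SAMPLE_ATTRS, EXAMPLE_VENDOR_ID, TAGGED_VENDOR_TYPE)
    for tag, vals in sorted(grouped.items()):
        print(f"tag {tag}: {[v.decode() for v in vals]}")
```

Once the values are grouped this way, writing tag 1 and tag 2 into separate columns is a matter of ordinary SQL; the point of the example is that the grouping has to happen in code that decodes the vendor value, which is what the reply in the thread says FreeRADIUS 1.x does not do on its own.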
Re: make install error in Solaris 8, freeradius-1.0.3
Nuno Pais Fernandes wrote:
> Hi,
>
> Small FIX but it works:
>
>   mv /usr/bin/strip /usr/bin/strip.old
>   echo '#!/bin/bash' > /usr/bin/strip
>   echo 'exit' >> /usr/bin/strip
>   chmod 755 /usr/bin/strip
>   cd freeradius-1.0.3
>   make install
>   mv -f /usr/bin/strip.old /usr/bin/strip
>
> Worked for me.
>
> Nuno Fernandes

Had to use the above fix on Solaris 9 as well.

-- 
Regards
Garry Crothers
Trouble installing 1.0.3
When I install 1.0.3, I get at the end:

  /var/dev/freeradius-1.0.3/install-sh -c -m 755 -s radwho /usr/local/bin
  strip: /usr/local/bin/#inst.22560#: File format not recognized
  gmake[4]: *** [install] Error 1
  (...)

My configure line is simply ./configure. I am on RH Linux 7.3, plain kernel 2.4.24. But all the rest seems ok. Is this critical?

Nicolas
Re: Trouble installing 1.0.3
On 2005-06-07 at 09:18:08 -0400, Nicolas Ross wrote (shortened):

> When I install 1.0.3, I get at the end:
>
>   /var/dev/freeradius-1.0.3/install-sh -c -m 755 -s radwho /usr/local/bin
>   strip: /usr/local/bin/#inst.22560#: File format not recognized
>   gmake[4]: *** [install] Error 1
>   (...)
>
> My configure line is simply ./configure. I am on RH Linux 7.3, plain kernel 2.4.24. But all the rest seems ok. Is this critical?

Please see http://bugs.freeradius.org/show_bug.cgi?id=240

CU,
Wolfgang
Re: Re: Ip pool doesn't works properly
On Tue, 7 Jun 2005, Simone Giovanardi wrote:

>>> Hi,
>>> How can I configure FreeRADIUS to assign IP addresses dynamically with Ip Pool when there is a successful authentication from a Cisco 7200 access server with FreeRADIUS 1.0.0? Like this it works sending out only 2 IP addresses... always the same...
>>
>> Is your Cisco sending a unique nasport/nasip for each client? Ip pool uses the nasip/nasport to identify the user.
>
> YES. FROM THE LOGS SHOWN BELOW, IT SENDS OUT THE SAME TWO ADDRESSES AND DOESN'T KEEP ANY ENTRY IN THE DATABASE .IPPOOL (VIEWED WITH rlm_ippool_tool -a ...)

Unique nasip/nasport. Unique being the key word. Your NAS is sending over a nas-port of 0 for all requests. This makes it look like it's the same user.

>   rad_recv: Access-Request packet from host 83.216.176.254:21661, id=219, length=95
>   Framed-Protocol = PPP
>   User-Name = font0001@
>   CHAP-Password = 0x01af73ef6670b0a4a65130cb133a902c2f
>   NAS-Port-Type = Virtual
>   NAS-Port = 0
>   Service-Type = Framed-User
>   NAS-IP-Address = 83.216.176.254
>   rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
>   rlm_ippool: Found a stale entry for ip/port: 83.216.178.213/0
>   rlm_ippool: num: 0
>   rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
>   rlm_ippool: Allocating ip to nas/port: 83.216.176.254/0
>   rlm_ippool: num: 1
>   rlm_ippool: Allocated ip 83.216.178.190 to client on nas 83.216.176.254,port 0
>
>   rad_recv: Access-Request packet from host 83.216.176.254:21661, id=220, length=95
>   Framed-Protocol = PPP
>   User-Name = font0001@
>   CHAP-Password = 0x01852ebbe42598a17861fa2b06de488ff7
>   NAS-Port-Type = Virtual
>   NAS-Port = 0
>   Service-Type = Framed-User
>   NAS-IP-Address = 83.216.176.254
>   rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
>   rlm_ippool: Found a stale entry for ip/port: 83.216.178.190/0
>   rlm_ippool: num: 0
>   rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
>   rlm_ippool: Allocating ip to nas/port: 83.216.176.254/0
>   rlm_ippool: num: 1
>   rlm_ippool: Allocated ip 83.216.178.213 to client on nas 83.216.176.254,port 0
>
>   rad_recv: Access-Request packet from host 83.216.176.254:21661, id=226, length=80
>   Framed-Protocol = PPP
>   User-Name = satc0002@
>   CHAP-Password = 0x0193da4f830e1c9dfa12364d6122880c8f
>   NAS-Port-Type = Virtual
>   NAS-Port = 0
>   Service-Type = Framed-User
>   NAS-IP-Address = 83.216.176.254
>   rlm_ippool: Found a stale entry for ip/port: 83.216.178.213/0
>   rlm_ippool: num: 0
>   rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
>   rlm_ippool: Allocating ip to nas/port: 83.216.176.254/0
>   rlm_ippool: num: 1
>   rlm_ippool: Allocated ip 83.216.178.190 to client on nas 83.216.176.254,port 0

Notice the nasip and nasport are the same for each request. Ip_pool keys off the combination of nasip/nasport to determine the UNIQUE user. You need to configure your NAS to send over a unique nasport for each user.

In Cisco, the nas-port is a 32 bit number. Typically, the first 8 bits make up the interface. This is broken down into 4 bits/1 bit/3 bits of slot/mod/port. The second 8 bits make up the vpi and the last 16 make up the vci. So if you were located in interface 1/0/3 with a PVC of 33/48, the Nas-Port would represent that. Read the Cisco documentation.

Try something like this:

  Router(config)# radius-server attribute nas-port format d

In order to use ip-pool you need to have a unique nasport sent over, or modify the code to trigger off something else.

Hope that helps.

-Dusty Doris
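The reply above explains two things: that rlm_ippool identifies a session by the NAS-IP-Address/NAS-Port pair, and how the Cisco 32-bit NAS-Port is laid out as slot/mod/port (4/1/3 bits), VPI (8 bits) and VCI (16 bits). The following is an added example, not code from the thread or from FreeRADIUS, that packs and unpacks a NAS-Port using exactly the layout the reply describes and then counts how many distinct pool keys a batch of requests produces. The request lists are constructed: the first reproduces the symptom in the logs (every request arriving with NAS-Port 0), the second shows the same three sessions once the NAS encodes a distinct interface/PVC per session.

```python
from collections import Counter


def encode_nas_port(slot, mod, port, vpi, vci):
    """Pack slot/mod/port (4/1/3 bits), VPI (8 bits) and VCI (16 bits) into a 32-bit
    NAS-Port, following the layout described in the thread for Cisco 'format d'."""
    if not (0 <= slot < 16 and 0 <= mod < 2 and 0 <= port < 8
            and 0 <= vpi < 256 and 0 <= vci < 65536):
        raise ValueError("field out of range for the 4/1/3/8/16 layout")
    interface = (slot << 4) | (mod << 3) | port
    return (interface << 24) | (vpi << 16) | vci


def decode_nas_port(nas_port):
    """Inverse of encode_nas_port; returns the five fields as a dict."""
    if not 0 <= nas_port <= 0xFFFFFFFF:
        raise ValueError("NAS-Port must fit in 32 bits")
    interface = nas_port >> 24
    return {
        "slot": interface >> 4,
        "mod": (interface >> 3) & 0x1,
        "port": interface & 0x7,
        "vpi": (nas_port >> 16) & 0xFF,
        "vci": nas_port & 0xFFFF,
    }


def ippool_key(nas_ip, nas_port):
    """rlm_ippool identifies a session by the NAS-IP-Address/NAS-Port pair."""
    return (nas_ip, nas_port)


def distinct_sessions(requests):
    """Count the distinct pool keys a list of (nas_ip, nas_port) requests produces.
    Requests sharing a key are treated by the pool as the same session."""
    return len(Counter(ippool_key(ip, port) for ip, port in requests))


# Constructed requests mirroring the logs in the thread: three logins, NAS-Port always 0.
BROKEN_REQUESTS = [("83.216.176.254", 0)] * 3

# The same three logins once the NAS encodes a distinct interface/PVC per session
# (interface 1/0/3 PVC 33/48 is the worked case from the reply).
FIXED_REQUESTS = [
    ("83.216.176.254", encode_nas_port(1, 0, 3, 33, 48)),
    ("83.216.176.254", encode_nas_port(1, 0, 3, 33, 49)),
    ("83.216.176.254", encode_nas_port(1, 0, 4, 33, 48)),
]

if __name__ == "__main__":
    worked = encode_nas_port(1, 0, 3, 33, 48)
    print(f"interface 1/0/3 PVC 33/48 -> NAS-Port {worked} (0x{worked:08x})")
    print(decode_nas_port(worked))
    print("distinct sessions, NAS-Port always 0:", distinct_sessions(BROKEN_REQUESTS))
    print("distinct sessions, per-session NAS-Port:", distinct_sessions(FIXED_REQUESTS))
```

With NAS-Port fixed at 0 the three requests collapse to a single key, which is why the pool keeps handing back the same address and marking the previous one stale; with per-session ports each login gets its own key and its own lease.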
/usr/local/lib/rlm_eap_tls-1.0.2.so: undefined symbol: SSL_set_msg_callback
Hi everyone,

I am working in Munich on authentication with SIP phones. An XP PC is working fine with the IAS. Now, instead of IAS, I am trying FreeRadius, but when the PC sends an "Access request" I receive an error. I am working with version 1.0.2. TLS is enabled in eap.conf.

Rgds

  rad_recv: Access-Request packet from host 192.168.3.128:1064, id=72, length=168
  User-Name = "[EMAIL PROTECTED]"
  Called-Station-Id = "00-11-88-03-16-51"
  Calling-Station-Id = "00-60-08-13-33-ed"
  NAS-Identifier = "00-11-88-03-16-3d"
  NAS-Port = 20
  Framed-MTU = 1500
  NAS-Port-Type = Ethernet
  EAP-Message = 0x0201001c017573657231406561706f6c2e7369656d656e732e636f6d
  Message-Authenticator = 0x19544fcf6da4d901132ee1e9db0bf45a
  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  rlm_realm: Looking up realm "eapol.siemens.com" for User-Name = "[EMAIL PROTECTED]"
  rlm_realm: No such realm "eapol.siemens.com"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 28
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
  users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
  modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
  auth: type "EAP"
  Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  radiusd: error while loading shared libraries: /usr/local/lib/rlm_eap_tls-1.0.2.so: undefined symbol: SSL_set_msg_callback
Re: Trouble installing 1.0.3
Thanks for pointing it out!

Nicolas

----- Original Message -----
From: Wolfgang Rosenauer [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, June 07, 2005 9:30 AM
Subject: Re: Trouble installing 1.0.3

> On 2005-06-07 at 09:18:08 -0400, Nicolas Ross wrote (shortened):
>
>> When I install 1.0.3, I get at the end:
>>
>>   /var/dev/freeradius-1.0.3/install-sh -c -m 755 -s radwho /usr/local/bin
>>   strip: /usr/local/bin/#inst.22560#: File format not recognized
>>   gmake[4]: *** [install] Error 1
>>   (...)
>>
>> My configure line is simply ./configure. I am on RH Linux 7.3, plain kernel 2.4.24. But all the rest seems ok. Is this critical?
>
> Please see http://bugs.freeradius.org/show_bug.cgi?id=240
>
> CU,
> Wolfgang
Simultaneous-Use
I am sorry to post, but I am just not getting something right here. I have been running this freeradius server for quite some time with no problems. I have just now decided that I want to solve the Simultaneous-Use problem. I am using 1.0.2 and a MySQL database located on another server. I have followed everything that I can find on the net about the configuration, but I can still log on the same user as many times as I want.

It may help to know that the radius server is only being used by a website script for login (chillispot). For my needs I am not setting up any groups or anything special in the database. I am basically only dealing with the radcheck table. This is the only table that has the usernames and passwords. All the other tables seem not to be needed for what I am doing. I am open to suggestions of course if I need to add entries into any other table to make simultaneous-use work.

Here are my conf files:

sql.conf

  sql_user_name = "%{User-Name}"
  simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctSessionTime = 0"
  simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
  group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'"
  postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"

radiusd.conf

  instantiate {
          exec
          expr
  }
  authorize {
          preprocess
          chap
          mschap
          suffix
          sql
  }
  authenticate {
          Auth-Type PAP {
                  pap
          }
          Auth-Type CHAP {
                  chap
          }
          Auth-Type MS-CHAP {
                  mschap
          }
  }
  preacct {
          preprocess
          suffix
  }
  accounting {
          acct_unique
          detail
          unix
          sql
          radutmp
  }
  session {
          radutmp
  }
  post-auth {
  }
  pre-proxy {
  }
  post-proxy {
          eap
  }

Any suggestions?

thanks
-Blake
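Simultaneous-Use enforcement in the SQL module rests on two things: the accounting table must record which sessions are still open, and the simul_count query must recognise those rows. The following is an added example, not code from the post or from FreeRADIUS, that builds a constructed radacct table in sqlite3 with rows in the shape of the 1.x MySQL schema (open sessions keep AcctStopTime = 0) and runs the post's simul_count predicate, AcctSessionTime = 0, next to a count keyed on AcctStopTime, for a user whose open session has already received an interim update and therefore carries a non-zero AcctSessionTime. The user names, session ids and values are constructed; the query takes the user name as a bound parameter rather than splicing it into the SQL text, which is the role %{SQL-User-Name} escaping plays in the server's own config.

```python
import sqlite3

# Constructed accounting rows; open sessions keep AcctStopTime = 0 as the 1.x schema did.
SAMPLE_RADACCT = [
    # (UserName, AcctSessionId, NASIPAddress, AcctSessionTime, AcctStopTime)
    ("blake", "s1", "10.0.0.1", 0,   0),                       # just started, no interim update yet
    ("blake", "s2", "10.0.0.1", 600, 0),                       # still open, AcctSessionTime set by an interim update
    ("blake", "s3", "10.0.0.1", 900, "2005-06-07 10:00:00"),   # closed by an Accounting-Stop
    ("carol", "s4", "10.0.0.2", 0,   0),
]

# The two open-session predicates compared by this example.
OPEN_PREDICATES = {
    "by_session_time": "AcctSessionTime = 0",   # the predicate in the post's simul_count_query
    "by_stop_time": "AcctStopTime = 0",         # the predicate in the post's simul_verify_query
}


def load_radacct(conn):
    """Create the constructed radacct table and insert the sample rows."""
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctSessionId TEXT, NASIPAddress TEXT, "
        "AcctSessionTime INTEGER, AcctStopTime)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", SAMPLE_RADACCT)


def simul_count(conn, username, predicate_name):
    """Run a simul_count-style query; the predicate comes from a fixed table and the
    user name is bound as a parameter, so no request data reaches the SQL text."""
    predicate = OPEN_PREDICATES[predicate_name]
    row = conn.execute(
        f"SELECT COUNT(*) FROM radacct WHERE UserName = ? AND {predicate}", (username,)
    ).fetchone()
    return row[0]


def open_sessions(username):
    """Return the open-session count under each predicate for one user."""
    conn = sqlite3.connect(":memory:")
    load_radacct(conn)
    return {name: simul_count(conn, username, name) for name in OPEN_PREDICATES}


def exceeds_limit(username, simultaneous_use):
    """Mirror the Simultaneous-Use decision: the login is refused once the number of
    sessions still open (AcctStopTime = 0) has reached the configured limit."""
    return open_sessions(username)["by_stop_time"] >= simultaneous_use


if __name__ == "__main__":
    for user in ("blake", "carol"):
        print(user, open_sessions(user), "reject at Simultaneous-Use := 1:", exceeds_limit(user, 1))
```

For "blake" the two predicates disagree: the session that has received an interim update is still open but no longer has AcctSessionTime = 0, so a count on that column under-reports the open sessions while a count on AcctStopTime sees both. Either count is only as good as the rows the accounting section writes into the table in the first place.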
RE: make install error in Solaris 8, freeradius-1.0.3
Dear all,

I tried the fix proffered below on redhat90 and it worked.

aruna

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garry Crothers
Sent: Tuesday, June 07, 2005 1:39 PM
To: FreeRadius users mailing list
Subject: Re: make install error in Solaris 8, freeradius-1.0.3

> Nuno Pais Fernandes wrote:
>> Hi,
>>
>> Small FIX but it works:
>>
>>   mv /usr/bin/strip /usr/bin/strip.old
>>   echo '#!/bin/bash' > /usr/bin/strip
>>   echo 'exit' >> /usr/bin/strip
>>   chmod 755 /usr/bin/strip
>>   cd freeradius-1.0.3
>>   make install
>>   mv -f /usr/bin/strip.old /usr/bin/strip
>>
>> Worked for me.
>>
>> Nuno Fernandes
>
> Had to use the above fix on Solaris 9 as well.
>
> -- 
> Regards
> Garry Crothers
Installing freeradius 1.0.3
Hello,

I am trying to install freeradius 1.0.3 on a machine running the Linux Ubuntu hoary OS. My questions are:

1. Will the following procedure work?

  tar xzf ~/freeradius-1.0.3.tar.gz
  cd freeradius-1.0.3
  fakeroot dpkg-buildpackage -b
  sudo dpkg -i ../freeradius_1.0.3-0_i386.deb

2. Do I have to make any changes due to the fact that (i) I am using Ubuntu (Debian) or that (ii) I will be using MySQL modules?

Thanks,
Max
First time conf issues
I've been using ICRadius for a while and it's run smoothly, but I needed to upgrade to freeradius to do some WPA radius. It installed fine on a FreeBSD 4.11 system, reading the information in the MySQL database. However I can't get it working and would like some help.

If I start the server, when I run radtest it only seems to send the User-Name. It will say "Sending Access-Request, User-Name = kpitcher" and will then get a rad_recv error. I also seem to authenticate half way, and then it just doesn't go through. Any suggestions would be greatly appreciated.

Keith

  rlm_sql (sql): sql_set_user escaped user -- 'kpitcher'
  radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'kpitcher' ORDER BY id'
  rlm_sql (sql): Reserving sql socket id: 2
  radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'kpitcher' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
  radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'kpitcher' ORDER BY id'
  radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'kpitcher' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
  rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module sql returns ok for request 1
  modcall: group authorize returns updated for request 1
  There was no response configured: rejecting request 1
  Server rejecting request 1.

  reread_config: reading radiusd.conf
  Config: including file: /usr/local/etc/raddb/proxy.conf
  Config: including file: /usr/local/etc/raddb/clients.conf
  Config: including file: /usr/local/etc/raddb/snmp.conf
  Config: including file: /usr/local/etc/raddb/eap.conf
  Config: including file: /usr/local/etc/raddb/sql.conf
  main: prefix = /usr/local
  main: localstatedir = /var
  main: logdir = /var/log
  main: libdir = /usr/local/lib
  main: radacctdir = /var/log/radacct
  main: hostname_lookups = no
  main: snmp = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = yes
  main: log_file = /var/log/radius.log
  main: log_auth = yes
  main: log_auth_badpass = yes
  main: log_auth_goodpass = yes
  main: pidfile = /var/run/radiusd/radiusd.pid
  main: bind_address = 127.0.0.1 IP address [127.0.0.1]
  main: user = (null)
  main: group = (null)
  main: usercollide = no
  main: lower_user = yes
  main: lower_pass = after
  main: nospace_user = yes
  main: nospace_pass = after
  main: checkrad = /usr/local/sbin/checkrad
  main: proxy_requests = no
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = no
  proxy: dead_time = 120
  proxy: post_proxy_authorize = yes
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
  read_config_files: reading dictionary
  read_config_files: reading naslist
  Using deprecated naslist file. Support for this will go away soon.
  read_config_files: reading clients
  read_config_files: reading realms
  radiusd: entering modules setup
  Module: Library search path is /usr/local/lib
  Module: Loaded exec
  exec: wait = yes
  exec: program = (null)
  exec: input_pairs = request
  exec: output_pairs = (null)
  exec: packet_type = (null)
  rlm_exec: Wait=yes but no output defined. Did you mean output=none?
  Module: Instantiated exec (exec)
  Module: Loaded expr
  Module: Instantiated expr (expr)
  Module: Loaded PAP
  pap: encryption_scheme = crypt
  Module: Instantiated pap (pap)
  Module: Loaded eap
  eap: default_eap_type = md5
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = no
  eap: cisco_accounting_username_bug = no
  rlm_eap: Loaded and initialized type md5
  rlm_eap: Loaded and initialized type leap
  gtc: challenge = Password:
  gtc: auth_type = PAP
  rlm_eap: Loaded and initialized type gtc
  mschapv2: with_ntdomain_hack = no
  rlm_eap: Loaded and initialized type mschapv2
  Module: Instantiated eap (eap)
  Module: Loaded preprocess
  preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
  preprocess: hints = /usr/local/etc/raddb/hints
  preprocess: with_ascend_hack = no
  preprocess: ascend_channels_per_line = 23
  preprocess: with_ntdomain_hack = no
  preprocess: with_specialix_jetstream_hack = no
  preprocess: with_cisco_vsa_hack = no
  Module: Instantiated preprocess (preprocess)
  Module: Loaded detail
  detail: detailfile = /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
  Module: Instantiated detail (auth_log)
  Module: Loaded realm
  realm: format = suffix
  realm: delimiter = @
  realm: ignore_default = no
  realm: ignore_null = no
  Module:
Question regarding SSH connection resets when auth via pam radius
Hi, any help with this issue would be greatly appreciated:

I have pam_radius_auth configured on redhat enterprise (just for sshd and login), and the authentication is working properly. Unfortunately, when I log in via SSH, after some time (fairly brief), the connection simply terminates. I get no errors, and I have perused the pertinent logs, and I see absolutely NO indication that there is a problem. I did a sniffer trace, and it is the server side of the SSH connection that actually terminates it. The TCP connection is terminated gracefully with a TCP FIN sent by the server. I can't decode the SSH data further to determine if there is an error in the SSH protocol. It seems that the connection reset happens after a certain amount of data is passed, rather than an amount of time. I find it hard to believe that the RADIUS authentication would have any effect on encryption key exchanges or anything like that, but I do not have this problem when I log in with an account that is NOT configured in RADIUS (also I remove the line in /etc/pam.d/login).

At this point, I have no idea where to move forward with my troubleshooting efforts. Any ideas?
Re: Vendor specific attributes, tags
Metz, Frederic [EMAIL PROTECTED] wrote:
...

PLEASE don't CC me on posts to the list. I already get enough mail. If I get enough duplicates from someone, I just delete all of their messages unread.

> what is non-standard ?? maybe there was a misunderstanding.

non-standard == not defined in the RFCs.

> I have a usual vendor specific attribute, but in the beginning of the String field there is a tag of 1 byte.

Yes, I'm very clear on that.

> Isn't it right that you can put anything in the string field in case of vendor specific attributes, that's the argument of the vendor, which also delivers the Radius-Server :-)

Yes, that's true.

> but we want to use freeRadius. Another argument of the vendor is that our Radius-Server (freeRadius) isn't able to understand vendor-specific attributes with tagged fields.

*No* RADIUS server I know of supports that. It's non-standard. If your client uses it, then *no* radius server will be able to understand those attributes.

> I am quite a bit confused now. So this attribute conforms to the RFC?, but the credentials are in proprietary format, right ??

Yes. But you also said:

> I want to bring the data of the attribute with tag 1 into field 1 and with tag 2 into field 2 in mysql.

Let me repeat myself again: NO RADIUS SERVER I KNOW OF CAN DO THIS TODAY. It's non-standard. If you want FreeRADIUS to do it, then write C code to interpret the attributes, because the default configuration of FreeRADIUS does not understand these attributes, because they're non-standard. In nearly 10 years of working on RADIUS, this is the first time I've seen this kind of attribute. The benefit with using FreeRADIUS is that you *can* fix it to do what you want. With commercial servers, you can't.

Alan DeKok.
Re: /usr/local/lib/rlm_eap_tls-1.0.2.so: undefined symbol: SSL_set_msg_callback
JAUMOTTE JEAN-LOUIS [EMAIL PROTECTED] wrote:
> Hi everyone, I am working in Munich for authentication with SIP phones

Sounds great!

> /usr/local/lib/rlm_eap_tls-1.0.2.so: undefined symbol: SSL_set_msg_callback

You have two versions of OpenSSL installed. FreeRADIUS uses one when it's built, and then your dynamic library loader chooses the other when FreeRADIUS is executing. The solution is to set LD_PRELOAD. See scripts/rc.radiusd for examples.

Alan DeKok.
Re: Simultaneous-Use
Blake [EMAIL PROTECTED] wrote:
> I have been running this freeradius server for quite some time with no problems. I have just now decided that I want to solve the Simultaneous-Use problem. I am using 1.0.2 and a mysql database located on another server. I have followed everything that I can find on the net about the configuration but I can still logon the same user as many times as I want.

Are you setting Simultaneous-Use = 1?

Alan DeKok.
Re: First time conf issues
Keith Pitcher [EMAIL PROTECTED] wrote:
> if I start the server, when I run radtest it only seems to send the User-Name. It will say Sending Access-Request, User-Name = kpitcher and will then get a rad_recv error.

Are you willing to post the *exact* command you entered, and the *exact* output, rather than summarizing them?

> There was no response configured: rejecting request 1

Did you try configuring the server to know about the user password you're trying with radtest?

Alan DeKok.
Re: NAS info + MySQL
Seferovic Edvin [EMAIL PROTECTED] wrote:
> I have been watching this from the beginning ;) It got really interesting now. Does anyone know about OMAPI support in DHCPd? It allows you to change the config ( for example - update a lease ) at the real time without a need to restart a server.

As I said in an earlier post, FreeRADIUS allows this, too. Just not for everything. Similarly, DHCPd doesn't export all of its configuration through OMAPI.

Alan DeKok.
Re: radrelay bug with large attributes
Simon Pasquier [EMAIL PROTECTED] wrote:
> I've checked the bug database and the latest version of radrelay.c in the CVS repository but I couldn't find anything. So I was wondering if a bug should be opened to track this issue?

I'll fix the issue in 1.0.4, which should be released soon. The problem won't re-occur in 1.1.x, as radrelay is being replaced with other, more powerful, functionality.

Alan DeKok.
Re: WLAN Transport protocol
Joseph Abadi [EMAIL PROTECTED] wrote:
> The whole setup works fine when the wireless cards have the WLAN Transport protocol installed. But we are also working with some 20 USB wireless adapters that don't come with the protocol and don't give us the option to install it. Those cards aren't able to connect at all. Here comes the very noob question: is there a way to download that protocol or does it have to be provided with the card/adapter itself?

http://www.securew2.com

Alan DeKok.
Re: NAS info + MySQL
Marcin Jessa [EMAIL PROTECTED] wrote:
> I was hoping I would not need to explain it one more time.

I am very clear on what you want, and why. What you're not clear on is my answers.

> It does not matter what kind of signal httpd sends to radiusd, it would still need to be able to execute the command as a privileged user.

So... list the command under sudo. You know how to do that, you posted an example earlier. What you did wrong with the previous sudo example was allow www to run radiusd, which is useless.

> Do you know of anyone familiar with the freeradius code who could take the job?

http://www.freeradius.org/business/

It's a public web site.

Alan DeKok.
Re: NAS info + MySQL
Marcin Jessa [EMAIL PROTECTED] wrote:
> One more thing about this solution is you would need to either run radiusd as root or chown radiususer:radiusgroup the radius configs in order to be able to HUP radiusd. Radius daemon is started as root and then switched to the unprivileged user defined in radiusd.conf. Radius will die if it gets signal HUP and the config files are not owned by the unprivileged user.

No. It will die if it can't read the files. That's different.

> Having radius configs owned by unprivileged user increases security risk, since this will grant an attacker who manages to abuse the server access to change the configs... Either way, sending -HUP signal to a running radius daemon seems like a bad idea.

Only if the file permissions prevent it.

$ chown -R root.radiusd /etc/raddb
$ chmod o-rw /etc/raddb/*
$ chmod g-w /etc/raddb/*
$ chmod g+r /etc/raddb/*

And have the server run as user radiusd, group radiusd. It has read permissions to radiusd.conf, so a HUP will work. It doesn't have write permissions, so it's secure. This is what different group file permissions are for.

Alan DeKok.
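A small audit script for the permission model Alan describes (owner root, group radiusd read-only, nothing for others), added here as an example and not part of the original thread or of FreeRADIUS: it walks a config directory and reports entries a HUP re-read would fail on or that a compromised radiusd could rewrite. The /etc/raddb stand-in it builds is a constructed temporary tree, and ownership checks are skipped unless you pass the expected uid/gid, since the sample runs unprivileged.

```python
import os
import stat
import tempfile

# Mode bits that break the model: group write lets a compromised radiusd
# rewrite its own config; any access for "others" exposes shared secrets.
FORBIDDEN = (
    (stat.S_IWGRP, "group-writable"),
    (stat.S_IROTH, "world-readable"),
    (stat.S_IWOTH, "world-writable"),
)


def check_entry(mode, is_dir):
    """Problems for one permission word (as from stat.S_IMODE); [] means OK."""
    problems = [label for bit, label in FORBIDDEN if mode & bit]
    if not mode & stat.S_IRGRP:
        # radiusd runs as the group after dropping root, so a HUP re-read
        # needs group read; a 0600 file makes the server die on HUP.
        problems.append("group-unreadable")
    if is_dir and not mode & stat.S_IXGRP:
        problems.append("group-no-traverse")
    return problems


def audit_raddb(path, expected_uid=None, expected_gid=None):
    """Walk a raddb tree and return sorted (relative path, problem) pairs.

    expected_uid/expected_gid are numeric ids to require on every entry;
    None skips the ownership checks (the constructed sample below is owned
    by whoever runs it, not by root:radiusd)."""
    findings = []
    for root, dirs, files in os.walk(path):
        for name in dirs + files:
            full = os.path.join(root, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, path)
            problems = check_entry(stat.S_IMODE(st.st_mode),
                                   stat.S_ISDIR(st.st_mode))
            if expected_uid is not None and st.st_uid != expected_uid:
                problems.append("bad-owner")
            if expected_gid is not None and st.st_gid != expected_gid:
                problems.append("bad-group")
            findings.extend((rel, p) for p in problems)
    return sorted(findings)


def build_sample_tree():
    """Constructed stand-in for /etc/raddb: one compliant file, three that
    violate the model in different ways, and a compliant subdirectory."""
    base = tempfile.mkdtemp(prefix="raddb-sample-")
    spec = {
        "radiusd.conf": 0o640,  # root rw, group r, others nothing: the model
        "clients.conf": 0o666,  # world-readable and -writable: secrets exposed
        "users":        0o660,  # group-writable: radiusd could edit itself
        "sql.conf":     0o600,  # group cannot read: a HUP would kill the server
    }
    for name, mode in spec.items():
        full = os.path.join(base, name)
        with open(full, "w") as fh:
            fh.write("# constructed sample config\n")
        os.chmod(full, mode)
    certs = os.path.join(base, "certs")
    os.mkdir(certs)
    os.chmod(certs, 0o750)
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, problem in audit_raddb(sample):
        print("%s: %s" % (rel, problem))
```

Against a real tree run it as `audit_raddb("/etc/raddb", expected_uid=0, expected_gid=<radiusd gid>)`; an empty result means a HUP will re-read every file and none of them is writable by the server's own group.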
Re: Simultaneous-Use
Alan DeKok wrote:
> Blake [EMAIL PROTECTED] wrote:
> > [...]
>
> Are you setting Simultaneous-Use = 1?
>
> Alan DeKok.

That may be my problem. Which file does that entry need to exist in? Where in the file?

-Blake-
RE: NAS info + MySQL
Hi,

I must have missed that part. Where can I find some doc about OMAPI support in freeradius?

Thank you in advance.

Regards,
Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, 07 June 2005 20:54
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: NAS info + MySQL

> As I said in an earlier post, FreeRADIUS allows this, too. Just not for everything. [...]
link error in radiusd
I have clean compiled freeradius 1.0.3 for ubuntu hoary with mysql. I have put the radiusd.conf (includes sql.conf and sqlcounter.conf), sql.conf (with mysql as database type) and sqlcounter.conf in the /etc/freeradius directory. When running radiusd -X I get the following error:

radiusd.conf[5] Failed to link to module 'rlm_sqlcounter': rlm_sqlcounter.so: cannot open shared object file: No such file or directory

I understand the error but how can I correct it?

Thanks,
Max
Re: Simultaneous-Use
Blake [EMAIL PROTECTED] wrote:
> That may be my problem. Which file does that entry need to exist in? Where in the file?

doc/Simultaneous-Use

Alan DeKok.
Re: NAS info + MySQL
Seferovic Edvin [EMAIL PROTECTED] wrote:
> I must have missed that part. Where can I find some doc about OMAPI support in freeradius?

sigh

FreeRADIUS does not have OMAPI support. Like DHCPd, FreeRADIUS supports live updates of SOME configuration. FreeRADIUS does this by using *databases* to store *data*, and by querying those databases dynamically.

Alan DeKok.
...traffic control with freeradius?
Hi,

Just a question: Is there any way to establish that a user (or group) connects at certain hours of the day only? For example: If Peter attempts to connect after 3:00 pm, the radius should reject the request, because Peter can connect only between 12:00 am and 3:00 pm.

Thank you.

-
This message was sent using the Infomed webmail service http://webmail.sld.cu
RE: ...traffic control with freeradius?
LoginTime attribute. Read the doc.

Regards,
Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 07 June 2005 22:47
To: freeradius-users@lists.freeradius.org
Subject: ...traffic control with freeradius?

> Just a question: Is there any way to establish that a user (or group) connects at certain hours of the day only? [...]
Authenticate/Attributes based on NAS-IP-Address
Using MySQL as a backend, is there any way to configure Authentication and Attribute (replies), based on the NAS-IP-Address sent to the FreeRADIUS server? Allow requests from NAS1 to authenticate and have certain attributes for users in that group and then allow requests from NAS2 to authenticate and have different attributes. Would there be any way to allow a user to be a part of both groups?

Thanks,
Nick
Re: Authenticate/Attributes based on NAS-IP-Address
Alan DeKok wrote:
> N White [EMAIL PROTECTED] wrote:
> > Using MySQL as a backend, is there any way to configure Authentication and Attribute (replies), based on the NAS-IP-Address sent to the FreeRADIUS server?
>
> Yes. Use it as a check item, like anything else.
>
> Alan DeKok.

Ok, so is it possible for them to be a part of two groups? The reason I ask is that if a customer logs in through NAS1, I want them to be assigned a dynamic IP, if they are logged in from NAS2, I want them to be assigned a static IP. Is this possible? I guess two groups may not even play a role in a statically assigned IP.

Thanks
-Nick
Re: Authenticate/Attributes based on NAS-IP-Address
N White [EMAIL PROTECTED] wrote:
> Ok, so is it possible for them to be a part of two groups? The reason I ask is that if a customer logs in through NAS1, I want them to be assigned a dynamic IP, if they are logged in from NAS2, I want them to be assigned a static IP. Is this possible?

Sure, but it's not really a group. In the users file, you can do:

bob	NAS-IP-Address == foo
	Pool-Name := foo

bob	NAS-IP-Address == bar
	Framed-IP-Address := 1.2.3.4

Alan DeKok.
Re: Authenticate/Attributes based on NAS-IP-Address
N White [EMAIL PROTECTED] wrote:
> Yeah, but I want to use MySQL, not the users file.

I don't use MySQL, sorry. If you want someone to give you the exact answer you're looking for, I suggest you hire a contractor.

Alan Dekok.
Re: Authenticate/Attributes based on NAS-IP-Address
Alan DeKok wrote:
> N White [EMAIL PROTECTED] wrote:
> > Yeah, but I want to use MySQL, not the users file.
>
> I don't use MySQL, sorry. If you want someone to give you the exact answer you're looking for, I suggest you hire a contractor.
>
> Alan Dekok.

Well, thanks for the input. With MySQL, 1500 users is easier to maintain. Perhaps I should just run a second FreeRADIUS server for the second NAS. It means more equipment, but whatever it takes.

-Nick
Re: Copyright and GPL infringement in tinyPEAP
On Sun, Jun 05, 2005, Alan DeKok wrote:
> Your web site http:/www.tinypeap.com is distributing binaries built at least in part from code that is derived from the FreeRADIUS server project (http://www.freeradius.org). I refer you to the following URLs: http://www.linksysinfo.org/modules.php?name=Forumsfile=viewtopict=5649

Is there any news about this probable GPL infringement? I would be glad to be informed of any news from the people from tinypeap.com.

--
Endy
Re: Copyright and GPL infringement in tinyPEAP
Alexandre Coninx [EMAIL PROTECTED] wrote:
> Is there any news about this probable GPL infringement? I would be glad to be informed of any news from the people from tinypeap.com.

No news. We will keep people posted as we get more information. As of today, their provider has had 24hrs to fix the problem, and has not. Next thing, I think, is a DMCA take-down notice, with lawyers, and legal smack-downs.

Alan DeKok.
Re: Authenticate/Attributes based on NAS-IP-Address
On Tue, 7 Jun 2005, N White wrote:
> Well, thanks for the input. With MySQL, 1500 users is easier to maintain. Perhaps I should just run a second FreeRADIUS server for the second NAS. It means more equipment, but whatever it takes. -Nick

You don't need to do that, you can do it with SQL in one server. First, work on reading the documentation and installing the server and setting up mysql for authorization. Once you've got that down, then move on to the reply values and groups if you want them.

Alan gave you a good start with the users file entries. Read man 5 users, that will tell you about the users file. You'll take that info and transfer it to sql. It would look something like this.

users file only format:

bob	NAS-IP-Address == foo
	Pool-Name := foo

bob	NAS-IP-Address == bar
	Framed-IP-Address := 1.2.3.4

SQL format. In the users file:

DEFAULT	NAS-IP-Address == foo
	Pool-Name := foo

This says any user from that nas-ip will have Pool-Name set to foo. That is what ippool will use to assign ips.

In radiusd.conf, in your ip_pool section be sure to include:

override = no

That makes it so a dynamic ip from ippool will not override one statically assigned to the user as a reply value.

In sql in the radcheck table you put your users and their passwords. In radreply you put the users and their static ip. For example,

insert into radcheck (username,attribute,value,op) VALUES ('bob','User-Password','bobspassword','==');
insert into radreply (username,attribute,value,op) VALUES ('bob','Framed-IP-Address','1.1.1.1',':='), ('bob','Framed-IP-Netmask','255.255.255.0',':=');

That should give you a good start. Get it setup and if you run into problems post radiusd -X to the list and describe what you are trying to do. You can add groups into it if you want but right now you probably won't need it.

Hope that is helpful.

Dusty Doris
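To make the users-file matching rule that both Alan's per-user entries and Dusty's DEFAULT entry rely on concrete, here is a small evaluator, added as an example and not FreeRADIUS code: entries are tried in file order, every check item must match the request, and the first match's reply items are used unless that entry sets Fall-Through = Yes. The entries and NAS addresses (10.0.0.1 for dial-up, 10.0.0.2 for PPPoE) are constructed, and the item parser is simplified (no commas inside quoted values; only the ==, := and = operators).

```python
import re

# One "Attribute op value" item.  Ops handled: == (compare, check side),
# := (set/replace) and = (set only if absent).  Simplification: commas
# inside quoted values are not handled.
ITEM_RE = re.compile(r'^([\w-]+)\s*(==|:=|=)\s*(.*)$')

# Constructed sample in users(5) layout; 10.0.0.1 stands for the dial-up
# NAS and 10.0.0.2 for the PPPoE NAS (both addresses made up).
USERS = """\
# Anyone on the dial-up NAS draws from the pool; keep matching so a later
# entry can still add attributes.
DEFAULT\tNAS-IP-Address == 10.0.0.1
\tPool-Name := dialup,
\tFall-Through = Yes

# bob gets his static address, but only when he comes in over PPPoE.
bob\tNAS-IP-Address == 10.0.0.2
\tFramed-IP-Address := 1.2.3.4,
\tFramed-IP-Netmask := 255.255.255.0

# Catch-all reply for whoever is still matching at this point.
DEFAULT
\tService-Type = Framed-User
"""


def parse_items(text):
    """'A == x, B := "y"' -> [("A", "==", "x"), ("B", ":=", "y")]."""
    items = []
    for piece in (p.strip() for p in text.split(",") if p.strip()):
        m = ITEM_RE.match(piece)
        if not m:
            raise ValueError("cannot parse item: %r" % piece)
        attr, op, value = m.groups()
        items.append((attr, op, value.strip().strip('"')))
    return items


def parse_users(text):
    """[(name, check_items, reply_items)] in file order: a line starting in
    column 0 opens an entry (name plus check items), indented lines carry
    that entry's reply items, '#' lines are comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            entries[-1][2].extend(parse_items(line))
        else:
            parts = line.split(None, 1)
            entries.append((parts[0], parse_items(parts[1] if len(parts) > 1 else ""), []))
    return entries


def authorize(entries, request):
    """Apply the users-file rule to a request dict (attribute -> value):
    entries in order, every '==' check must match, ':=' checks become config
    items, and the first match's reply is used unless it sets Fall-Through.
    Returns (matched, config_items, reply_items)."""
    config, reply, matched = {}, {}, False
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if not all(request.get(a) == v for a, op, v in checks if op == "=="):
            continue
        matched = True
        config.update({a: v for a, op, v in checks if op == ":="})
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            elif op == ":=":
                reply[attr] = value
            else:  # "=" adds the attribute only if it is not there yet
                reply.setdefault(attr, value)
        if not fall_through:
            break  # first matching entry wins unless it falls through
    return matched, config, reply


if __name__ == "__main__":
    table = parse_users(USERS)
    for user, nas in (("bob", "10.0.0.1"), ("bob", "10.0.0.2"), ("alice", "10.0.0.2")):
        print(user, nas, authorize(table, {"User-Name": user, "NAS-IP-Address": nas}))
```

Note what the rule does to bob over PPPoE: his own entry matches without Fall-Through, so the trailing DEFAULT never adds Service-Type, which is the kind of ordering surprise worth checking with radiusd -X before moving the same logic into SQL.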
Re: Authenticate/Attributes based on NAS-IP-Address
Dustin Doris wrote:
> On Tue, 7 Jun 2005, N White wrote:
> > Well, thanks for the input. [...]
>
> You don't need to do that, you can do it with SQL in one server. [...]
>
> Dusty Doris

Actually I already have two running FreeRADIUS servers with SQL. That isn't the hard part. The problem with your instructions is that I'm not using ippool to assign dynamic IPs, our NASes are doing that (Portmaster 2/3). I don't have a problem setting up static IPs either, as we have several Dial-Up users who need those also. The problem lies in that I want to use the RADIUS server for PPPoE authentication also. But I want to allow users who log in through PPPoE to also be able to log in regularly (Dial-Up), when their PPPoE isn't logged in. BUT, when they log in through PPPoE, I want them to be assigned a static IP; when they login via Portmasters/Dial-Up, then they don't get the static IP, they get a regular dynamic one. Basically if a user logs in through NAS1, they are assigned X attributes with dynamic IP, if they log in through NAS2, they are assigned Y attributes with a static IP. And all this needs to be done in MySQL, that way my own PHP frontend (which I intend to release GPL) can work with it. Also I think MySQL scales better.

-Nick

--
| Nick White |
| Network Consultant |
| http://www.edge9.net |
| [EMAIL PROTECTED] |
Problem with [microsoft] stuff not working
Ok, I'm not sure what all detail I need to give for this post but here goes. I have a USR Hiperarc TC1000 and a PortMaster 4. We migrated from steelbelt to freeradius for auth and accounting. The problem comes in here: when I use freeradius with the portmaster it works perfectly fine, as expected; a user gets online and goes wherever they please. The TC1000 is another story. When a user dials into this, they can't use Microsoft stuff: you open Outlook Express and try to check pop3 mail ANYWHERE and it doesn't work; you try imap, it works fine; you open Internet Explorer, you load google fine, you load apache.org fine, you try to load any site using IIS as a server, it won't load; if you try to sign in with MSN messenger it works perfectly fine, irc works fine, yahoo messenger works fine. Now if I switch primary and secondary back to steelbelt, that's it, just switch it back, it all magically works fine again. Now I dunno what kinda voodoo magic is goin on but it's confusing me. Accounting attributes sent back by steelbelt only differ in one respect: they send a Class attribute.

# steelbelt reply
rad_recv: Access-Accept packet from host 65.111.222.4:1645, id=54, length=76
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Class = 0x5342522d434c20444e3d2273646775736c657041543d223230302200
	Session-Timeout = 28800
	Idle-Timeout = 1200

# freeradius reply
rad_recv: Access-Accept packet from host 127.0.0.1:1645, id=221, length=50
	Framed-Protocol = PPP
	Idle-Timeout = 1200
	Service-Type = Framed-User
	Session-Timeout = 28800

If anyone has any insight into what's causing this I'd definitely like to know.

Thanks,
Scott
Can a user be authenticated with MAC address and EAP/TLS
Hi all,

I try to authenticate my wireless user with MAC address and EAP/TLS simultaneously. I set my Cisco 1230 AP to authenticate 'with MAC address and EAP' and my wireless client for EAP/TLS authentication, because no special setting is needed for MAC authentication. However, the wireless client only does EAP/TLS, not MAC authentication. Anything that I missed?

Thanks.