rlm_ldap : user not found

2005-06-13 Thread Nicolas Viers - SCI

Hello,
I had a problem with FreeRADIUS and the rlm_ldap module:
sometimes, and I don't know why, users couldn't authenticate against the LDAP server.
I had this message in radius.log:
Auth: Login incorrect (rlm_ldap: User not found): [dupont]
and a few seconds later the authentication is OK with the same user:
Auth: Login OK: [dupont]

Maybe a timeout problem with LDAP?
Should I modify timeout parameters in radiusd.conf or in slapd.conf?
Maybe a number of connections problem?
Should I increase the ldap_connections_number parameter?

Thanks a lot

--
Nicolas Viers          |  Service Commun Informatique
Email: [EMAIL PROTECTED]  |  123, avenue Albert Thomas
                       |  87060 Limoges cedex
Tel: 05-55-45-77-09    |  Fax: 05-55-45-75-95
http://www.unilim.fr/sci






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


restricting access for users

2005-06-13 Thread Martial VdB

Hi there,

I'm a newbie here, so forgive me if I ask obvious questions.

I'm trying to set up, well actually I did set up FreeRADIUS Version 1.0.2 on a 
Linux Debian machine and it is working fine :)

But I need to achieve the following setup:

We have # cisco routers and switches who are locally managed by on site 
engineers. So these local engineers have to be able to log in to their 
devices and not be allowed to log in to devices on other sites. Next to 
these different site engineers there is a group called NOC. The NOC 
engineers need to access all devices on all sites.


I've tried several setups using the huntgroups and using System as the 
authentication method, but I can't get the huntgroup validation to work. It 
looks like the huntgroups are just ignored. Everyone can just enter any 
device as soon as their username and password is matched on the system.


Did someone do a similar setup where users were restricted, with a 
general group that needs access everywhere, or can someone tell me how I 
should take this on? It should be fairly easy, I thought…



Thanks for your help, it is highly appreciated,

Martial



RE: restricting access for users

2005-06-13 Thread alan walters
Yes, this is my experience as well. Running v1.0.2, there was nothing in the 
change log for 1.0.3 to say this was fixed either.
Just as a note, when I posted these findings nothing came back.

I was using an LDAP backend as well. It would be great to have a detailed 
explanation of this one and maybe confirmation that it is not working, or 
whether it is syntax that causes the problem.

Alan




MAC+EAP authentication

2005-06-13 Thread Jefri bin Dahari

Hi,

I plan to implement simultaneous MAC+EAP authentication for my wireless 
users. From my observation, FreeRADIUS can only do either MAC or EAP but not 
MAC and EAP authentication. Can somebody give me some hints on how to do 
that?
Thanks. 



Re: MAC+EAP authentication

2005-06-13 Thread Alexandre Coninx
On Mon, Jun 13, 2005, Jefri bin Dahari wrote:
 Hi,
 
 I plan to implement simultaneous MAC+EAP authentication for my wireless 
 users. From my observation, Freeradius can only do either MAC or EAP but 
 not MAC and EAP authentication. Can somebody give me some hints on how to 
 do that?

I check the MAC address during the authorization using an external perl
script, and it works well.


-- 
Alexandre Coninx


RE: restricting access for users

2005-06-13 Thread Martial VdB

Hi Alan,

thank you for replying,

This is how I tried it before; I will try to keep this as short as 
possible.


1)
users:
bob         Password == bob, Huntgroup-name == diegem
            Login-Service = 0,
            Vendor-Specific = 9,
            Reply-Message = "Hello, bob",
            Cisco-AVpair = "shell:priv-lvl=15",
            Service-Type = NAS-Prompt-User,

huntgroups:

diegem      NAS-IP-Address == 10.5.x.x
diegem      NAS-IP-Address == 10.5.x.x
diegem      NAS-IP-Address == 10.5.x.x
brussels    NAS-IP-Address == 10.2.x.x

I hoped that the NAS IP addresses belonging to diegem were only accessible 
for users who had Huntgroup-name == diegem in their config. But this did 
not seem to make a difference.


**
2)
users:
DEFAULT     Auth-Type = System
            Login-Service = 0,
            Vendor-Specific = 9,
            Service-Type = NAS-Prompt-User,
            Cisco-AVpair = "shell:priv-lvl=15",
$enab15$
bob
bobke

huntgroups:

diegem      NAS-IP-Address == 10.5.x.x
diegem      NAS-IP-Address == 10.5.x.x
diegem      NAS-IP-Address == 10.5.x.x
            Group == NOC,
brussels    NAS-IP-Address == 10.2.x.x

I made bob and bobke local users on my machine and added them to # groups: 
bob to NOC and bobke to brussels.

bob:x:1005:1005::/home/bob:
bobke:x:1006:1006::/home/bobke:
NOC:x:1005:
brussels:x:1006:

If the user was not a member of group NOC, he would be refused on the NAS 
servers belonging to huntgroup diegem, because diegem is linked to group NOC 
(Group == NOC). This did not work either.


In both cases every user was allowed access as soon as the username and 
password checked out. I also had problems with NAS IP addresses belonging 
to more than one group. It looked like the groups are processed from top to 
bottom, and as soon as it hits the first entry for that address FreeRADIUS 
allows access.
But for my problem to be solved it should cache information like Group = NOC 
or, for example, user_pool = diegem, and compare this information against an 
entry in the users file like user_pool = diegem, or check whether on the 
system bob's primary group is NOC.


I did several more combinations, but I think one of these 2 should work. 
Perhaps I made a configuration error?


A big thank you in advance, if only for reading and getting into this problem. If I 
was not clear enough, please let me know.


Martial



RE: restricting access for users

2005-06-13 Thread alan walters
I have a configuration similar to your number one option.
From reading the huntgroups how-to and the users how-to, this seems to
be the most correct method to use.

I have a second issue with this in that the users file has a default
reject if the group is not matched. This also is not being used
correctly by FreeRADIUS. The user defaults into that if their group does
not match but does not get rejected.

Please can someone confirm these findings.

Regards

alan


executing external program

2005-06-13 Thread vicky

Hello guys and girls,

While executing a script of mine from the radiusd.conf file I get a very 
strange error that worries me.


radius_xlat:  '/home/vicky/finalprog/compAttrs Access-Request'
Exec-Program: /home/vicky/finalprog/compAttrs Access-Request
MASTER: Child PID 28050 failed to catch signal 11: killing all active 
servers.


The script itself is tested separately and it works. What seems to be the 
problem? I've never seen anything like this before...


Thanks for all the suggestions!

--
Vicky



RE: restricting access for users

2005-06-13 Thread Dustin Doris


Try this.

huntgroups
    diegem      NAS-IP-Address == 10.5.x.x
    diegem      NAS-IP-Address == 10.5.x.x
    diegem      NAS-IP-Address == 10.5.x.x
    brussels    NAS-IP-Address == 10.2.x.x


users file

#note: there is no default auth-type = system here

DEFAULT     Group == NOC, Auth-Type := System
            replyattrs = replyvalues

bob         Huntgroup-Name == diegem, Auth-Type := System
            replyattrs = replyvalues...

somebrusselluser    Huntgroup-Name == brussells, Auth-Type := System
            reply attrs

DEFAULT     Auth-Type := Reject

That means:

If the user is in group NOC, match here and authorize the user using System.
If user bob is coming from huntgroup diegem, match here and authorize the user.
If user somebrusselluser is coming from huntgroup brussells, match.
If there are no matches above, reject the user.

I suspect that your DEFAULT Auth-Type = system entry is at the top of your
users file.  Then you have some matching rules.  You have a user that
comes in but won't match any of your matching rules, so it will default to
the auth-type = system entry that it matched at first and simply authorize
the user with system.

What I have above, specifies to use system when it matches each user entry
or the group entry.  If there is no match, then it tells you to reject the
user.




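As an added illustration of the first-match behaviour Dustin describes (constructed for this thread, not FreeRADIUS code; Fall-Through, the = vs := operators and password check items are left out), this Python model walks a users file top to bottom, resolves Huntgroup-Name from a constructed huntgroups table and Group from a constructed /etc/group stand-in, and reports which entry matched, the number the radiusd -X debug output reports as "matched users file at N":

```python
"""Constructed model of FreeRADIUS 1.0.x users/huntgroups first-match logic.

Added illustration for this thread, not FreeRADIUS source: the real server
also handles Fall-Through, := versus = operators and password check items,
all left out here so the effect of entry ordering stays visible.
"""
from dataclasses import dataclass

# Constructed huntgroups file: huntgroup name -> NAS-IP-Address prefixes.
HUNTGROUPS = {
    "diegem": ("10.5.",),
    "brussels": ("10.2.",),
}

# Constructed stand-in for the system group lookup (/etc/group) behind the
# "Group == NOC" check item: bob is in NOC, the others only in brussels.
UNIX_GROUPS = {
    "bob": {"NOC"},
    "bobke": {"brussels"},
    "somebrusselluser": {"brussels"},
}


@dataclass
class Entry:
    """One users-file entry: a name (or DEFAULT), its check items and the
    Auth-Type it sets when it matches (reply items do not matter here)."""
    name: str
    checks: dict
    auth_type: str


def huntgroup_of(nas_ip: str):
    """Map a NAS-IP-Address to the first huntgroup whose prefixes cover it."""
    for name, prefixes in HUNTGROUPS.items():
        if any(nas_ip.startswith(p) for p in prefixes):
            return name
    return None


def check_item_ok(attr: str, want: str, request: dict) -> bool:
    """Evaluate a single 'attr == want' check item against the request."""
    if attr == "Huntgroup-Name":
        return huntgroup_of(request["NAS-IP-Address"]) == want
    if attr == "Group":
        return want in UNIX_GROUPS.get(request["User-Name"], set())
    return request.get(attr) == want


def authorize(users_file, request: dict):
    """Walk the users file top to bottom and stop at the first entry whose
    name (or DEFAULT) and every check item match.  Returns (Auth-Type,
    1-based entry number); with no match at all no Auth-Type is ever set
    and the request ends up rejected, modelled as ("Reject", None)."""
    for number, entry in enumerate(users_file, start=1):
        if entry.name != "DEFAULT" and entry.name != request["User-Name"]:
            continue
        if all(check_item_ok(a, v, request) for a, v in entry.checks.items()):
            return entry.auth_type, number
    return "Reject", None


# Layout Dustin suspects: a catch-all DEFAULT with Auth-Type = System sits
# first, so every user matches entry 1 and the huntgroup entry never runs.
CATCH_ALL_FIRST = [
    Entry("DEFAULT", {}, "System"),
    Entry("bob", {"Huntgroup-Name": "diegem"}, "System"),
]

# Dustin's layout: group entry, per-site user entries, explicit Reject last.
SPECIFIC_THEN_REJECT = [
    Entry("DEFAULT", {"Group": "NOC"}, "System"),
    Entry("bob", {"Huntgroup-Name": "diegem"}, "System"),
    Entry("somebrusselluser", {"Huntgroup-Name": "brussels"}, "System"),
    Entry("DEFAULT", {}, "Reject"),
]


def demo():
    """Run the same constructed requests through both layouts."""
    requests = [
        {"User-Name": "bobke", "NAS-IP-Address": "10.5.1.1"},             # brussels user on a diegem switch
        {"User-Name": "bob", "NAS-IP-Address": "10.2.0.9"},               # NOC member on a brussels router
        {"User-Name": "somebrusselluser", "NAS-IP-Address": "10.2.0.9"},  # site user on own site
        {"User-Name": "somebrusselluser", "NAS-IP-Address": "10.5.0.1"},  # site user on another site
    ]
    return [(r["User-Name"], r["NAS-IP-Address"],
             authorize(CATCH_ALL_FIRST, r), authorize(SPECIFIC_THEN_REJECT, r))
            for r in requests]


if __name__ == "__main__":
    for user, nas, before, after in demo():
        print(f"{user:18} from {nas:10} catch-all-first={before}  specific-then-reject={after}")
```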


RE: restricting access for users

2005-06-13 Thread Dustin Doris

 I have a second issue with this in that the users file has a default
 reject if the group is not matched. This also is not being used
 correctly by freeradius. The user defaults into that if their group does
 not match but does not get rejected.


I have never noticed any problems like that myself.

I suspect you have something else in your users file that it is matching
on.  Perhaps a DEFAULT Auth-Type = something?

Please post your users file in its entirety (you can remove the # lines if
you would like for easier reading)

Then post your radiusd -X output showing this behavior.  That way you can
read the debug info and look for a line that says something like matched
users file at 1.

Without seeing the users file and the actual debug here it's hard to say.


Re: Database connection failure and retry

2005-06-13 Thread Alan DeKok
Ming-Ching Tiew [EMAIL PROTECTED] wrote:
 With the current state of the drivers, they are not usable. Period.

  Does this mean:

  a) you will do something about it?

or

  b) you expect someone else to do something about it?

  Alan Dekok.


RE: restricting access for users

2005-06-13 Thread alan walters
Dustin, I get matches in my users file. But the huntgroup seems to just be 
bypassed.

Could you PM me with a users file and huntgroups file in case it is a syntax 
issue.

Thanks



RE: Class attribute questions

2005-06-13 Thread Shawn K. O'Shea
  I just wanted to make 
  sure that I wasn't missing something, and that there isn't 
 an easier 
  way to get at the ASCII inside the octet stream.
   Edit the dictionary, and change octets to string?

I saw discussion in a previous thread (Handling of the 'Class'
attribute, this post in particular,
http://lists.freeradius.org/mailman/htdig/freeradius-users/2003-July/021267.html)
that implied this was frowned upon, at least when interacting
with other RADIUS servers (which is what I'm using FreeRADIUS for), but
also because the RFC recommends that it should be treated as
undistinguished octets. 

  2) The rfc's allow for more than one Class attribute (at least in 
  Accounting-Request packets). How does FreeRADIUS treat 
 references to 
  %{Class} when this happens? i.e. Is there a syntax to refer to each 
  instance of the Class attr or get a count of how many are 
 in the packet?
   The CVS snapshots allow this.  1.0.x doesn't.  See doc/variables.txt

I read through the current doc/variables.txt in CVS. Looks great. Is
this a 1.1.x kind of feature or will it find its way into a later
1.0.x?

Thanks for the reply.
-Shawn



Multiple logins Freeradius/Mysql

2005-06-13 Thread Mark Elkins
We've set up Simultaneous-Use := 1 - and this seems fine.
However, I have my first user - who is really off the net and 'radzap'
seems to do nothing (radwho still gives the user as being there).

What is the code... in sql.conf...
simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE
UserName='%{SQL-User-Name}' AND AcctStopTime = 0
...for

In our previous Radius - we used to simply provide a valid AcctStopTime
time - and the user could then login again.

What do I need to do to change freeradius to do Simultaneous-Use control
using mysql and not using radwho??

I've read doc/Simultaneous-Use - which doesn't use/mention [my]sql.

I'm guessing (looking at where radutmp is mentioned)... radiusd.conf
has...

session {
radutmp
}

Should this be changed to...
session {
sql
}

???



-- 
  .  . ___. .__  Posix Systems - Sth Africa.  e.164 VOIP ready
 /| /|   / /__   [EMAIL PROTECTED]  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496

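To show what the simul_count_query quoted above actually counts, here is a constructed sqlite3 stand-in for the radacct table (an added example, not FreeRADIUS code; the real schema is MySQL with a datetime AcctStopTime, modelled here as an integer that stays 0 until a Stop record arrives so the page's "AcctStopTime = 0" clause can be kept). It demonstrates a session whose Accounting-Stop was lost blocking a Simultaneous-Use := 1 user until the stale row is given a valid AcctStopTime, the manual fix Mark describes:

```python
"""Constructed sqlite3 model of the simul_count_query check from sql.conf.

Added for this thread; not FreeRADIUS code.  The real table is MySQL with a
datetime AcctStopTime; here an integer epoch is used, with 0 meaning 'still
open', so the WHERE clause keeps the 'AcctStopTime = 0' form from sql.conf.
"""
import sqlite3

ACCT_TABLE = "radacct"   # what ${acct_table1} expands to in sql.conf


def open_db() -> sqlite3.Connection:
    """Create an in-memory radacct table with the columns this check needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"""
        CREATE TABLE {ACCT_TABLE} (
            RadAcctId     INTEGER PRIMARY KEY,
            UserName      TEXT    NOT NULL,
            AcctSessionId TEXT    NOT NULL,
            NASIPAddress  TEXT    NOT NULL,
            AcctStartTime INTEGER NOT NULL,
            AcctStopTime  INTEGER NOT NULL DEFAULT 0
        )""")
    return conn


def simul_count(conn, username: str) -> int:
    """The sql.conf query with %{SQL-User-Name} as a bound parameter: counts
    the user's rows whose Stop has never been recorded."""
    row = conn.execute(
        f"SELECT COUNT(*) FROM {ACCT_TABLE} WHERE UserName=? AND AcctStopTime = 0",
        (username,),
    ).fetchone()
    return row[0]


def may_login(conn, username: str, simultaneous_use: int) -> bool:
    """Simultaneous-Use check: allow only while open sessions stay below the limit."""
    return simul_count(conn, username) < simultaneous_use


def record_start(conn, username, session_id, nas_ip, start_time) -> None:
    """Accounting-Start: insert an open row (AcctStopTime left at 0)."""
    conn.execute(
        f"INSERT INTO {ACCT_TABLE} (UserName, AcctSessionId, NASIPAddress, AcctStartTime) "
        "VALUES (?, ?, ?, ?)",
        (username, session_id, nas_ip, start_time),
    )


def record_stop(conn, username, session_id, stop_time) -> int:
    """Accounting-Stop: close the matching open row.  Returns rows updated,
    0 when the Stop was already applied or the Start was never recorded."""
    cur = conn.execute(
        f"UPDATE {ACCT_TABLE} SET AcctStopTime=? "
        "WHERE UserName=? AND AcctSessionId=? AND AcctStopTime = 0",
        (stop_time, username, session_id),
    )
    return cur.rowcount


def close_stale_sessions(conn, username, now, max_age) -> int:
    """The manual fix Mark describes: give rows that never received a Stop a
    valid AcctStopTime so they stop counting.  Only rows older than max_age
    are touched, so a genuinely live session is not closed by mistake."""
    cur = conn.execute(
        f"UPDATE {ACCT_TABLE} SET AcctStopTime=? "
        "WHERE UserName=? AND AcctStopTime = 0 AND AcctStartTime < ?",
        (now, username, now - max_age),
    )
    return cur.rowcount


def demo():
    """Constructed sequence: a Start whose Stop was lost, then the cleanup."""
    conn = open_db()
    record_start(conn, "mark", "0001", "10.0.0.1", start_time=1000)
    blocked = may_login(conn, "mark", simultaneous_use=1)   # False: one open row
    closed = close_stale_sessions(conn, "mark", now=90000, max_age=3600)
    allowed = may_login(conn, "mark", simultaneous_use=1)   # True: row now closed
    return blocked, closed, allowed


if __name__ == "__main__":
    print(demo())
```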


Re: Multiple logins Freeradius/Mysql

2005-06-13 Thread Aaron Paetznick


I'm having a similar problem.  I'm using sql accounting.  I've 
uncommented the simul_count_query query line.  I've entered the 
Simultaneous-Use attribute in the radgroupcheck table with the := op. 
 It's still trying to use checkrad (in the log) no matter what I do. 
I've read the doc file.  Help?



--Aaron





Re: Problem with [microsoft] stuff not working

2005-06-13 Thread Scott Gusler
Upon further inspection I found it was sending 2 other attributes, defaults
from my users file.

I started testing it with radclient, using info one of the NASs sent;
radtest wasn't giving it this extra info, I guess,
and I ended up with these 2 extra attributes:


Framed-MTU = 576
Framed-Compression = Van-Jacobson-TCP-IP


I removed just the MTU and it still worked with the PortMasters and started
working perfectly fine on the TC1000s too.
I'm not quite sure why it wasn't working with that attribute, but it resolved
the problem.


Scott


- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, June 08, 2005 1:32 PM
Subject: Re: Problem with [microsoft] stuff not working


 Scott Gusler [EMAIL PROTECTED] wrote:
  now i dunno what kinda voodoo magic is goin on but it's confusing me

   About the only thing I can suggest is to re-order the attributes in
 the FreeRADIUS config, so that they're in the same order as sent by
 SBR.

   If necessary, create a hard-coded config to do this for testing.  If
 it works, it's worth your time to fix the rest of the config.  And
 doing the test should take only 10 minutes.

   Alan DeKok.



Re: Free RADIUS for WLAN - Problems?

2005-06-13 Thread dat nguyen
Hi Artur Hecker,
Many thanks for your help. I think you did a good job and hope you keep doing something like this.
Thanks again.
Best Regards

Re: Class attribute questions

2005-06-13 Thread Alan DeKok
Shawn K. O'Shea [EMAIL PROTECTED] wrote:
 I saw discussion in a previous thread (Handling of the 'Class'
 attribute, this post in particular,
 http://lists.freeradius.org/mailman/htdig/freeradius-users/2003-July/021267.html)
 that implied this was frowned upon, at least when interacting
 with other RADIUS servers 

  Editing the FreeRADIUS dictionary files will have *zero* impact on
other RADIUS servers.

 I read through the current doc/variables.txt in CVS. Looks great. Is
 this a 1.1.x kind of feature or will it find it's way into a later
 1.0.x?

  1.1.x and following.

  Alan DeKok.



Re: bogus session handling in radutmp?

2005-06-13 Thread Alan DeKok
Stefan Winter [EMAIL PROTECTED] wrote:
 Occasionally, this file gets corrupted: it contains a _plain text_
 copy of an accounting packet (exactly as you see them in the detail
 files) as opposed to the binary format this file is usually in.

  That sounds to me like file descriptors are being re-used between
threads, when they're not supposed to be.

  It should go away if you stop using the detail module, but you
might get something else in radutmp.

  I've never seen this before, and I'm not sure there's much we can do
to the application to fix it.

  Alan DeKok.


Re: Qry:- How to assign DNS server IP address to the client through RADIUS server

2005-06-13 Thread Alan DeKok
romel dutta [EMAIL PROTECTED] wrote:
 Here I am using freeradius-1.0.2 for the AAA function... and
 pppoe-server as the client. Here I need to assign the DNS IP
 address to the pppoe-client through the RADIUS server... please tell
 me which attribute is there to assign the DNS IP address

  There is no standard attribute to do this.  See the documentation
for pppoe to see what it expects.

 Also tell me if it is possible to assign an IP address through
 freeradius-1.0.2

  Yes.

  Alan DeKok.



Re: PEAP + RADIUS + local-Auth + LDAP

2005-06-13 Thread Alan DeKok
Florian Prester [EMAIL PROTECTED] wrote:
 authorize: If I place the users word before anything else, the 
 authorization should take place by the users file, which means if a 
 user exists in the users file it is authorized? Correct?

  It means that the users file is processed before anything else.

  You don't need to move it, though.  The default configuration works.

 authenticate: If the password matches cleartext/crypt the user is 
 authenticated? Correct?

  Yes.

 2.) If I try to use PEAP and LDAP I need cleartext passwords!? Correct?

  Or NT-Password.

 If I add ldap after the users word in the authorize section, ldap 
 should only be used if the user cannot be found in the users file?

  No.  See doc/configurable_failover

 If I add password_attribute = sn the user is authenticated if 
 the password-hash-challenge is matching the sn-hash-challenge, meaning 
 the sn attribute is taken as the password? Correct?

  Yes.

 3.) What does the Groupe-authenticate/authorize mean if I am using ldap?

  I'm not sure what you mean by that.

  Alan DeKok.


Re: restricting access for users

2005-06-13 Thread Alan DeKok
Martial VdB [EMAIL PROTECTED] wrote:
 I’ve tried several setups by using the huntgroups and using system as 
 authentication method but I can't get the huntgroup validation to work. It 
 looks like the huntgroups are just ignored. Everyone can just enter any 
 device as soon as their username and password is matched on the system.

  The huntgroups don't appear to work in 1.0.x

  Alan DeKok.


Re: MAC+EAP authentication

2005-06-13 Thread Alan DeKok
Jefri bin Dahari [EMAIL PROTECTED] wrote:
 I plan to implement simultaneous MAC+EAP authentication for my wireless 
 users. From my observation, Freeradius can only do either MAC or EAP but not 
 MAC and EAP authentication. Can somebody give me some hints on how to do 
 that?

  It can do both.  EAP is authentication, MAC checking isn't really
authentication.

  What are you seeing in RADIUS packets, and what do you want to happen?

  Alan DeKok.



Generating freeradius 1.0.3

2005-06-13 Thread Software Development Group


Hello,
Running Debian, I have done a $ fakeroot dpkg-buildpackage -b on the
freeradius 1.0.3 directory. I get a warning saying
remember to run 'libtool --finish /usr/lib/freeradius'
which I do when the process finishes, and three error messages:
dpkg-shlibdeps: warning: could not find path for libeap-1.0.3.so
dpkg-shlibdeps: warning: could not find path for libradius-1.0.3.so
dpkg-shlibdeps: warning: could not find path for libradius-1.0.3.so
How can I get this done? What is the easiest way to install
freeradius 1.0.3 on a Debian system?
Thanks.
Max


Link error (invalid ELF header) in freeradius 1.0.3

2005-06-13 Thread Software Development Group


Hello,
I am getting the following error when running freeradius -X:
radiusd.conf[2] Failed to link to module 'rlm_sqlcounter': /usr/lib/freeradius/rlm_sqlcounter.a: invalid ELF header
Thanks.
Max 


Re: PROBLEM WITH THE CERTIFICATES

2005-06-13 Thread Alan DeKok
Georgina Noemi González Ceballos [EMAIL PROTECTED] wrote:
 I know that it is a problem with the client certificate. I imported the root 
 and client certificate to Windows.

  It doesn't appear that the client is sending the certificate to the
server.

  Either the client doesn't have a certificate, or that certificate is
not signed by the server's certificate.

  Alan DeKok.



Proxim AP-4000 MAC Auth w/multi VLAN assignment support

2005-06-13 Thread Matthew Sweet
Hello,

I am looking at setting up a group of Proxim AP-4000 wireless gateways. I
want to be able to authenticate via the MAC address of each user's laptop
WiFi NIC.

I am trying to find the raddb tags required to send / receive the
information to make this work. Can someone point me in the right direction
as far as this goes?

Much appreciated to all.

Matt




Re: MAC+EAP authentication

2005-06-13 Thread Artur Hecker
I personally think that it's completely useless.

Implementing EAP or MAC authentication, meaning that one of both would
work, is a huge security hole, and requiring both is useless since EAP
authentication implicitly filters away everything unauthenticated...

(Even if I understand that might be necessary for current WiFi phones,
etc., please be aware that under Linux you can actually change the MAC
address with one command...)


ciao
artur

