Re: Windows Client Authentication before Domain logon
At 16:26 22/08/05, you wrote:

Hi, I successfully installed a RADIUS-authenticated network with EAP-TLS authentication. But I can't get a logon to my Domain Controller when the machines boot up. OK, I know this problem is not new, but is there any chance to solve this problem without additional software like AEGIS? Or is there other software for Windows XP and/or 2000 which is free from license? And is it possible to set a default VLAN group where the Domain Controller exists, which all clients first get into and later change the VLAN ID? Would this be possible and how would it work? Greetings, Armin

I have managed to do this by three different routes.

1. Use the Microsoft built-in wireless client. To do this you need to use mmc and the certificate plug-in to install a CA certificate and a personal certificate for the local machine. Create a wireless profile in XP which connects to your network using the CA certificate you installed. Then add a DWORD registry entry AuthType with a value of 2 to HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global. This causes XP to use the machine account to authenticate to the network. This only uses the machine account to authenticate against the network; at no time does it use the user's account. Other values to use are 0 - use the default XP authentication, 1 - always perform user authentication when a user logs on, 2 - perform computer authentication only.

2. As above, but don't add the registry entry. This time the machine will authenticate itself to the network before logon, which allows the computer to see the network and the domain. Once the user logs on to the domain the connection is lost and the user account is then used to authenticate against the network. The problem here is that unless the user also has a valid personal certificate the authentication fails. This means going round to each user and installing a certificate, unless you can do it via Active Directory; we are using a Samba PDC here so that is not possible. I decided against this option with having 1500 potential users.

3. If you are using Intel wireless cards, download the full version of the ProSet drivers; mine were 2200BG. This allows for different profiles which work as the machine before logon, or during logon to validate the user against the network. It also adds TTLS as well as TLS. There is a problem with this software if you are using roaming profiles. During logoff the network connection is dropped and it is impossible to upload the profile to the servers. According to Intel this is a known problem and at this time they have not replied to say if there is going to be a fix for it. This method worked very well up to the point of saving the profile; it is also much easier to distribute the settings to other machines using the profile import feature the ProSet drivers provide.

Steve Atkinson, Deputy Network Manager, Fallibroome High School, Priory Lane, Macclesfield, Cheshire SK10 4AF

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Netscreen and Freeradius.
Hi, Has anyone used RADIUS for authentication with the Netscreens? It works fine, however there is one problem. Root-Admin for RADIUS authentication is no longer supported. This is the value of the NS-Admin-Privilege attribute in the Netscreen dictionary file which gives full access to the user. Consequently you have to use All-VSYS-Root-Admin, which gives read-write access to the user but disables some vital functions, one of which is tftping software and config on and off the device. Is anyone aware of any other limitations for All-VSYS-Root-Admin users? I'm posting this in the hope that other people have come across this issue and found a workaround. Hoping for the best, Maqbool Hashim
best place for logic - users file or custom module?
hi, i'm planning a significant migration from a different radius server (Radiator, perl based). one advantage of that server is that it is very easy to code custom hooks to apply business logic to post-(ldap)-search and post-auth points of the radius sequence. the disadvantage is the performance of the system (single-threaded, low peak performance introducing latency into the system). our tests with freeradius show a much lighter server - it's faster, and easier on memory and cpu. however the downside is that applying custom logic to the radius process is a bit more difficult. i'd like some advice on the best place to implement this logic. for example - a common scenario is for a request to come from A, and the reply to A contains instructions to extend a tunnel to a second device B. A second query from B is then received. this case is handled easily in perl using if() constructs. in theory - and for simple cases - i can do this in the users file with the matching conditions to provide the logic - but that's not a scalable or sensible way i think - correct me if i'm wrong. i'll be handling many conditions (if nas-identifier = x, .., if domain/realm = y ... ). so i guess i have to write a custom module for this? comments appreciated. pointers to examples / tutorials also appreciated - i couldn't find any in the documentation or on the website. tariq
EAP-MD5 usage
Hello, I have a question about EAP-MD5 usage. Would appreciate any help. I am using FreeRADIUS as the Authentication Server with Open1X Supplicant. When I set the Supplicant Identity different from the EAP-MD5 username, the RADIUS Server sends my Supplicant an Access-Reject. My questions are the following: 1- Where do we set the Supplicant Identity in the FreeRADIUS Server? Do we set it in the users file? If yes, then where do we set the EAP-MD5 user information? 2- Is it necessary that the EAP-MD5 username must match the Supplicant identity that the open1x Supplicant returns to the Ethernet switch in response to an EAP-Request/Identity packet? Thanks, Bilal
piping radacct details to a script
hi all, is there a way to pipe radacct details to a script before it writes to the log file? how do you do this? thanks. regards, marc -- Get Firefox! http://tinyurl.com/cocg2 The browser you can trust.
Re: Windows Client Authentication before Domain logon
Hi, thanks for your email! OK, I tried it out but I have some problems. If I use the DWORD string you sent me it has no effect. I found another DWORD key called "AuthMode", and with this DWORD it only tries to authenticate with the machine account. Maybe you made a typing mistake in your email?? OK, but my problem is that when it tries to authenticate with the computer account, I see in the RADIUS debugging mode that it only tried to use the default entry in the users file and not the "Client3" entry. It seems that it does not find the right computer certificate, or FreeRADIUS does not find the right entry in its users file??? This is the output from freeradius -X -A when the DWORD "AuthMode" is set to 2:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/freeradius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/freeradius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/freeradius/freeradius.pid"
main: user = "freerad"
main: group = "freerad"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/ssl/certs/8021x-server.pem"
tls: certificate_file = "/etc/ssl/certs/8021x-server.pem"
tls: CA_file = "/etc/ssl/certs/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/ssl/certs/dh"
tls: random_file = "/etc/ssl/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/freeradius/huntgroups"
preprocess: hints = "/etc/freeradius/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/freeradius/users"
files: acctusersfile = "/etc/freeradius/acct_users"
files: preproxy_usersfile =
Re: Windows Client Authentication before Domain logon
The mail system of Galtex S.A. informs you that your message has been received. This message was generated automatically by the mail system of user belskia. Please do not reply to this message.
build problem - mysql header files not found
Hi, I am having a problem building freeradius-1.04 on linux. I have installed mysql 4.1.10 but when running make it bails out complaining that mysql.h and errmsg.h cannot be found. The files can be located in /usr/local/mysql/include. As a hack I copied these files into the corresponding build directory and I also added /usr/local/mysql/lib to /etc/ld.so.conf, but the build bails out saying a mysql library cannot be found. Searching on the net it seems that these problems are a result of mysql-devel not being installed, but I don't believe this package exists for mysql 4.1.10, as the header files and libraries are included in the standard package. Do I need to set some environment variables to get this to work, or am I using an incompatible version of mysql? Thanks in advance, Ben
Re: best place for logic - users file or custom module?
Tariq Rashid wrote: hi, i'm planning a significant migration from a different radius server (Radiator, perl based). You might have a look at the rlm_perl module (persistent perl module to intervene in multiple stages). It's not marked stable yet, but it should be soon and it should be working fine already. There's a sample script included in the source distribution in src/module/rlm_perl/ The configuration of the module sits in etc/raddb/experimental.conf for now. -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: best place for logic - users file or custom module?
Tariq Rashid [EMAIL PROTECTED] wrote: hi, i'm planning a significant migration from a different radius server (Radiator, perl based). That's good to hear! our tests with freeradius show a much lighter server - it's faster, and easier on memory and cpu. however the downside is that applying custom logic to the radius process is a bit more difficult. Yes, there are trade-offs. i'd like some advice on the best place to implement this logic. for example - a common scenario is for a request to come from A, and the reply to A contains instructions to extend a tunnel to a second device B. A second query from B is then received. this case is handled easily in perl using if() constructs. My suggestion is to use Perl. :) rlm_perl is in 1.0.4, but it's not stable. The CVS head is in transition, too. I would suggest grabbing revision 1.19 of rlm_perl from CVS, and building it into 1.0.4. It should work, and it will get you the custom logic you need. And, it will be multi-threaded, too. Alan DeKok.
Re: EAP-MD5 usage
Bilal Shahid [EMAIL PROTECTED] wrote: I am using FreeRADIUS as the Authentication Server with Open1X Supplicant. When I set the Supplicant Identity different from the EAP-MD5 username, the RADIUS Server sends my Supplicant an Access-Reject. Yes. See the configuration for the eap module. 1- Where do we set the Supplicant Identity in the FreeRADIUS Server? Do we set it in the users file? If yes, then where do we set the EAP-MD5 user information? You don't set it in FreeRADIUS. 2- Is it necessary that the EAP-MD5 username must match the Supplicant identity that the open1x Supplicant returns to the Ethernet switch in response to an EAP-Request/Identity packet? In general, yes. Alan DeKok.
RE: best place for logic - users file or custom module?
is python more stable than the support for perl? i have much more experience in python than perl. also is the perl/python stuff persistent - or is the interpreter invoked for every request? i am asking as i think this is the main reason for Radiator's performance issues - in theory even a big interpreter loaded into RAM should run fine ... but I suspect something inefficient is happening with Radiator. tariq rashid

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok Sent: 23 August 2005 16:54 To: FreeRadius users mailing list Subject: Re: best place for logic - users file or custom module?

Tariq Rashid [EMAIL PROTECTED] wrote: hi, i'm planning a significant migration from a different radius server (Radiator, perl based). That's good to hear! our tests with freeradius show a much lighter server - it's faster, and easier on memory and cpu. however the downside is that applying custom logic to the radius process is a bit more difficult. Yes, there are trade-offs. i'd like some advice on the best place to implement this logic. for example - a common scenario is for a request to come from A, and the reply to A contains instructions to extend a tunnel to a second device B. A second query from B is then received. this case is handled easily in perl using if() constructs. My suggestion is to use Perl. :) rlm_perl is in 1.0.4, but it's not stable. The CVS head is in transition, too. I would suggest grabbing revision 1.19 of rlm_perl from CVS, and building it into 1.0.4. It should work, and it will get you the custom logic you need. And, it will be multi-threaded, too. Alan DeKok.
Re: piping radacct details to a script
marc racal [EMAIL PROTECTED] wrote: is there a way to pipe radacct details to a script before it writes to the log file? how do you do this? What log file? There are many. Alan DeKok.
Re: best place for logic - users file or custom module?
Tariq Rashid wrote: i'd like some advice on the best place to implement this logic. for example - a common scenario is for a request to come from A, and the reply to A contains instructions to extend a tunnel to a second device B. A second query from B is then received. Use huntgroups to distinguish the NASes, and edit the SQL schema and the SQL queries to use the Huntgroup-Name. Then you could get different reply attributes for A and for B from SQL with no overhead. -- Nicolas Baradakis
MySQL radacct not updated
Hi, I have a strange problem with MySQL and FreeRADIUS. The system had been performing perfectly but it is no longer updating radacct. The result is that when users login the counter on their login page counts down their remaining time. But when they logout and then login again the counter is reset back to its original value. This means that user names and passwords last forever. The sql log file used to show:

SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='bebbik6';
INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('42e44944', '3f1c519e5a66e2fe', 'bebbik6', '', '0.0.0.0', '0', 'Wireless-802.11', '2005-07-26 06:04:07', '0', '0', '', '', '', '0', '0', '00-12-17-B7-A1-70', '00-C0-49-5C-40-48', '', '', '', '192.168.182.2', '', '0');
UPDATE radacct SET AcctStopTime = '2005-07-26 06:04:13', AcctSessionTime = '6', AcctInputOctets = '1403', AcctOutputOctets = '5179', AcctTerminateCause = 'User-Request', AcctStopDelay = '', ConnectInfo_stop = '' WHERE AcctSessionId = '42e44944' AND UserName = 'bebbik6' AND NASIPAddress = '0.0.0.0';

But now it only shows:

SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='bebbik6';

I'd really appreciate any help to solve this problem. Regards from Ireland. Sean Bracken
ldap_connections_number
Hello, it seems to me the FR doesn't open as many connections as specified in ldap_connections_number. Even though there are many RADIUS requests in the queue (they have to be) and I allowed 50 connections to the ldap server, FR opens just 1 or 2. Why? That wouldn't bother me usually. But my ldap server delays responses when the password was wrong. And because FR uses only so few parallel connections, also those requests with correct passwords are affected and delayed. That's why I'd really appreciate it if FR used more connections. Is there a chance? Thanks a lot, Benedikt -- Benedikt Panzer Rechenzentrum Universität Stuttgart
Re: best place for logic - users file or custom module?
Tariq Rashid wrote: is python more stable than the support for perl? i have much more experience in python than perl. rlm_python is not marked stable yet either. I don't know about its stability, but I haven't seen much about rlm_python on the maillist, so maybe support could be very low; also is the perl/python stuff persistent - or is the interpreter invoked for every request? i am asking as i think this is the main reason for Radiator's performance issues - in theory even a big interpreter loaded into RAM should run fine ... but I suspect something inefficient is happening with Radiator. rlm_perl is persistent -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: MySQL radacct not updated
sean wrote: Hi, I have a strange problem with MySQL and FreeRADIUS. The system had been performing perfectly but it is no longer updating radacct. The result is that when users login the counter on their login page counts down their remaining time. But when they logout and then login again the counter is reset back to its original value. This means that user names and passwords last forever. Check that accounting packets sent by the NAS are actually received on your radius server. -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
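To make the symptom in Sean's report and Thor's advice concrete, here is an added example (not code from either poster or from FreeRADIUS) that replays the Start/Stop bookkeeping from the SQL log above against an in-memory SQLite table holding a subset of the radacct columns. It shows what SELECT SUM(AcctSessionTime) returns when the accounting Stop (or any accounting packet at all) never reaches the server, which is exactly when the user's remaining-time counter silently resets. The second session id and the timestamps are constructed; the first session reuses the values from the log.

```python
"""Replay radacct Start/Stop bookkeeping to see why the time counter resets."""
import sqlite3

# Subset of the radacct columns named in the SQL log above (SQLite syntax).
SCHEMA = """
CREATE TABLE radacct (
    AcctSessionId      TEXT NOT NULL,
    UserName           TEXT NOT NULL,
    NASIPAddress       TEXT NOT NULL,
    AcctStartTime      TEXT,
    AcctStopTime       TEXT,
    AcctSessionTime    INTEGER NOT NULL DEFAULT 0,
    AcctInputOctets    INTEGER NOT NULL DEFAULT 0,
    AcctOutputOctets   INTEGER NOT NULL DEFAULT 0,
    AcctTerminateCause TEXT NOT NULL DEFAULT ''
)
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def accounting_start(conn, session_id, user, nas_ip, started_at):
    """What the SQL module does for Acct-Status-Type = Start: the INSERT."""
    conn.execute(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, AcctStartTime)"
        " VALUES (?, ?, ?, ?)",
        (session_id, user, nas_ip, started_at),
    )


def accounting_stop(conn, session_id, user, nas_ip, stopped_at, seconds,
                    in_octets, out_octets, cause):
    """What the SQL module does for Acct-Status-Type = Stop: the UPDATE.

    Returns the number of rows touched; 0 means no matching Start row.
    """
    cur = conn.execute(
        "UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = ?,"
        " AcctInputOctets = ?, AcctOutputOctets = ?, AcctTerminateCause = ?"
        " WHERE AcctSessionId = ? AND UserName = ? AND NASIPAddress = ?",
        (stopped_at, seconds, in_octets, out_octets, cause,
         session_id, user, nas_ip),
    )
    return cur.rowcount


def used_seconds(conn, user):
    """The counter query from the log: total time charged to the user so far."""
    row = conn.execute(
        "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName = ?", (user,)
    ).fetchone()
    return row[0] or 0  # SUM over no rows is NULL, which the portal treats as 0


def dangling_sessions(conn, user):
    """Sessions with a Start but no Stop: the sign that Stop packets never arrived."""
    rows = conn.execute(
        "SELECT AcctSessionId FROM radacct WHERE UserName = ? AND AcctStopTime IS NULL",
        (user,),
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    """Three situations for the same user; returns the SUM each one yields."""
    healthy = new_db()  # Start and Stop both received (values from the log)
    accounting_start(healthy, "42e44944", "bebbik6", "0.0.0.0", "2005-07-26 06:04:07")
    accounting_stop(healthy, "42e44944", "bebbik6", "0.0.0.0",
                    "2005-07-26 06:04:13", 6, 1403, 5179, "User-Request")

    start_only = new_db()  # Start received, Stop lost (constructed session id)
    accounting_start(start_only, "42e44945", "bebbik6", "0.0.0.0", "2005-07-26 07:00:00")

    silent = new_db()  # no accounting packets reach the server at all

    return {
        "healthy": used_seconds(healthy, "bebbik6"),
        "start_only": used_seconds(start_only, "bebbik6"),
        "no_accounting": used_seconds(silent, "bebbik6"),
        "dangling": dangling_sessions(start_only, "bebbik6"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

Only the healthy case charges the 6 seconds; the other two leave the SUM at zero, so a fresh login sees the full allowance again. Checking for rows with a NULL AcctStopTime (or for no rows at all during a period when users were demonstrably online) is the database-side counterpart of verifying that the NAS's accounting packets actually arrive.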
problems with the detail file
Hello, I am running freeradius version 1.0.4 on Fedora Core 4. I have a problem with the detail file that writes to the radacct directory. I noticed that this log file is set up to write by default. I have uncommented the appropriate lines to have the auth-detail and reply-detail log files written to that same directory. There is no problem with these files being written to that directory either. I receive no errors for these three log files during the daemon startup or during debug output. It looks like this should be working but only the auth-detail and reply-detail log files are being written to that directory. I have no detail file in that directory. Here is the debug output of the server.

Module: Loaded detail
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /usr/local/var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (reply_log)
Listening on authentication 192.168.1.222:1645
Listening on accounting 192.168.1.222:1646
Ready to process requests.

I can't see any differences in the output between the three files. I receive no errors during startup as well. I think this should be working, but I only get two log files, auth-detail and reply-detail, not the detail file. Any help you may be able to give me would be greatly appreciated, thanks in advance. I attached the whole debug output in case you may need it.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 60
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1645
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: bind_address = 192.168.1.222 IP address [192.168.1.222]
main: user = nobody
main: group = nobody
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module:
Re: FreeRADIUS 1.0.4: SEGMENTATION FAULT
BugBuster [EMAIL PROTECTED] wrote: Running FreeRADIUS in debug mode (radiusd -sfxxyz -l stdout) I get the Segmentation fault message (more details is in .txt attachment). You've included everything but the information requested in doc/bugs. My bet is that this is bug #98 http://bugs.freeradius.org/show_bug.cgi?id=98 Alan DeKok.
Re: best place for logic - users file or custom module?
Tariq Rashid [EMAIL PROTECTED] wrote: is python more stable than the support for perl? i have much more experience in python than perl. See bugs.freeradius.org for an updated python module. There's been no feedback about it, so I'm leery of adding it in until people say it works. also is the perl/python stuff persistent - or is the interpreter invoked for every request? i am asking as i think this is the main reason for Radiator's performance issues - in theory even a big interpreter loaded into RAM should run fine ... but I suspect something inefficient is happening with Radiator. It's probably a combination of things. More RAM usage, coupled with having an interpreted language pack/unpack binary data. I'll bet if they wrote 10% of it in C, it would run at 75% the speed of FreeRADIUS. Alan DeKok.
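Tariq's scenario (a request from device A whose reply tells A to extend a tunnel to B, followed by a second request from B) is the kind of branching that the thread suggests putting in a scripting-language module rather than the users file. The following is an added example, not code from the thread or from FreeRADIUS, written in the rlm_python calling convention: the module calls authorize(p) with a tuple of (attribute, value) string pairs and accepts either a bare return code or a (code, reply_pairs, config_pairs) tuple. That convention is the one documented for later FreeRADIUS releases; whether the experimental python module available at the time of the thread matches it is an assumption, as are the NAS identifiers, realm and endpoint address.

```python
"""rlm_python-style authorize hook for the two-NAS tunnel scenario."""
try:
    import radiusd  # only importable when loaded inside radiusd
    RLM_MODULE_REJECT = radiusd.RLM_MODULE_REJECT
    RLM_MODULE_NOOP = radiusd.RLM_MODULE_NOOP
    RLM_MODULE_UPDATED = radiusd.RLM_MODULE_UPDATED
except ImportError:  # stand-alone run: FreeRADIUS return-code values
    RLM_MODULE_REJECT, RLM_MODULE_NOOP, RLM_MODULE_UPDATED = 0, 7, 8

# Constructed policy table. "lac" is the access side (device A), "lns" the
# tunnel end-point side (device B). Only listed realms are tunnelled.
NAS_ROLES = {"nas-a": "lac", "nas-b": "lns"}
TUNNEL_REALMS = {
    "example.net": {"endpoint": "192.0.2.20", "type": "L2TP"},
}


def realm_of(user_name):
    """Realm after the last '@', or '' for a bare user name."""
    return user_name.rpartition("@")[2] if "@" in user_name else ""


def request_dict(p):
    """Collapse the (attr, value) pairs, keeping the first value of each attribute."""
    req = {}
    for attr, value in p:
        req.setdefault(attr, value)
    return req


def authorize(p):
    req = request_dict(p)
    role = NAS_ROLES.get(req.get("NAS-Identifier", ""))
    realm = realm_of(req.get("User-Name", ""))

    if role == "lac":
        policy = TUNNEL_REALMS.get(realm)
        if policy is None:
            return RLM_MODULE_NOOP  # not ours; let the users file / other modules decide
        reply = (
            ("Tunnel-Type", policy["type"]),
            ("Tunnel-Medium-Type", "IP"),
            ("Tunnel-Server-Endpoint", policy["endpoint"]),
        )
        return (RLM_MODULE_UPDATED, reply, ())

    if role == "lns":
        # B should only ever see users that A was told to tunnel; anything else
        # arriving at B directly is outside policy.
        if realm not in TUNNEL_REALMS:
            return RLM_MODULE_REJECT
        reply = (("Service-Type", "Framed-User"), ("Framed-Protocol", "PPP"))
        return (RLM_MODULE_UPDATED, reply, ())

    return RLM_MODULE_NOOP  # unknown NAS: stay out of the way


if __name__ == "__main__":
    # Constructed requests: first from A, then the follow-up from B.
    print(authorize((("User-Name", "alice@example.net"), ("NAS-Identifier", "nas-a"))))
    print(authorize((("User-Name", "alice@example.net"), ("NAS-Identifier", "nas-b"))))
```

Returning NOOP for everything the policy does not recognise is what lets this sit in the authorize section next to the files or sql module without overriding their decisions; only the two branches that actually match emit reply attributes.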
Re: ldap_connections_number
Benedikt Panzer [EMAIL PROTECTED] wrote: Even though there are many RADIUS requests in the queue (they have to be) and I allowed 50 connections to the ldap server, FR opens just 1 or 2. Why? When you're binding as a user, for authentication, you can't re-use the same connection for multiple requests. So you've got to open/close individual connections. If you're just doing DB lookups, and not LDAP bind as user, then it should open multiple connections. That wouldn't bother me usually. But my ldap server delays responses when the password was wrong. Why are you having your LDAP server perform authentication? Why not use LDAP as a database, and have FreeRADIUS do the authentication? And because FR uses only so few parallel connections, also those requests with correct passwords are affected and delayed. That's why I'd really appreciate it if FR used more connections. Is there a chance? Sure, edit the source code. Alan DeKok.
Re: Mobile phone authentification
[EMAIL PROTECTED] wrote: I'd like to use FREERADIUS as an authentification method for mobile phones, but I'm not sure First, it's not authentification, it's authentication, without an f. Now I was told that RADIUS is the solution. RADIUS is able to detect the actual sender information and delivers this information to the proxy/gateway which is then able to insert the missing value into the sender-header and everybody's happy ;) Someone was able to follow my thoughts? Nope. RADIUS doesn't detect sender information. I'm not sure you understand what RADIUS does. It's just authentication and accounting, for the most part. It doesn't appear to be involved at all in the scenario you described. Alan DeKok.
Example of Mac OS X EAP-TLS process?
I've got a good, working FreeRADIUS running EAP-TLS on a SuSE 9.2 box. I've had good luck with WPA supplicants for XP SP2 and several vendor PCMCIA card supplicants - all on XP SP2. I've been trying to get an OS X (Tiger) machine up with the same type of setup, but each time I set the 802.1x TLS check box, I always get an error stating that there is no valid certificate available on the machine. I've imported both the client and root CA certs into the Mac OS X Keychain (the root CA imported into the X509 anchors category and the client cert into 'logins'). I've generated the Mac client cert in the same way as I do the XP client cert, except without the xpextensions ASN.1 options on openSSL. I realize this isn't a FreeRADIUS question per se, but was hoping that someone else in FR land has done an 802.1x EAP-TLS setup on OS X w/FR and had success. Thank you, Landon
Re: freeradius + MySQL not working after upgrade from 1.0.1
I now have two servers with the same freeradius configuration (minus minor changes from the upgrade) and the same MySQL database, with one running version 1.0.1 (which works) and the other running 1.0.4 (which does not work). Comparing the logs produced by radiusd -X, I see that the only substantial difference is the X-Ascend-Data-Filter attributes. It could be the bug #242. http://bugs.freeradius.org/show_bug.cgi?id=242 The issue I'm experiencing appears to be something else. After further testing, I've found that the same issue is also present when using the users file for authorization rather than sql. I encounter this problem upon upgrading from version 1.0.1 to = 1.0.2 (using Gentoo). Could it be something to do with the X-Ascend-Data-Filter abinary format? Perhaps a configuration option for that introduced after 1.0.1? This is the output from running radtest between the two servers with different freeradius versions (just showing the X-Ascend-Data-Filter stuff since everything else is the same):

* 1.0.1 -- 1.0.1 :
X-Ascend-Data-Filter = ip in forward tcp est
X-Ascend-Data-Filter = ip in forward dstip 209.102.107.77/32 0
X-Ascend-Data-Filter = ip in forward dstip 64.24.35.0/24 0
X-Ascend-Data-Filter = ip in forward dstip 66.45.243.0/24 0
X-Ascend-Data-Filter = ip in drop tcp dstport = 25
X-Ascend-Data-Filter = ip in forward 0

* 1.0.1 -- 1.0.4 :
X-Ascend-Data-Filter = ?? out drop
X-Ascend-Data-Filter = 0x 69 70 20 69 6e 20 66 6f 72 77 61 72 64 20 64 73 74 69 70 20 32 30 39 2e 31 30 32 2e 31 30 37 2e 37 37 2f 33 32 20 30
X-Ascend-Data-Filter = 0x 69 70 20 69 6e 20 66 6f 72 77 61 72 64 20 64 73 74 69 70 20 36 34 2e 32 34 2e 33 35 2e 30 2f 32 34 20 30
X-Ascend-Data-Filter = 0x 69 70 20 69 6e 20 66 6f 72 77 61 72 64 20 64 73 74 69 70 20 36 36 2e 34 35 2e 32 34 33 2e 30 2f 32 34 20 30
X-Ascend-Data-Filter = ?? out drop
X-Ascend-Data-Filter = ?? out drop

* 1.0.4 -- 1.0.1 :
X-Ascend-Data-Filter = 0x010101000601
X-Ascend-Data-Filter = 0x01010100d1666b4d0020
X-Ascend-Data-Filter = 0x0101010040182318
X-Ascend-Data-Filter = 0x01010100422df318
X-Ascend-Data-Filter = 0x0100010006190002
X-Ascend-Data-Filter = 0x01010100

* 1.0.4 -- 1.0.4 :
X-Ascend-Data-Filter = 0x697020696e20666f72776172642074637020657374
X-Ascend-Data-Filter = 0x697020696e20666f7277617264206473746970203230392e3130322e3130372e37372f33322030
X-Ascend-Data-Filter = 0x697020696e20666f72776172642064737469702036342e32342e33352e302f32342030
X-Ascend-Data-Filter = 0x697020696e20666f72776172642064737469702036362e34352e3234332e302f32342030
X-Ascend-Data-Filter = 0x697020696e2064726f702074637020647374706f7274203d203235
X-Ascend-Data-Filter = 0x697020696e20666f72776172642030

Any ideas? Thanks. -Marc
Re: freeradius + MySQL not working after upgrade from 1.0.1
[EMAIL PROTECTED] wrote:
> Could it be something to do with the X-Ascend-Data-Filter abinary format? Perhaps a configuration option for that introduced after 1.0.1?
> This is the output from running radtest between the two servers with different freeradius versions (just showing the X-Ascend-Data-Filter stuff since everything else is the same):

The parsing/printing code for Ascend data filters (src/lib/filters.c) hasn't changed from 1.0.0 to 1.0.4. So that can't be the source of the problem.

> * 1.0.1 -- 1.0.4 :
> X-Ascend-Data-Filter = ?? out drop
> X-Ascend-Data-Filter = 0x 69 70 20 69 6e 20 66 6f 72 77 61 72 64 20 64 73 74 69 70 20 32 30 39 2e 31 30 32 2e 31 30 37 2e 37 37 2f 33 32 20 30

Which is the *ascii* version of the data, and not the packed Ascend format.

> * 1.0.4 -- 1.0.1 :
> X-Ascend-Data-Filter = 0x010101000601

Which looks like it might be the correct (but weird) format.

> * 1.0.4 -- 1.0.4 :
> X-Ascend-Data-Filter = 0x697020696e20666f72776172642074637020657374

And again, with the text strings.

> Any ideas? Thanks.

It looks like the dictionaries you're using for 1.0.4 have X-Ascend-Data-Filter as type octets, and not type abinary. Are you sure you didn't edit the dictionaries? Are you sure there's no other attribute 242, of type octets? Are you sure you're using the 1.0.4 dictionaries with 1.0.4?

Alan DeKok.
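The distinction Alan draws above, filter text sent verbatim (dictionary type octets) versus the packed Ascend filter (dictionary type abinary), and the dictionary check he asks Marc to do, as an added example. This is my code, not FreeRADIUS's or anything posted in the thread. The hex values are copied from Marc's radtest output; the dictionary excerpt is constructed. The packed layout follows ascend_filter_t in src/lib/filters.c as I read it (type, forward, direction, fill, srcip, dstip, srcmask, dstmask, proto, established, srcport, dstport, srcPortComp, dstPortComp, padded to 32 bytes), and the comparator numbering is an assumption; check both against the filters.c in your tree. The short values in the "1.0.4 -- 1.0.1" run are fewer than 32 bytes, so this does not reproduce exactly how that side printed them, but bytes 8 to 13 of the dstip line packed here do match the d1666b4d0020 fragment in that output.

```python
"""Tell apart the two X-Ascend-Data-Filter encodings seen in the radtest
output: the filter text sent verbatim (dictionary type 'octets') versus the
packed Ascend filter (dictionary type 'abinary'). Added example, not
FreeRADIUS code."""
import ipaddress
import struct

# Values copied from the radtest output quoted in the thread.
SAMPLE_1_0_4_TO_1_0_4 = "0x697020696e20666f7277617264206473746970203230392e3130322e3130372e37372f33322030"
SAMPLE_1_0_1_TO_1_0_4 = ("0x 69 70 20 69 6e 20 66 6f 72 77 61 72 64 20 64 73 74 69 70 20 "
                         "32 30 39 2e 31 30 32 2e 31 30 37 2e 37 37 2f 33 32 20 30")
SAMPLE_1_0_4_TO_1_0_1 = "0x010101000601"

# Constructed dictionary excerpt (not a real dictionary file) showing the
# kind of duplicate attribute 242 that Alan asks about.
DICTIONARY_SAMPLE = """\
ATTRIBUTE\tX-Ascend-Data-Filter\t242\tabinary
ATTRIBUTE\tAscend-Data-Filter\t242\toctets\t# stray second definition
""".splitlines()

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
# Port comparators as numbered by RadFilterComparison in src/lib/filters.c
# (assumed; check the enum in your tree): <, =, >, !=
PORT_CMP = {"<": 1, "=": 2, ">": 3, "!=": 4}


def hex_to_bytes(value):
    """Accept both '0xABCD' and '0x AB CD', the two spellings radtest printed."""
    v = value.strip()
    if v[:2].lower() == "0x":
        v = v[2:]
    return bytes.fromhex(v.replace(" ", ""))


def as_filter_text(value):
    """Return the filter string if the octets are printable ASCII starting
    with a filter keyword (the 'octets' symptom); None for packed data."""
    try:
        text = hex_to_bytes(value).decode("ascii")
    except UnicodeDecodeError:
        return None
    if text.isprintable() and text.startswith(("ip ", "ipx ", "generic ")):
        return text
    return None


def attribute_types(dictionary_lines, number=242):
    """Map every ATTRIBUTE name declared with the given number to its type.
    Two entries, or a type other than 'abinary', explains text on the wire."""
    types = {}
    for line in dictionary_lines:
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "ATTRIBUTE" and parts[2] == str(number):
            types[parts[1]] = parts[3]
    return types


def encode_ip_filter(text):
    """Pack 'ip <dir> <action> [srcip a/m] [dstip a/m] [proto [srcport cmp n]
    [dstport cmp n] [est]]' into the 32-byte abinary layout of
    ascend_filter_t (assumed layout, see the lead-in)."""
    tok = text.split()
    if tok[0] != "ip":
        raise ValueError("only 'ip' filters are handled here")
    direction = {"in": 1, "out": 0}[tok[1]]
    forward = {"forward": 1, "drop": 0}[tok[2]]
    src = dst = ipaddress.IPv4Address(0)
    srcmask = dstmask = proto = established = 0
    srcport = dstport = srccmp = dstcmp = 0
    i = 3
    while i < len(tok):
        t = tok[i]
        if t in ("srcip", "dstip"):
            net = ipaddress.IPv4Network(tok[i + 1], strict=False)
            if t == "srcip":
                src, srcmask = net.network_address, net.prefixlen
            else:
                dst, dstmask = net.network_address, net.prefixlen
            i += 2
        elif t in ("srcport", "dstport"):
            cmp_, port = PORT_CMP[tok[i + 1]], int(tok[i + 2])
            if t == "srcport":
                srcport, srccmp = port, cmp_
            else:
                dstport, dstcmp = port, cmp_
            i += 3
        elif t == "est":
            established, i = 1, i + 1
        elif t in PROTO or t.isdigit():
            proto, i = (PROTO[t] if t in PROTO else int(t)), i + 1
        else:
            raise ValueError(f"unexpected token {t!r}")
    # type(1)=ip, forward, direction, fill, srcip, dstip, srcmask, dstmask,
    # proto, established, srcport, dstport, srcPortComp, dstPortComp;
    # the union is then padded out to 32 bytes.
    head = struct.pack("!BBBB4s4sBBBBHHBB", 1, forward, direction, 0,
                       src.packed, dst.packed, srcmask, dstmask, proto,
                       established, srcport, dstport, srccmp, dstcmp)
    return head.ljust(32, b"\x00")


if __name__ == "__main__":
    for v in (SAMPLE_1_0_4_TO_1_0_4, SAMPLE_1_0_1_TO_1_0_4, SAMPLE_1_0_4_TO_1_0_1):
        print(v[:20], "->", as_filter_text(v) or "packed / not text")
    print(attribute_types(DICTIONARY_SAMPLE))
    print(encode_ip_filter("ip in forward dstip 209.102.107.77/32 0").hex())
```

Run it as-is to see the three classifications; feed attribute_types() the real dictionary files from the raddb directory of the misbehaving server to find a second 242 entry or an octets type, which is the misconfiguration Alan suspects.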
Re: piping radacct details to a script
On 8/24/05, Alan DeKok [EMAIL PROTECTED] wrote:
> marc racal [EMAIL PROTECTED] wrote:
> > is there a way to pipe radacct details to a script before it writes to the log file? how do you do this?
>
> What log file? There are many.

radacct details logs.

-marc
--
Get Firefox! http://tinyurl.com/cocg2 The browser you can trust.
Re: piping radacct details to a script
marc racal [EMAIL PROTECTED] wrote:
> > What log file? There are many.
>
> radacct details logs.

Thanks for keeping your answer as short and as cryptic as possible. It really gives people incentive to answer you.

1) The only reference to radacct in the server is in SQL.
2) There is no details log file.
3) I can guess what you're trying to do.
4) If my guess is right, the answer is in the documentation and examples.

Good luck.

Alan DeKok.
Re: freeradius + MySQL not working after upgrade from 1.0.1
Problem solved. I had been compiling versions > 1.0.1 without enabling Ascend binary support.

> Are you sure you didn't edit the dictionaries? Are you sure there's no other attribute 242, of type octets? Are you sure you're using the 1.0.4 dictionaries with 1.0.4?

I was in the process of removing and reinstalling freeradius, on what was already a fresh install on a new server, to make absolutely sure of all of that when I noticed a Gentoo local USE flag, frascend, which appears to have been introduced in Gentoo freeradius ebuilds after version 1.0.1 and which changed the default behavior for later versions to not enable what was previously enabled by default.

Much thanks.

-Marc
Re: freeradius + MySQL not working after upgrade from 1.0.1
[EMAIL PROTECTED] wrote:
> Problem solved. I had been compiling versions > 1.0.1 without enabling Ascend binary support.

It should probably be enabled by default.

Alan DeKok.