Call-Check

2005-10-05 Thread Ivo
Hi,

Can someone tell me is it possible to get freeradius to respond to
Service-Type==Call-Check requests? I have read on cisco's web pages
that it is not possible. I am using PM3 RAS with set call-check on
option set. Namely, I would like to check for valid caller-id before
answering the call and going on with username/password check.
If it is possible, some pointers would be very appreciated...

TIA

Ivo.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Cannot start Cistron radius server

2005-10-05 Thread A . L . M . Buxey
Hi,

> I have installed cistron 1.6.7.   When I tried to run it, it gives me an

well done. now join the Cistron mailing list. This is the FreeRADIUS
mailing list - a completely different program (!)

alan


RE: Tru64 again

2005-10-05 Thread Adharsh P
Hello Tim Winders,

When you run configure in Tru64, configure sets GETHOSTBYADDRRSTYLE
and GETHOSTBYNAMERSTYLE to GNUSTYLE in src/include/autoconf.h

Modify the two lines in src/include/autoconf.h

-#define GETHOSTBYADDRRSTYLE GNUTYPE
-#define GETHOSTBYNAMERSTYLE GNUTYPE

to

+#undef GETHOSTBYADDRRSTYLE
+#undef GETHOSTBYNAMERSTYLE
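
Review bot: the two removed lines spell the value GNUTYPE, but the sentence above says configure sets these macros to GNUSTYLE, so check the spelling actually present in src/include/autoconf.h before editing or the lines to change will not be found. Since configure writes that file, the #undef change is lost on the next configure run and has to be reapplied after it, before running make.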

Also undef OSFC2 if you haven't already done this.

Do a make and make install.

Run radiusd. It should work.

---adharsh

RE: Tru64 again 

Tim Winders
Thu, 15 Sep 2005 08:17:25 -0700 
responding to my own
post.  I saw a message about looking at the core dump
in another thread.  So, I followed those instructions.  Here is the output
from gdb:

This GDB was configured as alphaev67-dec-osf5.1...
BFD: Unhandled OSF/1 core file section type 4464
BFD: Unhandled OSF/1 core file section type 528
BFD: Unhandled OSF/1 core file section type 0
BFD: Unhandled OSF/1 core file section type 7
BFD: Unhandled OSF/1 core file section type 16384
BFD: Unhandled OSF/1 core file section type 8192
BFD: Unhandled OSF/1 core file section type 0
BFD: Unhandled OSF/1 core file section type 32768
BFD: Unhandled OSF/1 core file section type 49152
BFD: Unhandled OSF/1 core file section type 49152
BFD: Unhandled OSF/1 core file section type 7
BFD: Unhandled OSF/1 core file section type 57344
BFD: Unhandled OSF/1 core file section type 49152

warning: big endian file does not match little endian target.
Core was generated by `
   '.
Program terminated with signal 1, Hangup.
warning: Couldn't find general-purpose registers in core file.
warning: Couldn't find general-purpose registers in core file.
#0  0x in ?? ()

When I did bt in gdb I got the same #0  0x in ?? () response and
nothing else.

But, in reading the above, it seems a big endian v. little endian problem.
Does this help in getting freeradius to work on Tru64?

---

Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336


 -Original Message-
 From: Tim Winders [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, September 14, 2005 11:35 AM
 To: 'freeradius-users@lists.freeradius.org'
 Subject: Tru64 again

 I'm back at trying to get freeradius working under Tru64.
 This time using 1.0.5.

 I have an older cvs version working, but I can't remember
 what I did to make it work.  :-(  The working version I have
 is marked 1.1.0-pre0 built on Feb 17, 2005.

 First, in src/main/radiusd.c I have commented out the OSFC2
 define.  I do this because I'm not running C2, but it is
 always found and enabled, which kills the make.  Then, I run
 configure with these options:

 CFLAGS="-I/usr/local/ssl/include -I/usr/local/include" \
 LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib" \
 LIBS="-lssl -lcrypto -lsecurity" ./configure \
 --disable-shared \
 --enable-ltdl-install=no \
 --with-openssl-includes=/usr/local/ssl/include \
 --with-openssl-libraries=/usr/local/ssl/lib \
 --without-mysql --disable-mysql

 radiusd seems to compile, but with many warnings.  However,
 when I run it, it immediately seg faults and dumps core.
 Unfortunately, I am not a programmer, so I don't know how to
 begin troubleshooting this and try to help get freeradius
 working under Tru64.

 I remember being told that none of the development team uses
 Tru64.  So, it's possible this will never work right.  But,
 I'm willing to help out in whatever limited capacity I can,
 including CPU/shell account.

 Any useful suggestions are welcome.



PID variable

2005-10-05 Thread Abdul Lateef
Hi all,

How can I retrieve the current pid value of freeradius
in a shell script?

I want to create a shell script to run from the Linux
cron command, because our database is very slow and
radius always crashes when it receives
more than 1000 requests. So my script will check whether
radius has crashed and, if so, start it automatically using
cron.

Does anyone have good logic to auto-restart radius when
it crashes?




Yours,
Abdul Lateef
Computer Programmer
HATIF COM
Mob: +974 - 5405022
Tel: +974 - 4883068
ICQ: 276994704
YM!: abdul_zu
Fax: +974 - 4883063
Doha Qatar
http://www.hatif.com





Re: PID variable

2005-10-05 Thread Josh Howlett

[EMAIL PROTECTED] ~]# cat /var/run/radiusd.pid
10163

josh.



Re: Crashes with 1.0.4/1.0.5, perhaps connected with slow LDAP backend?

2005-10-05 Thread Martin Pauly
Alan,
>> Thu Sep 29 20:33:19 2005 : Error: Assertion failed in modcall.c, line 68
>   If you can get a core dump, and do 'bt' in gdb, and also do 'print
> *p' at the point of the assertion, that would help a lot.
>
>   But my main suspect right now is bad memory.  The code hasn't
> changed in a long time, and I doubt you're doing anything really weird
> to the server.

Well, I'm trying hard not to confuse my dear servers :-)

Funny enough, following advice from our LDAP admin
I changed the ldap query directive sequence in radiusd.conf
on one machine from
Auth-Type LDAP {
    redundant {
        ldap1
        ldap2
        ldap3
    }
}
to
Auth-Type LDAP {
    redundant {
        ldap3
        ldap1
    }
}
I.e. I avoided our most loaded LDAP server.
I also enabled coredumps and ran in full debug mode all Friday.
Guess what? No crashes over the long weekend (we had a holiday on Monday).
Given the erratic behavior, I will indeed give the hardware a closer look.

Thanks so far
Martin
-- 
  Dr. Martin Pauly      Fax:    49-6421-28-26994
  HRZ Univ. Marburg     Phone:  49-6421-28-23527
  Hans-Meerwein-Str.    E-Mail: [EMAIL PROTECTED]
  D-35032 Marburg


TLS Question

2005-10-05 Thread Juan Daniel Moreno
Hi,

I'm using freeRadius 1.0.4 and I would like to know something about tls config.

When I launch radius in debug mode I get these messages:

 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/juan/key.key
 tls: certificate_file = /etc/raddb/certs/juan/cert.cert
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = yes
 tls: check_cert_cn = %{User-Name}

but I would like to know how to change some parameters (like
rsa_key_exchange = yes) and, even more important,  if the
rsa_key_length is given in Bytes or bits. Does it mean that the
certificate length changes in function of this rsa_key_length?

Thank you, Juan Daniel MORENO



Multiple Connections for One UserID

2005-10-05 Thread Samson Martinez

Let me preface this with the required "I'm
pretty much a newbie to freeRADIUS".

Can someone point me to the place where I can modify
the number of simultaneous connections that are allowed per user? I've
just now noticed that I am currently only allowed a single connection and
I'd like to increase that value. Even better, can someone recommend a good
resource (book, website, etc.) to supplement the freeRADIUS website?

My configuration is being used to authenticate DSL
connections - I have modems that terminate on an Alcatel DSLAM which are
aggregated at a Juniper ERX router. The router uses the freeRADIUS configuration
for auth.

Thanks!

-Samson


RE: PID variable

2005-10-05 Thread Jonathan De Graeve
Pidof freeradius will also do

-- 
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the
number of incorrect ways to do things is almost infinite
-

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
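
An added example, not part of any post in this thread: a cron-driven watchdog that reads the pid file shown above and restarts radiusd only when the recorded process is gone. The start command, the `--run` switch, the crontab line and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): restart radiusd from cron when the
# process recorded in its pid file is no longer alive.
# Assumed values: START_CMD and the cron schedule. The pid file path is the
# one shown in the thread.

PIDFILE="${PIDFILE:-/var/run/radiusd.pid}"
EXPECT_COMM="${EXPECT_COMM:-radiusd}"
START_CMD="${START_CMD:-/etc/init.d/radiusd start}"   # assumption: adjust locally

# radiusd_state FILE [COMM]
# Prints one of: running | stale | invalid | missing
radiusd_state() {
    file=$1
    want=${2:-}
    [ -r "$file" ] || { echo missing; return 0; }
    pid=$(head -n 1 "$file" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    # kill -0 delivers no signal; it only tests that the pid exists and that
    # we may signal it, so run the watchdog as root or as the radiusd user.
    if ! kill -0 "$pid" 2>/dev/null; then
        echo stale
        return 0
    fi
    # Pids are recycled: when a name is given and ps is available, make sure
    # the live process really is radiusd and not an unrelated program.
    if [ -n "$want" ] && command -v ps >/dev/null 2>&1; then
        comm=$(ps -p "$pid" -o comm= 2>/dev/null | tr -d '[:space:]')
        if [ "${comm##*/}" != "$want" ]; then
            echo stale
            return 0
        fi
    fi
    echo running
}

watchdog_main() {
    state=$(radiusd_state "$PIDFILE" "$EXPECT_COMM")
    if [ "$state" = running ]; then
        return 0
    fi
    # Leave a trace of every restart so the crashes stay visible in syslog.
    logger -t radiusd-watchdog "radiusd state=$state, restarting" 2>/dev/null || true
    if [ "$state" = stale ] || [ "$state" = invalid ]; then
        rm -f "$PIDFILE"
    fi
    $START_CMD
}

# Example crontab line (assumed path and schedule):
#   */5 * * * * /usr/local/sbin/radiusd-watchdog.sh --run
if [ "${1:-}" = "--run" ]; then
    watchdog_main
fi
```

A server that is restarted silently keeps dropping authentication requests during each crash, so the logged restarts are worth counting alongside the fix for the slow database.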


request-proxy request-proxy_reply

2005-10-05 Thread Massimiliano Liccardo
hi folks, 
I should write a module that strips/modifies AV pairs from a proxy reply 
according to the AV pairs prior sent into the originated request.
My doubt is:  the AV request-proxy are still valid during post-proxy stage of 
a rlm_module? 
-- 
 Massimiliano Liccardo (maX) [EMAIL PROTECTED]
 jid:[EMAIL PROTECTED]
 sip:[EMAIL PROTECTED]
 GnuPG public key available on wwwkeys.eu.pgp.net
 Key ID: D01F1CAD
 Key fingerprint:  992D 91B7 9682 9735 12C9 402D AD3F E4BB D01F 1CAD

speed leads to oblivion,
 slowness to remembrance



Which Operating System is best for freeRADIUS

2005-10-05 Thread Gunther
Building my FR server, I have the choice of a number of operating system for
my FreeRADIUS server.
Anybody with a suggestion which operating system is best suited for FR?

I like to run FR on a VPS (virtual private server) using one of the
following OS:
- FreeBSD 4.9 (jail)
- FreeBSD 5.2 (jail)
- Fedora 2 (virtuozza)
- Redhat AS3 (virtuozza)
- Redhat 9.0 (virtuozza)
- CentOS 4.0 (virtuozza)

Thanks!
Gunther





Re: No updates with radiusd log

2005-10-05 Thread john
Thanks Alan.  I was trying to debug but not in full debugging mode.  I'll give 
that a shot.
Thanks again,
John
> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 5, 2005 01:07 AM
> To: 'FreeRadius users mailing list'
> Subject: Re: No updates with radiusd log
>
> [EMAIL PROTECTED] wrote:
>> When we attempt to access the FreeRadius server via a remote AP, the
>> radiusd log shows nothing.
>
>   Run the server in debugging mode to see what it's doing, and why.
>
>   This is mentioned in the FAQ, README, INSTALL, and daily on this list.
>
>> No attempt, nothing.  Yet the XP client shows a 'validating
>> identity' message.  However, I see nothing in the logs to debug.
>> Accounts are set to local authentication via EAP-TLS.
>
>   EAP-TLS doesn't use local authentication.  It uses certificates.
> Perhaps that's the problem.  And debug mode *will* explain this.
>
>   Alan DeKok.
 


Accounting and Cisco devices

2005-10-05 Thread Ryan Klinkhammer

Is it possible to receive accounting information for cisco
devices? When I go to my log files I can see the start and stop of my session
but don't see the commands I entered on the device. Or does freeradius
not log accounting information? I am using version 1.0.5

Thanks, Ryan


Success Story (A tribute to the FreeRADIUS project)

2005-10-05 Thread Lefteris St
Hello everyone,

I am writing this -long overdue- letter to express my
gratitude to all FR developers and other people who
help through this mailing list.
I may not be an active poster, but this list's archive
has been a tremendous help during my involvement with
FreeRADIUS. Thanks to the intense support (and of
course great open source software), my project was a
success and I managed to learn a couple of things too
:-).

To whom it may concern, I have deployed the following
setup for my University wifi hotspot:

WiFi users connect to APs in the University premises.
Authentication follows two scenarios (depending on the
particular AP site):

Scenario A or NoCat Scenario (low security): 

-A NoCat captive gateway runs on a PC connected
directly to the AP (or the AP itself, for embedded
devices). This PC is also responsible for DHCP,
firewall rules etc...
-The user's web browser is redirected to the login
page hosted at the AAA server for this building. There
runs the NoCat Auth Server and (of course) a
FreeRADIUS server. the NCA server gives the user
credentials to FR, who in turns authorizes them
against the local Windows AD (where Univercity users
reside) and a mysql database (for temporary wifi
accounts -can be duration-restricted).
-After the NoCat gateway lets the user in, it
periodically sends accounting information to the FR
server (to be stored in the mysql DB).

Scenario B or EAP scenario (high security):

-A FreeRADIUS proxy runs on a PC connected directly to
the AP (or the AP itself, for embedded devices). This
PC is also responsible for DHCP, firewall rules
etc...
-The AP has WPA-Enterprise enabled and connects to the
proxy FR for authentication.
-Users IEEE.1X clients for EAP authentication (mainly
PEAP).
-The FR proxy forwards authentication packets to the
central FR server (the same one as scenario A) who
authenticates and authorizes against the Windows AD
and mysql DB.
-Accounting packets are sent either by the AP (through
the proxy) or a NoCat gateway (set in Open mode)
which runs at the same PC with the proxy.

Accounting information is monitored through the
dialup_admin front-end, which is also used for
temporary wifi accounts (that go in the mysql db).

(The above may imply a large scale deployment but
there are only two APs for now :-) [both running
scenario A].) 

That's about it in a nutshell. I named the whole
system the WAL (Wireless Aueb -my University- Lan).

As you can see, I have also made heavy use of the
NoCat project (thanks to everyone in that mailing
list/developer team too!!) but it saddens me to see
that it got stuck in version 0.82 :-(.

Anyway, thanks again and keep up the good work. I am
not done with FR just yet, so I'll be seeing you all
:-).

Stefanis Eleftherios
MsC Student in Computer Science 
AUEB

PS: Sorry for the long post, I just thought it would
be nice for people to see what FR (combined with other
great open source software) can do in a complete WiFi
deployment.

PS2: The total software cost for the WAL was 0$ and
took one person (me) a total of about 2 months to
architecture and setup.





Re: Which Operating System is best for freeRADIUS

2005-10-05 Thread Nicolas Baradakis
Gunther wrote:

> Building my FR server, I have the choice of a number of operating
> system for my FreeRADIUS server.
> Anybody with a suggestion which operating system is best suited for FR?

I'd suggest Debian, because several members of the project are
developing or testing FreeRADIUS under Debian. Moreover the Debian
package is directly maintained by one of the developers who regularly
adds the major bugfixes into the Debian package between two releases
of FreeRADIUS.

-- 
Nicolas Baradakis



RE: Which Operating System is best for freeRADIUS

2005-10-05 Thread Gunther
Nicolas Baradakis wrote:
> I'd suggest Debian, because several members of the project are developing
> or testing FreeRADIUS under Debian.
> Moreover the Debian package is directly maintained by one of the developers
> who regularly adds the major bugfixes
> into the Debian package between two releases of FreeRADIUS.

Thanks! Not too familiar with Debian, but I don't think it is a different
world to all the other Linux distributions. I thought FreeBSD might be a
candidate since it is more focusing on networking and services.
I run several web hosting packages with FreeBSD, Fedora FC4, Redhat 9, SuSE
...
I was actually more looking from the user point of view and not the
developers. (sorry for that ;-)

Gunther




Re: Call-Check

2005-10-05 Thread Alan DeKok
Ivo [EMAIL PROTECTED] wrote:
> Can someone tell me is it possible to get freeradius to respond to
> Service-Type==Call-Check requests?

  I don't see why not.

> I have read on cisco's web pages that it is not possible.

  Please post the URL.

> Namely, I would like to check for valid caller-id before
> answering the call and going on with username/password check.

  Sure.  It's just data in RADIUS packets.

  Alan DeKok.


Re: TLS Question

2005-10-05 Thread Alan DeKok
Juan Daniel Moreno [EMAIL PROTECTED] wrote:
> but I would like to know how to change some parameters (like
> rsa_key_exchange = yes)

  Add it to the configuration section for tls.

> and, even more important,  if the
> rsa_key_length is given in Bytes or bits.

  Bits.

> Does it mean that the
> certificate length changes in function of this rsa_key_length?

  If the certificate includes the key, yes.

  Alan DeKok.
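
An added example, not part of the thread: since the lengths are given in bits, the `tls:` lines of the debug output can be checked mechanically against a minimum, and the same output also carries private_key_password in clear text, which should be masked before the output is posted anywhere. The function names and the 2048-bit default are assumptions chosen for illustration; the sample input is the debug output quoted in the question.

```shell
#!/bin/sh
# Added example (not from the thread): review the "tls:" lines that radiusd
# prints in debug mode. The 2048-bit default is an assumed policy threshold.

# Sample input: the tls lines quoted in the question above.
sample_debug() {
    cat <<'EOF'
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/juan/key.key
 tls: certificate_file = /etc/raddb/certs/juan/cert.cert
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = yes
 tls: check_cert_cn = %{User-Name}
EOF
}

# audit_tls_debug [MIN_BITS]
# Reads debug output on stdin and prints one finding per line:
#   WEAK    a *_key_length value (in bits) below MIN_BITS
#   INVALID a *_key_length value that is not a number
#   SECRET  a private key password visible in the output
audit_tls_debug() {
    min_bits=${1:-2048}
    awk -v min="$min_bits" '
        /^[ \t]*tls:[ \t]/ {
            line = $0
            sub(/^[ \t]*tls:[ \t]*/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            name = substr(line, 1, eq - 1)
            value = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name ~ /_key_length$/) {
                if (value !~ /^[0-9]+$/)
                    printf "INVALID %s=%s\n", name, value
                else if (value + 0 < min + 0)
                    printf "WEAK %s=%s bits (minimum %d)\n", name, value, min
            } else if (name == "private_key_password" && value != "" && value != "(null)") {
                printf "SECRET %s is printed in clear text; redact before sharing\n", name
            }
        }
    '
}

# redact_tls_debug: copy stdin to stdout with the password value masked,
# so the debug output can be posted to a list or ticket.
redact_tls_debug() {
    sed 's/^\([[:space:]]*tls:[[:space:]]*private_key_password[[:space:]]*=\).*$/\1 <redacted>/'
}

# Stand-alone run: print the findings for the sample.
sample_debug | audit_tls_debug
```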


Re: Multiple Connections for One UserID

2005-10-05 Thread Alan DeKok
Samson Martinez [EMAIL PROTECTED] wrote:
> Can someone point me to the place where I can modify the number of
> simultaneous connections that are allowed per user? I've just now
> noticed that I am currently only allowed a single connection and I'd
> like to increase that value.

  The default configuration is to allow multiple connections.  If
you're only allowed one, something changed in the config.

  See doc/Simultaneous-Use

  Alan DeKok.



Re: request-proxy request-proxy_reply

2005-10-05 Thread Alan DeKok
Massimiliano Liccardo [EMAIL PROTECTED] wrote:
> My doubt is:  the AV request-proxy are still valid during post-proxy stage of
> a rlm_module?

  Yes.

  Alan DeKok.


Re: Accounting and Cisco devices

2005-10-05 Thread Alan DeKok
Ryan Klinkhammer [EMAIL PROTECTED] wrote:
> Is it possible receive accounting information for cisco devices.  When I go
> to my log files I can see the start and stop of my session but don't see the
> commands I entered on the device.

  See the FAQ.  If the NAS doesn't send the data, FreeRADIUS won't log it.

  Alan DeKok.


RE: Call-Check

2005-10-05 Thread King, Michael
I wonder if it's this one?

http://www.cisco.com/univercd/cc/td/doc/product/voice/sipproxy/radiusps/radpreau.htm



RE: Call-Check

2005-10-05 Thread Jonathan De Graeve
From the site:
RADIUS Debugging File 
FreeRADIUS server does not support preauthentication. There is no
example for this case.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]



Re: Call-Check

2005-10-05 Thread Alan DeKok
Jonathan De Graeve [EMAIL PROTECTED] wrote:
> From the site:
> RADIUS Debugging File
> FreeRADIUS server does not support preauthentication. There is no
> example for this case.

  I'm not sure it's true.

  Please configure the pre-authentication as they describe, run
FreeRADIUS in debugging mode, and try using preauthentication.  Post
the results to the list.

  Also, configure ACS (or a server that *does* support
preauthentication), run some requests, capture the output with tcpdump,
and post the capture file on a web page.

  From what I can see of Table 10, they're not doing anything magic.
There's no reason why you can't configure preauthentication using
FreeRADIUS.

  Alan DeKok.



Re: Accounting and Cisco devices

2005-10-05 Thread Guy Fraser
On Wed, 2005-05-10 at 09:56 -0500, Ryan Klinkhammer wrote:
> Is it possible receive accounting information for cisco devices.  When
> I go to my log files I can see the start and stop of my session but
> don’t see the commands I entered on the device.  Or does freeradius
> not log accounting information.  I am using version 1.0.5

It sounds like you are thinking of syslog accounting rather than radius
accounting.

If you are using debug to log the activity on your Cisco device you will
have to configure it to use a remote syslog server, to collect the debug
information. If you want per interface accounting information, you will
either want to use SNMP or NetFlow information.

Radius is only for the AAA features on the Cisco device.





Wireless Provisioning Service Protocol

2005-10-05 Thread King, Michael

Has any thought been given on adding the WPS (Wireless Provisioning
Service) Protocol to FreeRADIUS?

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/protocol/portal_wireless_provisioning_service_protocol.asp

It sounds really cool in theory.

From:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9ADF7496-0D50-4138-848E-9BC810B83C01&displaylang=en

With WPS technology, new and existing customers can connect to your
Wi-Fi network without manual configuration of the computer or network
connection.



Re: Wireless Provisioning Service Protocol

2005-10-05 Thread Michael Griego

Hey, Michael,

From my recollection, implementing WPS would require first implementing 
PEAPv2, and there hasn't been any movement there yet.


--Mike




Re: Wireless Provisioning Service Protocol

2005-10-05 Thread Josh Howlett
I read the 132 page spec last night. Personally, I wasn't terribly 
impressed.


josh.



Re: Call-Check

2005-10-05 Thread Paolo Rotela
I'm using Cisco preauth feature on an AS5300 series acting as standard modem 
RAS against a FreeRADIUS. I use it to blacklist some ANIs that aren't 
allowed to put a call on my gear, and I need to do it before the call gets 
answered.


It is working great in the sense that I get the blacklisted numbers rejected 
without sending an Answer signal on the PSTN line, due to that Cisco's 
preauth feature makes it to do an Access-Request before it answers the call, 
but FR treats it as a normal packet, with the only detail that it has lesser 
information (i.e., in the modem RAS case, you don't have the real UserName 
until you answer the call and modem negotiation ends up, so Cisco normally 
lets you put the DNIS or ANI or something in the UserName field and 
password).


The only two details is this and the fact that from FR's point of view, the 
NAS will be doing Auth twice, one for the preauth phase on the cisco, and 
another for the real auth phase. So you will be seeing two Access-Request 
packets from NAS.


Ing. Paolo Rotela
Technical Manager
Blue Telecom


Re: Accounting and Cisco devices

2005-10-05 Thread Kevin Bonner
On Wednesday 05 October 2005 15:07, Guy Fraser wrote:
> On Wed, 2005-05-10 at 09:56 -0500, Ryan Klinkhammer wrote:
>> Is it possible receive accounting information for cisco devices.  When
>> I go to my log files I can see the start and stop of my session but
>> don’t see the commands I entered on the device.  Or does freeradius
>> not log accounting information.  I am using version 1.0.5
>
> It sounds like you are thinking of syslog accounting rather than radius
> accounting.
>
> If you are using debug to log the activity on your Cisco device you will
> have to configure it to use a remote syslog server, to collect the debug
> information. If you want per interface accounting information, you will
> either want to use SNMP or NetFlow information.
>
> Radius is only for the AAA features on the Cisco device.

A few minutes with google found:

http://www-128.ibm.com/developerworks/library/l-radius/#N101E5

I haven't tested those config lines yet, but the last two in Listing 9 might 
be what you're looking for.  Good luck, and let us know how it goes.

Kevin Bonner



access for 24 hours after first login?

2005-10-05 Thread Markus Krause
hello list,

i set up freeradius successfully for authentification against pam and users file
:-)
now i want to enhance the functionality about the following feature:
setting up several predefined (guest) accounts with a generated username and
password. this account should be valid from the first time it is used (first
login)   for 24 hours (or even better until 23:59 that day). this is intended
for our daily visitors and guests or for conference members, the idea is to
give them a username/password pair to be used just that day without much
administration effort. (just generate a list of let's say 100 accounts and if
they have been used just create new ones).

(how) can this be realized using freeradius? has anyone set up a similar (or
even better ;-) ) solution for this aim? (one-day passwords valid after first
login)

thanks for any help and hints!

regards,
   markus

--
Markus Krause   email: [EMAIL PROTECTED]
Computing Center                Tel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics   Fax.: 089 - 89 40 85 98



Re: access for 24 hours after first login?

2005-10-05 Thread Alan DeKok
Markus Krause [EMAIL PROTECTED] wrote:
 i set up freeradius successfully for authentification against pam and users file
 :-)

  Please don't use authentification.  It's authentication.

 now i want to enhance the functionality about the following feature:
 setting up several predefined (guest) accounts with a generated username and
 password. this account should be valid from the first time it is used (first
 login)   for 24 hours (or even better until 23:59 that day).

  rlm_counter.  Set it for 24 hours of access, and reset=never.

  Alan DeKok.
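
A sketch of the `rlm_counter` setup suggested above, as an added example that is not from the thread or the FreeRADIUS distribution; it assumes FreeRADIUS 1.x configuration syntax, and the instance name, file name, user name and password are placeholders. The module adds up `Acct-Session-Time`, so the limit is 24 hours of connected time and depends on the NAS sending accounting Stop packets.

```conf
# radiusd.conf -- inside modules { }
# Instance and file names are assumptions made for this example.
counter guest24h {
	filename = ${raddbdir}/db.guest24h
	key = User-Name                       # one counter per guest account
	count-attribute = Acct-Session-Time   # seconds reported in Stop packets
	reset = never                         # the budget is never refilled
	counter-name = Max-All-Session-Time
	check-name = Max-All-Session          # per-user limit, set in raddb/users
	cache-size = 5000
}

# radiusd.conf -- reference the instance in three sections
instantiate {
	guest24h
}
authorize {
	# ... existing modules ...
	files          # supplies the Max-All-Session check item below
	guest24h       # must come after the module that sets check-name
}
accounting {
	# ... existing modules ...
	guest24h       # adds Acct-Session-Time from each Stop to the counter
}

# raddb/users -- one entry per generated guest account (placeholder values)
guest0001  User-Password == "REPLACE-WITH-GENERATED-PASSWORD", Max-All-Session := 86400
```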


Re: Which Operating System is best for freeRADIUS

2005-10-05 Thread Dusty Doris

Building my FR server, I have the choice of a number of operating system for
my FreeRADIUS server.
Anybody with a suggestion which operating system is best suited for FR?

I like to run FR on a VPS (virtual private server) using one of the
following OS:
- FreeBSD 4.9 (jail)
- FreeBSD 5.2 (jail)
- Fedora 2 (Virtuozzo)
- Redhat AS3 (Virtuozzo)
- Redhat 9.0 (Virtuozzo)
- CentOS 4.0 (Virtuozzo)

Thanks!
Gunther


I think they all would work fine.  I myself prefer freebsd, specifically 
5.4.  I am running it on standalone freebsd5.4 servers in production and 
in the process of setting a few up in jails in my lab.  I really like the 
jails in freebsd, they are so easy to use.  If you need any tips with it, 
email me off-list.  I've got a couple jails setup right now running 
openldap.


Re: Call-Check

2005-10-05 Thread Ivo
On Wed, 2005-10-05 at 17:28 -0300, Paolo Rotela wrote:
 so Cisco normally 
 lets you put the DNIS or ANI or something in the UserName field and 
 password).
 The only two details are this and the fact that from FR's point of view, the 
 NAS will be doing Auth twice, one for the preauth phase on the cisco, and 
 another for the real auth phase. So you will be seeing two Access-Request 
 packets from NAS.

Since it looks like a normal authentication request, FR (when using an sql
database) is looking into radcheck for username / password, but my NAS
(PM3) sends only the username and there is no User-Password attribute in
the request, so FR denies access - I can see "Auth: Login incorrect:
[XXX/no User-Password attribute]" in the log file (where XXX is the
callerId, of course).

So, how can I tell FR not to look for a password and to accept a call from
some phone number if that number is in some sql table?

TIA.




Re: Call-Check

2005-10-05 Thread Alan DeKok
Ivo [EMAIL PROTECTED] wrote:
 So, how can I tell FR not to look for a password and to accept a call from
 some phone number if that number is in some sql table?

  Auth-Type := Accept

  Alan DeKok.


add a realm to a User-Name if no realm

2005-10-05 Thread Lewis Bergman
I am in need of rewriting a username in a request to include a domain.
Basically, if a user comes in as user add the realm @dom.com so it is
checked as [EMAIL PROTECTED]. I found this in the archives which seems to be
close.
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg15228.html

I presume the solution above would go in the users file. I need to be able
to do this differently per client. Is this possible?

So I added DEFAULT   User-Name !~ @, User-Name := [EMAIL PROTECTED]
but that fails to yield the result I was looking for. I see from the debug
that it is matched
users: Matched entry DEFAULT at line 223

But that user isn't in the users file, they are all in MySQL. As a result,
do I need that in the sql.conf or one of the preprocess files? I did add
the user to the user file but authentication still failed.

I have also studied variables.txt but seem unable to make this work. I
even tried making my own preprocess file. I didn't expect it to work and I
wasn't disappointed.

Any help appreciated.
-- 
Lewis Bergman
Texas Communications
4309 Maple ST.
Abilene, TX 79602
325-691-3301


Re: add a realm to a User-Name if no realm

2005-10-05 Thread Lewis Bergman
I wasn't quite specific enough on my post. The NULL match in the realm
module would probably work for the no realm at all situation.

I was hoping to look for a specific %{NAS-Identifier} and based on that
AND the fact that a user does not have an @ in the username, add the
realm.

-- 
Lewis Bergman
Texas Communications
4309 Maple ST.
Abilene, TX 79602
325-691-3301