build snapshot on freebsd 5.4-release

2005-10-13 Thread Roy
Hi, 

Anyone ever tried building current snapshot from cvs on freebsd 5.4-release?
Tried searching from the archive and seems like this wasn't resolved yet.

Anyone?

BR,

roy

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_perl %RAD_REPLY issue

2005-10-13 Thread Boyan Jordanov
On Thursday 13 October 2005 05:08, Max Lock wrote:
> rlm_perl: ERROR: Failed to create pair Max-Total-Octets = 60

Do you have such an attribute in your dictionary?

-- 
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723 
tel. +359 2 4004 002


Ask for help on FreeRadius working with Vocal

2005-10-13 Thread Arthur pan
hi, all

We were struggling a few weeks ago trying to get CDR collection to work. 

Does anybody know how to set up FreeRadius and Vocal CDR?

I would be very thankful if you can help.

B.R
Arthur Pan







Re: rlm_perl %RAD_REPLY issue

2005-10-13 Thread Max Lock
On Thu, 2005-10-13 at 09:35 +0300, Boyan Jordanov wrote:
> On Thursday 13 October 2005 05:08, Max Lock wrote:
> > rlm_perl: ERROR: Failed to create pair Max-Total-Octets = 60
>
> Do you have such attribute in your dictionary ?

You beauty!

I do now :)

Works a treat! Thank you, I've been trying to get this working all day! :)

 -Max



Counter reset

2005-10-13 Thread Andreas Korber
Hi,
I'm running freeradius 1.0.4 with mysql and chilli. Most of it works well :-)
But I have some users who won't log out. And now comes the problem: if a
user has something like 4GB traffic up or download in one session, his
traffic gets lost and the counter resets. I'm not sure, but is there a
buffer which overflows? Or something like this?
Thanks




Re: FreeRADIUS - FreeBSD - Segmentation fault

2005-10-13 Thread Christian Meutes

Hi,

It seems that freeradius has problems running with MySQL built with linuxthreads;
when compiling MySQL with native pthreads, it runs.
I don't know why this causes problems only with freeradius; other
applications are running just fine with MySQL and linuxthreads...



--On Wednesday, October 12, 2005 15:00:10 -0400 Dusty Doris [EMAIL PROTECTED] wrote:

> Just wondering if you've had any luck?  I just installed freeradius 1.0.5
> from the ports tree (it was finally updated) on a freebsd 5.4 jail and
> it's starting up for me.  I've got to run to a meeting now, but I will be
> testing it later with actual data.
>
> -Dusty



Re: rlm_perl %RAD_REPLY issue

2005-10-13 Thread Max Lock
On Thu, 2005-10-13 at 20:31 +1300, Max Lock wrote:
> On Thu, 2005-10-13 at 09:35 +0300, Boyan Jordanov wrote:
> > On Thursday 13 October 2005 05:08, Max Lock wrote:
> > > rlm_perl: ERROR: Failed to create pair Max-Total-Octets = 60
> >
> > Do you have such attribute in your dictionary ?
>
> You beauty!
>
> I do now :)
>
> works a treat! thankyou, I've been trying to get this working all
> day! :)

Just one more question! For some reason, simply setting the hash and
returning RLM_MODULE_OK works fine, but I'm returning the contents of a
variable..

$RAD_REPLY{'ChilliSpot-Max-Total-Octets'} = $unused_user_octets;

However, the module then returns a reject, when it shouldn't?

perl_pool: item 0x814b2b0 asigned new request. Handled so far: 1
found interpetator at address 0x814b2b0
rlm_perl: Voucher:QEMRS3LFLC01 Used:1003947 Total:600 Left:4996053
rlm_perl: RAD_REPLY: Acct-Interim-Interval = 120
rlm_perl: RAD_REPLY: Idle-Timeout = 300
rlm_perl: RAD_REPLY: Session-Timeout = 208
rlm_perl: RAD_REPLY: WISPr-Bandwidth-Max-Up = 128000
rlm_perl: RAD_REPLY: ChilliSpot-Max-Total-Octets = 4996053
rlm_perl: RAD_REPLY: WISPr-Bandwidth-Max-Down = 256000
rlm_perl: Added pair Acct-Interim-Interval = 120
rlm_perl: Added pair Idle-Timeout = 300
rlm_perl: Added pair Session-Timeout = 208
rlm_perl: Added pair WISPr-Bandwidth-Max-Up = 128000
rlm_perl: Added pair ChilliSpot-Max-Total-Octets = 4996053
rlm_perl: Added pair WISPr-Bandwidth-Max-Down = 256000
rlm_perl: Added pair Max-Daily-Session-Data = 600
rlm_perl: Added pair Password = QEMRS3LFLC01
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Max-Daily-Session-Time = 7200
rlm_perl: Added pair Auth-Type = Local
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0x814b2b0
modcall[authorize]: module perl returns reject for request 0
modcall: group authorize returns reject for request 0

 What's happening? 

 -Thanks Max.



Accounting attribute rewriting

2005-10-13 Thread Christian Meutes

Hello,

simple question:
is there any possibility to rewrite accounting attributes apart from using 
rlm_attr_rewrite?


-christian


RE: Counter reset

2005-10-13 Thread Jonathan De Graeve
Yes, there's a 4GB limit in the counter.

You have to use smaller values (change your SQL query to divide all values by
a given value).

J.

-- 
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the number of 
incorrect ways to do things is almost infinite
-



Problem with OpenSSL functions

2005-10-13 Thread Juan Daniel Moreno
Hi,

I would like to ask you (experienced people)
something. I'm using freeradius 1.0.4 and I have a message 48 bytes
long (a premaster secret) generated
with the random function of openssl. This message has to be
public_encrypted and sent to a radius server. Nevertheless, when I use the
RSA_public_encrypt() function, it encrypts the 48-byte message and
generates a 64-byte encrypted message. Normally it functions like this;
but when I send this encrypted message to the server, the server responds:
tls rsa encrypted value length is wrong. This means that the message
is well generated but not well encrypted. Can any of you please tell me how
I can fix this problem? Knowing that the RSA public key is 64 bytes long, is
it normal that the encrypted message is 64 bytes long too?  Do you know
another openSSL function that public_encrypts a message?

Thank you, Juan Daniel MORENO
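
An added example, not part of the original post and not FreeRADIUS or OpenSSL code: a toy pure-Python RSA showing that PKCS#1 v1.5 encryption always yields a ciphertext as long as the modulus (64 bytes for a 512-bit key, whatever the 48-byte input), and how TLS 1.0 and later carry that ciphertext behind a two-byte length prefix in ClientKeyExchange. All function names, the seeded key and the premaster bytes are constructed here; whether a missing prefix is what the poster's server rejected is an assumption.

```python
import random

E = 65537  # common RSA public exponent


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime with the top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if c % E != 1 and is_probable_prime(c, rng):  # keeps gcd(E, c-1) == 1
            return c


def gen_key(bits, rng):
    """Return (n, e, d). 512 bits only mirrors the post's 64-byte key; it is
    far too small for real use."""
    p = gen_prime(bits // 2, rng)
    q = gen_prime(bits // 2, rng)
    while q == p:
        q = gen_prime(bits // 2, rng)
    return p * q, E, pow(E, -1, (p - 1) * (q - 1))


def pkcs1_v15_encrypt(msg, n, e, rng):
    """EM = 00 02 || nonzero padding (>= 8 bytes) || 00 || msg, then RSA.
    This is the padding OpenSSL calls RSA_PKCS1_PADDING."""
    k = (n.bit_length() + 7) // 8  # modulus length in bytes
    if len(msg) > k - 11:
        raise ValueError("message too long for this modulus")
    pad = bytes(rng.randrange(1, 256) for _ in range(k - 3 - len(msg)))
    em = b"\x00\x02" + pad + b"\x00" + msg
    # The output is always k bytes, independent of len(msg).
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def pkcs1_v15_decrypt(ct, n, d):
    """Inverse of the above. A real server must not reveal padding failures."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("bad padding")
    return em[sep + 1:]


def frame_tls(ct):
    """TLS 1.0+ ClientKeyExchange body: 2-byte length, then the ciphertext."""
    return len(ct).to_bytes(2, "big") + ct


def server_accepts(body, modulus_len):
    """Length check applied to the received body before decrypting."""
    if len(body) < 2:
        return False
    declared = int.from_bytes(body[:2], "big")
    return declared == len(body) - 2 and declared == modulus_len


def demo(seed=2005):
    rng = random.Random(seed)  # deterministic for the example, NOT for real keys
    n, e, d = gen_key(512, rng)
    # Constructed premaster secret: client version 3.1 plus 46 random bytes.
    premaster = b"\x03\x01" + bytes(rng.randrange(256) for _ in range(46))
    ct = pkcs1_v15_encrypt(premaster, n, e, rng)
    body = frame_tls(ct)
    return {
        "premaster_len": len(premaster),
        "ciphertext_len": len(ct),
        "framed_len": len(body),
        "framed_ok": server_accepts(body, 64),
        "raw_ok": server_accepts(ct, 64),  # ciphertext sent without the prefix
        "roundtrip": pkcs1_v15_decrypt(ct, n, d) == premaster,
    }


if __name__ == "__main__":
    print(demo())
```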



EAP Fast

2005-10-13 Thread Juan Daniel Moreno
Hi,

I would like to know if EAP FAST is accepted by freeRadius or if it's
under development. If it is under development, when will it be
available?

Thank you, Juan Daniel MORENO



Re: rlm_perl %RAD_REPLY issue

2005-10-13 Thread Boyan Jordanov
On Thursday 13 October 2005 11:35, Max Lock wrote:
> Just one more question! for some reason, simply setting the hash and
> returning RLM_MODULE_OK works fine. but I'm returning the contents of a
> variable..
>
> $RAD_REPLY{'ChilliSpot-Max-Total-Octets'} = $unused_user_octets;
>
> however the module then returns a reject? when it shouldn't?

You don't need to return a variable; just fill the hash and then return
RLM_MODULE_OK, and then rlm_perl will take the values from the hash and put them
in radreply.


-- 
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723 
tel. +359 2 4004 002



Simultaneous-Use check MySQL

2005-10-13 Thread David M.
Hi,

I'm experiencing problems with Simultaneous-Use and MySQL.

Because I have two freeradius servers, I cannot use radutmp for accounting:
if one radius gets a stop packet and the start one went to the other radius, the
driver fails, so all accounting is based on MySQL.

The MySQL queries that the radius performs are the following (using the standard
sql.conf file with simul_count_query uncommented; the file is attached):
1- authorize_check_query (gets the Simultaneous-Use := 1)
2- authorize_group_check_query
3- authorize_reply_query
4- authorize_group_reply_query
5- simul_count_query
6- postauth_query
7- accounting_start_query
8- accounting_update_query (updates the radacct table with the IP address from the pool)

If I try to connect with the same user while the previous connection is still
established, this is the sequence of queries:
1- authorize_check_query
2- authorize_group_check_query
3- authorize_reply_query
4- authorize_group_reply_query
5- simul_count_query **returns 1**
6- simul_verify_query
7- accounting stop query **performs a stop in the previously established session**
8- postauth_query
9- accounting_start_query
10- accounting_update_query (updates the radacct table with the IP address from the pool)

I think either simul_verify_query is wrong or there is something wrong with
sql.conf. I've attached it.

If I change Simultaneous-Use := 0 the user cannot connect, as it should behave,
and the logs report Auth: Multiple logins (max 0)

Freeradius and freeradius-mysql are official Debian etch/testing
packages (version 1.0.4-2)

Any help would be appreciated, thanks in advance
-- 
David
#
#  Configuration for the SQL module, when using MySQL.
#
#  The database schema is available at:
#
#   src/radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
#
#  If you are using PostgreSQL, please use 'postgresql.conf', instead.
#  If you are using Oracle, please use 'oracle.conf', instead.
#  If you are using MS-SQL, please use 'mssql.conf', instead.
#
#   $Id: sql.conf,v 1.41.2.1 2004/06/10 00:45:01 phampson Exp $
#
sql {

# Database type
# Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
# rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
driver = rlm_sql_mysql

# Connect info
server = mysql.server.com
login = mysql.user
password = mysql.pass

# Database table configuration
radius_db = radius.table

# If you want both stop and start records logged to the
# same SQL table, leave this as is.  If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = radacct
acct_table2 = radacct

# Allow for storing data after authentication
postauth_table = radpostauth

authcheck_table = radcheck
authreply_table = radreply

groupcheck_table = radgroupcheck
groupreply_table = radgroupreply

usergroup_table = usergroup

# Remove stale session if checkrad does not see a double login
deletestalesessions = yes

# Print all SQL statements when in debug mode (-x)
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql

# number of sql connections to make to server
num_sql_socks = 5

# number of seconds to delay retrying on a failed database
# connection (per_socket)
connect_failure_retry_delay = 60

# Safe characters list for sql queries. Everything else is replaced
# with their mime-encoded equivalents.
# The default list should be ok
#safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /

###
#  Query config:  Username
###
# This is the username that will get substituted, escaped, and added
# as attribute 'SQL-User-Name'.  '%{SQL-User-Name}' should be used below
# everywhere a username substitution is needed so you can be sure
# the username passed from the client is escaped properly.
#
#  Uncomment the next line, if you want the sql_user_name to mean:
#
#Use Stripped-User-Name, if it's there.
#Else use User-Name, if it's there,
#Else use hard-coded string DEFAULT as the user name.
#sql_user_name = %{Stripped-User-Name:-%{User-Name:-DEFAULT}}
#
sql_user_name = %{User-Name}

###
#  Default profile
###
# This is the default profile. It is found in SQL by group membership. 
# That means that this 

AW: Counter reset

2005-10-13 Thread Andreas Korber
Sorry.
Which value? What query?
Thanks for helping me, but I don't really understand.

andi 



Re: MS SQL Schema File

2005-10-13 Thread Daniel Corbe
The mssql.conf file is still there and says:

#  The database schema is available at:
#
#   src/radiusd/src/modules/rlm_sql/drivers/rlm_sql_freetds/db_mssql.sql

:(

-Daniel

On 10/13/05, Daniel Corbe [EMAIL PROTECTED] wrote:
> It seems to me like (reading back in the archives) there used to be a
> schema file for MS SQL servers but that was removed from the archive
> once FreeTDS support was dropped.
>
> Can anyone lend me a hand here?
>
> On 10/12/05, Daniel Corbe [EMAIL PROTECTED] wrote:
> > Hello,
> >
> > I have unixodbc configured as the SQL back end for my RADIUS server
> > and the back end database is an MS SQL Server.
> >
> > Does anyone have a schema available for MS SQL Server?  This would
> > need to include a unix_timestamp stored procedure.
> >
> > Please help
> >
> > -Daniel




Ippool mysql

2005-10-13 Thread Mark Novitzkas
Hi There

I am trying to set up freeradius 1.0.0.5 using mysql and ippools.
Basically I want to use mysql to auth the incoming request and use
ippool to assign an address to that request. Firstly, is that possible?
I have set up the mysql DB correctly with the radcheck table
specifying the Pool-Name (in my case I'm testing with the main_pool
as configured in the radiusd.conf).
My second problem is that if I start up radiusd in debug mode it shows
the following error:

Module: Loaded IPPOOL
ippool: session-db = /home/radius/db.ippool
ippool: ip-index = /home/radius/db.ipindex
ippool: range-start = 192.168.1.1 IP address [192.168.1.1]
ippool: range-stop = 192.168.3.254 IP address [192.168.3.254]
ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
ippool: cache-size = 800
ippool: override = yes
ippool: maximum-timeout = 0
rlm_ippool: Failed to open file /home/radius/db.ippool: Permission denied
radiusd.conf[1467]: main_pool: Module instantiation failed.

Do I need to create the db files first? If so, how is this done?
I know these may be arb questions but this is my first time using freeradius :)

Thanks
Mark




Re: MS SQL Schema File

2005-10-13 Thread Craig Huckabee



Daniel Corbe wrote:

> The mssql.conf file is still there and says:
>
> #  The database schema is available at:
> #
> #   src/radiusd/src/modules/rlm_sql/drivers/rlm_sql_freetds/db_mssql.sql
>
> :(
>
> -Daniel


Get it from the CVS Attic:

http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/drivers/rlm_sql_freetds/Attic/db_mssql.sql

Grab the 1.3 revision (last one before the file was removed).

--Craig




WG: Problem conversion of User-Name

2005-10-13 Thread marcus . koestler


 Hello,
 
 I have a problem after converting a User-Name of the form 27180769 to
 [EMAIL PROTECTED]
 
 After the radius server has authorized the request I want to convert my user to an
 @-form to pass it to the rlm_krb5 module for authentication, because we
 have different Kerberos realms and the name 27180769 is probably not
 enough to pick the right Kerberos server from krb5.conf.
 
 For this sake my external program gives back a value pair in the form
 User-Name := [EMAIL PROTECTED], after I feed it with the LDAP-DN
 from the LDAP request, to pick the right realm.
 
 It seems that the memory allocated for User-Name is not reallocated, so
 values of other variables were overwritten after the program returns.
 
 here is my debug-output from radiusd -s -xx:
 
 Exec-Program: /usr/local/bin/convert.php
 CN=27180769,CN=Users,DC=apfelbaum,DC=de
 Exec-Program output: User-Name := [EMAIL PROTECTED]
 Exec-Program-Wait: value-pairs: User-Name := [EMAIL PROTECTED]
 Exec-Program: returned: 0
   modcall[authorize]: module convert_name returns ok for request 0
 rlm_ldap: Entering ldap_groupcmp()
 radius_xlat:  'dc=apfelbaum,dc=de'
 radius_xlat:
 '(|((objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(
 (objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apf
 elbaum,DC=de)))'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in cn=modemuser,cn=Users,dc=apfelbaum,dc=de,
 with filter
 (|((objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(
 (objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfe
 lbaum,DC=de)))
 rlm_ldap::ldap_groupcmp: User found in group
 cn=modemuser,cn=Users,dc=apfelbaum,dc=de
 rlm_ldap: ldap_release_conn: Release Id: 0
 users: Matched entry DEFAULT at line 219
 radius_xlat:  'number=08912124447 direction=outgoing'
   modcall[authorize]: module files returns ok for request 0
 modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type Kerberos
 auth: type Kerberos
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 0
 rlm_krb5:
 [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=
 de)`] krb5_g_i_t_w_p failed: Cannot resolve network address for KDC in
 requested realm
   modcall[authenticate]: module krb5 returns reject for request 0
 modcall: group authenticate returns reject for request 0
 auth: Failed to validate the user.
 Login incorrect:
 [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users/ROrt9670] (from
 client localhost port 0)
 
 
 a snap from radiusd.conf:
 
 
  exec convert_name {
 wait=yes
 program =/usr/local/bin/convert.php %{Ldap-UserDn}
 input_pairs = request
 output_pairs = request
 }
 
 authorize {
 ldap {
 notfound = return
 }
 convert_name
  files
 }
 
 my users-file:
 
 DEFAULT Ldap-Group == cn=modemuser,cn=Users,dc=apfelbaum,dc=de,
 Auth-Type:=Kerberos
 DIALT := number=%{reply:DIALT} direction=outgoing,
 PPPT := callback=ppp_offered blocktime=3 Layer1Protocol=modem,
 Idle-Timeout = 900,
 Framed-Protocol = PPP,
 User-Service := 2,
 Fall-Through = 0,
 Framed-Netmask := 255.255.255.255
 
 DEFAULT Ldap-Group == cn=isdnuser,cn=Users,dc=apfelbaum,dc=de,
 Auth-Type:=Kerberos
 DIALT := number=%{reply:DIALT} direction=outgoing,
 PPPT := callback=ppp_offered blocktime=3,
 Idle-Timeout = 900,
 Framed-Protocol = PPP,
 User-Service := 2,
 Fall-Through = 0,
 Framed-Netmask := 255.255.255.255
 
 
 DEFAULT Auth-Type := Reject
 Reply-Message = Your account has been disabled.
 
 
 greetings
 Marcus Koestler
 Bayerisches Landeskriminalamt
 SG 343, Netztechnik


Re: WG: Problem conversion of User-Name

2005-10-13 Thread Kenneth Grady
in your /etc/krb5.conf do you have
...
[realms]
apfelbaum.de ={
kdc = kerberos...




AW: WG: Problem conversion of User-Name

2005-10-13 Thread marcus . koestler
yes.

-Original Message-
From: Kenneth Grady [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 October 2005 16:20
To: FreeRadius users mailing list
Subject: Re: WG: Problem conversion of User-Name


in your /etc/krb5.conf do you have
...
[realms]
apfelbaum.de ={
kdc = kerberos...




AW: Counter reset

2005-10-13 Thread Andreas Korber
Ok, now I understand. Thanks.
One more question. Where to set the octets value for recalculation?

Thanks
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
Jonathan De Graeve
Sent: Thursday, 13 October 2005 15:22
To: FreeRadius users mailing list
Subject: RE: Counter reset

Octet values are in bytes.

So just calculate what it would be in MB or in GB. I recalculate the value
to be in MB, so I force the max octets to something like 1024MB for 1GB.

Divide your end result by 1024*1024 or something.

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the number
of incorrect ways to do things is almost infinite
-

-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Namens Andreas Korber
Verzonden: donderdag 13 oktober 2005 15:13
Aan: 'FreeRadius users mailing list'
Onderwerp: AW: Counter reset

Sorry
Which value. What query
Thanks for helping me, but i don´t really understand

andi 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
Jonathan De Graeve
Sent: Thursday, 13 October 2005 11:59
To: FreeRadius users mailing list
Subject: RE: Counter reset

Yes there's a 4GB limit in the counter

You have to use smaller values (change your sql query to divide all values
by a given value)

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the number
of incorrect ways to do things is almost infinite
-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Andreas Korber
Sent: Thursday, 13 October 2005 9:37
To: freeradius-users@lists.freeradius.org
Subject: Counter reset

Hi,
I'm running freeradius 1.0.4 with mysql  chilli. Most of them works good
:-)
But I have some users, which won't log out. And now comes the problem: if a
user has something like 4GB traffic up or download in one session his
traffic would get lost and the counter resets. I'm not sure, but is there a
buffer which will overflow? Or something like this??
Thanks




RE: Counter reset

2005-10-13 Thread Jonathan De Graeve
In your SQL query 

J.

-- 
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the number of 
incorrect ways to do things is almost infinite
-

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Andreas Korber
Sent: Thursday, 13 October 2005 16:51
To: 'FreeRadius users mailing list'
Subject: AW: Counter reset

Ok, now I understand. Thanks.
One more question. Where to set the octets value for recalculation?

Thanks
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
Jonathan De Graeve
Sent: Thursday, 13 October 2005 15:22
To: FreeRadius users mailing list
Subject: RE: Counter reset

Octet values are in bytes

So just calculate what it would be in MB or in GB. I recalculate the value
to be in MB so I force the max octets to like 1024MB for 1GB

Divide your end result by 1024*1024 or something

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the number
of incorrect ways to do things is almost infinite
-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Andreas Korber
Sent: Thursday, 13 October 2005 15:13
To: 'FreeRadius users mailing list'
Subject: AW: Counter reset

Sorry
Which value? What query?
Thanks for helping me, but I don't really understand

andi 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
Jonathan De Graeve
Sent: Thursday, 13 October 2005 11:59
To: FreeRadius users mailing list
Subject: RE: Counter reset

Yes there's a 4GB limit in the counter

You have to use smaller values (change your sql query to divide all values
by a given value)

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the number
of incorrect ways to do things is almost infinite
-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Andreas Korber
Sent: Thursday, 13 October 2005 9:37
To: freeradius-users@lists.freeradius.org
Subject: Counter reset

Hi,
I'm running freeradius 1.0.4 with mysql  chilli. Most of them works good
:-)
But I have some users, which won't log out. And now comes the problem: if a
user has something like 4GB traffic up or download in one session his
traffic would get lost and the counter resets. I'm not sure, but is there a
buffer which will overflow? Or something like this??
Thanks




AW: Counter reset

2005-10-13 Thread Andreas Korber
Ok thanks, I'll have a look this evening

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
Jonathan De Graeve
Sent: Thursday, 13 October 2005 17:03
To: FreeRadius users mailing list
Subject: RE: Counter reset

In your SQL query 

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the number
of incorrect ways to do things is almost infinite
-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Andreas Korber
Sent: Thursday, 13 October 2005 16:51
To: 'FreeRadius users mailing list'
Subject: AW: Counter reset

Ok, now I understand. Thanks.
One more question. Where to set the octets value for recalculation?

Thanks
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
Jonathan De Graeve
Sent: Thursday, 13 October 2005 15:22
To: FreeRadius users mailing list
Subject: RE: Counter reset

Octet values are in bytes

So just calculate what it would be in MB or in GB. I recalculate the value
to be in MB so I force the max octets to like 1024MB for 1GB

Divide your end result by 1024*1024 or something

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the number
of incorrect ways to do things is almost infinite
-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Andreas Korber
Sent: Thursday, 13 October 2005 15:13
To: 'FreeRadius users mailing list'
Subject: AW: Counter reset

Sorry
Which value? What query?
Thanks for helping me, but I don't really understand

andi 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
Jonathan De Graeve
Sent: Thursday, 13 October 2005 11:59
To: FreeRadius users mailing list
Subject: RE: Counter reset

Yes there's a 4GB limit in the counter

You have to use smaller values (change your sql query to divide all values
by a given value)

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the number
of incorrect ways to do things is almost infinite
-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Andreas Korber
Sent: Thursday, 13 October 2005 9:37
To: freeradius-users@lists.freeradius.org
Subject: Counter reset

Hi,
I'm running freeradius 1.0.4 with mysql  chilli. Most of them works good
:-)
But I have some users, which won't log out. And now comes the problem: if a
user has something like 4GB traffic up or download in one session his
traffic would get lost and the counter resets. I'm not sure, but is there a
buffer which will overflow? Or something like this??
Thanks
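
The recalculation suggested in this thread, as an added example that is not part of the original messages or of FreeRADIUS: the same usage query is run once in bytes and once divided by 1024*1024, and the result is held in a 32-bit value. Assumptions: the radacct column names (UserName, AcctInputOctets, AcctOutputOctets), SQLite standing in for MySQL, the constructed session rows, and as_uint32() as a model of the 4GB limit.

```python
import sqlite3

UINT32_MAX = 2**32 - 1      # largest value a 32-bit counter can hold
MIB = 1024 * 1024           # divisor suggested in the thread

# Constructed accounting rows: (UserName, AcctInputOctets, AcctOutputOctets).
SAMPLE_SESSIONS = [
    ("andi", 3 * 1024**3, 200 * MIB),   # one long session: 3 GiB down, 200 MiB up
    ("andi", 1 * 1024**3, 100 * MIB),   # a second session the same day
    ("guest", 50 * MIB, 5 * MIB),
]

# Usage query in raw bytes (overflows a 32-bit counter past 4 GiB) ...
QUERY_BYTES = (
    "SELECT SUM(AcctInputOctets + AcctOutputOctets) "
    "FROM radacct WHERE UserName = ?"
)
# ... and the same query scaled to MiB inside SQL, as recommended.
QUERY_MIB = (
    "SELECT SUM(AcctInputOctets + AcctOutputOctets) / 1048576 "
    "FROM radacct WHERE UserName = ?"
)


def build_db(rows):
    """Create an in-memory radacct table (assumed column names) with sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct ("
        "UserName TEXT, AcctInputOctets INTEGER, AcctOutputOctets INTEGER)"
    )
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    return db


def as_uint32(value):
    """Model a consumer that keeps the query result in an unsigned 32-bit integer."""
    return value & UINT32_MAX


def usage(db, user, query):
    """Run a usage query for one user and return what a 32-bit counter would hold."""
    (total,) = db.execute(query, (user,)).fetchone()
    return as_uint32(int(total or 0))    # SUM() is NULL for a user with no rows


def over_quota(db, user, limit_mib, scaled=True):
    """Compare usage with a limit given in MiB, using the scaled or the raw query."""
    if scaled:
        return usage(db, user, QUERY_MIB) >= limit_mib
    return usage(db, user, QUERY_BYTES) >= limit_mib * MIB


if __name__ == "__main__":
    db = build_db(SAMPLE_SESSIONS)
    for user in ("andi", "guest"):
        print(user,
              "bytes counter:", usage(db, user, QUERY_BYTES),
              "MiB counter:", usage(db, user, QUERY_MIB))
    print("andi over 4096 MiB (raw bytes):", over_quota(db, "andi", 4096, scaled=False))
    print("andi over 4096 MiB (scaled):   ", over_quota(db, "andi", 4096, scaled=True))
```

With the byte query the user's 4396 MiB of traffic shows up as 300 MiB, so a 4 GiB limit is never reached; the scaled query reports the full amount.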




Packet of Disconnect

2005-10-13 Thread Ashwin Gobind
Can freeradius handle a Disconnect Request (Attribute 40)? If so, how?


Re: build snapshot on freebsd 5.4-release

2005-10-13 Thread Dusty Doris

Hi,

Anyone ever tried building current snapshot from cvs on freebsd 5.4-
release? Tried searching from the archive and seems like this wasn't
resolved yet.

Anyone?



I did it successfully a few weeks ago.  I'll give it a shot again next 
week if I have time.





Re: Problem with OpenSSL functions

2005-10-13 Thread Alan DeKok
Juan Daniel Moreno [EMAIL PROTECTED] wrote:
 Can any of you tell me please how can I fix this problem? Knowing
 that the RSA public key is 64 bytes long, is it normal that the
 encrypted message is 64 bytes long too?

  The two are completely independent.

 Do you know another openSSL function that public_encrypts a
 message?

  You don't call the encryption functions.  You call send tls
data, and it takes care of encrypting the data and putting it into a
TLS session.

  Again, see the FreeRADIUS source code for how it handles this.  See
wpa_supplicant (another package) for a client implementation of EAP
that does exactly what you're trying to do.

  I don't understand why it's so difficult to read pre-existing code,
and to use it as examples for new code.

  Alan DeKok.



Re: EAP Fast

2005-10-13 Thread Alan DeKok
Juan Daniel Moreno [EMAIL PROTECTED] wrote:
 I would like to know if EAP FAST is accepted by freeRadius or if it's
 under development. If it is under development, when will it be
 available?

  As soon as someone sends a patch.

  Alan DeKok.


Re: Simultaneous-Use check MySQL

2005-10-13 Thread Alan DeKok
David M. [EMAIL PROTECTED] wrote:
 If I try to connect with the same user and the previous connection still 
 established, this is the sequence of queries:
 1- authorize_check_query
 2- authorize_group_check_query
 3- authorize_reply_query
 4- authorize_group_reply_query
 5- simul_count_query **returns 1**
 6- simul_verify_query 
 7- accounting stop query **performs a stop in the previously established 
 session**

  That's nice.  What does debugging mode say?

  ALWAYS run the server in debugging mode to track down these kinds of
problems.  There is NO OTHER WAY to solve the problem.

  Alan DeKok.



Re: Ippool mysql

2005-10-13 Thread Alan DeKok
Mark Novitzkas [EMAIL PROTECTED] wrote:
 I am trying to setup freeradius 1.0.0.5 using mysql and ippools.
 Basically i want to use mysql to auth the incoming request and use
 ippool to assign an address to that request. Firstly is that possible?

  Yes.

 rlm_ippool: Failed to open file /home/radius/db.ippool: Permission denied

  So... check the permissions on that directory?

  Alan DeKok.


Re: Packet of Disconnect

2005-10-13 Thread Alan DeKok
Ashwin Gobind [EMAIL PROTECTED] wrote:
 Can freeradius handle a Disconnect Request (Attribute 40).

  No.

  Alan DeKok.


client configuration via postgres in version 1.0.1

2005-10-13 Thread Joel Bjerk
Is it possible to use the nas table for client information instead of
clients.conf?  I tried uncommenting readclients=yes in sql.conf but the
server read the clients from clients.conf.

Thanks,

Joel



Patch for Statistics page

2005-10-13 Thread Matt Vollmar
I was having problems with the statistics page only displaying the from 
date and the to date, rather than all of the dates in between.  Come to 
find out, the reason is that the wrong date config variable is used in 
stats.php3.  You basically just change sql_date_format to 
sql_full_date_format.  Here is what to change:


Lines 35 and 36 should be:
   $before = date($config[sql_full_date_format], $now + 86400);
   $after = ($after != '') ? $after : date($config[sql_full_date_format], $now - 604800 );



If you don't want to change the code, change the variable 
sql_date_format to look like sql_full_date_format in the admin.conf.


Hope this helps someone.

Matt


Re: rlm_perl %RAD_REPLY issue

2005-10-13 Thread Max Lock
On Thu, 2005-10-13 at 15:14 +0300, Boyan Jordanov wrote:

 You don't need to return a variable just fill the hash and then return 
 RLM_MODULE_OK, and then rlm_perl will take the values from hash and put them 
 in radreply. 

that's what I'm trying to do.

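sub authorize {

    # Octets already used by this voucher (get_used_octets is defined elsewhere in the script)
    my $used_user_octets =
        get_used_octets($RAD_REQUEST{'Stripped-User-Name'});

    # Remaining allowance: the configured maximum minus what has been used
    my $unused_user_octets = ($RAD_CHECK{'Max-Daily-Session-Data'} -
        $used_user_octets);

    radiusd::radlog(1, "Voucher:$RAD_REQUEST{'Stripped-User-Name'} Used: " .
        "$used_user_octets Total:$RAD_CHECK{'Max-Daily-Session-Data'} Left: " .
        "$unused_user_octets");

    # Put the remaining allowance into the reply hash
    $RAD_REPLY{'ChilliSpot-Max-Total-Octets'} = $unused_user_octets;

    return RLM_MODULE_OK;

}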

 The log line shows that the variables are all correctly populated.

 -Cheers Max



Re: Packet of Disconnect

2005-10-13 Thread Jay Barnell

When will it be able to?

jay

At 10:48 AM 10/13/2005, you wrote:

Ashwin Gobind [EMAIL PROTECTED] wrote:
 Can freeradius handle a Disconnect Request (Attribute 40).

  No.

  Alan DeKok.


Re: Microsoft SQL 2000 interface

2005-10-13 Thread Duane Cox
http://www.freeradius.org/development.html#cvs

- Original Message - 
From: Cliff Hayes [EMAIL PROTECTED]
To: Duane Cox [EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 1:56 PM
Subject: RE: Microsoft SQL 2000 interface


 All,
 
 Please help with instructions on how to download the CVS ver of freeradius
 mentioned below.  I'm new to Linux.  I know how to tar, configure, and make.
 Don't know how to CVS.
 
 Cliff
 
 -Original Message-
 From: Duane Cox [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, October 12, 2005 11:12 AM
 To: Cliff Hayes
 Subject: Re: Microsoft SQL 2000 interface
 
 
 I've posted this a few times, so you can search the archives for my previous
 email, or download the CVS ver of freeradius.
 There is a file in the doc folder called mssql and in there is detailed info
 for setting up MSSQL and FR.
 I assume this file will be released into FR 1.0.6
 
 I would read both my post in the email archives and read the doc in CVS.
 
 You will have to adjust your views to pull the correct data from platypus.
 
 But it is possible to do, yes.
 
 Duane Cox
 
 
 - Original Message -
 From: Cliff Hayes [EMAIL PROTECTED]
 To: Duane Cox [EMAIL PROTECTED]; FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 Sent: Wednesday, October 12, 2005 10:19 AM
 Subject: RE: Microsoft SQL 2000 interface
 
 
  Duane,
 
  No, I don't know where to start in that department.  I'm in the inquiry
  stage now.  Just trying to find out if it can be done.  Is there a HOW-TO
  file somewhere?  I just loaded a box with a fresh copy of Fedora 4 and
  freeRadius.  I've been tasked with replacing Radiator, and freeRadius is
 the
  preferred path.  This is my first stumbling block.
 
  Cliff
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Duane
  Cox
  Sent: Wednesday, October 12, 2005 9:15 AM
  To: FreeRadius users mailing list
  Subject: Re: Microsoft SQL 2000 interface
 
 
  Yes it can be done.
 
  Do you have freeradius talking to the MSSQL db yet?
 
  Duane Cox
 
  - Original Message -
  From: Cliff Hayes [EMAIL PROTECTED]
  To: freeradius-users@lists.freeradius.org
  Sent: Wednesday, October 12, 2005 8:56 AM
  Subject: Microsoft SQL 2000 interface
 
 
   All,
  
   Sorry to have to bring up the M word, but that's what we have -
  Microsoft
   SQL 2000 interfacing with Platypus and Radiator.  I searched the FAQ and
   archives and found no reference to a Microsoft SQL interface.
  
   Can I populate my Microsoft SQL DB with freeRadius?  If so, how?
  
   Thanks,
  
   Cliff
  


Re: Packet of Disconnect

2005-10-13 Thread Alan DeKok
Jay Barnell [EMAIL PROTECTED] wrote:
 When will it be able to?

  When a patch is sent in.  As always, patches are welcome.

  radclient can *send* those packets, but the server can't receive
them.  Why?  Read the RFC's for how those packets are supposed to be
implemented.

  When a server receives a disconnect packet, it has to check to see
IF it had an Access-Request with the same contents, WOULD that request
be forwarded to the IP that the disconnect request came from.

  That's hard.  It's easier to punt on the problem.

  We could implement limited support for disconnect, where local
administrators (not remote ones) would be allowed to send disconnect
packets.  But if that's the requirement, those admins can already use
radclient to send packets directly to the NAS.

  So I'm not sure there's *any* benefit to adding disconnect support
to the server.

  Alan DeKok.
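
The check described in the message above, sketched as an added example (not FreeRADIUS code and not from the original post): a receiver parses a Disconnect-Request (packet code 40), verifies its Request Authenticator as RFC 3576 defines it, and then applies the "would an Access-Request for this user be forwarded to the sender?" test. Assumptions: the realm-to-home-server table REALM_ROUTES, the per-client SECRETS, the result strings, and the constructed sample packets.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40      # RADIUS packet code for Disconnect-Request (RFC 3576)
USER_NAME = 1                # User-Name attribute type (RFC 2865)
ZERO_AUTH = b"\x00" * 16     # placeholder authenticator used while hashing


def build_disconnect_request(ident, attrs, secret):
    """Build a constructed sample packet; attrs is a list of (type, value-bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + ZERO_AUTH + body + secret).digest()
    return header + auth + body


def parse_packet(data):
    """Return (code, ident, raw_packet, attrs); raise ValueError if malformed."""
    if len(data) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    raw, attrs, pos = data[:length], [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = raw[pos], raw[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, raw[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, raw, attrs


def authenticator_ok(raw, secret):
    """MD5(code + id + length + 16 zero octets + attributes + shared secret)."""
    expected = hashlib.md5(raw[:4] + ZERO_AUTH + raw[20:] + secret).digest()
    return hmac.compare_digest(expected, raw[4:20])


def reverse_path_ok(attrs, source_ip, realm_routes):
    """Would an Access-Request for this User-Name be proxied to source_ip?"""
    user = next((v for t, v in attrs if t == USER_NAME), None)
    if user is None or b"@" not in user:
        return False
    realm = user.rsplit(b"@", 1)[1].decode("ascii", "replace").lower()
    return realm_routes.get(realm) == source_ip


def check_disconnect(data, source_ip, secrets, realm_routes):
    """Decide what to do with a packet received from source_ip."""
    secret = secrets.get(source_ip)
    if secret is None:
        return "unknown-client"
    try:
        code, _ident, raw, attrs = parse_packet(data)
    except ValueError:
        return "malformed"
    if code != DISCONNECT_REQUEST:
        return "wrong-code"
    if not authenticator_ok(raw, secret):
        return "bad-authenticator"
    if not reverse_path_ok(attrs, source_ip, realm_routes):
        return "reverse-path-failed"
    return "accept"


# Constructed configuration and packets (documentation address ranges).
SECRETS = {"192.0.2.10": b"home-secret", "192.0.2.99": b"other-secret"}
REALM_ROUTES = {"example.org": "192.0.2.10"}
SAMPLE = build_disconnect_request(
    7, [(USER_NAME, b"alice@example.org")], b"home-secret")
SAMPLE_OTHER = build_disconnect_request(
    8, [(USER_NAME, b"alice@example.org")], b"other-secret")

if __name__ == "__main__":
    print(check_disconnect(SAMPLE, "192.0.2.10", SECRETS, REALM_ROUTES))
    print(check_disconnect(SAMPLE_OTHER, "192.0.2.99", SECRETS, REALM_ROUTES))
```

The second sample carries a valid authenticator from a known client and is still refused, because requests for that realm are not routed to the sender.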


Re: client configuration via postgres in version 1.0.1

2005-10-13 Thread Alan DeKok
Joel Bjerk [EMAIL PROTECTED] wrote:
 Is it possible to use the nas table for client information instead of
 clients.conf?  I tried uncommenting readclients=yes in sql.conf but the
 server read the clients from clients.conf.

  It should work in 1.0.5.

  Alan DeKok.


Re: Microsoft SQL 2000 interface

2005-10-13 Thread Dusty Doris

All,

Please help with instructions on how to download the CVS ver of freeradius
mentioned below.  I'm new to Linux.  I know how to tar, configure, and make.
Don't know how to CVS.



$ cvs -d :pserver:[EMAIL PROTECTED]:/source login
type in anoncvs as password

$ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd


testing freeradius ports

2005-10-13 Thread jean








Hi All,

I am running freeradius 1.0.5, it seems to start with no errors and listens on the
default ports 1812 1813, should I be able to telnet to these ports to check if
it accepts connections on them?









RE: Microsoft SQL 2000 interface

2005-10-13 Thread Cliff Hayes
Thanks.  Went to http://www.freeradius.org/development.html#cvs.  Made
assumption I need to download CVS.  Went there and downloaded it.  Came back
and executed the command listed on
http://www.freeradius.org/development.html#cvs:

cvs -d :pserver:[EMAIL PROTECTED]:/source login

I entered the password anoncvs and was taken back to the system prompt.

Cliff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Duane
Cox
Sent: Thursday, October 13, 2005 2:05 PM
To: FreeRadius users mailing list
Subject: Re: Microsoft SQL 2000 interface


http://www.freeradius.org/development.html#cvs

- Original Message -
From: Cliff Hayes [EMAIL PROTECTED]
To: Duane Cox [EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 1:56 PM
Subject: RE: Microsoft SQL 2000 interface


 All,

 Please help with instructions on how to download the CVS ver of
freeradius
 mentioned below.  I'm new to Linux.  I know how to tar, configure, and
make.
 Don't know how to CVS.

 Cliff

 -Original Message-
 From: Duane Cox [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, October 12, 2005 11:12 AM
 To: Cliff Hayes
 Subject: Re: Microsoft SQL 2000 interface


 I've posted this a few times, so you can search the archives for my
previous
 email, or download the CVS ver of freeradius.
 There is a file in the doc folder called mssql and in there is detailed
info
 for setting up MSSQL and FR.
 I assume this file will be released into FR 1.0.6

 I would read both my post in the email archives and read the doc in CVS.

 You will have to adjust your views to pull the correct data from platypus.

 But it is possible to do, yes.

 Duane Cox


 - Original Message -
 From: Cliff Hayes [EMAIL PROTECTED]
 To: Duane Cox [EMAIL PROTECTED]; FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 Sent: Wednesday, October 12, 2005 10:19 AM
 Subject: RE: Microsoft SQL 2000 interface


  Duane,
 
  No, I don't know where to start in that department.  I'm in the inquiry
  stage now.  Just trying to find out if it can be done.  Is there a
HOW-TO
  file somewhere?  I just loaded a box with a fresh copy of Fedora 4 and
  freeRadius.  I've been tasked with replacing Radiator, and freeRadius is
 the
  preferred path.  This is my first stumbling block.
 
  Cliff
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Duane
  Cox
  Sent: Wednesday, October 12, 2005 9:15 AM
  To: FreeRadius users mailing list
  Subject: Re: Microsoft SQL 2000 interface
 
 
  Yes it can be done.
 
  Do you have freeradius talking to the MSSQL db yet?
 
  Duane Cox
 
  - Original Message -
  From: Cliff Hayes [EMAIL PROTECTED]
  To: freeradius-users@lists.freeradius.org
  Sent: Wednesday, October 12, 2005 8:56 AM
  Subject: Microsoft SQL 2000 interface
 
 
   All,
  
   Sorry to have to bring up the M word, but that's what we have -
  Microsoft
   SQL 2000 interfacing with Platypus and Radiator.  I searched the FAQ
and
   archives and found no reference to a Microsoft SQL interface.
  
   Can I populate my Microsoft SQL DB with freeRadius?  If so, how?
  
   Thanks,
  
   Cliff
  


Re: testing freeradius ports

2005-10-13 Thread Dusty Doris

On Thu, 13 Oct 2005, jean wrote:


Hi All,

I am running freeradius 1.0.5, it seems to start with no errors and
listens on the default ports 1812 1813, should I be able to telnet to
these ports to check if it accepts connections on them?



No, telnet uses tcp.




RE: Microsoft SQL 2000 interface

2005-10-13 Thread Dusty Doris



Thanks.  Went to http://www.freeradius.org/development.html#cvs.  Made
assumption I need to download CVS.  Went there and downloaded it.  Came back
and executed the command listed on
http://www.freeradius.org/development.html#cvs:

cvs -d :pserver:[EMAIL PROTECTED]:/source login

I entered the password anoncvs and was taken back to the system prompt.



Half way there, now enter the second command listed on that page.




Re: Microsoft SQL 2000 interface

2005-10-13 Thread Alan DeKok
Cliff Hayes [EMAIL PROTECTED] wrote:
 and executed the command listed on
 http://www.freeradius.org/development.html#cvs:
 
 cvs -d :pserver:[EMAIL PROTECTED]:/source login
 
 I entered the password anoncvs and was taken back to the system prompt.

  Try typing in the *next* command on the web page.

  Alan DeKok.


FreeRadius/PEAP

2005-10-13 Thread James Taylor








Hi,

I am trying to secure my wireless connections using PEAP-TLS
MSChapv2 to authenticate users against my Linux /etc/shadow; /etc/password/;
and /etc/group files. I would like to use PAM but UNIX will work
too. I do not want to use the USERS file as it stores passwords in clear
text and that is what we are trying to avoid.

All my tests conclude that this functionality will not
work. I am able to Auth just fine using the USERS file with a username
and password.

Any info or direction would be greatly appreciated.

Thank you

James







Re: FreeRadius/PEAP

2005-10-13 Thread Josh Howlett

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do 
what you're trying. It works with users file because you specify the 
plaintext.


josh.

James Taylor wrote:

Hi,

 

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to 
authenticate users against my Linux /etc/shadow; /etc/password/; and 
/etc/group files.  I would like to use PAM but UNIX will work too.  I do 
not want to use the USERS file as it stores passwords in clear text and 
that is what we are trying to avoid. 

 

All my tests conclude that this functionality will not work.  I am able 
to Auth just fine using the USERS file with a username and password.


 


Any info or direction would be greatly appreciated.

 


Thank you

 


James






RE: FreeRadius/PEAP

2005-10-13 Thread James Taylor
Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?  Do I do
this in the EAP.CONF file?  What we are basically trying to do is use
FreeRadius to authenticate against our current user database on our linux
server while still maintaining the PEAP-TLS security with wireless.  Is that
even possible?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Josh
Howlett
Sent: Thursday, October 13, 2005 2:25 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/PEAP

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do 
what you're trying. It works with users file because you specify the 
plaintext.

josh.

James Taylor wrote:
 Hi,
 
  
 
 I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to 
 authenticate users against my Linux /etc/shadow; /etc/password/; and 
 /etc/group files.  I would like to use PAM but UNIX will work too.  I do 
 not want to use the USERS file as it stores passwords in clear text and 
 that is what we are trying to avoid. 
 
  
 
 All my tests conclude that this functionality will not work.  I am able 
 to Auth just fine using the USERS file with a username and password.
 
  
 
 Any info or direction would be greatly appreciated.
 
  
 
 Thank you
 
  
 
 James
 
 
 
 


Re: FreeRadius/PEAP

2005-10-13 Thread Yuri Francalacci
I have everything working with the users file.
Josh, do you think if I have sambaNTpassword attribute in my ldap (I use ldap for authenticating users) with the ntlm credential it could work?
Yuri
On 10/13/05, Josh Howlett [EMAIL PROTECTED] wrote:
 James,

 MSChapv2 needs plaintext or NTLM credentials. You won't be able to do
 what you're trying. It works with users file because you specify the
 plaintext.

 josh.

 James Taylor wrote:
  Hi,

  I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to
  authenticate users against my Linux /etc/shadow; /etc/password/; and
  /etc/group files.  I would like to use PAM but UNIX will work too.  I do
  not want to use the USERS file as it stores passwords in clear text and
  that is what we are trying to avoid.

  All my tests conclude that this functionality will not work.  I am able
  to Auth just fine using the USERS file with a username and password.

  Any info or direction would be greatly appreciated.

  Thank you

  James

-- 
Yuri Francalacci
[EMAIL PROTECTED]

Re: FreeRadius/PEAP

2005-10-13 Thread Josh Howlett

No - your user database needs to store passwords in plaintext or NTLM.

You basically have two options: use a TTLS supplicant instead (such as 
wpa_supplicant or SecureW2), or change your user database.


best regards, josh.

James Taylor wrote:

Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?  Do I do
this in the EAP.CONF file?  What we are basically trying to do is use
FreeRadius to authenticate against our current user database on our linux
server while still maintaining the PEAP-TLS security with wireless.  Is that
even possible?  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Josh
Howlett
Sent: Thursday, October 13, 2005 2:25 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/PEAP

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do 
what you're trying. It works with users file because you specify the 
plaintext.


josh.

James Taylor wrote:


Hi,



I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to 
authenticate users against my Linux /etc/shadow; /etc/password/; and 
/etc/group files.  I would like to use PAM but UNIX will work too.  I do 
not want to use the USERS file as it stores passwords in clear text and 
that is what we are trying to avoid. 




All my tests conclude that this functionality will not work.  I am able 
to Auth just fine using the USERS file with a username and password.




Any info or direction would be greatly appreciated.



Thank you



James






Re: FreeRadius/PEAP

2005-10-13 Thread Michael Griego
/etc/shadow files and PEAP/MSCHAPv2 are mutually exclusive.  You can 
store the NT hashed passwords in the users file if you'd like, but, 
other than that, you'll have to use plaintext passwords.  It's just the 
nature of the beast.


--Mike

James Taylor wrote:


Hi,

 

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 
to authenticate users against my Linux /etc/shadow; /etc/password/; 
and /etc/group files.  I would like to use PAM but UNIX will work 
too.  I do not want to use the USERS file as it stores passwords in 
clear text and that is what we are trying to avoid. 

 

All my tests conclude that this functionality will not work.  I am 
able to Auth just fine using the USERS file with a username and password.


 


Any info or direction would be greatly appreciated.

 


Thank you

 


James



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius/PEAP

2005-10-13 Thread Alan DeKok
James Taylor [EMAIL PROTECTED] wrote:
> Am I able to use PEAP to auth to UNIX or PAM instead of MSCHAPv2?

  Your question doesn't make sense.  PAM and Unix /etc/passwd are both
systems that store known good passwords.  MSCHAPv2 is an
authentication protocol where a user tries to authenticate based on an
unknown password.

> What we are basically trying to do is use FreeRadius to authenticate
> against our current user database on our linux server while still
> maintaining the PEAP-TLS security with wireless.  Is that even
> possible?

  No, the crypt'd passwords stored in /etc/passwd are 100% incompatible
with PEAP.  You can:

  a) store clear-text passwords
  b) use EAP-TTLS with tunneled PAP.

  You don't really have many other choices.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Microsoft SQL 2000 interface

2005-10-13 Thread Cliff Hayes
Ok.  Now I got it.  Thanks for your patience.

I wrote the following instructions if the webmaster would like to include it
near the CVS lines we've been talking about.  I think it would help people
who have not used CVS before :)

For those of you new to CVS, it is the preferred method of obtaining our
software.  Here's what to do:

1.  visit http://www.nongnu.org/cvs/#downloading and download, unzip, and
    install the software (standard ./configure, make, make install)
2.  make sure you are in the directory where you want our software to go
3.  execute the command:  cvs -d :pserver:[EMAIL PROTECTED]:/source login
4.  you will be prompted for a password, enter:  anoncvs
5.  nothing will happen, and you will be returned to the system prompt
6.  execute the command:  cvs -d :pserver:[EMAIL PROTECTED]:/source checkout module
    (where module is the name of one of the modules listed below)
7.  the above will result in the specified software directory being
    downloaded to your current directory

Cliff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alan
DeKok
Sent: Thursday, October 13, 2005 3:47 PM
To: FreeRadius users mailing list
Subject: Re: Microsoft SQL 2000 interface


Cliff Hayes [EMAIL PROTECTED] wrote:
 and executed the command listed on
 http://www.freeradius.org/development.html#cvs:

 cvs -d :pserver:[EMAIL PROTECTED]:/source login

 I entered the password anoncvs and was taken back to the system prompt.

  Try typing in the *next* command on the web page.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius/PEAP

2005-10-13 Thread Phil Mayers

James Taylor wrote:

> Am I able to use PEAP to auth to UNIX or PAM instead of MSCHAPv2?  Do I do
> this in the EAP.CONF file?  What we are basically trying to do is use
> FreeRadius to authenticate against our current user database on our linux
> server while still maintaining the PEAP-TLS security with wireless.  Is that
> even possible?

PEAP can have several inner types. One of these is GTC (generic token
card) which sends a prompt and asks for a response. I believe the prompt
can be password and the response the actual password.

How well Windows' GTC support works I couldn't tell you, though I know
it's there.

See the gtc section in eap.conf

PAM would not help; as Josh says, MSCHAPv2 needs the NT/LM hashes, which 
means either having the hashes, or the plaintext password to generate 
them from, not a crypt. In any event, PAM seems to work very badly 
because of threading issues.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Using PAM to authenticate Radius auth requests with PEAP

2005-10-13 Thread Joseph Silverman
A co-worker of mine here has been asking questions of the list today
but I have some of my own.

Namely, I don't know much about how Radius does its magic, but
unless I am completely off the bat here, it appears to me that some
sort of channel is created between the Radius client and the server
over which requests are sent.  These requests include a user and a
password and other information.  The radius server will then compare
the user and password to the ones in its configured database and
either authenticate or not.

Unix passwords are encrypted through a one-way function and stored in
a password file.  These passwords can no longer be reversed back to
their clear text format but it is possible to take a clear text
user and password (from the radius client) and convert it to this
format and compare the two thus matching, or not.

I can imagine that PEAP, specifically, does the password encryption
on the client and passes that on, using a similar but obviously not
the same, one way encryption algorithm, thus requiring the radius
server to have access to a clear text password which it would encrypt
with the same key and algorithm in order to match to the one from
the client.

If this is the case, then I can readily see how it can never (never
being a long time) be possible to use these sorts of passwords along
with UNIX encrypted passwords.  This is a darn shame, but if it is
indeed the case, so be it.

I am asking the list if this is the case or if the reason
authentication isn't possible is a simple programming effort that
hasn't been done.

Also, given our setup:

Client: Cisco Wireless AP (1200)
Server: Linux running Freeradius

What is the optimal means to provide maximum security and still be
able to authenticate against the unix shadow password file?

Thank you for your time - Yossie
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Using PAM to authenticate Radius auth requests with PEAP

2005-10-13 Thread Alan DeKok
Joseph Silverman [EMAIL PROTECTED] wrote:
> I can imagine that PEAP, specifically, does the password encryption
> on the client and passes that on, using a similar but obviously not
> the same, one way encryption algorithm, thus requiring the radius
> server to have access to a clear text password which it would encrypt
> with the same key and algorithm in order to match to the one from
> the client.

  Yes.

> If this is the case, then I can readily see how it can never (never
> being a long time) be possible to use these sorts of passwords along
> with UNIX encrypted passwords.  This is a darn shame, but if it is
> indeed the case, so be it.

  Yes.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


IP address assignment

2005-10-13 Thread Infusino, Michael - ADP Dataphile
I am using radius to authenticate access from VPN.

Would anyone know how to record the IP address the user is
assigned after they log in.

Michael

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: IP address assignment

2005-10-13 Thread Joe Maimon
Infusino, Michael - ADP Dataphile wrote:

> I am using radius to authenticate access from VPN.
>
> Would anyone know how to record the IP address the user is assigned after
> they log in.
>
> Michael

How does a little dynamic dns strike you? Make sure to actually read
below and attached scripts and set up a DNS key.

--radiusd.conf-
modules section
   exec ddns_update {
      wait = no
      program = /usr/local/sbin/radius-dns-update.sh
      input_pairs = request
      packet_type = Accounting-Request
      shell_escape = yes
   }
end modules
instantiate section---
 ddns_update
---end section

#!/bin/bash
# /usr/local/sbin/radius-dns-update.s2.sh (stage 2, called by radius-dns-update.sh)

#must setup this key!!
#man nsupdate
NSUPDATE="nsupdate -k /etc/freeradius/keys/Kradius-dns-updates.+157+08981.private"

function usage()
{
    echo "Usage: `basename $0` -u User-Name -t Hint -s Acct-Status-Type -i Framed-IP-Address"
    exit 1
}

while getopts "u:t:s:i:" opt; do
    case $opt in
        u) USER_NAME=$OPTARG;;
        t) HINT=$OPTARG;;
        s) ACCT_STATUS_TYPE=$OPTARG;;
        i) FRAMED_IP_ADDRESS=$OPTARG;;
        *) usage;;
    esac;
done

# strip the double quotes that surround the attribute values
HINT=`echo "${HINT}" | tr -d '"'`
USER_NAME=`echo "${USER_NAME}" | tr -d '"'`
ACCT_STATUS_TYPE=`echo "${ACCT_STATUS_TYPE}" | tr -d '"'`
FRAMED_IP_ADDRESS=`echo "${FRAMED_IP_ADDRESS}" | tr -d '"'`

# all four values are required
if [[ "${USER_NAME}" == "" ]] ||
   [[ "${HINT}" == "" ]] ||
   [[ "${ACCT_STATUS_TYPE}" == "" ]] ||
   [[ "${FRAMED_IP_ADDRESS}" == "" ]]; then exit 1; fi

#make sure you update below list to something that fits your setup!
case "${HINT}" in
    XXX) DOMAINNAME=xxx.you.net;;
    YYY) DOMAINNAME=yyy.you.net;;
    *) exit 1;;
esac;

# (the right-hand side of the next line was masked by the list archive)
USER_NAME=[EMAIL PROTECTED]
DNS_A_REC="${USER_NAME}.${DOMAINNAME}"

# nsupdate command fragments; \n is expanded by echo -e below
DELETE_DNS_A_REC="prereq yxdomain ${DOMAINNAME}\nupdate delete ${DNS_A_REC} A"
ADD_DNS_A_REC="update add ${DNS_A_REC} 300 in A ${FRAMED_IP_ADDRESS}"
TOUCH_DNS_A_REC="prereq nxdomain ${DNS_A_REC}\n"

case "${ACCT_STATUS_TYPE}" in
    Start)
        echo -e "${DELETE_DNS_A_REC}\n${ADD_DNS_A_REC}\nsend" | $NSUPDATE
        ;;
    Stop)
        #comment below to leave logged out users in DNS
        echo -e "${DELETE_DNS_A_REC}\nsend" | $NSUPDATE
        ;;
    Alive)
        #uncomment below to flood active users in during turnup
        #   echo -e "${TOUCH_DNS_A_REC}\n${ADD_DNS_A_REC}\nsend" | $NSUPDATE
        exit 0;;
    *)
        exit 1;;
esac;

#!/bin/bash
# /usr/local/sbin/radius-dns-update.sh (stage 1, run by the exec module;
# the attributes arrive as environment variables)

STAGE2=/usr/local/sbin/radius-dns-update.s2.sh

if [[ "${USER_NAME}" == "" ]] ||
   [[ "${HINT}" == "" ]] ||
   [[ "${ACCT_STATUS_TYPE}" == "" ]] ||
   [[ "${FRAMED_IP_ADDRESS}" == "" ]]; then exit 0; fi

if [[ -x $STAGE2 ]]; then
    $STAGE2 -u"${USER_NAME}" -t"${HINT}" -s"${ACCT_STATUS_TYPE}" -i"${FRAMED_IP_ADDRESS}" 2>&1 >/dev/null
fi

exit 0
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
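
The scripts in the message above paste User-Name and Framed-IP-Address from the accounting request into the text piped to nsupdate, so a value containing a dot, whitespace or a newline would change which record is updated or add lines to the update. The following is an added example, not part of the original post: POSIX sh functions that accept only a single DNS label and a dotted-quad address before building the same nsupdate commands. It reuses the post's XXX/YYY placeholders and command text; the function names and the sample values are assumptions, and it expects attribute values with the surrounding quotes already stripped.

```shell
#!/bin/sh
# Added example: validate accounting attributes before building nsupdate input.
LC_ALL=C; export LC_ALL          # keep the [A-Za-z] ranges ASCII-only

# One DNS label: 1-63 chars of [A-Za-z0-9-], no leading or trailing hyphen.
# Rejects dots, whitespace and newlines, so the value stays one name on one line.
valid_label() {
    case "$1" in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Dotted-quad IPv4: exactly four decimal octets, each 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        count=$((count + 1))
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$count" -eq 4 ]
}

# Hint-to-zone table; XXX/YYY and the zones are the post's placeholders.
domain_for_hint() {
    case "$1" in
        XXX) echo xxx.you.net ;;
        YYY) echo yyy.you.net ;;
        *)   return 1 ;;
    esac
}

# Print the nsupdate commands for a Start or Stop event. Returns 1 and prints
# nothing for any other status or if the hint, user name or address is invalid.
build_update() {
    status=$1 hint=$2 label=$3 ip=$4
    domain=$(domain_for_hint "$hint") || return 1
    valid_label "$label" || return 1
    fqdn=$label.$domain
    case "$status" in
        Start)
            valid_ipv4 "$ip" || return 1
            printf 'prereq yxdomain %s\nupdate delete %s A\n' "$domain" "$fqdn"
            printf 'update add %s 300 in A %s\nsend\n' "$fqdn" "$ip" ;;
        Stop)
            printf 'prereq yxdomain %s\nupdate delete %s A\nsend\n' "$domain" "$fqdn" ;;
        *)  return 1 ;;
    esac
}

# Constructed sample event (values are not from the original post).
build_update Start XXX bob 10.1.2.3
```

The output of `build_update` can be piped to nsupdate in place of the `echo -e` lines; a non-zero return means the event should be dropped and logged rather than sent.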

RE: IP address assignment

2005-10-13 Thread Infusino, Michael - ADP Dataphile
Very nice. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 13, 2005 11:41 PM
To: FreeRadius users mailing list
Subject: Re: IP address assignment



Infusino, Michael - ADP Dataphile wrote:

> I am using radius to authenticate access from VPN.
>
> Would anyone know how to record the IP address the user is assigned after
> they log in.
>
> Michael

How does a little dynamic dns strike you? Make sure to actually read
below and attached scripts and set up a DNS key.

--radiusd.conf-
modules section
exec ddns_update {
 wait = no
 program = /usr/local/sbin/radius-dns-update.sh
 input_pairs = request
 packet_type = Accounting-Request
 shell_escape = yes

 }
end modules
instantiate section---
 ddns_update
---end section



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Logging question

2005-10-13 Thread Curt LeCaptain
Currently I'm using the mysql logging functions of FreeRADIUS and I'm
logging two different things:

Dial-up customers that log in with just their username (username)
DSL Customers that log in with user at domain ([EMAIL PROTECTED])

I'm wondering, how would I get it so that both log the same way, that
is, just username, not the suffix @itol.com.  Any advice would be great!

Thanks,
Curt LeCaptain
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Logging question

2005-10-13 Thread Joe Maimon



Curt LeCaptain wrote:

> Currently I'm using the mysql logging functions of FreeRADIUS and I'm
> logging two different things:
>
> Dial-up customers that log in with just their username (username)
> DSL Customers that log in with user at domain ([EMAIL PROTECTED])
>
> I'm wondering, how would I get it so that both log the same way, that
> is, just username, not the suffix @itol.com.  Any advice would be great!
>
> Thanks,
> Curt LeCaptain

sql.conf lets you log the stripped username


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP address assignment

2005-10-13 Thread Philip Schilling


On Oct 13, 2005, at 10:44 PM, Infusino, Michael - ADP Dataphile wrote:


Very nice.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 11:41 PM
To: FreeRadius users mailing list
Subject: Re: IP address assignment



Infusino, Michael - ADP Dataphile wrote:

I am using radius to authenticate access from VPN.

Would anyone know how to record the IP address the user is assigned
after they log in.

Michael

How does a little dynamic dns strike you? Make sure to actually read
below and attached scripts and set up a DNS key.

--radiusd.conf-
modules section
exec ddns_update {
 wait = no
 program = /usr/local/sbin/radius-dns-update.sh
 input_pairs = request
 packet_type = Accounting-Request
 shell_escape = yes

 }
end modules
instantiate section---
 ddns_update
---end section




<snip>

<rant>Does everyone top post now?  How do you read a thread?</rant>

Phil

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multiple instances

2005-10-13 Thread Dusty Doris

> Hello there.
>
> This is probably a stupid question, but how do I run multiple
> instances of radiusd on the same machine, listening on different
> ports?  I have two configuration directories:
>
> /usr/local/etc/raddb
> /usr/local/etc/raddb2
>
> which specify ports 1812 and 1813 respectively, so I thought I'd be
> able to issue the following commands:

1812 is for authentication and 1813 for accounting.  So, if you used the
port configuration in radiusd.conf and set raddb to 1812, it will
automatically use 1813 for accounting.

> radiusd -d /usr/local/etc/raddb
> radiusd -d /usr/local/etc/raddb2

That is the correct way to do that part.

> This doesn't seem to work however, as the second command seems to have
> no effect, ie. I see the first radiusd process running but never the
> second.  Can anyone help please?

Probably because you are trying to set port = 1813 on raddb2, which would
make it listen to 1813 and 1814 - but 1813 is already taken on raddb.

Easiest way to do it is to set raddb with

port = 1812

and raddb2 with

port = 1645

(1645 and 1646 are the old traditional radius ports.  Those are pretty
safe to use since a lot of people still run radius on those ports - you'll
probably still see it commented out in /etc/services)

-Dusty Doris
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP address assignment

2005-10-13 Thread Dusty Doris



> Infusino, Michael - ADP Dataphile wrote:
>
>> I am using radius to authenticate access from VPN.
>>
>> Would anyone know how to record the IP address the user is assigned after
>> they log in.
>>
>> Michael
>
> How does a little dynamic dns strike you? Make sure to actually read below and
> attached scripts and set up a DNS key.
>
> --radiusd.conf-
> modules section
>   exec ddns_update {
>    wait = no
>    program = /usr/local/sbin/radius-dns-update.sh
>    input_pairs = request
>    packet_type = Accounting-Request
>    shell_escape = yes
>
>    }
> end modules
> instantiate section---
>  ddns_update
> ---end section

Interesting idea.  I like it.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Logging question

2005-10-13 Thread Dusty Doris



> Currently I'm using the mysql logging functions of FreeRADIUS and I'm
> logging two different things:
>
> Dial-up customers that log in with just their username (username)
> DSL Customers that log in with user at domain ([EMAIL PROTECTED])
>
> I'm wondering, how would I get it so that both log the same way, that
> is, just username, not the suffix @itol.com.  Any advice would be great!

Are these the same users?  For example bob is the same as [EMAIL PROTECTED]
Is that the only domain you serve?  If so, use the hints file to
automatically change the username for you.  This was recommended by Alan a
few days ago for a similar question on the list.

in hints

DEFAULT User-Name !~ .*@
User-Name := [EMAIL PROTECTED]

That will rewrite bob to [EMAIL PROTECTED], if it doesn't contain an @.  Then
they could do either.

However, if you plan on supporting more domains in the future, then I'd
start getting them used to @domain now because it will be even more of a
struggle if you need to make them start using it later.  Plus with an
@domain on the username you leave yourself open to more options with
realms, proxying, etc..

I am close to finally converting everyone to use realms as our services
and domains using radius have grown quite a bit.  Having realms makes it a
lot easier for us, especially that we now have a dozen ISPs running over
our lines.  It's been a struggle, especially getting marketing/customer
service to let me do it.

However, if you don't need realms and probably never will, that config
entry will do exactly what you need.


-Dusty Doris
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html