Re: Multiple accounting hosts for one realm?
On Wed, 2005-12-21 at 22:07 +0100, Nicolas Baradakis wrote:
> Johan Ramm-Ericson wrote:
> > While configuring freeradius 1.0.5 on Solaris 9 I began to look at setting up different accounting hosts for users depending on which realm users originated from. That worked fine. However; I have now come across a situation where it might be valuable to send the same accounting information to multiple accounting hosts. I am hoping to do this by changing the accthost variable in etc/raddb/proxy.conf. Does anyone on the list know if (a) this is possible, and if it is possible (b) how to do it - i.e. can I add further hosts in a list to the existing variable or do I need to use some other method?
>
> You might look at radrelay, it comes with FreeRADIUS.
> http://freeradius.org/radiusd/doc/radrelay
>
> --
> Nicolas Baradakis

Ooopps, sorry about that. I thought I'd gone through the documentation, but obviously my search was not thorough enough... Thanks!

/Johan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius Configure Help me
Hello, I am install Slackware 10.2 on freeradius server.

[EMAIL PROTECTED]:/etc/raddb# radiusd
Thu Dec 22 12:07:48 2005 : Info: Starting - reading configuration files ...
[EMAIL PROTECTED]:/etc/raddb#

What is this mistake ? From where can I find Radius Install (Configuration) Guide ?

Thank you...

--
Kai Ozgur Geek
PGP ID: B1B63B6E
Slackware Network Engineer
Re: Problem writing config attributes from script
I got it working. I was actually trying to write a value not compatible with the post-auth type, defined in the dictionary. That's why the output of my script was not taken into account by freeradius.

To pass parameters from my authentication script to my post-authentication script, I've defined my own new Prepaid attribute (in /etc/raddb/dictionary):

ATTRIBUTE Prepaid 3000 string

The correct format for scripts outputting several attributes is to use a , to separate the pairs. Scripts should output something like:

Prepaid = my parameters here , Password = test

On 12/22/05, Yannick Deltroo [EMAIL PROTECTED] wrote:
> Does not work any better with , or ; or between the pairs. After the script is executed, the config environment variables do not contain the output of the script:
>
> AUTH_TYPE=CHAP
> PWD=/root
> SHLVL=1
> _=/usr/bin/printenv
>
> If I only write a Password=XXX from the script, the output is taken into account. See the env variable then:
>
> PASSWORD=test
> AUTH_TYPE=CHAP
> PWD=/root
> SHLVL=1
> _=/usr/bin/printenv
>
> My tests show that the only pair accepted from the script is Password = X. Any other single attribute is just ignored. Could it be a problem with attribute dictionaries ?
>
> On 12/21/05, Alan DeKok [EMAIL PROTECTED] wrote:
> > Yannick Deltroo [EMAIL PROTECTED] wrote:
> > > of just Password =, i.e. something like
> > >
> > > Post-Auth-Type = THIRD_SCRIPT Password = X
> > >
> > > I cannot authenticate. Chap authentication fails (see debug log below)
> >
> > Put a , in between the two items, just like you do in the users file.
> >
> > Alan DeKok.
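The comma Alan mentions is the whole story only while the values themselves contain no commas. The Python below is an added example for this thread (not code from FreeRADIUS, whose own pair parser accepts more operators and escape forms than modelled here): it formats the "Attr = value, Attr = value" list a script hands back to the server, and parses it again, so you can see that a Prepaid value such as "balance=10,units=min" must be double-quoted or the split lands inside the value. The Prepaid attribute is the poster's own dictionary entry; the sample values are constructed.

```python
"""Format and parse the "Attr = value, Attr = value" list that an exec'd
script hands back to the server.

Added example for the thread above; not code from FreeRADIUS itself, whose
own parser accepts more operators and escapes than modelled here. The
Prepaid attribute is the poster's own dictionary entry (3000, string);
the sample values are constructed.
"""
import re

# One pair: attribute, operator, then either a double-quoted value (with
# backslash escapes) or a bare value running up to the next comma.
_PAIR = re.compile(
    r'\s*([A-Za-z0-9_.-]+)\s*(:=|==|!=|\+=|=)\s*'
    r'("(?:[^"\\]|\\.)*"|[^,]*?)\s*(?:,|$)'
)


def format_pairs(pairs):
    """Emit [(attr, op, value)] in the form the server reads back.

    Values are always double-quoted with backslash and quote escaped, so
    a value containing a comma or leading/trailing spaces survives.
    """
    items = []
    for attr, op, value in pairs:
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        items.append(f'{attr} {op} "{escaped}"')
    return ", ".join(items)


def parse_pairs(line):
    """Split one output line into [(attr, op, value)], honouring quotes.

    Raises ValueError on input that has no usable pair at the current
    position, e.g. a missing operator or an unterminated quote.
    """
    pairs = []
    pos = 0
    while line[pos:].strip():
        m = _PAIR.match(line, pos)
        if not m:
            raise ValueError(f"cannot parse pair at offset {pos}: {line[pos:]!r}")
        attr, op, raw = m.groups()
        if raw.startswith('"'):
            if len(raw) < 2 or not raw.endswith('"'):
                raise ValueError(f"unterminated quote in value for {attr}")
            value = re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \" and \\
        else:
            value = raw.strip()
        pairs.append((attr, op, value))
        pos = m.end()
    return pairs


if __name__ == "__main__":
    safe = format_pairs([("Prepaid", "=", "balance=10,units=min"),
                         ("Password", "=", "test")])
    print(safe)
    print(parse_pairs(safe))
    # Unquoted, the same value splits into three pairs, the middle one bogus.
    print(parse_pairs("Prepaid = balance=10,units=min, Password = test"))
```

The unquoted form in the thread ("Prepaid = my parameters here , Password = test") parses fine because the value has no comma; the quoted form from format_pairs is what a script should emit once the value is anything more than a plain word.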
Problems proxying eap requests
Hi all,

I have the following setup:

WiFi AP(10.0.0.10)---(10.0.0.1)RADIUS 1--RADIUS 2 (public ip address)

I want to proxy requests from RADIUS1 to RADIUS2 in a WPA environment. I've setup all the stuff and I can see that requests are proxied. If I try to authenticate with an invalid username, I can see how RADIUS1 proxies the request, RADIUS2 denies with Login incorrect, so everything seems to work as expected.

The problem is when I try to authenticate a valid user. I can see the request being proxied and an Access-Challenge packet being received, but the process stalls. Any help?

rad_recv: Access-Request packet from host 10.0.0.10:2057, id=0, length=125
        User-Name = [EMAIL PROTECTED]
        NAS-IP-Address = 10.0.0.10
        Called-Station-Id = 0014bf3c3c9f
        Calling-Station-Id = 000e354b8190
        NAS-Identifier = 0014bf3c3c9f
        NAS-Port = 26
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0208000b017261756c4038
        Message-Authenticator = 0x5010ed19e8f495cd797e557f31e46c5d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
  modcall[authorize]: module preprocess returns ok for request 13
    rlm_realm: Looking up realm 8 for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm 8
    rlm_realm: Proxying request from user raul to realm 8
    rlm_realm: Adding Realm = 8
    rlm_realm: Preparing to proxy authentication request to realm 8
  modcall[authorize]: module suffix returns updated for request 13
  modcall[authorize]: module chap returns noop for request 13
  modcall[authorize]: module mschap returns noop for request 13
modcall: group authorize returns updated for request 13
Sending Access-Request of id 13 to xxx.yyy.zzz.www:1812
        User-Name = [EMAIL PROTECTED]
        NAS-IP-Address = 10.0.0.10
        Called-Station-Id = 0014bf3c3c9f
        Calling-Station-Id = 000e354b8190
        NAS-Identifier = 0014bf3c3c9f
        NAS-Port = 26
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0208000b017261756c4038
        Message-Authenticator = 0x
        Proxy-State = 0x30
--- Walking the entire request list ---
Waking up in 7 seconds...
rad_recv: Access-Challenge packet from host xxx.yyy.zzz.www:1812, id=13, length=102
        Acct-Interim-Interval = 120
        WISPr-Redirection-URL = http://www.google.com
        EAP-Message = 0x010900061920
        Message-Authenticator = 0xf7471c7d0b32705947085a4651d5a38e
        State = 0x536aab58a9bc0788890bfc27547e1f64
        Proxy-State = 0x30
Sending Access-Challenge of id 0 to 10.0.0.10:2057
        Acct-Interim-Interval = 120
        WISPr-Redirection-URL = http://www.google.com
        EAP-Message = 0x010900061920
        Message-Authenticator = 0x
        State = 0x536aab58a9bc0788890bfc27547e1f64
Finished request 13
Going to the next request
Waking up in 7 seconds...

Thanks in advance!
Re: Freeradius Configure Help me
I cannot see any mistake in your post :?

> Hello, i am install Slackware 10.2 on freeradius server.
>
> [EMAIL PROTECTED]:/etc/raddb# radiusd
> Thu Dec 22 12:07:48 2005 : Info: Starting - reading configuration files ...
> [EMAIL PROTECTED]:/etc/raddb#
>
> what is this mistake ? From where can i find Radius Install (Configuration) Guide ?
>
> Thank you...
huntgroups
Hello !

Short question:
Please point me how to make startup changes in huntgroup to configure FR to use two different sql-modules for auth&acct, based on some criteria?... Examples are most welcome.

Explanation:
We have contract subscribers and want to use the same RADIUS-server for auth&acct of prepaid cards. Contract users enter their login+realm and password, but cards users enter card number and PIN-code. That is the difference, that make difference. We need use another SQL module instance for card users... How to configure huntgroups for this situation?

Conditions can be:
(1) if no '@' char in the User-Name attribute, then use 'sql-cards' instance for auth&acct. Otherwise, use 'sql-contracts'.
(2) if User-Name attribute have (determ. via regex) exact 14 digits, then use 'sql-cards' instance for auth&acct. Otherwise, use 'sql-contracts'.

P.S. Searching in list archives doesn't help me.

Thanks a lot for any information...

--
Ruslan A Dautkhanov
Re: Freeradius Configure Help me
On 12/22/05, Kai Geek [EMAIL PROTECTED] wrote:
> Hello, i am install Slackware 10.2 on freeradius server.

In this order?

> [EMAIL PROTECTED]:/etc/raddb# radiusd
> Thu Dec 22 12:07:48 2005 : Info: Starting - reading configuration files ...
> [EMAIL PROTECTED]:/etc/raddb#

You successfully launched the radiusd daemon. Try radiusd -X to keep output to your terminal.

Bye,
Philippe
Re: Freeradius Configure Help me
Hello,

Errors reading dictionary: dict_init: /usr/share/freeradius/dictionary[14]: Couldn't open dictionary /usr/share/freeradius/dictionary: Too many open files
Errors reading radiusd.conf

----- Original Message -----
From: Philippe Sultan [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Freeradius Configure Help me
Date: Thu, 22 Dec 2005 11:58:45 +0100

> On 12/22/05, Kai Geek [EMAIL PROTECTED] wrote:
> > Hello, i am install Slackware 10.2 on freeradius server.
>
> In this order?
>
> > [EMAIL PROTECTED]:/etc/raddb# radiusd
> > Thu Dec 22 12:07:48 2005 : Info: Starting - reading configuration files ...
> > [EMAIL PROTECTED]:/etc/raddb#
>
> You successfully launched the radiusd daemon. Try radiusd -X to keep output to your terminal.
>
> Bye,
> Philippe

--
Kai Ozgur Geek
PGP ID: B1B63B6E
Slackware Network Engineer
Re: Windows WPA
Stefan Adams wrote:
> Does anyone know how it's possible to log into a windows domain (no local account) from a Windows XP computer using WPA when the user has never logged in before (making cached credentials impossible)?
>
> I work at a high school. We have several mobile carts with laptop computers that do NOT have local accounts for each student. Therefore, each student is required to logon to the windows domain using wireless. This works fine using WEP. However, using WPA, with the automatically supply windows username/password/domain checkbox selected, a user that has never logged into that machine before is not able to log on. The Windows computer complains that the domain controller is not available. This, of course, is true because there are no 'up' network interfaces. But wouldn't it be logical for Windows to first supply the entered credentials to the access point for authorization to the WPA WLAN and then supply those same credentials to the domain controller?

It would be logical. It does not do that.

See the archives for machine AND PEAP - basically, you need to make the machines authenticate themselves with their machine account first, then those creds are used for the network login during profile download, at which point windows will switch to the user creds.

One point to note: apparently the inbuilt windows supplicant has to use the *same method* for both the machine and user creds (e.g. both TLS or both PEAP+MS-CHAP).

Also note that in order to authenticate a machine (as opposed to user) account, FreeRadius needs to be talking to an ntlm_auth which in turn talks to a patched samba (the messages you find with the above search should reference the location of the patch and/or the version from which it's integrated). Finally you need an AD domain (not NT4) to do that.

> Is that the way it works, is there some other way, or are people that have never logged on to these laptops before condemned to never logon at all given our new WPA infrastructure?

No, you just have to work hard to fix microsoft's broken behaviour. As always.
Bind radius authentication with mac address? so radius will check username, password and mac address from radius database
Hello FreeRadius,

as subject.. I don't find any clue of this.. even with google :(

I already set up this in sql.conf:

authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 and (mac='%{Calling-Station-Id}' or isnull(mac) or mac='') ORDER BY id"

postauth_query = "UPDATE ${authcheck_table} set mac='%{Calling-Station-Id}' WHERE Username = '%{SQL-User-Name}' and (mac='' or isnull(mac))"

then add this to radreply table in radius database:

UserName  Attribute           op  value
hendy     Calling-Station-Id  =   00:0D:87:C7:13:81

i use MikroTik and PPPoE. then i try reconnect from different mac address with username: hendy but still connected :(

--
Best regards,
Yudi
mailto:[EMAIL PROTECTED]
Can I set Autz-Type in hints file?
I have this in the hints file:

DEFAULT Called-Station-Id == 987654321, Autz-Type := DialUp

And this in radiusd.conf:

files dunfiles {
        usersfile = ${confdir}/users.dun
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/preproxy_users
        compat = no
}
...
authorize {
        Autz-Type DialUp {
                dunfiles
        }

I don't have much more in authorize section:
        preprocess
        chap
        mschap
        suffix

But when I make a request with Called-Station-Id = 987654321, I get this:

modcall: entering group authorize for request 1
  hints: Matched DEFAULT at 78
  modcall[authorize]: module preprocess returns ok for request 1
...
modcall: group authorize returns ok for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

I don't see anywhere that dunfiles instance is used?

--
damjan | дамјан
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!
Re: Freeradius Configure Help me
> Errors reading dictionary: dict_init: /usr/share/freeradius/dictionary[14]: Couldn't open dictionary /usr/share/freeradius/dictionary: Too many open files

It is not a FreeRADIUS problem. You should check your system limits values with ulimit and/or sysctl.

Bye,
Philippe
Re: Freeradius Configure Help me
the /etc/freeradius/dictionary file points to a different set of dictionary files found at /usr/share/freeradius/dictionary. if you copied the same dictionary file to this location the system loops until you have too many files open. The files for this location I found at ~/freeradius-1.0.5/share from the source tar.

hope this helps
Scott

----- Original Message -----
From: Kai Geek [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, December 22, 2005 6:44 AM
Subject: Re: Freeradius Configure Help me

> Hello,
>
> Errors reading dictionary: dict_init: /usr/share/freeradius/dictionary[14]: Couldn't open dictionary /usr/share/freeradius/dictionary: Too many open files
> Errors reading radiusd.conf
MYSQL installation for interaction with freeradius
Hi all,

I am testing freeradius 1.0.5 in a solaris 8 machine and it really satisfied me. Now I want to test freeradius with MYSQL. So first, I am going to install the MYSQL software. When I visit the download page (http://dev.mysql.com/downloads/mysql/5.0.html), I see there are three software package options (standard, max and debug). Also, reading the document "Freeradius and MYSQL" (http://www.frontios.com/freeradius.html), I read that I have to make sure to have the MYSQL development headers installed.

Which of these MYSQL packages do you recommend me to interact with freeradius?

Thank you very much,
Rafa
Bind radius authentication with mac address?
Hello freeradius-users,

so radius will check username, password and mac address from radius database, as subject.. I can't find any idea of this.. :(

I already set up this in sql.conf:

authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 and (mac='%{Calling-Station-Id}' or isnull(mac) or mac='') ORDER BY id"

postauth_query = "UPDATE ${authcheck_table} set mac='%{Calling-Station-Id}' WHERE Username = '%{SQL-User-Name}' and (mac='' or isnull(mac))"

then add this to radreply table in radius database:

UserName  Attribute           op  value
hendy     Calling-Station-Id  =   00:0D:87:C7:13:81

i use MikroTik and PPPoE. then i try reconnect from different mac address with username: hendy but still connected :(

--
Best regards,
Yudi
problem compiling
hi everybody,

well i downloaded last version of freeradius and want to use with openssl, so i tried to compile using:

--with-experimental-modules --enable-ltdl-install

but i get an error and it is impossible to compile, i must delete these options. when i try to run server then i get this:

rlm_eap: Failed to link EAP-TYPE/TLS: rlm_eap_tls.so: cannot open shared object: no such file or directory
radiusd[9]

my configurations point to openssl locations, so why can't i compile and why this error??

ok, thanks for your time.
Re: Windows WPA
Phil, thanks for the information!

> Finally you need an AD domain (not NT4) to do that.

Are you saying I actually need a Microsoft Server? A Samba domain control won't suffice? Being that I have no (ZERO) Microsoft servers, are my chances of doing machine authentication nil?

Stefan
Auth/Autz Windows Guest
Hypothetically:

I notice that when you choose authenticate as guest when computer and user information are not available in the Windows XP wZc utility, that it passes a User-Name of . Let's say I wanted to just automatically authorize and authenticate the user . How could this be done?

To try and answer this hypothetical situation, I tried it myself in my test lab but my eap/ldap settings kept jumping in and denying the request.

Thanks to all!!
Stefan
Re: Windows WPA
Stefan Adams wrote:
> Phil, thanks for the information!
>
> > Finally you need an AD domain (not NT4) to do that.
>
> Are you saying I actually need a Microsoft Server? A Samba domain control won't suffice? Being that I have no (ZERO) Microsoft servers, are my chances of doing machine authentication nil?

Ah, that's a different kettle of fish entirely.

In this specific case I *believe* the RPC call allowing you to MSCHAP a machine account is a newer RPC, so since Samba emulates NT4 you may still find that method doesn't work.

But, if you have a samba domain controller, you can in a supported fashion extract the LM and NT hashes from your SAM, and give those to FreeRadius directly, which can then do the MSCHAP without a callout to the domain at *all*, which has obvious scalability and resilience value.

How to do this depends on what SAM backend you're using, whether the FreeRadius server runs on the same machine as the Samba DC or a different one, and of course whether your site policy permits the risk of moving the LM/NT hashes around, though I personally don't buy the arguments about the risk involved there.

If you're using an LDAP backend, see frequent posts about using LDAP and ways of mapping the ntPassword LDAP attribute to the NT-Password radius attribute.

If you're using smbpasswd, then a passwd file module can be used in FreeRadius, with the config as described in the default radiusd.conf (I believe), subject to you obviously getting the file somewhere FreeRadius can see it, and HUPing the server if/when it changes.

Other SAMs (TDB, etc.) can probably be done similarly but that's samba-specific.
Re: Windows WPA
Guy Davies wrote:
> The other alternative is to use a third party 802.1x supplicant with a decent GINA module. This behaves *exactly* as you want. It accepts the users' credentials at the windows login, stops the windows login process, logs the user into the network, then returns control to windows to login the user to the AD. I've been doing this with EAP-TTLS/PAP to an AD backend with LDAP (no NTLM :-) for a while.

Sure, though there's typically cost (sometimes money, sometimes just time) and of course the need for custom software there. Are you using a for-pay one, or are there any good free ones these days?
Re: Bind radius authentication with mac address? so radius will check username, password and mac address from radius database
Yudi Wijaya [EMAIL PROTECTED] wrote:
> I already set up this in sql.conf:
>
> authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 and (mac='%{Calling-Station-Id}' or isnull(mac) or mac='') ORDER BY id"

Huh? You have a field in SQL called mac? I think you're very confused about what the SQL server is doing.

Alan DeKok.
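Alan's reply does not spell out the fix, so here is an added example (not from this thread and not FreeRADIUS's own code) of how a MAC binding is normally expressed and why the poster's reconnect from another MAC still succeeded. The Calling-Station-Id row belongs in radcheck as a check item with op ==, where the server compares it against the request; a row in radreply is a reply item, it is only copied into the Access-Accept and never rejects anyone, and a hand-added mac column is not something the server knows about. The Python models that check-item evaluation (FreeRADIUS's own pair comparison handles more operators and types). The rows and requests are constructed; the MAC normalisation is an assumption about how different NAS types spell Calling-Station-Id, which is worth checking in your own debug output before relying on an exact == match.

```python
"""Check-item evaluation for a MAC-bound account, modelled in Python.

Added example for the thread above, not code from FreeRADIUS. It models
how rows from radcheck (the table read by authorize_check_query) gate an
Access-Request: every comparison row must hold against the request, and
radreply rows are never consulted. FreeRADIUS's own pair comparison
supports more operators and attribute types than shown here.
All rows and requests below are constructed.
"""
import re

# Constructed radcheck rows: (UserName, Attribute, op, Value).
# The SQL equivalent of the hendy row would be:
#   INSERT INTO radcheck (UserName, Attribute, op, Value)
#   VALUES ('hendy', 'Calling-Station-Id', '==', '00:0D:87:C7:13:81');
RADCHECK = [
    ("hendy", "Calling-Station-Id", "==", "00:0D:87:C7:13:81"),
    ("lab",   "Calling-Station-Id", "=~", "^00:0d:87:"),  # any NIC with this OUI
    ("yudi",  "Simultaneous-Use",   ":=", "1"),           # ':=' sets, never rejects
]


def normalize_mac(value):
    """Canonicalise the MAC spellings NASes put in Calling-Station-Id
    ('00:0D:87:..', '00-0d-87-..', '000d.87c7.1381') to lowercase colon
    form. Strings that are not 12 hex digits are only lowercased."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(digits) != 12:
        return value.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def check_items_hold(rows, request):
    """Return (ok, reason). rows: [(attr, op, value)]; request: {attr: value}.

    All comparison rows must hold. A '==' or '=~' row whose attribute the
    NAS did not send fails closed, so a NAS that omits Calling-Station-Id
    cannot bypass the binding. Regex values for Calling-Station-Id are
    matched against the normalised (lowercase, colon) form.
    """
    for attr, op, value in rows:
        if op in (":=", "=", "+="):
            continue                      # assignment, not a comparison
        actual = request.get(attr)
        if attr == "Calling-Station-Id":
            if op in ("==", "!="):
                value = normalize_mac(value)
            if actual is not None:
                actual = normalize_mac(actual)
        if op == "==":
            ok = actual is not None and actual == value
        elif op == "!=":
            ok = actual is None or actual != value
        elif op == "=~":
            ok = actual is not None and re.search(value, actual) is not None
        elif op == "!~":
            ok = actual is None or re.search(value, actual) is None
        else:
            return False, f"unsupported operator {op!r} for {attr}"
        if not ok:
            return False, f"{attr} {op} {value!r} failed (request had {actual!r})"
    return True, "all check items matched"


def authorize(username, request, table=RADCHECK):
    """Look up the user's radcheck rows and evaluate them against the request."""
    rows = [(a, o, v) for (u, a, o, v) in table if u == username]
    if not rows:
        return False, f"no radcheck rows for {username!r}"
    return check_items_hold(rows, request)


if __name__ == "__main__":
    print(authorize("hendy", {"Calling-Station-Id": "00:0D:87:C7:13:81"}))
    print(authorize("hendy", {"Calling-Station-Id": "00:11:22:33:44:55"}))
    print(authorize("hendy", {}))                       # NAS sent no MAC
    print(authorize("lab", {"Calling-Station-Id": "000d.87c7.aabb"}))
```

The postauth_query in the post, which writes the first MAC seen into a column on first login, can be kept as a learning step; the point is that the learned value has to end up as a radcheck row with op == for it to ever be enforced.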
Re: Can I set Autz-Type in hints file?
Damjan [EMAIL PROTECTED] wrote:
> I have this in the hints file:
>
> DEFAULT Called-Station-Id == 987654321, Autz-Type := DialUp

I don't think that will do what you want. I suggest using the users file.

Alan DeKok.
Re: Accept all
Lewis Bergman [EMAIL PROTECTED] wrote:
> Due to a huge glitch in my db cluster I need to send an access accept to all requests. An entry like
>
> DEFAULT Auth-Type := Accept
>
> in the users file doesn't seem to allow chap users to authenticate. How can I allow this?

Debug mode says...?

Alan DeKok.
Re: Problems proxying eap requests
Joseba Beltrán [EMAIL PROTECTED] wrote:
> The problem is when I try to authenticate a valid user. I can see the request being proxied and an Access-Challenge packet being received, but the process stalls.

The supplicant is ignoring the response from the server. Find out why that's happening.

Alan DeKok.
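One concrete reason a supplicant never sees the challenge is that the access point drops it first: with EAP the Message-Authenticator attribute is mandatory (RFC 3579 section 3.2) and a NAS must silently discard a reply whose HMAC does not verify, which is exactly what happens when the AP and RADIUS1 are configured with different shared secrets. The zeroed "Message-Authenticator = 0x" on the outgoing packets in the debug is not that problem; it is a placeholder that is filled in when the packet is encoded for sending. The Python below is an added example for this thread, not code from FreeRADIUS: it builds the Access-Request and the proxied Access-Challenge from the debug output above and verifies the Message-Authenticator on both, including the Request Authenticator substitution the NAS does for replies. Standard library only; the shared secrets, packet identifiers and State value are constructed, the EAP-Message bytes are the ones in the debug, and the User-Name raul@8 is read back out of the EAP identity bytes.

```python
"""Build and verify RADIUS Message-Authenticator (RFC 3579 section 3.2).

Added example for the thread above, not code from FreeRADIUS; standard
library only. The shared secrets, identifiers and State value are
constructed; the EAP-Message values are the ones in the debug output.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_CHALLENGE = 11
ATTR_USER_NAME = 1
ATTR_STATE = 24
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def avp(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def find_message_authenticator(pkt):
    """Offset of the 16-byte Message-Authenticator value, or None."""
    pos = 20
    while pos + 2 <= len(pkt):
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > len(pkt):
            return None                      # malformed attribute list
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            return pos + 2
        pos += attr_len
    return None


def build_packet(code, ident, request_authenticator, attrs, secret):
    """Assemble a packet with a valid Message-Authenticator.

    request_authenticator: for an Access-Request, the 16 random bytes the
    NAS sends; for a reply, the Request Authenticator of the request being
    answered (the reply's own Response Authenticator is set afterwards by
    finish_response). The HMAC-MD5 is computed over the whole packet with
    the Message-Authenticator value zeroed, then written in place.
    """
    body = b"".join(avp(t, v) for t, v in attrs)
    body += avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    pkt = bytearray(header + request_authenticator + body)
    off = find_message_authenticator(pkt)
    pkt[off:off + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def finish_response(reply, request_authenticator, secret):
    """Fill in the Response Authenticator (RFC 2865 section 3) of a reply
    built by build_packet: MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    pkt = bytearray(reply)
    pkt[4:20] = hashlib.md5(bytes(pkt[:4]) + request_authenticator
                            + bytes(pkt[20:]) + secret).digest()
    return bytes(pkt)


def verify_message_authenticator(pkt, secret, request_authenticator=None):
    """True if the Message-Authenticator verifies under `secret`.

    For replies pass the Request Authenticator of the matching request,
    which the NAS substitutes before checking; for requests the packet's
    own Authenticator field is used. A packet without the attribute fails.
    """
    off = find_message_authenticator(pkt)
    if off is None:
        return False
    scratch = bytearray(pkt)
    if request_authenticator is not None:
        scratch[4:20] = request_authenticator
    received = bytes(scratch[off:off + 16])
    scratch[off:off + 16] = bytes(16)
    expected = hmac.new(secret, bytes(scratch), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def exchange(secret=b"constructed-secret", wrong_secret=b"other-secret"):
    """Model the exchange in the debug output: the AP's EAP identity
    request and the Access-Challenge proxied back to it.

    Returns (request_ok, challenge_ok, challenge_ok_under_wrong_secret).
    The third value is what an AP whose secret differs from RADIUS1's
    sees: the challenge is silently discarded and the supplicant stalls.
    """
    req_auth = os.urandom(16)
    request = build_packet(ACCESS_REQUEST, 0, req_auth, [
        (ATTR_USER_NAME, b"raul@8"),
        (ATTR_EAP_MESSAGE, bytes.fromhex("0208000b017261756c4038")),
    ], secret)
    challenge = build_packet(ACCESS_CHALLENGE, 0, req_auth, [
        (ATTR_EAP_MESSAGE, bytes.fromhex("010900061920")),
        (ATTR_STATE, os.urandom(16)),        # constructed State value
    ], secret)
    challenge = finish_response(challenge, req_auth, secret)
    return (
        verify_message_authenticator(request, secret),
        verify_message_authenticator(challenge, secret, req_auth),
        verify_message_authenticator(challenge, wrong_secret, req_auth),
    )


if __name__ == "__main__":
    print(exchange())
```

If the AP's shared secret is wrong the Access-Request still arrives at RADIUS1 and is proxied (the server can decode it either way), and the failure only shows up as a challenge the AP throws away, which matches the symptom in the thread; a packet capture on the AP side, or FreeRADIUS logging a bad Message-Authenticator on the request, is the quickest way to confirm or rule it out.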
Re: default gateway per user basis
Igor Smitran [EMAIL PROTECTED] wrote:
> I have a pppoe server on freebsd. I want to setup freeradius to give different ip address block and gateway to users. I need two pools, and i have two gateways. One gateway is more expensive than the other one. So, users that pay less will use cheaper gateway and vice versa. Is this possible?

Yes.

Alan DeKok.
Re: Windows WPA
In this case, if you happen to be using Samba as your PDC with an LDAP backend, you should actually be able to use rlm_ldap to lookup the NTLM hashes from the same LDAP tree that your Samba PDC uses. Once you have those hashes, you can do MSCHAPv2 without having to use ntlm_auth.

--Mike

Phil Mayers wrote:
> Stefan Adams wrote:
> > Are you saying I actually need a Microsoft Server? A Samba domain control won't suffice? Being that I have no (ZERO) Microsoft servers, are my chances of doing machine authentication nil?
>
> Ah, that's a different kettle of fish entirely.
>
> If you're using an LDAP backend, see frequent posts about using LDAP and ways of mapping the ntPassword LDAP attribute to the NT-Password radius attribute.
Re: Accept all
Alan DeKok wrote:
> Lewis Bergman [EMAIL PROTECTED] wrote:
> > Due to a huge glitch in my db cluster I need to send an access accept to all requests. An entry like
> >
> > DEFAULT Auth-Type := Accept
> >
> > in the users file doesn't seem to allow chap users to authenticate. How can I allow this?
>
> Debug mode says...?

When I had the debug mode going chap reported no clear text password. Maybe it was the order they are checked. I got it running so I'll have to get a test server up and then run some test against it and let you know.

I still would like to configure freeradius to check against the sql and if it can't connect, accept all but now that the crisis is over I can go back to setting up a test server and trying things out and when I get frustrated with my stupidity I'll shout.

Thanks Alan.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
Re: default gateway per user basis
> Igor Smitran [EMAIL PROTECTED] wrote:
> > I have a pppoe server on freebsd. I want to setup freeradius to give different ip address block and gateway to users. I need two pools, and i have two gateways. One gateway is more expensive than the other one. So, users that pay less will use cheaper gateway and vice versa. Is this possible?
>
> Yes.
>
> Alan DeKok.

Can you tell me how? :lol:

Igor
Re: Accept all
Lewis Bergman wrote:
> I still would like to configure freeradius to check against the sql and if it can't connect, accept all

Just a stab, but one of my test config files has this in it:

always handled {
        rcode = handled
}
...
redundant {
        sql
        handled
}

See the failover doc. You should be able to failover to a module that always accepts.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: default gateway per user basis
Igor Smitran [EMAIL PROTECTED] wrote:
> Can you tell me how? :lol:

Look at the packets coming from the two gateways, and see how they're different. Use those differences to write rules that match those differences, and return the different configurations.

*You* have access to that data. No one else does. So no one else can give any more detailed response than that.

Alan DeKok.
Re: Accept all
Lewis Bergman [EMAIL PROTECTED] wrote:
> When I had the debug mode going chap reported no clear text password. Maybe it was the order they are checked.

Probably.

> I got it running so I'll have to get a test server up and then run some test against it and let you know.

Don't worry about it.

Alan DeKok.
rlm_sql_mysql.so where do I locate this file and its associated files for Redhat ES4 to run Radius and MySQL
Hi,

I am trying to build a radius server using MySQL and am getting a message about missing rlm_sql_mysql.so. I could use some help in locating the required modules.

Thanks
Frank Reiss
Re: rlm_sql_mysql.so where do I locate this file and its associated files for Redhat ES4 to run Radius and MySQL
Frank Reiss [EMAIL PROTECTED] wrote:
> I am trying to build a radius server using MySQL and am getting a message about missing rlm_sql_mysql.so. I could use some help in locating the required modules.

If you have the MySQL development package installed, that module will be built when you build FreeRADIUS. If not, you can't get that module anywhere.

Install the MySQL development package for your OS, and re-build FreeRADIUS.

Alan DeKok.
Re: rlm_sql_mysql.so where do I locate this file and its associated files for Redhat ES4 to run Radius and MySQL
Frank Reiss wrote:
> Hi, I am trying to build a radius server using MySQL and am getting a message about missing rlm_sql_mysql.so. I could use some help in locating the required modules.

You need the mysql-devel rpm installed before you do the ./configure, make, make install process.

-- Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
Re: default gateway per user basis
Alan Dekok wrote:
> Look at the packets coming from the two gateways, and see how they're different. Use those differences to write rules that match those differences, and return the different configurations.

Ok, let us say that we have two users: Alan and Igor

1. when Igor logs in he needs to get IP address 192.168.1.10/24 and gateway 192.168.1.100
2. when Alan logs in he needs to get IP address 192.168.2.10/24 and gateway 192.168.2.100

different IP ranges, different C classes and different gateways accordingly. I am not sure what I have to listen for from those gateways. Computer with pppoe server and freeradius has connection to both C classes. I just want to route users differently. One user to more expensive link, one user to less expensive link.

Help please?
Re: default gateway per user basis
Igor Smitran [EMAIL PROTECTED] wrote:
> 1. when Igor logs in he needs to get IP address 192.168.1.10/24 and gateway 192.168.1.100
> 2. when Alan logs in he needs to get IP address 192.168.2.10/24 and gateway 192.168.2.100

Read the NAS documentation to see which RADIUS attributes it expects to see, in order to configure that.

Sorry if this sounds unhelpful, but configuring anything on FreeRADIUS is useless unless you know the NAS understands it. Once you know what the NAS understands, it's trivial to see how to configure FreeRADIUS.

Alan DeKok.
patch for sqlcounter, please test!
hi list!

part of a radius-related project is to allow access to our guests and visitors at our institute to parts of our network, of course only with username and password, and do some logging. the idea is that guests get an account and a password which they can use for a period of one to seven days (according to setup). to achieve this i am using the sqlcounter module using the following query:

query = SELECT TO_DAYS(NOW()) - MIN(TO_DAYS(AcctStartTime)) FROM radacct WHERE UserName = '%{%k}' LIMIT 1;

this actually works very well, a user logs in and is allowed access to the network until the date changes e.g. the second time if he is allowed access for two days. but as i am saving the days as days in the mysql database, i run into trouble with Session-Timeout because rlm_sqlcounter assumes that the query returns seconds and the user gets a session timeout of the remaining days as seconds (a value between 1 and 7!). putting the day limit as seconds into the database does (in my case/opinion) not make any sense here. as i posted a question about this some two months ago to the freeradius users list unfortunately nobody had a solution available, but i can remember several answers (to the list and by private mail) that this feature would be nice!

so i finally tried some coding today and now here is my proposal: add an optional parameter 'timeunit' to sqlcounter.conf that represents the time unit used in the query and the check value (in the sql db), my config then reads:

+ /etc/raddb/sqlcounter.conf
sqlcounter shorttermaccounts {
    counter-name = Short-Term-Account
    check-name = Max-Days-Passed
    sqlmod-inst = sql
    key = User-Name
    reset = never
    timeunit = days
    query = SELECT TO_DAYS(NOW()) - MIN(TO_DAYS(AcctStartTime)) FROM radacct WHERE UserName = '%{%k}' LIMIT 1;
}
- /etc/raddb/sqlcounter.conf

in rlm_sqlcounter.c i added some lines which (if 'timeunit' is set) multiply the value of 'res' (i assume this is the remaining time of allowed success) by an appropriate value to get seconds. in this case Session-Timeout is returned correctly. possible values for timeunit are minutes, hours, days, and weeks (for now). a patch to version 1.0.5 can be found as attachment to this email. i ran several tests and it is also working with different queries (like the ones in the doc), but i would appreciate others doing some testing to see if it really works. but as it seems that nobody has made a proposal/code for this yet, what do you think about it? i put this also on bugs.freeradius.org but could not find the component rlm_sqlcounter so i put it in modules, i hope i did not mess up things! hoping for much feedback! ;-)

with best regards,
markus

-- Markus Krause
email: [EMAIL PROTECTED]
Computing Center    Tel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics    Fax.: 089 - 89 40 85 98

- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to [EMAIL PROTECTED]

--- rlm_sqlcounter-original.c 2005-12-16 15:05:54.725659800 +0100 +++ rlm_sqlcounter.c 2005-12-16 15:20:10.761522568 +0100
@@ -72,6 +72,7 @@ char *sqlmod_inst; /* instance of SQL module to use, usually just 'sql' */ char *query; /* SQL query to retrieve current session time */ char *reset; /* daily, weekly, monthly, never or user defined */ + char *timeunit; /* minutes, hours, days or weeks */ time_t reset_time; time_t last_reset; int key_attr; /* attribute number for key field */ @@ -94,6 +95,7 @@ { sqlmod-inst, PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,sqlmod_inst), NULL, NULL }, { query, PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,query), NULL, NULL }, { reset, PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,reset), NULL, NULL }, + { timeunit, PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,timeunit), NULL, NULL }, { NULL, -1, 0, NULL, NULL } }; @@ -544,6 +546,7 @@ int ret=RLM_MODULE_NOOP; int counter=0; int res=0; + int timemultiplier=1; DICT_ATTR *dattr; VALUE_PAIR *key_vp, *check_vp; VALUE_PAIR *reply_item; @@ -612,6 +615,27 @@ * Check if check item counter */ res=check_vp-lvalue - counter; + + /* + * If timeunit is set in sqlcounter.conf set timemultiplier + */ + if( data-timeunit != NULL ) { + if(strcmp(data-timeunit, minutes) == 0 ) { + timemultiplier = 60; + } else if(strcmp(data-timeunit, hours) == 0 ) { + timemultiplier = 3600; + } else if(strcmp(data-timeunit, days) == 0 ) { + timemultiplier = 86400; + } else if(strcmp(data-timeunit, weeks) == 0 ) { + timemultiplier = 604800; + } else { + radlog(L_ERR, rlm_sqlcounter: Unknown value for timeunit \%s\ in sqlcounter.conf, data-timeunit); + return -1; + } + } + if( timemultiplier ) + res *= timemultiplier; + if (res 0) { DEBUG2(rlm_sqlcounter: (Check item - counter) is greater than
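Review bot: the new `timeunit` entry in the module_config table (hunk @@ -94,6 +95,7 @@) ships without any user-facing documentation; the patch does not touch the sample sqlcounter.conf, so nobody reading it would learn that `timeunit = minutes|hours|days|weeks` exists or that the counter keeps treating values as seconds when it is unset. Add a commented-out `timeunit` line next to `reset` in the sample config (the form shown in the mail above is fine) and state the default there.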
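Review bot: in the last hunk (@@ -612,6 +615,27 @@) the timeunit string is re-parsed with a strcmp chain on every request, and an unknown value makes the function `return -1`, which is not one of the RLM_MODULE_* codes the caller expects (the function otherwise returns `ret`, initialised to RLM_MODULE_NOOP). Do the strcmp chain once in the module's instantiate routine, so a typo in sqlcounter.conf is rejected at startup instead of on the first Access-Request, store the resulting multiplier in rlm_sqlcounter_t next to the existing `timeunit` pointer, and reduce this hunk to a single `res *= ...` using that stored value. The `if( timemultiplier )` guard is also dead code, since the variable starts at 1 and is only ever assigned positive constants; and because `res` is a plain int, a large remaining value in weeks multiplied by 604800 can overflow, so clamping `res` before the multiply would avoid handing the NAS a negative Session-Timeout.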
Radius SIP billing
Hey guys,

I'm running FR1.0.5 with unixODBC (Sybase) backend and I'm trying to bill calls generated from Sip Express Router (SER). The problem that I have is the following scenario:

When UserA calls UserB: SER generates a start-record where the Calling-Station-Id is UserA and the Called-Station-Id is UserB, this is the desired and always the correct behavior.

When UserA hangs up on UserB: SER generates a stop-record where the Calling-Station-Id is UserA and the Called-Station-Id is UserB, this is the desired and correct behavior.

But if UserB hangs up on UserA: SER generates a stop-record where the Calling-Station-Id is UserB and the Called-Station-Id is UserA, this is the undesired and incorrect behavior.

To me the Calling-Station-Id and the Called-Station-Id should be the same for both start and stop records, am I right by thinking that?

According to the developers of SER/OpenSER, this is the correct behavior, whoever sends the hangup signal (BYE or CANCEL) is considered the Calling-Station-Id, and they are unwilling to modify or create a patch to fix this.

So for my purposes, I need the Calling-Station-Id and the Called-Station-Id to be the same on both the start and stop records, since the start record is always correct, what do I need to do to have FR fix the stop record when it receives it to show the same Calling-Station-Id and the Called-Station-Id as the Start Record?

Thanks in advance,
Lenir
Re: Radius SIP billing
Lenir [EMAIL PROTECTED] wrote:
> But if UserB hangs up on UserA: SER generates a stop-record where the Calling-Station-Id is UserB and the Called-Station-Id is UserA, this is the undesired and incorrect behavior.

It would appear to be a bug in SER.

> To me the Calling-Station-Id and the Called-Station-Id should be the same for both start and stop records, am I right by thinking that?

Yes.

> According to the developers of SER/OpenSER, this is the correct behavior, whoever sends the hangup signal (BYE or CANCEL) is considered the Calling-Station-Id, and they are unwilling to modify or create a patch to fix this.

What they do for something inside of SER is their business. When they generate RADIUS packets, they should follow RADIUS standards and interoperability. The expectation, as you said, is that the Calling/Called-Station-Id doesn't change during a session. If it does, it's a bug and they should fix it.

> So for my purposes, I need the Calling-Station-Id and the Called-Station-Id to be the same on both the start and stop records, since the start record is always correct, what do I need to do to have FR fix the stop record when it receives it to show the same Calling-Station-Id and the Called-Station-Id as the Start Record?

I would say it's not a FreeRADIUS issue. Rather, just inject the records into SQL as-is, and write a script to post-process the SQL database, to fix the records.

Alan DeKok.
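The post-processing Alan suggests, as an added example that is not part of the thread and not FreeRADIUS or SER code: it assumes a simplified radacct-style table in which start and stop records are separate rows sharing an AcctSessionId (constructed here in an in-memory SQLite database; a real unixODBC/Sybase schema and the single-row layout of the stock FreeRADIUS schema would need the column names and the Start/Stop discriminator adjusted).

```python
import sqlite3

# Constructed sample rows: for s2 the callee hung up, so the proxy swapped the ids.
SAMPLE_ROWS = [
    ("s1", "Start", "UserA", "UserB"),
    ("s1", "Stop",  "UserA", "UserB"),   # caller hung up: already consistent
    ("s2", "Start", "UserA", "UserB"),
    ("s2", "Stop",  "UserB", "UserA"),   # callee hung up: ids reversed
    ("s3", "Stop",  "UserC", "UserD"),   # orphan stop: must be left alone
]

def build_sample_db():
    """Create an in-memory table shaped like a simplified radacct."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (AcctSessionId TEXT, AcctStatusType TEXT,"
                 " CallingStationId TEXT, CalledStationId TEXT)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def fix_stop_records(conn):
    """Copy the station ids of each start record onto its stop record; only stop
    rows that disagree with an existing start row are touched. Returns row count."""
    cur = conn.execute("""
        UPDATE radacct
           SET CallingStationId = (SELECT s.CallingStationId FROM radacct s
                                   WHERE s.AcctSessionId = radacct.AcctSessionId
                                     AND s.AcctStatusType = 'Start'),
               CalledStationId  = (SELECT s.CalledStationId FROM radacct s
                                   WHERE s.AcctSessionId = radacct.AcctSessionId
                                     AND s.AcctStatusType = 'Start')
         WHERE AcctStatusType = 'Stop'
           AND EXISTS (SELECT 1 FROM radacct s
                        WHERE s.AcctSessionId = radacct.AcctSessionId
                          AND s.AcctStatusType = 'Start'
                          AND (s.CallingStationId <> radacct.CallingStationId
                               OR s.CalledStationId <> radacct.CalledStationId))
    """)
    conn.commit()
    return cur.rowcount

def stop_records(conn):
    """Return (session, calling, called) for every stop record, for checking."""
    return conn.execute("SELECT AcctSessionId, CallingStationId, CalledStationId"
                        " FROM radacct WHERE AcctStatusType = 'Stop'"
                        " ORDER BY AcctSessionId").fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    print(fix_stop_records(db), "corrected ->", stop_records(db))
```

The EXISTS guard is what keeps an orphan stop record (no matching start) from being overwritten with NULLs, which a naive correlated UPDATE would do.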
Any Good Documentation for newbies
Hello

As I am new to this free radius, could you please suggest some good (free) documentation available on the net. Version I am using is Free RADIUS 1.0.5.

Regards
Manuj
Re: Any Good Documentation for newbies
On Thu, 23 Dec 2005, Manuj wrote:
> Hello As I am new to this free radius, could you please suggest some good (free) documentation available on the net. Version I am using is Free RADIUS 1.0.5. Regards Manuj

Download the source. Untar the package and cd into the doc/ directory. When you're done with that, cd back into the raddb directory and read the comments in the config files. Most of the time, what you want to do will just work with minimal changes. Then set it up and give it a shot. Run it in debug mode (radiusd -X) and send some test packets to it with radclient (this is all in the docs I listed).

If you want to learn more about radius, you could even do a packet capture with tcpdump and then read the packets with ethereal. That will show you what is going back and forth between the servers. If you're feeling really ambitious, read the radius RFCs. It probably won't make much sense if you're not used to that kind of document, but it will help give you an idea of how radius works if you're new to it.

Then post questions here and be sure to include your debug output and a detailed description of what you're trying to do.