sqlcounter and dialup admin issue
Hello list, I'm using freeradius 1.1.0 with mysql 5.0.x and dialup_admin. I want to use the monthly counter function of the sqlcounter module. I've added

  checkItem MaxMonthlySession MaxMonthlySession

to sql.attrmap, also added MaxMonthlySession to user_edit.attrs, and in radiusd.conf added monthlycounter in the authorize section. freeradius loading the module: http://pastebin.com/542929

I add a user from dialup_admin with a maxmonthlysession = 14400 for example, and when the user tries to log in radius says:

  Tue Feb 7 10:47:14 2006 : Info: rlm_sql (sql): No matching entry in the database for request from user [het]
  Tue Feb 7 10:47:14 2006 : Auth: Login incorrect: [het/het] (from client pppoe-as port 0 cli 00:0A:EB:40:9F:FD)

If I don't specify maxmonthlysession the user logs in fine. Any idea?

-- 
regards, Georgi Alexandrov
Key Server = http://pgp.mit.edu/ :: KeyID = 37B4B3EE
Key Fingerprint = E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Auth question
Can anyone tell me why I am getting trashed passwords when attempting to authenticate?

  Login incorrect: [nickm/d\313f`\247+4\203\360/\367]

Nick Marino - IT Solutions
RE: Auth question
What does radiusd.conf say about the encryption lines? It is not really trashed, it is encrypted.

-----Original Message-----
From: Nick Marino
Sent: Tuesday, February 07, 2006 10:39 AM
To: freeradius-users@lists.freeradius.org
Subject: Auth question

> Can anyone tell me why I am getting trashed passwords when attempting to authenticate?
> Login incorrect: [nickm/d\313f`\247+4\203\360/\367]
Re: Auth question
> Can anyone tell me why I am getting trashed passwords when attempting to authenticate?
> Login incorrect: [nickm/d\313f`\247+4\203\360/\367]

Looks like your secrets in clients.conf don't match what your NAS has.

-- 
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
grouping rlm_ippool's
Hi

Some time ago there was a question about rlm_ippool and if it was possible to group them, ie

  ippool main_pool_1 {
  }
  ippool main_pool_2 {
  }

  accounting {
    group main_pool {
      main_pool_1
      main_pool_2
    }
    sql
  }

  post-auth {
    group main_pool {
      main_pool_1
      main_pool_2
    }
  }

I have done some testing and it does not seem to work (using freeradius-1.0.5). Does anyone have any idea of how this could be made to work, and/or have I not got this configuration correct?

Thanks
Mike
NAS online/offline?
Hypothetical situation: You have users logged into a NAS. The NAS goes down without warning (power failure...). Users who were logged in now have sessions which are not complete (acctstoptime is set to NULL). In my case Simultaneous logins is disabled and needs to be so. Therefore once the NAS is brought back up, the users can't log back in, as radius will not authorize the users as they are apparently logged in.

My question is... How do I set the acctstoptime to the time when the NAS goes down? Is there a way to see when a NAS dies? Any input will be greatly appreciated.

Sent from the FreeRadius - User forum at Nabble.com.
Deleting VLAN information while proxying
We have the following problem arising from the eduroam project. Our university radius server sets VLAN information based on user attributes from the LDAP directory. This works fine when the system is used internally. However when our user authenticates while visiting another institution, this VLAN information should not be sent out. In such a situation, the authentication request arrives via the national proxy.

We have managed to configure VLAN blocking for EAP-TLS since then we can use Client-IP-Address information. If this address corresponds to the address of the national proxy then we do not set VLAN information at all. This approach breaks down with EAP-TTLS. The internal proxy mechanism rewrites the Client-IP-Address to localhost and all requests look the same. We could in principle base our decision on huntgroups, creating a huntgroup for all our NASes, but this looks so clumsy and a mess to administer.

Is there a better trick to solve this?

Tomasz

-- 
Tomasz Wolniewicz
http://www.uni.torun.pl/~twoln
Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University, pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
RE: NAS online/offline?
Thank you very much for your reply. Let me phrase my question differently. In particular, we have a problem that when a NAS goes down, we get a stale session in radacct. It stays there indefinitely. How can we clean this up?
Re: NAS online/offline?
A stale session in radacct could happen simply due to the loss of a udp packet with the accounting information in it. RADIUS is totally stateless and has no reliable mechanism for deciding if a user is present or not. If simultaneous use relies entirely upon the contents of radacct, it's very vulnerable to packet loss and also, if you're using multiple radius servers for authentication/authorization and for accounting, you may not have access to all the logs anyway.

I was under the impression (possibly falsely) that simultaneous use relied upon the presence of snmp to function properly (I've certainly seen warnings when compiling that snmp isn't present so simultaneous use may not function correctly).

Rgds,
Guy

On 07/02/06, nikwan (sent by Nabble.com) wrote:
> Thank you very much for your reply. Let me phrase my question differently. In particular, we have a problem that when a NAS goes down, we get a stale session in radacct. It stays there indefinitely. How can we clean this up?
Re: [radius] Re: Auth question
----- Original Message -----
From: Lewis Bergman
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, February 07, 2006 5:56 AM
Subject: [radius] Re: Auth question

> > Can anyone tell me why I am getting trashed passwords when attempting to authenticate?
> > Login incorrect: [nickm/d\313f`\247+4\203\360/\367]
>
> Looks like your secrets in clients.conf don't match what your NAS has.

No, the secret in my clients.conf is the same as what's in my NAS, I even reset the password on the NAS to be sure. Weird thing is if I do a test on the user account using Dialup Admin it works perfectly and the password is handled properly. Only when the NAS sends the request to FR does it generate that garbled password.

Nick Marino - IT Solutions
Using STORED PROCEDURE with Freeradius
Hi,

For some reasons I've to use a stored procedure with Freeradius but I am getting the following error from mysql:

  Error: 1312 SQLSTATE: 0A000 (ER_SP_BADSELECT)
  Message: PROCEDURE %s can't return a result set in the given context

You can consider the following example. Instead of the following authorize_check_query

  authorize_check_query = "SELECT id, UserName, Attribute, Value, op, uid \
    FROM ${authcheck_table} \
    WHERE Username = '%{SQL-User-Name}' \
    ORDER BY id"

I want to use this:

  authorize_check_query = "CALL molo('%{SQL-User-Name}')"

And this is my stored proc in mysql:

  DELIMITER $$
  DROP PROCEDURE IF EXISTS `radius`.`molo`$$
  CREATE PROCEDURE `molo`(did VARCHAR(64))
  BEGIN
    -- Return the check items as a result set, so the caller gets the same
    -- columns as the plain authorize_check_query above.
    -- (SELECT ... INTO local variables would fail as soon as a user has more
    -- than one radcheck row, and VARCHAR(10)/VARCHAR(15) locals would
    -- truncate longer values.)
    SELECT id, UserName, Attribute, Value, op
      FROM radcheck
     WHERE UserName = did
     ORDER BY id;
  END$$
  DELIMITER ;

I can call this stored proc from any mysql client successfully, but if I call it from sql.conf it gives error 1312. Any solution please?

Thanks in advance
Saeed Ahmed.
Re: [radius] Re: Auth question
Maybe you are not loading the right dictionary for your NAS?

On Feb 7, 2006, at 4:36 PM, Nick Marino wrote:

> No, the secret in my clients.conf is the same as what's in my NAS, I even reset the password on the NAS to be sure. Weird thing is if I do a test on the user account using Dialup Admin it works perfectly and the password is handled properly. Only when the NAS sends the request to FR does it generate that garbled password.
RE: NAS online/offline?
If you cannot ping the NAS, probably it is down. However, when your NAS updates its accounting, radius will not be aware to remove its stale sessions, I believe; the time taken here depends on how your NAS updates accounting packets to your RAS. With my case it is from 2 minutes to 10 minutes, then the stale sessions will be gone. It is not good and advisable to force and remove the stale sessions completely using zap commands, it is deprecated but it does the job.

Hope it helps

From: nikwan (sent by Nabble.com)
Sent: Tuesday, February 07, 2006 2:06 PM
To: freeradius-users@lists.freeradius.org
Subject: NAS online/offline?

> Hypothetical situation: You have users logged into a NAS. The NAS goes down without warning (power failure...). Users who were logged in now have sessions which are not complete (acctstoptime is set to NULL). In my case Simultaneous logins is disabled and needs to be so. Therefore once the NAS is brought back up, the users can't log back in, as radius will not authorize the users as they are apparently logged in.
>
> My question is... How do I set the acctstoptime to the time when the NAS goes down? Is there a way to see when a NAS dies? Any input will be greatly appreciated.
Re: [radius] Re: Auth question
----- Original Message -----
From: futhwo
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, February 07, 2006 9:57 AM
Subject: Re: [radius] Re: Auth question

> Maybe you are not loading the right dictionary for your NAS?

That could be possible, the only ones that are being included are the compat and freeradius ones, other than what's in the main dictionary file itself. When I try to include the ascend dictionary it throws errors about duplicate values.

Nick Marino - IT Solutions
Re: Problem with PPTP and LDAP authentication.
Ladies and gents... We have lift off. Thanks!

--joey

On 2/6/06, Alan DeKok wrote:
> > I've taken out the LDAP section in users - so it's exactly the same as the default users file. ldap is now listed after mschap in authorize {}. Trying again, I get the following:
>
> Run the server in debugging mode, as suggested in the README, FAQ, and INSTALL. Then, read the output. All of it. The answer will be in the debug output.
>
> Alan DeKok.
Re: NAS online/offline?
Use sql radius accounting logging
modify the table to have a timestamp field
modify the server queries if necessary
run an external script/process that checks for all acctstoptime=0 and timestamp < (current_time - (expected_update_interval*2)) and updates them all with acctstoptime = timestamp.

or something like that

nikwan (sent by Nabble.com) wrote:
> Hypothetical situation: You have users logged into a NAS. The NAS goes down without warning (power failure...). Users who were logged in now have sessions which are not complete (acctstoptime is set to NULL). In my case Simultaneous logins is disabled and needs to be so. Therefore once the NAS is brought back up, the users can't log back in, as radius will not authorize the users as they are apparently logged in.
>
> My question is... How do I set the acctstoptime to the time when the NAS goes down? Is there a way to see when a NAS dies? Any input will be greatly appreciated.
Re: NAS online/offline?
nikwan (sent by Nabble.com) wrote:
> Hypothetical situation: You have users logged into a NAS. The NAS goes down without warning (power failure...). Users who were logged in now have sessions which are not complete (acctstoptime is set to NULL). In my case Simultaneous logins is disabled and needs to be so. Therefore once the NAS is brought back up, the users can't log back in, as radius will not authorize the users as they are apparently logged in.
>
> My question is... How do I set the acctstoptime to the time when the NAS goes down? Is there a way to see when a NAS dies? Any input will be greatly appreciated.

Hi, I had the same issue, search the list for how to deal with this as subject and you will get the full thread. In a nutshell an option that may help you is that your NAS should use Accounting On/Off packets in order to let FR know that all those sessions went down. I think this should be ok in case you have a single NAS.

Regards,
Ezequiel.

-- 
Ezequiel O. Block
Cooperativa La Lonja, Servicios de Internet.
T 02322-474537 F 02322-470406
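The two cleanup strategies in the replies above (a periodic script that closes rows whose timestamp is older than twice the update interval, and closing everything a NAS had when it sends Accounting-On) worked through against a radacct-like table. This is an added example, not code from the thread or from FreeRADIUS. It assumes Unix-epoch integer timestamps instead of the stock DATETIME columns and an extra `lastupdate` column (the "timestamp field" the earlier reply suggests adding) that the interim-update query bumps; the NAS addresses, usernames and times are constructed test data.

```python
"""Closing stale radacct sessions when a NAS dies or a Stop packet is lost.

Added example, not part of the thread or of FreeRADIUS. Keeps a radacct-like
table in SQLite and shows:
  1. a reaper that closes any open session whose last update is older than
     twice the interim-update interval (covers both a dead NAS and a lost
     Accounting-Stop), and
  2. closing every open session of a NAS when it sends Accounting-On, since a
     rebooted NAS cannot still be carrying the sessions it had before.

Assumptions (not the stock schema): epoch-integer timestamps and an added
`lastupdate` column that interim updates refresh. All rows are constructed.
"""
import sqlite3

INTERIM_INTERVAL = 300  # seconds; must match Acct-Interim-Interval on the NAS


def open_radacct() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE radacct (
               radacctid          INTEGER PRIMARY KEY,
               acctsessionid      TEXT NOT NULL,
               username           TEXT NOT NULL,
               nasipaddress       TEXT NOT NULL,
               acctstarttime      INTEGER NOT NULL,
               lastupdate         INTEGER NOT NULL,
               acctstoptime       INTEGER,
               acctterminatecause TEXT)"""
    )
    return conn


def seed(conn: sqlite3.Connection, now: int) -> None:
    """Constructed rows: two live sessions, one stale, one already closed."""
    rows = [
        ("s1", "alice", "10.0.0.1", now - 4000, now - 100, None, None),
        ("s2", "bob",   "10.0.0.1", now - 3000, now - 2000, None, None),
        ("s3", "carol", "10.0.0.2", now - 3000, now - 200, None, None),
        ("s4", "dave",  "10.0.0.2", now - 5000, now - 4000, now - 4000, "User-Request"),
    ]
    conn.executemany(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress, acctstarttime, "
        "lastupdate, acctstoptime, acctterminatecause) VALUES (?,?,?,?,?,?,?)",
        rows,
    )


def reap_stale_sessions(conn, now: int, interval: int = INTERIM_INTERVAL) -> int:
    """Close open sessions not updated for 2*interval. The stop time is the
    last update we actually saw, not 'now', so AcctSessionTime is not
    inflated by the outage. Returns the number of rows closed."""
    cur = conn.execute(
        """UPDATE radacct
              SET acctstoptime = lastupdate,
                  acctterminatecause = 'Lost-Service'
            WHERE acctstoptime IS NULL
              AND lastupdate < ?""",
        (now - 2 * interval,),
    )
    conn.commit()
    return cur.rowcount


def handle_accounting_on(conn, nas_ip: str, now: int) -> int:
    """Accounting-On from a NAS means it rebooted: close everything it had."""
    cur = conn.execute(
        """UPDATE radacct
              SET acctstoptime = ?,
                  acctterminatecause = 'NAS-Reboot'
            WHERE acctstoptime IS NULL
              AND nasipaddress = ?""",
        (now, nas_ip),
    )
    conn.commit()
    return cur.rowcount


def open_sessions(conn, username: str) -> int:
    """What a radacct-based simultaneous-use check would count for this user."""
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
        (username,),
    ).fetchone()
    return n


if __name__ == "__main__":
    now = 1_139_313_600  # constructed epoch, roughly the date of this thread
    conn = open_radacct()
    seed(conn, now)
    print("stale sessions closed by reaper:", reap_stale_sessions(conn, now))
    print("sessions closed by Accounting-On from 10.0.0.2:",
          handle_accounting_on(conn, "10.0.0.2", now))
```

The reaper is what you run from cron; the Accounting-On handler is the logic FreeRADIUS's own sql module applies through the accounting_onoff_query in its 1.x sql.conf, shown here so the two can be compared. Note the reaper only works if the NAS actually sends interim updates (Acct-Interim-Interval set), otherwise every long session looks stale; and it does not help at all with a user who is still genuinely online on a NAS that simply stopped sending accounting.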
Re: Deleting VLAN information while proxying
Tomasz Wolniewicz wrote:
> Our university radius server sets VLAN information based on user attributes from the LDAP directory. This works fine when the system is used internally. However when our user authenticates while visiting another institution, this VLAN information should not be sent out.

rlm_attr_filter should work, I think.

Alan DeKok.
Re: [radius] Re: Auth question
Nick Marino wrote:
> that could be possible, the only one that is being included is the compat and freeradius and other than whats in the main dictionary file itself.

The dictionaries have nothing to do with the passwords or shared secrets.

> When I try to include the ascend dictionary it throws errors about duplicate values.

The ascend dictionary should be included by default, but not all of it. Because there *are* duplicate values.

Alan DeKok.
EAP/TLS work but with errors
When a client tries to log in with a valid certificate it works. But I get this error:

  TLS_accept:error in SSLv3 read client certificate A
  Tue Feb 7 18:34:53 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message
  Tue Feb 7 18:34:53 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message
  Tue Feb 7 18:34:53 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message
  Tue Feb 7 18:34:53 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message
  Tue Feb 7 18:34:54 2006 : Info: rlm_eap_tls: Received EAP-TLS First Fragment of the message
  Tue Feb 7 18:34:55 2006 : Info: rlm_eap_tls: More fragments to follow
  Tue Feb 7 18:34:55 2006 : Info: (other): SSL negotiation finished successfully
  Tue Feb 7 18:34:55 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message
  Tue Feb 7 18:34:55 2006 : Auth: Login OK: [schneeball.netz-von-frank/no User-Password attribute] (from client DasGrosseWLAN port 24 cli 000e2e3ee98f)

In the client cert I have set the 1.3.6.1.5.5.7.3.2 (Client authentication) attribute. And the server cert has set the 1.3.6.1.5.5.7.3.1 (Server authentication) attribute.
Re: [radius] Re: Auth question
Nick Marino wrote:
> Only when NAS send the request to FR does it generate that garbled password.

Then the shared secret is wrong. Or, there's a bug in the server that mangles the password only for that NAS. Which is more likely?

Alan DeKok.
Re: Deleting VLAN information while proxying
Alan DeKok wrote:
> Tomasz Wolniewicz wrote:
> > Our university radius server sets VLAN information based on user attributes from the LDAP directory. This works fine when the system is used internally. However when our user authenticates while visiting another institution, this VLAN information should not be sent out.
>
> rlm_attr_filter should work, I think.
>
> Alan DeKok.

Alan, thanks, but it seems that when freeradius does the internal proxy to service the eap-ttls then the pre-proxy and post-proxy are not being entered, and this is where we would expect to put attr_filter. We tried the post_auth but it refuses to take attr_filter.

Tomasz
Re: grouping rlm_ippool's
Mike O'Connor wrote:
> Do any one have any idea of how this could be made to work and/or have I not got this configuration correct.

I think it may work in the CVS head.

Alan DeKok.
Re: EAP/TLS work but with errors
Frank Büttner wrote:
> When a client try to log in with an valid certificate it works. But I get this error:
> TLS_accept:error in SSLv3 read client certificate A

Ignore it.

Alan DeKok.
System hangs with Apache SSL mod_auth_radius sending authentication information to a radius - my sql server.
Hi everyone,

I am having a problem with my apache web server hanging and am looking for help. I have checked the log files and am finding nothing to indicate the cause of the system hangs.

The web server which hangs is Fedora Core 4. The Radius - Mysql server is Redhat EL4.

httpd.conf excerpts:

  LoadModule cgi_module modules/mod_cgi.so
  LoadModule radius_auth_module /usr/lib/httpd/modules/mod_auth_radius-2.0.so

  #</IfModule>
  # End of proxy directives.

  # Add to the BOTTOM of httpd.conf
  # If we're using mod_auth_radius, then add it's specific
  # configuration options.
  #
  <IfModule mod_auth_radius-2.0.c>
  #
  # AddRadiusAuth server[:port] shared-secret [ timeout [ : retries ]]
  # Use localhost, the old RADIUS port, secret 'testing123',
  # time out after 5 seconds, and retry 3 times.
  AddRadiusAuth imp-dell-21:1812 password 5:3
  # ServerName RadiusPassword in clients.conf file
  #
  # AuthRadiusBindAddress hostname/ip-address
  #
  # Bind client (local) socket to this local IP address.
  # The server will then see RADIUS client requests will come from
  # the given IP address.
  #
  # By default, the module does not bind to any particular address,
  # and the operating system chooses the address to use.
  #
  #
  # AddRadiusCookieValid minutes-for-which-cookie-is-valid
  #
  # the special value of 0 (zero) means the cookie is valid forever.
  #
  AddRadiusCookieValid 5
  </IfModule>

/var/www/html/.htaccess file is unchanged:

  # A sample per-directory access-control configuration, to be used
  # as a '.htacces' file.
  #
  #
  # Use basic password authentication.
  # AuthType Digest won't work with RADIUS authentication.
  #
  AuthType Basic
  #
  # Tell the user the realm to which they're authenticating.
  # This string should be configured for your site.
  #
  AuthName "RADIUS authentication for localhost"
  #
  # don't use 'mod_auth'.
  # You might want to disable other authentication types here.
  # You can get a similar effect by commenting out the
  # 'AddModule mod_auth_*' lines, previously in httpd.conf
  #
  AuthAuthoritative off
  #
  # Use mod_auth_radius for all authentication, and make the responses
  # from it authoritative.
  #
  AuthRadiusAuthoritative on
  #
  # Make a local variation of AddRadiusCookieValid. The server will choose
  # the MINIMUM of the two values.
  #
  # AuthRadiusCookieValid minutes-for-which-cookie-is-valid
  #
  AuthRadiusCookieValid 5
  #
  # Set the use of RADIUS authentication at this Location"
  #
  # Locally set the RADIUS authentication active.
  #
  # If there is a directory which you do NOT want to have RADIUS
  # authentication for, then use a Directory directive, and
  # set "AuthRadiusActive Off"
  #
  AuthRadiusActive On
  #
  # require that mod_auth_radius return a valid user, otherwise
  # access is denied.
  #
  require valid-user

The error logs do not record what the problem is. Any ideas?

Frank Reiss
Re: [radius] Re: Auth question
----- Original Message -----
From: Alan DeKok
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, February 07, 2006 11:49 AM
Subject: Re: [radius] Re: Auth question

> The dictionaries have nothing to do with the passwords or shared secrets.
>
> The ascend dictionary should be included by default, but not all of it. Because there *are* duplicate values.
>
> Alan DeKok.

Yes thank you. I already corrected that problem.

Nick Marino - IT Solutions
Re: [radius] Re: Auth question
----- Original Message -----
From: Alan DeKok
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, February 07, 2006 11:50 AM
Subject: Re: [radius] Re: Auth question

> Nick Marino wrote:
> > Only when NAS send the request to FR does it generate that garbled password.
>
> Then the shared secret is wrong. Or, there's a bug in the server that mangles the password only for that NAS. Which is more likely?
>
> Alan DeKok.

It's more likely that the password is wrong, but I am sure that they are the same. Like I said, I even reset the password in the NAS to make sure. I will check again but I don't think that is the problem. Shared secret has been the same in the NAS for 3 years now and it has always worked. This just started after upgrading to the newest version of FR 1.1.0. Is there a place that I am missing that should have the shared secret in it that I haven't changed? I hate to ask, but exactly what all files need the shared password in it? clients.conf and where else? This just started after upgrading to the newest version of FR.

Nick Marino - IT Solutions
Re: Deleting VLAN information while proxying
Alan DeKok wrote:
> Can you not key off of the NAS information, and *not* add VLAN data, then?

I am not sure what you mean by that. Using NAS information is the only thing that came to our minds, that is we create a large hunt group containing all local NASes and add VLAN data only when this is hit. But we did not manage to make any comparison of NAS-IP-Address other than equality. If one could use regex then it would be easy, but somehow this did not seem to work.

Obviously one could use another dirty hack - add another proxy server and do all cleaning there, but it seems that there should be a clean and simple way of doing what we need.

Actually one might argue that it is the network provider that should be careful to filter out all foreign VLAN attributes on input, as it can be a security hazard not to do so, and this task is easily done with attr_filter. Unfortunately if a user gets to a site that does not filter VLAN attributes on input, in most cases the VLAN will not match anything useful and the user will not get connected, so it makes a lot of sense to block the VLANs also on the output as a good service to our users (not to mention the fact that telling people our VLAN numbers is probably not very wise either).

Tomasz
Re: [radius] Re: Auth question
Nick Marino wrote:
> Its more likely that the password is wrong but, I am sure that they are the same.

If the password is wrong, then you'll see the wrong password, rather than random binary nonsense.

> Shared secret has been the same in the nas for 3 years now and it has always worked. This just started after upgrading to the newest version of FR 1.1.0.

That's not good. What happens when you use radclient from 1.0.5 to the 1.1.0 server?

> Is there a place that I am missing that should have the shared secret in it that I havent changed. I hate to ask but exactly what all files need the shared password in it. clients.conf and where else?

Nowhere else.

Alan DeKok.
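Why a wrong shared secret shows up as binary garbage while a wrong password shows up as a readable wrong password: the User-Password attribute is not encrypted with a cipher, it is XORed block by block with MD5(secret + Request Authenticator), so decoding with a different secret yields 16 random-looking bytes. The following is an added example worked through in Python, not code from FreeRADIUS or from anyone on this thread; the secrets, the password, the user name and the Request Authenticator are made-up test values, and the log-style rendering mimics the octal escapes seen in the "Login incorrect" line above.

```python
"""RFC 2865 section 5.2 User-Password hiding, and what a wrong shared secret
does to it. Added example, not FreeRADIUS code. All values are constructed.
"""
import hashlib
import os


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a cleartext password the way the NAS does.

    The password is null-padded to a multiple of 16 octets, then every
    16-octet block is XORed with MD5(secret + previous ciphertext block); for
    the first block the 'previous block' is the Request Authenticator from
    the packet header.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Decode the way the server does, using the secret from clients.conf.
    Trailing padding nulls are stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def log_escape(data: bytes) -> str:
    """Render bytes the way the 1.x log shows them: printable ASCII as-is,
    anything else (and the backslash itself) as a C-style octal escape."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b != 0x5C else "\\%03o" % b
                   for b in data)


def what_the_server_sees(password: bytes, nas_secret: bytes, server_secret: bytes,
                         authenticator: bytes = None) -> bytes:
    """NAS hides with its secret; server reveals with the secret it has for
    that client. If authenticator is None a fresh random one is used, as a
    real NAS does per request."""
    if authenticator is None:
        authenticator = os.urandom(16)
    hidden = hide_user_password(password, nas_secret, authenticator)
    return reveal_user_password(hidden, server_secret, authenticator)


if __name__ == "__main__":
    auth = bytes(range(16))  # constructed; real NASes pick random bytes
    for server_secret in (b"testing123", b"testing124"):
        seen = what_the_server_sees(b"hunter2", b"testing123", server_secret, auth)
        print("server secret %r -> Login incorrect: [nickm/%s]"
              % (server_secret, log_escape(seen)))
```

Two practical points follow from this. First, a plain PAP Access-Request carries no integrity check of the shared secret unless the NAS adds a Message-Authenticator (RFC 2869), so the server cannot tell "wrong secret" from "odd password" except by what the decode looks like; that is exactly why the advice in this thread is to compare clients.conf against the NAS and to try radclient with the same secret. Second, a mistyped password on the NAS side still decodes to readable text, and a secret that is right only for the first request (for example an entry matched by the wrong client block in clients.conf) produces garbage on every request from that address.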
Re: [radius] Re: Auth question
The only files I know of that use the secret password are clients.conf and proxy.conf. Make sure your clients.conf has an entry for your NAS with the correct IP address and the correct secret. I don't think you'll need to touch the proxy.conf file; it's used for proxying RADIUS requests that successfully reach you to another RADIUS server, and you apparently aren't receiving requests successfully.

On 2/7/06, Nick Marino wrote:
> Its more likely that the password is wrong but, I am sure that they are the same. Like I said I even reset the password in the nas to make sure. I will check again but I dont think that is the problem. Shared secret has been the same in the nas for 3 years now and it has always worked. This just started after upgrading to the newest version of FR 1.1.0. Is there a place that I am missing that should have the shared secret in it that I havent changed. I hate to ask but exactly what all files need the shared password in it. clients.conf and where else?
Building on Solaris 10
Hi guys.

When building FreeRADIUS on Solaris, which compiler should I use? Has anyone built FR with the Sun compiler?

Thanx
Paul
Decrypt Chap Password
Is there an easy way to see what password is being sent to FR when the pass is sent as Chap-Password?

-- 
respectfully,
Joseph
Re: [radius] Re: Auth question
Yes, I don't think it's a NAS problem at all. The garbled password you are seeing that I sent is the user's actual password. When that request comes from the NAS and rlm_pap tries to auth it, the password is showing up like that. If you look at what I posted you will see it is a username/password pair and the password is getting garbled.

  Login incorrect: [nickm/d\313f`\247+4\203\360/\367]

Also I stated if I test it from Dialup Admin using the same shared secret for the NAS it works fine and the password is not garbled. Only when it comes from the NAS to FR. The packets are being accepted from the NAS, that is not the issue. To prove it to myself, I set in the users file

  DEFAULT Auth-Type := Accept

so it will let everything go through, and it does. The packets come from the NAS and although they still have garbled passwords when FR processes them in rlm_pap, it allows them to connect due to the DEFAULT I have set in the users file. At that point the user logs in and they show up in Dialup Admin as they should. Even the accounting packets work from that point on.

Nick Marino - IT Solutions

----- Original Message -----
From: Andrew Browning
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, February 07, 2006 1:56 PM
Subject: Re: [radius] Re: Auth question

> The only files I know of that use the secret password are clients.conf and proxy.conf. Make sure your clients.conf has an entry for your NAS with the correct IP address and the correct secret. I don't think you'll need to touch the proxy.conf file; it's used for proxying RADIUS requests that successfully reach you to another RADIUS server, and you apparently aren't receiving requests successfully.
Re: Decrypt Chap Password
Joseph [EMAIL PROTECTED] wrote:
> Is there an easy way to see what password is being sent to FR when the pass is sent as Chap-Password?

No. It's a one-way transformation.

Alan DeKok.
Re: Deleting VLAN information while proxying
Tomasz Wolniewicz [EMAIL PROTECTED] wrote:
> I am not sure what you mean by that. Using NAS information is the only thing that came to our minds, that is, we create a large hunt group containing all local NASes and add VLAN data only when this is hit. But we did not manage to make any comparison of NAS-IP-Address other than equality. If one could use a regex then it would be easy, but somehow this did not seem to work.

You can use rlm_passwd, and create a local group based on NAS IP address. Then in the users file, key off of the local group, and set the VLAN. See man rlm_passwd for examples of doing something similar.

Alan DeKok.
Re: grouping rlm_ippool's
Alan DeKok wrote:
> Mike O'Connor [EMAIL PROTECTED] wrote:
> > Does anyone have any idea of how this could be made to work, and/or have I not got this configuration correct?
>
> I think it may work in the CVS head.
>
> Alan DeKok.

Mike, repost success if any, I will do the same ;-)

--
regards,
Georgi Alexandrov
Key Server = http://pgp.mit.edu/ :: KeyID = 37B4B3EE
Key Fingerprint = E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE
ascend-data-filters
I've been told that I need to configure ascend-data-filters to pass ADFs to make port 25 work for our dialup users. Does he mean something like this?

Ascend-Data-Filter = ip in forward destport = 25
RE: How to kick a logged user
Hi,

Thanks for the answers. Well, after testing a while and checking the dusty radkill script, I'd like to comment, for the mailing list archive, about what I tested/found:

- For the record: Freeradius can't kick a logged user. There's no configuration option in radiusd.conf or something to kick a connected user.
- To kick a user you should access the NAS and reset the port where the user is connected to.
- To create a script for this task, you can:

1. Get the port where the user is logged in with the radwho command, i.e.:

   radwho | grep 'username' | awk '{print $3 $6}'

   (This should give you a string with the port and the NAS where username is connected.)

2. Telnet to the NAS and reset the port. I.e., you can use the PHPTelnet.php class (http://www.geckotribe.com/php-telnet/). Then you can do something like this:

   require_once 'PHPTelnet.php';
   $telnet = new PHPTelnet();
   $result = $telnet->Connect('Nas_IP', 'Nas_root_user', 'Nas_root_pwd');
   $command_to_send = "reset " . $port;
   $telnet->DoCommand($command_to_send);
   $telnet->Disconnect();

   or adjust it with the commands that your NAS uses.

HTH someone in the future.

Edo
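A worked version of the lookup step above, added here as an example that is not Edo's script and not part of FreeRADIUS: it parses a constructed radwho-style listing (the header line and column layout are an assumption, as are the hostnames and ports in it), finds the NAS and port for a username, and only then builds the reset command. The transport to the NAS is passed in as a `send` callable so the parsing and validation can be exercised without a live NAS; the port and NAS fields are checked against a strict character set before being interpolated into a CLI command, because they originate in accounting data the NAS reported rather than in anything the operator typed.

```python
"""Locate a dial-in user's NAS and port from a radwho listing, then build
the NAS reset command.  Added example; the sample listing is constructed
and its column layout (header line, then one session per line) is assumed.
"""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample in the shape of a radwho listing.  Real output depends
# on the radwho version; only the header-driven slicing below is relied on.
SAMPLE_RADWHO = (
    "Login      Name              What  TTY    When      From      Location\n"
    "alice      Alice Example     PPP   S12    Tue 10:47 nas1      10.0.0.5\n"
    "bob        Bob Example       PPP   S7     Tue 11:02 nas2      10.0.0.9\n"
)

# Only plain tokens are ever echoed into a NAS CLI command.  Login, TTY and
# From are populated from accounting packets the NAS sent, so anything with
# spaces, quotes or shell metacharacters is rejected instead of interpolated.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._/-]{1,32}$")


def parse_radwho(text: str) -> List[Dict[str, str]]:
    """Split a listing into dicts keyed by header column name.

    Columns are sliced at the character offset where each header word
    starts, so a multi-word field such as a full name stays intact.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    rows = []
    for line in lines[1:]:
        row = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else len(line)
            row[name] = line[start:end].strip()
        rows.append(row)
    return rows


def find_session(username: str, listing: str) -> Optional[Tuple[str, str]]:
    """Return (nas, port) for the first session whose Login matches."""
    for row in parse_radwho(listing):
        if row.get("Login") == username:
            return row.get("From", ""), row.get("TTY", "")
    return None


def build_reset_command(port: str) -> str:
    """Build the CLI command, refusing any port value that is not a token."""
    if not SAFE_TOKEN.match(port):
        raise ValueError(f"refusing to send unsafe port identifier: {port!r}")
    return f"reset {port}"


def kick_user(username: str, listing: str,
              send: Callable[[str, str], None]) -> Optional[str]:
    """Locate the user and hand `send(nas, command)` the reset command.

    `send` is the NAS transport (telnet/SSH wrapper), injected so this can
    run without a NAS.  Returns the command sent, or None if not online.
    """
    found = find_session(username, listing)
    if found is None:
        return None
    nas, port = found
    if not SAFE_TOKEN.match(nas):
        raise ValueError(f"refusing unsafe NAS name: {nas!r}")
    cmd = build_reset_command(port)
    send(nas, cmd)
    return cmd


def live_radwho() -> str:
    """Capture the real radwho output (not used by the sample run below)."""
    return subprocess.run(["radwho"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    sent = []
    kick_user("alice", SAMPLE_RADWHO, lambda nas, cmd: sent.append((nas, cmd)))
    print(sent)  # [('nas1', 'reset S12')]
```

In production `send` would wrap whatever management channel the NAS offers, and `live_radwho()` replaces the constructed listing; the validation step stays the same either way.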
Proxy reply and setting attribute in users file
Hi all

In the 'users' file, I have the following lines:

DEFAULT Huntgroup-Name == Security-Devices, LDAP-Group == group1, Proxy-To-Realm := 'innerradius'
        Class:=OU=vpngroupa;,
        Fall-Through = No

DEFAULT Huntgroup-Name == Security-Devices, LDAP-Group == group2, Proxy-To-Realm := 'innerradius'
        Class:=OU=vpngroupb;,
        Fall-Through = No

(The Inner Radius server provides the authentication - one time password.)

The problem is that setting the Class attribute does not happen. Presumably, this is because of the setting post_proxy_authorize = no in the file proxy.conf. When post_proxy_authorize is set to yes, the Class attribute does get set, but then the 'users' file is traversed twice, which is obviously an overhead, considering that the 'users' file has many other unrelated entries, not just the ones shown here. Also, setting post_proxy_authorize = yes is just there for backwards compatibility, as per the comments in the proxy.conf file, and is not the preferred setting, I presume, in the future.

My question then is, how do I set the Class attribute for the various different cases, two examples of which are shown above, if not as I have shown above? Would that be via the post_proxy section? If so, could anyone give me an example of how this could be done?

FYR, this is being run on FreeRadius 1.0.1 on Redhat Enterprise Linux 3.

Thanks
SW
Re: Using STORED PROCEDURE with Freeradius
2006/2/7, Saeed Ahmed [EMAIL PROTECTED]:
> Hi,
>
> For some reasons I have to use a stored procedure with Freeradius, but I am getting the following error from MySQL:
>
> Error: 1312 SQLSTATE: 0A000 (ER_SP_BADSELECT)
> Message: PROCEDURE %s can't return a result set in the given context
>
> You can consider the following example. Instead of the following authorize_check_query:
>
>     authorize_check_query = "SELECT id, UserName, Attribute, Value, op, uid \
>         FROM ${authcheck_table} \
>         WHERE Username = '%{SQL-User-Name}' \
>         ORDER BY id"
>
> I want to use this:
>
>     authorize_check_query = "CALL molo('%{SQL-User-Name}')"
>
> And this is my stored proc in MySQL:
>
>     DELIMITER $$
>     DROP PROCEDURE IF EXISTS `radius`.`molo`$$
>     CREATE PROCEDURE `molo`(did VARCHAR(10))
>     BEGIN
>       DECLARE rid   INT;
>       DECLARE ruid  VARCHAR(15);
>       DECLARE rattr VARCHAR(15);
>       DECLARE rop   CHAR(2);
>       DECLARE rval  VARCHAR(10);
>       SELECT id, UserName, Attribute, Value, op
>         INTO rid, ruid, rattr, rop, rval
>         FROM radcheck
>        WHERE UserName = did;
>       SELECT rid, ruid, rattr, rop, rval;
>     END$$
>     DELIMITER ;
>
> I can call this stored proc from any MySQL client successfully, but if I call it from sql.conf it gives error 1312. Any solution please?
>
> Thanks in advance
> Saeed Ahmed.

Perhaps it happens because of the field names returned by the molo procedure. I think you have to use UserName instead of ruid because the UserName field is already mapped to the User-Name attribute. Or you have to change how freeradius maps the attributes to the fields in your database.

Regards
Agus