Re: Why is the default DH keysize only 512 bits?
Jason Wittlin-Cohen [EMAIL PROTECTED] wrote:
> I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.

If you're talking about the key length in the EAP-TLS module, it looks like those aren't being used for anything. See the source. It does look like the EAP-TLS code is setting a 512-bit ephemeral RSA key, but my reading of the OpenSSL docs indicates it won't be used, because SSL_OP_EPHEMERAL_RSA isn't being set. So that code could be deleted entirely.

> I originally thought that the DH keysize would be determined by the DH parameter file and only realized that it was still using 512 bit keys when I ran freeradius in debug mode.

Which prints out configuration entries that aren't being used.

$ cd src/modules/rlm_eap
$ grep -r key_length .
./libeap/mppe_keys.c:   PRF(s->session->master_key, s->session->master_key_length,
./libeap/mppe_keys.c:   PRF(s->session->master_key, s->session->master_key_length,
./types/rlm_eap_tls/rlm_eap_tls.c:      { "rsa_key_length", PW_TYPE_INTEGER,
./types/rlm_eap_tls/rlm_eap_tls.c:        offsetof(EAP_TLS_CONF, rsa_key_length), NULL, "512" },
./types/rlm_eap_tls/rlm_eap_tls.c:      { "dh_key_length", PW_TYPE_INTEGER,
./types/rlm_eap_tls/rlm_eap_tls.c:        offsetof(EAP_TLS_CONF, dh_key_length), NULL, "512" },
./types/rlm_eap_tls/rlm_eap_tls.h:      int     rsa_key_length;
./types/rlm_eap_tls/rlm_eap_tls.h:      int     dh_key_length;

See? They're config options that aren't used. They should be deleted.

> Also, it might be a good idea to put a comment in the TLS cipher suite comment section that the Microsoft Windows supplicant in Windows XP SP2 uses RC4-MD5 by default (TLS_RSA_WITH_RC4_128_MD5).

OK... the cipher_list configuration entry can be edited to force particular methods, if you so desire.

> OpenSSL's 'HIGH' setting is probably the best for a Windows XP user as it uses EDH-RSA-DES-CBC3-SHA (TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA), so SHA1 is used for integrity, and DH is used for key exchange.

OK. That's good to note in the comments.

> Windows XP SP2 and earlier versions of Windows do not support AES for use in any of the EAP modes. Apparently, if you want to use AES you need to upgrade to Vista (See Security in Vista

OK...

  Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How to add group in freeradius
Hello,

Can someone explain how to add groups in freeradius. And how to add the user in that group.

Thanks.
Re: dumb humble question about sqlippool
On Fri 29 Sep 2006 01:02, Guilherme Franco wrote:
> Thank you very much for your kindness. I'm sorry, again, for posting too many questions about this. It's correct that I'm trying to put this in production as this is the only module that does not work for me. I'm happy with dialup_admin, AAA and everything else in Oracle! The only missing thing is sqlippool :( I know that it is an experimental module and I also have limited time to work on this module as it's not for me, it's for another company. In the mean time, I'm using the regular ippool db on NFS with just 1 radius active at a time (to prevent lockups). That was the only way I've managed to do ippools with 2 servers (are there any alternatives?). As you see I can't abandon oracle, nor install postgres as it would break some dependencies with other oracle databases that we have. I'm being such a pain for you guys because the sqlippool module is almost working! If I saw that it wouldn't work at all, I would never have taken the time to work on it as I'm taking now :) I appreciate your concerns and as I'm out of time to deliver the solution to the client, I think I can't try sqlippool anymore. That's a shame because I'm almost there! Now that I've managed to change some things it's doing all the selects without any errors (that return ie: ip 1.1.1.1 in sqlplus) but it's stating sqlippool_query1: row[0] returned NULL in radiusd -X (how can it be null if the select was successful?). It's the only [EMAIL PROTECTED] thing that is preventing the user from getting an IP!!

That kind of thing just takes time to debug...

> Besides that, if I don't set pool_name = name_of_the_pool in sqlippool.conf, allocate-find tries to select from ippool (which does not exist) instead of the one I've set in the radippool table.

I would double check this behaviour. It should not select at all if there is no pool-name. NONE of the ippool modules let you set the pool name. You HAVE to set Pool-Name = whatever as a check item

> Other issue is related to multiple pools, one with dynamic IP's and other with fixed ones (actually it's not possible to do that with only just one sqlippool.conf file without modifying rlm_sqlippool.c).

IT IS!! Run two copies of the module!

> Another thing lies in proxy - if the proxy returns IP 255.255.255.254 for me, sqlippool does not override it and does nothing (it doesn't have the override = yes option like ippool).

This can be added. Although why would you return an IP like that when you don't need to? Just return the Pool-Name and let the module do its job.

> So, to close this out, I would REALLY LIKE to make this work and help you guys as well, but because of lack of time, the only way would be to do this as an enhancement to the already deployed solution for the client, thanks.

Do you have sqlippool working with Postgresql?? It seems to me that you do not quite understand how it works, which tells me that you don't have a working installation to compare with. IF YOU DO NOT HAVE A WORKING INSTALLATION OF SQLIPPOOL ON POSTGRESQL DO THAT RIGHT NOW BEFORE DOING ANY MORE TESTING WITH ORACLE! PLEASE!!!

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Login-Time and Session-Time Conflict
We are using both Login-Time and Session-Time attributes with a rlm_sql configuration and the Login-Time attribute is always overriding the Session-Time. Meaning that if the Session-Time attribute value is less than the timeSpan difference of the Login-Time, the Login-Time timespan difference is still returned as the Session-Time value. I remember reading somewhere that in cases of both attributes being used, the most restrictive should be returned, however this is not happening. Can someone confirm what the real implementation is? We are running freeradius 1.1.1 on a Gentoo linux platform.

BTW -- If this is the desired functionality does anyone know a way to get our desired functionality of the smallest Session-Time being used instead of Login-Time?

Thank you,
Adam
Deny user based on MAC-address
Hi,

How can I deny a user from freeradius based on the MAC-address on the PC? I use the users file only. Do I need MAC Authentication for that?

Regards,
Torkel
RE: repeat until success?
-----Original Message-----
From: freeradius-users-bounces+proft=medizin.uni- [EMAIL PROTECTED] [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, September 28, 2006 6:43 PM
To: FreeRadius users mailing list
Subject: Re: repeat until success?

> Proft, Michael [EMAIL PROTECTED] wrote:
> > is it possible to configure freeradius to do something like repeat until success. I'm trying to authenticate local users at the same system freeradius is running on and I proxy requests to another radius server. I want to do this _without_ using realms. So if asking for local user and no success I want to continue proxying requests to another radius server. Is this possible in some way?
>
> That sounds more like look up in /etc/passwd, and if not found, proxy to X. That should be easy. Configure the passwd module to read /etc/passwd. Read doc/configurable_failover to see how to run the files module only if the passwd module returns notfound. Then in the users file, do:

Hmm, I can't get it to work :( How would the configuration part for the passwd module look (linux)? I read configurable_failover but can't get this to work, or I just don't understand. Could you give some example, Alan?

Thanks

> DEFAULT Proxy-To-Realm := realm
>
>   Alan DeKok.
> --
> http://deployingradius.com       - The web site of the book
> http://deployingradius.com/blog/ - The blog
RE: Deny user based on MAC-address
You can use in the users file something like that:

DEFAULT Fall-Through = Yes

# === 00:13:96:00:D3:7F ==
00139600D37F    Auth-Type := Local, [Some_Input_Attribute]
                [Some_Output_Attribute_1],
                [Some_Output_Attribute_2]

DEFAULT Auth-Type := Reject

Germán P. Santillán
Administrador de Redes
Jefe del Dpto. Técnico
DESETech Argentina S.A.
San Martín 133 - CP: B8000FIC
Bahía Blanca - Argentina
Tel/Fax: +54 (291) 456-5642
[EMAIL PROTECTED]
http://www.desetech.com.ar
Re: dumb humble question about sqlippool
Thanks for all the answers Mr. Peter! To clarify some things:

> NONE of the ippool modules let you set the pool name. You HAVE to set Pool-Name = whatever as a check item

The radcheck table already has Pool-Name := whatever as attribute, op, value for all users, but that's ok because I can set it manually in sqlippool.conf and the select DOES run in the correct table then (xlat outputs correctly then and I did a network sniff that shows the query is ok).

> > Other issue is related to multiple pools, one with dynamic IP's and other with fixed ones (actually it's not possible to do that with only just one sqlippool.conf file without modifying rlm_sqlippool.c).
>
> IT IS!! Run two copies of the module!

Sorry, I meant that I think that it is not possible without loading 2 or more modules (just with one module and one sqlippool.conf), dumb question, sorry.

> > Another thing lies in proxy - if the proxy returns IP 255.255.255.254 for me, sqlippool does not override it and does nothing (it doesn't have the override = yes option like ippool).
>
> This can be added. Although why would you return an IP like that when you don't need to? Just return the Pool-Name and let the module do its job.

I didn't think about it, thanks.

Besides that I had to remove the BEGIN statement of allocate-begin (and all other begins) because oracle does not need it, and if you need to specify begin, then it needs to be done in a different way (through the sniff, I saw that the begin was stated, then 4 space chars and then a / which is the same as doing BEGIN;/ in sqlplus, generating ORA end-of-file errors). Don't know where that / came from though. To solve this, I had to change BEGIN in allocate-begin to commit (a normal oracle operation before any query).

About the postgresql installation, I was thinking of installing it. I will do that just to see its behaviour, thanks.

THANKS A LOT AGAIN!
peap client constantly re-authenticating
Dear list,

This may not be the right place to discuss this issue, but radiusd -X is the only info I've got to go on. The windows PEAP client re-authenticates every 10-20 seconds or so. Has anybody else seen this? Is it normal behaviour? I have a cisco wlan controller, and freeradius 1.1.2. My OS X 802.1x client doesn't do this.

Cheers for any pointers,
Rob
Re: Why is the default DH keysize only 512 bits?
Alan DeKok wrote:
> Jason Wittlin-Cohen [EMAIL PROTECTED] wrote:
> > I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.
>
> If you're talking about the key length in the EAP-TLS module, it looks like those aren't being used for anything. See the source. It does look like the EAP-TLS code is setting a 512-bit ephemeral RSA key, but my reading of the OpenSSL docs indicates it won't be used, because SSL_OP_EPHEMERAL_RSA isn't being set. So that code could be deleted entirely.
>
> > I originally thought that the DH keysize would be determined by the DH parameter file and only realized that it was still using 512 bit keys when I ran freeradius in debug mode.
>
> Which prints out configuration entries that aren't being used.
>
> $ cd src/modules/rlm_eap
> $ grep -r key_length .
> ./libeap/mppe_keys.c:   PRF(s->session->master_key, s->session->master_key_length,
> ./libeap/mppe_keys.c:   PRF(s->session->master_key, s->session->master_key_length,
> ./types/rlm_eap_tls/rlm_eap_tls.c:      { "rsa_key_length", PW_TYPE_INTEGER,
> ./types/rlm_eap_tls/rlm_eap_tls.c:        offsetof(EAP_TLS_CONF, rsa_key_length), NULL, "512" },
> ./types/rlm_eap_tls/rlm_eap_tls.c:      { "dh_key_length", PW_TYPE_INTEGER,
> ./types/rlm_eap_tls/rlm_eap_tls.c:        offsetof(EAP_TLS_CONF, dh_key_length), NULL, "512" },
> ./types/rlm_eap_tls/rlm_eap_tls.h:      int     rsa_key_length;
> ./types/rlm_eap_tls/rlm_eap_tls.h:      int     dh_key_length;
>
> See? They're config options that aren't used. They should be deleted.

So, if dh_key_length is being ignored, how is the DH key size determined? By the DH parameter file?

Jason
Re: dumb humble question about sqlippool
On Fri 29 Sep 2006 15:23, Guilherme Franco wrote:
> Thanks for all the answers Mr. Peter! To clarify some things:
>
> > NONE of the ippool modules let you set the pool name. You HAVE to set Pool-Name = whatever as a check item
>
> The radcheck table already has Pool-Name := whatever as attribute, op, value for all users, but that's ok because I can set it manually in sqlippool.conf and the select DOES run in the correct table then (xlat outputs correctly then and I did a network sniff that shows the query is ok).

If you set it in sqlippool.conf it is ignored by the module. It will make no difference to the operation at all.

> > > Other issue is related to multiple pools, one with dynamic IP's and other with fixed ones (actually it's not possible to do that with only just one sqlippool.conf file without modifying rlm_sqlippool.c).
> >
> > IT IS!! Run two copies of the module!
>
> Sorry, I meant that I think that it is not possible without loading 2 or more modules (just with one module and one sqlippool.conf), dumb question, sorry.

OK. We specifically designed the module so you can run more than one instance of it (like most other radius modules) and the different instances may have different queries, tables and sql connections (completely different database types if you wish).

> > > Another thing lies in proxy - if the proxy returns IP 255.255.255.254 for me, sqlippool does not override it and does nothing (it doesn't have the override = yes option like ippool).
> >
> > This can be added. Although why would you return an IP like that when you don't need to? Just return the Pool-Name and let the module do its job.
>
> I didn't think about it, thanks.

You are welcome :-) In fact we have added today the capability to detect an ip address of 255.255.255.254 but this makes no sense except for when you are acting as a proxy and wish to add an ip address from a pool to an accept packet coming from a home server. Just use Pool-Name for all local users.

> Besides that I had to remove the BEGIN statement of allocate-begin (and all other begins) because oracle does not need it, and if you need to specify begin, then it needs to be done in a different way (through the sniff, I saw that the begin was stated, then 4 space chars and then a / which is the same as doing BEGIN;/ in sqlplus, generating ORA end-of-file errors). Don't know where that / came from though. To solve this, I had to change BEGIN in allocate-begin to commit (a normal oracle operation before any query).

Please send me a copy (privately if you wish) of your existing sqlippool.conf and working source code (or patch) so that we can integrate it into the existing code.

> About the postgresql installation, I was thinking of installing it. I will do that just to see its behaviour, thanks.

OK. I assumed that you had done this long ago. Please do it as a test.

> THANKS A LOT AGAIN!

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
My FreeRadius doesn't log anything
Hi everybody,

I am a real newbie to FreeRadius, I am migrating from an existing Livingston radius. My concern here is this one: I am unable to configure my server to log auth requests. The two Auth-Types I use here are either Local or System, and the server doesn't log either. Here is a run with only one request. The log file and the pid file don't exist after this run. The directories used for logging are writable for the user under which the server is running. Any clue?

# /usr/local/radius/ppp/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/ppp/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/ppp/etc/raddb/snmp.conf
 main: prefix = /usr/local/radius/ppp
 main: localstatedir = /usr/local/radius/ppp/var
 main: logdir = /usr/local/radius/ppp/var/log/radius
 main: libdir = /usr/local/radius/ppp/lib
 main: radacctdir = /usr/local/radius/ppp/var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /usr/local/radius/ppp/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/radius/ppp/var/run/radiusd/radiusd.pid
 main: user = radiusppp
 main: group = radiusppp
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/radius/ppp/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/radius/ppp/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded System
 unix: cache = no
 unix: passwd = /usr/local/radius/ppp/etc/raddb/passwd
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/radius/ppp/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/radius/ppp/etc/raddb/huntgroups
 preprocess: hints = /usr/local/radius/ppp/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = /usr/local/radius/ppp/etc/raddb/users
 files: acctusersfile = /usr/local/radius/ppp/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/radius/ppp/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded detail
 detail: detailfile = /usr/local/radius/ppp/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /usr/local/radius/ppp/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:35846, id=185, length=47
        User-Name = demogw
        CHAP-Password = 0xb9f4107bffcf854f69e8eec05eb04cd67f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
    users: Matched entry demogw at line 54
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password matches local User-Password
Login OK: [demogw] (from client localhost port 0)
Sending Access-Accept of id 185 to 127.0.0.1 port 35846
        User-Service-Type = Framed-User
        NAS-Port-Type = ISDN
        Port-Limit = 8
Re: My FreeRadius doesn't log anything
On Fri 29 Sep 2006 17:08, Didier Benza wrote:
> Hi everybody,
>
> I am a real newbie to FreeRadius, I am migrating from an existing Livingston radius. My concern here is this one: I am unable to configure my server to log auth requests. The two Auth-Types I use here are either Local or System, and the server doesn't log either. Here is a run with only one request. The log file and the pid file don't exist after this run. The directories used for logging are writable for the user under which the server is running. Any clue?

If you run in debug mode (-X) the server logs to the screen instead of the disk.

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
rlm_perl behaviour
When I call a perl module via rlm_perl and don't undef %RAD_CHECK and %RAD_REPLY before exiting, rlm_perl duplicates some attributes contained within the hashes. For instance:

At entry to rlm_perl instance:
  $RAD_CHECK{Ldap-Group} is an ARRAY: (GroupA, GroupB)

After exiting the script, "Added pair Ldap-Group" messages appear in debug output. If I call another perl script to dump the %RAD_CHECK hash, it shows:
  $RAD_CHECK{Ldap-Group} is an ARRAY: (GroupA, GroupB, GroupA, GroupB)

If I undef %RAD_CHECK before exiting from the first perl module, the values are not duplicated.

I did some analysis of the sequence of events and I believe this is what's happening:
- rlm_ldap creates the Ldap-Group attributes on the check list with operator T_OP_CMP_EQ during authorize (Ldap-Group is a checkItem in my ldap.attrmap)
- upon return from the perl script, rlm_perl calls pairmove to move the attributes from the RAD_CHECK, RAD_REPLY and RAD_PROXY_REPLY hashes back to the respective pairlist.
- pairmove adds attributes to the destination list for operator T_OP_CMP_EQ (takes default case) which creates duplicates

Is this expected behaviour of rlm_perl? If so, can it be put on the to-do list for rlm_perl documentation updates (or is it there already and I missed it)? Also, this seems to imply that it's not possible to change or remove, at least, some types of check or reply attributes from within rlm_perl?

Also, the wiki for rlm_perl states that it passes configuration pairs in %RAD_CONFIG. I don't believe this is true (the hash is empty and I checked the source for 1.1.2, 1.1.3 and the latest snapshot and it doesn't create that hash). Is this a feature that is in the works or is the wiki incorrect?

I can supply debug output, radiusd.conf and scripts if necessary.

Thanks.
mysql radacct table no query
Hmm, I was testing the mysql backend with freeradius 1.1.3. Looks good at first glance, but I bumped into something essential (for us that is). We'd like to link MAC addresses with the user accounts.

What did I do:
I added a user in table radcheck. Worked!
Next step, added the same user in table radacct:
  username: gebruiker
  CalledStationId: 00166f980e79
Did not work! I change the MAC address to a wrong one, and I still get in.?? Also in debug (radiusd -X) no radacct query is done?, so no attribute checks are done !!??

So my question is, how can I make the attributes work with the mysql backend.. are we missing some mysql queries in the sql.conf ??
(btw, this all did work with the 'users' file from freeradius)

Cheers
Collen
Re: mysql radacct table no query
You should be putting it in radcheck, so it's checked when you log in. radacct is used to store accounting information (like session times etc :))

Hope this helps,
Jan Mulders
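The two answers above (Germán's users-file entries keyed on the MAC with a DEFAULT Reject at the end, and Jan's point that check items belong in radcheck, not radacct) both come down to comparing the MAC the NAS reports against a list. As an added example, not code from the thread or from FreeRADIUS, here is the same check in Python, extended to handle the different MAC spellings NASes send (00-13-96-00-D3-7F, 00:13:96:00:d3:7f, 0013.9600.d37f, 00139600D37F) and to bind a MAC to a user name as Collen wanted. It reads the client MAC from Calling-Station-Id; Called-Station-Id carries the NAS/AP side and is the wrong attribute for this. The bindings table and the request dictionaries are constructed sample data. A MAC is an identifier the client chooses to send, not a credential, so this is a check item next to real authentication, not a replacement for it.

```python
"""Per-user MAC binding check on Calling-Station-Id (added example).

The MAC arrives in whatever spelling the NAS vendor uses, so everything is
reduced to 12 lowercase hex digits before comparison. Input below is
constructed sample data, not taken from the thread.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical_mac(value):
    """Strip separators and lowercase; None if the result is not 48 bits of hex."""
    if value is None:
        return None
    mac = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return mac if _HEX12.match(mac) else None


def decide(request, bindings):
    """Return 'accept' or 'reject' for a request (dict of RADIUS attributes).

    bindings maps User-Name -> iterable of permitted MACs in any spelling.
    Mirrors the users-file pattern in the thread: listed MAC -> accept,
    everything else (unknown user, missing or foreign MAC) -> reject.
    """
    user = request.get("User-Name")
    mac = canonical_mac(request.get("Calling-Station-Id"))  # client side, not Called-Station-Id
    allowed = {canonical_mac(m) for m in bindings.get(user, ())} - {None}
    if not allowed:
        return "reject"  # no registered MAC for this user, or no such user
    return "accept" if mac in allowed else "reject"


# Constructed bindings table (what Collen put in the wrong table, radacct).
BINDINGS = {
    "gebruiker": ["00:16:6F:98:0E:79"],
    "torkel": ["00-13-96-00-D3-7F", "0013.9600.d380"],
}

# Constructed requests exercising each branch.
SAMPLE_REQUESTS = [
    {"User-Name": "gebruiker", "Calling-Station-Id": "00-16-6f-98-0e-79"},  # accept
    {"User-Name": "gebruiker", "Calling-Station-Id": "00-16-6f-98-0e-7a"},  # wrong MAC
    {"User-Name": "gebruiker"},                                             # NAS sent no MAC
    {"User-Name": "torkel", "Calling-Station-Id": "0013.9600.d380"},        # Cisco spelling
    {"User-Name": "nobody", "Calling-Station-Id": "00-16-6f-98-0e-79"},     # unknown user
]


def run_samples():
    """Decisions for SAMPLE_REQUESTS, in order."""
    return [decide(r, BINDINGS) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{req.get('User-Name'):10} {req.get('Calling-Station-Id')!s:20} -> {verdict}")
```

If you keep the check in radcheck, the row is the same comparison: `Calling-Station-Id` with op `==` and the MAC in the spelling your NAS actually sends, since rlm_sql compares the strings as-is.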
Questions about latest CVS
Hi, all

I just installed the radiusd from CVS successfully. There are two questions:

Does the radiusd server listen on an IPv6 address by default?
How to use radclient with IPv6?

Regards
Help to pass a local variable from Freeradius to exec program
Hi All

I am trying to pass an integer value from FreeRADIUS to an exec program. I have tried to add it as a value pair using paircreate() and then added the same to request->packet->vps using pairadd. Set the lvalue, strvalue etc and passed to radius_exec_program from the rad_accounting module. Also set tmp->name = Attribute-Name-Format. Still the attribute and value are not getting printed in the exec program. Any help in this regard would really help me.

Thanks and regards
Shankar ganesh
Re: Questions about latest CVS
[EMAIL PROTECTED] wrote:
> Does the radiusd server listen on an IPv6 address by default?

No. You have to configure it.

> How to use radclient with IPv6?

Send the request to an IPv6 address?

  Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Freeradius is not restarting properly (fails to quit and becomes a zombie process)
Jason Wittlin-Cohen [EMAIL PROTECTED] wrote:
> Over the last few days I've been having a recurring problem. Whenever I start Freeradius either with radiusd in a terminal or as a service in Debian, I can not restart/kill radiusd properly if it's authenticated any clients. Restarting the service says it's successful but the radius log states that port 1812 is already in use. top shows 100% cpu usage

It looks like http://bugs.freeradius.org/show_bug.cgi?id=365

The solution is to not re-initialize the modules on HUP. It works in *most* cases, because the code handling the HUP tries to wait until all of the modules have stopped. But if your back-end DB's are slow, it doesn't have much choice but to proceed with handling the HUP. Most people don't see it because the modules respond quickly.

I'd say the first step to a work-around is to make sure none of the modules you're using are blocking the server.

  Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: How to add group in freeradius
William A. Peroche [EMAIL PROTECTED] wrote:
> Can someone explain how to add groups in freeradius. And how to add the user in that group.

See the FAQ, or man rlm_passwd

  Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Login-Time and Session-Time Conflict
Adam Tybor [EMAIL PROTECTED] wrote:
> I remember reading somewhere that in cases of both attributes being used, the most restrictive should be returned, however this is not happening. Can someone confirm what the real implementation is? We are running freeradius 1.1.1 on a Gentoo linux platform.

If you set Session-Time *before* Login-Time, the Login-Time code does the right thing.

If you set Session-Time *after* Login-Time, then you have to check the values manually.

Alan DeKok.
Re: Accounting stopped
[EMAIL PROTECTED] wrote:
> Since a power cut last Sunday FreeRadius has stopped writing to its log files and updating radacct in MySQL. It is continuing to authenticate users. It gives no error messages running radiusd -X. I've tried upgrading from 1.0.3 to 1.1.3 with no effect.

I would suggest that something else on the machine broke when the power failed, like maybe the MySQL client libraries.

Install a new OS on a new machine, and copy the configuration there... making sure that the configuration is OK.

Alan DeKok.
Re: repeat until success?
Proft, Michael [EMAIL PROTECTED] wrote:
> Hmm, I can't get it to work :( How would the configuration part for the passwd module look (Linux)?

Why not post what you did here? That would be the easiest way to solve the problem.

Alan DeKok.
Re: Why is the default DH keysize only 512 bits?
Jason Wittlin-Cohen [EMAIL PROTECTED] wrote:
> So, if dh_key_length is being ignored, how is the DH key size determined? By the DH parameter file?

Apparently.

Alan DeKok.
Re: Login-Time and Session-Time Conflict
Alan,

I tried that prior and I just confirmed it. I have the following two rows in my radcheck table and I made sure, in the natural sort without the id, that Session-Timeout comes before Login-Time, and I still always get the Login-Time timespan diff as my Session-Timeout value.

Interestingly enough, when I debug on the server I see no debug output for the rlm_logintime module. Was this module not included in 1.1.1? When I look at the cvs source code I see where the check is made and see tons of DEBUG statements that are not showing up on my console.

Below is an example from my database and test.

radcheck
  id  user           attrib           op  value
  3   freeunlimited  Session-Timeout  :=  120
  4   freeunlimited  Login-Time       :=  Thu-2030-2130,Fri-1300-1600

radtest
  response: Access-Accept
  --- attrib dump ---
  Session-Timeout=9060

Adam

On 9/29/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Adam Tybor [EMAIL PROTECTED] wrote:
> > I remember reading somewhere that in cases of both attributes being used, the most restrictive should be returned, however this is not happening. Can someone confirm what the real implementation is? We are running freeradius 1.1.1 on a Gentoo linux platform.
>
> If you set Session-Time *before* Login-Time, the Login-Time code does the right thing.
>
> If you set Session-Time *after* Login-Time, then you have to check the values manually.
>
> Alan DeKok.
VSA and other attributes in Access-Accept
Hi:

Could anyone please provide me some advice on my question below. Currently I am seeing VSAs in my reply messages from freeRADIUS being passed in Access-Accept and Access-Challenge. I would like to limit certain VSAs to only Accepts, or Challenges. Is this possible - because according to the RFCs for 3GPP/3GPP2 only some of them are possible in certain types of responses.

Thx.
Regards, Mohammed.

Date: Thu, 30 Mar 2006 14:06:02 -0800 (PST)
From: Mohammed Petiwala [EMAIL PROTECTED]
Subject: VSA and other attributes in Access-Accept
To: freeradius-users@lists.freeradius.org

Hi:

First, thanks to the freeRADIUS team - this is one of the most flexible and powerful AAA available...

I've 2 questions:

1. I've set up my clients to authenticate using EAP-TTLS with MSCHAPv2 as the inner authentication protocol. This works fine with wpa_supplicant with Intel 2200b/g as well as the Cisco Aironet 350. I've created my own dictionary file with VSAs that are useful for my NAS once Access-Accept is returned. The 'users' file has the VSAs Attrib = Value listed after each user entry and I do see the attributes being returned correctly on Access-Accept. My question is (please correct me if I am wrong) - I see the VSAs being returned during the intermediate Access-Challenge messages too, even before authentication is complete. Is this the normal behavior? Is there a way to set up the freeRADIUS server so that the VSAs are only returned on Access-Accept and not during the Access-Challenge? The NAS does ignore the VSAs in any case during the challenge - but it would be good if there was a way to limit the message size for the Access-Challenge messages (only if this is valid from a RADIUS RFC perspective - if someone could clarify).

2. How can I set users in the 'users' file (an example would be very helpful if someone can send one) so that some users are only allowed to authenticate using EAP-TTLS while others are only allowed to use PEAP? Once I create an entry in the users file (and both authentications are EAP types), the user can authenticate using any EAP type - I would like to limit this per user. Is it possible??

Thx.
Regards, Mohammed.
Re: Login-Time and Session-Time Conflict
Adam Tybor [EMAIL PROTECTED] wrote:
> I have the following two rows in my radcheck table and I made sure the natural sort, without the id, that Session-Timeout comes before Login-Time

OK... looking at src/main/auth.c, the Login-Time update of Session-Timeout is done just before the Access-Accept is returned, so that should be working.

> Interestingly enough when I debug on the server I see no debug output for rlm_logintime module. Was this module not included in 1.1.1 because when I look at the cvs source code I see where the check is made and see tons of DEBUG statements that are not showing up on my console.

The module is not in 1.1.1.

Alan DeKok.
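The "most restrictive" rule Adam is asking about (the reply's Session-Timeout should never exceed either the configured Session-Timeout or the seconds left in the current Login-Time window) is easy to check outside the server. The following is an added example, not FreeRADIUS code and not the rlm_logintime module: it parses only the hyphenated Day-HHMM-HHMM form used in Adam's radcheck rows (plus "Any" for every day, an assumption; the other time-string forms the real module accepts are not handled), and computes what a correct reply should carry for a given clock time. The function and parameter names are the example's own.

```python
from datetime import datetime

# Weekday names in datetime.weekday() order (Monday == 0).
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_login_time(spec):
    """Parse 'Thu-2030-2130,Fri-1300-1600' into (weekdays, start_min, end_min) tuples.

    Constructed parser for the hyphenated form seen in the thread; 'Any'
    stands for every weekday (an assumption, not module syntax).
    """
    windows = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        day, start, end = part.split("-")
        days = set(range(7)) if day == "Any" else {DAYS.index(day)}
        start_min = int(start[:2]) * 60 + int(start[2:])
        end_min = int(end[:2]) * 60 + int(end[2:])
        if not (0 <= start_min < end_min <= 24 * 60):
            raise ValueError(f"bad Login-Time window {part!r}")
        windows.append((days, start_min, end_min))
    return windows


def seconds_left_in_window(login_time, now_iso):
    """Seconds until the end of the window containing `now_iso`, or None if
    the time falls outside every window (i.e. login is not permitted)."""
    now = datetime.fromisoformat(now_iso)
    minute_of_day = now.hour * 60 + now.minute
    second_of_day = minute_of_day * 60 + now.second
    best = None
    for days, start_min, end_min in parse_login_time(login_time):
        if now.weekday() in days and start_min <= minute_of_day < end_min:
            left = end_min * 60 - second_of_day
            # Overlapping windows: the one that ends last governs the session.
            if best is None or left > best:
                best = left
    return best


def most_restrictive_timeout(login_time, session_timeout, now_iso):
    """Session-Timeout a reply should carry: the smaller of the configured
    value and the time left in the Login-Time window; None means reject."""
    left = seconds_left_in_window(login_time, now_iso)
    if left is None:
        return None
    if session_timeout is None:
        return left
    return min(left, session_timeout)


if __name__ == "__main__":
    # Adam's rows: Session-Timeout := 120, Login-Time := Thu-2030-2130,Fri-1300-1600.
    # 2006-09-28 is a Thursday (the thread's 9/29/06 message is a Friday).
    spec = "Thu-2030-2130,Fri-1300-1600"
    for when in ("2006-09-28T20:45:00", "2006-09-29T15:59:00", "2006-09-28T22:00:00"):
        print(when, "->", most_restrictive_timeout(spec, 120, when))
```

With the thread's values, Thursday 20:45 leaves 2700 seconds in the window, so the configured 120 wins; Friday 15:59 leaves only 60 seconds, so the window wins; Thursday 22:00 is outside both windows and should be a reject rather than any Session-Timeout at all. A value like the 9060 Adam observed cannot come out of this rule for those rows, which is the check worth running before assuming the module is present and behaving.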
Re: Accounting Stopped
Hi Alan,

Thanks for taking the time to respond. I've already fixed the problem. It only took a bit of lateral thinking. The ADSL modem wasn't exchanging any information on port 1813. For the life of me I can't understand how it could re-boot and only lose a bit of its setup. It would have been much better if it had lost everything. I wasted the best part of a week testing syslogd, reinstalling FreeRadius, MySQL and setting up a new test server.

Anyway, once again thanks. I really appreciate the time and effort you take to give support to end users.

Regards, Sean
Re: help with undocumented attributes
Andrew Long [EMAIL PROTECTED] wrote:
> I am working with an inherited system (freeradius 0.9.0 on RH). The system is running but as a new user/admin I am having trouble getting info on the actual setup. I do 'rpm -qv freeradius' and it returns freeradius is not installed, yet it IS.

Someone built it from source. You *really* should upgrade.

> /usr/local/etc/raddb is populated, as is /usr/local/share/freeradius. How can I get info on the running version?

man radiusd says radiusd -v

> Also, I am having trouble finding info on attributes that do not seem to be documented which limit some of our users' sessions. Examples are 'Max-Acct-Age', 'Max-Daily-Session', and 'Check-Login-Day'. I need to get a better understanding of how this session management is done.

They're local to your configuration, which is why they aren't documented.

> Good documentation on the web seems hard to come by. Any help most appreciated.

Try the wiki.

Alan DeKok.
Re: Re: Questions about latest CVS
Hi, all

> > Does the radiusd server listen on IPv6 address by default?
> No. You have to configure it.

Could you tell me how to configure it to listen on an IPv6 address?

> > How to use the radclient in IPv6?
> Send the request to an IPv6 address?

Yes, send the request to the Radius server listening on an IPv6 address.

Thank you very much.