Re: Freeradius 2.0 - vmps feature, inaccuracies on FreeNAC

2007-07-09 Thread A . L . M . Buxey
Hi,

   I remain, as always, resolute in my plans for world domination. :)

*cough* please take your place in the queue  ;-)

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Login /logout script hooks

2007-07-09 Thread Alan DeKok
Steven J Lamb wrote:
 I have been looking for a good example of a way to execute scripts when
 there is a login or logout. I haven't yet found a good example and
 unfortunately all of my attempts have failed to do anything. Any help or
 suggestions as to where I can find a good example of running a shell script
 when someone logs in or logs out. I would much appreciate it.

  See the exec module.  It can run scripts, and you can run the exec
module whenever you want.

  Alan DeKok.
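Exec hooks are the point where attacker-chosen RADIUS attributes meet the operating system, so here is an added example of the kind of script the exec module would run on an accounting Start or Stop. It is not from the thread or from the FreeRADIUS project. It assumes rlm_exec is configured with input_pairs = request and wait = yes, so request attributes arrive as environment variables named after the attribute in upper case with '-' replaced by '_' (User-Name -> USER_NAME), and that string values may be wrapped in double quotes by the server; the log path is a placeholder.

```python
"""rlm_exec hook: log a login on Accounting-Request Start and a logout on
Stop.  Added example for this thread, not code from FreeRADIUS.

Assumed (labelled) deployment: the exec module runs this script with
wait = yes and input_pairs = request, so request attributes reach it as
environment variables named after the attribute in upper case with '-'
replaced by '_' (User-Name -> USER_NAME).  String values may be wrapped in
double quotes by the server, so one surrounding pair is stripped.
"""
import os
import re
import sys

# Attributes the hook acts on; everything else in the environment is ignored.
WANTED = ("ACCT_STATUS_TYPE", "USER_NAME", "ACCT_SESSION_ID",
          "FRAMED_IP_ADDRESS", "NAS_IP_ADDRESS")

# User-Name is chosen by whoever is logging in: only a conservative
# character set is written to the log as-is.
SAFE_USER = re.compile(r"^[A-Za-z0-9._@+-]{1,64}$")

LOG_PATH = "/var/log/radius-sessions.log"  # placeholder path (assumption)


def attrs_from_env(env):
    """Collect the exported RADIUS attributes from an environment mapping."""
    attrs = {}
    for name in WANTED:
        value = env.get(name)
        if value is None:
            continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def event_for(attrs):
    """Map Acct-Status-Type to the hook action: Start -> login, Stop ->
    logout.  Interim-Update, Accounting-On/Off and unknown values return
    None so they are never mistaken for a login."""
    status = attrs.get("ACCT_STATUS_TYPE")
    if status == "Start":
        return "login"
    if status == "Stop":
        return "logout"
    return None


def log_line(attrs):
    """Build the record for one accounting packet, or None if the packet is
    not a Start or Stop.  Nothing here is ever handed to a shell."""
    action = event_for(attrs)
    if action is None:
        return None
    user = attrs.get("USER_NAME", "")
    if not SAFE_USER.match(user):
        user = "<invalid-user-name>"
    return "%s user=%s session=%s ip=%s nas=%s" % (
        action, user,
        attrs.get("ACCT_SESSION_ID", "-"),
        attrs.get("FRAMED_IP_ADDRESS", "-"),
        attrs.get("NAS_IP_ADDRESS", "-"))


def main():
    line = log_line(attrs_from_env(os.environ))
    if line is not None:
        with open(LOG_PATH, "a") as fh:
            fh.write(line + "\n")
    # rlm_exec treats a non-zero exit status as failure; a hook that only
    # logs must not be able to fail the accounting request.
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire it in with an exec instance whose program points at this script, with wait = yes and input_pairs = request, and list that instance in the accounting section of radiusd.conf. The part worth copying is that nothing from the request is passed to a shell: a User-Name such as `joe; rm -rf /` is rejected by the pattern instead of being executed.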


Re: FR + AD host/ machine/ workstation authentication

2007-07-09 Thread Jacob Jarick
If you wish to split hairs over a single line in my email, whose meaning you
purposefully skewed, by all means be that guy. Should you have anything
constructive at all to offer the conversation, please do; however, petty
criticisms are not welcome.

On 7/9/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Jacob Jarick wrote:
  Not every comment / criticism about FreeRADIUS is a veiled
  insult at you or your work Alan (rolls eyes).
  Saying the radiusd.conf is touchy is a fair call, since it is, and most
  people offering help warn / suggest about changing 1 line at a time.

   Saying the configuration file is touchy is an admission that you
 don't understand how it works, and that you don't have a methodical
 approach to changing it.

   The recommendations aren't to change a line at a time.  The
 recommendations are to have a methodical approach to creating a new
 configuration.

   And to read the documentation.

   Alan DeKok.



Re: SQL IP Pool maximum timeout.

2007-07-09 Thread Alan DeKok
Peter Nixon wrote:
 In other words, it should only be clearing IP's 
 for which a 'stop' query has gone astray, on the basis that you can't have
 more than one connection to an individual NAS port.  It certainly
 shouldn't just free up all IP's based on expiry_time.
 
 Exactly..

  Will it re-allocate IP's once the expiry time has passed?  That seems
to be the problem, I think.

  Alan DeKok.


Re: SQL IP Pool maximum timeout.

2007-07-09 Thread Peter Nixon
On Mon 09 Jul 2007, Alan DeKok wrote:
 Peter Nixon wrote:
  In other words, it should only be clearing IP's
  for which a 'stop' query has gone astray, on the basis that you can't
  have more than one connection to an individual NAS port.  It certainly
  shouldn't just free up all IP's based on expiry_time.
 
  Exactly..

   Will it re-allocate IP's once the expiry time has passed?  That seems
 to be the problem, I think.

Yes. That IS the purpose of the expiry time :-)

As long as you are getting accounting updates the expiry time continues to be 
extended. See:

alive-update = "UPDATE ${ippool_table} \
  SET expiry_time = 'now'::timestamp(0) + '${lease-duration} seconds'::interval \
  WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' AND \
  username = '%{SQL-User-Name}' \
  AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"


Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
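To make Peter's point concrete, here is an added model of the lease lifecycle; it is not the rlm_sqlippool queries themselves. The allocate, alive-update and stop-clear queries are rewritten for sqlite3 with integer epoch seconds in place of PostgreSQL timestamps, the row locking of the real module is left out, and the pool name, addresses and session values are constructed for the example. It shows the two cases in the thread: a session that keeps sending interim updates keeps its address, and a session whose Stop went astray loses the address once expiry_time passes.

```python
"""Lease lifecycle of an SQL IP pool, modelled in sqlite3.  Added example
for this thread, not the rlm_sqlippool queries (which are PostgreSQL and use
row locking); integer epoch seconds replace the 'now'::timestamp arithmetic."""
import sqlite3

LEASE_DURATION = 600  # seconds; stands in for ${lease-duration}


def new_pool(addresses):
    """Create a cut-down radippool table and fill it with free addresses.
    expiry_time 0 means 'never leased'."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radippool (
                      pool_name        TEXT,
                      framedipaddress  TEXT PRIMARY KEY,
                      nasipaddress     TEXT DEFAULT '',
                      pool_key         TEXT DEFAULT '',
                      callingstationid TEXT DEFAULT '',
                      username         TEXT DEFAULT '',
                      expiry_time      INTEGER DEFAULT 0)""")
    db.executemany("INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main', ?)",
                   [(a,) for a in addresses])
    return db


def allocate(db, now, nas, port, user, calling):
    """allocate-find + allocate-update: take the address whose lease expired
    longest ago (or was never leased) and lease it for LEASE_DURATION.
    Values are bound parameters, never interpolated."""
    row = db.execute("""SELECT framedipaddress FROM radippool
                        WHERE pool_name = 'main' AND expiry_time < ?
                        ORDER BY expiry_time LIMIT 1""", (now,)).fetchone()
    if row is None:
        return None  # pool exhausted: every lease is still live
    ip = row[0]
    db.execute("""UPDATE radippool SET nasipaddress = ?, pool_key = ?, username = ?,
                  callingstationid = ?, expiry_time = ?
                  WHERE framedipaddress = ?""",
               (nas, port, user, calling, now + LEASE_DURATION, ip))
    return ip


def alive_update(db, now, nas, port, user, calling, ip):
    """Interim-Update: extend the lease, but only for the matching session.
    Returns the number of rows touched (0 means the update did not match)."""
    cur = db.execute("""UPDATE radippool SET expiry_time = ?
                        WHERE nasipaddress = ? AND pool_key = ? AND username = ?
                        AND callingstationid = ? AND framedipaddress = ?""",
                     (now + LEASE_DURATION, nas, port, user, calling, ip))
    return cur.rowcount


def stop_clear(db, nas, port, user, calling, ip):
    """Accounting Stop: release the address immediately, again only when the
    session fields match (a Stop for another NAS port must not free it)."""
    cur = db.execute("""UPDATE radippool SET nasipaddress = '', pool_key = '',
                        username = '', callingstationid = '', expiry_time = 0
                        WHERE nasipaddress = ? AND pool_key = ? AND username = ?
                        AND callingstationid = ? AND framedipaddress = ?""",
                     (nas, port, user, calling, ip))
    return cur.rowcount


def leased_to(db, ip):
    return db.execute("SELECT username FROM radippool WHERE framedipaddress = ?",
                      (ip,)).fetchone()[0]


def demo():
    """Walk through the thread's two cases on a one-address pool."""
    db = new_pool(["10.0.0.1"])
    t = 1000
    ip = allocate(db, t, "nas1", "1", "alice", "0011")            # expires at 1600
    assert ip == "10.0.0.1"
    assert allocate(db, t + 100, "nas1", "2", "bob", "0022") is None
    # A Stop for a different NAS port does not free alice's address.
    assert stop_clear(db, "nas1", "9", "alice", "0011", ip) == 0
    # Interim-Update pushes expiry to 2100; bob still gets nothing at 1601.
    assert alive_update(db, t + 500, "nas1", "1", "alice", "0011", ip) == 1
    assert allocate(db, t + 601, "nas1", "2", "bob", "0022") is None
    # No further updates (the Stop went astray): once 2100 passes the
    # address is handed to the next user.  That IS the purpose of expiry.
    assert allocate(db, t + 1101, "nas1", "2", "bob", "0022") == ip
    assert leased_to(db, ip) == "bob"
    # A matching Stop frees it at once, long before bob's lease would expire.
    assert stop_clear(db, "nas1", "2", "bob", "0022", ip) == 1
    assert allocate(db, t + 1200, "nas1", "3", "carol", "0033") == ip
    return True


if __name__ == "__main__":
    print("ok" if demo() else "fail")
```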


Re: FR + AD host/ machine/ workstation authentication

2007-07-09 Thread Jacob Jarick
Fussy config file = petty criticism ?

If so, deal with it; you will hear far worse, I'm sure. Why not be honest
and admit that all you're really after is to continue the conflict we
had several months ago?

So can we drop it please?  If nothing else this is counter-productive.
I'm very surprised you're still upset from the previous clash, which I had
let lie. To be still looking for conflict after all this time is quite
sad.

so there is no misunderstanding:

* The Freeradius configs are the touchiest fussiest config files I
have ever dealt with, this in no way reflects on the product itself.
It is just a very steep learning curve. I also am aware that most of
the complexity is due to it supporting many many protocols and
backends.

* Freeradius Documentation is lacking (its a common thing for oss
projects). That is a statement, not a shot at any of the howto
writers. Again I do realise that this is due to the diversity of the
project (many different possible configurations). I will gladly help
document my current setup once finalized.

* I despise people whose only purpose in a thread is to be an obnoxious
self-important git. To clarify, on this most recent occasion that would
be you Alan, though I have seen you be very helpful on other
threads. The last thing a frustrated user who has been making an
honest attempt needs to hear is "you're an idiot, rtfm, upgrade", etc. -
paraphrasing of course.



On 7/9/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Jacob Jarick wrote:
  If you wish to split hairs over a single line in my email that you
  purposefully skewed the meaning off by all means be that guy. Should
  you have anything constructive at all to offer the conversation please
  do, however petty criticisms are not welcome though.

   So why do you engage in petty criticisms of FreeRADIUS?

   Alan DeKok.



Re : using EAP instead of chilli

2007-07-09 Thread Eshun Benjamin
i have a wrt54g linksys running dd-wrt

 

can someone help or give a link on how to deploy using the same linksys box.

Do this, 

The settings below will help: 
SETUP
Internet connection: IP on WAN

Under Optional Settings
Host Name: MyWireless (Name of your client-AP)
Domain Name: yourdomain.com (Your own domain)
MTU: Auto

Under Network Setup
Router
Local IP: 192.168.1.1
Subnet: 255.255.255.0
Gateway: 0.0.0.0

DHCP
DHCP Server: enabled




WIRELESS
Under Basic settings;
Wireless mode: AP
wireless Network Mode: Mixed
Wireless Network Name: MyWireless (Name of your client-AP)
Wireless Channel: 11-2.462GHz
Wireless SSID Broadcast: enable

Sensitivity Range: 2000

Under Radius
MAC Radius Client: enable
MAC format : aabbcc-ddeeff
Radius Server Address: your radius server IP
Radius Server port: 1812
MUU:
Password format: shared key
Radius shared secret: the secret of your client (AP)

Wireless Security
Security Mode: WPA Radius
WPA Algorithms: TKIP+AES
Radius Server Address: Your radius server IP
Radius Server port: 1812
WPA shared key: the secret of your client (AP)
key renewal interval: 3600


ADMINISTRATION
management
Routing: enable
802.1x : enable
 

Make sure you have your client (AP) information in RADIUS: clients.conf (AP IP,
MyWireless, Shared Key).
Configure eap.conf and radiusd.conf as well.

All the best.



==

Benjamin K. Eshun 



- Original message 
From: Carl aniams [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Saturday, 7 July 2007, 19:15:51
Subject: using EAP instead of chilli


hi all

 

i'm  using freeradius with a mysql database to authenticate users through 
chillispot, and it's working fine.

i would like to authenticate my user using EAP instead of using chilli that 
already grant them access through dhcp to the network

 

i have a wrt54g linksys running dd-wrt

 

can someone help or give a link on how to deploy using the same linksys box.

 

thanks a lot


-- 
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58   +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA 


Problem with NULL realm..

2007-07-09 Thread Mark J Elkins
I have an old instance of icradius - which - when users had a static IP
allocated - login would fail if there was a realm present but work just
fine if the realm was missing. This was in the old, dark days - when
everyone was in the same realm.
Now - freeradius works just fine with a full realm based login and static
IP but I have a number of users both with and without static IP's who
don't have their realm as part of their login ID..
i.e. rather than '[EMAIL PROTECTED]' - they just use 'joe'.

The easiest solution would be - if (REALM == NULL) - add on the default
realm.

There are about 10 different realms being used - as well as the 'default'.

Anyway..
In proxy.conf - I have uncommented ..
realm NULL {
type= radius
authhost= LOCAL
accthost= LOCAL
}

(This is now the last 'realm' definition in this file - in case order
matters. 'DEFAULT' is still commented)

In my sql.conf - I have code that looks like... 

... Username='%{Stripped-User-Name}' AND realm='%{Realm:-pop.co.za}' AND


ie - if the REALM is missing - it should default to 'pop.co.za'...

Anyway - still getting incorrect logins

A radiusd -X shows me that   ..WHERE Username='mje' AND realm='NULL'
AND...

ie - If there is no realm - its set to the string of four characters
'NULL' rather than the string '\0' ..
not what I was hoping for...

If the realm is missing - it can only refer to a user in the 'pop.co.za'
realm - and no other.

Suggestions?

ie - the equivalent of ...  if( ${Realm} == NULL) Realm=pop.co.za
..put somewhere.


ps. It would be very useful if one could run radiusd in '-X' mode based
on some criteria - such as the Realm or the Nas,
especially on a busy server - just for matching packets.

(in proxy.conf .. syntax of
realm myrealm.com {
type= radius
authhost= LOCAL
accthost= LOCAL
debug   = yes
}

or in clients.conf
client  access.pop.co.za {
secret  = very
shortname   = access
nastype = cisco
debug   =  yes
}
)






-- 
  .  . ___. .__  Posix Systems - Sth Africa
 /| /|   / /__   [EMAIL PROTECTED]  -  Mark J Elkins, SCO ACE, Cisco 
CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



Help: Configuring attributes in Access-Request in 1.1.3

2007-07-09 Thread Govardhana K N

Hi All,

I am new to FreeRadius. I am using Free Radius 1.1.3. I want to configure
the vendor attributes in the format below,


+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|RADIUS TYPE 26 | Length        | Vendor-ID                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor-ID (cont)              | Vendor TYPE   | Length        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Continuation  | Sub-Type      | Sub-Type-Len  | Sub-Type-Val  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

how can i configure this? Also i want to configure the same in
Access-Accept.

Can anyone guide me how to configure these.

thanks in advance.



--
With Regards,
Govardhana K N
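The diagram above is a Vendor-Specific attribute (RADIUS type 26) carrying one vendor TLV whose value is a continuation octet followed by sub-TLVs (Sub-Type, Sub-Type-Len, Sub-Type-Val). Here is an added example that encodes and decodes exactly that layout; it is not FreeRADIUS code (the server itself handles this through dictionary entries, as the reply below says). The decoder checks every length field against the bytes actually present, because the NAS, or anyone who can reach the auth port, chooses those length bytes. The Vendor-Id 99999 and the sub-type numbers used in the test are made up.

```python
"""Encoder/decoder for a type-26 VSA whose vendor TLV carries a continuation
octet and sub-TLVs, as drawn in the question.  Added example, not FreeRADIUS
code; vendor and sub-type numbers are constructed."""
import struct

VENDOR_SPECIFIC = 26


def encode_vsa(vendor_id, vendor_type, subtlvs, continuation=0):
    """subtlvs: list of (sub_type, value_bytes).  Returns the complete
    attribute, RADIUS Type/Length header included."""
    body = bytes([continuation])
    for sub_type, value in subtlvs:
        if not 0 <= sub_type <= 255:
            raise ValueError("sub-type out of range")
        if len(value) > 253:               # Sub-Type-Len is one octet and counts itself
            raise ValueError("sub-TLV value too long")
        body += bytes([sub_type, len(value) + 2]) + value
    vendor_tlv = bytes([vendor_type, len(body) + 2]) + body
    payload = struct.pack(">I", vendor_id) + vendor_tlv
    if len(payload) + 2 > 255:             # RADIUS attribute Length is one octet
        raise ValueError("attribute exceeds 255 bytes")
    return bytes([VENDOR_SPECIFIC, len(payload) + 2]) + payload


def decode_vsa(attr):
    """Parse one attribute into its parts, refusing anything whose length
    fields disagree with the data present (lengths that lie, zero-length
    sub-TLVs that would loop forever, truncated trailers)."""
    if len(attr) < 8:
        raise ValueError("too short for a VSA header")
    atype, alen = attr[0], attr[1]
    if atype != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    if alen != len(attr) or alen < 8:
        raise ValueError("attribute length mismatch")
    vendor_id = struct.unpack(">I", attr[2:6])[0]
    vtype, vlen = attr[6], attr[7]
    # Vendor Length counts Vendor TYPE, Length and the body; it must end
    # exactly where the attribute ends.
    if vlen < 3 or 8 + vlen - 2 != alen:
        raise ValueError("vendor TLV length mismatch")
    body = attr[8:8 + vlen - 2]
    continuation, rest = body[0], body[1:]
    subtlvs = []
    while rest:
        if len(rest) < 2:
            raise ValueError("truncated sub-TLV header")
        st, sl = rest[0], rest[1]
        if sl < 2 or sl > len(rest):
            raise ValueError("sub-TLV length out of bounds")
        subtlvs.append((st, rest[2:sl]))
        rest = rest[sl:]
    return {"vendor_id": vendor_id, "vendor_type": vtype,
            "continuation": continuation, "subtlvs": subtlvs}


def roundtrip_ok(vendor_id, vendor_type, subtlvs):
    """True if decoding the encoded attribute gives back the inputs."""
    d = decode_vsa(encode_vsa(vendor_id, vendor_type, subtlvs))
    return (d["vendor_id"], d["vendor_type"], d["subtlvs"]) == (vendor_id, vendor_type, subtlvs)
```

In the server the same bytes are described declaratively: a VENDOR line and ATTRIBUTE lines in the vendor's dictionary file, which is what the reply below points at. The decoder's bounds checks are the part a dictionary does not give you when you write your own parser.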

Re: FR + AD host/ machine/ workstation authentication

2007-07-09 Thread Jacob Jarick
My 2nd comment was referring to my current project (ntlm auth +
conditional auth if LDAP field dialupaccess = 1).

On 7/9/07, Jacob Jarick [EMAIL PROTECTED] wrote:
 On 7/9/07, Alan DeKok [EMAIL PROTECTED] wrote:
  Jacob Jarick wrote:
   Fussy config file = petty criticism ?
 
When it's clear that you aren't following the documentation or
  recommended methods, yes.
 

 Yes I do indeed follow the documentation but alas this is another
 tired argument you seem bent on dredging up, so you can either repeat
 yourself yet again or stop calling me a liar. Mailing list / forum
 questions are always the end result of a lot of research on my end that
 hasn't yielded needed information. Sometimes I may miss something
 obvious; for that I am so sorry, I am but a mere human. Rest assured I
 always try to double and triple check my work, it is a habit I have
 used for many years to compensate for my dyslexia.

 Recommended methods are exactly what I'm after, currently there are
 none listed in your wiki, howtos etc for this particular setup.

   * I despise people whose only purpose in a thread to be a obnoxious
   self-important git.
 
    As opposed to someone who offers gratuitous slams at a product, and
  then asks for help?
 
Try that with a mechanic: The last repair you did was shoddy.  Can
  you fix my car now?
 
A mechanic would use choicer words than I have used.  Or, he'd smile,
  do the repair, and purposefully break something else so that you'd have
  to come in again, and again...
 
If you're going to ask for help, don't insult the people and the
  project in the same message.  My purpose in being a self important git
  is to point out that your posts are rude.  I recognize that you are
  offended by that.
 
Alan DeKok.
 
 



R: Cisco VRF + Radius

2007-07-09 Thread Francesco Cristofori
 Putting a User into a certain VRF is quite simple:
 
 vrfuser User-Password == "topsecret"
         Cisco-AVPair += "lcp:interface-config#1=ip vrf forwarding VRFNAME",

Thank you Gerald, this is what I need to do.

I tried using this method, but I end up with access-accept reply (from radiusd 
-X) like this:

Sending Access-Accept of id 20 to x.y.159.252 port 1645
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Ascend-Client-Primary-DNS = x.y.z.1
Ascend-Client-Secondary-DNS = x.y.z.2
Session-Timeout = 2
Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding Satcom"
Framed-IP-Address = x.y.129.239

This seems correct to me, but the NAS ignores the Framed-IP-Address so the CPE 
never gets an IP address.
The IP address is taken from an ippool, the other attributes are stored in sql, 
everything works fine without that cisco-avpair attribute.

Any hint?

Thanks in advance, 
Francesco.



R: Cisco VRF + Radius

2007-07-09 Thread Francesco Cristofori
Hi Kalik,
thanks for your reply.
I had a look at the cisco doc on vrf forwarding, but I think it's not what I 
need to do.
I don't need to put all template items in fr, but only to select the vrf based 
on group which the user belongs to.

Did I miss the point? Do I need to configure Templates inside radius?

Thanks,
Francesco.



Default realm in 2.0.0-pre1

2007-07-09 Thread Pshem Kowalczyk
rlm_sql (sql_auth): starting 1
rlm_sql (sql_auth): Attempting to connect rlm_sql_postgresql #1
rlm_sql (sql_auth): Connected new DB handle, #1
rlm_sql (sql_auth): starting 2
rlm_sql (sql_auth): Attempting to connect rlm_sql_postgresql #2
rlm_sql (sql_auth): Connected new DB handle, #2
rlm_sql (sql_auth): starting 3
rlm_sql (sql_auth): Attempting to connect rlm_sql_postgresql #3
rlm_sql (sql_auth): Connected new DB handle, #3
rlm_sql (sql_auth): starting 4
rlm_sql (sql_auth): Attempting to connect rlm_sql_postgresql #4
rlm_sql (sql_auth): Connected new DB handle, #4
 Module: Instantiating section preacct
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique

  acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
  }
 Module: Instantiating section accounting
 Module: Instantiating detail
  detail {
detailfile =
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating sql_acct
  sql sql_acct {
driver = rlm_sql_postgresql
server = 10.119.15.6
port = 
login = raduser
password = raduser
radius_db = radbackend
sqltrace = no
sqltracefile = /var/log/freeradius/sqltrace.sql
readclients = no
deletestalesessions = yes
num_sql_socks = 5
sql_user_name = %{Stripped-User-Name:-%{User-Name}}
default_user_profile = 
QUERIES STRIPPED
  }
rlm_sql (sql_acct): Driver rlm_sql_postgresql (module
rlm_sql_postgresql) loaded and linked
rlm_sql (sql_acct): Attempting to connect to [EMAIL PROTECTED]:/radbackend
rlm_sql (sql_acct): starting 0
rlm_sql (sql_acct): Attempting to connect rlm_sql_postgresql #0
rlm_sql (sql_acct): Connected new DB handle, #0
rlm_sql (sql_acct): starting 1
rlm_sql (sql_acct): Attempting to connect rlm_sql_postgresql #1
rlm_sql (sql_acct): Connected new DB handle, #1
rlm_sql (sql_acct): starting 2
rlm_sql (sql_acct): Attempting to connect rlm_sql_postgresql #2
rlm_sql (sql_acct): Connected new DB handle, #2
rlm_sql (sql_acct): starting 3
rlm_sql (sql_acct): Attempting to connect rlm_sql_postgresql #3
rlm_sql (sql_acct): Connected new DB handle, #3
rlm_sql (sql_acct): starting 4
rlm_sql (sql_acct): Attempting to connect rlm_sql_postgresql #4
rlm_sql (sql_acct): Connected new DB handle, #4
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
attrsfile = /etc/freeradius/attrs.accounting_response
key = %{User-Name}
  }
 Module: Instantiating section post-auth
 Module: Instantiating reply_log
  detail reply_log {
detailfile =
/var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
attrsfile = /etc/freeradius/attrs.access_reject
key = %{User-Name}
  }
 }
Initializing the thread pool...
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
Nothing to do.  Sleeping until we see a request.
  Processing the authorize section of radiusd.conf
+- entering group authorize
  hints: Matched DEFAULT at 4
++[preprocess] returns ok
radius_xlat:  '/var/log/freeradius/radacct/127.0.0.1/auth-detail-20070709'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20070709
radius_xlat:  'Mon Jul  9 22:56:01 2007'
++[auth_log] returns ok
++[chap] returns noop
rlm_realm: Looking up realm adsl.ihug.co.nz for User-Name =
[EMAIL PROTECTED]
rlm_realm: No such realm adsl.ihug.co.nz
++[suffix] returns noop
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql_auth): sql_set_user escaped user -- '[EMAIL PROTECTED]'
rlm_sql (sql_auth): Reserving sql socket id: 4
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
radius_xlat:  'SELECT GroupName FROM radusergroup WHERE
UserName='[EMAIL PROTECTED]' ORDER BY priority'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql_auth): Released sql socket id: 4
rlm_sql (sql_auth): User [EMAIL PROTECTED] not found
++[sql_auth] returns notfound
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
+- group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the
request

Re: Problem with NULL realm..

2007-07-09 Thread Phil Mayers

 ... Username='%{Stripped-User-Name}' AND realm='%{Realm:-pop.co.za}' AND
 
 
 ie - if the REALM is missing - it should default to 'pop.co.za'...
 
 Anyway - still getting incorrect logins
 
 A radiusd -X shows me that   ..WHERE Username='mje' AND realm='NULL'
 AND...

That's how it works. You'll need to refactor your SQL query e.g.

select foo from bar where Username='%{Stripped-User-Name}' and realm=(
 case
  when '%{Realm}'='NULL' then 'pop.co.za'
  else '%{Realm}'
 end)

The other and slightly easier alternative is to set ignore_null = yes
on your realm module so that users without a realm won't match the
module, and then use:

select foo from bar where
  Username='%{Stripped-User-Name:-%{User-Name}}'
and
  realm='%{Realm:-pop.co.za}'


 
 ie - If there is no realm - its set to the string of four characters
 'NULL' rather than the string '\0' ..
 not what I was hoping for...
 
 If the realm is missing - it can only refer to a user in the 'pop.co.za'
 realm - and no other.
 
 Suggestions?
 
 ie - the equivalent of ...  if( ${Realm} == NULL) Realm=pop.co.za
 ..put somewhere.
 
 
 ps. It would be very useful if one could run radiusd in '-X' mode based
 on some criteria - such as the Realm or the Nas,
 especially on a busy server - just for matching packets.
 
 (in proxy.conf .. syntax of
 realm myrealm.com {
 type= radius
 authhost= LOCAL
 accthost= LOCAL
 debug   = yes
 }
 
 or in clients.conf
 client  access.pop.co.za {
 secret  = very
 shortname   = access
 nastype = cisco
 debug   =  yes
 }
 )
 
 
 
 
 
 



Re: Default realm in 2.0.0-pre1

2007-07-09 Thread Alan DeKok
Pshem Kowalczyk wrote:
 I'm building 'backend' radius servers, that only have to know about
 one domain - the default one, despite the stuff the users put into
 their login names.
...
 rlm_sql (sql_auth): User [EMAIL PROTECTED] not found
 ++[sql_auth] returns notfound
 rlm_pap: WARNING! No known good password found for the user.


 Any ideas why it ignores the DEFAULT realm? Or alternatively - how
 else can I get the Stripped-User-Name ?

  The ignore_default and ignore_null configurations in rlm_realm
should be removed from 2.x.  They can better be done with the new
configuration language.

  To get the stripped user name, just do:

if ("%{User-Name}" =~ /^(.*)@(.*)$/) {
    update request {
        Stripped-User-Name := "%{1}"
        Realm := "%{2}"
    }
}

  Alan DeKok.
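A small added model, not FreeRADIUS code, of the two things that tripped up both this thread and the "Problem with NULL realm" thread above: what rlm_realm sets, judging only from the debug output quoted on this page, and how Alan's regex splits a name. The realm and user names are constructed; DEFAULT realms are not modelled.

```python
"""Model of the realm handling discussed in this thread and in "Problem with
NULL realm".  Added example, not FreeRADIUS code: it reproduces what the
debug output quoted on this page shows rlm_realm doing, plus the regex from
the unlang.  DEFAULT realms are not modelled; names are constructed."""
import re

# Alan's regex, verbatim.  The first group is greedy, so the split happens
# at the LAST '@': 'a@b@c' -> ('a@b', 'c').
SPLIT = re.compile(r"^(.*)@(.*)$")


def split_user_name(user_name):
    """Return (stripped_user_name, realm), or None when there is no '@'."""
    m = SPLIT.match(user_name)
    if m is None:
        return None
    return m.group(1), m.group(2)


def realm_module(user_name, known_realms, ignore_null):
    """Outcome of the realm module for one request, as seen in the logs:

      no '@', NULL realm configured, ignore_null = no -> Realm = "NULL"
                                   (realm='NULL' in Mark's first query)
      no '@', ignore_null = yes                      -> noop, nothing set
                                   ("skipping NULL due to config")
      '@' but realm not configured                   -> noop, nothing set
                                   ("No such realm adsl.ihug.co.nz")
      '@' and realm configured                       -> both attributes set
    """
    parts = split_user_name(user_name)
    if parts is None:
        if "NULL" in known_realms and not ignore_null:
            return {"rcode": "ok", "Stripped-User-Name": user_name, "Realm": "NULL"}
        return {"rcode": "noop"}
    stripped, realm = parts
    if realm not in known_realms:
        return {"rcode": "noop"}
    return {"rcode": "ok", "Stripped-User-Name": stripped, "Realm": realm}


def sql_user_name(attrs):
    """%{Stripped-User-Name:-%{User-Name}}: the :- fallback fires only when
    the attribute is absent, which is why Mark's query without it produced
    Username='' once the realm module stopped setting anything."""
    if "Stripped-User-Name" in attrs:
        return attrs["Stripped-User-Name"]
    return attrs["User-Name"]


def realm_for_sql(realm_attr, default_realm):
    """Default realm for the SQL query.  '%{Realm:-default}' cannot do this
    alone when ignore_null = no, because Realm then holds the literal
    string "NULL" rather than being unset; treat that string, an empty
    realm (from 'joe@') and an unset attribute all as 'use the default'."""
    if realm_attr in (None, "", "NULL"):
        return default_realm
    return realm_attr


def authorize_lookup(user_name, known_realms, ignore_null, default_realm):
    """The (username, realm) pair the SQL query would end up using."""
    attrs = {"User-Name": user_name}
    attrs.update(realm_module(user_name, known_realms, ignore_null))
    return sql_user_name(attrs), realm_for_sql(attrs.get("Realm"), default_realm)
```

Two consequences worth checking against your own setup: a name with several '@' is split at the last one, and a name in a realm the server does not know falls through to a lookup of the full name in the default realm, which may or may not be what you want.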


radius mysql

2007-07-09 Thread Michael Ziemann
Hi All!

I have a problem with freeradius getting access to a mysql database.
I installed freeradius 1.1.5 on OpenSuse. The radius server is working, 
because I get an Access-Accept Packet with radtest (I configured the 
clients.conf).

But how do I configure FreeRadius to use a MySQL database?

I already installed lampp, which contains a MySQL server with the 
comfortable tool phpMyAdmin...

Thanks

Michael



Re: R: Cisco VRF + Radius

2007-07-09 Thread tnt
You don't need to set up vrf templates if everyone is going to use the
default radius server and default authentication and authorization
groups. It's optional.

What do "debug radius" and "debug ppp negotiation" on the Cisco say about why
the Framed-IP-Address was rejected? If it fails on IPCP then your route
is the problem. Since it all goes well without it ...

Ivan Kalik
Kalik Informatika ISP


On 9/7/2007, Francesco Cristofori [EMAIL PROTECTED] wrote:

 Putting a User into a certain VRF is quite simple:

 vrfuser User-Password == "topsecret"
         Cisco-AVPair += "lcp:interface-config#1=ip vrf forwarding VRFNAME",

Thank you Gerald, this is what I need to do.

I tried using this method, but I end up with access-accept reply (from radiusd 
-X) like this:

Sending Access-Accept of id 20 to x.y.159.252 port 1645
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Ascend-Client-Primary-DNS = x.y.z.1
Ascend-Client-Secondary-DNS = x.y.z.2
Session-Timeout = 2
Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding Satcom"
Framed-IP-Address = x.y.129.239

This seems correct to me, but the NAS ignores the Framed-IP-Address so the CPE 
never gets an IP address.
The IP address is taken from an ippool, the other attributes are stored in 
sql, everything works fine without that cisco-avpair attribute.

Any hint?

Thanks in advance,
   Francesco.






Re: radius mysql

2007-07-09 Thread Peter Nixon
On Mon 09 Jul 2007, Michael Ziemann wrote:
 Hi All!

 I have a problem with freeradius getting access to a mysql database.
 I installed freeradius 1.1.5 on OpenSuse. The radius server is working,
 because I get an Access-Accept Packet with radtest (I configured the
 clients.conf).

 But how do I configure FreeRadius to use a MySQL database?

Did you use the SUSE packages? My packages? or compile yourself from source?

Both SUSE and my packages contain mysql support, you simply need to read 
through radiusd.conf (search for sql) and enable it.

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: Help: Configuring attributes in Access-Request in 1.1.3

2007-07-09 Thread tnt
Are you sure? You would need to be a vendor making equipment in order to
configure new ones. If you just want to add a new vendor attribute that
is not in the dictionary.vendorName in that (older) version of
Freeradius you can add new attributes by editing that vendors dictionary
file. Just follow the template for the existing entries.

Once it is in the dictionary add that VSA to the reply items just like
any other attribute and it will be passed in the Access-Accept packet.

Ivan Kalik
Kalik Informatika ISP



On 9/7/2007, Govardhana K N [EMAIL PROTECTED] wrote:

Hi All,

I am new to FreeRadius. I am using Free Radius 1.1.3. I want to configure
the vendor attributes in the format below,


+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|RADIUS TYPE 26 | Length        | Vendor-ID                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor-ID (cont)              | Vendor TYPE   | Length        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Continuation  | Sub-Type      | Sub-Type-Len  | Sub-Type-Val  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

how can i configure this? Also i want to configure the same in
Access-Accept.

Can anyone guide me how to configure these.

thanks in advance.



--
With Regards,
Govardhana K N





Re: radius mysql

2007-07-09 Thread tnt
Make the database tables using this script:

http://wiki.freeradius.org/MySQL_DDL_script

Configure connection details (server, username, password) to MySQL in
sql.conf. Make sure that user(name) has appropriate access to the
database.

Find sql entries in radiusd.conf and uncomment them

Ivan Kalik
Kalik Informatika ISP


On 9/7/2007, Michael Ziemann [EMAIL PROTECTED] wrote:

Hi All!

I have a problem with freeradius getting access to a mysql database.
I installed freeradius 1.1.5 on OpenSuse. The radius server is working,
because I get an Access-Accept Packet with radtest (I configured the
clients.conf).

But how do I configure FreeRadius to use a MySQL database?

I already installed lampp, which contains a MySQL server with the
comfortable tool phpMyAdmin...

Thanks

Michael






Re: Using two tables (postgreSql) to validate users

2007-07-09 Thread Claudiu Filip

Hi Daniel,


   It is very easy to use as many tables as you need.
   You can have in config:

   # %{User-Password} is only present for PAP; CHAP and MS-CHAP requests
   # carry no cleartext password, so this check applies to PAP logins only.
   authorize_check_query = "SELECT * FROM pl_AUTHORIZE_CHECK('%{SQL-User-Name}', '%{User-Password}', '%{Client-IP-Address}')"
   
   pl_AUTHORIZE_CHECK will be a stored procedure on the postgresql backend.
   For example, I used something like this:
   
   sql> CREATE TYPE radius_check_pairs AS (id integer, username text, attrname text, attrval text, attrop text);
   sql> CREATE OR REPLACE FUNCTION pl_AUTHORIZE_CHECK (text, text, text) RETURNS SETOF radius_check_pairs AS $$
my ($user, $pass, $nasip) = @_;
# Bind the arguments instead of interpolating them into the SQL text:
# they come straight out of the RADIUS request.
my $plan = spi_prepare('SELECT status FROM accounts WHERE username = $1 AND password = $2', 'text', 'text');
my $rv = spi_exec_prepared($plan, {limit => 1}, $user, $pass);
spi_freeplan($plan);
if ($rv->{processed} < 1) {
    # Log the user, never the password that was tried.
    elog(NOTICE, "AUTHCHECK: User $user NOT FOUND");
    return [ { id => 0, username => $user, attrname => 'Auth-Type', attrval => 'Reject', attrop => ':=' } ];
}
my $status = $rv->{rows}[0]{status};
if ($status != '1') {
    elog(NOTICE, "AUTHCHECK: User $user not active");
    my $reply = [];
    push @$reply, { id => 0, username => $user, attrname => 'Auth-Type', attrval => 'Reject', attrop => ':=' };
    push @$reply, { id => 1, username => $user, attrname => 'Reply-Message', attrval => 'Account suspended!', attrop => ':=' };
    return $reply;
}
elog(NOTICE, "AUTHCHECK: User $user - login ok");
return [ { id => 0, username => $user, attrname => 'Auth-Type', attrval => 'Accept', attrop => ':=' } ];
$$ LANGUAGE plperl;


   The advantages of this scenario: you can have anything you want in
   this procedure, including CPAN modules, and you can still run the
   radius server on your favorite Pentium II with load average 0.


Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100
F:+40344880113

 Hi again...
 I have a doubt: Is it possible to use two tables to check the users? I
 need to do something like this... Freeradius checks if the user is valid
 on the table 1, if it returns true the user is validated, but if the
 return is false, freeradius checks the table 2, trying to validate the
 user once again.




Re: Problem with NULL realm..

2007-07-09 Thread Mark J Elkins
Phil Mayers wrote:
 ... Username='%{Stripped-User-Name}' AND realm='%{Realm:-pop.co.za}' AND
 

 ie - if the REALM is missing - it should default to 'pop.co.za'...

 Anyway - still getting incorrect logins

 A radiusd -X shows me that   ..WHERE Username='mje' AND realm='NULL'
 AND...
 

 That's how it works. You'll need to refactor your SQL query e.g.

   
grumble if people wanted the string 'NULL' - they should use
%{Realm:-NULL}
(user hides below the keyboard :-)
 select foo from bar where Username='%{Stripped-User-Name}' and realm=(
  case
   when '%{Realm}'='NULL' then 'pop.co.za'
   else '%{Realm}'
  end)

 The other and slightly easier alternative is to set ignore_null = yes
 on your realm module so that users without a realm won't match the
 module, and then use:

 select foo from bar where
   Username='%{Stripped-User-Name:-%{User-Name}}'
 and
   realm='%{Realm:-pop.co.za}'

   
Being lazy - I'm starting here. (Also - less impact on existing users)
Changed 'ignore_null' to yes..
Smiled - and tried to dial-in

rad_recv: Access-Request packet from host 160.124.0.97:1645, id=81,
length=106
NAS-IP-Address = 160.124.0.97
NAS-Port = 70
Cisco-NAS-Port = Async70
NAS-Port-Type = Async
User-Name = mje
Called-Station-Id = 0800
User-Password = verysecret
Service-Type = Framed-User
Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module preprocess returns ok for request 7
  modcall[authorize]: module chap returns noop for request 7
  modcall[authorize]: module mschap returns noop for request 7
rlm_realm: No '@' in User-Name = mje, skipping NULL due to config.
*** Line above suggests the 'ignore_null' worked ***
  modcall[authorize]: module suffix returns noop for request 7
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 7
radius_xlat:  'mje'
rlm_sql (sql): sql_set_user escaped user -- 'mje'
radius_xlat:  'SELECT userid as id,UserName,'Password' as
Attribute,password as Value,'==' as op FROM useracct WHERE Username=''
AND realm='pop.co.za' AND .

Something stole my username ???

I'm not too sure of the logic here.
I've left the NULL realm in proxy.conf uncommented - so it's 'live'.
It seems that the 'NULL' realm matched... then skipped (?) - so I got a
null username and a null realm (all the other info got through!)

Looks like the SQL logic works though...
I just hate complicating the SQL queries even more than I already have!

I guess FreeRadius 2.xx will make things easier?
   
 ie - If there is no realm - it's set to the string of four characters
 'NULL' rather than the string '\0' ..
 not what I was hoping for...

 If the realm is missing - it can only refer to a user in the 'pop.co.za'
 realm - and no other.

 Suggestions?

 ie - the equivalent of ...  if( ${Realm} == NULL) Realm=pop.co.za
 ..put somewhere.


 ps. It would be very useful if one could run radiusd in '-X' mode based
 on some criteria - such as the Realm or the Nas,
 especially on a busy server - just for matching packets.

 (in proxy.conf .. syntax of
 realm myrealm.com {
 type= radius
 authhost= LOCAL
 accthost= LOCAL
 debug   = yes
 }

 or in clients.conf
 client  access.pop.co.za {
 secret  = very
 shortname   = access
 nastype = cisco
 debug   =  yes
 }
 )


-- 
  .  . ___. .__  Posix Systems - Sth Africa
 /| /|   / /__   [EMAIL PROTECTED]  -  Mark J Elkins, SCO ACE, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496

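To make the two suggestions in the thread concrete, here is an added example (not from the thread or from FreeRADIUS itself) that models radius_xlat's `%{Attr:-default}` expansion and the 1.x NULL-realm behaviour against a constructed useracct table in SQLite, then runs the original query, the CASE rewrite and the ignore_null rewrite side by side. The request attributes, table rows and passwords are constructed.

```python
import re
import sqlite3

# Constructed sample rows; the column names follow the query quoted in the post.
USERACCT = [
    ("mje", "pop.co.za", "secret-pop"),
    ("mje", "other.example", "secret-other"),
]

# The query from the original post, plus the two rewrites suggested in the thread.
Q_NAIVE = ("SELECT password FROM useracct WHERE Username='%{Stripped-User-Name}' "
           "AND realm='%{Realm:-pop.co.za}'")
Q_CASE = ("SELECT password FROM useracct WHERE Username='%{Stripped-User-Name}' "
          "AND realm=(CASE WHEN '%{Realm}'='NULL' THEN 'pop.co.za' ELSE '%{Realm}' END)")
Q_IGNORE_NULL = ("SELECT password FROM useracct WHERE "
                 "Username='%{Stripped-User-Name:-%{User-Name}}' "
                 "AND realm='%{Realm:-pop.co.za}'")

# Matches %{Attr} or %{Attr:-default}; innermost references are expanded first.
XLAT = re.compile(r"%\{([A-Za-z0-9-]+)(?::-([^{}]*))?\}")


def xlat(template, request):
    """Simplified model of radius_xlat, with rlm_sql's single-quote escaping."""
    def expand(match):
        attr, default = match.group(1), match.group(2)
        value = request.get(attr)
        if value is None:
            return default if default is not None else ""
        return value.replace("'", "''")   # stand-in for rlm_sql's escaping

    previous = None
    while previous != template:          # repeat until nested references are gone
        previous, template = template, XLAT.sub(expand, template)
    return template


def rlm_realm(request, ignore_null):
    """Model of the 1.x 'suffix' realm handling for a user without '@'."""
    user = request["User-Name"]
    if "@" in user:
        request["Stripped-User-Name"], request["Realm"] = user.rsplit("@", 1)
    elif not ignore_null:
        # Default 1.x behaviour: Realm is the literal string 'NULL', so ':-' never fires.
        request["Stripped-User-Name"] = user
        request["Realm"] = "NULL"
    # With ignore_null = yes neither attribute is set for a bare user name.
    return request


def lookup(query_template, user_name, ignore_null):
    """Run the expanded query against the sample table; return the password or None."""
    request = rlm_realm({"User-Name": user_name}, ignore_null)
    sql = xlat(query_template, request)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE useracct (Username TEXT, realm TEXT, password TEXT)")
    db.executemany("INSERT INTO useracct VALUES (?, ?, ?)", USERACCT)
    row = db.execute(sql).fetchone()
    db.close()
    return row[0] if row else None


if __name__ == "__main__":
    print("naive, ignore_null=no :", lookup(Q_NAIVE, "mje", False))        # None: realm='NULL'
    print("naive, ignore_null=yes:", lookup(Q_NAIVE, "mje", True))         # None: Username=''
    print("CASE,  ignore_null=no :", lookup(Q_CASE, "mje", False))         # secret-pop
    print("fixed, ignore_null=yes:", lookup(Q_IGNORE_NULL, "mje", True))   # secret-pop
    print("fixed, explicit realm :", lookup(Q_IGNORE_NULL, "mje@other.example", True))
```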


Re: Help: Configuring attributes in Access-Request in 1.1.3

2007-07-09 Thread Govardhana K N

Ivan,

Thanks for the information.

As I am totally new to FreeRadius, can you also tell me in which file I should
update to reflect the attributes in Access-Accept.
Is it in sql.conf?

Thanks & Regards,
Govardhana K N


On 7/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


Are you sure? You would need to be a vendor making equipment in order to
configure new ones. If you just want to add a new vendor attribute that
is not in the dictionary.vendorName in that (older) version of
Freeradius you can add new attributes by editing that vendor's dictionary
file. Just follow the template for the existing entries.

Once it is in the dictionary add that VSA to the reply items just like
any other attribute and it will be passed in the Access-Accept packet.

Ivan Kalik
Kalik Informatika ISP



On 9/7/2007, Govardhana K N [EMAIL PROTECTED] wrote:

Hi All,

I am new to FreeRadius. I am using Free Radius 1.1.3. I want to configure
the vendor attributes in the format below,


 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |RADIUS TYPE 26 | Length        | Vendor-ID                     |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 | Vendor-ID (cont)              | Vendor TYPE   | Length        |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 | Continuation  | Sub-Type      | Sub-Type-Len  | Sub-Type-Val  |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

How can I configure this? Also I want to configure the same in
Access-Accept.

Can anyone guide me on how to configure these?

thanks in advance.



--
With Regards,
Govardhana K N








--
With Regards,
Govardhana K N

Re: Help: Configuring attributes in Access-Request in 1.1.3

2007-07-09 Thread tnt
Since you are mentioning a file, not a database, LDAP or such, it's the
users file (should be at /usr/local/etc/raddb/users). Read the examples
and make something like that for your user. You will see what you should
check for and what should go in the reply. The format is:

user    check1, check2, ..., checklast
        reply1,
        reply2,
        ...
        replylast

All check items go in the first line, all reply items go indented one
below another. Items are separated by commas, no comma after last
(check/reply) item.



PEAP certificates, signing requirements and examples

2007-07-09 Thread Eshun Benjamin
Hi All,
I came across this information and thought it would be nice to drop it here. 
Even though it is an SSL issue it has to do with PEAP. Just to discuss; any 
comments.

PEAP certificates, signing requirements and examples 
 
There are only minor differences between standard SSL certificates used by 
secure web sites and those 
used with PEAP on 802.1x wireless networks. 
 
With PEAP the SSID of the network, rather than your organization's domain, must 
match the common name (cn) of the certificate.  Additionally an EKU (Enhanced 
Key Usage) for Server Authentication (OID 1.3.6.1.5.5.7.3.1) must be specified 
when creating your public certificate or signing request. 

[ PEAP ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

[ clientAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ serverAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

 
In these examples we will use the OpenSSL utility to create a Certificate 
Signing Request (CSR) used with 
a third party certificate authority such as Verisign or Thawte.  We will also 
generate a ‘self-signed’ 
certificate that does not require a certificate authority but does require 
users to first accept your certificate 
as valid on a one time basis depending on the supplicant and its configuration. 
 
 
Example creating a certificate signing request for a certificate authority:

openssl req -new -nodes -keyout private.pem -out public.csr -extensions PEAP -config openssl.cnf


The output file public.csr is processed by your certificate authority (CA), 
which will return a signed 
certificate file to you.  Combine private.pem with the certificate returned 
from the CA into a single file.  This 
file becomes the  ‘PEAP Certificate’ file.  You will likely also need the CA’s 
certificate chain file if one is 
required.  This file becomes the ‘PEAP CA Certificate’. 


Example creating a ‘self-signed’ certificate:

openssl req -new -x509 -key private.pem -out public.pem -extensions PEAP -config openssl.cnf -days 5000


 
== 
Benjamin K. Eshun





  

Re: Help: Configuring attributes in Access-Request in 1.1.3

2007-07-09 Thread Govardhana K N

I tried configuring the same but there were no attributes present in the
Access-Accept.

the command I used to create the Access-Request is given below:

[EMAIL PROTECTED]:~$] radclient -x 127.0.0.1 auth testing123
user-name=govardhana
user-password=govardhana
nas-identifier=jrcnas
nas-port-type=15
Sending Access-Request of id 219 to 127.0.0.1 port 1812
   User-Name = govardhana
   User-Password = govardhana
   NAS-Identifier = jrcnas
   NAS-Port-Type = Ethernet
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=219, length=20


How can I configure any attribute in the Access-Accept packet?

Thanks & Regards,
Govardhana K N



Re: PEAP certificates, signing requirements and examples

2007-07-09 Thread Alan DeKok
Eshun Benjamin wrote:
 Hi All,
 I came across this infomation and tought it would be nice to drop it
 here. Eventhough it is ssl issue it has to do with PEAP. Just to
 discuss; any comments.

  This is documented in eap.conf, among other places.  It's on the Wiki,
in the script files that create the test certificates for the server, etc.

  In 2.0, a brand-new install of the server will automatically create
test certificates with the right OID's for Windows.

  Alan DeKok.


RE: SQL IP Pool maximum timeout.

2007-07-09 Thread Hugh Messenger
On Behalf Of Dave said:
 Yes accounting is working well from the NAS

Are you sure the NAS is sending 'interim update' accounting packets, not
just start/stop?

Here's my understanding of how it works (I'm sure Peter will correct me if
I'm wrong!):

On an access request, sqlippool will first check to see if this looks like a
'lost stop' case (allocate-clear) by checking to see if there are any
assigned IP's in the pool with the same 'pool-key' (NAS-Port in a dialup
context) as the request.  If so, free up that IP.

Then it looks for an IP to assign (allocate-find), by checking for a free or
expired IP in the pool, allocates it (allocate-update) and sets the
expiry_time to now + lease-duration.

On an accounting 'stop', it frees up the IP (stop-clear).

On an accounting 'update', it extends the expiry_time by 'lease-duration'
seconds (alive-update).

There's a little more to it than that (like accounting on/off), but that's
the basic life cycle of an IP assignment.

So ... if your NAS isn't sending accounting updates, then it will start
re-assigning IP's after the initial expiry_time (lease-duration).  If your
NAS doesn't implement accounting updates, you may have to set session
timeouts to less than your lease-duration.

   -- hugh


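An added example, not Hugh's or the module's own code, that plays the lifecycle above through a constructed radippool table in SQLite: the same long session with and without interim updates, so the re-assignment after lease-duration is visible, plus the 'lost stop' case. The column names, lease-duration, pool keys and addresses are constructed.

```python
import sqlite3

LEASE_DURATION = 3600   # constructed lease-duration, in seconds


class SqlIpPool:
    """Model of the rlm_sqlippool steps named in the post (allocate-clear,
    allocate-find, allocate-update, stop-clear, alive-update). The table and
    queries are constructed for this example and are not the module's SQL."""

    def __init__(self, addresses):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE radippool (framedipaddress TEXT PRIMARY KEY, "
                        "pool_key TEXT NOT NULL DEFAULT '', "
                        "expiry_time INTEGER NOT NULL DEFAULT 0)")
        self.db.executemany("INSERT INTO radippool (framedipaddress) VALUES (?)",
                            [(a,) for a in addresses])

    def _clear(self, pool_key):
        self.db.execute("UPDATE radippool SET pool_key = '', expiry_time = 0 "
                        "WHERE pool_key = ?", (pool_key,))

    def access_request(self, pool_key, now):
        """allocate-clear, allocate-find, allocate-update; returns the IP or None."""
        self._clear(pool_key)        # 'lost stop': free anything this NAS-Port still holds
        row = self.db.execute("SELECT framedipaddress FROM radippool WHERE expiry_time <= ? "
                              "ORDER BY expiry_time, framedipaddress LIMIT 1", (now,)).fetchone()
        if row is None:
            return None              # no free or expired address: pool exhausted
        ip = row[0]
        self.db.execute("UPDATE radippool SET pool_key = ?, expiry_time = ? "
                        "WHERE framedipaddress = ?", (pool_key, now + LEASE_DURATION, ip))
        return ip

    def accounting_stop(self, pool_key):
        """stop-clear"""
        self._clear(pool_key)

    def accounting_update(self, pool_key, now):
        """alive-update: push expiry_time out by another lease-duration."""
        self.db.execute("UPDATE radippool SET expiry_time = ? WHERE pool_key = ?",
                        (now + LEASE_DURATION, pool_key))

    def lease(self, ip):
        return self.db.execute("SELECT pool_key, expiry_time FROM radippool "
                               "WHERE framedipaddress = ?", (ip,)).fetchone()


def simulate(interim_updates, interim_interval=600):
    """One session on NAS-Port 70 that outlives its lease, then a login on
    NAS-Port 71 arriving just after the first lease would have expired."""
    pool = SqlIpPool(["10.1.1.1"])   # single-address pool so any reuse is visible
    first = pool.access_request("70", now=0)
    if interim_updates:
        for t in range(interim_interval, LEASE_DURATION + 1, interim_interval):
            pool.accounting_update("70", now=t)
    second = pool.access_request("71", now=LEASE_DURATION + 1)
    return {"first": first, "second": second, "lease": pool.lease("10.1.1.1")}


def lost_stop():
    """NAS-Port 70 logs in again without an Accounting-Stop ever arriving:
    allocate-clear releases its own stale lease instead of leaking an address."""
    pool = SqlIpPool(["10.1.1.1", "10.1.1.2"])
    a = pool.access_request("70", now=0)
    b = pool.access_request("70", now=100)
    return a, b, pool.lease("10.1.1.2")


if __name__ == "__main__":
    print("no interim updates :", simulate(False))   # second login gets 10.1.1.1 too
    print("interim updates    :", simulate(True))    # second login gets None
    print("lost stop          :", lost_stop())       # 10.1.1.2 never touched
```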


Re: Any successes with Belkin Wireless Access Point.

2007-07-09 Thread tnt
Your AP IP address is from Automatic Private IP Addressing range. Routing
is not going to work there. Make a proper /30 network between AP and
the PC.

Ivan Kalik
Kalik Informatika ISP


On 9/7/2007, Garvin Haslett [EMAIL PROTECTED] wrote:

I have a tiny test network consisting of a Belkin Wireless Access Point
(FCC: K7SF5D7132A) connected by an ethernet cable to a Windows machine
with an Intel network card.

I'm running FreeRADIUS.net-1.1.5-r0.0.3 and configure the client thus:

client 169.254.188.217 {
   secret  = testing123
   shortname   = belkin-at-garvin
}

When I connect to the AP I can see packets getting through to the
network card using ethereal but nothing appears in the radius.log.

When I disconnect from the AP the device's MAC still appears in the AP's
list and it is reported as being Authenticated!

Can anyone tell me what I have missed in the configuration?

Garvin.



Re: Default realm in 2.0.0-pre1

2007-07-09 Thread Pshem Kowalczyk
Some more details:

authorize {
    preprocess
    if (%{User-Name} =~ /^(.*)@(.*)$/) {
        update request {
            Stripped-User-Name := xyz
            Realm := abc
        }
    }
    auth_log
    chap
    suffix
    sql
    pap
}


freeradius -X
Config:   including file: /etc/freeradius/radiusd.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/sql.conf
Config:   including file: /etc/freeradius/sql/postgresql-dialup.conf
/etc/freeradius/radiusd.conf[177]: Line is not in 'attribute = value' format
Errors reading /etc/freeradius/radiusd.conf


kind regards
Pshem


FreeRADIUS vs Windows VISTA clients

2007-07-09 Thread Jose

Hi ppl

Wondering if anyone can provide me a link/doc (without me going out to
prepare a small lab environment for proof-of-concept) that will help prove
that FreeRADIUS will support Windows VISTA clients with their respective
factory defaults.
Thank you.

Regards
Crowley

Re: FreeRADIUS vs Windows VISTA clients

2007-07-09 Thread Jose

Thanks Arran,

Is there a doc that will shed some light on the procedure for enabling
support for a VISTA client?
(I am referring to PPTP connections.)

Again, thanx for the reply.

/Crowley


On 7/9/07, Arran Cudbard-Bell [EMAIL PROTECTED] wrote:


Jose wrote:
 Hi ppl

 Wondering if anyone can provide me a link/doc (without me going out to
 prepare a small lab enviroment for proof-of-concept), that will help
 prove that FreeRADIUS will support Window VISTA clients with their
 respective factory defaults.
 Thank you.

 Regards
 Crowley

It won't. VISTA, XP and Win2k SP4 all require at least some configuration
before they will work with *any* RADIUS server.

Mac OSX supplicant on the other hand, works out of the box :)
 


Re: Default realm in 2.0.0-pre1

2007-07-09 Thread Alan DeKok
Pshem Kowalczyk wrote:
 Is that functionality available in the 2.0.0-pre1?

  No.

  You need the CVS head.

  Alan DeKok.


Re: FreeRADIUS vs Windows VISTA clients

2007-07-09 Thread Alan DeKok
Jose wrote:
  Wondering if anyone can provide me a link/doc (without me going out to
 prepare a small lab enviroment for proof-of-concept), that will help
 prove that FreeRADIUS will support Window VISTA clients with their
 respective factory defaults.
 Thank you.

  PEAP doesn't work that way.

  If you're willing to uncheck validate server certificate in the
802.1x GUI, then PEAP will work.  If you're willing to install the
server certificate on the Vista box, then PEAP will work.

  Your question is like asking how to buy something in a store without
giving them money or a credit card.  It's possible, I guess... but
realistically, no one ever does it that way.  For *very* good reasons.

  Alan DeKok.


Re: setup question : mschap + perl authentication

2007-07-09 Thread Alan DeKok
Johan wrote:
 I'm wondering if it's possible to authenticate a user who is using
 mschap authentication with perl.

  Sure.  Just re-write all of the MS-CHAP authentication protocol in
rlm_mschap in Perl.

  But why the heck would you want to do that?

 I already made a perl script, which I use with rlm_perl to authenticate
 users to an ftp backend. I use that script to authenticate users from
 the authentication proxy of a Cisco PIX.

  Does the FTP backend support MS-CHAP?  If not, there's no point in
writing any Perl code to integrate the two.

 My next setup is to authenticate user requests from a Wireless Access
 Point with EAP-TTLS.
 Is it possible to do that with the radiusd.conf ?
 
 I already tried to setup like this in the authenticate section :
 
 mschap {
   perl
 }
 
 But the problem is, the perl script doesn't seem to receive the same
 information as a PIX request. Do I need to modify my script to talk
 mschap ?

  I think you're randomly trying to get something to work, without
understanding what's going on.

 Is there a perl module to understand the mschap protocol ?

  Look on CPAN.  We don't manage Perl packages here.

  Alan DeKok.


Re: Default realm in 2.0.0-pre1

2007-07-09 Thread Pshem Kowalczyk
On 10/07/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Pshem Kowalczyk wrote:
  Is that functionality available in the 2.0.0-pre1?

   No.

   You need the CVS head.

Ok. Then I'll have a look into this later, for now - I figured out
that the easiest way of fixing my problem is to do it like this:
attr_rewrite strip_domain {
    attribute = User-Name
    searchin = packet
    searchfor = @(.*)
    replacewith = 
    ignore_case = yes
    max_matches = 1
    append = no
}

Thanks for your help and when is the -pre2 coming ? ;-)

kind regards
pshem


Re: FreeRADIUS vs Windows VISTA clients

2007-07-09 Thread Arran Cudbard-Bell
Jose wrote:
 Thanks Arran,
  
 Is there a doc that will shed some light on the procedure for 
 enabling support for a VISTA client?
 (I am referring to PPTP connections.)
EAPOL or EAP over PPP ? Either way I don't think such a document exists 
for VISTA ... though from my own tests it's much the same as XP.

http://www.hep.phys.soton.ac.uk/~jhe/documents/WPA-Authentication+RADIUS-HOWTO.html

See section 4.

 Again, thanx for the reply.
  
 /Crowley

  


Re: Default realm in 2.0.0-pre1

2007-07-09 Thread Alan DeKok
Pshem Kowalczyk wrote:
 Thanks for your help and when is the -pre2 coming ? ;-)

  ASAP, I hope.

  Alan DeKok.


Re: setup question : mschap + perl authentication

2007-07-09 Thread Arran Cudbard-Bell
Alan DeKok wrote:
 Johan wrote:
   
 I'm wondering if it's possible to authenticate a user who is using
 mschap authentication with perl.
 

   Sure.  Just re-write all of the MS-CHAP authentication protocol in
 rlm_mschap in Perl.

   But why the heck would you want to do that?

   
You know I've been thinking of doing that in PHP (PHP based supplicant 
for weblogin via RADIUS), I'm sure it's possible... and it would be of 
some benefit, just the RFC makes my head hurt... one of the few times 
I've regretted not studying computer science. *sigh* something to do 
with hashing the NT hash using different SHA functions.

Got PAP working though, that's not exactly hard... and CHAP seems very 
easy, so I'll do that tomorrow.

Have a request hash Radius to Supplicant
Hash this hash with a hash of the password Supplicant
Here have the request hash and the hash of the request hash with the 
password.. Supplicant to Radius
*works*

And the advantage of supporting MSChap is that you don't have to store 
your passwords in cleartext... Just NT4 or LMHash which while not much 
more secure than cleartext , looks far more impressive in a password 
database.

But yes, as Alan said, why bother implementing the server side MSChap 
module in perl ... rlm_perl wasn't really designed for this kind of 
stuff, more for request flow control and acquiring extra attributes from 
databases and various other perly type things.

You ok Alan ? You've seemed less yeah go look at this howto / man page 
and more *stab stab* die recently ...

Sorry abundance of Guinness ...

Thanks,
Arran
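Arran sketches the CHAP exchange above; here, as an added example that is not part of the thread, is RFC 1994 CHAP as RADIUS carries it (CHAP-Password = identifier + MD5 of identifier, password and challenge), with a PAP check beside it to show why the CHAP side of the server needs the cleartext password while PAP can be checked against a stored one-way hash. The function names, the sample password and the challenge are constructed.

```python
import hashlib
import hmac
import os


def chap_response(chap_id, password, challenge):
    """Supplicant side, RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode("utf-8") + challenge).digest()


def chap_password_attribute(chap_id, password, challenge):
    """Value of the RADIUS CHAP-Password attribute: the one-byte CHAP
    identifier followed by the 16-byte response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def verify_chap(chap_password, challenge, stored_cleartext):
    """Server side. The challenge comes from CHAP-Challenge (or the request
    authenticator); the check is only possible with the cleartext password."""
    if len(chap_password) != 17:
        return False
    chap_id = chap_password[0]
    expected = chap_response(chap_id, stored_cleartext, challenge)
    return hmac.compare_digest(expected, chap_password[1:])     # constant-time compare


def verify_pap(password, stored_sha256_hex):
    """PAP carries the password itself, so any one-way hash the backend keeps
    can be checked; plain SHA-256 here purely for illustration."""
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_sha256_hex)


def demo(challenge=None):
    """Run one CHAP exchange and the failure cases a server must reject."""
    challenge = challenge or os.urandom(16)      # CHAP-Challenge picked by the NAS
    attr = chap_password_attribute(7, "verysecret", challenge)
    return {
        "chap_ok": verify_chap(attr, challenge, "verysecret"),
        "chap_wrong_password": verify_chap(attr, challenge, "wrongsecret"),
        "chap_replayed_under_new_challenge": verify_chap(attr, os.urandom(16), "verysecret"),
        "chap_truncated": verify_chap(attr[:10], challenge, "verysecret"),
        "pap_ok": verify_pap("verysecret", hashlib.sha256(b"verysecret").hexdigest()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:36s} {result}")
```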


Re: setup question : mschap + perl authentication

2007-07-09 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 And the advantage of supporting MSChap is that you don't have to store 
 your passwords in cleartext... Just NT4 or LMHash which while not much 
 more secure than cleartext , looks far more impressive in a password 
 database.

  And the server already does the heavy lifting of implementing MS-CHAP.
 Why re-invent the wheel?

 You ok Alan ? You've seemed less yeah go look at this howto / man page 
 and more *stab stab* die recently ...

  Questions like why are you so mean can't be answered with read this
man page.  They require careful analysis.  Though the incidence of such
complaints did go down after Section 5 was added to the top-level README.

  Alan DeKok.


RE: FreeRADIUS vs Windows VISTA clients

2007-07-09 Thread tnt
Thanks Arran,

Is there a doc that will shed some light on the procedure for enabling
support for a VISTA client?
(I am referring to PPTP connections.)

Again, thanx for the reply.

/Crowley

PPTP will work (with Vista as well) out of the box. It should use
MS-CHAPv2 which is enabled by default in Freeradius. Store cleartext
password and you will be fine.

Ivan Kalik
Kalik Informatika ISP



Re: SQL IP Pool maximum timeout.

2007-07-09 Thread Dave
Hugh Messenger wrote:
 On Behalf Of Dave said:
   
 Yes accounting is working well from the NAS
 

 Are you sure the NAS is sending 'interim update' accounting packets, not
 just start/stop?

   

My NAS is currently NOT sending interim updates, but there is an option 
to use that; I just wasn't sure what it did or how it would apply to me, 
but it makes sense that it extends the lease time. Do all NASes send 
interim updates? On the DSL side of my operation I don't see any interim 
updates until the user logs off (or lost carrier) (this is a proxied 
operation to me). I don't have control of that NAS, only my wireless NAS.






ldap auth based on user acc and dialupaccess attr

2007-07-09 Thread Jacob Jarick
Hello,
I'm currently trying to setup FR to authenticate a user / machine
regardless of password, provided that the account exists and that
DialupAccess = 1.  I'm a bit stuck atm because I do not know how to
ignore the passwd failing the ldap check.

In the end I hope to have the ldap check if dialup access is allowed,
if it is then check if user / pass is correct via ntlm. Once I have
ldap working as I want it to then I will add ntlm auth.

Running gentoo with 2.6.20 kernel
freeradius 1.1.6
windows 2003 server
radiusd.conf


Re: ldap auth based on user acc and dialupaccess attr

2007-07-09 Thread Jacob Jarick
Forgot to paste the radiusd.conf url - http://pastebin.ca/611795
