proxy reply attribute

2007-09-20 Thread Aren Chua

Hi,
 
I do have a question about the proxy reply attribute.
Where should I set/change attributes like Session-Timeout and Idle-Timeout
after the proxy authentication is accepted?
 
Thank you.
 
Regards,
Aren Chua
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: proxy reply attribute

2007-09-20 Thread A . L . M . Buxey
Hi,
 
 Hi,
  
 I do have a question about the proxy reply attribute. 
 Where should i set/change the attribute like Session-Timeout and Idle-Timeout 
 after the proxy authentication accepted?

Wherever you set replies, e.g. post-proxy could fire up an SQL query or
Perl script. You could also use attr_rewrite or attr_filter to
change a remote server's return value.

alan


Problems of Radius service

2007-09-20 Thread eakaphop
Now, I have 3 problems with freeradius on my radius server:

1.  If I enter the service radiusd reload command in Linux, then the
freeradius process dies.
2.  Sometimes, I enter the radtest command and then there is no response
from the service (the process was running at that time).
3.  After I installed mod_auth_radius in Apache and completed the
configuration, Apache can't connect to radius.

 

** Note I use Linux Fedora Core 6, Apache 2.2.4  and freeradius 1.1.7-3


RE: proxy reply attribute

2007-09-20 Thread Aren Chua

Hi Alan
 
Thank you for the reply.
Could you provide some examples of attr_rewrite and attr_filter?
I have looked for some wiki on the freeradius site, but still do not
understand how to use them.
 
 
Regards,
Aren Chua

 Date: Thu, 20 Sep 2007 09:45:08 +0100
 From: [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Subject: Re: proxy reply attribute

 Hi,

  Hi,

  I do have a question about the proxy reply attribute.
  Where should i set/change the attribute like Session-Timeout and Idle-Timeout
  after the proxy authentication accepted?

 wherever you set replies eg post-proxy could fire up an SQL query or
 Perl script. you could also use attr_rewrite or attr_filter to
 change a remote servers return value

 alan

Re: Problems of Radius service

2007-09-20 Thread A . L . M . Buxey
Hi,

 1.If I enter service radiusd reload command in linux than freeradius
 process dead.
 2.Sometime, I enter radtest command than no response from service
 (process was running in that time)
 3.After I install mod_auth_radius to apache and configure complete but
 apache can't connect radius.

Well, 2 and 3 occur because of number 1. But if the server is running
at the time then you have to check e.g. firewall rules or SELinux reports.

For number 1 - does the daemon have the rights to read its config
files and to write its config files - e.g. the user/group that you run
radiusd as - when you run as root in debug mode it happily
writes/reads what it wants.

alan


data limit in Mikrotik with Freeradius and Mysql

2007-09-20 Thread ravi sawant
Hi

Does anyone have a solution for limiting users by data traffic? I have a
working setup of Mikrotik with freeradius and mysql.

I have searched on the net and found one solution, but I can put a limit of
max 4 GB data. After 4 GB the counter resets to 0. I know
the reason for that. It's because the values stored in the protocol are 32 bits
only.

Awaiting your reply.

Thanks & Regards,
Ravin

Re: data limit in Mikrotik with Freeradius and Mysql

2007-09-20 Thread tnt
Upgrade to 1.1.7 or:

http://www.netexpertise.eu/en/FreeRadius/GigaWordsSupport.html

Ivan Kalik
Kalik Informatika ISP


On 20/9/2007, ravi sawant [EMAIL PROTECTED] wrote:

Hi

Does anyone have solution for limiting users with data traffic. I have
working setup of Mikrotik with freeradius and mysql.

Have searched on net and found one solution but I can put limit to max 4 GB
data. After 4 GB the counter resets to 0. I know
the reason of that. It's b'coz of the values stored in protocol are 32 bits
only.

Awaiting your reply.

Thanks  Regards,
Ravin
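
The 4 GB reset discussed in this thread comes from the 32-bit Acct-Input-Octets and Acct-Output-Octets counters; RFC 2869 adds Acct-Input-Gigawords and Acct-Output-Gigawords, which count how many times each counter has wrapped. The following is an added example, not code from the thread or from FreeRADIUS, showing how a quota check rebuilds the full total; the record layout, function names and 10 GiB limit are assumptions, and the sample records are constructed.

```python
"""Rebuild 64-bit usage from RADIUS accounting counters (added example)."""

WRAP = 1 << 32  # Acct-*-Octets are 32-bit values and wrap at 4 GiB


def total_octets(record, direction):
    """Combine Acct-<direction>-Gigawords (number of wraps) with
    Acct-<direction>-Octets (low 32 bits). A missing Gigawords attribute
    counts as 0, which is what a NAS or server without support reports."""
    octets = int(record.get(f"Acct-{direction}-Octets", 0))
    gigawords = int(record.get(f"Acct-{direction}-Gigawords", 0))
    if not 0 <= octets < WRAP:
        raise ValueError(f"Acct-{direction}-Octets outside 32-bit range: {octets}")
    if gigawords < 0:
        raise ValueError(f"Acct-{direction}-Gigawords is negative: {gigawords}")
    return gigawords * WRAP + octets


def session_usage(record):
    """Bytes moved in both directions for one accounting Stop record."""
    return total_octets(record, "Input") + total_octets(record, "Output")


def over_quota(records, limit_bytes):
    """Return {user: total_bytes} for users whose summed sessions exceed the limit."""
    usage = {}
    for rec in records:
        user = rec["User-Name"]
        usage[user] = usage.get(user, 0) + session_usage(rec)
    return {user: used for user, used in usage.items() if used > limit_bytes}


# Constructed sample accounting Stop records (hypothetical users).
SAMPLE_RECORDS = [
    # 6 GiB sent to the user: one wrap plus 2 GiB left in the 32-bit counter.
    {"User-Name": "alice", "Acct-Output-Gigawords": 1,
     "Acct-Output-Octets": 2 * 1024**3, "Acct-Input-Octets": 100 * 1024**2},
    # 5 GiB sent to the user in a second session.
    {"User-Name": "alice", "Acct-Output-Gigawords": 1,
     "Acct-Output-Octets": 1024**3, "Acct-Input-Octets": 0},
    # The same kind of 6 GiB session reported without Gigawords: it looks
    # like 2 GiB, so a limit above 4 GB can never be reached.
    {"User-Name": "bob", "Acct-Output-Octets": 2 * 1024**3,
     "Acct-Input-Octets": 100 * 1024**2},
]

LIMIT = 10 * 1024**3  # assumed quota of 10 GiB

if __name__ == "__main__":
    for user, used in over_quota(SAMPLE_RECORDS, LIMIT).items():
        print(f"{user}: {used / 1024**3:.2f} GiB used, over the limit")
```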





EAP (PEAP) problem with MS Win XP

2007-09-20 Thread WAYNE VANDERMERWE
** High Priority **
** Reply Requested When Convenient **

Hi,

I have configured freeradius ver 1.1.5 on an MS XP box. I need to authenticate
and authorize MS Windows XP clients (people connect to an Access Point managed
by a 3Com wireless switch). I have set up the Windows boxes for EAP-PEAP and MSCHAP.

Here are the results from the debug:
 
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: ../etc/raddb/proxy.conf
Config:   including file: ../etc/raddb/clients.conf
Config:   including file: ../etc/raddb/snmp.conf
Config:   including file: ../etc/raddb/eap.conf
 main: prefix = ..
 main: localstatedir = ../var
 main: logdir = ../var/log/radius
 main: libdir = ../lib
 main: radacctdir = ../var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = ../var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = ../var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = ../sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is ../lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = crypt
 pap: auto_header = yes
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = ../var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = ../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.pem
 tls: certificate_file = ../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.crt
 tls: CA_file = ../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-CA.crt
 tls: private_key_password = demo
 tls: dh_file = ../etc/raddb/certs/FreeRADIUS.net/DemoCerts/dh
 tls: random_file = ../etc/raddb/certs/FreeRADIUS.net/DemoCerts/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = %{User-Name}
 tls: cipher_list = (null)
 tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = md5
 ttls: copy_request_to_tunnel = yes
 ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = ../etc/raddb/huntgroups
 preprocess: hints = ../etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = yes
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: 

Re: EAP (PEAP) problem with MS Win XP

2007-09-20 Thread Donny Jekels
Wayne, why don't you do your EAP-PEAP authentication from a Linux box?
You would make your life so much easier.

Re: New dictionary for huawei-3com

2007-09-20 Thread Alan DeKok
Krzysztof Olędzki wrote:
 Hello,
 
 3Com is now also using #25506 (H3C - huawei-3com) vendor attribute in a
 new firmware (3.3.0) for 3c5500G switches. This patch adds appropriate
 dictionary and also moves hp to be properly sorted.

  Added, thanks.

  Alan DeKok.


Re: EAP (PEAP) problem with MS Win XP

2007-09-20 Thread A . L . M . Buxey
Hi,
 ** High Priority **
 ** Reply Requested When Convenient **

What? This isn't a paid-for service. Answers given on this mailing list
are given in community spirit. However, should you wish to take
any of us on in a consulting role for usual financial reimbursements
under contractual agreement on a commercial basis then I am sure that such
requests would be taken for granted.

So, PEAP isn't working. Have you tested from a non-Windows box to ensure
that you haven't fallen foul of the usual EAP problems - as clearly noted
at the top of eap.conf?

If so, then I would be concerned by this in the debug:


 modcall: entering group authenticate for request 0
 rlm_eap: Identity does not match User-Name, setting from EAP Identity.
   rlm_eap: Failed in handler
   modcall[authenticate]: module eap returns invalid for request 0
 modcall: leaving group authenticate (returns invalid) for request 0
 auth: Failed to validate the user.
 Login incorrect: [53986067/no User-Password attribute] (from client 
 elhc-network port 0 cli 00-0F-CB-FA-D4-63)


What are you doing with the User-Name and/or identity? You can't play with those
packets as it breaks EAP. The debug also looks worryingly short. You should
post the whole debug. Also, HOW are you authenticating the users? You
don't have ntlm_auth set and LDAP doesn't seem to be doing anything... I fear
very very much that you have some Auth-Type := EAP in your users file
or something worse! Please post your config files.

Oh, and don't hurry, I'm certainly not demanding an urgent response.

alan


unsubscribe

2007-09-20 Thread Jacob Jarick
Thanks for all the help guys, I'm no longer using freeradius at work.
Big thanks to everyone (excluding Alan Dekok, sorry we had our diff).

Take it easy.

unsubscribe


unsubscribe

2007-09-20 Thread John Wan
Thanks for all the help guys, I'm no longer using freeradius at work.
Big thanks to everyone (excluding Alan Dekok...)

unsubscribe


John Wan

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Jacob Jarick
 Sent: Friday, 21 September 2007 1:27 PM
 To: FreeRadius users mailing list
 Subject: unsubscribe
 
 thanks for all the help guys, Im no longer using freeradius at work.
 Big thanks to every1 (excluding Alan Dekok, sorry we had our diff).
 
 Take it easy.
 
 unsubscribe