Re: interfacing with ISC DHCP
James Lockie wrote:
> A pointer to a howto would be much appreciated.

There is no how-to because there's nothing to do. If you have DHCP already running, it will be used after the clients have been authenticated via RADIUS. The two processes are *completely* independent.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: probs with accounting Attribute Client-IP-Address was not
orion wrote:
> hi to all. I'm using FR 2.0.0 with default config. in debug mode i get
> rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent

Good point. The way that attribute is handled was changed in 2.0. I've committed a fix that should enable your existing configuration to work in 2.0.

You can grab CVS head, and replace the rlm_acct_unique.c file in 2.0.0 with the version from CVS. Re-build, re-install, and it should now work.

Alan DeKok.

Re: interfacing with ISC DHCP
This works by default. Just enter NAS details in clients.conf and username and password in users file.

Ivan Kalik
Kalik Informatika ISP

On 11/1/2008, James Lockie [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
>> Yes.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 10/1/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>>> Is it possible to authenticate with radius and then have ISC DHCP hand out an IP (etc)?
>
> A pointer to a howto would be much appreciated.

Re: LDAP Groups and EAP
Brian Wilson wrote:
> I am running Freeradius 1.1.0

Please upgrade to at least 1.1.7. It solves a lot of security issues, *and* helps with the problem you're seeing, too.

> When I try to authenticate, the radius server receives about 7 Access-requests.

That's the way EAP works.

> Notice that there is no additional call to ldap_group between the authorize and the resulting failure in the files module.

The *inner* tunnel session doesn't match a huntgroup.

> Is there something i'm missing in the configuration file?

I would suggest trying 2.0. The new virtual server feature should make this configuration much simpler. The new unlang feature should also simplify the writing of policies.

Alan DeKok.

Re: Message-Authenticator
Norbert Wegener wrote:
> In cvs from January 9th I noticed for the first time, that freeradius complains about packets without Message-Authenticator and ignores them:
> WARNING: Insecure packet from host 145.25.153.222: Packet does not contain required Message-Authenticator attribute
> How can freeradius be convinced to handle those packets?

It should...

> In clients.conf I have require_message_authenticator = no
> but the clients come from an sql database.

The default for that field is no, even for clients coming from SQL.

The only thing I can think of is that you did a cvs update which took the definition of that field, but didn't rebuild the SQL module, which depends on it.

Try doing a build from a clean CVS checkout, or from the 2.0.0 tarball.

Alan DeKok.

Re: probs with accounting Attribute Client-IP-Address was not
after replacing the rlm_acct_unique.c my debug tells :

rad_recv: Accounting-Request packet from host 192.168.2.225 port 1025, id=94, length=137
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 48
    NAS-Port-Type = Ethernet
    User-Name = user
    Calling-Station-Id = 00:D0:59:D9:13:61
    Called-Station-Id = service1
    NAS-Port-Id = ether3
    Acct-Session-Id = 8100
    Framed-IP-Address = 10.254.254.254
    Acct-Authentic = RADIUS
    Acct-Status-Type = Start
    NAS-Identifier = MikroTik
    NAS-IP-Address = 192.168.2.225
    Acct-Delay-Time = 0
+- entering group preacct
++[preprocess] returns ok
rlm_acct_unique: Hashing 'NAS-Port = 48,Client-IP-Address INVALID-TOKEN 192.168.2.225,NAS-IP-Address = 192.168.2.225,Acct-Session-Id = 8100,User-Name = user'

now it says INVALID-TOKEN. should i replace only that file or are other files ( maybe entire package ) to be replaced ?!

thanx

On 12/01/2008, Alan DeKok [EMAIL PROTECTED] wrote:
> orion wrote:
>> hi to all. I'm using FR 2.0.0 with default config. in debug mode i get
>> rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent
>
> Good point. The way that attribute is handled was changed in 2.0. I've committed a fix that should enable your existing configuration to work in 2.0.
>
> You can grab CVS head, and replace the rlm_acct_unique.c file in 2.0.0 with the version from CVS. Re-build, re-install, and it should now work.
>
> Alan DeKok.

Re: Problems with Prefix
On Sat, 12 Jan 2008, Alan DeKok wrote:
>> The hints file contains the following lines, which seem to at least somewhat work as the P is stripped and authentication succeeds.
>
> Note that this updates the *request*, not the *reply*.

Ahh. Okay. Thanks, this helps understanding the problem somewhat. And in fact, it seems to work after some major refactoring of the users file.

>> userPassword == whatever
>
> Please use: Cleartext-Password := ...

About the := operator, is it only needed for Cleartext-Password? What about Crypt-Password? There it seems to work with == as well as with :=.

regards,
andreas

Re: Message-Authenticator
Alan DeKok wrote:
> Norbert Wegener wrote:
>> In cvs from January 9th I noticed for the first time, that freeradius complains about packets without Message-Authenticator and ignores them:
>> WARNING: Insecure packet from host 145.25.153.222: Packet does not contain required Message-Authenticator attribute
>> How can freeradius be convinced to handle those packets?
>
> It should...
>
>> In clients.conf I have require_message_authenticator = no
>> but the clients come from an sql database.
>
> The default for that field is no, even for clients coming from SQL.
>
> The only thing I can think of is that you did a cvs update which took the definition of that field, but didn't rebuild the SQL module, which depends on it.
>
> Try doing a build from a clean CVS checkout, or from the 2.0.0 tarball.

Maybe that has been the problem. I took the rpms from http://download.opensuse.org/repositories/network:/aaa/openSUSE_10.2/i586/ and it works as expected.

Thanks.
Norbert Wegener

> Alan DeKok.

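The check behind the warning quoted in this thread, as an added example (not FreeRADIUS code and not part of any poster's message): per RFC 2869, Message-Authenticator (attribute 80) in an Access-Request is an HMAC-MD5 over the whole packet, keyed with the shared secret and computed with the attribute's 16 value bytes set to zero. The function names, the sample packet and the `require_message_authenticator` parameter (named after the clients.conf option discussed above) are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 section 5.14

def find_attribute(packet, wanted):
    """Return (value_offset, value_length) of the first `wanted` attribute, or None."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == wanted:
            return pos + 2, attr_len - 2
        pos += attr_len
    return None

def check_access_request(packet, secret, require_message_authenticator=False):
    """Return 'valid', 'invalid', 'missing-accepted' or 'missing-rejected'."""
    found = find_attribute(packet, MESSAGE_AUTHENTICATOR)
    if found is None:
        # Hypothetical mirror of the per-client setting discussed in the thread.
        return "missing-rejected" if require_message_authenticator else "missing-accepted"
    offset, value_len = found
    if value_len != 16:
        return "invalid"
    (length,) = struct.unpack("!H", packet[2:4])
    # HMAC-MD5 over the packet with the 16 value bytes replaced by zeros.
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "valid" if hmac.compare_digest(expected, packet[offset:offset + 16]) else "invalid"

def build_sample_request(secret, user=b"user", signed=True):
    """Constructed Access-Request (code 1, id 42, fixed authenticator) for the demo."""
    attrs = bytes([1, 2 + len(user)]) + user
    if signed:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    packet = bytearray(struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(range(16)) + attrs)
    if signed:
        packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)
```

A packet that carries the attribute with a wrong value is reported as invalid regardless of the `require_message_authenticator` argument; the argument only decides what happens when the attribute is absent.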
Re: LDAP Groups and EAP
hi,

I'd like to add into this that if you upgrade to 2.0 then the EAP is simpler and quicker - and your LDAP won't get hit with each request. it'll only get the bare required outside and then the essential inner tunnel stuff.

alan

help
hello i am given a project of installing freeRADIUS 1.1.7 on fedora core 7. i am unable to go next to the step radiusd -x

kindly tell me some method to install it please help i have installed fedora core 7 on VmWare 5.5 and that on windows xp. do i need more than one computer to install this. i am a student at university 3rd year BSc computer science help me please

Re: help
On 12/01/2008, adnan deura [EMAIL PROTECTED] wrote:
> hello i am given a project of installing freeRADIUS 1.1.7 on fedora core 7. i am unable to go next to the step radiusd -x kindly tell me some method to install it please help

http://wiki.freeradius.org/Build#Building_RedHat_packages

Same applies for Fedora. Worked well for me.

Although, does it have to be v 1.1.7? Version 2.0.0 is now out, and built fine for me on Fedora 8.

RE: Possible Spam : Low Spam probability - : Re: SQL Counter Problem
Thanks alan,

I have tested and it definitely seems to be a problem, the field is using a varchar(255) in sql I thought this was an issue but it is not.

Is there any way you could rebuild the sqlcounters for freeradius.net? have a compiled version already.

I have seen some mention about the sqlcounter being compiled using a traffic based option and not looking at the session time

Regards
Keith Dovale

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, January 11, 2008 2:41 PM
To: FreeRadius users mailing list
Subject: Possible Spam : Low Spam probability - : Re: SQL Counter Problem

Keith Dovale wrote:
> Is there a limitation with the SQLCounter routine using a value above 2,148,000,000 in the checkfield ? As if I set this value to anything below this figure the routine works as planned however if I go above this value it rejects the user as no available time.

The counters are 32 bits, so that is likely the source of the limitation.

> I am trying to use the sqlcounter to check to see if the user has available bandwidth and if so give them access, but this now limits me to this value. I am using the freeradius port for cygwin, can anyone help me out with this as I need to set this figure to above 30Mb value

30Mb should work. If you need 64-bit counters, the code will have to be modified.

Alan DeKok.

Re: probs with accounting Attribute Client-IP-Address was not
orion wrote:
> after replacing the rlm_acct_unique.c my debug tells :
> rad_recv: Accounting-Request packet from host 192.168.2.225
> ...Client-IP-Address INVALID-TOKEN
> now it says INVALID-TOKEN.

OK. Grab the latest version from CVS. I've fixed a typo.

Alan DeKok.

Re: Problems with Prefix
Andreas Thienemann wrote:
> About the := operator, is it only needed for Cleartext-Password? What about Crypt-Password? There it seems to work with == as well as with :=.

It's a hack to use '=='. Don't use it.

Alan DeKok.

Re: FreeBSD port for 2.0.0 (and a FreeRADIUS patch submission)
David Wood wrote:
> PATCH SUBMISSION - THREADING ISSUES
> [...]
> Firstly, for threading on FreeBSD you should just use -pthread (and not use -lpthread). There are different threading libraries available on FreeBSD; the OS does the correct thing if you just use -pthread.

-pthread vs -lpthread is a long discussion. If the configure script says -lpthread is supported, I think we can use it in all cases. (including FreeBSD) I'm unsure there's a need to make one more special case in the mainstream FreeRADIUS tree.

Moreover I note that -pthread has been removed from the pthread manpage.

> Secondly, it deals with the case where python is built with threads (as is now the default for python on FreeBSD). As I don't use rlm_python, I can't test whether it works after this patch, but rlm_python won't even build on FreeBSD without it.

I believe this is a problem with the python library. The linker should report the dependencies of libpython2.4.so. I've asked a friend who is running 7.0-CURRENT and it looks OK for him:

$ ldd /usr/local/lib/libpython2.4.so.1
/usr/local/lib/libpython2.4.so.1:
    libutil.so.6 => /lib/libutil.so.6 (0x800c24000)
    libm.so.4 => /lib/libm.so.4 (0x800d32000)
    libthr.so.2 => /lib/libthr.so.2 (0x800e4c000)
    libc.so.7 => /lib/libc.so.7 (0x800632000)

I don't see why you would need to add -pthread to the linker command line.

--
Nicolas Baradakis

Re: probs with accounting Attribute Client-IP-Address was not
grabbed the latest and installed. now it says

rlm_acct_unique: Hashing 'NAS-Port = 9,Client-IP-Address = 192.168.2.225,NAS-IP-Address = 192.168.2.225,Acct-Session-Id = 8160,User-Name = orioni'
rlm_acct_unique: Acct-Unique-Session-ID = 59cf7442060b83a6.

the Client-IP-Address is the same as NAS-IP-Address. in my clients.conf i have

client 192.168.2.0/24 {
    secret = sekret
    shortname = private
}

is this a bug or it should be like that ( Client-IP-Address same as NAS-IP-Address. ) ?

On 12/01/2008, Alan DeKok [EMAIL PROTECTED] wrote:
> orion wrote:
>> after replacing the rlm_acct_unique.c my debug tells :
>> rad_recv: Accounting-Request packet from host 192.168.2.225
>> ...Client-IP-Address INVALID-TOKEN
>> now it says INVALID-TOKEN.
>
> OK. Grab the latest version from CVS. I've fixed a typo.
>
> Alan DeKok.

Re: interfacing with ISC DHCP
Alan DeKok wrote:
> James Lockie wrote:
>> A pointer to a howto would be much appreciated.
>
> There is no how-to because there's nothing to do. If you have DHCP already running, it will be used after the clients have been authenticated via RADIUS. The two processes are *completely* independent.
>
> Alan DeKok.

I don't want them independent. :-)

DHCP can give out an IP first but I don't want the default gateway to work for THAT specific IP until the user has been authenticated with radius.

Re: interfacing with ISC DHCP
James Lockie wrote:
> I don't want them independent. :-)
> DHCP can give out an IP first but I don't want the default gateway to work for THAT specific IP until the user has been authenticated with radius.

Then you want a captive portal. This isn't a RADIUS problem.

Alan DeKok.

Re: help
adnan deura wrote:
> hello i am given a project of installing freeRADIUS 1.1.7 on fedora core 7. i am unable to go next to the step radiusd -x

radiusd is located in /usr/sbin so you can't just type radiusd unless /usr/sbin is in your path, which it won't unless you're root. Also, the radius server is normally started with an init script

% service radiusd start

To start on boot

% chkconfig radiusd on

> kindly tell me some method to install it please help i have installed fedora core 7 on VmWare 5.5 and that on windows xp. do i need more than one computer to install this. i am a student at university 3rd year BSc computer science help me please

The F-7 repositories have 1.1.5, the F-8 repositories have 1.1.7

% yum install freeradius\*

--
John Dennis [EMAIL PROTECTED]

Re: Cisco 10008 issue
Alex Moen [EMAIL PROTECTED] writes:
> Any advice would be welcome, and let me know if I need to send more detail...

Sounds like it's time to consider something else than Cisco. I can recommend Juniper ERXes for broadband aggregation. And they certainly work well with FreeRADIUS.

Oh, I hope the sales reps' boss didn't see this...

Bjørn

Re: probs with accounting Attribute Client-IP-Address was not
Hi,

> is this a bug or it should be like that ( Client-IP-Address same as NAS-IP-Address. ) ?

what makes you think they would be different? the client is your NAS, yes?

alan

Proxy requests based on Called-Id
Hello,

I want to proxy requests to different radius servers matching the Called-Id of the request instead of matching a realm attached to the username. Is this possible with freeradius?

Abel, Thanks.

Re: Proxy requests based on Called-Id
Yes.

DEFAULT Called-Station-Id == someNAS, Proxy-To-Realm := somerealm
DEFAULT Called-Station-Id == anotherNAS, Proxy-To-Realm := anotherrealm

Ivan Kalik
Kalik Informatika ISP

On 12/1/2008, Abel Alejandro [EMAIL PROTECTED] wrote:
> Hello,
> I want to proxy requests to different radius servers matching the Called-Id of the request instead of matching a realm attached to the username. Is this possible with freeradius?
> Abel, Thanks.
