Re: Question about forum
Hi, there is a history of this mailing list, but searching something is a nightmare. IMHO a forum would be great for that.

forums suck imho

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question about forum
[EMAIL PROTECTED] wrote:

Hi, there is a history of this mailing list, but searching something is a nightmare. IMHO a forum would be great for that.

forums suck imho

alan

Second that. It's a shame we had so many spammers on the wiki... Else the general user community could still contribute to it.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: Question about forum
Nicholas Hall wrote:

What's wrong with sharing your experiences with the list? Adding a forum will be just another place I'll have to check to get my FreeRADIUS fix.

That's right, a forum wouldn't be a great idea. But this list shouldn't be a replacement for the Wiki either. So whenever we find solutions to problems or undocumented features of FreeRADIUS, this should IMHO go into the Wiki.

JB
rlm_perl and RLM_MODULE_REJECT
Hi, I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function (post_proxy) I return RLM_MODULE_REJECT, I can see this in the log:

modcall[post-proxy]: module perl1 returns reject for request 1

... but my request is still accepted: Access-Accept, not Access-Reject! How do I do that? Thanks.

--
Jean-Michel Caricand
Tél: 03.81.66.20.63
E-mail: [EMAIL PROTECTED]
Equipe systèmes
Laboratoire d'Informatique de l'Université de Franche-Comté
16, route de Gray - 25030 BESANÇON CEDEX
Re: rlm_perl and RLM_MODULE_REJECT
It doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you need pre_proxy? From the radiusd.conf file:

#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.

Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002

On Jan 25, 2008, at 11:52 AM, Jean-Michel Caricand wrote:

I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function (post_proxy) I return RLM_MODULE_REJECT I can see this in the log:
Re: Question about forum
Ok. A forum sometimes isn't the best solution. A WIKI is a good option because you'll find all you need without too much off topic.

On Jan 25, 2008 10:18 AM, JB [EMAIL PROTECTED] wrote:

Nicholas Hall wrote:

What's wrong with sharing your experiences with the list? Adding a forum will be just another place I'll have to check to get my FreeRADIUS fix.

That's right, a forum wouldn't be a great idea. But this list shouldn't be a replacement for the Wiki either. So whenever we find solutions to problems or undocumented features of FreeRADIUS, this should IMHO go into the Wiki.

JB
Re: UserName, Password + MAC authentication using Cisco's BBSM 5.3
1. Use Cleartext-Password with := as stated in the server documentation.

2. Post the output of radiusd -X. It's likely that the format for the MAC address is wrong. It can have : for delimiters or no delimiters at all.

3. That's not how you end user sessions on any device, Cisco or otherwise. Putting your head in the sand will not make it go away.

4. You use Login-Time, not Expiration, for that.

Ivan Kalik
Kalik Informatika ISP

On 25/1/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hello, I'm using Freeradius 1.1.17 version with Cisco's BBSM, with a MySQL database too. I'm storing usernames and passwords in the MySQL db. For now, authentication is OK. I want to check the MAC address of users while they are authenticating. In my radcheck table:

+----+----------+--------------------+----+-------------------+
| id | UserName | Attribute          | op | Value             |
+----+----------+--------------------+----+-------------------+
|  3 | java     | Password           | == | password          |
| 18 | java     | Calling-Station-Id | == | aa-bb-cc-dd-ee-ff |
+----+----------+--------------------+----+-------------------+

Also, BBSM's SNMP is enabled, so I can get users' MAC addresses. I want the RADIUS server to check username, password and MAC address at the same time when the user authenticates. Without Calling-Station-Id, authentication is OK. When I add Calling-Station-Id, the user cannot authenticate. In which table do I enter this attribute?

Also, I cannot close or deactivate a user session when I want to. When I remove it from the BBSM MySQL db, the session is still open. Or can I set an expiration time at 03 o'clock every day? Could someone help me about these?
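Ivan's points 1 and 2, as an added example that is not part of the thread or of FreeRADIUS's own code: the radcheck rows written the way he describes (Cleartext-Password with :=, Calling-Station-Id with ==) and a normaliser that brings the MAC formats a NAS may send (colon, hyphen, Cisco dotted, or no delimiter) to one form before the comparison, so the stored value matches what radiusd -X shows in the request. The rows, the sample requests and the outcome strings are constructed; check_user() is a stand-alone model of how == and := items in radcheck are evaluated, not the server's rlm_sql code. One caveat for anyone copying the idea: Calling-Station-Id is whatever the NAS reports, so a matching MAC raises the bar against a stolen password but is no defence against a client that sets its own MAC.

```python
import hmac
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value, delimiter="-"):
    """Canonicalise the MAC formats a NAS may put in Calling-Station-Id.

    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and
    aabbccddeeff. Returns lower case with `delimiter` between octets, or
    None if the value is not a MAC at all (a dial-up NAS sends a phone
    number here, for example).
    """
    digits = re.sub(r"[:\-.]", "", value.strip().lower())
    if not HEX12.match(digits):
        return None
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed radcheck rows. The password uses Cleartext-Password with :=
# (a control item the server verifies against); the MAC uses == so it is
# compared with the request attribute rather than assigned. Stored in one
# fixed format so the comparison below never depends on NAS formatting.
RADCHECK = [
    {"id": 3, "username": "java", "attribute": "Cleartext-Password",
     "op": ":=", "value": "password"},
    {"id": 18, "username": "java", "attribute": "Calling-Station-Id",
     "op": "==", "value": normalize_mac("aa-bb-cc-dd-ee-ff")},
]


def check_user(username, request, rows=RADCHECK):
    """Model of radcheck evaluation for one user.

    Every == item must match the request (MACs are normalised first);
    := items become control attributes. The password is then verified
    against the Cleartext-Password control item.
    """
    control = {}
    for row in rows:
        if row["username"] != username:
            continue
        if row["op"] == ":=":
            control[row["attribute"]] = row["value"]
        elif row["op"] == "==":
            got = request.get(row["attribute"])
            if row["attribute"] == "Calling-Station-Id" and got is not None:
                got = normalize_mac(got)
            if got != row["value"]:
                return "reject: %s mismatch" % row["attribute"]
    if "Cleartext-Password" not in control:
        return "reject: no password configured"
    supplied = request.get("User-Password", "")
    # Constant-time comparison so the check does not leak prefix matches.
    if not hmac.compare_digest(supplied.encode(), control["Cleartext-Password"].encode()):
        return "reject: bad password"
    return "accept"


if __name__ == "__main__":
    # Constructed requests: the NAS sends the MAC colon-separated and upper case.
    print(check_user("java", {"User-Password": "password",
                              "Calling-Station-Id": "AA:BB:CC:DD:EE:FF"}))
    print(check_user("java", {"User-Password": "password",
                              "Calling-Station-Id": "aa-bb-cc-dd-ee-01"}))
```

The normaliser is applied on the way into the table as well as at check time, which is what makes the stored value and the request comparable regardless of which NAS produced it.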
Re: rlm_perl and RLM_MODULE_REJECT
It doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you need pre_proxy? From the radiusd.conf file:

#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.

Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom

On Jan 25, 2008, at 11:52 AM, Jean-Michel Caricand wrote:

I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function (post_proxy) I return RLM_MODULE_REJECT I can see this in the log:

But I must check some attributes defined by my home server. I can't check them in pre_proxy because they are not set, no? I want to reject the access if, for example, the Framed-IP-Address is not in a valid range. Thanks.
Re: Question about forum
We have a wiki. You are welcome to contribute...

-Peter

On Fri 25 Jan 2008, Marinko Tarlac wrote:

Ok. A forum sometimes isn't the best solution. A WIKI is a good option because you'll find all you need without too much off topic.

On Jan 25, 2008 10:18 AM, JB [EMAIL PROTECTED] wrote:

Nicholas Hall wrote:

What's wrong with sharing your experiences with the list? Adding a forum will be just another place I'll have to check to get my FreeRADIUS fix.

That's right, a forum wouldn't be a great idea. But this list shouldn't be a replacement for the Wiki either. So whenever we find solutions to problems or undocumented features of FreeRADIUS, this should IMHO go into the Wiki.

JB

--
Peter Nixon
http://peternixon.net/
Multiple accounting requests crash the server
Hi all,

I am seeing a strange situation. I receive an accounting-stop request from a NAS, and FreeRADIUS (1.1.7 against Oracle) updates the corresponding radacct record. However, the NAS is not receiving the ack, and thus re-sends the stop request. On the second request, FreeRADIUS tries to do an update query again, and then an insert query, with the stop message details (i.e. only a stop time, reason idle-timeout, etc.), which fails. After the third request from the NAS (and corresponding update followed by insert), Oracle throws a unique constraint violation error, and the server freezes.

Questions:

1. Why is FreeRADIUS failing to see that this request was already acknowledged, i.e. it has been updated on the database, and just send an ACK, rather than trying to insert a new record?

2. Why does FreeRADIUS freeze on an SQL error from Oracle? Should it not just log the error and carry on about its business? I am finding my server freezing every few days due to these issues, for example, if a query takes too long to run, or a trigger fails to execute. Is FreeRADIUS against Oracle more fragile than, say, MySQL?

Cheers,
Mike
Re: rlm_perl and RLM_MODULE_REJECT
Try with RLM_MODULE_FAIL in post_proxy.

Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002

On Jan 25, 2008, at 12:35 PM, Jean-Michel Caricand wrote:

It doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you need pre_proxy? From the radiusd.conf file:

#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.

On Jan 25, 2008, at 11:52 AM, Jean-Michel Caricand wrote:

I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function (post_proxy) I return RLM_MODULE_REJECT I can see this in the log:

But I must check some attributes defined by my home server. I can't check them in pre_proxy because they are not set, no? I want to reject the access if, for example, the Framed-IP-Address is not in a valid range. Thanks.
Re: rlm_perl and RLM_MODULE_REJECT
On Friday 25 January 2008 12:55, Boian Jordanov wrote:

Try with RLM_MODULE_FAIL in post_proxy.

On Jan 25, 2008, at 12:35 PM, Jean-Michel Caricand wrote:

It doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you need pre_proxy? From the radiusd.conf file:

#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.

On Jan 25, 2008, at 11:52 AM, Jean-Michel Caricand wrote:

I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function (post_proxy) I return RLM_MODULE_REJECT I can see this in the log:

But I must check some attributes defined by my home server. I can't check them in pre_proxy because they are not set, no? I want to reject the access if, for example, the Framed-IP-Address is not in a valid range. Thanks.

With RLM_MODULE_FAIL, I get these messages:

modcall[post-proxy]: module perl1 returns fail for request 0
modcall: leaving group post-proxy (returns fail) for request 0
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:42610, id=123, length=71
Discarding duplicate request from client localhost:42610 - ID: 123 due to unfinished request 0
--- Walking the entire request list ---
Waking up in 28 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:42610, id=123, length=71
Discarding duplicate request from client localhost:42610 - ID: 123 due to unfinished request 0
--- Walking the entire request list ---
Waking up in 25 seconds...

--
Jean-Michel Caricand
Tél: 03.81.66.20.63
E-mail: [EMAIL PROTECTED]
Equipe systèmes
Laboratoire d'Informatique de l'Université de Franche-Comté
16, route de Gray - 25030 BESANÇON CEDEX
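The check Jean-Michel describes, as an added example that is not part of the thread, of rlm_perl or of FreeRADIUS: the decision a post_proxy hook should make about the home server's reply, written in Python so it runs stand-alone. In rlm_perl the same logic reads %RAD_REPLY{'Framed-IP-Address'} and returns one of the RLM_MODULE_* constants defined in rlm_perl's example.pl; the numeric values used here are those constants. The allowed address pools, the sample replies and the is_accept flag are constructed assumptions. Whether the server then turns the hook's return code into an Access-Reject is a separate matter; the thread shows that the poster's 1.x server did not, and the function below only decides what the hook should return.

```python
import ipaddress

# Module return codes as defined in rlm_perl's example.pl.
RLM_MODULE_REJECT = 0
RLM_MODULE_OK = 2
RLM_MODULE_NOOP = 7

# RFC 2865 section 5.8: these two Framed-IP-Address values are not real
# addresses but instructions ("NAS selects" / "user selects").
NAS_SELECTS = ipaddress.IPv4Address("255.255.255.254")
USER_SELECTS = ipaddress.IPv4Address("255.255.255.255")

# Constructed policy: the only addresses the home server may hand out.
ALLOWED_POOLS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.21.8.0/22"),
]


def post_proxy(reply, allowed=ALLOWED_POOLS, is_accept=True, log=None):
    """Decide what a post_proxy hook returns for one home-server reply.

    `reply` is a dict of reply attributes (in rlm_perl: %RAD_REPLY).
    `is_accept` says whether the home server sent Access-Accept; the hook
    has nothing to vet in a reject or challenge, so it stays out of the way.
    The check fails closed: a missing, malformed, delegated or out-of-pool
    address is rejected, so a misconfigured or hostile home server cannot
    put a user on an address this proxy never meant to allow.
    """
    log = log if log is not None else []
    if not is_accept:
        return RLM_MODULE_NOOP

    value = reply.get("Framed-IP-Address")
    if value is None:
        log.append("post_proxy: Access-Accept without Framed-IP-Address, rejecting")
        return RLM_MODULE_REJECT
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        log.append(f"post_proxy: malformed Framed-IP-Address {value!r}, rejecting")
        return RLM_MODULE_REJECT
    if addr in (NAS_SELECTS, USER_SELECTS):
        # Policy choice (an assumption of this example): the proxy wants a
        # concrete address it can vet, not a delegation to the NAS or user.
        log.append(f"post_proxy: delegated address {addr}, rejecting")
        return RLM_MODULE_REJECT
    if not any(addr in pool for pool in allowed):
        log.append(f"post_proxy: {addr} is outside the allowed pools, rejecting")
        return RLM_MODULE_REJECT
    return RLM_MODULE_OK


if __name__ == "__main__":
    # Constructed replies from a home server.
    messages = []
    for reply in ({"Framed-IP-Address": "10.20.5.7"},
                  {"Framed-IP-Address": "192.168.1.10"},
                  {}):
        rc = post_proxy(reply, log=messages)
        print(reply, "->", rc)
    print("\n".join(messages))
```

Keeping the range check in post_proxy rather than pre_proxy is the point of the thread: the address is chosen by the home server, so it only exists in the reply. The log list stands in for radiusd's own logging so the reasons for each reject are visible when the function is exercised outside the server.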
SSH-login authentication, using Active Directory credentials.
Hi;

For a long time now, I have been trying to unify the login credentials in a heterogeneous environment. While I am aware of the few available options, I have decided against them, for varied reasons.

In the last few days, I have been able to produce the effect which I desired, using pam_radius_auth and IAS. All is well, and I am able to SSH-login using my Active Directory login credentials. But before I take this to production, I would like to know if this approach is safe - the IAS setting that works says "Unencrypted authentication (PAP)". From here http://lists.cistron.nl/pipermail/freeradius-users/2006-July/055010.html, I understand that pam_radius_auth 'encrypts' the password. But if a user has the privileges to change the /etc/raddb/server file (and point it to a freeradius server), wouldn't he/she be able to siphon off the credentials?

Our setup would disallow direct 'root' logins over SSH. However, once the user logs in using his/her credentials, they would then be allowed to do a sudo or a privilege escalation, thereby opening the possibility of a /etc/raddb/server edit. I know worse things can happen with superuser privileges; however, I am not worried about the bad that can happen to the client machines.

Is there a better way, using RADIUS? Please suggest. If this query is a rerun, pointers/references would do.

Thank you.

Regards,
suraj.
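What "encrypts the password" amounts to in this setup, as an added example that is not part of the thread, of pam_radius_auth or of FreeRADIUS: PAP over RADIUS carries User-Password hidden with the RFC 2865 section 5.2 method, an MD5 keystream derived from the shared secret and the Request Authenticator, and both the authenticator and the hidden value travel in the clear. The functions below implement that method stand-alone and then parse a constructed /etc/raddb/server in the "server[:port] secret [timeout]" layout pam_radius_auth reads, to make the point that whoever can read that file holds the secret and therefore can recover every password seen on the wire (the secret, password, authenticator and host name are all constructed).

```python
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide `password` as an Access-Request carries it (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 octets; block i is XORed
    with MD5(secret + previous block), the first "previous block" being the
    16-octet Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: the next keystream block depends on this ciphertext
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password from a captured Access-Request.

    Only the shared secret is needed: the authenticator and the hidden
    attribute are both on the wire, so the secret is the whole protection.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def parse_pam_radius_server(text: str):
    """Parse /etc/raddb/server lines: 'server[:port] secret [timeout]', '#' comments.

    Port and timeout are left as None when absent rather than guessing the
    module's defaults. Every secret in this file is exactly what
    reveal_password() needs.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed line: {line!r}")
        host, _, port = parts[0].partition(":")
        entries.append({
            "host": host,
            "port": int(port) if port else None,
            "secret": parts[1].encode(),
            "timeout": int(parts[2]) if len(parts) > 2 else None,
        })
    return entries


if __name__ == "__main__":
    # Constructed values: the authenticator would be random per request.
    secret, auth = b"testing123", bytes(range(16))
    wire = hide_password(b"Correct Horse Battery Staple", secret, auth)
    print(wire.hex())
    cfg = parse_pam_radius_server("# server[:port] secret timeout\nias.corp.example:1812 testing123 3\n")
    print(reveal_password(wire, cfg[0]["secret"], auth))
```

The practical reading of Suraj's question follows from the two functions: the hiding is keyed obfuscation, not encryption that the user lacks a key for, and anyone with write access to /etc/raddb/server can both read the secret and redirect the client to a server they control. The mitigations are outside this snippet: keep the file root-owned and unreadable by others, restrict who can reach root, and carry RADIUS over a channel that does not rely on this construction (IPsec or RadSec) where the network is not trusted.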
Re: eap and users file
users file and EAP-TTLS + PAP schema can work together?

Yes. In 2.0.1 you can divert EAP requests to one virtual server, others to a different virtual server that will be doing ldap auth, ...

Ivan Kalik
Kalik Informatika ISP
eap and users file
I have only this entry in the users file:

DEFAULT Auth-Type := Accept

radiusd -X:

users: Matched entry DEFAULT at line 1

but it still tries to authenticate against ldap. So the question is: users file and EAP-TTLS + PAP schema can work together?

thanks
Re: Multiple accounting requests crash the server [update]
Update to the problem: the accounting-stop alternate query is actually an INSERT, not an UPDATE, by default, which actually surprises me, as in case of a duplicate packet, an INSERT into a properly unique-indexed table is doomed. I have now simply changed the -alt into an UPDATE query, so it would also not affect any record, but at least will not cause Oracle to balk.

My only problem now is how to make sure FreeRADIUS does not freeze upon an SQL error.

Cheers,
Mike

Mother wrote:

Hi all,

I am seeing a strange situation. I receive an accounting-stop request from a NAS, and FreeRADIUS (1.1.7 against Oracle) updates the corresponding radacct record. However, the NAS is not receiving the ack, and thus re-sends the stop request. On the second request, FreeRADIUS tries to do an update query again, and then an insert query, with the stop message details (i.e. only a stop time, reason idle-timeout, etc.), which fails. After the third request from the NAS (and corresponding update followed by insert), Oracle throws a unique constraint violation error, and the server freezes.

Questions:

1. Why is FreeRADIUS failing to see that this request was already acknowledged, i.e. it has been updated on the database, and just send an ACK, rather than trying to insert a new record?

2. Why does FreeRADIUS freeze on an SQL error from Oracle? Should it not just log the error and carry on about its business? I am finding my server freezing every few days due to these issues, for example, if a query takes too long to run, or a trigger fails to execute. Is FreeRADIUS against Oracle more fragile than, say, MySQL?

Cheers,
Mike
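The failure Mike describes and the fix he chose, as an added example that is not part of the thread or of FreeRADIUS's own sql.conf: a constructed radacct table in SQLite and the server's two-step stop handling (an UPDATE that closes an open session, then an "alternate" query when that UPDATE matched nothing) with three candidate alternate queries. A blind INSERT breaks on the retransmitted Stop because the unique index is violated; an UPDATE, which is Mike's change, makes the retransmit harmless but silently discards a Stop whose Start was never recorded; an INSERT guarded by NOT EXISTS is both idempotent and lossless. The schema, the queries and the sample packets are constructed, and Oracle's behaviour of freezing on the error is not reproduced. The security point is the one a practitioner cares about: a NAS that never sees the ACK, or anyone replaying captured accounting packets, can drive the server down the failing path, so the stop path has to be idempotent.

```python
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY,
    acctsessionid      TEXT NOT NULL,
    nasipaddress       TEXT NOT NULL,
    username           TEXT,
    acctstarttime      TEXT,
    acctstoptime       TEXT,
    acctsessiontime    INTEGER,
    acctterminatecause TEXT
);
CREATE UNIQUE INDEX radacct_session ON radacct (acctsessionid, nasipaddress);
"""

START_QUERY = """INSERT INTO radacct (acctsessionid, nasipaddress, username, acctstarttime)
VALUES (:sid, :nas, :user, :ts)"""

# Closes an open session only; a retransmitted Stop matches zero rows here.
STOP_QUERY = """UPDATE radacct SET acctstoptime = :ts, acctsessiontime = :stime,
    acctterminatecause = :cause
WHERE acctsessionid = :sid AND nasipaddress = :nas AND acctstoptime IS NULL"""

# Candidate "alternate" queries, run only when STOP_QUERY changed no row.
ALT_QUERIES = {
    # Blind insert (what Mike found as the default): fails on a duplicate Stop.
    "insert": """INSERT INTO radacct (acctsessionid, nasipaddress, username,
    acctstoptime, acctsessiontime, acctterminatecause)
VALUES (:sid, :nas, :user, :ts, :stime, :cause)""",
    # Mike's change: harmless on a duplicate, but a Stop with no Start is lost.
    "update": """UPDATE radacct SET acctstoptime = :ts, acctsessiontime = :stime,
    acctterminatecause = :cause
WHERE acctsessionid = :sid AND nasipaddress = :nas AND acctstoptime IS NULL""",
    # Idempotent and lossless: a stop-only row is created only if none exists.
    "insert_if_missing": """INSERT INTO radacct (acctsessionid, nasipaddress, username,
    acctstoptime, acctsessiontime, acctterminatecause)
SELECT :sid, :nas, :user, :ts, :stime, :cause
WHERE NOT EXISTS (SELECT 1 FROM radacct
                  WHERE acctsessionid = :sid AND nasipaddress = :nas)""",
}


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def acct_start(conn, pkt):
    conn.execute(START_QUERY, pkt)
    conn.commit()


def acct_stop(conn, pkt, alt="insert_if_missing"):
    """Mirror the server's stop handling and report what happened."""
    cur = conn.execute(STOP_QUERY, pkt)
    if cur.rowcount == 1:
        conn.commit()
        return "closed"
    try:
        cur = conn.execute(ALT_QUERIES[alt], pkt)
    except sqlite3.IntegrityError:
        conn.rollback()
        return "integrity_error"  # the unique-constraint failure Mike saw
    conn.commit()
    return "inserted" if cur.rowcount == 1 else "ignored"


def open_sessions(conn):
    return conn.execute("SELECT COUNT(*) FROM radacct WHERE acctstoptime IS NULL").fetchone()[0]


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]


if __name__ == "__main__":
    # Constructed packets: one Start, then the same Stop delivered three times.
    conn = new_db()
    start = {"sid": "8001A2", "nas": "192.0.2.10", "user": "alice", "ts": "2008-01-25 10:00:00"}
    stop = dict(start, ts="2008-01-25 10:30:00", stime=1800, cause="Idle-Timeout")
    acct_start(conn, start)
    for alt in ("insert", "insert", "update", "insert_if_missing"):
        print(alt, "->", acct_stop(conn, stop, alt=alt))
    print("rows:", row_count(conn), "open:", open_sessions(conn))
```

The guard in the third alternate is the property that matters: the same Stop packet, delivered any number of times, leaves the table in the same state, while a Stop for a session whose Start was lost still gets recorded.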
Re: Hello, and a (hopefully) simple question
That's a very valid point, however we do all the CPE configuration ourselves. The customer, as a rule, does not have access to the PPPoE settings. I think the message they would get is going to say something like "There is a problem with your internet connection. Please call blahblahblah to resolve the problem..." Simple and effective :-)

Vlad

On Jan 25, 2008 11:45 AM, Alex Moen [EMAIL PROTECTED] wrote:

So, what would be the difference between a customer who was disconnected, and one who cannot remember his/her password (yeah, this never happens, right?) There would be no differentiation, and customers who have simply forgotten their password may be upset when you tell them they are disconnected. Might want to remember that when you write your web page. Just my $.10...

Alex

Vlad Sedov wrote:

Well, what I'm trying to do is accept the session whether the password is correct or not, but if it's not correct, assign Framed-IP-Address from a different IP pool, so our firewall downstream from the NAS can redirect their HTTP traffic to a payment site.

Vlad

On Jan 25, 2008 11:27 AM, JB [EMAIL PROTECTED] wrote:

If it's just a message you want to display, you could use the Reply-Message attribute. Of course, your access controller would have to know how to handle this attribute.

JB

Marinko Tarlac wrote:

radius will reply whatever you need but you need to tell him what you want. For example, if you're using mysql, when a user account expires you can add him to a specific group, and the group attributes you can set in the radgroupreply table (ip pool, tx, rx limit etc.)

On Jan 25, 2008 6:18 PM, Vlad Sedov [EMAIL PROTECTED] wrote:

Hey folks. Right now, we use freeradius to authenticate simple pap/chap PPP clients. When a username/password is rejected, radius simply sends back a reject message to the NAS. Is it possible to change this behavior so that a failed auth attempt gets accepted with an alternate IP pool instead of being rejected? The idea is to force suspended users through a web proxy that tells them that they have a billing issue, instead of rejecting their connection altogether. Any help would be appreciated.

Vlad
Re: certificates in FR 2.0.1 on windows doesnt works
And that is good. Windows doesn't need to know who issued that certificate, only the radius server does.

Ivan Kalik
Kalik Informatika ISP

On 25/1/2008, orion [EMAIL PROTECTED] wrote:

It's not a problem that windows says about the client certificate "the issuer of this certificate cannot be found"? Can the certificate be used in this case?

On 25/01/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

2) or only ca certificate + client certificate? In the second case the linkage between the ca and client doesn't exist (as you said, the server is the issuer of the client's certificate).

Link is not needed. Server checks the client certificate to see if it's issued by the server (certificate). Client checks server certificate to see if it's issued by a known and trusted CA. Nothing checks client certificate against the CA.

Ivan Kalik
Kalik Informatika ISP
Re: Thank you and Diameter question
Raj Patel wrote:

Has anyone else been using it? I will be happy for some feedback.

Honestly, I've never seen much use for Diameter. Not that I'm biased, but I'd like to know what real-world problem it solves. Most requirements for Diameter are political or commercial, not technical.

Alan DeKok.
Re: iCHAP?
Kevin J wrote:

Does anybody know about iCHAP?

Nope.

Alan DeKok.
Thank you and Diameter question
Hi People,

First, thank you. I have been reading this mailing list for some time and I have found it a great source of help. I want to share some info with you and then ask a question.

We are slowly moving here into Java and starting to have Diameter requirements. I found OpenBloX Java Diameter a great source of help (I think it's GPL) and it seems to meet our requirements (http://sourceforge.net/projects/openblox/). Has anyone else been using it? I will be happy for some feedback. I guess this is the right place for feedback with so many AAA gurus around :) so sorry again for my post.

Thanks in advance,
RP
iCHAP?
Does anybody know about iCHAP?

Kevin,
Re: certificates in FR 2.0.1 on windows doesnt works
2) or only ca certificate + client certificate? In the second case the linkage between the ca and client doesn't exist (as you said, the server is the issuer of the client's certificate).

Link is not needed. Server checks the client certificate to see if it's issued by the server (certificate). Client checks server certificate to see if it's issued by a known and trusted CA. Nothing checks client certificate against the CA.

Ivan Kalik
Kalik Informatika ISP
Re: Force Auth-Type
Alan DeKok [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Markus Moeller wrote:

That was the only way I could get it to work. If I use update control anybody can login, whereas in my setup only a user who exists in ldap gets Auth-Type set to LDAP; all other users have an empty value and therefore can not authenticate.

The LDAP module setting Auth-Type to LDAP is a bit of a hack. I understand that you're depending on it, but the behavior may change in the future. It's changed (slightly) in the past, to fix some issues. It's better to have the policy *explicitly* state what you want.

I have changed my setup to use files and a users file together with a private radius attribute mapped to an ldap entry.

That's reasonable. It's a pretty simple fix to permit an empty ldap.attrmap definition.

In users I have:

DEFAULT user-location == LDN, Auth-Type := Reject
        Reply-Message = "You are not allowed to login"

DEFAULT Auth-Type := PAM

That should mostly work. In 2.0, it's much easier just to put that directly in a policy in a configuration file.

Unfortunately that does not work, as I never hit the first default statement in users despite having a user-location of LDN. What do I do wrong here? How can I use an ldap query result to deny/allow access?

if (%{ldap: stuff... } == bar) {
    ...
}

I didn't know that is possible. Where is this documented? I thought I read all FAQ and documentations.

The other question I have is about the AV pairs used. As far as I understand, freeradius uses request, reply, check_tmp, internal-only AV pairs. Is there a document which says which module uses which, for what purpose? Is there a process flow diagram somewhere describing how freeradius works? I understand:

1) client -> server sends a request AV pair
2) server processes first authorisation modules and if it fails, end?
3) server processes authentication modules and if it fails, end?
4) server -> client sends reply AV pair

What is the use of check(item) AV pairs? Is it to communicate between modules?

Alan DeKok.

Thank you
Markus
Re: one RADIUS server per realm setup
I see. I can, indeed, remove Auth-Type := LDAP from the users file and it still works. Cool!

However, the behavior described in the documentation is not what I'm seeing, and I'm still getting (contrary to what I said in my previous email) authorization requests not being proxied, even though I have, in my authorize section, the suffix directive previous to files and ldap, which is where I check the LDAP group.

If my realm is @hampshire.edu, everything works as I want it to, because it doesn't proxy. But when I try to authenticate as a fake user in my test proxy realm (I just want to see it try to proxy), it looks in the local LDAP database! Huh? It says it's preparing to proxy authentication, as it should... how do I make it either proxy authorization as well, or skip authorization for non-local domains? How should I go about this? I must be misunderstanding something. I don't want it to do anything locally if I've set it to proxy!

I get the following relevant output from freeradius -X:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 34022, id=118, length=66
        User-Name = [EMAIL PROTECTED]
        User-Password = passwowrd
        NAS-IP-Address = 172.20.66.104
        NAS-Port = 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: Looking up realm testdomain.edu for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm testdomain.edu
    rlm_realm: Adding Stripped-User-Name = dude
    rlm_realm: Proxying request from user dude to realm testdomain.edu
    rlm_realm: Adding Realm = testdomain.edu
    rlm_realm: Preparing to proxy authentication request to realm testdomain.edu
++[suffix] returns updated
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.hampshire.edu:389, authentication 0
rlm_ldap: bind as uid=tu, ou=account, dc=hampshire, dc=edu/tp to ldap.hampshire.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 219
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dude
        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> [EMAIL PROTECTED]
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 118 to 127.0.0.1 port 34022
        Reply-Message = Only current faculty, staff or students are allowed to log in.
Waking up in 4.9 seconds.
Cleaning up request 0 ID 118 with timestamp +2
Ready to process requests.

Alan DeKok wrote:

Wm. Josiah Erikson wrote:

# Setting Auth-Type = LDAP is ALMOST ALWAYS WRONG. We
# really can't emphasize this enough.

Uh. OK. That's exactly what I'm doing, and it's working :)

Then it works. It's fine. That message is for the majority of people who force LDAP to be used for authentication, and then wonder why EAP doesn't work. Remember: LDAP is a
Re: Hello, and a (hopefully) simple question
Now that you mention it, the billing software _is_ getting replaced some time soon, but until then I have to hack radius as a workaround. Is it not possible to Fall-Through failed users to another section with its own pool and auth-type: accept?

Vlad

On Jan 25, 2008 12:16 PM, Andy Billington [EMAIL PROTECTED] wrote:

David - agreed. It's a workaround until the billing software can be modified (or replaced); in combination with an expiry_due check and also checking whether it's the billing system that made the change though, it's not a bad short-term workaround. Needs to be both of those checks though ;-)

Andy

On 25/01/2008, David Roze [EMAIL PROTECTED] wrote:

A trigger on the password field is a workaround. What about if he wants to change a user's password, or when it changes back to bring the connection back on? Changing the password is not the right way to reject a connection and everything possible should be done to change the software's behaviour.

David Roze
---
http://www.netexpertise.eu

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Billington
Sent: 25 January 2008 18:58
To: FreeRadius users mailing list
Subject: Re: Hello, and a (hopefully) simple question

Vlad, are the passwords changed _by the billing system_ for any other reason? You could use a trigger on the table to make a corresponding change on the usergroup when the billing system changes the password.

Better though might just be to have an "Expiry Due?" column added to the users, and then have "if expiry_due AND if password changed, then change usergroup" triggered. You'll have to have a way to keep track of expiration dates and so on.

Vlad, are the passwords changed by the billing system for any other reason? You could use a trigger on the table to make a corresponding change on the usergroup when a billing system changes the password.

Better though might just be to have an "Expired Yes/No" column added to the users, and then have "if expired AND password changed, then change usergroup" triggered. You'll have to have a way to keep track of expiration dates and so on, but if the renewals are for a standard period (e.g. 12 months) then you could do:

a. if expiry_due and password changed, change usergroup (and hence ip etc)
b. if expired, password changed already and then password changed again, change usergroup back to normal on the assumption that the billing system has reset the password when payment was received. Reset expiry_due to today() plus 12 months.

Then again I'm probably looking at database level stuff when FreeRADIUS will provide a better way using the many bits of it I don't understand ;-)

Andy

On 25/01/2008, Vlad Sedov [EMAIL PROTECTED] wrote:

Well, what I'm trying to do is accept the session whether the password is correct or not, but if it's not correct, assign Framed-IP-Address from a different IP pool, so our firewall downstream from the NAS can redirect their HTTP traffic to a payment site.

Vlad

On Jan 25, 2008 11:27 AM, JB [EMAIL PROTECTED] wrote:

If it's just a message you want to display, you could use the Reply-Message attribute. Of course, your access controller would have to know how to handle this attribute.

JB

Marinko Tarlac wrote:

radius will reply whatever you need but you need to tell him what you want. For example, if you're using mysql, when a user account expires you can add him to a specific group, and the group attributes you can set in the radgroupreply table (ip pool, tx, rx limit etc.)

On Jan 25, 2008 6:18 PM, Vlad Sedov [EMAIL PROTECTED] wrote:

Hey folks. Right now, we use freeradius to authenticate simple pap/chap PPP clients. When a username/password is rejected, radius simply sends back a reject message to the NAS. Is it possible to change this behavior so that a failed auth attempt gets accepted with an alternate IP pool instead of being rejected? The idea is to force suspended users through a web proxy that tells them that they have a billing issue, instead of rejecting their connection altogether. Any help would be appreciated.

Vlad
Re: Hello, and a (hopefully) simple question
Vlad, are the passwords changed _by the billing system_ for any other reason? You could use a trigger on the table to make a corresponding change on the usergroup when the billing system changes the password. Better though might just be to have an "Expiry Due?" column added to the users, and then have "if expiry_due AND if password changed, then change usergroup" triggered. You'll have to have a way to keep track of expiration dates and so on

Vlad, are the passwords changed by the billing system for any other reason? You could use a trigger on the table to make a corresponding change on the usergroup when a billing system changes the password. Better though might just be to have an "Expired Yes/No" column added to the users, and then have "if expired AND password changed, then change usergroup" triggered. You'll have to have a way to keep track of expiration dates and so on, but if the renewals are for a standard period (e.g. 12 months) then you could do:
a. if expiry_due and password changed, change usergroup (and hence ip etc)
b. if expired, password changed already and then password changed again, change usergroup back to normal on assumption that billing system has reset password when payment received. Reset expiry_due to today() plus 12 months

Then again I'm probably looking at database level stuff when FreeRADIUS will provide a better way using the many bits of it I don't understand ;-)

Andy

On 25/01/2008, Vlad Sedov [EMAIL PROTECTED] wrote:
> Well, what I'm trying to do is accept the session whether the password is correct or not, but if it's not correct, assign Framed-IP-Address from a different IP pool, so our firewall downstream from the NAS can redirect their HTTP traffic to a payment site.
>
> Vlad
>
> On Jan 25, 2008 11:27 AM, JB [EMAIL PROTECTED] wrote:
>> If it's just a message you want to display, you could use the Reply-Message attribute. Of course, your access controller would have to know how to handle this attribute.
>>
>> JB
>>
>> Marinko Tarlac wrote:
>>> radius will reply whatever you need but you need to tell him what you want. For example, if you're using mysql, when a user account expires you can add him to a specific group, and the group attributes you can set in the radgroupreply table (ip pool, tx, rx limit etc.)
>>>
>>> On Jan 25, 2008 6:18 PM, Vlad Sedov [EMAIL PROTECTED] wrote:
>>>> Hey folks. Right now, we use freeradius to authenticate simple pap/chap PPP clients. When a username/password is rejected, radius simply sends back a reject message to the NAS. Is it possible to change this behavior so that a failed auth attempt gets accepted with an alternate IP pool instead of being rejected? The idea is to force suspended users through a web proxy that tells them that they have a billing issue, instead of rejecting their connection altogether. Any help would be appreciated
>>>>
>>>> Vlad
>>
>> JB
Re: SSH-login authentication, using Active Directory credentials.
Suraj,

You're better off kerberizing your unix environment and joining them with AD. This way you can have a full single sign-on environment, including samba file shares without entering usernames and passwords. This is what you need to do:

1) install SFU 3.5 on all your DCs
2) install openldap and mit kerberos on all your linux boxen
3) install samba
4) use the samba "net join" command to add your host to AD
5) install kerberized putty

done, enjoy

On Jan 25, 2008 7:57 AM, suraj shankar [EMAIL PROTECTED] wrote:
> --- Alan DeKok [EMAIL PROTECTED] wrote:
>> Any solution would have exactly the same security issues.
>
> Yes; I can understand and appreciate that. Thanks, Alan.
>
> Regards,
> suraj.
Re: Multiple accounting requests crash the server
Hi Alan,

Thanks for your answers, mine inline below:

Alan DeKok wrote:
> Mother wrote:
>> I am seeing a strange situation. I receive an accounting-stop request from a NAS, and FreeRADIUS (1.1.7 against Oracle) updates the corresponding radacct record. However, the NAS is not receiving the ack, and thus re-sends the stop request. On the second request, FreeRADIUS tries to do an update query again, and then, an insert query, with the stop message details (i.e. only a stop time, reason idle-timeout, etc.), which fails. Why?

As I mention in my update, an accounting-stop that uses the alternate default query will attempt an insert, not an update (I have a few new records in radacct with only a stop time after this episode, all with the same session ID). The reason the NAS was resending was that it was not receiving the confirmation back from FreeRADIUS, most likely due to a temporary network failure on a segment along the way.

>> After the third request from the NAS (and corresponding update followed by insert), Oracle throws a unique constraint violation error, and the server freezes. Weird.

Indeed - why it throws this after the third query is what gets me, as the unique constraint should have been hit right after the first update was done. I will investigate the timeline of events in more detail.

>> Questions:
>> 1. Why is FreeRADIUS failing to see that this request was already acknowledged, i.e. it has been updated on the database, and just sends an ACK, rather than trying to insert a new record?
>
> Because RADIUS doesn't work like that. Accounting requests are never re-sent, so *all* accounting requests are brand new, and have to be treated that way.

They are never re-sent? Then please tell one of the major European wireless ISPs about this, as they were hammering my server :) This is what they saw:

Fri Jan 25 10:31:10 2008: INFO: AuthRADIUS: No reply after 2 retransmissions to 80.33.137.68:1813 for [EMAIL PROTECTED] (25). Now have 1 consecutive failures over 0 seconds. Backing off for 30 seconds

Note that they are *not* using FreeRADIUS. In any case, I will adapt the queries as needed so that they don't hit a brick wall if I find conditions like this.

>> 2. Why does FreeRADIUS freeze on an SQL error from Oracle? Should it not just log the error and carry on about its business? I am finding my server freezing every few days due to these issues, for example, if a query takes too long to run, or a trigger fails to execute. Is FreeRADIUS against Oracle more fragile than say MySQL?
>
> I think that fewer people are using it that way.

Yes, I understand Oracle penetration in FreeRADIUS is tiny, but still.

> Perhaps you could try posting the error message, or run it under gdb to see why it's freezing.

These are the sanitized logs, with irrelevant crud cut out:

#1:
rad_recv: Accounting-Request packet from host X.X.X.X:46641, id=184, length=302
	User-Name = blah
	NAS-Port = 2
	NAS-Port-Type = Wireless-802.11
	NAS-Identifier = XX
	NAS-IP-Address = X.X.X.X
	Acct-Status-Type = Stop
	Calling-Station-Id = MAC
	Called-Station-Id = MAC
	Event-Timestamp = Jan 25 2008 10:49:13 CET
	Acct-Delay-Time = 955
	Acct-Session-Id = 59fdb3fd
	Acct-Authentic = RADIUS
	Acct-Session-Time = 343
	Acct-Input-Octets = 48365
	Acct-Input-Gigawords = 0
	Acct-Input-Packets = 199
	Acct-Output-Octets = 42343
	Acct-Output-Gigawords = 0
	Acct-Output-Packets = 248
	Acct-Terminate-Cause = Idle-Timeout
	Framed-IP-Address = 192.168.51.186
	WISPr-Location-Name = Address
	Vendor-18529-Attr-42 = 0x48455336373131
	Attr-103 = 0x4799b09a
	Attr-103 = 0x4799b09a
	WISPr-Location-ID = isocc=es,cc=34,ac=08080,network=SSID
UPDATE query (fails)
INSERT query (seems to take place)
rlm_sql (sql): Released sql socket id: 3
modcall[accounting]: module sql returns ok for request 0
modcall: leaving group accounting (returns ok) for request 0
Sending Accounting-Response of id 184 to X.X.X.X port 46641
Finished request 0

#2:
rad_recv: Accounting-Request packet from host X.X.X.X:46641, id=185, length=302
	User-Name = blah
	NAS-Port = 2
	NAS-Port-Type = Wireless-802.11
	NAS-Identifier = XXX
	NAS-IP-Address = X.X.X.X
	Acct-Status-Type = Stop
	Calling-Station-Id = MAC
	Called-Station-Id = MAC
	Event-Timestamp = Jan 25 2008 10:49:13 CET
	Acct-Delay-Time = 955
	Acct-Session-Id = 59fdb3fd
	Acct-Authentic = RADIUS
	Acct-Session-Time = 343
	Acct-Input-Octets = 48365
	Acct-Input-Gigawords = 0
	Acct-Input-Packets = 199
	Acct-Output-Octets = 42343
	Acct-Output-Gigawords = 0
	Acct-Output-Packets = 248
	Acct-Terminate-Cause = Idle-Timeout
	Framed-IP-Address = 192.168.51.186
	WISPr-Location-Name = Address
	Vendor-18529-Attr-42 = 0x48455336373131
	Attr-103 = 0x4799b05a
	Attr-103 = 0x4799b09b
	WISPr-Location-ID = isocc=es,cc=34,ac=08080,network=SSID
UPDATE query (fails)
INSERT
Re: SSH-login authentication, using Active Directory credentials.
--- Alan DeKok [EMAIL PROTECTED] wrote:
> Any solution would have exactly the same security issues.

Yes; I can understand and appreciate that. Thanks, Alan.

Regards,
suraj.
Re: IP Pool defined, but radius does not hand out an IP address.
Andrew D Kirch wrote:
> You might try putting it at the top of radiusd.conf

Done.

Alan DeKok.
Re: SSH-login authentication, using Active Directory credentials.
> Is there a better way, using radius?

No. Once the user is authenticated, radius has nothing to do with them (you say that they can increase privileges after authentication). Can't you put them in a jail?

Ivan Kalik
Kalik Informatika ISP
Re: Multiple accounting requests crash the server
> #1:
> rad_recv: Accounting-Request packet from host X.X.X.X:46641, id=184, length=302
> 	User-Name = blah
> 	NAS-Port = 2
> 	NAS-Port-Type = Wireless-802.11
> 	NAS-Identifier = XX
> 	NAS-IP-Address = X.X.X.X
> 	Acct-Status-Type = Stop
> 	Calling-Station-Id = MAC
> 	Called-Station-Id = MAC
> 	Event-Timestamp = Jan 25 2008 10:49:13 CET
> 	Acct-Delay-Time = 955
> 	Acct-Session-Id = 59fdb3fd
> 	Acct-Authentic = RADIUS
> 	Acct-Session-Time = 343
> 	Acct-Input-Octets = 48365
> 	Acct-Input-Gigawords = 0
> 	Acct-Input-Packets = 199
> 	Acct-Output-Octets = 42343
> 	Acct-Output-Gigawords = 0
> 	Acct-Output-Packets = 248
> 	Acct-Terminate-Cause = Idle-Timeout
> 	Framed-IP-Address = 192.168.51.186
> 	WISPr-Location-Name = Address
> 	Vendor-18529-Attr-42 = 0x48455336373131
> 	Attr-103 = 0x4799b09a
> 	Attr-103 = 0x4799b09a
> 	WISPr-Location-ID = isocc=es,cc=34,ac=08080,network=SSID
> UPDATE query (fails)
> INSERT query (seems to take place)
> rlm_sql (sql): Released sql socket id: 3
> modcall[accounting]: module sql returns ok for request 0
> modcall: leaving group accounting (returns ok) for request 0
> Sending Accounting-Response of id 184 to X.X.X.X port 46641
> Finished request 0

Did you find out why the UPDATE query failed? That's where the trouble started. INSERT takes much longer to do ...

Ivan Kalik
Kalik Informatika ISP
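The duplicate Stop this thread describes, replayed as an added example (not code from the thread or from FreeRADIUS): the update-then-insert path the poster saw beside a stop handler that recognises the retransmit from its own radacct state and just acknowledges it, on an in-memory sqlite stand-in for radacct. The packet dumps are constructed from the #1/#2 dumps quoted above with the NAS address replaced by a documentation address; `replay`, `naive_stop` and `idempotent_stop` are names chosen here, and the schema is a cut-down radacct, not the Oracle one from the thread.

```python
"""Replay a retransmitted Accounting-Stop against a radacct stand-in.
Constructed example: table, packets and handler names are assumptions,
not the FreeRADIUS 1.1.7 queries or the Oracle schema from the thread."""
import re
import sqlite3

# Constructed from the #1 dump quoted in the thread (NAS address replaced).
PACKET_1 = """rad_recv: Accounting-Request packet from host 192.0.2.10:46641, id=184, length=302
        User-Name = blah
        NAS-IP-Address = 192.0.2.10
        Acct-Status-Type = Stop
        Event-Timestamp = Jan 25 2008 10:49:13 CET
        Acct-Delay-Time = 955
        Acct-Session-Id = 59fdb3fd
        Acct-Session-Time = 343
        Acct-Input-Octets = 48365
        Acct-Output-Octets = 42343
        Acct-Terminate-Cause = Idle-Timeout
        Framed-IP-Address = 192.168.51.186
"""
# The retransmit (#2): same session, same stop data, only the packet id differs.
PACKET_2 = PACKET_1.replace("id=184", "id=185")

# Cut-down radacct. A unique index over (acctsessionid, nasipaddress), as an
# Oracle schema might carry, would turn the extra INSERT below into the
# constraint violation the thread reports; here it is left out so the
# duplicate row can be counted instead.
SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY AUTOINCREMENT,
    acctsessionid      TEXT NOT NULL,
    username           TEXT,
    nasipaddress       TEXT NOT NULL,
    acctstarttime      TEXT,
    acctstoptime       TEXT,
    acctsessiontime    INTEGER,
    acctinputoctets    INTEGER,
    acctoutputoctets   INTEGER,
    acctterminatecause TEXT,
    framedipaddress    TEXT
);
"""

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_packet(dump):
    """Turn a radiusd -X attribute dump into a dict attribute -> value."""
    attrs = {}
    for line in dump.splitlines():
        if line.startswith("rad_recv"):
            continue
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def _stop_values(pkt):
    return (pkt["Event-Timestamp"], int(pkt["Acct-Session-Time"]),
            int(pkt["Acct-Input-Octets"]), int(pkt["Acct-Output-Octets"]),
            pkt["Acct-Terminate-Cause"])

def _insert_stop_only(conn, pkt):
    # The "stop-only" row the thread describes: no start time at all.
    conn.execute(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress, acctstoptime,"
        " acctsessiontime, acctinputoctets, acctoutputoctets, acctterminatecause,"
        " framedipaddress) VALUES (?,?,?,?,?,?,?,?,?)",
        (pkt["Acct-Session-Id"], pkt["User-Name"], pkt["NAS-IP-Address"])
        + _stop_values(pkt) + (pkt["Framed-IP-Address"],))

def naive_stop(conn, pkt):
    """The behaviour the thread describes: UPDATE the still-open row, and if
    nothing matched fall back to an INSERT. A retransmit matches nothing
    (the row is already closed) and so lands in the INSERT."""
    cur = conn.execute(
        "UPDATE radacct SET acctstoptime=?, acctsessiontime=?, acctinputoctets=?,"
        " acctoutputoctets=?, acctterminatecause=?"
        " WHERE acctsessionid=? AND nasipaddress=? AND acctstoptime IS NULL",
        _stop_values(pkt) + (pkt["Acct-Session-Id"], pkt["NAS-IP-Address"]))
    if cur.rowcount:
        return "update"
    _insert_stop_only(conn, pkt)
    return "insert"

def idempotent_stop(conn, pkt):
    """RADIUS carries no retransmit flag, so the server decides from its own
    state: a session already closed with the same stop data is a duplicate
    and is only acknowledged; differing stop data is flagged, not written."""
    key = (pkt["Acct-Session-Id"], pkt["NAS-IP-Address"])
    row = conn.execute("SELECT acctstoptime, acctsessiontime FROM radacct"
                       " WHERE acctsessionid=? AND nasipaddress=?", key).fetchone()
    if row is None:                      # Start never arrived: keep the usage
        _insert_stop_only(conn, pkt)
        return "insert"
    if row[0] is not None:               # already closed
        same = row == (pkt["Event-Timestamp"], int(pkt["Acct-Session-Time"]))
        return "duplicate" if same else "conflict"
    conn.execute(
        "UPDATE radacct SET acctstoptime=?, acctsessiontime=?, acctinputoctets=?,"
        " acctoutputoctets=?, acctterminatecause=?"
        " WHERE acctsessionid=? AND nasipaddress=?", _stop_values(pkt) + key)
    return "update"

def replay(handler, packets, seed_start=True):
    """Run handler over the dumps on a fresh table; return the per-packet
    outcomes and how many radacct rows the session ends up with."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if seed_start:                       # constructed Start record for the session
        conn.execute("INSERT INTO radacct (acctsessionid, username, nasipaddress,"
                     " acctstarttime, framedipaddress) VALUES (?,?,?,?,?)",
                     ("59fdb3fd", "blah", "192.0.2.10",
                      "Jan 25 2008 10:43:30 CET", "192.168.51.186"))
    outcomes = [handler(conn, parse_packet(p)) for p in packets]
    rows = conn.execute("SELECT COUNT(*) FROM radacct WHERE acctsessionid=?",
                        ("59fdb3fd",)).fetchone()[0]
    conn.close()
    return outcomes, rows

if __name__ == "__main__":
    print("naive:     ", replay(naive_stop, [PACKET_1, PACKET_2]))
    print("idempotent:", replay(idempotent_stop, [PACKET_1, PACKET_2]))
```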
Re: simple Ldap-group search
I think you need to use Ldap-Group instead of myldap-Ldap-Group, or do you use do_xlat?

Markus

cxu [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Background: When a user associates with the ssid Guest, the user will authenticate against a FreeRadius server. If he has a university account, the FreeRadius server will authenticate him via LDAP. If he does not have a university account, the FreeRadius server will do the authentication with a guest account database.
>
> Goal: To reduce the chance of doing the LDAP search, the LDAP-group search is successful if the user is in the LDAP, no matter which LDAP group he is in.
>
> My shot and the problem: I am trying to do a wildcard search in the LDAP-Group search, but it looks like the wildcard does not work.
>
> Related entries in the file users, omitted
> DEFAULT Called-Station-Id =~ .*Guest, myldap-Ldap-Group == *, Autz-Type := Ldap1, Auth-Type := Ldap1
> DEFAULT Called-Station-Id =~ .*Guest, Group == guest, Autz-Type := Web, Auth-Type := System
> omitted
>
> Debug output, output omitted
> rlm_ldap: performing search in ou=people,dc=myuniv,dc=ca, with filter ((cn=*)(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUniqueNames)(uniquemember=
> output omitted
> rlm_ldap::groupcmp: Group * not found or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[files] returns noop
> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [cxu] (from client localhost port 0)
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
>
> Questions:
> 1. Is there any way to make the wildcard LDAP-group search work?
> 2. Whether unlang could be applied here and how?
> 3. Any advice?
>
> Thanks!
> Andrew
Re: certificates in FR 2.0.1 on windows doesnt works
orion wrote:
> the import of client.p12 is ok but it doesnt have a valid link it is ca-server-client

What does that mean?

> and the details of the server certificate tells that is not authorized to issue certificates .

Where does it say that? Which certificate tool are you using to look at the certificates?

> the client certificates tells that is issued by the server not by the ca.

Yes, that is supposed to happen.

> the question is : the client certificate should be issued by the server or by the ca?

Server.

> in fact after modified the Makefile and client.cnf and re-importing them in xp then the linkage is ok. ( ca-client )

That's not how it's supposed to work.

Alan DeKok.
Re: SSH-login authentication, using Active Directory credentials.
--- [EMAIL PROTECTED] wrote:
>> Is there a better way, using radius?
>
> No. Once the user is authenticated radius has nothing to do with them (you say that they can increase privileges after authentication). Can't you put them in a jail?

Yeah, I would eventually do that, if there is no 'better way'. But usually the App. administrators complain that they are crippled by insufficient privileges. So I am looking for something more creative ... :)

And so, what I really meant by a 'better way' was a way to tell pam_radius_auth to use a certificate instead of a PSK! ... or something like that ...

Hey, but thanks Ivan, for the suggestion - will lock them up, if I can't find a better way!

Regards,
suraj.
Re: one RADIUS server per realm setup
Wm. Josiah Erikson wrote:
>> # Setting Auth-Type = LDAP is ALMOST ALWAYS WRONG. We
>> # really can't emphasize this enough.
>
> Uh. OK. That's exactly what I'm doing, and it's working :)

Then it works. It's fine. That message is for the majority of people who force LDAP to be used for authentication, and then wonder why EAP doesn't work.

Remember: LDAP is a database. It's not an authentication server.

> However, is there a better way to do this that I'm not understanding? Why shouldn't I set Auth-Type := LDAP ?

You probably don't need to set it. If you simply deleted that from the users file, your configuration would probably still work.

Alan DeKok.
Sql_log against postgresql
Have 2.0 running against a Postgresql database. The sql_log code looks like it functions differently than the sql statements in the postgres driver (stop packets are another insert instead of an update). Has anyone already changed out the sql lines to match the way it works without sql_log? Don't see why it would be an issue... if you have, would you mind sharing it?

PS Nice to see the column names were corrected in 2.0 (between MySql and Postgresql schemas).

Thanks,
Roy
Re: Multiple accounting requests crash the server
Mother wrote:
> I am seeing a strange situation. I receive an accounting-stop request from a NAS, and FreeRADIUS (1.1.7 against Oracle) updates the corresponding radacct record. However, the NAS is not receiving the ack, and thus re-sends the stop request. On the second request, FreeRADIUS tries to do an update query again, and then, an insert query, with the stop message details (i.e. only a stop time, reason idle-timeout, etc.), which fails. Why? After the third request from the NAS (and corresponding update followed by insert), Oracle throws a unique constraint violation error, and the server freezes. Weird.
>
> Questions:
> 1. Why is FreeRADIUS failing to see that this request was already acknowledged, i.e. it has been updated on the database, and just sends an ACK, rather than trying to insert a new record?

Because RADIUS doesn't work like that. Accounting requests are never re-sent, so *all* accounting requests are brand new, and have to be treated that way.

> 2. Why does FreeRADIUS freeze on an SQL error from Oracle? Should it not just log the error and carry on about its business? I am finding my server freezing every few days due to these issues, for example, if a query takes too long to run, or a trigger fails to execute. Is FreeRADIUS against Oracle more fragile than say MySQL?

I think that fewer people are using it that way.

Perhaps you could try posting the error message, or run it under gdb to see why it's freezing.

Alan DeKok.
Re: eap and users file
theSnail wrote:
> I have only this entry in users file:
>
> DEFAULT Auth-Type := Accept
>
> radiusd -X
>
> users: Matched entry DEFAULT at line 1
>
> but it still try to authenticate against ldap. So the question is:

Why haven't you posted the entire output from radiusd -X ?

i.e. you configured the server to use LDAP, and it's doing what you told it to do. Because you don't understand what you've configured, you don't understand what it's doing.

> users file and EAP-ttls + PAP schema can work together?

Yes. Lots of people are doing that.

Alan DeKok.
Re: SSH-login authentication, using Active Directory credentials.
suraj shankar wrote:
> I understand that pam_radius_auth 'encrypts' the password. But if a user has the privileges to change the /etc/raddb/server file (and point it to a freeradius server), wouldn't he/she be able to siphon off the credentials?

Yes.

> Our setup would disallow direct 'root' logins, over SSH. However, once the user logs in using his/her credentials, they would then be allowed to do a sudo or a privileges escalation. Thereby, opening the possibility of a /etc/raddb/server edit.

So... why are you giving people root access if you don't trust them?

> I know worse things can happen with superuser privileges; however, I am not worried of the bad that can happen to the client machines.
>
> Is there a better way, using radius? Please suggest. If this query is a rerun, pointers/references would do. Thank you.

Any solution would have exactly the same security issues.

Alan DeKok.
Re: Question about forum
Yes, write to Peter Nixon and he will help you.

Ivan Kalik
Kalik Informatika ISP

On 25/1/2008, Marinko Tarlac [EMAIL PROTECTED] wrote:
> I would like to register too. Is there any chance for this?
>
> On Jan 25, 2008 5:37 PM, JB [EMAIL PROTECTED] wrote:
>> Peter Nixon wrote:
>>> We have a wiki. You are welcome to contribute...
>>
>> Account creation/free editing seems to be deactivated...
>>
>> Bye,
>> JB
Re: Hello, and a (hopefully) simple question
So, what would be the difference between a customer who was disconnected, and one who cannot remember his/her password (yeah, this never happens, right?)

There would be no differentiation, and customers who have simply forgotten their password may be upset when you tell them they are disconnected. Might want to remember that when you write your web page.

Just my $.10...

Alex

Vlad Sedov wrote:
> Well, what I'm trying to do is accept the session whether the password is correct or not, but if it's not correct, assign Framed-IP-Address from a different IP pool, so our firewall downstream from the NAS can redirect their HTTP traffic to a payment site.
>
> Vlad
>
> On Jan 25, 2008 11:27 AM, JB [EMAIL PROTECTED] wrote:
>> If it's just a message you want to display, you could use the Reply-Message attribute. Of course, your access controller would have to know how to handle this attribute.
>>
>> JB
>>
>> Marinko Tarlac wrote:
>>> radius will reply whatever you need but you need to tell him what you want. For example, if you're using mysql, when a user account expires you can add him to a specific group, and the group attributes you can set in the radgroupreply table (ip pool, tx, rx limit etc.)
>>>
>>> On Jan 25, 2008 6:18 PM, Vlad Sedov [EMAIL PROTECTED] wrote:
>>>> Hey folks. Right now, we use freeradius to authenticate simple pap/chap PPP clients. When a username/password is rejected, radius simply sends back a reject message to the NAS. Is it possible to change this behavior so that a failed auth attempt gets accepted with an alternate IP pool instead of being rejected? The idea is to force suspended users through a web proxy that tells them that they have a billing issue, instead of rejecting their connection altogether. Any help would be appreciated
>>>>
>>>> Vlad
>>
>> JB
Re: Hello, and a (hopefully) simple question
The only problem with this method is that our billing system is not (currently) capable of changing the usergroup when the account is suspended. All it does is change the password.

Vlad

On Jan 25, 2008 11:22 AM, Marinko Tarlac [EMAIL PROTECTED] wrote:
> radius will reply whatever you need but you need to tell him what you want. For example, if you're using mysql, when a user account expires you can add him to a specific group, and the group attributes you can set in the radgroupreply table (ip pool, tx, rx limit etc.)
>
> On Jan 25, 2008 6:18 PM, Vlad Sedov [EMAIL PROTECTED] wrote:
>> Hey folks. Right now, we use freeradius to authenticate simple pap/chap PPP clients. When a username/password is rejected, radius simply sends back a reject message to the NAS. Is it possible to change this behavior so that a failed auth attempt gets accepted with an alternate IP pool instead of being rejected? The idea is to force suspended users through a web proxy that tells them that they have a billing issue, instead of rejecting their connection altogether. Any help would be appreciated
>>
>> Vlad
Re: Question about forum
I would like to register too. Is there any chance for this?

On Jan 25, 2008 5:37 PM, JB [EMAIL PROTECTED] wrote:
> Peter Nixon wrote:
>> We have a wiki. You are welcome to contribute...
>
> Account creation/free editing seems to be deactivated...
>
> Bye,
> JB
Re: rlm_perl and RLM_MODULE_REJECT
Jean-Michel Caricand wrote:
> Well. I made a lot of tests without success. I'm not yet able to REJECT a request in a post_proxy function, but that works fine in an authorize function. Does someone have ideas ?

In 2.0, it looks like this isn't dealt with in src/main/event.c around line 1075. It's probably useful to add...

Alan DeKok.
Re: rlm_perl and RLM_MODULE_REJECT
On Friday 25 January 2008 12:55, Boian Jordanov wrote:
> Try with RLM_MODULE_FAIL in post_proxy
>
> Best Regards,
> Boian Jordanov
> SNE Orbitel - Next Generation Telecom
> tel. +359 2 4004 723
> tel. +359 2 4004 002
>
> On Jan 25, 2008, at 12:35 PM, Jean-Michel Caricand wrote:
>>> doesn't make sense to use RLM_MODULE_REJECT in post_proxy. May be you need pre_proxy ? From radius.conf file
>>>
>>> #
>>> # When the server decides to proxy a request to a home server,
>>> # the proxied request is first passed through the pre-proxy
>>> # stage. This stage can re-write the request, or decide to
>>> # cancel the proxy.
>>> #
>>> # Only a few modules currently have this method.
>>> #
>>>
>>> Best Regards,
>>> Boian Jordanov
>>> SNE Orbitel - Next Generation Telecom
>>> tel. +359 2 4004 723
>>> tel. +359 2 4004 002
>>>
>>> On Jan 25, 2008, at 11:52 AM, Jean-Michel Caricand wrote:
>>>> I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function (post_proxy) I return RLM_MODULE_REJECT I can see this in log :
>>
>> But I must check some attributes defined by my home server. I can't check them in pre_proxy because they are not set. No ? I want to reject the access if for example the Framed-IP-Address is not in a valid range. Thanks.

Well. I made a lot of tests without success. I'm not yet able to REJECT a request in a post_proxy function, but that works fine in an authorize function. Does someone have ideas ?

-- 
Jean-Michel Caricand
Tél: 03.81.66.20.63
E-mail: [EMAIL PROTECTED]
Equipe systèmes
Laboratoire d'Informatique de l'Université de Franche-Comté
16, route de Gray - 25030 BESANÇON CEDEX
Re: Question about forum
Peter Nixon wrote:
> We have a wiki. You are welcome to contribute...

Account creation/free editing seems to be deactivated...

Bye,
JB
Hello, and a (hopefully) simple question
Hey folks. Right now, we use freeradius to authenticate simple pap/chap PPP clients. When a username/password is rejected, radius simply sends back a reject message to the NAS. Is it possible to change this behavior so that a failed auth attempt gets accepted with an alternate IP pool instead of being rejected? The idea is to force suspended users through a web proxy that tells them that they have a billing issue, instead of rejecting their connection altogether. Any help would be appreciated

Vlad
Re: Hello, and a (hopefully) simple question
radius will reply whatever you need but you need to tell him what you want. For example, if you're using mysql, when a user account expires you can add him to a specific group, and the group attributes you can set in the radgroupreply table (ip pool, tx, rx limit etc.)

On Jan 25, 2008 6:18 PM, Vlad Sedov [EMAIL PROTECTED] wrote:
> Hey folks. Right now, we use freeradius to authenticate simple pap/chap PPP clients. When a username/password is rejected, radius simply sends back a reject message to the NAS. Is it possible to change this behavior so that a failed auth attempt gets accepted with an alternate IP pool instead of being rejected? The idea is to force suspended users through a web proxy that tells them that they have a billing issue, instead of rejecting their connection altogether. Any help would be appreciated
>
> Vlad
Re: Hello, and a (hopefully) simple question
If it's just a message you want to display, you could use the Reply-Message attribute. Of course, your access controller would have to know how to handle this attribute.

JB

Marinko Tarlac wrote:
> radius will reply whatever you need but you need to tell him what you want. For example, if you're using mysql, when a user account expires you can add him to a specific group, and the group attributes you can set in the radgroupreply table (ip pool, tx, rx limit etc.)
>
> On Jan 25, 2008 6:18 PM, Vlad Sedov [EMAIL PROTECTED] wrote:
>> Hey folks. Right now, we use freeradius to authenticate simple pap/chap PPP clients. When a username/password is rejected, radius simply sends back a reject message to the NAS. Is it possible to change this behavior so that a failed auth attempt gets accepted with an alternate IP pool instead of being rejected? The idea is to force suspended users through a web proxy that tells them that they have a billing issue, instead of rejecting their connection altogether. Any help would be appreciated
>>
>> Vlad

JB
RE: Hello, and a (hopefully) simple question
A trigger on the password field is a workaround. What about if he wants to change a user's password or when it changes back to bring the connection back on? Changing the password is not the right way to reject a connection and everything possible should be done to change the software's behaviour.

David Roze --- http://www.netexpertise.eu

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Billington
Sent: 25 January 2008 18:58
To: FreeRadius users mailing list
Subject: Re: Hello, and a (hopefully) simple question

Vlad, are the passwords changed _by the billing system_ for any other reason? You could use a trigger on the table to make a corresponding change on the usergroup when the billing system changes the password. Better though might just be to have an "Expiry Due?" column added to the users, and then have "if expiry_due AND if password changed, then change usergroup" triggered. You'll have to have a way to keep track of expiration dates and so on

Vlad, are the passwords changed by the billing system for any other reason? You could use a trigger on the table to make a corresponding change on the usergroup when a billing system changes the password. Better though might just be to have an "Expired Yes/No" column added to the users, and then have "if expired AND password changed, then change usergroup" triggered. You'll have to have a way to keep track of expiration dates and so on, but if the renewals are for a standard period (e.g. 12 months) then you could do:
a. if expiry_due and password changed, change usergroup (and hence ip etc)
b. if expired, password changed already and then password changed again, change usergroup back to normal on assumption that billing system has reset password when payment received. Reset expiry_due to today() plus 12 months

Then again I'm probably looking at database level stuff when FreeRADIUS will provide a better way using the many bits of it I don't understand ;-)

Andy

On 25/01/2008, Vlad Sedov [EMAIL PROTECTED] wrote:
> Well, what I'm trying to do is accept the session whether the password is correct or not, but if it's not correct, assign Framed-IP-Address from a different IP pool, so our firewall downstream from the NAS can redirect their HTTP traffic to a payment site.
>
> Vlad
>
> On Jan 25, 2008 11:27 AM, JB [EMAIL PROTECTED] wrote:
>> If it's just a message you want to display, you could use the Reply-Message attribute. Of course, your access controller would have to know how to handle this attribute.
>>
>> JB
>>
>> Marinko Tarlac wrote:
>>> radius will reply whatever you need but you need to tell him what you want. For example, if you're using mysql, when a user account expires you can add him to a specific group, and the group attributes you can set in the radgroupreply table (ip pool, tx, rx limit etc.)
>>>
>>> On Jan 25, 2008 6:18 PM, Vlad Sedov [EMAIL PROTECTED] wrote:
>>>> Hey folks. Right now, we use freeradius to authenticate simple pap/chap PPP clients. When a username/password is rejected, radius simply sends back a reject message to the NAS. Is it possible to change this behavior so that a failed auth attempt gets accepted with an alternate IP pool instead of being rejected? The idea is to force suspended users through a web proxy that tells them that they have a billing issue, instead of rejecting their connection altogether. Any help would be appreciated
>>>>
>>>> Vlad
>>
>> JB
Re: Hello, and a (hopefully) simple question
David - agreed. It's a workaround until the billing software can be modified (or replaced); in combination with an expiry_due check and also checking whether it's the billing system that made the change though, it's not a bad short-term workaround. Needs to be both of those checks though ;-)

Andy

On 25/01/2008, David Roze [EMAIL PROTECTED] wrote:
> A trigger on the password field is a workaround. What about if he wants to change a user's password, or when it changes back to bring the connection back on? Changing the password is not the right way to reject a connection and everything possible should be done to change the software's behaviour.
>
> David Roze
> ---
> http://www.netexpertise.eu
Re: certificates in FR 2.0.1 on windows doesnt works
I'm using the standard Windows MMC. After importing the CA and server certificates, the server certificate links to the CA certificate OK:

CA certificate
 |- server certificate

But when I import the client.p12 certificate, the linkage is:

CA certificate
 |- server certificate
     |- client certificate

At that moment the server part says (it is not allowed to issue certificates for others). So the server certificate is not allowed to issue certificates (in this case to issue the certificate for the server).

1) Is it necessary to import the server certificate + CA certificate + client certificate?
2) Or only the CA certificate + client certificate? In the second case the linkage between the CA and the client doesn't exist (as you said, the server is the issuer of the client's certificate).

On 25/01/2008, Alan DeKok [EMAIL PROTECTED] wrote:
> orion wrote:
>> the import of client.p12 is ok but it doesn't have a valid link; it is ca-server-client
>
> What does that mean?
>
>> and the details of the server certificate tell that it is not authorized to issue certificates.
>
> Where does it say that? Which certificate tool are you using to look at the certificates?
>
>> the client certificate tells that it is issued by the server, not by the ca.
>
> Yes, that is supposed to happen.
>
>> the question is: should the client certificate be issued by the server or by the ca?
>
> Server.
>
>> in fact after modifying the Makefile and client.cnf and re-importing them in xp, the linkage is ok. ( ca-client )
>
> That's not how it's supposed to work.
>
> Alan DeKok.
Re: certificates in FR 2.0.1 on windows doesnt works
Is it not a problem that Windows says about the client certificate: "the issuer of this certificate cannot be found"? Can the certificate be used in this case?

On 25/01/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> 2) Or only the CA certificate + client certificate? In the second case the linkage between the CA and the client doesn't exist (as you said, the server is the issuer of the client's certificate).
>
> Link is not needed. Server checks the client certificate to see if it's issued by the server (certificate). Client checks server certificate to see if it's issued by a *known and trusted* CA. Nothing checks client certificate against the CA.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: certificates in FR 2.0.1 on windows doesnt works
orion wrote:
> but when I import the client.p12 certificate the linkage is CA certificate |- server certificate |- client certificate. At that moment the server part says (it is not allowed to issue certificates for others).

There's no reason why the intermediate certificate can't issue a client certificate. And yes, you already said it complained about that. There's no reason to re-post a summary of that message. You were asked to post *specific* information.

> So the server certificate is not allowed to issue certificates (in this case to issue the certificate for the server).

Nonsense.

> 1) Is it necessary to import the server certificate + CA certificate + client certificate? 2) Or only the CA certificate + client certificate? In the second case the linkage between the CA and the client doesn't exist (as you said, the server is the issuer of the client's certificate).

A direct linkage doesn't exist, and doesn't need to exist. Windows has *zero* problems using such a client certificate for EAP-TLS. If you see an error message, then either the software you're using is broken, or you didn't understand the message it's producing.

Alan DeKok.
Re: certificates in FR 2.0.1 on windows doesnt works
orion wrote:
> Is it not a problem that Windows says about the client certificate: "the issuer of this certificate cannot be found"?

Thank you for FINALLY posting the REAL error message. It helps to post the REAL error message, because you can then get a REAL solution.

In this case, you didn't add the server certificate (or the CA certificate) into the root CA store. All of the documentation and howto's say you need to do this, so

Alan DeKok.
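As an added example (not code from the thread, and not FreeRADIUS's own certificate scripts), the shell script below reproduces the arrangement discussed above with openssl: a client certificate issued by the server certificate, which is in turn issued by the CA. It shows that a verifier holding only the CA cannot find the client certificate's issuer, and that the same verifier succeeds once the server certificate is supplied as an intermediate. File names, subjects and the scratch directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: build CA -> server -> client with openssl
# and show the effect of having (or not having) the server certificate
# available when the client certificate is verified. Names are constructed.

build_chain() {
  dir=$1
  mkdir -p "$dir"
  # Self-signed root CA (openssl req -x509 marks it CA:TRUE by default).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  # Server certificate, signed by the CA. It is marked as a CA itself so that
  # it may sign client certificates, which is the setup the thread discusses.
  printf 'basicConstraints=CA:TRUE\nkeyUsage=digitalSignature,keyCertSign\n' \
    > "$dir/server.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -set_serial 1 -days 365 -extfile "$dir/server.ext" -out "$dir/server.pem" >/dev/null 2>&1
  # Client certificate, signed by the server certificate rather than by the CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=user@example.test" \
    -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/server.pem" -CAkey "$dir/server.key" \
    -set_serial 2 -days 365 -out "$dir/client.pem" >/dev/null 2>&1
}

# Trust store holds the CA only: the client certificate's issuer (the server
# certificate) is unknown, so verification fails ("unable to get local issuer").
verify_ca_only() {
  openssl verify -CAfile "$1/ca.pem" "$1/client.pem" >/dev/null 2>&1
}

# Same trust store, but the server certificate is offered as an intermediate:
# the chain client -> server -> CA now completes and verification succeeds.
verify_with_intermediate() {
  openssl verify -CAfile "$1/ca.pem" -untrusted "$1/server.pem" "$1/client.pem" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  build_chain "$work"
  verify_ca_only "$work" && echo "CA only: verified" || echo "CA only: issuer not found"
  verify_with_intermediate "$work" && echo "CA + server cert: verified" || echo "CA + server cert: failed"
fi
```

Running the script with the argument `demo` prints the two outcomes; the same missing-intermediate condition is what produces "the issuer of this certificate cannot be found" in the Windows certificate viewer.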
Re: Hello, and a (hopefully) simple question
> Now that you mention it, the billing software _is_ getting replaced some time soon, but until then I have to hack radius as a workaround.

So alter groups and not passwords.

> Is it not possible to Fall-Through failed users to another section with its own pool and auth-type: accept?

Why? Just place a user in a suspend group (configured with that pool) and there is no need to fall through anything. And the users with wrong passwords will still be getting usual errors.

Ivan Kalik
Kalik Informatika ISP