Re: Question about forum

2008-01-25 Thread A.L.M. Buxey
Hi,
 There is a history of this mailing list, but searching something is a 
 nightmare. 
 
 Imho forum would be great for that.
 Sent from my BlackBerry® wireless device

forums suck imho

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Question about forum

2008-01-25 Thread Arran Cudbard-Bell

[EMAIL PROTECTED] wrote:

Hi,
  
There is a history of this mailing list, but searching something is a nightmare. 


Imho forum would be great for that.
Sent from my BlackBerry® wireless device



forums suck imho

alan
  
Second that. It's a shame we had so many spammers on the wiki... Else 
the general user community could still contribute to it.


--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Re: Question about forum

2008-01-25 Thread JB


Nicholas Hall wrote:
What's wrong with sharing your experiences with the list?  Adding a  
forum will be just another place I'll have to check to get my  
FreeRADIUS fix.


That's right, a forum wouldn't be a great idea.

But this list shouldn't be a replacement for the Wiki either. So  
whenever we find solutions to problems or undocumented features of  
FreeRadius, this should imho go into the Wiki.


JB



rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Jean-Michel Caricand
Hi,

I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function 
(post_proxy) I return RLM_MODULE_REJECT, I can see this in the log:

  modcall[post-proxy]: module perl1 returns reject for request 1

... but my request is still accepted: Access-Accept, not Access-Reject!

How do I do that?

Thanks.

-- 
Jean-Michel Caricand
Tel: 03.81.66.20.63
E-mail: [EMAIL PROTECTED]

Systems team
Laboratoire d'Informatique de l'Université de Franche-Comté
16, route de Gray - 25030 BESANÇON CEDEX



Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Boian Jordanov
It doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you
need pre_proxy?


From the radius.conf file:

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#


Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002




On Jan 25, 2008, at 11:52 AM, Jean-Michel Caricand wrote:


I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function
(post_proxy) I return RLM_MODULE_REJECT, I can see this in the log:




Re: Question about forum

2008-01-25 Thread Marinko Tarlac
OK. A forum sometimes isn't the best solution. A wiki is a good option because
you'll find all you need without too much off-topic.

On Jan 25, 2008 10:18 AM, JB [EMAIL PROTECTED] wrote:


 Nicholas Hall wrote:
  What's wrong with sharing your experiences with the list?  Adding a
  forum will be just another place I'll have to check to get my
  FreeRADIUS fix.

 That's right, a forum wouldn't be a great idea.

 But this list shouldn't be a replacement for the Wiki either. So
 whenever we find solutions to problems or undocumented features of
 FreeRadius, this should imho go into the Wiki.

 JB



Re: UserName, Password + MAC authentication using Cisco's BBSM 5.3

2008-01-25 Thread tnt
1. Use Cleartext-Password with := as stated in the server documentation.

2. Post the output of radiusd -X. It's likely that the format for the
MAC address is wrong. It can have : for delimiters or no delimiters at
all.

3. That's not how you end user sessions on any device, Cisco or
otherwise. Putting your head in the sand will not make it go away.

4. You use Login-Time not Expiration for that.

Ivan Kalik
Kalik Informatika ISP


On 25/1/2008, [EMAIL PROTECTED]
[EMAIL PROTECTED] writes:

Hello,

I'm using FreeRADIUS version 1.1.17 with Cisco's BBSM, with a MySQL database
too. I'm storing usernames and passwords in the MySQL db. For now, authentication
is OK. I want to check the MAC address of users while they are authenticating.
In my radcheck table:

+----+----------+--------------------+----+-------------------+
| id | UserName | Attribute          | op | Value             |
+----+----------+--------------------+----+-------------------+
|  3 | java     | Password           | == | password          |
| 18 | java     | Calling-Station-Id | == | aa-bb-cc-dd-ee-ff |
+----+----------+--------------------+----+-------------------+

Also, BBSM's SNMP is enabled, so I can get users' MAC addresses. I want the
RADIUS server to check username, password and MAC address at the same time
when the user authenticates. Without Calling-Station-Id, authentication is
OK. When I add Calling-Station-Id, the user cannot authenticate. In which
table do I enter this attribute?

Also, I cannot close or deactivate a user session when I want to. When I
remove it from the BBSM MySQL db, the session is still open. Or can I set an
expiration time at 3 o'clock every day?

Could someone help me with these?




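Ivan's points 1 and 2 above come down to two details of the radcheck rows: the password must be stored as Cleartext-Password with the := operator, and the Calling-Station-Id value must be spelled exactly the way the NAS sends it (delimiter and case), which is what the radiusd -X output reveals. The following is an added example, written for this page and not posted in the thread, that normalises a MAC address into the NAS's spelling and prints the two radcheck rows; the delimiter and case are assumed here (':' and uppercase) and must be taken from your own debug output.

```perl
# Added example (not from the thread): normalise a MAC address to the
# spelling the NAS sends and print the radcheck rows for a user.
use strict;
use warnings;

# Reduce any common MAC spelling (aa-bb-cc-dd-ee-ff, AA:BB:CC:DD:EE:FF,
# aabb.ccdd.eeff, aabbccddeeff) to twelve lowercase hex digits, or undef.
sub mac_canonical {
    my ($mac) = @_;
    return undef unless defined $mac;
    (my $hex = lc $mac) =~ s/[-:.]//g;
    return $hex =~ /^[0-9a-f]{12}$/ ? $hex : undef;
}

# Render the address as the NAS spells it: $delim between octets ('-', ':'
# or '' for none) and $upper for uppercase hex. Undef if not a MAC.
sub mac_format {
    my ($mac, $delim, $upper) = @_;
    my $hex = mac_canonical($mac);
    return undef unless defined $hex;
    my $out = join $delim, ($hex =~ /../g);
    return $upper ? uc $out : $out;
}

# Double single quotes so the value is safe inside a SQL string literal.
sub sql_quote {
    my ($v) = @_;
    (my $q = $v) =~ s/'/''/g;
    return "'$q'";
}

# Two radcheck rows: the password as a := check item and the MAC as a ==
# comparison, in the delimiter style and case the NAS uses. Dies on a bad MAC.
sub radcheck_rows {
    my ($user, $password, $mac, $delim, $upper) = @_;
    my $station = mac_format($mac, $delim, $upper);
    die "not a MAC address: $mac\n" unless defined $station;
    my ($u, $p, $m) = map { sql_quote($_) } ($user, $password, $station);
    return (
        "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ($u, 'Cleartext-Password', ':=', $p);",
        "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ($u, 'Calling-Station-Id', '==', $m);",
    );
}

# Constructed sample: the row from the thread, for a NAS (assumed here) that
# sends the address as AA:BB:CC:DD:EE:FF.
if (!caller) {
    print "$_\n" for radcheck_rows('java', 'password', 'aa-bb-cc-dd-ee-ff', ':', 1);
}
```

Run it once with the delimiter and case copied from the Calling-Station-Id line in radiusd -X, then load the printed statements; a stored value that differs only in case or delimiter from what the NAS sends will never match, which is exactly the "cannot authenticate" symptom described above.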


Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Jean-Michel Caricand
 It doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you
 need pre_proxy?

  From the radius.conf file:

 #
 #  When the server decides to proxy a request to a home server,
 #  the proxied request is first passed through the pre-proxy
 #  stage.  This stage can re-write the request, or decide to
 #  cancel the proxy.
 #
 #  Only a few modules currently have this method.
 #


 Best Regards,
 Boian Jordanov
 SNE
 Orbitel - Next Generation Telecom
 tel. +359 2 4004 723
 tel. +359 2 4004 002




 On Jan 25, 2008, at 11:52 AM, Jean-Michel Caricand wrote:

 I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function
 (post_proxy) I return RLM_MODULE_REJECT, I can see this in the log:



But I must check some attributes defined by my home server. I can't check
them in pre_proxy because they are not set, no?

I want to reject access if, for example, the Framed-IP-Address is not in
a valid range.

Thanks.



Re: Question about forum

2008-01-25 Thread Peter Nixon
We have a wiki. You are welcome to contribute...

-Peter

On Fri 25 Jan 2008, Marinko Tarlac wrote:
 OK. A forum sometimes isn't the best solution. A wiki is a good option because
 you'll find all you need without too much off-topic.

 On Jan 25, 2008 10:18 AM, JB [EMAIL PROTECTED] wrote:
  Nicholas Hall wrote:
   What's wrong with sharing your experiences with the list?  Adding a
   forum will be just another place I'll have to check to get my
   FreeRADIUS fix.
 
  That's right, a forum wouldn't be a great idea.
 
  But this list shouldn't be a replacement for the Wiki either. So
  whenever we find solutions to problems or undocumented features of
  FreeRadius, this should imho go into the Wiki.
 
  JB
 



-- 

Peter Nixon
http://peternixon.net/


Multiple accounting requests crash the server

2008-01-25 Thread Mother

Hi all,

I am seeing a strange situation. I receive an accounting-stop request 
from a NAS, and FreeRADIUS (1.1.7 against Oracle) updates the 
corresponding radacct record. However, the NAS is not receiving the ack, 
and thus re-sends the stop request. On the second request, FreeRADIUS 
tries to do an update query again, and then, an insert query, with the 
stop message details (i.e. only a stop time, reason idle-timeout, etc.), 
which fails. After the third request from the NAS (and corresponding 
update followed by insert), Oracle throws a unique constraint violation 
error, and the server freezes.


Questions:

1. Why is FreeRADIUS failing to see that this request was already 
acknowledged, i.e. it has been updated on the database, and just sends 
an ACK, rather than trying to insert a new record?


2. Why does FreeRADIUS freeze on an SQL error from Oracle? Should it not 
just log the error and carry on about its business? I am finding my 
server freezing every few days due to these issues, for example, if a 
query takes too long to run, or a trigger fails to execute. Is 
FreeRADIUS against Oracle more fragile than say MySQL?


Cheers,

Mike



Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Boian Jordanov

Try with RLM_MODULE_FAIL in post_proxy


Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002




On Jan 25, 2008, at 12:35 PM, Jean-Michel Caricand wrote:


It doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you
need pre_proxy?

 From the radius.conf file:

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#


Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002




On Jan 25, 2008, at 11:52 AM, Jean-Michel Caricand wrote:

I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function
(post_proxy) I return RLM_MODULE_REJECT, I can see this in the log:





But I must check some attributes defined by my home server. I can't check
them in pre_proxy because they are not set, no?

I want to reject access if, for example, the Framed-IP-Address is not in
a valid range.

Thanks.





Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Jean-Michel Caricand
On Friday 25 January 2008 12:55, Boian Jordanov wrote:
 Try with RLM_MODULE_FAIL in post_proxy


 Best Regards,
 Boian Jordanov
 SNE
 Orbitel - Next Generation Telecom
 tel. +359 2 4004 723
 tel. +359 2 4004 002

 On Jan 25, 2008, at 12:35 PM, Jean-Michel Caricand wrote:
  It doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you
  need pre_proxy?
 
   From the radius.conf file:
 
  #
  #  When the server decides to proxy a request to a home server,
  #  the proxied request is first passed through the pre-proxy
  #  stage.  This stage can re-write the request, or decide to
  #  cancel the proxy.
  #
  #  Only a few modules currently have this method.
  #
 
 
  Best Regards,
  Boian Jordanov
  SNE
  Orbitel - Next Generation Telecom
  tel. +359 2 4004 723
  tel. +359 2 4004 002
 
  On Jan 25, 2008, at 11:52 AM, Jean-Michel Caricand wrote:
  I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function
  (post_proxy) I return RLM_MODULE_REJECT, I can see this in the log:
 
 
  But I must check some attributes defined by my home server. I can't check
  them in pre_proxy because they are not set, no?
 
  I want to reject access if, for example, the Framed-IP-Address is not in
  a valid range.
 
  Thanks.
 


With RLM_MODULE_FAIL, I get these messages:

modcall[post-proxy]: module perl1 returns fail for request 0
modcall: leaving group post-proxy (returns fail) for request 0
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:42610, id=123, length=71
Discarding duplicate request from client localhost:42610 - ID: 123 due to unfinished request 0
--- Walking the entire request list ---
Waking up in 28 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:42610, id=123, length=71
Discarding duplicate request from client localhost:42610 - ID: 123 due to unfinished request 0
--- Walking the entire request list ---
Waking up in 25 seconds...


-- 
Jean-Michel Caricand
Tel: 03.81.66.20.63
E-mail: [EMAIL PROTECTED]

Systems team
Laboratoire d'Informatique de l'Université de Franche-Comté
16, route de Gray - 25030 BESANÇON CEDEX

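The check Jean-Michel wants (refusing a home server's Framed-IP-Address when it falls outside the ranges this site hands out) as an added example, written for this page rather than taken from the thread, rlm_perl or FreeRADIUS. It assumes that rlm_perl exposes the home server's reply to post_proxy as %RAD_REQUEST_PROXY_REPLY and writes the hash back after the call (verify this against the rlm_perl example.pl of the version in use); the address ranges and the log wrapper are placeholders of mine. Because the thread shows that in 1.1.7 a reject from post-proxy is ignored and a fail leaves the request unfinished, the hook does not depend on the return code alone: it deletes the offending attribute, so an out-of-range address never reaches the NAS whatever the server does with the code.

```perl
# Added example (not from the thread): rlm_perl post_proxy hook that
# validates the Framed-IP-Address returned by a home server.
use strict;
use warnings;

# Hashes populated by rlm_perl before each call. %RAD_REQUEST_PROXY_REPLY
# (the home server's reply) is assumed to be available in post_proxy.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK %RAD_REQUEST_PROXY_REPLY);

# Return codes as mapped in rlm_perl's example.pl.
use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_FAIL    => 1;
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_UPDATED => 8;

# Prefixes a home server may hand out to our users (placeholder values).
our @ALLOWED_PREFIXES = ('10.20.0.0/16', '192.0.2.0/24');

# Dotted quad -> 32-bit integer; undef for anything that is not one.
# Parsed by hand so that a bad value never triggers a name lookup.
sub ip_to_int {
    my ($ip) = @_;
    return undef unless defined $ip
        && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @o = ($1, $2, $3, $4);
    return undef if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# 1 if $ip lies inside $cidr ("a.b.c.d/n"), else 0. Malformed input is 0.
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr, 2;
    return 0 unless defined $bits && $bits =~ /^\d+$/ && $bits <= 32;
    my $ip_n  = ip_to_int($ip);
    my $net_n = ip_to_int($net);
    return 0 unless defined $ip_n && defined $net_n;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (($ip_n & $mask) == ($net_n & $mask)) ? 1 : 0;
}

# 1 if any allowed prefix contains $ip (defaults to @ALLOWED_PREFIXES).
sub ip_allowed {
    my ($ip, @prefixes) = @_;
    @prefixes = @ALLOWED_PREFIXES unless @prefixes;
    return (grep { in_cidr($ip, $_) } @prefixes) ? 1 : 0;
}

# Log through radiusd when loaded by rlm_perl, to stderr when run by hand.
sub log_msg {
    my ($msg) = @_;
    if (defined &radiusd::radlog) { radiusd::radlog(1, $msg) } else { warn "$msg\n" }
}

# Called by rlm_perl once the home server has answered.
sub post_proxy {
    my $ip = $RAD_REQUEST_PROXY_REPLY{'Framed-IP-Address'};
    return RLM_MODULE_OK unless defined $ip;       # nothing to validate
    return RLM_MODULE_OK if ip_allowed($ip);
    log_msg("post_proxy: home server assigned $ip outside the allowed ranges; removing it");
    # Dropping the attribute keeps a bad address away from the NAS even if
    # this server version ignores the reject below.
    delete $RAD_REQUEST_PROXY_REPLY{'Framed-IP-Address'};
    return RLM_MODULE_REJECT;
}

# Stand-alone smoke test with constructed values; not run inside radiusd.
if (!caller && !defined &radiusd::radlog) {
    for my $ip ('10.20.5.9', '192.0.2.200', '198.51.100.7', 'not-an-ip') {
        printf "%-14s %s\n", $ip, ip_allowed($ip) ? 'allowed' : 'rejected';
    }
}
```

Running the file directly exercises only the range logic; under rlm_perl, point the module's `func_post_proxy` at `post_proxy` and list the module in the post-proxy section. If the server version does honour the return code, RLM_MODULE_REJECT turns the answer into an Access-Reject as well; if it does not, the client still gets no address it should not have.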


SSH-login authentication, using Active Directory credentials.

2008-01-25 Thread suraj shankar
Hi;
  For a long time now, I have been trying to unify the
login credentials, in a heterogeneous environment.
While I am aware of the few available options, I have
decided against them, for varied reasons.

In the last few days, I have been able to produce the
effect which I desired, using pam_radius_auth and IAS.
All is well, and I am able to SSH-login using my
Active Directory login credentials.

  But before I take this to production, I would like
to know if this approach is safe - the IAS setting
that works says Unencrypted authentication (PAP).
From here
http://lists.cistron.nl/pipermail/freeradius-users/2006-July/055010.html,
I understand that pam_radius_auth 'encrypts' the
password. But if a user has the privileges to change
the /etc/raddb/server file (and point it to a
freeradius server), wouldn't he/she be able to siphon
off the credentials?

Our setup would disallow direct 'root' logins, over
SSH. However, once the user logs in using his/her
credentials, they would then be allowed to do a sudo
or a privileges escalation. Thereby, opening the
possibility of a /etc/raddb/server edit.
I know worse things can happen with superuser
privileges; however, I am not worried about the bad that
can happen to the client machines.

Is there a better way, using radius? Please suggest.
If this query is a rerun, pointers/references would
do. Thank you.

Regards,
suraj.


  



Re: eap and users file

2008-01-25 Thread tnt

Can the users file and an EAP-TTLS + PAP scheme work together?


Yes. In 2.0.1 you can divert EAP requests to one virtual server, others
to a different virtual server that will be doing ldap auth, ...

Ivan Kalik
Kalik Informatika ISP



eap and users file

2008-01-25 Thread theSnail

I have only this entry in users file:

DEFAULT Auth-Type := Accept

radiusd -X

  users: Matched entry DEFAULT at line 1

but it still tries to authenticate against LDAP. So the question is:

Can the users file and an EAP-TTLS + PAP scheme work together?

thanks


Re: Multiple accounting requests crash the server [update]

2008-01-25 Thread Mother
Update to the problem: the accounting-stop alternate query is actually 
an INSERT, not an UPDATE, by default, which actually surprises me, as in 
case of a duplicate packet, an INSERT into a properly unique-indexed 
table is doomed. I have now simply changed the -alt into an UPDATE 
query, so it would also not affect any record, but at least will not 
cause Oracle to balk.


My only problem now is how to make sure FreeRADIUS does not freeze upon 
an SQL error.


Cheers,

Mike


Mother wrote:

Hi all,

I am seeing a strange situation. I receive an accounting-stop request 
from a NAS, and FreeRADIUS (1.1.7 against Oracle) updates the 
corresponding radacct record. However, the NAS is not receiving the ack, 
and thus re-sends the stop request. On the second request, FreeRADIUS 
tries to do an update query again, and then, an insert query, with the 
stop message details (i.e. only a stop time, reason idle-timeout, etc.), 
which fails. After the third request from the NAS (and corresponding 
update followed by insert), Oracle throws a unique constraint violation 
error, and the server freezes.


Questions:

1. Why is FreeRADIUS failing to see that this request was already 
acknowledged, i.e. it has been updated on the database, and just sends 
an ACK, rather than trying to insert a new record?


2. Why does FreeRADIUS freeze on an SQL error from Oracle? Should it not 
just log the error and carry on about its business? I am finding my 
server freezing every few days due to these issues, for example, if a 
query takes too long to run, or a trigger fails to execute. Is 
FreeRADIUS against Oracle more fragile than say MySQL?


Cheers,

Mike






Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Vlad Sedov
That's a very valid point, however we do all the CPE configuration
ourselves. Customer, as a rule, does not have access to the PPPoE
settings.

I think the message they would get is going to say something like "There
is a problem with your internet connection. Please call blahblahblah to
resolve the problem..." Simple and effective :-)


Vlad




On Jan 25, 2008 11:45 AM, Alex Moen [EMAIL PROTECTED] wrote:
 So, what would be the difference between a customer who was disconnected, and 
 one who cannot remember his/her password (yeah, this never happens,
 right?)  There would be no differentiation, and customers who have simply 
 forgotten their password may be upset when you tell them they are
 disconnected.  Might want to remember that when you write your web page.

 Just my $.10...

 Alex


 Vlad Sedov wrote:
  Well, what I'm trying to do is accept the session whether the password
  is correct or not, but if it's not correct, assign Framed-IP-Address
  from a different IP pool, so our firewall downstream from the NAS can
  redirect their HTTP traffic to a payment site.
 
 
  Vlad
 
 
  On Jan 25, 2008 11:27 AM, JB [EMAIL PROTECTED] wrote:
  If it's just a message you want to display, you could use the
  Reply-Message attribute.
  Of course, your access controller would have to know how to handle this
  attribute.
 
  JB
 
 
  Marinko Tarlac wrote:
 
  RADIUS will reply with whatever you need, but you need to tell it what
  you want.
 
  For example, if you're using mysql, when user account expires you
  can add him to specific group and group attributes you can set in
  radgroupreply table. (ip pool, tx, rx limit etc.)
 
  On Jan 25, 2008 6:18 PM, Vlad Sedov [EMAIL PROTECTED] wrote:
  Hey folks.
 
  Right now, we use freeradius to authenticate simple pap/chap PPP
  clients. When a username/password is rejected, radius simply sends
  back a reject message to the NAS.
 
  Is it possible to change this behavior so that a failed auth attempt
  gets accepted with an alternate IP pool instead of being rejected?
 
  the idea is to force suspended users through a web proxy that tells
  them that they have a billing issue, instead of rejecting their
  connection altogether.
 
 
  Any help would be appreciated
 
 
  Vlad
 
 
  JB
 
 
 
 



Re: certificates in FR 2.0.1 on Windows don't work

2008-01-25 Thread tnt
And that is good. Windows doesn't need to know who issued that
certificate, only radius server does.

Ivan Kalik
Kalik Informatika ISP


On 25/1/2008, orion [EMAIL PROTECTED] writes:

Is it not a problem that Windows says about the client certificate:
"the issuer of this certificate cannot be found"?

Can the certificate be used in this case?

On 25/01/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

  2) or only CA certificate + client certificate?
  
  In the second case the linkage between the CA and client doesn't exist (as
  you said, the server is the issuer of the client's certificate).
 

 Link is not needed. Server checks the client certificate to see if it's
 issued by the server (certificate). Client checks server certificate to
 see if it's issued by a known and trusted CA. Nothing checks client
 certificate against the CA.

 Ivan Kalik
 Kalik Informatika ISP







Re: Thank you and Diameter question

2008-01-25 Thread Alan DeKok
Raj Patel wrote:
 Has anyone else been using it? I will be happy for some feedback

  Honestly, I've never seen much use for Diameter.  Not that I'm biased,
but I'd like to know what real-world problem it solves.

  Most requirements for diameter are political or commercial, not technical.

  Alan DeKok.



Re: iCHAP?

2008-01-25 Thread Alan DeKok
Kevin J wrote:
 Does anybody know about iCHAP?

  Nope.

  Alan DeKok.



Thank you and Diameter question

2008-01-25 Thread Raj Patel
Hi People



First, thank you. I have been reading this mailing list for some time and I found
it a great source of help.

I want to share some info with you and then ask a question.

We are slowly moving here into Java and starting to have Diameter
requirements.

I found OpenBloX Java Diameter a great source of help (I think it's GPL) and
it seems to meet our requirements
(http://sourceforge.net/projects/openblox/).

Has anyone else been using it? I will be happy for some feedback.

I guess this is the right place for feedback with so many AAA gurus around
:) so sorry again for my post.

Thanks in advance

RP

iCHAP?

2008-01-25 Thread Kevin J
Does anybody know about iCHAP?

Kevin,


   

Re: certificates in FR 2.0.1 on Windows don't work

2008-01-25 Thread tnt
2) or only CA certificate + client certificate?

In the second case the linkage between the CA and client doesn't exist (as you
said, the server is the issuer of the client's certificate).


Link is not needed. Server checks the client certificate to see if it's
issued by the server (certificate). Client checks server certificate to
see if it's issued by a known and trusted CA. Nothing checks client
certificate against the CA.

Ivan Kalik
Kalik Informatika ISP



Re: Force Auth-Type

2008-01-25 Thread Markus Moeller


Alan DeKok [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]

Markus Moeller wrote:

That was the only way I could get it to work. If I use update control
anybody can login, whereas in my setup only a user who exists in ldap gets
Auth-Type set to LDAP; all other users have an empty value and therefore
can not authenticate.


 The LDAP module setting Auth-Type to LDAP is a bit of a hack.  I
understand that you're depending on it, but the behavior may change in
the future.  It's changed (slightly) in the past, to fix some issues.

 It's better to have the policy *explicitly* state what you want.


I have changed my setup to use files and a users file together with a
private radius attribute mapped to an ldap entry


 That's reasonable.  It's a pretty simple fix to permit an empty
ldap.attrmap definition.


in users I have
DEFAULT user-location == LDN, Auth-Type := Reject
   Reply-message = You are not allowed to login
DEFAULT AUTH-Type := PAM


 That should mostly work.  In 2.0, it's much easier just to put that
directly in a policy in a configuration file.


Unfortunately that does not work as I never hit the first default
statement in users despite having a user-location of LDN. What do I do
wrong here? How can I use an ldap query result to deny/allow access?


 if (%{ldap: stuff... } == bar) {
...
 }



I didn't know that was possible. Where is this documented? I thought I read 
all the FAQs and documentation.


The other questions I have is about the AV pairs used. As far as I 
understand freeradius uses request, reply, check_tmp, internal only AV 
pairs. Is there a document which module uses which for what purpose ?


Is there a process flow diagram somewhere describing how freeradius works ?

I understand:
1) client -> server sends a request AV pair
2) server processes first authorisation modules and if fails end?
3) server processes authentication modules and if fails end?
4) server -> client sends reply AV pair

What is the use of check(item) AV  pairs ? Is it to communicate between 
modules ?




 Alan DeKok.




Thank you
Markus 





Re: one RADIUS server per realm setup

2008-01-25 Thread Wm. Josiah Erikson
I see. I can, indeed, remove Auth-Type := LDAP from the users file and 
it still works. Cool!


However, the behavior described in the documentation is not what I'm 
seeing, and I'm still getting (contrary to what I said in my previous 
email) authorization requests not being proxied, even though I have, in 
my authorize section, the suffix directive previous to files and 
ldap, which is where I check the LDAP group


If my realm is @hampshire.edu, everything works as I want it to, because 
it doesn't proxy. But when I try to authenticate as a fake user in my 
test proxy realm (I just want to see it try to proxy), it looks in the 
local LDAP database! Huh? It says it's preparing to proxy 
authentication, as it should... how do I make it either proxy 
authorization as well, or skip authorization for non-local domains? How 
should I go about this?


I must be misunderstanding something. I don't want it to do anything 
locally if I've set it to proxy! I get the following relevant output 
from freeradius -X:


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 34022, id=118, length=66
   User-Name = [EMAIL PROTECTED]
   User-Password = passwowrd
   NAS-IP-Address = 172.20.66.104
   NAS-Port = 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: Looking up realm testdomain.edu for User-Name = [EMAIL PROTECTED]
   rlm_realm: Found realm testdomain.edu
   rlm_realm: Adding Stripped-User-Name = dude
   rlm_realm: Proxying request from user dude to realm testdomain.edu
   rlm_realm: Adding Realm = testdomain.edu
   rlm_realm: Preparing to proxy authentication request to realm testdomain.edu
++[suffix] returns updated
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
   expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
   expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.hampshire.edu:389, authentication 0
rlm_ldap: bind as uid=tu, ou=account, dc=hampshire, dc=edu/tp to ldap.hampshire.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
   expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
   expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
   expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
   expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
   users: Matched entry DEFAULT at line 219
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dude
   expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
   expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
 Found Post-Auth-Type Reject
+- entering group REJECT
   expand: %{User-Name} -> [EMAIL PROTECTED]
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 118 to 127.0.0.1 port 34022
   Reply-Message = Only current faculty, staff or students are allowed to log in.

Waking up in 4.9 seconds.
Cleaning up request 0 ID 118 with timestamp +2
Ready to process requests.



Alan DeKok wrote:

Wm. Josiah Erikson wrote:
  

   #  Setting Auth-Type = LDAP is ALMOST ALWAYS WRONG.  We
   #  really can't emphasize this enough.

Uh. OK. That's exactly what I'm doing, and it's working :) 



  Then it works.  It's fine.

  That message is for the majority of people who force LDAP to be used
for authentication, and then wonder why EAP doesn't work.

  Remember: LDAP is a 

Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Vlad Sedov
Now that you mention it, the billing software _is_ getting replaced
some time soon, but until then I have to hack radius as a workaround.

Is it not possible to Fall-Through failed users to another section
with its own pool and auth-type: accept?



Vlad



On Jan 25, 2008 12:16 PM, Andy Billington
[EMAIL PROTECTED] wrote:
 David - agreed. It's a workaround until the billing software can be
 modified (or replaced); in combination with an expiry_due check and
 also checking whether it's the billing system that made the change
 though, it's not a bad short-term workaround. Needs to be both of those
 checks though ;-)
 Andy


 On 25/01/2008, David Roze [EMAIL PROTECTED] wrote:
  A trigger on the password field is a workaround.
  What about if he wants to change a user's password or when it changes back
  to bring the connection back on?
  Changing the password is not the right way to reject a connection and
  everything possible should be done to change the software's behaviour.
 
  David Roze
  ---
  http://www.netexpertise.eu
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
  On Behalf Of Andy Billington
  Sent: 25 January 2008 18:58
  To: FreeRadius users mailing list
  Subject: Re: Hello, and a (hopefully) simple question
 
  Vlad,
  are the passwords changed _by the billing system_ for any other
  reason? You could use a trigger on the table to make a corresponding
  change on the usergroup when the billing system changes the password.
 
  Better though might just be to have a Expiry Due? column added to
  the users, and then have if expiry_due AND if password changed, then
  change usergroup triggered. You'll have to have a way to keep track
  of expiration dates and so on
 
  Vlad,
  are the passwords changed by the billing system for any other reason?
  You could use a trigger on the table to make a corresponding change on
  the usergroup when a billing system changes the password.
 
  Better though might just be to have a Expired Yes/No column added to
  the users, and then have if expired AND password changed, then change
  usergroup triggered. You'll have to have a way to keep track of
  expiration dates and so on but if the renewals are for a standard
  period (e.g. 12 months) then you could do
 
  a. if expiry_due and password changed, change usergroup (and hence ip etc)
 
  b. if expired, password changed already and then password changed
  again, change usergroup back to normal on assumption that billing
  system has reset password when payment received. Reset expiry_due to
  today() plus 12 months
 
  Then again I'm probably looking at database level stuff when
  FreeRADIUS will provide a better way using the many bits of it I dont
  understand ;-)
  Andy
 
 
 
 
 
  On 25/01/2008, Vlad Sedov [EMAIL PROTECTED] wrote:
   Well, what I'm trying to do is accept the session whether the password
   is correct or not, but if it's not correct, assign Framed-IP-Address
   from a different IP pool, so our firewall downstream from the NAS can
   redirect their HTTP traffic to a payment site.
  
  
   Vlad
  
  
   On Jan 25, 2008 11:27 AM, JB [EMAIL PROTECTED] wrote:
If it's just a message you want to display, you could use the Reply-
Message attribute.
Of course, your access controler would have to know how handle this
attribute.
   
JB
   
   
Marinko Tarlac wrote:
   
 radius will reply whatever you need but you need to tell him what do
 you want.

 For example, if you're using mysql, when user account expires you
 can add him to specific group and group attributes you can set in
 radgroupreply table. (ip pool, tx, rx limit etc.)

 On Jan 25, 2008 6:18 PM, Vlad Sedov [EMAIL PROTECTED] wrote:
 Hey folks.

 Right now, we use freeradius to authenticate simple pap/chap PPP
 clients. When a username/password is rejected, radius simply send
 back
 a reject message to the NAS.

 Is it possible to change this behavior so that a failed auth attempt
 gets accepted with an alternate IP pool instead of being rejected?

 the idea is to force suspended users through a web proxy that tells
 them that they have a billing issue, instead of rejecting their
 connection altogether.


 Any help would be appreciated


 Vlad
   
   
   
JB
   
   
   
   

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Andy Billington
Vlad,
are the passwords changed _by the billing system_ for any other
reason? You could use a trigger on the table to make a corresponding
change on the usergroup when the billing system changes the password.

Better though might just be to have a Expiry Due? column added to
the users, and then have if expiry_due AND if password changed, then
change usergroup triggered. You'll have to have a way to keep track
of expiration dates and so on

Vlad,
are the passwords changed by the billing system for any other reason?
You could use a trigger on the table to make a corresponding change on
the usergroup when a billing system changes the password.

Better though might just be to have a Expired Yes/No column added to
the users, and then have if expired AND password changed, then change
usergroup triggered. You'll have to have a way to keep track of
expiration dates and so on but if the renewals are for a standard
period (e.g. 12 months) then you could do

a. if expiry_due and password changed, change usergroup (and hence ip etc)

b. if expired, password changed already and then password changed
again, change usergroup back to normal on assumption that billing
system has reset password when payment received. Reset expiry_due to
today() plus 12 months

Then again I'm probably looking at database level stuff when
FreeRADIUS will provide a better way using the many bits of it I dont
understand ;-)
Andy





On 25/01/2008, Vlad Sedov [EMAIL PROTECTED] wrote:
 Well, what I'm trying to do is accept the session whether the password
 is correct or not, but if it's not correct, assign Framed-IP-Address
 from a different IP pool, so our firewall downstream from the NAS can
 redirect their HTTP traffic to a payment site.


 Vlad


 On Jan 25, 2008 11:27 AM, JB [EMAIL PROTECTED] wrote:
  If it's just a message you want to display, you could use the Reply-
  Message attribute.
  Of course, your access controler would have to know how handle this
  attribute.
 
  JB
 
 
  Marinko Tarlac wrote:
 
   radius will reply whatever you need but you need to tell him what do
   you want.
  
   For example, if you're using mysql, when user account expires you
   can add him to specific group and group attributes you can set in
   radgroupreply table. (ip pool, tx, rx limit etc.)
  
   On Jan 25, 2008 6:18 PM, Vlad Sedov [EMAIL PROTECTED] wrote:
   Hey folks.
  
   Right now, we use freeradius to authenticate simple pap/chap PPP
   clients. When a username/password is rejected, radius simply send
   back
   a reject message to the NAS.
  
   Is it possible to change this behavior so that a failed auth attempt
   gets accepted with an alternate IP pool instead of being rejected?
  
   the idea is to force suspended users through a web proxy that tells
   them that they have a billing issue, instead of rejecting their
   connection altogether.
  
  
   Any help would be appreciated
  
  
   Vlad
 
 
 
  JB
 
 
 
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SSH-login authentication, using Active Directory credentials.

2008-01-25 Thread Donny Jekels
Suraj,

You're better off kerberizing your unix environment and joining them to AD.
This way you can have a fully single sign-on environment,
including samba file shares without entering usernames and passwords.

This is what you need to do.
1) install SFU3.5 on all your DCs
2) install openldap and mit kerberos on all your linux boxen
3) install samba
4) use the samba net join command to add your host to AD
5) install kerberized putty

done, enjoy


On Jan 25, 2008 7:57 AM, suraj shankar [EMAIL PROTECTED] wrote:


 --- Alan DeKok [EMAIL PROTECTED] wrote:

Any solution would have exactly the same security
  issues.
 Yes; I can understand and appreciate that. Thanks,
 Alan.

 Regards,
 suraj.



  
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Multiple accounting requests crash the server

2008-01-25 Thread Mother

Hi Alan,

Thanks for your answers, mine inline below:

Alan DeKok wrote:

Mother wrote:

I am seeing a strange situation. I receive an accounting-stop request
from a NAS, and FreeRADIUS (1.1.7 against Oracle) updates the
corresponding radacct record. However, the NAS is not receiving the ack,
and thus re-sends the stop request. On the second request, FreeRADIUS
tries to do an update query again, and then, an insert query, with the
stop message details (i.e. only a stop time, reason idle-timeout, etc.),
which fails.


  Why?


As I mention in my update, an accounting-stop that uses the alternate 
default query will attempt an insert, not an update (I have a few new 
records in radacct with only stop time after this episode, all with the 
same session ID). The reason the NAS was resending was that it was not 
receiving the confirmation back from FreeRADIUS, most likely due to a 
temporary network failure on a segment along the way.



After the third request from the NAS (and corresponding
update followed by insert), Oracle throws a unique constraint violation
error, and the server freezes.


  Weird.


Indeed - why it throws this after the third query is what gets me, as 
the unique constraint should have been hit right after the first update 
was done. I will investigate the timeline of events with more detail.



Questions:

1. Why is FreeRADIUS failing to see that this request was already
acknowledged, i.e. it has been updated on the database, and just sends
an ACK, rather than trying to insert a new record?


  Because RADIUS doesn't work like that.  Accounting requests are never
re-sent, so *all* accounting requests are brand new, and have to be
treated that way.


They are never re-sent? Then please tell one of the major European 
wireless ISPs about this, as they were hammering my server :) This is 
what they saw:


Fri Jan 25 10:31:10 2008: INFO: AuthRADIUS: No reply after 2
retransmissions to 80.33.137.68:1813 for [EMAIL PROTECTED]  (25). Now have
1 consecutive failures over 0 seconds. Backing off for 30 seconds

Note that they are *not* using FreeRADIUS. In any case, I will adapt the 
queries as needed so that they don't hit a brick wall if I find 
conditions like this.



2. Why does FreeRADIUS freeze on an SQL error from Oracle? Should it not
just log the error and carry on about its business? I am finding my
server freezing every few days due to these issues, for example, if a
query takes too long to run, or a trigger fails to execute. Is
FreeRADIUS against Oracle more fragile than say MySQL?


  I think that fewer people are using it that way.


Yes, I understand Oracle penetration in FreeRADIUS is tiny, but still.


  Perhaps you could try posting the error message, or run it under gdb
to see why it's freezing.


These are the sanitized logs, with irrelevant crud cut out:

#1:

rad_recv: Accounting-Request packet from host X.X.X.X:46641, id=184, 
length=302

User-Name = blah
NAS-Port = 2
NAS-Port-Type = Wireless-802.11
NAS-Identifier = XX
NAS-IP-Address = X.X.X.X
Acct-Status-Type = Stop
Calling-Station-Id = MAC
Called-Station-Id = MAC
Event-Timestamp = Jan 25 2008 10:49:13 CET
Acct-Delay-Time = 955
Acct-Session-Id = 59fdb3fd
Acct-Authentic = RADIUS
Acct-Session-Time = 343
Acct-Input-Octets = 48365
Acct-Input-Gigawords = 0
Acct-Input-Packets = 199
Acct-Output-Octets = 42343
Acct-Output-Gigawords = 0
Acct-Output-Packets = 248
Acct-Terminate-Cause = Idle-Timeout
Framed-IP-Address = 192.168.51.186
WISPr-Location-Name = Address
Vendor-18529-Attr-42 = 0x48455336373131
Attr-103 = 0x4799b09a
Attr-103 = 0x4799b09a
WISPr-Location-ID = isocc=es,cc=34,ac=08080,network=SSID
UPDATE query (fails)
INSERT query (seems to take place)
rlm_sql (sql): Released sql socket id: 3
  modcall[accounting]: module sql returns ok for request 0
modcall: leaving group accounting (returns ok) for request 0
Sending Accounting-Response of id 184 to X.X.X.X port 46641
Finished request 0


#2:

rad_recv: Accounting-Request packet from host X.X.X.X:46641, id=185, 
length=302

User-Name = blah
NAS-Port = 2
NAS-Port-Type = Wireless-802.11
NAS-Identifier = XXX
NAS-IP-Address = X.X.X.X
Acct-Status-Type = Stop
Calling-Station-Id = MAC
Called-Station-Id = MAC
Event-Timestamp = Jan 25 2008 10:49:13 CET
Acct-Delay-Time = 955
Acct-Session-Id = 59fdb3fd
Acct-Authentic = RADIUS
Acct-Session-Time = 343
Acct-Input-Octets = 48365
Acct-Input-Gigawords = 0
Acct-Input-Packets = 199
Acct-Output-Octets = 42343
Acct-Output-Gigawords = 0
Acct-Output-Packets = 248
Acct-Terminate-Cause = Idle-Timeout
Framed-IP-Address = 192.168.51.186
WISPr-Location-Name = Address
Vendor-18529-Attr-42 = 0x48455336373131
Attr-103 = 0x4799b05a
Attr-103 = 0x4799b09b
WISPr-Location-ID = isocc=es,cc=34,ac=08080,network=SSID
UPDATE query (fails)
INSERT 

Re: SSH-login authentication, using Active Directory credentials.

2008-01-25 Thread suraj shankar

--- Alan DeKok [EMAIL PROTECTED] wrote:

   Any solution would have exactly the same security
 issues.
Yes; I can understand and appreciate that. Thanks,
Alan.

Regards,
suraj.


  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-25 Thread Alan DeKok
Andrew D Kirch wrote:
 You might try putting it at the top of radiusd.conf

  Done.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SSH-login authentication, using Active Directory credentials.

2008-01-25 Thread tnt

Is there a better way, using radius? 


No. Once the user is authenticated, radius has nothing to do with them (you
say that they can increase privileges after authentication). Can't you
put them in a jail?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multiple accounting requests crash the server

2008-01-25 Thread tnt

#1:

rad_recv: Accounting-Request packet from host X.X.X.X:46641, id=184,
length=302
 User-Name = blah
 NAS-Port = 2
 NAS-Port-Type = Wireless-802.11
 NAS-Identifier = XX
 NAS-IP-Address = X.X.X.X
 Acct-Status-Type = Stop
 Calling-Station-Id = MAC
 Called-Station-Id = MAC
 Event-Timestamp = Jan 25 2008 10:49:13 CET
 Acct-Delay-Time = 955
 Acct-Session-Id = 59fdb3fd
 Acct-Authentic = RADIUS
 Acct-Session-Time = 343
 Acct-Input-Octets = 48365
 Acct-Input-Gigawords = 0
 Acct-Input-Packets = 199
 Acct-Output-Octets = 42343
 Acct-Output-Gigawords = 0
 Acct-Output-Packets = 248
 Acct-Terminate-Cause = Idle-Timeout
 Framed-IP-Address = 192.168.51.186
 WISPr-Location-Name = Address
 Vendor-18529-Attr-42 = 0x48455336373131
 Attr-103 = 0x4799b09a
 Attr-103 = 0x4799b09a
 WISPr-Location-ID = isocc=es,cc=34,ac=08080,network=SSID
UPDATE query (fails)
INSERT query (seems to take place)
rlm_sql (sql): Released sql socket id: 3
   modcall[accounting]: module sql returns ok for request 0
modcall: leaving group accounting (returns ok) for request 0
Sending Accounting-Response of id 184 to X.X.X.X port 46641
Finished request 0


Did you find out why the UPDATE query failed? That's where the trouble
started. INSERT takes much longer to do ...

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
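As an added example (not code from the thread or from FreeRADIUS), here is a small model of the UPDATE-then-alternate-INSERT flow the posts above describe, using Python's sqlite3 in place of Oracle. The table, the UNIQUE constraint on (acctsessionid, nasipaddress), the packet values and the query shapes are assumptions modelled on the log; the "guarded" alternate query is one way to make a retransmitted Stop land as a no-op instead of a constraint violation, so the SQL module returns ok and the NAS gets its Accounting-Response.

```python
import sqlite3

# Constructed radacct subset; the UNIQUE constraint stands in for the one Oracle raised on.
SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY,
    acctsessionid      TEXT NOT NULL,
    username           TEXT NOT NULL,
    nasipaddress       TEXT NOT NULL,
    acctstarttime      INTEGER,
    acctstoptime       INTEGER,
    acctsessiontime    INTEGER,
    acctterminatecause TEXT,
    UNIQUE (acctsessionid, nasipaddress)
);
"""

START_INSERT = """
INSERT INTO radacct (acctsessionid, username, nasipaddress, acctstarttime)
VALUES (:sid, :user, :nas, :start)
"""

# Shape of accounting_stop_query (assumed): close the still-open row for this session.
STOP_UPDATE = """
UPDATE radacct
   SET acctstoptime = :stop, acctsessiontime = :sessiontime, acctterminatecause = :cause
 WHERE acctsessionid = :sid AND username = :user AND nasipaddress = :nas
   AND acctstoptime IS NULL
"""

# Shape of accounting_stop_query_alt as shipped (assumed): blind INSERT for a Stop whose
# Start never arrived.  A retransmitted Stop also reaches it (the row is already closed,
# so the UPDATE matches nothing) and then collides with the UNIQUE constraint.
STOP_ALT_BLIND = """
INSERT INTO radacct (acctsessionid, username, nasipaddress, acctstarttime,
                     acctstoptime, acctsessiontime, acctterminatecause)
VALUES (:sid, :user, :nas, :stop - :sessiontime, :stop, :sessiontime, :cause)
"""

# Guarded alternate: insert only when no row, open or closed, exists for the session,
# so a retransmit becomes a no-op and the module still returns ok.
STOP_ALT_GUARDED = """
INSERT INTO radacct (acctsessionid, username, nasipaddress, acctstarttime,
                     acctstoptime, acctsessiontime, acctterminatecause)
SELECT :sid, :user, :nas, :stop - :sessiontime, :stop, :sessiontime, :cause
 WHERE NOT EXISTS (SELECT 1 FROM radacct
                    WHERE acctsessionid = :sid AND nasipaddress = :nas)
"""

def handle_start(conn, pkt):
    with conn:
        conn.execute(START_INSERT, pkt)
    return "ok"

def handle_stop(conn, pkt, guarded):
    """One Accounting-Request Stop through the UPDATE-then-alternate flow.  "ok" means
    the server would send Accounting-Response; "fail" is the SQL error the thread's
    server stalls on."""
    try:
        with conn:   # commit on success, roll back the failed INSERT on error
            if conn.execute(STOP_UPDATE, pkt).rowcount == 0:
                conn.execute(STOP_ALT_GUARDED if guarded else STOP_ALT_BLIND, pkt)
        return "ok"
    except sqlite3.IntegrityError:
        return "fail"

def run_scenario(guarded):
    """Constructed packets modelled on the thread's log.  Session A: Start, Stop, and the
    NAS's retransmission of that Stop after the lost Response.  Session B: an orphan Stop
    (no Start was ever recorded) and its retransmission."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    base = dict(user="blah", nas="10.0.0.1", start=1201254210, stop=1201254553,
                sessiontime=343, cause="Idle-Timeout")
    a, b = dict(base, sid="59fdb3fd"), dict(base, sid="59fdb3fe")
    return {
        "with_start": [handle_start(conn, a), handle_stop(conn, a, guarded),
                       handle_stop(conn, a, guarded)],
        "orphan_stop": [handle_stop(conn, b, guarded), handle_stop(conn, b, guarded)],
        "rows": conn.execute("SELECT COUNT(*) FROM radacct").fetchone()[0],
    }

if __name__ == "__main__":
    print("blind alt query:  ", run_scenario(guarded=False))
    print("guarded alt query:", run_scenario(guarded=True))
```

Two things worth noting from the log itself: the NAS sent the retransmission with a fresh packet ID (184, then 185), and FreeRADIUS's duplicate detection keys on the client's address, port and ID, so the server had no way to recognise it as a repeat and the database query is the only place idempotency can live. Acct-Delay-Time also differs between the original and the retransmit, so any uniqueness rule has to key on the session identifier and NAS, not on packet contents that change per attempt.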


Re: simple Ldap-group search

2008-01-25 Thread Markus Moeller
I think you need to use Ldap-Group instead of myldap-Ldap-Group, or do you use 
do_xlat?

Markus

  cxu [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
  Background:

  When a user is associated with the ssid Guest, the user will authenticate 
against a FreeRadius server.  If he has a university account, the FreeRadius 
server will authenticate him via LDAP.  If he does not have a university 
account, the FreeRadius server will do the authentication with a guest account 
database.

  Goal:

  To reduce the chance to do the LDAP search, the LDAP-group search is 
successful if the user is in the LDAP, no matter which LDAP group he is in.

  My shot and the problem:

  I am trying to do a wildcard search in LDAP-Group search, but it looks like 
the wildcard does not work.

  Related entries in the file users,

  omitted

  DEFAULT Called-Station-Id =~ .*Guest, myldap-Ldap-Group == *, Autz-Type 
:= Ldap1, Auth-Type := Ldap1

  DEFAULT Called-Station-Id =~ .*Guest, Group == guest, Autz-Type := Web, 
Auth-Type := System

  omitted

  Debug output,

  output omitted

  rlm_ldap: performing search in ou=people,dc=myuniv,dc=ca, with filter 
((cn=*)(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUniqueNames)(uniquemember=

  output omitted

  rlm_ldap::groupcmp: Group * not found or user not a member
  rlm_ldap: ldap_release_conn: Release Id: 0
  ++[files] returns noop
  rlm_pap: WARNING! No known good password found for the user.  
Authentication may fail because of this.
  ++[pap] returns noop
  auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
  auth: Failed to validate the user.
  Login incorrect: [cxu] (from client localhost port 0)
  Delaying reject of request 0 for 1 seconds
  Going to the next request
  Waking up in 0.9 seconds.
  Sending delayed reject for request 0

  Questions:

  1. Is there any way to make the wildcard LDAP-group search work? 
  2. Can unlang be applied here, and how? 
  3. Any advice? 

  Thanks!

  Andrew

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: certificates in FR 2.0.1 on windows doesnt works

2008-01-25 Thread Alan DeKok
orion wrote:
 the import of client.p12 is ok but it doesnt have a valid link
 it is ca-server-client

  What does that mean?

 and the details of the server certificate tells that is not authorized
 to issue certificates .

  Where does it say that?  Which certificate tool are you using to look
at the certificates?

 the client certificates tells that is issued by the server not by the ca.

  Yes, that is supposed to happen.

 the question is :
 the client certificate should be issued by the server or by the ca?

  Server.

 in fact after modified the Makefile and client.cnf and re-importing them
 in xp
 then the linkage is ok.  ( ca-client )

  That's not how it's supposed to work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SSH-login authentication, using Active Directory credentials.

2008-01-25 Thread suraj shankar

--- [EMAIL PROTECTED] wrote:

 Is there a better way, using radius? 

 No. Once user is authenticated radius has nothing to
 do with them (you
 say that they can increase privileges after
 authentication). Can't you
 put them in jail.
Yeah, I would eventually do that, if there is no
'better way'. But usually the App. administrators
complain that they are crippled by insufficient
privileges. So I am looking for something more
creative ... :)
And so, what I really meant by a 'better way' was like
a way to tell pam_radius_auth, to use a certificate
instead of a PSK! ... or something like that ...

Hey, but thanks Ivan, for the suggestion - will lock
them up, if I can't find a better way!

Regards,
suraj.


  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: one RADIUS server per realm setup

2008-01-25 Thread Alan DeKok
Wm. Josiah Erikson wrote:
#  Setting Auth-Type = LDAP is ALMOST ALWAYS WRONG.  We
#  really can't emphasize this enough.
 
 Uh. OK. That's exactly what I'm doing, and it's working :) 

  Then it works.  It's fine.

  That message is for the majority of people who force LDAP to be used
for authentication, and the wonder why EAP doesn't work.

  Remember: LDAP is a database.  It's not an authentication server.

 However, is there a better way to do this that I'm not understanding?
 Why shouldn't I set Auth-Type := LDAP ?

  You probably don't need to set it.  If you simply deleted that from
the users file, your configuration would probably still work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Sql_log against postgresql

2008-01-25 Thread Roy Walker
Have 2.0 running against a Postgresql database.  The sql_log code looks
like it functions differently than the sql statements in the postgres
driver (stop packets are another insert instead of an update).  Has
anyone already changed out the sql lines match the way it works without
sql_log, don't see why it would be an issue...  if you have would you
mind sharing it?

 

PS  Nice to see the column names were corrected in 2.0 (between MySql
and Postgresql schemas).

 

Thanks,

Roy

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Multiple accounting requests crash the server

2008-01-25 Thread Alan DeKok
Mother wrote:
 I am seeing a strange situation. I receive an accounting-stop request
 from a NAS, and FreeRADIUS (1.1.7 against Oracle) updates the
 corresponding radacct record. However, the NAS is not receiving the ack,
 and thus re-sends the stop request. On the second request, FreeRADIUS
 tries to do an update query again, and then, an insert query, with the
 stop message details (i.e. only a stop time, reason idle-timeout, etc.),
 which fails.

  Why?

 After the third request from the NAS (and corresponding
 update followed by insert), Oracle throws a unique constraint violation
 error, and the server freezes.

  Weird.

 Questions:
 
 1. Why is FreeRADIUS failing to see that this request was already
 acknowledged, i.e. it has been updated on the database, and just sends
 an ACK, rather than trying to insert a new record?

  Because RADIUS doesn't work like that.  Accounting requests are never
re-sent, so *all* accounting requests are brand new, and have to be
treated that way.

 2. Why does FreeRADIUS freeze on an SQL error from Oracle? Should it not
 just log the error and carry on about its business? I am finding my
 server freezing every few days due to these issues, for example, if a
 query takes too long to run, or a trigger fails to execute. Is
 FreeRADIUS against Oracle more fragile than say MySQL?

  I think that fewer people are using it that way.

  Perhaps you could try posting the error message, or run it under gdb
to see why it's freezing.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eap and users file

2008-01-25 Thread Alan DeKok
theSnail wrote:
 I have only this entry in users file:
 
 DEFAULT Auth-Type := Accept
 
 raiudsd -X
 
   users: Matched entry DEFAULT at line 1
 
 but it still try to authenticate against ldap. So the question is:

  Why haven't you posted the entire output from radiusd -X ?

  i.e. you configured the server to use LDAP, and it's doing what you
told it to do.  Because you don't understand what you've configured, you
don't understand what it's doing.

 users file and EAP-ttls + PAP schema can work togher?

  Yes.  Lots of people are doing that.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SSH-login authentication, using Active Directory credentials.

2008-01-25 Thread Alan DeKok
suraj shankar wrote:
 I understand that pam_radius_auth 'encrypts' the
 password. But if a user has the privileges to change
 the /etc/raddb/server file (and point it to a
 freeradius server), wouldn't he/she be able to siphon
 off the credentials?

  Yes.

 Our setup would disallow direct 'root' logins, over
 SSH. However, once the user logs in using his/her
 credentials, they would then be allowed to do a sudo
 or a privileges escalation. Thereby, opening the
 possibility of a /etc/raddb/server edit.

  So... why are you giving people root access if you don't trust them?

 I know worse things can happen with superuser
 privileges; however, I am not worried of the bad that
 can happen to the client machines.
 
 Is there a better way, using radius? Please suggest.
 If this query is a rerun, pointers/references would
 do. Thank you.

  Any solution would have exactly the same security issues.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Question about forum

2008-01-25 Thread tnt
Yes, write to Peter Nixon and he will help you.

Ivan Kalik
Kalik Informatika ISP


On 25/1/2008, Marinko Tarlac [EMAIL PROTECTED] wrote:

I would like to register too. Is there any chance for this?

On Jan 25, 2008 5:37 PM, JB [EMAIL PROTECTED] wrote:


 Peter Nixon wrote:
  We have a wiki. You are welcome to contribute...

 Account creation/free editing seems to be deactivated...

 Bye,
 JB





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Alex Moen
So, what would be the difference between a customer who was disconnected, and one who cannot remember his/her password (yeah, this never happens, 
right?)  There would be no differentiation, and customers who have simply forgotten their password may be upset when you tell them they are 
disconnected.  Might want to remember that when you write your web page.


Just my $.10...

Alex

Vlad Sedov wrote:

Well, what I'm trying to do is accept the session whether the password
is correct or not, but if it's not correct, assign Framed-IP-Address
from a different IP pool, so our firewall downstream from the NAS can
redirect their HTTP traffic to a payment site.


Vlad


On Jan 25, 2008 11:27 AM, JB [EMAIL PROTECTED] wrote:

If it's just a message you want to display, you could use the Reply-
Message attribute.
Of course, your access controler would have to know how handle this
attribute.

JB


Marinko Tarlac wrote:


radius will reply whatever you need but you need to tell him what do
you want.

For example, if you're using mysql, when user account expires you
can add him to specific group and group attributes you can set in
radgroupreply table. (ip pool, tx, rx limit etc.)

On Jan 25, 2008 6:18 PM, Vlad Sedov [EMAIL PROTECTED] wrote:

Hey folks.

Right now, we use freeradius to authenticate simple pap/chap PPP
clients. When a username/password is rejected, radius simply send
back
a reject message to the NAS.

Is it possible to change this behavior so that a failed auth attempt
gets accepted with an alternate IP pool instead of being rejected?

the idea is to force suspended users through a web proxy that tells
them that they have a billing issue, instead of rejecting their
connection altogether.


Any help would be appreciated


Vlad



JB





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Vlad Sedov
The only problem with this method is that our billing system is not
(currently) capable of changing the usergroup when the account is
suspended. All it does is change the password.


Vlad



On Jan 25, 2008 11:22 AM, Marinko Tarlac [EMAIL PROTECTED] wrote:
 radius will reply whatever you need, but you need to tell it what you
 want.

 For example, if you're using mysql, when user account expires you can add
 him to specific group and group attributes you can set in radgroupreply
 table. (ip pool, tx, rx limit etc.)



 On Jan 25, 2008 6:18 PM, Vlad Sedov [EMAIL PROTECTED] wrote:
 
 
 
  Hey folks.
 
  Right now, we use freeradius to authenticate simple pap/chap PPP
  clients. When a username/password is rejected, radius simply send back
  a reject message to the NAS.
 
  Is it possible to change this behavior so that a failed auth attempt
  gets accepted with an alternate IP pool instead of being rejected?
 
  the idea is to force suspended users through a web proxy that tells
  them that they have a billing issue, instead of rejecting their
  connection altogether.
 
 
  Any help would be appreciated
 
 
  Vlad
 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
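As an added example, not from the thread or from FreeRADIUS: a sqlite3 model of the approach suggested in this thread, in which a user is moved to a 'suspended' group whose check items carry Auth-Type := Accept and whose reply items carry the walled-garden pool, driven by the only signal the billing system gives (it rewrites the password). The billing table, the trigger, the group and pool names and the simplified authorize() standing in for rlm_sql plus pap are all assumptions. The point to keep: Auth-Type := Accept lives only in the suspended group's check items, since a blanket Accept would admit anyone who knows a username.

```python
import sqlite3

# Constructed schema: the radcheck/radusergroup/radgroupcheck/radgroupreply layout used
# by FreeRADIUS's SQL module, plus an assumed 'billing' table carrying the expiry flag.
SCHEMA = """
CREATE TABLE radcheck      (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE billing       (username TEXT PRIMARY KEY, expiry_due INTEGER NOT NULL DEFAULT 0);

-- The billing system only rewrites the password, so a password change on an account
-- whose renewal is overdue is taken as "suspend": move it to the 'suspended' group.
CREATE TRIGGER suspend_on_billing_reset
AFTER UPDATE OF value ON radcheck
WHEN NEW.attribute = 'Cleartext-Password' AND OLD.value <> NEW.value
 AND EXISTS (SELECT 1 FROM billing WHERE username = NEW.username AND expiry_due = 1)
BEGIN
    UPDATE radusergroup SET groupname = 'suspended' WHERE username = NEW.username;
END;

-- 'suspended' is the only place Auth-Type := Accept appears; as a DEFAULT it would let
-- anyone who knows a username onto the network.
INSERT INTO radgroupreply VALUES ('active',    'Pool-Name',     ':=', 'customers');
INSERT INTO radgroupcheck VALUES ('suspended', 'Auth-Type',     ':=', 'Accept');
INSERT INTO radgroupreply VALUES ('suspended', 'Pool-Name',     ':=', 'walled_garden');
INSERT INTO radgroupreply VALUES ('suspended', 'Reply-Message', ':=', 'Account suspended, see payment page');
"""

def add_user(conn, user, password):
    with conn:
        conn.execute("INSERT INTO radcheck VALUES (?, 'Cleartext-Password', ':=', ?)", (user, password))
        conn.execute("INSERT INTO radusergroup VALUES (?, 'active', 1)", (user,))
        conn.execute("INSERT INTO billing VALUES (?, 0)", (user,))

def billing_suspend(conn, user, scrambled):
    """What the billing system does on non-payment: flag the account, then overwrite
    the password.  The second statement fires the trigger."""
    with conn:
        conn.execute("UPDATE billing SET expiry_due = 1 WHERE username = ?", (user,))
        conn.execute("UPDATE radcheck SET value = ? WHERE username = ? "
                     "AND attribute = 'Cleartext-Password'", (scrambled, user))

def billing_renew(conn, user, new_password):
    """Renewal clears the flag before the password is set, so the trigger stays quiet,
    and moves the account back explicitly; nothing else ever un-suspends it."""
    with conn:
        conn.execute("UPDATE billing SET expiry_due = 0 WHERE username = ?", (user,))
        conn.execute("UPDATE radcheck SET value = ? WHERE username = ? "
                     "AND attribute = 'Cleartext-Password'", (new_password, user))
        conn.execute("UPDATE radusergroup SET groupname = 'active' WHERE username = ?", (user,))

def authorize(conn, user, password):
    """Simplified stand-in for rlm_sql + pap: user check items, then each group's check
    and reply items in priority order, then the Auth-Type / password decision."""
    checks = dict(conn.execute(
        "SELECT attribute, value FROM radcheck WHERE username = ?", (user,)).fetchall())
    groups = [g for (g,) in conn.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority", (user,)).fetchall()]
    reply = {}
    for group in groups:
        checks.update(conn.execute(
            "SELECT attribute, value FROM radgroupcheck WHERE groupname = ?", (group,)).fetchall())
        reply.update(conn.execute(
            "SELECT attribute, value FROM radgroupreply WHERE groupname = ?", (group,)).fetchall())
    if checks.get("Auth-Type") == "Accept":
        return "Access-Accept", reply      # no password check at all for this group
    if password == checks.get("Cleartext-Password"):
        return "Access-Accept", reply
    return "Access-Reject", {}

def run_scenario():
    """Walk one constructed account through active -> suspended -> renewed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    add_user(conn, "vlad", "correct-horse")
    steps = {"active_ok": authorize(conn, "vlad", "correct-horse"),
             "active_bad": authorize(conn, "vlad", "wrong")}
    billing_suspend(conn, "vlad", "!locked-9f3a")
    steps["suspended_any"] = authorize(conn, "vlad", "wrong")
    billing_renew(conn, "vlad", "new-horse")
    steps["renewed_bad"] = authorize(conn, "vlad", "wrong")
    steps["renewed_ok"] = authorize(conn, "vlad", "new-horse")
    return steps

if __name__ == "__main__":
    for step, (code, attrs) in run_scenario().items():
        print(f"{step:14s} {code:14s} {attrs}")
```

Because the Accept is scoped to the suspended group, an active customer who mistypes the password is still rejected, which answers the concern raised elsewhere in this thread about telling a forgetful customer they are disconnected. The remaining exposure is that anyone presenting a suspended username reaches the walled-garden segment, so the firewall in front of that pool has to allow nothing but the payment site.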


Re: Question about forum

2008-01-25 Thread Marinko Tarlac
I would like to register too. Is there any chance for this?

On Jan 25, 2008 5:37 PM, JB [EMAIL PROTECTED] wrote:


 Peter Nixon wrote:
  We have a wiki. You are welcome to contribute...

 Account creation/free editing seems to be deactivated...

 Bye,
 JB


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Alan DeKok
Jean-Michel Caricand wrote:
 Well. I made a lot of tests without success. I'm not yet able to REJECT a 
 request in a post_proxy function, but that works fine in an authorize 
 function. 
 
 Does someone have ideas ?

  In 2.0, it looks like this isn't dealt with in src/main/event.c around
line 1075.  It's probably useful to add...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Jean-Michel Caricand
On Friday 25 January 2008 12:55, Boian Jordanov wrote:
 Try with RLM_MODULE_FAIL in post_proxy


 Best Regards,
 Boian Jordanov
 SNE
 Orbitel - Next Generation Telecom
 tel. +359 2 4004 723
 tel. +359 2 4004 002

 On Jan 25, 2008, at 12:35 PM, Jean-Michel Caricand wrote:
  doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you
  need pre_proxy?
 
   From radius.conf file
 
  #
  #  When the server decides to proxy a request to a home server,
  #  the proxied request is first passed through the pre-proxy
  #  stage.  This stage can re-write the request, or decide to
  #  cancel the proxy.
  #
  #  Only a few modules currently have this method.
  #
 
 
  Best Regards,
  Boian Jordanov
  SNE
  Orbitel - Next Generation Telecom
  tel. +359 2 4004 723
  tel. +359 2 4004 002
 
  On Jan 25, 2008, at 11:52 AM, Jean-Michel Caricand wrote:
  I have a question on rlm_perl and RLM_MODULE_REJECT. If in a
  function
  (post_proxy) I return RLM_MODULE_REJECT I can see this in log :
 
 
  But I must check some attributes defined by my home server. I can't
  check
  them in pre_proxy because they are not set. No ?
 
  I want to reject the access if by example the Framed-IP-Address is
  not in
  a valid range.
 
  Thank.
 

Well. I made a lot of tests without success. I'm not yet able to REJECT a 
request in a post_proxy function, but that works fine in an authorize 
function. 

Does someone have ideas ?

 

-- 
Jean-Michel Caricand
Tél: 03.81.66.20.63
E-mail: [EMAIL PROTECTED]

Systems team
Laboratoire d'Informatique de l'Université de Franche-Comté
16, route de Gray - 25030 BESANÇON CEDEX



Re: Question about forum

2008-01-25 Thread JB


Peter Nixon wrote:

We have a wiki. You are welcome to contribute...


Account creation/free editing seems to be deactivated...

Bye,
JB



Hello, and a (hopefully) simple question

2008-01-25 Thread Vlad Sedov
Hey folks.

Right now, we use freeradius to authenticate simple pap/chap PPP
clients. When a username/password is rejected, radius simply sends back
a reject message to the NAS.

Is it possible to change this behavior so that a failed auth attempt
gets accepted with an alternate IP pool instead of being rejected?

the idea is to force suspended users through a web proxy that tells
them that they have a billing issue, instead of rejecting their
connection altogether.


Any help would be appreciated


Vlad


Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Marinko Tarlac
radius will reply whatever you need but you need to tell it what you
want.

For example, if you're using mysql, when a user account expires you can add
him to a specific group and set the group attributes in the radgroupreply
table. (ip pool, tx, rx limit etc.)


Re: Hello, and a (hopefully) simple question

2008-01-25 Thread JB
If it's just a message you want to display, you could use the
Reply-Message attribute.
Of course, your access controller would have to know how to handle this
attribute.


JB






RE: Hello, and a (hopefully) simple question

2008-01-25 Thread David Roze
A trigger on the password field is a workaround.
What about if he wants to change a user's password or when it changes back
to bring the connection back on?
Changing the password is not the right way to reject a connection and
everything possible should be done to change the software's behaviour.

David Roze
---
http://www.netexpertise.eu


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Andy Billington
Sent: 25 January 2008 18:58
To: FreeRadius users mailing list
Subject: Re: Hello, and a (hopefully) simple question

Vlad,
are the passwords changed _by the billing system_ for any other
reason? You could use a trigger on the table to make a corresponding
change on the usergroup when the billing system changes the password.

Better though might just be to have an Expiry Due? column added to
the users, and then have if expiry_due AND if password changed, then
change usergroup triggered. You'll have to have a way to keep track
of expiration dates and so on

Vlad,
are the passwords changed by the billing system for any other reason?
You could use a trigger on the table to make a corresponding change on
the usergroup when a billing system changes the password.

Better though might just be to have an Expired Yes/No column added to
the users, and then have if expired AND password changed, then change
usergroup triggered. You'll have to have a way to keep track of
expiration dates and so on but if the renewals are for a standard
period (e.g. 12 months) then you could do

a. if expiry_due and password changed, change usergroup (and hence ip etc)

b. if expired, password changed already and then password changed
again, change usergroup back to normal on assumption that billing
system has reset password when payment received. Reset expiry_due to
today() plus 12 months

Then again I'm probably looking at database level stuff when
FreeRADIUS will provide a better way using the many bits of it I don't
understand ;-)
Andy





On 25/01/2008, Vlad Sedov [EMAIL PROTECTED] wrote:
 Well, what I'm trying to do is accept the session whether the password
 is correct or not, but if it's not correct, assign Framed-IP-Address
 from a different IP pool, so our firewall downstream from the NAS can
 redirect their HTTP traffic to a payment site.


 Vlad





Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Andy Billington
David - agreed. It's a workaround until the billing software can be
modified (or replaced); in combination with an expiry_due check and
also checking whether it's the billing system that made the change
though, it's not a bad short-term workaround. Needs to be both of those
checks though ;-)
Andy




Re: certificates in FR 2.0.1 on windows doesnt works

2008-01-25 Thread orion
I'm using the standard Windows MMC.

After importing the CA and server certificates,
the server certificate links to the CA certificate OK:

CA certificate
|- server certificate

but when I import the client.p12 certificate the linkage is

CA certificate
|- server certificate
|- client certificate

At that moment the server part says (it is not allowed to issue certificates
for others).

So the server certificate is not allowed to issue certificates (in this case
to issue the certificate for the server).

1) Is it necessary to import the server certificate + CA certificate + client
certificate?
2) Or only the CA certificate + client certificate?

In the second case the linkage between the CA and client doesn't exist (as you
said, the server is the issuer of the client's certificate).


On 25/01/2008, Alan DeKok [EMAIL PROTECTED] wrote:

 orion wrote:
  the import of client.p12 is ok but it doesnt have a valid link
  it is ca-server-client

   What does that mean?

  and the details of the server certificate tells that is not authorized
  to issue certificates .

   Where does it say that?  Which certificate tool are you using to look
 at the certificates?

  the client certificates tells that is issued by the server not by the
 ca.

   Yes, that is supposed to happen.

  the question is :
  the client certificate should be issued by the server or by the ca?

   Server.

  in fact after modified the Makefile and client.cnf and re-importing them
  in xp
  then the linkage is ok.  ( ca-client )

   That's not how it's supposed to work.

   Alan DeKok.


Re: certificates in FR 2.0.1 on windows doesnt works

2008-01-25 Thread orion
Is it not a problem that Windows says about the client certificate:
"the issuer of this certificate cannot be found"?

Can the certificate be used in this case?

On 25/01/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 2)or only ca certificate + client certificate ?
 
 the second case the linkage between the ca and client doesnt exist ( as
 you
 said is the server the issuer of the client`s certificate ).
 

 Link is not needed. Server checks the client certificate to see if it's
 issued by the server (certificate). Client checks server certificate to
 see if it's issued by a *known and trusted CA. Nothing checks client
 certificate against the CA.

 Ivan Kalik
 Kalik Informatika ISP



Re: certificates in FR 2.0.1 on windows doesnt works

2008-01-25 Thread Alan DeKok
orion wrote:
 but when i import the client.p12 certificate the linkage is
 
 CA certificate
 |- server certificate
 |- client certificate
 
 in that moment the server part tells ( it not allow to issue certificate
 for others).

  There's no reason why the intermediate certificate can't issue a
client certificate.

  And yes, you already said it complained about that.  There's no reason
to re-post a summary of that message.  You were asked to post *specific*
information.

 So the server certificate is not allowed to issue certificate ( in this
 case to issue the certificate for the server. ).

  Nonsense.

 1)Its necessary to import the server certificate + ca certificate +
 client certificate ?
 2)or only ca certificate + client certificate ?
 
 the second case the linkage between the ca and client doesnt exist ( as
 you said is the server the issuer of the client`s certificate ).

  A direct linkage doesn't exist, and doesn't need to exist.

  Windows has *zero* problems using such a client certificate for
EAP-TLS.  If you see an error message, then either the software you're
using is broken, or you didn't understand the message it's producing.

  Alan DeKok.


Re: certificates in FR 2.0.1 on windows doesnt works

2008-01-25 Thread Alan DeKok
orion wrote:
 its not a problem that windows says about the client certificate :
 the issuer of this certificate cannot be found  ?

  Thank you for FINALLY posting the REAL error message.  It helps to
post the REAL error message, because you can then get a REAL solution.

  In this case, you didn't add the server certificate (or the CA
certificate) into the root CA store.  All of the documentation and
howto's say you need to do this, so

  Alan DeKok.


Re: Hello, and a (hopefully) simple question

2008-01-25 Thread tnt
Now that you mention it, the billing software _is_ getting replaced
some time soon, but until then I have to hack radius as a workaround.


So alter groups and not passwords.

Is it not possible to Fall-Through failed users to another section
with its own pool and auth-type: accept?

Why? Just place a user in a suspend group (configured with that pool) and
there is no need to fall through anything. And the users with wrong
passwords will still be getting usual errors.

Ivan Kalik
Kalik Informatika ISP
