Re: proxy over encrypted stream

2008-08-14 Thread Alan DeKok
Alexandre Chapellon wrote:
> Is that such a silly question that no one wants to answer?
> Is it understandable?

  Do you read posts on this list?  Your question was already answered.

  Go see the list archives on the web if you're not going to read the
replies on this list.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 2.0.5 on Solaris with openssl 0.9.8h

2008-08-14 Thread Rafiqul Ahsan
Hi Alan, and All,

Well, I believe I have linked Freeradius 2.0.5 with the right openssl
(0.9.8h) now by adding the env variables below (my build log also says
it linked with -L/usr/local/ssl/lib). However, I still see the same
error while using the sha256 encryption algorithm with an RSA 2048 key. I
sent this query to the openssl mailing list, and they are sending me back to you
(the freeradius folks) to verify whether Freeradius supports sha2, sha256
etc. (I hoped that the patch below would allow it, but no luck).

CFLAGS=-I/usr/local/ssl/include/openssl
CPPFLAGS=-I/usr/local/ssl/include/openssl
LDFLAGS=-L/usr/local/ssl/lib
export CFLAGS CPPFLAGS LDFLAGS

And earlier I added the two patches below to Freeradius:

--- freeradius-1.1.7/configure  
+++ freeradius-1.1.7-new/configure  
@@ -20552,7 +20552,7 @@
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lssl  $LIBS"
+LIBS="-lssl -lcrypto -ldl $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
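Review bot: this hunk edits the generated `configure` script (the `ac_check_lib_save_LIBS` probe at line 20552 of freeradius-1.1.7), while the message above says the build in question is 2.0.5; the line numbers and the `conftest.$ac_ext` context are unlikely to match a different release, so `patch` will reject the hunk or apply it with fuzz, and re-running autoconf discards the edit in any case. Put `-lcrypto -ldl` into the autoconf input this probe is generated from, for the release actually being built, and confirm with `grep -n 'LIBS="-lssl' configure` that the edited line is the one the build runs.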
@@ -20617,8 +20617,7 @@
if test "x$OPENSSL_LIB_DIR" != "x"; then
OPENSSL_LIBS="-L$OPENSSL_LIB_DIR"
fi
-   OPENSSL_LIBS="$OPENSSL_LIBS -lcrypto -lssl -lcrypto"
-
+   OPENSSL_LIBS="$OPENSSL_LIBS -lcrypto -lssl -lcrypto -ldl"
 fi
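Review bot: the context lines `if test "x$OPENSSL_LIB_DIR" != "x"; then`, `OPENSSL_LIBS="-L$OPENSSL_LIB_DIR"` and `fi` in this hunk have lost the leading space that unified diff requires on context lines, so the hunk as pasted will not apply cleanly; restore the indentation before passing it on. The change is consistent with the first hunk (`-ldl` appended so that libcrypto's dynamic-loading references resolve at link time), but `-lcrypto` already appears twice in the value; the cleaner form is `OPENSSL_LIBS="$OPENSSL_LIBS -lssl -lcrypto -ldl"`, with `-ldl` last so it satisfies symbols pulled in from libcrypto.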


diff -Naur 
freeradius-1.1.7-mod/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
freeradius-1.1.7/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
--- freeradius-1.1.7-mod/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
2007-04-20
14:58:46.0 +0300
+++ freeradius-1.1.7/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -292,6 +292,7 @@
 */
SSL_library_init();
SSL_load_error_strings();
+   OpenSSL_add_all_digests();

meth = TLSv1_method();
ctx = SSL_CTX_new(meth);
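Review bot: `OpenSSL_add_all_digests()` registers the digests (SHA-256 included) in libcrypto's EVP table, which is what verifying a certificate signed with sha256WithRSAEncryption needs, so placing it beside `SSL_library_init()` is right; the context lines `SSL_library_init();`, `SSL_load_error_strings();` and `meth = TLSv1_method();` are missing their leading space, though, so this hunk also needs its indentation restored before it applies. For the symptom reported above the more important point is that the call only helps if the module that runs binds to the 0.9.8h libcrypto: the quoted `CFLAGS`/`CPPFLAGS` point at `/usr/local/ssl/include/openssl`, whereas the sources include `<openssl/ssl.h>`, so that directory should be `/usr/local/ssl/include`, otherwise the headers come from the system OpenSSL while the link line points at 0.9.8h. Check the runtime binding with `ldd` on `rlm_eap_tls.so` and the `radiusd` binary and, on Solaris, add `-R/usr/local/ssl/lib` to `LDFLAGS` so the runpath matches the `-L` path.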




On 8/14/08, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Rafiqul Ahsan wrote:
> > I tried to install the openssl from Sunware, but it installs at the
> > /usr/local/ssl directory. Somehow (could not figure out how) the
> > freeradius build process is linking with the Solaris prebuilt openssl
> > library at /usr/sfw..
>
>  Because that's what the linker on Solaris does.  Go read its
> documentation to see how to configure it to do what you want.  This
> isn't a FreeRADIUS question.
>
> > I would like to change the linker configuration to prefer one version
> > (0.9.8) over the other (0.9.7 is prebuilt and comes with Solaris), and also to
> > include references to prefer one over the other... But I don't know where
> > to change it. I looked at Configure and Makefile but cannot seem to find
> > where that was configured. Can you please help?
>
>  Maybe the Solaris linker documentation will help?
>
>  Heck, if you're building as root, just do "chmod a-rwx /usr/sfw",
> build FreeRADIUS, and then do "chmod a+rx /usr/sfw".  That should solve
> it.  i.e., this is pretty much a Unix 101 question...
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


-- 
Rafiqul Ahsan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Multiple accounting copies

2008-08-14 Thread Alexandre Chapellon
Hello,
I am planning to move from a Sun/SBR installation to Freeradius, and so
have a lot of things to test before...
For example, I need to proxy accounting requests from my freeradius
server (2.0.5) to several (at least) radius services to allow third
party applications to be aware of the services allowed for every user.
I have read that directly proxying to multiple servers is not allowed by
freeradius and that instead I have to log to a detail file and then create a
virtual server that reads this file and behaves as a NAS.
My question is: is it possible to have multiple virtual servers, each
proxying to a specific radius? If not, can I achieve this with freeradius
or do I have to look for something else?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
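One way to build the fan-out Alexandre describes, as an added example that is not from the original post and not the FreeRADIUS project's shipped configuration: each downstream RADIUS service gets its own `detail` writer in the main accounting section and its own virtual server with a `detail` listener that replays that file and proxies every entry to one realm. The module, realm, pool and server names, the 192.0.2.x addresses (RFC 5737 documentation range) and the `CHANGE-ME` secrets are placeholders; the directives used (`detailfile`, `listen { type = detail }`, `Proxy-To-Realm`, `home_server`, `home_server_pool`, `realm`) are FreeRADIUS 2.x syntax as I know it, and the layout should be compared with the `sites-available/copy-acct-to-home-server` file shipped with the installed version.

```conf
# --- modules/detail (added instances): one detail writer per downstream service.
#     The main server's accounting section calls both, so every Accounting-Request
#     is journalled to disk once per destination before the NAS is answered.
detail detail_acct_billing {
	detailfile = ${radacctdir}/billing/detail-%Y%m%d
	detailperm = 0600           # detail files carry user identities; keep them private
}
detail detail_acct_portal {
	detailfile = ${radacctdir}/portal/detail-%Y%m%d
	detailperm = 0600
}

# --- sites-enabled/default, accounting section (fragment)
accounting {
	detail                      # the normal local journal
	detail_acct_billing
	detail_acct_portal
}

# --- proxy.conf: one home server, pool and realm per destination.
#     Secrets are placeholders; give each peer its own, never reuse the NAS secret.
home_server billing_acct {
	type   = acct
	ipaddr = 192.0.2.10         # placeholder, RFC 5737 documentation address
	port   = 1813
	secret = CHANGE-ME-billing
}
home_server_pool billing_pool {
	type        = fail-over
	home_server = billing_acct
}
realm billing_realm {
	acct_pool = billing_pool
	nostrip                     # forward User-Name unchanged; no realm suffix is involved
}

home_server portal_acct {
	type   = acct
	ipaddr = 192.0.2.20         # placeholder
	port   = 1813
	secret = CHANGE-ME-portal
}
home_server_pool portal_pool {
	type        = fail-over
	home_server = portal_acct
}
realm portal_realm {
	acct_pool = portal_pool
	nostrip
}

# --- sites-enabled/copy-acct-to-billing: a virtual server that replays the
#     billing detail file and proxies each entry. A second server of the same
#     shape (copy-acct-to-portal) reads ${radacctdir}/portal/detail-* and sets
#     Proxy-To-Realm := "portal_realm".
server copy-acct-to-billing {
	listen {
		type        = detail
		filename    = "${radacctdir}/billing/detail-*"
		load_factor = 10        # replay rate relative to the live accounting load
	}
	preacct {
		update control {
			Proxy-To-Realm := "billing_realm"
		}
	}
	accounting {
		ok
	}
}
```

The point of the split is isolation: the NAS gets its Accounting-Response as soon as the local writes succeed, and each detail reader advances through its own file only as its home server answers, so an unreachable billing host backs up the billing queue on disk without delaying the portal copy or the NAS. Keep `${radacctdir}` on local disk rather than NFS, and check that the reader's `filename` glob matches the writer's `detailfile` pattern, otherwise the entries are journalled but never replayed.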


Re: Crash on x64?

2008-08-14 Thread Alex Balashov
Ah, for a clearer picture, I tried running under gdb with the no-fork 
option:



[EMAIL PROTECTED] radius]# gdb /usr/sbin/radiusd
GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...(no debugging 
symbols found)

Using host libthread_db library "/lib64/libthread_db.so.1".

(gdb) r -f
Starting program: /usr/sbin/radiusd -f
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Thu Aug 14 20:17:47 2008 : Info: Starting - reading configuration files ...
[New Thread 47044196995056 (LWP 11633)]
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
---Type <return> to continue, or q <return> to quit---
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[New Thread 1098144064 (LWP 11662)]
[New Thread 1108633920 (LWP 11663)]
[New Thread 1119123776 (LWP 11664)]
[New Thread 1129613632 (LWP 11665)]
[New Thread 1140103488 (LWP 11666)]
[New Thread 1150593344 (LWP 11667)]
[New Thread 1161083200 (LWP 11668)]
[New Thread 1171573056 (LWP 11669)]
[New Thread 1182062912 (LWP 11670)]
[New Thread 1192552768 (LWP 11671)]

[New Thread 1203042624 (LWP 11677)]
[New Thread 1213532480 (LWP 11678)]
[Thread 1098144064 (LWP 11662) exited]
[New Thread 1224022336 (LWP 11679)]
[New Thread 1098144064 (LWP 11680)]
[New Thread 1234512192 (LWP 11684)]
[Thread 1108633920 (LWP 11663) exited]
[New Thread 1245002048 (LWP 11685)]
[New Thread 1108633920 (LWP 11686)]
[New Thread 1255491904 (LWP 11687)]
[New Thread 1265981760 (LWP 11688)]
[New Thread 1276471616 (LWP 11689)]
[New Thread 1286961472 (LWP 11690)]
[Thread 1119123776 (LWP 11664) exited]
[New Thread 1297451328 (LWP 11691)]
[New Thread 1119123776 (LWP 11692)]
[New Thread 1307941184 (LWP 11693)]
[New Thread 1318431040 (LWP 11694)]
[New Thread 1328920896 (LWP 11695)]
[New Thread 1339410752 (LWP 11696)]
[New Thread 1349900608 (LWP 11698)]
*** glibc detected *** /usr/sbin/radiusd: free(): invalid pointer: 
0x2ac95891ca60 ***

(no debugging symbols found)
=== Backtrace: =
/lib64/libc.so.6[0x2ac954229634]
/lib64/libc.so.6(cfree+0x8c)[0x2ac95422cc5c]
/usr/lib64/libpq.so.4[0x2ac95726cdf2]
/usr/lib64/rlm_sql_postgresql.so[0x2ac957061e12]
/usr/lib64/rlm_sql.so(rlm_sql_query+0x63)[0x2ac956e5db33]
/usr/lib64/rlm_sql.so[0x2ac956e5c271]
/usr/sbin/radiusd(modcall+0xb2)[0x2ac952c0dc52]
/usr/sbin/radiusd[0x2ac952c0e241]
/usr/sbin/radiusd(modcall+0x27c)[0x2ac952c0de1c]
/usr/sbin/radiusd(rad_accounting+0xcd)[0x2ac952c056ed]
/usr/sbin/radiusd(rad_respond+0x11a)[0x2ac952c0f1ea]
/usr/sbin/radiusd[0x2ac952c15e51]
/lib64/libpthread.so.0[0x2ac9534812f7]
/lib64/libc.so.6(clone+0x6d)[0x2ac954289b6d]
=== Memory map: 
40d45000-40d46000 ---p 40d45000 00:00 0
40d46000-41746000 rw-p 40d46000 00:00 0
41746000-41747000 ---p 41746000 00:00 0
41747000-42147000 rw-p 41747000 00:00 0
42147000-42148000 ---p 42147000 00:00 0
42148000-42b48000 rw-p 42148000 00:00 0
42b48000-42b49000 ---p 42b48000 00:00 0
42b49000-43549000 rw-p 42b49000 00:00 0
43549000-4354a000 ---p 43549000 00:00 0
4354a000-43f4a000 rw-p 4354a000 00:00 0
43f4a000-43f4b000 ---p 43f4a000 00:00 0
43f4b000-4494b000 rw-p 43f4b000 00:00 0
4494b000-4494c000 ---p 4494b000 00:00 0
4494c000-4534c000 rw-p 4494c000 00:00 0
4534c000-4534d000 ---p 4534c000 00:00 0
4534d000-45d4d000 rw-p 4534d000 00:00 0
45d4d000-45d4e000 ---p 45d4d000 00:00 0
45d4e000-4674e000 rw-p 45d4e000 00:00 0
4674e000-4674f000 ---p 4674e000 00:00 0
4674f000-4714f000 rw-p 4674f000 00:00 0
4714f000-47150000 ---p 4714f000 00:00 0
47150000-47b50000 rw-p 47150000 00:00 0
47b50000-47b51000 ---p 47b50000 00:00 0
47b51000-4855

Re: Crash on x64?

2008-08-14 Thread Alex Balashov

Alex Balashov wrote:

Greetings,

I am running a very high-volume FreeRADIUS installation on RHEL 5 (not 
my choice), and noticed that FreeRADIUS was periodically dying after 
instantiating a great many worker servers.  I looked at the output in 
GDB and got:


Continuing.

[New LWP 11400]
[tcsetpgrp failed in terminal_inferior: Operation not permitted]
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 47272748113904 (LWP 11350)]
[New Thread 1328978240 (LWP 11441)]
[New Thread 1318488384 (LWP 11439)]
[New Thread 1370937664 (LWP 11438)]
[New Thread 1307998528 (LWP 11437)]
[New Thread 1360447808 (LWP 11436)]
[New Thread 1140160832 (LWP 11435)]
[New Thread 1297508672 (LWP 11434)]
[New Thread 1287018816 (LWP 11433)]
[New Thread 1276528960 (LWP 11432)]
[New Thread 1266039104 (LWP 11431)]
[New Thread 1119181120 (LWP 11430)]
[New Thread 1255549248 (LWP 11429)]
[New Thread 1245059392 (LWP 11428)]
[New Thread 1234569536 (LWP 11427)]
[New Thread 1129670976 (LWP 11423)]
[New Thread 1203099968 (LWP 11422)]
[New Thread 1339468096 (LWP 11421)]
[New Thread 1108691264 (LWP 11420)]
[New Thread 1349957952 (LWP 11419)]
[New Thread 1213589824 (LWP 11412)]
[New Thread 1224079680 (LWP 11411)]
[New Thread 1094392128 (LWP 11410)]
[New Thread 1538775360 (LWP 11406)]
[New Thread 1528285504 (LWP 11405)]
[New Thread 1517795648 (LWP 11404)]
[New Thread 1192610112 (LWP 11403)]
[New Thread 1507305792 (LWP 11402)]
[New Thread 1496815936 (LWP 11401)]
[New Thread 1486326080 (LWP 11400)]
[New Thread 1475836224 (LWP 11399)]
[New Thread 1465346368 (LWP 11398)]
[New Thread 1454856512 (LWP 11397)]
[New Thread 1444366656 (LWP 11396)]
[New Thread 1433876800 (LWP 11395)]
[New Thread 1423386944 (LWP 11394)]
[New Thread 1412897088 (LWP 11393)]
[New Thread 1161140544 (LWP 11392)]

Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to Thread 1486326080 (LWP 11400)]
0x2afe89997d19 in dl_open_worker () from /lib64/ld-linux-x86-64.so.2
(gdb)
Continuing.

Program received signal SIGABRT, Aborted.
0x2afe8ad3d155 in raise () from /lib64/libc.so.6

Is this a bug in the x64 libdl?

-- Alex



Clarification:  I ask because I did not reset any breakpoints.

--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Crash on x64?

2008-08-14 Thread Alex Balashov

Greetings,

I am running a very high-volume FreeRADIUS installation on RHEL 5 (not 
my choice), and noticed that FreeRADIUS was periodically dying after 
instantiating a great many worker servers.  I looked at the output in 
GDB and got:


Continuing.

[New LWP 11400]
[tcsetpgrp failed in terminal_inferior: Operation not permitted]
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 47272748113904 (LWP 11350)]
[New Thread 1328978240 (LWP 11441)]
[New Thread 1318488384 (LWP 11439)]
[New Thread 1370937664 (LWP 11438)]
[New Thread 1307998528 (LWP 11437)]
[New Thread 1360447808 (LWP 11436)]
[New Thread 1140160832 (LWP 11435)]
[New Thread 1297508672 (LWP 11434)]
[New Thread 1287018816 (LWP 11433)]
[New Thread 1276528960 (LWP 11432)]
[New Thread 1266039104 (LWP 11431)]
[New Thread 1119181120 (LWP 11430)]
[New Thread 1255549248 (LWP 11429)]
[New Thread 1245059392 (LWP 11428)]
[New Thread 1234569536 (LWP 11427)]
[New Thread 1129670976 (LWP 11423)]
[New Thread 1203099968 (LWP 11422)]
[New Thread 1339468096 (LWP 11421)]
[New Thread 1108691264 (LWP 11420)]
[New Thread 1349957952 (LWP 11419)]
[New Thread 1213589824 (LWP 11412)]
[New Thread 1224079680 (LWP 11411)]
[New Thread 1094392128 (LWP 11410)]
[New Thread 1538775360 (LWP 11406)]
[New Thread 1528285504 (LWP 11405)]
[New Thread 1517795648 (LWP 11404)]
[New Thread 1192610112 (LWP 11403)]
[New Thread 1507305792 (LWP 11402)]
[New Thread 1496815936 (LWP 11401)]
[New Thread 1486326080 (LWP 11400)]
[New Thread 1475836224 (LWP 11399)]
[New Thread 1465346368 (LWP 11398)]
[New Thread 1454856512 (LWP 11397)]
[New Thread 1444366656 (LWP 11396)]
[New Thread 1433876800 (LWP 11395)]
[New Thread 1423386944 (LWP 11394)]
[New Thread 1412897088 (LWP 11393)]
[New Thread 1161140544 (LWP 11392)]

Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to Thread 1486326080 (LWP 11400)]
0x2afe89997d19 in dl_open_worker () from /lib64/ld-linux-x86-64.so.2
(gdb)
Continuing.

Program received signal SIGABRT, Aborted.
0x2afe8ad3d155 in raise () from /lib64/libc.so.6

Is this a bug in the x64 libdl?

-- Alex

--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius in an AD environment on opensuse server

2008-08-14 Thread Ivan Kalik
If that's difficult, save raddb configuration directory (and
subdirectories) as cfgbkp1, cfgbkp2, ... When you mess up and don't
know how to fix it you can copy back.

Ivan Kalik
Kalik Informatika ISP


On 14/8/2008, "Murray, Elizabeth [DNR]"
<[EMAIL PROTECTED]> wrote:

>http://deployingradius.com/documents/configuration/setup.html
>
>Sorry.  It's on this page having to do with the Mercurial installation.
>
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
>Sent: Thursday, August 14, 2008 2:34 PM
>To: FreeRadius users mailing list
>Subject: Re: Freeradius in an AD environment on opensuse server
>
>Murray, Elizabeth [DNR] wrote:
>> OK.  Following the suggestions, I installed the application for the 
>> application to track changes.  Not so easy to do.  I now give up.
>
>  That is about as vague a description as I've ever seen.
>
>  If it's not possible for you to describe accurately what you're doing,
>you won't have much luck solving *any* problems.
>
>> I followed the instructions and when I run the test it asks me about the 
>> .hgrc file.  Not to be found anywhere.
>
>  Followed "the instructions"?  On what page?  Can you say?  Is it a secret?
>
>> This will have to be step by step for me.   Good way to check your site 
>> though!!!
>
>  I think the problems you're running into are not with the
>documentation or examples.
>
>  Alan DeKok.
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Sending Access-Request of id 42 to 10.0.6.29 port 1812 User-Name = "test" User-Password = "testing123" NAS-IP-Address = 10.30.1.104 NAS-Port = 1812 rad_recv: Access-Reject packet from host 10.0.6.29

2008-08-14 Thread Ivan Kalik
>Hi! First, Alan, my server is 10.30.1.104, not 10.0.6.29 

Fine.

>
>OK, and when I write: radtest test testing123 10.0.6.29 1812 testing123  

So why are you sending the request to the wrong radius server? Read
the instructions on how to use radtest again.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius in an AD environment on opensuse server

2008-08-14 Thread Murray, Elizabeth [DNR]
OK.  I'll pass that by.  It does make this suggestion on 
http://deployingradius.com/documents/configuration/setup.html link.  I just 
finished rebuilding my opensuse server and will start with the PAP settings.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Maurizio Cimaschi
Sent: Thursday, August 14, 2008 4:22 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius in an AD environment on opensuse server

Murray, Elizabeth [DNR] wrote:
> OK.  Following the suggestions, I installed the application for the 
> application to track changes.  Not so easy to do.  I now give up.
> I followed the instructions and when I run the test it asks me about the 
> .hgrc file.  Not to be found anywhere.

Given this error, it seems that you're busy installing Mercurial; but I
did not suggest you install any Source Control Management system. At
least it is not related to the installation of freeradius.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius in an AD environment on opensuse server

2008-08-14 Thread Murray, Elizabeth [DNR]
http://deployingradius.com/documents/configuration/setup.html

Sorry.  It's on this page having to do with the Mercurial installation.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, August 14, 2008 2:34 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius in an AD environment on opensuse server

Murray, Elizabeth [DNR] wrote:
> OK.  Following the suggestions, I installed the application for the 
> application to track changes.  Not so easy to do.  I now give up.

  That is about as vague a description as I've ever seen.

  If it's not possible for you to describe accurately what you're doing,
you won't have much luck solving *any* problems.

> I followed the instructions and when I run the test it asks me about the 
> .hgrc file.  Not to be found anywhere.

  Followed "the instructions"?  On what page?  Can you say?  Is it a secret?

> This will have to be step by step for me.   Good way to check your site 
> though!!!

  I think the problems you're running into are not with the
documentation or examples.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Sending Access-Request of id 42 to 10.0.6.29 port 1812 User-Name = "test" User-Password = "testing123" NAS-IP-Address = 10.30.1.104 NAS-Port = 1812 rad_recv: Access-Reject packet from host 10.0.6.

2008-08-14 Thread A . L . M . Buxey
Hi,

> Hi! First, Alan, my server is 10.30.1.104, not 10.0.6.29, and when I write
> this: radiusd -i 10.30.1.104 -p 1812 -x -X :

okay. your server is 10.30.1.104

> OK, and when I write: radtest test testing123 10.0.6.29 1812 testing123  I
> get:

do you know what that command means?  you are sending a request
for user 'test' with password 'testing123' to server 10.0.6.29

so WHAT is server 10.0.6.29 ? It's certainly not the server
you've just started. THAT server was 10.30.1.104

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius in an AD environment on opensuse server

2008-08-14 Thread Maurizio Cimaschi

Murray, Elizabeth [DNR] wrote:
OK.  Following the suggestions, I installed the application for the application to track changes.  Not so easy to do.  I now give up. 
I followed the instructions and when I run the test it asks me about the .hgrc file.  Not to be found anywhere.


Given this error, it seems that you're busy installing Mercurial; but I 
did not suggest you install any Source Control Management system. At 
least it is not related to the installation of freeradius.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Sending Access-Request of id 42 to 10.0.6.29 port 1812 User-Name = "test" User-Password = "testing123" NAS-IP-Address = 10.30.1.104 NAS-Port = 1812 rad_recv: Access-Reject packet from host 10.0.6.

2008-08-14 Thread Martin Silvero
Hi! First, Alan, my server is 10.30.1.104, not 10.0.6.29, and when I write
this: radiusd -i 10.30.1.104 -p 1812 -x -X :


Thu Aug 14 17:36:15 2008 : Info: FreeRADIUS Version 2.0.5, for host
x86_64-unknown-linux-gnu, built on Jul 24 2008 at 10:54:31
Thu Aug 14 17:36:15 2008 : Info: Copyright (C) 1999-2008 The FreeRADIUS
server project and contributors.
Thu Aug 14 17:36:15 2008 : Info: There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A
Thu Aug 14 17:36:15 2008 : Info: PARTICULAR PURPOSE.
Thu Aug 14 17:36:15 2008 : Info: You may redistribute copies of FreeRADIUS
under the terms of the
Thu Aug 14 17:36:15 2008 : Info: GNU General Public License v2.
Thu Aug 14 17:36:15 2008 : Info: Starting - reading configuration files ...
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/radiusd.conf
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/proxy.conf
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/clients.conf
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/snmp.conf
Thu Aug 14 17:36:15 2008 : Debug: including files in directory
/usr/local/etc/raddb/modules/
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/mac2vlan
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/ldap
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/smbpasswd
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/files
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/policy
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/echo
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/passwd
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/expr
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/attr_filter
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/always
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/realm
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/ippool
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/preprocess
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/chap
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/unix
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/mschap
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/radutmp
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/detail
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/expiration
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/pam
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/checkval
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/logintime
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/pap
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/etc_group
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/detail.log
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/acct_unique
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/mac2ip
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/digest
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/attr_rewrite
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/sradutmp
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/krb5
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/exec
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/sql_log
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/counter
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/eap.conf
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/policy.conf
Thu Aug 14 17:36:15 2008 : Debug: including files in directory
/usr/local/etc/raddb/sites-enabled/
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/sites-enabled/in

Re: proxy over encrypted stream

2008-08-14 Thread Alexandre Chapellon


Alexandre Chapellon wrote:
> Hello, I'm  not very familiar with radius, and i have a lot of questions.
> For example:
> Is it possible to proxy auth and acct request from one freeradius to
> another over an encrypted network stream such as SSL or TLS?
>   

Is that such a silly question that no one wants to answer?
Is it understandable?

> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>   
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius in an AD environment on opensuse server

2008-08-14 Thread Alan DeKok
Murray, Elizabeth [DNR] wrote:
> OK.  Following the suggestions, I installed the application for the 
> application to track changes.  Not so easy to do.  I now give up.

  That is about as vague a description as I've ever seen.

  If it's not possible for you to describe accurately what you're doing,
you won't have much luck solving *any* problems.

> I followed the instructions and when I run the test it asks me about the 
> .hgrc file.  Not to be found anywhere.

  Followed "the instructions"?  On what page?  Can you say?  Is it a secret?

> This will have to be step by step for me.   Good way to check your site 
> though!!!

  I think the problems you're running into are not with the
documentation or examples.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius in an AD environment on opensuse server

2008-08-14 Thread Alan DeKok
Maurizio Cimaschi wrote:
> Ivan Kalik wrote:
>> You can't get cleartext password from AD, but you can extract encrypted
>> (nt hashed) password as NT-Password with ldap. You will be able to
>> authenticate pap and mschap requests with that.
> 
> I was lurking in the attribute list of the AD:
> http://msdn.microsoft.com/en-us/library/ms675480(VS.85).aspx
> 
> There's a particular attribute that may do the trick: "DBCS-Pwd
> Attribute". It is said to be the account's LAN manager password.

  Cute... but not good enough for doing MS-CHAP.  MS-CHAP has fields for
LAN manager passwords... which are usually blank.  The passwords are
pretty much always NT-hashed passwords.

> Since rlm_mschap should be able to authenticate using one of clear-text
> pwd, LAN mgr pwd and NT pwd, this should be enough.

  The *client* has to supply the MS-CHAP magic using the LAN-manager
password.  Since the client always chooses NT-hashed passwords... using
LAN manager passwords is not possible.

> Via ldap.attrmap should be possible to map that attribute to the radius
> attribute LM-Password.

  Yup.

> What do you think ?

  Nice, if the clients did LM passwords.  Which they don't, unfortunately.

  Still, it's worth adding to the default ldap.attrmap.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Sending Access-Request of id 42 to 10.0.6.29 port 1812 User-Name = "test" User-Password = "testing123" NAS-IP-Address = 10.30.1.104 NAS-Port = 1812 rad_recv: Access-Reject packet from host 10.0.6.

2008-08-14 Thread Alan DeKok
Martin Silvero wrote:
> Now I have this. I hope this time you answer me!

  Why?  Is there some kind of contractual obligation requiring people
here to respond?

> Sending Access-Request of id 42 to 10.0.6.29  port 1812
> User-Name = "test"
> User-Password = "testing123"
> NAS-IP-Address = 10.30.1.104 
> NAS-Port = 1812
> rad_recv: Access-Reject packet from host 10.0.6.29 
> port 1812, id=42, length=88
> State =
> 0xb58bf2bf2470c7b33a07ab72ff21378e
> Message-Authenticator = 0x53f17e1045e6a2f65d3a3f48704ea2c9

  The RADIUS server isn't FreeRADIUS.

  Go ask the RADIUS server vendor what's going on.  Don't be surprised
if they ask for money before answering your questions.

  Questions about other RADIUS servers don't belong on this list.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius in an AD environment on opensuse server

2008-08-14 Thread Murray, Elizabeth [DNR]
OK.  Following the suggestions, I installed the application for the application 
to track changes.  Not so easy to do.  I now give up.

I followed the instructions and when I run the test it asks me about the .hgrc 
file.  Not to be found anywhere.

This will have to be step by step for me.   Good way to check your site though!!!

Liz M
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Maurizio Cimaschi
Sent: Thursday, August 14, 2008 12:47 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius in an AD environment on opensuse server

Murray, Elizabeth [DNR] wrote:
> Thanks.   Glad I didn't get this last night or I wouldn't have slept!!!

I'm happy not to have disrupted your sleep ;-)

> I will have multiple access points spread across a large geographic area that 
> will authenticate to a series of Radius servers located in the internal 
> network.  Any other suggestions would be appreciated.  I've got most of this 
> in my head so I need to do some writing.  I'm here for 2 days then vacation.  
> I almost don't want to go because this has been such a frustrating task for 
> me.
> Thanks again.  Any more ideas would be appreciated.

Just one consideration. Does your IT environment have to be resilient to
the loss of a server or WAN line? If not, I would not bother to have more
than one radius server; if yes, you should already have backup domain
controllers in place, so I'd map a radius server to every backup domain
controller.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Sending Access-Request of id 42 to 10.0.6.29 port 1812 User-Name = "test" User-Password = "testing123" NAS-IP-Address = 10.30.1.104 NAS-Port = 1812 rad_recv: Access-Reject packet from host 10.0.6.

2008-08-14 Thread A . L . M . Buxey
hi,

you need to look at the debug log for the
RADIUS server which lives at 10.0.6.29 
as that is the thing doing the rejecting!

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Sending Access-Request of id 42 to 10.0.6.29 port 1812 User-Name = "test" User-Password = "testing123" NAS-IP-Address = 10.30.1.104 NAS-Port = 1812 rad_recv: Access-Reject packet from host 10.0.6.29 p

2008-08-14 Thread Martin Silvero
hello!

now I have this. I hope this time you answer me!!

Sending Access-Request of id 42 to 10.0.6.29 port 1812
User-Name = "test"
User-Password = "testing123"
NAS-IP-Address = 10.30.1.104
NAS-Port = 1812
rad_recv: Access-Reject packet from host 10.0.6.29 port 1812, id=42,
length=88
State = 0xb58bf2bf2470c7b33a07ab72ff21378e
Message-Authenticator = 0x53f17e1045e6a2f65d3a3f48704ea2c9

¿? could you help me?

-- 
--

Silvero Martin

Re: Authentication seems to work, only it doesn't actually (EAP-TTLS)

2008-08-14 Thread Pat Riehecky
On Thu, 2008-08-14 at 15:59 +0200, Alan DeKok wrote:
> Pat Riehecky wrote:
> > My long term goal is EAP-TTLS + PAP with FreeRadius 2.0 and LDAP
> 
>   That should be easy enough.
> 
> > That being said I have taken one of my existing, working with FreeRadius
> > 1.1.5, access points and pointed it at my test radius server.
> 
>   Why?   Why not just test everything from the command-line?  See my web
> site for examples of testing EAP (http://deployingradius.com).

Found the tools needed (knowledge) to figure out my own errors there.

Thanks!
Pat



Re: Freeradius in an AD environment on opensuse server

2008-08-14 Thread Maurizio Cimaschi

Murray, Elizabeth [DNR] wrote:

Thanks.   Glad I didn't get this last night or I wouldn't have slept!!!


I'm happy not to have disrupted your sleep ;-)


I will have multiple access points spread across a large geographic area that 
will authenticate to a series of Radius servers located in the internal 
network.  Any other suggestions would be appreciated.  I've got most of this in 
my head so I need to do some writing.  I'm here for 2 days then vacation.  I 
almost don't want to go because this has been such a frustrating task for me.
Thanks again.  Any more ideas would be appreciated.


Just one consideration. Does your IT environment have to be resilient to 
a loss of a server or WAN line? If not, I would not bother to have more 
than one radius server; if yes, you should already have backup 
domain controllers in place, so I'd map a radius server to every backup domain 
controller.





Re: Freeradius in an AD environment on opensuse server

2008-08-14 Thread Maurizio Cimaschi

Ivan Kalik wrote:

You can't get cleartext password from AD, but you can extract encrypted
(nt hashed) password as NT-Password with ldap. You will be able to
authenticate pap and mschap requests with that.


I was lurking in the attribute list of the AD: 
http://msdn.microsoft.com/en-us/library/ms675480(VS.85).aspx


There's a particular attribute that may do the trick: "DBCS-Pwd 
Attribute". It is said to be the account's LAN manager password.


Since rlm_mschap should be able to authenticate using one of clear-text 
pwd, LAN mgr pwd and NT pwd, this should be enough.


Via ldap.attrmap it should be possible to map that attribute to the radius 
attribute LM-Password.


What do you think ?




RE: FreeRadius 2.0.5 AD PEAP

2008-08-14 Thread Brooks, Kyle
> you've configured inner-tunnel for EAP - but do you have the
> inner-tunnel virtual server config file living in sites-enabled/ ?

Hello Alan,

Here are the contents of the inner-tunnel file located in sites-enabled/

# -*- text -*-
##
#
#   This is a virtual server that handles *only* inner tunnel
#   requests for EAP-TTLS and PEAP types.
#
#   $Id: inner-tunnel,v 1.6 2008/03/29 21:33:12 aland Exp $
#
##

server inner-tunnel {

#
#  Un-comment the next section to perform test on the inner tunnel
#  without needing an outer tunnel session.  The tests will not be
#  exactly the same as when TTLS or PEAP are used, but they will
#  be close enough for many tests.
#
#listen {
#   ipaddr = 127.0.0.1
#   port = 18120
#   type = auth
#}


#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to setup hints for the remote radius server
authorize {
#
#  The chap module will set 'Auth-Type := CHAP' if we are
#  handling a CHAP request and Auth-Type has not already been
#  set
chap

#
#  If the users are logging in with an MS-CHAP-Challenge
#  attribute for authentication, the mschap module will find
#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
#  to the request, which will cause the server to then use
#  the mschap module for authentication.
mschap

#
#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
#  using the system API's to get the password.  If you want
#  to read /etc/passwd or /etc/shadow directly, see the
#  passwd module, above.
#
unix

#
#  Look for IPASS style 'realm/', and if not found, look for
#  '@realm', and decide whether or not to proxy, based on
#  that.
#   IPASS

#
#  If you are using multiple kinds of realms, you probably
#  want to set "ignore_null = yes" for all of them.
#  Otherwise, when the first style of realm doesn't match,
#  the other styles won't be checked.
#
#  Note that proxying the inner tunnel authentication means
#  that the user MAY use one identity in the outer session
#  (e.g. "anonymous", and a different one here
#  (e.g. "[EMAIL PROTECTED]").  The inner session will then be
#  proxied elsewhere for authentication.  If you are not
#  careful, this means that the user can cause you to forward
#  the authentication to another RADIUS server, and have the
#  accounting logs *not* sent to the other server.  This makes
#  it difficult to bill people for their network activity.
#
suffix
#   ntdomain

#
#  The "suffix" module takes care of stripping the domain
#  (e.g. "@example.com") from the User-Name attribute, and the
#  next few lines ensure that the request is not proxied.
#
#  If you want the inner tunnel request to be proxied, delete
#  the next few lines.
#
update control {
   Proxy-To-Realm := LOCAL
}

#
#  This module takes care of EAP-MSCHAPv2 authentication.
#
#  It also sets the EAP-Type attribute in the request
#  attribute list to the EAP type from the packet.
#
#  The example below uses module failover to avoid querying all
#  of the following modules if the EAP module returns "ok".
#  Therefore, your LDAP and/or SQL servers will not be queried
#  for the many packets that go back and forth to set up TTLS
#  or PEAP.  The load on those servers will therefore be
#  reduced.
#
eap {
ok = return
}

#
#  Read the 'users' file
files

#
#  Look in an SQL database.  The schema of the database
#  is meant to mirror the "users" file.
#
#  See "Authorization Queries" in sql.conf
#   sql

#
#  If you are using /etc/smbpasswd, and are also doing
#  mschap authentication, the un-comment this line, and
#  configure the 'etc_smbpasswd' module, above.
#   etc_smbpasswd

#
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap

#
#  Enforce daily limits on time spent logged in.
#   daily

#
# Use the checkval module
#   checkval

expiration
logintime

#
#  If no other module has claimed responsibility fo

Re: FreeRadius 2.0.5 AD PEAP

2008-08-14 Thread A . L . M . Buxey
hi,

you've configured inner-tunnel for EAP - but
do you have the inner-tunnel virtual server config file
living in sites-enabled/ ?

alan


RE: FreeRadius 2.0.5 AD PEAP

2008-08-14 Thread Brooks, Kyle
>>++[mschap] returns ok
>>MSCHAP Success
>>++[eap] returns handled
>
>Radius is doing fine. Your switch is having problems with EAP-MSCHAPv2.
>Debug the switch.
>
>Ivan Kalik
>Kalik Informatika ISP

Ok, but we are using this same switch and config for our current
deployment of freeradius 1.1.7 with AD and everything is working fine.

I will debug the switch but would it be something else?



Re: Help needed for radrelay under 1.1.3

2008-08-14 Thread Ryan
Hi Alan,

Thanks for the advice. Will look into upgrading to 2.0.5. As this is a
production system, will need to plan for it.

Best Regards,
Ryan

> Date: Tue, 12 Aug 2008 17:45:37 +0200
> From: Alan DeKok <[EMAIL PROTECTED]>
> Subject: Re: Help needed for radrelay under 1.1.3
> To: FreeRadius users mailing list
>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Ryan wrote:
>> Need some help on radrelay for 1.1.3 if possible.
>
>  Upgrade to 2.0.5.  The radrelay functionality is integrated into the
> server core, and works much better than 1.1.x.
>
>> Have tried running radrelay in debug mode but was not able to find any
>> error other than the following
>> rad_verify: Received Accounting-Response packet from client
>> xxx.xxx.xxx.xxx port 1813 with invalid signature (err=2)!  (Shared
>> secret is incorrect.)
>
>  Well... fix that.  Really.  It's making radrelay not work.
>
>> Both radius are running 1.1.3.
>>
>> The error is rather strange as I'm sure that the shared secret is correct.
>
>  (a) the shared secret is wrong.
>  (b) the MD5 libraries on the system are broken
>  (c) the memory on the system is corrupt.
>
>  Pick one.
>
>  Alan DeKok.
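The "invalid signature ... (Shared secret is incorrect.)" error Ryan quotes comes from the Response Authenticator check of RFC 2866, which is why the only explanations are the secret, the MD5 code, or memory. As an added example (not code from FreeRADIUS or from any list post), the check is reproduced below on constructed packets and secrets:

```python
"""
Added example: the RADIUS accounting Response Authenticator check.

Per RFC 2866 the server answers an Accounting-Request with

    Response Authenticator = MD5(Code + ID + Length + RequestAuth
                                 + Attributes + Secret)

and the receiver recomputes the same hash with *its* copy of the
secret.  Nothing but the packet bytes and the secret go into the
hash, so a mismatch means a different secret (or a broken MD5 /
corrupt memory), exactly the three options Alan lists.
All packets, attribute values and secrets here are constructed.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Encode a list of (type, value_bytes) pairs as RADIUS TLVs."""
    out = bytearray()
    for atype, value in attrs:
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def build_accounting_request(ident, attrs, secret):
    """Accounting-Request: authenticator is
    MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_accounting_response(request, attrs, secret):
    """Accounting-Response: the Response Authenticator binds the reply
    to the request's authenticator and to the shared secret."""
    ident = request[1]
    req_auth = request[4:20]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, HEADER_LEN + len(body))
    auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + auth + body


def verify_response(request, response, secret):
    """Receiver-side check (the one radrelay reports as failing).
    True only if the response was produced with the same secret for
    this outstanding request and was not modified in transit."""
    if len(response) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or length != len(response):
        return False
    if ident != request[1]:  # reply must belong to this request
        return False
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[HEADER_LEN:] + secret
    ).digest()
    # constant-time compare of the 16-byte authenticator
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Constructed exchange: the correct secret verifies, a secret that
    differs by one character does not.  Returns (ok, bad)."""
    nas_secret = b"testing123"           # constructed, both sides agree
    request = build_accounting_request(
        ident=7,
        attrs=[(1, b"user_XXX"),                 # User-Name
               (40, struct.pack("!I", 2)),       # Acct-Status-Type = Stop
               (44, b"0000001a")],               # Acct-Session-Id
        secret=nas_secret,
    )
    response = build_accounting_response(request, [], nas_secret)
    ok = verify_response(request, response, nas_secret)
    bad = verify_response(request, response, b"testing124")  # typo'd secret
    return ok, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```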


Re: FreeRadius 2.0.5 AD PEAP

2008-08-14 Thread Ivan Kalik
>++[mschap] returns ok
>MSCHAP Success
>++[eap] returns handled

Radius is doing fine. Your switch is having problems with EAP-MSCHAPv2.
Debug the switch.

Ivan Kalik
Kalik Informatika ISP



Re: MySQL + freeradius problem

2008-08-14 Thread Alan DeKok
Igor Sawczuk wrote:
> Hi,
> I have a problem with freeradius and MySQL.
> I run freeradius successfully using the users file, but I wanted to
> migrate to MySQL, and from then on I have had a lot of problems.
> First of all, I got errors in radius.log that I do not understand:
> Thu Aug 14 16:16:17 2008 : Error: rlm_radutmp: Logout for NAS 
> port 285213359, but no Login record

  The NAS is sending out of order packets.  If you're not using
rlm_radutmp, then delete the references to it from the configuration files.

> Thu Aug 14 16:16:17 2008 : Error: rlm_sql (sql) in sql_accounting:
> stop packet with zero session length. [user 'user_XXX', nas
> '172.16.2.3']

  That message can be ignored.

> Thu Aug 14 16:16:21 2008 : Auth: Login OK: [user_XXX] (from client
>  port 285213359 cli #XXX#ZZZ#VVV)
> 
> I get these logs when I shut down the old radius and start the new one, which is using 
> MySQL.
> I don't know why, NAS is still asking for user_XXX and radius always
> gives error msg (above).
> 
> The question is:
> 1. Should I change something in my radius+MySQL configuration? (for
> ex. add additional attributes to radreply)

  No.

> 2. Should I wait until everybody logs out from the old radius, and then start the new one?

  No.

  Alan DeKok.


Re: sql_set_user bug (was Re: Possible bug in unlang?)

2008-08-14 Thread Alan DeKok
Phil Mayers wrote:
> It's also appending a 2nd "w" on the end, almost as if something is
> re-using the original string buffer:
> 
> "IC\rmtw"
> 
> ...and writing "ICmtw" into it, giving:
> 
> "ICmtww"

  That looks like a separate bug.  Try the "valuepair.diff" patch first.

> I can work up a patch for the sql_set_user functions in rlm_sql and
> rlm_sql_log; I take it then this is un-related to the unlang issue?

  Yes.

  Try the sql.diff file for the \r bug.

  Alan DeKok.
diff --git a/src/modules/rlm_sql/rlm_sql.c b/src/modules/rlm_sql/rlm_sql.c
index dc8dc25..f59a04e 100644
--- a/src/modules/rlm_sql/rlm_sql.c
+++ b/src/modules/rlm_sql/rlm_sql.c
@@ -435,13 +435,16 @@ int sql_set_user(SQL_INST *inst, REQUEST *request, char *sqlusername, const char
 	strlcpy(sqlusername, tmpuser, MAX_STRING_LEN);
 	DEBUG2("rlm_sql (%s): sql_set_user escaped user --> '%s'",
 		   inst->config->xlat_name, sqlusername);
-	vp = pairmake("SQL-User-Name", sqlusername, 0);
-	if (vp == NULL) {
+	vp = radius_pairmake(request, &request->packet->vps,
+			 "SQL-User-Name", NULL, 0);
+	if (!vp) {
 		radlog(L_ERR, "%s", librad_errstr);
 		return -1;
 	}
 
-	pairadd(&request->packet->vps, vp);
+	strlcpy(vp->vp_strvalue, tmpuser, sizeof(vp->vp_strvalue));
+	vp->vp_length = strlen(vp->vp_strvalue);
+
 	return 0;
 
 }
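Review bot: the source copied into the new pair, `strlcpy(vp->vp_strvalue, tmpuser, sizeof(vp->vp_strvalue));`, is tmpuser, while the DEBUG2 line just above reports sqlusername as the "escaped user"; in the visible context sqlusername is only a strlcpy of tmpuser, so they are identical today, but copying sqlusername would keep the attribute in step with what is logged if escaping is ever applied to it. The return value of strlcpy is also discarded, so a name longer than the buffer is silently truncated and vp_length then describes the truncated string; checking `if (strlcpy(...) >= sizeof(vp->vp_strvalue))` and returning -1 would match the existing error path. Also, that error path still logs librad_errstr although the call it follows is now radius_pairmake rather than pairmake; worth confirming the new call sets that string on failure.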
diff --git a/src/lib/valuepair.c b/src/lib/valuepair.c
index 97c7b93..42eb3f8 100644
--- a/src/lib/valuepair.c
+++ b/src/lib/valuepair.c
@@ -879,6 +879,7 @@ VALUE_PAIR *pairparsevalue(VALUE_PAIR *vp, const char *value)
 length++;
 			}
 			vp->length = length;
+			vp->vp_strvalue[vp->length] = '\0';
 			break;
 
 		case PW_TYPE_IPADDR:
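Review bot: the added `vp->vp_strvalue[vp->length] = '\0';` writes one byte past the last character, so it is only safe if length is strictly less than sizeof(vp->vp_strvalue); the loop that produces length is outside this hunk, so confirm it stops one short of the buffer size, otherwise the terminator lands just past the buffer. Also note that this hunk uses vp->length while the rlm_sql.c hunk uses vp->vp_length for what appears to be the same member; confirm both names resolve to the same field.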

MySQL + freeradius problem

2008-08-14 Thread Igor Sawczuk
Hi,
I have a problem with freeradius and MySQL.
I run freeradius successfully using the users file, but I wanted to
migrate to MySQL, and from then on I have had a lot of problems.
First of all, I got errors in radius.log that I do not understand:
Thu Aug 14 16:16:17 2008 : Error: rlm_radutmp: Logout for NAS 
port 285213359, but no Login record
Thu Aug 14 16:16:17 2008 : Error: rlm_sql (sql) in sql_accounting:
stop packet with zero session length. [user 'user_XXX', nas
'172.16.2.3']
Thu Aug 14 16:16:21 2008 : Auth: Login OK: [user_XXX] (from client
 port 285213359 cli #XXX#ZZZ#VVV)

I get these logs when I shut down the old radius and start the new one, which is using MySQL.
I don't know why, but the NAS is still asking for user_XXX and radius always
gives the error msg (above).

The question is:
1. Should I change something in my radius+MySQL configuration? (for
ex. add additional attributes to radreply)
2. Should I wait until everybody logs out from the old radius, and then start the new one?

Thanks in advance.

btw. If you are from Poland, and know how to resolve my problem or
answer some questions about radius, you could help me in exchange
for a good sushi restaurant; please let me know. :)


FreeRadius 2.0.5 AD PEAP

2008-08-14 Thread Brooks, Kyle
In follow up to 'FreeRadius 2.0.3 setup help' on Jul 27.

We have tested using the certificate creation scripts and WinCA signed
certificates with the same result of an access challenge. We have tested
with both a Windows XP and Linux client with the same result. We are
using Cisco switches.
What am I missing? We have provided debug and radius.conf and eap.conf
files

FreeRADIUS Version 2.0.5, for host i386-redhat-linux-gnu, built on Jul
30 2008 at 10:41:14
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
group = root
user = root
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
 client 10.0.1.9 {
require_message_authenticator = no
secret = "c3750test"
shortname = "switch-man-lan"
nastype = "cisco"
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth+acct"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm ads..org {
authhost = LOCAL
accthost = LOCAL
 }
 realm  {
authhost = LOCAL
accthost = LOCAL
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = "request"
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = "You are calling outside your allowed timespan
"
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = "auto"
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = no
require_encryption = yes
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = "Password: "
auth_type

RE: Freeradius in an AD environment on opensuse server

2008-08-14 Thread Murray, Elizabeth [DNR]
I'll give it a try again.  I did find your website but came to a spot that I 
couldn't get past.  I'll start again with a clean server and let you know when 
I get stuck.  Thanks.  Nice to know I’m not alone.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, August 14, 2008 2:12 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius in an AD environment on opensuse server

Murray, Elizabeth [DNR] wrote:
> I’ve been struggling with this for months.

  That's always a bad sign.  If something goes wrong... ask.

>  I found a doc HOW TO on the
> opensuse website.  It says I have to use Samba in order to have the
> users authenticate.  For some reason every time I get that thing
> configured, it works for a few days then…it’s gone.

  Computers aren't magic.  If data disappears, it's because something is
making it disappear.

> Can I set up freeradius to authenticate with ldaps and be secure?

  No.  Active Directory pretends to be an LDAP server.  But it doesn't
supply clear-text passwords when LDAP clients ask for them.  So... the
only way for FreeRADIUS to authenticate against AD is via Samba.

> I would really be grateful for any help you could give me.  I now have
> the radius server back to it’s original configuration….clean.  So I’m
> ready to do your bidding.

  See my web site for configuring FreeRADIUS && AD.

http://deployingradius.com/documents/configuration/active_directory.html

  Alan DeKok.

Re: newbe getting mad with error ..

2008-08-14 Thread Alan DeKok
José Soler wrote:
> I have spent the whole day trying to install Freeradius 1.1.3 over a
> Debian 4.0 machine. I need to use version 1.1.3 since it is the
> recommended one for another application I am trying to test.

  If an application *requires* a specific version of FreeRADIUS...
there's likely something wrong with the application.

> Everything went smooth until the last step when I restarted Freeradius
> after completing the configuration. I do not know how to tackle this one
> and I am completely desperate…anyone can give me a hint?

  Just put everything on one line, without the '\':

query = "."

  And the problem will go away.

  Alan DeKok.

newbe getting mad with error ..

2008-08-14 Thread José Soler
Hi,

I have spent the whole day trying to install Freeradius 1.1.3 over a Debian 
4.0 machine. I need to use version 1.1.3 since it is the recommended one for 
another application I am trying to test.

Everything went smoothly until the last step when I restarted Freeradius after 
completing the configuration. I do not know how to tackle this one and I am 
completely desperate... can anyone give me a hint?

I got the following:

freeradius:/etc/freeradius# freeradius restart
Thu Aug 14 17:08:35 2008 : Info: Starting - reading configuration files ...
Thu Aug 14 17:08:35 2008 : Error: /etc/freeradius/radiusd.conf[1460]: Line is 
not in 'attribute = value' format
Thu Aug 14 17:08:35 2008 : Error: Errors reading radiusd.conf

The mentioned line [1460] in the radius.conf file looks as follows:

[1459] query = "SELECT SUM(AcctSessionTime - \
[1460]  GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
[1461]  FROM radacct WHERE UserName='%{%k}' AND \
[1462]  UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"

Thanks a lot !

jose



RE: Freeradius in an AD environment on opensuse server

2008-08-14 Thread Ivan Kalik
You can't get cleartext password from AD, but you can extract encrypted
(nt hashed) password as NT-Password with ldap. You will be able to
authenticate pap and mschap requests with that.

Ivan Kalik


Dana 14/8/2008, "Murray, Elizabeth [DNR]"
<[EMAIL PROTECTED]> piše:

>Thanks.   Glad I didn't get this last night or I wouldn't have slept!!!
>
>
>I will have multiple access points spread across a large geographic area that 
>will authenticate to a series of Radius servers located in the internal 
>network.  Any other suggestions would be appreciated.  I've got most of this 
>in my head so I need to do some writing.  I'm here for 2 days then vacation.  
>I almost don't want to go because this has been such a frustrating task for me.
>
>Thanks again.  Any more ideas would be appreciated.
>
>Liz M
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Maurizio 
>Cimaschi
>Sent: Wednesday, August 13, 2008 5:44 PM
>To: FreeRadius users mailing list
>Subject: Re: Freeradius in an AD environment on opensuse server
>
>Hi Liz,
>
>Murray, Elizabeth [DNR] wrote:
>> We’ve moved from a Novell eDirectory solution to . . . . Active Directory.
>
>I'm not an AD expert, but they say (
>http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbg_dat_jhzx.mspx?mfr=true
>) that AD is accessible using the LDAPv3 protocol; so it should be
>possible to use it like any other LDAP server.
>
>> Can I set up freeradius to authenticate with ldaps and be secure?
>
>What do you mean with "to be secure" ?
>Do you mean the connection between the radius server and the AD ?
>Are you familiar with the SCHEMAs used in AD (I'm not, by the way) ?
>Have you already planned the access rules that you will need on the AD
>to complete the authentication/authorization procedure ?
>(These are questions intended for yourself, in the first place).
>
>> The
>> ldap would be Microsoft and is on my domain controller.   I have
>> websites using the ldap process but OR do I have to do that samba thing?
>
>First of all, I think that you should take a moment to put down the
>architecture that you're working with (just to have a complete picture),
>your goals and the expertise that is available to you and/or your
>colleagues/organization. Then, you can start planning your setup.
>
>
>



RE: Freeradius in an AD environment on opensuse server

2008-08-14 Thread Murray, Elizabeth [DNR]
Thanks.   Glad I didn't get this last night or I wouldn't have slept!!!


I will have multiple access points spread across a large geographic area that 
will authenticate to a series of Radius servers located in the internal 
network.  Any other suggestions would be appreciated.  I've got most of this in 
my head so I need to do some writing.  I'm here for 2 days then vacation.  I 
almost don't want to go because this has been such a frustrating task for me.

Thanks again.  Any more ideas would be appreciated.

Liz M

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Maurizio Cimaschi
Sent: Wednesday, August 13, 2008 5:44 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius in an AD environment on opensuse server

Hi Liz,

Murray, Elizabeth [DNR] wrote:
> We’ve moved from a Novell eDirectory solution to . . . . Active Directory.

I'm not an AD expert, but they say (
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbg_dat_jhzx.mspx?mfr=true
) that AD is accessible using the LDAPv3 protocol; so it should be
possible to use it like any other LDAP server.

> Can I set up freeradius to authenticate with ldaps and be secure?

What do you mean with "to be secure" ?
Do you mean the connection between the radius server and the AD ?
Are you familiar with the SCHEMAs used in AD (I'm not, by the way) ?
Have you already planned the access rules that you will need on the AD
to complete the authentication/authorization procedure ?
(These are questions intended for yourself, in the first place).

> The
> ldap would be Microsoft and is on my domain controller.   I have
> websites using the ldap process but OR do I have to do that samba thing?

First of all, I think that you should take a moment to put down the
architecture that you're working with (just to have a complete picture),
your goals and the expertise that is available to you and/or your
colleagues/organization. Then, you can start planning your setup.




Re: Authentication seems to work, only it doesn't actually (EAP-TTLS)

2008-08-14 Thread Alan DeKok
Pat Riehecky wrote:
> My long term goal is EAP-TTLS + PAP with FreeRadius 2.0 and LDAP

  That should be easy enough.

> That being said I have taken one of my existing, working with FreeRadius
> 1.1.5, access points and pointed it at my test radius server.

  Why?   Why not just test everything from the command-line?  See my web
site for examples of testing EAP (http://deployingradius.com).

> When I try and connect the agent sends dozens of requests that the debug
> log seems very happy with "Login OK: [prieheck] (from client"
> However, that seems to be the extent of it.  The logins are approved,
> but it doesn't seem like anyone is getting informed.

  I have no idea what that means.
...
> Sending Access-Accept of id 222 to 10.4.6.7 port 1645

  Well, that looks like it's working.

> I would happily share any of my other config lines, but don't know what
> you would want to see and don't want to flood you with too much data

  Perhaps you could explain what's going wrong.  Saying "no one is
getting informed" makes no sense.

  Alan DeKok.


Authentication seems to work, only it doesn't actually (EAP-TTLS)

2008-08-14 Thread Pat Riehecky
My long term goal is EAP-TTLS + PAP with FreeRadius 2.0 and LDAP

That being said I have taken one of my existing, working with FreeRadius
1.1.5, access points and pointed it at my test radius server.

When I try and connect the agent sends dozens of requests that the debug
log seems very happy with "Login OK: [prieheck] (from client"
However, that seems to be the extent of it.  The logins are approved,
but it doesn't seem like anyone is getting informed.

A radeapclient test:

+++> About to send encoded packet:
User-Name = "prieheck"
Cleartext-Password = "please"
NAS-IP-Address = 127.0.0.1
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "prieheck"
Message-Authenticator = 0x00
NAS-Port = 0
<+++ EAP decoded packet:
EAP-Message = 0x01d300160410e04884bebefb1c9c1940272ac62346e4
Message-Authenticator = 0xe1b0cbd908bc1932ee01c1634efccc17
State = 0x5d58d3605d8bd76df879afd5c99b16ef
EAP-Id = 211
EAP-Code = Request
EAP-Type-MD5 = 0x10e04884bebefb1c9c1940272ac62346e4

+++> About to send encoded packet:
User-Name = "prieheck"
Cleartext-Password = "please"
NAS-IP-Address = 127.0.0.1
EAP-Code = Response
EAP-Id = 211
Message-Authenticator = 0x
NAS-Port = 0
EAP-Type-MD5 = 0x105df5963fda67a6941067d7019e8bbe14
State = 0x5d58d3605d8bd76df879afd5c99b16ef
<+++ EAP decoded packet:
EAP-Message = 0x03d30004
Message-Authenticator = 0xd8d24fc4a6faa627be412bfc40169290
User-Name = "prieheck"
EAP-Id = 211
EAP-Code = Success

   Total approved auths:  1
 Total denied auths:  1

So it looks to me like the eap bit is all going good, but I am at a loss
(especially concerning the denied auth there...).

EAP/PEAP is working just fine so I think it may be my eap.conf file
related to ttls:

 eap.conf
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_file = ${certdir}/radius.key
certificate_file = ${certdir}/radius.crt
CA_file = ${cadir}/cacert.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
md5 {
}
}

This is a bit of the debug output from free radius

++[pap] returns ok
Login OK: [prieheck] (from client AP1200 port 0 via TLS tunnel)
} # server inner-tunnel
  TTLS: Got tunneled reply RADIUS code 2
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [prieheck] (from client AP1200 port 385 cli 0106.cfa9.d2eb)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 222 to 10.4.6.7 port 1645
MS-MPPE-Recv-Key = 0x9a15665cdb643dd496bc1bf028a244b31833e89886d373d74f7864714839c048
MS-MPPE-Send-Key = 0x92acfe330cfa9a94b9fc61226a1c438c2572287a8aac94c71ed2e0828050f174
EAP-Message = 0x03060004
Message-Authenticator = 0x
User-Name = "prieheck"
Finished request 4.
Going to the next request
Waking up in 4.0 seconds.
Cleaning up request 0 ID 218 with timestamp +19
Waking up in 0.3 seconds.
Cleaning up request 1 ID 219 with timestamp +20
Cleaning up request 2 ID 220 with timestamp +20
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 10.4.6.7 port 1645, id=223, length=142
User-Name = "prieheck"
Framed-MTU = 1400
Called-Station-Id = "000f.f7d4.d460"
Calling-Station-Id = "0106.cfa9.d2eb"
Service-Type = Login-User


Currently using FreeRadius 2.0.5 on 32-bit Ubuntu, built by me.

I would happily share any of my other config lines, but don't know what
you would want to see and don't want to flood you with too much data

Pat


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Redundant waits for minutes to failover

2008-08-14 Thread Alan DeKok
Stefan A. wrote:
> So, I'd say no DNS at all...
> And it worked immediately after starting the mysql server
> 
> Anything else to check?

  No idea.  FreeRADIUS has *no* minute-long waits coded into it.  It's
dependent on the host OS.

  So the problem is either DNS, or the MySQL client library is waiting
minutes to notice that the MySQL server is down.

  Alan DeKok.


wpa configuration

2008-08-14 Thread Ahmet DÜLGAR

Hi everyone, I am new at freeradius. I want to test the configuration I wrote
from the document, using the radtest program, but I can't run it; I don't know
where to write this command. I use opensuse 11 and freeradius 2.0.5; I
installed it by yast, so when I write the command radtest xxx xxx xxx, linux
says unknown command. What should I do? I couldn't find where radtest is
located. Thanks for replying.


Re: Trivial patch for rlm_acctlog in 2.0.5

2008-08-14 Thread Kostas Zorbadelos
On Wednesday 13 August 2008 12:24:44 Alan DeKok wrote:
> Kostas Zorbadelos wrote:
> > As we are preparing for migration to 2.X version in some of our
> > production systems, I took a closer look at the sources and found the
> > rlm_acctlog module that allows for the logging of various types of
> > accounting messages in the radius logs. Moreover I saw that syslog
> > support in 2.X is vastly improved over 1.X series.
>
>   See also rlm_linelog in the current source (git.freeradius.org), and
> raddb/modules/linelog.  It is a fully configurable module that logs one
> line of text to a file, based on dynamically expanded keys.
>

I will give a look at it. Seems like a nice generalization of rlm_acctlog -:)

> > My minor request is, could you include the following patch in later
> > releases (so as to not maintain it internally)?
>
>   Done.
>

Thanks

>   Alan DeKok.

Kostas Zorbadelos



Re: Post-proxy Perl script availability

2008-08-14 Thread Julien Leloup

Ok, here it goes. The Perl script and SQL schema are in attachment.

Best regards,

Julien Leloup


Alan DeKok wrote:

> Julien Leloup wrote:
>
>> My question is, do I have to make this script (and SQL schema I suppose)
>> available in the FreeRadius CVS ? I'm not sure it's the kind of script
>> useful for a large panel of FreeRadius users, but if I have to make it
>> available (maybe to respect GPLv2 or if someone is interested by this
>> script) it's not a problem.
>
>   Post it to the list.  Or if it's large, as a new feature request to
> bugs.freeradius.org.
>
>   Alan DeKok.


#!/usr/bin/perl

use strict;
use DBI;

# This is very important! Without this the script will not get the filled
# hashes from main.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK %RAD_REQUEST_PROXY
            %RAD_REQUEST_PROXY_REPLY);
use Data::Dumper;

# Possible return codes (standard FreeRadius codes)
use constant RLM_MODULE_REJECT   => 0;  # /* immediately reject the request */
use constant RLM_MODULE_FAIL     => 1;  # /* module failed, don't reply */
use constant RLM_MODULE_OK       => 2;  # /* the module is OK, continue */
use constant RLM_MODULE_HANDLED  => 3;  # /* the module handled the request, so stop. */
use constant RLM_MODULE_INVALID  => 4;  # /* the module considers the request invalid. */
use constant RLM_MODULE_USERLOCK => 5;  # /* reject the request (user is locked out) */
use constant RLM_MODULE_NOTFOUND => 6;  # /* user not found */
use constant RLM_MODULE_NOOP     => 7;  # /* module succeeded without doing anything */
use constant RLM_MODULE_UPDATED  => 8;  # /* OK (pairs modified) */
use constant RLM_MODULE_NUMCODES => 9;  # /* How many return codes there are */

# Function called in the post-proxy phase
sub post_proxy {

    # List of the attributes present in the Post-Proxy phase: debugging only
    # &log_attributes;

    # Retrieve the Redback QoS attributes coming from the remote Radius server
    my $class = $RAD_REQUEST_PROXY_REPLY{'Class'};

    if( !$class ) {

        &radiusd::radlog(4, "Attribut Class absent : utilisation du profil de QoS par défaut");

        # The value of the Class attribute was not found in the remote
        # Radius server's reply.
        # Fall back to a default QoS profile
        $class = "default_class";

        # return RLM_MODULE_REJECT;
    }

    # Retrieve the Circuit-Id
    my $circuit = $RAD_REQUEST{'ADSL-Agent-Circuit-Id'};

    if( !$circuit ) {

        &radiusd::radlog(4, "Attribut Circuit Id absent");
        # The value of the Circuit Id attribute was not found in the
        # original request.
        return RLM_MODULE_REJECT;
    }

    my $dbp = DBI->connect("dbi:mysql:database=radius;host=127.0.0.1","radius","radius")
        or die "Connection au serveur MySQL impossible!";

    # SQL query matching the Alcatel-Lucent and Redback QoS attributes
    # The '?' placeholders are replaced at execution time with the real values
    # (protection against SQL injection)
    my $requete = "SELECT SLA_Profile, Sub_Profile, COUNT(*)
                   FROM qos
                   WHERE class=?
                   GROUP BY SLA_Profile, Sub_Profile;";

    # Prepare the SQL query
    my $result = $dbp->prepare($requete);

    # Execute the SQL query
    $result->execute($class) || die "Probleme de mapping QoS : $DBI::errstr";

    # Fetch the query results
    # Caution: the query may return more than one row
    my ($sla, $sub, $count) = $result->fetchrow_array;

    if(!defined($count)) {

        &radiusd::radlog(4, "Erreur lors du mapping attributs de QoS : aucune correspondance, utilisation d'un profil par défaut");
        # The query returned no row: use a default QoS profile

        $sla = "9c_3P_sla";
        $sub = "9c_3P_sub";
        # return RLM_MODULE_REJECT;
    }
    elsif($count > 1) {

        &radiusd::radlog(4, "Plusieurs profils QoS trouvés : $count profils pour la classe $class. Utilisation du profil par défaut.");
        # The query returned more than one row: fall back to the default profile

        $sla = "9c_3P_sla";
        $sub = "9c_3P_sub";
        # return RLM_MODULE_REJECT;
    }
    elsif( $sub eq '' ) {

        &radiusd::radlog(4, "Attribut Sub-Profile absent de la base. Utilisation du profil par défaut.");
        # The Sub-Profile attribute value was not filled in correctly: default profile

        $sla = "9c_3P_sla";
        $sub = "9c_3P_sub";
        # return R
    }
    # The remainder of the script as posted is cut off here in the archive.
}

Re: Post-proxy Perl script availability

2008-08-14 Thread Alan DeKok
Julien Leloup wrote:
> My question is, do I have to make this script (and SQL schema I suppose)
> available in the FreeRadius CVS ? I'm not sure it's the kind of script
> useful for a large panel of FreeRadius users, but if I have to make it
> available (maybe to respect GPLv2 or if someone is interested by this
> script) it's not a problem.

  Post it to the list.  Or if it's large, as a new feature request to
bugs.freeradius.org.

  Alan DeKok.


Re: FreeRadius, MySQL, MAC Authentication w/ Dynamic VLAN

2008-08-14 Thread Alan DeKok
James Taylor wrote:
> I am currently tasked with a new project where I have been asked to move
> our currently working ‘users’ file into a manageable MySQL DB (we have
> over 500 user entries so it’s understandable). Below you will find a
> currently working entry from the ‘users’ file.
>
> /Mac-addresss/ Auth-Type := local, User-Password == "/password/"

  Don't set Auth-Type.  Use:

Mac-address Cleartext-Password := "password"

> Calling-Station-ID == "/mac-address/",

  You should use '=', not '==' here.

> As you can tell this is a wireless user and of course I have the
> dictionary attributes added (like I said it is currently a working users
> file) but my question is how to take this information and add it to the
> MySQL radius.radcheck database?  From what I am seeing the ID is a
> primary key and must be unique and there is only one attribute field.  I
> may be asking this incorrectly but, does the DB read the rows starting
> with the ID 1 being the first user and continue down until the next user
> entry and return all the rows into Radius for authentication?  

  It looks for matching entries.  See doc/rlm_sql.

  Alan DeKok.
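Added example for this thread (not code from the list or from FreeRADIUS): one users-file entry, written the way the reply above recommends (Cleartext-Password on the check line, the Calling-Station-Id match as a check item), parsed and loaded into rlm_sql-style radcheck/radreply rows, then looked up by username the way rlm_sql does. The entry, the placeholder MAC address and the sqlite subset of the rlm_sql schema are constructed for the example.

```python
"""Migrate one FreeRADIUS 'users' file entry into rlm_sql's radcheck/radreply rows.

Added example, not FreeRADIUS code. The first line of a users-file entry
carries check items, the indented continuation lines carry reply items;
rlm_sql keeps the same pairs in radcheck and radreply (plus radusergroup and
radgroupreply for per-group items) and selects the rows whose username matches.
"""
import re
import sqlite3

# Constructed sample entry (placeholder MAC); check items first, reply items below.
SAMPLE_ENTRY = '''\
001122334455 Cleartext-Password := "001122334455", Calling-Station-Id == "00-11-22-33-44-55"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 10
'''

# attribute, operator, then a double-quoted value or a bare value without commas/spaces
_PAIR = re.compile(r'([\w-]+)\s*(:=|==|!=|\+=|=)\s*(?:"([^"]*)"|([^,\s]+))')

def _pairs(text):
    """Return [(attribute, op, value), ...] for one line of attribute pairs."""
    return [(m.group(1), m.group(2), m.group(3) if m.group(3) is not None else m.group(4))
            for m in _PAIR.finditer(text)]

def parse_users_entry(entry):
    """Split one users-file entry into (username, check_items, reply_items)."""
    lines = [l for l in entry.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    username, check_text = lines[0].split(None, 1)
    reply = [pair for line in lines[1:] for pair in _pairs(line)]
    return username, _pairs(check_text), reply

# Constructed subset of the rlm_sql default schema (id, username, attribute, op, value).
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
"""

def load_entry(conn, entry):
    """Insert the parsed entry with bound parameters (no string-built SQL); return the username."""
    username, check, reply = parse_users_entry(entry)
    insert = "INSERT INTO {} (username, attribute, op, value) VALUES (?, ?, ?, ?)"
    conn.executemany(insert.format("radcheck"), [(username, a, op, v) for a, op, v in check])
    conn.executemany(insert.format("radreply"), [(username, a, op, v) for a, op, v in reply])
    return username

def authorize(conn, username):
    """What rlm_sql's check/reply lookup amounts to: fetch the rows matching the username."""
    query = "SELECT attribute, op, value FROM {} WHERE username = ? ORDER BY id"
    check = conn.execute(query.format("radcheck"), (username,)).fetchall()
    reply = conn.execute(query.format("radreply"), (username,)).fetchall()
    return check, reply

def demo():
    """Load the sample entry into an in-memory database and look it up again."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return authorize(conn, load_entry(conn, SAMPLE_ENTRY))

if __name__ == "__main__":
    for table, rows in zip(("radcheck", "radreply"), demo()):
        for attribute, op, value in rows:
            print(f"{table}: {attribute} {op} {value}")
```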

RE: FreeRadius, MySQL, MAC Authentication w/ Dynamic VLAN

2008-08-14 Thread James Taylor
Yes, I think I figured it out I just wanted to know if anyone else has run 
into any crazy issues doing this and if there were any snags I may be aware of. 
 I attached an example of my theoretical database that I will be implementing 
in the morning.  We'll see!  Thank you for the quick reply... if anyone else 
has a comment please feel free to let me know!


###
##Wired Connections##
###

#RADIUS Table: radcheck
ID  UserName  GroupName
1   macaddr   VLAN10

#RADIUS Table: radcheck
ID  UserName  Attribute      Value    Op
1   macaddr   User-Password  macaddr  ==

#RADIUS Table: radreply
ID  UserName  Attribute           Value            Op
1   macaddr   Calling-Station-ID  macaddr-from-sw  ==

###RADIUS Table: radgroupreply#
ID  GroupName  Attribute                Value     Op
1   VLAN10     Tunnel-Type              VLAN      =
2   VLAN10     Tunnel-Medium-Type       IEEE-802  =
3   VLAN10     Tunnel-Private-Group-ID  10        =

###
##Wireless Connections
###

#RADIUS Table: radcheck
ID  UserName  GroupName
1   macaddr   VLAN11

#RADIUS Table: radcheck
ID  UserName  Attribute      Value         Op
1   macaddr   User-Password  nas-password  ==

#RADIUS Table: radreply
ID  UserName  Attribute           Value            Op
1   macaddr   Calling-Station-ID  macaddr-from-sw  ==

###RADIUS Table: radgroupreply#
ID  GroupName  Attribute                 Value                  Op
1   VLAN11     Airespace-Wlan-Id         wlan-id-on-controller  =
2   VLAN11     Airespace-Interface-Name  wlan-interface-name    =
3   VLAN11     Tunnel-Type               VLAN                   =
4   VLAN11     Tunnel-Medium-Type        IEEE-802               =
5   VLAN11     Tunnel-Private-Group-ID   11                     =

James Taylor
FCIP Networks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marinko Tarlac
Sent: Thursday, August 14, 2008 12:48 AM
To: FreeRadius users mailing list
Subject: Re: FreeRadius, MySQL, MAC Authentication w/ Dynamic VLAN

http://wiki.freeradius.org/SQL_HOWTO
On Thu, Aug 14, 2008 at 9:42 AM, James Taylor <[EMAIL PROTECTED]> wrote:

Hello everyone!



I am currently tasked with a new project where I have been asked to move our 
currently working 'users' file into a manageable MySQL DB (we have over 500 
user entries so it's understandable). Below you will find a currently working 
entry from the 'users' file.



Mac-addresss Auth-Type := local, User-Password == "password"

Calling-Station-ID == "mac-address",

Airespace-Wlan-Id = 5,

Airespace-Interface-Name = Wireless WLAN Name,

Tunnel-Type = VLAN,

Tunnel-Medium-Type = IEEE:802,

Tunnel-Private-Group-ID = VLAN-ID



As you can tell this is a wireless user and of course I have the dictionary 
attributes added (like I said it is currently a working users file) but my 
question is how to take this information and add it to the MySQL 
radius.radcheck database?  From what I am seeing the ID is a primary key and 
must be unique and there is only one attribute field.  I may 

Post-proxy Perl script availability

2008-08-14 Thread Julien Leloup

Hello,

I developed a little script in Perl working with FreeRadius v2.x, 
called in post-proxy section to implement QoS Radius attributes 
translation from "Class" attribute to Alcatel-Lucent QoS attribute "SLA 
Profile" and "SUB Profile". It's using a database to get a mapping 
between these attributes and replace them before sending the response to 
the client.


My question is, do I have to make this script (and SQL schema I suppose) 
available in the FreeRadius CVS ? I'm not sure it's the kind of script 
useful for a large panel of FreeRadius users, but if I have to make it 
available (maybe to respect GPLv2 or if someone is interested by this 
script) it's not a problem.


Best regards,

Julien Leloup
Axione
132, boulevard Camélinat
92240 Malakoff, France


Re: FreeRadius, MySQL, MAC Authentication w/ Dynamic VLAN

2008-08-14 Thread Marinko Tarlac
http://wiki.freeradius.org/SQL_HOWTO

On Thu, Aug 14, 2008 at 9:42 AM, James Taylor <[EMAIL PROTECTED]> wrote:

>  Hello everyone!
>
>
>
> I am currently tasked with a new project where I have been asked to move
> our currently working 'users' file into a manageable MySQL DB (we have over
> 500 user entries so it's understandable). Below you will find a currently
> working entry from the 'users' file.
>
>
>
> *Mac-addresss* Auth-Type := local, User-Password == "*password*"
>
> Calling-Station-ID == "*mac-address*",
>
> Airespace-Wlan-Id = 5,
>
> Airespace-Interface-Name = *Wireless WLAN Name*,
>
> Tunnel-Type = VLAN,
>
> Tunnel-Medium-Type = IEEE:802,
>
> Tunnel-Private-Group-ID = *VLAN-ID*
>
>
>
> As you can tell this is a wireless user and of course I have the dictionary
> attributes added (like I said it is currently a working users file) but my
> question is how to take this information and add it to the MySQL
> radius.radcheck database?  From what I am seeing the ID is a primary key and
> must be unique and there is only one attribute field.  I may be asking this
> incorrectly but, does the DB read the rows starting with the ID 1 being the
> first user and continue down until the next user entry and return all the
> rows into Radius for authentication?
>
>
>
> If you have any possible pointers it would be greatly appreciated!   Thank
> you everyone!
>
>
>
> James Taylor
>
> FCIP Networks
>

FreeRadius, MySQL, MAC Authentication w/ Dynamic VLAN

2008-08-14 Thread James Taylor
Hello everyone!

I am currently tasked with a new project where I have been asked to move our 
currently working 'users' file into a manageable MySQL DB (we have over 500 
user entries so it's understandable). Below you will find a currently working 
entry from the 'users' file.

Mac-addresss Auth-Type := local, User-Password == "password"
Calling-Station-ID == "mac-address",
Airespace-Wlan-Id = 5,
Airespace-Interface-Name = Wireless WLAN Name,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE:802,
Tunnel-Private-Group-ID = VLAN-ID

As you can tell this is a wireless user and of course I have the dictionary 
attributes added (like I said it is currently a working users file) but my 
question is how to take this information and add it to the MySQL 
radius.radcheck database?  From what I am seeing the ID is a primary key and 
must be unique and there is only one attribute field.  I may be asking this 
incorrectly but, does the DB read the rows starting with the ID 1 being the 
first user and continue down until the next user entry and return all the rows 
into Radius for authentication?

If you have any possible pointers it would be greatly appreciated!   Thank you 
everyone!

James Taylor
FCIP Networks

Re: Freeradius in an AD environment on opensuse server

2008-08-14 Thread Roberto S. G.

>Can I set up freeradius to authenticate with ldaps and be secure?  The
>ldap would be Microsoft and is on my domain controller.   I have
>websites using the ldap process but OR do I have to do that samba
>thing?

It can be done more or less easily, depending on what type of 
authentication you are doing... If it's plain user/pwd, you can configure 
freeradius to use LDAP directly. That would be easier.
The servers would be your AD servers (you can use all of them if you 
have more than one); uncomment and configure the ldap parts in your FR conf.


In order to use ldaps, you just have to enable it on your AD servers if 
it isn't (just run a netstat looking for port 636 on your AD; if needed, 
check your Windows version on how to enable it), and if you want to check 
AD certificates from freeradius when making connections (it's a good 
idea), you'll have to import your AD's CA certificate into ./certs in your 
FR configuration.

It'd run smoothly.

bye


Re: 2.0.5 on Solaris with openssl 0.9.8h

2008-08-14 Thread Alan DeKok
Rafiqul Ahsan wrote:
> I tried to install the openssl from Sunware, but it installs at
> /usr/local/ssl directory. Somehow (could not figure out how) the
> freeradius build process linking with the Solaris prebuilt openssl
> library at /usr/sfw..

  Because that's what the linker on Solaris does.  Go read its
documentation to see how to configure it to do what you want.  This
isn't a FreeRADIUS question.

> I would like to change the linker configuration to prefer one version
> (0.9.8) over the other (0.9.7 is prebuilt, comes with Solaris)... also to
> include references to prefer one over the other... But I don't know where
> to change. I looked at Configure, Makefile but cannot seem to find
> where it was configured. Can you please help ?

  Maybe the Solaris linker documentation will help?

  Heck, if you're building as root, just do "chmod a-rwx /usr/sfw",
build FreeRADIUS, and then do "chmod a+rx /usr/sfw".  That should solve
it.  i.e. This is pretty much a Unix 101 question...

  Alan DeKok.


Re: Freeradius in an AD environment on opensuse server

2008-08-14 Thread Alan DeKok
Murray, Elizabeth [DNR] wrote:
> I’ve been struggling with this for months.

  That's always a bad sign.  If something goes wrong... ask.

>  I found a doc HOW TO on the
> opensuse website.  It says I have to use Samba in order to have the
> users authenticate.  For some reason every time I get that thing
> configured, it works for a few days then…it’s gone. 

  Computers aren't magic.  If data disappears, it's because something is
making it disappear.

> Can I set up freeradius to authenticate with ldaps and be secure?

  No.  Active Directory pretends to be an LDAP server.  But it doesn't
supply clear-text passwords when LDAP clients ask for them.  So... the
only way for FreeRADIUS to authenticate against AD is via Samba.

> I would really be grateful for any help you could give me.  I now have
> the radius server back to its original configuration….clean.  So I’m
> ready to do your bidding.

  See my web site for configuring FreeRADIUS && AD.

http://deployingradius.com/documents/configuration/active_directory.html

  Alan DeKok.

Re: proxy over encrypted stream

2008-08-14 Thread Alan DeKok
Alexandre Chapellon wrote:
> Hello, I'm  not very familiar with radius, and i have a lot of questions.
> For example:
> Is it possible to proxy auth and acct request from one freeradius to
> another over an encrypted network stream such as SSL or TLS?

  Not today.

  We're working on RadSec, which will allow this.

  Alan DeKok.


Re: invalid login attempts user lockout

2008-08-14 Thread Alan DeKok
Sudarshan Soma wrote:
> Thanks Alan.  I saw a reference for considering attribute
> PASSWORD-RETRY in freeradius to implement user lockout. So could you
> please let me know if there are any plans to include this in the
> upcoming releases.

  No.

  If you have an example that works, please submit it, and it will be
included.

  Alan DeKok.