How to Change Source Port for

2010-11-12 Thread Stefan A.
I'm using copy-acct-to-home-server.

Freeradius sends any acct request using the source port of 1814
My client sent me a trace, where wireshark is claiming duplicate requests.
We have to handle 1000+ Requests per second.

Is it possible to change the source port settings to get a new source port
for every request?
Thanks.

Regards, Stefan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to Change Source Port for

2010-11-12 Thread Alan Buxey
Hi,

 Freeradius sends any acct request using the source port of 1814
 My client sent me a trace, where wireshark is claiming duplicate requests.
 We have to handle 1000+ Requests per second.
 
 Is it possible to change the source port settings to get a new source port
 for every request?

you aren't handling accounting quickly enough. fix/improve the database

(or switch to using offline accounting - e.g. the detail file method -
buffered-sql)

alan


Re: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-12 Thread Alan DeKok
Jevos, Peter wrote:
 Hi Alan, thanks, I've read it but it's too complicated and I'm
 missing more examples of configurations

  The raddb directory *does* come with examples.

 If anybody could help me with the syntax and code location for this issue:

  Sorry, but:

1) the unlang documentation contains a detailed description of the
   syntax

2) my previous message gave the *specific* location of where the logic
   should go.

  *PLEASE* read the existing documentation and messages on this list.
Failure to do so is a major reason for not solving issues.

 If requests come from NAS-IP-Address==1.1.1.1 and the
 %{mschap:NT-Domain}=vipdomainuser, check them against module
 ntlm_auth_vip (module is already working) and if they pass give them
 Cisco-Avpair += ipsec:addr-pool=vip_vpn_pool and other optional AVpairs.

  The unlang syntax is pretty much exactly that.  It's not that hard.

if ((NAS-IP-Address == 1.1.1.1) && ("%{mschap:NT-Domain}" == "vipdomainuser")) {
    update control {
        Auth-Type := ntlm_auth_vip
    }
    update reply {
        Cisco-AVPair += "ipsec:addr-pool=vip_vpn_pool"
    }
}

  Alan DeKok.

Radius Client password not accepted

2010-11-12 Thread Azam Zia

Hi,

I am using FreeRADIUS for communication between an Asterisk VoIP server and a
database. I have everything set up on the same machine, which has CentOS 5.4. My
problem is that when I send a request from client to server the radius password
is not accepted; also when I see the radius packets in wireshark I see that the
accountstatus type value is not correct. I have checked that the passwords at client
and server are the same. Please help, I have been trying to solve this issue for the
past 15 days.

Regards
Azam

Radreply Attributs full lists

2010-11-12 Thread morocon

Hi every one,

Could someone point me to the place where I could find the entire list of
available attributes that could be sent to a user via radreply (or
radgroupreply)?

I have been digging a while and only found WISPR-Bandwidth-Max-Down and
Framed things.

I'm pretty sure there is more than that.

regards 


Re: Radreply Attributs full lists

2010-11-12 Thread Alan DeKok
morocon wrote:
 Hi every one,

 Could someone point me to the place where I could find the entire list of
 available attributes that could be sent to a user via radreply (or
 radgroupreply)?

  See the dictionary files.  There are nearly 5K attributes defined.

  But most of those are irrelevant.  Instead, look at the documentation
for the NAS to see which attributes it understands.  *All* other
attributes will be ignored.

  Alan DeKok.


Re: Radius Client password not accepted

2010-11-12 Thread Alan DeKok
Azam Zia wrote:
 I am using FreeRADIUS for communication between an Asterisk VoIP server
 and a database. I have everything set up on the same machine, which has CentOS
 5.4. My problem is that when I send a request from client to server the
 radius password is not accepted,

  What does that mean?

 also when I see the radius packets in
 wireshark I see that the accountstatus type value is not correct.

  What does that mean?

 I have checked that the passwords at client and server are the same.

  Have you tried running the server in debugging mode, as suggested in
the FAQ, README, INSTALL, web page, man pages, and daily on this list?

 Please help, I have
 been trying to solve this issue for the past 15 days.

  Ask questions earlier.

  Alan DeKok.


Output from Exec-Program-Wait in users file

2010-11-12 Thread Craig Campbell
Hi,
I am migrating from an ancient radius install to FreeRADIUS Version 2.1.8.
The system uses a custom authentication binary which we access from the users 
file via,


DEFAULT NAS-IP-Address == 192.168.1.100, Auth-Type := Accept, Simultaneous-Use := 1
    Exec-Program-Wait = "/usr/local/sbin/auth -X -U -u 5882626 -- %{User-Name} %{User-Password} %{%{Called-Station-Id}:-Missing} %{%{NAS-IP-Address}:-Missing} %{%{Calling-Station-Id}:-Missing} %{%{NAS-Port-Type}:-Missing} %{Vendor-Specific}",
    Fall-Through = no

On the old version, the output from the EXEC was sent back in the Accept
packet.

Now it looks like the stdout from the Exec-Program-Wait is not being sent back
but is either dropped or misplaced.

  ++[sql] returns ok
  +- entering group post-auth {...}
  Exec-Program output: Framed-Compression=Van-Jacobsen-TCP-IP 
Framed-Routing=None Framed-MTU=1500 Framed-IP-Netmask=255.255.255.0 
Framed-Protocol=PPP Service-Type=Framed-User Idle-Timeout=1800 
Session-Timeout=86400 ERX-Virtual-Router=SOMEROUTER 
ERX-Ingress-Policy-Name=COMFORT_UP ERX-Egress-Policy-Name=COMFORT_DOWN
  Exec-Program-Wait: plaintext: Framed-Compression=Van-Jacobsen-TCP-IP 
Framed-Routing=None Framed-MTU=1500 Framed-IP-Netmask=255.255.255.0 
Framed-Protocol=PPP Service-Type=Framed-User Idle-Timeout=1800 
Session-Timeout=86400 ERX-Virtual-Router=SOMEROUTER 
ERX-Ingress-Policy-Name=COMFORT_UP ERX-Egress-Policy-Name=COMFORT_DOWN
  Exec-Program: returned: 0
  ++[exec] returns noop
  Sending Access-Accept of id 248 to 192.168.1.100 port 5
  Finished request 0.
Is there a way to direct the output from the Exec-Program into the Accept
packet?

As far as we can tell, we are sending back an empty Accept packet.  The values
are calculated by the auth binary, so hard coding them would be very difficult.

It's after 1am here, so I hope this won't seem obvious in the morning.

Any hints would be greatly appreciated.

Thanks so much,
-craig




Craig Campbell 
craig.campb...@ccraft.ca 
CampbellCraft Consulting Inc
2 Kenny Court 
Whitby, Ontario 
Canada 
L1R 2L8 
905 922-2789 

 




Re: Logging ntlm authentication

2010-11-12 Thread schilling
Thanks.

Could you please share the perl scripts and the corresponding
configuration in radiusd.conf like authorize and post-auth section
related to these logs?

Schilling




On Wed, Nov 10, 2010 at 10:04 PM, Garber, Neal
neal.gar...@iberdrolausa.com wrote:
 Could you please summarize what you did to log the output from
 ntlm_auth and MS_CHAP-Error?

 Sure.  I should mention that other options are available now that didn't 
 exist when I created the solution below...

 I have a PERL script that runs during authorize that obtains user/group or 
 machine/container permissions for the NAS in question from XML files to 
 determine whether the entity is authorized and it creates a Log-Data reply 
 attribute containing all non-sensitive request attributes.  This is then 
 written to syslog during post-auth by another PERL script.

 Our help desk and others use a .Net application that I wrote to 
 display/filter the data from the current or past log files in a grid control. 
  The log contains specifics of the request, authorization and authentication 
 results/messages and reply attributes.

 Does that answer your question?



Re: Output from Exec-Program-Wait in users file

2010-11-12 Thread Craig Campbell
I think I found the issue.  One of the value pairs being returned used a name
not defined in the dictionary file.  The new name is similar, leading me to
suspect the old name was deprecated and eventually replaced with a clearer
name.

Thanks all!
-craig

RE: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-12 Thread Jevos, Peter

Thank you Phill, that's great help, but it still doesn't work as it
should.
Now I don't know how I should adjust the users file : )
I used
if ((NAS-IP-Address == 1.1.1.1) && ("%{mschap:NT-Domain}" == "vipdomainuser")) {
    update control {
        Auth-Type := ntlm_auth_vip
    }
    update reply {
        Cisco-AVPair += "ipsec:addr-pool=vip_vpn_pool"
    }
}

And in the user file is:
DEFAULT  Auth-Type := ntlm_auth_vpn_osw
    Service-Type = Framed-User,
    Framed-Protocol = PPP
With this it's working as it should, however if a request comes from a
different NT-Domain than vipdomainuser it's blocked (according to
ntlm_auth_vip), and it doesn't go to another DEFAULT rule where
everybody can pass.
I tried also the Fall-Through parameter, it didn't work as well.
I'm sorry that I'm bothering again (Alan tried to explain it to me many times),
but I was using MS IAS for many years, and my concepts come from this
system.

Thank you 



Re: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-12 Thread Alan DeKok
Jevos, Peter wrote:
 Thank you Phill, that's great help, but it still doesn't work as it
 should.
 Now I don't know how I should adjust the users file : )

  You don't.  The messages on this list should make it *very* clear that
 updating the authorize section is all that is necessary.

 With this it's working as it should, however if a request comes from a
 different NT-Domain than vipdomainuser it's blocked (according to
 ntlm_auth_vip), and it doesn't go to another DEFAULT rule where
 everybody can pass.

  So *think* a little bit.  You wrote two rules in an earlier email.
 One was translated for you into unlang.  It should be relatively easy
to translate the *second* one into unlang.

  As a hint, if you don't implement a rule for a different NT-Domain,
then the rules for that different NT-Domain won't be applied.  Because
they don't exist.

  Alan DeKok.
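The "second rule" Alan refers to, written out as a complete authorize fragment. This is an added example, not code from the thread or from the FreeRADIUS project: the first branch is Alan's rule from earlier in this thread, the else branch is Peter's DEFAULT users entry (ntlm_auth_vpn_osw, Service-Type, Framed-Protocol) rewritten in unlang so that users from any other NT domain are never sent to ntlm_auth_vip. Module names and the NAS address 1.1.1.1 come from the thread; that this lives in the authorize section of sites-enabled/default on a 2.x server is assumed.

```unlang
# raddb/sites-enabled/default, authorize section (FreeRADIUS 2.x assumed).
# The decision is keyed only on NAS-IP-Address and the NT domain carried in
# User-Name, because those are the only things the request contains.
authorize {
    # (other modules of the shipped section stay as they are)

    # Rule 1: VIP domain behind NAS 1.1.1.1 -> ntlm_auth_vip + VIP pool.
    if ((NAS-IP-Address == 1.1.1.1) && ("%{mschap:NT-Domain}" == "vipdomainuser")) {
        update control {
            Auth-Type := ntlm_auth_vip
        }
        update reply {
            Cisco-AVPair += "ipsec:addr-pool=vip_vpn_pool"
        }
    }
    else {
        # Rule 2 (Peter's DEFAULT users entry in unlang): everybody else is
        # checked against ntlm_auth_vpn_osw and gets the generic reply items.
        # Because Rule 1 did not match, ntlm_auth_vip is never consulted here.
        update control {
            Auth-Type := ntlm_auth_vpn_osw
        }
        update reply {
            Service-Type = Framed-User
            Framed-Protocol = PPP
        }
    }
}
```

With both branches in unlang the users file entry is no longer needed for this decision, which is why Alan says "you don't" adjust it.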


RE: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-12 Thread Jevos, Peter
  As a hint, if you don't implement a rule for a different NT-Domain,
then the rules for that different NT-Domain won't be applied.  Because
they don't exist.

  Alan DeKok.

Thank you Alan , it makes sense. But it doesn't solve my problem
In my cisco configuration there is a group:
crypto isakmp client configuration group vipgroup
 key 
 dns 1.1.11.10 1.1.11.11
 wins 1.1.11.12 1.1.11.13
 pool vpn-vipgroup

How could I ensure that this group with these parameters will be accessible only
for the users from the domain vipdomainusers (e.g. ntlm_auth_vipusers
authentication)?
The other groups configured on the same router will be accessible for any
domain users (but I cannot name hundreds of domains in the freeradius config).

The point is that the Cisco radius client doesn't send a group name (vipgroup) in the
request to the radius server.
OK, I can return Cisco AV pairs (pool, dns...) to the router, but still if any
domain user tries to connect to the group vipgroup, it receives the pool and
other parameters.
thanks, you're great that you can help us

pet

thanks

Re: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-12 Thread Alan DeKok
Jevos, Peter wrote:
 Thank you Alan , it makes sense. But it doesn't solve my problem

  (1) Edit your responses.  It shows consideration for other people

  (2) pick one problem at a time.  Changing the problem midway in a
conversation makes it look like you don't care about the solution to the
first problem.

 In my cisco configuration there is a group:
 crypto isakmp client configuration group vipgroup
  key 
  dns 1.1.11.10 1.1.11.11
  wins 1.1.11.12 1.1.11.13
  pool vpn-vipgroup
 
 How could I ensure that this group with these parameters will be
 accessible only for the users from the domain vipdomainusers (e.g.
 ntlm_auth_vipusers authentication)?

  Go back and read my messages again.  Is there anything in the RADIUS
packet which will distinguish the different groups?  If not, you're out
of luck.

 The other groups configured on the same router will be accessible for
 any domain users (but I cannot name hundreds of domains in the freeradius
 config).

 The point is that the Cisco radius client doesn't send a group name (vipgroup) in the
 request to the radius server.

  Go ask Cisco to fix their equipment.

  Alan DeKok.