Re: Question regarding nested WiMAX TLV formatting
Adrien Demarez wrote:
> I wish to deploy FreeRadius on a WiMAX setup, ...

Lots of people do this, I'm not sure why. :(

> INSERT INTO `radgroupreply` (`id`, `groupname`, `attribute`, `op`, `value`) VALUES
> (1, 'Gold', 'WiMAX-Packet-Flow-Descriptor-v2', ':=', '??')
> (2, 'Gold', 'WiMAX-PFDv2-Packet-Data-Flow-Id', ':=', '1') # inside the first one

Now. You just specify WiMAX-PFDv2-Packet-Data-Flow-Id, and the server will Do The Right Thing. The server *knows* that it's a TLV, and will pack the attributes appropriately.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius Client UDP port selection
On Fri, Feb 04, 2011 at 04:17:11AM -, vijay s sheelavantar wrote:
> Now the radius client UDP port is selected randomly, Is there a way by which I can mention the server to use particular UDP port as client port.

Are you talking about when freeradius is used as a proxy (and thus sending outbound RADIUS packets?) Or are you talking about radclient? Or something else?
Unable to authenticate in case of multilingual characters
Hi,

While I am doing testing of my RADIUS client with multilingual characters consists in the username to check my multilingual support module. At that time I am using *FREE RADIUS server*, I have attached all configuration files related to my setup with this mail.

*username:* ∞
*password:* gameover

I have sent the username after encoding username = ∞ that is 0xe2889e into UTF-8 that is 0xf8 0xb8 0xa2 0x9e to RADIUS server.

But I am not able to authenticate user with the *FREE RADIUS server*, who wants to login with the above credentials even though there is no problem in UTF-8 encoded characters.

So, can you please help me out to resolve this issue or pointing me out if I am going in some wrong way by looking into the config file attached. I have also attached the error log of the RADIUS server and wireshark output with this mail.

Regards,
Karnik jain

[root@localhost poc]# radiusd -X
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Dec 16 2010 at 18:51:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Re: Unable to authenticate in case of multilingual characters
karnik jain wrote:
> While I am doing testing of my RADIUS client with multilingual characters consists in the username to check my multilingual support module. At that time I am using *FREE RADIUS server*, I have attached all configuration files related to my setup with this mail.
...
> I have sent the username after encoding username = ∞ that is 0xe2889e into UTF-8 that is 0xf8 0xb8 0xa2 0x9e to RADIUS server.
>
> But I am not able to authenticate user with the *FREE RADIUS server*, who wants to login with the above credentials even though there is no problem in UTF-8 encoded characters.

It looks like the User-Name *isn't* UTF-8.

Alan DeKok.
Re: Unable to authenticate in case of multilingual characters
Hi Alan,

I have written multilingual character *∞* directly in RADIUS server's *users file* without encoding it into UTF-8.

Do I need to write Username in *user file of RADIUS server* after converting it into UTF-8 to make the *whole thing work*? If yes, then how can I write UTF-8 characters into *users file of RADIUS server*? Do I need to write directly the *HEX of encoded characters* or some other way into the *users file of RADIUS server as shown in attached users file of RADIUS server*?

I have double checked that the UTF-8 Encoder of mine is working fine. Multilingual character = ∞ (infinity symbol) is having equivalent form in HEX = *0xe2889e* and UTF-8 encoding of *0xe2889e* is = *0xf8 0xb8 0xa2 0x9e.*

*Can anyone please look into the above issue and guide me how can I configure the files of free RADIUS server to use USER-NAME field other than US-ASCII like Chinese etc.?*

*Regards,*
*Karnik jain*
Re: Unable to authenticate in case of multilingual characters
--On 04 February 2011 22:02 +0530 karnik jain karnik.j...@gmail.com wrote:
> Hi Alan,
>
> I have written multilingual character *∞* directly in RADIUS server's *users file* without encoding it into UTF-8.
>
> Do I need to write Username in *user file of RADIUS server* after converting it into UTF-8 to make the *whole thing work*? If yes, then how can I write UTF-8 characters into *users file of RADIUS server*? Do I need to write directly the *HEX of encoded characters* or some other way into the *users file of RADIUS server as shown in attached users file of RADIUS server*?
>
> I have double checked that the UTF-8 Encoder of mine is working fine. Multilingual character = ∞ (infinity symbol) is having equivalent form in HEX = *0xe2889e* and UTF-8 encoding of *0xe2889e* is = *0xf8 0xb8 0xa2 0x9e.*
>
> *Can anyone please look into the above issue and guide me how can I configure the files of free RADIUS server to use USER-NAME field other than US-ASCII like Chinese etc.?*
>
> *Regards,*
> *Karnik jain*

Hi Karnik,

If you put UTF in the users file and UTF in the User-Name in the radius request it will work. For example:

users:
現年快樂 Auth-Type := Accept

...and then testing it:

echo 'User-Name = 現年快樂' | radclient -x 137.222.253.91:16010 auth SECRET
Sending Access-Request of id 161 to 137.222.253.91 port 16010
        User-Name = 現年快樂
rad_recv: Access-Accept packet from host 137.222.253.91 port 16010, id=161, length=20

Regards,
James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
--
Proxy Maintenance Process
Hi All,

Currently we are using freeradiusd to proxy / load balance requests to our backend radius application. However as I'm sure many of you encounter there are times which require maintenance / upgrades of the backend servers, what is the best practice in regards to putting home_servers into maintenance so that freeradiusd doesn't attempt to send traffic to them?

I'm not sure if there is a simple command we can run? Or is the only option to comment out the home_server from the home_server_pool and then kill -1 to the radiusd process?

Brian Carpio
Re: Proxy Maintenance Process
Brian Carpio wrote:
> Currently we are using freeradiusd to proxy / load balance requests to our backend radius application. However as I’m sure many of you encounter there are times which require maintenance / upgrades of the backend servers, what is the “best practice” in regards to putting home_servers into maintenance so that freeradiusd doesn’t attempt to send traffic to them?

Use radmin

radmin set home server state IP PORT dead

> I’m not sure if there is a simple command we can run? Or is the only option to comment out the home_server from the home_server_pool and then kill -1 to the radiusd process?

Nope. Mark it dead. When it comes back up, the server will figure that out (if Status-Server is enabled)

Alan DeKok.
RE: Proxy Maintenance Process
Part of the problem is that during an upgrade our radius application still listens on port 1813 and 1812 and replies to the keepalives (working with development to resolve that since I think that is a problem) so in the mean time I'd like to be able to mark an upgrading server dead then decide when it should be marked alive.

Thanks for the quick reply!

Brian
Re: Unable to authenticate in case of multilingual characters
Hello Sir,

But the issue is you have written the Chinese character directly in place of user name rather than writing its equivalent UTF-8 into users file as said by you.

users:
現年快樂 Auth-Type := Accept

My doubt is how can I write UTF-8 encoded (may be HEX form) in users file.

Because I have done the same in place of Chinese I have written the hex equivalent of ∞ infinity symbol which is also a multilingual character in place of username and sent the request containing hex equivalent of UTF-8 of ∞ infinity symbol.

Kindly correct me if I am wrong.

-Karnik jain
Re: Proxy Maintenance Process
Brian Carpio bcar...@broadhop.com wrote:
> Currently we are using freeradiusd to proxy / load balance requests to our backend radius application. However as I'm sure many of you encounter there are times which require maintenance / upgrades of the backend servers, what is the best practice in regards to putting home_servers into maintenance so that freeradiusd doesn't attempt to send traffic to them?
>
> I'm not sure if there is a simple command we can run? Or is the only option to comment out the home_server from the home_server_pool and then kill -1 to the radiusd process?

You might want to consider an alternative deployment, we use anycasting and found it very reliable and far easier to maintain:

http://www.digriz.org.uk/ha-ospf-anycast

Make sure there are at least two L3 hops between RADIUS servers.

Cheers

--
Alexander Clouter
.sigmonster says: Do not believe in miracles -- rely on them.
Re: Unable to authenticate in case of multilingual characters
On 02/04/2011 02:01 PM, karnik jain wrote:
> Hello Sir,
>
> But the issue is you have written the Chinese character directly in place of user name rather than writing its equivalent UTF-8 into users file as said by you.

No, it was utf-8, but was rendered as a Chinese glyph.

> users:
> 現年快樂 Auth-Type := Accept
>
> My doubt is how can I write UTF-8 encoded (may be HEX form) in users file.

By using an editor that supports utf-8

You keep asking internationalization questions on this list and people by their graciousness answer you. But as far as I can tell you haven't made any effort to understand how internationalization works. Until you understand it you're going to keep beating your head against a wall, plus it's not our responsibility to teach you this material, it's your job to learn it.

> and UTF-8 encoding of *0xe2889e* is = *0xf8 0xb8 0xa2 0x9e.*

Wrong. The utf-8 encoding of infinity is the 3 octet sequence: 0xE2 0x88 0x9E

Hint, you can't just type the above into a file

--
John Dennis jden...@redhat.com

Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: Unable to authenticate in case of multilingual characters
karnik jain wrote:
> But the issue is you have written the Chinese character directly in place of user name rather than writing its equivalent UTF-8 into users file as said by you.

Uh... nonsense. You can't write chinese characters in ASCII. You need to write them in another encoding, such as UTF-8.

> users:
> 現年快樂 Auth-Type := Accept
>
> My doubt is how can I write UTF-8 encoded (may be HEX form) in users file.

You keep saying hex form. I have no idea what that means, and I suspect, neither do you.

> Because I have done the same in place of Chinese I have written the hex equivalent of ∞ infinity symbol which is also a multilingual character in place of username and sent the request containing hex equivalent of UTF-8 of ∞ infinity symbol.

No. You write the UTF-8 characters, and it will work. Your insistence on using some non-existent hex equivalent is why it doesn't work.

Alan DeKok.
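
Added example, not part of any message in this thread: the octet values discussed above, checked in Python. It shows that ∞ is code point U+221E with UTF-8 encoding E2 88 9E, that the octets F8 B8 A2 9E are rejected by a strict UTF-8 decoder, and how the name is carried in a RADIUS User-Name attribute. The helper names are this example's own, and the exact-octet comparison in `same_user` is an assumption about how a users-file entry is matched.

```python
# Added example: User-Name octets and UTF-8. Helper names are illustrative.
USER_NAME = 1        # RADIUS attribute type of User-Name (RFC 2865)
MAX_VALUE_LEN = 253  # the one-octet length field counts type + length + value

INFINITY = "\u221e"  # the infinity sign; its code point is U+221E


def utf8_octets(text):
    """UTF-8 encoding of text as a list of octet values."""
    return list(text.encode("utf-8"))


def is_scalar_value(n):
    """True if n can be a Unicode code point (surrogates excluded)."""
    return 0 <= n <= 0x10FFFF and not 0xD800 <= n <= 0xDFFF


def check_user_name(raw):
    """Strictly decode received User-Name octets; return (ok, detail)."""
    try:
        return True, raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        bad = raw[exc.start]
        return False, "octet 0x%02X at offset %d: %s" % (bad, exc.start, exc.reason)


def pack_user_name(name):
    """Encode name as a RADIUS User-Name attribute: type, length, value."""
    value = name.encode("utf-8")
    if not 1 <= len(value) <= MAX_VALUE_LEN:
        raise ValueError("User-Name value must be 1..253 octets")
    return bytes([USER_NAME, len(value) + 2]) + value


def users_line(name):
    """Octets of a users-file entry as a UTF-8 editor would save it."""
    return (name + "\tAuth-Type := Accept\n").encode("utf-8")


def same_user(raw, configured):
    """Assumption: request and entry match only on identical octets."""
    return raw == configured.encode("utf-8")


if __name__ == "__main__":
    # 0xE2889E is the encoded octet string, not a code point to encode again.
    print([hex(o) for o in utf8_octets(INFINITY)], is_scalar_value(0xE2889E))
    # The four octets quoted in the thread fail at the first octet.
    print(check_user_name(bytes([0xF8, 0xB8, 0xA2, 0x9E])))
    print(pack_user_name(INFINITY).hex(), users_line(INFINITY).hex())
    # Typing the hex digits as text yields valid UTF-8, but a different name.
    typed = b"0xE2 0x88 0x9E"
    print(check_user_name(typed), same_user(typed, INFINITY))
```
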
Re: Proxy Maintenance Process
On Fri, Feb 04, 2011 at 07:44:41PM +0100, Alan DeKok wrote:
> > what is the “best practice” in regards to putting home_servers into maintenance so that freeradiusd doesn’t attempt to send traffic to them?
>
> Use radmin
>
> radmin set home server state IP PORT dead

WARNING
This tool is experimental and should not be used in production environments.

(Just quoting the manpage... maybe it's more paranoid than necessary)
how to test authentication process using Access-Challenge response
Hi,

I'm currently playing around with freeradius to implement a two-way authentication using smsotp. Is there a way to test the whole authentication process, including access-challenge packets without using a real radius client device?

Many thanks and best regards,
Greg
Re: how to test authentication process using Access-Challenge response
You can use TinyRadius with JMeter to bulk load queries. There are a number of different radius client tools you can use.
Radius Groups / Profiles
I have installed freeradius with daloRadius. I have then created a group / profile to cut off after using a certain amount of data.

I have the following problem. It does not cut the user off when the limit was reached but it will reject the user when he/she tries to log in again. The DB only gets updated with the used octets once the users logs off.

How do I get the session to be terminated when the max octets is reached?

Thanks
Neill
Re: Proxy Maintenance Process
Brian Candler wrote:
> WARNING
> This tool is experimental and should not be used in production environments.
>
> (Just quoting the manpage... maybe it's more paranoid than necessary)

From an old version of the server. It no longer says that.

Alan DeKok.
Re: how to test authentication process using Access-Challenge response
Gregor Bruhin wrote:
> Is there a way to test the whole authentication process, including access-challenge packets without using a real radius client device?

Use radclient. You will likely need to hack the source.

Alan DeKok.