Re: ntlm_auth not respected

2013-08-22 Thread Chris Parker
Sorry for the individual emails, but I got things working with MSCHAP (w/ 
ntlm_auth) and WPA-EAP.
My issue was that when I got the two winbind errors, I did some more searching 
and there's the potential that the freerad user did not have access to pipe 
named: /var/run/samba/winbindd
That pipe is owned as follows:

drwxr-x---  2 root winbindd_priv 60 Aug 22 11:15 winbindd_privileged/

That being the case, you need to add the user freerad to that group, so it can 
execute with the right privileges.

Sending Access-Request of id 52 to 127.0.0.1 port 1812
User-Name = "wyse1"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
MS-CHAP-Challenge = 0xf38d9f1a3dcb27e9
MS-CHAP-Response = 
0x0001941d3ff95601f8f335e7eff7c97e1abf28df15abd28b7fda
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=52, length=84
MS-CHAP-MPPE-Keys = 
0xd22b3a1df401aa61a721c8a31ba91082
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006

Now, is it safe to disable modules (by commenting them out of the sites-enabled 
files) that aren't related to the MSCHAP process? This is just in passing 
curiosity.


On Aug 22, 2013, at 10:14 AM, Chris Parker  wrote:

> Thank you for setting me on the right track; I have followed the directions 
> on http://deployingradius.com/documents/configuration/active_directory.html 
> (the bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as 
> per those directions.
> When I run the ntlm_auth command manually, it works fine / as does running 
> wbinfo -a
> 
> root@leopard:/etc/freeradius# wbinfo -a wyse1%K503D
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> 
> 
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 60046, id=111, 
> length=113
>   User-Name = "wyse1"
>   NAS-IP-Address = 127.0.1.1
>   NAS-Port = 1812
>   MS-CHAP-Challenge = 0xe07a375bed09f1f7
>   MS-CHAP-Response = 
> 0x0001065b157b183b4d29d455414b184c57af4912b1d74f4ed726
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "wyse1", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication 
> may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv1 with NT-Password
> [mschap]  expand: %{Stripped-User-Name} -> 
> [mschap]  ... expanding second conditional
> [mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" 
> for details
> [mschap]  expand: %{User-Name:-None} -> wyse1
> [mschap]  expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} 
> -> --username=wyse1
> [mschap]  mschap1: e0
> [mschap]  expand: --challenge=%{mschap:Challenge:-00} -> 
> --challenge=e07a375bed09f1f7
> [mschap]  expand: --nt-response=%{mschap:NT-Response:-00} -> 
> --nt-response=065b157b183b4d29d455414b184c57af4912b1d74f4ed726
> Exec-Program output: Reading winbind reply failed! (0xc001) 
> Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001) 
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] MS-CHAP-Response is incorrect.
> ++[mschap] returns reject
> Failed to authenticate the user.
> Login incorrect (mschap: External script says Reading winbind reply failed! 
> (0xc001)): [wyse1/] (from client localhost port 
> 1812)
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]   expand: %{User-Name} -> wyse1
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 111 to 127.0.0.1 port 60046
> Waking up in 4.9 seconds.

Re: ntlm_auth not respected

2013-08-22 Thread Chris Parker
Thank you for setting me on the right track; I have followed the directions on 
http://deployingradius.com/documents/configuration/active_directory.html (the 
bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as per 
those directions.
When I run the ntlm_auth command manually, it works fine / as does running 
wbinfo -a

root@leopard:/etc/freeradius# wbinfo -a wyse1%K503D
plaintext password authentication succeeded
challenge/response password authentication succeeded


Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 60046, id=111, 
length=113
User-Name = "wyse1"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
MS-CHAP-Challenge = 0xe07a375bed09f1f7
MS-CHAP-Response = 
0x0001065b157b183b4d29d455414b184c57af4912b1d74f4ed726
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "wyse1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap]expand: %{Stripped-User-Name} -> 
[mschap]... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details
[mschap]expand: %{User-Name:-None} -> wyse1
[mschap]expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} 
-> --username=wyse1
[mschap]  mschap1: e0
[mschap]expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=e07a375bed09f1f7
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} -> 
--nt-response=065b157b183b4d29d455414b184c57af4912b1d74f4ed726
Exec-Program output: Reading winbind reply failed! (0xc001) 
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001) 
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Reading winbind reply failed! 
(0xc001)): [wyse1/] (from client localhost port 
1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> wyse1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 111 to 127.0.0.1 port 60046
Waking up in 4.9 seconds.
Cleaning up request 0 ID 111 with timestamp +15
Ready to process requests.

On Aug 22, 2013, at 5:50 AM, Phil Mayers  wrote:

> On 21/08/13 23:44, Chris Parker wrote:
>> Okay, pardon my confusion then. I had been following a howto online
>> and it reported that the command when run manually will produce the
>> key.
>> 
>> Either way, I'm still having a failure in MSCHAP with radtest that
>> I'm not quite grasping.
> 
> Well, as I explained in my other email, mschap == challenge/response, 
> "modules/ntlm_auth" != challenge/response.
> 
> To reiterate, "modules/ntlm_auth" is almost certainly not what you want, and 
> is not intended to be used as-is. I would unconfigure it and concentrate on 
> getting "modules/mschap" working.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: ntlm_auth not respected

2013-08-21 Thread Chris Parker
Okay, pardon my confusion then. I had been following a howto online and it 
reported that the command when run manually will produce the key.

Either way, I'm still having a failure in MSCHAP with radtest that I'm not 
quite grasping.



On Aug 21, 2013, at 17:49, Phil Mayers  wrote:

> On 21/08/2013 19:28, Chris Parker wrote:
> 
>> So I doubt this issue is with FR, but more of that Samba is being
>> cranky. I can never get ntlm_auth to give me that NT key, which I
>> feel if I could resolve that, I could continue with FR.
> 
> No. NT_KEY is only generated by mschap, not by username/password auth. See my 
> other email.


Re: ntlm_auth not respected

2013-08-21 Thread Chris Parker
When I poke around and try to deconstruct the issue, I find that ntlm_auth, when 
run manually to retrieve the NT key, does not do anything. It just says 
NT_STATUS_OK: Success (0x0)
If I run the --diagnostics flag this is what I get...
root@leopard:/etc/freeradius# ntlm_auth --domain=WONKY --username=wyse1 
--diagnostics
password: 
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)

So I doubt this issue is with FR, but more of that Samba is being cranky. I can 
never get ntlm_auth to give me that NT key, which I feel if I could resolve 
that, I could continue with FR.


On Aug 21, 2013, at 8:55 AM, Chris Parker  wrote:

> Thank you Phil!
> That resolved my first steps, and I figured there was something like that. I 
> have pored over deployingfreeradius.com, but for the life of me I could not 
> find anything of assistance for my set up.
> 
> I have enabled the ntlm_auth line in modules/mschap but no password is sent 
> to ntlm_auth to be checked.
> So the fact that it's failing makes sense, since there's no password being 
> read in and thus it fails authorize. So this is just escaping me on how to 
> get the password into ntlm_auth via MSCHAP.
> On top of that, when my access point succeeds against the users file, I 
> suspect it's doing EAP but the logs never say "I have detected EAP, setting 
> EAP"
> 
> rad_recv: Access-Request packet from host 127.0.0.1 port 60203, id=86, 
> length=113
>   User-Name = "wyse1"
>   NAS-IP-Address = 127.0.1.1
>   NAS-Port = 1812
>   MS-CHAP-Challenge = 0x9e2069a2b9faf93d
>   MS-CHAP-Response = 
> 0x0001b48195bef7a73a38839411904a51717092c530d4bef03520
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "wyse1", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [ntlm_auth]   expand: --username=%{mschap:User-Name} -> --username=wyse1
> [ntlm_auth]   expand: --password=%{User-Password} -> --password=
> Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a) 
> Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password 
> (0xc06a) 
> Exec-Program: returned: 1
> ++[ntlm_auth] returns reject
> Invalid user: [wyse1/] (from client localhost port 
> 1812)
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]   expand: %{User-Name} -> wyse1
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 86 to 127.0.0.1 port 60203
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 86 with timestamp +6
> Ready to process requests.
> 
> On Aug 21, 2013, at 3:25 AM, Phil Mayers  wrote:
> 
>> On 08/21/2013 05:11 AM, Chris Parker wrote:
>>> 
>>> Log output:
>>> rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, 
>>> length=57
>>> User-Name = "wyse1"
>>> User-Password = "K503D"
>>> NAS-IP-Address = 127.0.1.1
>>> NAS-Port = 1812
>>> # Executing section authorize from file 
>>> /etc/freeradius/sites-enabled/default
>>> +- entering group authorize {...}
>>> ++[preprocess] returns ok
>>> ++[chap] returns noop
>>> ++[mschap] returns noop
>>> ++[digest] returns noop
>>> [suffix] No '@' in User-Name = "wyse1", looking up realm NULL
>>> [suffix] No such realm "NULL"
>>> ++[suffix] returns noop
>>> [eap] No EAP-Message, not doing EAP
>>> ++[eap] returns noop
>>> ++[files] returns noop
>>> ++[expiration] returns noop
>>> ++[logintime] returns noop
>>> [ntlm_auth] expand: --username=%{mschap:User-Name} -> 
>>> --username=wyse1
>>> [ntlm_auth] expand: --password=%{User-Password} -> --password=K50

Re: ntlm_auth not respected

2013-08-21 Thread Chris Parker
Thank you Phil!
That resolved my first steps, and I figured there was something like that. I 
have pored over deployingfreeradius.com, but for the life of me I could not 
find anything of assistance for my set up.

I have enabled the ntlm_auth line in modules/mschap but no password is sent to 
ntlm_auth to be checked.
So the fact that it's failing makes sense, since there's no password being read 
in and thus it fails authorize. So this is just escaping me on how to get the 
password into ntlm_auth via MSCHAP.
On top of that, when my access point succeeds against the users file, I suspect 
it's doing EAP but the logs never say "I have detected EAP, setting EAP"

rad_recv: Access-Request packet from host 127.0.0.1 port 60203, id=86, 
length=113
User-Name = "wyse1"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
MS-CHAP-Challenge = 0x9e2069a2b9faf93d
MS-CHAP-Response = 
0x0001b48195bef7a73a38839411904a51717092c530d4bef03520
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "wyse1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=wyse1
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a) 
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password 
(0xc06a) 
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Invalid user: [wyse1/] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> wyse1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 86 to 127.0.0.1 port 60203
Waking up in 4.9 seconds.
Cleaning up request 0 ID 86 with timestamp +6
Ready to process requests.

On Aug 21, 2013, at 3:25 AM, Phil Mayers  wrote:

> On 08/21/2013 05:11 AM, Chris Parker wrote:
>> 
>> Log output:
>> rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, 
>> length=57
>>  User-Name = "wyse1"
>>  User-Password = "K503D"
>>  NAS-IP-Address = 127.0.1.1
>>  NAS-Port = 1812
>> # Executing section authorize from file /etc/freeradius/sites-enabled/default
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> ++[digest] returns noop
>> [suffix] No '@' in User-Name = "wyse1", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[files] returns noop
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> [ntlm_auth]  expand: --username=%{mschap:User-Name} -> --username=wyse1
>> [ntlm_auth]  expand: --password=%{User-Password} -> --password=K503D
>> Exec-Program output: NT_STATUS_OK: Success (0x0)
>> Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
>> Exec-Program: returned: 0
>> ++[ntlm_auth] returns ok
> 
> You're running ntlm_auth in the "authorize" section, and then:
> 
>> [pap] WARNING! No "known good" password found for the user.  Authentication 
>> may fail because of this.
>> ++[pap] returns noop
>> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting 
>> the user
> 
> ...nothing in the "authenticate" section.
> 
> You either want:
> 
> authorize {
>   ...
>   ntlm_auth
>   if (ok) {
>     update control {
>       Auth-Type := Accept
>     }
>   }
>   ...
> }
> 
> ...or:
> 
> authorize {
>   ...
>   # don't run ntlm_auth here, and right at the bottom
>   if (User-Password) {
>     # PAP request, tell ntlm_auth to run in authenticate
>     update control {
>       Auth-Type = ntlm_auth
>     }
>   }
> }
> authenticate {
>   Auth-Type ntlm_auth {
>     ntlm_auth
>   }
> }
> 
> HOWEVER - you should note that the (EX

ntlm_auth not respected

2013-08-20 Thread Chris Parker
It seems that I have ntlm_auth configured to talk to Samba correctly. As it 
positively works when run from the CLI and FR even shows a positive login, but 
that positive login never seems to be sent to the authentication stage.
More food for thought once I tackle this, is that when I try to link all this 
together with a Netgear WAP, plain-text users in the users file works perfectly 
fine.

Log output:
rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, 
length=57
User-Name = "wyse1"
User-Password = "K503D"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wyse1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=wyse1
[ntlm_auth] expand: --password=%{User-Password} -> --password=K503D
Exec-Program output: NT_STATUS_OK: Success (0x0) 
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) 
Exec-Program: returned: 0
++[ntlm_auth] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the 
user
Failed to authenticate the user.
Login incorrect: [wyse1/K503D] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> wyse1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 114 to 127.0.0.1 port 35826
Waking up in 4.9 seconds.
Cleaning up request 7 ID 114 with timestamp +843
Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
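
The three failure signatures that appear in the debug output in this thread, turned into a small triage helper, together with redaction of password material before a log is posted to a public list. This is an added example, not code from the posters or from the FreeRADIUS project; the sample logs, function names and finding labels are constructed for illustration.

```python
import re

# Constructed excerpts in the format of the debug output quoted in this thread.
# The user name, password and hex values are made up.
PAP_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, length=57
    User-Name = "alice"
    User-Password = "Example-Pw1"
[ntlm_auth] expand: --password=%{User-Password} -> --password=Example-Pw1
Exec-Program output: NT_STATUS_OK: Success (0x0)
++[ntlm_auth] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Login incorrect: [alice/Example-Pw1] (from client localhost port 1812)
"""

MSCHAP_EXEC_LOG = """\
    User-Name = "alice"
    MS-CHAP-Challenge = 0x0011223344556677
    MS-CHAP-Response = 0x000100112233445566778899aabbccddeeff00112233445566
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
++[ntlm_auth] returns reject
"""

WINBIND_LOG = """\
    MS-CHAP-Challenge = 0x0011223344556677
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=0011223344556677
Exec-Program output: Reading winbind reply failed! (0xc001)
[mschap] External script failed.
++[mschap] returns reject
"""

# Finding label -> what the thread says to do about it.
ADVICE = {
    "winbind-pipe": "ntlm_auth could not read winbindd's reply; check that the account "
                    "the server runs as (freerad here) is in the group that owns "
                    "winbindd_privileged (winbindd_priv here).",
    "plaintext-exec-on-mschap": "An MS-CHAP request carries no User-Password, so the "
                    "plaintext ntlm_auth exec receives an empty --password; configure "
                    "ntlm_auth in the mschap module instead.",
    "no-auth-type": "ntlm_auth returned ok in authorize but nothing set Auth-Type; set it "
                    "there, or run ntlm_auth from the authenticate section.",
}


def diagnose(log):
    """Return the finding labels whose signature appears in a debug log."""
    findings = []
    if "Reading winbind reply failed" in log:
        findings.append("winbind-pipe")
    empty_pw = re.search(r"--password=%\{User-Password\} -> --password=\s*$", log, re.M)
    if "MS-CHAP-Challenge" in log and empty_pw:
        findings.append("plaintext-exec-on-mschap")
    ran_ok = re.search(r"\+\+\[ntlm_auth\] returns ok", log)
    if ran_ok and "No authenticate method (Auth-Type) found" in log:
        findings.append("no-auth-type")
    return findings


# Debug output echoes the cleartext password in three places, and MS-CHAP
# challenge/response pairs can be guessed against offline, so mask both.
_SECRETS = [
    (re.compile(r'(User-Password\s*=\s*)"[^"]*"'), r'\1"<redacted>"'),
    (re.compile(r"(-> --password=)\S+"), r"\1<redacted>"),
    (re.compile(r"(Login incorrect[^\[]*\[[^/\]]*/)[^\]]*(\])"), r"\1<redacted>\2"),
    (re.compile(r"((?:MS-CHAP-Response|MS-CHAP-Challenge|--nt-response|--challenge)"
                r"\s*=\s*)(?:0x)?[0-9a-fA-F]+"), r"\1<redacted>"),
]


def redact(log):
    """Mask passwords and MS-CHAP exchange values; leave the rest of the log intact."""
    for pattern, replacement in _SECRETS:
        log = pattern.sub(replacement, log)
    return log


if __name__ == "__main__":
    samples = (("pap", PAP_LOG), ("mschap-exec", MSCHAP_EXEC_LOG), ("winbind", WINBIND_LOG))
    for name, log in samples:
        for finding in diagnose(log):
            print(name, finding, ADVICE[finding], sep=": ")
    print(redact(PAP_LOG))
```
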


Re: CVS down

2006-03-09 Thread Chris Parker
No, that's just CVSWEB, due to webbots that ignore 'robots.txt' and cane the
server recursing through 80+ simultaneous CVS diffs via CVSWEB.

Disabled the CGI while working out a way to better throttle its use.

CVS is unaffected.

-Chris

On Mar 9, 2006, at 3:47 PM, Thor Spruyt wrote:


http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be



--
Chris Parker
Director, Engineering
StarNet A Service of US LEC

(888)212-0099   Fax (847)963-1302
Wholesale Internet Services http://www.megapop.net
VoiceEclipse, The Fresh Alternative http://www.voiceeclipse.com

NOTICE: Message is sent IN CONFIDENCE to addressees. It may contain
information that is privileged, proprietary or confidential.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem compiling Freeradius + MySQL on Solaris 9

2006-03-09 Thread Chris Parker


On Mar 8, 2006, at 11:33 AM, Alan wrote:



> I uninstalled the sunfreeware package and installed the package directly
> from MySQL.com (mysql-standard-4.0.26-sun-solaris2.9-sparc-64bit.pkg). I
> receive one error in config.log. Am I missing something here?
>
> configure:988: gcc -o conftest -g -O2   conftest.c -L/usr/lib/mysql/
> -lmysqlclient_r -lpthread  1>&5
> ld: warning: file /usr/lib/mysql//libmysqlclient_r.a(libmysql.o): wrong ELF class: ELFCLASS64
> Undefined                       first referenced
>  symbol                             in file
> mysql_init                          /var/tmp//ccWfUfam.o

You're trying to build freeradius as a 32 bit program, and the MySQL libs are 64 bit.

You can't mix and match.

Either build FR as 64-bit, or use the 32-bit version of MySQL.

From the shell 'export CFLAGS=-m64' to set it to build in 64-bit mode.  You'll then see:


creating cache ./config.cache
checking for gcc... gcc
checking whether the C compiler (gcc -m64 ) works... yes
checking whether the C compiler (gcc -m64 ) is a cross-compiler... no


-Chris


Re: Problem compiling Freeradius + MySQL on Solaris 9

2006-03-08 Thread Chris Parker


On Mar 8, 2006, at 8:25 AM, Alan wrote:


> I've made symlinks like recommended in the mailing lists. I have also
> specified the lib, include and base MySQL directory when running the
> configure script. After running configure I always get the same output.
>
> Please help.
>
> --
> configure: warning: mysql libraries not found. Use
> --with-mysql-lib-dir=.
> configure: warning: sql submodule 'mysql' disabled

Are you setting the LD_LIBRARY_PATH env. variable?

Here's what I use:

export LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/ccs/lib:/usr/ucblib:/usr/local/lib/mysql


-Chris


Re: Error with free radius, as5800, and ascend data types

2005-11-23 Thread Chris Parker

Cisco has an option to accept the non-standard Ascend attributes ( note,
NOT the VSA's but the early Ascend attempt to use higher numbered standard
attributes ).

In regards to the original poster, does the filter value work if you use it in
a 'users' file syntax?

Also, what version of FreeRADIUS?

-Chris

On Nov 23, 2005, at 9:45 AM, Guy Davies wrote:

> Why would FreeRADIUS return Ascend VSAs to a Cisco AS5800?  I would only
> expect it to return values that are either RFC attributes or Cisco VSAs.
>
> Rgds,
>
> Guy




Re: not to return the default attributes in reject?

2005-09-08 Thread Chris Parker


On Sep 8, 2005, at 2:59 PM, kevin wrote:


> It didn't work.
>
> DEFAULT Auth-Type := Reject
>         Fall-Through = Yes
>
> DEFAULT Service-Type == Framed-User
>         Framed-IP-Netmask=255.255.255.255,
>         Service-Type = Framed-User,
>         Idle-Timeout=1800,
>         Session-Timeout=86000,
>
> Still return all attributes for the reject packet.


Because you've told it to fall through.

Change the 'Yes' to 'No' in your Reject profile.

-Chris


Re: More complex "or" logic within check-attribute processing

2005-02-01 Thread Chris Parker
On Feb 1, 2005, at 3:58 PM, [EMAIL PROTECTED] wrote:

> What is the best way to accomplish something like that:
> (I hope this pseudocode is understandable)
> If
>   Username == "bob"
>   and
>   Password == "test"
>   and
>   (
>    Calling-Station-Id == "123"
>    or
>    NAS-IP-Address == "1.2.3.4"
>    or
>    Another-Check-Attribute == "foo"
>   )
> Then
>    Reply-Value = foo
>    ...
> Else
>    Reject

4 Entries in the users file.

bob Password == "test", Calling-Station-Id == "123"
    Reply-Items = blah,
    ...,
    Fall-Through = no

bob Password == "test", NAS-IP-Address == "1.2.3.4"
    Reply-Items = blah,
    ...,
    Fall-Through = no

bob Password == "test", Another-Check-Attribute == "foo"
    Reply-Items = blah,
    ...,
    Fall-Through = no

DEFAULT Auth-Type := Reject

-Chris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
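
How top-down, first-match evaluation with Fall-Through plays out for the two answers above (the Reject profile that should say 'No' instead of 'Yes', and the one-entry-per-condition way of expressing OR). This is an added example using a simplified model of users-file matching, not the files module's own code; it handles only the `==`, `:=` and `=` operators, and the requests, the Reply-Message values and the use of User-Password in place of Password are assumptions.

```python
import re

# Constructed users-file text modelled on the two profiles discussed above.
REJECT_PROFILE = """\
DEFAULT Auth-Type := Reject
        Fall-Through = {fall}

DEFAULT Service-Type == Framed-User
        Framed-IP-Netmask = 255.255.255.255,
        Idle-Timeout = 1800,
        Session-Timeout = 86000
"""

OR_PROFILE = """\
bob     User-Password == "test", Calling-Station-Id == "123"
        Reply-Message = "matched on calling station",
        Fall-Through = No

bob     User-Password == "test", NAS-IP-Address == "1.2.3.4"
        Reply-Message = "matched on NAS address",
        Fall-Through = No

DEFAULT Auth-Type := Reject
"""

ITEM = re.compile(r'([\w-]+)\s*(==|:=|=)\s*"?([^",]*)"?')


def parse_items(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    items = []
    for part in filter(None, (p.strip() for p in text.split(","))):
        match = ITEM.fullmatch(part)
        if match is None:
            raise ValueError("cannot parse item: %r" % part)
        items.append((match.group(1), match.group(2), match.group(3).strip()))
    return items


def parse_users(text):
    """Column-0 lines start an entry (name + check items); indented lines are reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1]["reply"].extend(parse_items(line))
        else:
            parts = line.split(None, 1)
            checks = parts[1] if len(parts) > 1 else ""
            entries.append({"name": parts[0], "check": parse_items(checks), "reply": []})
    return entries


def evaluate(entries, request):
    """Walk the entries top down and return (control, reply) under this simplified model."""
    control, reply = {}, []
    for entry in entries:
        if entry["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        # '==' check items compare against the request; every one must match.
        if any(op == "==" and request.get(attr) != value
               for attr, op, value in entry["check"]):
            continue
        # ':=' and '=' check items are not comparisons: they set control attributes.
        for attr, op, value in entry["check"]:
            if op == ":=" or (op == "=" and attr not in control):
                control[attr] = value
        fall_through = False
        for attr, op, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply.append((attr, value))
        if not fall_through:
            break  # first match wins unless the entry asks to fall through
    return control, reply


if __name__ == "__main__":
    framed = {"User-Name": "kevin", "Service-Type": "Framed-User"}
    for fall in ("Yes", "No"):
        print(fall, evaluate(parse_users(REJECT_PROFILE.format(fall=fall)), framed))
    bob = {"User-Name": "bob", "User-Password": "test", "NAS-IP-Address": "1.2.3.4"}
    print(evaluate(parse_users(OR_PROFILE), bob))
```
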


Re: Acct-??put-Gigawords

2005-02-01 Thread Chris Parker
On Feb 1, 2005, at 2:08 PM, Steve Cole wrote:

> It appears that Acct-Output-Gigawords and Acct-Input-Gigawords still don't
> exist in MySQL and other drivers in Freeradius.  Is this accurate?
>
> Has anyone got any recommendations for a radius server that supports these
> without using PostgresSQL (very difficult for me at present)?  Really, no
> 1999->present server should be without this capability and it severely limits
> the usefulness of freeradius. :(

Any attribute that is defined in the dictionaries can be used in any module.

Simply edit your sql table definitions, and update your sql.conf file to
include your updated query with the additional attributes and columns.
They are not hardcoded in the modules.

-Chris
--
   \\\|||///  \ StarNet - A US LEC Company \     Chris Parker
   \ ~   ~ /   \  Wholesale Internet\   Director, Engineering
   | @   @ |\   http://www.megapop.net   \   (847) 963-0116 x321
oOo---(_)---oOo--\--
 VoiceEclipse, The Fresh Alternative http://www.voiceeclipse.com
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multiple NAS Vendors, one user-id?

2005-01-07 Thread Chris Parker
On Jan 7, 2005, at 3:32 PM, Dustin Doris wrote:

On Fri, 7 Jan 2005, Dustin Doris wrote:

Maybe you can do groups.  For example, setup an unlimited group
and a read_only group.  Then put the users into the appropriate group.

Have your users file say something like.

DEFAULT  Huntgroup-Name == Juniper, Group == "unlimited"
         Juniper-Local-User-Name = "UNLIMITED"

DEFAULT  Huntgroup-Name == Juniper, Group == "read_only"
         Juniper-Local-User-Name = "READ_ONLY"

This seems like the answer, but I am again being stupid and must be missing
something.  When I try to login now, I get authenticated, but the Attributes
never get sent back.  Here is what I have defined:

DEFAULT Group == "J-UNRESTRICTED", Huntgroup-Name == JUNIPER
        Juniper-Local-User-Name = "UNRESTRICTED",
        Fall-Through = Yes

DEFAULT Group == "R-UNRESTRICTED", Huntgroup-Name == RIVERSTONE
        Riverstone-User-Level = 15,
        Fall-Through = Yes

jfeger  Auth-Type = System
        Group = "J-UNRESTRICTED"

I think that you can't put the group a user is in in the users file.  I
would suggest putting your users and groups into some type of backend like
mysql or ldap.  I believe you could also get what you want in the password
module, with something like what is in the etc_group module in the default
radiusd.conf file.  Or you can use the unix module and store all your
users and groups in /etc/passwd, /etc/shadow, /etc/group.  That would mean
having local users on that machine, however.

Remember that the users file is parsed top down.
Reverse the order of the logic, and you should get it to work.  Also note
the use of the 'set' operator ':='.

jimbob   Group := "J-UNRESTRICTED"
         Fall-Through = Yes

billybob Group := "J-RESTRICTED"
         Fall-Through = Yes

DEFAULT  Group == "J-UNRESTRICTED", Huntgroup-Name == "JUNIPER"
         Juniper-Local-User-Name = "unrestricted",
         Fall-Through = Yes

DEFAULT  Group == "J-RESTRICTED", Huntgroup-Name == "JUNIPER"
         Juniper-Local-User-Name = "unrestricted",
         Fall-Through = Yes

DEFAULT  Auth-Type = System

-Chris


Re: B2BUA + RADIUS: Authenticate fail

2005-01-05 Thread Chris Parker

On Jan 5, 2005, at 12:45 PM, Bruno Machado wrote:

> Hi all
> I'm trying to use the B2bua with Radius but some
> problems are happening here. When I send an "INVITE"
> from the SER to the B2bua, it tries to authenticate, but it
> doesn't work. The text below is the log of the Radius:
>
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op
> FROM radcheck WHERE STRCMP(UserName, '16004') = 0
> ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 3
> rlm_sql_mysql: query:  SELECT
> id,UserName,Attribute,Value,op FROM radcheck WHERE
> STRCMP(UserName, '16000') = 0 ORDER BY id

What do you get when you run this query by hand?

-Chris


Re: IPASS: no such realm

2004-03-19 Thread Chris Parker
At 12:35 PM 3/19/2004, Reinaldo Silva wrote:

> Hi,
>
> I use this version:
> radiusd: FreeRADIUS Version 0.8.1, for host i386-redhat-linux-gnu, built
> on Jun 11 2003 at 12:03:43

0.8.1 is quite old.  0.9.3 is recommended.

-Chris
--
   \\\|||///  \   StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   Wholesale Internet\   Director, Engineering
   | @   @ |\   http://www.starnetusa.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Outpace the Competition - http://www.getmespeed.com




Re: patch -- Re: denying access to a NULL realm

2004-03-08 Thread Chris Parker
At 07:19 AM 3/8/2004, Rok Papez wrote:

> Rok Papez wrote:
>
> What is the best way to "block" the NULL realm ?
> Blocking of any realm would also be very useful if users from
> some other realm wouldn't be allowed to log into this network.
> I've added a realm option that blocks a certain realm. This way I can
> deny access for users from certain realms and when used with a NULL
> realm, users are forced to always specify a @realm with their username
> :).

What's wrong with putting this in the 'users' file:

DEFAULT Realm == NULL, Auth-Type := Reject
        Fall-Through = No
-Chris


RE: Problem in Radius Proxy during FailOver --

2004-02-20 Thread Chris Parker
At 11:23 AM 2/20/2004, Sudhagar Chinnaswamy wrote:

> | On Feb 20, 2004, at 6:41 AM, Alan DeKok wrote:
> |
> | > "Sudhagar Chinnaswamy" <[EMAIL PROTECTED]> wrote:
> | >> The failover doesn't work if the "synchronous" parameter is set to
> | >> "yes". Can someone explain this behaviour ?
> | >
> | >   It's probably a bug in the server.  I don't think that configuration
> | > has been well tested.
> | >
> | Isn't this actually correct? According to the DOCS, if Synchronous is
> | set to Yes, then all of the other parameters should be set to 0. How
> | will the server 'know' what the retry_delay, retry_count, and dead_time
> | are?
>
> Radius client (NAS or any external Radius server) may not have the
> information that more than one Radius server serves this particular
> realm. I believe, mostly the Radius server at top of the hierarchy will
> have this fail-over information. Also configuring FailOver at large
> volume of NASes is difficult compared to configuration at Radius Server,
> which is fewer in number compared to NAS. It might be a good idea to
> support fail-over in this configuration too.

The recommended configuration is to set 'Synchronous = no' for that
setup for specifically the reasons mentioned.

You can't have both the NAS *and* the RADIUS server handling
retransmissions and timeouts for what are hopefully obvious reasons.
If you need failover, you cannot set 'Synchronous = Yes'.

-Chris



Re: Allowing same user multiple logins simultaneously....

2004-02-10 Thread Chris Parker
At 04:31 PM 2/10/2004, Jeremy Ford wrote:

> I'm trying to allow a user to be able to login twice, simultaneously (with
> dynamic IPs). However, every time they try to log in the second time, we
> get the following errors
>
> Feb 10 17:28:42 tnt 1/6: [1/6/70/0] LAN security error, user [MBID 875; ] [user]
> Feb 10 17:28:43 tnt 1/17: [1/6/70/0] Call Terminated [MBID 875; ]
> Feb 10 17:28:43 tnt 1/6: [1/6/70/0] STOP: 'user'; cause 101.; progress 67.; host XXX.XXX.XXX.XXX [MBID 875; ] [user]
>
> I set
>
> user  Auth-Type = System, Simultaneous-Use = 2
>
> This is on a MAX TNT, any help on setting this up would be appreciated. I
> have setup ISDN accounts up like this and they work fine.

What does debug from FreeRADIUS show?  LAN SECURITY ERROR means some type
of auth failure on the part of the TNT and Radius server.
-Chris
--
   \\\|||///  \  StarNet Inc.  \     Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: Java Classes

2004-02-10 Thread Chris Parker
At 03:03 PM 2/10/2004, Pablo Silva wrote:

> Dear People:
>
> I'm working with freeradius-0.9.1-1
> version, I would like to know if there are java
> classes for this project?... if you know about this...
> please tell me where I can find it, I've searched by
> google but nothing...

No.  FreeRADIUS is written in C.  Sorry.

-Chris


Re: Can't get Crypt-Password to work in SQL

2004-02-10 Thread Chris Parker
At 09:45 AM 2/10/2004, Guy Fraser wrote:

> Chris Parker wrote:
>
>> At 07:04 PM 2/9/2004, Guy Fraser wrote:
>>
>>> I have scrubbed my RnD machine and installed FreeBSD 5.2, and installed
>>> FreeRadius from CVS on 2004 Feb 06 16:16 MST.
>>> I looked through the archives, and I can't find any reason why I can't get
>>> encrypted passwords to work using MySQL or PostgreSQL. I have had it
>>> working before with the same data, but I must have missed something in the
>>> config file. I also tried changing the crypt type to md5 but that didn't
>>> work either. I have the same data in PostgreSQL and MySQL, and both
>>> exhibit the same behavior. I switched back to PostgreSQL to make sure it
>>> wasn't MySQL specific, so my example data is from PostgreSQL.
>>> Clear text passwords seem to work with "User-Password".
>>>
>>> but
>>>
>>> Neither DES nor MD5 encrypted passwords work with "Crypt-Password".
>>>
>>> I am using the same data that worked in 0.9.3 and CVS before 2004.
>>>
>>> A weird thing I came across was that if I put the password in clear
>>> text using "Crypt-Password" the user authenticates OK.
>>
>> Try setting Auth-Type := Crypt-Local, as well for the user.
>>
>> It seems the server is trying to do a password compare, but not
>> realizing that it retrieved an encrypted password from the DB.  This
>> will be fixed before the next release, so the server doesn't have to
>> be explicitly told to use Crypt-Local.
>
> It was working before the beginning of the year. Do you have a patch
> ready? If not I will take a look at rlm_sql, I'm fairly sure there
> was a check for the password attribute in there before. If the check
> is gone I'll look at putting one back in.

It's not rlm_sql.  The same thing happens in the users file, etc.  It's
trying to do a straight compare between the decrypted 'User-Password'
and the 'Crypt-Password' rather than crypting User-Password and comparing
the result.  Unless you poke it manually by setting Crypt-Local authtype.
-Chris


Re: Syntax problem in users.permanent

2004-02-10 Thread Chris Parker
At 04:31 AM 2/10/2004, Doug Young wrote:

> I have been running freeradius 0.7 in FreeBSD 4.7 for authentication of
> local dialin users since October 2002 & now wish to add the following
> lines to the start of the users.permanent file to allow for remote area
> dialin via the 01983 phone system.
>
> DEFAULT
> Called-Station-Id == "0198333415" Service-Type == Framed-User,

You need a comma after CSID, before ST.  You don't need a comma after
Framed-User.  And this should be on the *same* line as DEFAULT.

> Framed-IP-Address = 255.255.255.254,
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-MTU = 1500,
> Framed-Routing = None,
> Port-Limit = 1,
> Framed-Compression = Van-Jacobson-TCP-IP
>
> When I stop radiusd & attempt to re-start it fails with following lines in
> radius.log
>
> Tue Feb 10 10:15:30 2004 : Error: /usr/local/etc/raddb/users.permanent[1]:
> Parse error (check) for entry DEFAULT: Expected end of line or comma

Seems pretty clear to me.  You've got your commas in the wrong place.

-Chris
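Added example (not part of the original thread, and not FreeRADIUS's own parser): a Python lint pass that applies the rules stated in the reply to users-file text: check items sit on the entry line, items are separated by commas, and the last check item takes no comma. The function names and the shortened sample entries are constructed for this illustration.

```python
import re

OPS = r':=|\+=|==|!=|>=|<=|=~|!~|=\*|!\*|=|>|<'
ITEM = re.compile(r'\s*([\w-]+)\s*(' + OPS + r')\s*("[^"]*"|[^\s,"]+)')
SEP = re.compile(r'\s*(,?)\s*')
COMPARE = {'==', '!=', '>', '>=', '<', '<=', '=~', '!~', '=*', '!*'}

# Constructed samples: the entry laid out as in the quoted post (shortened),
# and the same entry after applying the reply's corrections.
POSTED = '''\
DEFAULT
    Called-Station-Id == "0198333415" Service-Type == Framed-User,
    Framed-IP-Address = 255.255.255.254,
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP
'''
FIXED = '''\
DEFAULT Called-Station-Id == "0198333415", Service-Type == Framed-User
    Framed-IP-Address = 255.255.255.254,
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP
'''


def split_items(text):
    """Tokenise one line: (items, attributes lacking a comma, trailing comma?)."""
    items, missing, trailing, pos = [], [], False, 0
    text = text.strip()
    while pos < len(text):
        m = ITEM.match(text, pos)
        if m is None:
            raise ValueError(f'cannot parse item at {text[pos:]!r}')
        items.append((m.group(1), m.group(2)))
        sep = SEP.match(text, m.end())
        pos = sep.end()
        if sep.group(1):
            trailing = pos == len(text)      # comma with nothing after it
        elif pos < len(text):
            missing.append(m.group(1))       # another item follows without a comma
    return items, missing, trailing


def lint_users(text):
    """Return 'line N: message' findings for users-file text."""
    findings, lines = [], text.splitlines()
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        is_entry = not line[0].isspace()
        # entry line: drop the name, lint the check items; otherwise lint the reply items
        body = line.split(None, 1)[1:] if is_entry else [line]
        try:
            items, missing, trailing = split_items(body[0] if body else '')
        except ValueError as exc:
            findings.append(f'line {n}: {exc}')
            continue
        for attr in missing:
            findings.append(f'line {n}: expected end of line or comma after {attr}')
        if is_entry:
            if trailing:
                findings.append(f'line {n}: trailing comma after the last check item')
            continue
        # a reply line needs a trailing comma only when another reply line follows
        more = n < len(lines) and lines[n][:1].isspace() and bool(lines[n].strip())
        if trailing and not more:
            findings.append(f'line {n}: trailing comma after the last reply item')
        if more and not trailing:
            findings.append(f'line {n}: missing comma before the next reply item')
        if any(op in COMPARE for _, op in items):
            findings.append(f'line {n}: comparison operator in a reply item; '
                            'check items belong on the entry line')
    return findings


if __name__ == '__main__':
    for label, sample in (('posted', POSTED), ('fixed', FIXED)):
        print(label, lint_users(sample))
```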


Re: Trouble with 'redundant' block

2004-02-10 Thread Chris Parker
At 12:06 AM 2/10/2004, Jeff Warnica wrote:

> Hello all. I just upgraded to the 0.9.3 version on a SunOS 5.6 machine,
> using as recent GCC (and friends) as sunfreeware has. I had not attempted
> this in the old version. Anyway:
>
> In my accounting {} section, I tried to use the following :
>    redundant {
>        sql_clio
>        ok
>    }
> with the intention of gracefully ignoring SQL failures. However,
> check-radiusd-config reports the following:
>
> [snip]
> radiusd.conf[1561] Unknown module rcode 'sql_clio'.
> Strangely, if I comment out the sql_clio line, it reports:
> radiusd.conf[1562] Unknown action 'if'.
> That leads me to believe that the 'always' module is seriously messed. Has
> anyone seen issues like this? Ideas?

That looks like possibly a parser issue, and is not module specific, but
rather related to the radiusd.conf file.
Is this with the latest CVS only, or with the 0.9.3 release?  I'm able
to duplicate it with CVS, but don't have 0.9.3 system to test at the
moment.
-Chris


Re: Can't get Crypt-Password to work in SQL

2004-02-09 Thread Chris Parker
At 07:04 PM 2/9/2004, Guy Fraser wrote:

> I have scrubbed my RnD machine and installed FreeBSD 5.2, and installed
> FreeRadius from CVS on 2004 Feb 06 16:16 MST.
> I looked through the archives, and I can't find any reason why I can't get
> encrypted passwords to work using MySQL or PostgreSQL. I have had it
> working before with the same data, but I must have missed something in the
> config file. I also tried changing the crypt type to md5 but that didn't
> work either. I have the same data in PostgreSQL and MySQL, and both
> exhibit the same behavior. I switched back to PostgreSQL to make sure it
> wasn't MySQL specific, so my example data is from PostgreSQL.
> Clear text passwords seem to work with "User-Password".
>
> but
>
> Neither DES nor MD5 encrypted passwords work with "Crypt-Password".
>
> I am using the same data that worked in 0.9.3 and CVS before 2004.
>
> A weird thing I came across was that if I put the password in clear
> text using "Crypt-Password" the user authenticates OK.

Try setting Auth-Type := Crypt-Local, as well for the user.

It seems the server is trying to do a password compare, but not
realizing that it retrieved an encrypted password from the DB.  This
will be fixed before the next release, so the server doesn't have to
be explicitly told to use Crypt-Local.
-Chris
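Added example (not part of the original thread, and not FreeRADIUS code): a Python model of the two comparisons described in the Crypt-Password replies (this one and the 2004-02-10 follow-up above), the straight string compare and the Crypt-Local path that hashes the submitted password first. `toy_crypt` is a salted SHA-256 stand-in for crypt(3), and all names and sample values are constructed for this illustration.

```python
import hashlib
import hmac


def toy_crypt(password, salt):
    """Stand-in for crypt(3) (assumption): salted one-way hash, salt kept as a prefix."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:32]
    return f'{salt}${digest}'


def straight_compare(user_password, crypt_password):
    """The behaviour described in the replies: compare the two strings as they are."""
    return hmac.compare_digest(user_password.encode(), crypt_password.encode())


def crypt_local(user_password, crypt_password):
    """Hash the submitted password with the stored salt, then compare the hashes."""
    salt = crypt_password.split('$', 1)[0]
    candidate = toy_crypt(user_password, salt)
    return hmac.compare_digest(candidate.encode(), crypt_password.encode())


def authenticate(user_password, check_items):
    """Choose the comparison from Auth-Type, as the workaround in the reply does."""
    stored = check_items['Crypt-Password']
    if check_items.get('Auth-Type') == 'Crypt-Local':
        return crypt_local(user_password, stored)
    return straight_compare(user_password, stored)


def outcomes(password='s3cret', salt='ab'):
    """Run the cases from the thread against a constructed account."""
    stored = toy_crypt(password, salt)
    plain = {'Crypt-Password': stored}
    forced = {'Crypt-Password': stored, 'Auth-Type': 'Crypt-Local'}
    return {
        # real hash stored, server left to decide: the symptom in the post
        'hash stored, no Auth-Type': authenticate(password, plain),
        # the workaround from the reply
        'hash stored, Crypt-Local': authenticate(password, forced),
        # the "weird thing": cleartext placed in Crypt-Password authenticates
        'cleartext stored, no Auth-Type':
            authenticate(password, {'Crypt-Password': password}),
        # why the straight compare matters: the stored value itself is accepted
        'stored value submitted, no Auth-Type': authenticate(stored, plain),
        'stored value submitted, Crypt-Local': authenticate(stored, forced),
    }


if __name__ == '__main__':
    for case, accepted in outcomes().items():
        print(f'{case}: {"accept" if accepted else "reject"}')
```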


Re: freeRADIUS: Livingston PM

2004-02-09 Thread Chris Parker
At 04:46 PM 2/9/2004, Richard Bradley wrote:

> You are correct my Portmasters are transmitting on 1645/1646 and my
> RADIUS is listening on 1812/1813.  How do I change my RADIUS
> configuration to listen on 1812/1813?

On the PM3, the setting is 'set auth x.y.z.a 1812'.  If you don't specify
the port, the PM3 defaults to 1645/1646.  Do the same ( though with 1813 )
for the acct server.
-Chris


Re: Mobile IP Support

2004-02-09 Thread Chris Parker
At 10:19 AM 2/9/2004, Guy Fraser wrote:

> kiko kix wrote:
>
>> Hi!
>>
>> I'm studying the components of the CDMA2000 1xEVDO architecture. One of
>> the components in the Packet Data system is the AAA server.
>>
>> I'm making a comparison between the Cisco Access Registrar, Steel
>> Belted Radius and FreeRadius.
>>
>> Does freeradius support Mobile IP or EVDO ?  Thanks.
>>
>> Francis
>
> What are they?

L2 Transport methods.  They have nothing themselves to do with RADIUS.  The
access hardware that provides the services may well be configured to speak
RADIUS.  If the RADIUS implementations on the access hardware uses standard
RADIUS methods then there's no reason why FreeRADIUS can't support them.
The original poster is trying to compare/review products which are completely
unrelated.  It's like asking about who manufactures the best LCD flat panel
displays, ConAgra or General Mills?  :)
-Chris


Re: freeRADIUS: Livingston PM

2004-02-08 Thread Chris Parker
At 05:15 PM 2/8/2004, Richard Bradley wrote:

> Does anyone have suggestions why freeRADIUS is not picking up the
> Livingston PM3?
>
> freeRADIUS starts and I set the AUTH and ACCOUNTING toward the freeRADIUS
> server and it never picks it up.  I'll take someone fishing if they figure
> it out:-) http://www.lagooner.com

What ports is freeRADIUS listening on, and what ports is the PM3 sending
to?  One is likely set to 1645/1646, and the other set to 1812/1813.
-Chris


Re: Unknown module rcode 'DEFAULT' in attrs

2004-02-06 Thread Chris Parker
At 09:58 PM 2/6/2004, John Ensley wrote:

> Hello,
> Learning freeradius-0.9.3 - never used before.
> Had it running in default setup after install so it answered from
> another client requests.
> Want to add some Ascend-Data-Filter and having problems.
> Can't understand problem from reading archives.
> End of start using radiusd -X is this:
>
> Module: Instantiated preprocess (preprocess)
> Module: Loaded attr_filter
>  attr_filter: attrsfile = "/usr/local/etc/raddb/attrs"
> Module: Instantiated attr_filter (attr_filter)
> radiusd.conf[78] Unknown module rcode 'DEFAULT'.

This is reading attr just fine.  It is complaining about line 78 of
your 'radiusd.conf' file.  What is on that line?

> # The rest of this file contains the DEFAULT entry.
> # DEFAULT matches with all realm names.
> #
> DEFAULT
>     Service-Type == Framed-User,
>     Service-Type == Login-User,
>     Login-Service == Telnet,
>     Login-Service == Rlogin,
>     Login-Service == TCP-Clear,
>     Login-TCP-Port <= 65536,
>     Framed-IP-Address == 255.255.255.254,
>     Framed-IP-Netmask == 255.255.255.255,
>     Framed-Protocol == PPP,
>     Framed-Protocol == SLIP,
>     Framed-Compression == Van-Jacobson-TCP-IP,
>     Framed-MTU >= 576,
>     Framed-Filter-ID =* ANY,
>     Reply-Message =* ANY,
>     Proxy-State =* ANY,
>     Session-Timeout <= 28800,
>     Idle-Timeout <= 600,
>     Port-Limit <= 2,
>     Ascend-Data-Filter := "ip in forward tcp est",
>     Ascend-Data-Filter := "ip in forward dstip 204.248.85.116/32",
>     Ascend-Data-Filter := "ip in drop tcp dstport = 25",
>     Ascend-Data-Filter := "ip in forward",
>     Fall-Through = no

You want to use += on the Ascend-Data-Filter lines after the first
one.  Please see the docs on 'Operators' for more details on why,
in particular the 'rlm_attr_filter' file in '~radiusd/doc/'.
-Chris


Re: preproxy for calledstationid to realm

2004-02-06 Thread Chris Parker
At 09:55 PM 2/6/2004, Jim wrote:

> preproxy_users file:
>
> <<
> DEFAULT
>    Called-Station-ID =~ "*1234", Proxy-To-Realm := "realmname"
> >>
> The realm will be stripped before sending on the packets to the auth
> server.
> Will/should this work? Any downside besides the fact we have to do this on
> all of our radius servers? Any other way to do it?

You should be able to do this in the plain 'users' file as well.  Yes,
it will work that way.  I know several companies that are doing exactly
this today.  You also could use 'fastusers' module, which caches the users
file in memory.  This is very nice if you are doing high volume radius.

> Anybody do this with MySQL?

You should be able to put the same DEFAULT entry in your SQL DB.

-Chris


Re: PEAP or TTLS with Ldap ?

2004-02-06 Thread Chris Parker
At 03:16 AM 2/6/2004, Jean-Paul Chapalain wrote:

> Hi,
>
> I've realized another test with a modified radiusd.conf.
>
> I've added ldap in authorize section like this :
> authorize {
>     preprocess
>     chap
>     mschap
>     suffix
>     #  ldap gets the Configured password.
>     ldap
>     eap
>     files
> }
> But now, the server doesn't perform EAP/TTLS authentication.
>
> See below output :
>
> Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.154.253.18:1812, id=187, length=100
> NAS-IP-Address = 10.154.253.18
> NAS-Port-Type = Async
> User-Name = "a0153"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Calling-Station-Id = "00-0b-cd-ac-7a-fa"
> EAP-Message = 0x020a016130313533
> Message-Authenticator = 0xab45a05ade408f00f107fba3a49bd5ac
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "a0153", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for a0153
> radius_xlat:  '(cn=a0153)'
> radius_xlat:  'dc=platine,dc=org'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 10.154.32.1:3268, authentication 0
> rlm_ldap: bind as / to 10.154.32.1:3268
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=platine,dc=org, with filter (cn=a0153)
> rlm_ldap: no dialupAccess attribute - access denied by default
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns userlock for request 0
> modcall: group authorize returns userlock for request 0
> Invalid user (rlm_ldap: Access Attribute denies access): [a0153/] (from client sw-info-ouest-test port 0 cli 00-0b-cd-ac-7a-fa)

See the docs on how to setup LDAP.  First, you need to get LDAP to pass
the authorize stage successfully.
The 'no dialupAccess attribute defined' seems to indicate to me that you
should start with defining that.
Here I must bow out, as I'm not as familiar with LDAP.  There are others
on this list who can hopefully offer better insight into this than I.
-Chris


Re: Execute Script in logout

2004-02-05 Thread Chris Parker
At 12:14 PM 2/5/2004, Claudiney Resende Costa wrote:

> How do I execute a script after logout? Is it possible to do this?

You can use 'acct_users' file to trigger this on 'Stop' accounting packet.

See docs for EXEC and acct_users info.

-Chris



Re: PEAP or TTLS with Ldap ?

2004-02-05 Thread Chris Parker
At 11:02 AM 2/5/2004, Jean-Paul Chapalain wrote:

> I've realized with success a test for EAP/TTLS (WinXP client of
> afla-ariss) with FreeRadius local user/password.
>
> The user file was like this :
> #=
> # Test's User for 802.1x EAP/PEAP or EAP/TTLS
> #=
> jpc User-Password == "jpc"
> BUT when I want to use a LDAP backend, I can realize authentication.
>
> See below user file for Ldap :
> #=
> # Test's User for 802.1x EAP/PEAP or EAP/TTLS
> #=
> a0153 Auth-Type := LDAP

Try not listing the user in the users file.  Add LDAP to your
authorize section, and don't set an Auth-Type in DEFAULT entries.
LDAP will pull the user-password attribute in during the 'authorize'
run, and the EAP modules should set and detect the EAP message so
that EAP Authentication is done.
By setting Auth-Type := LDAP in users, you are overriding what is called
in Authenticate so that EAP Authentication is not performed.
Remember, if you use the := operator, it is absolute and overrides any
currently set Auth-Types.  If anything, you'll want to set it to EAP,
not LDAP.
-Chris


Re: is ttls with eap md5 & ms-chap is supported?

2004-02-04 Thread Chris Parker
At 10:39 PM 2/4/2004, raghavendra wrote:

> Hi List,
>
> I could bring-up free-radius server for TTLS setup only with PAP & CHAP
> protocols,
> And could not bring up for EAP-MD5, MS-CHAP v2 protocols,
>
> my question, is it supported on free-radius, if so where and how should I
> configure,

This area of the server is still undergoing active development.  If you
haven't already, I would suggest trying one of the nightly 'snapshot'
builds, as that will be the most recent code for EAP support.
-Chris



Re: Use of Stripped User Names in radutmp and radwtmp

2004-02-04 Thread Chris Parker
At 08:46 PM 2/4/2004, Doug Hardie wrote:

> I don't know what the proper procedure for submitting suggested changes
> is, but here is how I fixed freeradius-0.9.3 to log stripped names in
> radutmp and radwtmp.

http://www.freeradius.org/radiusd/doc/DIFFS

> First in radiusd.conf radutmp entry, set
>
> username = %{Stripped-User-Name:-%{User-Name}}
>
> Second in rlm_unix, the following change will use stripped names if
> log_stripped_names is set in the radius.conf file:

Not sure specifically what this does.  Is this patch to modify rlm_unix
to lookup the user in the system with 'stripped-user-name' vs. 'user-name'?
-Chris


Re: Hello all, I'm having problem getting freeradius working with mschap + plain files auth.

2004-02-04 Thread Chris Parker
At 07:25 PM 2/4/2004, Anton Blajev wrote:

> Hello to all!
>
> I've installed freeradius few hours ago.
>
> I've configured it according to my need and tested it firstly with
> radtest, it works just as expected, fine!
> After that I've decided to test it how it works with in the real world,
> so I've tried logging in from a win98se machine (that used to work
> with plain ppp.secret file just fine)
> After trying out I got this error:
> --
> rad_recv: Access-Request packet from host 127.0.0.1:3975, id=112, length=148
> Thread 2 assigned request 2
> --- Walking the entire request list ---
> Threads: total/active/spare threads = 4/1/3
> Nothing to do.  Sleeping until we see a request.
> Thread 2 handling request 2, (1 handled so far)
> User-Name = "steve"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> MS-CHAP-Challenge = 0x39363331393835353831343234303433
> MS-CHAP2-Response = 0x010407ccac6a99be8a4398fedf66beb0cfc0ce27d9a5235ff6bf349a672c6d584f9987782bc2ad0690c4
> NAS-Identifier = "router.lozenetz.net"
> NAS-Port-Type = Virtual
> modcall: entering group authorize for request 2
>   modcall[authorize]: module "preprocess" returns ok for request 2
>   rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type := MS-CHAP'
>   modcall[authorize]: module "mschap" returns ok for request 2
> users: Matched DEFAULT at 152
> users: Matched DEFAULT at 171
> users: Matched DEFAULT at 183

Note that it is matching your DEFAULT entries, not the specific 'steve'
entry.

> steve  Auth-Type := Local, User-Password == "testing"

Try removing the 'Auth-Type' from this line.  Since you want to use
MS-CHAP, you should let the MS-CHAP module detect and set the Auth-Type,
as you are trying to override it here.
I've not used MS-CHAP myself, but from the debug you posted this appears
to be what is occurring.
-Chris


Re: Radius Authentication based on realm and IP address only

2004-02-03 Thread Chris Parker
At 05:08 PM 2/3/2004, [EMAIL PROTECTED] wrote:

> So basically I want radius to ignore the username and password
> and check the realm and NAS-IP address only (or possibly another check item)
> The end users client software does pass username in the form of
> [EMAIL PROTECTED] along with password, NAS-IP, dialer-digits etc.
> I have created the following entry in my user file:
>
> DEFAULT Realm = = "myisp.com", NAS-IP-Address="xxx.xxx.xxx.xxx"
>         vendor-specific-attribute=1,
>         Fall-Through = Yes
>
> Auth: Login incorrect: [EMAIL PROTECTED]/asdfasd] (from client mytest port 0)
>
> Questions:
> 1. Regardless of whether this is a good idea or not, can radius be
> configured to do this?

Yes.

> 2. If so, how?

Add Auth-Type := Accept to your DEFAULT profile as a Check-Item ( that
means on the same line as DEFAULT ).
-Chris


Re: Multiple Freeradius Servers On The Same Host

2004-01-30 Thread Chris Parker
At 01:55 PM 1/30/2004, Frank Everitt wrote:

> All...
> This may be a bizarre idea but if it will work I can save the purchase of
> some additional equipment. I'd like to know if it's possible to run two
> different radiusd process on the same server. Each would be set up to
> listen at different port pairs and would do authentication from two
> different password sources, local and ldap. Yes/No, what do you think?

Yes, it can be done.

Make sure to pass the base directories to ./configure so they install
and look for config files in different locations.
-Chris


RE: Radreply Implementation Question

2004-01-29 Thread Chris Parker
At 01:12 PM 1/29/2004, Deramus, Chris wrote:

> Thanks for your response Chris. We have thousands of users so having them
> login with different usernames probably will not be an option. The only
> value that I could find that may work would be the Connect-Info
> attribute; however, I am still a little confused at how it would be
> implemented?

The different username option is not a one or the other.  It can be setup
so that the user can login either as 'user' or '[EMAIL PROTECTED]'.  If they all
login with 'user' today, then they all keep doing that.  The ones that
care can login with '[EMAIL PROTECTED]' to trigger the compression.
Regarding the Connect-Info, what are the attribute values that you see
being sent for the different connection types?
-Chris


Re: Radreply Implementation Question

2004-01-29 Thread Chris Parker
At 11:40 AM 1/29/2004, Deramus, Chris wrote:

> To all,
>
> I currently use radreply to send numerous values to a Cisco 3030 VPN
> Device. These attributes are mainly sent based on username MySQL queries
> (Framed IP Addresses, DNS/WINS Entries, Domain Search Suffixes, etc.). I
> now would like use a new Cisco AV Pair CVPN3000-IPSec-IP-Compression. This
> AV Pair already has an entry in the dictionary.cisco.vpn3000 file;
> however, I am trying to think of the best way to implement its features.
> Setting this value to one turns LZS compression on which greatly benefits
> dial-up users; however, it slows down broadband users (per Cisco's
> documentation). Using LZS compression for all users across the board has
> also been known to saturate the device at a much faster pace.
>
> I was trying to implement some logic based on either connection speed,
> Framed-Protocol, etc. that would be able to decipher if a user was coming
> in with a connection less than 128k. If so, then FreeRADIUS would send the
> Concentrator the particular reply with a value of 1. I was curious if
> anyone had any suggestions on the best approach to take?

You can use as a determining factor any attribute which is present in
the Access-Request.  With the wide variety of operators ( to include
Regexp string expressions ) it shouldn't be too hard to determine
whether it's a Dial or Broadband connection.
Alternatively, you could allow users to indicate through some method
( optional realm? ) whether they want compression.  IE:

[EMAIL PROTECTED]  gets LZS assigned
user               gets no compression

Then just strip the realm, or use 'Stripped-User-Name' for your password
lookups.
-Chris


Re: nocat authenfication problem: RADIUS AVP

2004-01-28 Thread Chris Parker
At 04:24 AM 1/28/2004, Pierrick Le Fol wrote:
> Hello all,
>
> Has somebody used freeradius to realize nocat authentication?
> So I have tried to associate them but it seems that the freeradius is
> dumb of nocat request. Strangest is that the freeradius works with
> NTRadping ( remote request ) or with radtest ( local request ):

Run the radius server in debug mode.  What do you see that is different
about the packets received by the RADIUS server from Nocat vs. radtest?
-Chris


Re: Per-Domain Defaults

2004-01-26 Thread Chris Parker
At 11:57 AM 1/26/2004, Joe Warren-Meeks wrote:

> On 26 Jan 2004, at 5:04 pm, Alan DeKok wrote:
>
> Heya,
>
> DEFAULT Realm == "domain1.net", stuff ...
>     other stuff...
> DEFAULT Realm == "domain2.net", stuff ...
>     other stuff...
> DEFAULT Realm == "domain1.net"
>     Service-Type = Outbound-User,
>     Tunnel-Type = :1:L2TP,
>     Tunnel-Medium-Type = :1:IP,
>     Tunnel-Server-Endpoint = :1:21.21.21.21,
>     Tunnel-Assignment-Id = :1:terminator_test,
>     Tunnel-Password = :1:password,
>     Tunnel-Preference = :1:1,
>     Fall-Through = No
> I have tried adding the above, but it doesn't seem to work.
>
> Am I doing something wrong?

What does debug show?

Also, please notice that if you have Fall-Through = No on *ANY*
matching entry, processing of the users file stops at that point.
-Chris
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
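
The Fall-Through rule stated in the reply above, as an added example (not code from the thread or from FreeRADIUS): a small Python model that walks a users file top to bottom and stops at the first matching entry without Fall-Through = Yes. It models only '==' check items and '=' reply items, and the sample entries and request values are constructed.

```python
"""Toy model of 'users' file evaluation (added example, not FreeRADIUS code).

Assumptions: only '==' check items and '=' reply items are modelled, and an
entry that does not set Fall-Through is treated as Fall-Through = No.
"""

# Constructed sample file: the first domain1.net entry stops processing,
# so the second domain1.net entry below it is never reached.
USERS = '''
DEFAULT Realm == "domain1.net"
    Tunnel-Type = L2TP,
    Fall-Through = No

DEFAULT Realm == "domain1.net"
    Session-Timeout = 3600,
    Fall-Through = Yes

DEFAULT Realm == "domain2.net"
    Idle-Timeout = 600,
    Fall-Through = Yes

DEFAULT
    Reply-Message = "catch-all"
'''


def _items(text):
    """Split a comma-separated item list, dropping empty pieces."""
    return [p.strip() for p in text.split(",") if p.strip()]


def parse_users(text):
    """Parse users-style text into a list of (name, checks, replies)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Entry header: a name followed by comma-separated check items.
            parts = line.split(None, 1)
            checks = {}
            for item in _items(parts[1] if len(parts) > 1 else ""):
                attr, _, value = item.partition("==")
                checks[attr.strip()] = value.strip().strip('"')
            entries.append((parts[0], checks, []))
        elif entries:
            # Indented line: reply items for the most recent entry.
            for item in _items(line):
                attr, _, value = item.partition("=")
                entries[-1][2].append((attr.strip(), value.strip().strip('"')))
    return entries


def evaluate(entries, request):
    """Return (reply_items, indexes_of_matched_entries) for a request dict."""
    reply, matched = [], []
    for idx, (name, checks, replies) in enumerate(entries):
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if any(request.get(attr) != value for attr, value in checks.items()):
            continue
        matched.append(idx)
        fall_through = False
        for attr, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply.append((attr, value))
        if not fall_through:
            break  # processing of the file stops at this entry
    return reply, matched


if __name__ == "__main__":
    parsed = parse_users(USERS)
    for realm in ("domain1.net", "domain2.net"):
        items, hit = evaluate(parsed, {"User-Name": "joe", "Realm": realm})
        print(realm, "matched entries", hit, "reply", items)
```

Running it shows which entries were consulted for each realm, which is the same thing the server's debug output reveals when a later entry is silently skipped.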


Re: Per-Domain Defaults

2004-01-26 Thread Chris Parker
At 10:25 AM 1/26/2004, Joe Warren-Meeks wrote:

> Hello there,
>
> foo# radiusd -v
> radiusd: FreeRADIUS Version 0.9.0, for host i386-unknown-freebsd4.7, built
> on Oct 13 2003 at 14:15:59
>
> I have been having issues with defaults. Specifically, I have accounts
> where i would like to apply different sets of defaults depending on domain
> name the user is trying to authenticate with.

jimbob   User-Password == "nomoresecrets"
  Framed-IP-Address = 127.0.0.1

DEFAULT   Realm == "fubar"
  First-Default = Attributes,
  ...,
  Fall-Through = Yes

DEFAULT   Realm == "tarfu"
  Second-Default = Attributes,
  ...,
  Fall-Through = Yes
-Chris


Re: More Memory Leak Issues

2004-01-26 Thread Chris Parker
At 04:07 AM 1/26/2004, Bhaskar Bhattarai wrote:
> Hello all:
>
> I am running FreeRadius-0.9.3 on RedHat Linux 9.  When I run Memory
> Profiler (MemProf) I see a lot of memory leaks being reported.  Don't mean
> to be annoying, but I have dumped all the reported memory leak cases below
> for analysis.  But before that, the following are my system specifications :-

One, this type of discussion belongs on the -devel list.

Two, are you actually observing the running process leaking memory, or
just relying solely on the output of memprof?
-Chris


Re: Setting up monthly time limits

2004-01-23 Thread Chris Parker
At 01:33 PM 1/23/2004, Lisa Casey wrote:
> Hi,
>
> I'm using Free Radius and need to set up monthly time limits of 200
> hours/month/user. I have read rlm_counter in radiusd.conf, and even though
> I'm not sure how well I understand this, I've proceeded to try to set it up.
> Here's what I've done. In radiusd.conf:
>
> counter monthly {
>     filename = ${raddbdir}/db.monthly
>     key = User-Name
>     count-attribute = Acct-Session-Time
>     reset = monthly
>     counter-name = Monthly-Session-Time
>     check-name = Max-Monthly-Session
>     allowed-servicetype = Framed-User
>     cache-size = 5000
> }
>
> In Instantiation I have:
>
> instantiate {
>     expr
>     monthly
> }
>
> In authorize I have:
>
> authorize {
>     preprocess
>     eap
>     suffix
>     files
>     mschap
>     monthly
> }
>
> In accounting I have:
>
> accounting {
>     acct_unique
>     detail
>     monthly
>     unix  # wtmp file
>     radutmp
> }
>
> In my users file I have each user listed as a separate entry. Example:
>
> lisa   Auth-Type == Local, Password == c57bl6j
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP,
>     Framed-IP-Address = 255.255.255.254,
>     Framed-IP-Netmask = 255.255.255.255,
>     Framed-Routing = None,
>     Framed-Compression = None,
>     Framed-MTU = 1500
>
> So at the top of the users file I added this:
>
> DEFAULT Monthly-Session-Time > 72, Auth-Type := Reject
>     Reply-Message = "You've used up your allocated monthly time.",
>     Fall-Through = No

That all looks good so far.  Nothing jumps out as being wrong at least.

> Now when I restart Free Radius I get this error message:
>
> Fri Jan 23 14:10:33 2004 : Error: radiusd.conf[1160] Failed to link to
> module 'rlm_counter': file not found
>
> What have I done, or not done, or failed to understand??

The rlm_counter module doesn't look to be loadable.  Can you check to
confirm that it is compiled?

You can check this by changing to the directory:

  $ cd ~/radiusd/src/modules/rlm_counter

Make sure you have the various .lo .o and other files that are
created when it successfully compiles.  If it is there, run:

  $ make install

If it is not, you'll need to likely rerun the module 'configure' script
and watch for any errors or things it says it can't find.  It may be that
your system is missing something that rlm_counter needs.  In that case,
you'll need to add that to the system first, then re-run configure and
build the module.
-Chris


Re: Blank username/password

2004-01-15 Thread Chris Parker
At 12:01 PM 1/15/2004, Adil Bikarbass wrote:
> The lucent list said, i can't send empty username to the Lucent PM3, i'm
> wondering if it's the case with other NAS vendors?

No, it said, "The PM3 is dropping the session at the PPP level, it is
not sending anything to RADIUS".

Some vendors allow blank usernames.  It is not required per the RFC, though
not using one makes things a bit interesting.
-Chris


Re: multiple module lookups when only one should be used

2004-01-14 Thread Chris Parker
At 02:45 PM 1/14/2004, Alan DeKok wrote:
> Mike Sturdee <[EMAIL PROTECTED]> wrote:
> > users that dial into a number ending in 195 get the correct Auth-Type &
> > Autz-Type, as do other calls that need to auth off of LDAP1. Problem is,
> > when I have the LDAP2 instances in authorize {} authenticate {}, users
> > authing off of LDAP1 do not get the correct group attributes per the group
> > lookup in module instance ldap1. when radiusd is in debug mode, it shows
> > the LDAP1 users going through both the ldap1 and ldap2 module instances..
>
>   Yes.  The "authorize" section processes the modules from top to
> bottom, even if set Autz-Type previously.
>
>   The issue is that the "authorize" section *started* by processing
> modules from top to bottom, and the Autz-Type was added later.  So it
> may not entirely do the right thing at times...
>
>   I'm open to suggestions for what to do with the "authorize" section
> and Autz-Type.  I don't want to break older configurations, so that's
> a bit of a constraint.

Have an 'old_style_authorize' config directive that defaults to yes.

Allow it to be set to 'no' to achieve 'authenticate' style processing
based on 'autz-type'.

The problem is that Authenticate works, because we set Auth-Type prior
to entering that block.  We don't have anything to set Autz-Type prior
to running the Authorize block.  :\

Is the functionality required above something that could be accomplished with
the 'configurable failover' behaviour of modifying processing of modules
based on return value of previous module call?
-Chris


Re: striping AVP pairs from the Radius request

2004-01-14 Thread Chris Parker
At 11:26 AM 1/14/2004, Bojan Tomic wrote:
> Hello
>
> I'm using freeRADIUS as a proxy for radius requests.
>
> Now, is it possible to strip some AVP pairs from the original request
> before the request is proxied forward and how do I do that?

rlm_attr_filter

Use the current CVS version, as it adds support for pre/post-proxy
instances.
-Chris


RE: Freeradius using a Cistron users file.

2004-01-14 Thread Chris Parker
At 08:14 AM 1/14/2004, Alex Moen wrote:
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On
> > Behalf Of Chris Parker
> > Sent: Tuesday, January 13, 2004 5:36 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Freeradius using a Cistron users file.
> > Perhaps rather than storing a crypted password in the
> > plaintext Password attribute, you could try using the
> > 'Crypted-Password' attribute.
> >
> > -Chris
>
> Thank you, Chris, for the advice.  That worked.  Is that documented
> anywhere, other than maybe the O'Reilly Radius book (that I don't have)?  I
> could not find it anywhere in the man pages, docs, faq, etc.

I'm adding an example of using a 'Crypt-Local' and 'Crypted-Password' entry
to the CVS users file.  We've got examples for 'Local' and 'User-Password'
so it makes sense to have the Crypted ones as well.

> The confusion on this whole thing stemmed from the fact that I am trying to
> integrate a freeradius server into an existing Cistron environment, and the
> way we have configured the users file is to put an encrypted password string
> into the Password attribute...

Yep, while FR descended from Cistron, it's not quite the same in terms of
how it handles and parses things.

Glad it's working for you now.  :)

-Chris


Re: Sending VAR's

2004-01-14 Thread Chris Parker
At 07:01 PM 1/13/2004, [EMAIL PROTECTED] wrote:
> How do I send the attributes back to the NAS with the Accept packet?

Add them to the Reply-Items in the user's profile.

-Chris


Re: Using FreeRadius 0.9.3 to provide a telnet session to UNIX or Windows box

2004-01-13 Thread Chris Parker
At 05:17 PM 1/13/2004, MG wrote:

> Thank you Chris Parker for your prior assistance.
>
> Authentication on my RADIUS server was successful but the Telnet
> prompt to my target Unix box still does not appear on the user's
> PC, with user setup;
> >usertest   Auth-Type := Local, User-Password == "testunix"
> >   Service-Type = Login-User,
> >   Login-Service = Telnet,
> >   Login-TCP-Port = Telnet,
> >   Login-IP-Host = 192.168.212.43
> Then, I used Hyperterminal to dial into my service provider's
> RADIUS client and manually entered the required Login and
> Password and got the following in my Hyperterminal window;
>
> Welcome to RADIUS Client Service
>
> login: usertest
> password:
> Please hold ...
> Authenticated.
>
> But the Telnet prompt for the target Unix box 192.168.212.43
>
> SunOS 5.6
>
> login:
>
> does not appear after 'Authenticated'. What may be wrong
> considering the debug info below which includes starting the
> RADIUS server and (**>>>>>) the attempt to connect using
> Hyperterminal;

What do you show on your Term Server?

What does 'snoop x.y.z.a' on your Sun box show ( where x.y.z.a is the
ip address of your Term Server ).

The above profile works on Cisco, Ascend, Lucent, and Livingston hardware,
as I'm using it today.  If it doesn't work on your term server, then you
have a config issue ( perhaps not allowing telnet ) somewhere on the term
server or the Sun server.
-Chris


RE: Freeradius using a Cistron users file.

2004-01-13 Thread Chris Parker
At 05:16 PM 1/13/2004, Alex Moen wrote:
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On
> > Behalf Of Alan DeKok
> > Sent: Tuesday, January 13, 2004 2:03 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Freeradius using a Cistron users file.
> >
> >
> > "Alex Moen" <[EMAIL PROTECTED]> wrote:
> > > OK, Alan, I did what you said.  I have a two line users file now:
> > >
> > > bob Auth-Type := Crypt-Local, Password == "IZOofOc2ONteU"
> > > Reply-Message = "Hello, bob"
> > >
> > > The weird thing is that when I use "IZOofOc2ONteU" as a
> > > password in radtest, here is the output:
> >
> >   It doesn't work.  Does "IZOofOc2ONteU" *look* like a
> > crypt'd password?
>
> Actually, yes it does look like a crypted password.  Like, from a shadow
> file.  Which is where my script is retrieving, and will continue to
> retrieve, password information.  BTW, by your answer, it looks like you
> didn't even read the output that I posted.  Did you?  If you did, you would
> have noticed that there were significant differences between the two
> examples that I provided.
>
> >   What's wrong with trying the sample configurations from the
> > FAQ, or "man" page?  They work.
>
> I did use the sample configs.  And, when using plain text passwords, they
> work fine.

Perhaps rather than storing a crypted password in the plaintext
Password attribute, you could try using the 'Crypted-Password' attribute.
-Chris


RE: How tcan I translate old X-Ascend... attributes to Ascned...

2004-01-09 Thread Chris Parker
At 12:14 PM 1/9/2004, Antoine Cavalié wrote:
> What I want is not just having them look the same in the detail files.
>
> What I want is that freeradius acts in the same manner if it receives either
> a X-Ascend-foo=x or a Ascend-foo=x

Then the first suggestion.  You will need to write a custom module
to do this.
-Chris


Re: duplicate accounting mysql rows - possible bug in module rlm_sql.c

2004-01-09 Thread Chris Parker
At 10:05 AM 1/9/2004, Antoine Cavalié wrote:
> As nobody helped me, I did it alone
>
> If somebody has the same problem, mail me

See the docs for 'rlm_acct_unique'.

-Chris


Re: How tcan I translate old X-Ascend... attributes to Ascned...

2004-01-09 Thread Chris Parker
At 10:04 AM 1/9/2004, Antoine Cavalié wrote:
> Hi everybody
>
> Two NASes send packets to my freeRadius 0.9.3
>
> One sends old-style X-Ascend-... lines
> The other sends new-style Ascend-... ones
> I would like to have freeRadius work correctly for both
>
> My idea is to have freeRadius translate packets as they come, so all
> packets only contain new-style lines but I don't know where to implement
> that translation
> rlm_attr_rewrite.c ? rlm_attr_filter.c ? elsewhere ?
> Any idea will be gratefully appreciated

You'd best handle this with a custom module.  rlm_attr_rewrite will
rewrite value data, but what you want to do is toggle the attribute
number.

Alternatively, if you just want them to look the same in the detail, then
you could edit the dictionary entries so that the VSA attributes are
listed first, and then change the non-VSA attributes to remove the 'X-'
at the beginning.  It is important to put the VSA attributes first,
so that if you specify the attribute by name, the VSA entry is
returned on the dictionary lookup.
-Chris


Re: SPAM [was: Re: VXAMCECD, the whistle made]

2004-01-03 Thread Chris Parker
At 06:28 AM 1/3/2004, Miquel van Smoorenburg wrote:
> In article <[EMAIL PROTECTED]>,
> Lunsford <[EMAIL PROTECTED]> wrote:
> >arctan demise digestive stationarity plutarch equitable lawbreak
> >predicament proctor hysterectomy justice mallow rheumatism beograd paid
> >contrariwise
> >coexistent won auriga irredentism memphis
>
> Okay, even with extensive spamassassin and RBL filtering,
> 50% of the messages on freeradius-users and -devel this morning
> were spam. I did not want to make the lists subscriber-only
> because of the occasional spam message getting through, but
> this is absurd.
>
> I'm seriously considering making the list subscriber-post only.
> What do you think about this ? Good idea ? Bad idea ?

An unfortunate consequence, but in my opinion, a needed one.  If
someone needs help, it is trivial to subscribe to the list.
-Chris



Re: How to use freeradius 0.9.3 to give users Telnet session on UNIX or Windows servers

2004-01-02 Thread Chris Parker
At 03:46 PM 1/2/2004, MG wrote:
> Hi,
> I have configured the freeRADIUS 0.9.3 server on RedHat 9. I am
> required to use FreeRADIUS to authenticate valid users and give
> them a Telnet session on either another Unix(192.168.20.7)
> server or a Windows (192.168.20.14) server on the same network
> as my FreeRADIUS server. I configured my "users" file as below;
>
> unixuser   Auth-Type := Local, User-Password == "testunix"
>   Service-Type = Framed-User,
>   Framed-Protocol = PPP,
>   Login-Service = Telnet,
>   Login-TCP-Port = Telnet,
>   Login-IP-Host = 192.168.20.7
> winuser   Auth-Type := Local, User-Password == "testwin"
>   Service-Type = Framed-User,
>   Framed-Protocol = PPP,
>   Login-Service = Telnet,
>   Login-TCP-Port = Telnet,
>   Login-IP-Host = 192.168.20.14
>
> However, the users get authenticated, but no Telnet session,
> i.e., no Telnet username prompt. How do I accomplish this
> project? Please help!

You don't send Framed-User and PPP back if you don't want a Framed
session.

See my previous answer to your question where I told you how to fix
it:
http://lists.freeradius.org/pipermail/freeradius-users/2003-December/026965.html

-Chris


Re: Faking CHAP?

2003-12-31 Thread Chris Parker
At 01:04 PM 12/31/2003, Drew Weaver wrote:
> Is there any way to 'fake' CHAP? We are using a national
> dial-up network for I would say maybe 7% of our customers, and for
> whatever reason the POPs that they use require CHAP, we really don't like
> to use CHAP for the obvious insecurities. So I am wondering is there a
> way to have it do this.
>
> CHAP request comes in, FreeRadius knows that we don't do chap, it checks
> against the SYSTEM database, and returns accept or reject. Any clue? I
> imagine the only way this wouldn't be possible is if there is some kind of
> twisted encryption handshaking going on before the authentication. We
> really would like to just have ONE set of passwords if possible, but if it
> isn't, I guess there isn't much I can do about it.

Being a wholesaler, I'm very familiar with the CHAP/PAP issues you are
facing.

The main problem is that Windows has a preference for CHAP ( go figure ).
During the PPP negotiation, the NAS offers an authentication method to
the client, PAP or CHAP.  The client can choose whether to reject the
offer to use the protocol and the NAS ( if configured to do so ) will
offer the remaining protocol.  If the client rejects both, then the
session is terminated.

The problem with Windows is that it can be made to reject PAP if offered
( via the 'Require Secure Password' option in DUN ), but it *cannot*
( as far as I am recently familiar, XP may be different ) be made to
reject CHAP.  Older Ascend and other NAS, while they support PAP and CHAP,
offer CHAP as the first option to the client.  Which, if it is Windows,
will happily accept and try to use.

Recent versions of Ascend TAOS, and Cisco IOS, and most other code now
offer the ability to configure the PAP/CHAP offering order, so that you
can offer PAP first, which makes the whole issue moot.

TAOS: ( introduced in 9.x or thereabouts )
  'pap-preferred' config option
IOS:
  'ppp authentication pap chap callin' in the 'interface' config

I'd ask your wholesaler why they require CHAP, as all recent software
now supports the ability to offer PAP before CHAP.

For the record, StarNet ( the wholesaler I work for ) offers PAP first,
CHAP second.  This allows both to be supported, as the users who want/need
CHAP can use it, while still allowing those that use PAP to not have to
convert.
-Chris
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
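
Why a CHAP request cannot simply be checked against a database of one-way password hashes, the question raised in this thread, shown as an added example (not code from the thread or from FreeRADIUS). It follows the CHAP response formula from RFC 1994; PBKDF2 is an assumed stand-in for the system password hash, and every password, salt and challenge is constructed.

```python
"""CHAP vs. PAP verification against stored credentials (added example).

Assumptions: hash_password() stands in for the one-way hash kept in a system
password database; all passwords, salts and challenges are constructed.
"""
import hashlib
import hmac


def chap_response(ident, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(chap_password_attr, challenge, secret):
    """Check a RADIUS CHAP-Password value: 1-byte ident + 16-byte response.

    The server must recompute the response itself, so 'secret' has to be the
    same byte string the client used, i.e. the cleartext password.
    """
    if len(chap_password_attr) != 17:
        return False
    ident, response = chap_password_attr[0], chap_password_attr[1:]
    return hmac.compare_digest(response, chap_response(ident, secret, challenge))


def hash_password(password, salt):
    """Stand-in for the one-way hash stored in a system password database."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def verify_pap(password_from_request, salt, stored_hash):
    """PAP delivers the password itself, so it can be hashed and compared."""
    candidate = hash_password(password_from_request, salt)
    return hmac.compare_digest(candidate, stored_hash)


def demo():
    """Run the three cases on constructed values and return the outcomes."""
    password = b"constructed-passw0rd"
    salt = b"constructed-salt"
    stored_hash = hash_password(password, salt)  # all the system DB holds

    challenge = bytes(range(16))  # constructed CHAP challenge
    ident = 0x2A
    # What the NAS would forward for a client that knows the password.
    attr = bytes([ident]) + chap_response(ident, password, challenge)

    return {
        # Server has the cleartext: the CHAP response can be recomputed.
        "chap_with_cleartext": verify_chap(attr, challenge, password),
        # Server has only the hash, client sent the password via PAP.
        "pap_with_stored_hash": verify_pap(password, salt, stored_hash),
        # Server has only the hash and tries to use it as the CHAP secret.
        "chap_with_stored_hash_only": verify_chap(attr, challenge, stored_hash),
        "pap_wrong_password": verify_pap(b"wrong", salt, stored_hash),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```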


Goodwin's Law ( was RE: Running on Mac OS X 10.3 )

2003-12-31 Thread Chris Parker
At 10:19 AM 12/31/2003, Cris Boisvert wrote:
> I Agree... I run .. Bsd, linux , and OSX.. The FR Install on linux is Easy..
> OS X is a Bear...
> If someone has the Knowledge to make a FR Installer for OSX that takes care
> of the library problems it would be great... Also..This thread would be
> ended.I would be really grateful too. Hehe
> Can't Everyone just get along..

Goodwin's Law [1] has been invoked.  Do not post any further messages to
this thread, as it is no longer a useful discussion.
Thanks,
-Chris
[1] http://members.tripod.com/~goodwin_2/law.html


Re: Running on Mac OS X 10.3

2003-12-31 Thread Chris Parker
At 11:07 PM 12/30/2003, Mike Horwath wrote:

> You stated:
>
> Dynamic linking on OS X is problematic.
>
> I countered your statement because I think you are full of shit.  And
> your retort so far has been childish at best.
>
> Now, your issue (and others) with FR and dynamic loading of modules is
> another issue, instead of your blanket statement.

Go play your semantically pedantic games elsewhere, this will be my
last response on this thread, as I sense the Nazis are coming.
-Chris


Re: Using FreeRadius 0.9.3 to provide a telnet session on UNIX or Windows

2003-12-30 Thread Chris Parker
At 06:15 PM 12/30/2003, MG wrote:
> Hi,
> I have configured the freeRADIUS 0.9.3 server on RedHat 9. I am required
> to use FreeRADIUS to authenticate valid users and give them a Telnet
> session on either another Unix(192.168.20.7) server or a Windows
> (192.168.20.14) server on the same network as my FreeRADIUS server. I
> configured my "users" file as below;
>
> unixuser   Auth-Type := Local, User-Password == "testunix"
>   Service-Type = Framed-User,
>   Framed-Protocol = PPP,
>   Login-Service = Telnet,
>   Login-TCP-Port = Telnet,
>   Login-IP-Host = 192.168.20.7

If you want to do a Telnet session you should not send back Framed
attributes, which tell the NAS to do PPP.

Try this syntax instead:

unixuser   Auth-Type := Local, User-Password == "testunix"
  Service-Type = Login-User,
  Login-Service = Telnet,
  Login-TCP-Port = Telnet,
  Login-IP-Host = 192.168.20.7
-Chris


Re: Running on Mac OS X 10.3

2003-12-30 Thread Chris Parker
At 05:11 PM 12/30/2003, Mike Horwath wrote:
> On Mon, Dec 29, 2003 at 11:05:51AM -0600, Chris Parker wrote:
> > Tell me what your experiences are.  Hint, one will run, one won't.
> > Which, is left as an exercise for the reader.
>
> Wow, great answer.

And *have* you tried it?  Or do you just offer conjectures with no
practical experience regarding running FreeRADIUS on OSX?  How much
time have you spent poking and tweaking FR to get it to run on OSX?
So far, your answer has been "other stuff runs on OSX, so it must
be something else".

> And you called me a troll?

Yep.  I did.

> Thanks, I'll just go back to lurking since it is obvious you don't
> want to answer the question with any details.

They've been hashed over many times in the list archives.

> And please, do not go looking at the problem with the dynamic linking
> issues either, that would be difficult I bet.

See the answer posted by another user RE the type of shared libs used
by Apple in OSX.  That has the detail you are looking for.

> And libtool?  Ack.  But whatever.

Got a better solution?  Please share.

> Back to lurking (after I am done with this thread).

Okay, bye.  If you have patches to contribute, or meaningful
suggestions on how to handle the dynamic loading problems on OSX,
please continue to post.  If not, *plonk*.

Cheers,
-Chris


Re: Running on Mac OS X 10.3

2003-12-29 Thread Chris Parker
At 10:53 AM 12/29/2003, Mike Horwath wrote:
> On Mon, Dec 29, 2003 at 10:26:09AM -0600, Chris Parker wrote:
> > At 10:23 AM 12/29/2003, Mike Horwath wrote:
> > >On Mon, Dec 29, 2003 at 10:19:56AM -0600, Chris Parker wrote:
> > >> Dynamic linking on OS X is problematic.  Rebuild/rerun configure with
> > >> --disable-shared.
> > >
> > >I have never heard of such a thing with 10.3...
> > >
> > >Care to pass out some pointers to your conclusions?
> >
> > Experience with it perhaps?
> >
> > Are you trolling or are you trying to postulate that dynamic linking
> > on 10.3 is just fine?
>
> I am no troll.
>
> Just because you haven't seen me post here doesn't mean I have not
> been reading messages in this list for years, or running an ISP for
> more than 10 years.

That's great, don't assume that we don't know what we're talking about
with getting FR to build just because some other software you've built
uses shared libraries on OS X.

> I ask that question because I have been doing development using
> different software under OS X now for over a year without a single
> problem I could attribute to dynamic linking and shared libraries.

Because the way that FR uses or attempts to use dynamic runtime linking
of the modules it uses is not compatible with OS X.

> I have rebuilt 95% of my software under 10.3 without hassle or problem
> including my own hacked up news server (based on Diablo) that is going
> to go into production (part of a side business I have).  Of course,
> this is far more I/O and bandwidth intensive than any RADIUS server :)

That's nice.  Does diablo use libtool?  If not, then whether it is
I/O or bw intensive is irrelevant as that was never the problem.

> So, uhm, now that we have determined I am not a troll, are you going
> to give more than a passing answer of 'experience' and provide some
> details?  I would love to test out these theories and see what can be
> done.

Download two copies of FR.  Configure one with './configure' and the
other with './configure --disable-shared'.

Tell me what your experiences are.  Hint, one will run, one won't.
Which, is left as an exercise for the reader.
-Chris


Re: Running on Mac OS X 10.3

2003-12-29 Thread Chris Parker
At 10:23 AM 12/29/2003, Mike Horwath wrote:
On Mon, Dec 29, 2003 at 10:19:56AM -0600, Chris Parker wrote:
> Dynamic linking on OS X is problematic.  Rebuild/rerun configure with
> --disable-shared.

I have never heard of such a thing with 10.3...

Care to pass out some pointers to your conclusions?

Experience with it perhaps?

Are you trolling or are you trying to postulate that dynamic linking
on 10.3 is just fine?
-Chris


Re: FreeRadius x MySQL using two databases

2003-12-29 Thread Chris Parker
At 04:41 AM 12/29/2003, Leandro Sant'ana wrote:
Anybody know how to use two databases with one FreeRadius to authenticate
two groups of users on different ports?

Edit the queries in your sql.conf, or run two instances of the SQL
module, one for each database.
-Chris


Re: Running on Mac OS X 10.3

2003-12-29 Thread Chris Parker
At 08:37 PM 12/28/2003, Farokh Irani wrote:
I managed to get 0.9.3 to compile under 10.3 (by the way the doc/MACOS 
file needs to be updated to include the change to src/include/sysutmp.h - 
adding "#undef HAVE_UTMP_H" before the line "#if defined(HAVE_UTMP_H) || 
defined(HAVE_UTMPX_H)" which I found out about in the Google search).

However, when I try to run radiusd -X, the last few lines are:
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
rlm_eap: Failed to link EAP-Type/md5: dlcompat: invalid handle
radiusd.conf[600]: eap: Module instantiation failed.

Any pointers on what might be going on would be appreciated.

Dynamic linking on OS X is problematic.  Rebuild/rerun configure with
--disable-shared.
-Chris