Re: Add default Service-Type Framed-Protocol to all users
Kenneth Grady [EMAIL PROTECTED] wrote:
> You could do it with the users file by adding a DEFAULT user re:
> DEFAULT Service-Type = Authenticate-Only, Framed-Protocol = PPP, Fall-through = yes

Thanks, it works!

Daniel
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
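For reference, here is how such a DEFAULT entry is laid out in the FreeRADIUS users file. This is an added illustration, not text from the list posts: in the users file, everything on the first line after the user name is a check item, and the following indented lines are reply items, so attributes the NAS should receive belong on the indented lines. The reply values below (Service-Type = Framed-User for a PPP session on the Cisco router) are an assumption about what Daniel's users need; the original post does not state the values it used.

```text
# Assumed DEFAULT entry: no check items, three reply items.
# Fall-Through = Yes lets a later, more specific entry still apply.
DEFAULT
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes
```

Reply items are comma separated, with no comma after the last one; a check item written with `:=` on the first line (for example `Auth-Type := LDAP`) sets a control attribute rather than matching the request.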
Add default Service-Type Framed-Protocol to all users
Hi there

I am using freeradius to authenticate and authorize users connecting to a cisco router. In my configuration freeradius uses ldap as the backend database. I have not defined Service-Type and Framed-Protocol in my ldap schemas. Now I need to add these two attributes for all users. How can I do that without modifying my ldap schemas and my ldap tree? Can I do that with the hints file?

Thanks,
Daniel
radius packet size
Hi there

If my freeradius server returns an access-accept packet with a length that exceeds 1472 bytes, authentication on the cisco router fails. It seems that the cisco does not receive or maybe cannot reassemble the packet. Does anyone know how I can fix this problem?

Thanks,
Daniel
Re: radius packet size
Josh Howlett [EMAIL PROTECTED] wrote:
> Try pinging the Cisco from the radius server with that packet size, and see the error message returned.

Thanks Josh! I saw that the firewall that is between the radius and the cisco did not allow fragmented packets. Now after changing this setting it works!

Daniel
Cisco-AVPair with ip inspect rule
Hi there

I'm using Cisco-AVPairs to return ACL filter rules to a Cisco NAS:

Cisco-AVPair = ip:inacl#1=permit icmp any any reflect icmp
Cisco-AVPair = ip:inacl#2=permit tcp any any eq 53 reflect dns-tcp
Cisco-AVPair = ip:inacl#3=permit udp any any eq 53 reflect dns-udp
Cisco-AVPair = ip:inacl#4=permit tcp any any eq 80 reflect http
... and so on ...

This works without any problem. The Cisco NAS has an IOS with firewall feature set and I want to inspect ftp connections. I have configured the following inspect rule:

ip inspect name ftp-connections ftp timeout 30

And I have assigned this rule to the virtual template from which all virtual interfaces are created:

interface virtual-template 1
 ip inspect ftp-connections in

By doing it like that, ftp connections on all virtual interfaces get inspected. There are a lot of these virtual interfaces and the CPU load on the cisco increases a lot. In fact only some of the virtual interfaces need to be inspected, therefore I would like to return the ip inspect in a Cisco-AVPair. Can this be done? And what does the syntax for such a Cisco-AVPair look like?

Thanks,
Daniel
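The two threads above are related: the more Cisco-AVPair lines a reply carries, the larger the Access-Accept, and once the UDP payload passes 1472 bytes (1500-byte Ethernet MTU minus 20 bytes IPv4 and 8 bytes UDP header) the datagram is fragmented, which is what the firewall in the packet-size thread was dropping. The following added example (not code from the list or from FreeRADIUS) encodes an Access-Accept with Service-Type, Framed-Protocol and a run of Cisco-AVPair vendor-specific attributes, computes the RFC 2865 Response Authenticator the NAS checks before accepting the reply, and predicts how many IP fragments the datagram will need. The shared secret, Request Authenticator and ACL rule text are constructed sample values; the 4096-byte ceiling is the RADIUS maximum packet length from RFC 2865.

```python
"""Encode a RADIUS Access-Accept with Cisco-AVPair VSAs and predict IP
fragmentation. Added example; the secret, request authenticator and ACL
lines are constructed sample data."""
import hashlib
import hmac
import struct
from typing import Dict, List

ETHERNET_MTU = 1500
IPV4_HEADER = 20
UDP_HEADER = 8
MAX_UNFRAGMENTED_PAYLOAD = ETHERNET_MTU - IPV4_HEADER - UDP_HEADER  # 1472 bytes
RADIUS_MAX_LENGTH = 4096        # RFC 2865 section 3
ACCESS_ACCEPT = 2
SERVICE_TYPE, FRAMED_PROTOCOL, VENDOR_SPECIFIC = 6, 7, 26
FRAMED_USER, PPP = 2, 1
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                # Cisco-AVPair is vendor attribute 1


def attribute(type_code: int, value: bytes) -> bytes:
    """Encode one RFC 2865 attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Cisco-AVPair inside a Vendor-Specific attribute (RFC 2865 section 5.26)."""
    data = text.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_part)


def access_accept(identifier: int, request_authenticator: bytes,
                  attributes: List[bytes], secret: bytes) -> bytes:
    """Code, Identifier, Length, Response Authenticator, attributes."""
    body = b"".join(attributes)
    length = 20 + len(body)
    if length > RADIUS_MAX_LENGTH:
        raise ValueError(f"RADIUS packet would be {length} bytes, above the 4096 limit")
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_response_authenticator(packet: bytes, request_authenticator: bytes,
                                  secret: bytes) -> bool:
    """The check a NAS performs before trusting an Access-Accept."""
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(received, expected)


def fragmentation_report(packet: bytes) -> Dict[str, int]:
    """How an IPv4 router with a 1500-byte MTU would fragment this datagram."""
    ip_payload = UDP_HEADER + len(packet)
    per_fragment = ETHERNET_MTU - IPV4_HEADER   # 1480, a multiple of 8
    fragments = -(-ip_payload // per_fragment)  # ceiling division
    return {"radius_length": len(packet),
            "fragmented": int(len(packet) > MAX_UNFRAGMENTED_PAYLOAD),
            "ip_fragments": fragments}


SAMPLE_SECRET = b"testing123"            # constructed
SAMPLE_REQUEST_AUTH = bytes(range(16))   # constructed, normally random per request


def build_sample(n_rules: int) -> bytes:
    """Access-Accept for a PPP user carrying n_rules constructed ACL lines."""
    rules = [f"ip:inacl#{i}=permit tcp any any eq {1000 + i} reflect app{i}"
             for i in range(1, n_rules + 1)]
    attrs = [attribute(SERVICE_TYPE, struct.pack("!I", FRAMED_USER)),
             attribute(FRAMED_PROTOCOL, struct.pack("!I", PPP))]
    attrs += [cisco_avpair(r) for r in rules]
    return access_accept(1, SAMPLE_REQUEST_AUTH, attrs, SAMPLE_SECRET)


if __name__ == "__main__":
    for n in (4, 30):
        print(n, "rules:", fragmentation_report(build_sample(n)))
```

Whether a fragmented reply actually arrives depends on every hop between server and NAS passing IP fragments; the test in this example only tells you that a reply of that size will need them. Keeping per-user ACLs short, or referencing an ACL already configured on the NAS instead of sending it line by line, keeps the reply under the unfragmented limit.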
Re: strange behavior of rlm_ippool
Daniel Eyholzer [EMAIL PROTECTED] wrote:
> I am using freeradius 1.0.0-pre3 with rlm_ippool managing the ip addresses for a cisco NAS. I have several address pools with 254 IPs each. When I started the radius 2 days ago, the rlm_ippool_tool showed me the correct number of active IP addresses, but today I saw that the output does not match the number of ip addresses that are active on the cisco. The rlm_ippool_tool shows only about 120 active addresses and there are about 254 active addresses (the pool is full) on the cisco. Strangely it all still seems to work, the radius does not assign the addresses that are active on the cisco, even if they are not listed in the output of the rlm_ippool_tool.

If I use the rlm_ippool_tool to show the addresses in one of these pools, which do not have the correct number of active addresses displayed, I see that the last line of the output is incomplete. There is only the NAS address and port, but no allocated ip address displayed:

...
NAS:192.168.128.12 port:0x643 - ipaddr:192.168.158.131 active:1 cli:0 num:1
NAS:192.168.128.12 port:0x3f4 - ipaddr:192.168.158.124 active:1 cli:0 num:1
NAS:192.168.128.12 port:0x4c8

How can I delete this last incomplete line from the db if there is no ip address? Also it does not allocate addresses from these pools anymore, even if there are a lot of unused addresses. It still seems to delete the addresses from users that disconnect. What could be the problem with these db files? Before this behavior occurred I used the rlm_ippool_tool with the -n option to add some entries, could that have corrupted my db files?

Thanks,
Daniel
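The mismatch described above (the pool tool listing fewer active leases than the NAS actually has, plus a truncated trailing entry) is the kind of thing worth checking with a script rather than by eye. The following added example, which is not code from the list or from FreeRADIUS, parses rlm_ippool_tool listing lines in the format shown in the post, flags entries that stop after the NAS address and port, and reconciles the pool's active set against the set of addresses the NAS reports as active. The listing text and the NAS address set are constructed sample data; how you obtain the NAS side (accounting records, or the router's own interface listing) is left to the reader and not assumed here.

```python
"""Reconcile rlm_ippool_tool listing output against addresses a NAS reports
as active. Added example with constructed sample data."""
import re
from typing import Dict, List, Set

# One lease per line, as printed by rlm_ippool_tool in the post above.
# The ipaddr/active/cli/num part is optional so truncated entries still match.
ENTRY_RE = re.compile(
    r"^NAS:(?P<nas>\S+) port:(?P<port>0x[0-9a-fA-F]+)"
    r"(?: - ipaddr:(?P<ip>\d+\.\d+\.\d+\.\d+) active:(?P<active>[01])"
    r" cli:(?P<cli>\d+) num:(?P<num>\d+))?$"
)

SAMPLE_LISTING = """\
NAS:192.168.128.12 port:0x643 - ipaddr:192.168.158.131 active:1 cli:0 num:1
NAS:192.168.128.12 port:0x3f4 - ipaddr:192.168.158.124 active:1 cli:0 num:1
NAS:192.168.128.12 port:0x3f5 - ipaddr:192.168.158.125 active:0 cli:0 num:0
NAS:192.168.128.12 port:0x4c8
"""  # constructed; the last line imitates the truncated entry from the post

# Constructed: what the NAS itself says is in use right now.
SAMPLE_NAS_ACTIVE: Set[str] = {"192.168.158.131", "192.168.158.124", "192.168.158.140"}


def parse_listing(text: str) -> Dict[str, List[dict]]:
    """Split listing lines into complete entries, truncated entries and junk."""
    complete, truncated, unparsed = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            unparsed.append(line)
        elif m.group("ip") is None:
            truncated.append({"nas": m.group("nas"), "port": int(m.group("port"), 16)})
        else:
            complete.append({"nas": m.group("nas"), "port": int(m.group("port"), 16),
                             "ip": m.group("ip"), "active": m.group("active") == "1",
                             "num": int(m.group("num"))})
    return {"complete": complete, "truncated": truncated, "unparsed": unparsed}


def reconcile(listing: str, nas_active: Set[str]) -> Dict[str, object]:
    """Compare the pool's active leases with the NAS's active addresses."""
    parsed = parse_listing(listing)
    pool_active = {e["ip"] for e in parsed["complete"] if e["active"]}
    return {
        "pool_active": len(pool_active),
        "nas_active": len(nas_active),
        "truncated_entries": len(parsed["truncated"]),
        "unparsed_lines": len(parsed["unparsed"]),
        # Addresses the NAS is using that the pool no longer knows about:
        # these are the leases that would be handed out twice after a restart.
        "on_nas_not_in_pool": sorted(nas_active - pool_active),
        # Leases the pool still holds although the NAS has released them.
        "in_pool_not_on_nas": sorted(pool_active - nas_active),
        "consistent": (not parsed["truncated"] and not parsed["unparsed"]
                       and nas_active == pool_active),
    }


if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_LISTING, SAMPLE_NAS_ACTIVE).items():
        print(f"{key}: {value}")
```

A non-empty `on_nas_not_in_pool` list is the dangerous direction: those addresses look free to the pool, so the check is worth running before trusting a pool database that has shown truncated entries.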
LDAP and CHAP
Hi there

I'm using 1.0.0-pre3 to authenticate users with ldap as backend. In the LDAP-tree I have md5 passwords. When I configure the Network Access Server to use PAP it works fine, but with CHAP it does not work. I have read that CHAP cannot be used with encrypted passwords in the database, is that true? Is there no chance of using CHAP with md5 passwords in the LDAP-tree?

I would be most grateful for any comments!

Regards,
Daniel
Re: LDAP and CHAP
Mitchell, Michael [EMAIL PROTECTED] wrote:
> In short, yes you need a clear text password at the server end.

Okay.

> b) use a reversible encryption algorithm to store your passwords, and modify the rlm_ldap code to decrypt the user password as it pulls it out of ldap.

This feature is not implemented yet?

Thanks,
Daniel
Re: LDAP and CHAP
Mitchell, Michael [EMAIL PROTECTED] wrote:
> Well its not a standard feature of freeRADIUS, and quite possibly shouldn't be, so probably never will be. ;-)

Why isn't it a standard feature? Is there an obvious reason? Are you all storing your password in clear text in LDAP or whatever backend you use? Or are you just not using CHAP for authentication?

Daniel
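The reason behind the answer in this thread is mechanical, and a few lines of code show it more clearly than prose. With PAP the NAS sends the password itself (obfuscated with the shared secret as in RFC 2865 section 5.2), so the server can decode it and compare its MD5 with the stored hash. With CHAP the NAS sends only CHAP-Ident followed by MD5(Ident || password || challenge) (RFC 1994 section 4.1, carried in the CHAP-Password attribute of RFC 2865 section 5.3); to recompute that value the server needs the password bytes, and a stored MD5(password) is no help. The following added example (not code from the list or from FreeRADIUS) implements both verifications side by side. The password, identifier, challenge, secret and Request Authenticator are constructed sample values.

```python
"""PAP versus CHAP verification on the RADIUS server side.
Added example with constructed sample values."""
import hashlib
import hmac
import os

# --- PAP: User-Password obfuscation from RFC 2865 section 5.2 -------------

def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16 or 0)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse of encode_user_password; yields the cleartext."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def verify_pap_with_md5_store(encoded: bytes, secret: bytes, request_auth: bytes,
                              stored_md5: bytes) -> bool:
    """Works with a hashed store: the server has the cleartext to hash."""
    cleartext = decode_user_password(encoded, secret, request_auth)
    return hmac.compare_digest(hashlib.md5(cleartext).digest(), stored_md5)


# --- CHAP: RFC 1994 section 4.1, RFC 2865 sections 5.3 and 5.40 ----------

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """MD5(Ident || password || challenge), computed by the client."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attribute(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the CHAP-Password attribute: Ident(1) + Response(16)."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap_with_cleartext(chap_password: bytes, challenge: bytes,
                               stored_cleartext: bytes) -> bool:
    """Only possible because the server holds the cleartext password."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(response, expected)


def verify_chap_with_md5_store(chap_password: bytes, challenge: bytes,
                               stored_md5: bytes, candidates) -> bool:
    """With only MD5(password) on file the server cannot compute the expected
    response directly; the best it can do is guess passwords from a candidate
    list and check each guess against both the store and the CHAP response.
    This is a brute force, not an authentication method."""
    ident = chap_password[0]
    for guess in candidates:
        if (hmac.compare_digest(hashlib.md5(guess).digest(), stored_md5)
                and hmac.compare_digest(chap_response(ident, guess, challenge),
                                        chap_password[1:])):
            return True
    return False


# Constructed sample values.
SAMPLE_PASSWORD = b"s3cret-pw"
SAMPLE_SECRET = b"testing123"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_CHALLENGE = bytes(range(16, 32))
SAMPLE_IDENT = 7
STORED_MD5 = hashlib.md5(SAMPLE_PASSWORD).digest()


if __name__ == "__main__":
    enc = encode_user_password(SAMPLE_PASSWORD, SAMPLE_SECRET, SAMPLE_REQUEST_AUTH)
    print("PAP  with md5 store:", verify_pap_with_md5_store(enc, SAMPLE_SECRET, SAMPLE_REQUEST_AUTH, STORED_MD5))
    cp = chap_password_attribute(SAMPLE_IDENT, SAMPLE_PASSWORD, SAMPLE_CHALLENGE)
    print("CHAP with cleartext:", verify_chap_with_cleartext(cp, SAMPLE_CHALLENGE, SAMPLE_PASSWORD))
    print("CHAP with md5 store:", verify_chap_with_md5_store(cp, SAMPLE_CHALLENGE, STORED_MD5, [b"guess", os.urandom(8)]))
```

The last function is also the attacker's view of CHAP: anyone who captures a challenge and response can run the same candidate loop offline, which is the usual argument for preferring stronger methods where the transport between NAS and client is not otherwise protected.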
Re: Logging to syslog
On Sun, 04 Jul 2004 10:15:34 -0400 Alan DeKok [EMAIL PROTECTED] wrote:
> http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/raddb/radiusd.conf.in
> The log_destination directive was added to the server *after* the 1.0.0 branch was created.

So this feature will not be in the final 1.0.0 release?

> I don't know why you're trying to use those directives in 1.0.0-pre3, they're not in the default configuration file, and they won't work.

Oh, I must have mixed up the configuration files.

Thanks,
Daniel
Re: Logging to syslog
On Sun, 4 Jul 2004 00:10:36 +0200 Daniel Eyholzer [EMAIL PROTECTED] wrote:
> I'm trying to let freeradius 1.0.0-pre3 log to syslog, but it does not seem to work. I have tried both, setting the log_destination to syslog and starting radiusd with the -l syslog option, but nothing gets logged by syslog. I have read that this feature is known not to be working, is that still true for 1.0.0-pre3? Or has anyone managed to get freeradius to log to syslog?

Setting the logdir variable in radiusd.conf to syslog does work, but I don't think that's the correct way to do it. With this setting it no longer writes the debugging output to stdout if I use the -X option, the debugging output is then written to syslog. The log_destination variable and log { ... } section in radiusd.conf seem to be ignored, I have to set the syslog facility with the -g option when I start radiusd.

Any comments?

Daniel
Re: ippool with non subsequent address ranges
On Thu, 1 Jul 2004 12:27:22 +0300 (EEST) Kostas Kalevras [EMAIL PROTECTED] wrote:
> Do a cvs update on the ippool module or wait for tomorrow's CVS snapshot. Then you can set Pool-Name to DEFAULT and it will match all of the ippool module instances.

I have tested the updated ippool module, but it did not work. In fact it does not work at all anymore with the change that has been made to the source code. It always returns noop because an if condition is wrong. I have slightly changed this if condition to make it work. The patch is attached.

Cheers,
Daniel

patch-rlm_ippool
Description: Binary data
ippool with non subsequent address ranges
Hi there

I am using FreeRADIUS Version 0.9.3 and I need to set up an ippool with addresses that are not subsequent. I have two ranges of addresses, say 192.168.2.0/24 and 192.168.6.0/24. According to what I have read I can set only one range-start and one range-stop parameter for a single ippool. Therefore it is not feasible to create an ippool with addresses from different ranges that are not subsequent, am I right with this assumption?

I have tried to solve this problem by creating two separate ippools for each of the two ranges. In the post-auth section I set the following:

post-auth {
        # Get an address from the IP Pool.
        redundant {
                mypool1
                mypool2
        }
}

But this does not seem to work, because I cannot add more than one Pool-Name check item attribute for a single user, can I? If a user has set his Pool-Name attribute to mypool1 and mypool1 has no more addresses available, he will not get any addresses, because he was never assigned to mypool2. Therefore mypool2 will always return noop for the request.

Does anyone have a similar setup and know how to solve this problem? I have searched the net and the mailing list, but did not find any working solution. I would be most grateful for any hints!

Regards,
Daniel
Re: ippool with non subsequent address ranges
On Thu, 1 Jul 2004 12:27:22 +0300 (EEST) Kostas Kalevras [EMAIL PROTECTED] wrote:
> Do a cvs update on the ippool module or wait for tomorrow's CVS snapshot. Then you can set Pool-Name to DEFAULT and it will match all of the ippool module instances.

Thanks for your reply, Kostas, I will try that. But which pool will it choose first by default, will it be the first one listed in the post-auth section? I'm asking that because I have some other pools in my config and users with the Pool-Name set to DEFAULT should not pick an address from these other pools. If it tries every pool listed in the post-auth section, beginning with the one at the top, I will be okay until the default pools have no more addresses available, but then I will get into trouble because it will pick an address from the next pool, is that right?

Anyway, in my setup it will not really matter because there should always be enough addresses for all users in the default pools. Therefore I think that the Pool-Name set to DEFAULT will solve my problem.

Best regards,
Daniel