Forging a RADIUS request within a module

2008-12-12 Thread Geoffroy Arnoud
Hi all,

During the authentication process, I need to send an Accounting-Start to a
network equipment when the authentication is successful (when processing the
Access-Request), before sending the Access-Accept back.

Is it possible to create the Accounting-Request from inside a module and post
it as an event, to let the FreeRADIUS core manage processing/sending it?
If not, I will have to trigger an external radiusclient to do the job.

Thanks for your answers.
Geoff.



  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Forging a RADIUS request within a module

2008-12-12 Thread Geoffroy ARNOUD
> > During authentication process, I need to send an Accounting-Start to a
> > network equipment
>
> Just out of interest - what is network equipment going to do with the
> accounting request?

It's a network filtering appliance. The Accounting-Request ships
attributes that say which filtering policy must be applied to the user
traffic.

Geoff.


Re: Forging a RADIUS request within a module

2008-12-12 Thread Geoffroy ARNOUD
> And you are absolutely sure that you are supposed to send it an
> Accounting-Request and not proxy Access-Request? Considering that
> filtering policies are a part of the access setup that would make much
> more sense.

Yes I am. Actually, the appliance works like this, and it is not the same
box as the NAS.
We are already connected to it and we use radclient to send the
Accounting-Request to it. But as a migration from FreeRADIUS 1.1.3
to 2.1.x may occur, I am looking at whether the behaviour could be
changed or not.

Geoff.


EAP-SIM authentication / Supplicant

2008-07-22 Thread Geoffroy Arnoud
Hi all,

I am trying to use FreeRADIUS to authenticate a wireless device using EAP-SIM.

Currently, my SIM card can be authenticated using a Cisco supplicant
(eap-sim-draft-v5) with a Cisco Access Registrar RADIUS server
(eap-sim-draft-v5) that gets SIM triplets from an ITP and an HLR simulator.

I extracted the triplets from the HLR and injected them into the FreeRADIUS
rlm_sim_files module.
I use another laptop, with a Centrino chipset and the Intel EAP-SIM supplicant.

The FreeRADIUS server receives the EAP message and sends back a Challenge.
The supplicant answers the challenge.
FreeRADIUS then sends back the same challenge.
The supplicant stops.

I would like to know whether someone uses EAP-SIM, and which supplicant is used.

Regarding RFC compliance, I assume that FreeRADIUS is eap-sim-draft-v12
compliant (present in the RFC directory).
The Intel supplicant can be RFC compliant.

Here is my config:

sites-enabled/default:

authorize {
    eap {
        ok = return
    }
    sim_files
}
authenticate {
    eap
}
preacct {
}
accounting {
}
session {
}
post-auth {
}
pre-proxy {
}
post-proxy {
}


simtriplets.dat :

[EMAIL PROTECTED],,01234567,89ABCDEFFEDCBA98
[EMAIL PROTECTED],,01234567,89ABCDEFFEDCBA98
[EMAIL PROTECTED],,01234567,89ABCDEFFEDCBA98

I know that the triplets are identical, but it is the exact content of my HLR.


FreeRADIUS debug output :

rad_recv: Access-Request packet from host 10.67.141.66 port 1647, id=18, 
length=282
User-Name = [EMAIL PROTECTED]
Framed-MTU = 1400
Called-Station-Id = 001a.6cf3.fd90
Calling-Station-Id = 0013.ce0d.e627
Cisco-AVPair = ssid=MySSID
Service-Type = Login-User
Message-Authenticator = 0xc30522798ef5169cf5e0c3807650d0ca
EAP-Message = 
0x02010037013131303230333034303530363037303840696d732e6d6e633033302e6d63633130322e336770706e6574776f726b2e6f7267
Cisco-NAS-Port = 611
NAS-Port = 611
NAS-Identifier = AP4
Proxy-State = 0x535347
Proxy-State = 0x323234
NAS-IP-Address = 10.67.106.62
Event-Timestamp = Jul 22 2008 07:58:15 GMT
NAS-Port-Type = Wireless-802.11
WISPr-Location-Name = unknown
Proxy-State = 0x3432
+- entering group authorize
  rlm_eap: EAP packet type response id 1 length 55
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_sim_files: authorized user/imsi [EMAIL PROTECTED]
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type sim
  rlm_eap: Underlying EAP-Type set EAP ID to 23
++[eap] returns handled



Sending Access-Challenge of id 18 to 10.67.141.66 port 1647
EAP-Message = 0x01170014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x9ef748f79ee05ae75aadbce935e2f4b8
Proxy-State = 0x535347
Proxy-State = 0x323234
Proxy-State = 0x3432
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.





rad_recv: Access-Request packet from host 10.67.141.66 port 1647, id=19, 
length=333
User-Name = [EMAIL PROTECTED]
Framed-MTU = 1400
Called-Station-Id = 001a.6cf3.fd90
Calling-Station-Id = 0013.ce0d.e627
Cisco-AVPair = ssid=MySSID
Service-Type = Login-User
Message-Authenticator = 0xd4899c4bcc876e21712e13b045ea773f
EAP-Message = 
0x02170058120a0e0e00323131303230333034303530363037303840696d732e6d6e633033302e6d63633130322e336770706e6574776f726b2e6f7267100100010705e05543a4f8463a935b25152720718715
Cisco-NAS-Port = 611
NAS-Port = 611
State = 0x9ef748f79ee05ae75aadbce935e2f4b8
NAS-Identifier = AP4
Proxy-State = 0x535347
Proxy-State = 0x323235
NAS-IP-Address = 10.67.106.62
Event-Timestamp = Jul 22 2008 07:58:15 GMT
NAS-Port-Type = Wireless-802.11
WISPr-Location-Name = unknown
Proxy-State = 0x3433

+- entering group authorize
  rlm_eap: EAP packet type response id 23 length 88
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated

rlm_sim_files: authorized user/imsi [EMAIL PROTECTED]
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/sim
  rlm_eap: processing type sim
+++ EAP-sim decoded packet:
User-Name = [EMAIL PROTECTED]
Framed-MTU = 1400
Called-Station-Id = 001a.6cf3.fd90
Calling-Station-Id = 0013.ce0d.e627
Cisco-AVPair = ssid=MySSID
Service-Type = Login-User
 

EAP-SIM and EAP-AKA fast-reauth support

2008-07-08 Thread Geoffroy Arnoud
Hi all,

I have a question about EAP-SIM and EAP-AKA authentication.
Is fast-reauthentication supported (in eap or eap2 module)?

Thanks in advance for your answers.

Geoff.



  


FreeRADIUS and SNMP questions

2007-10-23 Thread Geoffroy Arnoud
Hi all,

I have 2 questions regarding FreeRADIUS and SNMP:

1/ Is it possible to run 2 FreeRADIUS servers on the
same box, with SNMP support activated? I understand
it's possible, using distinct values for the smux_password
parameter.

2/ Connecting FreeRADIUS to Net-SNMP using SMUX is
quite easy. Has anyone connected FreeRADIUS with the BMC
Patrol agent using SMUX?

Thanks for any answer

Geoff.


  


RE : Re: Wimax VSA support

2007-10-17 Thread Geoffroy Arnoud

> > Another question is, does the wimax forum dictate what
> > to be done with these attributes in radius server ?
>
>   Yes.  The WiMAX NWG specification has detailed requirements.  You need
> to be a member of the WiMAX forum to obtain the specifications, I believe.

Since v1, the specifications are freely available on the
WiMAX forum web site:
http://www.wimaxforum.org/technology/documents/

Geoff.


  


Re : radsniff bug in 2.0.0-pre2?

2007-09-17 Thread Geoffroy Arnoud
Hello

I have 2 more problems (not necessarily bugs) with radsniff.

1- I can't enter a RADIUS attribute filter. I can't figure out what the
syntax is. I tried stuff like -r User-Name = toto and other types of operators,
but I still get the message
radsniff: Invalid RADIUS filter

2- I can't redirect the output to a file. I tried >, >>, 2>, 1>, 2>&1, tee,
but at each attempt, my log file is empty. Any hint?

Thank you in advance for your answers

Geoff.



  


Re : Re : radsniff bug in 2.0.0-pre2?

2007-09-17 Thread Geoffroy Arnoud
OK, the first problem comes from the fact that there is no call to fflush.

The patch is:

210a211,213
   /* BEGIN_GAO */
   fflush(stdout);
   /* END_GAO */
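Review bot: the /* BEGIN_GAO */ and /* END_GAO */ marker comments at 210a211,213 should be dropped before this is submitted; the tree carries no per-author ownership markers, so the bare fflush(stdout); is the whole change. Since stdout is only fully buffered when it is redirected to a file or pipe (exactly the case the previous mail describes), a single setvbuf(stdout, NULL, _IOLBF, 0); at startup would give the same result without a flush at every output site.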
336a340,342
   /* BEGIN_GAO */
   fflush(stdout);
   /* END_GAO */
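Review bot: the identical three-line block at 336a340,342 duplicates the first hunk; if both sites are the end of a decoded-packet print, one flush in the shared output path (or the setvbuf approach) keeps the fix in one place and avoids a third print site being missed later.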

Geoff.



  


radsniff bug in 2.0.0-pre2?

2007-09-14 Thread Geoffroy Arnoud
Hi all,

I am testing radsniff, and I have the following
behaviour:

When launching radsniff with the following input, the
program crashes (FreeRADIUS v2.0.0-pre2)

[EMAIL PROTECTED] bin]# ./radsniff -f udp
Device: [eth0]
PCAP filter: [udp]
RADIUS secret: [testing123]

*** glibc detected *** free(): invalid pointer:
0x08120dbc ***
Aborted


It seems that radsniff crashes when it tries to decode
packets that are not RADIUS ones (DNS requests for
example).

If the filter is very restrictive and matches only
the RADIUS ports in use, it works fine.
I just have a problem with a RADIUS request used by my
RADIUS load balancer to test my servers' status (server
version 1.1.3).
The request used is a Status-Server request. The
content of the request is the following:

[EMAIL PROTECTED] ~]# tcpdump -X udp and host 10.67.106.3
tcpdump: verbose output suppressed, use -v or -vv for
full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 96 bytes



06:36:26.078778 IP 10.67.106.3.57084 > rafale.50812:
UDP, length 26
0x:  4500 0036   ff11 d32b 0a43
6a03  E..6...+.Cj.
0x0010:  0a43 6a02 defc c67c 0022 7932 0c01
001a  .Cj|.y2
0x0020:  0fc2 4720 8f36 9096 d8b9 f507 de5d
811d  ..G..6...]..
0x0030:  0406 0aa2 39c3   
   9.
06:36:26.079186 IP rafale.50812 > 10.67.106.3.57084:
UDP, length 49
0x:  4500 004d  4000 4011 5215 0a43
6a02  [EMAIL PROTECTED]@.R..Cj.
0x0010:  0a43 6a03 c67c defc 0039 e8d5 0201
0031  .Cj..|...9.1
0x0020:  8605 feab 8157 42de 0bad 532a c113
9148  .WB...S*...H
0x0030:  121d 4672 6565 5241 4449 5553 2075
7020  ..FreeRADIUS.up.
0x0040:  3020 6461 7973 2c20 3232 3a34 34 
   0.days,.22:44

With this issue, to make radsniff work, I have to
exclude my load balancer's source IP address from the
PCAP filter:
udp port 1812 or 1813 or 1814 and host not IP_SRC_LB
(my load balancer performs NAT of the server, so I
still see the packets from my clients).

Furthermore, would the community be interested in
having the date of the packet (in the same format as
in radius.log) and the packet id?
I think the patch is not much work.



  


RE : radsniff bug in 2.0.0-pre2?

2007-09-14 Thread Geoffroy Arnoud

> The request used is a Status-Server request. The
> content of the request is the following :

I have just tested sniffing a Status-Request
generated by radclient (v2.0.0-pre2), and radsniff
crashes the same way.

Regards,
Geoffroy


  


Re : FreeRADIUS 2.0.0-pre2 has been released

2007-09-14 Thread Geoffroy Arnoud
I have a question on virtual servers: can the same instance of a module
(rlm_detail for example) be used in 2 different virtual servers?

How are NO_THREAD_SAFE modules managed in this case (rlm_detail for example)?


Thanks

Geoff.



  


RE : Re: FreeRadius 2.0 proxy question - home_server auth and acct server?

2007-05-15 Thread Geoffroy Arnoud
> Brian Walters wrote:
> > With the new 2.0 release do we have to make 2 entries for each home
> > server? 1 for auth packets and 1 for acct packets?
>
>   Yes, because they are *different* servers.  They may be different
> programs that share no memory or configuration.
>
>   Or, you can continue to use the old-style accthost and authhost
> directives in the realms section.  The server may complain in
> debugging mode, but it will work.

Even in 1.1, FreeRADIUS makes the distinction between
auth and acct hosts for remote servers, when marking
them dead.

Geoff.


  


Synchronous proxy behaviour question

2007-03-26 Thread Geoffroy Arnoud
Hi all,

I have a small question on FreeRADIUS behaviour when
acting as a synchronous proxy:
Are the modules re-executed when a retransmission is
received, or is the forwarded request re-sent using
the cache?

I also have a 2nd question, not regarding proxying:
While processing an Access-Request, if a module
decides to discard it, will the NAS retransmissions
of this request be discarded as well, or could we get a
chance of executing the modules again?

Thanks in advance

Geoff.








clients.conf shortname

2007-03-14 Thread Geoffroy Arnoud
Hi All,

I have a quick question on the shortname attribute for
clients: must it be unique among all clients?

Thanks in advance for your answers

Geoff.








RE : rlm_python

2007-01-29 Thread Geoffroy Arnoud
> Hi Guys
>
> Is anyone actually using rlm_python in production?

We do, but with a home-made module, based on the corrected
module stored in Bugzilla.
We made adjustments in it to meet our customer's needs,
and it is therefore not reusable.

Nevertheless, we did correct memory leaks, threading
issues and accent problems in it, but I don't think
it would be easy to retrofit them into the standard module.

Geoff.








Bug on Accounting-Requests proxying

2006-10-27 Thread Geoffroy Arnoud
FreeRADIUS 1.1.3 bug - Accounting requests re-emission by FreeRADIUS

In file main\request_list.c, function refresh_request.

In the case of an accounting request (request->proxy->code ==
PW_ACCOUNTING_REQUEST), FreeRADIUS adds to the proxied packet the
attribute Acct-Delay-Time (or updates it, if it was present in the
previous emission) with its value set to the time difference between the
current time and the time of the initial proxied request.

According to RFC 2866, chapter 4.1 :

The Identifier field MUST be changed whenever the content of the 
Attributes field changes, and whenever a valid reply has been received 
for a previous request.  For retransmissions where the contents are 
identical, the Identifier MUST remain unchanged.

Note that if Acct-Delay-Time is included in the attributes of an 
Accounting-Request then the Acct-Delay-Time value will be updated when 
the packet is retransmitted, changing the content of the Attributes 
field and requiring a new Identifier and Request Authenticator.

FreeRADIUS updates the content of the packet when re-emitting the
accounting request, but does not change the Identifier. Thus, those
packets sent after the first one are *not* true re-emissions.

This is a problem for us. For instance, we have the following setup:

A client (A) sends an accounting request to FreeRADIUS (B), which
retransmits the request to a proxy FreeRADIUS server (C). FreeRADIUS C
is slow to respond, so FreeRADIUS B re-emits the request, with different
packet attributes (Acct-Delay-Time added), but keeps the same identifier.

FreeRADIUS C receives the second request, but discards it since it has
the same identifier as the request currently being processed. FreeRADIUS
C then finally decides to respond (to the first request). FreeRADIUS B
receives this response, and verifies whether the request (the re-emission)
and the response match. They do not, thus FreeRADIUS B drops the response
and logs an error.

FreeRADIUS should either:
- NOT add the Acct-Delay-Time attribute in accounting re-emissions, thus
preserving the content of the attributes in the packet,
- or add an Acct-Delay-Time, but change the identifier and handle the
proxied packet as a new request.

The second solution seems overly complicated, because FreeRADIUS would
have to handle the second proxied request as a completely new request,
but would also have to keep the first one, as the proxy server can respond
to any of the re-emissions.

The first solution is very simple to implement: it simply involves
removing the block if (request->proxy->code == PW_ACCOUNTING_REQUEST)
{ in function refresh_request of file main\request_list.c.

I don't know if the Acct-Delay-Time attribute is really useful to someone;
I've never seen it used in any implementation of a RADIUS server.
Anyhow, it seems way too much hassle to correctly handle this attribute
in accounting re-emissions.

If there is any objection, we will develop a patch to remove
Acct-Delay-Time and provide it soon.

Best regards,

Geoff.








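The A/B/C scenario in the post above, as an added Python model of mine (not FreeRADIUS code): B builds an Accounting-Request, re-sends it with an updated Acct-Delay-Time, and then tries to match the late Accounting-Response from C. The attribute numbers and authenticator formulas are those of RFC 2865/2866; the shared secret and attribute values are constructed.

```python
import hashlib
import struct

# Constructed model, not FreeRADIUS code: proxy B re-sends an Accounting-Request
# to home server C, as described in the bug report.
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
USER_NAME = 1            # RFC 2865 attribute types
ACCT_STATUS_TYPE = 40    # RFC 2866
ACCT_DELAY_TIME = 41


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_request(ident, attrs, secret):
    """Accounting-Request. RFC 2866 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def build_response(request, secret):
    """Accounting-Response from C (no attributes): Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def response_matches(response, request, secret):
    """What B checks on a reply: same Identifier, and the Response
    Authenticator must verify against the Request Authenticator B stored."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected


def with_delay(attrs, delay):
    """Add or update Acct-Delay-Time, which is what refresh_request() does
    to a proxied Accounting-Request before re-sending it."""
    kept = [(t, v) for t, v in attrs if t != ACCT_DELAY_TIME]
    return kept + [(ACCT_DELAY_TIME, struct.pack("!I", delay))]


def simulate(update_delay, new_identifier):
    """Return what B observes once C finally answers the *first* copy.
    update_delay=True, new_identifier=False is the 1.1.3 behaviour reported."""
    secret = b"testing123"                      # constructed shared secret
    attrs = [(USER_NAME, b"geoff"), (ACCT_STATUS_TYPE, struct.pack("!I", 1))]
    first = build_request(7, with_delay(attrs, 0), secret)
    retrans = build_request(8 if new_identifier else 7,
                            with_delay(attrs, 5 if update_delay else 0), secret)
    reply = build_response(first, secret)       # C replies to the first copy
    return {
        "same_identifier": first[1] == retrans[1],
        "same_authenticator": first[4:20] == retrans[4:20],
        "reply_matches_retransmission": response_matches(reply, retrans, secret),
        "reply_matches_first": response_matches(reply, first, secret),
    }


if __name__ == "__main__":
    for mode in ((False, False), (True, False), (True, True)):
        print(mode, simulate(*mode))
```

Only the first row (identical re-send, same Identifier) lets B match C's reply against its latest copy; once Acct-Delay-Time changes, B must either keep the first Request Authenticator or treat the new Identifier as a new request.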


Re : 1.1.3 on Solaris 10 (sparc)

2006-08-29 Thread Geoffroy Arnoud
> I am quite pleased to report I have, with minimal discomfort, version 1.1.3
> running on Solaris 10.
>
> The source actually compiles perfectly once OS dependencies etc. are met.
> I will share a few tips here for any who may be attempting the same.
> My main goal was LDAP functionality.  Other bells and whistles might require
> additional steps.
> Please forgive the Solaris info here, it is dangerously close to being
> off-topic... except that you need it to install freeradius.

I suggest that those tips should be stored in the docs directory under
FreeRADIUS CVS.

Geoff.




Re : Auth-Type discussion

2006-08-07 Thread Geoffroy Arnoud
Hi all,

Maybe my mail will be out of the discussion, but we plan in the middle term to
migrate an existing AAA system from a commercial software to FreeRADIUS.
We already made a prototype to check the feasibility (the existing system performs
authentication against Oracle database stored procedures).

The result of our analysis is that Auth-Type, Post-Auth-Type and Acct-Type are
interesting features. Actually, we have several types of users (local prepaid,
local postpaid, users to proxy to their home AAA, and postpaid and prepaid
users connecting from other networks, so RADIUS traffic is received from a
partner AAA).
All authentication is planned to be done with custom modules, and in order to
have good software maintainability, we plan to make 1 module per traffic type
(local prepaid, local postpaid...) + 1 module for traffic identification.
Therefore we are likely to use the Auth-Type (and thus Acct-Type) feature.

Knowing that Auth-Type is likely to disappear may not be good news for our
foreseen implementation.

Any comments will be welcome.

Regards,
Geof.




Synchronous Proxy mode

2006-08-01 Thread Geoffroy Arnoud
Hi,

I have observed the following behaviour with FreeRADIUS 1.0.2, working in proxy
mode, with synchronous set to YES:
If the realm server is not responding, after max_request_time has expired, the
request is rejected, and the realm is marked as dead. I tried to add a backup
server to the realm, and actually, the other incoming requests are sent to the
secondary server (until dead_time has expired).

My questions are:
1/ Is this behaviour known? As it is stated in proxy.conf: "Additionally,
if you want 'failover' to work, the server must manage retries and timeouts.
Therefore, if this is set to yes, then no failover functionality is possible."
2/ Is it still present in the current stable (1.1.2)?

Thank you for any answer.

Best regards,
Geof.




rlm_detail performance

2006-06-16 Thread Geoffroy Arnoud
Hi all,

I have a question for those who use the rlm_detail module. I saw in the source code
that this module is thread unsafe. My understanding is that this will not prevent
FreeRADIUS from running multi-threaded, but that only one thread will be able to log
details at a time. Am I right?

Second question: does anybody use rlm_detail on a production platform? If yes,
what is the request rate that can be supported nicely?

Many thanks for any testimonial.

Geof.




listening interface configuration

2006-06-01 Thread Geoffroy Arnoud
Hi,

I am going to configure FreeRADIUS as a RADIUS proxy. My proxy will have to
listen on a couple of ports on 2 interfaces, so I set the following
configuration in radiusd.conf:

listen {
    ipaddr = IP1
    port = 1812
    type = auth
}
listen {
    ipaddr = IP1
    port = 1813
    type = acct
}
listen {
    ipaddr = IP2
    port = 1812
    type = auth
}
listen {
    ipaddr = IP2
    port = 1813
    type = acct
}

When I start FreeRADIUS, I get the following

...
Listening on authentication IP1:1812
Listening on accounting IP1:1813
Listening on authentication IP2:1812
Listening on accounting IP2:1813
Listening on proxy IP1:1814
...


If I understand correctly, packets coming in on IP2 will be forwarded through IP1, right?

Is there a configuration solution to make packets coming in on IP2 be
forwarded through IP1, or is FreeRADIUS limited to only one proxy ip/port?

Thank you in advance,

Geof.




proxy_fail_type attribute

2006-06-01 Thread Geoffroy Arnoud
Hi,

I just got the last CVS update, and I discovered a hidden attribute in
mainconfig.c, named proxy_fail_type.
By reading the source code, my understanding is that setting this attribute to
fail (for example) in proxy.conf, and setting the value fail for
Post-Proxy-Type in dictionary.freeradius.internal, will allow FreeRADIUS to
execute a module when the proxying of a request failed (no response from the
server or other cases).

My 1st question:
- Am I right (or near to the truth)?

I saw that this was not shipped in 1.1.2. But this feature appeared by the
end of 2004. So my 2nd and 3rd questions are:
- Has anyone used or is anyone using this feature in a production deployment?
- Is this feature planned to be shipped in 1.2.x?

Thank you in advance.

Geof.




VSA encoding

2006-05-24 Thread Geoffroy Arnoud
Hi all,

I have a question regarding Vendor-Specific attribute encoding: what types of
smart encoding are supported by radclient (and thus FreeRADIUS)? I mean, I
know I can use TLV-encoded VSAs, as described in the RFC, for example:

WISPr-Redirection-URL=http://www.google.fr
or
Cisco-Account-Info=QT600

For VSAs encoded only with Vendor-ID and String, I can use the syntax:
Vendor-Specific=0x0009FC140256305a31393939406f72616e67652e6672
(Cisco-Account-Info VSA I believe)

I saw a strange dictionary amongst the FreeRADIUS dictionaries: for US Robotics,
dictionary.usr
It is talking about an NMC encoding, and the following is added after the vendor
id declaration:
format=4,0
Has anyone an explanation about this type of encoding?

From my side, I have a vendor (having a vendor-id) that uses the following
encoding:
RADIUS Attribute Id (1 byte) = 26
RADIUS Attribute Length (1 byte) = total length of attribute value + 2
Vendor ID (4 bytes)
A Project Type attribute (1 byte)
And as many attributes as possible (up to 248 bytes), using TLV where T is 1
byte and L is 1 byte.

The following scheme shows the attribute encoding.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |   Type (26)   |    Length     |           Vendor-Id           |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |       Vendor-Id (cont)        | Project type  | N°Attribute 0 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |AttributeLength|  Value Attribute 0 . . . . . . . . . . . . . .
   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   . . . . . . . . . . . . . . . .| N°Attribute n |AttributeLength|
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |  Value Attribute n . . . . . . . . . . . . . . . . . . . . . .
   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Is FreeRADIUS able to support such an encoding method?
Or maybe with only one TLV attribute per RADIUS attribute (26 + L + VendorID +
ProjectType + TLV)?

For the moment, we use the Vendor-Specific=0x00 method, but as the
attributes are standardized with this vendor, we would like to use it in a
smarter way.

Sorry if I have been a little long.

Thank you in advance.

Geof.


Re: returning variable as HEX in Access-Accept

2006-05-24 Thread Geoffroy Arnoud
> I receive for instance Framed-MTU = 1500 in Access-Request and now I have
> to put in the Access-Accept Class = 05DC (the hex value of the framed-MTU)
> and send it back to the NAS.

Maybe you can do it by developing a simple module of your own?

Geof.


Re : VSA encoding

2006-05-24 Thread Geoffroy Arnoud
>   It's USR's old format.  4 bytes of attribute type, and no length.
> The VSA length is used for the length instead.

Thank you for the info.

>   Ugh.  What the heck is the project type?

Actually, the vendor has several projects, each one potentially owning 256
attributes.


>   If the server does support this, what does it do with the project
> type?  It doesn't fit into the normal Attribute = value system used
> by the server.

I assume that if I had to implement its support, attribute names should be of
the form

VendorName-ProjectName-AttributeName=foo


Thanks.

Geof.



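As an added example of mine (not FreeRADIUS or the vendor's code), serving both the attribute layout drawn in the "VSA encoding" post and the VendorName-ProjectName-AttributeName naming suggested in this follow-up: an encoder and a bounds-checking decoder for the 26 | Length | Vendor-Id | Project type | TLV* format, plus the Vendor-Specific=0x... line that feeds the raw octets to radclient. Assumptions: the per-attribute L counts the value bytes only (the post does not say), and the vendor id 99999, project and attribute names are made up.

```python
import struct

VENDOR_SPECIFIC = 26
# 255 (max attribute) - 2 (Type, Length) - 4 (Vendor-Id) - 1 (Project type),
# which is the "up to 248 bytes" figure in the post.
MAX_PROJECT_PAYLOAD = 248


def encode_project_vsa(vendor_id, project_type, sub_attrs):
    """Build one attribute 26 in the vendor's layout:
    Type(26) Length Vendor-Id(4) Project-Type(1) then (T(1) L(1) Value)*.
    Assumption: L counts the value bytes only."""
    payload = b""
    for sub_type, value in sub_attrs:
        if not (0 <= sub_type <= 255 and len(value) <= 255):
            raise ValueError("sub-attribute type or value out of range")
        payload += struct.pack("!BB", sub_type, len(value)) + value
    if len(payload) > MAX_PROJECT_PAYLOAD:
        raise ValueError("%d bytes of sub-attributes exceed %d"
                         % (len(payload), MAX_PROJECT_PAYLOAD))
    head = struct.pack("!IB", vendor_id, project_type) + payload
    return struct.pack("!BB", VENDOR_SPECIFIC, len(head) + 2) + head


def decode_project_vsa(data, expected_vendor=None):
    """Parse one attribute 26 back into (vendor_id, project_type, [(T, value)...]).
    Every length is checked against the enclosing buffer before it is used, so a
    nested L that runs past the attribute is rejected instead of over-read."""
    if len(data) < 7 or data[0] != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    if data[1] != len(data):
        raise ValueError("attribute Length %d != %d bytes given" % (data[1], len(data)))
    vendor_id, project_type = struct.unpack("!IB", data[2:7])
    if expected_vendor is not None and vendor_id != expected_vendor:
        raise ValueError("unexpected Vendor-Id %d" % vendor_id)
    subs, pos = [], 7
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated sub-attribute header at offset %d" % pos)
        sub_type, sub_len = data[pos], data[pos + 1]
        end = pos + 2 + sub_len
        if end > len(data):
            raise ValueError("sub-attribute %d runs past end of attribute" % sub_type)
        subs.append((sub_type, data[pos + 2:end]))
        pos = end
    return vendor_id, project_type, subs


def radclient_line(attr):
    """The Vendor-Specific=0x... form used in the post: radclient takes the
    octets after Type/Length, i.e. Vendor-Id onwards, as the attribute value."""
    return "Vendor-Specific=0x" + attr[2:].hex()


def named_pairs(vendor_name, projects, decoded):
    """Render as VendorName-ProjectName-AttributeName=value, the naming the
    follow-up proposes. projects maps project type -> (name, {sub type: name})."""
    vendor_id, project_type, subs = decoded
    project_name, attr_names = projects[project_type]
    return ["%s-%s-%s=0x%s" % (vendor_name, project_name,
                                attr_names.get(t, "Attr-%d" % t), v.hex())
            for t, v in subs]


# Constructed sample: made-up vendor 99999, project 3 with two attributes.
SAMPLE_PROJECTS = {3: ("Filtering", {1: "Policy", 2: "Quota"})}


def demo():
    attr = encode_project_vsa(99999, 3, [(1, b"gold"), (2, struct.pack("!I", 5))])
    return radclient_line(attr), named_pairs("Acme", SAMPLE_PROJECTS,
                                             decode_project_vsa(attr))


if __name__ == "__main__":
    line, pairs = demo()
    print(line)
    print("\n".join(pairs))
```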


EAP-SIM compliance

2006-05-23 Thread Geoffroy Arnoud
Hi all,

I have a question regarding EAP-SIM authentication, in the case where
authentication is performed by an external AAA system.

We already perform LEAP and EAP-TLS authentication against an external AAA
system through FreeRADIUS (FreeRADIUS acts as a proxy for EAP
authentication).

Regarding EAP-SIM, is FreeRADIUS compliant with the latest EAP-SIM version that
became an RFC (RFC 4186), in the case where authentication is performed by an
external AAA system?

Thank you for your answers

Geof.




Re: EAP-SIM compliancy

2006-05-23 Thread Geoffroy Arnoud




Thank you for your answer. 
I mean EAP-SIM has been described in 16 successive drafts, and finally
became an RFC.
I don't know the content of the RFC itself, but I know that other AAA
servers (Cisco Access Registrar for example), performing EAP-SIM against the
SS7 network and HLR, do need to upgrade in order to support the latest
release of EAP-SIM.

Thanks

Geof.



FreeRADIUS SNMP capacities

2006-05-17 Thread Geoffroy Arnoud
Hello all,

Would it be possible to have some information about FreeRADIUS SNMP capabilities?

Which versions of SNMP are supported?

What can be done?
Which types of trap can be sent to the manager?
Which types of info can the manager ask for?
What are the other features?
Is it stable?

Any piece of information will be of great help.

Best regards,

Geoffroy


Re: Problems moving from FreeRADIUS 1.0.0 to version 1.0.1

2004-11-01 Thread Geoffroy Arnoud
Hello,

I'm working with Nicolas, who sent the first mail.

The module failing is not the one shown in the
request (its code is too big). When we saw that
something was going wrong, we quickly wrote a very
simple module to stress the failure, and we built it
with release 1.0.1.

Geoffroy

--- Alan DeKok [EMAIL PROTECTED] wrote:
> Chaigneau Nicolas [EMAIL PROTECTED] wrote:
> > I've been using FreeRADIUS 1.0.0 so far. I just tried
> > to install FreeRADIUS 1.0.1, but I'm encountering a
> > problem : I get a bus error upon receiving an
> > access-request.
>
>   Did you re-build your module in 1.0.1, or just re-use the library
> from 1.0.0?
>
>   Alan DeKok.








Sending VSA with FreeRADIUS radclient

2004-07-05 Thread Geoffroy Arnoud
Hello,

I know I can send VSAs using radclient, by putting the
following line in my request file:

Cisco-AVPair=Hello!

What I want to know is if I can send VSAs whose
content is not formatted as described in RFC 2865
(§5.26). I mean that I want to send:

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      26       |    Length     |           Vendor-ID           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Vendor-ID (cont)        |  My Content...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...

Is it possible with radclient?

Thank you in advance

Geoffroy








radclient regression (from V1.60) ?

2004-06-02 Thread Geoffroy Arnoud
Hello,

I am using radclient from FreeRADIUS in CVS version
1.60. It works fine.

I saw that radclient evolved to deal with several
files / several requests per file. That's an
interesting feature for what I need.

Nevertheless, reading radclient.c (I haven't tested it
yet), I think that a regression occurred, for the '-i'
parameter.

It seems that the issue occurred in version 1.63.

The 'id' var, declared in main(), is still set, but a
global var 'last_used_id' is in fact used, and is not
set according to the command line arguments. Therefore, I
wonder if the '-i' parameter still has any incidence on
the true value of the request's ID.
Furthermore, the '-i' parameter works with radclient
V1.60, but when you put '-i 128', the true request's
ID is 129.

Maybe I am wrong, for the first point ('-i' present
but not used), but the 2nd point has been
tested on my box.

Good day to all.

Geoffroy








Bug in radclient

2004-06-02 Thread Geoffroy Arnoud
Hello,

I think there is a bug in radclient (since v1.63?).

I currently use radclient v1.60, and it works fine.

I saw that new functionalities appeared, and I
downloaded V1.72. Reading the radclient.c source file,
I became a little perplexed about the '-i' feature,
which allows setting the ID of the requests to send.

I mean that:

In main(), line 687, an int var named 'id' is
declared.
Line 732, it is assigned a value, according to the command
line arguments.
But it is used nowhere else. Instead, a global
variable, named 'last_used_id', declared on line 75,
is assigned the value 'getpid() & 0xFF', in main(),
line 892.

I don't see the var 'id' used anywhere. But I can see
'last_used_id' is used in function 'send_one_packet',
to set the request id.

I didn't compile nor test this new radclient. Maybe I
read the code the wrong way. Tell me if it is not a
bug, where and how the 'id' var is used. Else maybe
this issue will need a correction.

Regards,

Geoffroy








(no subject)

2004-02-25 Thread geoffroy . arnoud
Hello,

I am training on FreeRADIUS, and I'm writing my own module to do different
stuff on requests. It works well.
I use FreeRADIUS snapshot-20040102.

I think I've found an error in libradius, in the file valuepair.c, in the
function pairreplace.
My valuepair.c is in version 1.74, but it seems, from the CVS logs, that this
function did not evolve.

I attach the patch at the end of this mail, done using diff, but without the -u
option, which is not available on Solaris.

The problem is that when replacing an A/V pair by another, if the A/V pair to
replace is the last one, the loop exits before reaching it. Therefore, the A/V
pair is present twice.

Thanks for updates about it.

Geoffroy

Patch starts here:

178c178
   VALUE_PAIR *i, *next;
---
   VALUE_PAIR *i, *next, *prev;
180a181,185
   /*
   Quiet compiler
   */
   prev = NULL;

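Review bot: prev = NULL with the comment "Quiet compiler" hides the real invariant, which is that prev stays NULL only while i is still *first. Because 206c212 later writes through prev->next, the path taken when the matching pair is the first in the list must update *first instead of dereferencing prev; state that in the comment rather than "Quiet compiler", so the next reader does not take the NULL initialisation for a valid value.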
191c196
   for(i = *first; i-next; i = next) {
---
   for(i = *first; i; i = next) {
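Review bot: the loop condition change from i->next to i at 191c196 is the actual fix for the duplicate described in the mail (the last pair was never visited), and it is correct only if next is read from i before i can be freed in the replace branch, since the increment i = next now runs for the final element too; worth checking the body at that point.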
199a205
   prev = i;
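Review bot: prev = i at 199a205 must execute only for pairs that remain in the list; if the replaced pair is freed in the same iteration and prev is then set to it, the next iteration's prev->next writes into freed memory. Confirm it sits after the branch that handles the replacement.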
206c212
   i-next = add;
---
   prev-next = add;
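Review bot: replacing i->next = add with prev->next = add at 206c212 fixes which node links to the replacement, but the visible lines do not show add->next being set to the old successor of i, so check that the tail of the list is still attached after the replacement. A unified diff would make that easy to see; cvs diff -u uses CVS's built-in diff and does not depend on the Solaris diff lacking -u.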

