Re: ASCII NUL in NAS-Filter-Rule
Just a guess, but it sounds like a string array to me:

    char **string_array;

Look up malloc and related functions to designate space for additions to the array. This is NOT how you do it, but this is the general idea:

    $string_array[0] = filter entry 1;
    $string_array[1] = filter entry 2;

An automated way of creating a string array is to use a delimited string, then use index or rindex to find the delimiter, then replace the delimiter with '\0'. If you have experience programming in C, you should know how to find all the functions required to carry this out.

On 2011-Apr-20, at 06:38, Ruslan Pustovoytov wrote:

Is my question about sending ASCII NUL in a string attribute wrong, or has nobody run into this situation?

Hi All,

My NAS box can use the attribute NAS-Filter-Rule from the RADIUS server to construct filter rules per subscriber on the fly. According to RFC 4849 this attribute should contain ASCII NUL (0x00) as a delimiter between individual filter rules and at the end of the rules. FreeRADIUS defines this attribute as a string and I do not know how to create a valid string with a NUL character. I changed the attribute type to octets and successfully added the NUL character, but the whole string was converted to hex as well and the attribute was not readable. How do I send a NUL character without changing the attribute type?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
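The layout Ruslan describes from RFC 4849 (rules separated by NUL, with a NUL after the last one) and the truncation he hit when the attribute was typed as a string, as an added Python example; this is not code from the thread or from FreeRADIUS. The rule strings are constructed for illustration, and the 253-byte limit is the largest value one RADIUS attribute can carry, which is why a rule list may span several NAS-Filter-Rule attributes that the NAS joins back together before splitting on NUL.

```python
"""RFC 4849 NAS-Filter-Rule encoding and decoding (added example, not from the thread)."""
from typing import List

MAX_ATTR_VALUE = 253   # a RADIUS attribute is at most 255 bytes including type and length
DELIM = b"\x00"        # RFC 4849 delimiter between rules and after the last rule


def encode_filter_rules(rules: List[str]) -> bytes:
    """Join rules into one NUL-delimited, NUL-terminated byte string."""
    for rule in rules:
        if "\x00" in rule or rule == "":
            raise ValueError("a filter rule must be non-empty and must not contain NUL")
    return b"".join(rule.encode("ascii") + DELIM for rule in rules)


def split_into_attributes(blob: bytes, max_len: int = MAX_ATTR_VALUE) -> List[bytes]:
    """Cut the encoded list into chunks that each fit one NAS-Filter-Rule attribute."""
    return [blob[i:i + max_len] for i in range(0, len(blob), max_len)]


def decode_filter_rules(attr_values: List[bytes]) -> List[str]:
    """Concatenate every NAS-Filter-Rule value from a packet, then split on NUL."""
    blob = b"".join(attr_values)
    if blob == b"":
        return []
    if not blob.endswith(DELIM):
        raise ValueError("rule list is not NUL-terminated")
    return [part.decode("ascii") for part in blob.split(DELIM)[:-1]]


def as_c_string(blob: bytes) -> str:
    """What a NUL-terminated 'string' attribute type keeps: only the bytes before the first NUL.

    This is the truncation that makes the string type unusable for this attribute."""
    return blob.split(DELIM, 1)[0].decode("ascii")


if __name__ == "__main__":
    # constructed sample rules in the permit/deny style RFC 4849 uses
    sample = ["permit in tcp from any to 192.0.2.10 22", "deny in ip from any to any"]
    encoded = encode_filter_rules(sample)
    print(encoded)
    print(decode_filter_rules(split_into_attributes(encoded)))
    print("seen as a C string:", as_c_string(encoded))
```

Run it as-is to see the encoded bytes, the round trip through attribute-sized chunks, and how much of the list survives when it is treated as a C string.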
Re: SQL results going ... wrong
What character set encodings are you using for the database? I suspect the database is set to UTF8 and the default character encoding on the system you are developing FreeRADIUS on is different. You can check MySQL like this:

    mysql> show variables like 'character_%';
    +--------------------------+----------------------------------+
    | Variable_name            | Value                            |
    +--------------------------+----------------------------------+
    | character_set_client     | latin1                           |
    | character_set_connection | latin1                           |
    | character_set_database   | latin1                           |
    | character_set_filesystem | binary                           |
    | character_set_results    | latin1                           |
    | character_set_server     | latin1                           |
    | character_set_system     | utf8                             |
    | character_sets_dir       | /usr/local/share/mysql/charsets/ |
    +--------------------------+----------------------------------+
    8 rows in set (0.00 sec)

On 2011-Apr-14, at 08:06, Stefan Winter wrote:

Hi,

I'm just implementing a new virtual server with a slightly complex query and a sizable result set coming back in radreply. The query goes out as expected, and the MySQL reply is well-formed and looks as expected in wireshark when it comes back. But the debug output is ... interesting:

    Thu Apr 14 15:43:07 2011 : Info: [sql-aai] User found in radcheck table
    Thu Apr 14 15:43:07 2011 : Info: [sql-aai] expand: SELECT * FROM reply_aai_firstname WHERE username='%{SQL-User-Name}' UNION ALL SELECT * FROM reply_aai_lastname WHERE username='%{SQL-User-Name}' UNION ALL SELECT * FROM reply_aai_mail WHERE username='%{SQL-User-Name}' UNION ALL SELECT * FROM reply_aai_eduPersonAffiliation WHERE username='%{SQL-User-Name}' -> SELECT * FROM reply_aai_firstname WHERE username='swinter' UNION ALL SELECT * FROM reply_aai_lastname WHERE username='swinter' UNION ALL SELECT * FROM reply_aai_mail WHERE username='swinter' UNION ALL SELECT * FROM reply_aai_eduPersonAffiliation WHERE username='swinter'
    Thu Apr 14 15:43:07 2011 : Error: rlm_sql: Invalid operator ?x�{?(�{?@�{?D�{?�{?D�{?Z�{?]�{?v�{?swinter for attribute +=
    Thu Apr 14 15:43:07 2011 : Error: rlm_sql (sql-aai): Error getting data from database
    Thu Apr 14 15:43:07 2011 : Error: [sql-aai] SQL query error; rejecting user

Something looks like it is accessing memory where it better shouldn't. If I execute the xlated query on the MySQL server directly, the result looks beautiful:

    +----------+-----------------------+----+----------------------------------------------------------------+
    | username | attribute             | op | value                                                          |
    +----------+-----------------------+----+----------------------------------------------------------------+
    | swinter  | RESTENA-AAI-Attribute | += | urn:oid:2.5.4.42='Stefan'                                      |
    | swinter  | RESTENA-AAI-Attribute | += | urn:oid:2.5.4.4='Winter'                                       |
    | swinter  | RESTENA-AAI-Attribute | += | urn:oid:0.9.2342.19200300.100.1.3='stefan.win...@education.lu' |
    | swinter  | RESTENA-AAI-Attribute | += | urn:oid:1.3.6.1.4.1.5923.1.1.1.1='member'                      |
    +----------+-----------------------+----+----------------------------------------------------------------+

So it must go wrong somewhere in the server. That same server executes many many other SQL queries of the radcheck style without issues. This is the first time I'm using a radreply query though. Version is 2.1.10. The mysql client lib is so old I'm too ashamed to tell here.

So... any known badnesses in MySQL/radreply? Anything I should do (besides updating mysql client libs, which has right now popped near the top of my TODO list)?

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
Re: EAP-TLS with Ldap
---Guy

Sent from my iPad

On 12 Mar 2011, at 20:06, Usuário do Sistema maico...@ig.com.br wrote:

Hello, I'm new at FreeRADIUS and I'm deploying it with EAP-TLS to authenticate my wireless users, which will be authenticated against an OpenLDAP base. I'm using freeradius2, and when I make a test from another Linux machine with the command

    radtest joao.vero jango123 128.2.100.131 2 meleca

it works, as the output shows:

    Sending Access-Request of id 45 to 128.2.100.131 port 1645
        User-Name = joao.vero
        User-Password = jango123
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
    rad_recv: Access-Accept packet from host 128.2.100.131:1645, id=45, length=20

But when I'm going to authenticate wireless users from Win7 (with EAP-TLS; I'm using the test certificates from /etc/raddb/certs/...) it isn't working. This appears in the log:

    TLS Alert read:fatal:unknown CA
    TLS_accept:failed in SSLv3 read client certificate A
    rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
    SSL: SSL_read failed inside of TLS (-1), TLS session fails.
    TLS receive handshake failed during operation

What I did until now in relation to EAP-TLS:

I've configured the eap.conf file to read the certificates from /etc/raddb/certs/...
I've created the user certificate (as the README in /etc/raddb/certs shows).
I've copied and installed two certificates on the user machine: cliente.p12 and ca.der, the first as personal and the last as Trusted Root Certification Authorities.

I wish to use LDAP to authenticate my users, but it seems that User-Password must be clear text. Is it possible to reach EAP-TLS with LDAP?? What do I have to do?? Any help is welcome. Thank!

You have an issue with the cert: the cert the client is sending back is not recognised by FreeRADIUS..

As for authenticating, you can do this without clear text but you'll need to use NT-LM, with which you use Samba to create NTSambaPassword in the LDAP database, which it can auth with. You will likely have to extend the schema for your LDAP server.. though that's quite well documented for adding in Samba support.

Thanks
--Guy
Re: freeRadius/LDAP per NAS access
On 7 Mar 2011, at 22:14, Alexander Clouter wrote:

Guy g...@britewhite.net wrote:

I now have FreeRADIUS granting access and using LDAP for username and password information. My next challenge: using the same RADIUS and LDAP server, I would like to grant different users access via different NAS clients. E.g. in LDAP I would have:

    uid=guy
    services: VPN
    services: WiFi

If I have "services: VPN" then I would be allowed to connect to the VPN server, and if I don't have that entry in my LDIF then I would not be allowed access. Any ideas on how to do this, simply?

...Dear Lazyweb, eh? You should really *attempt* to try, or show you have attempted something. Dear Teacher, just like back at school: "Please show your working.." :)

I did spend quite some time searching for the answer; however, documentation end-to-end seems to be a little lacking.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59481.html
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html

Now use %{client:keyword} in your LDAP xlat search query...

Thanks for the hints.. I've now got this to work...

In modules/ldap I changed filter to:

    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(authorizedService=%{client:service}))"

Then in clients.conf I just added an entry to each client:

    client VPN_Server {
        secret    = ssshhh!
        shortname = vpn
        nastype   = other
        service   = VPN
    }

And finally for each user in the LDAP database I add the entry:

    authorizedService: VPN

That's it. I can now control access to each client via VPN data.

To be honest though, your approach *abuses* LDAP; you should be adding them to a *group*, not bloating-up and overloading the user object; otherwise you might as well use something horrible like SQL...

I would argue that point most strongly, but this is not the place..

Thanks again for the help
--Guy

Cheers

--
Alexander Clouter
.sigmonster says: A woman can never be too rich or too thin.
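The filter Guy ended up with substitutes two request-derived values into an LDAP search: the user name and the client's service keyword. The following is an added Python example (my code, not rlm_ldap's) that builds that filter with RFC 4515 escaping applied to both values, evaluates it against a small constructed directory standing in for the LDAP server, and shows that a user name such as `*)(uid=*` is compared as a literal instead of reshaping the filter. The DIRECTORY and CLIENTS tables and the evaluate_and_filter evaluator are assumptions made for the example; the evaluator handles only the conjunction-of-equalities shape this filter uses.

```python
"""Per-NAS authorization filter with LDAP escaping (added example, not from the thread)."""
import re
from typing import Dict, List, Optional

# constructed stand-ins for the LDAP directory and for the clients.conf entries
DIRECTORY: List[Dict[str, List[str]]] = [
    {"uid": ["guy"], "authorizedService": ["VPN", "WiFi"]},
    {"uid": ["alice"], "authorizedService": ["WiFi"]},
]
CLIENTS: Dict[str, str] = {"vpn": "VPN", "ap1": "WiFi"}   # shortname -> service = ...


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(user_name: str, service: str, stripped_user_name: Optional[str] = None) -> str:
    """Same shape as the modules/ldap filter: %{%{Stripped-User-Name}:-%{User-Name}} and %{client:service}."""
    uid = stripped_user_name or user_name
    return "(&(uid=%s)(authorizedService=%s))" % (ldap_escape(uid), ldap_escape(service))


_ASSERTION = re.compile(r"\(([A-Za-z][\w-]*)=((?:\\[0-9a-fA-F]{2}|[^()\\])*)\)")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def evaluate_and_filter(filt: str, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a filter of the form (&(attr=value)...) against one entry; equality only."""
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("only AND filters are supported")
    body = filt[2:-1]
    parts = _ASSERTION.findall(body)
    if "".join("(%s=%s)" % p for p in parts) != body:
        raise ValueError("unsupported filter syntax: %r" % body)
    return all(_unescape(v) in entry.get(a, []) for a, v in parts)


def is_authorized(user_name: str, client_shortname: str) -> bool:
    """True when some directory entry matches the filter for this user on this NAS."""
    service = CLIENTS[client_shortname]
    filt = build_filter(user_name, service)
    return any(evaluate_and_filter(filt, e) for e in DIRECTORY)


if __name__ == "__main__":
    print(build_filter("guy", "VPN"))
    print(is_authorized("guy", "vpn"), is_authorized("alice", "vpn"))
    print(build_filter("*)(uid=*", "VPN"))
```

Alexander's group-based alternative changes only the second assertion (a membership attribute on a group entry rather than authorizedService on the user); the escaping requirement is the same either way.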
Re: Freeradius2 and OSX clients no TLS
Yes, I understand and agree.. However, in this environment I think we'll be ok.

Thanks
--Guy

On 6 Mar 2011, at 19:22, Alan Buxey wrote:

Hi,

I changed default_eap_type=md5 to default_eap_type=ttls and now the Macs are able to authenticate without certs or any configuration on their side!!

I'm guessing that MD5 isn't a valid 'ready ticked' EAP type by default. You would probably be okay putting e.g. default_eap_type=peap too.

I'd also agree with James too - you really don't want to just allow a dumb 'click and go' configuration to be valid on a client - otherwise a malicious person could spoof your SSID and your RADIUS server, and then clients could try authenticating against the bad RADIUS server with no warnings for the user. If using TTLS/PAP that could be very bad.

alan
freeRadius/LDAP per NAS access
Hi all,

I now have FreeRADIUS granting access and using LDAP for username and password information. My next challenge: using the same RADIUS and LDAP server, I would like to grant different users access via different NAS clients. E.g. in LDAP I would have:

    uid=guy
    services: VPN
    services: WiFi

If I have "services: VPN" then I would be allowed to connect to the VPN server, and if I don't have that entry in my LDIF then I would not be allowed access. Any ideas on how to do this, simply?

Thanks
---Guy
Re: Freeradius2 and OSX clients no TLS
On 6 Mar 2011, at 13:03, Phil Mayers wrote:

On 03/05/2011 04:46 PM, Guy wrote:

Hi,

I'm setting up Freeradius2 (FreeRADIUS Version 2.1.7) for WPA Enterprise 2, and I have it basically working. My iPhone/iPad are able to authenticate and connect via the base station. However, my Mac (OSX 10.6 Snow Leopard) laptops are having issues. I do not want to push out client certificates to the laptops. I also do not want people to have to perform any customisations on the clients.

When the laptop attempts to join the network I get a nice login window, with username/password. This is fine. However, without playing with the network settings (802.1x settings), I'm not able to join the network because I do not have a client cert:

EAP-TLS *requires* a client cert. If you want to use EAP-TLS, you will have to do something on the clients.

If you want to use PEAP or something, there are two things to consider - the default EAP type in eap.conf:

    eap {
        default_eap_type = peap
        ...
    }

...and the default EAP type on MacOS.

PEAP and TTLS require the tls EAP type to be configured, I think; I'm not sure you can disable EAP-TLS, as this will break PEAP and TTLS. The best you can do is change the default types. If changing it on the server doesn't accomplish it, then I think you're going to have to do some config on the clients.

Yup, that was it... I changed default_eap_type=md5 to default_eap_type=ttls and now the Macs are able to authenticate without certs or any configuration on their side!!

Cheers,
--Guy
Freeradius2 and OSX clients no TLS
Hi,

I'm setting up Freeradius2 (FreeRADIUS Version 2.1.7) for WPA Enterprise 2, and I have it basically working. My iPhone/iPad are able to authenticate and connect via the base station. However, my Mac (OSX 10.6 Snow Leopard) laptops are having issues. I do not want to push out client certificates to the laptops. I also do not want people to have to perform any customisations on the clients.

When the laptop attempts to join the network I get a nice login window, with username/password. This is fine. However, without playing with the network settings (802.1x settings), I'm not able to join the network because I do not have a client cert:

    Sat Mar 5 16:21:28 2011 : Error: -- verify error:num=19:self signed certificate in certificate chain
    Sat Mar 5 16:21:28 2011 : Error: TLS Alert write:fatal:unknown CA
    Sat Mar 5 16:21:28 2011 : Error: TLS_accept:error in SSLv3 read client certificate B
    Sat Mar 5 16:21:28 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Sat Mar 5 16:21:28 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
    Sat Mar 5 16:21:28 2011 : Auth: Login incorrect: [guy/via Auth-Type = EAP] (from client extreme port 0 cli 00-19-E3-E1-BA-C5)

However, if I do change the 802.1x settings on the Mac to not try to do TLS, then I'm able to connect just fine, either by PEAP or TTLS..

So finally my question... How can I reconfigure RADIUS to not try and offer TLS, or if it does offer TLS, to not die if a cert is not presented?? I have tried some suggestions such as commenting out the CA in the eap.conf file, but still I fail to pass the TLS.

Thanks
---Guy
Re: Freeradius2 and OSX clients no TLS
It wasn't FreeRADIUS providing the login window, it was OSX... trying to log on to the WiFi network.

--Guy

On 5 Mar 2011, at 17:26, Luke Hammond wrote:

Just a side question, how did you get FreeRADIUS to give you a login window? I tried this and couldn't see how to get it to work.. so had to use another portal for this.

On 5/03/2011 2:10 PM, Gary Gatten wrote:

FR just does what it's told. I think the settings need to be changed on your wireless gear.

----- Original Message -----
From: Guy [mailto:g...@britewhite.net]
Sent: Saturday, March 05, 2011 10:46 AM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius2 and OSX clients no TLS

[Guy's original post "Freeradius2 and OSX clients no TLS", quoted in full; elided here]
Re: Freeradius2 and OSX clients no TLS
That comes later! :)

--Guy

On 5 Mar 2011, at 17:56, Luke Hammond wrote:

Ahh ok, thanks. Thought you were talking about a captive portal.

On 5/03/2011 2:39 PM, Guy wrote:

It wasn't FreeRADIUS providing the login window, it was OSX... trying to log on to the WiFi network.

--Guy

On 5 Mar 2011, at 17:26, Luke Hammond wrote:

Just a side question, how did you get FreeRADIUS to give you a login window? I tried this and couldn't see how to get it to work.. so had to use another portal for this.

On 5/03/2011 2:10 PM, Gary Gatten wrote:

FR just does what it's told. I think the settings need to be changed on your wireless gear.

----- Original Message -----
From: Guy [mailto:g...@britewhite.net]
Sent: Saturday, March 05, 2011 10:46 AM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius2 and OSX clients no TLS

[Guy's original post "Freeradius2 and OSX clients no TLS", quoted in full; elided here]
Re: freeradius postgresql sql query glitch
On 2009-Dec-07, at 06:00, Josip Rodin wrote:

Hi,

I've observed an SQL logging problem with FreeRADIUS (2.x) and PostgreSQL (8.1). On several different installations I occasionally get these errors:

    Mon Dec 7 13:19:01 2009 : Error: [ourlittle_sql] Couldn't update SQL accounting STOP record - ERROR: invalid input syntax for integer: ""

The sql trace log indicates that this is the offending query:

    UPDATE radacct SET AcctStopTime = ('2009-12-07 13:19:01'::timestamp - '6'::interval),
      AcctSessionTime = CASE WHEN '' = '' THEN (EXTRACT(EPOCH FROM ('2009-12-07 13:19:01'::TIMESTAMP WITH TIME ZONE - AcctStartTime::TIMESTAMP WITH TIME ZONE - '6'::INTERVAL)))::BIGINT ELSE '' END,
      AcctInputOctets = (('0'::bigint << 32) + '0'::bigint),
      AcctOutputOctets = (('0'::bigint << 32) + '0'::bigint),
      AcctTerminateCause = 'User-Request', AcctStopDelay = 0,
      FramedIPAddress = NULLIF('4.3.2.1', '')::inet, ConnectInfo_stop = ''
      WHERE AcctSessionId = '57fc9e4821466d86' AND UserName = 'o...@user.name' AND NASIPAddress = '1.2.3.4' AND AcctStopTime IS NULL;

I'm using the default, unchanged sql/postgresql/dialup.conf setting:

    accounting_stop_query = "UPDATE ${acct_table2} \
      SET AcctStopTime = ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \
      AcctSessionTime = CASE WHEN '%{Acct-Session-Time}' = '' THEN \
        (EXTRACT(EPOCH FROM ('%S'::TIMESTAMP WITH TIME ZONE - AcctStartTime::TIMESTAMP WITH TIME ZONE \
        - '%{%{Acct-Delay-Time}:-0}'::INTERVAL)))::BIGINT ELSE '%{Acct-Session-Time}' END, \
      AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), \
      AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), \
      AcctTerminateCause = '%{Acct-Terminate-Cause}', \
      AcctStopDelay = 0, \
      FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \
      ConnectInfo_stop = '%{Connect-Info}' \
      WHERE AcctSessionId = '%{Acct-Session-Id}' \
      AND UserName = '%{SQL-User-Name}' \
      AND NASIPAddress = '%{NAS-IP-Address}' \
      AND AcctStopTime IS NULL"

Looks like the code wants to use CASE to check whether %{Acct-Session-Time} exists among the internal FreeRADIUS variables, while the return value of the whole SQL CASE construct is supposed to be a bigint. This is a reduced failing case:

    radiustmobile=# select CASE WHEN '' = '' THEN (EXTRACT(EPOCH FROM ('2009-12-07 13:19:01'::TIMESTAMP WITH TIME ZONE - AcctStartTime::TIMESTAMP WITH TIME ZONE - '6'::INTERVAL)))::BIGINT ELSE '' END from radacct where AcctSessionId = '57fc9e4821466d86';
    ERROR:  invalid input syntax for integer: ""

I have been using that query for years and have never had a problem. "select CASE WHEN '' = '' THEN" does not care what is in the empty strings because they are not designated as integers. Your problem is elsewhere. Have you checked to see if AcctStartTime has valid data? Try:

    select AcctStartTime from radacct where AcctSessionId = '57fc9e4821466d86';

If it contains data that looks like an integer then try:

    \d radacct

Make sure AcctStartTime is a time stamp.

Why is your stop record broken? Stop records are supposed to have a valid Acct-Session-Time; yours would appear to be missing.

In the else case, this fallback return value comes into PostgreSQL as just an empty string, which causes it to trip over - it sees that there's a possibility to write an empty string into a bigint field, which provokes the syntax error, even if the problem won't actually happen with this particular setup of input data. I'm not sure what to do... can the query be rewritten in a manner that would allow for both use cases?

(Mailing list users, please Cc: responses for those of us who may not be subscribed. TIA.)

--
     2. That which causes joy or happiness.

--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
Re: How to enter users in sql?
On 2009-May-27, at 11:51, Just E. Mail wrote:

I have successfully set up a freeRADIUS server with a PostgreSQL backend (separate) server. When I start freeRADIUS in test mode ('radiusd -X'), it connects to the SQL server and there is no error. I have two general questions:

1. I need to add one or two test UID/PW entries in the SQL database. Is there a GUI application available to accomplish that, or do I have to do it manually by entering the data?

You could try to use the dialup_admin PHP interface that is included with the FreeRADIUS source. It did not meet our needs so I wrote one for in-house use.

2. When the freeRADIUS server is live (on-line), how does user authentication data get added into the database? In MD5, Linux has an application to add a USER Name / Group (created automatically) which both the email program (such as Postfix) and freeRADIUS authenticate against. How is it done in PostgreSQL?

FreeRADIUS uses the standard libcrypt routines. Here is a snippet of code from the PHP interface I wrote:

    <?php
    // Returns true when $test_pass hashes to the stored crypt() value.
    // crypt() re-uses the salt embedded in $old_encrypted, so the two strings compare equal on a match.
    function check_password($test_pass, $old_encrypted)
    {
        if (crypt($test_pass, $old_encrypted) == $old_encrypted) {
            //echo "Password matches<BR>";
            return true;
        } else {
            //echo "Password does not match<BR>";
            return false;
        }
    }

    // Produces the crypt() string to store for a new password.
    // Newer PHP releases require the salt argument to be given explicitly;
    // this call relied on the old default behaviour.
    function gen_password($new_pass)
    {
        $encrypted = crypt($new_pass);
        return $encrypted;
    }

I have tried to post this question as clearly as I can. Please ask for clarification!

Jennifer K.

--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
Re: Mac-Based auth and HP chap
On 2009-Apr-29, at 10:26, jehan procaccia wrote:

Hello,

I use FreeRADIUS Version 2.1.3, and I'm trying a basic configuration from my HP ProCurve 2650 to do MAC-based RADIUS auth. For this I've set up a simple users file:

    005004B7252E    Auth-Type := Local, Cleartext-Password := 005004B7252E
                    Tunnel-type = VLAN,
                    Tunnel-Medium-Type = IEEE-802,
                    Tunnel-Private-Group-ID = 15

First, it isn't clear to me whether to use Cleartext-Password or User-Password, and == or :=, and whether or not to put quotes around the password...!? Anyway, with Cleartext-Password it works fine with radtest at least:

    $ radtest 005004B7252E 005004B7252E 157.159.100.55 16 secret
    rad_recv: Access-Accept packet from host 157.159.100.55 port 1812, id=81, length=36

Now when my HP switch tries to auth my PC, which has 005004B7252E as the MAC address of its eth0, apparently the HP sends a CHAP password:

    CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80

which turns RADIUS into its chap module, and fails to authenticate :-(

    Found Auth-Type = CHAP
    +- entering group CHAP {...}
    [chap] login attempt by "005004B7252E" with CHAP password
    [chap] Cleartext-Password is required for authentication
    ++[chap] returns invalid
    Failed to authenticate the user.
    Using Post-Auth-Type Reject

I am lost. I don't know if I have to set a CHAP password in the users file or anywhere else (how, syntax?), or if I have to tell my HP switch not to do CHAP (again, how?).

Thanks.

Details of radiusd -X:

    rad_recv: Access-Request packet from host 157.159.17.138 port 1125, id=8, length=195
        Framed-MTU = 1480
        NAS-IP-Address = 157.159.17.138
        NAS-Identifier = Sw-C01
        User-Name = 005004B7252E
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 26
        NAS-Port-Type = Ethernet
        NAS-Port-Id = 26
        Called-Station-Id = 00-1c-2e-b4-f2-66
        Calling-Station-Id = 00-50-04-b7-25-2e
        Connect-Info = CONNECT Ethernet 100Mbps Full duplex
        CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80
        Message-Authenticator = 0x4f687fe44ece7630d3470b37598b43b8
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.17.138/auth-detail-20090429
    [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/157.159.17.138/auth-detail-20090429
    [auth_log] expand: %t -> Wed Apr 29 17:28:16 2009
    ++[auth_log] returns ok
    [chap] Setting 'Auth-Type := CHAP'
    ++[chap] returns ok
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = 005004B7252E, looking up realm NULL
    [suffix] No such realm NULL

Uncomment and edit your proxy.conf file for the NULL realm:

    ...
    realm NULL {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
        secret   = testing123
    }
    ...

    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    [files] users: Matched entry DEFAULT at line 172
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = CHAP
    +- entering group CHAP {...}
    [chap] login attempt by "005004B7252E" with CHAP password
    [chap] Cleartext-Password is required for authentication
    ++[chap] returns invalid
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> 005004B7252E
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 1 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 1
    Sending Access-Reject of id 8 to 157.159.17.138 port 1125
    Waking up in 4.9 seconds.

--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
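Why rlm_chap insists on a Cleartext-Password: a CHAP response is MD5 over the one-byte identifier, the password and the challenge (RFC 1994), so the server has to recompute it from the plaintext; no other stored form of the password will do. The added Python example below (my code, not FreeRADIUS's) builds a CHAP-Password value as the switch would and verifies it as the server does, taking the challenge from a CHAP-Challenge attribute when one is present and from the Request Authenticator otherwise, as RFC 2865 specifies. The MAC-as-password string and the 16-byte authenticator are constructed. A MAC address used as the password is not a secret, so this kind of setup identifies a device rather than authenticating a user, which is worth keeping in mind when it assigns a VLAN.

```python
"""CHAP response generation and verification (RFC 1994 / RFC 2865); added example."""
import hashlib
import hmac
from typing import Optional


def chap_response(ident: int, cleartext_password: str, challenge: bytes) -> bytes:
    """CHAP-Password value as sent by the peer: identifier byte + MD5(ident || password || challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("ident must fit in one byte")
    digest = hashlib.md5(bytes([ident]) + cleartext_password.encode("ascii") + challenge).digest()
    return bytes([ident]) + digest


def chap_verify(chap_password: bytes, request_authenticator: bytes, cleartext_password: str,
                chap_challenge: Optional[bytes] = None) -> bool:
    """Server-side check; it needs the cleartext password, which is why rlm_chap rejects without one."""
    if len(chap_password) != 17:            # 1 byte identifier + 16 byte MD5 digest
        return False
    # RFC 2865 section 5.3: without a CHAP-Challenge attribute, the Request Authenticator is the challenge
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(chap_password[0], cleartext_password, challenge)
    return hmac.compare_digest(expected, chap_password)


if __name__ == "__main__":
    # constructed values: the MAC-as-password from the thread and a fixed 16-byte authenticator
    mac = "005004B7252E"
    authenticator = bytes(range(16))
    resp = chap_response(0x07, mac, authenticator)
    print("CHAP-Password = 0x" + resp.hex())
    print(chap_verify(resp, authenticator, mac))
```

The first byte of the 0x07fae6d2... value in Jehan's debug output is the identifier 0x07, and the remaining 16 bytes are the digest; the switch's Request Authenticator is not shown in the trace, so the value itself cannot be checked here.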
Re: radpostauth sql logging of bad passwords
I am obviously missing something. I tried commenting out that section and it did not work. I then changed it to:

    post-auth {
        reply_log
        sql
        sql_log
        exec
        Post-Auth-Type REJECT {
            sql_log
        }
    }

Could someone toss me a bone or tell me what document I need to read?

On 2009-Apr-17, at 11:12, Alan DeKok wrote:

Guy Fraser wrote:

I thought this would be enough to make it log failed authentications:

Yes. But to flat-text files, not to SQL.

    post-auth {
        reply_log
        sql
        sql_log

This says log to SQL on success.

        exec
        Post-Auth-Type REJECT {
            attr_filter.access_reject

You could put SQL logging here, too.

The configuration has changed significantly since I last contributed to this project.

The main changes are moving text from one file to another, e.g. the large chunks of authorize, etc. in radiusd.conf have moved to separate files. But the main configuration is still pretty much the same. Older configuration files can be used *almost* unchanged.

Alan DeKok.

--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
Re: radpostauth sql logging of bad passwords
On 2009-Apr-27, at 11:27, Alan DeKok wrote:

Guy Fraser wrote:
I am obviously missing something. I tried commenting out that section and it did not work. I then changed it to :

So... what happens?

As far as I could tell nothing changed when I commented out the REJECT section :

post-auth {
	reply_log
	sql
	sql_log
	exec
#	Post-Auth-Type REJECT {
#		attr_filter.access_reject
#	}
}

And I still do not get any failed authentications when I use :

post-auth {
	reply_log
	sql
	sql_log
	exec
	Post-Auth-Type REJECT {
		sql_log
	}
}

I did not see any errors in any log files when I see the failed attempts in the /var/log/radacct/radiusd-DEFAULT-*.log file, and there are no corresponding entries in /var/log/radacct/sqltrace.sql.

I was hoping there was an easy answer. Does it look like something is broken or is this a configuration issue?

Alan DeKok.
Re: radpostauth sql logging of bad passwords
On 2009-Apr-27, at 12:44, Ivan Kalik wrote:

On 2009-Apr-27, at 11:27, Alan DeKok wrote:
Guy Fraser wrote:
I am obviously missing something.

Ahem, did you read what sql_log does?

Yes it says :

modules {
	...
	sql_log {
		path = ${radacctdir}/sql-relay
		acct_table = radacct
		postauth_table = radpostauth
		sql_user_name = %{%{User-Name}:-DEFAULT}
		Start = INSERT INTO ${acct_table} ...
		Stop = UPDATE ${acct_table} SET ...
		Alive = UPDATE ${acct_table} SET ...
		Post-Auth = INSERT INTO ${postauth_table} ...
	}
	...
}

accounting {
	...
	sql_log
	...
}

post-auth {
	...
	sql_log
	...
}

And that my friend does not help me.

I tried commenting out that section and it did not work. I then changed it to :

So... what happens?

As far as I could tell nothing changed when I commented out the REJECT section :

post-auth {
	reply_log
	sql
	sql_log
	exec
#	Post-Auth-Type REJECT {
#		attr_filter.access_reject
#	}
}

Leave reject filter alone.

And I still do not get any failed authentications when I use :

post-auth {
	reply_log
	sql
	sql_log
	exec
	Post-Auth-Type REJECT {
		sql_log
	}
}

List sql instead of sql_log. And put the filter back.

Are you saying this will work ?

post-auth {
	reply_log
	sql
	sql_log
	exec
	Post-Auth-Type REJECT {
		attr_filter.access_reject
		sql
	}
}

I have put it in and restarted the server.

Ivan Kalik
Kalik Informatika ISP
Re: radpostauth sql logging of bad passwords
On 2009-Apr-17, at 03:08, Alan DeKok wrote:

Guy Fraser wrote:
I have installed :
radiusd: FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.1, built on Feb 26 2009 at 15:47:46
I have not been able to figure out how to get it to log failed authentication attempts into the radpostauth sql table, like I had it working in Version 1.

What do you mean by that?

Q: I tried to do stuff, but it didn't work.
A: Huh?

I thought this would be enough to make it log failed authentications :

log {
	destination = files
	file = ${logdir}/radius.log
	requests = ${logdir}/radacct/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
	syslog_facility = daemon
	stripped_names = no
	auth = yes
	auth_badpass = yes
	auth_goodpass = no
}

Here is the recursive, uncommented and redacted configuration :

---
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-2.1.3
pidfile = ${run_dir}/${name}.pid
user = freeradius
group = freeradius
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
	type = auth
	ipaddr = *
	port = 1645
}
listen {
	ipaddr = *
	port = 1646
	type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
	destination = files
	file = ${logdir}/radius.log
	requests = ${logdir}/radacct/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
	syslog_facility = daemon
	stripped_names = no
	auth = yes
	auth_badpass = yes
	auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
#start : proxy.conf#
proxy server {
	default_fallback = no
}
home_server localhost {
	type = auth
	ipaddr = 127.0.0.1
	port = 1645
	secret = XXX
	response_window = 20
	zombie_period = 40
	revive_interval = 120
	status_check = status-server
	check_interval = 30
	num_answers_to_alive = 3
}
home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
}
realm LOCAL {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
}
realm domain.net {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
}
realm customer.com {
	type = radius
	authhost = x.x.x.x:1645
	accthost = x.x.x.x:1646
	secret = XXX
	nostrip
}
...
#end#
$INCLUDE clients.conf
#start : clients.conf#
client localhost {
	ipaddr = 127.0.0.1
	secret = XXX
	require_message_authenticator = no
	nastype = other
}
#end#
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
modules {
	$INCLUDE ${confdir}/modules/
	#start : modules/*#
	acct_unique {
		key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
	}
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always noop {
		rcode = noop
	}
	always handled {
		rcode = handled
	}
	always updated {
		rcode = updated
	}
	always notfound {
		rcode = notfound
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}
	attr_filter attr_filter.post-proxy {
		attrsfile = ${confdir}/attrs
	}
	attr_filter attr_filter.pre-proxy {
		attrsfile = ${confdir}/attrs.pre-proxy
	}
	attr_filter attr_filter.access_reject {
		key = %{User-Name}
		attrsfile = ${confdir}/attrs.access_reject
	}
	attr_filter attr_filter.accounting_response {
		key = %{User-Name}
		attrsfile = ${confdir}/attrs.accounting_response
	}
	attr_rewrite sanecallerid {
		attribute = Called-Station-Id
		searchin = packet
		searchfor = [+ ]
		replacewith =
		ignore_case = no
		new_attribute = no
		max_matches = 10
		append = no
	}
	chap {
	}
	checkval {
		item-name = Calling-Station-Id
		check-name = Calling-Station-Id
		data-type = string
	}
	counter daily {
		filename = ${db_dir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		reply-name = Session-Timeout
		allowed-servicetype = Framed-User
		cache-size = 5000
	}
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
radpostauth sql logging of bad passwords
I have installed :

radiusd: FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.1, built on Feb 26 2009 at 15:47:46

I have not been able to figure out how to get it to log failed authentication attempts into the radpostauth sql table, like I had it working in Version 1.
Re: Need help to use 802.1x with WEP and WPA/AES
Hi SangLee,

In my experience, the ability to do WEP and WPA simultaneously is a function of the Access Point rather than any other device in the network. If your AP vendor has implemented it in such a way that you cannot run WEP and WPA simultaneously, then push them to fix this.

Note, however, that your wireless security is only as strong as the weakest encryption and authentication mechanism. Therefore, if you are using WEP, you will have severely weakened your network. Even WPA with TKIP is reported to have been recently attacked in a much quicker time than previously possible. Ideally, you should look at WPA2/AES as the basis for your wireless security.

If you have no choice but to use WEP, then you're likely to need a *very* short session-timeout in order to force the keys to change very frequently (the order of a few minutes at most) in a busy network. This puts a huge load on your RADIUS servers.

Rgds,

Guy

2008/11/10 Le Sang [EMAIL PROTECTED]:
Hello All,
Now, I'm using 802.1x for authenticating wireless users. But unfortunately, I cannot use 802.1x with WEP and WPA(WPA2)/AES. Can anybody help me and tell me why I cannot use 802.1x with the encryption methods above.
Best Regards,
SangLee
Re: Simultaneous-Use in login for same mac-address
On 2008-Jun-06, at 08:40, Jean Carlos Oliveira Guandalini wrote:

Hello, we have a problem of mac-address cloning, and we use the Simultaneous-Use := 1 option to not allow double login, but in the case of the cloned mac-address freeradius allows the connection.

Log of sql.trace:

INSERT into radpostauth (id, user, pass, reply, date) values ('', 'userlogin', '290476', 'Access-Accept', NOW());
INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81b00935', 'bcc93b20ea389f59', 'userlogin', '', '10.0.6.10', '2447', 'Ethernet', '2008-06-06 11:08:45', '0', '0', 'RADIUS', '', '', '0', '0', 'INTERNET', '00:4F:62:0A:1F:BF', '', 'Framed-User', 'PPP', '111.111.111.111', '0', '0');
UPDATE radacct SET AcctStopTime = '2008-06-06 11:08:46', AcctSessionTime = '0', AcctInputOctets = '0', AcctOutputOctets = '0', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '81b00935' AND UserName = 'userlogin' AND NASIPAddress = '10.0.6.10';
INSERT into radpostauth (id, user, pass, reply, date) values ('', 'userlogin', '290476', 'Access-Accept', NOW());
INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81b00936', '3f7c1d06dbd205d4', 'userlogin', '', '10.0.6.10', '2448', 'Ethernet', '2008-06-06 11:08:49', '0', '0', 'RADIUS', '', '', '0', '0', 'INTERNET', '00:4F:62:0A:1F:BF', '', 'Framed-User', 'PPP', '111.111.111.111', '0', '0');

Queries in sql.conf:

simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0

Despite the mac-address matching, these are two different users, and the second connected without the first disconnecting beforehand. Is there any possibility to block it?

Thanks
Sorry for my English (by Google Translator)

I do not think there is a way to block it. You may want to have the real user change his mac address then block the cloned mac address. You will likely then find that another mac address gets cloned. If you move to a secure username / password access method you may be able to stop the abuser.
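The simul_count_query above only counts rows with AcctStopTime = 0, so a session whose Stop record has already been written is invisible to Simultaneous-Use. The following added example (not code from the thread or from FreeRADIUS) parses sqltrace statements like the ones quoted, replays that count at the moment of the second login, and flags a Calling-Station-Id that stops and restarts within seconds, which is the footprint to watch for when a cloned MAC address is in play; the 30-second threshold, the Session type and the function names are this example's own assumptions.

```python
"""Replay Simultaneous-Use and detect MAC churn from a FreeRADIUS sql.trace.

Added example, not rlm_sql code.  It parses the radacct INSERT (Start) and
UPDATE (Stop) statements that rlm_sql writes to sqltrace and rebuilds the
sessions, so the simul_count_query result can be replayed and rapid
stop/start cycles on one Calling-Station-Id can be flagged.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the sqltrace statements quoted in the post.
SAMPLE_TRACE = """\
INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81b00935', 'bcc93b20ea389f59', 'userlogin', '', '10.0.6.10', '2447', 'Ethernet', '2008-06-06 11:08:45', '0', '0', 'RADIUS', '', '', '0', '0', 'INTERNET', '00:4F:62:0A:1F:BF', '', 'Framed-User', 'PPP', '111.111.111.111', '0', '0');
UPDATE radacct SET AcctStopTime = '2008-06-06 11:08:46', AcctSessionTime = '0', AcctInputOctets = '0', AcctOutputOctets = '0', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '81b00935' AND UserName = 'userlogin' AND NASIPAddress = '10.0.6.10';
INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81b00936', '3f7c1d06dbd205d4', 'userlogin', '', '10.0.6.10', '2448', 'Ethernet', '2008-06-06 11:08:49', '0', '0', 'RADIUS', '', '', '0', '0', 'INTERNET', '00:4F:62:0A:1F:BF', '', 'Framed-User', 'PPP', '111.111.111.111', '0', '0');
"""

INSERT_RE = re.compile(r"INSERT into radacct \((?P<cols>[^)]*)\) values\((?P<vals>.*)\);", re.I)
UPDATE_RE = re.compile(r"UPDATE radacct SET (?P<sets>.*) WHERE (?P<where>.*);", re.I)
QUOTED_RE = re.compile(r"'([^']*)'")  # every value in sqltrace is single-quoted


@dataclass
class Session:
    session_id: str
    user: str
    mac: str                  # CallingStationId
    nas: str                  # NASIPAddress
    start: Optional[datetime]
    stop: Optional[datetime]  # None while AcctStopTime is still 0


def parse_ts(value: str) -> Optional[datetime]:
    """'0' or '' is how rlm_sql writes 'no timestamp yet'."""
    if value in ("", "0"):
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def parse_trace(text: str) -> Dict[str, Session]:
    """Rebuild sessions keyed by AcctSessionId from Start INSERTs and Stop UPDATEs."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        line = line.strip()
        m = INSERT_RE.match(line)
        if m:
            cols = [c.strip() for c in m.group("cols").split(",")]
            row = dict(zip(cols, QUOTED_RE.findall(m.group("vals"))))
            sessions[row["AcctSessionId"]] = Session(
                row["AcctSessionId"], row["UserName"], row["CallingStationId"],
                row["NASIPAddress"], parse_ts(row["AcctStartTime"]),
                parse_ts(row["AcctStopTime"]))
            continue
        m = UPDATE_RE.match(line)
        if m:
            sid = re.search(r"AcctSessionId = '([^']*)'", m.group("where"))
            stop = re.search(r"AcctStopTime = '([^']*)'", m.group("sets"))
            if sid and stop and sid.group(1) in sessions:
                sessions[sid.group(1)].stop = parse_ts(stop.group(1))
    return sessions


def open_sessions_at_login(sessions: Dict[str, Session], new_sid: str) -> List[str]:
    """What simul_count_query saw when new_sid was authorised: the same user's
    other sessions whose Stop had not yet been written (AcctStopTime = 0)."""
    new = sessions[new_sid]
    return sorted(s.session_id for s in sessions.values()
                  if s.session_id != new_sid and s.user == new.user
                  and s.start <= new.start
                  and (s.stop is None or s.stop > new.start))


def find_mac_churn(sessions: Dict[str, Session], max_gap_seconds: float = 30.0
                   ) -> List[Tuple[str, str, str, Optional[float]]]:
    """Flag consecutive sessions from one MAC that overlap or restart within
    max_gap_seconds.  Returns (mac, earlier_sid, later_sid, gap_seconds);
    gap is None when the sessions overlap outright."""
    by_mac: Dict[str, List[Session]] = defaultdict(list)
    for s in sessions.values():
        by_mac[s.mac].append(s)
    findings: List[Tuple[str, str, str, Optional[float]]] = []
    for mac, group in by_mac.items():
        group.sort(key=lambda s: s.start)
        for prev, nxt in zip(group, group[1:]):
            if prev.stop is None or prev.stop > nxt.start:
                findings.append((mac, prev.session_id, nxt.session_id, None))
            else:
                gap = (nxt.start - prev.stop).total_seconds()
                if gap <= max_gap_seconds:
                    findings.append((mac, prev.session_id, nxt.session_id, gap))
    return findings


if __name__ == "__main__":
    found = parse_trace(SAMPLE_TRACE)
    print("open for userlogin at the 81b00936 login:",
          open_sessions_at_login(found, "81b00936"))   # [] -> count is 0
    for mac, a, b, gap in find_mac_churn(found):
        print(f"{mac}: session {a} stopped, {b} started {gap}s later")
```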
Re: Java client for Radius
Hi Avihai,

I use the client that comes with the jradius server on my Mac and it's great. I don't use a particularly wide range of the features, I'm sure I barely scratch the surface, if I'm honest, but it does what I need (and it works flawlessly on my Mac :-)

I've not tried radius-client so I cannot make a comparison.

Rgds,

Guy

2008/5/20 avihai marchiano [EMAIL PROTECTED]:
Hey,
I need a java client for Radius. It needs to work with all vendors. I saw two open sources: JRadius, radius-client. Has someone compared them? Can someone recommend one?
Thank you
Re: Java client for Radius
2008/5/20 avihai marchiano [EMAIL PROTECTED]:
Do you know if it also supports other vendors? JRadius client is java.

I initially had some problems because of the environment used to build jradius-client but I contacted the author and he fixed it really quickly. I don't know of any reason why jradius-client won't work on any java engine.

I understand (and I might understand wrong) that you need to configure (or install) something on the server side in order to work with JRadius. I need to work against all Radius servers and I can't change or add to the Radius server.

JRadius is a frontend to FreeRADIUS and requires FR to operate properly. However, the client doesn't require any of that. You can download the whole package and just get the client bit and run it. There's a shell script that fires everything up correctly.

Rgds,

Guy

- Original Message -
From: Guy Davies [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, May 20, 2008 10:35:40 PM
Subject: Re: Java client for Radius
Re: Help needed with freeradius, solaris and trapeze
2008/4/29 Arran Cudbard-Bell [EMAIL PROTECTED]:
Alan DeKok wrote:
Guy Davies wrote:
[..snip..]
You need to tell us which EAP method you plan to use. If you are using local users, you can take your pick from EAP-TTLS/PAP or PEAP/MS-CHAPv2. If you use the former, you can have the passwords encrypted in the users file. If you use the latter, the passwords must be in clear text.

Unless you're using PEAP offload, in which case you just need to list the mschap module, and have the user password available in cleartext or as an nt / lm hash... but don't use PEAP offload. Terminate the EAP tunnel in FR, it generally works better and is far simpler.

Agreed. PEAP offload was OK if you had a crappy backend RADIUS server that didn't support EAP very well (or at all), but with a FR backend, you're better off just passing your EAP straight through.

[..snip..]
Trapeze uses some VSAs to specify which VLAN a user should be connected to, what time-of-day they can connect, etc.

Hmm, no. Trapeze use the standard VLAN assignment attributes just like any other Vendor. You may be able to use the VSAs to do fancy stuff but :

Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = VID

Then that's definitely changed since I used to use Trapeze when it was first brought to market. I started with a pre-FCS version ;-) They used to have VSAs for Trapeze-VLAN-Name that was quite nice if you had different default VLAN numbers in different buildings in the campus. You could name all the default VLANs the same but give the VLANs different IDs in the different MXes. Using the Tunnel-Private-Group-ID means you have to have a consistent VLAN ID for a particular user group across a campus.

Works just the same.

Just look in dictionary.trapeze and you'll see the options. The Trapeze documentation was always pretty good at explaining the purpose and format of those VSAs. You *MUST* include a VLAN-Name VSA when responding to a Trapeze unit or it won't connect you to the correct VLAN.

I have a MXR-2 sitting on my desk that says otherwise. You can set a default VLAN for each wireless service profile

Doesn't that just pick up users that fail to attempt 802.1x authentication? Again, it's been a while since I last used Trapeze kit so things may have changed significantly since then.

Ah, yes. *That* vendor.

I happen to quite like that vendor and wish people would stop spreading misinformation, especially if they haven't used the kit for a few years *hmpf*.

I also very much liked that vendor and had no intention of spreading misinformation. I very specifically stated that it had been a while since I used the kit so that people would take my information in context. I object to being accused of spreading misinformation intentionally. I am not frequently active on this list but I do try to give valid information. If it's wrong, then I'll hold my hand up, but berating people for trying will just make people stop giving advice altogether.

Guy
Re: Help needed with freeradius, solaris and trapeze
Hi Alan,

Erm... I'm using WPA2/AES that uses 802.1x to authenticate the user :-)

WPA2/TKIP is a strange choice (if not technically invalid). Normally, folks go for WPA/TKIP or WPA2/AES.

Anyway, back to Miguel's question...

I have not used Trapeze kit for a couple of years but I have used it in the past with FreeRADIUS (and derived RADIUS servers).

You need to tell us which EAP method you plan to use. If you are using local users, you can take your pick from EAP-TTLS/PAP or PEAP/MS-CHAPv2. If you use the former, you can have the passwords encrypted in the users file. If you use the latter, the passwords must be in clear text. I believe that the default radius.conf and eap.conf files will work automatically for either option.

Trapeze uses some VSAs to specify which VLAN a user should be connected to, what time-of-day they can connect, etc. Just look in dictionary.trapeze and you'll see the options. The Trapeze documentation was always pretty good at explaining the purpose and format of those VSAs. You *MUST* include a VLAN-Name VSA when responding to a Trapeze unit or it won't connect you to the correct VLAN.

Rgds,

Guy

2008/4/28 Alan DeKok [EMAIL PROTECTED]:
Miguel Dias wrote:
Can anyone help? I'm starting with WPA2 - TKIP and I would like to configure FreeRadius to authenticate some test users that I can create on freeradius.

WPA2 means that the access point isn't doing RADIUS authentication for the users.

please help really needed... Where should I start???

Configure 802.1x for the AP. Don't use WPA2.

Alan DeKok.
Re: Radius-based windows authentication
2008/4/25 Phil Mayers [EMAIL PROTECTED]:
Mike Perdide wrote:
Hello,
I'm working on VLAN assignment with FreeRadius, with windows XP users. The FreeRadius server is using openLdap, and works over EAP-TTLS. The goal of my work is for the users to be on different Vlans depending on their status. The radius part is working fine, since the switch sets the right vlan when the user gives his login and password. My question was : is it possible to authenticate via radius at the windows login screen ?

Is the windows machine a domain member?

For now, it is using the samba database, but if I want to set up a dynamic vlan assignment, the network needs to be up before the samba partitions are mounted.

This last paragraph doesn't make sense to me. I don't know what samba database and samba partitions are.

I think you are asking is it possible for the client to do 802.1x with the username/password typed into the login box and the answer is yes. There are three ways to achieve this (that I know of).

1. Using the windows native supplicant and machine account authentication. Basically the process is this:
 * machine powers on - no-one logged in
 * machine uses its own domain account to login host/$machinename
 * user presses ctrl+alt+del
 * machine validates credentials to the domain controller, over the current network connection
 * machine downloads the user's profile
 * once the profile is downloaded, the machine does an EAP-Logoff and then re-authenticates using the user credentials
 * when the user logs out, the machine does an EAP-Logoff and then logs back in using the machine account

2. Using cached profiles - the user logs in without a network connection using a cached profile, then 802.1x starts

3. Using a different supplicant which has a GINA plugin; I believe the Odyssey supplicant (which you have to pay for) can do this. SecureW2 (which is open source) may. Obviously you have to install software.

The Odyssey client can certainly do this but it is very important to note that GINA is not making use of the RADIUS server to actually authenticate the user to the Windows machine. It is simply stopping the windows login, taking a copy of the credentials typed into the windows login screen and using those to authenticate using 802.1x so that a secured port is open *before* the windows login is complete; then, once the 802.1x process is complete, it returns control of the login process back to windows, which authenticates the user either against the local database or using the Active Directory service. Normally, for this to work well, you would have the RADIUS server used for the 802.1x authentication make a call to the AD servers too (using either NTLM or LDAP). That way, you actually have two calls made to the AD, one by the RADIUS server and then another by the user's PC.

The dynamic VLAN assignment is almost invariably performed as part of the 802.1x RADIUS authentication response and the actual mechanism used depends very much on the vendor of your Authenticator (the switch or AP).

Rgds,

Guy
Re: header enrichment
Hi Mauro,

VSA means Vendor Specific Attribute. Vendors can provide 'private' attribute value pairs (AVPs) that are only understood by their equipment so that you can send them information that is not supported natively by the standard RADIUS protocol.

If the vendor of your device that would actually perform the header enrichment function can make a query to a RADIUS server based on some 'username' derived from the information available to it (would the user have to login via a web portal first?) then the RADIUS server could return attributes associated with that user. You could theoretically create 'groups' that relate to particular handsets/UA strings and return attributes based on that info, but you still have to have a username.

Rgds,

Guy

On 29/02/2008, mauro [EMAIL PROTECTED] wrote:
thanks, this can really help me. So you suggest investigating the supported RADIUS attributes. Admittedly I'm not a RADIUS expert and I don't know what VSA means, but I think we can proceed together, also if we could find a way to introduce Freeradius into the Mobile Network. If you think we are OT please feel free to contact me privately to not disturb the list. thanks very much

If there is a RADIUS attribute/VSA that can be interpreted by the RADIUS client as containing the information required to enrich your headers, and the client then does the right thing with the Value of that AV pair, then yes, it can be done. If the RADIUS client cannot take the information from a specific AVP, then no it cannot be done without development work by your client vendor (nothing the server can do to force it).

Hope that helps,
Re: header enrichment
Mauro,

On 28/02/2008, mauro [EMAIL PROTECTED] wrote:
please have a look inline
thanks

Normally in mobile services there's no specification in the header about connection type.

*Which header? You are assuming that everyone here is familiar with 3g *terminology. You were already told we were not.

I didn't mention anything about 3G, I spoke about mobile services. I think you know perfectly which kind of services I'm talking about; anyway I can try to support you:

What makes you believe that people familiar with RADIUS would be guaranteed to know perfectly which kind of services you're talking about? You're clearly familiar with mobile services so I assume that you know perfectly well how to configure a RADIUS server. However, I'm prepared to try to support you!

Mobile Services: means all the services that a mobile Operator can give to the customers, from SMS to WAP connections. Normally when the user connects to the Mobile Operator network infrastructure the connection (mainly if we are talking about a WAP connection) is treated as an internet connection and the mobile browser request contains an http header as well as a common internet header. Now using some infrastructure it is possible to add more parameters to the header.. much sniffing was done but only specific equipment allows enriching the header with this information,

*Could you describe what you mean in more words? It is meaningless to *say enrich the header. We have no idea what you mean by that.

enrich the header: as for google search, it is a particular feature of a system to add specific tags to the header and it's a common way to describe the procedure. Here below in attach is an example of a mobile header, and the entry Nokia-bearer is the one that gives info about connection type: we need to determine the type of the connection

Pointing us to Google when you have not given a clear explanation of which header attributes you wish to enrich is not at all helpful. I have a general understanding of what 'header enrichment' is. You just didn't give me any info regarding what you wanted to enrich your headers with.

to add to the header the needed parameters, normally in a mobile operator some particular equipment is used as well as a radius server to get network parameters such as connection type (I mean the connection established by the user). This is why I asked. I hope everything is clear now! thanks

If there is a RADIUS attribute/VSA that can be interpreted by the RADIUS client as containing the information required to enrich your headers, and the client then does the right thing with the Value of that AV pair, then yes, it can be done. If the RADIUS client cannot take the information from a specific AVP, then no it cannot be done without development work by your client vendor (nothing the server can do to force it).

Hope that helps,

Guy

--header example---
GET /wap/ HTTP/1.0
If-None-Match: 0-6f-3e6cf51a
Accept: image/gif, text/x-vCalendar, image/vnd.wap.wbmp, application/vnd.wap.wmlscriptc, text/x-vCard, application/vnd.wap.wmlc, application/vnd.wap.wbxml, text/vnd.wap.wml, text/vnd.wap.wmlscript, text/plain
Accept-Language: en
Accept-Charset: US-ASCII, ISO-8859-1, UTF-8, ISO-10646-UCS-2
profile: http://wap.sonyericssonmobile.com/UAprof/T200.xml
User-Agent: SonyEricssonT200/R101
bearer-indication: 0
accept-application: 1,2
X-Nokia-CONNECTION_MODE: CMODE
X-Nokia-BEARER: GPRS   -- PARAMETER NEEDED. FREERADIUS CAN HELP??
X-Nokia-gateway-id: NAWG/3.1/Build52
Via: WTP/1.1 Vodafone wap FTC (Nokia WAP Gateway 3.1/ECD9/3.1.52), 1.1 vlsp1:9010 (squid/2.5.STABLE3)
X-Forwarded-For: 172.27.9.3
Host: redsox.tcs.auckland.ac.nz
Re: header enrichment
On 27/02/2008, Alan DeKok [EMAIL PROTECTED] wrote:
mauro wrote:
Hi all
I would like to know if freeradius can help to enrich the user header for those mobile services that need some particular params such as connection type (3g, gprs...).

What does that mean? I'm not a 3g expert. Maybe the 3g equipment you're using can use RADIUS attributes. If so, see its documentation for what RADIUS attributes it uses.

Alan is right. I would imagine that you'd need to use the 3GPP or 3GPP2 RADIUS dictionary to respond with attributes that could be used by the client to perform the header enrichment. As long as the information can be presented as a regular RADIUS attribute or VSA, then you can use FreeRADIUS to provide that information to the client (the device performing the header enrichment function).

Rgds,

Guy
Re: Cisco AV-PAIRS
Hi David,

Have you tried putting \n to see if that puts a line break into the response? Whether the RADIUS client will barf on that is another matter ;-)

Rgds,

Guy

On 20/02/2008, David W Bell [EMAIL PROTECTED] wrote:
David W Bell wrote:
Thanks for the info so far. Is there a howto on getting this to work? Questions I still have on this are:
1) Do I need to extend my Schema to include Cisco-AV-Pair? If so, is there an example I can copy?
2) What is the exact line that I need to add to my ldap.attrmap file to then refer to that?
Can this then be expanded to Group Memberships? The situation I want is for User David, who is a member of the Edge_Router group, to have full access to the routers for that group, while having, say, level 6 access to the core routers from membership of the Core_Router group.
Thanks for any further help
David

Seem to have managed to get a bit further. Is there any way of adding a line-break to a Radius-Reply string?
Re: Cisco AV-PAIRS
I was wondering the same thing :-)

On the subject of getting the attributes from LDAP, the Cisco AV pairs are just another AV Pair. Sure, Cisco have broken their AVs up with sub-AVs, but it's still just passing a value back from LDAP and manipulating the format so that it is placed correctly into the correct AV. The priv-level (as you have clearly worked out) is presented as...

Cisco-AV-Pair=priv-level=value
value = 0 to 15

If you have an attribute in your LDAP schema that is called Cisco-AV-Pair and it contains the string priv-level=15, then you should be able to return that attribute and map it to the contents of the Cisco-AV-Pair RADIUS attribute. I don't *think* it's any different to mapping any other string based AV Pair.

Rgds,

Guy

On 19/02/2008, Ivan Kalik [EMAIL PROTECTED] wrote:
And why do you have the password in two locations? If you store it in Ldap you don't need it in the users file and vice versa.

Ivan Kalik
Kalik Informatika ISP

On 19/2/2008, David W Bell [EMAIL PROTECTED] wrote:
Hi there. My Saga continues. I have freeRADIUS working with openLDAP and can log into CISCO kit and pass the priv-level from the raddb/users file. Is there any way that this information can be passed from the openLDAP user details instead? I am looking to do a single-signon system and it seems a little awkward to have to change a password (as is required in the users file) in 2 locations.
Thanks
David
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy (forward) request as PAP
Joakim,

You could certainly do this with EAP-TTLS/PAP. I know because I've done it myself in a previous job. It's quite simple really. You have the outer authentication using one realm (possibly the null realm, and using the name 'anonymous'). In the inner authentication, you use another realm that is proxied by the FreeRADIUS server to the remote server supporting PAP. I've done exactly this with CryptoCARD servers and with Vasco servers.

You may need to strip the decoration from the username before forwarding the PAP authentication request to the back end server, e.g. [EMAIL PROTECTED] might need to be reduced to just guyd before that username would be correctly authenticated by the backend server.

Rgds,
Guy

On 31/01/2008, Joakim Lindgren [EMAIL PROTECTED] wrote:
> Hi all (and really thanks to Alan DeKok),
>
> I have a complete EAP-PEAP/TLS/TTLS configuration working against FreeRADIUS and IAS. A piece of software I'm using offers two-factor authentication and they have their own RADIUS server which only supports PAP. Is it possible to terminate the client EAP connection at the FreeRADIUS proxy and forward the request as PAP to the software vendor's own RADIUS server? If it is, briefly, how do I do it?
>
> Thanks all! (I'm going to buy Alan DeKok's coming FreeRADIUS book ;-)
>
> Sincerely
> Joakim
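The inner-identity handling Guy describes, as an added example that is not part of the post and not FreeRADIUS code: the outer identity only chooses the TTLS server, while the inner User-Name's realm picks the PAP home server and the decoration is stripped before forwarding. Realm names, home server addresses and user names are constructed for the example; both suffix (user@realm) and prefix (REALM\user) decoration are handled, which goes slightly beyond the single case in the post.

```python
"""Inner-identity realm handling for an EAP-TTLS/PAP proxy (added example).

Not code from the list post or from FreeRADIUS.  Models the decision in the
reply above: the outer identity ("anonymous@realm" or just "anonymous") only
selects the TTLS server; the inner User-Name carries the real identity, its
realm selects the PAP home server, and the decoration is stripped because the
two-factor back end only knows the bare login name.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed proxy table: inner realm -> PAP home server (hypothetical hosts).
PROXY_TABLE = {
    "tokens.example.com": ("10.0.0.5", 1812),
    "vasco.example.com": ("10.0.0.6", 1812),
}


@dataclass(frozen=True)
class Nai:
    user: str
    realm: Optional[str]


def parse_nai(identity: str) -> Nai:
    """Split an NAI into user and realm.

    Accepts suffix decoration (user@realm) and Windows-style prefix
    decoration (REALM\\user).  An undecorated identity maps to the NULL realm
    (None).  Only the last '@' is the realm separator, so a user part that
    itself contains '@' survives intact.
    """
    if "\\" in identity:
        realm, _, user = identity.partition("\\")
        return Nai(user=user, realm=realm.lower())
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return Nai(user=identity, realm=None)
    return Nai(user=user, realm=realm.lower())


def route_inner_request(outer_identity: str, inner_user_name: str) -> dict:
    """Pick the home server for the inner PAP request and the User-Name it carries.

    Raises ValueError when the inner realm has no proxy entry: a request for
    an unknown realm must not be forwarded anywhere by default.
    """
    outer = parse_nai(outer_identity)
    inner = parse_nai(inner_user_name)
    if inner.realm is None:
        raise ValueError("inner identity has no realm; cannot select a home server")
    if inner.realm not in PROXY_TABLE:
        raise ValueError(f"no proxy configured for realm {inner.realm!r}")
    host, port = PROXY_TABLE[inner.realm]
    return {
        "outer_realm": outer.realm,
        "home_server": f"{host}:{port}",
        # Strip the decoration: the back end authenticates "guyd", not "guyd@realm".
        "User-Name": inner.user,
    }


if __name__ == "__main__":
    print(route_inner_request("anonymous@tokens.example.com", "guyd@tokens.example.com"))
    print(route_inner_request("anonymous", "VASCO.EXAMPLE.COM\\guyd"))
```

The outer realm is returned only for logging; routing is driven by the inner identity, which is the one the PAP back end will actually check.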
Re: Cisco command authorization
Hi Stefan,

It may be primarily Cisco that pushes TACACS+ because ACS is a much better TACACS+ server than it is a RADIUS server. However, there are many vendors that offer some degree of support for TACACS+ just to avoid one of the barriers to entering the many Cisco-only networks. :-)

Rgds,
Guy

On 07/01/2008, Stefan Winter [EMAIL PROTECTED] wrote:
>>> Could you add this to the wiki? http://wiki.freeradius.org/Cisco
>> Done.
>>
>> I myself don't use any Cisco kit, but the situation is much the same with HP ProCurve switches. On all but the most expensive switches TACACS+ is the only way to define command lists; on all the others you're either a manager or an operator. HP claim to support a few VSAs for setting command lists and priv levels, but on most of their switches they don't actually work!
>
> Amazing. I would have thought TACACS+ is totally dead and only Cisco holds up their flag.
>
> Stefan
>
> --
> Stefan WINTER
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
> Ingenieur Forschung Entwicklung
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
> http://www.restena.lu   Fax: +352 422473
Re: Command Authorization in freeradius
Ajay,

This is not a feature of RADIUS, but it can be implemented for some vendors' kit using VSAs. So, it depends very much on the kit you're using whether there is *no* way to do this or a non-standard way to do this :-(

Rgds,
Guy

On 14/12/2007, Gaurav Sabharwal [EMAIL PROTECTED] wrote:
> Ajay,
>
> This is not possible with RADIUS.
>
> Cheers,
> - Gaurav
>
> On 12/14/2007 09:52 AM ajay raut said the following:
>> Hi,
>> I want to do command authorization from a FreeRADIUS server, like the way TACACS+ has the cmd-arg attribute that specifies the specific commands that can be executed by a user. I am searching for the attribute in FreeRADIUS that can enable such kind of behaviour...
>> Regards,
>> Ajay
Re: EAP-TTLS tunnel
No, the tunnel is between the authentication server and the supplicant. The authenticator (the AP or switch) cannot see into the tunnel.

Rgds,
Guy

On 05/12/2007, Sergio Belkin [EMAIL PROTECTED] wrote:
> When using EAP-TTLS, is the tunnel between the Access Point and the client only? I mean: is the data protected between the AP and FreeRADIUS?
>
> Thanks in advance
> --
> Open Kairos http://www.openkairos.com
> Watch More TV http://sebelk.blogspot.com
> Sergio Belkin
Re: wired 802.1x supplicent open source where i can get it?
Hi Alan,

The supplicant is the software on the device trying to connect, rather than the server. Unless FreeRADIUS has moved in a totally different direction from when I was using it frequently, it is purely a RADIUS server (the authentication server in the 802.1X process). FreeRADIUS will certainly help the original poster because it implements many of the EAP methods required. He will also need an Ethernet switch that acts as an 802.1X authenticator. I don't know if wpa_supplicant can also support wired 802.1X authentication, but it would certainly be a good place to start when looking to develop one.

Rgds,
Guy

On 03/12/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> Hi,
>> I am Satyanarayana. We are working to implement an 802.1X wired supplicant, but I have tried a lot by checking so many sites and I didn't find that open source. If anybody knows the site or any details, please send them to me.
>
> FreeRADIUS is an existing supplicant which can do wired and wireless 802.1X: www.freeradius.org
>
> Do you want to IMPLEMENT 802.1X AAA, or do you want to create your own wired supplicant client and/or server?
>
> alan
Re: NAS-IP-Address = 0.0.0.0
On Fri, 2007-10-05 at 11:53 -0500, Walter Gould wrote:
> Please excuse me if this has already been covered in the docs or the FAQ (I looked, but nothing jumped out at me). In accounting packets coming from Cisco Catalyst 6513 switches, the NAS-IP-Address = 0.0.0.0. Does anybody know why, and if this can be changed? I have tried modifying the aaa accounting commands on the switch, but that has not seemed to fix it. On our 3750 series switches this doesn't happen and the correct switch/NAS IP address is listed in the NAS-IP-Address attribute field.
>
> Thanks in advance,

Not sure, but look into assigning an IP address to Loopback0.
Re: in vs. out
On Thu, 2007-10-04 at 14:39 +0200, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
>> Unfortunately, from a back-end perspective, if one has to support a variety of 'broken' commercial vendors, one doesn't have much choice (apart from not supporting these vendors). I guess we have to live with it, as it would probably be difficult for these vendors to change their ways now...
>
> Acct-Input-Octets has one meaning: the right one.
>
> You don't have to interoperate with broken vendors. You tell users to throw the equipment away, and to buy working equipment. Go get 'em!

I couldn't resist any longer.

RADIUS = Remote Authentication Dial In User Service

A number of us on this list, and historically on others, have been developing RADIUS servers and related software. I can't remember any of the developers asking what Input-Octets or Output-Octets meant.

--- snip ---
5.3. Acct-Input-Octets

   Description

      This attribute indicates how many octets have been received from the
      port over the course of this service being provided, and can only be
      present in Accounting-Request records where the Acct-Status-Type is
      set to Stop.
--- snip ---

This would be data coming into the NAS from the remote end point {customer}.

--- snip ---
5.4. Acct-Output-Octets

   Description

      This attribute indicates how many octets have been sent to the port
      in the course of delivering this service, and can only be present in
      Accounting-Request records where the Acct-Status-Type is set to Stop.
--- snip ---

This would be data going from the NAS to the remote end point {customer}.

Unless the reader or translator did not understand English or the parts of a dial-in service, there should be no reason for it to be interpreted any other way. If a vendor is unable to comprehend a small concept like in and out, I would not trust them to properly resolve more tricky concepts, like refunds, so Alan's suggestion stands. Throw out the improperly designed equipment if the vendor did not just make an error in their manual.

If the error is in the manual and not the equipment, let them know, so they can publish an erratum. Do a test; figure out which is correct, the equipment or the manual.
Re: data limit in Mikrotik with Freeradius and Mysql
On Fri, 2007-09-21 at 22:18 +0530, ram wrote:
> Hi
> I am trying to achieve the same; any inputs?
> ram

Have you tried using

    Acct-Input-Gigawords and Acct-Output-Gigawords

instead of

    Acct-Input-Octets and Acct-Output-Octets

in the counter calculations?

> On 9/20/07, ravi sawant [EMAIL PROTECTED] wrote:
>> Hi
>> Does anyone have a solution for limiting users by data traffic? I have a working setup of Mikrotik with FreeRADIUS and MySQL. I have searched on the net and found one solution, but I can only put a limit of max 4 GB of data. After 4 GB the counter resets to 0. I know the reason for that: it's because the values stored in the protocol are 32 bits only.
>> Awaiting your reply.
>> Thanks
>> Regards,
>> Ravin
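The arithmetic behind Guy's suggestion, as an added example (not code from either thread and not FreeRADIUS code): the RFC 2866 octet counters are 32-bit, so a session past 4 GiB wraps to 0 unless the NAS also sends the RFC 2869 Gigawords attributes, which count the wraps. The example reassembles the 64-bit values, keeps the in/out direction in the RFC sense discussed in the in-vs-out thread above (Input is what the NAS received from the subscriber), and sums Stop records per user; the accounting records are constructed for the example.

```python
"""Reassembling 64-bit byte counters from RADIUS accounting attributes.

Added example; not code from the list threads or from FreeRADIUS.
Acct-Input-Octets / Acct-Output-Octets (RFC 2866) are 32-bit, so a session
moving more than 4 GiB wraps to 0 unless the NAS also sends
Acct-Input-Gigawords / Acct-Output-Gigawords (RFC 2869), the number of times
the 32-bit counter wrapped.  The records below are constructed for the example.
"""

GIGAWORD = 1 << 32          # one wrap of a 32-bit octet counter
MAX_U32 = GIGAWORD - 1


def counter64(octets: int, gigawords: int = 0) -> int:
    """Combine a 32-bit octet counter with its gigawords high word.

    Raises ValueError on values a NAS could never legitimately send, so a
    corrupted or mis-typed attribute is not silently billed.
    """
    if not 0 <= octets <= MAX_U32:
        raise ValueError(f"octet counter out of 32-bit range: {octets}")
    if not 0 <= gigawords <= MAX_U32:
        raise ValueError(f"gigawords out of 32-bit range: {gigawords}")
    return (gigawords << 32) | octets


def session_bytes(acct: dict) -> dict:
    """Return the byte totals for one Accounting-Request.

    `acct` maps attribute names to integer values.  Missing Gigawords
    attributes count as 0, which is exactly what a NAS that never exceeded
    4 GiB in the session sends.  "Input" is octets received by the NAS from
    the subscriber, per RFC 2866 section 5.3.
    """
    from_sub = counter64(acct.get("Acct-Input-Octets", 0),
                         acct.get("Acct-Input-Gigawords", 0))
    to_sub = counter64(acct.get("Acct-Output-Octets", 0),
                       acct.get("Acct-Output-Gigawords", 0))
    return {"from_subscriber": from_sub, "to_subscriber": to_sub,
            "total": from_sub + to_sub}


def monthly_usage(records: list) -> dict:
    """Sum per-user totals over Acct-Status-Type = Stop records only.

    Interim-Update records carry the running total of a still-open session,
    so adding them to the Stop would double count.
    """
    usage = {}
    for rec in records:
        if rec.get("Acct-Status-Type") != "Stop":
            continue
        user = rec["User-Name"]
        usage[user] = usage.get(user, 0) + session_bytes(rec)["total"]
    return usage


# Constructed sample: the second session wrapped its download counter once.
SAMPLE_RECORDS = [
    {"User-Name": "ravin", "Acct-Status-Type": "Stop",
     "Acct-Input-Octets": 150_000_000, "Acct-Output-Octets": 900_000_000},
    {"User-Name": "ravin", "Acct-Status-Type": "Stop",
     "Acct-Input-Octets": 10_000, "Acct-Output-Octets": 123,
     "Acct-Output-Gigawords": 1},
    {"User-Name": "ravin", "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 1, "Acct-Output-Octets": 1},
]

if __name__ == "__main__":
    for user, total in monthly_usage(SAMPLE_RECORDS).items():
        print(f"{user}: {total / 2**30:.2f} GiB")
```

A counter stored in a 32-bit SQL column would wrap again on the way in, so the radacct columns that receive these totals need to be 64-bit (BIGINT) as well.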
radius using 95 % of CPU
Hi,

I am new to FreeRADIUS and I just had to upgrade one of our servers to RHEL5. As part of this deployment, I have installed freeradius-1.1.3-1.2 and openldap-2.3.27-5. I have looked on the web and talked to some colleagues, and this is probably an OpenLDAP issue. I am sure it has popped up on this discussion list before.

radius is taking up 95% of the CPU. I seem to be getting errors that say that all LDAP connections are in use (rlm_ldap):

Fri Sep 14 15:39:48 2007 : Error: WARNING: Unresponsive child (id 299209) for request 46
Fri Sep 14 15:39:48 2007 : Error: WARNING: Unresponsive child (id 2981600144) for request 47
Fri Sep 14 15:39:48 2007 : Error: WARNING: Unresponsive child (id 2971110288) for request 48
Fri Sep 14 15:39:48 2007 : Error: rlm_ldap: All ldap connections are in use

We did not have any issue with version 2.29 of OpenLDAP. Has something major changed? We are gonna downgrade for the time being, but if you know of a solution please let me know.

cheers
Re: Authorization in RADIUS, Authorization in freeradius
On Sun, 2007-09-02 at 15:36 +0100, George Beitis wrote:
> Hi everyone,
>
> I have a general question regarding authorization in the RADIUS protocol and how it is implemented in FreeRADIUS. What does the RADIUS protocol refer to when it talks about authorization? Does it actually refer to users being probably authorized after being authenticated, using the protocol? Are there RADIUS-specific attributes that are for authorization (not authentication)? There are ways of implementing authorization in FreeRADIUS, but do those simply overwrite the authentication decision? DIAMETER provides such authorization messages from my understanding, but the RADIUS protocol does not talk about any; is this correct?

As far as I understand, RADIUS is not an AAA server in the way you put it. RADIUS authenticates, accounts, and sends authorization configuration information to the NAS, which implements the authorization. RADIUS does not enforce or restrict anything the NAS is not configured to perform, and in fact the authentication and authorization can be overridden by the local configuration on the NAS, or by the requesting RADIUS proxy if one is in use.

> thank you very much
> regards
> George
Re: Log Rotation
On Fri, 2007-05-18 at 17:09 +0200, Jack J Allan wrote:
> On 5/18/07, Brian A. Seklecki [EMAIL PROTECTED] wrote:
>> Another solution would be to perform logging via syslog(3), which absolves radiusd from trapping and handling signals and file handlers. Syslog-ng already does this very well -- why duplicate all of that code?
>>
>> ~BAS
>
> I've certainly looked at that possibility; the problem is that you cannot separate your logging components nicely. I'd like to separate my radius.log, sqltrace, detail logfiles per NAS and all that. I'm afraid that syslog can't do that, and you'll run out of log facilities very quickly if you decided to do it manually (e.g. one facility per logfile). I found a workaround (no HUP) so I'm happy.
>
> Jack

I have not checked in quite a while, but at one point a while back I suggested using configurable dynamic log file names, like the detail files have. I used to use such a beast on a version of Cistron Radius that I customized, but I ran into problems trying to make it work with FR because, if I remember correctly (and it is quite possible I do not), there was some kind of problem where the xlat function did not generate what I expected when it had insufficient data to resolve the log file name due to the type of error. Having the configurable logging was low on my list of priorities back then and has not become any more important as of now, but it would still be a nice feature if there was a way to use defaults using {{variable}:-default} type entries.
Re: EAP-TTLS PEAP MCHAPv2
Or, if you're using an Enterprise CA with a self-signed cert, then make sure that the CA's cert is installed on your Mac. I do this at home and it's fine once you've installed the CA's cert.

Rgds,
Guy

On 30/04/07, Peter Nixon [EMAIL PROTECTED] wrote:
> On Mon 30 Apr 2007, Eshun Benjamin wrote:
>> Anyone have an idea of how to get rid of "The server certificate is not trusted because there are no explicit trust settings" on Mac OS X 10.4.9 without selecting "always trust these free certificates"?
>
> Yep. Buy a certificate that your machine trusts :-)
>
> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
Re: Can't access Internet?
Hi Tim,

Erm, yes, they're all critical to getting dial-up to work :-)

I think you could use a DEFAULT user in the users file that says something like...

DEFAULT Auth-Type := System
        Fall-Through = Yes

DEFAULT Service-Type == Framed-User, Framed-Protocol == PPP
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1500

This is directly taken from the man page for the users file.

Rgds,
Guy

On 09/01/07, Tim Tyler [EMAIL PROTECTED] wrote:
> FreeRadius experts,
>
> Ok, I ran radtest on both the old Lucent Technology RADIUS server and on FreeRADIUS with the following results:
>
> Lucent Technology RADIUS server (which works):
>
> [EMAIL PROTECTED] raddb]# radtest tylert xx 144.89.40.30:1645 1645 yy
> Sending Access-Request of id 37 to 144.89.40.30:1645
>         User-Name = tylert
>         User-Password = xx
>         NAS-IP-Address = alum.beloit.edu
>         NAS-Port = 1645
> rad_recv: Access-Accept packet from host 144.89.40.30:1645, id=37, length=44
>         Framed-Protocol = PPP
>         Service-Type = Framed-User
>         Framed-IP-Address = 255.255.255.254
>         Framed-MTU = 1500
>
> FreeRADIUS, which authenticates and can access the local network, but can't access the Internet:
>
> [EMAIL PROTECTED] raddb]# radtest tylert xx 144.89.40.9 1812 yyy
> Sending Access-Request of id 159 to 144.89.40.9:1812
>         User-Name = tylert
>         User-Password = xx
>         NAS-IP-Address = alu.beloit.edu
>         NAS-Port = 1812
> rad_recv: Access-Accept packet from host 144.89.40.9:1812, id=159, length=20
>
> So what I am observing is that FreeRADIUS does not send back the following information that Lucent Tech. does:
>
>         Framed-Protocol = PPP
>         Service-Type = Framed-User
>         Framed-IP-Address = 255.255.255.254
>         Framed-MTU = 1500
>
> I am guessing that some or all of these are important. Some of the old archives have suggested that the MTU might be important. If I am using a standard unix password crypt file, is it possible to get FreeRADIUS to send this information? Or do I need to consider another method?
>
> Tim
>
> At 11:54 AM 1/8/2007, you wrote:
>> You may wish to use the radius-tools package (correct me if the package name is wrong, List) which is included with FreeRADIUS to send test packets from the test application to the FreeRADIUS server, and it'll show you what attributes you're sending and what the server replies with. You can then do this again to your AIX server and see how the response is different; this will involve adding your test client machine as a NAS in the AIX machine's clients file. Basically you need to eavesdrop on the connection between the RADIUS client and the new/old servers, and compare and contrast the replies. This is the best way to work out "what has changed?"
>>
>> Hope this helps,
>> Jan
>>
>> On 08/01/07, Tim Tyler [EMAIL PROTECTED] wrote:
>>> FreeRadius experts,
>>>
>>> We are trying to run FreeRADIUS on a RedHat AS 2.1 system. We use an external password file for authentication, defined in the unix system (password = filename) section of radius.conf. This seems to work fine. Modem users can authenticate to our old 3Com Total Control modem pool, but users cannot access the Internet. They can access all local domain servers on campus, but they can't get off campus. This really should not be a firewall issue as the same IP addresses are still associated with the modem pool. Note: if we go back to our old Lucent Technology RADIUS server running on AIX, everybody is fine and can access the Internet again. I am trying to find out what might cause a modem pool to only work locally (access servers on our campus) after switching to FreeRADIUS, particularly since it seems that the authentication part is working. I know that the 3Com Total Control modem pool is rather old, but I don't know why it would behave differently from one RADIUS server to another as long as authentication works.
>>>
>>> I read in one of the FreeRADIUS archives that some users have experienced a similar problem of either very slow or no Internet access at all for some customers authenticating via FreeRADIUS until they modified the MTU setting. This is curious to me. Is there a place in FreeRADIUS that I might change the MTU setting, given that I am using an external unix password crypt file for all authentication? If so, what MTU setting might be recommended? Is there another possible explanation that might relate to FreeRADIUS? Any thoughts are much appreciated.
>>>
>>> Tim Tyler
>>> Network Engineer - Beloit College
>>> [EMAIL PROTECTED]
>
> Tim Tyler
> Network Engineer - Beloit College
> [EMAIL PROTECTED]
Re: Can't access Internet?
Hi Tim,

This sounds more like a routing problem. Does the FreeRADIUS server allocate addresses from the same pool as the old Lucent server? If not, it's possible that your router to the Internet doesn't have a route back to the host addresses via the 3Com TC box.

If that's not it, then you might try doing a capture of the Access-Accept packets coming from the Lucent and from the FreeRADIUS server using Wireshark and compare them to see which attributes are different.

Rgds,
Guy

On 08/01/07, Tim Tyler [EMAIL PROTECTED] wrote:
> FreeRadius experts,
>
> We are trying to run FreeRADIUS on a RedHat AS 2.1 system. We use an external password file for authentication, defined in the unix system (password = filename) section of radius.conf. This seems to work fine. Modem users can authenticate to our old 3Com Total Control modem pool, but users cannot access the Internet. They can access all local domain servers on campus, but they can't get off campus. This really should not be a firewall issue as the same IP addresses are still associated with the modem pool. Note: if we go back to our old Lucent Technology RADIUS server running on AIX, everybody is fine and can access the Internet again. I am trying to find out what might cause a modem pool to only work locally (access servers on our campus) after switching to FreeRADIUS, particularly since it seems that the authentication part is working. I know that the 3Com Total Control modem pool is rather old, but I don't know why it would behave differently from one RADIUS server to another as long as authentication works.
>
> I read in one of the FreeRADIUS archives that some users have experienced a similar problem of either very slow or no Internet access at all for some customers authenticating via FreeRADIUS until they modified the MTU setting. This is curious to me. Is there a place in FreeRADIUS that I might change the MTU setting, given that I am using an external unix password crypt file for all authentication? If so, what MTU setting might be recommended? Is there another possible explanation that might relate to FreeRADIUS? Any thoughts are much appreciated.
>
> Tim Tyler
> Network Engineer - Beloit College
> [EMAIL PROTECTED]
Re: freeradius mac athentication with Tsunami MP.11 5054-R v2.3.0(169)
Hi Cam

I am back from Victoria. Could you send us some debug info?

HINT: Start FreeRADIUS from the command line using "radiusd -X". See "man radiusd" for more information. After it is in debug mode, attempt an authentication and send us the info.

On Wed, 2006-11-08 at 13:18, Cameron Cowie wrote:
> Hi:
>
> I have configured my FreeRADIUS server to run on Ubuntu and it is stable (or so I think). I have run tests from my workstation to ask for authentication and it serves out brilliantly. But as soon as I ask my Tsunami 5054 to authenticate, it locks and refuses to talk to the RADIUS server. The users file is just the MAC address. I am not sure where the problem lies, on the RADIUS server or on the Tsunami? Again, any and all help is greatly appreciated.
>
> The entry for clients.conf is simple:
>
> client xx.xx.xx.x {
>         secret = xxxpasswordxxx
>         shortname = xxshortbusxx
> }
>
> and the users entry:
>
> (mac address)   Auth-Type := Local, User-Password := x
>
> As I said, simple, but even the simplest things come with complications. Is there something I am missing?

--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
Re: RADIUS + MySQL + decisionmaking?
On Wed, 2006-09-27 at 02:47 +0100, Jan Mulders wrote:
> Hello,
>
> I am trying to set up some decision-making logic in FreeRADIUS, to assign users a different speed of service depending on how much bandwidth they've used since their billing started. I want to issue 512k speed to users in group A who have used less than 20GB of bandwidth (monthlybytecounter is working fine at the moment and totals this up nicely). However, if they've used more than 20GB, I want to issue 256k speed to those users. For group B, I want users to get 10Mbps as long as they've used less than 50GB of bandwidth, and 1Mbps if they're over. I want to assign the values for speed to some vendor-specific variable, let's say Max-User-Speed.

Hi

I am replying because I haven't seen any other replies.

The attribute you use will depend on the NAS equipment you are using. Check the documentation and dictionaries for your RADIUS client.

> I am using MySQL for this. Here is a snippet from my database:
>
> radcheck table:
>   username, attribute, op, value
>   testuser1, Password, ==, testing
>
> usergroup table:
>   username, groupname
>   testuser1, groupa
>
> Here is a snippet from my radiusd.conf file:
>
> instantiate {
>         monthlybytecounter
> }
> authorize {
>         preprocess
>         sql
> }
> authenticate {
>         pap
> }
> preacct {
>         preprocess
> }
> accounting {
>         #acct_unique
>         #detail
>         sql
>         radutmp   # ?
> }
> session {
>         radutmp   # ?
>         sql
> }
>
> My question is... how do I implement this? Can anyone write down a few examples of how I'd go about making these rules? Would I perhaps be better off making a cronjob or something that changes the user's group to one of the following: groupA_belowcap, groupA_overcap, groupB_belowcap, groupB_overcap?

I do not usually work with MySQL, but you are on the right track using a counter. You didn't say if it was an sqlcounter, which is what I would use. I would also drop the radutmp bits, and do everything from SQL. One other note: I usually keep the detail bits, for archival purposes in case of a dispute.
As for examples, this is as close as I can give you with the bits you want:

--- snip ---
modules {
        detail acct_log {
                detailfile = ${radacctdir}/%Y/%m/detail-%Y%m%d
                detailperm = 0640
                dirperm = 0750
        }

        sqlcounter dailycounter {
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                sqlmod-inst = sql
                key = User-Name
                reset = daily
                query = "SELECT SUM(AcctSessionTime - \
                         GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                         FROM radacct WHERE UserName='%{%k}' AND \
                         UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
        }

        sqlcounter monthlycounter {
                counter-name = Monthly-Session-Time
                check-name = Max-Monthly-Session
                sqlmod-inst = sql
                key = User-Name
                reset = monthly
                query = "SELECT SUM(AcctSessionTime - \
                         GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                         FROM radacct WHERE UserName='%{%k}' AND \
                         UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
        }
}

instantiate {
        dailycounter
        monthlycounter
}

authorize {
        sql
        dailycounter
        monthlycounter
}

accounting {
        acct_log
        sql
}

session {
        sql
}
--- snip ---
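What the sqlcounter query above actually computes, as an added example in plain Python (not the post's configuration and not rlm_sqlcounter code): for each session that ended after the reset boundary %b, only the part of AcctSessionTime after %b is counted, the sum is compared with the check item (Max-Monthly-Session), and a user still under the limit gets the remaining time as Session-Timeout. The radacct rows, the reset timestamp and the limit are constructed for the example.

```python
"""rlm_sqlcounter's arithmetic, reproduced in Python (added example).

Not FreeRADIUS code and not the configuration from the post.  It mirrors
the query there:

    SELECT SUM(AcctSessionTime - GREATEST(%b - UNIX_TIMESTAMP(AcctStartTime), 0))
    FROM radacct WHERE UserName = key AND
         UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > %b

and then the module's accept/reject decision against the check item.
Times are Unix timestamps; rows and limits are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AcctRow:
    username: str
    acct_start_time: int     # UNIX_TIMESTAMP(AcctStartTime)
    acct_session_time: int   # AcctSessionTime, in seconds


def seconds_used_since(rows: List[AcctRow], username: str, reset_time: int) -> int:
    """Seconds of service used by `username` since the period began at `reset_time`.

    A session straddling the boundary contributes only the part after it;
    sessions that ended before the boundary are ignored entirely.
    """
    total = 0
    for r in rows:
        if r.username != username:
            continue
        if r.acct_start_time + r.acct_session_time <= reset_time:
            continue                       # ended before the period started
        total += r.acct_session_time - max(reset_time - r.acct_start_time, 0)
    return total


def authorize(rows: List[AcctRow], username: str, reset_time: int,
              max_session: Optional[int]) -> dict:
    """Mimic the sqlcounter decision for one Access-Request.

    Returns {"accept": bool, "Session-Timeout": int or None, "used": int}.
    With no check item configured for the user, the counter does nothing.
    """
    used = seconds_used_since(rows, username, reset_time)
    if max_session is None:
        return {"accept": True, "Session-Timeout": None, "used": used}
    if used >= max_session:
        return {"accept": False, "Session-Timeout": None, "used": used}
    return {"accept": True, "Session-Timeout": max_session - used, "used": used}


# Constructed sample: the month reset at t = RESET.
RESET = 1_000_000
SAMPLE_ROWS = [
    AcctRow("testuser1", RESET - 3_600, 7_200),   # straddles the reset: 3600 s count
    AcctRow("testuser1", RESET + 100, 1_000),     # wholly inside the period: 1000 s
    AcctRow("testuser1", RESET - 9_000, 500),     # ended before the reset: ignored
    AcctRow("other", RESET + 5, 99_999),          # different user: ignored
]

if __name__ == "__main__":
    print(authorize(SAMPLE_ROWS, "testuser1", RESET, max_session=10_000))
```

An octet-based counter like the one the original poster wants has the same shape with SUM(AcctInputOctets + AcctOutputOctets) in place of the session-time expression; the straddling-session clip then does not apply, because octet totals are not time-proportional.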
Re: Duplicate requests in a session
On Thu, 2006-08-31 at 12:31 +0300, Peter Nixon wrote:
> Good question. Does anyone have anything against changing this?
>
> -Peter
>
> On Thu 31 Aug 2006 10:11, Santiago Balaguer García wrote:
>> Thanks James,
>> I don't figure out how using a primary key solves the problem of duplicate keys. I had radacctid as the primary key in radacct, but now I am going to have acctuniqueid. This problem causes a new thread: why is radacctid the primary key of the radacct table instead of acctuniqueid?

I used a slightly different solution in my PostgreSQL implementation:

ALTER TABLE ONLY radacct
        ADD CONSTRAINT radacct_unique_session
        UNIQUE (username, nasipaddress, nasportid, acctsessionid);

NOTE: When duplicate records come in you will see errors in the log file like these:

Fri Jul  7 13:06:47 2006 : Error: rlm_sql (sql): failed after re-connect
Fri Jul  7 13:06:47 2006 : Error: rlm_sql (sql): Couldn't insert SQL accounting START record - ERROR: duplicate key violates unique constraint "radacct_unique_session"

These errors are mostly informational, because when the insert fails, rlm_sql will use the alternate update method and will succeed. This is the same method I used on a customized Cistron server for over 5 years and had no problems. For some reason acctuniqueid was not unique in the duplicate packets, so my initial attempts at using it were unsuccessful.

PostgreSQL can have a primary key that spans multiple columns, and it would look like this {IIRC}:

ALTER TABLE ONLY radacct
        ADD CONSTRAINT radacct_pkey_session
        PRIMARY KEY (username, nasipaddress, nasportid, acctsessionid);

I did not use this, because I did not want to significantly change the default configuration of most of the tables. Once I get a chance to clean up the admin interface I have been developing I will likely want to add some changes to the PostgreSQL default schema that will allow better management without affecting the default configuration, but since I am not finished I don't want to add the changes to CVS quite yet.

>> From: James Wakefield [EMAIL PROTECTED]
>> Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
>> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
>> Subject: Re: Duplicate requests in a session
>> Date: Wed, 30 Aug 2006 22:07:09 +1000
>>
>> Santiago Balaguer García wrote:
>>> Hi people,
>>>
>>> 1) In my activity I realize that when the connection to the Internet of a NAS is NOT good (there are some reday in the DSL), the NAS sends several Start requests. My problem is that my RADIUS server acks all these requests and they are inserted in my DB. So, when the user or the NAS finalizes the session and the NAS sends a Stop request, the credit associated with the user account is decremented several times. It happens so because I put a trigger in my DB to decrement the user credit automatically. Can I avoid the problem of inserting the Start request several times? If so, how?
>>>
>>> 2) Is it supposed that the values of acctsessionid and acctuniqueid in the radacct table are UNIQUE and cannot be duplicated?
>>>
>>> Thanks,
>>> Santiago
>>
>> Hi Santiago,
>>
>> Does your DBMS enforce primary key constraints? Do you have a primary key defined for your radacct table? If I recall correctly, MySQL by default doesn't; are you using MySQL?
>>
>> Cheers,
>> --
>> James Wakefield, Unix Administrator, Information Technology Services Division
>> Deakin University, Geelong, Victoria 3217 Australia.
>> Phone: 03 5227 8690 International: +61 3 5227 8690
>> Fax: 03 5227 8866 International: +61 3 5227 8866
>> E-mail: [EMAIL PROTECTED] Website: http://www.deakin.edu.au

--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
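The insert-then-update behaviour Guy describes, as an added example that is not the post's schema and not rlm_sql code: with a multi-column UNIQUE constraint on radacct, a retransmitted Accounting Start fails the INSERT and is turned into an UPDATE of the existing row, so one session is stored once however many Starts arrive, and the Stop (and anything keyed off it, such as the original poster's credit trigger) then matches exactly one row. SQLite stands in for PostgreSQL, the column set is trimmed to what the example needs, and the packets are constructed.

```python
"""Duplicate Accounting Starts against a multi-column UNIQUE constraint.

Added example; not the list post's schema and not rlm_sql.  The constraint
is the one from the post, UNIQUE(username, nasipaddress, nasportid,
acctsessionid); SQLite stands in for PostgreSQL and the packets are
constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    radacctid       INTEGER PRIMARY KEY AUTOINCREMENT,
    acctsessionid   TEXT NOT NULL,
    username        TEXT NOT NULL,
    nasipaddress    TEXT NOT NULL,
    nasportid       TEXT NOT NULL,
    acctstarttime   INTEGER,
    acctstoptime    INTEGER,
    acctsessiontime INTEGER,
    CONSTRAINT radacct_unique_session
        UNIQUE (username, nasipaddress, nasportid, acctsessionid)
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def handle_start(conn: sqlite3.Connection, pkt: dict) -> str:
    """Insert the Start; on a UNIQUE violation update the existing row instead.

    Returns "inserted" or "updated", the two paths behind the
    'Couldn't insert ... START record' log line and the fallback it mentions.
    """
    try:
        with conn:
            conn.execute(
                "INSERT INTO radacct (acctsessionid, username, nasipaddress, nasportid, acctstarttime) "
                "VALUES (:sid, :user, :nas, :port, :start)", pkt)
        return "inserted"
    except sqlite3.IntegrityError:
        with conn:
            conn.execute(
                "UPDATE radacct SET acctstarttime = :start "
                "WHERE username = :user AND nasipaddress = :nas AND nasportid = :port "
                "AND acctsessionid = :sid", pkt)
        return "updated"


def handle_stop(conn: sqlite3.Connection, pkt: dict) -> int:
    """Close the session; returns how many rows the Stop matched (should be 1)."""
    with conn:
        cur = conn.execute(
            "UPDATE radacct SET acctstoptime = :stop, acctsessiontime = :stop - acctstarttime "
            "WHERE username = :user AND nasipaddress = :nas AND nasportid = :port "
            "AND acctsessionid = :sid AND acctstoptime IS NULL", pkt)
    return cur.rowcount


def session_rows(conn: sqlite3.Connection, sid: str) -> int:
    return conn.execute("SELECT COUNT(*) FROM radacct WHERE acctsessionid = ?",
                        (sid,)).fetchone()[0]


# Constructed packets: the NAS retransmits the same Start three times, then Stops.
START = {"sid": "8000001F", "user": "santiago", "nas": "192.0.2.10",
         "port": "0/1", "start": 1_000}
STOP = dict(START, stop=1_600)


def demo() -> dict:
    conn = open_db()
    outcomes = [handle_start(conn, START) for _ in range(3)]
    matched = handle_stop(conn, STOP)
    return {"outcomes": outcomes, "rows": session_rows(conn, START["sid"]),
            "stop_matched": matched}


if __name__ == "__main__":
    print(demo())
```

Without the constraint the three Starts would produce three rows and the Stop would update all of them, which is exactly the multiple-decrement the original poster saw from his trigger.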
Re: sqlcounter
On Wed, 2006-08-30 at 15:35 +0200, Graham Beneke wrote:
> K. Hoercher wrote:
>> On 8/29/06, Fabiano Martins [EMAIL PROTECTED] wrote:
>>> I've been searching with no success about this... It's frustrating... there are no documents about it.
>>
>> Perhaps looking into the very obscure doc/rlm_sqlcounter file helps, although it's not DOC for some strange reason.
>
> I've also looked at that document and it has not got me any closer to knowing what is going on. It gives examples of how to use sqlcounter for time-based billing, but it does not explain what the different elements of the sqlcounter are or how they work. I am wanting to build an octets-based billing system using some custom dictionary items from the Chillispot NAS, but I can't find info anywhere, although I have heard that it has been successfully implemented.

There is also some documentation in the config file. There may also be some documentation in the comments within the source code. I believe this has been discussed many times and there should be some information in the archives. Have you Googled for it?

Once you figure it out, maybe you wouldn't mind contributing some better documentation for rlm_sqlcounter to the project. I am sure future implementers would appreciate it.
RE: Report Generator
Me too. I have also built a report generator, into the management system I built. I can provide snippets, but not the whole source until I get authorization.

Here is a little snippet that allows the PHP output to be automatically opened in a spreadsheet:

---begin---
// $output contains tab [\t] delimited fields
// and linefeed [\n] delimited records
$size_in_bytes = strlen($output);
// Attachment name: report-<report>-<start yyyymm>_<end yyyymm>-<group>_<user>-<date>
$filename = "report-" . $_SESSION['report'] . "-" . $syear . $smonth . "_" . $eyear . $emonth
          . "-" . $gmatch . "_" . $umatch . "-" . date("Y-m-d");
if (strstr($_SERVER['HTTP_USER_AGENT'], 'Safari') !== false) {
    // User Agent is Safari = Broken
    // Document must be opened and saved with a text editor
    // before excel can open it
    header("Content-type: application/vnd.ms-excel");
    header("Content-disposition: attachment; filename=" . $filename . ".txt; size=" . $size_in_bytes);
} else {
    header("Content-type: application/vnd.ms-excel");
    header("Content-disposition: attachment; filename=" . $filename . ".tab; size=" . $size_in_bytes);
}
echo $output;
---End---

Note: When this works, the web page does not change since the data is output as the attachment.

On Thu, 2006-08-24 at 11:04 -0600, Scott Miller wrote:
> I've also created a report generator - but mine does not require you to input the IP address. It just authenticates the user, asks for the month they want to display, and if they want a summary report or a detailed report. It is actually an old ICRadius script (written in PHP) that I found and modified to fit my needs. I'm willing to share this one as well if anyone is interested.
>
> Scott
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sean
> Sent: Wednesday, August 23, 2006 1:58 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Report Generator
>
> Hi,
>
> I've written a report generator in PHP and HTML that will allow your clients to generate usage reports from the FreeRadius log files. When the user logs in he/she is asked for their IP address and the Month that they want to display. If anyone wants a copy let me know. If there is enough interest I'll make it available for public download.
>
> Regards,
> Sean Bracken
> http://swarmhotspots.com
rlm_sql variable substitution clarification
I have run into an issue where we now have different types of NAS servers. I would like to use %{Connect-Info} if available or a string formatted from two attributes like:

D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}

This is how I tried to do it:

ConnectInfo_stop = \
  '%{Connect-Info:-D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}}'

This is what I get when %{Connect-Info} is not available:

D_X

I haven't seen any examples where two attributes are combined to make one attribute.

Thanks
Re: rlm_sql variable substitution clarification
On Fri, 2006-07-07 at 11:02 -0600, Guy Fraser wrote:
> I have run into an issue where we now have different types of NAS servers. I would like to use %{Connect-Info} if available or a string formatted from two attributes like:
>
> D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}
>
> This is how I tried to do it:
>
> ConnectInfo_stop = \
>   '%{Connect-Info:-D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}}'
>
> This is what I get when %{Connect-Info} is not available:
>
> D_X
>
> I haven't seen any examples where two attributes are combined to make one attribute.
>
> Thanks

I figured it out when running debug for some other reason, sorry for the stupid question.

Reason:

X-Ascend-Disconnect-Cause = PPP-Rcv-Terminate-Req
X-Ascend-Connect-Progress = LAN-Session-Up
X-Ascend-Data-Rate = 26400
X-Ascend-PreSession-Time = 32
X-Ascend-Pre-Input-Octets = 364
X-Ascend-Pre-Output-Octets = 253
X-Ascend-Pre-Input-Packets = 15
X-Ascend-Pre-Output-Packets = 13
X-Ascend-First-Dest = 209.115.142.9
X-Ascend-Xmit-Rate = 26400
X-Ascend-Modem-PortNo = 21
X-Ascend-Modem-SlotNo = 16
X-Ascend-Modem-ShelfNo = 1

The attributes are not named like they were in Cistron dictionaries. They all start with X-.

Thanks anyway.
Re: rlm_sql variable substitution clarification
On Fri, 2006-07-07 at 11:19 -0600, Guy Fraser wrote:
> On Fri, 2006-07-07 at 11:02 -0600, Guy Fraser wrote:
>> I have run into an issue where we now have different types of NAS servers. I would like to use %{Connect-Info} if available or a string formatted from two attributes like:
>>
>> D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}
>>
>> This is how I tried to do it:
>>
>> ConnectInfo_stop = \
>>   '%{Connect-Info:-D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}}'
>>
>> This is what I get when %{Connect-Info} is not available:
>>
>> D_X
>>
>> I haven't seen any examples where two attributes are combined to make one attribute.
>>
>> Thanks
>
> I figured it out when running debug for some other reason, sorry for the stupid question.
>
> Reason:
>
> X-Ascend-Disconnect-Cause = PPP-Rcv-Terminate-Req
> X-Ascend-Connect-Progress = LAN-Session-Up
> X-Ascend-Data-Rate = 26400
> X-Ascend-PreSession-Time = 32
> X-Ascend-Pre-Input-Octets = 364
> X-Ascend-Pre-Output-Octets = 253
> X-Ascend-Pre-Input-Packets = 15
> X-Ascend-Pre-Output-Packets = 13
> X-Ascend-First-Dest = 209.115.142.9
> X-Ascend-Xmit-Rate = 26400
> X-Ascend-Modem-PortNo = 21
> X-Ascend-Modem-SlotNo = 16
> X-Ascend-Modem-ShelfNo = 1
>
> The attributes are not named like they were in Cistron dictionaries. They all start with X-.
>
> Thanks anyway.

Foiled again :^(

I changed it to:

ConnectInfo_stop = \
  '%{Connect-Info:-D%{X-Ascend-Data-Rate}_X%{X-Ascend-Xmit-Rate}}'

Now I get stuff like:

D26400

Help would still be appreciated.
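To show what a correct expansion of the `%{Attr:-default}` form used above has to do, here is a small expander written for this page (it is not FreeRADIUS's xlat code and not from the thread). The default branch is itself an xlat string, so the parser must find the closing brace of the current expansion by counting nesting depth from where it entered rather than stopping at the first `}`. The function names `xlat` and `_find_closing_brace` and the dict-based attribute store are my own; the request values are constructed from the attribute names in Guy's debug output.

```python
"""Added example: a depth-aware expander for %{Attr} and %{Attr:-default}.

Assumptions (mine): request attributes live in a plain dict keyed by name;
only these two xlat forms are handled, none of the other xlat functions.
"""


def _find_closing_brace(text: str, start: int) -> int:
    """Index of the '}' that closes the '%{' at text[start:start+2].

    Depth is counted from the entry point, so a nested %{...} inside a
    default consumes only its own closing brace, not the enclosing one."""
    depth = 0
    i = start
    while i < len(text):
        if text.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced braces in xlat string: " + text)


def xlat(template: str, attrs: dict) -> str:
    """Expand %{Attr}; for %{Attr:-default} use the expanded default when
    Attr is absent or empty."""
    out = []
    i = 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        end = _find_closing_brace(template, i)
        body = template[i + 2:end]
        name, sep, default = body.partition(":-")   # first ':-' belongs to this level
        value = attrs.get(name, "")
        if value == "" and sep:
            value = xlat(default, attrs)            # the default is an xlat string too
        out.append(value)
        i = end + 1
    return "".join(out)


# Constructed stop request using the X-Ascend-* names seen in the debug output.
STOP_REQUEST = {"X-Ascend-Data-Rate": "26400", "X-Ascend-Xmit-Rate": "26400"}
CONNECT_INFO_STOP = "%{Connect-Info:-D%{X-Ascend-Data-Rate}_X%{X-Ascend-Xmit-Rate}}"


if __name__ == "__main__":
    print(xlat(CONNECT_INFO_STOP, STOP_REQUEST))                    # D26400_X26400
    print(xlat(CONNECT_INFO_STOP, {"Connect-Info": "33600/V90"}))  # 33600/V90
```

With the depth check in place the default expands to the full `D26400_X26400` rather than stopping after the first nested attribute; when `Connect-Info` is present it wins and the default is never expanded.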
Re: rlm_sql variable substitution clarification
On Fri, 2006-07-07 at 14:18 -0400, Alan DeKok wrote: Guy Fraser [EMAIL PROTECTED] wrote: The attributes are not named like they were in Cistron dictionaries. They all start with X-. There's still a bug: Reply-Message = `%{Reply-Message:-x%{User-Password}x}` returns xbob for the standard test of user bob/bob. Patch is given below. Index: src/main/xlat.c === RCS file: /source/radiusd/src/main/xlat.c,v retrieving revision 1.72.2.7.2.1 diff -u -r1.72.2.7.2.1 xlat.c --- src/main/xlat.c 8 Dec 2005 12:47:56 - 1.72.2.7.2.1 +++ src/main/xlat.c 7 Jul 2006 18:24:08 - @@ -533,7 +533,7 @@ * useless if we found what we need */ if (found) { - while((*p != '\0') (openbraces 0)) { + while((*p != '\0') (openbraces *open)) { /* * Handle escapes outside of the loop. */ Thank you, I'll give it a shot. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
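Review bot: the comparison operators between `(*p != '\0')` and `(openbraces 0)` / `(openbraces *open)` are missing as rendered here, so neither the removed nor the added `while` condition is valid C as shown; anyone applying this should verify the operators against the checked-out xlat.c rather than pasting from the mail. The intent of the one-line change is visible: the loop is now bounded by the brace depth at entry (`*open`) instead of zero, so a nested `%{...}` inside a `:-` default stops at its own closing brace rather than running on into the enclosing expansion. The reporter's own case, `%{Reply-Message:-x%{User-Password}x}` returning `xbob` instead of `xbobx` for user bob/bob, is the regression test that should go in alongside the patch, since none accompanies it.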
Re: Fixed IP
Hi Mahesh,

This is *totally* independent of the authentication process. You don't need to do anything to the RADIUS server to do this. You need a DHCP server. When your client (the PC) is attached to a particular subnet, it will request a DHCP address by sending a broadcast to find a DHCP server. The DHCP server will see the MAC address from which the request was sent and, if a one-to-one mapping between that MAC address and an IP address exists in the config files for the DHCP server, it will return that IP address. The RADIUS server's job is over well before that happens (except for any accounting it may do).

Rgds,
Guy

On 28/06/06, Mahesh S Kudva [EMAIL PROTECTED] wrote:
> Thanks for the guidance. How can I use the post-auth section??
>
> Regards
> Thanks
> Mahesh S Kudva
>
> -----Original Message-----
> From: Phil Mayers [EMAIL PROTECTED]
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Date: Tue, 27 Jun 2006 10:30:37 +0100
> Subject: Re: Fixed IP
>
> Mahesh S Kudva wrote:
>> Hi
>> I am running Freeradius on Mac OS X. How do I assign fixed IP addresses to my wireless clients who are authenticating under Apple Base stations??
>
> You can't with radius. 802.11 clients assign IP addresses by DHCP after the link, so you would need to configure the DHCP server appropriately. (In theory one could push an IP from FreeRadius into the DHCP server e.g. in the post-auth section with an exec module, but that would be a custom solution you'd have to make yourself)
>
> ---
> Robosoft Technologies - Come home to Technology
Re: Fixed IP
This is probably best achieved using DHCP rather than RADIUS. Once RADIUS has authenticated the user and the device is connected to the subnet, you'll normally obtain a dynamic IP address via DHCP. DHCP can be configured to give a fixed IP address to a particular MAC address.

Rgds,
Guy

On 26/06/06, Mahesh S Kudva [EMAIL PROTECTED] wrote:
> Hi
> I am running Freeradius on Mac OS X. How do I assign fixed IP addresses to my wireless clients who are authenticating under Apple Base stations?? Any suggestions welcome
>
> Regards
> Thanks
> Mahesh S Kudva
>
> ---
> Robosoft Technologies - Come home to Technology
Re: help,need radius client
Hi Eric,

If you just want a test client, then you can either use the radclient, which is bundled with freeradius (or radtest which provides a front end to radclient). Alternatively, if you want to use a Windows PC to test from, there are various options. Just put "radius test client" into Google and there are a few (e.g. NTRadPing, radlogin, etc). I've yet to find anything specifically for OSX with a similar front end to NTRadPing or radlogin.

Rgds,
Guy

On 23/05/06, Guillermo Rodriguez [EMAIL PROTECTED] wrote:
> On Tue, 23-05-2006 at 17:23 +0800, lee eric wrote:
>> hello all,
>> I used freeradius to config my radius server, and now I need a radius client to communicate with the radius server. I searched through Google and have not any idea, can someone give any suggestions?
>
> Yes, search in the mailing list of freeradius.
>
> Regards.
> Guillermo
>
>> 3xs
>> eric
Re: freeradius upgrade
Hi Giuseppe,

In general, you can upgrade straight from one version to the next by doing a configure; make; make install if you used that method to install in the first place (rather than an RPM or other package manager). If you have any custom dictionaries, be sure to back up /usr/local/share/freeradius before doing the make install and then merge your custom entries back into the new dictionaries that will be installed there. Other than that, it should go pretty well. I had no specific issues I can remember going from 1.0.x to 1.1.0. I have had issues compiling 1.1.1 but that should be fixed apparently in 1.1.2.

Rgds,
Guy

On 17/05/06, Giuseppe Parlato [EMAIL PROTECTED] wrote:
> no one can help me ?
>
> Giuseppe
>
> ----- Original Message -----
> From: Giuseppe [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Sent: Wednesday, May 17, 2006 11:08 AM
> Subject: freeradius upgrade
>
>> Hello all,
>> I'm new here and a freeradius newbie. I have to upgrade from freeradius 1.0.1 to 1.1.1 on red hat linux. Do you have any advice or help? Is the default 1.0.1 installation the same as the new one, 1.1.1? I mean does it install files in /usr/local/etc for configuration files, /usr/local/var/log for log files and /usr/local/lib for libraries? .. then the configuration file I suppose won't be changed, right? .. then the procedure is the same as the installation procedure?
>>
>> thanks
>> Giuseppe
Re: Regular expression - Trying to rewrite User-Name
On Thu, 2006-11-05 at 15:13 -0400, Damian Porter wrote:
> I have been struggling with this problem for a few days now. I use Centos 4.3 and freeradius 1.0.1. I am trying to rewrite a username to include dashes. See my statement below in the rewrite section.
>
> searchfor = ([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})
> replacewith = %{1}-%{2}-%{3}-%{4}-%{5}-%{6}
>
> This is the output that I am getting in my radius.log file.
>
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #2
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #3
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
> Thu May 11 14:36:24 2006 : Info: Ready to process requests.
> Thu May 11 14:36:39 2006 : Auth: Login incorrect: [0e35-353afe-3afe19-fe19/NOPASSWORD] (from client$
> Thu May 11 14:38:49 2006 : Auth: Login incorrect: [13ce-ce20f9-20f949-f949/NOPASSWORD] (from client$
> Thu May 11 14:38:56 2006 : Auth: Login incorrect: [0e35-353ad7-3ad71b-d71b/NOPASSWORD] (from client$
>
> PS I have even gone as far as downloading regular expression programs to check my code. If anybody has any suggestions or has encountered this problem before let me know.

I have no idea if that is supposed to work, but I noticed what appears to be a problem:

0e35-353ad7-3ad71b-d71b

Can not be parsed with:

([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})

Because;
1) 0e35-353ad7-3ad71b-d71b is 24 characters not 12
2) You have no provisions for '-' characters.

So your search will not get a match.
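To see what the posted searchfor/replacewith pair actually accepts, here is the rewrite applied with Python's `re` module (an added example for this page, not rlm_attr_rewrite code and not from the thread). The `%{N}` back-references are written in Python's `\N` form, the match is anchored to the whole username, and `why_no_match` reports the two things Guy checks by hand: total length and characters outside `[a-z0-9]`. The usernames are constructed.

```python
"""Added example: the thread's regex rewrite, run under Python's re module.

Assumptions (mine): the username is meant to be a 12-character lowercase
hex string (a MAC address with separators removed); the samples are made up.
"""
import re

# The searchfor / replacewith pair from the post, back-references in \N form.
SEARCHFOR = re.compile(
    r"([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})"
)
REPLACEWITH = r"\1-\2-\3-\4-\5-\6"


def rewrite_username(name: str) -> str:
    """Return the six dash-separated pairs when the whole name matches,
    otherwise the name unchanged (no partial rewrite of longer strings)."""
    m = SEARCHFOR.fullmatch(name)
    return m.expand(REPLACEWITH) if m else name


def why_no_match(name: str) -> list[str]:
    """Explain a non-match in the terms the pattern imposes."""
    reasons = []
    if len(name) != 12:
        reasons.append(f"length is {len(name)}, pattern needs exactly 12")
    bad = sorted({c for c in name if not re.fullmatch(r"[a-z0-9]", c)})
    if bad:
        reasons.append("characters outside [a-z0-9]: " + "".join(bad))
    return reasons


if __name__ == "__main__":
    for sample in ("0e35353afe19", "0E35353AFE19", "0e35-353ad7-3ad71b-d71b"):
        print(sample, "->", rewrite_username(sample), why_no_match(sample))
```

Two things fall out of running it: an already-dashed value never matches (wrong length, and `-` is outside the class), and so does an uppercase MAC, because the class is lowercase-only. A rewrite that is applied to a value it has already rewritten, or to the NAS's uppercase form, will therefore silently do nothing.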
Re: New PHP for interface
On Sat, 2006-29-04 at 15:07 -0500, JasonN wrote:
> On 4/29/06, mnisay [EMAIL PROTECTED] wrote:
>> I believed he was referring to browsable dialup administration page using PHP+APACHE+FreeRadius+MySQL direct access to authentication server.
>
> You are correct. I had this coded up by a member of my team for a client that runs a small access userbase (dialup). Obviously, dialup is only one of many things you can use radiusd for, and FreeRadius may be modified to do all sorts of stuff. All this PHP interface does is hook you up to the dB (could be remote, but by default I do it locally) and allow you to edit the MySQL dB you're using for your radiusd authentication.
>
>> What type of operations are u using? Local only w/ direct access to FR or remote w/ only configs of BD?
>
> If nobody takes offense, I'll just post the URI to download the php code. It's short and sweet. Some of you may find it useful. Obviously, it's not as robust as the the intends to be. But, it's also not broken. Anyone interested in working from this start to build something much more feature rich, please contact me directly. I don't wish to pollute this list. If we come up with something the FreeRadius commit team wish to use, we may offer it at that time. Right now, this is very basic. But, it makes my ISP clients very happy.
>
> http://www.jasonn.com/files/projects/manage.php.txt
>
> If you want to participate, please don't waste the list's time discussing it here. It's extraneous to the FreeRadius core, even though it may be very useful to many of you. You are welcome to email me personally. - [EMAIL PROTECTED]

I'll definitely check it out when I get a chance. If it does some of what I need, I will help write some routines to make it work with PostgreSQL as well as MySQL. I have some PHP code I started to develop that has functions to read the configuration files. My code can be integrated with what you have to allow your code to use items from radiusd.conf and the included files. This would allow a more seamless integration and simpler setup.

I will dig around, I am pretty sure I have some code that allows CSS and table formatted output to be generated from arrays generated by SQL queries and other things as well. It makes fairly easy work of beautifying generated output. ;^)
Re: mysql replication vs. radrelay
On Fri, 2006-28-04 at 15:37 +0200, Olaf Schaefer wrote:
>> 1.8 ?
> Freeradius 1.1.1 comes with dialup-admin v1.70.2, the recent CVS includes v1.80
>
>> a file in the documentation directory. The last batch of patches
> Where can I find your patches? Maybe you've done something which could be useful for me. :)

Most were incorporated into the CVS head before FreeRadius was 1.0.0. I doubt I have any of the original patch files anymore.

>> That's right. I would have to study the GPL and FSF licences, to understand the implications.
> Hmmm, isn't freeradius itself released under the same license?

Sure, supplying patches that fix bugs or provide improvements does not concern me, because I know that is allowed. Taking the code for dialup_admin, breaking it down and turning it into something else is quite different. I respect the tremendous amount of work that went into dialup_admin, and I am sure that many people find it meets their needs. Some of the minimum requirements I have to meet require significant changes, and rather than struggle to get my changes included. I know that I don't like it when people use my code without giving me any credit, making it seem easier to start from scratch so that I don't appear to be taking credit for work that I did not do on my own.

>>> That sounds like much work
>> It's like eating an Elephant. Start off with small bites, and just keep on munching, until eventually you're done.
> Bon appetit! ;)

>> I am still mulling it over.
> I think it has to be clear what the expected usage is. I mean there are two directions, the first is the (technical) administration of the radius server concerning tasks like setting up NAS, IP-pools, configuration in general etc. The second is the business-thing, like adding users, billing evaluation of accounting data, colorful statistics :) etc.

Absolutely, I think there are basically three types of activity:

1) Configuration - Used very rarely by knowledgeable staff, to change operation of the server.
2) Administration - Maintenance of administration, user accounts, service packages, billing systems and report generators.
3) User - Allows users to maintain parts of their account(s) that are permitted, and view the reports they are permitted to see.

Some of the tools required to make configuration possible can also be used for administration and in some cases the user area as well, but using a conditioned read only method. For instance it would be easier for administration to be able to select dictionary attributes from a list then be able to select valid values for that attribute, or have their entries verified as being valid.

> I guess Dialup-Admin is somewhere in between. So a real GUI-configuration tool would be very nice.
>
>> My Boss ruled it out. He doesn't want a bunch of bits and pieces that are loosely coupled. Unfortunately, what he wants to use is too limited to do what is needed, but is easy to use.
> I know this scenario, too :)
>
> Have a nice weekend. After work I'm going to look for some elephants...

I hope you get something to eat first. ;^)
Re: mysql replication vs. radrelay
On Tue, 2006-25-04 at 07:19 +0200, Olaf Schaefer wrote:
>> I have given up on dialup-admin for now. It seemed broken when
> for now but not forever ;)

Who knows. ;-)

>> I tested the version that comes with 1.1.1, and there are parts that need too much work for what I want. I also don't like the
> I use version 1.80 from the CVS snapshot. It seems quite stable

1.8 ?

>> php3 extensions since it is in php4 and have been unable to
> Yes, the php3 extensions are funny
>
>> have those and some other changes accepted in CVS. I have not
> What do you mean?^^^

A fair while ago I spent a considerable amount of time making patches to allow dialup_admin to work with PostgreSQL and NetSNMP. I also made some other enhancements which are noted in a file in the documentation directory. The last batch of patches I submitted were not accepted, and after a while I gave up on it to work on other more urgent projects.

>> fully read the licence dialup-admin uses so I decided to start
> After you mentioned the licence issue I got curious and searched dialup-admin. I found:
>
> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

That's right. I would have to study the GPL and FSF licences, to understand the implications.

>> from scratch without referencing it at all.
> That sounds like much work

It's like eating an Elephant. Start off with small bites, and just keep on munching, until eventually you're done.

>> that I need to write as well. I am also considering using C and the wxWidget cross platform libraries to design a more comprehensive Integrated Management System, but I will need
> Ambitious plan :) Do you want to do it all on your own?

I am still mulling it over.

>> to learn how to build a GUI app first. So far I have only built console and web based GUI apps, but PHP and Java may not work for the end project. I will need hierarchical administration and access control for my implementation. The system will also need the ability to search for related accounts and quickly navigate between them, and produce reports and audit trails. Since I have experience accessing
> In my eyes that's all only ;) a question of DB-queries. So I don't see the advantage (for my needs) of programming a new DB-Interface. Have you tried freeside (http://www.sisd.com/freeside)? I can't tell you much about it, I only had a glance at it. AFAIK it offers for instance automated invoices.

My Boss ruled it out. He doesn't want a bunch of bits and pieces that are loosely coupled. Unfortunately, what he wants to use is too limited to do what is needed, but is easy to use. The things that are almost what we need are usually too difficult or the accountants rule them out. There was a lot of training to get our current system where we wanted it, now there are no old dogs that want to learn new tricks. :^( The only way I will get anything through, is if I can seamlessly integrate into what they want, or make something that does everything required from a single application, so there are no more multiple entry situations that are required to maintain accounts.
Re: PostgreSQL tables in a schema
On Thu, 2006-20-04 at 20:02 +0300, Milen A. Radev wrote:
> Is it possible to place the necessary tables in a separate schema? We need to cross-reference some tables and it would be very convenient if we could place the tables inside the same database together with our other schemas. I saw that the table names are specified in the configuration file (postgresql.conf). Probably it would be easy to prepend the schema name. But I saw some other tables in the DB that are not mentioned in the conf file.

If that is what you want to do, go ahead. You do not need to prepend the schema if the radius user's path includes the schema. Read the PostgreSQL docs, and customize the queries however you want. The config files are part of the documentation system and are meant to serve as samples only; it is up to you to tweak them.
Re: mysql replication vs. radrelay
On Thu, 2006-20-04 at 10:08 +0200, Olaf Schaefer wrote:
>> http://sphinx.incentre.net/radius.html
> Not bad. I've begun something similar only for IP pools but Peter Nixon announced an sql_ippool module which also stores the configuration information in the mysql-DB, so I stopped coding and am waiting for it :)
>
>> Let me know what you think.
> It's a good basis to make freeradius fully configurable via dialup admin. It shouldn't be that difficult to generate config files using the variables of your parser. When I have my production system running (migration from MS-IAS to freeradius) I'm going to make some efforts in this direction.
>
> Olaf

I have given up on dialup-admin for now. It seemed broken when I tested the version that comes with 1.1.1, and there are parts that need too much work for what I want. I also don't like the php3 extensions since it is in php4 and have been unable to have those and some other changes accepted in CVS. I have not fully read the licence dialup-admin uses so I decided to start from scratch without referencing it at all.

Unfortunately I haven't had any time to continue with this project lately, and you are the first one to respond to me about it. I have a Cisco NetFlow analyzer and traffic accounting system that I need to write as well. I am also considering using C and the wxWidget cross platform libraries to design a more comprehensive Integrated Management System, but I will need to learn how to build a GUI app first. So far I have only built console and web based GUI apps, but PHP and Java may not work for the end project. I will need hierarchical administration and access control for my implementation. The system will also need the ability to search for related accounts and quickly navigate between them, and produce reports and audit trails. Since I have experience accessing PostgreSQL in C and have some libraries I built for our current system, it may not be overly difficult to build a proper cross platform GUI interface.

I have Windows, Linux, FreeBSD as well as PPC and Intel Macs with OS9 and OS X in our office now and have had a similar variety in the past, which is why I had been using web based GUI projects in the past, but I recently came across a tutorial for wxWidgets.

I've got a ton of stuff to do today, see you later.
Re: Freeradius, mysql, please help!!!
On Wed, 2006-12-04 at 14:02 -0400, Alan DeKok wrote:
> YvesDM [EMAIL PROTECTED] wrote:
>> mysql> select * from radcheck;
>> +----+----------+---------------+----+------------------------------------+
>> | id | UserName | Attribute     | op | Value                              |
>> +----+----------+---------------+----+------------------------------------+
>> |  1 | steve    | User-Password | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |
>> +----+----------+---------------+----+------------------------------------+
>
> These are *not* clear-text passwords. They're encrypted passwords. Change the attribute name to Crypt-Password, and it should work.
>
> Alan DeKok.

You will also need to use Auth-Type := Crypt-Local

This has been discussed an enormous number of times. Please feel free to use Google to search for answers.
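The `$1$salt$hash` value in that table is an md5crypt hash, which is what Crypt-Local compares against: it re-hashes the password the client offered with the stored salt and checks for equality. As an added example for this page (not FreeRADIUS code and not from the thread), here is a pure-Python md5crypt so the check can be run offline, together with a `crypt_check` that does the comparison and a toy `authenticate` over a constructed radcheck row. The salt and password in `RADCHECK` are made up, not the poster's; the only real vector is the one from PHP's crypt() documentation used in the test.

```python
"""Added example: what Auth-Type := Crypt-Local does with a Crypt-Password
row whose value starts with $1$ (md5crypt).

Assumptions (mine): the stored value is a complete `$1$salt$hash` string and
only the $1$ scheme is handled; the radcheck row below is constructed.
"""
import hashlib
import hmac

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)'s little-endian base-64: `count` chars, 6 bits each."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """The classic $1$ scheme (salt truncated to 8 bytes, 1000 rounds)."""
    salt = salt[:8]
    magic = b"$1$"
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                 # mix in len(password) bytes of the alt digest
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(password)
    while i:                             # one byte per bit of the length: NUL or pw[0]
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                # the stretching loop
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode("ascii")


def crypt_check(password: str, stored: str) -> bool:
    """Crypt-Local style comparison: re-hash with the stored salt and compare
    in constant time. Returns False for any scheme other than $1$."""
    parts = stored.split("$")            # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        return False
    candidate = md5crypt(password.encode("utf-8"), parts[2].encode("ascii"))
    return hmac.compare_digest(candidate, stored)


# Constructed radcheck row: attribute name must be Crypt-Password, not User-Password.
RADCHECK = {
    "steve": ("Crypt-Password", md5crypt(b"secret", b"saltsalt")),
}


def authenticate(user: str, password: str) -> bool:
    """PAP-style decision: accept only if the user's Crypt-Password verifies."""
    row = RADCHECK.get(user)
    return row is not None and row[0] == "Crypt-Password" and crypt_check(password, row[1])


if __name__ == "__main__":
    print(authenticate("steve", "secret"), authenticate("steve", "wrong"))
```

The constant-time compare is cheap insurance; the more important point for the thread is that a cleartext compare against `User-Password` can never succeed here, because the client sends `secret` and the table holds the hash of it, so the attribute name decides which comparison the server performs.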
Re: mysql replication vs. radrelay
On Fri, 2006-07-04 at 10:12 +0200, Olaf Schäfer wrote:
> Not yet! That's what I'm looking for. I've already started to do something in this direction regarding ip-pools. Where can I find your parser?
>
> regards,
> Olaf

The quick site I set up hosting the files is at:

http://sphinx.incentre.net/radius.html

Let me know what you think.
Re: Problem with Cisco-AVPair
I don't think you should be setting the Auth-Type. Just let FreeRADIUS work that out. What are you doing with your Cisco AP? Are you doing PEAP/MS-CHAPv2? If so, then you must have a User-Password == foo in your user database and you *must not* set Auth-Type := EAP. You should do as Sergio says and use == in your Cisco-AVPair check item. This is a comparison.

Rgds,
Guy

On 06/04/06, Antonio Matera [EMAIL PROTECTED] wrote:
> Hallo,
> If I set Cisco-AVPair == ssid=SSID1 in my user authentication, the authentication fails with any ssid and user. If I set Cisco-AVPair := ssid=SSID1 my users are always authenticated. Is there any other configuration to set in the radius or in the access point?
>
> In my access request there is the AVPair attribute:
>
> rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
> User-Name = TEST4
> Framed-MTU = 1400
> Called-Station-Id = 0012.dacb.8420
> Calling-Station-Id = 000c.f135.f1ba
> Cisco-AVPair = ssid=VLAN3
> Service-Type = Login-User
> Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
> EAP-Message = 0x020600060d00
> NAS-Port-Type = Wireless-802.11
> Cisco-NAS-Port = 260
> NAS-Port = 260
> State = 0x0491685cf8ece3184d685dedfedbb3d4
> NAS-IP-Address = 192.168.9.104
> NAS-Identifier = ap
>
> but I don't understand if it works... Any idea?
>
> Thanks
>
> on 06/04/2006 11.39 Sergio Sagliocco said the following:
>> Hi
>> I think you have to try in this way (for example):
>>
>> TEST4 Cisco-AVPair == ssid=SSID1 , Auth-Type := EAP
>>       Tunnel-Medium-Type = IEEE-802,
>>       Tunnel-Private-Group-Id = 2,
>>       Tunnel-Type = VLAN
>>
>> DEFAULT Auth-Type := Reject
>>
>> if you want a password:
>>
>> TEST4 Cisco-AVPair == ssid=SSID1 ,User-Password=, Auth-Type := EAP
>>       Tunnel-Medium-Type = IEEE-802,
>>       Tunnel-Private-Group-Id = 2,
>>       Tunnel-Type = VLAN
>>
>> DEFAULT Auth-Type := Reject
>>
>> Regards
>> sergio
>>
>> Antonio Matera wrote:
>>> My goal is to authenticate users only if the SSID is right! Do you know how I can do it?
>>>
>>> Thanks
>>> Antonio
>>>
>>> on 05/04/2006 17.33 Sergio Sagliocco said the following:
>>>> Hello
>>>> Is your goal to authenticate users only if the SSID is right or to have different EAP Authentication methods based on SSID?
>>>>
>>>> regards
>>>> sergio
>>>>
>>>> Antonio Matera wrote:
>>>>> Hallo,
>>>>> thanks for the answer. With your solution my radius doesn't authenticate my users. Is my configuration correct or do I need other changes in my radius files?
>>>>>
>>>>> Thanks
>>>>> bye
>>>>>
>>>>> on 05/04/2006 15.27 Sergio Sagliocco said the following:
>>>>>> Hi
>>>>>> I think you have to use == instead of :=
>>>>>> For example:
>>>>>>
>>>>>> DEFAULT Cisco-AVPair == ssid=testLEAP , EAP-Type := Cisco-LEAP
>>>>>>
>>>>>> Regards
>
> --
> Antonio Matera
> CREATE-NET
> Via Solteri, 38 - 38100 Trento
> e-mail: [EMAIL PROTECTED]
> phone: +39 0461 408400 ext. 305
> fax: +39 0461 421157
> www.create-net.org
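To make the `==` versus `:=` behaviour in this thread concrete, the following is a toy users-file matcher written for this page (not FreeRADIUS's own users-file code and not from the thread). It models just enough of the first-line semantics to show the difference: `==` places a condition on the request, while `:=` assigns a control item and is always satisfied, which is why Antonio's `:=` entry let every SSID through. The entries are built from Sergio's suggestion with the `Auth-Type := EAP` item left out, as Guy advises; the request dicts are constructed from the attribute names in Antonio's `rad_recv` dump.

```python
"""Added example: how users-file check items decide which entry handles a request.

Assumptions (mine): only the ==, := and = operators are modelled, the request
is a flat dict of attribute name to value, and string comparison is exact.
"""


def check_items_match(check_items, request) -> bool:
    """True when every check item on the entry's first line allows the request.
    '==' compares the request attribute; ':=' sets a control item and imposes
    no condition, so it can never cause an entry to be skipped."""
    for attr, op, value in check_items:
        if op == "==":
            if request.get(attr) != value:
                return False
        elif op == ":=":
            continue
        else:
            raise ValueError(f"operator {op!r} is not modelled here")
    return True


def find_entry(entries, request):
    """First entry whose name (or DEFAULT) and check items match the request."""
    for name, check_items, reply_items in entries:
        if name not in ("DEFAULT", request.get("User-Name")):
            continue
        if check_items_match(check_items, request):
            return name, reply_items
    return None


def selected_entry(entries, request) -> str:
    """Name of the entry that would handle the request, or '(none)'."""
    found = find_entry(entries, request)
    return found[0] if found else "(none)"


VLAN_REPLY = [("Tunnel-Medium-Type", "=", "IEEE-802"),
              ("Tunnel-Private-Group-Id", "=", "2"),
              ("Tunnel-Type", "=", "VLAN")]

# Sergio's shape: TEST4 only from SSID1, everything else falls to DEFAULT/Reject.
ENTRIES_COMPARE = [
    ("TEST4", [("Cisco-AVPair", "==", "ssid=SSID1")], VLAN_REPLY),
    ("DEFAULT", [("Auth-Type", ":=", "Reject")], []),
]
# Antonio's first attempt: the same entry with := instead of ==.
ENTRIES_ASSIGN = [
    ("TEST4", [("Cisco-AVPair", ":=", "ssid=SSID1")], VLAN_REPLY),
    ("DEFAULT", [("Auth-Type", ":=", "Reject")], []),
]

REQ_RIGHT_SSID = {"User-Name": "TEST4", "Cisco-AVPair": "ssid=SSID1"}   # constructed
REQ_WRONG_SSID = {"User-Name": "TEST4", "Cisco-AVPair": "ssid=VLAN3"}   # constructed
REQ_OTHER_USER = {"User-Name": "TEST9", "Cisco-AVPair": "ssid=SSID1"}   # constructed


if __name__ == "__main__":
    for label, req in (("right ssid", REQ_RIGHT_SSID), ("wrong ssid", REQ_WRONG_SSID)):
        print(label, "==:", selected_entry(ENTRIES_COMPARE, req),
              " :=:", selected_entry(ENTRIES_ASSIGN, req))
```

With `==`, a request from the wrong SSID skips the TEST4 entry and lands on `DEFAULT Auth-Type := Reject`; with `:=`, the TEST4 entry is taken whatever the SSID, so the reply items (and any VLAN assignment) go out regardless of where the client associated.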
Re: Compiling freeradius 1.1.1 in FreeBSD 6.0 with mysql support
On Wed, 2006-05-04 at 13:08 -0400, Alan DeKok wrote:
> Mark Hennessy [EMAIL PROTECTED] wrote:
>> I'm trying to build freeradius 1.1.1 on a FreeBSD 6.0 system with MySQL 4.1.15
>
> Doesn't the ports system work?

That's exactly what I was thinking. The port was updated on Mar. 28

>> checking for mysql_init in -lmysqlclient_r (using mysql_config)... no
>
> See the config.log for details.

Maybe libmysqlclient_r needs additional libraries for it to work.
Re: How to make FR reset the logs
On Thu, 2006-06-04 at 14:12 -0400, Dennis Skinner wrote:

Guy Fraser wrote: vacuum;

This is not a MySQL command. You probably want to look at CHECK TABLE, REPAIR TABLE, and OPTIMIZE TABLE. But we are getting off topic here. I will note that FreeRADIUS performance had significant improvements once the tables were changed to InnoDB from MyISAM, especially the radacct table as that fills up quickly if you don't archive regularly.

I said: I don't use MySQL very often so do not know for sure if this would work, but here goes a simple example:

    select * into radacct_old from radacct where AcctStopTime < '2006-04-01 00:00:00' ;
    delete from radacct where AcctStopTime < '2006-04-01 00:00:00' ;
    vacuum;

If you intend on using MySQL you will need to learn how to use it. There are many functions and some may help you do what you want.

I prefer PostgreSQL, which is SQL92 compliant and does support the SQL VACUUM command. MySQL database maintenance is of little interest to me, because I do not think it is good for anything but text and blob storage, and I don't need that very often. Since nobody else had attempted to answer the poster's question I suggested a possible method he could try, and suggested he learn how to maintain MySQL if he intends on using it. I REALLY do NOT want to get into a flame war over the differences between MySQL and PostgreSQL. I based my sample on SQL standard commands hoping that MySQL would support them, but having suggested that they may not work without specifying why may have left it open for interpretation. I am sure that for those who know MySQL well it works very well for them, but I don't care to spend the time learning how to do things the MySQL way. I have provided some assistance ensuring that the MySQL and PostgreSQL drivers had the same functionality, and have a MySQL db on the R&D machine for that purpose, but do not have any intention on using it for production.

The PostgreSQL db I use for my custom Cistron server has operated flawlessly and at high efficiency since it was installed over 5 years ago. Since the software and hardware are long in the tooth, I will be upgrading them in the near future. I have been helping with the development of FreeRadius for a couple of years, in preparation for this long anticipated upgrade. Once I have a good management interface I will upgrade. I have spent a few days building some functions and others have been spending considerable time on similar projects, and some of us have agreed to share our work in order to move this along, so I am hoping to have a new server in place by year's end.

Good luck, and have a great day.
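The archive-then-delete idea above is worth seeing with the two caveats a practitioner runs into: MySQL has no SELECT ... INTO new_table form (it wants INSERT INTO ... SELECT, and OPTIMIZE TABLE instead of VACUUM after a mass delete), and the copy and the delete must run in one transaction or rows can be lost between them. The following is an added example, not code from the thread; it uses Python's built-in sqlite3 as a stand-in for MySQL/PostgreSQL with a constructed four-row radacct, and leaves open sessions (NULL AcctStopTime) alone.

```python
import sqlite3

# Constructed sample radacct: three closed sessions and one still online (NULL stop time).
SAMPLE_SESSIONS = [
    ("fredf", "2006-03-02 10:00:00", "2006-03-02 11:00:00", 3600),
    ("troll", "2006-03-31 23:00:00", "2006-04-01 00:30:00", 5400),
    ("alice", "2006-04-05 09:00:00", None, None),          # still online, must never be archived
    ("bob",   "2006-04-10 08:00:00", "2006-04-10 08:15:00", 900),
]


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE radacct (
                        RadAcctId INTEGER PRIMARY KEY,
                        UserName TEXT, AcctStartTime TEXT, AcctStopTime TEXT,
                        AcctSessionTime INTEGER)""")
    conn.executemany(
        "INSERT INTO radacct (UserName, AcctStartTime, AcctStopTime, AcctSessionTime) VALUES (?, ?, ?, ?)",
        SAMPLE_SESSIONS)
    conn.commit()
    return conn


def archive_old_sessions(conn: sqlite3.Connection, cutoff: str, archive_table: str = "radacct_old") -> dict:
    """Move sessions that STOPPED before cutoff into archive_table, copy and delete in one transaction.

    The cutoff is compared against AcctStopTime, never AcctStartTime, so an open session that
    started months ago stays in radacct until its Stop record arrives.
    """
    # Same column layout as radacct; created outside the transaction (DDL is not what we roll back)
    conn.execute("CREATE TABLE IF NOT EXISTS %s AS SELECT * FROM radacct WHERE 0" % archive_table)
    where = "AcctStopTime IS NOT NULL AND AcctStopTime < ?"
    with conn:   # commits on success, rolls back both statements if anything below raises
        moved = conn.execute("INSERT INTO %s SELECT * FROM radacct WHERE %s" % (archive_table, where),
                             (cutoff,)).rowcount
        deleted = conn.execute("DELETE FROM radacct WHERE %s" % where, (cutoff,)).rowcount
        if moved != deleted:
            # Cannot happen inside one transaction, but a mismatch means data loss: abort, roll back
            raise RuntimeError("copied %d rows but deleted %d; rolled back" % (moved, deleted))
    return {"moved": moved, "deleted": deleted}


def remaining_sessions(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT UserName FROM radacct ORDER BY RadAcctId")]


if __name__ == "__main__":
    db = build_sample_db()
    print(archive_old_sessions(db, "2006-04-01 00:00:00"))
    print(remaining_sessions(db))
```

On MySQL the same two statements go inside START TRANSACTION / COMMIT on InnoDB tables (MyISAM has no transactions, which is another reason for Dennis's InnoDB remark), followed by OPTIMIZE TABLE radacct to reclaim the space VACUUM would reclaim on PostgreSQL.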
Re: mysql replication vs. radrelay
On Thu, 2006-06-04 at 23:01 +0200, Olaf Schäfer wrote:

Hello, I have a redundant radius server setup with two radius servers. On each of the servers freeradius 1.1.1 and mysql is running. If the primary server goes down the AC falls back to the secondary server. To keep the databases (except the radacct table) synchronised I use MySQL replication. But I'm not sure which is the best way to replicate the accounting information: using radrelay or mysql-replication, too? Besides, the man page for radrelay says "The functions of radrelay have been added to radiusd." I couldn't find any documentation about this feature. Any hints? regards, olaf

There are many schools of thought on that. Some prefer SQL replication, others suggest it is better to build it into the management system. If you have lots of people managing the accounts you may need a different method than someone with only a few people maintaining accounts, since table locking and connection load balancing could become an issue. In some cases batch processing is acceptable, in other cases it can be detrimental. Can you give us an idea about how many people will be changing user info and at what rate you would be expecting additions, modifications and removals? It would be helpful for those of us designing management systems, so we can test for possible conflicts and performance issues. I am not yet working on the SQL maintenance portion of my project but it would be helpful for me to have that information in order to do some preliminary planning. Some replication methods scale better than others, but have their own drawbacks and difficulties.

PS Have you had a chance to try my PHP radiusd.conf configuration parser?
Re: dialup admin ippool administraton
On Fri, 2006-31-03 at 10:37 +0200, Olaf Schäfer wrote:

But the configuration information like range-start etc. is still stored in the radiusd.conf. My idea was to put this configuration information for each ippool into the mysql-db.

That may be harder to do. But if you can create a patch, it will be welcome.

I'm afraid this exceeds my abilities :( Thus I resigned to the fact and have started to parse the radiusd.conf via PHP. I have written a recursive function for reading radiusd.conf and all included files.

I finally spent some time and built a simple site to host the current files for the FreeRadius Admin stuff I am working on. You can check it out at: http://sphinx.incentre.net/radius.html

-- Guy Fraser, Network Administrator, The Internet Centre, 1-888-450-6787 (780)450-6787
Re: FreeRadius out of the box....
On Wed, 2006-05-04 at 09:07 +0100, Tony Spencer wrote:

Because of the issues I've been having with authentication with Freeradius I started from scratch and used RPM to remove Freeradius and then re-installed the latest version. I needed to be able to accept both PAP and CHAP authentication, however I couldn't get it to do both and had to by default get it to auth everyone no matter what the password should be. But I don't see this as ideal. Since I took over the radius server from someone else I'm guessing it had been changed by the previous person to the extent where only a re-install would solve the problem. I read that out of the box Freeradius would accept both PAP and CHAP authentication as long as the password was in clear text and I used Password ==. So I re-installed Freeradius version freeradius-1.0.1-3.RHEL4.3 and converted all the entries from Auth-Type := Accept to Password == password where password was the user's password.

...snip...

    DEFAULT Auth-Type = System
            Fall-Through = 1

...snip...

Auth-Type = System is for reading the user names from the password file IIRC. Try:

    Auth-Type = Local
Re: frontend for freeradius???
On Thu, 2006-30-03 at 22:04 -0500, Alan DeKok wrote:

Guy Fraser wrote: Since the users file can handle multiple alternate configurations for DEFAULT and or user entries, it will require careful planning.

I would suggest avoiding the users file. It causes *way* too many problems. Instead, design something that will be useful, better than the users file, and easy for you to implement. We'll then take a look at creating a module to support it. Alan DeKok.

Interesting idea! I have very simple needs now for Radius, we only provide a few different dialup packages and only allow PAP authentication. The current rlm_sql is all I currently need, but I will consider some alternative ideas that could provide easier manageability for myself and many others on this list.

PS I have recently posted a link to some of the PHP stuff I have developed lately.
Re: How to make FR reset the logs
On Wed, 2006-05-04 at 06:15 +0300, Mordor Networks wrote:

hi. Is it possible to make FR remove all monthly accounting logs from the database mysql?

Yikes, why would you want to do that? Wouldn't it be better to move the data to monthly archive tables, then remove the data and vacuum the table? This is basically what I currently use, so that when a customer tries to dispute his charges, we can produce detailed information very quickly. I currently maintain 3+ years of detail; users can check totals, summaries or detailed logging for their account from the beginning of the third year ago {IE Jan 2003} until the previous logout. Once I have a similar scheme in place I will be moving to whichever current version of FreeRadius is available. I will continue to work toward integrating similar functionality into FreeRadius, that I developed for Cistron, allowing dynamic {using xlat} table names. I currently use this method in my custom version of Cistron Radius, to generate new logging tables every month as required. The system I developed has met our needs for the last 5+ years, but I would prefer to build support into an open platform {FreeRadius}, so others can make use of the same advantages, and the community can enhance and support the project.
Re: frontend for freeradius???
On Thu, 2006-30-03 at 16:40 +0100, Pelusa Vali wrote:

hi list, i have a question, are there any freeradius frontends to administer users which don't assume i have ldap or mysql?? my users are only in the users file, i reviewed dialup_admin and php radius accounting tool, but both assume i have mysql or ldap, i just want some program with a graphical interface to add users and passwords in freeradius, and if possible monitor them. is there something like that?? thanks.

I don't think there are any official projects. Some people have in-house management systems, but are wary about making them public. If you are willing to modify and maintain the front end code without endless queries to the progenitors of some code, you might want to ask if anyone has something to help you get started. I have been working on some PHP functions to manage FreeRadius, but have not developed anything for the users file yet. So far I have developed functions that can acquire the information from the configuration or dictionary files. But I am taking some time to consider how to handle the huge amount of data from the dictionary files. Since the users file can handle multiple alternate configurations for DEFAULT and or user entries, it will require careful planning, in order to make sure the entries are stored in a unique way, ensure that the correct entry can be identified, and make sure that entries do not get combined. For my needs, most users will have little more than an encrypted password, and we intend on using an SQL backend, and do not use the users file at all, so accessing the data in the users file is near the bottom of my list, but others may have it as a different priority.
Re: frontend for freeradius???
On Thu, 2006-30-03 at 16:40 +0100, Pelusa Vali wrote:

hi list, i have a question, are there any freeradius frontends to administer users which don't assume i have ldap or mysql?? my users are only in the users file, i reviewed dialup_admin and php radius accounting tool, but both assume i have mysql or ldap, i just want some program with a graphical interface to add users and passwords in freeradius, and if possible monitor them. is there something like that?? thanks.

I almost forgot. If most or all of your users have the same checks and replies but have different passwords and are using PAP, you may want to consider a default entry with Auth-Type = System and using the password file to maintain users. If you do it that way, you could use Webmin to maintain the user accounts.
Re: Freeradius Expiration Date
On Thu, 2006-30-03 at 10:09 -0600, Atkins, Dwane P wrote:

I have looked into the db_mysql.sql and found that there were start and stop dates in the radacct. If I can get freeradius to use the radcheck table, does this mean it will automatically see the radacct table and use input from this table as well?

Have you read any of the documentation? The FreeRadius database schemas and configurations are designed to be generic examples, to help you get started, and are meant to be part of the documentation, which is why they are labelled .sample. You are free to modify anything in the configuration files and database schema to fit your specific needs. There are many different modules and features that may do exactly what you want without doing any significant changes to the configuration files. You should read all the documentation, and go through all the config files. It is a lot of work, but if you do not do your homework, you will never know how to help yourself. We are not babysitters, and are more than happy to help once you run into problems, but are not going to spoon feed you. Happy reading.
Re: VLAN and SSID
Yes, just use the Cisco AV Pair to say

    user1   Auth-Type := EAP, Cisco-AVPair := SSID=SSID1
    user2   Auth-Type := EAP, Cisco-AVPair := SSID=SSID2

That would force user1 to only associate to SSID1 and user2 to only associate to SSID2. You *may* need to change them from being check attributes to reply attributes if your AP doesn't actually send those attributes with an Access-Request. In that case, you send the Cisco-AVPair = SSID=SSIDn back to the AP and if it doesn't match, then it can locally fail to authorize the user.

Rgds, Guy

On 29/03/06, Antonio Matera wrote:

Hello, I have a problem with the authentication on different VLANs. I write for you my example: I have two VLANs (VLAN1 and VLAN2) connected to two SSIDs (SSID1 and SSID2) on my Cisco 1200 AP. I have the same authentication on both connections (EAP-TLS). In my users file I have two users:

    user1   Auth-Type := EAP
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 2,
            Tunnel-Type = VLAN

    user2   Auth-Type := EAP
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 3,
            Tunnel-Type = VLAN

The authentication works fine but, for example, if I connect the WinXP client on SSID1 with the user certificate of VLAN2, I have this situation: the client is connected to VLAN2 but the SSID of the wireless connection is SSID1. Is it possible to prevent the connection to the selected SSID if the certificate of the user is incorrect? Thanks, bye
Re: VLAN and SSID
The Cisco-AVPair mechanism is a mutation of the standard VSA mechanism. Cisco uses a single Vendor ID but wanted to use many VSAs. The limit with a single Vendor ID is 255 (IIRC). So, Cisco's Vendor Specific Attribute number 1 is Cisco-AVPair. They then create sub-VSAs within that VSA using the textual syntax

    Cisco-AVPair = Sub-VSA-name=Sub-VSA-value

To get a list of relevant VSAs, you really need to refer to Cisco's documentation.

Rgds, Guy

On 29/03/06, James J J Hooper wrote:

--On Wednesday, March 29, 2006 12:20:57 +0200 Antonio Matera wrote:

Hello, thanks for the replies. If I insert only the Cisco-AVPair attribute, it doesn't work... Now I try the "radius-server vsa send authentication" command... Is it an AP console command? Is it possible to set this command from the AP web interface? I haven't experience with the console setting.

Yes, either at the console or go to this url: https://YOUR-ACCESS-POINT-ADDRESS/level/15/configure/-/radius-server/vsa/send/authentication/CR (you may need to use http instead of https)

Regards, James

-- James J J Hooper, Information Services, University of Bristol
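To make the wire format Guy describes concrete: Vendor-Specific is RADIUS attribute 26, it carries the 4-byte Cisco enterprise number 9, and inside it a vendor-type/vendor-length pair where vendor-type 1 is Cisco-AVPair, whose value is the text "name=value". The block below is an added example, not code from the thread or from FreeRADIUS; it encodes such an attribute, parses it back out of a constructed Access-Request attribute list (the User-Name and "ssid=SSID1" values are made up), and performs the SSID comparison the users-file check item is meant to do, failing closed when the AP did not send the pair at all. It does an equality comparison; note that in the users file only == compares a check item, a check item written with := always matches.

```python
import struct

# RADIUS attribute numbers (RFC 2865) and Cisco's enterprise number / sub-attribute
USER_NAME = 1
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # "Cisco-AVPair" in the FreeRADIUS dictionary


def encode_attribute(atype: int, value: bytes) -> bytes:
    """One top-level attribute: type, length (including this 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute values are limited to 253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_cisco_avpair(text: str) -> bytes:
    """Wrap 'name=value' as a Cisco-AVPair sub-VSA inside a Vendor-Specific attribute."""
    data = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data      # vendor-type, vendor-length
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def iter_attributes(attrs: bytes):
    """Walk an attribute list, rejecting lengths that run past the buffer instead of guessing."""
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("attribute length %d out of range" % alen)
        yield atype, attrs[pos + 2:pos + alen]
        pos += alen


def iter_cisco_avpairs(attrs: bytes):
    """Yield (name, value) for every Cisco-AVPair found; names are lower-cased for comparison."""
    for atype, value in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        body, pos = value[4:], 0
        while pos < len(body):
            if len(body) - pos < 2:
                raise ValueError("truncated sub-VSA header")
            vtype, vlen = body[pos], body[pos + 1]
            if vlen < 2 or pos + vlen > len(body):
                raise ValueError("sub-VSA length %d out of range" % vlen)
            if vtype == CISCO_AVPAIR:
                text = body[pos + 2:pos + vlen].decode("ascii", "replace")
                # Cisco writes mandatory pairs as name=value and optional ones as name*value
                for sep in ("=", "*"):
                    name, found, val = text.partition(sep)
                    if found:
                        yield name.strip().lower(), val
                        break
            pos += vlen


def ssid_allowed(attrs: bytes, allowed_ssid: str) -> bool:
    """True only if the request carries an ssid pair and every such pair equals allowed_ssid."""
    ssids = [v for n, v in iter_cisco_avpairs(attrs) if n == "ssid"]
    return bool(ssids) and all(s == allowed_ssid for s in ssids)


# Constructed sample: what the AP sends after "radius-server vsa send authentication"
SAMPLE_REQUEST_ATTRS = encode_attribute(USER_NAME, b"user1") + encode_cisco_avpair("ssid=SSID1")

if __name__ == "__main__":
    print(list(iter_cisco_avpairs(SAMPLE_REQUEST_ATTRS)))
    print(ssid_allowed(SAMPLE_REQUEST_ATTRS, "SSID1"), ssid_allowed(SAMPLE_REQUEST_ATTRS, "SSID2"))
```

Without the "vsa send authentication" setting the AP omits the Vendor-Specific attribute entirely, which is exactly the case ssid_allowed treats as a refusal rather than a pass.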
Re: VLAN and SSID
Hi Antonio,

If you're using the Cisco-AVPair as a check item, it *must* be on the first line of the user entry. e.g.

    user1   Auth-Type := EAP, Cisco-AVPair := ssid=SSID1
            ... reply items here, one per line ...

If you want to configure it as a reply item, it should be...

            Cisco-AVPair = ssid=SSID1

NOTE: =, not := for the reply item.

Rgds, Guy

On 29/03/06, Antonio Matera wrote:

Hello, now I have the users configured as follows:

    user1   Auth-Type := EAP
            Cisco-AVPair := ssid=SSID1,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 2,
            Tunnel-Type = VLAN

    user2   Auth-Type := EAP
            Cisco-AVPair := ssid=SSID2,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 3,
            Tunnel-Type = VLAN

The AP has the radius-server vsa send authentication, but when I connect for example to SSID2 using user1, radius writes this log for a big number of requests:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=167, length=137 User-Name = user1 Framed-MTU = 1400 Called-Station-Id = .. Calling-Station-Id = ..
Service-Type = Login-User Message-Authenticator = 0xd58071e7b7c3b158323ae6e2da5cf746 EAP-Message = 0x020600060d00 NAS-Port-Type = Wireless-802.11 NAS-Port = 1215 State = 0x15f928ed12d8d4d1a278530b6dd26c21 NAS-IP-Address = 192.168.9.104 NAS-Identifier = ap Processing the authorize section of radiusd.conf modcall: entering group authorize for request 53 modcall[authorize]: module preprocess returns ok for request 53 modcall[authorize]: module mschap returns noop for request 53 rlm_realm: No '@' in User-Name = user1, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 53 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module eap returns updated for request 53 users: Matched entry user1 at line 14 modcall[authorize]: module files returns ok for request 53 modcall: leaving group authorize (returns updated) for request 53 rad_check_password: Found Auth-Type EAP auth: type EAP Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 53 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap: Freeing handler modcall[authenticate]: module eap returns ok for request 53 modcall: leaving group authenticate (returns ok) for request 53 Login OK: [user1/no User-Password attribute] (from client ap-test port 1215 cli 000c.f135.f1ba) Sending Access-Accept of id 167 to 192.168.9.104 port 1645 Cisco-AVPair := ssid=SSID1 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = 2 Tunnel-Type:0 = VLAN MS-MPPE-Recv-Key = 0x4b79e8c8d51a317ecfc389ae1109e9cbf4fed548b081a3d9a207cb1673fb2011 MS-MPPE-Send-Key = 0x00c78f66a7706dbc37c2ef3a9cf1f4f183b28d840da50d583ae780041fe1f1d9 
EAP-Message = 0x03060004 Message-Authenticator = 0x User-Name = user1 Finished request 53 The XP client tell that the SSID2 is connected, but if I try to navigate on the VLAN1 or VLAN2 i can't do it. Why the radius receive a big number of request from the client and it doesn't sent a failed authorization? It is possible to eliminate the requests after the first? It is possible to send to the XP client a failed authorization? At the moment the client doesn't understand if it is or isn't connected to the SSID. Thanks a lot for your time Bye Antonio - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Compile errors in Freeradius-1.1.1
Hi Alan, I am not sure if this is even remotely relevant but rlm_x99_token has been renamed to rlm_otp, I think. Try --without-rlm_otp and see if that helps. I've also been unable to compile FR 1.1.1 using the same parameters as I used in 1.1.0 but my problems appear to be similar to those with issues in libeap (not the same as yours). Rgds, Guy On 28/03/06, Alan [EMAIL PROTECTED] wrote: I am currently trying to compile the new version of FreeRadius 1.1.1. I've used the same configure statement just like in 1.1.0 and for some reason I am receiving a few build errors. Please help. ~Alan OS: Red Hat Enterprise v.3 (2.4.21-4.EL 32bit) Configure Statement: ./configure --prefix=/custom/freeradius-1.1.1 \ --without-rlm_x99_token \ --without-rlm_krb5 \ --without-rlm_sql_postgresql \ -without-rlm_sql_oracle After running make install the ls command shows a few weird symlinks in the install directory: [EMAIL PROTECTED]:37:34 Tue Mar 28]-[/custom/freeradius-1.1.1] $ ls total 436 drwxr-xr-x2 root root 4096 Mar 28 09:34 bin drwxr-xr-x3 root root 4096 Mar 28 09:34 etc -rwxr-xr-x1 root root 170033 Mar 28 09:36 libradius-1.1.1.so -rw-r--r--1 root root 233620 Mar 28 09:36 libradius.a -rwxr-xr-x1 root root 749 Mar 28 09:36 libradius.la lrwxrwxrwx1 root root 18 Mar 28 09:36 libradius.so - libradius-1.1.1.so drwxr-xr-x5 root root 4096 Mar 28 09:34 man drwxr-xr-x2 root root 4096 Mar 28 09:34 sbin drwx--3 root root 4096 Mar 28 09:34 share drwxr-xr-x4 root root 4096 Mar 28 09:34 var Output error after running make install: [EMAIL PROTECTED]:36:43 Tue Mar 28]-[~/freeradius-1.1.1] $ sudo make install /home/johnny5/freeradius-1.1.1/install-sh -c -d -m 755 /custom/freeradius-1.1.1/sbin /home/johnny5/freeradius-1.1.1/install-sh -c -d -m 755 /custom/freeradius-1.1.1/bin /home/johnny5/freeradius-1.1.1/install-sh -c -d -m 755 /custom/freeradius-1.1.1/etc/raddb /home/johnny5/freeradius-1.1.1/install-sh -c -d -m 755 /custom/freeradius-1.1.1/man /home/johnny5/freeradius-1.1.1/install-sh -c -d -m 
755 /custom/freeradius-1.1.1/var/run/radiusd /home/johnny5/freeradius-1.1.1/install-sh -c -d -m 700 /custom/freeradius-1.1.1/var/log/radius /home/johnny5/freeradius-1.1.1/install-sh -c -d -m 700 /custom/freeradius-1.1.1/var/log/radius/radacct /home/johnny5/freeradius-1.1.1/install-sh -c -d -m 700 /custom/freeradius-1.1.1/share /home/johnny5/freeradius-1.1.1/install-sh -c -d -m 755 /custom/freeradius-1.1.1/share/freeradius for i in 1 5 8; do \ /home/johnny5/freeradius-1.1.1/install-sh -c -d -m 755 /custom/freeradius-1.1.1/man/man$i; \ for p in man/man$i/*.$i; do \ /home/johnny5/freeradius-1.1.1/install-sh -c -m 644 $p /custom/freeradius-1.1.1/man/man$i; \ done \ done gmake[1]: Entering directory `/home/johnny5/freeradius-1.1.1' Making install in src... gmake[2]: Entering directory `/home/johnny5/freeradius-1.1.1/src' gmake[3]: Entering directory `/home/johnny5/freeradius-1.1.1/src' Making install in include... gmake[4]: Entering directory `/home/johnny5/freeradius-1.1.1/src/include' gmake[4]: Nothing to be done for `install'. gmake[4]: Leaving directory `/home/johnny5/freeradius-1.1.1/src/include' Making install in lib... 
gmake[4]: Entering directory `/home/johnny5/freeradius-1.1.1/src/lib' /home/johnny5/freeradius-1.1.1/libtool --mode=install /home/johnny5/freeradius-1.1.1/install-sh -c -c libradius.la /custom/freeradius-1.1.1/lib /home/johnny5/freeradius-1.1.1/install-sh -c -c .libs/libradius-1.1.1.so /custom/freeradius-1.1.1/libradius-1.1.1.so (cd /custom/freeradius-1.1.1 rm -f libradius.so ln -s libradius-1.1.1.so libradius.so) /home/johnny5/freeradius-1.1.1/install-sh -c -c .libs/libradius.lai /custom/freeradius-1.1.1/libradius.la /home/johnny5/freeradius-1.1.1/install-sh -c -c .libs/libradius.a /custom/freeradius-1.1.1/libradius.a ranlib /custom/freeradius-1.1.1/libradius.a chmod 644 /custom/freeradius-1.1.1/libradius.a libtool: install: warning: remember to run `libtool --finish /custom/freeradius-1.1.1/lib' rm -f /custom/freeradius-1.1.1/lib/libradius-1.1.1.la; ln -s libradius.la /custom/freeradius-1.1.1/lib/libradius-1.1.1.la ln: creating symbolic link `/custom/freeradius-1.1.1/lib/libradius-1.1.1.la' to `libradius.la': No such file or directory gmake[4]: *** [install] Error 1 gmake[4]: Leaving directory `/home/johnny5/freeradius-1.1.1/src/lib' gmake[3]: *** [common] Error 2 gmake[3]: Leaving directory `/home/johnny5/freeradius-1.1.1/src' gmake[2]: *** [install] Error 2 gmake[2]: Leaving directory `/home/johnny5/freeradius-1.1.1/src' gmake[1]: *** [common] Error 2 make: *** [install] Error 2 - List info/subscribe/unsubscribe? See http
Re: L2tp and fixed Framed IP Address for ADSL customers
On Tue, 2006-28-03 at 12:05 -0500, Alan DeKok wrote:

Adil Bikarbass wrote: My radius is listening on 1645 for auth and 1646 for acct, I can see the auth request coming into my radius box but the IP address is never got from the Framed-IP reply item but assigned from the Cisco pool. Any clue about what could be the problem?

The NAS. Fight with it some more. I don't think there's anything you can do to FreeRADIUS to fix it.

Is the IP address in a valid range configured on the NAS? A Cisco will not assign an IP address that it is not configured to handle. It seems to me we used EIGRP to handle the static IP address networks for our NAS servers.
Re: Clear text passwords
On Thu, 2006-23-03 at 17:44 -0500, Alan DeKok wrote:

Corey Burks wrote: In my radiusd.conf file I made the following changes and it is still logging my clear text password: log_auth = no

You will have to edit the source code to the detail module to make it do what you want.

Is that the way it is supposed to be, or is it on a todo list for it to be fixed?
Re: Want to use 2 different authentication-methods
On Wed, 2006-22-03 at 15:15 +0100, Hans-Peter Fuchs wrote:

I use freeradius 1.0.5. For a special NAS I want to use 2 user databases. Requests from nas-special should first be verified per sql. If and only if sql does not verify the user, try pam. In users I have:

    # new
    DEFAULT NAS-IP-Address == special, Autz-Type := SQL
            Idle-Timeout = 3600,
            Session-Timeout = 7200,
            Fall-Through = yes
    # end new

    ### begin old config: works
    DEFAULT Auth-Type = Pam

Have you tried:

    DEFAULT NAS-IP-Address != special, Auth-Type = Pam
            ...

            Service-Type = Framed-User,
            Nomadix-Bw-Up = 128,
            Fall-Through = yes
    ### end old config

    ### begin new config
    # pam-authenticated users from ssg get Ainternet-attribute
    DEFAULT NAS-IP-Address == special
            Service-Type = Framed-User,
            Idle-Timeout = 3600,
            Session-Timeout = 7200,
            Cisco-Account-Info += KW0,
            Fall-Through = yes
    ### end new config

But with this, users who are verified by sql are also checked against pam. Do you have some tips? Output from radiusd -X:

    rlm_sql (sql): Released sql socket id: 3
    modcall[authorize]: module "sql" returns ok for request 0
    modcall: group Autz-Type returns ok for request 0
    rad_check_password: Found Auth-Type Pam
    auth: type "PAM"
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 0
    pam_pass: using pamauth string "radius" for pam.conf lookup
    pam_pass: function pam_authenticate FAILED for "test". Reason: Permission denied
    modcall[authenticate]: module "pam" returns reject for request 0
    modcall: group authenticate returns reject for request 0
    auth: Failed to validate the user.

Regards, Hans-Peter Fuchs

Hans-Peter Fuchs - RZKR, Room 20, Zentrum fuer angewandte Informatik - Universitaetsweiter Service, RRZK Universität zu Köln - Tel: 0221-470-6972
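The behaviour Hans-Peter is fighting comes down to how rlm_files walks the users file: entries are tried in order, a check item written with == or != must compare true for the entry to match, = and := check items never fail a match but set server-side configuration such as Auth-Type, and processing stops at the first matching entry unless its reply items contain Fall-Through = yes. The block below is an added example, not FreeRADIUS code: a small re-implementation of those rules run over a constructed users file that follows Guy's suggestion, with 192.0.2.10 standing in for "special". Requests from that NAS come out with Autz-Type set and no Auth-Type (so PAM is never selected), everyone else gets Auth-Type = Pam. One detail worth knowing: != only matches when the attribute is present and differs, so a request with no NAS-IP-Address at all matches neither DEFAULT.

```python
import re
from dataclasses import dataclass, field

# One check or reply item "Attribute op value". Longer operators come first in the
# alternation so "==" is never read as "=" followed by "=value".
ITEM_RE = re.compile(r'^([\w-]+)\s*(==|!=|:=|\+=|=)\s*(.+)$')


@dataclass
class Entry:
    name: str                                    # "DEFAULT" or a user name
    checks: list = field(default_factory=list)   # (attr, op, value) from the first line
    replies: list = field(default_factory=list)  # (attr, op, value) from the indented lines


def parse_items(text: str) -> list:
    items = []
    for raw in text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = ITEM_RE.match(raw)
        if not m:
            raise ValueError("cannot parse item %r" % raw)
        attr, op, value = m.groups()
        items.append((attr, op, value.strip().strip('"')))
    return items


def parse_users(text: str) -> list:
    """Entries start in column 0; indented lines carry reply items; '#' lines are comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1].replies.extend(parse_items(line))
        else:
            parts = line.split(None, 1)
            entries.append(Entry(parts[0], parse_items(parts[1]) if len(parts) > 1 else []))
    return entries


def entry_matches(entry: Entry, request: dict) -> bool:
    for attr, op, value in entry.checks:
        if op == "==" and request.get(attr) != value:
            return False
        # "!=" matches only when the attribute IS present and differs; absent attribute = no match
        if op == "!=" and (attr not in request or request[attr] == value):
            return False
    return True      # "=" and ":=" check items never fail the match; they set config items


def apply_items(target: dict, items: list) -> None:
    for attr, op, value in items:
        if op == "=":
            target.setdefault(attr, [value])      # set only if not already present
        elif op == ":=":
            target[attr] = [value]                # always set, replacing any earlier value
        elif op == "+=":
            target.setdefault(attr, []).append(value)


def authorize(entries: list, request: dict) -> tuple:
    """Return (config, reply): first matching entry wins unless it replies Fall-Through = yes."""
    config, reply = {}, {}
    for entry in entries:
        if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
            continue
        if not entry_matches(entry, request):
            continue
        apply_items(config, [i for i in entry.checks if i[1] in ("=", ":=", "+=")])
        apply_items(reply, entry.replies)
        if reply.pop("Fall-Through", ["no"])[0].lower() not in ("yes", "1"):
            break
    return config, reply


# Constructed users file following Guy's suggestion; 192.0.2.10 stands in for "special"
SAMPLE_USERS = """\
# requests from the special NAS are authorized via SQL only
DEFAULT NAS-IP-Address == 192.0.2.10, Autz-Type := SQL
        Idle-Timeout = 3600,
        Session-Timeout = 7200,
        Fall-Through = yes

# everybody else is authenticated with PAM
DEFAULT NAS-IP-Address != 192.0.2.10, Auth-Type = Pam
        Service-Type = Framed-User,
        Fall-Through = yes

# extra reply attributes for the special NAS
DEFAULT NAS-IP-Address == 192.0.2.10
        Service-Type = Framed-User,
        Cisco-Account-Info += KW0
"""

if __name__ == "__main__":
    entries = parse_users(SAMPLE_USERS)
    print(authorize(entries, {"User-Name": "test", "NAS-IP-Address": "192.0.2.10"}))
    print(authorize(entries, {"User-Name": "bob", "NAS-IP-Address": "198.51.100.7"}))
```

The real server additionally lets the sql module set Auth-Type from radcheck before the users file is consulted; because the second DEFAULT uses = rather than :=, such an earlier Auth-Type would be left in place, which is the reason Guy wrote = and not := there.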
Re: sql.conf
On Mon, 2006-20-03 at 16:56 -0600, Atkins, Dwane P wrote:

Why is it that when I run a radiusd -X, I always come back with errors saying that it cannot connect to the mysql server:

...snip...

    rlm_sql_mysql: Couldn't connect socket to MySQL server radius@localhost:radius
    rlm_sql_mysql: Mysql error 'Access denied for user 'radius'@'localhost' (using password: YES)'

...snip...

I have put this in my sql.conf like so:

    # Connect info
    server = localhost
    login = radius
    password = x

    # Database table configuration
    radius_db = radius

What am I doing wrong? I have followed a number of whitepapers to install this and most of them say the same thing. I downloaded freeradius and mysql-server using the 'yum install' option. Now, when I do a ./configure on freeradius, do I need to do it with a --with-mysql option? Should I try this on something other than FC4? I am open to options.

First of all, for stability I would suggest FreeBSD. The Fedora Core releases are cutting edge with a short life span.

The first thing you should try is using the mysql command line to access the database with the credentials you put in the configuration file:

    bash$ mysql -h localhost -u radius -p
    Enter password: x

If it lets you in, try to connect to the db:

    mysql> \r radius

If you can not get connected this way the problem is in your MySQL configuration.
Re: Mysql problem
On Thu, 2006-16-03 at 10:45 +0100, KNO wrote:

On 3/16/06, Alan DeKok wrote:

Fabiano Rodrigo Boscatto wrote: Hi there, I have freeradius working fine with mysql authentication. The problem is that the User-Password is stored in the mysql table as clear text. Is there a way to encrypt that?

Change User-Password to Crypt-Password, and encrypt the password with the Unix crypt() tool. Then CHAP/MS-CHAP stop working. If you want to encrypt the password with some kind of key, and then make the key available to FreeRADIUS too, that might be useful. Maybe. But it's not as useful as it might first look. You're better off controlling access to the entire MySQL DB, which contains a lot more security information than the clear-text password. Alan DeKok.

And what must I do if I want to use MD5 to store the passwords? Greets, Aitor

If you are using a Unix/Linux system that can use MD5 passwords in the password file, then -lcrypt likely supports MD5 passwords. I have tested using SHA1/DES/MD5 encrypted passwords from the system password file on FreeBSD, put them in SQL, and it worked. One thing I discovered while testing was that you will need to set Auth-Type := Crypt-Local and Crypt-Password == 'encrypted-data'. I tend to put the Auth-Type settings in radgroupcheck and assign users with encrypted passwords to different groups than those with clear text. Example:

    radgroupcheck:
    1 chap-unlimited Auth-Type := Local
    2 pap-unlimited  Auth-Type := Crypt-Local

Then radcheck would be like:

    1 fredf User-Password == wilma
    2 troll Crypt-Password == $1$f3d5.Cf9$aeM0tnhrmahLR/yHMlEwU1

And usergroup would be like:

    1 fredf chap-unlimited
    2 troll pap-unlimited

I have just started working on a new PHP management system and am intending on supporting the system crypt() command for encoding passwords when updated. Dialup Admin has not been updated much since the last time I used it, and it does not provide many of the functions I need.

I am using code I have written from scratch, but in the day I have been working on it I have almost got a function that correctly parses radiusd.conf and any files included. Once I can accurately read all the config files that are not intended on being deprecated then I will make the functions to modify them. Once that is done I will concentrate on functions to maintain MySQL and PostgreSQL users and accounting tasks. It is a fairly large task, and it may get sidelined for a simpler system, but I want to start using FreeRadius, so I can decommission the Cistron server I customized to send accounting info directly to a PostgreSQL database. Although the current system has been working flawlessly for over 5 years, FreeBSD has a lot more functionality and flexibility and is currently maintained by more people than just me.

TTFN
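The reason Crypt-Password works for PAP but "CHAP/MS-CHAP stop working" is mechanical, and the added example below (not code from the thread or from FreeRADIUS, and using a self-contained MD5-crypt rather than the platform crypt(3) so it runs anywhere) shows both halves. For PAP the server has the cleartext from the request, so it can recompute crypt(candidate, stored_salt) and compare against the stored "$1$salt$hash" string, the format of the troll entry above. For CHAP the client sends MD5(id || password || challenge), so the server must run the same MD5 over the cleartext password it has on file; a one-way crypt string cannot be turned back into that input. The user name and password in the test are made up.

```python
import hashlib
import hmac
import os

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> bytes:
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """MD5-crypt ("$1$") as done by FreeBSD/glibc crypt(3), reimplemented in pure Python."""
    magic = b"$1$"
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                    # deliberately slow: 1000 extra rounds
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    out += _to64(final[11], 2)
    return (magic + salt + b"$" + out).decode("ascii")


def make_crypt_password(cleartext: str) -> str:
    """What a management tool stores in radcheck as Crypt-Password (8 random salt chars)."""
    salt = os.urandom(6).hex()[:8]          # hex digits are a subset of the itoa64 alphabet
    return md5_crypt(cleartext.encode(), salt.encode())


def verify_pap_crypt(stored: str, candidate: str) -> bool:
    """PAP against a Crypt-Password: recompute with the stored salt, compare in constant time."""
    parts = stored.split("$")                # "$1$salt$hash" -> ["", "1", salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("only $1$ (MD5-crypt) strings are handled here")
    return hmac.compare_digest(md5_crypt(candidate.encode(), parts[2].encode()), stored)


def chap_response(chap_id: int, cleartext: str, challenge: bytes) -> bytes:
    """CHAP-Password body (RFC 1994 / RFC 2865): MD5(id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + cleartext.encode() + challenge).digest()


def verify_chap(stored_cleartext: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """The server needs the cleartext to recompute the MD5; a crypt string in its place never matches."""
    return hmac.compare_digest(chap_response(chap_id, stored_cleartext, challenge), response)


if __name__ == "__main__":
    stored = make_crypt_password("wilma")     # constructed sample credential
    print(stored, verify_pap_crypt(stored, "wilma"), verify_pap_crypt(stored, "Wilma"))
    chal = os.urandom(16)
    resp = chap_response(7, "wilma", chal)
    print(verify_chap("wilma", 7, chal, resp), verify_chap(stored, 7, chal, resp))
```

This is also why Alan's remark about controlling access to the whole database matters more than the hash format: any deployment that has to answer CHAP or MS-CHAP keeps a cleartext (or NT-hash) credential in radcheck, and the database, not the encoding, is the security boundary.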
Re: detail Files
On Fri, 2006-17-03 at 16:15 -0500, Lisa Casey wrote:

Hi, I sent this email a couple of hours ago but it hasn't appeared on the list yet so I'm resending it. If it comes through twice, accept my apologies. Currently my Freeradius server writes new accounting detail files each day. In radiusd.conf, if I were to change

    detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

to

    detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m

would it then write one detail file for each month?

Yes.

Normally I don't like the per NAS/Client directories, but do like daily logs, so I use:

    detailfile = ${radacctdir}/detail-%Y%m%d

I use a cron job to compress the daily logs and archive them. I only keep them in case of a legal dispute; all of my real accounting is done in SQL.
Re: incorrect radacct AcctSessionTime
On Tue, 2006-14-03 at 15:16 -0500, Alan DeKok wrote:

Gunther wrote: From time to time I see entries in the radacct AcctSessionTime column with over 1 billion seconds, despite that the StopTime minus StartTime is less than 5 seconds. With FR 1.0.5 it was a few times 2147483647:

2147483647 is 2^31-1. It looks like a signed/unsigned problem to me.

I used to see Acct-Session-Time responses from USR Hyper Cards like that every so often; the NAS was at fault and required a reboot. We would then calculate the time. Example:

    Acct-Session-Time = (Acct-Stop-Time - Acct-Stop-Delay) - (Acct-Start-Time + Acct-Start-Delay)

We did it that way to give the customer the benefit of any error possibly incurred by delays. How you do this in real life will depend on what kind of DB you use to store the accounting data.

Now with 1.1.0 it is around 1142280970:

Which is a weird number.

I presume that the NAS (wrt54g with Chillispot) is sending the incorrect information ... Is this correct?

Maybe. See the SQL queries. If the NAS is sending Acct-Session-Time, that goes into the column. If it doesn't send Acct-Session-Time, then the session time is calculated based on the local system time, and other info. It looks to me like the clocks on your NAS and the RADIUS server may be quite a ways off from each other. Alan DeKok.
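Both bad values in this thread can be caught before they reach a bill. 2147483647 is the largest signed 32-bit integer, the classic sign of a counter or conversion overflow, and 1142280970 read as a Unix epoch time is 13 March 2006, the day before Gunther's report, which is what a timestamp stored where a duration belongs looks like. The block below is an added example, not code from the thread: it applies Guy's formula (stop minus stop delay, minus start plus start delay) and accepts the NAS's Acct-Session-Time only when it agrees with the timestamps, otherwise billing the computed (and, on disagreement, the lower) value. The four accounting records are constructed.

```python
from datetime import datetime, timedelta

INT32_MAX = 2 ** 31 - 1      # 2147483647, the value reported from FR 1.0.5 above
UINT32_MAX = 2 ** 32 - 1
EPOCH = datetime(1970, 1, 1)


def expected_session_time(start: datetime, stop: datetime,
                          start_delay: int = 0, stop_delay: int = 0) -> int:
    """(Acct-Stop-Time - Acct-Stop-Delay) - (Acct-Start-Time + Acct-Start-Delay), whole seconds."""
    span = (stop - timedelta(seconds=stop_delay)) - (start + timedelta(seconds=start_delay))
    return max(0, int(span.total_seconds()))


def checked_session_time(reported, start: datetime, stop: datetime,
                         start_delay: int = 0, stop_delay: int = 0, tolerance: int = 60) -> tuple:
    """Return (seconds_to_bill, reason). The NAS value is kept only when the timestamps back it up."""
    computed = expected_session_time(start, stop, start_delay, stop_delay)
    wall_clock = int((stop - start).total_seconds())
    if reported is None:
        return computed, "no Acct-Session-Time, computed from timestamps"
    if reported < 0 or reported in (INT32_MAX, UINT32_MAX):
        return computed, "sentinel/overflow value %d, computed from timestamps" % reported
    if reported > wall_clock + tolerance:
        # A huge value that lands near the stop time is an epoch timestamp, not a duration
        if abs(EPOCH + timedelta(seconds=reported) - stop) < timedelta(days=2):
            return computed, "value %d looks like a Unix timestamp, computed from timestamps" % reported
        return computed, "value %d exceeds the wall-clock span, computed from timestamps" % reported
    if abs(reported - computed) > tolerance:
        return min(reported, computed), "value %d disagrees with timestamps, billing the lower" % reported
    return reported, "ok"


# Constructed radacct rows: (user, AcctSessionTime as stored, start, stop, start delay, stop delay)
SAMPLE_RECORDS = [
    ("alice", 4,          datetime(2006, 3, 14, 15, 16, 0), datetime(2006, 3, 14, 15, 16, 4), 0, 0),
    ("bob",   2147483647, datetime(2006, 3, 14, 15, 20, 0), datetime(2006, 3, 14, 15, 20, 4), 0, 0),
    ("carol", 1142280970, datetime(2006, 3, 14, 15, 30, 0), datetime(2006, 3, 14, 15, 30, 3), 0, 0),
    ("dave",  3600,       datetime(2006, 3, 14, 14, 0, 0),  datetime(2006, 3, 14, 15, 0, 10), 5, 5),
]


def audit(records) -> dict:
    """Map user name -> (seconds_to_bill, reason) for every record."""
    return {user: checked_session_time(reported, start, stop, sd, pd)
            for user, reported, start, stop, sd, pd in records}


if __name__ == "__main__":
    for user, (seconds, reason) in audit(SAMPLE_RECORDS).items():
        print("%-6s %10d  %s" % (user, seconds, reason))
```

The timestamp test only works if NAS and server clocks are roughly aligned, which is Alan's point: with skewed clocks the "looks like a Unix timestamp" branch can miss, but the wall-clock branch still refuses the value.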
Re: Password Logging
On Mon, 2006-13-03 at 17:38 +0100, andre kip wrote:
> Hi Geoff,
>
> I haven't been successful in getting freeradius not to log passwords. Where is this rlm_syslog?? I am looking for it in the source but to no avail.
>
> ..or did you change rlm_detail by adding:
>
>   if ((strstr(buf, "User-Password") != 0) && (strcmp(inst->hidepasswd, "yes") == 0)) {
>       pair->next;
>   }
>
> regards,
> Mr. Trüffle

Have you tried changing the settings in radiusd.conf?

  # Log authentication requests to the log file.
  #
  # allowed values: {no, yes}
  #
  log_auth = no

  # Log passwords with the authentication requests.
  # log_auth_badpass - logs password if it's rejected
  # log_auth_goodpass - logs password if it's correct
  #
  # allowed values: {no, yes}
  #
  log_auth_badpass = no
  log_auth_goodpass = no
Re: About Monthly Time Limits
On Mon, 2006-13-03 at 15:39 -0500, Lisa Casey wrote:
> Hi,
>
> We are an ISP. As many ISPs do these days, we outsource our dialup numbers to wholesalers such as Megapops, etc., but we maintain our own radius servers. The wholesaler proxies radius requests to us. The following is kind of hypothetical, but I need to know this in order to understand how all this works.
>
> I have monthly time limits set up in my Freeradius. When customers log in, where exactly does the information come from that tells Freeradius "This customer is OK, he has not used up his time limit yet" or "Reject this customer, he has used up his limit for this month"? Is this dependent on something in the radius config at the wholesaler's end, or is this info taken from my db.monthly file?
>
> Another way of asking this question (in case I'm not making myself clear, which is always a possibility) is: Does the wholesaler have to support monthly time limits or can I do it all from my end (whether or not the wholesaler supports such an attribute)?
>
> Any info about how this process works will probably help clear up my thinking.
>
> Thanks,
> Lisa Casey

You will want to use a monthly counter. Personally I would prefer rlm_sqlcounter, and slightly modify the rlm_sql queries to provide a maximum session time of the time left as an attribute. The whole thing is very configurable and it's kind of left up to the admin to tweak the configs for their own unique purpose.
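What the monthly counter Guy describes actually does, as an added example (not FreeRADIUS code, not the posters' configuration): sum the user's Acct-Session-Time since the 1st of the month, reject when the quota is gone, and otherwise return the time left as Session-Timeout so the NAS hangs the user up by itself. The check runs in the authorize stage of the home server that owns the users, so a proxying wholesaler only has to relay the Access-Reject or the Session-Timeout. SESSIONS is a constructed stand-in for radacct (column names as in the stock schema); the users, times and 10-hour limit are made up.

```python
"""Monthly time limit enforced on the home RADIUS server, in the style of rlm_sqlcounter.

Added example, not FreeRADIUS code. SESSIONS stands in for the radacct table with
column names from the stock schema; users, times and the limit are made up.
"""
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"
MAX_MONTHLY_SECONDS = 10 * 3600  # constructed 10-hour monthly quota

# Constructed radacct rows: (username, acctstarttime, acctstoptime, acctsessiontime)
SESSIONS = [
    ("lisa", "2006-02-27 22:00:00", "2006-02-28 01:00:00", 10800),  # last month: not counted
    ("lisa", "2006-03-02 09:00:00", "2006-03-02 09:30:00", 1800),
    ("lisa", "2006-03-10 20:00:00", "2006-03-10 22:00:00", 7200),
    ("lisa", "2006-03-13 14:39:00", None, 0),                        # still online, no Stop yet
    ("bob",  "2006-03-01 00:00:00", "2006-03-01 10:00:00", 36000),   # whole quota already used
]


def month_start(now):
    """The counter's reset point: midnight on the 1st of the current month."""
    return now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)


def seconds_used_this_month(username, now_str, sessions=SESSIONS):
    """Sum Acct-Session-Time for the user's sessions started since the reset point.

    The stock sqlcounter query sums whatever is already in AcctSessionTime, so a
    session that has sent no Stop or interim update yet contributes nothing. Here a
    session with no Stop is counted as (now - start) instead, so staying dialled in
    does not stretch the quota.
    """
    now = datetime.strptime(now_str, TS)
    since = month_start(now)
    used = 0
    for user, start, stop, session_time in sessions:
        if user != username:
            continue
        started = datetime.strptime(start, TS)
        if started < since:
            continue
        if stop is None:
            used += max(0, int((now - started).total_seconds()))
        else:
            used += session_time
    return used


def authorize(username, now_str, limit=MAX_MONTHLY_SECONDS, sessions=SESSIONS):
    """Decide one Access-Request: reject when the quota is gone, otherwise hand the
    NAS the time left as Session-Timeout."""
    remaining = limit - seconds_used_this_month(username, now_str, sessions)
    if remaining <= 0:
        return "Access-Reject", {"Reply-Message": "Monthly time limit exceeded"}
    return "Access-Accept", {"Session-Timeout": remaining}


if __name__ == "__main__":
    for user in ("lisa", "bob", "newbie"):
        print(user, authorize(user, "2006-03-13 15:39:00"))
```

Session-Timeout is advisory: the NAS must honour it, and a NAS that ignores it leaves only the next login attempt as the enforcement point, which is why the in-progress session is counted here.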
Re: freeBSD and freeRADIUS with mySQL
On Sat, 2006-25-02 at 14:52 -0500, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
> > the ports for freeradius don't seem to install correctly, and when we build from the latest binaries there are errors when trying to load mysql... In the mandrake 10.2 system I had, all I did was install mysqlxx-dev development extensions, and all was good... I can't find any support for freebsd.
>
> I suggest asking on the freebsd ports list, asking the maintainer, or looking through the freebsd bug list. I don't know any developer who uses FreeBSD, so that makes it difficult to track down the problem.
>
> Alan DeKok.

I have not been actively doing any development lately, but I did a bunch of development pre 1.0 to ensure that PostgreSQL and MySQL had the same functionality. The maintainer for the FreeBSD port is quite good, and I have not had any problems with the port in the past.

There have been an enormous number of posts on this topic, and it has been answered a hundred times. The information is out there; there is also sample data that I have posted a number of times.

It would help if the original poster let us know what version of FreeBSD he was using. He mentions Mandrake 10.2, but as far as I know they don't have a FreeBSD distribution. ;^)

I was planning on doing some more testing soon; I will try to get to it today.
Re: hints processing for Accounting-On / Off packets?
On Wed, 2006-22-02 at 07:34 +0100, Stefan Winter wrote:
> Hi,
>
> > You don't have to have a User-Name in the request to use that file. If it isn't there and you need it for further processing you can add it.
>
> Well, no. That's exactly the point: the hints file is *skipped* if there is no User-Name in the request.
>
> Greetings,
> Stefan Winter

The hints file was originally designed to classify users and determine what methods of connection were allowed, by using an uppercase character or other pattern. It provided a similar function to what groups are now used for, before groups were implemented. The letter or pattern could be removed before authentication if desired. Examples:

  Uacct01 = UUCP user acct01
  Pacct02 = PAP user acct02
  Cacct03 = CHAP user acct03
  etc.

The Accounting-On is a status message from the NAS indicating that no users are currently logged on and that accounting will start. The Accounting-Off is a status message from the NAS indicating that all users logged in are being logged off and that accounting will stop. There is no relationship to any specific account, so hints is not supposed to be used. If you are using hints to do some other kind of processing, you are likely using it for something it was not intended for.

If you are using an SQL backend for accounting, the Accounting-On / Accounting-Off packets are handled by the sql configuration to mark all active sessions as stopped for the NAS that sent the packet.
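The SQL handling Guy refers to in the last paragraph, as an added example (not FreeRADIUS code or its shipped accounting_onoff_query): on Accounting-On or Accounting-Off, every open session on the sending NAS is stamped as stopped, keyed on NAS-IP-Address alone because the packet carries no User-Name. It uses an in-memory SQLite table with a cut-down radacct schema; NAS addresses, users and times are constructed. The Acct-Terminate-Cause names NAS-Reboot and NAS-Request are taken from RFC 2866; which value a real sql.conf stores is site configuration, not something this page states.

```python
"""Close stale radacct sessions when a NAS sends Accounting-On or Accounting-Off.

Added example, not FreeRADIUS code. Mirrors what the sql module's
accounting_onoff_query does, against an in-memory SQLite table with a cut-down
radacct schema; NAS addresses, users and times are made up.
"""
import sqlite3

# Constructed Accounting-On as the server sees it after decoding (no User-Name).
ACCOUNTING_ON = {"Acct-Status-Type": "Accounting-On", "NAS-IP-Address": "192.0.2.10",
                 "Acct-Delay-Time": 5, "received_at": 1140004000}


def open_radacct():
    """Constructed radacct: NAS 192.0.2.10 has two open sessions and one closed one;
    NAS 192.0.2.20 has one open session that must be left alone."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (
        radacctid INTEGER PRIMARY KEY, username TEXT, nasipaddress TEXT,
        acctstarttime INTEGER, acctstoptime INTEGER, acctsessiontime INTEGER,
        acctterminatecause TEXT)""")
    db.executemany("INSERT INTO radacct VALUES (NULL, ?, ?, ?, ?, ?, ?)", [
        ("acct01", "192.0.2.10", 1140000000, None, 0, None),
        ("acct02", "192.0.2.10", 1140001000, 1140002000, 1000, "User-Request"),
        ("acct03", "192.0.2.10", 1140003000, None, 0, None),
        ("acct04", "192.0.2.20", 1140003500, None, 0, None),
    ])
    db.commit()
    return db


def open_sessions(db):
    """Usernames of sessions that have no Acct-Stop yet."""
    rows = db.execute(
        "SELECT username FROM radacct WHERE acctstoptime IS NULL ORDER BY username")
    return [row[0] for row in rows]


def handle_accounting_onoff(db, packet):
    """Mark every open session on the sending NAS as stopped; return rows changed.

    Only NAS-IP-Address identifies the sessions: the packet has no User-Name, which
    is why the hints file (which needs one) plays no part here. Acct-Delay-Time is
    how long the NAS sat on the packet, so the stop time is backdated by that much.
    """
    status = packet.get("Acct-Status-Type")
    if status not in ("Accounting-On", "Accounting-Off"):
        return 0
    stop_time = packet["received_at"] - packet.get("Acct-Delay-Time", 0)
    # RFC 2866 cause names; the real query stores whatever sql.conf says (assumption).
    cause = "NAS-Reboot" if status == "Accounting-On" else "NAS-Request"
    cur = db.execute("""UPDATE radacct
           SET acctstoptime = ?, acctsessiontime = ? - acctstarttime, acctterminatecause = ?
         WHERE nasipaddress = ? AND acctstoptime IS NULL AND acctstarttime <= ?""",
        (stop_time, stop_time, cause, packet["NAS-IP-Address"], stop_time))
    db.commit()
    return cur.rowcount


def session(db, username):
    """(acctstoptime, acctsessiontime, acctterminatecause) for one user."""
    return db.execute("SELECT acctstoptime, acctsessiontime, acctterminatecause "
                      "FROM radacct WHERE username = ?", (username,)).fetchone()


if __name__ == "__main__":
    db = open_radacct()
    print("open before:", open_sessions(db))
    print("closed:", handle_accounting_onoff(db, ACCOUNTING_ON))
    print("open after:", open_sessions(db))
```

The `acctstarttime <= stop_time` clause matters with a skewed NAS clock: a session the NAS reports as starting after its own reboot notification must not be closed by it.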
Re: PAP credentials against AD?
Hi Josh,

So long as the user is a valid user, it can be used to do the bind, AFAIK. I used to do this at the office. Our AD Admins created a special account with a non-expiring password but no other special privileges to authenticate the search/bind and that worked fine. We used to use EAP-TTLS/PAP for wireless login. We also used the GINA module in the 802.1x supplicant we had to authenticate prior to completion of windows login so that login scripts worked properly too :-)

Rgds,
Guy

On 15/02/06, Josh Howlett <[EMAIL PROTECTED]> wrote:
> Hi Stefan,
>
> We probably need a freeradius-eduroam list :-)
>
> > > Is it possible to authenticate PAP credentials from the NAS against a Windows domain using NTLM? I've tried using the mschap module, but it expects to see a Challenge that the NAS doesn't provide.
> >
> > If you want to authenticate against AD and have PAP credentials available, just treat the AD server like an LDAP server, i.e.: the ldap {} section is for you. It will use the credentials to bind as the user to AD, and if that succeeds the user is allowed in.
>
> I didn't realise that AD allowed authenticated binds from users by default. Does it require some special tweaking? Our AD admins are *very* cautious about who talks to it... (probably very sensible).
>
> best regards,
> josh.
Re: client ip-address as broadcast address with mask
Of course it has meaning. If your host is on a /23 subnet, then the middle .255 and .0 are perfectly valid hosts.

Rgds,
Guy

On 14/02/06, DilipSimha.N.M <[EMAIL PROTECTED]> wrote:
> hi,
> why does FREERADIUS accept the client ip-address as: aaa.aaa.aaa.255/32 ??? (in clients.conf)
> this doesn't have any meaning as a source address. what purpose does this serve?
> --DilipSimha
Re: NAS online/offline?
A stale session in radacct could happen simply due to the loss of a UDP packet with the accounting information in it. RADIUS is totally stateless and has no reliable mechanism for deciding if a user is present or not. If simultaneous use relies entirely upon the contents of radacct, it's very vulnerable to packet loss and also, if you're using multiple radius servers for authentication/authorization and for accounting, you may not have access to all the logs anyway.

I was under the impression (possibly falsely) that simultaneous use relied upon the presence of snmp to function properly (I've certainly seen warnings when compiling that snmp isn't present so simultaneous use may not function correctly).

Rgds,
Guy

On 07/02/06, nikwan (sent by Nabble.com) <[EMAIL PROTECTED]> wrote:
> Thank you very much for your reply. Let me phrase my question differently. In particular, we have a problem that when a NAS goes down, we get a stale session in radacct. It stays there indefinitely. How can we clean this up?
Re: How to kick a logged user
On Mon, 2006-06-02 at 11:47 -0500, Eduardo Bejar wrote:
> Hi,
>
> I've been searching a while about how to kick a logged user or force terminate its session. It seems that this has been asked before on the list, but I didn't find an answer different from "radius can't do that". The only answer that I've found is that it requires an external script for this. Section 4.3 of the Freeradius FAQ mentions a radkill program, but the link included is dead. And it also says "try using SNMP". I haven't been able to find information on how to use SNMP for this either, so I ask the list:
>
> Can anyone post a link to download radkill? Or can anyone explain to me how to do this with SNMP? Or perhaps, can anyone post a procedure to kick a logged user?
>
> Thanks for your replies,
> Edo

It depends entirely on your NAS. Radius is not designed to kick off users. Check the documentation for your NAS.

The radkill script was designed to work with Livingston Portmasters and does not work with many other products, but may be a good place to start to build your own. We rarely needed to kick users off, and when we did we just logged into the NAS and booted them from there.

I looked into it briefly for Cisco 5248 and determined that setting the interface administratively down would boot the user, then setting it back to up would allow it to accept access again. The tricky part was matching the user to the interface so you would kick the right user.
Re: VSA Problem
Hi Romao,

What are you using to view the packet? Many packet analysis and RADIUS check tools require their own dictionary (e.g. NTRadPing). If this is the case and you've not updated the dictionary for that tool, then that's exactly what I'd expect you to see.

Rgds,
Guy

On 26/01/06, Romao Izumi Ito <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I'm working with Nortel Network Passport and I'm trying to configure a new dictionary on the freeradius. In the vendor's doc we have the following VSA and Vendor-ID:
>
>   VENDOR     nortel  562
>   ATTRIBUTE  Passport-Command-Scope        200  integer  nortel
>   ATTRIBUTE  Passport-Command-Impact       201  integer  nortel
>   ATTRIBUTE  Passport-Customer-Identifier  202  integer  nortel
>   ATTRIBUTE  Passport-Allowed-Access       203  integer  nortel
>   ATTRIBUTE  Passport-AllowedOut-Access    204  integer  nortel
>   ATTRIBUTE  Passport-Login-Directory      205  string   nortel
>   ATTRIBUTE  Passport-Timeout-Protocol     206  integer  nortel
>   ATTRIBUTE  Passport-Role                 207  string   nortel
>   ...
>
> I configured the file dictionary.nortel in /etc/raddb and included it in the dictionary file. Also I tried it in /usr/share/freeradius/. I added these attributes in the users file but when I look at the radius packet I see:
>
>   Vendor Specific(26), Vendor: Undefined(562) Unknown Type(200), Value: Unknown Value type
>
> What am I doing wrong?
>
> Thank you,
> Romao.
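Why the viewer prints "Undefined(562) Unknown Type(200)" while the server is fine: the wire carries only numbers, and names come from whatever dictionary the decoding tool has loaded. The following added example (not FreeRADIUS code, not from the posters) parses a dictionary in the format Romao quotes and decodes an RFC 2865 Vendor-Specific attribute with and without it. The dictionary text is the Nortel snippet from the post; build_vsa() and the attribute values are constructed here. The decoder expects one vendor TLV per attribute and checks both length octets before slicing, since they come from the NAS or from whoever can spoof its address.

```python
"""Decode a RADIUS Vendor-Specific attribute against a FreeRADIUS-style dictionary.

Added example, not FreeRADIUS code. DICTIONARY_NORTEL is the snippet from the post;
build_vsa() and the example values are constructed to show what a viewer prints with
and without the vendor dictionary loaded.
"""
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type

DICTIONARY_NORTEL = """
VENDOR     nortel  562
ATTRIBUTE  Passport-Command-Scope        200  integer  nortel
ATTRIBUTE  Passport-Command-Impact       201  integer  nortel
ATTRIBUTE  Passport-Customer-Identifier  202  integer  nortel
ATTRIBUTE  Passport-Allowed-Access       203  integer  nortel
ATTRIBUTE  Passport-AllowedOut-Access    204  integer  nortel
ATTRIBUTE  Passport-Login-Directory      205  string   nortel
ATTRIBUTE  Passport-Timeout-Protocol     206  integer  nortel
ATTRIBUTE  Passport-Role                 207  string   nortel
"""


def parse_dictionary(text):
    """Return (vendors {name: id}, attrs {(vendor_id, type): (name, datatype)})."""
    vendors, attrs = {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "VENDOR":
            vendors[fields[1]] = int(fields[2])
        elif fields[0] == "ATTRIBUTE" and len(fields) == 5:
            name, code, datatype, vendor = fields[1:]
            attrs[(vendors[vendor], int(code))] = (name, datatype)
    return vendors, attrs


def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: Type, Length, Vendor-Id, then the
    vendor's own Type, Length, Value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    payload = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(payload)) + payload


def decode_vsa(attr, dictionary):
    """Return (vendor_name, attribute_name, value) for one VSA, one vendor TLV per attribute.

    Both length octets come off the wire, so they are checked against each other
    and against the buffer before anything is sliced out of it.
    """
    vendors, attrs = dictionary
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vtype, vlen = attr[6], attr[7]
    if vlen < 2 or 6 + vlen != attr[1]:
        raise ValueError("vendor-length does not match attribute length")
    value = attr[8:6 + vlen]
    by_id = {vid: name for name, vid in vendors.items()}
    vendor_name = by_id.get(vendor_id, f"Undefined({vendor_id})")
    name, datatype = attrs.get((vendor_id, vtype), (f"Unknown Type({vtype})", None))
    if datatype == "integer" and len(value) == 4:
        return vendor_name, name, struct.unpack("!I", value)[0]
    if datatype == "string":
        return vendor_name, name, value.decode("utf-8", errors="replace")
    return vendor_name, name, value.hex()  # no dictionary entry: show raw octets


def is_well_formed(attr):
    """True if decode_vsa() accepts the attribute's framing, dictionary or not."""
    try:
        decode_vsa(attr, ({}, {}))
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    role = build_vsa(562, 207, b"admin")
    print(decode_vsa(role, parse_dictionary(DICTIONARY_NORTEL)))  # named
    print(decode_vsa(role, parse_dictionary("")))                 # Undefined / Unknown Type
```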
Re: Windows WPA
I have to admit that I'm using a paid-for client (Funk Odyssey). It's very good but at around £25 to £30 per seat (depending upon numbers) it isn't cheap. SecureW2 used to be free and was very good. I seem to remember them going open source but I've not really investigated that product in a while.

I would say that the time taken to correctly configure the client is no different than the windows supplicant. It generally takes me a couple of minutes a seat to configure a user with EAP-TTLS/PAP against a RADIUS server with existing LDAP links to an AD server. I'd also have to specifically identify the CA certificate that the client should use to authenticate the RADIUS server's certificate. So I don't consider that an extra cost.

Rgds,
Guy

On 22/12/05, Phil Mayers <[EMAIL PROTECTED]> wrote:
> Guy Davies wrote:
> > The other alternative is to use a third party 802.1x supplicant with a decent GINA module. This behaves *exactly* as you want. It accepts the users' credentials at the windows login, stops the windows login process, logs the user into the network, then returns control to windows to login the user to the AD. I've been doing this with EAP-TTLS/PAP to an AD backend with LDAP (no NTLM :-) for a while.
>
> Sure, though there's typically cost (sometimes money, sometimes just time) and of course the need for custom software there.
>
> Are you using a for-pay one, or are there any good free ones these days?
Re: Postgres
On Thu, 2005-08-12 at 15:57 -0500, Brian A. Seklecki wrote:
> On Wed, 7 Dec 2005, leunam atebro wrote:
> > I am new to this freeradius server, can you give me some idea on how to authenticate freeradius in a postgres database? Also, I need sample configuration
>
> Working, tested, proven sample configuration files are [what this project is in] in desperate need of.

Very few changes need to be made to make FreeRadius work with PostgreSQL using the default configuration files; the main change is selecting the postgres configuration file. The schema and configuration files are included. There isn't information on how to configure PostgreSQL, because they have their own documentation and mailing list.

I have provided data sets for testing PostgreSQL in the past and they are likely still in the archives. I did extensive testing prior to the release of version 1.0 to ensure that the PostgreSQL driver had equivalent capability to the default MySQL driver.

Most problems configuring FreeRadius for use with SQL backends are misconfigurations of the SQL system. Test the SQL connection from the radius server using the username, password, host and port you have configured in the config files, using the database's command-line utilities, to ensure you have properly configured your database. In many cases you will need to edit the host based authentication and configuration files to enable IP connectivity and allow authentication for the SQL backend from the FreeRadius server. All of this is part of the SQL server configuration and is not covered by FreeRadius, because it is covered by the database documentation.

In the mean time, search the mailing list archives.

> Just out of curiosity, are you just wanting to control AAA access to the CLI or are you authenticating a dialin port on the AUX?
>
> ~BAS
>
> > to test the server. My NAS client is CISCO(2500) with 11.3 IOS. Help is highly appreciated.. Thank you... Nuel
>
> l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8

-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
RE: question on ldap_escape_func in rlm_ldap.c
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nicolas Baradakis
Sent: 07 December 2005 13:18
To: FreeRadius users mailing list
Subject: Re: question on ldap_escape_func in rlm_ldap.c

Qin Zhen wrote:
> so in the latest version (1.0.5), a username 'jam\' will be converted into 'jam\5c' and ldapsearch will be based on 'jam\5c', right? so this username is supposed not to be found in ldap in this case? but how come in my server, the ldapsearch will be based on 'jam' and those invalid characters are just simply eliminated? scratching head... pls assist.. thanks so much

That's what is said in http://www.ietf.org/rfc/rfc2254.txt

  If a value should contain any of the following characters

            Character       ASCII value
            ---------------------------
            *               0x2a
            (               0x28
            )               0x29
            \               0x5c
            NUL             0x00

  the character must be encoded as the backslash '\' character (ASCII 0x5c) followed by the two hexadecimal digits representing the ASCII value of the encoded character. The case of the two hexadecimal digits is not significant.

-- 
Nicolas Baradakis
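The RFC 2254 table quoted above, implemented as an added example (not rlm_ldap's code): ldap_escape() turns 'jam\' into 'jam\5c' exactly as Qin Zhen expects from 1.0.5, and strip_specials() reproduces the behaviour he reports seeing on his server (the special characters simply dropped) so the two can be compared. Dropping is the dangerous one: 'jam\' and 'jam' then collapse onto the same search and the wrong entry can be matched, whereas escaping guarantees the value is only ever matched literally and cannot change the filter's structure. The filter template and user names are made up.

```python
"""RFC 2254 escaping of user-supplied values in LDAP search filters.

Added example, not rlm_ldap's code. ldap_escape() implements the RFC 2254 table;
strip_specials() reproduces the "characters eliminated" behaviour reported in the
thread for comparison. Filter template and user names are made up.
"""

# Character -> backslash plus the two hex digits of its ASCII value (RFC 2254 section 4).
RFC2254_ESCAPES = {
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\\": r"\5c",
    "\x00": r"\00",
}


def ldap_escape(value):
    """Escape a value so it can only ever match literally inside a filter."""
    return "".join(RFC2254_ESCAPES.get(ch, ch) for ch in value)


def strip_specials(value):
    """Drop the special characters instead of escaping them (the behaviour reported
    for the older server). Distinct inputs collapse onto the same search."""
    return "".join(ch for ch in value if ch not in RFC2254_ESCAPES)


def user_filter(username, template="(uid=%s)", escape=ldap_escape):
    """Build the search filter for a User-Name, as the ldap module does with %u."""
    return template % escape(username)


def unescaped_parens(filter_text):
    """Count '(' and ')' that are not inside an escape sequence.

    Substituting a properly escaped value never changes this count relative to
    the bare template; a successful injection does.
    """
    count = 0
    i = 0
    while i < len(filter_text):
        if filter_text[i] == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if filter_text[i] in "()":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    for name in ("jam\\", "jam", "*)(uid=*"):
        print(repr(name), "->", user_filter(name),
              "| stripped:", user_filter(name, escape=strip_specials))
```

The not-found result Qin Zhen describes for 'jam\5c' is the correct outcome: a backslash in a User-Name should only match an entry whose uid really contains one.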