RE: rlm_perl - Debian sarge
Hi,

I have written a module for use with freeRADIUS which seems to work fine and dandy on my desktop Fedora box. However, when I drop this module and config on one of the production (and now test) Debian Sarge boxes running the same initial config with the same version of freeRADIUS I get:

/usr/sbin/freeradius: relocation error: /usr/lib/perl5/auto/DBI/DBI.so: undefined symbol: Perl_Gthr_key_ptr

and freeRADIUS obviously refuses to start.

I solved it by starting freeradius (and changing the startup scripts) using:

LD_PRELOAD=/usr/lib/libperl.so freeradius $freeradiusargs

J.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Static IP Address allocation database - Active Directory?
> Has anyone experimented with using Active Directory as a database for Static IP Addressing?

Yes, just assign a static IP in the AD dial-in properties for that user and adapt the ldap.attrmap accordingly; this works perfectly. There is no need to make a user a member of a 'radius_staticip' group.

J.

--
Jonathan De Graeve
IMELDA vzw Informatica Dienst
Network System Engineer
[EMAIL PROTECTED]
+32(0)15/50.52.98
RE: Open access
-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Sean
Sent: Friday 27 October 2006 14:20
To: freeradius-users@lists.freeradius.org
Subject: Open access

> Hi,
>
> I want to grant access to any user or password on my backup server. I found
>
> DEFAULT Auth-Type := Accept
>
> in the FAQ, however it gives no hint as to where to put the code. I've been trying various parts of raddb.conf with no success.

Place it in users

--
Jonathan De Graeve
IMELDA vzw Informatica Dienst
Network System Engineer
[EMAIL PROTECTED]
+32(0)15/50.52.98
RE: freeradius and ntlm_auth howto
The debugging output is exactly saying what's wrong:

Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)

This dir should be readable by freeradius AND winbind. I thought 750 would work.

J.

--
Jonathan De Graeve
IMELDA vzw Informatica Dienst
Network System Engineer
[EMAIL PROTECTED]
+32(0)15/50.52.98

-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday 26 October 2006 16:24
To: freeradius-users@lists.freeradius.org
Subject: freeradius and ntlm_auth howto

All,

I am trying to authenticate my wifi users via our AD. I'm finding bits and pieces on the internet to configure things, but no completely usable howto. Can someone of the users look at the output below and point me to the correct solution/howto?

I set up smb.conf, krb5.conf and freeradius. I joined the server to the domain and tested the connection with ntlm_auth:

[EMAIL PROTECTED] ~]# /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --domain=KMT-EU.KMTG.NET
password:
NT_STATUS_OK: Success (0x0)
[EMAIL PROTECTED] ~]#

Rights of the winbind pipe:

ls -l /var/cache/samba/winbindd_privileged
total 0
srwxrwxrwx 1 root root 0 Oct 25 14:46 pipe

Below is the debug output of freeradius:

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c38a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
PEAP: Adding old state with a4 c3
PEAP: Sending tunneled request
EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c38a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = KMT-EU.KMTG.NET\\sstruyf
State = 0xa4c337a92357e8d90a5f8c64b37d2df1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module preprocess returns ok for request 7
modcall[authorize]: module mschap returns noop for request 7
rlm_realm: No '@' in User-Name = KMT-EU.KMTG.NET\sstruyf, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module kmt-eu.kmtg.net returns noop for request 7
rlm_realm: Looking up realm KMT-EU.KMTG.NET for User-Name = KMT-EU.KMTG.NET\sstruyf
rlm_realm: Found realm KMT-EU.KMTG.NET
rlm_realm: Adding Stripped-User-Name = sstruyf
rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
rlm_realm: Adding Realm = KMT-EU.KMTG.NET
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module ntdomain returns noop for request 7
rlm_eap: EAP packet type response id 9 length 82
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 7
users: Matched sstruyf at 98
modcall[authorize]: module files returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: 95
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=sstruyf
RE: SQLcounter patch - Addition of reply-attribute
> Jonathan De Graeve [EMAIL PROTECTED] wrote:
> > I just made a patch against 1.1.3 for the SQLcounter module.
>
> Please submit patches on bugs.freeradius.org. It's easier to manage them that way.

As requested: http://bugs.freeradius.org/showattachment.cgi?attach_id=187

--
Jonathan De Graeve
IMELDA vzw Informatica Dienst
Network System Engineer
[EMAIL PROTECTED]
+32(0)15/50.52.98
RE: freeradius+hpidm+cisco
> All,
>
> We have an HP infrastructure and use identity driven management to enforce some additional rights to users (such as forcing VLAN assignment). We have a mixed wireless environment with HP ProCurve and Cisco (1200). For HP access points we don't have any problem, but when trying with Cisco devices freeradius crashes with a segmentation fault. The segmentation fault happens when accessing the module hpidm.post-auth.conf which is loaded through radius.conf. (If I comment out this module I don't get the error, but then VLAN assignment doesn't work for the HPs.)

It would be useful to debug and to post what's in the hpidm.post-auth.conf

J.

--
Jonathan De Graeve
IMELDA vzw Informatica Dienst
Network System Engineer
[EMAIL PROTECTED]
+32(0)15/50.52.98
RE: Decreasing connection time (Session-Timeout)
> Now, how could I subtract the elapsed time from the original Session-Timeout time? So that the user will, at the next login, only have 40 minutes left.

SQLcounter is the module you need.

J.

--
Jonathan De Graeve
IMELDA vzw Informatica Dienst
Network System Engineer
[EMAIL PROTECTED]
+32(0)15/50.52.98
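How rlm_sqlcounter arrives at the "40 minutes left" in the question above, as an added Python model that is not part of this thread or of FreeRADIUS itself. It assumes a constructed stand-in for the radacct table and the module's documented behaviour: when the summed session time reaches the check item (here Max-Daily-Session) the request is rejected, otherwise Session-Timeout in the reply is set to the remaining seconds, keeping any smaller Session-Timeout that was already there. The reject text is a constructed placeholder, not the module's exact message.

```python
"""Model of the rlm_sqlcounter authorize decision (added example, not FreeRADIUS code).

The real module runs its configured SQL query (typically SUM(AcctSessionTime)
over radacct for the user) to obtain a counter, compares it with the check
item, and lowers Session-Timeout to the time that is left.
"""
from dataclasses import dataclass, field

# Constructed sample rows (username, AcctSessionTime in seconds) standing in
# for the radacct table that the sqlcounter query would read.
RADACCT = [
    ("alice", 20 * 60),   # alice has used 20 minutes so far today
    ("alice", 0),         # a session row with no time accounted yet
    ("bob", 60 * 60),     # bob has already used a full hour
]


@dataclass
class Decision:
    code: str                              # "ok", "noop" or "reject"
    reply: dict = field(default_factory=dict)


def counter_query(username):
    """Stand-in for the module's 'query': SUM(AcctSessionTime) for the user."""
    return sum(t for u, t in RADACCT if u == username)


def sqlcounter(username, check_items, reply_items):
    """Apply the sqlcounter logic to one authorize request.

    check_items: the user's check items, e.g. {"Max-Daily-Session": 3600}
    reply_items: reply items collected so far (may already hold Session-Timeout)
    """
    limit = check_items.get("Max-Daily-Session")
    if limit is None:
        # No check item for this user: the module logs
        # "Could not find Check item value pair" and returns noop.
        return Decision("noop", dict(reply_items))

    used = counter_query(username)
    if used >= limit:
        # Over the limit: reject with a (constructed) Reply-Message.
        return Decision("reject", {"Reply-Message": "daily usage limit reached"})

    remaining = limit - used
    reply = dict(reply_items)
    existing = reply.get("Session-Timeout")
    # Keep an already smaller Session-Timeout (e.g. from the users file),
    # otherwise cap the session at the remaining allowance.
    if existing is None or existing > remaining:
        reply["Session-Timeout"] = remaining
    return Decision("ok", reply)


if __name__ == "__main__":
    # 60 minute daily limit, 20 minutes used: 40 minutes (2400 s) are left.
    print(sqlcounter("alice", {"Max-Daily-Session": 3600}, {}))
    print(sqlcounter("bob", {"Max-Daily-Session": 3600}, {}))
```

The decision is split into "reject" and "ok" return codes on purpose; that is the hook the follow-up reply in this thread relies on when it suggests module failover on the sqlcounter return code instead of patching the module to add reply attributes.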
RE: SQLcounter patch - Addition of reply-attribute
> That's really what multiple modules are for. Have the sqlcounter module return a special return code when the user is over the limit, and use module failover to switch on that return code, and run another module.

Ok, any idea on the return code to be used?

- char *counter_name; /* Daily-Session-Time */
- char *check_name; /* Max-Daily-Session */
- char *key_name; /* User-Name */
+ char *counter_name; /* Daily-Session-Time */

> Why? Gratuitous whitespace changes don't belong in a patch.

My bad, sorry

- if ((reply_item = pairfind(request-reply-vps, PW_SESSION_TIMEOUT)) != NULL) {
+ /* if ((reply_item = pairfind(request-reply-vps, PW_SESSION_TIMEOUT)) != NULL) { */

> If you're changing code PLEASE do not leave the old code in comments. It's confusing, and pointless. CVS will tell you what the old code was. This practice is just unnecessary.

This was for internal purposes only. I'll submit the patch in the form you want it to bugs.freeradius.org. I hope it's compatible with the CVS code.

J.
SQLcounter patch - Addition of reply-attribute
 {
        char module_fmsg[MAX_STRING_LEN];
@@ -722,6 +778,7 @@
        free(data-sqlmod_inst);
        free(data-counter_name);
        free(data-allowed_chars);
+       free(data-reply_name);
        allowed_chars = NULL;
        free(instance);
/END OF PATCH

Enjoy this patch,

J.

--
Jonathan De Graeve
IMELDA vzw Informatica Dienst
Network System Engineer
[EMAIL PROTECTED]
+32(0)15/50.52.98
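Review bot: the added free(data-reply_name) in the detach hunk (@@ -722,6 +778,7 @@) is only safe if reply_name is set on every instantiation path, including the early-return paths that call detach before the config has been fully parsed; free(NULL) is harmless, but an uninitialised pointer is not, and the initialisation is not in the lines shown, so please confirm it in the full patch. Also, the hunk as it appears in the mail has lost its arrow operators (free(data-sqlmod_inst) where the structure access needs data->...), so it will not apply as pasted; attaching the file on bugs.freeradius.org, as already asked for in this thread, avoids that.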
RE: [sec: unclas] Huntgroupname checkitem in LDAP
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Ranner, Frank MR
Sent: Tuesday 17 October 2006 4:17
To: FreeRadius users mailing list
Subject: RE: [sec: unclas] Huntgroupname checkitem in LDAP

> DEFAULT Ldap-Group == `%{Huntgroup-Name}`
>         Access-Level := RW,
>         Service-Type = Administrative-User,
>         Cisco-AVPair := shell:priv-lvl=15,
>         Passport-Command-Impact = configuration

Although this approach works if you just want to add attributes for a certain huntgroup if a user is a member of it, my problem is that I have 2 user databases, one being SQL, the other being LDAP/AD. I want to be able to specify which NASes the LDAP/AD user has access to.

If it were only LDAP/AD users, everything would work like this:

DEFAULT Ldap-Group == `%{Huntgroup-Name}`
        Fall-Through = no

DEFAULT Auth-Type := REJECT

In this way, every user that is not a member of a specific group that matches a huntgroup name is denied access. But I still have the SQL users, and the above rules break them. So I changed it to this:

DEFAULT SQL-Group == `%{Huntgroup-Name}`
        Fall-Through = no

DEFAULT Ldap-Group == `%{Huntgroup-Name}`
        Fall-Through = no

DEFAULT Auth-Type := REJECT

In this way, I need to change my SQL users setup from having the Huntgroup-Name in SQL as a check item (radgroupcheck) to adding every SQL user to a SQL group having the same name as the huntgroup. This behaviour works but is not really desirable.

After searching and experimenting, the trick to NOT break EAP/LDAP/SQL but still have everything working like I wanted it was as follows:

DEFAULT Ldap-Group == `%{Huntgroup-Name}`
        Fall-Through = no

DEFAULT Auth-Type = LOCAL
        Fall-Through = Yes

This configuration allows the default SQL behaviour to stay the same, having EAP AND locking LDAP users to the NASes controlled by their group membership.

Since I spent a long time figuring this out I wanted to share this with the list.

My current setup has SQL users + complete Active Directory integration (having EAP=NTLM) + LDAP (PAP/etc...)

Kind Regards,

J.
Huntgroupname checkitem in LDAP
Hello,

I'm looking for a way to have my huntgroups defined in LDAP similar to the way they are in SQL. For example, if a user belongs to Ldap-Group vpn, the group in LDAP contains an attribute containing the huntgroup names which the group gives access to.

I tried adding checkItem Huntgroup-Name info to my ldap.attrmap with an attribute info having the value:

=~ ^(vpn|sslvpn)$

(without success)

I had success with the following setup in users:

DEFAULT Huntgroup-Name == vpn, Ldap-Group == vpn
        Fall-Through = no

DEFAULT Huntgroup-Name == sslvpn, Ldap-Group == sslvpn
        Fall-Through = no

DEFAULT Auth-Type := Reject

This allows specifying which user has access to which NAS group by adding group memberships to the user. But it breaks the users existing in SQL. I could of course also add the specific SQL-Groups into the users file, but this would still require a reorganisation of the SQL users since they only have a Huntgroup-Name attribute for their group level which specifies multiple huntgroups by using a regexp.

I'm kinda stuck on how to implement it. Any advice would be greatly appreciated.

J.
PEAP-MSCHAPv2 against AD
validfromcreation returns noop for request 252
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module uploadlimit returns noop for request 252
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module volumelimit returns noop for request 252
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module prepaidcounter returns noop for request 252
modcall: leaving group authorize (returns updated) for request 252
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 252
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 252
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for jonathan with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: 05
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=IMZ\\jonathan --challenge=d13cab581e1c3097 --nt-response=1337f654a247b82ba252becd3320cdd94974567666fa0818 --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134 --domain=IMZ'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=IMZ\\jonathan --challenge=d13cab581e1c3097 --nt-response=1337f654a247b82ba252becd3320cdd94974567666fa0818 --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134 --domain=IMZ
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 252
modcall: leaving group MS-CHAP (returns reject) for request 252
rlm_eap: Freeing handler
modcall[authenticate]: module eap returns reject for request 252
modcall: leaving group authenticate (returns reject) for request 252
auth: Failed to validate the user.
Login incorrect: [IMZ\\jonathan/no User-Password attribute] (from client localhost port 4 cli 004096ab4eed)
PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = \010E=691 R=1
EAP-Message = 0x04080004
Message-Authenticator = 0x
PEAP: Processing from tunneled session code 0x8978750 3
MS-CHAP-Error = \010E=691 R=1
EAP-Message = 0x04080004
Message-Authenticator = 0x
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE

Anyone out there who knows how to solve this problem?

PS: I'm running freeradius 1.1.3

Thx in advance,

J.

--
Jonathan De Graeve
Network/System Engineer
Imelda vzw Informatica Dienst
+32 15/50.52.98
[EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -
RE: PEAP-MSCHAPv2 against AD
Never mind, found the solution as:

ntlm_auth --username=%{mschap:User-Name} --foobar

J.

--
Jonathan De Graeve
Network/System Engineer
Imelda vzw Informatica Dienst
+32 15/50.52.98
[EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Jonathan De Graeve
Sent: Monday 25 September 2006 17:34
To: FreeRadius users mailing list
Subject: PEAP-MSCHAPv2 against AD

I'm trying to do PEAP-MSCHAPv2 with authentication against an AD. Currently I have the following problem: when the domain is in the username the authentication fails; if the domain name isn't in the authentication, the authentication succeeds.

I'm using the following ntlm_auth line in radiusd.conf:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134 --domain=%{mschap:NT-Domain:-IMZ}

with_ntdomain_hack = yes is enabled in the mschap {} section.

Output from the shell:

radius1:/etc/freeradius# /usr/bin/ntlm_auth --request-nt-key --username=IMZ\\beheerder --challenge=e456e008c25a9ac7 --nt-response=28e9d997b30267a36af64a4fcb530cd6b08f1141c09bc580 --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134 --domain=IMZ
Logon failure (0xc06d)
radius1:/etc/freeradius# /usr/bin/ntlm_auth --request-nt-key --username=beheerder --challenge=e456e008c25a9ac7 --nt-response=28e9d997b30267a36af64a4fcb530cd6b08f1141c09bc580 --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134 --domain=IMZ
NT_KEY: EB23807FB13B1CAB06F4F0BBE5C199D0

Debugging information (with a different user):

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 252
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020800471a0208004231f622919de18b1fdab0ca9902b9729d491337f654a247b82ba252becd3320cdd94974567666fa081800494d5a5c6a6f6e617468616e
PEAP: Setting User-Name to IMZ\jonathan
PEAP: Adding old state with 8f f9
PEAP: Sending tunneled request
EAP-Message = 0x020800471a0208004231f622919de18b1fdab0ca9902b9729d491337f654a247b82ba252becd3320cdd94974567666fa081800494d5a5c6a6f6e617468616e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = IMZ\\jonathan
State = 0x8ff913e6997d7ca8d6a9b4832ff5c931
NAS-IP-Address = 194.8.52.161
Connect-Info = CONNECT 802.11
Called-Station-Id = 000fb5df0524
Calling-Station-Id = 004096ab4eed
NAS-Identifier = ap
NAS-Port-Type = Wireless-802.11
NAS-Port = 4
NAS-Port-Id = 4
Framed-MTU = 1400
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 252
modcall[authorize]: module preprocess returns ok for request 252
modcall[authorize]: module attr_filter returns noop for request 252
modcall[authorize]: module chap returns noop for request 252
modcall[authorize]: module mschap returns noop for request 252
modcall[authorize]: module digest returns noop for request 252
rlm_realm: No '@' in User-Name = IMZ\jonathan, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 252
rlm_eap: EAP packet type response id 8 length 71
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 252
modcall[authorize]: module files returns notfound for request 252
radius_xlat: 'IMZ\\jonathan'
rlm_sql (sql): sql_set_user escaped user -- 'IMZ\\jonathan'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'IMZ\\\\jonathan' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): User IMZ\\jonathan not found in radcheck
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'IMZ\\\\jonathan' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute
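What the `%{mschap:User-Name}` and `%{mschap:NT-Domain}` expansions do to a `DOMAIN\user` name before it reaches ntlm_auth, as an added Python example that is not part of this thread or of FreeRADIUS. The splitting function and the argv builder are my own; the `user@realm` case is handled as well, which goes beyond what the mschap expansions do (FreeRADIUS leaves that form to rlm_realm). The user names, challenge and NT-Response values are the ones quoted in the thread above, used here only as sample input.

```python
"""Build the ntlm_auth argument vector from a RADIUS User-Name (added example).

Shows why '--username=IMZ\\jonathan' fails where '--username=jonathan
--domain=IMZ' works: the domain prefix has to be split off and passed
separately, which is what %{mschap:User-Name} / %{mschap:NT-Domain} do.
"""
import re

# Constructed samples of the User-Name forms seen in this thread.
SAMPLES = ["IMZ\\jonathan", "beheerder", "sstruyf@KMT-EU.KMTG.NET"]


def split_nt_name(user_name, default_domain):
    """Return (domain, user) for 'DOMAIN\\user', 'user@realm' or a bare name.

    The backslash form mirrors the mschap NT-Domain / User-Name expansions;
    the '@' form is an addition for names that rlm_realm would otherwise
    have stripped. A bare name gets default_domain, like the ':-IMZ'
    fallback in the configuration line quoted above.
    """
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return realm, user
    return default_domain, user_name


def ntlm_auth_argv(user_name, challenge_hex, nt_response_hex,
                   default_domain, required_sid=None):
    """Return the ntlm_auth command line as an argv list (never a shell string).

    Passing a list keeps a backslash in the user name from being reinterpreted
    by a shell: each element reaches ntlm_auth as one argument, unchanged.
    """
    # MS-CHAPv2: the challenge hash is 8 bytes, the NT-Response 24 bytes.
    if not re.fullmatch(r"[0-9a-fA-F]{16}", challenge_hex):
        raise ValueError("MS-CHAPv2 challenge must be 16 hex digits")
    if not re.fullmatch(r"[0-9a-fA-F]{48}", nt_response_hex):
        raise ValueError("NT-Response must be 48 hex digits")

    domain, user = split_nt_name(user_name, default_domain)
    argv = [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        f"--username={user}",
        f"--challenge={challenge_hex}",
        f"--nt-response={nt_response_hex}",
        f"--domain={domain}",
    ]
    if required_sid:
        # Group restriction, as in the thread's --require-membership-of line.
        argv.append(f"--require-membership-of={required_sid}")
    return argv


if __name__ == "__main__":
    for name in SAMPLES:
        print(split_nt_name(name, "IMZ"))
    print(ntlm_auth_argv("IMZ\\jonathan", "e456e008c25a9ac7",
                         "28e9d997b30267a36af64a4fcb530cd6b08f1141c09bc580",
                         "IMZ", "S-1-5-21-3816208617-2573269785-2633524980-1134"))
```

The length checks matter in practice: when the `%{mschap:Challenge:-00}` fallback fires because the MS-CHAP attributes are missing, the literal `00` would otherwise be handed to ntlm_auth and produce a confusing logon failure rather than a clear configuration error.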
RE: PEAP-MSCHAPv2 against AD
> > Login incorrect: [IMZ\\jonathan/no User-Password attribute] (from
>
> Do you have:
>
> realm IMZ {
>         type = radius
>         authhost = LOCAL
>         accthost = LOCAL
> }
>
> in your proxy.conf file?

You don't need the realm (I already tried that one and that didn't work)
RE: Authentication against Active Directory page
Indeed, in my own tests I had to set up a Kerberos realm and recompile the standard Debian packages with the extra --with-ads rule.

Does somebody know when machine authentication is supported in Samba and if there is a patch for the 3.0.14 (Debian stable) version?

Kind Regards,

J.

--
Jonathan De Graeve
Network/System Engineer
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of King, Michael
Sent: Saturday 23 September 2006 4:47
To: FreeRadius users mailing list
Subject: RE: Authentication against Active Directory page

> Alan,
>
> What domain were you testing against? 2000 or 2003?
>
> (I ask, because I was under the impression that KRB5 had to be set up as well)
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Friday, September 22, 2006 3:26 PM
> To: FreeRadius users mailing list
> Subject: Authentication against Active Directory page
>
> > http://deployingradius.com/documents/configuration/active_directory.html
> >
> > It describes a minimal set of steps to take to get authentication working against Active Directory. It works in my limited tests, but if anyone runs into problems, please email me, and I'll update the page.
> >
> > Alan DeKok.
> > --
> > http://deployingradius.com - The web site of the book
> > http://deployingradius.com/blog/ - The blog
Freeradius 1.1.3 not forking child processes
Hello,

I just installed 1.1.3 on my system and it doesn't fork the 5 freeradius processes (start_servers = 5). No errors in radius.log and of course debugging mode doesn't help because that only starts a single process.

Built from scratch on a Debian Sarge system with adapted configure rules:

./configure \
        $(confflags) \
        --config-cache \
        --prefix=/usr \
        --exec-prefix=/usr \
        --mandir=$(mandir) \
        --sysconfdir=/etc \
        --libdir=$(libdir) \
        --datadir=/usr/share \
        --localstatedir=/var \
        --with-raddbdir=$(raddbdir) \
        --with-logdir=/var/log/$(package) \
        --with-system-libtool --disable-ltdl-install \
        --with-large-files --with-udpfromto --with-edir \
        --with-snmp \
        --enable-strict-dependencies \
        --enable-developer \
        --with-rlm-perl-lib-dir=/usr/lib/libperl.so \
        --with-experimental-modules \
        ${buildssl}

Kind Regards,

J.

--
Jonathan De Graeve
Network/System Engineer
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]
Locking realm access to a specific huntgroup
Hello,

I have different NASes and each type of NAS is grouped together in a huntgroup. I need to make an addition to my radius setup to proxy requests with a certain realm to a specified server. Proxying is already working, but I want to lock the users using that specific realm to a specific huntgroup so that it's only possible for them to log in on a predefined NAS group. I don't have access to the remote proxy server.

Using attr_filter isn't an option since this only filters replies.

Anyone knows how to do this?

Thx in advance and kind regards,

Jonathan
RE: Locking realm access to a specific huntgroup
> You could try to manually set the Proxy-To-Realm variable in the users file instead of using the realm module. For example, test with something like that:
>
> DEFAULT User-Name =~ @foo\.net$, Huntgroup-Name == bar, Proxy-To-Realm := foo.net

Ok, this is working :) (I tried the same with a wrong regexp)

> > Using attr_filter isn't an option since this only filters replies.
>
> The attr_filter module can be used in both pre-proxy and post-proxy sections.

Indeed, but if I understand it right, you can't distinguish between the 2 types? Furthermore, this only changes/filters attributes, while I needed to check the huntgroup on the local radius. Since the DEFAULT trick works, I'm happy :)

Thx a lot ;)

J.
RE: How to patch dialupadmin
From: Mordor Networks [mailto:[EMAIL PROTECTED]
Sent: Sunday 23 April 2006 5:39
To: Jonathan De Graeve
Subject:

> Hello
>
> can you tell me please how to use your patch with dialup admin? i mean how to patch it?
>
> thanks

Put the patch into the location where freeradius-dialupadmin is installed (or in the source dir of freeradius-1.0.5/) and go into that directory. Do:

patch -p0 < dialup_admin-1.0.5.diff

Only tested it against 1.0.5 so I don't know what happens on 1.0.5

--
Jonathan De Graeve
RE: Bugzilla account creation broken?
It's now been 12 hours since I requested a password for the bugzilla. I still didn't receive any email. Is there something wrong with it?

J.

-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Nicolas Baradakis
Sent: Saturday 22 April 2006 18:09
To: FreeRadius users mailing list
Subject: Re: Changes to dialupadmin

> Jonathan De Graeve wrote:
> > I want to publish my enhancements to dialupadmin to the freeradius devels. How can I do this?
>
> Please post your patches to the bugzilla.
> http://bugs.freeradius.org/
>
> --
> Nicolas Baradakis
Changes to dialupadmin
I want to publish my enhancements to dialupadmin to the freeradius devels. How can I do this?

J.
Patch adding Monthly volume statistics
This patch adds monthly volume statistics to the user_accounting.php3 page.

Patch against freeradius-1.0.5

[Attachment: dialupadmin.diff]
RE: Changes to dialupadmin
Latest version attached, hope you can add it to the bugzilla.

Thx

J.

-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Nicolas Baradakis
Sent: Saturday 22 April 2006 18:09
To: FreeRadius users mailing list
Subject: Re: Changes to dialupadmin

> Jonathan De Graeve wrote:
> > I want to publish my enhancements to dialupadmin to the freeradius devels. How can I do this?
>
> Please post your patches to the bugzilla.
> http://bugs.freeradius.org/
>
> --
> Nicolas Baradakis

[Attachment: dialup_admin.diff]
RE: Different user attributes based on NAS-IP-Address? Also Suffix wildcards available?
> The NAS-IP-Address can be used as a check item, just like anything else.
>
> DEFAULT NAS-IP-Address == 1.2.3.4
>         Reply-Message = Hello you guy from 1.2.3.4
>
> The same config can be applied to SQL.

But not with the current dialup_admin IIRC; you have to put it in manually, no?

J.

> Alan DeKok.
RE: Different user attributes based on NAS-IP-Address? Also Suffix wildcards available?
Uh, huntgroups?

J.

-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of John Mylchreest
Sent: Monday 27 March 2006 15:00
To: FreeRadius users mailing list
Subject: RE: Different user attributes based on NAS-IP-Address? Also Suffix wildcards available?

> Funnily enough, I asked the very same thing recently. We do it quite crudely at the moment, but it works. We add an nshortname field to radreply/anything else necessary, and in sql.conf we link it to the user reply. I.e. something like this would work:
>
> authorize_reply_query = SELECT radreply.id,UserName,Attribute,Value,Op FROM radreply, nas WHERE Username = '%{SQL-User-Name}' AND nas.ipaddr = '%{Client-IP-Address}' AND (radreply.nshortname = nas.shortname OR radreply.nshortname is NULL) ORDER BY id
>
> If you find any cleaner solution using the default schema, I would LOVE to hear about it, since that's the problem/task I'm currently facing.
>
> -----Original Message-----
> From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-[EMAIL PROTECTED] On Behalf Of Andy Coates
> Sent: 27 March 2006 13:35
> To: freeradius-users@lists.freeradius.org
> Subject: Different user attributes based on NAS-IP-Address? Also Suffix wildcards available?
>
> > Hey,
> >
> > Is this even possible? The basic problem is that I have 2 devices that will use the same username. For example, one device handles dialup, one handles DSL. I'd like the user to have the same username, and depending on the NAS sending the request the correct IP/Netmask would be returned.
> >
> > I've set up huntgroups for the NAS, and can match them in various setups in the users file - but this only seems like it would work for group based attributes (i.e. common fields). Returning unique fields for each user based on the NAS-IP-Address doesn't seem possible?
> >
> > That aside, does anyone know if it's possible to use wildcards with Suffix when stripping usernames? I've tried @* or @*.domain.com and it doesn't seem to match :(
> >
> > Thanks in advance,
> >
> > Andy.
RE: Network of NAS
It works with me

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
+32 15/50.52.98
[EMAIL PROTECTED]

- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of David Roze
Sent: Thursday 9 March 2006 13:36
To: FreeRadius users mailing list
Subject: Network of NAS

Hi everyone,

I have all my NAS in the same subnet and would like to add the whole range in the list of NAS, not every single IP. It seems it works when doing this in clients.conf, but not in the MySQL NAS table. Is this a bug or have I done something wrong?

clients.conf:

    client 10.230.0.0/24 {
        secret = secret
        shortname = test
    }

NAS table:

    id  nasname        shortname      type   ports  secret  community
    7   10.230.0.0/24  10.230.0.0/24  cisco  NULL   secret  NULL

Thanks
David
RE: Network of NAS
Using 1.0.5

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of David Roze
Sent: Thursday 9 March 2006 18:43
To: FreeRadius users mailing list
Subject: RE: Network of NAS

Are you using version 1.1.0? I used other versions before but never tried to put the list of NAS in the database.

Thanks
David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jonathan De Graeve
Sent: 09 March 2006 13:21
To: FreeRadius users mailing list
Subject: RE: Network of NAS

It works with me

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
+32 15/50.52.98
[EMAIL PROTECTED]

- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of David Roze
Sent: Thursday 9 March 2006 13:36
To: FreeRadius users mailing list
Subject: Network of NAS

Hi everyone,

I have all my NAS in the same subnet and would like to add the whole range in the list of NAS, not every single IP. It seems it works when doing this in clients.conf, but not in the MySQL NAS table. Is this a bug or have I done something wrong?

clients.conf:

    client 10.230.0.0/24 {
        secret = secret
        shortname = test
    }

NAS table:

    id  nasname        shortname      type   ports  secret  community
    7   10.230.0.0/24  10.230.0.0/24  cisco  NULL   secret  NULL

Thanks
David
RE: type of lvalue in VALUE_PAIR
-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Monday 27 February 2006 23:17
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: type of lvalue in VALUE_PAIR

Seferovic Edvin [EMAIL PROTECTED] wrote:
Okay - but I suppose I will have to patch my NAS (Poptop server) to use Acct-Input-GigaWords and Output- instead of Octets. Still, if I patch my NAS to send GigaWords, when I use sqlcounter to count the MBs I will still not be able to compare the check-name which is written into a uint32 variable. Shouldn't this be patched too (I am not a professional programmer - so excuse my silly question).

Yes, but that doesn't have much to do with RADIUS attributes. If your NAS doesn't send the Gigawords attributes, then why are you worried about people using more than 4G of traffic? Your NAS will never tell the server that the user had more than 4G of traffic.

The nice thingy about this is that most NASes just wrap around 2GB (2^31, signed int instead of 2^32, unsigned int)

Poptop server accepts Session-Octets-Limit for the traffic limit (actually it is ppp that is doing the limiting). So I've added this attribute to my dictionary. PPP also needs Octets-Direction so it can know which traffic flow to count. I've added both attributes and it is working (for 2^32).

Ah, OK.

Can you give me some directives on how to implement this? Maybe extend the config of sqlcounter and the value_pair struct?

I don't see how that will help if your NAS doesn't send the Gigaword attributes. If it does send them, then yes, you'll have to update the sqlcounter module to handle 64-bit numbers. But you don't need to update any of the valuepair structures.

You could do it by using a multiplicator, say using kbytes/mbytes instead of bits/bytes. That will save you the 64-bit numbering within sqlcounter. SQL can handle this with the builtin calculation functions

J.
RE: Adding Ascend-Data-Filter to MySQL
But when I add the same Ascend-Data-Filter information above into the MySQL database (radgroupcheck table), although it authenticates fine, I don't get Ascend-VSA-Data-Filter=\0x01\0x01\0x01 in the attribute dump. Below is what is added to the table:

    GroupName  Attribute           op  Value
    Dialup     Auth-Type           :=  LOCAL
    Dialup     Service-Type        =   Framed-User
    Dialup     Framed-Protocol     =   PPP
    Dialup     Framed-Compression  =   Van-Jacobsen-TCP-IP
    Dialup     Ascend-Data-Filter  +=  ip in forward tcp est
    Dialup     Ascend-Data-Filter  +=  ip in forward dstip a.b.c.0/20
    Dialup     Ascend-Data-Filter  +=  ip in forward tcp dstport = 25
    Dialup     Ascend-Data-Filter  +=  ip in forward

It should be in the radgroupreply table

J.
RE: $INCLUDE dictionary.fortinet is missed in dictionary in freeradius-1.1.0
Can you also include the changes for the bay dictionary which I sent 2 weeks ago?

Kind Regards,

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
+32 15/50.52.98
[EMAIL PROTECTED]

- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Tuesday 14 February 2006 1:19
To: FreeRadius users mailing list
Subject: Re: $INCLUDE dictionary.fortinet is missed in dictionary in freeradius-1.1.0

Richie Lee [EMAIL PROTECTED] wrote:
Could you please add the line to the dictionary file?

It should be in 1.1.1.

Alan DeKok.
RE: multiple huntgroup, same NAS-IP
regexps huh!! care to post an example please? Thanks,

    =~ ^(huntgroup1|huntgroup2)$

Kind Regards
Jonathan
RE: multiple huntgroup, same NAS-IP
-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Agent Smith
Sent: Saturday 11 February 2006 18:08
To: FreeRadius users mailing list
Subject: Re: multiple huntgroup, same NAS-IP

I have 100s of users but here is an example.

goal:
user u1: has access from NAS-IP 192.168.50.5
user u2: has access from NAS-IP 192.168.5 and 6

currently I have huntgroup definitions such as,

    hu1 NAS-IP-Address 192.168.50.5
    hu2 NAS-IP-Address 192.168.50.6

Then in the users file, (sorry if the syntax is not exactly correct here)

    u1 Auth-by: Local, huntgroup: hu1
    u2 Auth-by: Local, huntgroup: hu2
    #then also,
    u1 Auth-by: Local, huntgroup: hu2

Using regexp you can match both, that's how I do it
RE: multiple huntgroup, same NAS-IP
Is it possible for the same NAS-IP to be in multiple huntgroups? I'm not sure.

No, it will match the first huntgroup it reaches in the huntgroups file. I tried that too.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]
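The first-match and anchoring behaviour discussed in the three "multiple huntgroup, same NAS-IP" posts above, as an added example that is not part of the list thread or of FreeRADIUS itself: a small model of how a huntgroups file is resolved and how a `Huntgroup-Name =~` check item is evaluated. The huntgroup entries, NAS addresses and user names are constructed.

```python
import re

# Constructed huntgroups file, in the order an admin wrote it.
# A NAS appearing in two entries only ever resolves to the first one.
HUNTGROUPS = [
    ("hu1",  "NAS-IP-Address", "192.168.50.5"),
    ("hu2",  "NAS-IP-Address", "192.168.50.6"),
    ("hu2",  "NAS-IP-Address", "192.168.50.5"),   # never reached: hu1 wins above
    ("hu10", "NAS-IP-Address", "192.168.50.10"),
]

# Constructed users-file check items: (User-Name, Huntgroup-Name regex).
USERS = [
    ("u1", r"^hu1$"),
    ("u2", r"^(hu1|hu2)$"),       # one entry covering both NASes, as in the thread
    ("u3", r"hu1|hu2"),           # unanchored: the mistake the anchors prevent
]


def huntgroup_name(request, huntgroups=HUNTGROUPS):
    """Resolve Huntgroup-Name the way the huntgroups file is read: first match wins."""
    for name, attr, value in huntgroups:
        if request.get(attr) == value:
            return name
    return None


def huntgroup_check(request, pattern, huntgroups=HUNTGROUPS):
    """Evaluate the check item  Huntgroup-Name =~ pattern  for one request.

    The pattern is matched with search semantics (as POSIX regexec does),
    so an unanchored pattern matches anywhere inside the huntgroup name.
    """
    name = huntgroup_name(request, huntgroups)
    return name is not None and re.search(pattern, name) is not None


def authorize(username, request, users=USERS):
    """True if a users-file entry for this user matches the request."""
    return any(name == username and huntgroup_check(request, pattern)
               for name, pattern in users)


def demo():
    nas5 = {"NAS-IP-Address": "192.168.50.5"}
    nas10 = {"NAS-IP-Address": "192.168.50.10"}
    return {
        "nas5_group": huntgroup_name(nas5),        # "hu1", never "hu2"
        "u2_from_nas5": authorize("u2", nas5),     # True via the alternation
        "u2_from_nas10": authorize("u2", nas10),   # False: anchors exclude "hu10"
        "u3_from_nas10": authorize("u3", nas10),   # True: "hu10" contains "hu1"
    }


if __name__ == "__main__":
    print(demo())
```

The unanchored u3 entry is the one to look for when a user unexpectedly gets access from a NAS outside their intended huntgroup.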
Dictionary updates: Bay/Nortel
The file is a changed 1.0.5 dictionary file; I looked at CVS and it seems that it isn't changed in 1.1.0.

This dictionary file adds support for the RADIUS attributes/values needed to log in on the Nortel Passport 8000 series switches with RADIUS authentication/accounting enabled. Tested and working on all current PP 3.5.x.x, 3.7.x.x and 4.x.x.x versions.

I hope you can add this one also to the CVS

Kind Regards,

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
+32 15/50.52.98
[EMAIL PROTECTED]

- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

Attachments: dictionary.bay, dictionary.bay.diff
RE: User groups, HELP!!!
Use SQL groups based on huntgroups

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vadimv82 (sent by Nabble.com)
Sent: Monday 30 January 2006 11:34
To: freeradius-users@lists.freeradius.org
Subject: User groups, HELP!!!

Hello. I run FreeRadius with MySQL. And need help with authentication groups.

Imagine I have many WiFi hot spots, each with its own NAS and IP. Any user can register and get a password and login, but he can only get access through the certain NAS where he registered; if he goes to another spot he can't login there with it. So I have to create access groups by NAS IP on the Radius server, how do I do that?

I tried to use huntgroups, but I don't really understand how they work. And I can't put every user into the 'users' conf, because then every time somebody registers I need to restart the Radius server so it would reload the 'users' conf.

How can I do that? I need to create a group once for each Hot Spot, and then when a user registers for access he automatically gets a certain group status, and when he tries to login, the radius server checks his NAS IP and his group; if they match, the NAS gives him access to the internet.

Thank you for your help.
Vadim.
RE: Restricting access to a NAS
I'm doing this with huntgroups

J.

-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Lewis Bergman
Sent: Tuesday 24 January 2006 18:01
To: FreeRadius users mailing list
Subject: Re: Restricting access to a NAS

Laker Netman wrote:
I have a Cisco 3660 router configured for dialup AAA through FR (1.0.5) to access our LAN. I also have the login to the router itself, for admin, authenticating through FR (MySQL backend). The same DB is used for all auth, so currently anyone with a dialup account could also telnet into the router. This leaves only my 'enable' password to prevent problems.

I want to configure FR to eliminate this ability for all but a select group of users (admins). There are other devices I would like to add to the list later. I've been looking at huntgroups as the solution, but was unsure how (or if) this could be handled via sql rather than the users file. Is anyone doing this and could provide a sample config layout?

I am not currently doing this but plan to tackle it by using something like a realm of admin when I do get to it. So a user needing admin privs would have to log in like [EMAIL PROTECTED] to get access.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
RE: rlm_sqlcounter and something else than Session-Timeout
So if they're under the limit at the start of the session, they can go over during the session, and no one will notice.

This has NOTHING to do with changing the limits during a session. The problem I think most people (and also me) now have appears when you have max-octet limits. If a user exceeded his monthly usage, he can't login anymore until the next month starts. But if he didn't, the remainder is returned as Session-Timeout. The problem with this is that all NASes take this value as 'seconds' instead of octets, which will logout a user. Let's say if he got 4GB as remainder, the system will logout the user in 4s (which isn't the behaviour we want of course).

That's the reason (IMHO) most people want the possibility to set the reply attribute.

J.
RE: Two routers using the same Radius server?
Client IP address in combination with huntgroups if you work with a MySQL db and usergroups

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Tunnell
Sent: Wednesday 14 December 2005 1:59
To: FreeRadius users mailing list
Subject: Re: Two routers using the same Radius server?

Nice! That gets me almost all the way there. I'm able to authenticate using Auth-Type := Local. Now I just need to figure out how to authenticate that type of user name ([EMAIL PROTECTED]) using Auth-Type := System. Any ideas how to go about that?

Thanks,
Mark

Lewis Bergman wrote:
Mark Tunnell wrote:
Suppose I have two Cisco routers both configured to authenticate to the same radius server. How do I allow a particular user access to one router but not the other? Is there a place in the clients.conf or users file to configure this?

Oh yea, Alan gave me a trick with the hints file that adds a realm to a client if one is not present that could also help.

    DEFAULT User-Name !~ .*@, NAS-IP-Address == ip of client
            User-Name := [EMAIL PROTECTED]
RE: Fall-through and different NAS IP Settings
I'm just asking this for my understanding: am I still going to want to use Client-IP-Address even though, from what I can see here, the NAS-IP-Address attribute is appearing within the output of debugging?

I would suggest using Client-IP-Address, unless you know that the NAS will always send that attribute with that value. As for why it doesn't match, I'm not sure. Try editing the users file entry to see if you can narrow down the problem.

How do you explain this then? I have a NAS that DOESN'T send the NAS-IP-Address attribute to the radius server (only NAS-Identifier) but all my huntgroups based on NAS-IP-Address work without any problem... Is this then somewhere in the code?

    if (!NAS-IP-Address && Client-IP-Address)
        NAS-IP-Address = Client-IP-Address

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]
RADIUS Mac Authentication
I'm looking for a document that describes in detail the working of RADIUS MAC Authentication (which attributes are sent in the Access-Request, which values should be in there etc). This is because I'm going to write code to allow RADIUS MAC Authentication in our NAS.

Thx in advance

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]
RE: SQL Mac-Authentication based on Call-Check
If I understand this correctly I could have 3 ways to do RADIUS MAC Authentication:

1) (enterasys seems to do it like this) Username == mac, password == default password set in the NAS, which matches the pass in the 'radcheck' table but is different from the NAS secret
2) (like it seems most vendors are doing it): Username == mac, password == nas-secret (but this also needs username(mac)/password(nas-secret) pairs in the 'radcheck' table)
3) Calling-Station-Id == mac, username == mac, password == NULL, Service-Type == Call Check (10) and Auth-Type := Accept

My questions:
a) could I have a security problem with 2 or 3?
b) any suggestions to choose between 1, 2 or 3, or 'just choose whatever works'?

Kind Regards,

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius-[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday 23 November 2005 19:33
To: FreeRadius users mailing list
Subject: Re: SQL Mac-Authentication based on Call-Check

florian broder [EMAIL PROTECTED] wrote:
The only thing I'm currently unaware of is where I can tell freeradius to use Call-Check together with mysql, I think it's somewhere in sql.conf?

No, it's also in the radcheck table.

Only thing that needs to be done IMO is to tell radius that there is no username and authentication needs to be done on a caller-id basis.

In radcheck, also set Auth-Type := Accept if the MAC Call-Check matches.

Alan DeKok.
RE: Freeradius vs. ActiveDirectory
What about the password? I thought this was a kerberos one and didn't reside in the LDAP itself?

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Völker, Christian
Sent: Monday 14 November 2005 11:22
To: freeradius-users@lists.freeradius.org
Subject: Freeradius vs. ActiveDirectory

Yohoo! Yes! I did it! ;)

My freeradius (1.0.1-1.RHEL3) authenticates against our ActiveDirectory (on 2003 Server). Without ntlm_auth! Below I have added a short summary of how I realized it here.

But now I have a question and I can't solve it for myself. I want to retrieve some group information from AD. In a user's account I find several memberOf values, each the DN of a group the user belongs to. Now I want to give access via freeradius only to some special groups. I have figured out that there are these parameters: groupname_attribute, groupmembership_filter and groupmembership_attribute, combined with some entries in the users file. I've read doc/rlm_ldap, but I didn't find any deeper hints or explanation.

Questions:
1. Where can I find some docs about the %{...} values in groupmembership_filter? Which one should I use in combination with my AD?
2. Which value should I use then in the users file?
3. Is there anyone who can give a little help in further authenticating with groups?

--- short summary how to authenticate vs. ActiveDirectory ---

/etc/raddb/radiusd.conf

    [...]
    ldap {
        # server name of an AD server running Win2003 Server
        server = adsrv.qsc.de
        # the user account for querying AD (anonymous query is disabled)
        identity = cn=man,ou=ServiceAdmins,dc=qsc,dc=de
        # the password for the query user
        password = 'xx'
        # base DN for user search; all our users are in ou=employees.
        # Without this ou=..., no user will be found. I don't understand why
        basedn = ou=employees,dc=qsc,dc=de
        # I've copied the string below, because I didn't understand the meaning of the %{...}
        filter = (sAMAccountname=%{Stripped-User-Name:-%{User-Name}})
        # I had to increase the timeouts
        timeout = 40
        timelimit = 30
        net_timeout = 10
    }

The users file was left at the default, no changes.

I hope I could help some people trying to use AD for radius. And I hope someone will help me with my user problem.

Greets
Christian
RE: possible bug in rlm_preprocess parsing of huntgroups?
This time it DID match on the proper huntgroup. Radiusd debugging confirms this, but for the sake of brevity I omitted it here. This email is already long enough.

Is this a bug or am I clearly doing something wrong? This behavior is not seen in freeradius-0.9.3. It seems to surface after 1.x. Prior to 1.x, users file huntgroup matching happens perfectly regardless of order and quantity of huntgroups.

Any ideas? Thanks in advance!

There's nothing wrong with Freeradius. The code is: first matched, first served. The order in which you set up huntgroups is important, that's all. So you always need to specify the exceptions first and later on the default stuff

J.
RE: sqlcounter and session-timeout
I am trying to use sqlcounter to count octets and am having the same problem. It seems that the sqlcounter module was designed to handle the amount of time a user is allowed online and as such is hardcoded to return the Session-Timeout value according to the sql query.

how can i override the value of session-timeout, let's say for 10 minutes (i don't care if a user can stay connected until 0:10)?? I put a separate entry in the radcheckgroup table with the session-timeout value but freeradius seems to always return the lower of the two values... again presumably to limit online usage.

Anyway let me know if you find a way... I am going to see if I can make sense of rlm_sqlcounter.c with my limited c knowledge :-)

I have the same problem and handle this by configuring my NAS to discard the session timeout.

It would be nice if you could have a config parameter for whether the system should return session-timeout for the specific sqlcounter or return it as another 'defined by admin' radius attribute (for octets in the case of Nomadix, let's say: Nomadix-MaxBytesDown/Nomadix-MaxBytesUp)

J.
RE: Freeradius for securing wlan in big installation
It's possible with SSL-VPN

Just use your SSL-VPN appliance as the captive-portal page (with help from a router)

In this way, clients with different OSes can login (you always need authentication) and have an SSL-VPN where all traffic goes over

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius-[EMAIL PROTECTED]] On Behalf Of Josh Howlett
Sent: Friday 11 November 2005 14:18
To: FreeRadius users mailing list; [EMAIL PROTECTED]
Subject: Re: Freeradius for securing wlan in big installation

Hi Thomas,

What you're asking for is not possible, with any combination of existing technologies.

Drop the web portal, and use an 802.1X supplicant. FreeRADIUS does this well :-)

best regards, josh.

Thomas Widhalm wrote:
Hi everyone!

I'm searching for a way to secure our wireless LAN with encryption, but we don't want any sort of authentication. This is because we have another way of authenticating our users (a webportal they have to log in to before getting access to the wlan).

What we want is an encrypted wlan without our helpdesk installing software or passing keys to our users. They are using all kinds of OSs.

Can freeradius actually provide us with that or do we have to search for another solution? Sorry if the answer is obvious, but we are running out of time and so I got to ask around a lot.

Thanks and regards,
Thomas Widhalm
RE: 802.1x
Chillispot certainly does! M0n0wall almost ;) Don't know about nocat

J.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex M
Sent: Wednesday 2 November 2005 19:19
To: 'FreeRadius users mailing list'
Subject: RE: 802.1x

Ok, will call Dlink to see if they have something (the hotspot itself has that functionality internally though)

Also do you know if open sources such as NoCAT and ChillBox support such features?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Reilly
Sent: Wednesday, November 02, 2005 1:08 PM
To: FreeRadius users mailing list
Subject: RE: 802.1x

AV = ATTRIBUTE VALUE ?

D-Link what? D-Link makes lots of stuff... generally great price... but not the most feature rich products. To get the features you desire you'll likely need a higher-end box. I'm not a big proponent of pitching specific products in this forum. Suffice it to say there are vendors that will (or attempt to) provide CoS / filtering on Wireless...

jmr

Original Message
Subject: RE: 802.1x
From: Alex M [EMAIL PROTECTED]
Date: Wed, November 02, 2005 10:04 am
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org

Ok I got it

By the way what is AV pair? And how do you get NAS related attributes to control bandwidth from vendors? Like if I'm using D-Link how could I get attributes from them?

Thanks!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Reilly
Sent: Wednesday, November 02, 2005 11:53 AM
To: FreeRadius users mailing list
Subject: RE: 802.1x

Alex,

Features such as 'bandwidth and port blocking (if any) are allocated/configured on the _NAS_ (in this case a NAS port) via AV pair/s provided by RADIUS... the '802.1x Supplicant (Client/Endpoint) in simple terms... provides a secure/standard conduit which facilitates the communication of credentials (from the Supplicant to the Authenticator). The '802.1x Authenticator (or NAS) _MAY_ provision/enforce Authorization for the specific endpoint in the context of a user or group...

The management granularity of this functionality varies greatly by switch vendor; as a result, providing this functionality across a multi-vendor environment... in a large scale deployment... is often too complex to seriously consider.

jmr

Original Message
Subject: RE: 802.1x
From: Alex M [EMAIL PROTECTED]
Date: Wed, November 02, 2005 9:10 am
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org

Now I'm totally lost... Can you give me an example of what 802.1x does?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday, November 02, 2005 11:04 AM
To: FreeRadius users mailing list
Subject: Re: 802.1x

Alex M [EMAIL PROTECTED] wrote:
So then such features as bandwidth and port blocking could be controlled via 802.1x?

No.

Alan DeKok.
RE: SUSPENSION OF ACCOUNT
I don't think it's possible with the module sqlcounter. You have to change the value of the attribute Expiration when the account is renewed.

It's possible with Expiration AND/OR Sqlcounter

J.
RE: adding a stop packet
I use automatic timestamps on update/default and run a script every minute to check if there are some records which haven't been updated for 15 minutes or more

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Markstaller
Sent: Tuesday 25 October 2005 20:58
To: FreeRadius users mailing list
Subject: RE: adding a stop packet

I'm running something like this from crontab:

    UPDATE radacct
       SET AcctStopTime = FROM_UNIXTIME(unix_timestamp(AcctStartTime) + AcctSessionTime),
           AcctTerminateCause = 'NoStopRecv',
           AcctStopDelay = (unix_timestamp(now()) - (unix_timestamp(AcctStartTime) + AcctSessionTime)),
           AcctSessionTime = AcctSessionTime + 300
     WHERE AcctStopTime = ''
       AND (unix_timestamp(now()) - (unix_timestamp(AcctStartTime) + AcctSessionTime)) > 3660
       AND AcctSessionTime > 0;

    UPDATE radacct
       SET AcctStopTime = AcctStartTime,
           AcctTerminateCause = 'NoStop-AliveRecv',
           AcctStopDelay = (unix_timestamp(now()) - unix_timestamp(AcctStartTime))
     WHERE AcctStopTime = ''
       AND AcctSessionTime = 0
       AND (unix_timestamp(now()) - unix_timestamp(AcctStartTime)) > 86400;

    /* Purge failed attempts */
    DELETE FROM radacct
     WHERE AcctStopTime > 0
       AND AcctSessionTime = 0
       AND AcctStopTime <= DATE_SUB(CURDATE(), INTERVAL 7 DAY);

Michael

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck
Sent: Tuesday, October 25, 2005 8:30 PM
To: freeradius-users@lists.freeradius.org
Subject: adding a stop packet

We are using freeradius with mysql. Is there some kind of script to easily add a fake stop date/time to a user when one gets missed? Currently I am looking them up in the accounting table and manually editing the entry. Would like to find something that just takes username as input and creates a stop based on current date/time.

We don't use the accounting for anything other than getting usage reports, so if a few users are incorrect, no matter. This happens frequently (several times a week) that we don't get stop packets from our upstream. Then when users attempt a login, the simultaneous use check item kicks in and denies them. They claim there is nothing they can do about it.

--
Chuck
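The cron cleanup above, as an added example that is not Michael's or FreeRADIUS's code: the same two closing rules and the online-session view that Simultaneous-Use depends on, run against a constructed in-memory sqlite3 radacct table so it executes stand-alone. It assumes epoch integers in place of MySQL datetimes (so unix_timestamp/FROM_UNIXTIME/DATE_SUB become plain arithmetic) and that the 300-second credit stands for one interim-update interval.

```python
import sqlite3

STALE_AFTER = 3660      # seconds past start+session time with no Stop packet
NO_ALIVE_AFTER = 86400  # seconds since start with no interim update at all
ALIVE_INTERVAL = 300    # assumed Acct-Interim-Interval, credited once on close


def open_radacct(rows):
    """Build an in-memory radacct table from constructed (user, start, session) rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct ("
        " RadAcctId INTEGER PRIMARY KEY, UserName TEXT, AcctStartTime INTEGER,"
        " AcctStopTime INTEGER, AcctSessionTime INTEGER,"
        " AcctTerminateCause TEXT, AcctStopDelay INTEGER)"
    )
    db.executemany(
        "INSERT INTO radacct (UserName, AcctStartTime, AcctSessionTime)"
        " VALUES (?, ?, ?)",
        rows,
    )
    return db


def close_stale_sessions(db, now):
    """Synthesise Stop records; returns (closed_no_stop, closed_no_alive)."""
    # Rule 1: the NAS sent interim updates (AcctSessionTime > 0) but has been
    # silent for more than STALE_AFTER seconds: assume the session ended one
    # interim interval after the last update we saw.  SET expressions see the
    # pre-update column values, so AcctStopDelay uses the old session time.
    cur = db.execute(
        "UPDATE radacct SET"
        " AcctStopTime = AcctStartTime + AcctSessionTime,"
        " AcctTerminateCause = 'NoStopRecv',"
        " AcctStopDelay = ? - (AcctStartTime + AcctSessionTime),"
        " AcctSessionTime = AcctSessionTime + ?"
        " WHERE AcctStopTime IS NULL AND AcctSessionTime > 0"
        "   AND ? - (AcctStartTime + AcctSessionTime) > ?",
        (now, ALIVE_INTERVAL, now, STALE_AFTER),
    )
    no_stop = cur.rowcount
    # Rule 2: never any update at all and more than a day old: close it with
    # zero duration so it no longer counts as online.
    cur = db.execute(
        "UPDATE radacct SET"
        " AcctStopTime = AcctStartTime,"
        " AcctTerminateCause = 'NoStop-AliveRecv',"
        " AcctStopDelay = ? - AcctStartTime"
        " WHERE AcctStopTime IS NULL AND AcctSessionTime = 0"
        "   AND ? - AcctStartTime > ?",
        (now, now, NO_ALIVE_AFTER),
    )
    no_alive = cur.rowcount
    db.commit()
    return no_stop, no_alive


def online_users(db):
    """Usernames still open in radacct, i.e. what a Simultaneous-Use check sees."""
    return [r[0] for r in db.execute(
        "SELECT UserName FROM radacct WHERE AcctStopTime IS NULL ORDER BY RadAcctId")]


def demo(now=1_130_000_000):
    # Constructed sample: (UserName, AcctStartTime, AcctSessionTime)
    db = open_radacct([
        ("alice", now - 7200, 3000),   # last update 4200 s ago -> NoStopRecv
        ("bob",   now - 3000, 2700),   # last update 300 s ago -> still online
        ("carol", now - 90000, 0),     # no update in 25 h -> NoStop-AliveRecv
        ("dave",  now - 600, 0),       # fresh start, no update yet -> keep
    ])
    closed = close_stale_sessions(db, now)
    return closed, online_users(db)


if __name__ == "__main__":
    print(demo())
```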
RE: Counter reset
Yes there's a 4GB limit in the counter

You have to use smaller values (change your sql query to divide all values by a given value)

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andreas Korber
Sent: Thursday 13 October 2005 9:37
To: freeradius-users@lists.freeradius.org
Subject: Counter reset

Hi,

I'm running freeradius 1.0.4 with mysql chilli. Most of it works well :-) But I have some users which won't log out. And now comes the problem: if a user has something like 4GB traffic up or download in one session, his traffic gets lost and the counter resets. I'm not sure, but is there a buffer which overflows? Or something like this??

Thanks
RE: Counter reset
In your SQL query

J.
-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andreas Korber
Sent: Thursday 13 October 2005 16:51
To: 'FreeRadius users mailing list'
Subject: AW: Counter reset

Ok, now I understand. Thanks. One more question. Where to set the octets value for recalculation?

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan De Graeve
Sent: Thursday, 13 October 2005 15:22
To: FreeRadius users mailing list
Subject: RE: Counter reset

Octet values are in bytes. So just calculate what it would be in MB or in GB. I recalculate the value to be in MB, so I force the max octets to something like 1024MB for 1GB. Divide your end result by 1024*1024 or something.

J.
-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andreas Korber
Sent: Thursday 13 October 2005 15:13
To: 'FreeRadius users mailing list'
Subject: AW: Counter reset

Sorry. Which value? What query? Thanks for helping me, but I don't really understand.

andi

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan De Graeve
Sent: Thursday, 13 October 2005 11:59
To: FreeRadius users mailing list
Subject: RE: Counter reset

Yes, there's a 4GB limit in the counter. You have to use smaller values (change your SQL query to divide all values by a given value).

J.
-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andreas Korber
Sent: Thursday 13 October 2005 9:37
To: freeradius-users@lists.freeradius.org
Subject: Counter reset
[...]
Value of Calling-station-id on ethernet
Is this value the MAC or the IP address on Ethernet networks? I need to know since I'm programming a RADIUS client.

J.
-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]
RE: Freeradius from inetd
Put it in your startup scripts?

J.
-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adharsh P
Sent: Monday 10 October 2005 7:58
To: Alan DeKok; freeradius-users@lists.freeradius.org
Subject: Re: Freeradius from inetd

Hello Alan,

Thanks. I am wondering, is there any other way that I can start radiusd automatically after every boot?

Thanks and regards,
adharsh

> I am trying to start radiusd from inetd.conf.

Don't. It won't work.

Alan DeKok.
RE: 802.1x client question
I'm using securew2 for that...

J.
-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam KOSA
Sent: Monday 10 October 2005 22:09
To: freeradius-users@lists.freeradius.org
Subject: 802.1x client question

Hi All,

This question may be off-topic, but the windows list I was asking could not help. I set up 802.1x wired authentication in an ethernet network, with all of the following: eap-tls, eap-md5, eap-peap, with freeradius. Everything is working great except one thing: 2k and xp are not able to cache the authentication info. With the certificate, the most I could achieve is that when logging on, the auth is automatic. But no network until I log on. This is not a radius problem, since the radius and the authentication process are working great. The reason I'm writing is maybe some of you have solved this problem and could help me please. How am I supposed to configure the client to remember the password? I'm open to any solution, even to forget eap-* and use something less secure.

Thanks
Adam
RE: RE: access for 24 hours after first login?
> how is the actual comparison of the calculated value in query done, does it mean that the value returned by query has to be smaller than the one referred to by check-name (in your example Max-Secs-Passed)?

It works quite simply: if ((Max-Secs-Passed - All-Secs-Passed) > 0) then allow access.

> what does the line sqlmod-inst = sql mean (in /usr/share/doc/freeradius/rlm_sqlcounter there is also the value sqlcc3, what does this do?)

These are the SQL instances defined in sql.conf.

> what about the following:
>     SELECT TO_DAYS(NOW()) - TO_DAYS(AcctStartTime) from radacct WHERE UserName = '%{%k}' LIMIT 1;

This query works but I don't use it because of the rounding it gives me...

> would this mean that a user can login until 23:59 after logged in the first time that day?

Yes, since it doesn't look at the hour/minutes/seconds...
RE: SQL Integration
> 1. Is it possible to get FreeRADIUS to log failed logins to the SQL database, as well as logging to another table that a successful login occurred?

Yes

> 2. Is it possible to populate the utmp / wtmp files into a database as well instead of a flat file?

Yes

> Thanks all in advance

No problem

J.
RE: Grab caller id and insert into radcheck how to
You should use: IF NOT EXISTS

-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shane Hart
Sent: Friday 7 October 2005 13:22
To: FreeRadius users mailing list
Subject: Grab caller id and insert into radcheck how to

Hi all,

I am attempting to add an additional attribute upon the first login for user accounts and I am a bit lost. The way I am testing this is with postauth query:

    postauth_query = "INSERT into ${authcheck_table} (id, UserName, Attribute, op, value) values('', '%{SQL-User-Name}', 'Calling-Station-Id', '==', '%{Calling-Station-Id}')"

This works great but it adds a new record every time the user successfully authenticates. Not a problem really, but there are also users I don't need to lock to a caller id. I tried using postauth_query = UPDATE in various ways but I just can't get my head around it. If I manually create an entry in radcheck for a user with the attribute Calling-Station-Id and a NULL value, then the user can't login, obviously.

Does anybody have any ideas how to have this attribute somehow dynamically created when the user first logs in if they are a member of a group, and ultimately not create it if the record already exists? Any ideas or pointers greatly appreciated.

Thanks
Shane
RE: access for 24 hours after first login?
This is how I do this. Use the SQLcounter module.

Put this in sqlcounter.conf (expecting that sqlcounter is already configured in radiusd.conf):

    sqlcounter validity {
            counter-name = All-Secs-Passed
            check-name = Max-Secs-Passed
            sqlmod-inst = sql
            key = User-Name
            reset = never
            query = "SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) secs_passed_since_start FROM radacct WHERE UserName = '%{%k}' LIMIT 1"
    }

Create in the config dictionary file an attribute Max-Secs-Passed. For example:

    #ATTRIBUTE      My-Local-String         3000    string
    #ATTRIBUTE      My-Local-IPAddr         3001    ipaddr
    #ATTRIBUTE      My-Local-Integer        3002    integer
    ATTRIBUTE       Max-Secs-Passed         3000    integer

In radiusd.conf, authorize {} section, put this:

    validity

The Max-Secs-Passed var is defined in seconds. So if you want a user only to be able to log on in the first 24 hours after his first logon, Max-Secs-Passed should be set to 86400 (60 secs * 60 minutes * 24).

Hope this helps the question I think many people will have. You could use other check or counter names, it's just an example. You could also combine this with volume limits, max total session time etc...

Kind Regards
-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Krause
Sent: Thursday 6 October 2005 12:57
To: freeradius-users@lists.freeradius.org
Subject: Re: access for 24 hours after first login?

Quoting Alan DeKok [EMAIL PROTECTED]:

> Markus Krause [EMAIL PROTECTED] wrote:
> > i set up freeradius succesfully for authentification against pam and users file :-)
>
> Please don't use authentification. It's authentication.

sorry for my poor english, it's not my mother-tongue ...

> > now i want to enhance the functionality about the following feature: setting up several predefined (guest) accounts with a generated username and password. this account should be valid from the first time it is used (first login) for 24 hours (or even better until 23:59 that day).
>
> rlm_counter. Set it for 24 hours of access, and reset=never.

i read about this, but does this not mean that the user has an online time of 24 hours (or whatever i set in Max-All-Session-Time), so he can login until he has been active for 24 hours in sum?

thanks in advance for your help!
markus

> Alan DeKok.

--
Markus Krause, email: [EMAIL PROTECTED]
Computing Center, Tel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics, Fax.: 089 - 89 40 85 98
This message was sent using https://webmail.biochem.mpg.de. If you encounter any problems please report to [EMAIL PROTECTED]
RE: [m0n0wall] RE: access for 24 hours after first login?
And here the query in case you don't like seconds ;)

    SELECT HOUR(SEC_TO_TIME(UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime))) FROM radacct WHERE UserName = '%{%k}' LIMIT 1;

Then All-Secs-Passed/Max-Secs-Passed should be All-Hours-Passed/Max-Hours-Passed, and Max-Hours-Passed specified in hours instead of seconds.

Also note this is for MySQL. Don't know if it also works on Oracle and Postgres.

-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]

-Original Message-
From: Jonathan De Graeve [mailto:[EMAIL PROTECTED]
Sent: Thursday 6 October 2005 15:51
To: FreeRadius users mailing list
CC: [EMAIL PROTECTED]
Subject: [m0n0wall] RE: access for 24 hours after first login?
[...]
RE: RE: access for 24 hours after first login?
> It doesn't work on postgresql v7.4.6 that I tried it on.. however, I used
>     SELECT now() - AcctStartTime FROM radacct WHERE UserName = '%{%k}' LIMIT 1;

Be careful with this!

    SELECT now() - AcctStartTime Secs FROM radacct WHERE UserName = '%{%k}' LIMIT 1;

gives for example with username 'test':

    +-----------+
    | Secs      |
    +-----------+
    | 684042112 |
    +-----------+

Recalculated in days: 7917,1540740740740740740740740741 days.

This is NOT the same as:

    SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) Secs FROM radacct WHERE UserName = '%{%k}' LIMIT 1

which gives for example with username 'test':

    +----------+
    | Secs     |
    +----------+
    | 17119330 |
    +----------+

Recalculated in days: 198,14039351851851851851851851852. 198 days is the correct calculation...

So as you can see, it isn't the same, at least in MySQL; don't know with other databases. So before you begin: think, try and check your things.

J.
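The arithmetic behind the validity counter above (seconds, the HOUR() variant and the TO_DAYS() variant) and the numeric-DATETIME pitfall in this message, as an added example that is not from the list posts. It assumes the user's "first login" is the radacct row with the smallest AcctStartTime (the posted query relies on LIMIT 1 without ORDER BY, which does not guarantee that), that MySQL evaluates a DATETIME in numeric context as the number YYYYMMDDHHMMSS, and uses constructed rows and a fixed clock.

```python
"""sqlcounter 'validity' arithmetic, reproduced in Python.

Added example (not code from the list). Rows, users and the clock are
constructed; column names follow FreeRADIUS's radacct table.
"""
from datetime import datetime

# Constructed radacct rows: (UserName, AcctStartTime)
RADACCT = [
    ("guest01", datetime(2005, 10, 6, 9, 15, 0)),
    ("guest01", datetime(2005, 10, 6, 18, 40, 0)),   # second login: must not reset the clock
    ("guest02", datetime(2005, 10, 5, 23, 50, 0)),   # logged in just before midnight
]
NOW = datetime(2005, 10, 6, 23, 30, 0)               # constructed "current time"


def first_start(rows, user):
    """Earliest AcctStartTime for the user, or None if never seen.
    Assumption: 'first login' means MIN(AcctStartTime); the posted query's
    LIMIT 1 without ORDER BY returns an arbitrary row instead."""
    starts = [start for name, start in rows if name == user]
    return min(starts) if starts else None


def secs_passed(rows, user, now=NOW):
    """UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime): the All-Secs-Passed counter."""
    start = first_start(rows, user)
    return None if start is None else int((now - start).total_seconds())


def hours_passed(rows, user, now=NOW):
    """HOUR(SEC_TO_TIME(secs)): whole hours elapsed, the All-Hours-Passed variant.
    (MySQL TIME values cap at 838:59:59, so this only holds for about 35 days.)"""
    secs = secs_passed(rows, user, now)
    return None if secs is None else secs // 3600


def days_passed(rows, user, now=NOW):
    """TO_DAYS(NOW()) - TO_DAYS(AcctStartTime): calendar days, time of day ignored.
    This is the rounding that lets a user in until 23:59 of the day after first login."""
    start = first_start(rows, user)
    return None if start is None else (now.date() - start.date()).days


def validity_allows(counter, max_allowed):
    """rlm_sqlcounter's decision: access while Max-* minus the counter is positive.
    No accounting row yet (None) means a first login: allow it."""
    if counter is None:
        return True
    return max_allowed - counter > 0


def mysql_datetime_as_number(dt):
    """Assumed MySQL behaviour: a DATETIME used as a number becomes YYYYMMDDHHMMSS."""
    return int(dt.strftime("%Y%m%d%H%M%S"))


def naive_datetime_difference(rows, user, now=NOW):
    """now() - AcctStartTime written without UNIX_TIMESTAMP(): not a second count."""
    start = first_start(rows, user)
    return mysql_datetime_as_number(now) - mysql_datetime_as_number(start)


if __name__ == "__main__":
    for user in ("guest01", "guest02", "guest03"):
        print(user,
              "secs:", secs_passed(RADACCT, user),
              "hours:", hours_passed(RADACCT, user),
              "days:", days_passed(RADACCT, user),
              "24h ok:", validity_allows(secs_passed(RADACCT, user), 86400),
              "TO_DAYS ok:", validity_allows(days_passed(RADACCT, user), 1))
    print("naive guest01:", naive_datetime_difference(RADACCT, "guest01"))
```

guest02 shows the two behaviours diverging: 85200 seconds is still inside the 86400-second window, but the TO_DAYS variant already counts one day and refuses the login.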
RE: PID variable
pidof freeradius will also do.

-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Howlett
Sent: Wednesday 5 October 2005 11:21
To: FreeRadius users mailing list
Subject: Re: PID variable

    [EMAIL PROTECTED] ~]# cat /var/run/radiusd.pid
    10163

josh.

Abdul Lateef wrote:
> Hi all,
>
> How can I retrieve the current pid value of freeradius in a shell script? I want to create one shell script to run as a linux cron command, because our database is very slow and radius always crashes when it receives more than 1000 requests. So my script will check if radius has crashed and will start it automatically using cron. Does anyone have good logic to auto restart radius when it crashes?
>
> Yours,
> Abdul Lateef
> Computer Programmer, HATIF COM
> Mob: +974 - 5405022, Tel: +974 - 4883068, Fax: +974 - 4883063
> ICQ: 276994704, YM!: abdul_zu
> Doha Qatar, http://www.hatif.com
RE: Call-Check
From the site:

    RADIUS Debugging File
    FreeRADIUS server does not support preauthentication. There is no example for this case.

-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of King, Michael
Sent: Wednesday 5 October 2005 20:08
To: FreeRadius users mailing list
Subject: RE: Call-Check

I wonder if it's this one?
http://www.cisco.com/univercd/cc/td/doc/product/voice/sipproxy/radiusps/radpreau.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 05, 2005 2:01 PM
To: FreeRadius users mailing list
Subject: Re: Call-Check

Ivo [EMAIL PROTECTED] wrote:
> Can someone tell me is it possible to get freeradius respond to Service-Type==Call-Check requests?

I don't see why not.

> I have read on cisco's web pages that it is not possible.

Please post the URL.

> Namely, I would like to check for valid caller-id before answering the call and going on with username/password check.

Sure. It's just data in RADIUS packets.

Alan DeKok.
RE: installing problem on Debian
In the compile you have to manually specify which library to use. Run configure with this:

    --with-rlm-perl-lib-dir=/usr/lib/libperl.so

J.
-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexei Chetroi
Sent: Sunday 2 October 2005 13:21
To: FreeRadius users mailing list
Subject: Re: installing problem on Debian

On Sun, Oct 02, 2005 at 04:10:17AM +0200, Ciolo_-^DusT^-_WebMaster wrote:
> Date: Sun, 2 Oct 2005 04:10:17 +0200
> From: Ciolo_-^DusT^-_WebMaster [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: installing problem on Debian
>
>     *** Warning: Linking the shared library rlm_perl.la against the
>     *** static library /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a is not portable!
>     rm -fr .libs/rlm_perl.la .libs/rlm_perl.* .libs/rlm_perl-1.0.0-pre0.*
>     gcc -shared rlm_perl.lo -L/usr/local/lib /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a -L/usr/lib/perl/5.8/CORE -lperl -ldl -lm -lpthread -lc -lcrypt -lnsl -lresolv -lpthread -Wl,-E -Wl,-soname -Wl,rlm_perl-1.0.0-pre0.so -o .libs/rlm_perl-1.0.0-pre0.so
>     /usr/bin/ld: cannot find -lperl
>     collect2: ld returned 1 exit status
>     make[6]: *** [rlm_perl.la] Error 1
>     make[6]: Leaving directory

Do you have the libperl-dev package installed?

Best wishes
-- Alexei Chetroi
Smile... Tomorrow will be worse. (c) Murphy's Law
RE: Proxy of Accounting Requests
Can you also do this in SQL?

J.
-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Baradakis
Sent: Thursday 29 September 2005 13:55
To: FreeRadius users mailing list
Subject: Re: Proxy of Accounting Requests

Ashwin Gobind wrote:
> I want to proxy accounting requests originating from certain hosts to another server, how can I do this?

You could add something like this in file acct_users:

    DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1
    DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2

-- Nicolas Baradakis
RE: EAP-TLS reject if CN not in MySQL
In Doc:

    imply a group that changes the default ACTIONs to something like
        fail = 1
        everythingelse = return

Tried in config:

    everythingelse = return

    radiusd.conf[1637] Unknown module rcode 'everythingelse'.

Also tried:

    everything_else = return

    radiusd.conf[1637] Unknown module rcode 'everything_else'.

Any ideas?

-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Dowling
Sent: Tuesday 27 September 2005 22:42
To: FreeRadius users mailing list
Subject: Re: EAP-TLS reject if CN not in MySQL

Brilliant, that does the trick. Thanks a lot,

Ben

On Tue, 2005-09-27 at 16:05 -0400, Alan DeKok wrote:
> Ben Dowling [EMAIL PROTECTED] wrote:
> > Sorry I was referring to the username, the CN in the certificate gets sent as the username. My problem is how to reject users with valid certificates, but no entry in the database?
>
> doc/configurable_failover
>
> configure a module always reject (see radiusd.conf)
>
> In authorize, do:
>
>     ...
>     group {
>             sql {
>                     notfound = 1
>                     ok = return
>                     fail = return
>                     everything_else = return
>             }
>             reject
>     }
>
> That says if the user isn't found in SQL, reject
>
> Alan DeKok.
RE: Maximum size Input-Octets/Output-Octets
So is it 2147483648 or 2147483647?

J.
-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Fraser
Sent: Monday 26 September 2005 17:45
To: freeradius-users@lists.freeradius.org
Subject: RE: Maximum size Input-Octets/Output-Octets

On Fri, 2005-23-09 at 19:42 +0200, Jonathan De Graeve wrote:
> > What radacct are you talking about? The Acct-Input-Octets stops at 2G because the RFC dictates that it's a 32-bit integer. That's why the Acct-Input-Gigawords attribute was defined. It goes past 2G.
>
> I'm talking about the detail file from freeradius. This is what I found in RFC2869 5.1. Acct-Input-Gigawords:
>
>     Description
>         This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.
>
> So I assumed that the wrapping went @ 4GB instead of 2GB. From RFC2866:
>
>     Value
>         The Value field is four octets.
>
> Also:
>
>     integer   32 bit unsigned value, most significant octet first.
>
> So it's 32bit. (4GB right??) I will use 2147483647 for now. But I can't find the definition which says that it should be 2GB so I need to be sure.
>
> J.

What is right and what is in common use may be two different things. In my experience, some NAS vendors generate negative numbers when the Octet Value is greater than 2^31.

By the way a GigaWord is 2147483648 bytes since a Word = 2 Bytes and Giga = 1024*1024*1024 = 1073741824. It would therefore make sense to use a modulo of 2147483648 for the Octet value which holds the remainder of the full byte count.

Just in case you were wondering what a TeraQuad was after watching a Star Trek NG episode it is 4398046511104 Bytes. ;^)
RE: Maximum size Input-Octets/Output-Octets
2147483647 it is :)))

-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan De Graeve
Sent: Monday 26 September 2005 17:49
To: FreeRadius users mailing list
Subject: RE: Maximum size Input-Octets/Output-Octets

So is it 2147483648 or 2147483647?

J.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Fraser
Sent: Monday 26 September 2005 17:45
To: freeradius-users@lists.freeradius.org
Subject: RE: Maximum size Input-Octets/Output-Octets
[...]
Maximum size Input-Octets/Output-Octets
Is it 2^32 or (2^32 - 1)? I'm programming a RADIUS client and I'm at the gigawords stuff...

J.
-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -
RE: Maximum size Input-Octets/Output-Octets
Ok, I also have another question: Freeradius seems to use signed integers for the Acct-Input/Output-Octets:

    Fri Sep 23 16:59:03 2005
            Service-Type = Login-User
            User-Name = jonathan
            NAS-Identifier = hotspot-2.wlan.imz.be
            NAS-Port = 0
            NAS-Port-Type = Ethernet
            Acct-Status-Type = Alive
            Acct-Authentic = RADIUS
            Acct-Session-Id = 4bd8b325bdeafd2d
            Acct-Terminate-Cause = User-Request
            Acct-Session-Time = 1353
            Acct-Input-Octets = 46596288
            Acct-Input-Packets = 1163323
            Acct-Input-Gigawords = 0
            Acct-Output-Octets = 2147483647
            Acct-Output-Packets = 1787355
            Acct-Output-Gigawords = 0
            Called-Station-Id = 194.8.52.38
            Calling-Station-Id = 192.168.2.255
            Framed-IP-Address = 192.168.2.255
            NAS-IP-Address = 194.8.52.38
            Proxy-State = 0x3836
            Client-IP-Address = 194.8.52.85
            Acct-Unique-Session-Id = 925f85fa82a0afb0
            Timestamp = 1127487543

The source really sends unsigned 32bit. Any idea why radacct just stops @ 2GB?

I've implemented Gigawords as follows:

    function gigawords($bytes) {
        /* We use BCMath functions since normal integers don't work */
        /* The counter wraps around 2^32 (RFC 2869), so the divisor is 4294967296, not 2^32 - 1 */
        $gigawords = bcdiv(bcsub($bytes, remainder($bytes)), '4294967296');
        return $gigawords;
    }

    function remainder($bytes) {
        /* Calculate the remainder: what is left after the full wraps are taken out */
        $bytes = bcmod($bytes, '4294967296');
        return $bytes;
    }

-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday 23 September 2005 16:39
To: FreeRadius users mailing list
Subject: Re: Maximum size Input-Octets/Output-Octets

Jonathan De Graeve [EMAIL PROTECTED] wrote:
> Is it 2^32 or (2^32 - 1)

2^32 can't be represented in a 32-bit number. It has 33 bits of data...

Alan DeKok.
RE: Maximum size Input-Octets/Output-Octets
> What radacct are you talking about? The Acct-Input-Octets stops at 2G because the RFC dictates that it's a 32-bit integer. That's why the Acct-Input-Gigawords attribute was defined. It goes past 2G.

I'm talking about the detail file from freeradius. This is what I found in RFC2869 5.1. Acct-Input-Gigawords:

    Description
        This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.

So I assumed that the wrapping went @ 4GB instead of 2GB. From RFC2866:

    Value
        The Value field is four octets.

Also:

    integer   32 bit unsigned value, most significant octet first.

So it's 32bit. (4GB right??) I will use 2147483647 for now. But I can't find the definition which says that it should be 2GB so I need to be sure.

J.
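Reassembling a session's byte count from Acct-*-Octets and Acct-*-Gigawords as RFC 2869 defines them (Octets wraps around 2^32, Gigawords counts the wraps), with checks for the two anomalies this thread describes: a NAS that sends the low word as a signed value, and an Octets field pinned at 2147483647. This is an added example, not code from the list; the detail-file record is constructed in the style of the one posted above, with placeholder NAS names and addresses.

```python
"""Acct-Octets / Acct-Gigawords reassembly and sanity checks.

Added example (not from the list). GIGAWORD follows RFC 2869 ("wrapped
around 2^32"); the sample record and its identifiers are constructed.
"""
GIGAWORD = 1 << 32            # RFC 2869: the Octets counter wraps around 2^32
INT32_MAX = (1 << 31) - 1     # 2147483647, the pinned value seen in the thread

# Constructed detail-file record in FreeRADIUS's "Attribute = Value" layout.
SAMPLE_RECORD = """Fri Sep 23 16:59:03 2005
\tUser-Name = jonathan
\tNAS-Identifier = nas-1.example
\tAcct-Status-Type = Alive
\tAcct-Session-Id = 0123456789abcdef
\tAcct-Session-Time = 1353
\tAcct-Input-Octets = 46596288
\tAcct-Input-Gigawords = 0
\tAcct-Output-Octets = 2147483647
\tAcct-Output-Gigawords = 0
\tNAS-IP-Address = 192.0.2.10
\tTimestamp = 1127487543
"""


def parse_detail_record(text):
    """One detail-file record -> dict of attribute name to string value.
    The leading date line has no ' = ' and is skipped."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if " = " in line:
            name, value = line.split(" = ", 1)
            attrs[name] = value
    return attrs


def split_counters(total_bytes):
    """What a conforming NAS reports for total_bytes: (Octets, Gigawords)."""
    return total_bytes % GIGAWORD, total_bytes // GIGAWORD


def join_counters(octets, gigawords):
    """Reassemble the full count. A negative low word means the NAS treated
    the 32-bit field as signed (the behaviour Guy Fraser reports), so the
    value is taken modulo 2^32 before the gigawords are added back."""
    return gigawords * GIGAWORD + (octets % GIGAWORD)


def audit_record(attrs, direction):
    """Return (total_bytes, warnings) for direction 'Input' or 'Output'.
    Warnings flag counters that cannot be trusted for volume accounting."""
    octets = int(attrs.get(f"Acct-{direction}-Octets", 0))
    gigawords = int(attrs.get(f"Acct-{direction}-Gigawords", 0))
    warnings = []
    if octets < 0:
        warnings.append(f"{direction}: negative Octets, NAS sent a signed 32-bit value")
    if octets == INT32_MAX:
        warnings.append(f"{direction}: Octets pinned at 2^31-1, count is probably truncated")
    return join_counters(octets, gigawords), warnings


if __name__ == "__main__":
    record = parse_detail_record(SAMPLE_RECORD)
    for direction in ("Input", "Output"):
        total, warnings = audit_record(record, direction)
        print(direction, total, warnings)
    print(split_counters(5_000_000_000))      # (705032704, 1)
```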
RE: choosing userprofile by NAS
I'm looking for the same thing, but with an SQL backend instead of LDAP.

J.
-- Jonathan De Graeve, Network/System Administrator, Imelda vzw Informatica Dienst, 015/50.52.98, [EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Florian Prester
Sent: Thursday 22 September 2005 10:33
To: FreeRadius users mailing list
Subject: choosing userprofile by NAS

Hi,

how can I serve different information to the same user depending on the Huntgroup, having all information stored in an LDAP server? Meaning:

    userA logging in NAS_A: receives IP-A supplied by LDAP
    userA logging in NAS_B: receives IP-B supplied by LDAP

--
Dipl. Inf. Florian Prester, Network Administration
Regionales RechenZentrum Erlangen, Universitaet Erlangen-Nuernberg, Germany
Tel.: +499131 8527813
Weird huntgroup issue
Hello,

I have a weird huntgroup issue.

I have users in a group 'artsen' with HuntgroupName = == ^(vpn|ras)$
I have users in group 'stagiars' with HuntgroupName = == hotspot

On the radius system itself I can successfully authenticate users from group artsen but not from group stagiairs. But I can log in with a user from group stagiars from a NAS with IP 194.8.52.37

My NAS clients from SQL:

17 | localhost | localhost | other | 0 |...

Huntgroup file:

# VPN infrastructure
vpn      NAS-IP-Address == 10.2.254.1
vpn      NAS-IP-Address == 10.2.254.2
vpn      NAS-IP-Address == localhost
#
ras      NAS-IP-Address == 10.2.254.81
ras      NAS-IP-Address == 10.2.254.82
ras      NAS-IP-Address == localhost
#
hotspot  NAS-IP-Address == x.y.z.37
hotspot  NAS-IP-Address == x.y.z.38
hotspot  NAS-IP-Address == localhost

This comes in the logging when I do a check on the radius system itself with the following arguments:

radtest lvanhoey0 password localhost:1812 0 passwordhere

radius_xlat: 'lvanhoey0'
rlm_sql (sql): sql_set_user escaped user -- 'lvanhoey0'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'lvanhoey0' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'lvanhoey0' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'lvanhoey0' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'lvanhoey0' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user [lvanhoey0]
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module sql returns notfound for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module uploadlimit returns noop for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module volumelimit returns noop for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module prepaidcounter returns noop for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [lvanhoey0/jo0clni3] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---

And logging when logging in from the NAS IP address:

modcall: entering group authorize for request 12
modcall[authorize]: module preprocess returns ok for request 12
modcall[authorize]: module chap returns noop for request 12
modcall[authorize]: module mschap returns noop for request 12
modcall[authorize]: module digest returns noop for request 12
rlm_realm: No '@' in User-Name = lvanhoey0, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 12
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 12
radius_xlat: 'lvanhoey0'
rlm_sql (sql): sql_set_user escaped user -- 'lvanhoey0'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'lvanhoey0' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'lvanhoey0' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'lvanhoey0' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'lvanhoey0' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module sql returns ok for request 12
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module uploadlimit returns noop for request 12
rlm_sqlcounter: Entering module authorize code

Any ideas???

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]
- Always read the manual
RE: Nortel Networks Passport 8600 + Radius AAA
There were bugs in that release. Upgrade to 3.5.10.0

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Inci Gedik
Sent: Tuesday 20 September 2005 10:53
To: freeradius-users@lists.freeradius.org
Subject: Nortel Networks Passport 8600 + Radius AAA

Hi Everyone,

I have the same problem. Could someone send me the correct configuration: Radiusd.conf, users, clients.conf or, if it is necessary, dictionary files?

Thanks
Inci Gedik

> I am in the testing phase using Nortel 8600's (8010 is the chassis). No dictionary needed. I have had no problems, but I am also using 3.5 code. Maybe trying the current version of code might help. Just a thought.
>
> [EMAIL PROTECTED] 1/15/2004 9:01:32 AM
>
>> Hi
>> We have just bought a few Nortel Passport 8010, and I would like to use freeradius to authenticate the users that want to log on to configure these switches. I can see the Radius server is sending Access-Accept back to the switch, but I don't get any login prompt; it asks me again about the login name. Has someone got this to work or have any hints for me? I can't find any dictionary for Nortel, do I need that?
>>
>> users file:
>> jon   Auth-Type := local, User-Password == jon, Huntgroup-Name == pp8600
>>       Service-Type = Login-User,
>>       Fall-Through = NO
>>
>> debugging from radiusd -X:
>> modcall: group authorize returns ok
>> rad_check_password: Found Auth-Type local
>> auth: type Local
>> auth: user supplied User-Password matches local User-Password
>> Sending Access-Accept of id 23 to 10.10.9.51:1051
>>       Service-Type = Login-User
>> Finished request 0
>> Going to the next request
>>
>> The PP8610 config, Software Release 3.2.3.0 configuration:
>> LAB_550:5/config/radius/server# enable true
>> LAB_550:5/config/radius/server# create 10.10.1.2 secret test
>> LAB_550:5/config/radius/server# set 10.10.1.2 secret test
RE: Transmitted packet
Action completed. It is being sent to both Wendy and Kathleen.

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Iandc Davies
Sent: Tuesday 20 September 2005 15:05
To: freeradius-users@lists.freeradius.org
Subject: Transmitted packet

All,

The contents of the transmitted packet include a uint8_t *data. What exactly is this pointing to? The radius.c code seems to check it the first time round against NULL?

Ian Davies {02476 564662} Internal (x740 4662)
IMS-SIPAC Software Development Engineer
NAS Specific Attributes
Hello,

I'm searching for a way to send specific attributes to certain NAS devices. I'm already using huntgroups in combination with a MySQL backend for user and accounting storage, and accept or deny user access based on the SQL group the user is in and which huntgroup the calling NAS matches.

Group IT has HuntgroupName ~= ^(vpn|ras)$

I want to give VPN NASes extra attributes like CES-Group and Session-Timeout.

Any ideas on how to do this?

J.
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -
BAY Dictionary Attribute Adding
--- dictionary.bay.orig 2005-09-13 10:58:13.0 +0200 +++ dictionary.bay 2005-09-13 10:59:04.0 +0200 @@ -81,6 +81,9 @@ ATTRIBUTE Annex-User-Level100 integer Bay-Networks ATTRIBUTE Annex-Audit-Level 101 integer Bay-Networks +# Contivity Specific Attributes +ATTRIBUTE CES-Group 102 string + # Annex Tunnel Authen Type Values This attribute is necessary for the new Contivity software Please add this to the new freeradius server. J. - Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
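Review bot: the added `ATTRIBUTE CES-Group 102 string` line is missing the trailing `Bay-Networks` vendor field that the neighbouring context lines `ATTRIBUTE Annex-User-Level 100 integer Bay-Networks` and `ATTRIBUTE Annex-Audit-Level 101 integer Bay-Networks` carry, so as written it declares base RADIUS attribute 102 rather than a Bay-Networks vendor-specific attribute; suggest `ATTRIBUTE CES-Group 102 string Bay-Networks` so the new entry follows the same format as the rest of the file.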
RE: radwtmp
You need to enable large-file support

J.

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Rich
Sent: Tuesday 13 September 2005 20:23
To: freeradius-users@lists.freeradius.org
Subject: radwtmp

I just had a FreeRadius server 'crash' because 'radwtmp' filled up to 2GB... I have 'googled' and 'faq'd' but haven't found an answer to: do I need it? can I logrotate it? can I just config it away in radius.conf?

I am taking over admin after our setup guy left... still learning.

Thanks,
Rich
RE: mysql connections - segmentation fault
Have freeradius running on Debian 3.0 and Debian 3.1 without any problems.

J.

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Andreas M.
Sent: Sunday 11 September 2005 10:54
To: freeradius-users@lists.freeradius.org
Subject: mysql connections - segmentation fault

Hello,

I've installed FR 1.0.4; now when I start the server, during the connection to a mysql database, after the first one there is a segmentation fault. It is working with just one connection, but I can't find the reason for this. Maybe it has already been reported; I found something similar on the internet, but no solution. I'm running FR on a Debian 3.01 machine.

Thanks for all,
Andreas M
RE: Huntgroup-Name
Put this into the database: \^(vpn|ras)$\

I also tried this: ^(vpn|ras)$

Any ideas?

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Nicolas Baradakis
Sent: Sunday 11 September 2005 18:07
To: FreeRadius users mailing list
Subject: Re: Huntgroup-Name

Jonathan De Graeve wrote:

> Is it possible to specify multiple huntgroup names in sql? Let's say sqlgroup IT can connect to devices in the huntgroup vpn and ras (something like Huntgroup-Name == vpn,ras in sql??)

Huntgroup-Name =~ ^(vpn|ras)$

--
Nicolas Baradakis
Huntgroup-Name
Is it possible to specify multiple huntgroup names in sql? Let's say sqlgroup IT can connect to devices in the huntgroup vpn and ras (something like Huntgroup-Name == vpn,ras in sql??)

J.
RE: rlm_perl / rlm_python
I think there's a bug in the latest perl versions. When you are running Debian 3.1 (perl 5.8.4) and want the experimental package you may want to link libperl.so into freeradius; if you don't, you get an error when you start the freeradius server with rlm_perl enabled, like:

/usr/sbin/freeradius: relocation error: /usr/lib/perl/5.8/auto/IO/IO.so: undefined symbol: Perl_Tstack_sp_ptr (failed! run '/usr/sbin/freeradius -x' to find out why.)

I solved this with the recompile configure option:

--with-rlm-perl-lib-dir=/usr/lib/libperl.so.5.8.4

You also can do

LD_PRELOAD=/usr/lib/libperl.so freeradius

but I would suggest the first option...

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Thor Spruyt
Sent: Friday 9 September 2005 23:19
To: FreeRadius users mailing list
Subject: Re: rlm_perl / rlm_python

[EMAIL PROTECTED] wrote:

> Hi there,
>
> Could someone tell me what versions of freeradius have rlm_perl?

All latest versions have it. But it's unstable and therefore you have to compile from source using --with-experimental-modules

> Do I have to install the 1.0.4 version to get rlm_perl?

No, but the latest version is best :)

> A very subjective question here... what is better to use, rlm_perl or rlm_python?

I think that rlm_perl is likely to be supported better than rlm_python.

> I would have to learn python, but if the general consensus is to go with python I'll do it.

Go for rlm_perl

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
RE: Mixed-mode authentication environment
Is this also possible with EAP or MS-CHAP authentication?

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Wednesday 7 September 2005 23:59
To: FreeRadius users mailing list
Subject: Re: Mixed-mode authentication environment

Daniel Corbe [EMAIL PROTECTED] wrote:

> Since the SIP server requires DIGEST authentication, the Auth-Type attribute is present and it is set to DIGEST which forces FreeRADIUS to attempt a digest authentication. Once this fails an Access-Reject packet is sent back to the RADIUS client

You don't say who's setting Auth-Type. In the example config, the digest module sets it. If you're setting it yourself, there's a high likelihood that something will go wrong.

> Is there a way to configure FreeRADIUS so it first attempts a DIGEST authentication, and when that fails, we go ahead and attempt normal authentication?

No. That doesn't make sense.

There IS a way to configure the server to try digest authentication only when the RADIUS packet contains digest attributes. Uncomment the lines referring to digest in radiusd.conf.

Alan DeKok.
RE: Freeradius
Is it also possible to add multiple 'Huntgroup-Name's into the database? In my first test it didn't seem to be possible

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98

-Original message-
From: Tobias Frank [mailto:[EMAIL PROTECTED]
Sent: Thursday 8 September 2005 12:36
To: Jonathan De Graeve
Subject: Re: Freeradius

Hello again

Jonathan De Graeve wrote:

> What I want to do is distinguish users from NASSes. Let's say, users in the mysql group IT can connect to the NASSES 1 2 3 while patients only can connect to NAS 3. This can be done with huntgroups but I don't know how to do this with an SQL based implementation

forget my last mail. it is quite simple.

create your huntgroups and

insert into radcheck (username, attribute, op, value) values ('Tobi', 'Huntgroup-Name', '==', 'IT');

--
Synergy Systems GmbH
Tobias Frank
Head of Development
Konrad-Zuse-Platz 8
81829 München
Fon +49 (0)89 89080-500
Fax +49 (0)89 89080-600
mailto:[EMAIL PROTECTED]
Best Connections - www.synergysystems.de
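Added example, not code from the thread or from FreeRADIUS: a simplified model of how a huntgroups file turns NAS-IP-Address into Huntgroup-Name and how the operators of check rows like the radcheck insert above (==, !=, =~, !~) are evaluated against it, including why a regex such as ^(vpn|ras)$ stored under == never matches a real huntgroup name. All addresses, group names and rows are constructed.

```python
"""Model of FreeRADIUS check-item operators on Huntgroup-Name.

Added example, not code from the thread or from FreeRADIUS: a simplified model
of how a huntgroups file assigns Huntgroup-Name from NAS-IP-Address and how the
==, !=, =~ and !~ operators of a radgroupcheck row are evaluated against it.
All addresses, huntgroups and rows are constructed.
"""
import re

# Constructed huntgroups file as {NAS-IP-Address: huntgroup}; the real file has
# one "vpn  NAS-IP-Address == 10.2.254.1" style line per entry.
HUNTGROUPS = {
    "10.2.254.1": "vpn", "10.2.254.2": "vpn",
    "10.2.254.81": "ras", "10.2.254.82": "ras",
    "192.0.2.37": "hotspot",
}

# Constructed radgroupcheck rows: (GroupName, Attribute, op, Value).
# "artsen" uses the regex operator, "stagiairs" an exact match, and "broken"
# shows a regex stored under "==", which is a literal string comparison.
RADGROUPCHECK = [
    ("artsen",    "Huntgroup-Name", "=~", "^(vpn|ras)$"),
    ("stagiairs", "Huntgroup-Name", "==", "hotspot"),
    ("broken",    "Huntgroup-Name", "==", "^(vpn|ras)$"),
]


def check_item_matches(op, value, actual):
    """Evaluate one check item; in this model a missing attribute only satisfies != and !~."""
    if actual is None:
        return op in ("!=", "!~")
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return re.search(value, actual) is not None
    if op == "!~":
        return re.search(value, actual) is None
    raise ValueError(f"unsupported operator {op!r}")


def group_allows(group, nas_ip):
    """True when every check item of the SQL group matches a request from nas_ip."""
    items = [row for row in RADGROUPCHECK if row[0] == group]
    if not items:
        return False  # unknown group: nothing to match, so deny
    request = {"NAS-IP-Address": nas_ip, "Huntgroup-Name": HUNTGROUPS.get(nas_ip)}
    return all(check_item_matches(op, value, request.get(attr))
               for _, attr, op, value in items)
```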
huntgroups and bad_logins
Hello,

I bought the radius book from O'Reilly and it's a good book, except when you want to use freeradius mainly with an SQL backend (default user profiles in SQL). Also the principle of huntgroups isn't very well explained.

What I want to do is the following:

NAS1: 10.1.1.1
NAS2: 10.1.1.2

SQL usergroups: patients, it

IT may connect to NAS1 and 2, patients only to NAS2.

I've been looking on the internet for how to do this but didn't find it.

I also have problems with the bad_login perl script. When I run this script, it doesn't do anything (just hangs with no given output)

Kind Regards