send detail log to syslog server?
Hi,

Is it possible to get freeradius to send detail log data to a syslog server?

Thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Backup/Primary Radius Config
Hi,

I have two radius servers, one primary and one backup, on different IP addresses. They both have a MySQL backend which runs on the same physical machine. I need the SQL database and radius configuration files to be synchronised periodically (probably every 24 hours). I guess this is a common setup, so I'd appreciate some ideas as to the best way to achieve this?

Thanks

--
---
Sohonet Ltd http://www.sohonet.co.uk
Taking digital sound and vision to the world since 1995
Tel: +44(0)20 7292 6900 Fax: +44(0)20 7292 6901 Sup: +44(0)20 7292 6909
Email: [EMAIL PROTECTED]
---
Re: using scripts for sql.conf
Thanks. Will this allow me to run one of a number of queries in sql.conf depending on what's in the Access-Request the server receives? So I need to run some queries every time an Access-Request packet is received and then choose which authorize query to run in sql.conf.

Alan DeKok wrote:
> Maqbool Hashim [EMAIL PROTECTED] wrote:
> > Is it possible to reference a script from within sql.conf? I'd like to do some checks and inserts on the sql database just before the auth_check query in sql.conf. What's the best way of doing this?
>
> rlm_exec. List it before sql.
>
> Alan DeKok.
using scripts for sql.conf
Hi,

Is it possible to reference a script from within sql.conf? I'd like to do some checks and inserts on the sql database just before the auth_check query in sql.conf. What's the best way of doing this?

Thanks
Maqbool
users file logic?
Hi,

I have this in my users file:

user    Auth-Type := Local, User-Password = pass
        Tunnel-Type = 13,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 4016,
        Fall-Through = No

I would like to assign a different vlan-id if the user doesn't authenticate successfully, i.e. the username is the same but he enters the wrong password. Is this actually possible, as the processing will stop once it matches the first entry for the user "user"?

Regards,
Maqbool Hashim
Making user logins expire after a certain time
Hi,

Is it possible to tell radius to expire logins after a time period?
Re: Making user logins expire after a certain time
Hi Peter,

That's a good way of solving it, especially as there doesn't seem to be any RADIUS attributes satisfying that requirement. Is the expiry field just a boolean field you set with a cronjob?

Peter Hicks wrote:
> Hi Maq
>
> On Tue, Oct 11, 2005 at 02:29:03PM +0100, Maqbool Hashim wrote:
> > Is it possible to tell radius to expire logins after a time period?
>
> One option which we can use with our in-house RADIUS servers is to have an 'expiry' field on the SQL table, with the authorize_check_query checking that the login hasn't yet expired.
>
> Peter.
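Peter's suggestion, worked through as an added example that is not from the thread and not FreeRADIUS's own schema or query: a radcheck-style table gets an extra `expiry` column, and the authorize check query gains one condition so that an expired login returns no check items (which is what makes the request fail). The example uses a timestamp rather than a boolean flag, so a nightly job only has to move the expiry into the past; the table layout, column names, sqlite3 in place of MySQL, the sample rows and the reference time are all constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed reference time for the sample data (the date of the thread).
NOW = datetime(2005, 10, 11, 14, 29)

# The authorize check query as it might look without expiry handling ...
CHECK_QUERY = "SELECT attribute, op, value FROM radcheck WHERE username = ?"
# ... and with the expiry condition added. A user whose expiry has passed
# gets no check items back, so the server has nothing to authorize against.
CHECK_QUERY_WITH_EXPIRY = CHECK_QUERY + " AND (expiry IS NULL OR expiry > ?)"


def make_db():
    """Constructed radcheck-style table with an extra expiry column (ISO-8601 text)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, "
        "value TEXT, expiry TEXT)"
    )
    rows = [
        ("alice", "User-Password", "==", "alice-secret",
         (NOW + timedelta(days=30)).isoformat()),      # still valid
        ("bob", "User-Password", "==", "bob-secret",
         (NOW - timedelta(days=1)).isoformat()),       # expired yesterday
        ("carol", "User-Password", "==", "carol-secret", None),  # NULL: never expires
    ]
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def authorize_check(conn, username, now=NOW):
    """Check items for the user; [] when the user is unknown or expired."""
    cur = conn.execute(CHECK_QUERY_WITH_EXPIRY, (username, now.isoformat()))
    return cur.fetchall()


def is_active(conn, username, now=NOW):
    """True when the authorize query still returns check items for the user."""
    return bool(authorize_check(conn, username, now))


def expire_user(conn, username, now=NOW):
    """What a nightly cron job could do: set the expiry to 'now' so the
    strict 'expiry > now' test fails from then on."""
    conn.execute("UPDATE radcheck SET expiry = ? WHERE username = ?",
                 (now.isoformat(), username))
    conn.commit()


if __name__ == "__main__":
    db = make_db()
    for user in ("alice", "bob", "carol"):
        print(user, "active" if is_active(db, user) else "expired/unknown")
    expire_user(db, "alice")
    print("alice after expiry job:", "active" if is_active(db, "alice") else "expired")
```

Because both the stored value and the parameter are ISO-8601 text in the same format, the string comparison in SQL orders correctly; on MySQL the column would be a DATETIME compared against NOW() instead.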
Netscreen and Freeradius.
Hi,

Has anyone used Radius for authentication with the Netscreens? It works fine, however there is one problem. Root-Admin for Radius authentication is no longer supported. This is the value of the NS-Admin-Privilege attribute in the Netscreen dictionary file which gives full access to the user. Consequently you have to use All-VSYS-Root-Admin which gives read-write access to the user, but disables some vital functions. One of which is tftping software and config on and off the device.

Is anyone aware of any other limitations for All-VSYS-Root-Admin users? I'm posting this in the hope that other people have come across this issue and found a workaround.

Hoping for the best,
Maqbool Hashim
proxying users
Hi,

Is there a way that I can get my proxying radius server to append the realm for certain users? Basically I'm wondering if there's a way of having a realm-based server where users don't have to type in the realm as part of their username. I'm wondering if I can get the radius server to do it as part of its processing before it proxies the access request.

Thanks
x99 token authentication
Hi,

I have downloaded a trial version of the Cryptocard software from the website. This comes with 10 software tokens. I am trying to get these tokens to work with the x99 module in freeradius. Anyone have any ideas on how to extract the key for the software tokens? The cryptocard software generates a .token file. I think the key is stored in here in an encrypted format. Has anyone managed to reverse engineer the file, or know another way of getting the key?

Thanks in advance

Regards,
Maqbool
Re: token card strong authentication
Thanks. How can I test the cryptocard tokens work with freeradius before buying the hardware? Also is there a particular token in the Cryptocard range that people recommend for use with freeradius?

Also while I'm on this topic: from the documentation in freeradius I understand that the challenge response algorithm is weak because it uses DES. The work around suggested is to use sync mode. Fine. Is using 3DES to solve the problem not an option here?

Alan DeKok wrote:
> Maqbool Hashim [EMAIL PROTECTED] wrote:
> > I wish to use One Time Passwords with the freeradius server. I'm trying to find the best way to do this. Unfortunately there are not many of the token card manufacturers that support the freeradius server. At the moment it looks as if Cryptocard are the best bet.
>
> They're OK.
>
> > I would be very interested to hear from anyone who has implemented any OTP solution with freeradius.
>
> I haven't personally, but I know a number of others have. e.g. rlm_x99_token has been used at Google with CryptoCard tokens.
>
> Alan DeKok.
Re: token card strong authentication
OK, do you mean get the radius server to pass user credentials on to an OTP server?

[EMAIL PROTECTED] wrote:
> Maqbool Hashim wrote:
> > Unfortunately there are not many of the token card manufacturers that support the freeradius server. At the moment it looks as if Cryptocard are the best bet. I would be very interested to hear from anyone who has implemented any OTP solution with freeradius.
>
> Sorry, but I don't quite see the problem... You always can use freeradius and proxy the OTP verification to a dedicated server, can't you?
>
> Regards,
> Stefan
token card strong authentication
Hi,

I wish to use One Time Passwords with the freeradius server. I'm trying to find the best way to do this. Unfortunately there are not many of the token card manufacturers that support the freeradius server. At the moment it looks as if Cryptocard are the best bet. I would be very interested to hear from anyone who has implemented any OTP solution with freeradius.

Thanks
Token Card Support
Hi,

Token card support is based on the now obsolete X9.9 ANSI standard, correct? From the documentation in freeradius I understand that the challenge response algorithm is weak because it uses DES. The work around suggested is to use sync mode. Fine. Is using 3DES to solve the problem not an option here?

Also while I'm asking these questions I'd be interested to hear of token cards which integrate well with Freeradius that people are using?

Thanks in advance.

Regards,
Maqbool
Re: deployment question
Sorry, what I'm trying to ask is: what is the most secure way to create a unix login whose sole function is to execute adduser to add users to the /etc/passwd file? I'm running openbsd. Hmmm... as I finish writing this question it looks like this is rather off topic. Anyhow, any ideas welcome.

Thanks

Dustin Doris wrote:
> We have something similar to this in our network. Users can telnet into the box and they don't get a shell, but instead are given some kind of menu. It's been years since I've looked at it, but I'll see if I can track down if we still have it and see if I can find anything about it. Maybe I can send you a partial copy of the code, or at least how it was built and with what tools.
>
> -Dusty
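The restricted login the post above asks about, as an added example that is not from the thread: instead of a shell, the special account gets a program that accepts exactly one username, validates it against a strict policy, and only then calls the system adduser with a fixed argument list and no shell, so the account cannot be turned into a general command runner. The username policy, the reserved-name list, the adduser path and the `-batch` invocation are my assumptions (none of them come from the page); the `runner` parameter exists so the validation can be exercised without touching the real system.

```python
import re
import subprocess
import sys

# Constructed policy: lowercase, starts with a letter, 3-16 characters, no
# whitespace, separators or shell metacharacters can get through this.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{2,15}$")
# Constructed list of names the wrapper must never create or touch.
RESERVED = {"root", "daemon", "operator", "bin", "radius"}
# Assumed adduser location and batch-mode flag; adjust for the local system.
ADDUSER = "/usr/sbin/adduser"


def validate_username(name):
    """Return None when the name is acceptable, otherwise the reason it is not."""
    if not isinstance(name, str) or not USERNAME_RE.fullmatch(name):
        return "username must match " + USERNAME_RE.pattern
    if name in RESERVED:
        return "username is reserved"
    return None


def build_adduser_argv(name):
    """Fixed argv, never passed through a shell: the caller controls one token only."""
    return [ADDUSER, "-batch", name]


def run_restricted(argv, runner=subprocess.run):
    """Entry point used as the account's login 'shell'. argv is shaped like
    sys.argv. Returns the exit status: 2 for usage errors, 1 for a rejected
    username, otherwise adduser's own status."""
    if len(argv) != 2:
        print("usage: addradiususer <username>", file=sys.stderr)
        return 2
    reason = validate_username(argv[1])
    if reason is not None:
        print("rejected:", reason, file=sys.stderr)
        return 1
    result = runner(build_adduser_argv(argv[1]), check=False)
    return result.returncode


if __name__ == "__main__":
    sys.exit(run_restricted(sys.argv))
```

The wrapper itself does not need root: give the special account a sudo (or on current OpenBSD, doas) rule that permits exactly this one command and nothing else, keep the account reachable only from the LAN as the post describes, and log every invocation, so a compromised front-end account can at most create a validly named user.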
Re: deployment question
Hi there,

I've finally come to a decision as to what sort of backend we're going to use. Thanks for all the discussion, it was very helpful in coming to the final decision. Here's what I'm going to go with:

Use the UNIX password file on the machine that holds the radius server to authenticate users against. Users will be able to add users on that machine, with a special login. They won't have access to the radius configuration files at all. Users will only be able to login to the RADIUS machine over the LAN. The idea is that we trust our users and they will only be allowed to login to the RADIUS machine over the LAN.

I was thinking of creating a UNIX login, which instead of providing a shell, executes a script to add the new radius user. Ideas on doing this as securely as possible would be appreciated. I have freeradius running on OpenBSD.

Dustin Doris wrote:
> On Wed, 13 Apr 2005, Maqbool Hashim wrote:
> > True. Just coming back to your earlier mail:
> >
> > > Put the front-end on a different machine and have it only run apache. Put the ldap server on your private network and have the radius server and webserver with an interface on that network.
> >
> > The problem I can see with this is a PHP vulnerability would mean access to the backend. Basically putting the backend on the LAN doesn't really give us extra security, because the frontend will have full access to the Users table.
>
> The only extra security is if you're using ldap then you don't need to hardcode a master username/password into the webserver. So, in theory if someone hacked your webserver via php vulnerability or whatever else, they still wouldn't have any way to do any damage to your ldap directory or even view it. If you were to use mysql, then you'd need to hardcode some user that has write access to the whole database into your front-end. They get your webserver, they've now got your db. Same with Berkeley db. You might have to run the Berkeley db and radius servers on the same machine as the webserver. Or run some kind of ssh script to access the remote server and modify the db. I don't know if you can modify a Berkeley db remotely. Same problem, you'll have some kind of ssh key that will get them in or they'll have local access to it.
>
> Of course, if you use ldap, someone gets into your webserver and you then have an ssh exploit on your ldap directory you're out of luck again. But that's the engineer's fault for not keeping it up to date.
>
> You could always try to firewall the public website to only allow your IP space into it. That way if someone does mess it up, you can track it back to that person and kick their ass. :) hehe.
>
> > I guess we've got to have a weak link somewhere huh?
>
> Unfortunately. Anytime something has to be publicly available, there is bound to be a hole somewhere.
>
> > Dustin Doris wrote:
> > > dbm would be very fast and simple. I've never used it directly though, so I can't provide any help. Openldap does use Berkeley db as the backend db for data storage, so you are really just taking off a layer and making it much simpler. Mysql even offers a Berkeley db backend. You will need to build some sort of front-end with access to write to that db though. This will get you back to the security issue before as you'll have to have the logic of who can change what built into the front-end. You'll also have to write that front-end so it knows how to write correctly to the db. If you can do it, it should be real fast.
> > >
> > > > That's very helpful thank you. I was actually thinking of something similar except using mysql, but obviously ldap would be better as it directly provides that feature. However I was just reading some of the rlm_dbm file and it seems like the ideal backend for us, as it doesn't require any additional server software, fast etc. However I'm not too familiar with db and whether it would be easy to achieve the same thing, i.e. users be able to change their own record in the dbm users file. Any ideas?
> > > >
> > > > Dustin Doris wrote:
> > > > > Ldap will provide that feature for you. An openldap acl might look like this.
> > > > >
> > > > > access to attr=userPassword
> > > > >     by self write
> > > > >     by anonymous auth
> > > > >     by * none
> > > > >
> > > > > access to dn.one="ou=useraccounts,dc=yourdomain,dc=com"
> > > > >     by self write
> > > > >     by dn="cn=freeradius,dc=yourdomain,dc=com" read
> > > > >     by anonymous auth
> > > > >     by * none
> > > > >
> > > > > That means you can login and change your own stuff, but can't see anyone else's. Freeradius can read for authorization. This doesn't include reading passwords, which is shown as none in the prior acl. You then build a webpage front-end, such as with php. Have the user login to the webpage and change their password. The webpage will then send the username/password of the user logged in to ldap for the password change. This means that the webpage itself won't have super user rights and can only change the username/password of the person that is logged in and if they provide the correct username/password in the first place.
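To make the effect of Dustin's two ACL rules concrete, here is an added example (not from the thread, and not OpenLDAP code): a small evaluator that encodes those rules as data and answers "what may this bind DN do to this entry/attribute". It follows the slapd.access(5) model as I understand it: the first `access to` rule whose target matches is the only one consulted, within it the first matching `by` clause decides, and privilege levels nest as none < auth < read < write. DNs are compared as plain strings (real LDAP normalizes them), and the entry DNs and the freeradius bind DN are constructed from the DNs in the post.

```python
# Privilege levels in slapd.access(5) order; a higher level implies the lower ones.
LEVELS = {"none": 0, "auth": 1, "read": 2, "write": 3}

BASE = "ou=useraccounts,dc=yourdomain,dc=com"           # from the post
RADIUS_DN = "cn=freeradius,dc=yourdomain,dc=com"        # from the post

# The two rules from the post as data: (target, [(who, level), ...]).
ACL = [
    ({"attr": "userPassword"},
     [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ({"dn.one": BASE},
     [("self", "write"), (RADIUS_DN, "read"), ("anonymous", "auth"), ("*", "none")]),
]


def in_one_level(entry_dn, base):
    """dn.one matches entries exactly one level below base."""
    suffix = "," + base
    return entry_dn.endswith(suffix) and "," not in entry_dn[:-len(suffix)]


def target_matches(target, entry_dn, attr):
    """Does this 'access to' clause cover the entry/attribute being accessed?
    An attr-only target applies to that attribute on every entry."""
    if "attr" in target:
        return attr == target["attr"]
    if "dn.one" in target:
        return in_one_level(entry_dn, target["dn.one"])
    return False


def who_matches(who, bind_dn, entry_dn):
    """Evaluate one 'by' subject. bind_dn None means an anonymous requester."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn is not None and bind_dn == entry_dn
    if who == "anonymous":
        return bind_dn is None
    return bind_dn == who          # a literal dn="..." subject


def granted(bind_dn, entry_dn, attr):
    """Privilege level the ACL grants; 'none' when nothing applies."""
    for target, clauses in ACL:
        if not target_matches(target, entry_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"              # rule matched but no 'by' clause did
    return "none"


def allowed(bind_dn, entry_dn, attr, want):
    """True when the granted level is at least the requested one."""
    return LEVELS[granted(bind_dn, entry_dn, attr)] >= LEVELS[want]


if __name__ == "__main__":
    alice = "uid=alice," + BASE
    bob = "uid=bob," + BASE
    print("alice on own password:", granted(alice, alice, "userPassword"))
    print("alice on bob's password:", granted(alice, bob, "userPassword"))
    print("freeradius on alice's cn:", granted(RADIUS_DN, alice, "cn"))
    print("freeradius on alice's password:", granted(RADIUS_DN, alice, "userPassword"))
    print("anonymous on alice's password:", granted(None, alice, "userPassword"))
```

The outcomes match the post's description: a user can write only their own entry and password, the freeradius DN can read user entries but gets `none` on userPassword because the attribute rule comes first, and anonymous gets just `auth`, enough for a bind and nothing more.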
Re: deployment question
Dustin any input on this one?

Maqbool Hashim wrote:
> Hi there,
>
> I've finally come to a decision as to what sort of backend we're going to use. Thanks for all the discussion, it was very helpful in coming to the final decision. Here's what I'm going to go with:
>
> Use the UNIX password file on the machine that holds the radius server to authenticate users against. Users will be able to add users on that machine, with a special login. They won't have access to the radius configuration files at all. Users will only be able to login to the RADIUS machine over the LAN. The idea is that we trust our users and they will only be allowed to login to the RADIUS machine over the LAN.
>
> I was thinking of creating a UNIX login, which instead of providing a shell, executes a script to add the new radius user. Ideas on doing this as securely as possible would be appreciated. I have freeradius running on OpenBSD.
deployment question
Hi there,

After some trouble I have managed to get freeradius to compile on openbsd! Now I have a question about the backend database to use with freeradius.

Requirements:
1) Users can access the database and change their own password.
2) Users cannot see or change any other users' passwords.
3) The database we use is as small and cut down as possible while including the above two features.

I have thought about using MYSQL and table privileges to achieve this. However my concern is that MYSQL is a little bloated and I would prefer to achieve the above using the most cut down db I can. By the way this configuration has only one realm.

Thanks in advance.
Re: deployment question
Thanks,

I'm just thinking that mysql is a big and complex program which offers a lot of features. Our requirements are quite specific. I'm not saying I'm ruling out using mysql, just would like to hear whether there are any alternatives. Also, I notice that the mysql schema has a users table. Isn't it going to be difficult to give a single user access to change their password while hiding other users' passwords?

Miles Mawyer wrote:
> > However my concern is that MYSQL is a little bloated and would prefer to
>
> Bloated? How so? How many users are we talking about here? Sounds like a decent task for MySQL to me :) If you are worried about database size etc. I'd do a shell script or something to throw in X number of dummy users and see what you end up with.
>
> ... Miles Mawyer -=- Webmaster . Centralva.net ...
> ... [EMAIL PROTECTED] ...
> ... 434.385.5053 ...
Re: deployment question
Sorry, I'm not being clear here. What I meant was, if all users are contained in the same table, how can I allow a user to change just the row which corresponds to their username without revealing the rest of the table?

Miles Mawyer wrote:
> > Isn't it going to be difficult to give a single user access to change their password while hiding other users' passwords?
>
> Well, I suppose that depends on what you mean by give them access. Are you talking direct access via mysql command line or phpmyadmin? I don't know your specifics BUT, it sounds to me like a job for a php front end of some sort. That would certainly make that a moot point.
Re: deployment question
That makes sense. So effectively the php program has a login for the database. The user has a login for the php frontend. What the user sees depends on the credentials he supplies to the php frontend. Therefore the security rests with the php frontend. Right?

Miles Mawyer wrote:
> See previous answer :P A php or perl frontend to pull JUST that user's record. Have them authenticate FIRST via the current password, then update the record that contains that username. Make sense? I don't see a need for them to view the whole table if you use a method such as this.
Re: deployment question
I'm with you. Thank you kindly. Now sorry to keep going on about this, but can you think of an alternative to mysql? Something like a command line password change tool which accesses the users database. I'm just trying to find a way of achieving this without having to install apache and mysql. More features, more complexity, harder to secure.

Miles Mawyer wrote:
Right. The user has a login for the php frontend. The frontend would simply use the info from the user table. Username / old password / new password supplied via webform for example, php connects to mysql, and looks for a matching record in the user table for username / old password, compares, voila!
... Miles Mawyer -=- Webmaster . Centralva.net ... [EMAIL PROTECTED] ... 434.385.5053 ...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Maqbool Hashim
Sent: Wednesday, April 13, 2005 9:47 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: deployment question

That makes sense. So effectively the php program has a login for the database. The user has a login for the php frontend. What the user sees depends on the credentials he supplies to the php frontend. Therefore the security rests with the php frontend. Right?

Miles Mawyer wrote:
See previous answer :P A php or perl frontend to pull JUST that user's record. Have them authenticate FIRST via the current password, then update the record that contains that username. Make sense? I don't see a need for them to view the whole table if you use a method such as this.
... Miles Mawyer -=- Webmaster . Centralva.net ... [EMAIL PROTECTED] ... 434.385.5053 ...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Maqbool Hashim
Sent: Wednesday, April 13, 2005 9:22 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: deployment question

Sorry I'm not being clear here. What I meant was, if all users are contained in the same table, how can I allow a user to change just the row which corresponds to their username without revealing the rest of the table?

Miles Mawyer wrote:
> Isn't it going to be difficult to give a single user access to change their password while hiding other users passwords?
Well, I suppose that depends on what you mean by give them access. Are you talking direct access via mysql command line or phpmyadmin? I don't know your specifics BUT, it sounds to me like a job for a php front end of some sort. That would certainly make that a moot point.
... Miles Mawyer -=- Webmaster . Centralva.net ... [EMAIL PROTECTED] ... 434.385.5053 ...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Maqbool Hashim
Sent: Wednesday, April 13, 2005 9:09 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: deployment question

Thanks, I'm just thinking that mysql is a big and complex program which offers a lot of features. Our requirements are quite specific. I'm not saying I'm ruling out using mysql, just would like to hear whether there are any alternatives. Also, I notice that the mysql schema has a users table. Isn't it going to be difficult to give a single user access to change their password while hiding other users passwords?

Miles Mawyer wrote:
> However my concern is that MYSQL is a little bloated and would prefer to
Bloated? How so? How many users are we talking about here? Sounds like a decent task for MySQL to me :) If you are worried about database size etc. I'd do a shell script or something to throw in X number of dummy users and see what you end up with.
... Miles Mawyer -=- Webmaster . Centralva.net ... [EMAIL PROTECTED] ... 434.385.5053 ...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Maqbool Hashim
Sent: Wednesday, April 13, 2005 8:57 AM
To: freeradius-users@lists.freeradius.org
Subject: deployment question

Hi there, After some trouble I have managed to get freeradius to compile on openbsd! Now I have a question about the backend database to use with freeradius. Requirements:
1) Users can access the database and change their own password.
2) Users cannot see or change any other users passwords.
3) The database we use is as small and cut down as possible while including the above two features.
I have thought about using MYSQL and table privileges to achieve this. However my concern is that MYSQL is a little bloated and would prefer to achieve the above using the most cut down db I can. By the way this configuration has only one realm. Thanks in advance.
Re: deployment question
That's very helpful thank you. I was actually thinking of something similar except using mysql, but obviously ldap would be better as it directly provides that feature. However I was just reading some of the rlm_dbm file and it seems like the ideal backend for us, as it doesn't require any additional server software, fast etc. However I'm not too familiar with db and whether it would be easy to achieve the same thing, i.e. users be able to change their own record in the dbm users file. Any ideas?

Dustin Doris wrote:
Ldap will provide that feature for you. An openldap acl might look like this.

access to attr=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.one="ou=useraccounts,dc=yourdomain,dc=com"
    by self write
    by dn="cn=freeradius,dc=yourdomain,dc=com" read
    by anonymous auth
    by * none

That means you can login and change your own stuff, but can't see anyone else's. Freeradius can read for authorization. This doesn't include reading passwords, which is shown as none in the prior acl. You then build a webpage front-end, such as with php. Have the user login to the webpage and change their password. The webpage will then send the username/password of the user logged in to ldap for the password change. This means that the webpage itself won't have super user rights and can only change the username/password of the person that is logged in and if they provide the correct username/password in the first place. Don't want apache? Then build a commandline tool users can use that does the same thing. You can write a shell wrapper over the ldapmodify client that comes with openldap. Then again if you are allowing users local access to a machine in the first place, that is less secure than building a webserver. You want a command line tool for clients to use on their own computer? That is starting to get hard to support now. I would stay away from that. If you're not hardcoding any superuser username/password in the webserver, then you know that users can't obtain that information and do anything to the ldap directory. Put the front-end on a different machine and have it only run apache. Put the ldap server on your private network and have the radius server and webserver with an interface on that network. That way the ldap traffic is only going through over private network. More complex, yes, but it's not too bad. Less secure? Anytime you want to add functionality, such as password changes, you will open security. But this setup should be pretty secure.

On Wed, 13 Apr 2005, Maqbool Hashim wrote:
I'm with you. Thank you kindly. Now sorry to keep going on about this but. Can you think of an alternative to mysql? Something like a command line password change tool which accesses the users database. I'm just trying to find a way of achieving this without having to install apache and mysql. More features, more complexity, harder to secure. Miles Mawyer wrote: Right.
Re: Radius deployment question
Great, thanks to everyone who made suggestions, I'm going to go ahead and implement according to Alan's suggestion because of the amount of separation that it gives and it seems the best way of achieving this. One other point, if we are using an sql backend then the radiusd process would never have to be restarted as well, right?

Alan DeKok wrote:
The benefit with this approach is that no matter what the customer does to the database, it's *impossible* for them to affect any other customer.
Re: Radius deployment question
Hi, Do you mean I could separate users from different realms into different database tables? Is this what it means by using schemas? So rather than have one users table, I can have many different tables with users from different realms? And allow customers access to only the user table which applies to their firewall?

Dana Hudes wrote:
at the database level you can create a database user and GRANT them rights on the users table. That would, however, allow them to mess with users of other external customers. If you tag vpn users so you can identify to whom the user belongs, you can use an application which authenticates the customer and allows control only over customers tagged appropriately. Another possibility I suppose would be a per-customer schema over which they have rights but other customers' users are in their own respective schemas and unaffected. This would require adjustments on the user auth side, you'd need to add explicit schema support.

On Wed, 25 Aug 2004, Maqbool Hashim wrote:
I'd like to know if it is possible to allow external customers limited access to add users to our RADIUS configuration. We manage many firewalls for different customers. VPN users on the firewalls can be authenticated via our Freeradius server. So when another VPN needs to be setup on the firewall, we add a user into the users file or the SQL table. Is it possible for us to allow customers to be able to add users to the SQL table, without these users being authenticated for all of the other customers firewalls? So we want customer A to be able to add users which are to be authenticated on Firewall A without these users being able to be authenticated on Firewalls B, C and D. Is this possible? I know this will involve realms, but how can we get the customer to update the RADIUS configuration without giving them too much access to the RADIUS files? Has anyone got a similar setup or know how this can be achieved? Regards Maqbool
Re: Radius deployment question
Alan DeKok wrote:
> You would be better off having the customers manage their own RADIUS servers, and having you just proxy to those servers. If the customers don't want to manage their own servers, you can still have a server locally, per-customer. That way, you can give each customer limited access to the SQL database, and be guaranteed that they can't affect other customers.

Ok so the way this would work is to have an instance of the radiusd program running for every customer. Just point it at the right configuration files for the customer and bind it to a different port for each customer. Then give the customer access to the users table in the correct SQL database for their radius server.

> Put a proxying server in front of these other servers, and proxy based on realms.

Then stick a proxying server on the normal radius port and proxy based on realms. Is this how it would work?
Radius deployment question
I'd like to know if it is possible to allow external customers limited access to add users to our RADIUS configuration. We manage many firewalls for different customers. VPN users on the firewalls can be authenticated via our Freeradius server. So when another VPN needs to be setup on the firewall, we add a user into the users file or the SQL table. Is it possible for us to allow customers to be able to add users to the SQL table, without these users being authenticated for all of the other customers firewalls? So we want customer A to be able to add users which are to be authenticated on Firewall A without these users being able to be authenticated on Firewalls B, C and D. Is this possible? I know this will involve realms, but how can we get the customer to update the RADIUS configuration without giving them too much access to the RADIUS files? Has anyone got a similar setup or know how this can be achieved? Regards Maqbool
Re: problems with radius accounting when using mysql
Anson Rinesmith wrote:
Run radius in debug mode (radiusd -X) and see if you can figure out what is happening.

-Original Message-
From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Maqbool Hashim
Sent: Wednesday, June 30, 2004 11:24 AM
To: [EMAIL PROTECTED]
Subject: problems with radius accounting when using mysql

Hi, I have radius set up to get authentication information from a mysql database. I want it to log accounting information to the radacct table in my mysql database. I have set up the accounting section in my radiusd.conf file as follows:

accounting {
    acct_unique
    detail
    unix
    sql
    radutmp
}

However radius is still logging accounting information to the files and I can't see anything in the radacct table in my database. (I have rebooted the radius server). Am I missing a crucial setting here? Regards, Maqbool

Thanks, I had another look at the debug messages from the radiusd server, I can't see anything that illuminating in there. I see the sql module being loaded:

Module: Loaded SQL
 . . . .
 sql: accounting_update_query = UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime = 0
 sql: accounting_update_query_alt =

That's the sql query that should get executed when the accounting section is processed. However when there is an authentication request from a NAS, I only see sql queries and connections to the mysql server during the authorize section:

modcall[authorize]: module suffix returns noop for request 1
radius_xlat: 'ben'
rlm_sql (sql): sql_set_user escaped user -- 'ben'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'ben' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'ben' ORDER BY id
: : :

But I don't see anything like modcall[accounting] and an sql query. Should I be? And if I'm not what setting have I missed? The accounting section in radiusd.conf looks as I gave above. Regards, Maqbool
Re: Accounting and SQL, help!
Gary McKinney wrote:
Are you sure the NAS is sending accounting packets gm...

H... I'll check that out using ethereal, thanks. However I am seeing the following being logged to files:

modcall: entering group post-auth for request 2
radius_xlat: '/usr/local/var/log/radius/radacct/reply-detail-all'
rlm_detail: /usr/local/var/log/radius/radacct/reply-detail-all expands to /usr/local/var/log/radius/radacct/reply-detail-all
modcall[post-auth]: module reply_log returns ok for request 2
modcall: group post-auth returns ok for request 2

Is there not a way to get that logged to sql database? I take it this is information the radius server logs itself, independent of accounting packets that the NAS might send. However it would be nice if this could be stuck into sql tables and accessed via a php web interface. Cheers
Using Tunnel Attributes
Hi, I've been looking at the radius attributes page and I think the tunnel attributes may be useful for something I'm trying to achieve with radius. I'll describe an example scenario below. I have a firewall which is connected to an internal network and the Internet. A freeradius server sits on the internal network behind the firewall. We have many remote users who wish to setup VPN tunnels to the internal network behind the firewall. Is it possible to get RADIUS to setup the VPN tunnel between the user and the firewall as part of the authentication process using the tunnel attributes? So then only changes to the RADIUS users file need be changed to contain the VPN settings for every new user. Can someone tell me if I have got things completely mixed up. If I have, then how do we use these tunnel attributes and what are they for? Also is it possible to achieve the above with RADIUS? Regards, Maqbool - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting and SQL, help!
Thanks, I think the problem is the firewall (Netscreen 25) is not actually sending accounting packets to RADIUS. After some research via google it appears they haven't implemented the accounting function, which is really annoying. Anyone else have experience with these firewalls? Also, I understand that what I pasted below is authentication logs, but still I have to ask the question: Is there a way to get to stick that logging into sql database as well as the files?

Alan DeKok wrote:
Maqbool Hashim [EMAIL PROTECTED] wrote:
> modcall[post-auth]: module reply_log returns ok for request 2
> modcall: group post-auth returns ok for request 2
> Is there not a way to get that logged to sql database?
No, You're still looking at authentication requests. You can look at them forever, and not understand why accounting isn't working, because they're completely independent. Send the server accounting requests. Alan DeKok.
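A small triage helper for exactly the confusion in this thread, as an added example (not code from the thread or the FreeRADIUS project): it reads radiusd -X output, counts which packet types arrived, records which modcall sections each request went through and in which of them rlm_sql issued a query, and then says whether the NAS never sent an Accounting-Request, the accounting section never ran, or it ran without sql. The line shapes and the sample lines are constructed to mirror the debug output quoted above.

```python
"""Triage FreeRADIUS 1.x 'radiusd -X' output for accounting-vs-auth problems.

Added example, not from the list thread or the FreeRADIUS project. The
regexes and sample lines are constructed to mirror the output quoted in
the thread (rad_recv / modcall / rlm_sql_mysql lines).
"""
import re
from collections import Counter, defaultdict

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+), id=(\d+)")
ENTER_RE = re.compile(r"^modcall: entering group (\S+) for request (\d+)")
SQL_RE = re.compile(r"^rlm_sql_mysql: query: (.+)$")

NO_ACCT_PACKETS = "no Accounting-Request seen: the NAS is not sending accounting"
NO_ACCT_SECTION = "Accounting-Request seen but no 'accounting' section was entered"
NO_ACCT_SQL = "accounting section ran but rlm_sql issued no query: is 'sql' listed in accounting {}?"
ACCT_OK = "accounting requests reach rlm_sql"

# Constructed sample: two Access-Requests, SQL only in authorize (the thread's case).
SAMPLE_AUTH_ONLY = """\
rad_recv: Access-Request packet from host 192.0.2.10:1024, id=1, length=72
modcall: entering group authorize for request 1
modcall[authorize]: module suffix returns noop for request 1
rlm_sql (sql): sql_set_user escaped user -- 'ben'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'ben' ORDER BY id
modcall: entering group authenticate for request 1
modcall: entering group post-auth for request 1
modcall[post-auth]: module reply_log returns ok for request 1
rad_recv: Access-Request packet from host 192.0.2.10:1024, id=2, length=72
modcall: entering group authorize for request 2
modcall: entering group post-auth for request 2
"""

# Constructed sample: the same, plus one Accounting-Request that reaches sql.
SAMPLE_WITH_ACCT = SAMPLE_AUTH_ONLY + """\
rad_recv: Accounting-Request packet from host 192.0.2.10:1025, id=3, length=96
modcall: entering group accounting for request 3
rlm_sql_mysql: query: INSERT into radacct (AcctSessionId, UserName) values('0001', 'ben')
"""


def summarize(lines):
    """Return packet counts, per-request section order, and SQL per section."""
    packets = Counter()
    sections = defaultdict(list)      # request id -> [section, ...]
    sql_by_section = defaultdict(list)
    current = None                    # section the following lines belong to
    for line in lines:
        line = line.rstrip("\n")
        m = RECV_RE.match(line)
        if m:
            packets[m.group(1)] += 1
            current = None            # new packet, no section entered yet
            continue
        m = ENTER_RE.match(line)
        if m:
            current = m.group(1)
            sections[int(m.group(2))].append(current)
            continue
        m = SQL_RE.match(line)
        if m and current is not None:
            sql_by_section[current].append(m.group(1))
    return {"packets": dict(packets),
            "sections": dict(sections),
            "sql": dict(sql_by_section)}


def diagnose_accounting(summary):
    """Map the summary onto the failure modes discussed in the thread."""
    if not summary["packets"].get("Accounting-Request"):
        return NO_ACCT_PACKETS
    if not any("accounting" in s for s in summary["sections"].values()):
        return NO_ACCT_SECTION
    if not summary["sql"].get("accounting"):
        return NO_ACCT_SQL
    return ACCT_OK


if __name__ == "__main__":
    for name, text in (("auth only", SAMPLE_AUTH_ONLY), ("with acct", SAMPLE_WITH_ACCT)):
        s = summarize(text.splitlines())
        print(name, s["packets"], "->", diagnose_accounting(s))
```

Feed it a real capture with `summarize(open("debug.log").readlines())`; the first sample reproduces the thread's symptom, where the only verdict possible is that no accounting packets ever arrived.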
problems with radius accounting when using mysql
Hi, I have radius set up to get authentication information from a mysql database. I want it to log accounting information to the radacct table in my mysql database. I have set up the accounting section in my radiusd.conf file as follows:

accounting {
    acct_unique
    detail
    unix
    sql
    radutmp
}

However radius is still logging accounting information to the files and I can't see anything in the radacct table in my database. (I have rebooted the radius server). Am I missing a crucial setting here? Regards, Maqbool
dialup admin
Hi, I've just started using dialup admin and I have a couple of problems/queries: When adding users with the crypt option in the config file set to md5, users are not being authenticated. I take it that this is because the encrypted string in the radcheck table doesn't match the password that is sent in the query to the database. Have I forgotten some setting here? The reason is that when I set crypt option to clear everything works fine. Thanks
Radius Solutions question
I wish to implement the following using Freeradius: We provide a customer with a managed firewall. We set up a dialup vpn pool on the firewall. We wish to authenticate dialup users via our radius server. The firewall obviously has an entry in our clients file. Now what we would like is for the customer to be able to add dialup users, which can be authenticated by Radius. I will be using mysql with dialup_admin as a frontend. Is it possible for the customer to add the dialup users, without those users having the ability to change settings on our other NAS equipment? I think what I am asking here is, how can we give customers the ability to add and remove dialup vpn users for their own firewall, without giving them access to other NAS equipment that is authenticated by our RADIUS server. We would like to do this without setting up another RADIUS server on the customer site and using proxying etc. Any suggestions on how to achieve this would be very welcome. Regards,
Re: dialup admin
Thanks for the suggestion, I have actually tried that.

Amedzekor Kafui wrote:
Try changing the attribute from User-password to Crypt-Password

--- Maqbool Hashim [EMAIL PROTECTED] wrote:
Hi, I've just started using dialup admin and I have a couple of problems/queries: When adding users with the crypt option in the config file set to md5, users are not being authenticated. I take it that this is because the encrypted string in the radcheck table doesn't match the password that is sent in the query to the database. Have I forgotten some setting here? The reason is that when I set crypt option to clear everything works fine. Thanks
Radius and VPN configurations
Hi, Is it possible to do the following with radius? I have a vpn setup on my netscreen firewall. This netscreen will be a radius client. I wish to ease the administration headache for adding new vpn users. So when a new user wants to connect to the vpn with his dlink router or similar, I want to be able to add the relevant vpn settings on the radius server. So all the authentication and vpn settings are moved to the radius server rather than us having to change the firewall settings every time. So this will mean that customers who want to set up home users to be able to vpn into the firewall, will only have to add these users on the radius server and we won't have to do anything on the firewall. Any suggestions would be very welcome. Regards, Maqbool Hashim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Restricting attributes that radius admin can change
Hi, Thanks for all the replies on my previous questions. They were very helpful. I have another question: I wish to allow customers to add users to our RADIUS users file. Probably via dialup admin using mysql as backend. Now I only want the customers to be able to add users with the following attributes: User-Name Password I don't want the customers to be able to edit any other attributes or add users with any other attributes. Furthermore, I only want the customer to be able to edit users that they have added, not any that already exist or have been added by other people. Is this possible? Is there groups or different levels of admin for the freeradius server? Regards, Maqbool Hashim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
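One way to implement what this question and the earlier deployment thread ask for (customers who can only add, reset and remove their own users, with nothing but a name and password, and users who can change only their own password), following Dana's "tag the users and put an application in front of the table" suggestion, as an added example that is not code from the thread or the FreeRADIUS project. Assumptions: the 1.x radcheck layout with a constructed extra Customer column, one firewall per customer (pinning a user to it with a NAS-IP-Address check item, which is my addition, not something the thread states), and sqlite3 standing in for MySQL so it runs offline.

```python
"""Customer-scoped management of a shared FreeRADIUS SQL backend.

Added example, not from the thread or the FreeRADIUS project. Assumptions:
- radcheck follows the 1.x layout (UserName, Attribute, op, Value) plus a
  constructed 'Customer' column that tags who owns each row;
- each customer has exactly one NAS (its firewall); a NAS-IP-Address check
  item pins the user to it, so customer A's user cannot match on firewall B;
- sqlite3 stands in for MySQL so the example runs offline.
"""
import sqlite3

# Constructed customer -> firewall mapping (the NAS entry each customer has).
CUSTOMER_NAS = {"custA": "192.0.2.10", "custB": "192.0.2.20"}

SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    UserName  TEXT NOT NULL,
    Attribute TEXT NOT NULL,
    op        TEXT NOT NULL DEFAULT '==',
    Value     TEXT NOT NULL,
    Customer  TEXT NOT NULL
);
-- one row per (user, attribute): a second customer cannot re-register a name
CREATE UNIQUE INDEX radcheck_user_attr ON radcheck (UserName, Attribute);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_user(conn, customer, username, password):
    """Customers supply only a name and password; every other row is fixed."""
    if customer not in CUSTOMER_NAS:
        raise PermissionError("unknown customer")
    if not username or "@" in username:
        raise ValueError("bare username expected (no realm suffix)")
    rows = [
        (username, "User-Password", "==", password, customer),
        # Check item compared against the request: an Access-Request from any
        # other NAS-IP-Address fails it, so the user only works on this firewall.
        (username, "NAS-IP-Address", "==", CUSTOMER_NAS[customer], customer),
    ]
    try:
        with conn:
            conn.executemany(
                "INSERT INTO radcheck (UserName, Attribute, op, Value, Customer)"
                " VALUES (?, ?, ?, ?, ?)", rows)
    except sqlite3.IntegrityError:
        raise PermissionError("username already taken (maybe by another customer)")


def set_password(conn, customer, username, new_password):
    """Customer-side reset, limited to rows tagged with that customer."""
    with conn:
        cur = conn.execute(
            "UPDATE radcheck SET Value = ? WHERE UserName = ?"
            " AND Attribute = 'User-Password' AND Customer = ?",
            (new_password, username, customer))
    if cur.rowcount != 1:
        raise PermissionError("no such user owned by this customer")


def delete_user(conn, customer, username):
    with conn:
        cur = conn.execute(
            "DELETE FROM radcheck WHERE UserName = ? AND Customer = ?",
            (username, customer))
    if cur.rowcount == 0:
        raise PermissionError("no such user owned by this customer")


def change_own_password(conn, username, old_password, new_password):
    """Self-service change: the UPDATE matches only if the caller supplies
    the current password, so no other user's row is ever read or touched."""
    with conn:
        cur = conn.execute(
            "UPDATE radcheck SET Value = ? WHERE UserName = ?"
            " AND Attribute = 'User-Password' AND Value = ?",
            (new_password, username, old_password))
    return cur.rowcount == 1


def list_users(conn, customer):
    return [r[0] for r in conn.execute(
        "SELECT DISTINCT UserName FROM radcheck WHERE Customer = ? ORDER BY 1",
        (customer,))]


def check_items(conn, username):
    """What the authorize query in sql.conf would hand to the server."""
    return list(conn.execute(
        "SELECT Attribute, op, Value FROM radcheck WHERE UserName = ? ORDER BY id",
        (username,)))
```

The front end (dialup_admin or a php page) would call these with the customer identity taken from its own login, never from the form, so the Customer tag is never under the customer's control.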
dialup_admin
Hi, I am trying to get the dialup_admin script to work. I'm using dialup_admin that was bundled with Freeradius 1.0.0 prerelease 3. The steps I've taken so far:
1) Set up mysql server and have it running on localhost.
2) Used radclient to check that Radius could authenticate users via mysql database
3) Set up apache server with support for php and have it running on localhost
4) Followed instructions in dialup_admin HOWTO.
The problem I have is when I try to access http://localhost/dialup_admin, I get:

Forbidden
You don't have permission to access /dialup/index.html on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

My understanding was that I should get a username and password prompt, which I added to the .htpasswd file using htpasswd utility. Have I misunderstood completely, or is there some vital configuration detail I am missing? Thanks
dialup admin
Oops, me being silly, I have added the link with a higher privilege than the apache server is running. Thanks
freeradius Web Frontend
Are there any web frontends for Freeradius? There is a link to Chris Shenton's frontend, but there is not documentation for it as it was written for an internal project. Has anyone used his frontend with success? Or even found any other web frontends for freeradius? Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radius and windows
Is it possible to get a Windows Domain Controller to authenticate via radius? Has anyone got this working? I think what I'm asking is: Is there a radclient for Windows Domain Controllers? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius and windows
Thanks, I suppose I could just use LDAP to authenticate Windows Domain Controllers. I am not actually asking this question for Domain Controllers which I personally run, but for clients who might have these things and I would like to be able to authenticate these windows machines via our radius server. Am I right in thinking that LDAP would work?
Re: problems with radwho,
Still having problems with radwho and utmp type logging, can someone give me a clue?

Maqbool Hashim wrote:
Hi, I'm having problems getting utmp accounting to work properly on FreeRadius (latest version). When the NAS sends an account-request packet to radius, everything seems ok except for the following line seen in the debug window:

rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!

The corresponding Access Request packet from the NAS contains: NAS-Port-Type = Virtual. I'm using a HP Procurve 6108 switch. I suspect that radius wants me to set the NAS-Port-Type to ethernet or similar, however I do not know how to get the switch to send a NAS-Port-Type that radius will like. radwho also does not work for my netscreen boxes. Does anyone have any ideas on how I can get radwho to work with my NAS gear? Thanks
dictionary file for hp 6108
Hi, Where can I find a dictionary file for a HP 6108 router? It's not on the website or included in the latest freeradius tarball. Thanks in advance.
problems with radwho,
Hi, I'm having problems getting utmp accounting to work properly on FreeRadius (latest version). When the NAS sends an account-request packet to radius, everything seems ok except for the following line seen in the debug window:

rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!

The corresponding Access Request packet from the NAS contains: NAS-Port-Type = Virtual. I'm using a HP Procurve 6108 switch. I suspect that radius wants me to set the NAS-Port-Type to ethernet or similar, however I do not know how to get the switch to send a NAS-Port-Type that radius will like. radwho also does not work for my netscreen boxes. Does anyone have any ideas on how I can get radwho to work with my NAS gear? Thanks
netscreen dictionary
I am trying to get radius to work with netscreen firewall. I have the netscreen dictionary and have included it in the master dictionary file. Can I now use the attributes in the netscreen dictionary file to specify attributes in the users file??? Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
netscreen dictionary attributes
Please can someone tell me where I can find more information on the netscreen attributes defined in the dictionary file produced by netscreen. I have tried the vendor site, with no success. At present I am stabbing in the dark. I would very much appreciate some help from someone who has configured freeradius with netscreen. Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How to get PAM to use RADIUS to authenticate a user?
FreeRadius version: 0.9.3, Redhat Linux 9.0

I have installed FreeRadius on my system and to get familiar with it I am attempting to get the Unix login program to authenticate using the radius server. In order to do this I am using the radius pam module pam_radius_auth. So PAM is the radius client. (All programs are running on the same machine, client and radius server). Here's what I have in /etc/pam.d/login:

#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   /lib/security/pam_radius_auth.so debug
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

and in /raddb/users I have the following default line:

DEFAULT Auth-Type := System
        Service-Type = Login-User

I start the radius server as follows: radiusd -i 127.0.0.1 -X then in another terminal I execute login and try to login as a normal user. The login program returns with:

Authentication service cannot retrieve authentication info.

Now I check the radius server debugging info and from that side it seems to be authenticating the user fine:

users: Matched DEFAULT at 140
modcall[authorize]: module files returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate for request 0
modcall[authenticate]: module unix returns ok for request 0
modcall: group authenticate returns ok for request 0
Sending Access-Accept of id 206 to 127.0.0.1:5735
  Service-Type = Login-User
Finished request 0

This problem has me confused. If anyone can shed any light on the matter I would appreciate it. Perhaps the problem lies in the .../pam.d/login configuration?
Re: How to get PAM to use RADIUS to authenticate a user?
Déborah Malka wrote:
You just have to put Auth-Type := pam in the users file

Thanks for the reply Deborah, unfortunately the suggestion you made below doesn't seem to work. When I change auth-type from system to pam... this is what happens: When I run login it behaves very strangely... it asks for password twice. After I enter the password for the second time I get the same message as before:

login: test
Password:
Password:
Authentication service cannot retrieve authentication info.

On the Radius server I now get an access-reject message:

rad_check_password: Found Auth-Type pam
auth: type PAM
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 125 to 127.0.0.1:6512
Waking up in 4 seconds...

Also I think that using Auth-Type = Pam makes radius authenticate via pam. Whereas what I am trying to do is to get the unix login program to authenticate via my radius server using pam module. Anyone have any further ideas? Thanks