Re: Newbie: General Questions About Installation

2005-08-09 Thread Paul Hampson
On Mon, Aug 08, 2005 at 08:20:25AM -0700, Kris Benson wrote:
 FreeRadius users mailing list freeradius-users@lists.freeradius.org on
 August 7, 2005 at 11:16 -0800 wrote:
 On Sun, 7 Aug 2005 15:05:50 +0100

 Install FreeBSD, go to /usr/ports/net/freeradius and simply type make
 install clean
 Voila, all you need including dependencies will be automatically
 installed on your system.
 Or if you wanna go for a BSD wannabe in the Linux world, use Gentoo,
 there you just type emerge freeradius and you get the same result as on
 BSD.
 Dealing with Debian you either get outdated applications or a pretty
 unstable system, depending on the Debian branch you may want to use.
 Please keep in mind this is my subjective opinion based on my long time
 experience.
 And BTW, the version you are trying to install is also outdated and with
 known security issues.

 Dude!  He's trying to install the most recent version: 1.0.4... While I
 would agree that FreeBSD is generally a better choice than any Linux
 variant, YMMV.

 You are right about outdated packages -- the Debian Freeradius package is
 v1.0.2... and comes without EAP-TLS and anything that requires it.

(This is directed at both the preceding posters. I just didn't want to
type it out twice. ^_^)

You may want to do a modicum of research before throwing aspersions.
Given that Debian/Sarge predated FreeRADIUS 1.0.4 (and 1.0.3), and the
FreeRADIUS 1.0.2 package in Debian/Sarge contains all of the essential
security and bug fixes that differentiate it from 1.0.4 [1], I'd hardly
call it outdated. _I_ think it's the best 1.0.2-based version available
for the time, and it's still serving _me_ quite well. If there were any
other security problems, a new version would be put into Debian/sarge,
so it's not like it's bitrotting into a security hole. (This is true of
Debian/sarge in general.)

Debian/sid and Debian/etch obviously contain FreeRADIUS 1.0.4 + whatever
fixes will differentiate it from 1.0.5, as appropriate. [2]

And the exclusion of EAP/TLS is due to the well documented conflict
between the GPL license of rlm_eap_tls and the OpenSSL license, which
makes distributing binaries of rlm_eap_tls that link against openssl
impossible, legally. And since there are several various sets of
instructions on building your own copy of FreeRADIUS for Debian with
eap-tls included, I don't feel that not distributing unlicensed binaries
is a big loss compared to distributing unlicensed binaries.

And I'm not going to even start on people who think the solution to any
computer problem is "Blow away what you've got, install my favorite OS,
and do things my way."

I put time and effort into the Debian FreeRADIUS package, to make it the
best it can be. You're welcome to level criticisms at it (Debian has a
whole BTS to do that in ^_^) but "the package sucks and is outdated and
has security holes" based entirely on the upstream version number is a
little on the wrong side of criticism for me.

I'm also gonna resist the temptation to baselessly attack FreeBSD. Any
opinions I have on FreeBSD have been formed through FreeRADIUS, and as
such are well documented on the freeradius-devel list. Certainly the
preceding preceding poster demonstrated that their long experience may
also have been a long time ago, back when Debian was only Stable and
Unstable (Circa 1998 I think) and possibly hadn't grasped the essential
nature of the Debian distributions beyond their names. (Just like the
essential nature of the FreeRADIUS version not being grasped beyond the
upstream version number.) I think I'm sensing a theme here of judging
books by their covers.

[1] 
http://packages.debian.org/changelogs/pool/main/f/freeradius/freeradius_1.0.2-4/changelog
[2] 
http://packages.debian.org/changelogs/pool/main/f/freeradius/freeradius_1.0.4-2/changelog
 

-- 
Paul TBBle Hampson, on an alternate email client.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Newbie: General Questions About Installation

2005-08-09 Thread Paul Hampson
On Sat, Aug 06, 2005 at 02:09:59PM -0700, Kris Benson wrote:
 FreeRadius users mailing list freeradius-users@lists.freeradius.org on
 August 6, 2005 at 00:25 -0800 wrote:
 in console just type apt-get install freeradius, or use the synaptic package
 manager (x windows / gnome) and do a search for Freeradius. That will
 install and create the user/group freerad and put all the files in their
 appropriate place.
 
 once that's done your configuration files will be in /etc/freeradius; edit
 radiusd.conf to your liking, clients.conf etc.

 There's one major issue with the Debian freeradius package -- any module
 that requires hooks to OpenSSL is not included due to some legal issue. 
 This includes eap_tls, eap_ttls, eap_peap, etc.

 The compile-from-source solution works well -- you just need to apt-get
 install these:
 libmysqlclient14-dev
 libldap2-dev (if you want LDAP support)
 libssl-dev

(When you're dpkg-buildpackaging, it should tell you what you're
missing. If there's something you need that's not listed, please let
me know, as it's a particularly nasty bug that needs fixing.)

If you're compiling from source for Debian (either upstream or the
Debian archives) and want EAP-TLS you'll need the patch from FreeRADIUS
bug #75 (Attachment id=77, right down the bottom).

Other OpenSSL depending stuff (rlm_sql_postgres and SNMP agent support
come to mind) doesn't need this patch. It's just for crosslinking in
rlm_eap, and will be going into the next Debian version, and the debian/
directory of 1.0.5 if either occurs.

I'd recommend using the upstream tarball, as the version in the Debian
archive explicitly disables OpenSSL support, the upstream tarball will
detect it and use it if it's there.

If you want the latest debian/ directory with less mucking about and
without OpenSSL disabled, you can check out the latest Debian release
(the CVS tag escapes me. debian_1_0_4_2 I think) to get pretty much
exactly what's in Debian, but without the SSL disabled. You can check
the Debian changelog for 1.0.4-2 [1] to see if there's anything you need
compared to 1.0.4-0 (the upstream release). You'll need to check out
release_1_0_4 first, then go into debian/ and cvs update -r
debian_1_0_4_2 or whatever the tag is. (Check CVSWeb. ^_^)

[1] 
http://packages.debian.org/changelogs/pool/main/f/freeradius/freeradius_1.0.4-2/changelog

-- 
Paul TBBle Hampson, on an alternate email client.


Re: Disconnect-Request packet

2005-07-28 Thread Paul Hampson
On Thu, Jul 28, 2005 at 06:20:35PM -0700, N White wrote:
 That's correct. Read my second reply. So other then writing custom 
 scripts, is there a way for the RADIUS server(FreeRADIUS) to be told to 
 send a disconnect packet to the NAS that a particular user is logged in 
 to(NAS could vary - Portmaster, Cisco, PPPoE Server, VPN Server, etc))?

Nope, you have to write custom scripts. FreeRADIUS has nothing to do
with (and wants nothing to do with) the disconnect packets.

Usually, you would have a script that checks for whatever condition
you're basing the disconnect on, and calls radclient (or telnet, or
whatever the interface your NAS/downstream provides for this) to do
the disconnect. (I've also seen SNMP and SOAP, and I really don't think
FreeRADIUS is the right tool to automate a phone call to the NOC. ^_^)

While you _could_ integrate disconnect into FreeRADIUS using a mechanism
similar to checkrad, it'd be pretty daft, since the authentication
checks the wrong details (this is an administrative request, not a user
request) and sends the wrong way (this is an unsolicited packet to a
NAS, not to a RADIUS proxy). This last point seems trivial until you try
to proxy backwards through a chain you have only the last hop of, and
the last hop doesn't necessarily know what the previous hop was.  (I
vaguely remember someone discussing a static reverse-NAS route config
file at some point. Luckily, no one tried to turn that into code)

Bash and perl are both simpler and easier shells for this than
FreeRADIUS. ^_^

-- 
Paul TBBle Hampson, on an alternate email client.


Re: rlm_sql_mysql make error for 1.0.4 and snapshot-20050718

2005-07-19 Thread Paul Hampson
On Mon, Jul 18, 2005 at 05:22:51PM +0200, Thor Spruyt wrote:
 Hi,
 `/home/thor/freeradius-1.0.4/src/modules/rlm_sql/drivers/rlm_sql_mysql'
 gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall
 -D_GNU_SOURCE -DNDEBUG  -I../.. -I../../../../include -I'/usr/include/mysql'
 -I/home/thor/freeradius-1.0.4/libltdl -c sql_mysql.c -o sql_mysql.o
 sql_mysql.c:39:20: errmsg.h: No such file or directory
 sql_mysql.c:40:19: mysql.h: No such file or directory

The build process didn't find your mySQL headers.

-- 
Paul TBBle Hampson, on an alternate email client.


Re: Need help installing 1.0.4 on RHEL update 4

2005-07-08 Thread Paul Hampson
On Fri, Jul 08, 2005 at 11:36:33AM -0400, Ken George wrote:
 I am not a RHEL expert, but have installed the 1.0.1 RPM of freeradius.

 I am trying to get freeradius to authenticate against a Windows 2003
 Active Directory.

 Once I can get radtest to work on the server I'll configure the clients
 (Cisco VPN 3005 and console access for all my other Cisco routers,
 switches, etc).

 Since 1.0.1 is older I thought I'd try to get 1.0.4 in before banging
 out my .conf file problems.

 I get the following errors when I try to ./configure 1.0.4

 configure:7989: checking for ut_xtime in struct utmpx
 configure:8005: gcc -c -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
 -DOPENSSL_NO_KRB5 conftest.c 1>&5
 configure: In function `main':
 configure:8001: structure has no member named `ut_xtime'-- the
 first problem
 configure: failed program was:
 #line 7993 "configure"
 #include "confdefs.h"
 
 #include <utmpx.h>
 #ifndef offsetof
 #define offsetof(TYPE, MEMBER) ((int) &((TYPE *)0)->MEMBER)
 #endif
 
 int main() {
  int foo = offsetof(struct utmpx, ut_xtime)
 ; return 0; }

There's no ut_xtime in struct utmpx. Why is this a problem?

 configure:8336: checking for asn1.h,snmp.h,snmp_impl.h
 configure:8364: gcc -c -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
 -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE -DNDEBUG  conftest.c 1>&5
 In file included from configure:8356:
 /usr/include/ucd-snmp/asn1.h:7:2: #error Please update your headers or
 configure using --enable-ucd-snmp-compatibility  -- (this error then
 occurs multiple times)

This is because you're using net-snmp in ucd-snmp compatibility
mode, and that is not supported in stock 1.0.4. You can try this
patch:
http://www.freeradius.org/cgi-bin/cvsweb.cgi/~checkout~/radiusd/debian/patches/Attic/01_NET-SNMP_build_support.dpatch?rev=1.1.2.2&content-type=text/plain&hideattic=0
although be warned that if your net-snmp is not configured exactly
the same as your FreeRADIUS, you _will_ get nasty nasty problems. I
believe these problems were first observed on a RedHat system, which
ships a net-snmp package which doesn't necessarily match the defines
you need to build FreeRADIUS.

Your other choice is to upgrade to CVS HEAD, but that may not be in
working condition right now. (Someone mentioned a proxying problem
earlier...)

-- 
Paul TBBle Hampson, on an alternate email client.


Re: [radius] Freeradius/MySql problem

2005-07-02 Thread Paul Hampson
On Sat, Jul 02, 2005 at 10:42:44AM -0700, Radius wrote:
 OK, let me try this way, when our wholesale provider receives a realm, 
 they know where
 to send the request.
 
 If the user sends [EMAIL PROTECTED] or [EMAIL PROTECTED]
 
 our radius regardless if I have lower_user before/after/no
 
 They will be authenticated either way.

 If we force it lower on our end, does not force lower on their end.

 It's a mess. They said only this month they were going to issue credits
 and that I needed to get my end to deny UPPER case logins.

 I set the lower_user lower and lower_pass to no and a user will
 all [EMAIL PROTECTED] will be authenticated. I guess mysql
 doesn't care if it's upper or lower.

For what you want to do, you need to set lower_user to 'no',
and check your authorize_check_query to be sure you're using
the one that has STRCMP(Username, '%{SQL-User-Name}') and not the
one that has Username = '%{SQL-User-Name}'.

i.e. (this is in 1.0.4, and doesn't work with mysql 4 onwards.)

# Use these for case sensitive usernames. WARNING: Slower queries!
authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id"
authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id"

#   authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
#   authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"

rather than the default.

# Use these for case sensitive usernames. WARNING: Slower queries!
#   authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id"
#   authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id"

authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"


(That's only moving the #s, not changing the query itself.)

This is the joy of mySQL, it's not case-sensitive for string
comparisons by default. ^_^

Alternatively, change the radcheck table's UserName column to be 'BINARY', see
http://dev.mysql.com/doc/mysql/en/case-sensitivity.html for details. (Although
that's mySQL 4.1. If you're using a packaged mySQL from a distribution, check
A.5.1 in the included manual for more specific details.)

In fact, I'd be interested to know if
authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE BINARY Username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE BINARY Username = '%{SQL-User-Name}' ORDER BY id"
fixes it, and if it works for mySQL < 4, because it's more future-proofed
than STRCMP, which has already changed semantics.

-- 
Paul TBBle Hampson, on an alternate email client.
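The three predicate forms compared above, worked through as an added example (not from the thread or the FreeRADIUS distribution) against the radcheck table as laid out in the FreeRADIUS 1.0 MySQL schema. It assumes a MySQL 4.1 or later server running its default case-insensitive collation; the row for 'bob' is constructed, and the literal 'BOB' stands in for the %{SQL-User-Name} substitution rlm_sql performs for a request that arrived in upper case.

```sql
-- Added example, not from the thread: radcheck as in the FreeRADIUS 1.0
-- MySQL schema, plus one constructed row for the user 'bob'.
CREATE TABLE radcheck (
  id        INT(11) UNSIGNED NOT NULL AUTO_INCREMENT,
  UserName  VARCHAR(64)  NOT NULL DEFAULT '',
  Attribute VARCHAR(32)  NOT NULL DEFAULT '',
  op        CHAR(2)      NOT NULL DEFAULT '==',
  Value     VARCHAR(253) NOT NULL DEFAULT '',
  PRIMARY KEY (id),
  KEY UserName (UserName(32))
);

INSERT INTO radcheck (UserName, Attribute, op, Value)
VALUES ('bob', 'User-Password', '==', 'constructed-example-password');

-- 1. The default authorize_check_query, with 'BOB' in place of
--    %{SQL-User-Name}. Under MySQL's default case-insensitive (_ci)
--    collation '=' matches the 'bob' row, so the upper-case login is
--    authorised, which is the behaviour the poster is trying to stop.
SELECT id, UserName, Attribute, Value, op FROM radcheck
 WHERE UserName = 'BOB' ORDER BY id;

-- 2. The "case sensitive" variant shipped commented out in sql.conf.
--    Before MySQL 4.0 STRCMP() compared bytes; since 4.0 it follows the
--    operands' collation, so under a _ci collation this behaves exactly
--    like (1) and the case mismatch is still not rejected.
SELECT id, UserName, Attribute, Value, op FROM radcheck
 WHERE STRCMP(UserName, 'BOB') = 0 ORDER BY id;

-- 3. Forcing a byte-wise comparison. The BINARY operator casts UserName
--    to a binary string, so 'BOB' no longer matches 'bob' and only the
--    exact spelling stored in radcheck is authorised. Casting the column
--    defeats the UserName index, which is why sql.conf warns that these
--    queries are slower. (Newer releases spell this CAST(UserName AS BINARY).)
SELECT id, UserName, Attribute, Value, op FROM radcheck
 WHERE BINARY UserName = 'BOB' ORDER BY id;

-- 4. The alternative suggested above: make the column itself binary so
--    every query, including the untouched default (1), becomes case
--    sensitive, and the prefix index stays usable.
ALTER TABLE radcheck
  MODIFY UserName VARCHAR(64) BINARY NOT NULL DEFAULT '';
```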


Re: external script in defunct state

2005-06-27 Thread Paul Hampson
On Mon, Jun 27, 2005 at 12:29:27PM +0500, rashad wrote:
 I want to run an external script when Acct-Stop packets are received. My acct_users
 file:

 DEFAULT Acct-Status-Type == Stop
 Exec-Program = /usr/local/sbin/testacct.php

 Script runs and executes normally but stays in defunct state for every
 call:

 5154 ?        Z      0:00 [testacct.php <defunct>]
 5159 ?        Z      0:00 [testacct.php <defunct>]
 5161 ?        Z      0:00 [testacct.php <defunct>]
 ..

 Where can the mistake be?

This is a known problem for versions before 1.0.3. If you've
not upgraded to 1.0.4, please do so, and try it again.

-- 
Paul TBBle Hampson, on an alternate email client.


Re: external script stays in defunct state after executing

2005-06-27 Thread Paul Hampson
On Mon, Jun 27, 2005 at 09:02:04PM +0500, rashad wrote:
 External script stays in defunct state after successful execution.

 My configuration:
 OS: Debian Linux 3.0
 Freeradius: 1.0.4

 acct_users file:

 DEFAULT Acct-Status-Type == Stop
 Exec-Program = /usr/local/sbin/testacct.php

 Note that this problem was not in my old freeradius 1.0.1 installation in
 the machine with the same configuration.

I'd suggest upgrading to Debian 3.1, and trying the FreeRADIUS in
_that_. (Or getting the source, and building it locally) The threading
changes between 1.0.2 and 1.0.3 are also included in the Debian 1.0.2-4
package, so that will identify if the problem is the fixed threading
code, or something else that changed between 1.0.1 and 1.0.4. (Or
something else that changed between 1.0.1 and 1.0.2 I guess)

-- 
Paul TBBle Hampson, on an alternate email client.


Re: x99_rlm.c:550: error: label at end of compound statement

2005-06-25 Thread Paul Hampson
On Sat, Jun 25, 2005 at 02:00:27PM +0600, [EMAIL PROTECTED] wrote:
 Hello, Paul.

 You wrote on 25 June 2005 at 6:49:39:

 PH> On Fri, Jun 24, 2005 at 02:58:14PM +0600, [EMAIL PROTECTED] wrote:
  make failed with this error...
 
 but a new error has occurred :(

 gmake[6]: Entering directory `/tmp/freeradius-1.0.1/src/modules/rlm_x99_token'
 gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall 
 -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
 -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes 
 -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef  
 -I../../include -DX99_MODULE_NAME=\"rlm_x99_token\"  -DFREERADIUS -c 
 x99_rlm.c -o x99_rlm.o
 x99_rlm.c: In function `x99_token_authenticate':
 x99_rlm.c:550: error: label at end of compound statement
 gmake[6]: *** [x99_rlm.o] Error 1

Umm, I think that was fixed at some point since 1.0.1...

Anyway, that's normally a warning... Are you building with
gcc 4 by some chance? Maybe they upgraded it to an error at
some point.

-- 
Paul TBBle Hampson, on an alternate email client.


Re: Debian .deb Installation Version 1.0.2 CA.all doesn't exist

2005-06-22 Thread Paul Hampson
On Tue, Jun 21, 2005 at 03:21:17PM +0200, Michael Langer wrote:
 Hi,
 have you done it at the weekend? Today I tried apt-upgrade and nothing has
 changed.
 The current version is 1.0.2 in sarge, isn't it?

Sorry, I didn't do the update until Monday, and my sponsor picked a
problem with it, so I've just resent the update, corrected. It will
hopefully appear in Debian unstable in a day or two, and migrate
to testing about a fortnight from now, give or take.

However, Debian Sarge will not gain the package automatically. Your best
bet is to either grab the source from the archive and build it locally,
or wait until I become a Debian Developer, and backports.org moves up to
Sarge, as I intend to maintain a FreeRADIUS backport there for Sarge.

(My own RADIUS server runs Debian Sarge so you're in good company. ^_^)

The package I uploaded _may_ install directly on Sarge, but I can't
promise such. However, when I do get time to build 1.0.4 for sarge for
my own box, I'll post packages somewhere and let the list know, until
I start using backports.org.

-- 
Paul TBBle Hampson, on an alternate email client.


Re: How to solve alive user who actually has logged off

2005-06-20 Thread Paul Hampson
On Mon, Jun 20, 2005 at 06:54:45PM +0800, ??? wrote:
 I want to do something to make freeradius believe that user
 testuser is not alive, but do not know how to do it. Is there a way to
 solve the problem?

Have a look at Simultaneous-Use in the docs directory.


-- 
Paul TBBle Hampson, on an alternate email client.


Re: stripping a slash?

2005-06-18 Thread Paul Hampson
On Fri, Jun 17, 2005 at 10:00:16AM -0500, Chris Sigler wrote:
 Okay, checked into it, and we don't use a / as a delimiter at any
 point that we can find.

In that case, freeradius -X and see if you can spot where it's
happening.

-- 
Paul TBBle Hampson, on an alternate email client.


Re: 1.0.4

2005-06-16 Thread Paul Hampson
On Thu, Jun 16, 2005 at 10:51:09AM +0200, Nicolas Baradakis wrote:
 Paul Hampson wrote:
 Could you also get 1.0.4 ready?  It should be released soon, and
   I've been busy...

  1.0.4's autoconf'd and tagged in CVS as release_1_0_4, and I believe is
  ready to ship. (Only build-tested with Debian by me, bug reports
  welcome. ^_^)

 Is it too late now to include in 1.0.4 the clients.conf(5) manpage
 added recently in CVS head ?

Only if Alan's already taken a snapshot to tarball. I've just imported
and tagged it for release_1_0_4.

-- 
Paul TBBle Hampson, on an alternate email client.


Re: 1.0.4

2005-06-16 Thread Paul Hampson
On Thu, Jun 16, 2005 at 12:04:51PM +0200, Nicolas Baradakis wrote:
 Paul Hampson wrote:

   Is it too late now to include in 1.0.4 the clients.conf(5) manpage
   added recently in CVS head ?

  Only if Alan's already taken a snapshot to tarball. I've just imported
  and tagged it for release_1_0_4.

 Thank you, it was added very quickly.

What can I say? The Thursday night TV lineup is very ordinary this
season. ^_^

 I also noted a small-tiny-minor thing in debian/control. In Debian
 stable the default version of MySQL is now 4.0.24-10, therefore I
 think we could ask for libmysqlclient12-dev instead of
 libmysqlclient10-dev.

Nice catch, and done. I did it in the Debian Archive version already...

I'll have to see if there's anything else I've missed when I upload
1.0.4 to Debian. dpatch is about to become my new best friend.

-- 
Paul TBBle Hampson, on an alternate email client.


Re: Undefined symbol with eaptls / freeradius 1.0.3 (debian)

2005-06-16 Thread Paul Hampson
On Thu, Jun 16, 2005 at 02:57:37PM +0200, Antonio-Blasco Bonito wrote:
 I compiled and installed freeradius-1.0.3 on debian sarge. It runs.
 But when using rlm_eap_ttls-1.0.3.so I'm having the same problem
 described six months ago by Julien (see below).

 Then I tried the latest freeradius-snapshot-20050615 but I get errors in
 the install phase:

I think the rlm_eap stuff in CVS HEAD (where the snapshot comes from) is
in flux. Try adding --with-static-modules=rlm_eap_tls to the configure
line in debian/rules, and see if that helps. If not, try --enable-static
--disable-dynamic instead.

 *** Warning: Linking the shared library rlm_eap_peap.la against the
 loadable module
 *** rlm_eap_tls.so is not portable!
 
 *** Warning: Linking the shared library rlm_eap_peap.la against the
 loadable module
 *** libeap.so is not portable!
 gcc -shared  .libs/rlm_eap_peap.o .libs/peap.o  -Wl,--rpath
 -Wl,/usr/local/lib -L/usr/local/lib -lradius -lrlm_eap_tls
 -L/usr/local/src/freeradius-snapshot-20050615/src/modules/rlm_eap/libeap
 -leap -lssl -lnsl -lresolv -lpthread -lcrypto  -Wl,-soname
 -Wl,rlm_eap_peap-1.1.0-pre0.so -o .libs/rlm_eap_peap-1.1.0-pre0.so
 /usr/bin/ld: cannot find -lrlm_eap_tls
 collect2: ld returned 1 exit status
 libtool: install: error: relink `rlm_eap_peap.la' with the above command
 before installing it
 make[11]: *** [install] Error 1

 Can somebody give me any hints how to get out of this problem?

You'll have to provide more output, you've trimmed the interesting
stuff, I think. (The rlm_eap_tls build output, for a start)

There was a patch on the list more recently than that which might
help. Or maybe it was in the FreeRADIUS bug tracker?

-- 
Paul TBBle Hampson, on an alternate email client.


Re: stripping a slash?

2005-06-16 Thread Paul Hampson
On Thu, Jun 16, 2005 at 04:51:53PM -0500, Chris Sigler wrote:
 For some reason, when we run a query against radius and the username
 starts with a slash, it seems to ignore the slash.

 As a result, a user is able to log in with both bob and /bob,
 although only one is right. Any ideas what could be the cause of this?

Check if you've got a realm module in preprocess which is set to use
'/' as the delimiter. I think the default config does...

-- 
Paul TBBle Hampson, on an alternate email client.


Re: stripping a slash?

2005-06-16 Thread Paul Hampson
On Thu, Jun 16, 2005 at 08:15:32PM -0500, Chris Sigler wrote:
 We're using mysql to authenticate... Sorry, I guess I should have
 mentioned that. If I'm not mistaken, this won't apply...

Nope. Using rlm_sql has no bearing on which preprocess modules are
run (unless you've got a very very strange setup... I can't even
imagine the fail-over stanzas needed to do that).

Otherwise, realms and proxying would be impossible when using rlm_sql
to authorise.

-- 
Paul TBBle Hampson, on an alternate email client.


Re: Generating freeradius 1.0.3

2005-06-15 Thread Paul Hampson
On Mon, Jun 13, 2005 at 01:43:36PM -0400, Software Development Group wrote:
 Running Debian, I have done a $ fakeroot dpkg-buildpackage -b on the 
 freeradius 1.0.3 directory. I get a warning saying

That should be dpkg-buildpackage -rfakeroot -b, although the
above should also work...

 remember to run 'libtool --finish /usr/lib/freeradius'
 
 which I do when the process finishes, and three error messages:

That looks correct to me.

 dpkg-shlibdeps: warning: could not find path for libeap-1.0.3.so
 dpkg-shlibdeps: warning: could not find path for libradius-1.0.3.so
 dpkg-shlibdeps: warning: could not find path for libradius-1.0.3.so

That's a surprise, but not completely unexpected... They're only
warnings, did you get packages out in the end?

-- 
Paul TBBle Hampson, on an alternate email client.


Re: Debian .deb Installation Version 1.0.2 CA.all doesn't exist

2005-06-15 Thread Paul Hampson
On Tue, Jun 14, 2005 at 03:09:20PM +0200, Michael Langer wrote:
 Hi @all,

 I read some HowTos for installing FreeRadius/PEAP and they have used the
 CA.all script to create the certificates. But I can't find this script after
 installing FreeRadius deb version 1.0.2 on my PC. Do I have to install other
 packages? OpenSSL is already installed. (After installing Freeradius)

Oh. Wow. You're the first person to notice that I completely missed the
scripts/ directory in the FreeRADIUS package. _

If you're working from the version in the Debian archive, I'll make an
upload of 1.0.3 to address this by the weekend. If you're working from
the release on the website, you'll have to grab the release_1_0 tree
from CVS once I fix this.

For CVS head, this should be caught when I rearrange the debian/
directory there to use dpatch, real soon now. ^_^

I'll prolly put 'em in /usr/share/doc/freeradius/examples/, unless you
want to jump up with a better idea?

.../scripts/ comes to mind too. I might do that instead.

-- 
Paul TBBle Hampson, on an alternate email client.


Re: Generating freeradius 1.0.3

2005-06-15 Thread Paul Hampson
On Wed, Jun 15, 2005 at 10:24:23AM -0400, Software Development Group wrote:
 Yes, it generated .deb packages. I have run them and apparently they 
 installed correctly but when I run the application I get an:
 
 radiusd.conf[2] Failed to link to module 'rlm_sqlcounter': 
 /usr/lib/freeradius/rlm_sqlcounter.a: invalid ELF header

That's a worry, since it should be linking to the .so, not the
.a (which is a static archive, not a dynamically linked file
and so does not _have_ an ELF header.)

I'll have a look at it now.

-- 
Paul TBBle Hampson, on an alternate email client.


Re: freeradius 1.0.4

2005-06-15 Thread Paul Hampson
On Thu, Jun 16, 2005 at 03:29:05PM +1200, Andrew Thompson wrote:
 Hi,

 I maintain the FreeRADIUS port for FreeBSD and am holding off upgrading
 from 1.0.2 due to the imminent release of 1.0.4 (06 June).

 There doesn't seem to be any discussion on the mailing lists, is 1.0.4
 due soon or should I upgrade to 1.0.3 in the interim?

Sorry about the delay. I'm just about to go prep and tag it, so a
release in the next few hours, I hope.

-- 
Paul TBBle Hampson, on an alternate email client.


1.0.4 (Was: Debian .deb Installation Version 1.0.2 CA.all doesn't exist)

2005-06-15 Thread Paul Hampson
On Wed, Jun 15, 2005 at 12:53:49PM -0400, Alan DeKok wrote:
 [EMAIL PROTECTED] (Paul Hampson) wrote:
  If you're working from the version in the Debian archive, I'll make an
  upload of 1.0.3 to address this by the weekend. If you're working from
  the release on the website, you'll have to grab the release_1_0 tree
  from CVS once I fix this.

   Could you also get 1.0.4 ready?  It should be released soon, and
 I've been busy...

1.0.4's autoconf'd and tagged in CVS as release_1_0_4, and I believe is
ready to ship. (Only build-tested with Debian by me, bug reports
welcome. ^_^)

  I'll prolly put 'em in /usr/share/doc/freeradius/examples/, unless you
  want to jump up with a better idea?

   examples/scripts
   examples/conf

I'll leave this for the weekend. I'll fix it all up in HEAD. Unless we
do a 1.0.5 (O_O) I won't bother playing with the release_1_0 branch
anymore, but I will do it for the Debian package of 1.0.4.

-- 
Paul TBBle Hampson, on an alternate email client.


Re: Exec-Program-Wait vs rlm_exec

2005-05-06 Thread Paul Hampson
On Thu, May 05, 2005 at 08:22:44AM -0600, [EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] wrote:
  On Tue, May 03, 2005 at 10:23:05AM -0600, [EMAIL PROTECTED]
  wrote: 
  Hi, what do you consider the best solution when you need to run an
  external program to make additional checks when an access request is
  received, exec-program-wait or rlm_exec? I'm using exec-program-wait,
  should I use rlm_exec instead? The script checks some item like credit
  amount and returns 0 or 1 if success or fail, thanks
  
  I like rlm_exec because it gives you more control over _where_ the
  execution happens, and also you can have more than one, and control
  the output attribute's destination and (with the eventual 1.1.0
  release) you can control the quoting of the environment variables and
  actually get 
  to return an RLM_-type result so it can participate in failover.
  
  And exec-program-wait is deprecated. ^_^
 
 deprecated? OK, I must pay more attention to the mailing list.
 In my config, I run different scripts depending on the group of the username
 (table usergroup), can this be done using rlm_exec? Can you point me to
 some documentation on the options of rlm_exec? I can't find anything on the
 web. The exec echo example is very basic.

I do this with Post-Auth-Type.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Upgrading freeradius 1.0.2 with freeradius-snapshot-20050502

2005-05-06 Thread Paul Hampson
On Thu, May 05, 2005 at 01:05:33PM -0400, Alan DeKok wrote:
 [EMAIL PROTECTED] (Paul Hampson) wrote:
  Which will give you the current 1.0.3 candidate. Then you can cvs update
  whenever something else is committed to it.

   We should probably release 1.0.3 soon.

Well, I've just been handed some rlm_sql (possible) security bugs,
which I'm going to look hard at this weekend. Then we can release
1.0.3.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307720

  you won't get the files that Debian cannot distribute as free
  software... That's only later RFCs as I recall.

   That still bugs me.  The documents say if you edit them you can't
 claim they're RFC's.  Other than that, distribution is unlimited.
 There is no conflict with the GPL.

It's not a GPL issue, it's a DFSG issue.

   Oh well.  There have been enough flame wars about this on the debian
 lists already.

Yeah. The old adage about poking sleeping crocodiles...

  I think the CVS snapshots at the moment are in flux... If
  not, you're the second person I've seen hit this, so... Hmm.

   It's fixed.  The CVS snapshot now does IPv6, among other changes.

Excellent. ^_^ I guess I better get off my ass and convert it to dpatch
at some point before it ships.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Upgrading freeradius 1.0.2 with freeradius-snapshot-20050502

2005-05-04 Thread Paul Hampson
On Mon, May 02, 2005 at 10:54:39PM -0700, Abdul Lateef wrote:
 Hi guys,

 I installed freeradius 1.0.2 on my redhat box. all
 thing is working well. 
 But there is some  error like:

 Mon May  2 14:43:09 2005 : Error: Exec-Program:
 Abnormal child exit: No child processes
 Mon May  2 15:06:36 2005 : Error: Dropping conflicting
 packet from client 10.0.0.28:1812 - ID: 12 due to
 unfinished request 2065

 In radius log file. 

 I read more threads about this error, and at last i
 found, that i have to upgrade with snapshot. 
 I don't have any idea how to upgrade but for the test
 I downloaded it from the web site and i tried to
 install using following commond:

http://www.freeradius.org/development.html#cvs

Best thing to do would be...
cvs -d :pserver:[EMAIL PROTECTED]:/source login
(CVS password: anoncvs)
cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -j release_1_0 radiusd 

Which will give you the current 1.0.3 candidate. Then you can cvs update
whenever something else is committed to it.

Alternatively, you can grab the source and patch for Debian's 1.0.2-3
from your nearest debian mirror (That's pool/main/f/freeradius/, grab
freeradius_1.0.2-3.diff.gz and freeradius_1.0.2.orig.tar.gz) although
you won't get the files that Debian cannot distribute as free
software... That's only later RFCs as I recall.

Of course, if you were running Debian this fix would be only an
apt-get away. ^_^

 $ ./configure

   $ make install
 
 But when i am running make. I found 2 error which i am
 going to post following

 macsha1.c  -fPIC -DPIC -o .libs/hmacsha1.o
 In file included from hmacsha1.c:15:
 ../include/sha1.h:15: syntax error before uint32_t
 ../include/sha1.h:15: warning: no semicolon at end of

I think the CVS snapshots at the moment are in flux... If
not, you're the second person I've seen hit this, so... Hmm.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Exec-Program-Wait vs rlm_exec

2005-05-04 Thread Paul Hampson

On Tue, May 03, 2005 at 10:23:05AM -0600, [EMAIL PROTECTED] wrote:
 Hi, what do you consider the best solution when you need to run an external
 program to make additional checks when an access request is received,
 exec-program-wait or rlm_exec? I'm using exec-program-wait; should I use
 rlm_exec instead? The script checks some items like credit amount and returns
 0 or 1 for success or fail,
 thanks

I like rlm_exec because it gives you more control over _where_ the
execution happens, and also you can have more than one, and control the
output attribute's destination and (with the eventual 1.1.0 release) you
can control the quoting of the environment variables and actually get
to return an RLM_-type result so it can participate in failover.

And exec-program-wait is deprecated. ^_^

-- 
Paul TBBle Hampson, on an alternate email client.



Re: clients.conf - allowing all?

2005-05-04 Thread Paul Hampson
On Wed, May 04, 2005 at 06:33:13AM -0700, Jacques wrote:
 Hi. 

 Quick question. Is there any way to do some sort of allow all on
 clients.conf. So FreeRadius wont care where the client is coming from,
 as long as it has the secret.

 The reason (obviously) is my radius server is external and NAS is on a
 dynamic ip.

Can you maybe have your NAS connect to you over a VPN of some kind?
Then you could lock the clients.conf down to the IP addresses that
VPN can assign to that NAS.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Best Way to Run Radius Server over Multi - Satellite Pops

2005-05-02 Thread Paul Hampson
On Mon, May 02, 2005 at 11:28:52PM +0200, Sarkis Gabriel wrote:
 Brilliant, that is something to work on. I am already using mysql as a backend
 for my user list, so I can use that with replication.

 I just want to make sure: does it replicate both ways or just main replication
 server
 to slave?

 The reason I ask is that a lot of accounting stuff will be gathered
 locally.

MySQL only replicates one way. In theory you can have two dbs circularly
replicating back and forth (maybe only with 4.1?) but for this you will
probably be better with radrelay, since you really just want to
push accounting data up to a central server, while authentication data
flows down _from_ the central server.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Error: Dropping conflicting packet due to unfinished request

2005-04-08 Thread Paul Hampson
On Thu, Apr 07, 2005 at 02:05:04PM -0400, Alan DeKok wrote:
 Juan Nin [EMAIL PROTECTED] wrote:
  also, another issue that worries me is that if I change my
  authentication method on /etc/raddb/users so as to be the following:

   Ah... That's a bug in the run external program code.  It's fixed
 in the latest CVS snapshot.

Which fix is this? I hit the same problem, but hadn't had a chance to
debug it, and I can't see the change in CVS that either caused or fixed
it. (It only started happening to me when I moved from my PPC machine to
an i386 machine, so I was blaming NPTL for the problem and just rewrote
around all my wait=yes rlm_exec modules.)

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Automated logout for rogue/zombie user sessions

2005-04-06 Thread Paul Hampson
On Wed, Apr 06, 2005 at 03:05:41PM +0200, John Eckert wrote:
 Hi List,

 is there a way to log out zombie users. I mean users that
 did a login (auth. + acct.) but no logout because of a
 problem with the NAS. This happens when the NAS gets rebooted
 due to a power fault with logged in users. No volitional
 reboot.

Doesn't the NAS send an Accounting-On packet or something?
If it does, you can use that to clear the logged-on sessions
from that NAS.

 I have simultaneous sessions = 1 so the user cannot login
 after reboot of the NAS, because the RADIUS server says he
 is still logged in.

 The NAS sends an Alive message every 2 minutes, so perhaps
 there is a way to log out every user for whom there was no
 Alive message in the last 5 minutes?

I use a cron job to scan the logged in users, and spot those
who've not had an ALIVE packet in a little while. It used to
call radzap, but a problem with RadAcctID truncation means I
can't generate correct radzap calls from radwho, so I dropped
radutmp and just do it against the database.

select UserName, NASIPAddress, NASPortId,
       (UNIX_TIMESTAMP(NOW()) -
        UNIX_TIMESTAMP(AcctStartTime + INTERVAL AcctSessionTime SECOND))/60 AS Minutes,
       NasPortType, RadAcctId, FramedIPAddress
from radacct where AcctStopTime = 0;

Then for each record, either:
radzap -r radiusserver {NASIPAddress} {NASPortId} {UserName}
or
UPDATE radacct SET AcctStopTime=NOW() WHERE UserName = {UserName}
AND RadAcctId = {RadAcctId} AND AcctStopTime = 0;

That's in a cron job every ten minutes:
*/10 * * * * /usr/local/sbin/loststop.pl

And you're done.

I will be moving soon to being able to query the NAS for
simultaneous-use information instead, since the ALIVE packets
only come every half-hour. _

The other disadvantage I hit with the SQL solution was that the
daylight savings changeover always bites me. In spring, I
get users disconnected too quickly. In autumn, I get them
disconnected too late.

-- 
Paul TBBle Hampson, on an alternate email client.

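The cron-job logic from the post above, written out as an added example; it is not the original loststop.pl and not FreeRADIUS code. It runs against an in-memory sqlite3 copy of a radacct table filled with constructed rows; the column names follow the FreeRADIUS 1.0 MySQL schema, while the ten-minute silence threshold and the timestamps are assumptions. The arithmetic is done in Python on UTC values rather than in SQL on local-time DATETIMEs, which is what sidesteps the daylight-saving problem the post mentions; a real MySQL radacct holds local time, so a production script converts on the way in (or the server simply runs in UTC).

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed rows for a FreeRADIUS 1.0-style radacct table (subset of
# columns). Open sessions have AcctStopTime NULL. rlm_sql's interim-update
# query keeps AcctSessionTime current, so AcctStartTime + AcctSessionTime
# is when the last Alive packet for the session arrived.
# All timestamps are naive UTC (an assumption for this example).
SAMPLE_ROWS = [
    # RadAcctId, UserName, NASIPAddress, NASPortId, AcctStartTime, AcctSessionTime, AcctStopTime
    (1, "alice", "10.0.0.28", "1", "2005-04-06 12:00:00", 3540, None),  # last Alive 12:59
    (2, "bob",   "10.0.0.28", "2", "2005-04-06 11:00:00", 5400, None),  # last Alive 12:30, NAS then lost power
    (3, "carol", "10.0.0.29", "7", "2005-04-06 10:00:00", 3600, "2005-04-06 11:00:00"),  # stopped cleanly
    (4, "dave",  "10.0.0.29", "3", "2005-04-06 12:55:00", 0, None),     # just started, no update yet
]
SAMPLE_NOW = datetime(2005, 4, 6, 13, 0, 0)  # "now" for the sample data
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def open_sample_db():
    """Build an in-memory radacct holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, UserName TEXT,"
        " NASIPAddress TEXT, NASPortId TEXT, AcctStartTime TEXT,"
        " AcctSessionTime INTEGER, AcctStopTime TEXT)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_lost_sessions(conn, now, max_silence=timedelta(minutes=10)):
    """Open sessions whose last update is older than max_silence.

    Returns [(RadAcctId, UserName, NASIPAddress, NASPortId), ...], which is
    also everything radzap needs if you prefer zapping to an UPDATE.
    """
    lost = []
    cur = conn.execute(
        "SELECT RadAcctId, UserName, NASIPAddress, NASPortId, AcctStartTime,"
        " AcctSessionTime FROM radacct WHERE AcctStopTime IS NULL"
    )
    for acctid, user, nas, port, start, session_time in cur:
        last_seen = datetime.strptime(start, TIME_FMT) + timedelta(seconds=session_time or 0)
        if now - last_seen > max_silence:
            lost.append((acctid, user, nas, port))
    return lost


def close_lost_sessions(conn, now, max_silence=timedelta(minutes=10)):
    """Stamp AcctStopTime on each lost session, keyed by RadAcctId so a
    newer session of the same user on another port is never touched.
    Returns the RadAcctIds that were closed."""
    closed = []
    for acctid, user, _nas, _port in find_lost_sessions(conn, now, max_silence):
        conn.execute(
            "UPDATE radacct SET AcctStopTime = ? WHERE RadAcctId = ?"
            " AND UserName = ? AND AcctStopTime IS NULL",
            (now.strftime(TIME_FMT), acctid, user),
        )
        closed.append(acctid)
    conn.commit()
    return closed


if __name__ == "__main__":
    # From cron you would pass the current UTC time and open the live database.
    db = open_sample_db()
    print("lost:", find_lost_sessions(db, SAMPLE_NOW))
    print("closed:", close_lost_sessions(db, SAMPLE_NOW))
    print("remaining:", find_lost_sessions(db, SAMPLE_NOW))
```

Keying the UPDATE on RadAcctId (and checking AcctStopTime is still NULL) is what keeps a cron run that overlaps a fresh login from closing the wrong row.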


Re: Freeradius and MySQL -- missing libraries?

2005-04-02 Thread Paul Hampson
On Fri, Apr 01, 2005 at 12:42:18PM -0800, Rick Kunkel wrote:
 Hello all,
 When I run an ldd though, I see this:
 # ldd rlm_sql_mysql.so
 libmysqlclient.so.12 => not found
 libz.so.1 => /usr/lib/libz.so.1 (0x4000b000)
 libcrypt.so.1 => /lib/libcrypt.so.1 (0x40019000)
 libnsl.so.1 => /lib/libnsl.so.1 (0x40046000)
 libm.so.6 => /lib/libm.so.6 (0x4005a000)
 libc.so.6 => /lib/libc.so.6 (0x4007b000)
 /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)
 
 Am I getting that error in debugging mode since libmysqlclient.so.12 is 
 missing, which causes rlm_sql_mysql.so to fail as well?

Yes.

 OK..on the OTHER RADIUS machine, when attempting to implement SQL, I get:

 rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and 
 linked
 rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
 rlm_sql (sql): starting 0
 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
 rlm_sql_mysql: Starting connect to MySQL server for #0
 rlm_sql_mysql: Couldn't connect socket to MySQL server 
 [EMAIL PROTECTED]:radius
 rlm_sql_mysql: Mysql error 'Client does not support authentication 
 protocol requested by server; consider upgrading MySQL client'

 This machine DOES have the libmysqlclient libraries, but maybe they're too 
 old?

That's right. You'll find you've got a mySQL 4.1 server, and
libmysqlclient.so.10 (from mySQL 3.x) installed. They won't work
together out of the box. You can tell the mySQL server to use the old
style of password authentication, as a workaround, I believe.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: rlm_exec: Wait=yes but no output defined

2005-03-31 Thread Paul Hampson
On Thu, Mar 31, 2005 at 11:33:00AM -0800, Rick Kunkel wrote:
 Heya all,

 I'm getting this warning when running. The longer version, in debugging 
 mode, is this:

 Module: Loaded exec 
  exec: wait = yes
  exec: program = (null)
  exec: input_pairs = request
  exec: output_pairs = (null)
  exec: packet_type = (null)
 rlm_exec: Wait=yes but no output defined. Did you mean output=none?

 This doesn't seem to be a section I'm using.  Should I just comment it 
 out?  Or maybe put output = none after input_pairs = request?  It 
 seems a harmless error, but I figured I'd clean it up anyhow.

That's a known bug (and harmless, as you say) in 1.0.2. The error
message _should_ say output_pairs=none but if you put that, it
will refuse to start because a defined output_pairs and wait=no
are incompatible.

FreeRADIUS 1.1's default for output_pairs is none, so for wait=no
you can leave it blank. (A null-program'd exec is a different case)

Or at least I think it is... Gotta check that.

 Is this the default setting?  And if so, why not simply comment it out or 
 put that output = none in by default too?

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Running radiusd as the nobody user

2005-03-31 Thread Paul Hampson
On Thu, Mar 31, 2005 at 04:29:28PM -0600, Dennis Comeaux wrote:
 Our security team wants radiusd running as a secure user.  I've
 attempted to run it as nobody by editing radiusd.conf but I get a
 bunch of permission denied errors:

The debian build scripts (debian/rules and debian/*.postinst) install
such that FreeRADIUS runs as user freerad, if that's any help for how to
do it. Although there's a problem at the moment with dialupadmin trying
to access things the www-data user hasn't permission for.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: FreeRADIUS and MySQL+SSL

2005-03-31 Thread Paul Hampson
On Fri, Apr 01, 2005 at 01:34:37AM +0200, Wolfram Schlich wrote:
 * Wolfram Schlich [EMAIL PROTECTED] [2005-03-19 13:11]:
  * Paul Hampson [EMAIL PROTECTED] [2005-03-19 04:56]:
   On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
* Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
[ FreeRADIUS + MySQL + SSL ]
Ok, I have sat down and hacked something together, with a little help
from a friend. I probably did something wrong or suboptimal (as I
said, I am not a C coder), but at a first glance, it seems to work fine.
Here's the patch:
   

http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
   
   [...]
   I don't
   give it much chance of getting into 1.0.3, especially since MySQL don't
   distribute SSL-enabled binaries.
  
  What does the MySQL client distribution policy have to do
  with this?! *wonder*
  
   They're apparently moving away from
   OpenSSL in the server, but no indication that they're going to
   un-OpenSSL the _client_ libraries. [1] [2]
  
  Well, OpenSSL or GnuTLS -- it doesn't matter as long as the
  MySQL protocol keeps supporting SSL'd connections...
  I have posted a comment to [2] in order to get some more information
  from that MySQL guy.
 
 There's some news: MySQL is going for yaSSL in the 5.0 tree:
 
   http://bugs.mysql.com/bug.php?id=8508&error=lp
 
 Anyway, it won't affect the mysql_ssl_set() function I guess.

Hmm. For the record, [1] too. Yassl looks interesting.

You're right though, as long as they don't change the libmysqlclient
API, all the previous comments about protecting it with a #define based
on a header function check are sufficient.

[1] http://bugs.mysql.com/bug.php?id=6924

-- 
Paul TBBle Hampson, on an alternate email client.



Re: No FreeRADIUS on Debian in the future ?

2005-03-30 Thread Paul Hampson
On Wed, Mar 30, 2005 at 06:28:46PM +, Mark Wasmer wrote:
 Today i've read the Debian-Weekly-News March 29th, 2005 and got worried :
 
 Build-Dependency against libtool 1.4. Andrew Pollock noticed that five
 packages still declare a build-dependency against libtool 1.4 which is
 orphaned and will be removed. Frank Lichtenheld proposed to open bug
 reports against packages that use libtool 1.4 files to upgrade to
 version 1.5 which was considered a good idea. Henrique de Moraes
 Holschuh also suggested to force the use of newer libtool, autoconf and
 gettext utilities.

 FreeRADIUS depends on this package - can someone tell me what this means
 to me in the future as i like to use FreeRADIUS on Debian Sarge ?

There is already a bug report open against FreeRADIUS in Debian about
libtool 1.4. The decision the release managers and myself came to was
that forward-porting FreeRADIUS 1.0 to autoconf2.5/libtool1.5 was not
feasible, and we do not want a non-released (CVS pull) FreeRADIUS in
Debian/stable (ie. Sarge when it's released). Post-sarge, I'm expecting
FreeRADIUS 1.1 will be out, and we can get rid of libtool1.4.

I didn't read the Debian Weekly News article, and unless this thread
appeared on Debian-Devel in the last couple of days, it's not been
discussed anywhere I'm party to. So it's a bit of a surprise to me.

In short, I think this is an issue that was dealt with last year, and
I fully expect Sarge will include libtool1.4, as agreed previously.

Of course, if FreeRADIUS 1.1 is out before Sarge ships, I will consider
trying to get it into Sarge. But that is not to my mind very likely to
occur. We'll burn that bridge when we come to it.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: (Fwd) Problem using Freeradius and Mysql

2005-03-25 Thread Paul Hampson
On Fri, Mar 25, 2005 at 11:52:03AM +0100, Christoph Galuschka wrote:
 Hello,

 solved the problem myself.

 There seems to be a change in rlm_sql.c which causes the
 difference in translation of %.

 thanks and regards
 Christoph Galuschka
 --- Forwarded message follows ---
 From: Christoph Galuschka [EMAIL PROTECTED]
 Organization: Ti.KOM Tirol Kommunikation GmbH
 To:   freeradius-users@lists.freeradius.org
 Subject:  Problem using Freeradius and Mysql
 Priority: normal
 Send reply to:freeradius-users@lists.freeradius.org
 Date sent:Thu, 24 Mar 2005 19:30:57 +0100

 [ Double-click this line for list subscription options ]

 Hello,

 I seem to be running in a little problem.
 I'm just setting up a second RADIUS server for backup
 purposes. Both machines use mysql, replication is done by
 mysql itself.
 The older machine runs 1.0.1, the new one should run 1.0.2.
 Both machines are pretty much the same (same SuSE release,
 similar kernel).

 Some of our users have to use the % in their names. On
 1.0.1 this gets translated to =3D25.
 On the 1.0.2 release this gets translated to =25, so
 authentication doesn't work anymore.

The change is that it's not getting encoded twice anymore.
(Which was wrong)
ie in 1.0.1 % => '=25' and then '=25' => '=3D25'
in 1.0.2 % => '=25'.

That is to say '=' => '=3D'. ^_^

-- 
Paul TBBle Hampson, on an alternate email client.

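The encoding described above, as an added example rather than rlm_sql's own code: the 1.0 rlm_sql escape function replaces each character it does not consider safe with '=' followed by the byte's hex value, and 1.0.1 ran that pass twice. The set of characters treated as safe here is an assumption, chosen so the two examples in the post hold ('%' becomes '=25', '=' becomes '=3D'); the stored radcheck usernames are constructed. The last function shows how a site that stored names in the double-escaped form can migrate them to the single-escaped form a 1.0.2 query will match.

```python
import string

# Characters passed through unescaped. Assumed set for this example; the
# real rlm_sql allowed-character table may differ, but '%' and '=' are
# escaped in both, which is all the post depends on.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + "@.-_")


def sql_escape(value):
    """One rlm_sql-style pass: every unsafe character becomes =XX (hex)."""
    return "".join(ch if ch in SAFE_CHARS else "=%02X" % ord(ch) for ch in value)


def sql_unescape(value):
    """Inverse of one sql_escape pass. A '=' that is not followed by two hex
    digits is left alone rather than raising, so mixed data survives."""
    out = []
    i = 0
    while i < len(value):
        if value[i] == "=" and i + 3 <= len(value):
            hexpart = value[i + 1:i + 3]
            if all(c in string.hexdigits for c in hexpart):
                out.append(chr(int(hexpart, 16)))
                i += 3
                continue
        out.append(value[i])
        i += 1
    return "".join(out)


def escape_1_0_1(value):
    """The 1.0.1 behaviour the post describes: the value was escaped twice,
    so the '=' introduced by the first pass became '=3D' in the second."""
    return sql_escape(sql_escape(value))


def escape_1_0_2(value):
    """The 1.0.2 behaviour: a single pass."""
    return sql_escape(value)


# Constructed radcheck usernames as a 1.0.1 site would have stored them
# (double-escaped), so that the authorize query's UserName comparison matched.
STORED_1_0_1 = frozenset({"bob=3D25isp", "o=3D27brien", "alice"})


def lookup(stored_names, username, escape):
    """Would the escaped form of the request's User-Name match a stored row?"""
    return escape(username) in stored_names


def migrate_stored_username(stored_name):
    """Convert a double-escaped stored name to the single-escaped form by
    undoing exactly one escape pass."""
    return sql_unescape(stored_name)


if __name__ == "__main__":
    for name in ("bob%isp", "o'brien"):
        print(name, "->", escape_1_0_2(name), "(1.0.2)", escape_1_0_1(name), "(1.0.1)")
    print("migrated:", sorted(migrate_stored_username(n) for n in STORED_1_0_1))
```

Note that the '=XX' form is not MySQL quoting: the database stores and compares the escaped text literally, which is why rows stored under one encoding stop matching as soon as the server starts sending the other.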


Re: FreeRADIUS and MySQL+SSL

2005-03-19 Thread Paul Hampson
On Sat, Mar 19, 2005 at 02:06:56PM +0100, Wolfram Schlich wrote:
 * Paul Hampson [EMAIL PROTECTED] [2005-03-19 04:56]:
  On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
   * Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
* Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
 Hey guys,

 we would like to implement the following setup:
 - FreeRADIUS radiusd on machine A
 - MySQL mysqld on machine B

 FreeRADIUS should use the MySQL database on machine A over an SSL
 secured connection. Does FreeRADIUS support SSL for MySQL connections?

I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
as the mysql sources (/usr/include/mysql/mysql.h).

It looks like you need to call mysql_ssl_set() with the needed
parameters (mysql socket connection, ssl key file, ssl cert file, ssl
ca file, ssl ca path and ssl cipher) right after the mysql_init()
call, which is located in line 76 of the sql_mysql.c file (at least in
the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
src/modules/rlm_sql/drivers/rlm_sql_mysql).

Any volunteers for coding a test implementation? :)

   Ok, I have sat down and hacked something together, with a little help
   from a friend. I probably did something wrong or suboptimal (as I
   said, I am not a C coder), but at a first glance, it seems to work fine.
   Here's the patch:

 http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch

  Please remember to post patches to the list for easier discussion.

 Ok, sorry.

  And also, this sort of patch would probably be best against HEAD.
 
 The patch wasn't meant as an official submission for upstream, but
 as a basis for a discussion :)

Yeah, sorry about that. I didn't notice this was on -user instead of
-devel, and treated it as if it was on the latter. _

  I don't
  give it much chance of getting into 1.0.3, especially since MySQL don't
  distribute SSL-enabled binaries.
 
 What does the MySQL client distribution policy have to do
 with this?! *wonder*

Basically, things going into 1.0.3 (if it happens) are bug fixes, not
feature changes. The fact that you have to recompile your mySQL locally
anyway to enable SSL makes it reasonable to me to say this change is
something you can patch in yourself as well.

If upstream binaries were coming SSL-enabled, we could almost build a
case that this is a bug, rather than a new feature.

Still, it has to get into HEAD before I'll consider it for 1.0.3, so one
hurdle at a time.

  They're apparently moving away from
  OpenSSL in the server, but no indication that they're going to
  un-OpenSSL the _client_ libraries. [1] [2]

 Well, OpenSSL or GnuTLS -- it doesn't matter as long as the
 MySQL protocol keeps supporting SSL'd connections...
 I have posted a comment to [2] in order to get some more information
 from that MySQL guy.

It matters as far as distributing binaries goes. You can't distribute a
binary that links GPL code without any exception (such as FreeRADIUS and
many of its depended-on libraries) with OpenSSL.

It's slightly more complicated than that, but there is a license issue
of some kind which needs to be looked out for. It doesn't really affect
_us_, but it's something to be mindful of when playing with these
things.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: FreeRADIUS and MySQL+SSL

2005-03-18 Thread Paul Hampson
On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
 * Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
  * Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
   Hey guys,

   we would like to implement the following setup:
   - FreeRADIUS radiusd on machine A
   - MySQL mysqld on machine B

   FreeRADIUS should use the MySQL database on machine A over an SSL
   secured connection. Does FreeRADIUS support SSL for MySQL connections?

  I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
  as the mysql sources (/usr/include/mysql/mysql.h).

  It looks like you need to call mysql_ssl_set() with the needed
  parameters (mysql socket connection, ssl key file, ssl cert file, ssl
  ca file, ssl ca path and ssl cipher) right after the mysql_init()
  call, which is located in line 76 of the sql_mysql.c file (at least in
  the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
  src/modules/rlm_sql/drivers/rlm_sql_mysql).

  Any volunteers for coding a test implementation? :)

 Ok, I have sat down and hacked something together, with a little help
 from a friend. I probably did something wrong or suboptimal (as I
 said, I am not a C coder), but at a first glance, it seems to work fine.
 Here's the patch:

   http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch

Please remember to post patches to the list for easier discussion. And
also, this sort of patch would probably be best against HEAD. I don't
give it much chance of getting into 1.0.3, especially since MySQL don't
distribute SSL-enabled binaries. They're apparently moving away from
OpenSSL in the server, but no indication that they're going to
un-OpenSSL the _client_ libraries. [1] [2]

That said, this patch looks OK to me, although it does raise the
question of when that function was added to the mySQL client library.
It's not a problem if the client was built without SSL support, as the
function will still exist and run, but is effectively a no-op. [3]

I'd maybe be happier if it was a configure option, so that people who
_need_ to link against the LGPL libmysqlclient10 (or whatever it's
called outside Debian. ^_^) don't get stuck unable to build
rlm_sql_mysql. And with that configure option, I expect the configure
help to mention what version of the client library is needed. ^_^

(For reference, a quick check in Debian suggests that in 3.23.49,
the function is only present if mySQL was compiled with --with-ssl,
while in 4.0.23 it was always available. So this _does_ have to be
done before it can be accepted.)

If you like, you can probably make it a configure test that checks
for mysql_ssl_set being available in mysql.h, and flags it accordingly
to make it easier for the user. (eg. They have to do exactly nothing
to use their SSL-enabled libmysqlclient with FreeRADIUS.) This should
only be a line or two in configure.in. ^_^

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291945
[2] http://bugs.mysql.com/bug.php?id=8508
[3] http://dev.mysql.com/doc/mysql/en/mysql-ssl-set.html

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Compiling freeradius 1.0.2 with mssql support

2005-03-16 Thread Paul Hampson
On Wed, Mar 16, 2005 at 01:46:09PM +0100, Achim Schmidt wrote:
 Hello,

 I'm still trying to compile freeradius-1.0.2 with mssql support and without 
 mysql. Freetds is installed and working.

 I can't find that the lib is built in the make run. Also I'm missing 
 another file. If I look into the source tree of freeradius, in subdir:

 src/modules/rlm_sql/drivers/rlm_sql_freetds

 I saw only a Makefile. In this there is a reference to a file called

 sql_freetds.c

You'd have to pull it from the CVS Attic, it's been removed for over
two years for causing problems. FreeTDS was (according to upstream
advice at the time) an internal API and it was a moving target, so
it got dropped.

http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/drivers/rlm_sql_freetds/

-- 
Paul TBBle Hampson, on an alternate email client.



Re: question about ippools

2005-03-10 Thread Paul Hampson
On Thu, Mar 10, 2005 at 11:31:48AM -0900, Terry J Fike Jr wrote:
 I'm wondering if it is possible to set up an ippool for a single user? 
 Right now our users are flatfiled in the users file. Anyone with a 
 static has the info with their username; all the rest of the users get 
 their IP assigned by the NAS device they are logging in through. From 
 what I've read of the documentation, it seems the ippool setup is for 
 all users in all NAS devices (or did I read this wrong?). At this point 
 I believe the pool will be for use by the user no matter what NAS device 
 they are coming from (which I think is how it is supposed to work 
 anyway, right?)

It all depends on how you get the Pool-Name attribute added to the
user's configuration attribute list. If it's added for one user when
that user comes from a specific NAS, then only that user on that
specific NAS will get an IP from the relevant pool.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: question about ippools

2005-03-10 Thread Paul Hampson
On Thu, Mar 10, 2005 at 03:45:24PM -0900, Terry J Fike Jr wrote:
  It all depends on how you get the Pool-Name attribute added to the
  user's configuration attribute list. If it's added for one user when
  that user comes from a specific NAS, then only that user on that
  specific NAS will get an IP from the relevant pool.

 Okay, I see in the radiusd.conf where to set the pools, but where do I 
 define them as per-NAS? (ie: pool 1.2.3.0/24 to NAS1 and 1.2.4.0/24 to 
  NAS2)
 Then in the user's info just add Pool-Name := poolname, right?
 What is the Group == poolname part for in the DEFAULT?
 Would that be for the fallthroughs?

I'd use Post-Auth-Type along with Huntgroups or something similar to
set the Pool-Name correctly.

It's not something _built_ in, it's just something you can do with the
framework.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Packet of Disconnect

2005-03-02 Thread Paul Hampson
On Tue, Mar 01, 2005 at 12:52:52PM +1100, Mitchell, Michael J wrote:

   The information is in the PoD request.

 Kind of. From the NAS's perspective, the PoD only needs to contain the
 Acct-Session-Id. However obviously in order to proxy a request we at
 least need the NAS-IP-Address. I use this to map back to a Realm or a
 NAS which will ultimately handle the PoD.

   To ensure that bad things don't happen, the PoD *should* be 
 treated sort of like an Access-Accept, and the server should 
 see where the packet is proxied to.  IF the home server is 
 where the PoD request came from, then it's a real PoD 
 request, and is sent to the NAS.
 Otherwise, it's dropped.

 I must admit, my solution is not that comprehensive, and I'm not sure if
 it would even be possible. A PoD doesn't REQUIRE a User-Name attribute,
 so it would be difficult in that instance to map a PoD back to an
 appropriate home server for the specified session (NAS-IP-Address 
 Acct-Session-Id). The only attributes that are guaranteed (in my case)
 are NAS-IP-Address and Acct-Session-Id.

 My solution met my needs at the time as I had very specific
 requirements, and using freeRADIUS was the quickest way to a solution,
 as freeRADIUS obviously already has all the proxy and RADIUS packet
 handling logic, and is nice and modular, so its easy to add this stuff
 quickly (even if its not the best solution).

 I also haven't tried proxying directly to a NAS. Should be easy enough
 to set this up in our test lab though.

 Alan would be disgusted at my current butcher job ;-). However, I'll
 review what I have done (it was several months ago now) and report back
 as soon as I can (may take a few days though) - hopefully with something
 a little more elegant than I have currently.

I'm also thinking about multi-level proxies... For the setup I'm using,
the NAS talks to a pool of RADIUS proxies, which talk to my RADIUS
server, which may then (based on realm) proxy to _another_ RADIUS
server. I can't talk directly to the NAS (or at least, I doubt I can) so
I can generate PoD and send them to the proxy server pool attached to
the NAS, but if the one I'm proxying to wants to PoD, then I need some
kind of reverse-realm map so I can determine where the PoD has to go, as
unlike an Access-Accept, there's no Access-Request structure sitting in
memory describing where to reply to.

In my case, the reverse map can key by either NAS-IP-Address or
Realm... I look forward to whatever you come up with. ^_^

Maybe an extension of the clients.conf? Your NAS or PoD next hop should
be in there already... ^_^

There's also _another_ NAS + proxy pool that proxies to me, but they
don't do PoD. (They have a webpage, but I've not been game to set up a
wget-of-death).

-- 
Paul TBBle Hampson, on an alternate email client.

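A model of the PoD routing this thread is circling, as an added example that is neither Mitchell's module nor FreeRADIUS code: a Disconnect-Request is accepted only if it arrives from the home server that handled the session's realm (the check Alan describes), then forwarded to the next hop recorded for the NAS, with a realm-keyed fallback of the kind Paul's reverse map needs. Every address, realm, session and next-hop entry is constructed; a real implementation would read the session from radacct and the hops from clients.conf or the proxy configuration.

```python
# Constructed tables. Addresses come from documentation ranges, not real hosts.
LOCAL_SERVER = "192.0.2.1"  # this RADIUS server

# Realm -> home server that authenticates it (None: authenticated locally).
REALM_HOME = {
    "example.net": "203.0.113.7",
    "partner.example": "203.0.113.9",
    "local": None,
}

# Reverse map: NAS-IP-Address -> where a PoD for that NAS has to be sent
# (the proxy pool in front of the NAS, or the NAS itself when reachable).
NAS_NEXT_HOP = {
    "198.51.100.5": "192.0.2.10",
}

# Realm-keyed fallback for NASes we hold no direct route for.
REALM_NEXT_HOP = {
    "partner.example": "192.0.2.20",
}

# What radacct knows about live sessions:
# (NAS-IP-Address, Acct-Session-Id) -> realm the session was authenticated in.
SESSIONS = {
    ("198.51.100.5", "0000A1B2"): "example.net",
    ("198.51.100.5", "0000A1B3"): "local",
    ("198.51.100.9", "0000C0DE"): "partner.example",
}


def route_pod(pod, source_ip, sessions=SESSIONS):
    """Decide what to do with an incoming Disconnect-Request (PoD).

    pod maps attribute names to values; source_ip is the sending host.
    Returns ("forward", next_hop) or ("drop", reason).
    """
    nas = pod.get("NAS-IP-Address")
    session_id = pod.get("Acct-Session-Id")
    if not nas or not session_id:
        # Without both we cannot even identify the session, let alone route.
        return ("drop", "NAS-IP-Address and Acct-Session-Id are required")

    realm = sessions.get((nas, session_id))
    if realm is None:
        return ("drop", "no such session")

    # Only the server that authenticated the session may disconnect it;
    # a PoD from anywhere else is dropped, like a stray Access-Accept.
    home = REALM_HOME.get(realm)
    expected_sender = home if home is not None else LOCAL_SERVER
    if source_ip != expected_sender:
        return ("drop", "PoD for realm %s did not come from its home server" % realm)

    # Reverse map: first by NAS-IP-Address, then by realm.
    next_hop = NAS_NEXT_HOP.get(nas) or REALM_NEXT_HOP.get(realm)
    if next_hop is None:
        return ("drop", "no route back towards NAS %s" % nas)
    return ("forward", next_hop)


if __name__ == "__main__":
    genuine = {"NAS-IP-Address": "198.51.100.5", "Acct-Session-Id": "0000A1B2"}
    print(route_pod(genuine, "203.0.113.7"))   # from the home server: forwarded
    print(route_pod(genuine, "198.51.100.77")) # from a stranger: dropped
```

The session table is the piece that makes the origin check possible at all: without remembering which realm a session was authenticated in, there is nothing to compare the PoD's source against, which is the gap a User-Name-less PoD leaves.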


Re: Error: SSL_new in -lssl...no - went thru the docs and faq and google already before posting....

2005-02-27 Thread Paul Hampson
On Mon, Feb 28, 2005 at 12:05:33AM +1100, Michael Mitchell wrote:
 Thanks for the reply Stefan,

 I haven't tried linking freeRADIUS with static libraries yet, and I must 
 admit I missed the --disable-shared in J.Ho's email. Well picked up...

 I'm guessing the problem stems from this part of the configure.in 
 script, where it's checking for DH_new in -lcrypto prior to testing for 
 SSL_new in -lssl:

  # Look for the OpenSSL libraries.
smart_try_dir=$OPENSSL_LIB_DIR
FR_SMART_CHECK_LIB(crypto, DH_new)
if test x$ac_cv_lib_crypto_DH_new = xyes; then

It passes this OK.

  FR_SMART_CHECK_LIB(ssl, SSL_new)
  if test x$ac_cv_lib_ssl_SSL_new = xyes; then

and barfs on this.

 and, with this, you can just tell things are going to be messy:

  OPENSSL_LIBS=$OPENSSL_LIBS -lcrypto -lssl -lcrypto

That's needed because the linker doesn't try to back-resolve
dependencies, and OpenSSL's static libraries are interdependent or
something. The config.logs will prove more enlightening.

 ;-)

 If I get some time (schedule is tight at the moment!) I'll have a play 
 around with it to see if things can be improved, even just for my own 
 curiosity and learning how these things work! I've got issues with the 
 rlm_ldap configure script also that I'd like to finally sort out. I also 
 build on Solaris 9, so maybe we can get some of these issues that seem 
 to affect Solaris more than other systems sorted out...

 I'm all for trying to make life easier for future upgrades!

Keep in mind that the configure scripts have been upgraded to 2.57 in
CVS HEAD, which will be 1.1.0 sooner or later (hopefully sooner ^_^)
and this may already be fixed in CVS head.

 Oh, and I'm sure Alan wouldn't say no to patches if you already have 
 some fixes... ;-)

I'm happy to look at patches for 1.0.2 (everyone's talking about 1.0.1
here, I'm not taking patches for _that_) to fix this, unless we already
did so between 1.0.1 and 1.0.2. But unless they're obviously safe, I'll
need a hand testing them on various interesting implementations to be
sure everything still works no worse than 1.0.2. And if we're lucky,
there won't be a pressing need for 1.0.3 before 1.1.0 ships.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Undefined symbol with eaptls / freeradius 1.0.1 (debian)

2005-02-22 Thread Paul Hampson
On Tue, Feb 22, 2005 at 10:44:08AM +1100, Tom wrote:
 I've setup freeradius 1.0.1 on debian (sarge 2.6 kernel).

 I've included all the modules and set freeradius to use PEAP.

 When my authenticator passes the request over to the freeradius server
 I get (among other things):

 freeradius: relocation error:
 /usr/lib/freeradius/rlm_eap_peap-1.0.1.so: undefined symbol:
 eaptls_process

 After which the server immediately crashes.

 I've found this link:
 http://lists.cistron.nl/pipermail/freeradius-users/2004-December/038781.html
 which I believe relates to my situation.

 The reply there is -
 Yes. The libltdl in Debian includes a patch from the CVS version of
 libtool, which breaks the linkage used by rlm_eap_ttls and rlm_eap_peap
 into rlm_eap_tls. Try 1.1.0, which should work with the libltdl in
 Debian/sarge or Debian/sid.

 I've installed the latest version of libtool (1.5-something) using
 apt-get but I still have the same problem. I'm not too sure where to
 link where to what - what is it that freeradius is looking for and
 what should I do to point it in the right direction?

 I'm not familiar with libltdl at all so it hasn't been easy to google
 this out, any help is greatly appreciated :)

Just upgrading libtool won't work, as libtool 1.5 requires a more recent
version of autoconf than is used in FreeRADIUS 1.0.1.

As the above post suggests, try 1.1.0 (eg. CVS head) which builds with
libtool 1.5 and autoconf 2.57 and where PEAP and TTLS _should_ work.
(Although I've not tested them myself)

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Undefined symbol with eaptls / freeradius 1.0.1 (debian)

2005-02-22 Thread Paul Hampson
On Wed, Feb 23, 2005 at 10:24:45AM +1100, Tom wrote:
 Thanks very much for your reply I appreciate your help and I've just
 got a couple of followup questions.

 Just upgrading libtool won't work, as libtool 1.5 requires a more recent
 version of autoconf than is used in FreeRADIUS 1.0.1.

 As the above post suggests, try 1.1.0 (eg. CVS head) which builds with

 By 1.1.0 does that mean I should download the radiusd module using
 CVS? (Not sure if you're referring to that or 1.1.0 of something
 else?).

Yeah. 'eg' should have been 'ie'

 libtool 1.5 and autoconf 2.57 and where PEAP and TTLS _should_ work.
 (Although I've not tested them myself)

 So the hypothesis is download the CVS head, re-package+compile it
 and try again?

 Sorry about the relatively simple questions but I didn't know there
 was a version of freeradius higher than 1.0.1 - I guess looking at the
 CVS tree there are a number of files updated there but I'm not sure if
 that constitutes v1.1.0 so I'm a bit lost as to what I'm looking for.

Sorry. Yes, FreeRADIUS 1.1.0 doesn't exist per se, I meant the head
branch of CVS.

You should be able to just grab it from CVS or a snapshot, and
dpkg-buildpackage -us -uc -rfakeroot -b
and get a whole bunch of packages out. I'm considering going to
dpatch in the CVS version, to make it easier to support in Debian,
but I've not got the time to convert yet, and have to upload 1.0.2
to Debian first.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: rlm_ippool - reliance on NAS-Port parameter

2005-02-18 Thread Paul Hampson
On Fri, Feb 18, 2005 at 12:19:05PM -0500, Jeff Synnestvedt wrote:
 I'm a little confused as to the necessity of having the NAS-Port
 because wouldn't a normal accounting Stop packet have the IP address
 in it anyway which would tell rlm_ippool which IP to free up.

And if the Stop packet is misplaced, the next Start on that
same NAS/port will let rlm_ippool know that that IP address is
free.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: how can freeradius log the transaction and failed logins?

2005-02-05 Thread Paul Hampson
On Fri, Feb 04, 2005 at 08:59:54PM +0700, Marendra Nutriaji wrote:
 Hi all,
 I use Freeradius 1.0.1 dialupadmin, and mysql under Fedora core 2, and
 Using Patton 2960 as my Nas.
 Everything works fine, except when my user failed logging in with any
 reason, freeradius did not put those failed transactions into the
 database. And then how can I make freeradius put any events that happen
 into the database when a user tries to dial the number, ringing,
 authenticating, and then online or dead the connection. Like System
 Log.

FreeRADIUS can only log things that cause RADIUS packets to arrive
at the server. RADIUS Accounting (Start, Stop, Alive) should take
care of being online or dropping the connection. Until the user is
authenticating, FreeRADIUS isn't involved, so logging ringing is
not possible in FreeRADIUS.

To log good and bad logins, have a look at the postauth stuff in
the sql.conf, you can give it a query to run that is called from
the post-auth stanza in the configuration, so you can log whether
the login was good or bad, for example.

 is 'log_auth' does any good in this matter? i tried to uncomment it in
 radiusd.conf, but still not working

That affects the radius.log file, not the database.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Disabling radwtmp/radutmp For Some Clients

2005-02-05 Thread Paul Hampson
On Fri, Feb 04, 2005 at 03:05:59PM -0800, A. Clausen wrote:
 I was wondering if there was a way I could disable writing to radutmp 
 and radwtmp for some clients, or whether this is an all or nothing 
 proposition.

I think you can apply Post-Auth-Type (see the documentation) to this
problem, but that depends on the details of the situation. From what
you've asked, I'd say probably.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: configure script nightmare with ucd-snmp

2005-02-01 Thread Paul Hampson
On Tue, Feb 01, 2005 at 06:59:36PM +1100, Mitchell, Michael J wrote:
 I'm attempting to build freeRADIUS 1.0.1 on Solaris 9 with ucd-snmp
 4.2.6

 I've been struggling to get the configure script to successfully
 recognise ucd-snmp and thus enable it for compilation in freeradius. I'm
 on Solaris 9, and what I've finally had to do is hack the configure
 script where it attempts to detect -lsnmp to include a -L flag to point
 to the location of libscrypto.so, as well as include -lcrypto and
 -lkstat.

 I'm not sure if this is due to the way I've built ucd-snmp, or if its
 because I've installed ucd-snmp in my home directory rather than the
 default /usr/local, or if its just a Solaris cc peculiarity...or I'm
 just plain stupid...

The (undocumented, as it happens) --with-snmp-include-dir and
--with-snmp-lib-dir options should be able to take care of having
built ucd-snmp in your home directory.

And the script tries linking against libcrypto if it can't link
without.

However, it doesn't (currently) try libkstat or libscrypto... I
guess it wouldn't be hard to add another iteration to aclocal.m4
to try with libcrypto _and_ libkstat. Is libscrypto a typo? I
assume you meant libsnmp unless your ucd-snmp depends on _other_
home-compiled libraries?

You're looking for the block around line 3925 in aclocal.m4, with the
following comment block:
dnl   #
dnl   #  That didn't work.  Try adding the '-lcrypto' line.
dnl   #  Some SNMP libraries are linked against SSL...
dnl   #

Copy from the next line through fi, paste below the fi, and
change the line with LIBS and SNMP_LIBS to include -lkstat.
Run aclocal and then autoconf (from the autotools2.13 release,
not any autotools 2.5x release) and try configuring again with
--with-snmp-lib-dir and --with-snmp-include-dir. It _ought_ to
work. ^_^

Let us know if this works, since it looks like a fairly safe
change which could make 1.0.2 if you're quick. ^_^

If you're still stuck, config.log has a wealth of information
about what's going on in your configure process, including
the errors from the linker.

 Has anyone else experienced such configure woes on Solaris? If anyone
 can offer some advice, I'd greatly appreciate it!

This is all general stuff; I don't have access to a Solaris
machine, sadly. I hope it helps though.

 I've been asked to support net-snmp with freeRADIUS - I'm not even game
 to try after today's effort!

FreeRADIUS 1.1.0 supports net-snmp in ucd-compatibility mode. If you
want to patch 1.0.1 to also support this, I've got patches in the
Debian release of FreeRADIUS 1.0.1 which I could split out if you like.
I don't recall if they made it into 1.0.2 though.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: radwtmp trouble

2005-01-19 Thread Paul Hampson
On Wed, Jan 19, 2005 at 01:11:55PM -0600, Sam wrote:
 I think there may be a problem in the way radwtmp is being written (at
 least in the Freeradius that ships with RedHat ES3).
 
 Testing: I copied a radwtmp file over from my old RedHat 7.2 server
 (running Cistron 1.6) and both last and radlast (from Freeradius on the RH
 ES3 server) read the file fine. Neither last nor radlast will read the
 radwtmp file that is being created by Freeradius that ships with RH ES3.
 For further testing I took the radwtmp created by Freeradius on the RH ES3
 server and put it on the old 7.2 server running Cistron. It wouldn't read
 it, and gave exactly the same output as I got from last and radlast on the
 RH ES3 server.

 Any thoughts?

Grab a hex dumper, and see what the structure is, and how it's
different from the expected. If I recall correctly, radwtmp is
written based on the wtmp format provided on the compile system,
so possibly the compilation system had a different format than
the installation system.

You could try compiling a local copy and seeing if that works.

Otherwise, if it doesn't contain anything confidential and isn't
too big, you could put a copy of it somewhere and let someone
have a poke at it to see what's wrong.

(I would, but I'm leaving for Queensland for a week tomorrow
morning so am unlikely to be in a position to check it before
then.)

-- 
Paul TBBle Hampson, on an alternate email client.
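The suggestion above (hex dump the file and compare the record layout the reader expects with the one the writer produced) can be automated. The following is an added example and not code from FreeRADIUS or from this thread: it uses an invented, simplified record layout as a stand-in for the radutmp/radwtmp struct (the real field list is not on this page), and the sample record values are constructed. The point it demonstrates is the diagnostic: a record built on a host with a 4-byte time_t has a different size and time-field offset from one built with an 8-byte, 8-byte-aligned time_t, and checking which candidate size divides the file evenly and decodes into plausible values tells you which layout wrote it.

```python
import struct
import time

# Two candidate on-disk layouts.  Illustrative stand-in for a radutmp/radwtmp
# record, NOT the real struct: what matters is that a 32-bit time_t build and
# a 64-bit, 8-byte-aligned time_t build produce records of different sizes
# with the time field at different offsets.
LAYOUTS = {
    "time_t-32": "<32sI8sIiI",     # login, nas_port, session_id, ip, proto, time
    "time_t-64": "<32sI8sIi4xQ",   # same fields, 4 pad bytes, then 8-byte time
}


def record_size(layout):
    return struct.calcsize(LAYOUTS[layout])


def pack_record(layout, login, nas_port, session_id, framed_ip, proto, when):
    return struct.pack(LAYOUTS[layout], login.encode(), nas_port,
                       session_id.encode(), framed_ip, proto, when)


def sample_file(layout, copies=1):
    """Constructed sample file: one invented record, repeated `copies` times."""
    rec = pack_record(layout, "rsf7969", 999, "45975988", 0xC8600AFE, 1, 1105999999)
    return rec * copies


def decode_first(layout, data):
    size = record_size(layout)
    f = struct.unpack(LAYOUTS[layout], data[:size])
    return {
        "login": f[0].split(b"\0", 1)[0].decode("ascii", "replace"),
        "nas_port": f[1],
        "session_id": f[2].split(b"\0", 1)[0].decode("ascii", "replace"),
        "framed_ip": f[3],
        "proto": f[4],
        "time": f[5],
    }


def plausible(rec, now):
    # A sane record has a non-empty printable login and a timestamp that is
    # neither before 2000-01-01 nor in the future.
    return (rec["login"] != "" and rec["login"].isprintable()
            and 946684800 <= rec["time"] <= now)


def guess_layout(data, now=None):
    """Names of the candidate layouts whose record size divides the file
    evenly AND whose decoding of the first record gives plausible values."""
    now = int(time.time()) if now is None else now
    hits = []
    for name in LAYOUTS:
        size = record_size(name)
        if len(data) == 0 or len(data) % size != 0:
            continue
        if plausible(decode_first(name, data), now):
            hits.append(name)
    return hits


def hexdump(data, width=16):
    """Classic offset / hex / ASCII dump, for eyeballing the record boundary."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s  %s" % (off, width * 3 - 1, hexpart, text))
    return "\n".join(lines)


if __name__ == "__main__":
    data = sample_file("time_t-64", 3)
    print(hexdump(data[:64]))
    print("candidates:", guess_layout(data))
```

A file written by one layout and read with the other fails even when the sizes happen to divide (seven 64-byte records are also eight 56-byte records): the time field then lands on padding or on the next record's login bytes, which the plausibility check rejects.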



Re: radutmp woes

2005-01-17 Thread Paul Hampson
On Sun, Jan 16, 2005 at 11:15:35PM -0600, Sam Morris wrote:
 Hello

 After much hair pulling I have Freeradius 1.0.1 working nearly 100%. But I'm
 having issues with radutmp (at least I think that's where the trouble
 lies).

 When I do a radlast, it says this:

 [EMAIL PROTECTED] radius]# radlast
  
 radwtmp begins Sun Jan 16 17:00:27 2005

Radlast uses radwtmp, radutmp is used by radwho...  radutmp has its own
module, but radwtmp is written by the unix module, which I'm gonna guess
you've disabled since you're not using unix accounts to authenticate.

If that's true, you can just put the unix instance in the accounting
section, and all it will do is write to radwtmp. (Which is pretty neat,
actually. ^_^)

 This even though hundreds of people have logged in (via dialup).

 radlast username also shows nothing.

 So it is authenticating people and logging those authentications
 just fine. It's also writing the detail files in /var/log/radius/radacct/nas

 The radutmp and radwtmp files ARE getting written in /var/log/radius/here

I found something was creating radwtmp even though I'm not using it, but
I haven't bothered to find out _what_... I think something in the
default start script must touch it, since it seems to exist but be 0
bytes long. Presumably this is to ensure correct permissions on the
file, since I think it is by default treated like wtmp and readable by
anyone. (Like safe_radutmp and unlike radutmp instances in the default
radius.conf)

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Dynamic IP addres on EAP/TLS session

2005-01-17 Thread Paul Hampson
On Mon, Jan 17, 2005 at 05:23:04PM +1100, Jacques VUVANT wrote:
 How can I allow a dynamic IP address for an EAP/TLS session? A DHCP server on the same
 machine as Freeradius seems not to work.

The DHCP server needs to be on the EAP gatekeeper (I forget the proper
name, the thing that isn't the Supplicant, and isn't the RADIUS server.)
as far as I recall.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Dynamic IP addres on EAP/TLS session

2005-01-17 Thread Paul Hampson
On Mon, Jan 17, 2005 at 09:49:48AM -0600, Justin Guidroz wrote:
 I'm running Freeradius on the same server that also serves as my LDAP
 server, DHCP server, and DNS server, and I have had no problems
 getting DHCP addresses using EAP-TTLS or EAP-TLS.

Does the EAP gateway thingy relay DHCP requests to your FreeRADIUS
box?

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Solaris vs. Linux: eap - mschap - mschapv2 failure: smbencrypt NT-password hash different for Sparc and Intel

2005-01-17 Thread Paul Hampson
On Mon, Jan 17, 2005 at 07:01:22PM +0100, [EMAIL PROTECTED] wrote:
 Ok, summary:
 1. EAP on Solaris fails, EAP on Linux works.
 2. Version problems with freeradius can be excluded, can we ?


Try the current 1.0.2 snapshot from the CVS release_1_0 tree.
This could be a bigendian/64 bit issue with the md4 code, which
was broken (by me) in FreeRADIUS 1.0.1.

I'm pretty sure ms-chap uses md4. ^_^

 4. Check of smbencrypt:
/usr/bin/smbencrypt y
LM Hash-Solaris   5EE48ABDB55D077DAAD3B435B51404EE
LM Hash-Linux 5EE48ABDB55D077DAAD3B435B51404EE

NT Hash-Solaris   DA2798D017BDEBFD4A515999FBF0C1D3
NT Hash-Linux 075F36789B3133386FBCD952ED3FC23F

-- 
Paul TBBle Hampson, on an alternate email client.



Re: character substitution

2005-01-15 Thread Paul Hampson
On Thu, Jan 13, 2005 at 11:55:40AM -0500, Brian Fennimore wrote:
 I'm having a problem with freeradius interpreting special characters
 incorrectly.  It's translating the UTF-8 to some kind of quoted-printable
 form when it prepares the information for accounting.

You could add the relevant bytes to the safe-characters configuration
entry in the sql configuration, but that'd be pretty daft.

Is UTF-8 generally safe in SQL? I always thought SQL was ASCII, with
anything else being DB-server specific (I know postgresql lets you
specify the character encoding for new databases for example).

 The authentication/authorization appears to be unaffected by this.  The
 usernames are printing into the logs correctly and are authenticated fine by
 the home server I'm proxying to.

The escaping is done by the rlm_sql module, right before it passes it to
the queries defined in the sql configuration.

 These are two examples of entries I'm seeing in my accounting table.  They
 also appear as such in the sqltrace file so I do not suspect a problem on
 the database side (I'm using postgres).  Unfortunately the offending data
 appears in two forms in the database and only in one form in my logs and I
 can't explain the inconsistency.

 [EMAIL PROTECTED]

This appears to be the below, escaped again. I think this was fixed in
either 1.0.1 or the (any time now) 1.0.2 release.

 [EMAIL PROTECTED]

 Login OK: [ [EMAIL PROTECTED]/cb29dec]

If you add '\' to the safe-characters entry in the sql configuration,
that'll fix that. And make sure '=' is there too. However, check your
SQL server's documentation to be sure '\' isn't an escape character.

-- 
Paul TBBle Hampson, on an alternate email client.
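The escaping discussed in this thread (UTF-8 bytes coming out in a quoted-printable-looking form, values being escaped twice, and the warning about adding '\' to safe-characters) can be reproduced in a few lines. The following is an added example, not FreeRADIUS's rlm_sql code: the default safe set and the "=HH" byte form are assumptions modelled on the behaviour described above, and mysql_style_literal_closes is a toy scanner standing in for a server that treats backslash as an escape character. It shows why every byte outside the safe set is rewritten, why an already-escaped value gets escaped again unless '=' is in the set, and what goes wrong with quoting when '\' is let through unescaped.

```python
# Added example, not project code.  Assumed default safe set, modelled on the
# safe-characters entry described in the thread.
DEFAULT_SAFE = ("@abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "0123456789.-_: /")


def sql_escape(value, safe_characters=DEFAULT_SAFE):
    """Escape every byte of the UTF-8 encoding of `value` that is not in
    `safe_characters` as '=HH' (upper-case hex).  Bytes >= 0x80 are never
    safe, which is why UTF-8 input comes out looking quoted-printable."""
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x80 and chr(byte) in safe_characters:
            out.append(chr(byte))
        else:
            out.append("=%02X" % byte)
    return "".join(out)


def quoted(value, safe_characters=DEFAULT_SAFE):
    """Build the literal the way a '%{...}' in a query would: the escaped
    value inside single quotes."""
    return "'" + sql_escape(value, safe_characters) + "'"


def mysql_style_literal_closes(literal):
    """Scan a single-quoted literal the way a backslash-escaping server
    (MySQL-style) would, and report whether the final quote really
    terminates it.  Toy scanner, used only to show the effect of letting
    '\\' through unescaped."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        return False
    i = 1
    while i < len(literal):
        c = literal[i]
        if c == "\\":
            i += 2                    # backslash consumes the next character
            continue
        if c == "'":
            return i == len(literal) - 1   # closed exactly at the last quote
        i += 1
    return False                      # ran off the end: never closed


if __name__ == "__main__":
    once = sql_escape("josé@example.com")          # non-ASCII bytes escaped
    twice = sql_escape(once)                       # '=' itself gets escaped
    idem = sql_escape(once, DEFAULT_SAFE + "=")    # with '=' safe, stable
    print(once, twice, idem)
    print(quoted("abc\\"), mysql_style_literal_closes(quoted("abc\\")))
    loose = DEFAULT_SAFE + "\\"
    print(quoted("abc\\", loose), mysql_style_literal_closes(quoted("abc\\", loose)))
```

With the default set, a trailing backslash is stored as "=5C" and the literal closes cleanly; with '\' added to the set, the same input yields 'abc\' and a backslash-escaping server reads the closing quote as escaped, which is exactly the case the reply tells you to check the server documentation for.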



Re: Debian testing = no PEAP/TLS/TTLS support?

2005-01-15 Thread Paul Hampson
On Sat, Jan 15, 2005 at 06:47:38AM +0100, Sven Juergensen wrote:
 the start/stop script of the debian freeradius package is faulty
 as well. let me know if you need a modified script and i'll mail it
 to you.

Alternatively, file a bug report and then everyone can benefit from
a fix to whatever's wrong with the init script.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Debian testing = no PEAP/TLS/TTLS support?

2005-01-15 Thread Paul Hampson
On Sat, Jan 15, 2005 at 11:30:03AM +0100, pascal wrote:
 Hi,

 rlm_eap: Loaded and initialized type md5
 rlm_eap: Loaded and initialized type leap
  gtc: challenge = Password: 
  gtc: auth_type = PAP
 rlm_eap: Loaded and initialized type gtc
 rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared 
 object file: No such file or directory
 
 It seems I have the same problem.
 On a Debian Sarge system.
 I know there is a bug report for this problem, but I hoped it would be fixed 
 with a newer version.

It was recently discussed on the Debian-Legal mailing list, and I have
a list of packages to check for OpenSSL-linkability. If they all pass,
and the licenses of the various chunks of FreeRADIUS can be changed
(which is a harder problem) we can then add an exception to the GPL to
allow linking against OpenSSL.

Alternatively, someone who has their head wrapped around SSL can convert
the various OpenSSL-users in FreeRADIUS to optionally use gnuTLS
instead, controlled by the configure.in system. I plan on doing this,
but I'm a bit of a TLS Barbie. ^_^

However, that change will only affect FreeRADIUS 1.1.0 or later, since
I don't want to be trying to mangle _two_ sets of autoconf scripts. In
the meantime, locally compiled FreeRADIUS packages with a build-depends
on libssl-dev instead of a build-conflicts will contain the appropriate
libraries without any other code changes. If you version it as current
Debian version.0.0.1, then it'll be safe from apt replacing it from
the archive, and if you put it on hold, then apt-get upgrade won't touch
it.

I try not to upload too frequently, and so you can take your time to
consider if you need to rebuild any new Debian revisions or just leave
the current version held.

Alternatively, you can build from the release_1_0 branch in CVS, which
will give you what will hopefully soon be 1.0.2, and I try and keep the
debian/ directory upstream the same as the one in Debian's archive, so
the packages should mesh fine.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: reading other radius server's radutmp instead of using radrelay

2005-01-06 Thread Paul Hampson
On Thu, Jan 06, 2005 at 05:23:45PM +0800, Rohaizam Abu Bakar wrote:
 what is the setting related in order for radius to check database (instead 
 of radutmp) in order to control single login (or Simultaneous use)...

Put an instance of rlm_sql in the session stanza in radius.conf, and
look in sql.conf for the queries it uses.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: make fails because of libltdl

2004-12-30 Thread Paul Hampson
On Fri, Dec 31, 2004 at 01:33:45AM +0100, Thor Spruyt wrote:
 I downloaded the latest nightly build and the libltdl issue is still there.

 [EMAIL PROTECTED] freeradius-snapshot-20041230]$ make
 gmake[1]: Entering directory `/home/thor/freeradius-snapshot-20041230'
 Making all in libltdl...
 gmake[2]: Entering directory 
 `/home/thor/freeradius-snapshot-20041230/libltdl'
 gmake[2]: *** No rule to make target `all'.  Stop.
 gmake[2]: Leaving directory 
 `/home/thor/freeradius-snapshot-20041230/libltdl'
 gmake[1]: *** [common] Error 1
 gmake[1]: Leaving directory `/home/thor/freeradius-snapshot-20041230'
 make: *** [all] Error 2

Can you use the system libltdl? I hadn't realised this issue
still existed, but I build with the system libltdl, not the
one in FreeRADIUS.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: rlm_mschap compilation error - Where to look ?

2004-12-29 Thread Paul Hampson
On Wed, Dec 29, 2004 at 10:37:20AM -0500, Alan DeKok wrote:
 Aime [EMAIL PROTECTED] wrote:
  When compiling Freeradius , i have the following error
  during rlm_mschap compilation.
  Where do I have to look ?

   The radius_exec_program function was changed yesterday.  rlm_mschap
 wasn't updated, but it should be updated in a day or so.

Actually, it was the other way 'round. The changes to rlm_mschap
got committed by accident, but radius_exec_program wasn't. I've
committed them now, so this problem should go away.

I apologise for the inconvenience.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: problems with radutmp

2004-12-24 Thread Paul Hampson
On Fri, Dec 24, 2004 at 09:39:58AM -0200, Luiz Gustavo Anflor Pereira wrote:
 I am using freeradius 1.0.1.

 Let me try to understand. If a client loses its connection, we can use radzap
 to communicate with the NAS. Then it sends back a stop packet, and the login is
 released. Is that correct?

No. When you use radzap, it reads the radutmp file and uses the data
in it to construct an Accounting STOP packet, which it sends to the
RADIUS server, so the RADIUS server can do all its processing as if
the NAS had sent the STOP packet. The NAS is totally unaware, as we
are assuming the NAS _does_ think the session is released already,
most likely due to a lost STOP packet from the NAS. (Otherwise, there
may be a different bug to fix eg. mismatching numbers somewhere.)

 But because session_id is too long, it is not working. To fix it, we can use
 the mysql function RIGHT(%{Acct-Session-Id}, 8). But in which query?

I ended up with accounting_stop_query changing

WHERE AcctSessionId = '%{Acct-Session-Id}'

to

WHERE AcctSessionId LIKE CONCAT('%%','%{Acct-Session-Id}')

for reasons that escape me, compared to RIGHT(%{Acct-Session-Id}, 8). I
think the difference was that using RIGHT assumed the length, while
what I actually did does a substring match against the end of the
stored AcctSessionId.

 And if we use it, is checkrad gonna work? When is checkrad run?

Yeah, this means that checkrad (which pulls the Acct-Session-Id from
radutmp)'s STOP packet will match both SQL and radutmp...

-- 
Paul TBBle Hampson, on an alternate email client.
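The difference between the two accounting_stop_query forms above (RIGHT(AcctSessionId, 8) versus a suffix LIKE match), and the ambiguity a suffix match introduces, can be seen with a throwaway table. The following is an added example and not part of the thread or of FreeRADIUS's sql.conf: it uses sqlite3 in place of MySQL (so `'%' || ?` stands in for CONCAT('%%', ...), and substr(x, -8) for RIGHT(x, 8); the doubled %% in the original is only FreeRADIUS's xlat escape for a literal %), and the session ids and user names are constructed, with the first two rows deliberately sharing their last eight characters.

```python
import sqlite3

# Constructed sample rows: long NAS-style session ids.  The first two share
# the same last 8 characters on purpose, to show the ambiguity of a suffix
# match once radutmp has truncated the id.
SAMPLE_ROWS = [
    ("S-2145975988", "rsf7969"),
    ("S-1045975988", "alice"),
    ("S-0000000001", "bob"),
]


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct ("
                 " RadAcctId INTEGER PRIMARY KEY,"
                 " AcctSessionId TEXT NOT NULL,"
                 " UserName TEXT NOT NULL,"
                 " AcctStopTime TEXT)")
    conn.executemany(
        "INSERT INTO radacct (AcctSessionId, UserName) VALUES (?, ?)",
        SAMPLE_ROWS)
    return conn


def match_exact(conn, session_id):
    """The stock  WHERE AcctSessionId = '%{Acct-Session-Id}'  form."""
    return [r[0] for r in conn.execute(
        "SELECT UserName FROM radacct WHERE AcctSessionId = ?"
        " ORDER BY RadAcctId", (session_id,))]


def match_suffix(conn, session_id):
    """sqlite spelling of  AcctSessionId LIKE CONCAT('%%','%{Acct-Session-Id}')."""
    return [r[0] for r in conn.execute(
        "SELECT UserName FROM radacct WHERE AcctSessionId LIKE '%' || ?"
        " ORDER BY RadAcctId", (session_id,))]


def match_right8(conn, session_id):
    """sqlite spelling of  RIGHT(AcctSessionId, 8) = '%{Acct-Session-Id}'."""
    return [r[0] for r in conn.execute(
        "SELECT UserName FROM radacct WHERE substr(AcctSessionId, -8) = ?"
        " ORDER BY RadAcctId", (session_id,))]


def stop_target(conn, session_id):
    """Defensive wrapper: only pick a session to close when the suffix match
    is unambiguous; otherwise return None so an operator can look at it."""
    hits = match_suffix(conn, session_id)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    db = build_sample_db()
    full, truncated = "S-2145975988", "45975988"   # NAS id vs radutmp's 8 chars
    print("exact  :", match_exact(db, full), match_exact(db, truncated))
    print("suffix :", match_suffix(db, full), match_suffix(db, truncated))
    print("right8 :", match_right8(db, full), match_right8(db, truncated))
    print("target :", stop_target(db, truncated))
```

The suffix form matches both the full id the NAS sends and the eight characters radzap reads back out of radutmp, whereas RIGHT(..., 8) only matches the truncated one; the price is that two sessions whose ids end the same way are both hit, which is why stop_target refuses an ambiguous match rather than closing the wrong session. Note also that LIKE treats '_' and '%' inside the id as wildcards, so ids containing those characters widen the match further.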



Re: regarding stale IP in ippool

2004-12-22 Thread Paul Hampson
On Wed, Dec 22, 2004 at 07:10:32PM +0100, Alfred H. Dahl wrote:
 
   If a Mikrotik pppoe-server stops, or the accounting-stop-packet from 
   the pppoe-server does not reach the radius-server, the IP-address is 
   not freed from the ip_pool, meaning we get stale sessions in the 
   IP-Pool.
 
 Now I think about it, there's supposed to be an accounting packet that
 comes in when a NAS is shut down... I just don't recall if rlm_ippool
 processes it or not. ^_^
 
 the rlm_ippool processes only the accounting_STOP-packets, (and, of course, 
 the start-packet as well)

 I am not able to zap the IP from the pool using radzap - but as long as the 
 rlm_ippool processes accounting_stop-packets, I should be able to use 
 radclient, as in

 echo User-Name = username, Password=password | radclient  radiusip 
 method radius-password

 I am, however, unsure of how to construct this command line in order to send 
 an accounting_stop-packet. Anyone have any experience here?

Isn't that what radzap does for you?

-- 
Paul TBBle Hampson, on an alternate email client.



Re: problems with radutmp

2004-12-20 Thread Paul Hampson
On Mon, Dec 20, 2004 at 02:19:11PM -0200, Luiz Gustavo Anflor Pereira wrote:
 
 hello all
 
 I have a problem concerning radutmp.

 Here is the situation:

 The command  radwho | grep 7969  gives me the output:
 rsf7969rsf7969   PPP   999 Fri 16:20 200.96.10

 If i use the option -r, so radwho -r | grep 7969, the output is:
 rsf7969,rsf7969,PPP,S-2145975988,Fri 16:20,200.96.100.254,

I vaguely remember there's some problem with radutmp and the large port
numbers you're getting... A signedness issue, which I thought I'd fixed
in CVS, but I ended up dropping rlm_unix due to other radutmp problems,
but I'm thinking about trying to reimplement it. ^_^

What version of FreeRADIUS are you using?

*Checks CVS logs* Whoops, guess I never committed that.

I'm gonna take a stab in the dark, and guess that the records are not
being deleted because the Accounting Session ID you're getting is too
long for the session_id field in radutmp... See FreeRADIUS bug 62 at
http://bugs.freeradius.org/show_bug.cgi?id=62

By some chance, are you receiving RADIUS packets from an ERX?

-- 
Paul TBBle Hampson, on an alternate email client.



Re: debian compile issues in conjunction with eap

2004-12-17 Thread Paul Hampson
On Fri, Dec 17, 2004 at 03:47:31AM +0100, Sven Juergensen wrote:
 and again,

 http://bugs.freeradius.org/show_bug.cgi?id=98

 configuring with --disable-shared  make halts
 at the message of my first email, something with
 the rlm_x99_token.

 some strace output:
 
 [..]
[..]
 /usr/local/lib/rlm_eap_tls.la, like the strace
 output suggests, isn't there.

Check you've got libssl-dev installed. It is quite
possibly silently not building rlm_eap_tls due to
lack of OpenSSL or a wrongly-versioned OpenSSL, the same
thing that'd cause rlm_x99_token to not build.

rlm_eap_gtc, if it depends on rlm_eap_tls, should
skip itself the same way rlm_eap_ttls does (or I
think it does) if it won't be built... Then you'd
get the more useful error that rlm_eap_gtc wasn't
built. ^_^

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Execute a script at the end of a session

2004-12-16 Thread Paul Hampson
On Thu, Dec 16, 2004 at 09:12:59AM +, Santiago Balaguer García wrote:
 The action you proposed is to create a new attribute, for instance, 
 Exec-Program-End, and insert it in the radreply table. For example, if I have 
 these entries in this table:
 +-----+----------+-------------------+----+--------------------------------------+
 | id  | UserName | Attribute         | op | Value                                |
 +-----+----------+-------------------+----+--------------------------------------+
 | 168 | 11101    | Exec-Program-Wait | =  | /home/blackbox/start_script.sh %u %n |
 | 169 | 11101    | Session-Timeout   | := |                                      |
 | 170 | 11101    | Idle-Timeout      | := | 300                                  |
 
 
 The information for this user would be:
 +-----+----------+-------------------+----+---------------------------------------+
 | id  | UserName | Attribute         | op | Value                                 |
 +-----+----------+-------------------+----+---------------------------------------+
 | 168 | 11101    | Exec-Program-Wait | =  | /home/blackbox/start_script.sh %u %n  |
 | 169 | 11101    | Session-Timeout   | := |                                       |
 | 170 | 11101    | Idle-Timeout      | := | 300                                   |
 | 171 | 11101    | Exec-Program-End  | =  | /home/blackbox/finish_script.sh %u %n |

I should point out that Exec-Program-Wait is executed at the end of
authentication, not the start of accounting. It's probably fairly close
though.

 I locate the accounting section, but I don't know what I must modify. So I 
 attach my radius.conf.

Here's what I meant:

This won't quite work, since the contents of radreply doesn't go into
accounting packet responses. But this should give you the idea... You
might be better off using the acct_users file to set the
Exec-Program-End attribute, if it's as generic as the above.

_Or_ unify your scripts into one script for every user, and use the
parameters to determine what to do.

   #
   #  This is a more general example of the execute module.
   #
   #  If you wish to execute an external program in more than
   #  one section (e.g. 'authorize', 'pre_proxy', etc), then it
   #  is probably best to define a different instance of the
   #  'exec' module for every section.
   #
   exec echo {
   #
   #  Wait for the program to finish.
   #
   #  If we do NOT wait, then the program is fire and
   #  forget, and any output attributes from it are ignored.
   #
   #  If we are looking for the program to output
   #  attributes, and want to add those attributes to the
   #  request, then we MUST wait for the program to
   #  finish, and therefore set 'wait=yes'
   #
   # allowed values: {no, yes}
   wait = yes
 
   #
   #  The name of the program to execute, and it's
   #  arguments.  Dynamic translation is done on this
   #  field, so things like the following example will
   #  work.
   #
   program = /bin/echo %{User-Name}
 
   #
   #  The attributes which are placed into the
   #  environment variables for the program.
   #
   #  Allowed values are:
   #
   #   request attributes from the request
   #   reply   attributes from the reply
   #   proxy-request   attributes from the proxy request
   #   proxy-reply attributes from the proxy reply
   #
   #  Note that some attributes may not exist at some
   #  stages.  e.g. There may be no proxy-reply
   #  attributes if this module is used in the
   #  'authorize' section.
   #
   input_pairs = request
 
   #
   #  Where to place the output attributes (if any) from
   #  the executed program.  The values allowed, and the
   #  restrictions as to availability, are the same as
   #  for the input_pairs.
   #
   output_pairs = reply
 
   #
   #  When to execute the program.  If the packet
   #  type does NOT match what's listed here, then
   #  the module does NOT execute the program.
   #
   #  For a list of allowed packet types, see
   #  the 'dictionary' file, and look for VALUEs
   #  of the Packet-Type attribute.
   #
   #  By default, the module executes on ANY packet.
   #  Un-comment out the following line to tell the
   #  module to execute only if an Access-Accept is
   #  being sent to the NAS.
   #
   #packet_type = Access-Accept
   }

exec endofacct {

Re: regarding stale IP in ippool

2004-12-16 Thread Paul Hampson
On Thu, Dec 16, 2004 at 09:34:21PM +0100, Alfred H. Dahl wrote:
  we have a problem with our IP-POOL.

  We run pppoe-servers from Mikrotik, and we assign IP to the client 
  using freeradius 0.9.3.

  If a Mikrotik pppoe-server stops, or the accounting-stop-packet from 
  the pppoe-server does not reach the radius-server, the IP-address is 
  not freed from the ip_pool, meaning we get stale sessions in the 
  IP-Pool.

Now I think about it, there's supposed to be an accounting packet that
comes in when a NAS is shut down... I just don't recall if rlm_ippool
processes it or not. ^_^

 Depending on the port-numbers you're getting from the pppoe server, this 
 shouldn't be a problem. If your port numbers are densely populated, 
 and there are less than the entries in your IP pool, stale entries aren't a 
 problem.
 
 what does this mean? If the IP is marked as active - will the plugin check 
 to see if the session still exist, and if not, free the IP?

If a new session comes in on a NAS/port combination with an IP address
marked as active, the ippool code frees that IP before it tries to
allocate one. Or at least that's how I remember it, code unseen.

 what happens when all the IP's are marked as active, and the server receives 
 yet another login?

Then you have more ports than IP addresses, and rlm_ippool has issues,
as I said above, or you have exactly the same number of ports as IP
addresses, and the incoming request should clear the old IP address on
that port/IP, and then reassign it again.

-- 
Paul TBBle Hampson, on an alternate email client.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_eap_tls not built because OpenSSL not found

2004-12-10 Thread Paul Hampson
On Fri, Dec 10, 2004 at 03:02:54AM -0600, Tim Winders wrote:
 I have tried both 1.01 and cvs-20041209 with the same results.

 I would like to be able to use eap/tls, but, in the configure, I keep 
 getting a warning that eap/tls will silently not be built because it 
 requires OpenSSL.  I have openssl installed and it is found, but, -lssl 
 for SSL_New doesn't seem to work.

What version of OpenSSL? It needs to be 0.9.7... From memory, the symbol
names changed between 0.9.6 and 0.9.7, too.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Execute a script at the end of a session

2004-12-10 Thread Paul Hampson
On Fri, Dec 10, 2004 at 09:23:12AM +, Santiago Balaguer García wrote:
 Hi,
 
   I am using RADIUS for more than 9 months and for each client a initial 
 script is executed since the radreply table in MySQL has a field:
 
 
  *   id  * UserName * Attribute         * OP * Value                        *
  * 25859 * aaaj100  * Idle-Timeout      * := * 300                          *
  * 25858 * aaaj100  * Session-Timeout   * := * 3600                         *
  * 25857 * aaaj100  * Exec-Program-Wait * =  * /home/blackbox/todo.sh %u %n *
 
  If the attribute name of start session is Exec-Program-Wait, I want to 
 know the attribute name of the end of session and if I must put it in the radreply 
 table.

For an end of session script (eg. Accounting Stop) you want to use
rlm_exec with the Packet-Type set to Stop (off the top of my head)
in your accounting section of the FreeRADIUS configuration.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Execute a script at the end of a session

2004-12-10 Thread Paul Hampson
On Fri, Dec 10, 2004 at 04:38:05PM +, Santiago Balaguer García wrote:
 I read acct_users and others files, but what I want to do is to add some 
 register in the MySQL DB and can execute a different script to each user.

Create yourself a new attribute, with the name of the script, create a
new instance of the exec module and call it in the accounting stanza of
radius.conf.

Of course, if the script name is the same as the user name or some other
attribute, you don't need to add a new one. ^_^

Find the exec echo instance in radius.conf for an example.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: regarding stale IP in ippool

2004-12-10 Thread Paul Hampson
On Fri, Dec 10, 2004 at 10:20:36AM +0100, Alfred H. Dahl wrote:
 we have a problem with our IP-POOL.

 We run pppoe-servers from Mikrotik, and we assign IP to the client
 using freeradius 0.9.3.

 If a Mikrotik pppoe-server stops, or the accounting-stop-packet from
 the pppoe-server does not reach the radius-server, the IP-address is
 not freed from the ip_pool, meaning we get stale sessions in the
 IP-Pool.

Depending on the port-numbers you're getting from the pppoe server, this
shouldn't be a problem. If your port numbers are densely populated, and
there are less than the entries in your IP pool, stale entries aren't a
problem.

 Is there a way to manipulate the active-flag in the IP-Pool for a
 given IP?  Does the radzap-routine also remove the active entry from
 the IP-POOL when the corresponding account is zap'ed?

rlm_ippool_tool should be able to do it... Be careful though, the file
format changed (I think) in the 1.0.0 release. On the other hand, I
don't recall when rlm_ippool_tool was integrated into FreeRADIUS...  You
may have to glance at the CVS logs for rlm_ipool_tool.c for that sort of
detail. ^_^

radzap _ought_ to clear entries from the ippool, but I never had any
luck with it in 0.9.3. Kostas made some large improvements for the 1.0.0
release involving some locking issues, and it seems to be working much
better here.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Undefined symbol with eaptls / freeradius 1.0.1 (debian)

2004-12-07 Thread Paul Hampson
On Tue, Dec 07, 2004 at 03:16:47PM +0100, Julien CABESSUT wrote:
 I'm trying to set up a freeradius server on a debian box to authenticate 
 wireless users. The current debian (sid) package for 1.0.1 doesn't 
 include eap_tls, eap_ttls, nor eap_peap due to licensing issues - yet I 
 needed them. So I downloaded the source package, removed the three lines 
 in debian/rules which were preventing the compilation of those modules, 
 built a brand new package, and installed it. Now I have an error which 
 makes the server crash when someone tries to authenticate :

 freeradius: relocation error: /usr/lib/freeradius/rlm_eap_peap-1.0.1.so: 
 undefined symbol: eaptls_process

 Any suggestion on what could cause this problem ?

Yes. The libltdl in Debian includes a patch from the CVS version of
libtool, which breaks the linkage used by rlm_eap_ttls and rlm_eap_peap
into rlm_eap_tls. Try 1.1.0, which should work with the libltdl in
Debian/sarge or Debian/sid.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: migrating external programs from xtradius to freeradius

2004-12-07 Thread Paul Hampson
On Tue, Dec 07, 2004 at 12:40:41PM -0800, L.C. (Laurentiu C. Badea) wrote:
 Xtradius uses Auth-Type = External, freeradius appears to need Auth-Type = 
 Accept with an external script. Not a big deal, just thought I should 
 mention it because it is somewhat less intuitive (since after all, you can 
 turn it into a Reject via exit code).

You could add an Auth-Type to your local dictionary, and force Auth-Type
to that in authorization, if you're only ever going to authenticate from
that external script.

Otherwise, an rlm_exec in authorization which checks for conditions and
sets your custom Auth-Type would be the obvious method to me.

_Or_ you could put your script in post-auth, so it's always called, and
just have the authorisation section always return accept. ^_^

I guess there's no External Auth-Type because very few people are
doing checking that can't be handled in one of the auth-types supplied
already?

-- 
Paul TBBle Hampson, on an alternate email client.



Re: installaion problem

2004-12-07 Thread Paul Hampson
On Wed, Dec 08, 2004 at 12:53:48PM +0800, Spades wrote:
 While installing Freeradius 1.0.1, i managed to run ./configure, however..
 I'm unable to run 'make' in my Fedora Core 2. gives me error
 Any idea what went wrong?
 --
 
 Making static dynamic in rlm_krb5...
 gmake[6]: Entering directory 
 `/home/software/freeradius-1.0.1/src/modules/rlm_krb5'
 gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   
 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
 -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes 
 -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef  
 -I../../include  -c rlm_krb5.c -o rlm_krb5.o
 rlm_krb5.c:40:21: com_err.h: No such file or directory

Fedora Core 2 appears to have put com_err.h somewhere surprising,
or you don't have the kerberos5 development packages installed. Both
of these should have solutions findable in the mailing list archives.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Postauth section skipped when rejected by external script

2004-11-30 Thread Paul Hampson
On Mon, Nov 29, 2004 at 08:53:30PM +0100, Thor Spruyt wrote:
 Hi,
 
 I have configured freeradius to check against a postgresql database and 
 when the user is valid, execute an external script. (which works fine)
 I have configured freeradius to store authentication results in a 
 postgresql database which works fine if the user is either accepted or when 
 the user is invalid (not found or incorrect password from the database).
 When the user is valid (correct username and password from the 
 database), but the external script rejects the user, freeradius doesn't go 
 through the post-auth section and doesn't store the info in the database.

Try using rlm_exec and the patch I posted here:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg11332.html

This more neatly integrates your external script as a FreeRADIUS module
than anything Exec-Program-Wait can do.

I'll commit it to 1.1.0 once I get _some_ kind of positive feedback. ^_^

However, this is not a 1.0.2 candidate at this point, as it's not a bug
per se, but a feature change.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Error rlm_eap_peap_1.0.1.so

2004-11-30 Thread Paul Hampson
On Tue, Nov 30, 2004 at 11:22:39AM +, [EMAIL PROTECTED] wrote:
 freeradius:relocation error:usr/local/lib/rlm_eap_peap_1.0.1.so:undefined 
 symbol:eaptls_process
I didn't understand the rest of the email, but this suggests your
libltdl is too recent, and the cross-module linking used in 1.0.1
won't work. Try upgrading to a CVS version, and see if that works.
-- 
Paul TBBle Hampson, on an alternate email client.



Re: rlm_eap_md5: User-Password is required for EAP-MD5 authentication

2004-11-25 Thread Paul Hampson
On Fri, Nov 26, 2004 at 02:01:00PM +0800, Chan Min Wai wrote:
 Alan DeKok wrote:
  Chan Min Wai (System Administrator) [EMAIL PROTECTED] wrote:

 CLEAR text passwords are required for EAP-MD5. Crypt passwords will
 NEVER work.

 Anyway to make it work? somehow?

No.  It's impossible.

 I know this has been bugging you from or since freeradius supported LDAP
 And I did see a lot of people are looking for such a solution.

 May I know in more technical term why it is not possible?

 I know there is no way to get the plain text password back from {crypt}

 but I just wonder what is the password sent from the EAPOL (Wire MD5).
 Is there any way to make it such that this password is hashed in the same
 way and produces the same password as {crypt} in the LDAP and we go to
 compare that?

If that worked, it would be effectively the same as using plain text
passwords _everywhere_ since someone could just capture the crypted
password in the login request, and use _that_ to login.

Basically, the user and the server must share a secret. Either that
secret is sent from the client to the server (PAP), or some extra piece
of information is sent, modified by a process identical on both ends
that uses the secret as input, and the resulting output is sent to the
server for comparing. (Everything but PAP)

*note: the below is as I understand CHAP. I'm sure there are other
tricky things EAP does, but I think my point is still clear*

If that third piece of information is constant, someone could simply
intercept the output of the process and send it everytime they were
asked, making it as good as having the password.

Since this extra piece of information must change, either the server
must store the input to the process (the plain-text password) or the
output of the process for each possible input. (That is, if the function
is f(password,extra) it must store either password or f(password,extra)
for every value of extra.)

If extra ranged from one to ten, for example, you'd have ten items to
store in your database, and an attacker would have to watch ten logins
to have the right answer for each possible extra. _Or_ they can watch
one login, and be successful on one try in ten.

If your extra ranged from one to 100, you would need to store 100
versions of the output, and an attacker could get in one time in 100.

That's the easy part.

However, usually 'extra' includes something time-dependent. Time only
moves forward (barring daylight savings ending ^_^) so extra now has
a possible value limited only by your imagination. If extra was the
seconds since 2001-01-01 00:00 UTC, and you used, say, a 32-bit value,
(so your authentication system would work only until early February
2137) then you would need to store 4 294 967 296 passwords in your
database for each user, less the number of seconds that have already
passed since 2001-01-01 00:00 UTC. In this case, the attacker wouldn't
be able to use any old hashes captured from the wire, as the clock
would never repeat over that period.

If you wanted to skimp, you could only store enough passwords to last
until the user's account expired (say, one month's worth, 2 629 800 or
so) as long as every time they renew, you create another 2 629 800
password entries to last the next month. And remember, you need their
plain-text password to regenerate the password list.

And _then_, an attacker who sent their request in the same second as
the user would still be able to use the reply to break in, unless you
add more to the 'extra' value... Say, a number from one to 1000. Then
you store a thousand passwords for every second, or roughly
two thousand million passwords per user-month.

Frankly, that won't be _useful_ until we have quantum computing or
similar, at which point the attacker can probably break your passwords
anyway by sending four thousand million simultaneous authentication
requests.

So in short, yes, it's possible. But I don't plan to implement any
such system, and no one else has shown much interest.

Patches welcome, as always. ^_^

-- 
Paul TBBle Hampson, on an alternate email client.
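The challenge-response argument above, as an added worked example (not code from the thread or from FreeRADIUS): EAP-MD5 reuses the CHAP computation MD5(identifier || secret || challenge), so the server can check a response only from the cleartext password, or from a table of f(secret, extra) values precomputed from it. The sample password and identifier are constructed.

```python
import hashlib
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response: MD5(identifier || secret || challenge).

    'secret' is the user's password and 'challenge' is the "extra" value
    the reply above talks about; neither side ever sends the secret itself.
    """
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def fresh_challenge() -> bytes:
    """A server must pick a new, unpredictable challenge per attempt; a
    constant one turns a captured response into a reusable credential."""
    return os.urandom(16)


def verify_with_cleartext(secret: bytes, ident: int,
                          challenge: bytes, response: bytes) -> bool:
    """Server holding the cleartext password: recompute f(secret, extra).

    This works for every possible challenge, which is why EAP-MD5 (like
    CHAP) needs the cleartext on the server side.
    """
    return chap_response(ident, secret, challenge) == response


def build_response_table(secret: bytes, ident: int, challenges) -> dict:
    """The only alternative to storing the cleartext: precompute
    f(secret, extra) for every 'extra' the server will ever send.

    Building the table itself still needs the cleartext, and the table
    grows linearly with the challenge space (the reply's 10, 100 or
    2 629 800 entries). A one-way {crypt} hash is neither input to f()
    nor a usable substitute for the table.
    """
    return {c: chap_response(ident, secret, c) for c in challenges}


def verify_with_table(table: dict, challenge: bytes, response: bytes) -> bool:
    """Server holding only a precomputed table: it can verify a response
    only for challenges the table covers, and must reject the rest."""
    expected = table.get(challenge)
    return expected is not None and expected == response


if __name__ == "__main__":
    secret = b"correct horse"   # constructed sample password
    ident = 7                   # constructed EAP identifier

    # Server that stores the cleartext: any fresh challenge can be checked.
    chal = fresh_challenge()
    resp = chap_response(ident, secret, chal)
    print("cleartext server accepts:", verify_with_cleartext(secret, ident, chal, resp))

    # Server that stored f(secret, extra) only for extra in 1..10.
    table = build_response_table(secret, ident, [bytes([i]) for i in range(1, 11)])
    ok_in = verify_with_table(table, bytes([3]), chap_response(ident, secret, bytes([3])))
    ok_out = verify_with_table(table, bytes([11]), chap_response(ident, secret, bytes([11])))
    print("table covers extra=3:", ok_in, "| table can check extra=11:", ok_out)
```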



Re: rlm_ippool - not releasing ip addresses

2004-11-20 Thread Paul Hampson
On Sat, Nov 20, 2004 at 10:51:32AM +1030, Mike O'Connor wrote:
 Thanks for your comments, I used your suggestion as a basis and have 
 found that the accounting stop records do not always have the same port 
 id. This means it does not match correctly and does not release the port.

 I do not see any way of fixing this from the nas end, so I plan to write 
 some software which checks if a port has been released (using the Alive 
 and Stop records) and then sends an Acct Stop record with the correct 
 port details.

In most cases this won't be a problem, as a new ippool call with a port
number rlm_ipaddr thinks is still in use should free the IP address up,
so it can later be reallocated.

It's a problem if you have more ports than IP addresses. ^_^ (As I do
here. _) I tried using radkill, but that was more trouble than worth,
as the radutmp file was getting boned for entirely different reasons.

I have some scripts here which will process a ip pool file (using
rlm_ippool_tool) against radwho or a radacct table, which I used to
clean out rlm_ippool's data every so often. The problem is that any
non-FreeRADIUS modification of the database needs to be done while
FreeRADIUS is stopped.

I'd love to improve rlm_ippool_tool, but if I ever work on it again,
it'll be to SQLise rlm_ippool instead, (as I believe someone has done
and posted a patch to the list), as part of my heartfelt desire to
turn FreeRADIUS into some kind of unusual SQL database frontend. ^_^

-- 
Paul TBBle Hampson, on an alternate email client.



Re: rlm_exec fail V reject

2004-11-18 Thread Paul Hampson
On Thu, Nov 18, 2004 at 05:14:47PM -0800, Jev wrote:
 Ok, great Paul, thank you!
 
 Is it this patch: 
 http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00132.html
 
 that you plan to apply? Is the patch in that post the most recent? I ask 
 because I may attempt to apply and build it my self, so I can proceed 
 with some testing that I need this feature for...

That patch, with the changes described here:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg10746.html
except the line number in rlm_exec is wrong...

Oh heck, here's the patch as it sits in my source tree. ^_^
(No documentation changes yet though. That'll come, but the
changes are pretty much fully described in the above threads.)

Index: src/main/exec.c
===
RCS file: /source/radiusd/src/main/exec.c,v
retrieving revision 1.44
diff -u -r1.44 exec.c
--- src/main/exec.c 12 Oct 2004 17:46:39 -  1.44
+++ src/main/exec.c 19 Nov 2004 02:40:46 -
@@ -562,5 +562,5 @@
 
radlog(L_ERR|L_CONS, Exec-Program: Abnormal child exit: %s,
   strerror(errno));
-   return 1;
+   return 2;
 }
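Review bot: the new `return 2;` on the abnormal-child-exit path is a magic number whose meaning lives in a different file: rlm_exec maps it back with `result-1`, so 2 stands for RLM_MODULE_FAIL + 1 under the 1-based convention described in the thread. A comment at this line stating that convention (for example `/* 2 == RLM_MODULE_FAIL + 1, see rlm_exec return mapping */`) would stop a later reader from treating it as a plain error flag, and it is worth confirming that no other caller of this function tests the return value against 1 specifically rather than against nonzero.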
Index: src/modules/rlm_exec/rlm_exec.c
===
RCS file: /source/radiusd/src/modules/rlm_exec/rlm_exec.c,v
retrieving revision 1.11
diff -u -r1.11 rlm_exec.c
--- src/modules/rlm_exec/rlm_exec.c 26 Feb 2004 19:04:32 -  1.11
+++ src/modules/rlm_exec/rlm_exec.c 19 Nov 2004 02:40:47 -
@@ -332,7 +332,7 @@
result = radius_exec_program(inst-program, request,
 inst-wait, NULL, 0,
 *input_pairs, answer);
-   if (result != 0) {
+   if (result  0) {
radlog(L_ERR, rlm_exec (%s): External script failed,
   inst-xlat_name);
return RLM_MODULE_FAIL;
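Review bot: the comparison operator at the changed `if (result ... 0)` line is lost in the archived copy; from the discussion it is `< 0`. With that change a positive nonzero result no longer logs "External script failed" and falls through to the return-code mapping later in the patch, so a script exiting with 2 (FAIL) now produces no diagnostic at all. Consider logging the raw exit status at debug level in the fall-through path so that a failing script remains visible in the server log.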
@@ -347,7 +347,13 @@
 
pairfree(answer);
 
-   return RLM_MODULE_OK;
+   if (result == 0) {
+   return RLM_MODULE_OK;
+   }
+   if (result  RLM_MODULE_NUMCODES) {
+   return RLM_MODULE_FAIL;
+   }
+   return result-1;
 }
 
 
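Review bot: the upper-bound check at `if (result ... RLM_MODULE_NUMCODES)` (operator lost in the archive) must be `>`, not `>=`: since the function returns `result-1`, a result of exactly RLM_MODULE_NUMCODES maps to RLM_MODULE_NUMCODES-1, the last valid code, and only values above that are out of range. The 1-based convention (a script returns RLM_MODULE_* + 1, or 0 for OK) is not stated anywhere in the code; a comment above `return result-1;` spelling it out would help, as would the documentation update the message promises.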


-- 
Paul TBBle Hampson, on an alternate email client.



Re: Just getting started

2004-11-17 Thread Paul Hampson
On Thu, Nov 18, 2004 at 12:17:28AM -0600, Dallas Graves wrote:
 Ok, so I have looked all over the web but cant really find any good
 how-to articles on freeradius when it comes to setting up a dial-up
 server.  Anyone have any links or even a book that might help?

If you're looking at setting a computer to answer modems for dial-in
use, you'll find the documentation for _that_ will usually tell you
where to use FreeRADIUS. RADIUS is a back-end protocol so it's rarely
documented in a HOWTO in its own regard.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: error in compilation (make)

2004-11-11 Thread Paul Hampson
On Thu, Nov 11, 2004 at 04:46:25PM +0200, Eva Kolega wrote:
 Paul ,

Please do not off-list email me without asking first. My personal email
archives are not available on the web (as far as I know) so any answer I
give privately would have much less value than if I answer on-list.

 I enclose the whole make report. The problem starts where the lines 
 are in bold format. To be precise, I have installed 
 mysql-standard-4.0.21-sun-solaris2.9-sparc-64bit.tar.gz with nothing 
 else. I mean no mysql client, no devel, no share.  But I guess this is 
 the full mysql installation. I mean we run mysql on a number of machines 
 for various services. We have not faced any problems yet.  The ps 
 command output follows:

 ./configure --prefix=/usr/local/freeradius 
 --exec-prefix=/usr/local/freeradius 
 --with-mysql-include-dir=/usr/local/mysql/include 
 with-openldap-include-dir=/usr/local/openldap

 Every time I do a google search I find answers concerning freeradius 
 installation on  Linux !! Well, I am using Sol 9.

That's because you've picked the last problem, not the first:

 Making static dynamic in rlm_eap...
 make[6]: Entering directory 
 `/usr/local/src/freeradius-1.0.1/src/modules/rlm_eap'
 /usr/local/src/freeradius-1.0.1/libtool --mode=link ld \
 -module -static  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS 
 -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith 
 -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes 
 -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W 
 -Wredundant-decls -Wundef  -I../../include  -I./libeap 
 types/rlm_eap_leap/rlm_eap_leap.a types/rlm_eap_md5/rlm_eap_md5.a 
 rlm_eap.o eap.o mem.o state.o -o rlm_eap.a
 ar cru rlm_eap.a rlm_eap.o eap.o mem.o state.o 
 types/rlm_eap_leap/rlm_eap_leap.a types/rlm_eap_md5/rlm_eap_md5.a 
 types/rlm_eap_leap/rlm_eap_leap.a types/rlm_eap_md5/rlm_eap_md5.a   
 types/rlm_eap_leap/rlm_eap_leap.a types/rlm_eap_md5/rlm_eap_md5.a
 ar: types/rlm_eap_leap/rlm_eap_leap.a is in archive format - embedded 
 archives are not allowed
 ar: types/rlm_eap_md5/rlm_eap_md5.a is in archive format - embedded 
 archives are not allowed
 ar: types/rlm_eap_leap/rlm_eap_leap.a is in archive format - embedded 
 archives are not allowed
 ar: types/rlm_eap_md5/rlm_eap_md5.a is in archive format - embedded 
 archives are not allowed
 ar: types/rlm_eap_leap/rlm_eap_leap.a is in archive format - embedded 
 archives are not allowed
 ar: types/rlm_eap_md5/rlm_eap_md5.a is in archive format - embedded 
 archives are not allowed
 ranlib rlm_eap.a

This batch of errors suggests to me that the toolchain you're using is
not up to the task. I don't think we support non-Gnu toolchains, and in
this case the dynamic linker doesn't appear to support whatever it is we
(or libtool) are trying to do.

Also, this is a recompile, so there may have been previous errors which
are not showing up in the pre-libtool stage. You might need to 'make
clean' and start again from './configure ...' before posting any more
build output, assuming using a Gnu toolchain doesn't solve the problem.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: list-related suggestion

2004-11-10 Thread Paul Hampson
On Wed, Nov 10, 2004 at 01:33:10PM -0500, Samuel Sullivan wrote:
 Hi. I joined this list about a week ago.

 A suggestion for whoever maintains the list...perhaps adding an
 identifying tag to the subject lines of list messages? Something like
 [freeradiuslist] or some-such. Something to make the emails from the
 list easier to identify, and in turn filter to a dedicated folder.

I could be wrong, but I think this was discussed here sometime last
year. Check the list archives, maybe, and see what was said then.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: error in compilation (make)

2004-11-09 Thread Paul Hampson
On Tue, Nov 09, 2004 at 05:49:56PM +0200, Eva Kolega at NTUA wrote:
 I have installed 
 mysql-standard-4.0.21-sun-solaris2.9-sparc-64bit.tar.gz, Apache2, 
 php4.3.9 and openldap.
 The problem is when I try to run make, though configure run ok,

 gcc: sql_mysql.c: linker input file unused because linking not done

Can we have the lines above this? At this point whatever the problem is
has already occurred and so we get the error messages below.

 /usr/local/src/freeradius-1.0.1/libtool --mode=link ld -module -static  
 -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall 
 -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
 -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes 
 -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef  
 -I../.. -I../../../../include -I/usr/local/mysql/include -Xa -xstrconst 
 -mt -D_FORTEC_ -xarch=v9  sql_mysql.o -o rlm_sql_mysql.a
 mkdir .libs
 (cd .  ln -s sql_mysql.lo sql_mysql.o)
 ar cru rlm_sql_mysql.a sql_mysql.o  
 ar: cannot open sql_mysql.o
No such file or directory
 ar: sql_mysql.o not found
 make[10]: *** [rlm_sql_mysql.a] Error 1

-- 
Paul TBBle Hampson, on an alternate email client.



Re: 802.1x and assigning IP address to the supllicant

2004-11-08 Thread Paul Hampson
On Tue, Nov 09, 2004 at 01:39:33AM +0200, iVAN G wrote:
   How do u do LAN 802.1x + IP leasing (dhcp,radius,supplicant)
  
802.1x via RADIUS.
IP leasing via DHCP.
  
They are configured completely independently.

 ]- yeah i know :) i was asking is there a way to combine both
 in a way so that the client (supplicant) can not forge the IP address

That will depend on the switch's ability to only allow traffic from
the authorized IP address through that port, and so it is independent
of RADIUS, unless the switch expects RADIUS to tell it to enable this
mode with a Vendor-Specific Attribute (VSA) of some kind.

I'm assuming from this that the 802.1x-supporting switch will be the
last switch before the 802.1x supplicant devices?

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Ippool Or DHCP Server.

2004-11-03 Thread Paul Hampson
On Wed, Nov 03, 2004 at 07:04:09PM +0800, Chan Min Wai wrote:
 I hope that radius server can talk to the DHCP server and tell the DHCP
 server what ip address to be allocate...

Write a script that adds the authenticated client's MAC address and
the IP Address you've assigned to the DHCP server's config and reloads
the DHCP server. It'll also have to get rid of other stanzas for that
MAC address/IP address (trusting rlm_ippool to know what IP addresses
are free, which means you need to be getting Accounting packets, I
expect.)

This assumes rlm_ippool can even work with 802.1x... What does it use
for NAS-Port?

Put this in an rlm_exec with (wait=1) after your rlm_ippool module.

Again, this assumes 802.1x (did I call it 802.11x earlier???) happens
before DHCP does. ^_^

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Build problem on Debian 3

2004-11-02 Thread Paul Hampson
On Mon, Nov 01, 2004 at 12:22:04PM +0400, rashad wrote:
  Build process breaks down at following point:

  /usr/bin/ld: cannot find -lz
  Where is the problem?

As I recall, libmysqlclient-dev was missing libz-dev as a
dependency in Debian/Woody. You'll need to install it yourself.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Ippool Or DHCP Server.

2004-11-02 Thread Paul Hampson
On Wed, Nov 03, 2004 at 02:19:21PM +0800, Chan Min Wai wrote:
 Dana Hudes wrote:
  On Wed, 3 Nov 2004, Chan Min Wai wrote:
  Go back to the definition of RADIUS: Remote Authentication Dial-In User 
  System. Now think. How do dialup users connect? They use SLIP/PPP.
  PPP has provision for sending the IP address info for the connection. It 
  is part of the NCP (authentication happens in LCP). Now you are connecting
  on an WLAN. There is no PPP. So how can the client get an IP address
  when you set it to 'obtain IP address automatically'?  Same as 
  on a wired LAN: BOOTP or DHCP. The 802.11 MAC doesn't get you IP address.

 I see

 So unless that, this Switch is smart enough to do a PPP connection and
 only then this IP address will be able to be distribute by the switch to
 the client.

No, WLAN has nothing to do with PPP. PPP is the Point to Point Protocol,
it is a protocol for talking over lines with two ends and passing layer3
traffic across them. It is a layer 2 protocol. WLAN uses a different
layer2 protocol (or protocols?), defined in the 802.11 standards.

Well, I guess if someone extended PPPoE to PPPo802.11, then yes? But
that would be very very daft...

 So no other way round to distribute ip address (other than using DHCP
 Server)

In _theory_ the RADIUS server can send an IP address to the AP to give
to the device (via DHCP) but I don't think any do... (Of course, I could
be wrong... 802.1x happens before an IP address is assigned, right?)
If you need a solution like that, maybe a self-built AP using a WLAN
card that lets you use hostAP or similar? Strikes me as a major pain,
frankly.

 my other Question is, how I recorded what IP I've been assign to them
 using that way?

Should be in the Accounting-Start packet. If you don't get an
Accounting-Start packet (which is quite likely _) then no, no way
to record it via RADIUS. You _might_ be able to rlm_exec a script to
go fetch it from the AP's web-based management interface, but that
seems like an awful lot of hard work to me.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Exec-Program output: freeradius not reading response?

2004-10-27 Thread Paul Hampson
On Tue, Oct 26, 2004 at 02:54:45PM -0700, Nate M wrote:
  
  I've done some troubleshooting of my own, and unsure if this is helpful or
  not, but the process appears to be hanging indefinitely until cleaned up
  within this section of threads.c (beginning line 1141).  The line in
  particular it hangs on is the rcode = ... line.  I am not enough of a C
  guru to know where to go from here though.
  
  re_wait:
  rcode = sem_wait(forkers[found].child_done);
  if ((rcode != 0) && (errno == EINTR)) {
  goto re_wait;
  }
  }

  Your time and help in troubleshooting this has been greatly appreciated!
  =)

 Additionally.. I just compiled 2.4.27 kernel on this machine and the problem
 stops.  2.6.5, 2.6.8.1 and 2.6.9 all vomit.  2.6 bug perhaps?

Hmm. It might be an NPTL issue... Try setting the following environment
variable for FreeRADIUS and see if that fixes it:
LD_ASSUME_KERNEL=2.4.1
(This _should_ make it run with LinuxThreads, rather than NPTL.)

(See http://people.redhat.com/drepper/assumekernel.html for details of
what LD_ASSUME_KERNEL does.)

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Exec-Program-Wait question and rlm_exec

2004-10-27 Thread Paul Hampson
On Tue, Oct 26, 2004 at 05:17:57PM +0300, Kostas Zorbadelos wrote:
 On Tue, Oct 26, 2004 at 10:20:48AM -0400, Alan DeKok wrote:
  Kostas Zorbadelos [EMAIL PROTECTED] wrote:
   First of all I have a question for Exec-Program-Wait. I need to run an
   external C program that expects in its environment a proper
   LD_LIBRARY_PATH to run. I followed the obvious solution of using a
   wrapper bash shell script, that sets the environment and calls the C
   program via exec. Can I avoid this?

No.

I'd suggest adding a patch to rlm_exec, so that it can take a
  configuration directive for LD_LIBRARY_PATH, and maybe others.

   The second thing I want to bring up again is the rlm_exec module. Back
   in September (thread rlm_exec vs Exec-Program-Wait attribute)
   summarized in
   http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00161.html,  
   a set of changes to rlm_exec were proposed to also handle the case of
   having attributes in access-reject.
   Are these changes going to be accepted finally and if so in which
   version?

Probably, but I haven't had time to look over them yet.  If
  sufficient people use the patch and like it, it can be added.

 Actually the conversation in that thread ended by mentioning the ideas
 rlm_exec should follow. I didn't see any patch that implemented
 them. If there is such a patch please direct me to it and I
 will test it.

My patch was here:
http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00132.html
and the conversation suggested the following changes:

Return RLM_MODULE_OK when result == 0 and RLM_MODULE_FAIL when result >
RLM_MODULE_NUMCODES

Change return 1 in src/main/exec.c line 390 to return 2 so a failed
execute returns RLM_MODULE_FAIL rather than RLM_MODULE_REJECT. (As
suggested above the patch.)

The disadvantage of my patch is that the values returned are actually
one higher than the values in the header (eg 1-based instead of 0-based)
I did this so that programs returning 0 (The normal case) wouldn't
suddenly start failing. And I'm not happy about it, but cannot see a
better way. (If only FreeRADIUS defined RLM_MODULE_OK as 0... =^_^=)

I'm sorry, but I've not had a chance to either commit it or even give it
a thorough testing. It's a simple enough patch that I feel it is already
correct, but I'll not commit it myself until someone uses it and gives a
report that it works OK. (The use to which I intended to put it myself
is now on hold, pending business decisions. And it'll need the new-type
SQL group handling support too, and I can't recall if that's gone in yet
either. _)

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Debian .rules file for building postgres support?

2004-10-24 Thread Paul Hampson
On Mon, Oct 25, 2004 at 01:31:06PM +1000, Tech wrote:
 Does anybody have a modified .rules file for building a 1.0.1 .deb with 
 Postgres support? Thanks in advance.

You'll find one in the freeradius 1.0.1 release on the FreeRADIUS
website.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Problem : segmentation fault

2004-10-08 Thread Paul Hampson
On Fri, Oct 08, 2004 at 06:28:17AM +, atul dhingra wrote:
[Some HTML stuff]

Please don't post HTML-only.

Anyway, try OpenSSL 0.9.7... From memory it's required by
something in there.

Otherwise, after reading the mailing list rules, there's a
document (bugs.txt?) which describes how to report this sort
of problem in a way that lets us help solve it.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Exec-Program and iproute2

2004-10-06 Thread Paul Hampson
On Tue, Oct 05, 2004 at 04:59:13PM -0700, Ivo Petrov wrote:
 Thanks for advice but in radiusd.conf I wrote:
 
 user root
 group root
 
 and radiusd runs as root or that is not enough.
 I tried running simple script and it works, but 
 when I change the script with the one that makes
 shaping then nothing happens. 
 Forgive me but I didn't understand how to use the wrapper.
 Can you tell me how to do it.

If you're using a script to run the shaping code, just
make it output its variables and things into a temporary
file, so that when it runs you can check that it's not
doing anything wrong or surprising.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Exec-Program help

2004-10-06 Thread Paul Hampson
On Tue, Oct 05, 2004 at 05:02:55PM -0700, Ivo Petrov wrote:
 Thanks much but I need the script executed after
 successful authentication not before that. Any way
 thanks my simple script was executed correctly.

You might want to look at rlm_exec, which gives better
control on when the script is executed.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Net-SNMP Support

2004-10-06 Thread Paul Hampson
On Wed, Oct 06, 2004 at 02:48:30PM -, David wrote:
 I have been running FreeRadius version 1.0.0 with SNMP support
 enabled using UCD-SNMP.  Will version 1.0.0 work with Net-SNMP
 now?

No, but 1.1.0 does, as do the 1.0.0 and 1.0.1 Debian packaged
versions (although it is disabled for license reasons).

Here's the patch. (Sorry if it gets mangled by my terminal. _)
(It's against 1.0.1, but 1.0.0 should be the same, give or take)

If it won't apply, leave out the patch to configure, and then
regenerate it using autoconf2.13.

--- freeradius-1.0.1.orig/aclocal.m4
+++ freeradius-1.0.1/aclocal.m4
@@ -3770,6 +3770,7 @@
 #ifdef HAVE_UNISTD_H
 #include unistd.h
 #endif
+#include ucd-snmp/ucd-snmp-config.h
 #include ucd-snmp/asn1.h
 #include ucd-snmp/snmp.h
 #include ucd-snmp/snmp_impl.h],
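Review bot: the added `#include ucd-snmp/ucd-snmp-config.h` is unconditional inside the UCD-SNMP branch of the configure probe, so an installation whose ucd-snmp/ directory does not ship that header will now fail the compile test and SNMP support will be switched off without any error. Probing for that header separately (its own header check, with an #ifdef around the include in the test program) would let both old UCD-SNMP layouts and Net-SNMP compat layouts pass.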
@@ -3800,6 +3801,7 @@
 #ifdef HAVE_UNISTD_H
 #include unistd.h
 #endif
+#include ucd-snmp/ucd-snmp-config.h
 #include ucd-snmp/asn1.h
 #include ucd-snmp/snmp.h
 #include ucd-snmp/snmp_impl.h],
--- freeradius-1.0.1.orig/src/include/radius_snmp.h
+++ freeradius-1.0.1/src/include/radius_snmp.h
@@ -11,6 +11,7 @@
 #include   snmp_impl.h
 #else
 #ifdef HAVE_UCD_SNMP_ASN1_SNMP_SNMPIMPL_H
+#include   ucd-snmp/ucd-snmp-config.h
 #include   ucd-snmp/asn1.h
 #include   ucd-snmp/snmp.h
 #include   ucd-snmp/snmp_impl.h
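Review bot: this hunk is the one place the new include goes into code compiled into radiusd rather than into a configure probe, and it is added without a guard. If the probe in aclocal.m4 ends up testing for ucd-snmp/ucd-snmp-config.h separately, this include needs the matching #ifdef, otherwise a build configured against a library lacking the header fails at compile time instead of at configure time. A one-line comment on why the header has to precede asn1.h would also help, since nothing in the hunk says so.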
--- freeradius-1.0.1.orig/configure
+++ freeradius-1.0.1/configure
@@ -8252,6 +8252,7 @@
 #ifdef HAVE_UNISTD_H
 #include unistd.h
 #endif
+#include ucd-snmp/ucd-snmp-config.h
 #include ucd-snmp/asn1.h
 #include ucd-snmp/snmp.h
 #include ucd-snmp/snmp_impl.h
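Review bot: from this hunk on the patch carries the regenerated configure script, and every remaining hunk in that file apart from the ones adding the include is a `#line`/`configure:NNNN` renumbering. Those will not apply against a configure generated with a slightly different autoconf, which is why the covering mail already says to drop them and rerun autoconf2.13. Posting only the aclocal.m4 and radius_snmp.h changes and leaving configure to be regenerated by whoever commits would make the patch smaller and immune to those offsets.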
@@ -8259,7 +8260,7 @@
  int a = 1;
 ; return 0; }
 EOF
-if { (eval echo configure:8263: \$ac_compile\) 15; (eval $ac_compile) 25; }; 
then
+if { (eval echo configure:8264: \$ac_compile\) 15; (eval $ac_compile) 25; }; 
then
   rm -rf conftest*
   SNMP_INCLUDE=;ucdsnmp=yes
 else
@@ -8275,7 +8276,7 @@
   for try in /usr/include /usr/local/include $snmp_include_dir; do
 CFLAGS=$old_CFLAGS -I$try
 cat  conftest.$ac_ext EOF
-#line 8279 configure
+#line 8280 configure
 #include confdefs.h
 
 #ifdef HAVE_SYS_TYPES_H
@@ -8293,6 +8294,7 @@
 #ifdef HAVE_UNISTD_H
 #include unistd.h
 #endif
+#include ucd-snmp/ucd-snmp-config.h
 #include ucd-snmp/asn1.h
 #include ucd-snmp/snmp.h
 #include ucd-snmp/snmp_impl.h
@@ -8300,7 +8302,7 @@
  int a = 1;
 ; return 0; }
 EOF
-if { (eval echo configure:8304: \$ac_compile\) 15; (eval $ac_compile) 25; }; 
then
+if { (eval echo configure:8306: \$ac_compile\) 15; (eval $ac_compile) 25; }; 
then
   rm -rf conftest*
   SNMP_INCLUDE=-I$try;ucdsnmp=yes
 else
@@ -8322,7 +8324,7 @@
   for try in /usr/include/ucd-snmp /usr/local/include/ucd-snmp
$snmp_include_dir; do
 CFLAGS=$old_CFLAGS -I$try
 cat  conftest.$ac_ext EOF
-#line 8326 configure
+#line 8328 configure
 #include confdefs.h
 
 #ifdef HAVE_SYS_TYPES_H
@@ -8347,7 +8349,7 @@
  int a = 1;
 ; return 0; }
 EOF
-if { (eval echo configure:8351: \$ac_compile\) 15; (eval $ac_compile) 25; }; 
then
+if { (eval echo configure:8353: \$ac_compile\) 15; (eval $ac_compile) 25; }; 
then
   rm -rf conftest*
   SNMP_INCLUDE=;ucdsnmp=no
 else
@@ -8369,7 +8371,7 @@
   for try in /usr/include/ucd-snmp /usr/local/include/ucd-snmp
$snmp_include_dir; do
 CFLAGS=$old_CFLAGS -I$try
 cat  conftest.$ac_ext EOF
-#line 8373 configure
+#line 8375 configure
 #include confdefs.h
 
 #ifdef HAVE_SYS_TYPES_H
@@ -8394,7 +8396,7 @@
  int a = 1;
 ; return 0; }
 EOF
-if { (eval echo configure:8398: \$ac_compile\) 15; (eval $ac_compile) 25; }; 
then
+if { (eval echo configure:8400: \$ac_compile\) 15; (eval $ac_compile) 25; }; 
then
   rm -rf conftest*
   SNMP_INCLUDE=-I$try;ucdsnmp=no
 else
@@ -8428,19 +8430,19 @@
 
   fi
   echo $ac_n checking for snmp_build_var_op in -lsnmp... $ac_c 16
-echo configure:8432: checking for snmp_build_var_op in -lsnmp 5
+echo configure:8434: checking for snmp_build_var_op in -lsnmp 5
 
   old_LIBS=$LIBS
   LIBS=$old_LIBS -lsnmp
   cat  conftest.$ac_ext EOF
-#line 8437 configure
+#line 8439 configure
 #include confdefs.h
 extern char snmp_build_var_op();
 int main() {
  snmp_build_var_op()
 ; return 0; }
 EOF
-if { (eval echo configure:8444: \$ac_link\) 15; (eval $ac_link) 25; }  test 
-s conftest${ac_exeext}; then
+if { (eval echo configure:8446: \$ac_link\) 15; (eval $ac_link) 25; }  test 
-s conftest${ac_exeext}; then
   rm -rf conftest*
   SNMP_LIBS=-lsnmp
 else
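Review bot: the library probe is still hard-wired to `LIBS=$old_LIBS -lsnmp` and the symbol snmp_build_var_op, so after the header fix the link test only succeeds where the installed Net-SNMP also provides a library named libsnmp. Net-SNMP's own library is libnetsnmp; unless the probe also tries that name, the search falls through to the failure branch and SNMP support is dropped silently, which defeats the purpose stated in the mail.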
@@ -8455,14 +8457,14 @@
 for try in /usr/lib /usr/local/lib /usr/local/snmp/lib
$snmp_lib_dir; do
   LIBS=$old_LIBS -L$try -lsnmp
   cat  conftest.$ac_ext EOF
-#line 8459 configure
+#line 8461 configure
 #include confdefs.h
 extern char snmp_build_var_op();
 int main() {
  snmp_build_var_op()
 ; return 0; }
 EOF
-if { (eval echo configure:8466: \$ac_link\) 15; (eval $ac_link) 25; }  test 
-s conftest${ac_exeext}; then
+if { (eval echo configure:8468: \$ac_link\) 15; (eval $ac_link) 25; }  test 
-s conftest${ac_exeext}; then
   rm -rf conftest*
   SNMP_LIBS=-L$try -lsnmp
 else
@@ -8477,14 
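Review bot: the archived copy stops at the hunk header `@@ -8477,14` with no body, so the patch as posted here cannot be applied as-is; anyone picking it up needs the complete hunk or, as the mail suggests, should drop the configure part entirely and regenerate it.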

Re: Exec-Program and iproute2

2004-10-04 Thread Paul Hampson
On Sun, Oct 03, 2004 at 02:22:17AM -0700, Ivo Petrov wrote:
 Hi all,
 
 I'm trying to shape ppp+ interfaces after successful
 authentication using Exec-Program. radiusd runs as
 root,
 in mysql radreply table the last row for the user
 contains: Exec-Program = '/etc/ppp/shd %f'. Freeradius
 version is 1.0.1,MySQL 4.0.21, Slackware 10, pptpd
 1.2.1, iproute2(ip, tc).
 When user connects to the pptpd everything is OK, link
 goes up, but the ppp interface is not shaped. If I run
 shaping script outside the radius it works. In
 radius.log the stage of executing the script is noted
 with correctly transferred value of attribute %f,
 script is owned by root(same as radiusd), there isn't
 an error of any kind, but this automation doesn't
 work. 

radiusd may be owned by root, but FreeRADIUS may be set
to drop permissions.

I'd suggest a wrapper script that logs calls so you can
see what's happening or not happening.

 Can anyone tell me where the mistake or my
 misunderstanding in implementing the Exec-Program
 attribute could be.

-- 
Paul TBBle Hampson, on an alternate email client.
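The logging wrapper suggested in this reply, and again in the 6 October reply further up the page ("make it output its variables and things into a temporary file"), written out as an added example; it is not part of the original posts or of FreeRADIUS itself. It assumes the real script is /etc/ppp/shd (the path from the question) and logs to /var/log/radius/exec-wrapper.log (an assumed location); both can be overridden from the environment. The environment radiusd hands to the child contains expanded request attributes, so the log is created with mode 0600. Installed in place of the real script in the Exec-Program attribute, it shows which uid the program actually ran as, what it was given, and what it returned, which is exactly the information missing from the report above.

```sh
#!/bin/sh
# Added example: logging wrapper for an Exec-Program target.
# REAL_PROGRAM and LOGFILE are assumed values; override them via the environment.
REAL_PROGRAM="${REAL_PROGRAM:-/etc/ppp/shd}"
LOGFILE="${LOGFILE:-/var/log/radius/exec-wrapper.log}"

# Append one record describing the current invocation: the uid/gid we run
# as, the working directory, the arguments radiusd expanded, and the
# environment it passed (which carries request attributes, hence umask 077).
log_invocation() {
    umask 077
    {
        printf 'time=%s uid=%s gid=%s pwd=%s args=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -u)" "$(id -g)" "$PWD" "$*"
        printf 'env=%s\n' "$(env | tr '\n' ' ')"
    } >> "$LOGFILE"
}

# Run the real program with the same arguments, record its exit status,
# and return that status unchanged so radiusd still sees the real result.
run_wrapped() {
    prog=$1
    shift
    log_invocation "$@"
    "$prog" "$@"
    status=$?
    printf 'exit=%s prog=%s\n' "$status" "$prog" >> "$LOGFILE"
    return "$status"
}

# Exit status of the most recent wrapped run, read back from the log.
last_exit_status() {
    sed -n 's/^exit=\([0-9]*\) .*/\1/p' "$LOGFILE" | tail -n 1
}

# Entry point when radiusd executes this file as the Exec-Program target
# (it always passes at least the expanded attribute argument). When the
# file is sourced with "." to reuse the functions, $1 is empty and nothing runs.
if [ -n "${1:-}" ]; then
    run_wrapped "$REAL_PROGRAM" "$@"
fi
```

The wrapper deliberately does not use exec, so that the exit status of the real program can be logged before it is handed back; a script that exits non-zero is the usual reason an Exec-Program call appears to do nothing.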



Re: Exec-Program help

2004-10-04 Thread Paul Hampson
On Mon, Oct 04, 2004 at 02:20:49AM -0700, Ivo Petrov wrote:
 I have a problem using Exec-Program. I've put the line
 in radreply table
 (4,'test1','Exec-Program',':=','/path/script') but the
 script was not executed.

 Can anybody tell me why?

 script :
 #!/bin/bash
 ps aux | grep radiusd  result

 When I executed the script from the shell(Linux) it
 works but nothing happens when it is called from
 radiusd.

Are you sure it didn't run... Try redirecting to an
absolute path rather than relative... Somewhere the
user FreeRADIUS is running as has permission to use.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: ip pools question

2004-09-21 Thread Paul Hampson
On Wed, Sep 22, 2004 at 04:20:23AM -0700, Evren Yurtesen wrote:
 Hello,

 I want to use the freeradius ip pools.
 I just wonder something though: every ip pool name I define should be 
 included in the accounting and post-auth sections?

 It's kind of confusing, what's the point of defining the Pool-Name 
 attribute in users file and then define the same name in accounting and 
 post-auth sections?

The Pool-Name attribute is attached to a RADIUS request, and is checked
by the rlm_ippool module before any action is taken. Its existence does
not depend on the rlm_ippool module, but nothing else (to my knowledge)
uses it.

Putting the pool name into the sections of the config file triggers the
instance of the rlm_ippool module to act upon the current request, as it
passes through that stage of processing.

rlm_ippool allocates IP addresses when called from post-auth, and marks
IP addresses as free again when called from accounting.

I hope that clarifies things.

-- 
Paul TBBle Hampson, on an alternate email client.
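The three pieces the reply describes, put together as an added example (not from the original post): the pool instance in radiusd.conf, the same instance listed in post-auth and accounting, and a users entry that attaches Pool-Name so the instance acts on that request. The instance name main_pool, the address range and the Group check are illustrative values; the parameter names follow the ippool section of the FreeRADIUS 1.x radiusd.conf.

```text
# radiusd.conf, modules section: the pool itself. The instance name
# (main_pool) is what the other sections and the users file refer to.
modules {
    ippool main_pool {
        range-start = 192.168.1.10
        range-stop  = 192.168.1.254
        netmask     = 255.255.255.0
        cache-size  = 800
        session-db  = ${raddbdir}/db.ippool
        ip-index    = ${raddbdir}/db.ipindex
        override    = no
        maximum-timeout = 0
    }
}

# Listing the instance here is what makes it look at the request at that
# stage: post-auth hands out an address, accounting gives it back.
post-auth {
    main_pool
}

accounting {
    main_pool
}

# users file: Pool-Name is a check item, so it goes on the first line
# beside the other checks. Requests without a Pool-Name matching the
# instance are left alone (the module returns noop for them).
DEFAULT Group == "students", Pool-Name := "main_pool"
        Fall-Through = Yes
```

One instance per pool and one Pool-Name value per instance is the whole mapping; a request that reaches post-auth without Pool-Name never gets an address from any pool.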



Re: debian packages for woody and sarge

2004-09-20 Thread Paul Hampson
On Mon, Sep 20, 2004 at 05:30:10AM -0700, Aime wrote:
 Thanks for the suggestion.
 Now I progressed a little bit compiling freeradius on
 Woody.
 
 The problem I am having now is about mysql.
 What library must be in place?

libmysqlclient-dev I think... The one below looks
right... What's the error?

 This is what i have :

 ii  libmysqlclient 3.23.49-8.7mysql database
 development files

-- 
Paul TBBle Hampson, on an alternate email client.



Re: debian packages for woody and sarge

2004-09-19 Thread Paul Hampson
On Sun, Sep 19, 2004 at 08:24:13AM -0700, Aime wrote:
 OK. I did what you suggested but now I have problem
 with OpenSSL. It cannot find OpenSSL. But it is there,
 I know.
 I just compiled Openssl on the machine.

Do you also have the OpenSSL package? I'd suggest not
building a local copy, but using the 0.9.7 packaged in
Woody. That'll keep you in security fixes too. ^_^

 How can I use dpkg-buildpackage -uc -us -b -rfakeroot
 but forcing configure to use parameter 
 --with-openssl-includes=/usr/local/openssl/include ?

You add that configure option to debian/rules. Don't
forget the trailing backslash for the previous line. ^_^

-- 
Paul TBBle Hampson, on an alternate email client.



Re: debian packages for woody and sarge

2004-09-18 Thread Paul Hampson
On Sat, Sep 18, 2004 at 05:40:02AM -0700, Aime wrote:
 Hello Marcus, 
 
 Please can you layout here the steps you did to get
 freeradius compiled on Woody.
 
 I tried what you said in your mail (by commenting 
 dh_installpam --name=radiusd ), but still get
 dependency problems about libsasl2-dev and debhelper.

After removing the dh_installpam line, you can take
the versioning off the debhelper dependency.

And for woody, change libsasl2-dev to libsasl-dev.

Then dpkg-buildpackage -us -uc -b -rfakeroot should work.

I'd also recommend adding a new debian/changelog entry,
so you can tell your package from anyone else's. ^_^

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Status bug #122

2004-09-12 Thread Paul Hampson
On Sun, Sep 12, 2004 at 04:34:30PM +0200, Thor Spruyt wrote:
 Regarding bug #122, which actually isn't a bug, but rather an enhancement...

 Will the patch in bug #122 be applied so the changes are in 1.0.1?

The only justification I can see to put this into 1.0.1 is if it's
invalid to have two Reply-Message attributes in a RADIUS reply.

 If it can't make 1.0.1, what has to be done in order to get it into the next
 release?

A good and clear explanation why rlm_exec does not and cannot fulfill
your requirement. Unless I am mistaken, Exec-Program-Wait is deprecated,
in favour of rlm_exec, so I'm not inclined towards accepting
enhancements to it myself.

I speak only for myself here.

-- 
Paul TBBle Hampson, on an alternate email client.


