Re: Problems Using Digest-HA1 with MySQL storage backend
That fixed it, thank you Alan Tavis, could you please fill a 1.4.2 paragraph in the wiki that describes your FR setup with an SQL backend? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Regarding on Auth-Type 'digest' in authenticate section
On 5/10/06, raviprakash sunkara [EMAIL PROTECTED] wrote:

> Hello Everybody,
>
> I'm working on Openser currently. Now I integrated FreeRadius in openser. I installed freeradius and radiusclient-ng in to box..
>
> In client.conf file
> - - - - - - - - - - - - - - - - -
> client 192.168.2.55 {
>     secret = radiustest
>     shortname = hyperion.
>     nastype =other.
> }
>
> users file
> - - - - - - - - - - - - - - - - -
> test Auth-Type :=Accept, Service-Type == SIP-Caller-AVPs testNAS-IP-Address == 192.168.2.55 , Auth-Type := Digest, Password == test, Reply-Message == Hello 777 user id testing the radius server in openser. bbye
> * * * * ** * * * * * * * * * * * * * * * *

Try this in the users file :

test User-Password := test
    Reply-Message == Hello 777 user id testing the radius server in openser. bbye

Auth-Type is not necessary, but set it to digest instead of Digest if you really want it.

Philippe
Re: Using a LDAP attribute value as the complete HA1 digest string
In order to avoid confusion, you might want to store a 'digestHA1' LDAP attribute in your LDAP directory, and tell FreeRADIUS to map this attribute to Digest-HA1 by inserting this line in your ldap.attrmap file :

checkItem Digest-HA1 digestHA1

Note that you *must* store a 32 bytes text string in 'digestHA1'.

Philippe
Re: FreeRadius-1.1.0 - rlm_digest with MD5 passwords in a MySQL db
Hi Evan,

I don't have much experience with the FR 'sql' module. I know it is possible to achieve what you want using LDAP as a backend database. In this case, the password is mapped to an LDAP attribute (ex. userPassword), which value is pulled out during the 'authorize' process. I don't know whether a similar operation can be expected with 'sql', maybe someone else has an answer.

On 1/23/06, Evan Borgström [EMAIL PROTECTED] wrote:

> Hey All,
>
> I've been spending my day trying to get rlm_digest to work with encrypted passwords in a MySQL database. When I use the User-Password attribute with a plain text password then digest authentication works fine, however when I change the attribute to MD5-Password I get the following on the console when running radiusd -X;
>
> rlm_digest: Configuration item User-Password or MD5-Password is required for authentication.

Just for testing purpose, have you tried using the 'users' file?

> So, how do I get encrypted password storage to work? Does anyone have any pointers on where to go from here?

The following URL might help : http://wiki.freeradius.org/index.php/Digest

Regards,
Philippe
Re: Freeradius Configure Help me
On 12/22/05, Kai Geek [EMAIL PROTECTED] wrote:

> Hello, i am install Slackware 10.2 on freeradius server.

In this order?

> [EMAIL PROTECTED]:/etc/raddb# radiusd
> Thu Dec 22 12:07:48 2005 : Info: Starting - reading configuration files ...
> [EMAIL PROTECTED]:/etc/raddb#

You successfully launched the radiusd daemon. Try radiusd -X to keep output to your terminal.

Bye,
Philippe
Re: Freeradius Configure Help me
> Errors reading dictionary: dict_init: /usr/share/freeradius/dictionary[14]: Couldn't open dictionary /usr/share/freeradius/dictionary: Too many open files

It is not a FreeRADIUS problem. You should check your system limits values with ulimit and/or sysctl.

Bye,
Philippe
Re: (no subject)
Hi, Josh.

The following describes the 'group lock' feature, considering a Cisco VPN 3000 concentrator and a RADIUS server (check the RADIUS Class attribute) :
http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

It is mentioned hereafter that the Cisco PIX Security Appliance supports RADIUS group locking :
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_data_sheet0900aecd801a9de9.html

It looks like your RADIUS client is actually a Cisco PIX SA (beware of Cisco's terminology though), so I hope this can help you solve your problem.

Regards,
Philippe
Re: Question on FreeRADIUS digest authentication with SIP proxy
Hi, Cheng.

Maybe you can check the proposed patch for current CVS version if you find some time:
http://bugs.freeradius.org/show_bug.cgi?id=287

It avoids the digest module configuration option given earlier (in the FreeRADIUS 1.0.5 patch), and uses the MD5-Password attribute to store H(username:realm:password). Note that it has been tested with option 'auto_header' in radiusd.conf set to 'yes', as the 'password_header' option is deprecated in CVS. I also successfully tested it along with an LDAP server, with password pullout during the authorization process.

Thank you for your feedback regarding this problem,

Regards,
Philippe

On 10/12/05, Philippe Sultan [EMAIL PROTECTED] wrote:

> ok Cheng. Note that it should be fixed in the CVS version within a few days, without changing the configuration of rlm_digest. The MD5-Password (present in CVS) fits our need in this case, I will try to bring a fix next week including LDAP password pullout during authorization.
>
> Bye,
> Philippe
>
> On 10/12/05, Cheng Zhang [EMAIL PROTECTED] wrote:
>
>> Thanks Philippe. It works for me as well. I will also let people on serusers and openser-users mailing lists to know. Without your patch, AFAIK, the password has to be in clear text form if using RADIUS to do the authentication.
>>
>> Thanks again.
>>
>> On 10/12/05, Philippe Sultan [EMAIL PROTECTED] wrote:
>>
>>> Hi, Chen.
>>>
>>> There is ongoing discussion on this topic :
>>> http://lists.freeradius.org/pipermail/freeradius-users/2005-October/047606.html
>>>
>>> You might also want to check this, for information related to digest authentication with RADIUS and LDAP :
>>> http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html
>>>
>>> Bye,
>>> Philippe
Re: Question on FreeRADIUS digest authentication with SIP proxy
ok Cheng. Note that it should be fixed in the CVS version within a few days, without changing the configuration of rlm_digest. The MD5-Password (present in CVS) fits our need in this case, I will try to bring a fix next week including LDAP password pullout during authorization.

Bye,
Philippe

On 10/12/05, Cheng Zhang [EMAIL PROTECTED] wrote:

> Thanks Philippe. It works for me as well. I will also let people on serusers and openser-users mailing lists to know. Without your patch, AFAIK, the password has to be in clear text form if using RADIUS to do the authentication.
>
> Thanks again.
>
> On 10/12/05, Philippe Sultan [EMAIL PROTECTED] wrote:
>
>> Hi, Chen.
>>
>> There is ongoing discussion on this topic :
>> http://lists.freeradius.org/pipermail/freeradius-users/2005-October/047606.html
>>
>> You might also want to check this, for information related to digest authentication with RADIUS and LDAP :
>> http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html
>>
>> Bye,
>> Philippe
Re : Crypted Password Problem with DIGEST
Hi, Meltem.

DIGEST mode does not work with encrypted passwords. However, one way to have an encrypted password storage is to store a hash value of the username:realm:password string in the User-Password field of your entry. digest module configuration must include this line :

digest {
    enc_mode=yes
}

Auth-Type might be set to Digest, but it is not necessary since Freeradius will trigger the rlm_digest module when parsing the Access-Request.

If you want to build the hash value, try this command :

echo -n 'username:realm:password' | md5sum

You might want to test this patch for that purpose :
http://bugs.freeradius.org/show_bug.cgi?id=287

Please give some feedback if you ever test it, since I suspect some modifications are needed. The advice of Freeradius managers is also needed, since a configuration option to the rlm_digest module has been added.

Best regards,
Philippe

--- Mon, 10 Oct 2005 01:25:09 -0700

Hello,

I am using SIP Express Router(SER) version 0.9.3 and freeRADIUS version 1.0.4. SIP uses digest as authentication scheme. I am trying to keep the user passwords as encrypted in freeRadius DB which is mySql table radcheck. The system is working with plaintext password, but it does not work with encrypted passwords even I tried all type of configurations.

My first question is Does DIGEST work with ENCRYPTED PASSWORDS ??? Since Digest is a must for SIP. If NOT, what authentication scheme can I use to make SIP work with freeRADIUS?

If DIGEST works with encrypted passwords, what should be the configuration files:

1) in radiusd.conf ?
2) What should be the value of Auth-Type parameter in radcheck or radgroupchek tables ?
3) What should be the attribute for password in radcheck table ? Is it User-Password or Chap-Password or Crypt-Password ??

I'll appreciate very much if anyone can help.

Regards,
Meltem Kirisci
Re: Re : Crypted Password Problem with DIGEST
> I'll add a similar patch to the CVS head, which already has a MD5-Password attribute defined. So no configuration changes are required there.

Certainly more appropriate. However, if one wants to store H(username:realm:password) in LDAP as a userPassword attribute (this is our case at INRIA), will the MD5-Password be replaced by the retrieved attribute during the Authorization phase and then computed by rlm_digest?

As far as I know from testing, the userPassword LDAP value replaces the User-Password RADIUS value if the line

password_attribute = userPassword

is set in the ldap module configuration section, if ldap is activated in Authorization. This is the reason why we patched the digest module to have the User-Password value modified. We might need then to adjust the ldap module configuration as well if we want to store encrypted passwords in an LDAP server. Right?

Best Regards,
Philippe Sultan
INRIA