Re: Problems Using Digest-HA1 with MySQL storage backend

2006-06-15 Thread Philippe Sultan

That fixed it, thank you Alan


Tavis, could you please fill a 1.4.2 paragraph in the wiki that
describes your FR setup with an SQL backend?
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Regarding on Auth-Type 'digest' in authenticate section

2006-05-10 Thread Philippe Sultan

On 5/10/06, raviprakash sunkara [EMAIL PROTECTED] wrote:

Hello Everybody,

I'm currently working on Openser. I have now integrated FreeRadius into openser.

I installed freeradius and radiusclient-ng on the box.

In client.conf file
- - - - - - - - - - - - - - - - -
client 192.168.2.55  {
 secret = radiustest
  shortname = hyperion.
 nastype =other.
}

users file
- - - - - - - - - - - - - - - - -
 test   Auth-Type :=Accept,
Service-Type ==  SIP-Caller-AVPs
testNAS-IP-Address == 192.168.2.55 , Auth-Type := Digest, Password
== test,
   Reply-Message == Hello  777 user id testing the radius server in
openser. bbye
* * * * ** * * * * * * * * * * * * * * *  *


Try this in the users file :

test User-Password := test
  Reply-Message == Hello  777 user id testing the radius
server in openser. bbye

Auth-Type is not necessary, but set  it to digest instead of
Digest if you really want it.

Philippe



Re: Using a LDAP attribute value as the complete HA1 digest string

2006-03-21 Thread Philippe Sultan
In order to avoid confusion, you might want to store a 'digestHA1'
LDAP attribute in your LDAP directory, and tell FreeRADIUS to map this
attribute to Digest-HA1 by inserting this line in your ldap.attrmap
file :

checkItem  Digest-HA1 digestHA1

Note that you *must* store a 32 bytes text string in 'digestHA1'.

Philippe



Re: FreeRadius-1.1.0 - rlm_digest with MD5 passwords in a MySQL db

2006-01-23 Thread Philippe Sultan
Hi Evan,

I don't have much experience with the FR 'sql' module. I know it is
possible to achieve what you want using LDAP as a backend database. In
this case, the password is mapped to an LDAP attribute (e.g.
userPassword), whose value is pulled out during the 'authorize'
process. I don't know whether a similar operation can be expected with
'sql', maybe someone else has an answer.

On 1/23/06, Evan Borgström [EMAIL PROTECTED] wrote:
 Hey All,

I've been spending my day trying to get rlm_digest to work with
 encrypted passwords in a MySQL database. When I use the User-Password
 attribute with a plain text password then digest authentication works
 fine, however when I change the attribute to MD5-Password I get the
 following on the console when running radiusd -X;

 rlm_digest: Configuration item User-Password or MD5-Password is
 required for authentication.

Just for testing purpose, have you tried using the 'users' file?

So, how do I get encrypted password storage to work? Does anyone have
 any pointers on where to go from here?

The following URL might help :
http://wiki.freeradius.org/index.php/Digest

Regards,

Philippe



Re: Freeradius Configure Help me

2005-12-22 Thread Philippe Sultan
On 12/22/05, Kai Geek [EMAIL PROTECTED] wrote:
 Hello,
 i am install Slackware 10.2 on freeradius server.

In this order?

 [EMAIL PROTECTED]:/etc/raddb# radiusd
 Thu Dec 22 12:07:48 2005 : Info: Starting - reading configuration files ...
 [EMAIL PROTECTED]:/etc/raddb#

You successfully launched the radiusd daemon. Try radiusd -X to keep
output to your terminal.

Bye,

Philippe



Re: Freeradius Configure Help me

2005-12-22 Thread Philippe Sultan
 Errors reading dictionary: dict_init: /usr/share/freeradius/dictionary[14]:
 Couldn't open dictionary /usr/share/freeradius/dictionary: Too many open files

It is not a FreeRADIUS problem. You should check your system limits
values with ulimit and/or sysctl.

Bye,

Philippe



Re: (no subject)

2005-12-07 Thread Philippe Sultan
Hi, Josh.

The following describes the 'group lock' feature, considering a Cisco
VPN 3000 concentrator and a RADIUS server (check the RADIUS Class
attribute) :
http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

It is mentioned hereafter that the Cisco PIX Security Appliance
supports RADIUS group locking :
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_data_sheet0900aecd801a9de9.html

It looks like your RADIUS client is actually a Cisco PIX SA (beware of
Cisco's terminology though), so I hope this can help you solve your
problem.

Regards,

Philippe



Re: Question on FreeRADIUS digest authentication with SIP proxy

2005-10-18 Thread Philippe Sultan
Hi, Cheng.

Maybe you can check the proposed patch for current CVS version if you find some time:
http://bugs.freeradius.org/show_bug.cgi?id=287

It avoids the digest module configuration option given earlier (in the FreeRADIUS 1.0.5 patch), and uses the MD5-Password attribute to store H(username:realm:password).
Note that it has been tested with option 'auto_header' in radiusd.conf set to 'yes', as the 'password_header' option is deprecated in CVS.
I also successfully tested it along with an LDAP server, with password pullout during the authorization process.

Thank you for your feedback regarding this problem,

Regards,

Philippe
On 10/12/05, Philippe Sultan [EMAIL PROTECTED] wrote:

ok Cheng.

Note that it should be fixed in the CVS version within a few days, without changing the configuration of rlm_digest.
The MD5-Password (present in CVS) fits our need in this case, I will try to bring a fix next week including LDAP password pullout during authorization.

Bye,

Philippe
On 10/12/05, Cheng Zhang [EMAIL PROTECTED] wrote:

Thanks Philippe. It works for me as well. I will also let people on the serusers and openser-users mailing lists know. Without your patch, AFAIK, the password has to be in clear text form if using RADIUS to do the authentication.

Thanks again.

On 10/12/05, Philippe Sultan [EMAIL PROTECTED] wrote:

Hi, Chen.

There is ongoing discussion on this topic :
http://lists.freeradius.org/pipermail/freeradius-users/2005-October/047606.html

You might also want to check this, for information related to digest authentication with RADIUS and LDAP :
http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html

Bye,

Philippe

Re: Question on FreeRADIUS digest authentication with SIP proxy

2005-10-12 Thread Philippe Sultan
ok Cheng.

Note that it should be fixed in the CVS version within a few days, without changing the configuration of rlm_digest.
The MD5-Password (present in CVS) fits our need in this case, I will try to bring a fix next week including LDAP password pullout during authorization.

Bye,

Philippe
On 10/12/05, Cheng Zhang [EMAIL PROTECTED] wrote:

Thanks Philippe. It works for me as well. I will also let people on the serusers and openser-users mailing lists know. Without your patch, AFAIK, the password has to be in clear text form if using RADIUS to do the authentication.

Thanks again.

On 10/12/05, Philippe Sultan [EMAIL PROTECTED] wrote:

Hi, Chen.

There is ongoing discussion on this topic :
http://lists.freeradius.org/pipermail/freeradius-users/2005-October/047606.html

You might also want to check this, for information related to digest authentication with RADIUS and LDAP :
http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html

Bye,

Philippe

Re : Crypted Password Problem with DIGEST

2005-10-10 Thread Philippe Sultan
Hi, Meltem.

DIGEST mode does not work with encrypted passwords. However, one way to have an encrypted password storage is to store a hash value of the username:realm:password string in the User-Password field of your entry.


digest module configuration must include this line :
digest {
 enc_mode=yes
}

Auth-Type might be set to Digest, but it is not necessary since Freeradius will trigger the rlm_digest module when parsing the Access-Request.

If you want to build the hash value, try this command :
echo -n 'username:realm:password' | md5sum

You might want to test this patch for that purpose :
http://bugs.freeradius.org/show_bug.cgi?id=287

Please give some feedback if you ever test it, since I suspect some modifications are needed. The advice of Freeradius managers is also needed, since a configuration option to the rlm_digest module has been added.


Best regards,

Philippe

---
Mon, 10 Oct 2005 01:25:09 -0700 
Hello,

I am using SIP Express Router(SER) version 0.9.3 and freeRADIUS version 1.0.4. SIP uses digest as authentication scheme.
I am trying to keep the user passwords encrypted in the freeRadius DB, which is the MySQL table radcheck. The system is working with plaintext passwords, but it does not work with encrypted passwords even though I tried all types of configurations.
My first question is Does DIGEST work with ENCRYPTED PASSWORDS ???
Since Digest is a must for SIP.

If NOT, what authentication scheme can I use to make SIP work with freeRADIUS? If DIGEST works with encrypted passwords, what should be the configuration files:

1) in radiusd.conf ?

2) What should be the value of Auth-Type parameter in radcheck or radgroupcheck tables ?

3) What should be the attribute for password in radcheck table ? Is it User-Password or Chap-Password or Crypt-Password ??

I'll appreciate very much if anyone can help.

Regards,
Meltem Kirisci



Re: Re : Crypted Password Problem with DIGEST

2005-10-10 Thread Philippe Sultan
I'll add a similar patch to the CVS head, which already has a MD5-Password attribute defined. So no configuration changes are required there.

Certainly more appropriate.

However, if one wants to store H(username:realm:password) in LDAP as a userPassword attribute (this is our case at INRIA), will the MD5-Password be replaced by the retrieved attribute during the Authorization phase and then computed by rlm_digest? 


As far as I know from testing, the userPassword LDAP value replaces the User-Password RADIUS value if the line password_attribute = userPassword is set in the ldap module configuration section, if ldap is activated in Authorization. This is the reason why we patched the digest module to have the User-Password value modified.


We might need then to adjust the ldap module configuration as well if we want to store encrypted passwords in an LDAP server. Right?

Best Regards,

Philippe Sultan
INRIA