subject:"Re\: Help needed with Realms \(Freeradius\) Urgent\!"

Re: Help needed with Realms (Freeradius) Urgent!

2007-03-19 Thread Alan DeKok

[EMAIL PROTECTED] wrote:
 First line will check the password. You might need to add Auth-Type:=
 Local there.

  In 1.1.4 and following, that is no longer necessary.

  Do NOT recommend the use of Auth-Type.  It's almost always wrong.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help needed with Realms (Freeradius) Urgent!

2007-03-19 Thread virulence

Alright bro, after doing that i get a message that

Error: WARNING: Possible DoS attack from host 172.16.
1.104: Too many attributes in request (received 201, max 200 are allowed).

but after that it is ok any idea how to get rid of this error?

any one know wad's wrong... I'm still stuck at this...

virulence wrote:

Alright bro, after doing that i get a message that

Error: WARNING: Possible DoS attack from host 172.16.
1.104: Too many attributes in request (received 201, max 200 are allowed).

but after that it is ok any idea how to get rid of this error?

tnt wrote:

First line will check the password. You might need to add Auth-Type:=
Local there. On other lines you put reply items like Service-Type,
Framed-IP-Address etc. If there are items that are same for all users
put them in DEFAULT entry. Don't put Realm there or anywhere else in
users file.

Ivan Kalik
Kalik Informatika ISP

Dana 18/3/2007, virulence [EMAIL PROTECTED] piše:

Alright so it's

[EMAIL PROTECTED] Password := xyz
Framed sdfds = sfsdffs
Realm = company.com

Am I getting it right?

tnt wrote:

Just change username from abc to [EMAIL PROTECTED] . If you don't strip
and put Realm = whatever as check item, username abc still won't match.

Ivan Kalik
Kalik Informatika ISP

Dana 18/3/2007, virulence [EMAIL PROTECTED] piĹĄe:

So sorry, there was a misunderstanding in what was allocated to me and
I
would try what you said when I get back to office on Monday.

Btw, for the realms, the configuration is just by putting nostrip under
the
realm as in the proxy.conf
but for the users file, would putting realm = company.com work for
binding
realm @company.com to abc user for example. Or may I know what is the
full
configuration. Sorry for the trouble as this is the first time I'm
using
freeradius. Thanks

Alan DeKok-4 wrote:

virulence wrote:
But however, I needed the realms to be stripped as all my users auth
by
only
their username and password... Is there another way of doing it?

If you're insisting that the realms MUST be stripped, then you will
have the problem you noted, which you say you don't want. The
problem
is a direct result of your requirement that the realms be stripped.

The message you responded to told you how to solve the problem.
Try
the method that was suggested to you. Alternately, if you're not
going
to follow the help given on this list, I'm not sure why you're asking
for help.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

--
View this message in context:
http://www.nabble.com/Help-needed-with-Realms-%28Freeradius%29-Urgent%21-tf3412705.html#a9537046
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

--
View this message in context:
http://www.nabble.com/Help-needed-with-Realms-%28Freeradius%29-Urgent%21-tf3412705.html#a9539717
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

--
View this message in context:
http://www.nabble.com/Help-needed-with-Realms-%28Freeradius%29-Urgent%21-tf3412705.html#a9547937
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help needed with Realms (Freeradius) Urgent!

2007-03-19 Thread virulence


Dropping request (1025 is too many): from clie
nt abc :1818 - ID: 97   
Info: WARNING: Please check the radiusd.conf file. ?T
he value for 'max_requests' is probably set too low.

apparently this is what i get after setting the attrbutes to a higher level.
May I know what constitutes to the attribute level and how can i go about
this. I dun think it is a problem from the max-requests.


Alan DeKok-4 wrote:
 
 virulence wrote:
 Alright bro, after doing that i get a message that
 
 Error: WARNING: Possible DoS attack from host 172.16.
 1.104: Too many attributes in request (received 201, max 200 are
 allowed).
 
 but after that it is ok any idea how to get rid of this error?
 
   read radiusd.conf, look in the security section.
 
   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
 - 
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 

-- 
View this message in context: 
http://www.nabble.com/Help-needed-with-Realms-%28Freeradius%29-Urgent%21-tf3412705.html#a9548801
Sent from the FreeRadius - User mailing list archive at Nabble.com.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help needed with Realms (Freeradius) Urgent!

2007-03-19 Thread Alan DeKok

vir\ulence wrote:
 Dropping request (1025 is too many): from clie
 nt abc :1818 - ID: 97   
 Info: WARNING: Please check the radiusd.conf file. ?T
 he value for 'max_requests' is probably set too low.
 
 apparently this is what i get after setting the attrbutes to a higher level.

  Then I would say that something is seriously wrong in your network.

  Having more than 200 attributes in a RADIUS packet is extremely rare.
 As in: If it happens, it's probably because you're being attacked, and
you should go investigate.  That's what the log message says.

  So... did you check that the packets are what you expect?  Why are
there 200 attributes in the packet?

  And if the server is handling more than 1024 packets at a time, it's
either too slow (i.e. databases are slow or down), or it's being attacked.

  It looks like you just want configuration changes to make the error
messages go away.  That is absolutely the wrong approach.  Find the
cause of the problem, and fix it.  The messages will go away once the
problem goes away.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help needed with Realms (Freeradius) Urgent!

2007-03-19 Thread virulence

Sorry Alan,
I do not really understand you. firstly, the server is a totally empty
server as it was set up by my colleague for me for testing before
implementation and secondly is there a way to check the packets that i am
suppose to be expecting. By the way, the results came as a result of a
radtest. Sorry for the noobness.

Alan DeKok-4 wrote:

vir\ulence wrote:
Dropping request (1025 is too many): from clie
nt abc :1818 - ID: 97
Info: WARNING: Please check the radiusd.conf file. ?T
he value for 'max_requests' is probably set too low.

apparently this is what i get after setting the attrbutes to a higher
level.

Then I would say that something is seriously wrong in your network.

Having more than 200 attributes in a RADIUS packet is extremely rare.
As in: If it happens, it's probably because you're being attacked, and
you should go investigate. That's what the log message says.

So... did you check that the packets are what you expect? Why are
there 200 attributes in the packet?

And if the server is handling more than 1024 packets at a time, it's
either too slow (i.e. databases are slow or down), or it's being attacked.

It looks like you just want configuration changes to make the error
messages go away. That is absolutely the wrong approach. Find the
cause of the problem, and fix it. The messages will go away once the
problem goes away.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

--
View this message in context:
http://www.nabble.com/Help-needed-with-Realms-%28Freeradius%29-Urgent%21-tf3412705.html#a9555658
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help needed with Realms (Freeradius) Urgent!

2007-03-19 Thread Alan DeKok

virulence wrote:
 Sorry Alan,
 I do not really understand you. firstly, the server is a totally empty
 server as it was set up by my colleague for me for testing before
 implementation

  That doesn't matter.  The client is sending packets.  The
configuration items that generate those error messages are about the
packets that the client is sending.

 and secondly is there a way to check the packets that i am
 suppose to be expecting. By the way, the results came as a result of a
 radtest. Sorry for the noobness.

  Ah.  If the more than 200 attributes packet came in via radtest,
then you've configured the server wrong.

  i.e. You've told the server to proxy requests to itself.  Don't do that.

  See proxy.conf.  One of the realms entries has the same IP and
port that the server is listening on.  Change that IP:port to LOCAL.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help needed with Realms (Freeradius) Urgent!

2007-03-18 Thread virulence

So sorry, there was a misunderstanding in what was allocated to me and I
would try what you said when I get back to office on Monday.

Btw, for the realms, the configuration is just by putting nostrip under the
realm as in the proxy.conf
but for the users file, would putting realm = company.com work for binding
realm @company.com to abc user for example. Or may I know what is the full
configuration. Sorry for the trouble as this is the first time I'm using
freeradius. Thanks

Alan DeKok-4 wrote:

virulence wrote:
But however, I needed the realms to be stripped as all my users auth by
only
their username and password... Is there another way of doing it?

If you're insisting that the realms MUST be stripped, then you will
have the problem you noted, which you say you don't want. The problem
is a direct result of your requirement that the realms be stripped.

The message you responded to told you how to solve the problem. Try
the method that was suggested to you. Alternately, if you're not going
to follow the help given on this list, I'm not sure why you're asking
for help.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

--
View this message in context:
http://www.nabble.com/Help-needed-with-Realms-%28Freeradius%29-Urgent%21-tf3412705.html#a9537046
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help needed with Realms (Freeradius) Urgent!

2007-03-18 Thread tnt

Just change username from abc to [EMAIL PROTECTED] . If you don't strip
and put Realm = whatever as check item, username abc still won't match.

Ivan Kalik
Kalik Informatika ISP

Dana 18/3/2007, virulence [EMAIL PROTECTED] piše:

So sorry, there was a misunderstanding in what was allocated to me and I
would try what you said when I get back to office on Monday.

Btw, for the realms, the configuration is just by putting nostrip under the
realm as in the proxy.conf
but for the users file, would putting realm = company.com work for binding
realm @company.com to abc user for example. Or may I know what is the full
configuration. Sorry for the trouble as this is the first time I'm using
freeradius. Thanks

Alan DeKok-4 wrote:

virulence wrote:
But however, I needed the realms to be stripped as all my users auth by
only
their username and password... Is there another way of doing it?

If you're insisting that the realms MUST be stripped, then you will
have the problem you noted, which you say you don't want. The problem
is a direct result of your requirement that the realms be stripped.

The message you responded to told you how to solve the problem. Try
the method that was suggested to you. Alternately, if you're not going
to follow the help given on this list, I'm not sure why you're asking
for help.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

--
View this message in context:
http://www.nabble.com/Help-needed-with-Realms-%28Freeradius%29-Urgent%21-tf3412705.html#a9537046
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help needed with Realms (Freeradius) Urgent!

2007-03-18 Thread virulence

Alright so it's

[EMAIL PROTECTED] Password := xyz
Framed sdfds = sfsdffs
Realm = company.com

Am I getting it right?

tnt wrote:

Just change username from abc to [EMAIL PROTECTED] . If you don't strip
and put Realm = whatever as check item, username abc still won't match.

Ivan Kalik
Kalik Informatika ISP

Dana 18/3/2007, virulence [EMAIL PROTECTED] piše:

So sorry, there was a misunderstanding in what was allocated to me and I
would try what you said when I get back to office on Monday.

Btw, for the realms, the configuration is just by putting nostrip under
the
realm as in the proxy.conf
but for the users file, would putting realm = company.com work for binding
realm @company.com to abc user for example. Or may I know what is the full
configuration. Sorry for the trouble as this is the first time I'm using
freeradius. Thanks