Re: pam_radius_auth

2007-03-21 Thread Alan DeKok
Dan Delaney wrote:
> Does anyone know how to change the service type that pam_radius_auth
> passes to the server?

  Source code modifications.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP Address based proxy forward

2007-03-21 Thread Alan DeKok
freeradius wrote:
> Is there a way or another to check on a network basis like
> 192.168.2.100/30 ?

  Yes and no.  Regular expressions work, but they're ugly.

> In our productive architecture, the number of ip addresses should be a
> /21 subnet (2046 hosts)...
> I can write one line per ip but maybe there is a better way to configure
> it ?

  Regular expressions.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
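
What "regular expressions, but ugly" looks like for the two prefix lengths in this thread, as an added example in C that is not part of the original messages or of FreeRADIUS. The helper names `cidr_to_regex` and `regex_matches` are hypothetical, and 192.168.0.0 is an assumed base address for the /21; the output is a POSIX extended regular expression anchored at both ends so that a shorter or longer address cannot match by prefix.

```c
#include <regex.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One full octet, 0-255, with no leading zeros. */
#define ANY_OCTET "(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"

/* Write an anchored ERE matching exactly the dotted-quad addresses inside
 * cidr ("a.b.c.d/n") into out. Returns 0 on success, -1 on bad input or
 * if out is too small. (Hypothetical helper for this example.) */
int cidr_to_regex(const char *cidr, char *out, size_t outlen)
{
    unsigned a, b, c, d, bits;
    char tail;
    size_t n = 0;
    int w;

    if (sscanf(cidr, "%u.%u.%u.%u/%u%c", &a, &b, &c, &d, &bits, &tail) != 5)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || bits > 32)
        return -1;

    uint32_t ip   = (a << 24) | (b << 16) | (c << 8) | d;
    uint32_t mask = bits ? 0xffffffffu << (32 - bits) : 0;
    uint32_t lo   = ip & mask;          /* first address of the block */
    uint32_t hi   = lo | ~mask;         /* last address of the block  */

#define EMIT(...) do { \
        w = snprintf(out + n, outlen - n, __VA_ARGS__); \
        if (w < 0 || (size_t)w >= outlen - n) return -1; \
        n += (size_t)w; } while (0)

    EMIT("^");
    for (int shift = 24; shift >= 0; shift -= 8) {
        unsigned l = (lo >> shift) & 0xff, h = (hi >> shift) & 0xff;
        if (l == h) {
            EMIT("%u", l);              /* octet fixed by the prefix */
        } else if (l == 0 && h == 255) {
            EMIT("%s", ANY_OCTET);      /* octet entirely in the host part */
        } else {
            EMIT("(");                  /* partial octet: list every value */
            for (unsigned v = l; v <= h; v++) {
                if (v == l) EMIT("%u", v);
                else        EMIT("|%u", v);
            }
            EMIT(")");
        }
        if (shift)
            EMIT("\\.");
    }
    EMIT("$");
#undef EMIT
    return 0;
}

/* 1 if addr matches the expression, 0 if not, -1 if it does not compile. */
int regex_matches(const char *re, const char *addr)
{
    regex_t rx;
    if (regcomp(&rx, re, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int hit = regexec(&rx, addr, 0, NULL, 0) == 0;
    regfree(&rx);
    return hit;
}

int main(void)
{
    char re[1024];
    if (cidr_to_regex("192.168.2.100/30", re, sizeof re) == 0)
        printf("/30: %s\n", re);
    if (cidr_to_regex("192.168.0.0/21", re, sizeof re) == 0)   /* assumed network */
        printf("/21: %s\n", re);
    return 0;
}
```
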


Re: freeradius, ldap error - HELP ME!

2007-03-21 Thread Alan DeKok
peppeska wrote:
...
> rad_recv: Access-Request packet from host 127.0.0.1:1027, id=118, length=54
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = peppeska
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
>   rad_check_password:  Found Auth-Type MS-CHAP
> auth: type MS-CHAP

  Where did the Auth-Type = MS-CHAP come from?  It's not in the
default configuration.

  i.e. you edited the server configuration to break it.  Don't do that.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius-Users Digest, Vol 23, Issue 90

2007-03-21 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> Am I right in thinking that for radius to be able to proxy eap
> successfully, the request_list module would have to be updated to hold
> information as to which home radius server the session
> was being handled by.

  No.  There has to be a separate in-memory table.

> With the sessions id being the unique acct id (which could be recorded
> at the same time as the eap start message),

  Nope.  The Acct-Session-Id attribute isn't in the Access-Request most
of the time.

> and then direct future
> packets to that server for an arbitrary length of time, say as long as
> the nas's authentication timeout and/or until it detected a
> accept/reject packet for that authentication session.

  Nope.  Just key off of (src ip/port, State), and map that to (dst
IP/port).  That's all that's needed.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
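
The separate in-memory table keyed on (src ip/port, State) described above, as an added sketch in C that is not part of the original message or of FreeRADIUS. The function names, `TABLE_SIZE` and `ROUTE_TTL` are assumptions; the source address is part of the key, so a State value replayed from a different NAS address or port does not select a home server.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define STATE_MAX  253   /* a RADIUS attribute value is at most 253 octets */
#define TABLE_SIZE 64    /* assumed capacity for this sketch */
#define ROUTE_TTL  30    /* assumed entry lifetime, in seconds */

struct route {
    int      used;
    uint32_t src_ip;             /* NAS address */
    uint16_t src_port;           /* NAS source port */
    uint8_t  state[STATE_MAX];   /* State octets issued by the home server */
    size_t   state_len;
    uint32_t dst_ip;             /* home server handling this conversation */
    uint16_t dst_port;
    time_t   expires;
};

static struct route table[TABLE_SIZE];

/* Find the live entry for (src ip/port, State); expire stale slots on the way. */
static struct route *find(uint32_t ip, uint16_t port,
                          const uint8_t *state, size_t len, time_t now)
{
    for (int i = 0; i < TABLE_SIZE; i++) {
        struct route *r = &table[i];
        if (r->used && r->expires <= now)
            r->used = 0;
        if (r->used && r->src_ip == ip && r->src_port == port &&
            r->state_len == len && memcmp(r->state, state, len) == 0)
            return r;
    }
    return NULL;
}

/* Call when an Access-Challenge carrying State is relayed from the home
 * server (dst) back to the NAS (src). Returns 0, or -1 if it cannot store. */
int route_remember(uint32_t ip, uint16_t port, const uint8_t *state, size_t len,
                   uint32_t dst_ip, uint16_t dst_port, time_t now)
{
    struct route *r;

    if (len == 0 || len > STATE_MAX)
        return -1;
    r = find(ip, port, state, len, now);
    for (int i = 0; !r && i < TABLE_SIZE; i++)
        if (!table[i].used)
            r = &table[i];
    if (!r)
        return -1;               /* table full: caller must not guess a server */
    r->used = 1;
    r->src_ip = ip;
    r->src_port = port;
    memcpy(r->state, state, len);
    r->state_len = len;
    r->dst_ip = dst_ip;
    r->dst_port = dst_port;
    r->expires = now + ROUTE_TTL;
    return 0;
}

/* Call for an Access-Request that carries State. Returns 1 and fills in the
 * home server on a hit, 0 on a miss (unknown, expired, or wrong source). */
int route_lookup(uint32_t ip, uint16_t port, const uint8_t *state, size_t len,
                 time_t now, uint32_t *dst_ip, uint16_t *dst_port)
{
    struct route *r;

    if (len == 0 || len > STATE_MAX)
        return 0;
    r = find(ip, port, state, len, now);
    if (!r)
        return 0;
    *dst_ip = r->dst_ip;
    *dst_port = r->dst_port;
    return 1;
}

/* Call when an Access-Accept or Access-Reject ends the conversation. */
int route_forget(uint32_t ip, uint16_t port, const uint8_t *state, size_t len,
                 time_t now)
{
    struct route *r = find(ip, port, state, len, now);
    if (!r)
        return 0;
    r->used = 0;
    return 1;
}

int main(void)
{
    const uint8_t st[] = { 0x01, 0x02, 0x03, 0x04 };   /* constructed State */
    uint32_t ip;
    uint16_t port;
    time_t now = time(NULL);

    route_remember(0x0a000001, 1645, st, sizeof st, 0xc0a80114, 1812, now);
    if (route_lookup(0x0a000001, 1645, st, sizeof st, now + 1, &ip, &port))
        printf("forward to %08x:%u\n", (unsigned)ip, (unsigned)port);
    route_forget(0x0a000001, 1645, st, sizeof st, now + 1);
    return 0;
}
```
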


Re: EAP-TTLS outer identity accounting

2007-03-21 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> confirm that EAP-TTLS userid's used to work with freeradius (1.0.5 era
> through to 1.1.3) but then only anonymous was seen. I've been following
> this User-Name = %{User-Name} etc thread with interest

  Ouch.  It needs fixing, then.  I'm at a conference this week, so I'll
see what I can do in a few days.

  It would be nice to have regression tests for the server...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
Alan DeKok wrote:
> peppeska wrote:
> ...
>> rad_recv: Access-Request packet from host 127.0.0.1:1027, id=118, length=54
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> User-Name = peppeska
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 0
>>   rad_check_password:  Found Auth-Type MS-CHAP
>> auth: type MS-CHAP
>
>   Where did the Auth-Type = MS-CHAP come from?  It's not in the
> default configuration.

ok, I made some changes in my configuration file..

Now my configuration in user file is:

DEFAULT Auth-Type = LDAP
Fall-Through = 1


But the output now is:

rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = peppeska
NAS-IP-Address = 127.0.0.1
NAS-Port = 0

^
-Where is User-Password attribute?
-
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = peppeska, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.

- m depend to ppp version? it's possible?
--
  modcall[authenticate]: module ldap returns invalid for request 0
modcall: leaving group LDAP (returns invalid) for request 0
auth: Failed to validate the user.
Login incorrect: [peppeska/no User-Password attribute] (from client
localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 65 to 127.0.0.1 port 1030
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 65 with timestamp 4600fb5f
Nothing to do.  Sleeping until we see a request.



ok.. my ldap.attrmap contains:

checkItem   User-Password   lmPassword
checkItem   LM-Password lmPassword
checkItem   NT-Password ntPassword

And the ldap section in radiusd.conf contains:

password_attribute = User-Password


What's the problem?


--
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


Incomplete accounting sessions and IP pool resets

2007-03-21 Thread Ramm-Ericson, Johannes
Hello Freeradius users!
 
I have a recurring problem that I'm wondering if any of you have run
into. I am currently running freeradius 1.1.4 (haven't had time to
upgrade yet) on Suse Linux SLES 10 together with a MySQL DB engine.

I am using IP pools to supply users coming from various NAS:es with IP
addresses. These IP pools seem to run out of IP addresses which is
surprising given that I have more IP addresses than users for each NAS.
Basically, new access requests don't get anywhere because there aren't
any free IPs left. Once I stop freeradius, delete the ip pools and start
freeradius again everything is fine. It is annoying however.

I suspect the problem may be related to the fact that some sessions do
not receive accounting session stop packets. This happens a lot so
currently I'm working around the issue by way of a cron job that
deletes the IP pools and restarts freeradius every night - but this is a
workaround and I really would like a better solution. Particularly since
the problem creeps up in daily operations as well.

Also; I have no control over the NAS:es but I can discuss the issue with
the NAS admins if I know what to look for!
 
Does anyone have any suggestions / ideas / experiences with this sort of
problem?
 
Thanks and Best Regards,
Johannes R-E

Re: freeradius, ldap error - HELP ME!

2007-03-21 Thread Alan DeKok
peppeska wrote:
> Now my configuration in user file is:
>
> DEFAULT Auth-Type = LDAP
> Fall-Through = 1

  Can you explain why you're setting Auth-Type?  All of the docs say to
NOT DO THAT.

> But the output now is:
>
> rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
...
> ^
> -Where is User-Password attribute?

  Ask the NAS.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Incomplete accounting sessions and IP pool resets

2007-03-21 Thread Alan DeKok
Ramm-Ericson, Johannes wrote:

> I suspect the problem may be related to the fact that some sessions do
> not receive accounting session stop packets.

  Yes.  If the server isn't told that the IP is free, what is it
supposed to do?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur

> But the output now is:
>
> rad_recv: Access-Request packet from host 127.0.0.1:1030,
> id=65, length=54
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = peppeska
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
>
> ^
> -Where is User-Password attribute?
> -

A good question indeed, that one should be asked to your NAS ;-)

It's up to the NAS to send User-Password: unless it is set up to do something
else (for instance MSCHAP).

Have you set up ppp to use mschap (require-mschap-v2 option) ?
Are you using the radiusclient library ?

If yes, could you check that your radiusclient dictionary file includes
Microsoft attributes:
* check the dictionary  path-to-dict-file line of
/etc/radiusclient-ng/radiusclient.conf file (or
/etc/radiusclient/radiusclient.conf file)
* check that the file path-to-dict-file contains a reference to other
dictionary files such as:
INCLUDE /usr/share/radiusclient-ng/dictionary.merit
INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
* check that you have these 2 extra dictionary files (especially the
microsoft one)
==> I've attached the two files

Regards,
Thibault







Re: Apache2 - PAM - freeRADIUS - users

2007-03-21 Thread Alan DeKok
Michael Messner wrote:
> hey,
>
>  freeRADIUS works quite good and it's possible to authenticate via PAM,
> for example local logins, ssh-logins, su, chsh, gdm, ... are working
> quite fine.
>
> The only thing is the htaccess from apache2 which will not work. The
> Radius gets the request and permits the user:

  I would suggest finding out why Apache is requiring more from PAM than
everyone else does.  It's not really a pam_radius problem, because it
works with everything else.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4

2007-03-21 Thread Alexander V. Klepikov
Hello, Alan!
You wrote  on Tue, 20 Mar 2007 12:47:01 +0100:

 AD> Alexander V. Klepikov wrote:

 >> I applied the patch and it does not work. It seems to me, it's
 >> because
 >> SQL socket may be unconnected and sqlsocket->conn != NULL,

 AD>   That sounds like a bug to me.

It seems to me I begin to understand what is going on in the module
rlm_sql_postgresql, but it is very difficult for me to write my conclusions
in English.

I'm afraid this is not a bug. I looked in the sources, and I found that in
module rlm_sql_postgresql all functions use the construction

rlm_sql_postgres_sock *pg_sock = sqlsocket->conn;

Then all calls to libpq (the real PostgreSQL driver) deal with
pg_sock->conn. Here is one of the best illustrations, function
sql_init_socket :

=Beginning of the citation==
static int sql_init_socket(SQLSOCK *sqlsocket, SQL_CONFIG *config) {
	char connstring[2048];
	char *port, *host;
	rlm_sql_postgres_sock *pg_sock;

	if (config->sql_server[0] != '\0') {
		host = " host=";
	} else {
		host = "";
	}

	if (config->sql_port[0] != '\0') {
		port = " port=";
	} else {
		port = "";
	}

	/* The driver-private structure is allocated once and then reused. */
	if (!sqlsocket->conn) {
		sqlsocket->conn = (rlm_sql_postgres_sock *)rad_malloc(sizeof(rlm_sql_postgres_sock));
		if (!sqlsocket->conn) {
			return -1;
		}
	}

	pg_sock = sqlsocket->conn;
	memset(pg_sock, 0, sizeof(*pg_sock));

	snprintf(connstring, sizeof(connstring),
		 "dbname=%s%s%s%s%s user=%s password=%s",
		 config->sql_db, host, config->sql_server,
		 port, config->sql_port,
		 config->sql_login, config->sql_password);
	pg_sock->row=NULL;
	pg_sock->result=NULL;
	pg_sock->conn=PQconnectdb(connstring);

	if (PQstatus(pg_sock->conn) == CONNECTION_BAD) {
		radlog(L_ERR, "rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server [EMAIL PROTECTED]:%s", config->sql_login, config->sql_server, config->sql_db);
		radlog(L_ERR, "rlm_sql_postgresql: Postgresql error '%s'", PQerrorMessage(pg_sock->conn));
		/* PQfinish frees the PGconn, but pg_sock->conn keeps the old address. */
		PQfinish(pg_sock->conn);
		return SQL_DOWN;
	}

	return 0;
}

=The end of the citation

You see, first sqlsocket->conn is inited and all database parameters are
set. Then a connection attempt is made: pg_sock->conn=PQconnectdb(connstring)
. If connection to DB fails, PQfinish(pg_sock->conn) is called, which frees
pg_sock->conn - the need to do this is described in libpq docs. So even in
case of unsuccessful connection we have good database handle sqlsocket->conn,
which should not be NULL. When FreeRadius starts, sql_init_socketpool is
called. It inits all SQL sockets and attempts to connect to database(s).
I did not find any information about what is going on when database or SQL
server suddenly comes down, but it looks like pg_sock->conn is freed when
connection to DB became broken. And pg_sock->conn != NULL . That's why libpq
crashes when PQfinish(pg_sock->conn) in sql_close function is called. As far
as I understand, this is expected behavior.
According to this, I can make a conclusion that when database handle is
checked for connectivity (in rlm_sql module), sqlsocket->state should be
used. In theory, sqlsocket->state can equal sockconnected when actually
it is disconnected. It seems to me, actually this can happen very rarely.
Maybe the state of connection should be checked before running every SQL
query to minimize risk of operation on disconnected DB, but I believe it's
not necessary yet. Besides, it will require modifying all sql drivers.
I think there are a few places left in rlm_sql module where sqlsocket->conn
should be replaced with sqlsocket->state. I'm sure I can find and patch
them.

With best regards, Alexander V. Klepikov.  E-mail: [EMAIL PROTECTED] 



Re: freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
Alan DeKok wrote:
> peppeska wrote:
>> Now my configuration in user file is:
>>
>> DEFAULT Auth-Type = LDAP
>> Fall-Through = 1
>
>   Can you explain why you're setting Auth-Type?  All of the docs say to
> NOT DO THAT.

ook
I comment that

but now:

rad_recv: Access-Request packet from host 127.0.0.1:1030, id=66, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = peppeska
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = peppeska, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
^^^
auth: Failed to validate the user.
Login incorrect: [peppeska/no User-Password attribute] (from client
localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 66 to 127.0.0.1 port 1030
Cleaning up request 0 ID 66 with timestamp 46010854
Nothing to do.  Sleeping until we see a request.



 
>> But the output now is:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
> ...
>> ^
>> -Where is User-Password attribute?
>
>   Ask the NAS.
 

what?

 


--
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


freeRadius 1.1.5 compile errors - please help

2007-03-21 Thread MWoody

I am trying to build/compile freeRadius 1.1.5. My Cygwin environment is
1.5.24-2 from www.cygwin.com. freeRadius 1.1.5 from www.freeradius.org. 
I ran configure for freeRadius with following parameters:  ./configure
--without-snmp --disable-shared --enable-static --without-rlm_perl.

Configure and make output logs are attached to this email.
configure log  http://www.nabble.com/file/7292/config.log config.log 
make log  http://www.nabble.com/file/7293/make.log make.log 


Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4

2007-03-21 Thread Nicolas Baradakis
Alexander V. Klepikov wrote:

> I did not find any information about what is going on when database or SQL
> server suddenly comes down, but it looks like pg_sock->conn is freed when
> connection to DB became broken. And pg_sock->conn != NULL . That's why libpq
> crashes when PQfinish(pg_sock->conn) in sql_close function is called.

It seems to me this is the real cause of the problem: pg_sock->conn becomes
an invalid pointer. The libpq manpage says the PGconn pointer should not be
used after PQfinish has been called.

Please try the following patch:

Index: src/modules/rlm_sql/drivers/rlm_sql_postgresql/sql_postgresql.c
===
RCS file: 
/source/radiusd/src/modules/rlm_sql/drivers/rlm_sql_postgresql/sql_postgresql.c,v
retrieving revision 1.38.4.1
diff -u -r1.38.4.1 sql_postgresql.c
--- src/modules/rlm_sql/drivers/rlm_sql_postgresql/sql_postgresql.c 14 Dec 
2005 18:32:03 -  1.38.4.1
+++ src/modules/rlm_sql/drivers/rlm_sql_postgresql/sql_postgresql.c 21 Mar 
2007 11:28:17 -
@@ -61,6 +61,7 @@
 /* Prototypes */
 static int sql_store_result(SQLSOCK * sqlsocket, SQL_CONFIG *config);
 static int sql_num_fields(SQLSOCK * sqlsocket, SQL_CONFIG *config);
+static int sql_close(SQLSOCK * sqlsocket, SQL_CONFIG *config);
 
 /* Internal function. Return true if the postgresql status value
  * indicates successful completion of the query. Return false otherwise
@@ -181,7 +182,7 @@
if (PQstatus(pg_sock-conn) == CONNECTION_BAD) {
radlog(L_ERR, rlm_sql_postgresql: Couldn't connect socket to 
PostgreSQL server [EMAIL PROTECTED]:%s, config-sql_login, config-sql_server, 
config-sql_db);
radlog(L_ERR, rlm_sql_postgresql: Postgresql error '%s', 
PQerrorMessage(pg_sock-conn));
-   PQfinish(pg_sock-conn);
+   sql_close(sqlsocket, config);
return SQL_DOWN;
}
 
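
Review bot: In the CONNECTION_BAD branch, swapping PQfinish(pg_sock->conn) for sql_close(sqlsocket, config) only removes the stale handle if sql_close itself clears pg_sock->conn after calling PQfinish, and the body of sql_close is not part of this diff. Please confirm, or add to the patch, that sql_close sets the pointer to NULL and tolerates being called again on the same socket, since the crash reported in this thread is a later PQfinish inside sql_close on a handle that was already freed. The return value of sql_close is also discarded here; SQL_DOWN is returned either way, so a (void) cast or a short comment would show that this is deliberate.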

-- 
Nicolas Baradakis



freeradius-1.1.5 and FC4

2007-03-21 Thread Goke Aruna
I installed freeradius-1.1.4 in FC4 and I got all the compilation
without error.

However, when I tried to run the radiusd in debug mode I got the error below

Can someone pls point out my problem to me.

Goksie

[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
*** glibc detected *** radiusd: double free or corruption (fasttop):
0x090fcde8 ***
=== Backtrace: =
/lib/libc.so.6[0x1b7424]
/lib/libc.so.6(__libc_free+0x77)[0x1b795f]
/usr/local/lib/libltdl.so.3[0xd9da50]
/usr/local/lib/libltdl.so.3(lt_dlopenext+0xc3)[0xd9e51f]
radiusd(find_module_instance+0x1bd)[0xe98fb5]
radiusd(setup_modules+0x1c0)[0xe997b0]
radiusd(main+0x3b0)[0xe9c814]
/lib/libc.so.6(__libc_start_main+0xc6)[0x168de6]
radiusd[0xe91cb5]

Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4

2007-03-21 Thread Alan DeKok
Alexander V. Klepikov wrote:
... If connection to DB fails, PQfinish(pg_sock->conn) is called, which frees
 pg_sock->conn - need to do this is described in libpq docs. So even in case
 of unsuccessful connection we have good database handle sqlsocket->conn,
 which should not be NULL.

  If pg_sock->conn is freed, that pointer MUST be set to NULL.

 According to this, I can make a conclusion that when database handle is
 checked for connectivity (in rlm_sql module), sqlsocket->state should be
 used.

  No.  sqlsocket->state is redundant.  If the conn handle exists, it
MUST be a valid connection handle.  If it's not valid, it's NULL, and
therefore the socket is disconnected.

 In theory, sqlsocket->state can equal sockconnected when actually
 it is disconnected.

  That's a bug.  It's wrong and MUST be fixed.

 It seems to me, actually this can happen very rarely.
 Maybe state of connection should be checked before running every SQL query
 to minimize risk of operation on disconnected DB, but I believe it's not
 necessary yet. Besides, it will require to modify all sql drivers.

  Then we modify all of the SQL drivers.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
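
The invariant discussed in this thread (a freed handle pointer is set to NULL, and NULL alone means "disconnected"), as an added example that is not code from FreeRADIUS or from any poster. `fake_conn`, `fake_connectdb`, `fake_finish`, `sql_socket` and the `sock_*` functions are hypothetical stand-ins for libpq's `PGconn`, `PQconnectdb`, `PQfinish` and the driver's socket structure.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for libpq's opaque PGconn (constructed for this example). */
typedef struct fake_conn {
    int ok;                     /* 1 = connection OK, 0 = connection bad */
} fake_conn;

static int live_handles = 0;    /* handles allocated and not yet freed */

/* Like PQconnectdb(): returns an allocated handle even when the
 * connection attempt failed; the caller must still release it. */
static fake_conn *fake_connectdb(int server_up)
{
    fake_conn *c = malloc(sizeof(*c));
    if (c == NULL)
        return NULL;
    c->ok = server_up;
    live_handles++;
    return c;
}

/* Like PQfinish(): frees the handle; it must not be used afterwards. */
static void fake_finish(fake_conn *c)
{
    free(c);
    live_handles--;
}

/* Hypothetical driver socket. Invariant: conn is either NULL
 * (disconnected) or a valid, connected handle. No separate state flag. */
typedef struct sql_socket {
    fake_conn *conn;
} sql_socket;

static int sock_is_connected(const sql_socket *s)
{
    return s->conn != NULL;
}

/* Safe to call any number of times: the pointer is cleared right after
 * the handle is freed, so a second call is a no-op, not a double free. */
static void sock_close(sql_socket *s)
{
    if (s->conn != NULL) {
        fake_finish(s->conn);
        s->conn = NULL;
    }
}

/* Returns 0 on success, -1 on failure. On failure the handle is released
 * and s->conn stays NULL, so no dangling pointer is left in the socket. */
static int sock_connect(sql_socket *s, int server_up)
{
    fake_conn *c;

    sock_close(s);              /* drop any previous connection first */
    c = fake_connectdb(server_up);
    if (c == NULL)
        return -1;
    if (!c->ok) {
        fake_finish(c);
        return -1;
    }
    s->conn = c;
    return 0;
}

/* Returns 0 if the query could be sent, -1 if the caller must reconnect
 * or fail over to the next server. A NULL handle is never dereferenced. */
static int sock_query(sql_socket *s, const char *query)
{
    if (!sock_is_connected(s))
        return -1;
    (void)query;                /* a real driver would call PQexec() here */
    return 0;
}

/* Walks the failure path from the thread; returns handles still allocated. */
static int failover_demo(void)
{
    sql_socket s = { NULL };

    sock_connect(&s, 0);            /* primary down: handle freed, conn NULL */
    sock_query(&s, "INSERT ...");   /* refused, no use-after-free */
    sock_close(&s);                 /* no-op */
    sock_connect(&s, 1);            /* backup server is up */
    sock_query(&s, "INSERT ...");
    sock_close(&s);
    sock_close(&s);                 /* second close is harmless */
    return live_handles;
}

int main(void)
{
    printf("handles still allocated: %d\n", failover_demo());
    return 0;
}
```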


Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4

2007-03-21 Thread Alan DeKok
Nicolas Baradakis wrote:
 It seems to me this is the real cause of the problem: pg_sock->conn becomes
 an invalid pointer. The libpq manpage says the PGconn pointer should not be
 used after PQfinish has been called.
 
 Please try the following patch:

  I think it should be applied, independent of anything else.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius, ldap error - HELP ME!

2007-03-21 Thread Michael Mitchell
peppeska wrote:

rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
 ^^

-Where is User-Password attribute?

  Ask the NAS.

 
 what?
 

In this case I have a suspicion the NAS could be radclient...

How are you sending requests to freeRADIUS?

regards,
Mike


Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4

2007-03-21 Thread Alexander V. Klepikov
Hello, Nicolas!
You wrote  on Wed, 21 Mar 2007 12:37:03 +0100:

NB It seems to me this is the real cause of the problem: pg_sock->conn
NB becomes an invalid pointer. The libpq manpage says the PGconn pointer
NB should not be used after PQfinish has been called.

NB Please try the following patch:

[Sorry, skipped]

Yes, it solves the problem. Thank you! Very simple solution! But according 
to Alan it looks like we have discovered a real problem...

With best regards, Alexander V. Klepikov.  E-mail: [EMAIL PROTECTED] 



Re: freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
Michael Mitchell wrote:
 peppeska wrote:
 rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
  ^^
 
 -Where is User-Password attribute?
  Ask the NAS.

 what?

 
 In this case I have a suspicion the NAS could be radclient...
 
 How are you sending requests to freeRADIUS?
 
Freeradius receives request from pppoe-server, I try to connect to
pppoe-server from a linux box

 


- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur


 -Original Message-
 From: 
 [EMAIL PROTECTED]
 radius.org 
 [mailto:[EMAIL PROTECTED]
 sts.freeradius.org] On behalf of peppeska
 Sent: Wednesday, 21 March 2007 13:44
 To: FreeRadius users mailing list
 Subject: Re: freeradius, ldap error - HELP ME!
 
 
 Michael Mitchell wrote:
  peppeska wrote:
  rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, 
  length=54
   ^^
  
  -Where is User-Password attribute?
   Ask the NAS.
 
  what?
 
  
  In this case I have a suspicion the NAS could be radclient...
  
  How are you sending requests to freeRADIUS?
  
 Freeradius receives request from pppoe-server, I try to connect 
 to pppoe-server from a linux box


Is your pppoe-server a linux server ?
Is your pppoe client or pppoe server configured to use ms-chap
authentication ?

If your pppoe server is a linux box, have you checked that the radiusclient
library contains the microsoft dictionary as I described in my previous
email ?

Regards,
Thibault Le Meur





Re: RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
Thibault Le Meur wrote:
 
 -Original Message-
 From: 
 [EMAIL PROTECTED]
 radius.org 
 [mailto:[EMAIL PROTECTED]
 sts.freeradius.org] On behalf of peppeska
 Sent: Wednesday, 21 March 2007 13:44
 To: FreeRadius users mailing list
 Subject: Re: freeradius, ldap error - HELP ME!


 Michael Mitchell wrote:
 peppeska wrote:
 rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, 
 length=54
  ^^

 -Where is User-Password attribute?
  Ask the NAS.

 what?

 In this case I have a suspicion the NAS could be radclient...

 How are you sending requests to freeRADIUS?

 Freeradius receives request from pppoe-server, I try to connect 
 to pppoe-server from a linux box
 
 
 Is your pppoe-server a linux server ?
 Is your pppoe client or pppoe server configured to use ms-chap
 authentication ?
 
 If your pppoe server is a linux box, have you checked that the radiusclient
 library contains the microsoft dictionary as I described in my previous
 email ?



Thibault Le Meur wrote:
  But the output now is:
 
  rad_recv: Access-Request packet from host 127.0.0.1:1030,
  id=65, length=54
  Service-Type = Framed-User
  Framed-Protocol = PPP
  User-Name = peppeska
  NAS-IP-Address = 127.0.0.1
  NAS-Port = 0
 
  ^
  - -Where is User-Password attribute?
  - 
 
  A good question indeed, that one should be asked to your NAS  ;-)
 
  It's up to the NAS to send User-Password: unless it is setup to do
something
  else (for instance MSCHAP).
 
  Have you setup ppp to use mschap (require-mschap-v2 option) ?
  Are you using the radiusclient library ?

 refuse-pap
 refuse-chap
 require-mschap
 require-mschap-v2
 require-mppe

 
  If yes, could you check that your radiusclient dictionary file includes
  Microsoft attributes:
  * check the dictionary  path-to-dict-file line of
  /etc/radiusclient-ng/radiusclient.conf file (or
  /etc/radiusclient/radiusclient.conf file)
  * check that the file path-to-dict-file contains a reference to other
  dictionary files such as:
  INCLUDE /usr/share/radiusclient-ng/dictionary.merit
  INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
  * check that you have these 2 extra dictionary files (especially the
  microsoft one)
  == I've attached the two files

in my radiusclient.conf there is:

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary  /etc/radiusclient/dictionary

and in the dictionary file:
$INCLUDE /etc/radiusclient/dictionary.microsoft
$INCLUDE /etc/radiusclient/dictionary.ascend
$INCLUDE /etc/radiusclient/dictionary.compat
$INCLUDE /etc/radiusclient/dictionary.merit
$INCLUDE /usr/share/freeradius/dictionary


But... without declaration of Default Auth-Type in the users file:

rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [peppeska/no User-Password attribute] (from client
localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0


- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur
Hi,

Very strange I didn't get this email ?

See my comments below:

 
 Thibault Le Meur wrote:
   But the output now is:
  
   rad_recv: Access-Request packet from host 
 127.0.0.1:1030, id=65, 
   length=54
   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = peppeska
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 0
  
   ^
   - -Where is User-Password attribute?
   - 
  
   A good question indeed, that one should be asked to your NAS  ;-)
  
   It's up to the NAS to send User-Password: unless it is setup to do
 something
   else (for instance MSCHAP).
  
   Have you setup ppp to use mschap (require-mschap-v2 option) ? Are 
   you using the radiusclient library ?
 
  refuse-pap
  refuse-chap
  require-mschap
  require-mschap-v2
  require-mppe


OK, so your NAS doesn't have to send User-Password but an MS-CHAP challenge
instead: that's what I thought.

   If yes, could you check that your radiusclient dictionary file 
   includes Microsoft attributes:
   * check the dictionary  path-to-dict-file line of
   /etc/radiusclient-ng/radiusclient.conf file (or 
   /etc/radiusclient/radiusclient.conf file)
   * check that the file path-to-dict-file contains a reference to 
   other dictionary files such as: INCLUDE 
   /usr/share/radiusclient-ng/dictionary.merit
   INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
   * check that you have these 2 extra dictionary files (especially 
   the microsoft one) == I've attached the two files
 
 in my radiusclient.conf there is:
 
 # dictionary of allowed attributes and values
 # just like in the normal RADIUS distributions
 dictionary  /etc/radiusclient/dictionary
 
 and in the dictionary file:
 $INCLUDE /etc/radiusclient/dictionary.microsoft
 $INCLUDE /etc/radiusclient/dictionary.ascend
 $INCLUDE /etc/radiusclient/dictionary.compat
 $INCLUDE /etc/radiusclient/dictionary.merit
 $INCLUDE /usr/share/freeradius/dictionary

Don't write $INCLUDE but INCLUDE without the $: this is the syntax for
radiusclient.


 But... without declaration of Default Auth-Type in the users file:
 
 rlm_ldap: user peppeska authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 0
 modcall: leaving group authorize (returns ok) for request 0
 auth: No authenticate method (Auth-Type) configuration found for the
 request: Rejecting the user
 auth: Failed to validate the user.
 Login incorrect: [peppeska/no User-Password attribute] 
 (from client localhost port 0) Delaying request 0 for 1 
 seconds Finished request 0

Sure, because Auth-Type must be set to MS-CHAP (automatically, don't use
Auth-Type:=): this will be the case if FR receives MS-CHAP challenge.

But this can work only if radiusclient knows the MS-CHAP Radius attributes,
which is not the case for the moment (see above the INCLUDE issue).

Regards,
Thibault






Re: EAP-TTLS outer identity accounting

2007-03-21 Thread A . L . M . Buxey
Hi,

   Ouch.  It needs fixing, then.  I'm at a conference this week, so I'll
 see what I can do in a few days.
 
   It would be nice to have regression tests for the server...

certainly for eg the glibc double-free issue that has hit... but otherwise
there are so many different permutations and combinations that really
that's what the end-user is for ;-)

alan


Re: Proxying/Rewriting Accounting Packets

2007-03-21 Thread Alan DeKok
Jason Hodges wrote:
...
 Here are the debug results:
 radius_xlat:  '0210xxx'
 radius_xlat: Running registered xlat function of
 module exec for string
 '/usr/local/freeradius/bin/mdn_lookup.sh'
 rlm_exec (exec): Executing
 /usr/local/freeradius/bin/mdn_lookup.sh
 rlm_exec (exec): result 0
 radius_xlat:  ''
 rlm_attr_rewrite: xlat on replace string failed.
 
 Thoughts?  What have I missed?

  The script you wrote didn't output anything.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Apache2 - PAM - freeRADIUS - users

2007-03-21 Thread Helmut Tröbs
Hello Michael,


  freeRADIUS works quite good and it's possible to authenticate via PAM,
 for example local logins, ssh-logins, su, chsh, gdm, ... are working
 quite fine.

 The only thing is the htaccess from apache2 which will not work. The
 Radius gets the request and permits the user:
 
   I would suggest finding out why Apache is requiring more from PAM than
 everyone else does.  It's not really a pam_radius problem, because it
 works with everything else.
 


we had similar problems with radius and Apache2 (it is not a RADIUS/PAM
problem!) PAM didn't work for us either, so a colleague found another
radius module for Apache 2:

http://www.outoforder.cc/projects/apache/mod_auth_xradius/

But it only works with Apache 2.0.x. With Apache 2.2.x we didn't manage
to get any radius authentication working.

Greetings





Re: Proxying/Rewriting Accounting Packets

2007-03-21 Thread Jason Hodges
Thank you for the response.

I did cover that base as well.  I should have pasted
the script into the original email.  Here is the
script that I tested with (where xxx are numbers):

#!/bin/sh
# Print one placeholder value when no argument is passed, another otherwise.
if [ "$1" = "" ]; then
   # Example 0xx
   echo 0xx
else
   echo 1xx
fi

Even if no variable was passed to the script, it
outputs something.  I also used other system commands
(exec:/bin/echo testing ... exec:/bin/cat some file)
just in case.  It seems as long as I was using exec, I
got that same error.  If I just substituted with a
static value, it worked fine.

Your time is appreciated.  Thanks again for the
response.

Regards,
Jason


--- Alan DeKok [EMAIL PROTECTED] wrote:

 Jason Hodges wrote:
 ...
  Here are the debug results:
  radius_xlat:  '0210xxx'
  radius_xlat: Running registered xlat function of
  module exec for string
  '/usr/local/freeradius/bin/mdn_lookup.sh'
  rlm_exec (exec): Executing
  /usr/local/freeradius/bin/mdn_lookup.sh
  rlm_exec (exec): result 0
  radius_xlat:  ''
  rlm_attr_rewrite: xlat on replace string failed.
  
  Thoughts?  What have I missed?
 
   The script you wrote didn't output anything.
 
   Alan DeKok.


RE : IP Pool management and Re-authentication

2007-03-21 Thread Thibault Le Meur
Hi Alan,

   I'd like to patch the openvpn-radiusplugin so that an extra
  attribute
   is sent in the Access-Accept packets so that FR will be able to
   differentiate Initial and Renegociation Access-Accept 
 requests and 
   only assign new IP address from the pool on Initial Access-Accept 
   requests.
  
I think you mean Access-Request packet.
 
 Sorry for the mistake, I meant Access-Request of course
 
   If it doesn't have
  a Framed-IP-Address attribute, FreeRADIUS can allocate & send 
  one in an Access-Accept.
   If openvpn re-authenticates a 
  session with an existing IP address, it should send 
  Framed-IP-Address in the Access-Request.
 
 I get you right, my patch may be as easy as to make 
 radiusplugin add the Framed-IP-Address attribute in the 
 Access-Request packet with the already assigned IP Address 
 when it is a renegotiation.

I've patched the radiusplugin to add Framed-IP-Address to the re-auth
request but rlm_ippool still allocates a new IP Address (I'm using FR
1.1.4).

I can see this in radiusd -X:
modcall: entering group postauth.ovpn for request 3
rlm_ippool: Searching for an entry for nas/port: 192.168.1.1/1
rlm_ippool: Found a stale entry for ip/port: 10.1.1.1/1
rlm_ippool: num: 0
rlm_ippool: Searching for an entry for nas/port: 192.168.1.1/1
rlm_ippool: Allocating ip to nas/port: 192.168.1.1/1
rlm_ippool: num: 1
rlm_ippool: Allocated ip 10.1.1.2 to client on nas 192.168.1.1,port 1
  modcall[post-auth]: module Ovpn_Main_Pool returns ok for request 3

Where:
* 192.168.1.1 is the NAS IP Address
* 10.1.1.1 is the IP address allocated at connection time
* 10.1.1.2 is the IP address allocated at re-authentication time

Maybe I didn't understand you well: 
* Is rlm_ippool supposed to return NOOP if a Framed-IP-Address attribute is
present in the Request ?
OR
* is it up to me to bypass the rlm_ippool (by setting another
Post-Auth-Type) when a Re-Auth Request is performed (that is to say when a
Framed-IP-Address attribute is present in the Request) ?

Thanks in advance,
Thibault




Re: RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
 Thibault Le Meur wrote:


 Have you setup ppp to use mschap (require-mschap-v2 option) ? Are 
 you using the radiusclient library ?
  refuse-pap
  refuse-chap
  require-mschap
  require-mschap-v2
  require-mppe
 
 
 Ok so that your NAS don't have to send User-Password but a MS-CHAP challenge
 instead: that's what I thought.
 

oook


 and in the dictionary file:
 $INCLUDE /etc/radiusclient/dictionary.microsoft
 $INCLUDE /etc/radiusclient/dictionary.ascend
 $INCLUDE /etc/radiusclient/dictionary.compat
 $INCLUDE /etc/radiusclient/dictionary.merit
 $INCLUDE /usr/share/freeradius/dictionary
 
 Don't write $INCLUDE but INCLUDE without the $: this is the syntax for
 radiusclient.

Now.. without $
 
 
 But... without declaration of Default Auth-Type in the users file:

 rlm_ldap: user peppeska authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 0
 modcall: leaving group authorize (returns ok) for request 0
 auth: No authenticate method (Auth-Type) configuration found for the
 request: Rejecting the user
 auth: Failed to validate the user.
 Login incorrect: [peppeska/no User-Password attribute] 
 (from client localhost port 0) Delaying request 0 for 1 
 seconds Finished request 0
 
 Sure, because Auth-Type must be set to MS-CHAP (automatically, don't use
 Auth-Type:=): this will be the case if FR receives MS-CHAP challenge.
 

k

the /etc/freeradius/users file now contain:

DEFAULT Auth-Type = MS-CHAP
Fall-Through = yes


 But this can work only if radiusclient knows the MS-CHAP Radius attributes,
 which is not the case for the moment (see above the INCLUDE issue).
 

Well.. I try now... and(roll of drums):

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

NOTHING the freeradius don't receive request (uff)

and:

debian:~# plog
Mar 21 16:13:52 debian pppd[3885]: sent [LCP TermAck id=0x2]
Mar 21 16:13:52 debian pppd[3885]: rcvd [LCP TermAck id=0x2]
Mar 21 16:13:52 debian pppd[3885]: Connection terminated.
Mar 21 16:13:52 debian pppd[3885]: Waiting for 1 child processes...
Mar 21 16:13:52 debian pppd[3885]:   script /usr/sbin/pppoe -n -I eth1
-e 2:32:c8:93:a2:15:29 -T 60 -S '', pid 3886
Mar 21 16:13:52 debian pppd[3885]: Script /usr/sbin/pppoe -n -I eth1 -e
2:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 3886), status = 0x1
Mar 21 16:13:52 debian pppd[3885]: Exit.
debian:~#

MMM damn! why freeradius don't want work with me?

P.S.
without the Default Auth-Type in the users file...it's the same...
If I put $INCLUDE instead INCLUDE... work like before...

and now?




- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


RE: pam_radius_auth

2007-03-21 Thread Dan Delaney



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Alan DeKok
 Sent: Wednesday, March 21, 2007 2:46 AM
 To: FreeRadius users mailing list
 Subject: Re: pam_radius_auth
 
 Dan Delaney wrote:
  Does anyone know how to change the service type that pam_radius_auth
  passes to the server?
 
   Source code modifications.

Do you know what files and lines I need to change in the pam_radius source?
I am fairly new to this pam.d and radius stuff

 
   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


Re: RE : IP Pool management and Re-authentication

2007-03-21 Thread Alan DeKok
Thibault Le Meur wrote:
 I've patched the radiusplugin to add Framed-IP-Address to the re-auth
 request but rlm_ippool still allocates a new IP Address (I'm using FR
 1.1.4).

  Ok.  It seems like rlm_ippool should be updated to look for
Framed-IP-Address in the request.

  That would be very useful, and would solve the problem you're seeing.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


New Server Build

2007-03-21 Thread Scott Hughes
Hello All,

I am attempting to build a new and different FR server than I currently use.

The new one is running the latest FR release and MySql.  I am also running the 
dialup admin software.

Before I attach a bunch of logs and eat up bandwidth, I want to make sure that 
I am testing correctly.

When I run the radtest utility that comes with FR, I get an access-reject, even 
though the user is in the radius database.  Running FR with the -X parameter, 
it does appear to be checking the database.

Am I testing correctly for this type of FR & MySQL setup?

Thanks in advance,

Scott

  


RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur

 
  and in the dictionary file:
  $INCLUDE /etc/radiusclient/dictionary.microsoft
  $INCLUDE /etc/radiusclient/dictionary.ascend
  $INCLUDE /etc/radiusclient/dictionary.compat
  $INCLUDE /etc/radiusclient/dictionary.merit
  $INCLUDE /usr/share/freeradius/dictionary
  
  Don't write $INCLUDE but INCLUDE without the $: this is the 
  syntax for radiusclient.
 
 Now.. without $

 
 the /etc/freeradius/users file now contain:
 
 DEFAULT Auth-Type = MS-CHAP
 Fall-Through = yes

Not a good idea ;-)


  But this can work only if radiusclient knows the MS-CHAP Radius 
  attributes, which is not the case for the moment (see above the 
  INCLUDE issue).
  
 
 Well.. I try now... and(roll of drums):
 
 Listening on authentication *:1812
 Listening on accounting *:1813
 Ready to process requests.
 
 NOTHING the freeradius don't receive request (uff)

That's because the NAS doesn't send packets (or because you have firewall
rules dropping packets, but this shouldn't be the case since you got packets
in the past).

 
 and:
 
 debian:~# plog
 Mar 21 16:13:52 debian pppd[3885]: sent [LCP TermAck id=0x2] 
 Mar 21 16:13:52 debian pppd[3885]: rcvd [LCP TermAck id=0x2] 
 Mar 21 16:13:52 debian pppd[3885]: Connection terminated. Mar 
 21 16:13:52 debian pppd[3885]: Waiting for 1 child processes...
 Mar 21 16:13:52 debian pppd[3885]:   script /usr/sbin/pppoe -n -I eth1
 -e 2:32:c8:93:a2:15:29 -T 60 -S '', pid 3886
 Mar 21 16:13:52 debian pppd[3885]: Script /usr/sbin/pppoe -n 
 -I eth1 -e 2:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 
 3886), status = 0x1 Mar 21 16:13:52 debian pppd[3885]: Exit. debian:~#
 
 MMM damn! why freeradius don't want work with me?

It's not a Freeradius issue, but a ppp/radiusclient issue ;-)

 
 P.S.
 without the Default Auth-Type in the users file...it's the 
 same... If I put $INCLUDE instead INCLUDE... work like before...

Very strange I've got several servers here using radiusclient with the
INCLUDE syntax !!

Or may it be an issue with the dictionary files ?
  $INCLUDE /usr/share/freeradius/dictionary

Avoid this one, it shouldn't be necessary.

  $INCLUDE /etc/radiusclient/dictionary.microsoft
  $INCLUDE /etc/radiusclient/dictionary.ascend
  $INCLUDE /etc/radiusclient/dictionary.compat
  $INCLUDE /etc/radiusclient/dictionary.merit

Are these dictionaries from the radiusclient distro or did you copy the
dictionaries from freeradius ?
Please use only dictionaries from the radiusclient distributions.
(Or try the one I posted if you don't have them in the distro).

Let me know,
Thibault




RE : RE : IP Pool management and Re-authentication

2007-03-21 Thread Thibault Le Meur

 Thibault Le Meur wrote:
  I've patched the radiusplugin to add Framed-IP-Address to 
 the re-auth 
  request but rlm_ippool still allocates a new IP Address 
 (I'm using FR 
  1.1.4).
 
   Ok.  It seems like rlm_ippool should be updated to look for 
 Framed-IP-Address in the request.
 
   That would be very useful, and would solve the problem 
 you're seeing.
 
   Alan DeKok.

Do you mean updated (to 1.1.5) or patched ?

I made a quick diff between rlm_ippool.c from 1.1.4 and 1.1.5 and I can't
see any difference so I think the problem I'm seeing is still present in
1.1.5.

Regards,
Thibault




Re: EAP-TTLS outer identity accounting

2007-03-21 Thread Sam Schultz
I can also vouch for freeradius 1.0.5 after building & retro-fitting
my configuration to it. I'll probably just downgrade to an earlier
1.1.x build, since I haven't seen any major security vulnerabilities/fixes
since the early 1.0.x builds.

On Tue, 20 Mar 2007 16:53:26 -0500 [EMAIL PROTECTED] wrote:
Hi,

 It worked for me right out of the box at one time, too. I have a
 feeling it was using either freeradius 1.1.3 or 1.0.3 (or whatever
 FC2 came pre-packaged with). I'll probably test my configuration
 against an earlier version later & see if I can establish it as a bug.
 The version I've been trying to coerce into working is 1.1.4, which
 was compiled from source.

confirm that EAP-TTLS userid's used to work with freeradius (1.0.5 era
through to 1.1.3) but then only anonymous was seen. i've been following
this User-Name = %{User-Name} etc thread with interest

alan


More debug info about LDAP?

2007-03-21 Thread rickan

Hi guys,

I am trying to establish a secure connection between freeradius and a Novell
eDirectory LDAP server. After configuring LDAP in radiusd.conf it seemed to
work, almost:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.5:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/ldap_ca_cert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Operations error
rlm_ldap: (re)connection attempt failed

Because I don't know how to get logs from the eDirectory side, I recorded
the traffic between both hosts and saw that the TLS handshake had been done,
both machines had exchanged cipher key and begun to send data. After 3 or 4
packets the LDAP server sent an encrypted alert and disconnected. Since
these data are encrypted I could not see what happened indeed.

My question: is it possible to get more debug info from the freeradius side?
If yes, how?

Thanks,

Rickan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE : RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur
  
  MMM damn! why freeradius don't want work with me?
 
 It's not a Freeradius issue, but a ppp/radiusclient issue ;-)
 
  
  P.S.
  without the Default Auth-Type in the users file...it's the
  same... If I put $INCLUDE instead INCLUDE... work like before...
 
 Very strange I've got several servers here using radiusclient 
 with the INCLUDE syntax !!

Very very curious, I've checked radiusclient's original code and it seems it
is $INCLUDE syntax that is the good one.
So keep with this one for now.
I just have no clue on why on my system only INCLUDE works !!


Sorry for this wrong information !


Had you got new results ?

Regards,
Thibault



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RE : RE : IP Pool management and Re-authentication

2007-03-21 Thread Jan Mulders

I've been using OpenVPN + Ralf's Radiusplugin for several months and
recently moved away from server-side IP assignment. However, while I did use
it, I found that in my configuration FreeRADIUS only assigned new IPs when
the accounting for that user had stopped (ie, if it received a STOP packet).
This meant, that once I'd crashed the openvpn server 3 times with users on
it :-) there were many IP's who were 'lost' - their sessions had never
ended, hence the IP was never returned to the pool.

I was doing renegotiation every 20 minutes if I remember correctly, and the
freeradius replied with the same IP for the user time and time again. Hence,
I'm beginning to wonder if it's configuration-specific, because I didn't
have any problems.

Hope this helps,

Jan

On 21/03/07, Thibault Le Meur [EMAIL PROTECTED] wrote:



 Thibault Le Meur wrote:
  I've patched the radiusplugin to add Framed-IP-Address to
 the re-auth
  request but rlm_ippool still allocates a new IP Address
 (I'm using FR
  1.1.4).

   Ok.  It seems like rlm_ippool should be updated to look for
 Framed-IP-Address in the request.

   That would be very useful, and would solve the problem
 you're seeing.

   Alan DeKok.

Do you mean updated (to 1.1.5) or patched ?

I made a quick diff between rlm_ippool.c from 1.1.4 and 1.1.5 and I can't
see any difference so I think the problem I'm seeing is still present in
1.1.5.

Regards,
Thibault


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska

Ok!!!
Now I have this configuration

 
INCLUDE /etc/radiusclient/dictionary.microsoft
INCLUDE /etc/radiusclient/dictionary.ascend
INCLUDE /etc/radiusclient/dictionary.compat
INCLUDE /etc/radiusclient/dictionary.merit
$INCLUDE /usr/share/freeradius/dictionary

And... (same roll of drums)

rad_recv: Access-Request packet from host 127.0.0.1:1028, id=40, length=136
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = peppeska
MS-CHAP-Challenge = 0x2b05b4344fc7309510ee443fac5c90bf
MS-CHAP2-Response =
0x05006a01dac8d579188fab13d4f5b10524c274aba52270d19850e5169d1e6410fe36c608d63ff061a401
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module mschap returns ok for request 1
rlm_realm: No '@' in User-Name = peppeska, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 1
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module files returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: Added password billuzzo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 1
  rlm_mschap: Told to do MS-CHAPv2 for peppeska with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module mschap returns ok for request 1
modcall: leaving group MS-CHAP (returns ok) for request 1
Login OK: [peppeska/no User-Password attribute] (from client localhost
port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 1
  modcall[post-auth]: module ldap returns noop for request 1
modcall: leaving group post-auth (returns noop) for request 1
Sending Access-Accept of id 40 to 127.0.0.1 port 1028
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success =
0x05533d4638413436383038343733323138354344333539453836393339463645323432363332373143
MS-MPPE-Recv-Key = 0xeb3b2b7a46dfff70bdee5eb89a755804
MS-MPPE-Send-Key = 0xe0d003c9754115e0063f7f832015f1c6
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Finished request 1
Going to the next request
- --- Walking the entire request list ---
Waking up in 6 seconds...
- --- Walking the entire request list ---
Cleaning up request 1 ID 40 with timestamp 4601688f
Nothing to do.  Sleeping until we see a request.

Well! it work! or not?

because.. this is the pppoe-server log

debian:~# plog
Mar 21 18:33:54 debian pppd[4306]: sent [LCP TermAck id=0x2]
Mar 21 18:33:54 debian pppd[4306]: rcvd [LCP TermAck id=0x2]
Mar 21 18:33:54 debian pppd[4306]: Connection terminated.
Mar 21 18:33:54 debian pppd[4306]: Waiting for 1 child processes...
Mar 21 18:33:54 debian pppd[4306]:   script /usr/sbin/pppoe -n -I eth1
- -e 5:32:c8:93:a2:15:29 -T 60 -S '', pid 4307
Mar 21 18:33:55 debian pppd[4306]: Script /usr/sbin/pppoe -n -I eth1 -e
5:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 4307), status = 0x1
Mar 21 18:33:55 debian pppd[4306]: Exit.
debian:~#


boh!! I really don't know why...


 


- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE : IP Pool management and Re-authentication

2007-03-21 Thread Thibault Le Meur


quote
I've been using OpenVPN + Ralf's Radiusplugin for several months and
recently moved away from server-side IP assignment. However, while I did use
it, I found that in my configuration FreeRADIUS only assigned new IPs when
the accounting for that user had stopped (ie, if it received a STOP packet).
/quote

Curious this is not what I see here ??
What is/was your FR server version ?

Anyway, Alan said that a 'good nas' should send the Framed-IP-Address in the
Access-Request if it has been already assigned one: this wasn't done by
radiusplugin, thus I think I'll keep the patch.

quote
 This meant, that once I'd crashed the openvpn server 3 times with users on
it :-) there were many IP's who were 'lost' - their sessions had never
ended, hence the IP was never returned to the pool. 
/quote

Sure, this is also true for my other NAS (pppd based), but they are quite
robust (I hope openvpn is/will be as robust ;-)).

quote
I was doing renegotiation every 20 minutes if I remember correctly, and the
freeradius replied with the same IP for the user time and time again.
/quote

Interesting, what could explain that mine allocate new IP addresses each
time ?

Should rlm_ippool allocate the same IP for a NAS-IP/NAS-port couple if the
entry isn't cleaned from the pool ?

(Anyway, I think it's better to have FR not re-send Framed-IP-Address since
it would cause an unuseful write to the client-config file from the
radiusplugin.)

quote
 Hence, I'm beginning to wonder if it's configuration-specific, because I
didn't have any problems. 
/quote

I can trust you, but I don't know where to search for a setup mistake.

Does someone have an idea ?

Thanks in advance,
Thibault



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Alan DeKok
peppeska wrote:
 Ok!!!
 Now I have this configuration
 
 INCLUDE /etc/radiusclient/dictionary.microsoft
 INCLUDE /etc/radiusclient/dictionary.ascend
 INCLUDE /etc/radiusclient/dictionary.compat
 INCLUDE /etc/radiusclient/dictionary.merit
 $INCLUDE /usr/share/freeradius/dictionary

  No.  radiusclient can't use the FreeRADIUS dictionaries.

  Once freeradius-client is updated, it will use the FreeRADIUS
dictionaries.  But radiusclient can't.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur


 -Original Message-
 From: 
 [EMAIL PROTECTED]
 radius.org 
 [mailto:[EMAIL PROTECTED]
 sts.freeradius.org] On behalf of peppeska
 Sent: Wednesday 21 March 2007 18:36
 To: FreeRadius users mailing list
 Subject: Re: RE : RE : RE : freeradius, ldap error - HELP ME!
 
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Ok!!!
 Now I have this configuration
 
  
 INCLUDE /etc/radiusclient/dictionary.microsoft
 INCLUDE /etc/radiusclient/dictionary.ascend
 INCLUDE /etc/radiusclient/dictionary.compat
 INCLUDE /etc/radiusclient/dictionary.merit
 $INCLUDE /usr/share/freeradius/dictionary

Very Very Very Weird  
I'm curious about one thing: when you remove the last $INCLUDE line, does
it work as described below ?

I'm also wondering why only INCLUDE statement work unless the radiusclient
code uses a hardcoded $INCLUDE strncmp in dict.c 

Alan, I thought there was a plan to make the radiusclient hosted at
freeradius.org so that It will benefit from Freeradius development: is it
always a plan ?

 
 And... (same roll of drums)
 
 rad_recv: Access-Request packet from host 127.0.0.1:1028, 
 id=40, length=136
 Service-Type = Framed-User
 Framed-Protocol = PPP
 User-Name = peppeska
 MS-CHAP-Challenge = 0x2b05b4344fc7309510ee443fac5c90bf
 MS-CHAP2-Response = 
 0x05006a01dac8d579188fab13d4f5b10524c274aba522
 70d19850e5169d1e6410fe36c608d63ff061a401
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 0

Better,

 Sending Access-Accept of id 40 to 127.0.0.1 port 1028
 Framed-IP-Address = 255.255.255.254
 Framed-MTU = 576
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Framed-Compression = Van-Jacobson-TCP-IP
 MS-CHAP2-Success = 
 0x05533d463841343638303834373332313835434433353945383639333946
 3645323432363332373143
 MS-MPPE-Recv-Key = 0xeb3b2b7a46dfff70bdee5eb89a755804
 MS-MPPE-Send-Key = 0xe0d003c9754115e0063f7f832015f1c6
 MS-MPPE-Encryption-Policy = 0x0002
 MS-MPPE-Encryption-Types = 0x0004

Ok, you're done with Freeradius.

 Well! it work! or not?

As far as Freeradius is concerned yes.

 because.. this is the pppoe-server log
 
 debian:~# plog
 Mar 21 18:33:54 debian pppd[4306]: sent [LCP TermAck id=0x2]
 Mar 21 18:33:54 debian pppd[4306]: rcvd [LCP TermAck id=0x2]
 Mar 21 18:33:54 debian pppd[4306]: Connection terminated.
 Mar 21 18:33:54 debian pppd[4306]: Waiting for 1 child processes...
 Mar 21 18:33:54 debian pppd[4306]:   script /usr/sbin/pppoe -n -I eth1
 - -e 5:32:c8:93:a2:15:29 -T 60 -S '', pid 4307
 Mar 21 18:33:55 debian pppd[4306]: Script /usr/sbin/pppoe -n -I eth1 -e
 5:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 4307), status = 0x1
 Mar 21 18:33:55 debian pppd[4306]: Exit.
 debian:~#
 
 
 boh!! I really don't know why...

Just a question: who is supposed to assign the IP address: Freeradius in
Framed-IP-Address Attribute or your pppoe server ?

Regards,
Thibault



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
Alan DeKok wrote:
 peppeska wrote:
 Ok!!!
 Now I have this configuration

 INCLUDE /etc/radiusclient/dictionary.microsoft
 INCLUDE /etc/radiusclient/dictionary.ascend
 INCLUDE /etc/radiusclient/dictionary.compat
 INCLUDE /etc/radiusclient/dictionary.merit
 $INCLUDE /usr/share/freeradius/dictionary
 
   No.  radiusclient can't use the FreeRADIUS dictionaries.
 
ook

now I don't have the freeradius dictionary...

now the freeradius:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1028, id=50, length=136
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = peppeska
MS-CHAP-Challenge = 0x3733ba43d6d8debb5b0302f590250afd
MS-CHAP2-Response =
0x0f00997701aa0d8775038e203d7c0487880fe6ba63b22268fbe23624491c47a9744354f94591fc730a90
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module mschap returns ok for request 0
rlm_realm: No '@' in User-Name = peppeska, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: Added password billuzzo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: Told to do MS-CHAPv2 for peppeska with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module mschap returns ok for request 0
modcall: leaving group MS-CHAP (returns ok) for request 0
Login OK: [peppeska/no User-Password attribute] (from client localhost
port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
  modcall[post-auth]: module ldap returns noop for request 0
modcall: leaving group post-auth (returns noop) for request 0
Sending Access-Accept of id 50 to 127.0.0.1 port 1028
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success =
0x0f533d33344135313830413334423831353141383738414532454632414341303830394341423344393945
MS-MPPE-Recv-Key = 0x923e2c93c2156b71231ea782495f5b99
MS-MPPE-Send-Key = 0x44fe16f0095f4b51b33c59a5387f512c
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Finished request 0
Going to the next request
- --- Walking the entire request list ---
Waking up in 6 seconds...
- --- Walking the entire request list ---
Cleaning up request 0 ID 50 with timestamp 4601790a
Nothing to do.  Sleeping until we see a request.

but plog:

[EMAIL PROTECTED]:/home/peppeska# plog
Mar 21 19:21:18 applejack pppd[18527]: Plugin rp-pppoe.so loaded.
Mar 21 19:21:18 applejack pppd[18529]: pppd 2.4.4 started by root, uid 0
Mar 21 19:21:19 applejack pppd[18529]: PPP session is 6
Mar 21 19:21:19 applejack pppd[18529]: Using interface ppp0
Mar 21 19:21:19 applejack pppd[18529]: Connect: ppp0 -- tap1
Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:
Mar 21 19:21:41 applejack pppd[18529]: CHAP authentication failed
Mar 21 19:21:41 applejack pppd[18529]: Connection terminated.
[EMAIL PROTECTED]:/home/peppeska# poff

UFFA!!! I promise that I send a Cassata Siciliana to who resolves my
problem...

 


- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  

Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Alan DeKok
peppeska wrote:
...
 Sending Access-Accept of id 50 to 127.0.0.1 port 1028
...
 Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:

  PPPD is broken.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur

 but plog:

 [EMAIL PROTECTED]:/home/peppeska# plog
 Mar 21 19:21:18 applejack pppd[18527]: Plugin rp-pppoe.so loaded.
 Mar 21 19:21:18 applejack pppd[18529]: pppd 2.4.4 started by root, uid 0
 Mar 21 19:21:19 applejack pppd[18529]: PPP session is 6
 Mar 21 19:21:19 applejack pppd[18529]: Using interface ppp0
 Mar 21 19:21:19 applejack pppd[18529]: Connect: ppp0 -- tap1
 Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:
 Mar 21 19:21:41 applejack pppd[18529]: CHAP authentication failed
 Mar 21 19:21:41 applejack pppd[18529]: Connection terminated.
 [EMAIL PROTECTED]:/home/peppeska# poff

 UFFA!!! I promise that I send a Cassata Siciliana to who resolves my
 problem...

  plog may not be enough: could you check the /var/log/messages

Moreover, what dictionary.microsoft file are you using ? Maybe it is  
lacking some attributes and radiusclient doesn't understand them.

If you're not using the one I posted today, could you test with this  
one instead ?

Thibault


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
Alan DeKok wrote:
 peppeska wrote:
 ...
 Sending Access-Accept of id 50 to 127.0.0.1 port 1028
 ...
 Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:
 
   PPPD is broken.
 
And what must I do now?

@Thibault Le Meur

I use Your dictionary...

the final response is:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1028, id=51, length=136
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = peppeska
MS-CHAP-Challenge = 0xb6b462d0d978bcbfe51e4783f4a3dd32
MS-CHAP2-Response =
0xa0002138a2441156e5ed33506db0e19e960db1cfdb576490d5d29b54d30317856b01d0780f1d51ef5fa7
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module mschap returns ok for request 0
rlm_realm: No '@' in User-Name = peppeska, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: Added password billuzzo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: Told to do MS-CHAPv2 for peppeska with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module mschap returns ok for request 0
modcall: leaving group MS-CHAP (returns ok) for request 0
Login OK: [peppeska/no User-Password attribute] (from client localhost
port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
  modcall[post-auth]: module ldap returns noop for request 0
modcall: leaving group post-auth (returns noop) for request 0
Sending Access-Accept of id 51 to 127.0.0.1 port 1028
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success =
0xa0533d32463945383842443446423034313543303139374631363834344244424532413836423234323346
MS-MPPE-Recv-Key = 0xee31ff0993d0e3b1589a2920ac31b3d8
MS-MPPE-Send-Key = 0x61bccd9e7dbd48aa264d2117a72ed2cc
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Finished request 0
Going to the next request
- --- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1028, id=51, length=136
Sending duplicate reply to client localhost:1028 - ID: 51
Re-sending Access-Accept of id 51 to 127.0.0.1 port 1028
- --- Walking the entire request list ---
Cleaning up request 0 ID 51 with timestamp 46018448
Nothing to do.  Sleeping until we see a request.





debian:/etc/freeradius# tail /var/log/messages
Mar 21 19:38:15 debian -- MARK --
Mar 21 19:58:19 debian -- MARK --
Mar 21 20:15:14 debian pppd[4426]: Plugin radius.so loaded.
Mar 21 20:15:14 debian pppd[4426]: RADIUS plugin initialized.
Mar 21 20:15:15 debian pppd[4426]: pppd 2.4.4 started by root, uid 0
Mar 21 20:15:17 debian pppd[4426]: Using interface ppp0
Mar 21 20:15:17 debian pppd[4426]: Connect: ppp0 -- /dev/pts/2
Mar 21 20:15:32 debian pppd[4426]: Peer peppeska failed CHAP authentication
Mar 21 20:15:32 debian pppd[4426]: Connection terminated.
Mar 21 20:15:33 debian pppd[4426]: Exit.
debian:/etc/freeradius#



my script to start pppoe-server is


debian:~# cat start-pppoe2.sh
#!/bin/bash
MAX=250
BASE=10.67.7.1
NAT=10.67.7.0/24
MYIP=193.205.94.13
iptables -A INPUT -i eth0 -s $NAT -j DROP
iptables -t nat -A POSTROUTING -s $NAT -j SNAT --to-source $MYIP
pppoe-server -T 60 -I eth1 -N $MAX -C PPPoE-R 

Is anyone using dialup_admin with a PHP version newer than 4.2.0?

2007-03-21 Thread Ethan Dicks
Hi, all,

This is a refinement of my earlier request for information, honed
after half a week of trying to untangle things.

I've been grubbing through all the code for dialup_admin 1.80 (from
the 20070320 CVS snapshot) and am entirely unconvinced that it works
with versions of PHP newer than 4.2.0.  I'm using PHP 4.3.0, since
that's what comes with RedHat Enterprise Linux 4.   I've turned on
register_globals, but I can't get the dialup_admin code to stop
throwing warnings about variable names, etc.

Let's take $login as an example.  In config.php3, there's code to
scrub bad characters out of it, and to strip the realm if requested.
 Unfortunately, in my environment, just going to the entry point of
the dialup_admin application results in...

[client 127.0.0.1] PHP Notice:  Undefined variable:  login in
/usr/local/dialup_admin/conf/config.php3 on line 92, referer:
http://localhost/dialup/
[client 127.0.0.1] PHP Notice:  Undefined variable:  login in
/usr/local/dialup_admin/conf/config.php3 on line 95, referer:
http://localhost/dialup/

(ignore the exact line numbers - they won't match the code in CVS
because I have some debugging stuff further up right now).

I realize that this is a notice level message and that messages can
be turned off by twiddling error_reporting, but that's not the point -
the point is not simply that there are hundreds of these 'notices'
getting logged when I bounce around dialup_admin.  The point is that
these notices are caused by PHP trying to do the right thing and
getting it wrong because the dialup_admin code is chock-a-block with
$login rather than the now-accepted practice of $_GET['login'], and in
any case, because of how the URLs and PHP code interrelate, modules
like config.php3 aren't always called from other modules that were
invoked with a GET method with those exact elements, thus variables
like $login and $find_user and any other variables which appear to be
implicitly created under older versions of PHP might or might not be
defined, but the code is written as if they are always defined, albeit
occasionally empty.

I'm entirely willing to accept that I've missed a step in the
installation, but I did try to follow the steps in the TODO file and
don't believe I missed any.  Do people just use the freeRADIUS server
and manipulate the user database manually?  Are there any dialup_admin
users running on operating systems less than a year old?  All I'm
really after is a user management GUI - I don't really care if it's
dialup_admin or not.  If there's something that other people prefer,
I'd love to hear about it.

In terms of getting this all going, I'm about to start forcing
variables to be something useful, as in...

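// Default both values so later code never reads an undefined variable.
$login = "";
$max_results = "";

// Copy a parameter only when the request actually supplied it.
if (isset($_GET['login'])) {
  $login = $_GET['login'];
}
if (isset($_GET['max_results'])) {
  $max_results = $_GET['max_results'];
}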

... just to quiet down the logged errors in the code so I can drill
down to why I can't click on new user and get a page that lets me
enter a new user.  I'm also open to other suggestions to clean up the
dialup_admin code and get it up to snuff w.r.t. presently-shipping
versions of PHP.  This will be an essential step to getting this code
running under php5, as all of these globalisms have been deprecated
because they lead to massive vulnerabilities.

Thanks,

-ethan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
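
The explicit-input handling the message above is working toward, as an added example that is not part of the original post and is not dialup_admin code. The helper names request_param and strip_realm, the allow-list patterns, the default of 40 and the sample inputs are all assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from dialup_admin.
//
// With register_globals on, every request parameter becomes a global
// variable, so any variable the code forgets to initialise can be set
// from the URL. Reading each input by name from one explicit source,
// with a default and an allow-list, removes both the "Undefined
// variable" notices and that injection path.

/**
 * Return $source[$name] only if it is present, is a string (a query
 * such as login[]=x arrives as an array) and matches $pattern.
 * Otherwise return $default.
 */
function request_param($source, $name, $default, $pattern)
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return $default;
    }
    $value = $source[$name];
    return preg_match($pattern, $value) === 1 ? $value : $default;
}

/**
 * Drop everything from the first '@' onward. Assumes realms are
 * written as a user@realm suffix.
 */
function strip_realm($login)
{
    $at = strpos($login, '@');
    return $at === false ? $login : substr($login, 0, $at);
}

// Allow-lists (assumed): short logins from a fixed character set,
// and a small non-negative integer for the result limit.
$LOGIN_PATTERN = '/\A[A-Za-z0-9._@-]{1,64}\z/';
$COUNT_PATTERN = '/\A[0-9]{1,4}\z/';

// Constructed sample inputs standing in for $_GET on four requests.
$samples = array(
    array('login' => 'peppeska@example.org', 'max_results' => '25'),
    array('login' => 'bad name<>',           'max_results' => '25'),
    array('login' => array('x'),             'max_results' => '-1'),
    array(),   // entry page: no parameters at all
);

foreach ($samples as $get) {
    // Every variable is assigned on every request, whatever was sent.
    $login = strip_realm(request_param($get, 'login', '', $LOGIN_PATTERN));
    $max_results = (int) request_param($get, 'max_results', '40', $COUNT_PATTERN);

    printf("login=%s max_results=%d\n", var_export($login, true), $max_results);
}
```

In a real page the first argument would be $_GET or $_POST; a rejected or missing value falls back to the default instead of reaching later code.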


Re: Apache2 - PAM - freeRADIUS - users

2007-03-21 Thread Nick Owen
On 3/21/07, Helmut Tröbs [EMAIL PROTECTED] wrote:
 Hello Michael,

 
   freeRADIUS works quite good and it's possible to authenticate via PAM,
  for example local logins, ssh-logins, su, chsh, gdm, ... are working
  quite fine.
 
  The only thing is the htaccess from apache2 which will not work. The
  Radius gets the request and permits the user:
 
I would suggest finding out why Apache is requiring more from PAM than
  everyone else does.  It's not really a pam_radius problem, because it
  works with everything else.
 


 we had similar problems with radius and Apache2 (it is not a RADIUS/PAM
 problem!) PAM didn't work for us neither, so a colleague found another
 radius module for Apache 2:

 http://www.outoforder.cc/projects/apache/mod_auth_xradius/

 But it only works with Apache 2.0.x. With Apache 2.2.x we didn't manage
 to get any radius authentication working.

I got apache - radius working with mod_auth_xradius with apache-2.2.2 on FC6.

a very basic how-to is here:
http://www.howtoforge.com/apache_radius_two_factor_authentication

hth.

nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems with PAP, upgrading from 1.1.3

2007-03-21 Thread Josh Endries
I figured this out. I had to use {sha} instead of {sha1}.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP-TTLS + Post-auth clear password

2007-03-21 Thread Erico Augusto
Hi,

I would like to send clear-text password at post-auth using eap-ttls. is there 
a way?
I'm avoiding to write a lot of details about the question. Just using post-auth 
I got to send User-password attribute, but it's cyphered at destination(Yes, 
there is all the TLS tunneling stuff, but I'm trying to see the problem at a 
simpler-unknown perspective).

I'm using SecureW2 as supplicant(PAP), freeradius-1.1.2+jradius patch.

Thanks a lot.

Erico.


- Original message 
From: Nick Owen [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, 21 March 2007 16:45:43
Subject: Re: Apache2 - PAM - freeRADIUS - users

On 3/21/07, Helmut Tröbs [EMAIL PROTECTED] wrote:
 Hello Michael,

 
   freeRADIUS works quite good and it's possible to authenticate via PAM,
  for example local logins, ssh-logins, su, chsh, gdm, ... are working
  quite fine.
 
  The only thing is the htaccess from apache2 which will not work. The
  Radius gets the request and permits the user:
 
I would suggest finding out why Apache is requiring more from PAM than
  everyone else does.  It's not really a pam_radius problem, because it
  works with everything else.
 


 we had similar problems with radius and Apache2 (it is not a RADIUS/PAM
 problem!) PAM didn't work for us neither, so a colleague found another
 radius module for Apache 2:

 http://www.outoforder.cc/projects/apache/mod_auth_xradius/

 But it only works with Apache 2.0.x. With Apache 2.2.x we didn't manage
 to get any radius authentication working.

I got apache - radius working with mod_auth_xradius with apache-2.2.2 on FC6.

a very basic how-to is here:
http://www.howtoforge.com/apache_radius_two_factor_authentication

hth.

nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TTLS + Post-auth clear password

2007-03-21 Thread joe vieira
Erico Augusto wrote:
 Hi,

 I would like to send clear-text password at post-auth using eap-ttls. 
 is there a way?
 I'm avoiding to write a lot of details about the question. Just using 
 post-auth I got to send User-password attribute, but it's cyphered at 
 destination (Yes, there is all the TLS tunneling stuff, but I'm trying 
 to see the problem at a simpler-unknown perspective).

i think by default pap is an md5 hash, you should be able to change that 
tho in the radiusd.conf (altho i could be totally insane.) in 1.1.4+ 
this looks to have changed to be auto negotiated.  other people will 
know better than me but, i think this is accurate.

Joe


Re: Is anyone using dialup_admin with a PHP version newer than, 4.2.0?

2007-03-21 Thread Arran Cudbard-Bell

 Message: 4
 Date: Wed, 21 Mar 2007 15:33:11 -0400
 From: Ethan Dicks [EMAIL PROTECTED]
 Subject: Is anyone using dialup_admin with a PHP version newer than 4.2.0?
 To: freeradius-users@lists.freeradius.org

 Hi, all,

 This is a refinement of my earlier request for information, honed
 after half a week of trying to untangle things.

 I've been grubbing through all the code for dialup_admin 1.80 (from
 the 20070320 CVS snapshot) and am entirely unconvinced that it works
 with versions of PHP newer than 4.2.0.  I'm using PHP 4.3.0, since
 that's what comes with RedHat Enterprise Linux 4.   I've turned on
 register_globals, but I can't get the dialup_admin code to stop
 throwing warnings about variable names, etc.

 Let's take $login as an example.  In config.php3, there's code to
 scrub bad characters out of it, and to strip the realm if requested.
  Unfortunately, in my environment, just going to the entry point of
 the dialup_admin application results in...

 [client 127.0.0.1] PHP Notice:  Undefined variable:  login in
 /usr/local/dialup_admin/conf/config.php3 on line 92, referer:
 http://localhost/dialup/
 [client 127.0.0.1] PHP Notice:  Undefined variable:  login in
 /usr/local/dialup_admin/conf/config.php3 on line 95, referer:
 http://localhost/dialup/

 (ignore the exact line numbers - they won't match the code in CVS
 because I have some debugging stuff further up right now).

 I realize that this is a notice level message and that messages can
 be turned off by twiddling error_reporting, but that's not the point -
 the point is not simply that there are hundreds of these 'notices'
 getting logged when I bounce around dialup_admin.  The point is that
 these notices are caused by PHP trying to do the right thing and
 getting it wrong because the dialup_admin code is chock-a-block with
 $login rather than the now-accepted practice of $_GET['login'], and in
 any case, because of how the URLs and PHP code interrelate, modules
 like config.php3 aren't always called from other modules that were
 invoked with a GET method with those exact elements, thus variables
 like $login and $find_user and any other variables which appear to be
 implicitly created under older versions of PHP might or might not be
 defined, but the code is written as if they are always defined, albeit
 occasionally empty.

 I'm entirely willing to accept that I've missed a step in the
 installation, but I did try to follow the steps in the TODO file and
 don't believe I missed any.  Do people just use the freeRADIUS server
 and manipulate the user database manually?  Are there any dialup_admin
 users running on operating systems less than a year old?  All I'm
 really after is a user management GUI - I don't really care if it's
 dialup_admin or not.  If there's something that other people prefer,
 I'd love to hear about it.

 In terms of getting this all going, I'm about to start forcing
 variables to be something useful, as in...

 $login = "";
 $max_results = "";

 if (!empty($_GET)) {
   $login = $_GET['login'];
   $max_results = $_GET['max_results'];
 }

 ... just to quiet down the logged errors in the code so I can drill
 down to why I can't click on new user and get a page that lets me
 enter a new user.  I'm also open to other suggestions to clean up the
 dialup_admin code and get it up to snuff w.r.t. presently-shipping
 versions of PHP.  This will be an essential step to getting this code
 running under php5, as all of these globalisms have been deprecated
 because they lead to massive vulnerabilities.

 Thanks,

 -ethan

   
You could try phpRadmin

http://freshmeat.net/projects/phpradmin/

Still in alpha last time I checked but very pretty and featurefull gui :)



Re: accounts disappears!

2007-03-21 Thread Marwan Sultan
hi Alan,

Thank you for the reply, You are a great help for this list, _AS_USUAL_
However,
Do you have any hint or know anything about disappearing users in mysql 
database?
Thank you.


Marwan Sultan wrote:
  This system is up and running since september 2006, last week, we start to
  see a strange problem
  some account are disappearing from the system!!

   FreeRADIUS doesn't do SQL writes to delete accounts.  The problem lies
   elsewhere.

   Alan DeKok.
--
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


Res: EAP-TTLS + Post-auth clear password

2007-03-21 Thread Erico Augusto
thanks joe,

my pap's modules section is already as follows:
pap {
 encryption_scheme = clear
}
I'm trying to forward username and password to my own app, using post-auth 
section, to perform user authentication, as described below ... is that 
possible?

Erico.

- Original message
From: joe vieira [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, 21 March 2007 17:17:18
Subject: Re: EAP-TTLS + Post-auth clear password

Erico Augusto wrote:
 Hi,

 I would like to send clear-text password at post-auth using eap-ttls. 
 is there a way?
 I'm avoiding to write a lot of details about the question. Just using 
 post-auth I got to send User-password attribute, but it's cyphered at 
 destination (Yes, there is all the TLS tunneling stuff, but I'm trying 
 to see the problem at a simpler-unknown perspective).
 I'm using SecureW2 as supplicant(PAP), freeradius-1.1.2+jradius patch.
i think by default pap is an md5 hash, you should be able to change that 
tho in the radiusd.conf (altho i could be totally insane.) in 1.1.4+ 
this looks to have changed to be auto negotiated.  other people will 
know better than me but, i think this is accurate.

Joe

Re: accounts disappears!

2007-03-21 Thread Dennis Skinner
Marwan Sultan wrote:
 Do you have any hint or know anything about disappearing users in mysql 
 database?

Turn on mysql query logging.  Wait for user to disappear.  Check log.
See what generated that query.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: Is anyone using dialup_admin with a PHP version newer than, 4.2.0?

2007-03-21 Thread Ethan Dicks
On 3/21/07, Arran Cudbard-Bell [EMAIL PROTECTED] wrote:
 You could try phpRadmin

 http://freshmeat.net/projects/phpradmin/

 Still in alpha last time I checked but very pretty and featurefull gui :)

Freshmeat lists it as pre-alpha, but it looks worth a look.

Thanks!

-ethan


Re: Is anyone using dialup_admin with a PHP version newer than 4.2.0?

2007-03-21 Thread Kostas Kalevras
Ethan Dicks wrote:
 Hi, all,

 This is a refinement of my earlier request for information, honed
 after half a week of trying to untangle things.

 I've been grubbing through all the code for dialup_admin 1.80 (from
 the 20070320 CVS snapshot) and am entirely unconvinced that it works
 with versions of PHP newer than 4.2.0.  I'm using PHP 4.3.0, since
 that's what comes with RedHat Enterprise Linux 4.   I've turned on
 register_globals, but I can't get the dialup_admin code to stop
 throwing warnings about variable names, etc.

 Let's take $login as an example.  In config.php3, there's code to
 scrub bad characters out of it, and to strip the realm if requested.
  Unfortunately, in my environment, just going to the entry point of
 the dialup_admin application results in...

 [client 127.0.0.1] PHP Notice:  Undefined variable:  login in
 /usr/local/dialup_admin/conf/config.php3 on line 92, referer:
 http://localhost/dialup/
 [client 127.0.0.1] PHP Notice:  Undefined variable:  login in
 /usr/local/dialup_admin/conf/config.php3 on line 95, referer:
 http://localhost/dialup/
   

Well as you probably have seen config.php3 will call 
import_request_variables('GPC') so you should not normally have problems 
with variables like $login.
I have dialupadmin running on php-5.0.3 without a problem.

 (ignore the exact line numbers - they won't match the code in CVS
 because I have some debugging stuff further up right now).

 I realize that this is a notice level message and that messages can
 be turned off by twiddling error_reporting, but that's not the point -
 the point is not simply that there are hundreds of these 'notices'
 getting logged when I bounce around dialup_admin.  The point is that
 these notices are caused by PHP trying to do the right thing and
 getting it wrong because the dialup_admin code is chock-a-block with
 $login rather than the now-accepted practice of $_GET['login'], and in
 any case, because of how the URLs and PHP code interrelate, modules
 like config.php3 aren't always called from other modules that were
 invoked with a GET method with those exact elements, thus variables
 like $login and $find_user and any other variables which appear to be
 implicitly created under older versions of PHP might or might not be
 defined, but the code is written as if they are always defined, albeit
 occasionally empty.

 I'm entirely willing to accept that I've missed a step in the
 installation, but I did try to follow the steps in the TODO file and
 don't believe I missed any.  Do people just use the freeRADIUS server
 and manipulate the user database manually?  Are there any dialup_admin
 users running on operating systems less than a year old?  All I'm
 really after is a user management GUI - I don't really care if it's
 dialup_admin or not.  If there's something that other people prefer,
 I'd love to hear about it.

 In terms of getting this all going, I'm about to start forcing
 variables to be something useful, as in...

 $login = "";
 $max_results = "";

 if (!empty($_GET)) {
   $login = $_GET['login'];
   $max_results = $_GET['max_results'];
 }

 ... just to quiet down the logged errors in the code so I can drill
 down to why I can't click on new user and get a page that lets me
 enter a new user.  I'm also open to other suggestions to clean up the
 dialup_admin code and get it up to snuff w.r.t. presently-shipping
 versions of PHP.  This will be an essential step to getting this code
 running under php5, as all of these globalisms have been deprecated
 because they lead to massive vulnerabilities.

 Thanks,

 -ethan

Re: Is anyone using dialup_admin with a PHP version newer than 4.2.0?

2007-03-21 Thread Ethan Dicks
On 3/21/07, Kostas Kalevras [EMAIL PROTECTED] wrote:
 Ethan Dicks wrote:
  ...  I'm using PHP 4.3.0, since
  that's what comes with RedHat Enterprise Linux 4.   I've turned on
  register_globals, but I can't get the dialup_admin code to stop
  throwing warnings about variable names, etc.

 Well as you probably have seen config.php3 will call
 import_request_variables('GPC') so you should not normally have problems
 with variables like $login.

Hmm... I have seen that call at the top of config.php3, but I'm seeing
behavior that's consistent with it not working.  Odd.

 I have dialupadmin running on php-5.0.3 without a problem.

Thank you for letting me know that it works with a newer version of
php.  I'm back to the drawing board about where I might be missing an
installation step, then.

Thanks,

-ethan
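
The explicit alternative to the implicit `$login` globals discussed in this thread, as an added example that is not part of any post or of dialup_admin's code: each parameter is read by name from the request array with a default, then scrubbed or range-checked. The helper names, the allowed character set, the default of 40 and the 1-500 bounds are assumptions; it targets PHP 7 or later.

```php
<?php
// Added example: read request parameters explicitly instead of relying on
// register_globals or import_request_variables('GPC').
// request_param(), clean_login() and request_int() are hypothetical helpers.

/**
 * Return one request parameter as a string, or $default when it is absent.
 * Only the named key is read, so a request cannot create other variables.
 */
function request_param(array $source, string $name, string $default = ''): string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return $default;   // absent, or an array such as ?login[]=x
    }
    return $source[$name];
}

/**
 * Scrub a login name: optionally strip the realm, then drop every character
 * outside a conservative allow-list (assumed here; adjust to local policy).
 */
function clean_login(string $login, bool $strip_realm = false): string
{
    if ($strip_realm) {
        $at = strpos($login, '@');
        if ($at !== false) {
            $login = substr($login, 0, $at);
        }
    }
    return preg_replace('/[^A-Za-z0-9._@-]/', '', $login);
}

/** Parse an integer within [$min, $max], falling back to $default. */
function request_int(array $source, string $name, int $default, int $min, int $max): int
{
    $value = filter_var(
        request_param($source, $name),
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]
    );
    return $value === false ? $default : $value;
}

// Constructed sample request, standing in for $_GET.
$sample_get = [
    'login'       => "b'ob <x>@example.org",
    'max_results' => '9999999',
    'admin'       => '1',   // never becomes $admin: nothing reads this key
];

// Always defined, even when the page is reached without any query string.
$login       = clean_login(request_param($sample_get, 'login'), true);
$max_results = request_int($sample_get, 'max_results', 40, 1, 500);

var_dump($login, $max_results);
```

Both register_globals and import_request_variables() were removed in PHP 5.4, so code that reads its parameters this way also keeps working on later versions.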


A request for your input.

2007-03-21 Thread lmth
Hello

My name is Lara Thynne and I am a PhD candidate at Deakin University
Australia.  I am currently researching the boundary between work and
leisure activities directly related to the open source community and
open source program development.

As part of this I am running a survey at the following address.

https://dcarf.deakin.edu.au/surveys/oss/

The survey is completely confidential and looks at your views and
motivations to use Open Source software and to participate in the
community.

It will only take five to ten minutes to complete and your contact
details will not be recorded. You can withdraw your participation at
any stage.

I sincerely apologize for the spammish nature of this e-mail - I
don't mean to abuse this list.  I am trying to collect responses
from as many open source developers and users as possible and a
mailing list like this can be the only way to reach many developers.

Thanks again

Lara

P.S The program that I am using is open source, of course
(www.phpsurveyor.org)!






freeradius radwho output 999

2007-03-21 Thread satish patel
Dear 's

  I am using freeradius-1.1.0 with mssql. When I run radwho I have 
seen this output:

#radwho
mlpm482mlpm482   PPP   999 Thu 10:11 192.168.1 10.100.13.205
mlpm636mlpm636   PPP   999 Thu 11:31 192.168.1 10.100.14.178

So what is 999? Is this an error or something else? Can anybody explain to me what 
this is?




$ cat ~/satish/url.txt

System administrator ( Data Center )

please visit this site

http://linux.tulipit.com   
