Calling-Station-Id in pam_radius_auth

2008-02-13 Thread Stefan Winter
Hi,

a somewhat sophisticated problem: in a mail server, we'd like to record the IP 
address of the client that triggered the IMAP authentication request. The 
IMAP server uses PAM, specifically pam_radius_auth.

Is there a way to tell pam_radius_auth to send a value in Calling-Station-Id? 
Is there a way at all to send variables to PAM, to be used for setting 
Calling-Station-Id within pam_radius_auth?
We could also live with getting the value into PAM and then setting it into 
client_id= if Calling-Station-Id is not possible; string mangling on the 
server side would do nicely. Something like 
[EMAIL PROTECTED] as an 
option to pam_radius_auth?

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TTLS/PAP tunneling issue

2008-02-13 Thread Alan DeKok
Edwin van Zyl wrote:
 I've configured with the following options:  ./configure --enable-debug
 --enable-developer and re-build, but still don't see the raw data. I've
 looked at the binary traces and can see that the EAP message contains
 encrypted application data and the size is less than 100 bytes. Am I
 configuring with the wrong options?

  Hmm... try running with -Xxx

  Alan DeKok.


Re: multiple NAS's and Mysql

2008-02-13 Thread Alan DeKok
Wayne Lee wrote:
 What I need to be able to do is send back different info based on the
 incoming request from a set of NAS's.

  In 2.0, just write the policy.  See man unlang.

  Or, use virtual servers.

 client foo {
ipaddr = 1.2.3.4
...
virtual_server = one  # or two
 }

  See raddb/sites-available/README for more examples.

 Current versions are (running on Debian sarge at the mo)
 freeradius = 1.0.2-4sarge3

  Ouch.  Please upgrade.

  Alan DeKok.


Re: FR2 - proxying inner tunnel

2008-02-13 Thread Alan DeKok
Dmitry Sergienko wrote:
 Situation gets more clear if eap module is being called in post-proxy
 section of proxy-inner-tunnel:

  I've updated the proxy-inner-tunnel example to work.

  It sends the MS-CHAP2-Success as part of the EAP session.

  And please don't CC me on messages to the list.  I get enough messages
already.

  Alan DeKok.


Re: accounting - no huntgroups

2008-02-13 Thread Arran Cudbard-Bell
  In 2.0, much of the huntgroup functionality can be done with a little
bit of magic:

 client foo {
ipaddr = 127.0.0.1
secret = x
huntgroup = foo # invent ANYTHING here! foo = bar, x = y, etc.
 }

  Then in unlang:

...
if (%{client:huntgroup} == foo) {
...
}

  i.e. you can use the configuration files to add arbitrary tags to a
client, and then check them at run time.
  
Woah, get that working with SQL and you have an insanely useful feature. 
Oooo, what VLANs does this NAS support? Hmm, I'll just check the client 
VLAN tags. Where is this NAS located? Hmm, I'll just check the 
arbitrarily populated location tag.
Who was meant to be updating the client list SQL features for 2.0 ?

  Alan DeKok.
  
--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Re: EAP-TTLS/PAP tunneling issue

2008-02-13 Thread Edwin van Zyl

That worked. thx.

rad_recv: Access-Request packet from host 127.0.0.1:50067, id=101,  
length=79

User-Name = edwinvanzyl
Called-Station-Id = internet
EAP-Message = 0x021001656477696e76616e7a796c
Message-Authenticator = 0xd649ab055e13bef1b25863bcab47f81e
Wed Feb 13 11:22:56 2008 : Debug:   Processing the authorize section  
of radiusd.conf
Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authorize  
for request 4
Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: calling eap  
(rlm_eap) for request 4
Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: EAP packet type response  
id 0 length 16
Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: No EAP Start, assuming  
it's an on-going EAP conversation
Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: returned  
from eap (rlm_eap) for request 4
Wed Feb 13 11:22:56 2008 : Debug:   modcall[authorize]: module eap  
returns updated for request 4
Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: calling  
files (rlm_files) for request 4
Wed Feb 13 11:22:56 2008 : Debug: users: Matched entry edwinvanzyl  
at line 80
Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: returned  
from files (rlm_files) for request 4
Wed Feb 13 11:22:56 2008 : Debug:   modcall[authorize]: module files  
returns ok for request 4
Wed Feb 13 11:22:56 2008 : Debug: modcall: leaving group authorize  
(returns updated) for request 4
Wed Feb 13 11:22:56 2008 : Debug:   rad_check_password:  Found Auth- 
Type EAP

Wed Feb 13 11:22:56 2008 : Debug: auth: type EAP
Wed Feb 13 11:22:56 2008 : Debug:   Processing the authenticate  
section of radiusd.conf
Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authenticate  
for request 4
Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authenticate]: calling  
eap (rlm_eap) for request 4

Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: EAP Identity
Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: processing type tls
Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap_tls: Initiate
Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap_tls: Start returned 1
Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authenticate]: returned  
from eap (rlm_eap) for request 4
Wed Feb 13 11:22:56 2008 : Debug:   modcall[authenticate]: module  
eap returns handled for request 4
Wed Feb 13 11:22:56 2008 : Debug: modcall: leaving group authenticate  
(returns handled) for request 4

Sending Access-Challenge of id 101 to 127.0.0.1 port 50067
EAP-Message = 0x010100061520
Message-Authenticator = 0x
State = 0xad2f0e60790267d123b90ade481ecca5
Wed Feb 13 11:22:56 2008 : Debug: Finished request 4
Wed Feb 13 11:22:56 2008 : Debug: Going to the next request
Wed Feb 13 11:22:56 2008 : Debug: --- Walking the entire request list  
---

Wed Feb 13 11:22:56 2008 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:50067, id=102,  
length=145

User-Name = edwinvanzyl
Called-Station-Id = internet
State = 0xad2f0e60790267d123b90ade481ecca5
	EAP-Message =  
0x020100401580003a1603010031012d030147b2b6f06db8377eae44af2b54c47b7c102f291a22bb62187200777ccdf6621606002f003300320100

Message-Authenticator = 0x21c075be78867ae66bd77f002e447701
Wed Feb 13 11:22:56 2008 : Debug:   Processing the authorize section  
of radiusd.conf
Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authorize  
for request 5
Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: calling eap  
(rlm_eap) for request 5
Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: EAP packet type response  
id 1 length 64
Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: No EAP Start, assuming  
it's an on-going EAP conversation
Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: returned  
from eap (rlm_eap) for request 5
Wed Feb 13 11:22:56 2008 : Debug:   modcall[authorize]: module eap  
returns updated for request 5
Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: calling  
files (rlm_files) for request 5
Wed Feb 13 11:22:56 2008 : Debug: users: Matched entry edwinvanzyl  
at line 80
Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: returned  
from files (rlm_files) for request 5
Wed Feb 13 11:22:56 2008 : Debug:   modcall[authorize]: module files  
returns ok for request 5
Wed Feb 13 11:22:56 2008 : Debug: modcall: leaving group authorize  
(returns updated) for request 5
Wed Feb 13 11:22:56 2008 : Debug:   rad_check_password:  Found Auth- 
Type EAP

Wed Feb 13 11:22:56 2008 : Debug: auth: type EAP
Wed Feb 13 11:22:56 2008 : Debug:   Processing the authenticate  
section of radiusd.conf
Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authenticate  
for request 5
Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authenticate]: calling  
eap (rlm_eap) for request 5
Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: Request found, released  
from the list

Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: EAP/ttls
Wed Feb 13 11:22:56 

Re: EAP-TTLS/PAP tunneling issue

2008-02-13 Thread Alan DeKok
Edwin van Zyl wrote:
 That worked. thx.
...
 Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap_ttls: Session established. 
 Proceeding to decode tunneled attributes.
   TTLS tunnel data in : 01 0d 65 64 77 69 6e 76 61 6e 7a 79 6c 02 09 74
   TTLS tunnel data in 0010: 65 73 74 69 6e 67 1e 0a 69 6e 74 65 72 6e 65 74

  The supplicant is sending data inside the TTLS tunnel packed as
*RADIUS* attributes.  That's wrong.  The attributes are supposed to be
packed in the *Diameter* AVP format.

  Whatever supplicant you're using is broken, and WILL NOT work with
*any* RADIUS server supporting TTLS.

  Alan DeKok.
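The decoder below is an added example, not code from this thread or from FreeRADIUS. It takes the 32 bytes Alan quotes from the "TTLS tunnel data in" dump and parses them both as RADIUS attribute TLVs (type, length, value) and as the Diameter AVPs RFC 5281 requires inside the TTLS tunnel, so an operator can tell from a hex dump which encoding a supplicant is using. It also re-packs the same three attributes the way a conforming supplicant would send them. The reserved-flag-bits test used to reject the RADIUS encoding is this example's own heuristic, and the attribute-name table covers only the three attributes in the dump.

```python
import struct

# Constructed from the "TTLS tunnel data in" hex dump quoted above (32 bytes).
TUNNEL_DATA = bytes.fromhex(
    "010d656477696e76616e7a796c"   # 01 0d "edwinvanzyl"
    "020974657374696e67"           # 02 09 "testing"
    "1e0a696e7465726e6574"         # 1e 0a "internet"
)

RADIUS_ATTR_NAMES = {1: "User-Name", 2: "User-Password", 30: "Called-Station-Id"}


def parse_radius_tlvs(buf):
    """Parse RFC 2865 attributes: Type (1 byte), Length (1 byte, includes the
    2-byte header), Value.  Returns a list of (type, value) tuples."""
    attrs, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated RADIUS attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError(f"bad RADIUS attribute length {alen} at offset {i}")
        attrs.append((atype, buf[i + 2:i + alen]))
        i += alen
    return attrs


def parse_diameter_avps(buf):
    """Parse the AVP format EAP-TTLS requires (RFC 5281 section 10, RFC 3588):
    Code (4 bytes), Flags (1 byte: V=0x80, M=0x40, P=0x20), Length (3 bytes,
    header plus data, excluding padding), optional Vendor-Id (4 bytes), Data,
    padded to a 4-byte boundary.  Returns (vendor, code, flags, data) tuples."""
    avps, i = [], 0
    while i < len(buf):
        if len(buf) - i < 8:
            raise ValueError("truncated Diameter AVP header")
        code = struct.unpack_from("!I", buf, i)[0]
        flags = buf[i + 4]
        length = int.from_bytes(buf[i + 5:i + 8], "big")
        if flags & 0x1F:
            # Reserved bits must be zero; set bits are a strong sign the bytes
            # are not AVPs at all (heuristic chosen for this example).
            raise ValueError(f"reserved AVP flag bits set at offset {i}")
        hdr = 12 if flags & 0x80 else 8
        if length < hdr or i + length > len(buf):
            raise ValueError(f"bad AVP length {length} at offset {i}")
        vendor = struct.unpack_from("!I", buf, i + 8)[0] if flags & 0x80 else 0
        avps.append((vendor, code, flags, buf[i + hdr:i + length]))
        i += length + (-length % 4)  # skip padding to the next 4-byte boundary
    return avps


def classify_tunnel_data(buf):
    """Return ("diameter", avps) when the payload parses as AVPs, otherwise
    ("radius", attrs).  Only the former is valid inside EAP-TTLS."""
    try:
        return "diameter", parse_diameter_avps(buf)
    except ValueError:
        return "radius", parse_radius_tlvs(buf)


def encode_diameter_avp(code, data, mandatory=True, vendor=None):
    """Pack one AVP; a plain RADIUS attribute maps to AVP code == attribute
    number with the M bit set, as RFC 5281 section 10.1 describes."""
    flags = (0x40 if mandatory else 0) | (0x80 if vendor is not None else 0)
    length = 8 + (4 if vendor is not None else 0) + len(data)
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor is not None:
        out += struct.pack("!I", vendor)
    return out + data + b"\x00" * (-length % 4)


def radius_to_diameter(buf):
    """Re-pack a RADIUS-TLV inner payload the way a conforming supplicant
    should have sent it."""
    return b"".join(encode_diameter_avp(t, v) for t, v in parse_radius_tlvs(buf))


def describe(buf):
    """Human-readable summary of a tunnel payload; the password value is not shown."""
    kind, items = classify_tunnel_data(buf)
    lines = [f"encoding: {kind}"]
    for item in items:
        code, data = (item[0], item[1]) if kind == "radius" else (item[1], item[3])
        name = RADIUS_ATTR_NAMES.get(code, f"attr-{code}")
        shown = "<hidden>" if code == 2 else data.decode("ascii", "replace")
        lines.append(f"  {name} ({code}): {shown}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(TUNNEL_DATA))                       # encoding: radius (the broken supplicant)
    print(describe(radius_to_diameter(TUNNEL_DATA)))   # encoding: diameter (what TTLS expects)
```

Run as a script it prints the dump decoded as RADIUS attributes (User-Name, User-Password, Called-Station-Id) and then the same attributes re-encoded as AVPs; fed a capture from a conforming supplicant, `classify_tunnel_data` returns "diameter" on the first try.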


Re: Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]

2008-02-13 Thread David W Bell

Ranner, Frank MR wrote:

UNCLASSIFIED

  
Config as requested - I did uncomment and configure the identity 
section - is this not required?

ldap {
    #
    #  Note that this needs to match the name in the LDAP
    #  server certificate, if you're using ldaps.
    server = localhost
    identity = cn=Administrator,dc=dxi,dc=net
    password = trPic4n03
    basedn = dc=dxi,dc=net
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    #base_filter = (objectclass=radiusprofile)

    #  How many connections to keep open to the LDAP server.
    #  This saves time over opening a new LDAP socket for
    #  every authentication request.
    ldap_connections_number = 5

    # seconds to wait for LDAP query to finish. default: 20
    timeout = 4

    #  seconds LDAP server has to process the query (server-side
    #  time limit). default: 20
    #
    #  LDAP_OPT_TIMELIMIT is set to this value.
    timelimit = 3

    #
    #  seconds to wait for response of the server. (network
    #  failures) default: 10
    #
    #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
    net_timeout = 1
    tls {
        # Set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        #
        # The StartTLS operation is supposed to be
        # used with normal ldap connections instead of
        # using ldaps (port 689) connections
        start_tls = no

        # cacertfile= /path/to/cacert.pem
        # cacertdir = /path/to/ca/dir/
        # certfile  = /path/to/radius.crt
        # keyfile   = /path/to/radius.key
        # randfile  = /path/to/rnd

        #  Certificate Verification requirements.  Can be:
        #    never  (don't even bother trying)
        #    allow  (try, but don't fail if the certificate
        #            can't be verified)
        #    demand (fail if the certificate doesn't verify.)
        #
        #  The default is allow
        # require_cert  = demand
    }

    # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
    # profile_attribute = radiusProfileDn
    # access_attr = dialupAccess

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${confdir}/ldap.attrmap

    #  Set password_attribute = nspmPassword to get the
    #  user's password from a Novell eDirectory
    #  backend. This will work ONLY IF FreeRADIUS has been
    #  built with the --with-edir configure option.
    #
    # password_attribute = userPassword
}

Thanks for the tip - tried it and it didn't work

Worth a try though - so thanks

David

rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion :-.  See man unlang for details

   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=belld)
   expand: dc=dxi,dc=net - dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
 rad_check_password:  Found Auth-Type
!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good          !!!
!!! clear text password is in Cleartext-Password, and not in         !!!
!!! User-Password.                                                   !!!


Re: FR2 - proxying inner tunnel

2008-02-13 Thread A . L . M . Buxey
Hi,

 Tue Feb 12 23:45:21 2008 : Error: Warning:  Found 2 auth-types on request 
 for user '[EMAIL PROTECTED]'
 Tue Feb 12 23:45:21 2008 : Debug:   rad_check_password: Auth-Type = Accept, 
 accepting the user

whoah.  WinXP is very fussy (as should all EAP clients) about getting a proper
EAP return.  you seem to have thrown an 'Accept' straight back to the challenge
rather than let the EAP engine do its business. 

config file or startup debug output please


alan


Re: accounting - no huntgroups

2008-02-13 Thread Alan DeKok
Phil Mayers wrote:
 I've never had cause to look at it before, but I discovered today that
 accounting doesn't support huntgroups; specifically, an attempt to match
 on Huntgroup-Name in acct_users
 
 Is this expected?

  The preprocess module doesn't do huntgroups for accounting requests.
 This should be relatively easy to fix.

 How does one normally specify Acct-Type based on a
 huntgroup, if (say) the Class attribute is already being used?

  In 2.0, much of the huntgroup functionality can be done with a little
bit of magic:

 client foo {
ipaddr = 127.0.0.1
secret = x
huntgroup = foo # invent ANYTHING here! foo = bar, x = y, etc.
 }

  Then in unlang:

...
if (%{client:huntgroup} == foo) {
...
}

  i.e. you can use the configuration files to add arbitrary tags to a
client, and then check them at run time.

  Alan DeKok.


Re: accounting - no huntgroups

2008-02-13 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Woah, get that working with SQL and you have an insanely useful feature.
 Oooo, what VLANs does this NAS support? Hmm, I'll just check the client
 VLAN tags. Where is this NAS located? Hmm, I'll just check the
 arbitrarily populated location tag.

  Err... why?  You can do that already:

  if (%{sql: SELECT ... WHERE client = %{client:shortname} ...} 

  Alan DeKok.


Re: Send the Accounting to two servers

2008-02-13 Thread Alan DeKok
Ashraf Al-Basti wrote:
 Dear All,
 I'm using freeradius as a proxy radius and need to proxy the accounting
 to two different servers, can I do that?

  Yes and no.  You can proxy it to another server, *and* log to a
detail file.  You can then have it read the detail file, and proxy
that to another server.

  You may need CVS head (or 2.0.2, out this week) for that functionality
to work.

  Alan DeKok.


Re: accounting - no huntgroups

2008-02-13 Thread A . L . M . Buxey
Hi,
 Arran Cudbard-Bell wrote:
  Woah, get that working with SQL and you have an insanely useful feature.
  Oooo, what VLANs does this NAS support? Hmm, I'll just check the client
  VLAN tags. Where is this NAS located? Hmm, I'll just check the
  arbitrarily populated location tag.
 
   Err... why?  You can do that already:
 
   if (%{sql: SELECT ... WHERE client = %{client:shortname} ...} 

yep - but I think the default schema for clients didn't have these
extra features added. At least someone mentioned synchronising them
recently.

more importantly for other people - do these attributes get passed
through the message structure for PERL and Python?


alan


Re: multiple NAS's and Mysql

2008-02-13 Thread Wayne Lee
Perhaps you mis-read my post,

I have read the SQL howto (and the FAQ and Wiki) before posting to the
list, and the server is currently working fine using SQL. I just
did not understand how to reply to different NASs with different
info. Like I said, my SQL foo is rubbish.


I guess what I'm really after is some pointers on what the SQL queries
would look like or do I not need to edit the queries in sql.conf?

I'll upgrade to the latest version and therefore get the included updated docs.

Wayne


On Feb 12, 2008 7:19 PM,  [EMAIL PROTECTED] wrote:
 hi,

 a single FreeRADIUS server can do this. simply put each range
 of NASs into different groups and then use the group and
 groupreply tables in the SQL to do your return code work.

 if you can't google for SQL howto freeradius then

 http://wiki.freeradius.org/SQL_HOWTO#Configuring_FreeRadius_to_use_SQL


 if that document does help you enough, then please post
 to the list with its weaknesses so that it may be strengthened

 that HOWTO link is posted each week on this list. how can we
 make it more obvious? (open question to others who struggle
 with the SQL and FreeRADIUS)

 alan



eap authentication and cpu utilization

2008-02-13 Thread Norbert Wegener
Simple authentication with login/password can be handled in large 
numbers with a recent CPU and freeradius.

EAP authentication, on the other hand, requires a great amount of CPU 
processing.

Therefore I have a simple(?) question:
Did someone already calculate the theoretical maximum number of EAP 
authentications per second that a recent x86 CPU is able to handle?

Or did someone do some practical research on that issue?

Norbert Wegener




Could not link driver rlm_sql_mysql

2008-02-13 Thread johnson elangbam
Hi Alan,
Thanks for helping me in configuring my freeradius with mysql.
I've uncommented the sql in the file
/usr/local/etc/raddb/sites-enabled/default . And now I've seen message
trying to communicate with mysql. But still there is a problem of not
getting the mysql driver. I am using MySql 4.1.2. Please suggest to work
out. Here is the piece of output emphasizing the errors.

rlm_sql (sql): Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot
open shared object file: No such file or directory
rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the
search path of your system's ld.
/usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module sql
/usr/local/etc/raddb/sites-enabled/default[123]: Failed to find module
sql.
/usr/local/etc/raddb/sites-enabled/default[33]: Errors parsing authorize
section.

With Regards,
Elangbam Johnson

checkval - Calling-Station-Id

2008-02-13 Thread Rob Wroblewski
Hi
I use freeradius 1.1.7 (PLD Linux distribution).
In the default configuration freeradius works OK, but I have a problem
checking Calling-Station-Id - for client MAC address validation.
My user file contains:

Waldi   User-Password == 12345,

It's working. It also works when I add ip verification:
Waldi   User-Password == 12345, Client-IP-Address == 192.168.1.10

But after adding mac verification always got Access-Reject
Waldi   User-Password == 12345, Client-IP-Address ==
192.168.1.10, Calling-Station-Id == 

 - client MAC address.

For test I use NTRadPing Test Utility 1.5.
In radiusd.conf:

checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
notfound-reject = yes
}
What is wrong, or what did I forget?


help.. MD5 with PAP

2008-02-13 Thread coşkun
Hi, 
I have configured freeradius 2.0.0 EAP-ttls and
configured a mysql db to store the users. 
It was working fine until I recently decided to
convert the database-stored passwords to md5
encryption. Since then, I am getting the below output,
despite all my efforts. I tried all the things I could
find on the internet with no result. Can anybody help?

(I am a beginner with the freeradius server, so it may be
very simple, though.)

Kind regards, 

I have 
authenticate {
Auth-Type PAP {
pap
}

Auth-Type md5 {
pap
}

in the authenticate section, and

pap {
encryption_scheme = md5 
authtype = md5 
auto_header =  yes
}
in the modules/radiusd.conf file.

I have the following in my mysql - radcheck
definition. 
+----+----------+----------------+----+----------------------------------+----------+
| id | username | attribute      | op | value                            | operator |
+----+----------+----------------+----+----------------------------------+----------+
| 90 | t1       | Crypt-Password | := | 83f1535f99ab0bf4e9d02dfd85d3e3f7 | cengiz   |
and the following in radgroupcheck table. 
+----+-----------+--------------+----+-------------+
| id | groupname | attribute    | op | value       |
+----+-----------+--------------+----+-------------+
|  1 | dynamic   | Auth-Type    | := | MD5         |
|  2 | dynamic   | Service-Type | == | Framed-User |
+----+-----------+--------------+----+-------------+


radiusd -X 
radtest t1 t1 10.1.1.170 0 testing123

rad_recv: Access-Request packet from host 10.1.1.170
port 32878, id=131, length=54
User-Name = t1
User-Password = t1
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-
/usr/local/var/log/radius/radacct/10.1.1.170/auth-detail-20080213
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/10.1.1.170/auth-detail-20080213
expand: %t - Wed Feb 13 13:36:39 2008
++[auth_log] returns ok
rlm_realm: No '@' in User-Name = t1, looking up
realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
expand: %{User-Name} - t1
rlm_sql (sql): sql_set_user escaped user -- 't1'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value,
op   FROM radcheck   WHERE username =
'%{SQL-User-Name}'   ORDER BY id - SELECT id,
username, attribute, value, op   FROM radcheck
  WHERE username = 't1'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value,
op   FROM radreply   WHERE username =
'%{SQL-User-Name}'   ORDER BY id - SELECT id,
username, attribute, value, op   FROM radreply
  WHERE username = 't1'   ORDER BY id
expand: SELECT groupname   FROM
radusergroup   WHERE username =
'%{SQL-User-Name}'   ORDER BY priority -
SELECT groupname   FROM radusergroup  
WHERE username = 't1'   ORDER BY priority
expand: SELECT id, groupname, attribute,  
Value, op   FROM radgroupcheck  
WHERE groupname = '%{Sql-Group}'   ORDER BY id
- SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE
groupname = 'dynamic'   ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type 
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password t1
rlm_pap: No password configured for the user.  Cannot
do authentication
++[pap] returns fail
auth: Failed to validate the user.
Login incorrect: [t1/t1] (from client
testUserShortName port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - t1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds. 
Sending delayed reject for request 0
Sending Access-Reject of id 131 to 10.1.1.170 port
32878
Waking up in 4.9 seconds. 
Cleaning up request 0 ID 131 with timestamp +2
Ready to process requests.





  

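A small audit of the "known good" password check items, as an added example (not code from this thread or from FreeRADIUS). It covers two messages in this digest: the rlm_pap warning in David Bell's OpenLDAP message (User-Password versus Cleartext-Password) and the Crypt-Password row in the radcheck table above. The header-to-attribute map mirrors what `auto_header = yes` does for values such as `{crypt}...`, and the format rules are this example's own summary of what each attribute is meant to carry; both are assumptions, not rlm_pap's code. The sample items are constructed from values quoted in the digest.

```python
import base64
import hashlib
import hmac
import re

# Header prefixes that "auto_header = yes" (quoted in this thread's pap configs)
# maps onto attribute names.  This map is the example's own assumption, not
# rlm_pap's code.
HEADER_TO_ATTR = {
    "clear": "Cleartext-Password", "cleartext": "Cleartext-Password",
    "crypt": "Crypt-Password", "md5": "MD5-Password", "smd5": "SMD5-Password",
    "sha": "SHA-Password", "ssha": "SSHA-Password", "nt": "NT-Password",
}
HEX_MD5 = re.compile(r"^[0-9a-f]{32}$", re.I)
# crypt(3) output is either modular "$id$salt$hash" or 13-character traditional DES.
CRYPT3 = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")


def split_header(value):
    """"{crypt}e/2i..." -> ("Crypt-Password", "e/2i..."); a bare value is cleartext."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value)
    if m is None:
        return "Cleartext-Password", value
    attr = HEADER_TO_ATTR.get(m.group(1).lower())
    if attr is None:
        raise ValueError(f"unknown password header {{{m.group(1)}}}")
    return attr, m.group(2)


def check_known_good(attr, value):
    """Classify one check item: "ok" when a PAP request could be verified
    against it, otherwise a short reason."""
    if attr == "Cleartext-Password":
        return "ok"
    if attr == "User-Password":
        # User-Password is what the request carries; the warning quoted in the
        # OpenLDAP message asks for the known-good value in Cleartext-Password.
        return "wrong-attribute: store the known-good password in Cleartext-Password"
    if attr == "Crypt-Password":
        if CRYPT3.match(value):
            return "ok"
        return "wrong-format: Crypt-Password must hold crypt(3) output, not a raw digest"
    if attr == "MD5-Password":
        if HEX_MD5.match(value):
            return "ok"
        try:
            if len(base64.b64decode(value, validate=True)) == 16:
                return "ok"
        except ValueError:
            pass
        return "wrong-format: MD5-Password must be a 16-byte digest, hex or base64"
    return f"unsupported-attribute: {attr}"


def verify_pap(attr, value, candidate):
    """Constant-time comparison of a PAP candidate against a Cleartext-Password
    or MD5-Password item.  crypt(3) items need the platform crypt library and
    are reported as not verifiable here."""
    if check_known_good(attr, value) != "ok":
        return False
    if attr == "Cleartext-Password":
        return hmac.compare_digest(value.encode(), candidate.encode())
    if attr == "MD5-Password":
        stored = bytes.fromhex(value) if HEX_MD5.match(value) else base64.b64decode(value)
        return hmac.compare_digest(hashlib.md5(candidate.encode()).digest(), stored)
    return False


def md5_hex(password):
    """Hex MD5 digest in the form MD5-Password accepts (helper for the demo)."""
    return hashlib.md5(password.encode()).hexdigest()


def audit(items):
    """Apply header splitting to User-Password values, then classify each item."""
    report = []
    for attr, value in items:
        if attr == "User-Password" and value.startswith("{"):
            attr, value = split_header(value)
        report.append((attr, check_known_good(attr, value)))
    return report


# Constructed from check items quoted in this digest: the rlm_ldap line in the
# OpenLDAP message, the radcheck row above, and the users entry in the
# checkval message.
SAMPLE_ITEMS = [
    ("User-Password", "{crypt}e/2iGeomYrGLo"),
    ("Crypt-Password", "83f1535f99ab0bf4e9d02dfd85d3e3f7"),
    ("User-Password", "12345"),
]

if __name__ == "__main__":
    for attr, verdict in audit(SAMPLE_ITEMS):
        print(f"{attr:20} {verdict}")
```

Run as a script, the `{crypt}` value passes once its header is mapped to Crypt-Password, the 32-character hex digest is rejected as Crypt-Password (it is not crypt(3) output) while the same string is accepted as MD5-Password, and a plain User-Password check item is flagged the way the 2.x warning does.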

RE: MLPPP - Maybe off topic

2008-02-13 Thread Tony Spencer
I've followed the Cisco docs as much as possible, and believe I have done all
that is required.
My Cisco config now has the following:


aaa new-model
!
!
aaa authentication ppp default group radius
aaa authorization network default group radius if-authenticated
aaa accounting delay-start
aaa accounting delay-start vrf default
aaa accounting update periodic 60
aaa accounting network default start-stop group radius
!
aaa nas port extended



radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key 7 xx
radius-server vsa send authentication
###


Which are the parts it says to add.

The radius profile for the user now has:



Cisco-AVPair += preauth:ppp-multilink=1


Added.

But the user just gets logged in twice like so:


  Vi2.519  [EMAIL PROTECTED] PPPoVPDN -10.0.0.88
  Vi2.1560 [EMAIL PROTECTED] PPPoVPDN -10.0.0.88


With the same static IP, this is the IP address that is assigned to the user
anyway.

I would expect to see something like:

###
  Vi2.519  [EMAIL PROTECTED] PPPoVPDN 00:00:07
  Vi2.1560 [EMAIL PROTECTED] MLP Bundle   00:00:13 10.0.0.88
###

We are using a Cisco 7304 as our NAS running IOS version 12.2(28)SB9 and
Freeradius version 2.0.1 with a MySQL backend.

If anyone has any suggestions or has this working I would appreciate any
help.

Here is some debug from the Cisco, debugging radius authentication when the
user logged in.

#


*Feb 13 11:36:24.610 GMT: RADIUS/ENCODE: Best Local IP-Address 192.168.1.88
for Radius-Server 192.168.1.1
*Feb 13 11:36:24.610 GMT: RADIUS(00113478): Send Access-Request to
192.168.1.1:1645 id 1645/210, len 127
*Feb 13 11:36:24.610 GMT: RADIUS:  authenticator 74 BF BC 30 CC 6A 29 01 -
30 74 A1 B8 EA E4 77 DF
*Feb 13 11:36:24.610 GMT: RADIUS:  Framed-Protocol [7]   6   PPP
[1]
*Feb 13 11:36:24.610 GMT: RADIUS:  User-Name   [1]   31
[EMAIL PROTECTED] 
*Feb 13 11:36:24.610 GMT: RADIUS:  CHAP-Password   [3]   19  *
*Feb 13 11:36:24.610 GMT: RADIUS:  NAS-Port-Type   [61]  6   Virtual
[5]
*Feb 13 11:36:24.610 GMT: RADIUS:  NAS-Port[5]   6   2440
*Feb 13 11:36:24.610 GMT: RADIUS:  NAS-Port-Id [87]  18
Uniq-Sess-ID2440
*Feb 13 11:36:24.610 GMT: RADIUS:  Connect-Info[77]  9   8083000
*Feb 13 11:36:24.610 GMT: RADIUS:  Service-Type[6]   6   Framed
[2]
*Feb 13 11:36:24.610 GMT: RADIUS:  NAS-IP-Address  [4]   6
192.168.1.88
*Feb 13 11:36:24.614 GMT: RADIUS: Received from id 1645/210
192.168.1.1:1645, Access-Accept, len 142
*Feb 13 11:36:24.614 GMT: RADIUS:  authenticator 22 AC 91 C8 A6 99 E6 01 -
55 C1 6C E6 7E DF 0F 6A
*Feb 13 11:36:24.614 GMT: RADIUS:  Framed-IP-Address   [8]   6   10.0.0.88
*Feb 13 11:36:24.614 GMT: RADIUS:  Framed-IP-Netmask   [9]   6
255.255.255.255
*Feb 13 11:36:24.614 GMT: RADIUS:  Vendor, Cisco   [26]  61
*Feb 13 11:36:24.618 GMT: RADIUS:   Cisco AVpair   [1]   55  ip:route=
192.168.3.0 255.255.255.248 10.0.0.88
*Feb 13 11:36:24.618 GMT: RADIUS:  Acct-Interim-Interva[85]  6   7200
*Feb 13 11:36:24.618 GMT: RADIUS:  Vendor, Cisco   [26]  31
*Feb 13 11:36:24.618 GMT: RADIUS:   Cisco AVpair   [1]   25
preauth:ppp-multilink=1
*Feb 13 11:36:24.618 GMT: RADIUS:  Service-Type[6]   6   Framed
[2]
*Feb 13 11:36:24.618 GMT: RADIUS:  Framed-Protocol [7]   6   PPP
[1]
*Feb 13 11:36:24.618 GMT: RADIUS(00113478): Received from id 1645/210
###


Thanks in advance

Tony


  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 09 February 2008 07:44
To: FreeRadius users mailing list
Subject: Re: MLPPP - Maybe off topic

Tony Spencer wrote:
 We are trying to bond 2 DSL lines for a customer who has 2 phone lines
 and 2 DSL circuits in his office.

  You may also need to set the standard RADIUS attributes for doing
multilink.  See the Cisco docs for more information.

  Alan DeKok.

 



Re: accounting - no huntgroups

2008-02-13 Thread Arran Cudbard-Bell

Alan DeKok wrote:

Arran Cudbard-Bell wrote:
  

Woah, get that working with SQL and you have an insanely useful feature.
Oooo, what VLANs does this NAS support? Hmm, I'll just check the client
VLAN tags. Where is this NAS located? Hmm, I'll just check the
arbitrarily populated location tag.



  Err... why?  You can do that already:

  if (%{sql: SELECT ... WHERE client = %{client:shortname} ...} 

  Alan DeKok.
  

Yeah ... I know.

It's just with static information, you don't really want to be querying 
the database again and again for each query. Lodging the information 
against the client is far more efficient, especially with VLAN 
information which isn't going to be changing regularly.


--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



radiusd dying

2008-02-13 Thread Frank Winkler

Hi there !

After 1.1.7 had been running for about a month without any problems, 
radiusd has now died silently or completely stuck (it has to be kill 
-9ed) a couple of times. In either case, I get no logs about what's wrong.


My platform is Solaris 10/x64 with quite current patches. Are there any 
known issues?


TIA

fw


Re: I can't get 'access-accept' from Linux clients (SOLVED)

2008-02-13 Thread Sergio Belkin
2008/1/10, [EMAIL PROTECTED] [EMAIL PROTECTED]:
 Hi,
  Hi,
  I still can't figure out why I can't access from Linux clients.
  I use version 1.1.7 of freeradius. Linux client is a Fedora 8 system.

 what is the linux client config?

 i see the following in your debug

   rlm_eap: Request found, released from the list
   rlm_eap: EAP/md5
   rlm_eap: processing type md5
 rlm_eap_md5: User-Password is required for EAP-MD5 authentication
  rlm_eap: Handler failed in EAP/md5
   rlm_eap: Failed in EAP select
   modcall[authenticate]: module eap returns invalid for request 84
 modcall: leaving group authenticate (returns invalid) for request 84
 auth: Failed to validate the user.


 I would also advise that you upgrade to 2.0.0 - not only could this
 issue be resolved anyway - it's a hell of a lot easier to debug - far
 fewer EAP messages!

 alan


Well, finally I get the blessed Access-Accept for Linux clients too.
How did I do that? Well, I upgraded to radius 2.0.1.

Maybe my settings could be helpful for many people; well, I won't
hide them as an alchemy secret ;)

radiusd.conf

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = xxx.qq.yyy.pp
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        pap {
                auto_header = yes
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        $INCLUDE ${confdir}/eap.conf
        mschap {
                use_mppe = no
                require_encryption = yes
        }
        ldap {
                server = ldap.cadorna.biz
                port = 636
                identity = cn=freeradius,ou=applications,dc=cadorna,dc=biz
                password = sambombas
                basedn = ou=people,dc=palermo,dc=edu
                filter = (uid=%{Stripped-User-Name:-%{User-Name}})
                ldap_debug = 0x0028
                tls_cacertfile = /etc/raddb/cacert.pem
                tls_randfile = /dev/urandom
                tls_require_cert = allow
                access_attr = radiusAllowed
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = userPassword
                edir_account_policy_check = no
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
        realm IPASS {
                format = prefix
                delimiter = /
                ignore_default = no
                ignore_null = no
        }
        realm suffix {
                format = suffix
                delimiter = @
                ignore_default = no
                ignore_null = no
        }
        realm realmpercent {
                format = suffix
                delimiter = %
                ignore_default = no
                ignore_null = no
        }
        realm ntdomain {
                format = prefix
                delimiter = \\
                ignore_default = no
                ignore_null = no
        }
        checkval {
                item-name = Calling-Station-Id
                check-name = Calling-Station-Id
                data-type = string
        }

        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }
        detail {
                detailfile =

Re: Could not link driver rlm_sql_mysql

2008-02-13 Thread Alan DeKok
johnson elangbam wrote:
 rlm_sql (sql): Could not link driver rlm_sql_mysql: rlm_sql_mysql.so:
 cannot open shared object file: No such file or directory
 rlm_sql (sql): Make sure it (and all its dependent libraries!) are in
 the search path of your system's ld.

  Read the FAQ.

  Alan DeKok.


Re: Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]

2008-02-13 Thread David W Bell

David W Bell wrote:

Ranner, Frank MR wrote:

UNCLASSIFIED

 
Config as requested - I did uncomment and configure the identity 
section

- is this not required?

ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = localhost
        identity = cn=Administrator,dc=dxi,dc=net
        password = trPic4n03
        basedn = dc=dxi,dc=net
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        #base_filter = (objectclass=radiusprofile)

        #  How many connections to keep open to the LDAP server.
        #  This saves time over opening a new LDAP socket for
        #  every authentication request.
        ldap_connections_number = 5

        # seconds to wait for LDAP query to finish. default: 20
        timeout = 4

        #  seconds LDAP server has to process the query (server-side
        #  time limit). default: 20
        #
        #  LDAP_OPT_TIMELIMIT is set to this value.
        timelimit = 3

        #
        #  seconds to wait for response of the server. (network
        #   failures) default: 10
        #
        #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
        net_timeout = 1
        tls {
                # Set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                #
                # The StartTLS operation is supposed to be
                # used with normal ldap connections instead of
                # using ldaps (port 636) connections
                start_tls = no

                # cacertfile    = /path/to/cacert.pem
                # cacertdir     = /path/to/ca/dir/
                # certfile      = /path/to/radius.crt
                # keyfile       = /path/to/radius.key
                # randfile      = /path/to/rnd

                #  Certificate Verification requirements.  Can be:
                #    never  (don't even bother trying)
                #    allow  (try, but don't fail if the certificate
                #            can't be verified)
                #    demand (fail if the certificate doesn't verify.)
                #
                #   The default is allow
                # require_cert  = demand
        }

        # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
        # profile_attribute = radiusProfileDn
        # access_attr = dialupAccess

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${confdir}/ldap.attrmap

        #  Set password_attribute = nspmPassword to get the
        #  user's password from a Novell eDirectory
        #  backend. This will work ONLY IF FreeRADIUS has been
        #  built with the --with-edir configure option.
        #
        # password_attribute = userPassword


Thanks for the tip - tried it and it didnt work

Worth a try tho - so thanks

David

rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion :-.  See man unlang for details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
        expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!

Re: eap authentication and cpu utilization

2008-02-13 Thread Alan DeKok
Norbert Wegener wrote:
 Simple authentication with login/password can be handled in large
 numbers with a recent cpu and freeradius.
 EAP authentication on the other hand requires a great amount of cpu
 processing.

  It's all in the SSL rsa keying setup.

 Therefore I have a simple(?) question:
 Did someone already calculate the theoretical maximum number of eap
 authentications per second that a recent x86 cpu is able to handle?

$ openssl speed

  Or

$ openssl speed rsa

http://www.madboa.com/geek/openssl/#benchmark-speed

  For 2048 bit rsa keys, the web page gives 77 signs/s for a 2GHz Intel
Core 2.  My 1GHz laptop gives around 20/s.

  That number becomes the limiting factor for any TLS-based EAP method.
 It doesn't matter if the rest of the server can handle 5k PAP
requests/s.  If it can only do 77 rsa signings/s, that is the maximum
number of EAP-TLS/TTLS/PEAP sessions that it can do.

  Alan DeKok.


Re: I can't get 'access-accept' from Linux clients (SOLVED)

2008-02-13 Thread Sergio Belkin
Oops, because of the emotion I pasted old config files. Well, here are
the fresh files:

prefix = /usr/local2
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = ${raddbdir}
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
        ipaddr = zzz.zz.zz.zzz
        port = 0
        type = auth
}
listen {
        ipaddr = zzz.zz.zz.zzz
        port = 0
        type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
        destination = files
        syslog_facility = daemon
        file = ${logdir}/radius.log
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
snmp = no
$INCLUDE snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        pap {
                auto_header = yes
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                radwtmp = ${logdir}/radwtmp
        }
        $INCLUDE eap.conf
        mschap {
        }
        ldap {
                server = ldap.cadorna.biz
                port = 636
                identity = cn=freeradius,ou=applications,dc=cadorna,dc=biz
                password = sambombas
                basedn = ou=people,dc=cadorna,dc=biz
                filter = (uid=%{Stripped-User-Name:-%{User-Name}})
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
                tls {
                        start_tls = no
                        cacertfile = /etc/raddb2/cacert.pem
                        randfile = /dev/urandom
                        require_cert = allow
                }
                access_attr = radiusAllowed
                dictionary_mapping = ${confdir}/ldap.attrmap
                edir_account_policy_check = no
        }
        realm IPASS {
                format = prefix
                delimiter = /
        }
        realm suffix {
                format = suffix
                delimiter = @
        }
        realm realmpercent {
                format = suffix
                delimiter = %
        }
        realm ntdomain {
                format = prefix
                delimiter = \\
        }
        checkval {
                item-name = Calling-Station-Id
                check-name = Calling-Station-Id
                data-type = string
        }

        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
                header = %t
        }
        acct_unique {
                key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
        }
        $INCLUDE sql.conf

        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = yes
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = no
        }
        attr_filter attr_filter.post-proxy {
                attrsfile = ${confdir}/attrs
        }
        attr_filter attr_filter.pre-proxy {
                attrsfile = ${confdir}/attrs.pre-proxy
        }
        attr_filter attr_filter.access_reject {
                key = %{User-Name}
                attrsfile = ${confdir}/attrs.access_reject
        }
        attr_filter attr_filter.accounting_response {
                key = %{User-Name}
                attrsfile = ${confdir}/attrs.accounting_response
        }
        counter daily {
                filename = ${db_dir}/db.daily
                key

Re: radiusd dying

2008-02-13 Thread Alan DeKok
Frank Winkler wrote:
 After 1.1.7 had been running for about a month without any problems,
 radiusd has now died silently or completely stuck (it has to be kill
 -9ed) a couple of times. In either case, I get no logs about what's wrong.
 
 My platform is Solaris 10/x64 with quite current patches. Are there any
 known issues?

  No idea.  Try grabbing CVS of branch_1_1:

$ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r branch_1_1 radiusd

  and in the checkout:

$ cvs diff -u -r release_1_1_7 -r branch_1_1

  There are a number of fixes post 1.1.7 which may help.

  These may be rolled into a 1.1.8 at some point, but it's a very low
priority.

  Alan DeKok.


Re: EAP-TTLS/PAP tunneling issue

2008-02-13 Thread Alan DeKok
Edwin van Zyl wrote:
 I've been simulating the traffic with JRadiusSimulator and used the
 EAP-TTLS/PAP option.

  It *should* be working...

 Is there any other simulator you know of which I
 can use to simulate EAP-TTLS/(PAP and MS-CHAPv1)? I appreciate your help.

  eapol_test, which is part of wpa_supplicant.

  Alan DeKok.


Re: I can't get 'access-accept' from Linux clients

2008-02-13 Thread Sergio Belkin
2008/1/11, Arran Cudbard-Bell [EMAIL PROTECTED]:
 [EMAIL PROTECTED] wrote:
  Store cleartext passwords and all eap types will work. Real problem is
  the encrypted password not the eap type.
 
  Ivan Kalik
  Kalik Informatika ISP
 

 
  Dana 11/1/2008, Sergio Belkin [EMAIL PROTECTED] piše:
 
 
  2008/1/10, Ivan Kalik [EMAIL PROTECTED]:
 
  ...
 
  rlm_ldap: Added password
 
  {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
  ...
 
  rlm_eap_md5: User-Password is required for EAP-MD5 authentication
 
  ...
 
  You can't use encrypted passwords with EAP-MD5.
 
  http://deployingradius.com/documents/protocols/compatibility.html
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
  Thanks Ivan! So what default eap type should I use in mixed
  environment (I mean: Linux and Windows Clientes)?
 
 EAP-TTLS with PAP inner encryption.

 Though you'd need to use SecureW2 or the Open SEA supplicant for the
 windows side.

 Otherwise you'd need NT-Hashes for MSChap based methods, or the password
 stored in the clear.

Sorry for the stupid and moronic question, but how should I do that? Of
course I'm not asking you to tell me the step-by-step, only a clue
to follow...

thanks in advance





  TIA
 
 


 --
 Arran Cudbard-Bell ([EMAIL PROTECTED])


-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -



Re: EAP-TTLS/PAP tunneling issue

2008-02-13 Thread Edwin van Zyl
I've been simulating the traffic with JRadiusSimulator and used the  
EAP-TTLS/PAP option. Is there any other simulator you know of which I  
can use to simulate EAP-TTLS/(PAP and MS-CHAPv1)? I appreciate your  
help.


On 13 Feb 2008, at 12:20 PM, Alan DeKok wrote:


Edwin van Zyl wrote:

That worked. thx.

...
Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap_ttls: Session  
established.

Proceeding to decode tunneled attributes.
  TTLS tunnel data in 0000: 01 0d 65 64 77 69 6e 76 61 6e 7a 79 6c 02 09 74
  TTLS tunnel data in 0010: 65 73 74 69 6e 67 1e 0a 69 6e 74 65 72 6e 65 74


 The supplicant is sending data inside the TTLS tunnel packed as
*RADIUS* attributes.  That's wrong.  The attributes are supposed to be
packed in the *Diameter* AVP format.

 Whatever supplicant you're using is broken, and WILL NOT work with
*any* RADIUS server supporting TTLS.

 Alan DeKok.




Re: accounting - no huntgroups

2008-02-13 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 yep - but I think the default schema for clients didn't have these
 extra features added. At least someone mentioned synchronising them
 recently
 
 more importantly for other people - do these attributes get passed
 through the message structure for PERL and Python?

  Nope.  They're only in the configuration file, and only available via
the run-time expansion.

  But you *can* do:

update request {
        Client-Foo = %{client:foo}
}

  Which is good enough for most purposes.

  Alan DeKok.


Re: help.. MD5 with PAP

2008-02-13 Thread Alan DeKok
cengiz coşkun wrote:
 Hi, 
 I have configured freeradius 2.0.0 EAP-ttls and
 configured a mysql db to store the users. 
 It was working fine until I recently decided to
 convert the database-stored passwords to md5
 encryption.

  Store the passwords as MD5-Password.  See man rlm_pap.

  You do NOT need to edit anything in the default configuration.

   Auth-Type md5 {
   pap

  This is not necessary.  Delete it.

   pap {
 encryption_scheme = md5 
 authtype = md5 
   auto_header =  yes

  Did you even read the comments in radiusd.conf for the pap module?
The encryption_scheme should *not* be used in 2.0, and it is *not*
documented as a working configuration.

 +----+----------+----------------+----+----------------------------------+
 | 90 | t1       | Crypt-Password | := | 83f1535f99ab0bf4e9d02dfd85d3e3f7 | cengiz

  Read man rlm_pap.  Really, it explains almost everything...

 and the following in radgroupcheck table. 
 +----+-----------+-----------+----+-------+
 | id | groupname | attribute | op | value |
 +----+-----------+-----------+----+-------+
 |  1 | dynamic   | Auth-Type | := | MD5   |

  Delete that entry.  It's wrong.

  Alan DeKok.
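The storage-format point made across these threads (Ivan's "You can't use encrypted passwords with EAP-MD5", Arran's "NT-Hashes for MSChap based methods, or the password stored in the clear", and Alan's "Store the passwords as MD5-Password"), as an added Python example that is not FreeRADIUS code: it models how a PAP password is checked against the stored formats named here, and which authentication methods each format can serve. The header-to-attribute table, the verifier and the compatibility table are this example's own (attribute names follow FreeRADIUS); the sample users are constructed. crypt(3) values are recognised but not verified, because Python 3.13 dropped the crypt module.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Added example, not FreeRADIUS code: a model of how a PAP password is
# checked against the "known good" password attributes named in this
# thread, and which authentication methods each stored format can serve.
# Attribute names follow FreeRADIUS; the logic is this example's own.

# LDAP-style header prefixes -> password attribute.  rlm_pap's auto_header
# option does a similar split; this table is the example's own.
HEADERS = {
    "{clear}": "Cleartext-Password",
    "{cleartext}": "Cleartext-Password",
    "{md5}": "MD5-Password",
    "{sha}": "SHA-Password",
    "{ssha}": "SSHA-Password",
    "{crypt}": "Crypt-Password",
}

def split_header(value):
    """'{ssha}abc...' -> ('SSHA-Password', 'abc...'); no header -> cleartext."""
    if value.startswith("{") and "}" in value:
        head, rest = value.split("}", 1)
        attr = HEADERS.get(head.lower() + "}")
        if attr:
            return attr, rest
    return "Cleartext-Password", value

def _digest_bytes(value, digest_len):
    """Stored digests may be hex (2*digest_len chars) or base64."""
    if len(value) == 2 * digest_len:
        try:
            return binascii.unhexlify(value)
        except binascii.Error:
            pass
    return base64.b64decode(value)

def verify_pap(stored, supplied):
    """Check a cleartext (PAP) password against a stored value with header.

    Only hashes a plain hashlib can check are handled; crypt(3) values are
    left out because Python 3.13 dropped the crypt module."""
    attr, value = split_header(stored)
    pw = supplied.encode()
    if attr == "Cleartext-Password":
        return hmac.compare_digest(value.encode(), pw)
    if attr == "MD5-Password":
        return hmac.compare_digest(_digest_bytes(value, 16), hashlib.md5(pw).digest())
    if attr == "SHA-Password":
        return hmac.compare_digest(_digest_bytes(value, 20), hashlib.sha1(pw).digest())
    if attr == "SSHA-Password":
        raw = base64.b64decode(value)            # sha1(pw || salt) || salt
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError(f"no verifier for {attr} in this example")

def make_ssha(password, salt=None):
    """Produce an LDAP-style {ssha} value: base64(sha1(pw || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{ssha}" + base64.b64encode(digest + salt).decode()

# Which stored formats each method can be verified against.  CHAP and
# EAP-MD5 compute MD5(id || cleartext || challenge) on the client, so the
# server needs the cleartext; MS-CHAP needs the NT hash (or the cleartext
# to make one); PAP, tunnelled in TTLS or not, delivers the cleartext, so
# any one-way hash works.
_ANY = frozenset({"Cleartext-Password", "MD5-Password", "SHA-Password",
                  "SSHA-Password", "Crypt-Password", "NT-Password"})
COMPATIBLE = {
    "PAP": _ANY,
    "EAP-TTLS/PAP": _ANY,
    "CHAP": frozenset({"Cleartext-Password"}),
    "EAP-MD5": frozenset({"Cleartext-Password"}),
    "MS-CHAP": frozenset({"Cleartext-Password", "NT-Password"}),
    "PEAP/MS-CHAPv2": frozenset({"Cleartext-Password", "NT-Password"}),
}

def can_authenticate(method, stored):
    """True if `method` can be verified against the stored value's format."""
    return split_header(stored)[0] in COMPATIBLE[method]

def usable_methods(stored):
    return sorted(m for m in COMPATIBLE if can_authenticate(m, stored))

if __name__ == "__main__":
    users = {  # constructed entries, not from any real directory
        "pepino": "{md5}X03MO1qnZdYdgyfeuILPmQ==",
        "belld": make_ssha("correct horse"),
        "t1": "cleartext-secret",
    }
    for user, stored in users.items():
        print(user, split_header(stored)[0], "usable with:", ", ".join(usable_methods(stored)))
    print("pepino/PAP 'password' accepted:", verify_pap(users["pepino"], "password"))
```

Run it and the {md5} and {ssha} users come out usable with PAP and EAP-TTLS/PAP only, which is the situation described in the thread: a hashed directory password works once the cleartext arrives inside the TTLS tunnel, and nothing else can be made to work without storing the cleartext (or the NT hash for the MS-CHAP family).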


rlm_ippool error problem

2008-02-13 Thread Asaad

Dear All:

rlm_ippool returns duplicate IP addresses.

In the past I used Version 1.0.5, so I thought that it might be a bug in that
version,

so I installed Version 2.0.1 and the problem still appears,

but in the latest version the problem always appears with specific IPs, for example

x.x.117.63, x.x.119.162

After a lot of debugging I suspect the pool definition, which starts not from 1,
and the mask:

  ippool nonsub_pool {
        range-start = x.x.116.177
        range-stop = x.x.119.254
        netmask = 255.255.252.0
        cache-size = 833
        session-db = ${raddbdir}/dbnon.ippool
        ip-index = ${raddbdir}/dbnon.ipindex
        override = no
  }



Any idea or hint, please?

Thanks



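An added check for the pool definition posted above (this is example code, not rlm_ippool's own): it counts the addresses between range-start and range-stop, confirms the range lies inside the subnet the netmask describes, flags a network or broadcast address that falls inside the range, and compares the count with cache-size. The first two octets are elided as x.x in the post; 10.0 is a placeholder. The thread does not establish why duplicates appear, so the check only surfaces the numbers: the posted range holds 846 addresses against a cache-size of 833.

```python
import ipaddress

# Added example, not rlm_ippool's code: sanity-check an ippool definition.
# The post elides the first two octets as "x.x"; 10.0 is a placeholder.
POSTED_POOL = {"range-start": "10.0.116.177", "range-stop": "10.0.119.254",
               "netmask": "255.255.252.0", "cache-size": 833}

def pool_addresses(range_start, range_stop):
    """Every address from range-start to range-stop inclusive."""
    start = ipaddress.IPv4Address(range_start)
    stop = ipaddress.IPv4Address(range_stop)
    if stop < start:
        raise ValueError("range-stop precedes range-start")
    return [ipaddress.IPv4Address(i) for i in range(int(start), int(stop) + 1)]

def check_pool(range_start, range_stop, netmask, cache_size):
    """Return the subnet, the address count and a list of problems found."""
    addrs = pool_addresses(range_start, range_stop)
    # strict=False: the range start is a host address, not a network address
    net = ipaddress.IPv4Network(f"{range_start}/{netmask}", strict=False)
    problems = []
    if addrs[-1] not in net:
        problems.append(f"range crosses the {net} boundary")
    for special, name in ((net.network_address, "network"),
                          (net.broadcast_address, "broadcast")):
        if special in addrs:
            problems.append(f"{special} is the {name} address of {net} "
                            "but inside the range")
    if cache_size < len(addrs):
        problems.append(f"cache-size {cache_size} is smaller than the "
                        f"{len(addrs)} addresses in the range")
    return {"subnet": str(net), "addresses": len(addrs), "problems": problems}

def check_pool_config(pool):
    """Same check, driven from a dict with the ippool keyword names."""
    return check_pool(pool["range-start"], pool["range-stop"],
                      pool["netmask"], pool["cache-size"])

if __name__ == "__main__":
    result = check_pool_config(POSTED_POOL)
    print(result["subnet"], result["addresses"], "addresses")
    for p in result["problems"]:
        print("problem:", p)
```

The two reported addresses (x.x.117.63 and x.x.119.162) are ordinary host addresses well inside the /22, so the check does not single them out; what it does report is the cache-size/range mismatch, which is worth fixing on its own before looking further.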


Re: Calling-Station-Id in pam_radius_auth

2008-02-13 Thread Alan DeKok
Stefan Winter wrote:
 Is there a way to tell pam_radius_auth to send a value in Calling-Station-Id? 

  Source code edits.

 Is there a way at all to send variables to PAM at all, to be used for setting 
 Calling-Station-Id within pam_radius_auth?

  Source code edits.

  Alan DeKok.


Re: EAP-TTLS/PAP tunneling issue

2008-02-13 Thread A . L . M . Buxey
Hi,
 I've been simulating the traffic with JRadiusSimulator and used the 
 EAP-TTLS/PAP option. Is there any other simulator you know of which I can 
 use to simulate EAP-TTLS/(PAP and MS-CHAPv1)? I appreciate your help.

wpa_supplicant is a good tool

alan


SQL Escape Chars

2008-02-13 Thread Arran Cudbard-Bell

Hi,

Am I right in thinking that most alphanumeric characters are escaped 
before being inserted into SQL databases, and that the resultant string 
is '=' followed by the ASCII value as hex?


For example, the Reply-Message 'HP Networking equipment makes me sad, 
angry and staby.' would be entered as 'HP Networking equipment makes me 
sad=2C angry and staby.'


Or is it just sensitive SQL chars that are written in this form? Is 
this going to change at some point in the future, or can I safely start 
replacing these with HTML special characters when displaying FreeRADIUS'd 
attributes...


--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900

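The escaping the question describes, as an added Python example that is not rlm_sql's code: each character outside a safe set is written as '=' followed by two upper-case hex digits of its byte value, and the reverse transform restores it for display. The safe set below is this example's assumption; compare it with the safe_characters setting of your sql module. Because quote, backslash, semicolon and '=' itself all fall outside the set, the escaped string can sit inside a quoted SQL literal without further quoting, and decoding is unambiguous; turning the decoded text into HTML is then a separate step.

```python
import html
import re

# Added example, not rlm_sql's code.  Models the escaping the question
# describes: each character outside a safe set becomes '=' followed by two
# upper-case hex digits of its byte value.  The safe set is this example's
# assumption; compare it with the safe_characters setting of your sql module.
SAFE_CHARACTERS = frozenset(
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")

def sql_escape(value):
    """Escape for insertion into a quoted SQL literal.

    Quote, backslash, semicolon and '=' itself are outside the safe set, so
    nothing in the result can terminate the literal or start a statement,
    and the result decodes unambiguously."""
    out = []
    for ch in value:
        if ch in SAFE_CHARACTERS:
            out.append(ch)
        else:
            # non-ASCII characters are escaped byte by byte (UTF-8)
            out.extend("=%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)

_ESCAPE = re.compile(r"=([0-9A-Fa-f]{2})")

def sql_unescape(value):
    """Inverse of sql_escape: rebuild the bytes, then decode as UTF-8."""
    buf = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(value):
        buf += value[pos:m.start()].encode("utf-8")
        buf.append(int(m.group(1), 16))
        pos = m.end()
    buf += value[pos:].encode("utf-8")
    return buf.decode("utf-8", errors="replace")

def for_html(stored_value):
    """Display a stored attribute in a web page: decode first, then
    HTML-escape the decoded text (two different encodings, two steps)."""
    return html.escape(sql_unescape(stored_value), quote=True)

def escaped_characters(value):
    """Which characters of value would be written in =XX form."""
    return {ch for ch in value if ch not in SAFE_CHARACTERS}

if __name__ == "__main__":
    msg = "HP Networking equipment makes me sad, angry and staby."
    print(sql_escape(msg))
    print(sql_escape("x' OR 1=1; --"))
    print(for_html(sql_escape("<script>alert(1)</script>")))
```

Note the order in for_html: undo the =XX encoding first, then HTML-escape. Doing it the other way round would leave a literal '=3C' in the page rather than an escaped '<'.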


Re: Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]

2008-02-13 Thread David W Bell

David W Bell wrote:

David W Bell wrote:

Ranner, Frank MR wrote:

UNCLASSIFIED

 
Config as requested - I did uncomment and configure the identity 
section

- is this not required?

ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = localhost
        identity = cn=Administrator,dc=dxi,dc=net
        password = trPic4n03
        basedn = dc=dxi,dc=net
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        #base_filter = (objectclass=radiusprofile)

        #  How many connections to keep open to the LDAP server.
        #  This saves time over opening a new LDAP socket for
        #  every authentication request.
        ldap_connections_number = 5

        # seconds to wait for LDAP query to finish. default: 20
        timeout = 4

        #  seconds LDAP server has to process the query (server-side
        #  time limit). default: 20
        #
        #  LDAP_OPT_TIMELIMIT is set to this value.
        timelimit = 3

        #
        #  seconds to wait for response of the server. (network
        #   failures) default: 10
        #
        #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
        net_timeout = 1
        tls {
                # Set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                #
                # The StartTLS operation is supposed to be
                # used with normal ldap connections instead of
                # using ldaps (port 636) connections
                start_tls = no

                # cacertfile    = /path/to/cacert.pem
                # cacertdir     = /path/to/ca/dir/
                # certfile      = /path/to/radius.crt
                # keyfile       = /path/to/radius.key
                # randfile      = /path/to/rnd

                #  Certificate Verification requirements.  Can be:
                #    never  (don't even bother trying)
                #    allow  (try, but don't fail if the certificate
                #            can't be verified)
                #    demand (fail if the certificate doesn't verify.)
                #
                #   The default is allow
                # require_cert  = demand
        }

        # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
        # profile_attribute = radiusProfileDn
        # access_attr = dialupAccess

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${confdir}/ldap.attrmap

        #  Set password_attribute = nspmPassword to get the
        #  user's password from a Novell eDirectory
        #  backend. This will work ONLY IF FreeRADIUS has been
        #  built with the --with-edir configure option.
        #
        # password_attribute = userPassword


Thanks for the tip - tried it and it didnt work

Worth a try tho - so thanks

David

rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion :-.  See man unlang for details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
        expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in

Re: eap authentication and cpu utilization

2008-02-13 Thread Norbert Wegener

Alan DeKok wrote:

..
$ openssl speed

  Or

$ openssl speed rsa

http://www.madboa.com/geek/openssl/#benchmark-speed

  For 2048 bit rsa keys, the web page gives 77 signs/s for a 2GHz Intel
Core 2.  My 1GHz laptop gives around 20/s.

  That number becomes the limiting factor for any TLS-based EAP method.
 It doesn't matter if the rest of the server can handle 5k PAP
requests/s.  If it can only do 77 rsa signings/s, that is the maximum
number of EAP-TLS/TTLS/PEAP sessions that it can do.
  

Fine, that openssl switch was new to me.
Do you also have experience of what percentage of that theoretical value 
can be reached in practice with a database backend on the same machine, 
where besides freeradius and the database nothing else is running?


Norbert Wegener


  Alan DeKok.
  




Acct-Authentic changing usernames

2008-02-13 Thread Phil Mayers
We're bringing a Cisco (formerly Airespace) lightweight wireless system 
online, and I'm seeing some odd things in the accounting.


Specifically, the usernames can change in the accounting packets. This 
causes the default SQL queries (at least, the ones for Postgres under 
1.1.7) to generate duplicate entries for the session, because the 
where clause includes the username.


For example, I might see this:

User-Name = unknown
NAS-Port = 29
NAS-IP-Address = 172.16.x.x
Framed-IP-Address = 192.168.x.x
NAS-Identifier = wlan-wism-1-1
Airespace-Wlan-Id = 2
Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
Acct-Authentic = Remote
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3602
Acct-Status-Type = Start
Calling-Station-Id = 00:aa:bb:cc:dd:ee
Called-Station-Id = 00:1b:d5:08:01:00

...then a few seconds later

User-Name = THEUSER
NAS-Port = 29
NAS-IP-Address = 172.16.x.x
Framed-IP-Address = 192.168.x.x
NAS-Identifier = wlan-wism-1-1
Airespace-Wlan-Id = 2
Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3602
Acct-Status-Type = Interim-Update
Acct-Input-Octets = 105078
Acct-Output-Octets = 72551
Acct-Input-Packets = 754
Acct-Output-Packets = 300
Acct-Session-Time = 74
Acct-Delay-Time = 0
Calling-Station-Id = 00:aa:bb:cc:dd:ee
Called-Station-Id = 00:1b:d5:08:01:00

If the user is on e.g. a windows XP laptop and logs out, I might finally 
see:


User-Name = host/thelaptop.domain.com
NAS-Port = 29
NAS-IP-Address = 172.16.x.x
Framed-IP-Address = 192.168.x.x
NAS-Identifier = wlan-wism-1-1
Airespace-Wlan-Id = 2
Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
Acct-Authentic = Remote
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3602
Acct-Status-Type = Stop
Acct-Input-Octets = 1852445
Acct-Output-Octets = 5401691
Acct-Input-Packets = 17608
Acct-Output-Packets = 8630
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 30517
Acct-Delay-Time = 0
Calling-Station-Id = 00:aa:bb:cc:dd:ee
Called-Station-Id = 00:1b:d5:08:01:00

It seems the NAS is having a changing view of the authentication 
username as various events take place, presumably at the EAPOL layer.


However it seems to consistently set Acct-Authentic to RADIUS for real 
usernames, and Remote for unknown or non-authenticated usernames, so 
it sort of knows this is happening.


Now the Cisco WLC (nee Airespace) is a weird bit of kit anyway; it sort 
of holds onto client sessions in case they come back shortly (not 
unusual for wireless) but I'm wondering if this behaviour is legal, sane 
or what?


I can probably fix our SQL queries, but I thought people might be 
interested; for interest, what was the original rationale behind the 
where clause in the default SQL queries:


 where username='%{SQL-User-Name}'

??
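The session split described above, replayed in an added Python/sqlite3 example that is not FreeRADIUS's schema or its accounting queries: the three accounting packets from the post, reduced to the fields used here and with the elided NAS address replaced by the placeholder 192.0.2.10, are written into an in-memory radacct table twice, once with a default-style WHERE clause that includes the username and once keyed on Acct-Session-Id plus NAS-IP-Address only, keeping the name the NAS marked with Acct-Authentic = RADIUS. The update-then-insert fallback mirrors the shape of the stock accounting queries; the columns and code are the example's own.

```python
import sqlite3

# Added example, not FreeRADIUS's radacct schema or its accounting queries:
# a compact model of "UPDATE the session row, INSERT if nothing matched",
# replayed over the accounting packets quoted in the post.  Columns and
# field names are the example's own.
NAS = "192.0.2.10"   # placeholder: the post elides the address as 172.16.x.x
SESSION = "47b3193c/00:aa:bb:cc:dd:ee/5746"

# Built from the post's three packets, reduced to the fields used here.
PACKETS = [
    {"Acct-Status-Type": "Start", "User-Name": "unknown",
     "Acct-Authentic": "Remote"},
    {"Acct-Status-Type": "Interim-Update", "User-Name": "THEUSER",
     "Acct-Authentic": "RADIUS", "Acct-Session-Time": 74,
     "Acct-Input-Octets": 105078, "Acct-Output-Octets": 72551},
    {"Acct-Status-Type": "Stop", "User-Name": "host/thelaptop.domain.com",
     "Acct-Authentic": "Remote", "Acct-Session-Time": 30517,
     "Acct-Input-Octets": 1852445, "Acct-Output-Octets": 5401691},
]

SCHEMA = """
CREATE TABLE radacct (
    radacctid        INTEGER PRIMARY KEY,
    acctsessionid    TEXT NOT NULL,
    nasipaddress     TEXT NOT NULL,
    username         TEXT NOT NULL,
    acctauthentic    TEXT,
    acctsessiontime  INTEGER,
    acctinputoctets  INTEGER,
    acctoutputoctets INTEGER,
    stopped          INTEGER NOT NULL DEFAULT 0
)"""

def replay(packets, key_on_username):
    """Write packets into a fresh in-memory radacct; return its rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    for p in packets:
        user, auth = p["User-Name"], p["Acct-Authentic"]
        stopped = 1 if p["Acct-Status-Type"] == "Stop" else 0
        counters = (p.get("Acct-Session-Time", 0), p.get("Acct-Input-Octets", 0),
                    p.get("Acct-Output-Octets", 0))
        # The WHERE clause is the whole point: with username in it, a
        # session whose User-Name changed can never find its own row.
        where = "acctsessionid = ? AND nasipaddress = ?"
        key = [SESSION, NAS]
        if key_on_username:
            where += " AND username = ?"
            key.append(user)
        cur = db.execute(
            "UPDATE radacct SET acctsessiontime = ?, acctinputoctets = ?, "
            "acctoutputoctets = ?, stopped = MAX(stopped, ?) WHERE " + where,
            (*counters, stopped, *key))
        if cur.rowcount == 0:
            # Start, or an Interim/Stop whose Start never matched: new row
            # (the "_alt" insert queries of the stock configuration).
            db.execute(
                "INSERT INTO radacct (acctsessionid, nasipaddress, username, "
                "acctauthentic, acctsessiontime, acctinputoctets, "
                "acctoutputoctets, stopped) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                (SESSION, NAS, user, auth, *counters, stopped))
        elif auth == "RADIUS":
            # The NAS marks the RADIUS-authenticated name with
            # Acct-Authentic = RADIUS; keep that one on the session row.
            db.execute("UPDATE radacct SET username = ?, acctauthentic = ? "
                       "WHERE acctsessionid = ? AND nasipaddress = ?",
                       (user, auth, SESSION, NAS))
    return db.execute(
        "SELECT username, acctauthentic, acctsessiontime, stopped "
        "FROM radacct ORDER BY radacctid").fetchall()

if __name__ == "__main__":
    print("username in WHERE:     ", replay(PACKETS, key_on_username=True))
    print("session id + NAS only: ", replay(PACKETS, key_on_username=False))
```

With username in the WHERE clause the three packets produce three rows (unknown, THEUSER, host/thelaptop.domain.com), none of which carries the full picture; keyed on session id and NAS they collapse to a single row named THEUSER with the Stop counters and the stopped flag set.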


Re: EAP-TTLS/PAP tunneling issue

2008-02-13 Thread Edwin van Zyl
Your comment (*should*) focused my attention on the JRadius simulator  
and I finally got it to work. Problem: old version of  
JRadiusSimulator.  The one I used, I had downloaded from http://sourceforge.net/projects/jradius 
. Rather use the Java Web Start option at http://coova.org/wiki/index.php/JRadius/Simulator 
 for the latest version. Thx for your assistance.


Kind Regards,
Edwin
On 13 Feb 2008, at 4:33 PM, Alan DeKok wrote:


Edwin van Zyl wrote:

I've been simulating the traffic with JRadiusSimulator and used the
EAP-TTLS/PAP option.


 It *should* be working...


Is there any other simulator you know of which I
can use to simulate EAP-TTLS/(PAP and MS-CHAPv1)? I appreciate your  
help.


 eapol_test, which is part of wpa_supplicant.

 Alan DeKok.




Help needed to configure Challenge Response

2008-02-13 Thread Deepak Panigrahy
Can someone guide me with the steps to enable the Challenge Response in 
Freeradius server?


Thanks,
Deepak


Is tunnel right? (EAP-TTLS)

2008-02-13 Thread Sergio Belkin
Hi,
I am using EAP-TTLS with eap.conf; it is working, but looking at the
debugging messages and the sniffer output I can see the User-Name
(pepino, in this example), whereas earlier, radius 1.1.7 only showed
anonymous... I see no passwords (I think they're safe inside the tunnel,
aren't they?). Is that right? This is the debug output:


rad_recv: Access-Request packet from host 10.30.1.83 port 2053, id=0, length=125
User-Name = pepino
NAS-IP-Address = 10.30.1.83
Called-Station-Id = 000625f17036
Calling-Station-Id = 000e35bf5118
NAS-Identifier = 000625f17036
NAS-Port = 54
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000b016d6261726265
Message-Authenticator = 0xef93fe76912976e965bb1b2a20401ef3
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = pepino, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for pepino
WARNING: Deprecated conditional expansion :-.  See man unlang for details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=pepino)
        expand: ou=people,dc=saltamontes,dc=edu -> ou=people,dc=saltamontes,dc=edu
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.saltamontes.edu:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb2/cacert.pem
rlm_ldap: setting TLS Key File to /dev/urandom
rlm_ldap: bind as cn=freeradius,ou=applications,dc=saltamontes,dc=edu/pepe to ldap.saltamontes.edu:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=saltamontes,dc=edu, with filter (uid=pepino)
rlm_ldap: checking if remote access for pepino is allowed by radiusAllowed
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the user is configured correctly?
rlm_ldap: user pepino authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.30.1.83 port 2053
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x09eceb5c09edfe065d8607a9b4fe1db7
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.30.1.83 port 2053, id=0, length=192
Cleaning up request 0 ID 0 with timestamp +76
User-Name = pepino
NAS-IP-Address = 10.30.1.83
Called-Station-Id = 000625f17036
Calling-Station-Id = 000e35bf5118
NAS-Identifier = 000625f17036
NAS-Port = 54
Framed-MTU = 1400
State = 0x09eceb5c09edfe065d8607a9b4fe1db7
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0201003c15800032160301002d01290301b3354670c815c498b03d3c14301c2e8510e09178ba9ac6cb27077efc961addd802000a0100
Message-Authenticator = 0x30363c19771b184b796c396e6ef5438b
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = pepino, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 60
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 50
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls:  TLS 1.0 Handshake [length 002d], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0852], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server 

Re: Acct-Authentic changing usernames

2008-02-13 Thread Arran Cudbard-Bell

Phil Mayers wrote:
We're bringing a Cisco (formerly Airespace) lightweight wireless system 
online, and I'm seeing some odd things in the accounting.


Specifically, the usernames can change in the accounting packets. This 
causes the default SQL queries (at least, the ones for Postgres under 
1.1.7) to generate duplicate entries for the session, because the 
where clause includes the username.


For example, I might see this:

User-Name = unknown
NAS-Port = 29
NAS-IP-Address = 172.16.x.x
Framed-IP-Address = 192.168.x.x
NAS-Identifier = wlan-wism-1-1
Airespace-Wlan-Id = 2
Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
Acct-Authentic = Remote
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3602
Acct-Status-Type = Start
Calling-Station-Id = 00:aa:bb:cc:dd:ee
Called-Station-Id = 00:1b:d5:08:01:00

...then a few seconds later

User-Name = THEUSER
NAS-Port = 29
NAS-IP-Address = 172.16.x.x
Framed-IP-Address = 192.168.x.x
NAS-Identifier = wlan-wism-1-1
Airespace-Wlan-Id = 2
Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3602
Acct-Status-Type = Interim-Update
Acct-Input-Octets = 105078
Acct-Output-Octets = 72551
Acct-Input-Packets = 754
Acct-Output-Packets = 300
Acct-Session-Time = 74
Acct-Delay-Time = 0
Calling-Station-Id = 00:aa:bb:cc:dd:ee
Called-Station-Id = 00:1b:d5:08:01:00

If the user is on e.g. a windows XP laptop and logs out, I might finally 
see:


User-Name = host/thelaptop.domain.com
NAS-Port = 29
NAS-IP-Address = 172.16.x.x
Framed-IP-Address = 192.168.x.x
NAS-Identifier = wlan-wism-1-1
Airespace-Wlan-Id = 2
Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
Acct-Authentic = Remote
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3602
Acct-Status-Type = Stop
Acct-Input-Octets = 1852445
Acct-Output-Octets = 5401691
Acct-Input-Packets = 17608
Acct-Output-Packets = 8630
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 30517
Acct-Delay-Time = 0
Calling-Station-Id = 00:aa:bb:cc:dd:ee
Called-Station-Id = 00:1b:d5:08:01:00

It seems the NAS is having a changing view of the authentication 
username as various events take place, presumably at the EAPOL layer.


However it seems to consistently set Acct-Authentic to RADIUS for real 
usernames, and Remote for unknown or non-authenticated usernames, so 
it sort of knows this is happening.


Have you tried specifying a User-Name in your Access-Accept packets? 
According to the original RFC specs, the AP should use that User-Name in 
all subsequent accounting packets.


If you're doing that already, try just returning a canned User-Name string 
and see where it turns up in the accounting packets.


If I were to guess, I'd say the Acct-Start was sent prior to the 
supplicant responding to the EAP Identity Request, at the point of 
wireless association.


The interim packet was using a returned User-Name, and the stop packet 
was using the outer identity in the EAP Ident Response.


Weird ...


Now the Cisco WLC (nee Airespace) is a weird bit of kit anyway; it sort 
of holds onto client sessions in case they come back shortly (not 
unusual for wireless) but I'm wondering if this behaviour is legal, sane 
or what?


I can probably fix our SQL queries, but I thought people might be 
interested; for interest, what was the original rationale behind the 
where clause in the default SQL queries:


 where username='%{SQL-User-Name}'

??


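As an added example (not code from this thread or from FreeRADIUS), the following Python groups the three accounting packets Phil quoted by NAS address and Acct-Session-Id. It shows that a username-keyed grouping, like a WHERE clause that matches on username, splits the one session into three rows, while keying on Acct-Session-Id keeps it whole, and it picks the Acct-Authentic = RADIUS name as the real user. The packets are constructed from the quoted records, trimmed to the attributes the grouping needs.

```python
"""Group FreeRADIUS accounting packets by Acct-Session-Id, not User-Name.
Added example (not from the thread or FreeRADIUS); packets are constructed."""
from collections import defaultdict

# Constructed from the Start / Interim-Update / Stop packets quoted above:
# same Acct-Session-Id, three different User-Name values.
SAMPLE_PACKETS = [
    """User-Name = unknown
NAS-IP-Address = 172.16.x.x
Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
Acct-Authentic = Remote
Acct-Status-Type = Start""",
    """User-Name = THEUSER
NAS-IP-Address = 172.16.x.x
Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
Acct-Authentic = RADIUS
Acct-Status-Type = Interim-Update""",
    """User-Name = host/thelaptop.domain.com
NAS-IP-Address = 172.16.x.x
Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
Acct-Authentic = Remote
Acct-Status-Type = Stop""",
]

def parse_packet(text):
    """Parse radiusd's 'Attribute = value' debug lines into a dict."""
    attrs = {}
    for line in text.splitlines():
        if " = " in line:
            name, value = line.split(" = ", 1)
            attrs[name.strip()] = value.strip().strip('"')
    return attrs

def session_key(pkt, by_username):
    """by_username=True mirrors a WHERE clause that also matches username."""
    key = (pkt["NAS-IP-Address"], pkt["Acct-Session-Id"])
    return key + (pkt["User-Name"],) if by_username else key

def group_sessions(packets, by_username):
    """Bucket parsed packets into sessions; returns {key: [packets]}."""
    sessions = defaultdict(list)
    for pkt in packets:
        sessions[session_key(pkt, by_username)].append(pkt)
    return dict(sessions)

def best_username(packets):
    """Prefer the name the NAS tagged Acct-Authentic = RADIUS (the real user)."""
    for pkt in packets:
        if pkt.get("Acct-Authentic") == "RADIUS":
            return pkt["User-Name"]
    return packets[-1]["User-Name"]
```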


FR Unix pws

2008-02-13 Thread Lemaster, Rob
I am using FreeRADIUS v1.0.5 in a non-production lab environment. I am
using the group and passwd files for RADIUS authentication. I'm not
using the standard ones, but copies that I have created just for
FreeRADIUS and stored in another directory (so it doesn't interfere with
regular systems administration).

What hashing algorithm is used to store passwords in passwd?

Does FreeRADIUS have an option to read passwords in clear text?

Is there an easy way to create hashed passwords from some Unix
command-line utility?

Thanks for your time!

4 out of 10 women surveyed think Alan DeKok is a sex magnet.



[no subject]

2008-02-13 Thread Alexandre Chapellon
Hello, I want to use freeradius 2.0.1 to do
accounting for my DSL users.

I would like to achieve the following setup:

NASes send requests to the first radius (SunOS
radius), which only handles authentication requests
and proxies accounting requests to Freeradius
(v2.0.1). I'd like freeradius to do several things:

1 - Do accounting to a mysql database
2 - Send accounting responses to the first radius
3 - proxy/copy accounting data to several home
servers (3 servers: 1 billing server and 2 content
filtering servers)

To do this I set up freeradius 2.0.1 with 1 default
virtual server writing accounting to mysql and to a
detail file, and one other virtual server which
listens to the detail file ( listen { type = detail}
) and proxies requests.
The problem is that the proxying is done for one
request and stops when the response has been
received, so other requests that are in the
detail file are not proxied!

Does anybody have an idea / use this kind of setup?


Re: FR Unix pws

2008-02-13 Thread Alan DeKok
Lemaster, Rob wrote:
 I am using FreeRADIUS v1.0.5 in a non-production lab environment.

  Well... I suggest upgrading.

 What hashing algorithm is used to store passwords in passwd?

$ man passwd

  i.e. whatever your system supports.

 Does FreeRADIUS have an option to read passwords in clear text?

  Sure.  See the passwd module documentation in FreeRADIUS.

 Is there an easy way to create hashed passwords from some Unix
 command-line utility?

  The simplest is Apache's htpasswd program.

 4 out of 10 women surveyed think Alan DeKok is a sex magnet.

  Then they cry themselves to sleep at night.  I'm not available. :(

  Alan DeKok.



Re:

2008-02-13 Thread Alan DeKok
Alexandre Chapellon wrote:
 To do this I set up freeradius 2.0.1 with 1 default
 virtual server writing accounting to mysql and to a
 detail file, and one other virtual server which
 listens to the detail file ( listen { type = detail}
 ) and proxies requests.
 The problem is that the proxying is done for one
 request and stops when the response has been
 received, so other requests that are in the
 detail file are not proxied!

  This bug was fixed recently.  2.0.2 will be released either today or
tomorrow, and will contain the fix.

  Alan DeKok.