RE: Cisco-AVPair store in MySQL4/freeradius1.0.0

2004-07-13 Thread Mikhail Stepanov
Look at that:

 |  5 | cit-10 | cisco-avpair | += | ip:addr-pool=pool-10
 |  6 | cit-10 | cisco-avpair | += | ip:dns-servers*10.48.4.5 10.48.4.3


man 5 users

 Attribute += Value
        Always matches as a check item, and adds the current attribute
        with value to the list of configuration items. As a reply item,
        it has an identical meaning, but the attribute is added to the
        reply items.

It means that if you want to return more than one attribute of the same
type, you have to use += instead of = in the Op field.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthias Wolf
Sent: Monday, July 12, 2004 9:39 PM
To: [EMAIL PROTECTED]
Subject: AW: Cisco-AVPair store in MySQL4/freeradius1.0.0


Where and why: += instead of =?

Thanks, M. Wolf


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikhail Stepanov
Sent: Monday, July 12, 2004 16:23
To: [EMAIL PROTECTED]
Subject: RE: Cisco-AVPair store in MySQL4/freeradius1.0.0

 Cisco-AVPair = ip:source-ip=192.168.0.127
 Cisco-AVPair = ip:source-port=4051
 Cisco-AVPair = ip:destination-ip=10.10.10.1
 Cisco-AVPair = ip:destination-port=23
 ...
 But FreeRadius' sql.conf ... '%{Cisco-AVPair}', ... still returns only the
 first instance of Cisco-AVPair (ip:source-ip=192.168.0.127).

Usually I write += instead of =. Works fine.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, July 12, 2004 6:07 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco-AVPair store in MySQL4/freeradius1.0.0 

Matthias Wolf [EMAIL PROTECTED] wrote:
 I had spent much time reading the FAQ, but I'm still searching for the solution
 for inserting Cisco-AVPair (PIX 525 accounting) into the MySQL database.
 
 ...
 Cisco-AVPair = ip:source-ip=192.168.0.127
 Cisco-AVPair = ip:source-port=4051
 Cisco-AVPair = ip:destination-ip=10.10.10.1
 Cisco-AVPair = ip:destination-port=23
 ...
 But FreeRadius' sql.conf ... '%{Cisco-AVPair}', ... still returns only the
 first instance of Cisco-AVPair (ip:source-ip=192.168.0.127).

  That's the intended behavior.

  In the latest CVS snapshots, you can use:

  %{Cisco-AVPair[0]} is the same as %{Cisco-AVPair}
  %{Cisco-AVPair[1]} is the next one
  %{Cisco-AVPair[2]} is the next one, etc.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


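As an added illustration (not code from the thread, and not FreeRADIUS's own implementation): a small Python model of the reply-operator semantics quoted above from man 5 users, and of the %{Attr} versus %{Attr[n]} expansion Alan describes. The radreply rows, the accounting request and the names SAMPLE_RADREPLY, SAMPLE_ACCT_REQUEST, build_reply, xlat and cisco_columns are all constructed for this example.

```python
import re
from typing import List, Tuple

Pair = Tuple[str, str]  # (attribute name, value)

# Constructed sample radreply rows: (id, UserName, Attribute, op, Value).
# Rows 1-4 mirror the four Cisco-AVPair values quoted in the thread; rows 5-9
# are added to exercise the other operators from man 5 users and user filtering.
SAMPLE_RADREPLY: List[Tuple[int, str, str, str, str]] = [
    (1, "cis", "Cisco-AVPair", "+=", "ip:source-ip=192.168.0.127"),
    (2, "cis", "Cisco-AVPair", "+=", "ip:source-port=4051"),
    (3, "cis", "Cisco-AVPair", "+=", "ip:destination-ip=10.10.10.1"),
    (4, "cis", "Cisco-AVPair", "+=", "ip:destination-port=23"),
    (5, "cis", "Framed-IP-Address", "=", "10.0.0.5"),
    (6, "cis", "Framed-IP-Address", "=", "10.0.0.6"),  # '=' : ignored, already set
    (7, "cis", "Session-Timeout", ":=", "3600"),
    (8, "cis", "Session-Timeout", ":=", "600"),        # ':=': replaces 3600
    (9, "other", "Cisco-AVPair", "+=", "ip:addr-pool=pool-10"),  # different user
]

# Constructed Accounting-Request attribute list, as the PIX would send it; the
# accounting INSERT in the thread expands %{Cisco-AVPair} against this list.
SAMPLE_ACCT_REQUEST: List[Pair] = [
    ("User-Name", "cis"),
    ("Cisco-AVPair", "ip:source-ip=192.168.0.127"),
    ("Cisco-AVPair", "ip:source-port=4051"),
    ("Cisco-AVPair", "ip:destination-ip=10.10.10.1"),
    ("Cisco-AVPair", "ip:destination-port=23"),
]


def build_reply(rows, username: str) -> List[Pair]:
    """Apply the radreply rows for `username`, in id order, to an empty reply list.

    Operator semantics per man 5 users: '=' adds only if the attribute is not
    already present, ':=' replaces any existing instance (or adds one), and
    '+=' always appends another instance, which is what lets several
    Cisco-AVPair values be returned.
    """
    reply: List[Pair] = []
    for row_id, user, attr, op, value in sorted(rows, key=lambda r: r[0]):
        if user != username:
            continue
        present = [i for i, (a, _v) in enumerate(reply) if a == attr]
        if op == "+=":
            reply.append((attr, value))
        elif op == "=":
            if not present:
                reply.append((attr, value))
        elif op == ":=":
            if present:
                reply[present[0]] = (attr, value)
                for i in reversed(present[1:]):   # drop any further duplicates
                    del reply[i]
            else:
                reply.append((attr, value))
        else:
            raise ValueError(f"radreply id {row_id}: unsupported reply op {op!r}")
    return reply


_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)(?:\[(\d+)\])?\}")


def xlat(template: str, pairs: List[Pair]) -> str:
    """Expand %{Attr} and %{Attr[n]} in `template` against an attribute list.

    Plain %{Attr} is the first instance (so it equals %{Attr[0]}); [n] selects
    the n-th instance, 0-based. An attribute or index that is not present
    expands to the empty string.
    """
    def replace(m: "re.Match[str]") -> str:
        attr, index = m.group(1), int(m.group(2) or 0)
        values = [v for a, v in pairs if a == attr]
        return values[index] if index < len(values) else ""
    return _XLAT.sub(replace, template)


def cisco_columns(pairs: List[Pair], indexed: bool) -> Tuple[str, str]:
    """Values the thread's two CISCO/CISCO2 columns would receive.

    With '%{Cisco-AVPair}' twice, both columns get the first AV pair (the
    behaviour Matthias reports); with the [0]/[1] form they get distinct ones.
    """
    if indexed:
        return xlat("%{Cisco-AVPair[0]}", pairs), xlat("%{Cisco-AVPair[1]}", pairs)
    return xlat("%{Cisco-AVPair}", pairs), xlat("%{Cisco-AVPair}", pairs)


if __name__ == "__main__":
    for attr, value in build_reply(SAMPLE_RADREPLY, "cis"):
        print(f"{attr} += {value}" if attr == "Cisco-AVPair" else f"{attr} = {value}")
    print("plain  :", cisco_columns(SAMPLE_ACCT_REQUEST, indexed=False))
    print("indexed:", cisco_columns(SAMPLE_ACCT_REQUEST, indexed=True))
```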


how to config eap-tls on FreeRadius chinese version

2004-07-13 Thread
I made a PDF file, in Chinese, to help configure EAP-TLS on FreeRADIUS.
Thanks, FreeRADIUS is great software, and thank you Alan DeKok and everyone ;-)
My English is bad but I like Unix and networking :)
http://my.chinaunix.net/wanghao/network.html

-- 
http://my.chinaunix.net/wanghao/
http://www.chinaunix.net/



test

2004-07-13 Thread

-- 
http://my.chinaunix.net/wanghao/
http://www.chinaunix.net/



AW: AW: Cisco-AVPair store in MySQL4/freeradius1.0.0

2004-07-13 Thread Matthias Wolf
OK, I downloaded the latest version. But during the
make process there was an error:


/usr/apps/freeradius-snapshot-20040712/libtool --mode=link gcc
rlm_dbm_parser.o ../../lib/libradius.la -lcrypto   -o rlm_dbm_parser
gcc rlm_dbm_parser.o -o .libs/rlm_dbm_parser  ../../lib/.libs/libradius.so
-lcrypt -lcipher -lcrypto -Wl,--rpath -Wl,/usr/local/freeradius/lib
../../lib/.libs/libradius.so: undefined reference to `pthread_mutex_unlock'
../../lib/.libs/libradius.so: undefined reference to `pthread_mutex_lock'
../../lib/.libs/libradius.so: undefined reference to `pthread_mutex_init'
gmake[5]: *** [rlm_dbm_parser] Error 1
gmake[5]: Leaving directory
`/usr/apps/freeradius-snapshot-20040712/src/modules/rlm_dbm'
gmake[4]: *** [common] Error 1
gmake[4]: Leaving directory
`/usr/apps/freeradius-snapshot-20040712/src/modules'
gmake[3]: *** [all] Error 2
gmake[3]: Leaving directory
`/usr/apps/freeradius-snapshot-20040712/src/modules'
gmake[2]: *** [common] Error 1
gmake[2]: Leaving directory `/usr/apps/freeradius-snapshot-20040712/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/usr/apps/freeradius-snapshot-20040712/src'
gmake: *** [common] Error 1
*** Error code 2

Stop in /usr/apps/freeradius-snapshot-20040712.

Why?


Regards, M. Wolf


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, July 12, 2004 20:34
To: [EMAIL PROTECTED]
Subject: Re: AW: Cisco-AVPair store in MySQL4/freeradius1.0.0

 And where can I find the latest CVS snapshots?

  On the FTP site.

  ftp://ftp.freeradius.org/pub/radius/

  Alan DeKok.







Re: I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???

2004-07-13 Thread Amit Gupta
Thanks Paul.

May I know reasons for preferring freeradius. Our current system is based on
freeradius but we are planning to reengineer this to accommodate better
features.

Amit Gupta
- Original Message -
From: Paul Hampson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 12, 2004 6:31 AM
Subject: Re: I have to make choice between GNUradius and freeradius. My
requirements are generally those of ISP. Which one will you recommend to
me???


 On Mon, Jul 12, 2004 at 04:59:46PM -0700, Amit Gupta wrote:
  I have to make choice between GNUradius and freeradius. My
  requirements are generally those of ISP. Which one will you recommend
  to me???

 I recommend FreeRADIUS. Otherwise I'd be a GNUradius developer. :-)

 --
 Paul TBBle Hampson, on an alternate email client.








AW: Cisco-AVPair store in MySQL4/freeradius1.0.0

2004-07-13 Thread Matthias Wolf
+----+----------+--------------+----+-----------------+
| id | UserName | Attribute    | op | Value           |
+----+----------+--------------+----+-----------------+
|  1 | cis      | cisco-avpair | += | ip:source-ip=   |
|  2 | cis      | cisco-avpair | += | ip:source-port= |
+----+----------+--------------+----+-----------------+


OK, so far everything is right. But how do I modify my SQL string?

Like that, perhaps: ..., '%{cisco-avpair}') ...?


Regards, M. Wolf





Re: I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???

2004-07-13 Thread Paul Hampson
On Tue, Jul 13, 2004 at 12:44:04PM -0700, Amit Gupta wrote:
 May I know reasons for preferring freeradius. Our current system is based on
 freeradius but we are planning to reengineer this to accommodate better
 features.

I find it easy to use, good about following standards, with a wide base
of developers, and it's packaged for Debian.

It has multi-platform support, and supports EAP like nothing else. It
also is seeing strong support from VoIP people, and that's something I
will be heading into.

Its support for SQL is very easy to use, and with only one issue
involving groups (in the FreeRADIUS bug database) it gives all the
power of the files, but with the flexibility of an SQL database.

It has an unimpeachable release policy, suitable for production server
environments.

The source is well structured, ensuring any problems can be quickly
identified and rectified. Also features can be added with a minimum
of fuss, although I think my plans for IPv6 work may prove a little
intrusive initially. :-)

It also helps that it's the anointed successor to Cistron RADIUSd,
which _everyone_ knows and feels strongly about. :-)

Also, the people on this mailing list _know_ their stuff, and the
web is peppered with HOWTOs, usually involving FreeRADIUS as the
RADIUS server.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: FreeRADIUS versus GNU radius

2004-07-13 Thread
Amit Gupta wrote:

 Thanks Alan.
 
 May I know why FreeRADIUS is your *only* choice for wireless?

freeradius is free :)
 
 
 Amit Gupta
 - Original Message -
 From: Alan DeKok [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, July 12, 2004 7:12 AM
 Subject: FreeRADIUS versus GNU radius
 
 
 
Amit Gupta [EMAIL PROTECTED] wrote:

I have to make choice between GNUradius and freeradius. My requirements
are generally those of ISP. Which one will you recommend to me???

  What do you intend to use it for?

  If you're doing wireless, FreeRADIUS is your *only* choice.  If you
need to get configuration from an LDAP database, FreeRADIUS is your
*only* choice.  If you want to get configuration from Oracle,
FreeRADIUS is your *only* choice.

  FreeRADIUS is also faster than GNU Radius, for a whole host of
reasons.

  The one benefit that GNU radius has is its rewrite language.
It's neat.

  Oh, and there are usually more postings on this list in a day, than
on the GNU radius list in a month.  The user base of FreeRADIUS is
*much* larger.

  Alan DeKok.


 


-- 
http://my.chinaunix.net/wanghao/
http://www.chinaunix.net/




Re: I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???

2004-07-13 Thread Amit Gupta
Thanks Paul.

Can you compare GNURadius with freeradius feature by feature for me?

Amit Gupta


I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???

2004-07-13 Thread Amit Gupta
Thanks Everybody for your response.

Can you compare GNURadius with freeradius feature by feature for me?

Amit Gupta





Re: I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???

2004-07-13 Thread Thor Spruyt

- Original Message - 
From: Amit Gupta [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 13, 2004 10:25 PM
Subject: I have to make choice between GNUradius and freeradius. My
requirements are generally those of ISP. Which one will you recommend to
me???


 Thanks Everybody for your response.

 Can you compare GNURadius with freeradius feature by feature for me?

I don't think anyone will do that, Amit :)
Just install and configure them both for your purpose and see what the
results are.


 Amit Gupta








Freeradius+Postfresqk+MAC problem

2004-07-13 Thread Christoffer Dahl Petersen




Hi!

As I wrote earlier in this list, I'm trying to get FreeRADIUS to authenticate my clients based on their NICs' MAC addresses.
This works great as long as I use the users file:
DEFAULT Calling-Station-Id == "CLIENT NIC", Auth-Type := Accept
        Filter-ID = "profile="

Now I'm trying to use PostgreSQL as the backend, but it won't work.
Here is my radiusd.conf (the entire conf file is at the bottom of the mail):

$INCLUDE ${confdir}/postgresql.conf

authorize {
 preprocess
 sql
}


Here is my postgresql.conf:
sql {
 driver = "rlm_sql_postgresql"
 server = "localhost"

 login = "radius"
 password = "123456"

 radius_db = "radius"

 acct_table1 = "radacct"
 acct_table2 = "radacct"

 authcheck_table = "radcheck"
 authreply_table = "radreply"

 groupcheck_table = "radgroupcheck"
 groupreply_table = "radgroupreply"

 usergroup_table = "usergroup"

 deletestalesessions = yes

 sqltrace = yes
 sqltracefile = ${logdir}/sqltrace.sql

 num_sql_socks = 5

 sql_user_name = "%{User-Name}"
 SQL_User_Name = "%{User-Name}"

 authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \
   FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' ORDER BY id"

# authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \
#   FROM ${authreply_table} WHERE username = '%{SQL-User-Name}' ORDER BY id"

# authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} \
#   WHERE UserName = '%{User-Name}' AND \
#   ( Attribute = 'User-Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC"

}


Here is a dump of my database:
[EMAIL PROTECTED] 172.16.0.10]# psql -U radius
radius=> select * from radcheck;
 id |     username      |   attribute   | op | value
----+-------------------+---------------+----+--------
  1 | 00-04-23-4d-c4-3d | User-Password | == | 123456
  2 | 00-20-e0-8d-05-94 | User-Password | == | 123456
(2 rows)


And here is what my log says:
Jul 12 14:39:02 linux radiusd: ^IUser-Name = "00-20-e0-8d-05-94"
Jul 12 14:39:02 linux radiusd: ^IUser-Password = "123456"
Jul 12 14:39:02 linux radiusd: ^INAS-IP-Address = 172.16.0.10
Jul 12 14:39:02 linux radiusd: ^INAS-Port = 0
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): Reserving sql socket id: 3
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE username = '00-20-e0-8d-05-94' ORDER BY id
Jul 12 14:39:02 linux postgres[19980]: [5-1] LOG: 0: duration: 5.637 ms
Jul 12 14:39:02 linux postgres[19980]: [5-2] LOCATION: exec_simple_query, postgres.c:960
Jul 12 14:39:02 linux postgres[19980]: [6-1] LOG: 0: duration: 5.637 ms statement: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE username =
Jul 12 14:39:02 linux postgres[19980]: [6-2] '00-20-e0-8d-05-94' ORDER BY id
Jul 12 14:39:02 linux postgres[19980]: [6-3] LOCATION: exec_simple_query, postgres.c:974
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: affected rows =
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): No matching entry in the database for request from user [00-20-e0-8d-05-94]
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): Released sql socket id: 3
Jul 12 14:39:02 linux radiusd: Login incorrect: [00-20-e0-8d-05-94/123456] (from client testap1 port 0)
Jul 12 14:39:05 linux radiusd: rad_recv: Access-Request packet from host 172.16.0.10:6001, id=63, length=69
Jul 12 14:39:05 linux radiusd: Sending Access-Reject of id 63 to 172.16.0.10:6001


I really don't know what I'm doing wrong. Could any of you give me a hint?
If you need to see any other configuration files, please let me know.

Thanks

Christoffer

My entire radiusd.conf:
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid

user = radiusd
group = radiusd

max_request_time = 30

delete_blocked_requests = no

cleanup_delay = 5

max_requests = 1024

bind_address = *

port = 0

hostname_lookups = no

allow_core_dumps = yes

regular_expressions = yes
extended_expressions = yes

log_stripped_names = no

log_auth = yes

log_auth_badpass = yes
log_auth_goodpass = yes

usercollide = no

lower_user = no
lower_pass = no

nospace_user = no
nospace_pass = no

checkrad = ${sbindir}/checkrad

security {
 max_attributes = 200
 reject_delay = 1
 status_server = no
}

proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf

$INCLUDE ${confdir}/clients.conf

thread pool {
 start_servers = 5
 max_servers = 32
 min_spare_servers = 3
 max_spare_servers = 10
 max_requests_per_server = 0
}

modules {
 pap {
 encryption_scheme = crypt
 }
 chap {
 authtype = CHAP
 }
 pam {
 pam_auth = radiusd
 }
 unix {
 cache = no
 cache_reload = 600
 shadow = /etc/shadow
 radwtmp = ${logdir}/radwtmp
 }
 eap {
 default_eap_type = md5
 timer_expire = 60
 md5 {
 }
 leap {
 }
 }

 mschap {
 

What Protocol does freeradius rely on?

2004-07-13 Thread Yyc
Hello,

As far as I know, the RADIUS protocol described by RFC 28XX is less powerful
than the RADIUS+ protocol, which was extended by some device producers. The difference is
that RADIUS+ supports server control and dynamic adjustment of user service quality.
Does FreeRADIUS support RADIUS+? Or can I modify FreeRADIUS to fit the NAS?
 


Regards
Yyc








RE: Cisco-AVPair store in MySQL4/freeradius1.0.0

2004-07-13 Thread Mikhail Stepanov
 OK, so far everything is right. But how do I modify my SQL string?

 Like that, perhaps: ..., '%{cisco-avpair}') ...?

I can't understand what you want to do. You needn't modify any
SQL queries in FreeRADIUS. It returns all AV pairs automatically.


Mikhail Stepanov.




AW: Cisco-AVPair store in MySQL4/freeradius1.0.0

2004-07-13 Thread Matthias Wolf
Listen. I want to write the Cisco-AVPair into the radacct MySQL table.
Every time, my SQL string ..., '%{cisco-avpair}') in sql.conf returns
only the IP address and not the other stuff like ports and so on.

Here is my modified SQL string:

accounting_update_query_alt = "INSERT into ${acct_table1} \
  (AcctSessionId, AcctUniqueId, UserName, \
   Realm, NASIPAddress, NASPortId, NASPortType, \
   AcctStartTime, AcctSessionTime, AcctAuthentic, \
   ConnectInfo_start, AcctInputOctets, AcctOutputOctets, \
   CalledStationId, CallingStationId, ServiceType, FramedProtocol, \
   FramedIPAddress, AcctStartDelay, CISCO, CISCO2) \
  values('%{Acct-Session-Id}', \
   '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', \
   '%{NAS-IP-Address}', \
   '%{NAS-Port}', '%{NAS-Port-Type}', \
   DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), \
   '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', \
   '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', \
   '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', \
   '%{Cisco-AVPair}', '%{Cisco-AVPair}')"

# Cisco-AVPair always returns ip:source-ip=10.10.10.23

Thanks, M. Wolf





How to give attributes to PAM

2004-07-13 Thread jeff x
Hello,

My question may be a little simple, but I've been
searching for an answer and found nothing.

Here is my problem:
I'd like to use a PAM module to check several pieces of
information in a specified OID (object) of an LDAP
database, and this OID would be in an attribute given
with an Access-Request.
So, is it possible? And how is it possible to give
more arguments than a login and a password to a PAM
module?

Thanks for your help,
Jeff 








Re: Freeradius+Postfresqk+MAC problem

2004-07-13 Thread Gary McKinney



Hmmm,

Looks like most everything is correct, from what you have sent here...

A couple of things:

1. Is PostgreSQL case sensitive (I play with MySQL)??? If so, check the case (caps or lower case) of the record field names to make sure the schemas match for the database and queries.

2. Check the debug logs for the database to see exactly what is being done on the database side!

From what I see here it looks like FreeRADIUS is doing its job properly...

As an aside note: when you had the users file set up with Auth-Type := Accept, you were basically telling FreeRADIUS to "accept" any default caller unconditionally; that is what the "Accept" means {grin}...


gm...



wireless authentication

2004-07-13 Thread ozceyhant

Hi,

I'm new to RADIUS.
I've installed FreeRADIUS on my Red Hat Linux server in order to authenticate my
wireless clients. I have a ZyXEL 650HW ADSL router which is also a wireless access point;
this device has a RADIUS server configuration. I want to authenticate my wireless
clients across the RADIUS server, but I'm new to RADIUS servers. How can I find some help
on the internet?
Are there applications like this?

Teber zceyhan


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Fall-Through in acct_users

2004-07-13 Thread Andrey Lakhno
Hello,

Is it possible to use Fall-Through in acct_users like in users file ?

-- 
Andrey Lakhno,
land-ripe



Re: FreeRADIUS versus GNU radius

2004-07-13 Thread Alan DeKok
Amit Gupta [EMAIL PROTECTED] wrote:
 May I know why FreeRADIUS is your *only* choice for wireless.

  Because no other open source server supports wireless.

  Alan DeKok.




Re: I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???

2004-07-13 Thread Alan DeKok
Amit Gupta [EMAIL PROTECTED] wrote:
 Thanks Everybody for your response.
 
 Can you compare GNURadius with freeradius on feature by feature for me.

  No.

  If you do such a comparison, please post it here, so others won't
have to re-do the work.

  Alan DeKok.



Re: What Protocol does freeradius rely on?

2004-07-13 Thread Alan DeKok
Yyc [EMAIL PROTECTED] wrote:
 So far as I know, the RADIUS protocol described by RFC 28XX is
  less powerful than the RADIUS+ protocol, which was extended by some
  device producers.

  RADIUS+ is also non-standard.

 The difference is that RADIUS+ supports server
  control and dynamic adjustment of user service quality.

  See RFC 3576.

  The server doesn't support sending RADIUS packets to a NAS, as
that's not the job of the server.  Radclient does have support for
some of those packets, though.

  Alan Dekok.



Re: How to give attributes to PAM

2004-07-13 Thread Alan DeKok
=?iso-8859-1?q?jeff=20x?= [EMAIL PROTECTED] wrote:
 I'd like to use a PAM module to check several
 pieces of information in a specified OID (object) of an LDAP
 database, and this OID would be in an attribute given
 with an ACCESS-REQUEST.
 So, is it possible?

  Not really.  I suggest asking on a PAM list.

  Alan DeKok.



Re: Fall-Through in acct_users

2004-07-13 Thread Alan DeKok
Andrey Lakhno [EMAIL PROTECTED] wrote:
 Is it possible to use Fall-Through in acct_users like in users file ?

  Try it and see.

  Alan DeKok.



Re: Fall-Through in acct_users

2004-07-13 Thread Andrey Lakhno
Hello,

On Tue, 13 Jul 2004, Alan DeKok wrote:

  Is it possible to use Fall-Through in acct_users like in users file ?
 
   Try it and see.

It does not work. Maybe I did something incorrectly?

acct_users:

DEFAULT NAS-IP-Address == x.x.x.x, Acct-Status-Type == Stop
Exec-Program = /home/voip/aaa/acct_call_generic,
Fall-Through = Yes

DEFAULT NAS-IP-Address == x.x.x.x, Acct-Status-Type == Stop
Exec-Program = /home/voip/aaa/test



-- 
Andrey Lakhno,
land-ripe



Re: Fall-Through in acct_users

2004-07-13 Thread Alan DeKok
Andrey Lakhno [EMAIL PROTECTED] wrote:
 It does not work. Maybe I did something incorrectly?
 
 acct_users:
 
 DEFAULT NAS-IP-Address == x.x.x.x, Acct-Status-Type == Stop
 Exec-Program = /home/voip/aaa/acct_call_generic,
 Fall-Through = Yes
 
 DEFAULT NAS-IP-Address == x.x.x.x, Acct-Status-Type == Stop
 Exec-Program = /home/voip/aaa/test

  Fall-Through works.  See the debugging output, where it will show
you that it's matching *both* of the above lines.

  What doesn't work is having two Exec-Program attributes.  The server
supports only one.  If you need to run two scripts, I suggest creating
one script which will run both of them.

  Alan DeKok.



freeRADIUS patch for EAP-TLS n-tier server/aaa certificate chain support

2004-07-13 Thread Mohammed Petiwala
Hi:

Currently the freeRADIUS server (including R1.0.0 pre-3) doesn't support sending server certificate chains during the SERVER-HELLO handshake to the EAP-TLS client/supplicant. This patch allows freeRADIUS to have a certificate chain of depth greater than 2 in the server/aaa certificate.

This patch is built on the OpenSSL SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file) API call: if the server certificate is passed as a certificate chain in PEM format, by concatenating the server certificate, server sub-CA certificate, ..., server root certificate, then OpenSSL builds the certificate chain and sends the complete chain as the server certificate. For more info on how users could use freeRADIUS with n-tier server certificate chains please refer to the OpenSSL documentation on the SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file) call.

The following enhancement only applies to PEM files that have certificate chains as part of the server certificates. For all other certificate types there will be no change; also, if the AAA server certificate doesn't have an n-tier certificate chain (it only uses a server root and server certificate hierarchy), then it would also work just as previously.

We've used and tested this patch and it works fine. If you need more details on this please contact me.
Thanks.

Regards,
Mohammed.


Mohammed H. Petiwala
Senior Staff Engineer
Motorola Inc.


@@


--- rlm_eap_tls.c.orig 2004-06-29 13:11:15.0
-0500
+++ rlm_eap_tls.c 2004-06-29 13:17:09.0 -0500
@@ -147,15 +147,6 @@
   type = SSL_FILETYPE_ASN1;
  }
 
- /* Load the CAs we trust */
- if (!(SSL_CTX_load_verify_locations(ctx,
conf-ca_file, conf-ca_path)) ||
- (!SSL_CTX_set_default_verify_paths(ctx))) {
-  ERR_print_errors_fp(stderr);
-  radlog(L_ERR, rlm_eap_tls: Error reading Trusted
root CA list);
-  return NULL;
- }
- SSL_CTX_set_client_CA_list(ctx,
SSL_load_client_CA_file(conf-ca_file));
-
  /*
   * Set the password to load private key
   */
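Review bot: nothing in the description explains why the trusted-CA loading (SSL_CTX_load_verify_locations, SSL_CTX_set_default_verify_paths and SSL_CTX_set_client_CA_list) is deleted here and re-inserted later in the function; loading the chain with SSL_CTX_use_certificate_chain_file does not depend on the order of these calls. Either state the reason for the reordering in the patch description or drop this hunk together with the matching re-insertion, so the diff is limited to the certificate-loading change and is easier to review and to carry forward.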
@@ -165,10 +156,22 @@
  }
 
  /* Load our keys and certificates*/
- if (!(SSL_CTX_use_certificate_file(ctx,
conf-certificate_file, type))) {
-  ERR_print_errors_fp(stderr);
-  radlog(L_ERR, rlm_eap_tls: Error reading
certificate file);
-  return NULL;
+ /* if certificates are of type PEM then we can make
use of cert chain   */
+ /* authentication using openssl api call
SSL_CTX_use_certificate_chain_file */
+ /* Please see how the cert chain needs to be given
in PEM from openSSL.org  */
+ if(type == SSL_FILETYPE_PEM) {
+  if (!(SSL_CTX_use_certificate_chain_file(ctx,
conf-certificate_file))) {
+   ERR_print_errors_fp(stderr);
+   radlog(L_ERR, rlm_eap_tls: Error reading
certificate file);
+   return NULL;
+  }
+ }
+ else {
+  if (!(SSL_CTX_use_certificate_file(ctx,
conf-certificate_file, type))) {
+   ERR_print_errors_fp(stderr);
+   radlog(L_ERR, rlm_eap_tls: Error reading
certificate file);
+   return NULL;
+  }
  }
 
  if (!(SSL_CTX_use_PrivateKey_file(ctx,
conf-private_key_file, type))) {
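Review bot: both branches log the identical "Error reading certificate file", so an operator cannot tell a broken chain file from a broken single certificate; make the PEM branch say that SSL_CTX_use_certificate_chain_file failed. The two branches also duplicate the same three error-handling lines; one call selected by `type == SSL_FILETYPE_PEM` followed by a single `if (!ok) { ... return NULL; }` is shorter. Finally, the new comments should state what the chain file must look like (server certificate first, followed by the issuing CAs in order) and that the private key loaded immediately below has to belong to that first certificate; the OpenSSL call does not validate the chain it reads, it just sends the extra certificates to the peer.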
@@ -185,6 +188,15 @@
   return NULL;
  }
 
+ /* Load the CAs we trust */
+ if (!(SSL_CTX_load_verify_locations(ctx,
conf-ca_file, conf-ca_path)) ||
+ (!SSL_CTX_set_default_verify_paths(ctx))) {
+  ERR_print_errors_fp(stderr);
+  radlog(L_ERR, rlm_eap_tls: Error reading Trusted
root CA list);
+  return NULL;
+ }
+ SSL_CTX_set_client_CA_list(ctx,
SSL_load_client_CA_file(conf-ca_file));
+
  /*
   * Set ctx_options
   */
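Review bot: SSL_load_client_CA_file(conf-ca_file) can return NULL and its result goes straight into SSL_CTX_set_client_CA_list without a check, exactly as in the code being moved; since these lines are touched anyway, store the result, and on NULL log with radlog(L_ERR, ...) and `return NULL`, as the surrounding code does for every other load failure. Note also that, with the CA list now loaded after the key and certificate, a bad ca_file is only reported once those succeed, which changes the order of errors an operator sees compared to the original.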







Re: AW: Cisco-AVPair store in MySQL4/freeradius1.0.0

2004-07-13 Thread Alan DeKok
Matthias Wolf [EMAIL PROTECTED] wrote:
 Listen. I want to write the Cisco-AVPair into the radacct MySQL table.
 Every time my SQL string , '%{cisco-avpair}') in the sql.conf returns
 only the IP address and not the other stuff like ports and so on.

  It returns the *first* Cisco-AVPair attribute.

  The CVS snapshot from tomorrow will allow %{Cisco-AVPair[*]}.  See
doc/variables.txt for more details.

  Alan DeKok.

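As an added illustration of the difference Alan describes (this is example code written for this page, not FreeRADIUS's own xlat code), the Python below expands `%{Attr}`, `%{Attr[n]}` and `%{Attr[*]}` against a constructed Accounting-Request carrying the four Cisco-AVPair values the PIX sends. Two things are assumptions: that `[*]` joins the instances with a newline as doc/variables.txt describes (the separator is a parameter here), and the allowed-character set used for rlm_sql-style `=XX` escaping, which is the default I recall from rlm_sql; check your version's rlm_sql.c or sql.conf. The escaping is the security-relevant part: every Cisco-AVPair value is chosen by the NAS and is spliced into the INSERT inside a quoted string literal, so a value containing a quote must not be able to end that literal.

```python
import re

# Constructed sample of one Accounting-Request from the PIX: the request's
# attribute/value pairs in wire order, with four Cisco-AVPair instances.
REQUEST = [
    ("User-Name", "mwolf"),
    ("Acct-Session-Id", "0x3a9f"),
    ("Cisco-AVPair", "ip:source-ip=192.168.0.127"),
    ("Cisco-AVPair", "ip:source-port=4051"),
    ("Cisco-AVPair", "ip:destination-ip=10.10.10.1"),
    ("Cisco-AVPair", "ip:destination-port=23"),
]

# Assumed allowed-character set, taken from what rlm_sql's escape function
# permits by default (verify against your rlm_sql.c / sql.conf); everything
# else becomes =XX, so a NAS-chosen value cannot close the quoted SQL literal.
SAFE_CHARS = set("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")

def sql_escape(value):
    """rlm_sql-style escaping: a quote becomes =27, a semicolon =3B, and so on."""
    return "".join(ch if ch in SAFE_CHARS else "=%02X" % ord(ch) for ch in value)

XLAT_RE = re.compile(r"%\{([A-Za-z0-9-]+)(?:\[(\*|\d+)\])?\}")

def xlat(template, pairs, escape=sql_escape, separator="\n"):
    """Expand %{Attr} (first instance only), %{Attr[n]} (n-th instance, 0-based)
    and %{Attr[*]} (every instance, joined by separator) against pairs."""
    def expand(match):
        name, index = match.group(1).lower(), match.group(2)
        values = [v for a, v in pairs if a.lower() == name]
        if index is None:
            picked = values[:1]
        elif index == "*":
            picked = values
        else:
            n = int(index)
            picked = values[n:n + 1]
        return separator.join(escape(v) for v in picked)
    return XLAT_RE.sub(expand, template)

# The radacct INSERT fragment as it would appear in sql.conf, old and new form.
FIRST_ONLY = "INSERT INTO radacct (username, avpair) VALUES ('%{User-Name}', '%{Cisco-AVPair}')"
EVERY_ONE = "INSERT INTO radacct (username, avpair) VALUES ('%{User-Name}', '%{Cisco-AVPair[*]}')"

def count_avpairs(query):
    """How many ip:... values reached the expanded query."""
    return query.count("ip:")

if __name__ == "__main__":
    print(xlat(FIRST_ONLY, REQUEST))
    print(xlat(EVERY_ONE, REQUEST, separator=" "))
    # A hostile value cannot terminate the quoted literal:
    print(xlat("'%{Cisco-AVPair}'", [("Cisco-AVPair", "x'); DROP TABLE radacct; --")]))
```

One side effect of that allowed set is visible in the output: `=` is itself escaped, so `ip:source-ip=192.168.0.127` is stored as `ip:source-ip=3D192.168.0.127`. That is deliberate; if `=` were allowed through, an `=27` produced by the escaper could not be told apart from a literal `=27` sent by the NAS.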


Re: Freeradius+Postfresqk+MAC problem

2004-07-13 Thread Christoffer Dahl Petersen
Hi again

1. It doesn't seem to be case sensitive.
2. I have tried to turn on the debug option on the pgsql, and I can see that the query is accepted and the db is returning a result set (with the information requested).

I'm not sure that I understand how FreeRADIUS works with a db as backend, could you (or anyone else) confirm that I'm on the right track:
As you can see in my earlier mail I have commented out authorize_reply_query and authenticate_query, which only leaves the authorize_check_query; when this query is tried against the db, it should return a result set if the MAC is allowed to access my net.
So if result set != null, Access-Accept.

Is that right?

- Christoffer




On Tue, 2004-07-13 at 12:46, Gary McKinney wrote:

 
Hmmm,

Looks like most everything is correct - from what you have sent here...

A couple of things:

1. Is postgresql case sensitive ( I play with MySQL)??? If so check the case (caps or lower case) of the record field names to make sure the schema's match for the database and queries.

2. Check the debug logs for the database to see exactly what is being done on the database side!

From what I see here it looks like FreeRADIUS is doing its job properly...

As an aside note: When you had the users file setup and the Auth-Type := Accept you were basically telling Freeradius to accept any default caller unconditionally - that is what the Accept means {grin}...


gm...





Re: Injecting multiple routes into NAS

2004-07-13 Thread venom
Milver,
I'm trying to do this automatically by using RADIUS. The idea is:
if a user is connected with ADSL and his/her ADSL disconnects, the ISDN
would connect, and RADIUS would change their route by injecting the
route into whichever NAS they connected to at the time. This works fine
so far, but the problem arises if the user happens to have two subnets
and I need to pass routes for those two subnets to the NAS; for some
reason the first attribute is the one that gets injected into the
router and the second subnet is ignored.

Thanks in advance

Milver S. Nisay wrote:

Hi Guys,
We have remote users using ADSL to connect back to the head office
and that works fine. As each user connects, RADIUS passes the
route to the NAS and that is fine. My question is: if I wanted to pass
two routes for two subnets (i.e. ip:route 10.10.10.0 255.255.255.0
and ip:route 172.16.1.0 255.255.255.0), how would you do it?

Doing the routes statically can be done from the client side on either
Windows or Linux workstations.
//milver




rlm_unix error invalid password

2004-07-13 Thread bclark
I am having the problem of no user being able to pass the correct
password.  The below message and the thread it came from did solve the
problem, however I was wondering if there is another way to fix this
problem besides forcing radiusd to run as root.

Brian


From: Ivo Simicevic
Subject: Re: rlm_unix error invalid password
Date: Wed, 03 Sep 2003 06:47:44 -0700



Try commenting lines user= and group= in radiusd.conf and start
radiusd as root.

I had the same problem. Although the daemon's group was listed as being a
member of the shadow group it seems it wasn't working, i.e. it was unable
to read the /etc/shadow file.

Regards,

Ivo.




freeradius server on different subnet

2004-07-13 Thread Mirta Amalia
Hello...

I'd like to ask, can a RADIUS server be used on a
different segment than the network that needs to be
authenticated? For example, I would like to
authenticate the network with IPs 192.168.30.* and the
RADIUS server is located on IP 192.168.31.1. Could
that be possible?

thanx before.. :)
-Mirta-






Re: rlm_unix error invalid password

2004-07-13 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I am having the problem of no user being able to pass the correct
 password.  The below message and the thread it came from did solve the
 problem, however I was wondering if there is another way to fix this
 problem besides forcing radiusd to run as root.

  Make a shadow group, and do:

chgrp shadow /etc/shadow
chmod g+r /etc/shadow

  and have FreeRADIUS run as user radius, group shadow.

  Alan DeKok.



Re: freeradius server on different subnet

2004-07-13 Thread Alan DeKok
Mirta Amalia [EMAIL PROTECTED] wrote:
 I'd like to ask, can a RADIUS server be used on a
 different segment than the network that needs to be
 authenticated? For example, I would like to
 authenticate the network with IPs 192.168.30.* and the
 RADIUS server is located on IP 192.168.31.1. Could
 that be possible?

  Yes.  That's what routers are for.

  Alan DeKok.



Re: Fall-Through in acct_users

2004-07-13 Thread Alexander M. Pravking
On Tue, Jul 13, 2004 at 11:07:59AM -0400, Alan DeKok wrote:
 Andrey Lakhno [EMAIL PROTECTED] wrote:
  It does not work. Maybe I did something incorrectly?
  
  acct_users:
  
  DEFAULT NAS-IP-Address == x.x.x.x, Acct-Status-Type == Stop
  Exec-Program = /home/voip/aaa/acct_call_generic,
  Fall-Through = Yes
  
  DEFAULT NAS-IP-Address == x.x.x.x, Acct-Status-Type == Stop
  Exec-Program = /home/voip/aaa/test

At least you should have used += instead of =.


   What doesn't work is having two Exec-Program attributes.  The server
 supports only one.

But why? Was it just not implemented, or are there some other reasons?


-- 
Fduch M. Pravking



Re: AW: AW: Cisco-AVPair store in MySQL4/freeradius1.0.0

2004-07-13 Thread Alan DeKok
Matthias Wolf [EMAIL PROTECTED] wrote:
 OK, I downloaded the latest Version. But during the
 make process there was an error:
 gcc rlm_dbm_parser.o -o .libs/rlm_dbm_parser 
...
 ../../lib/.libs/libradius.so: undefined reference to
 `pthread_mutex_unlock'
 ../../lib/.libs/libradius.so: undefined reference to
 `pthread_mutex_lock'

  I don't see why.  If you have pthreads, it should be included in the
LIBS line with everything else.

  Just delete the rlm_dbm directory, and continue.

  Alan DeKok.



Can't seem to use configurable failover for an expired account

2004-07-13 Thread Roy, Daniel
Hi all,

This is a rather detailed question, since it relates to the source code of freeRADIUS, 
but I'm trolling to see if anyone has come across this or what a freeRADIUS expert 
might suggest as a solution.

Configurable failover is working for me in the authorize section.  Also, I've built an 
authenticate section in rlm_files so that now configurable failover is working in the 
authenticate section (for MS-CHAP in my case).  In both cases I'm proxying to another 
realm as the failover.

Now my problem: somewhere between authorize and MS-CHAP authenticate, I need to 
configure failover if an account is expired, since account expiration doesn't seem to 
be part of the authorize section.

Code details:
In src/main/auth.c:rad_authenticate, it loops over the registered and configured 
modules with an authorize section, then it checks to see if it needs to proxy, then it 
performs the authentication.  Authentication starts by checking the account expiration 
followed by checking the password, and so on.  Checking the password 
(rad_check_password) includes calling the appropriate module_authenticate.  So 
checking account expiration is stuck in a no man's land between authorization and 
authentication.  Is there a way for me to include expiration as a rejection of 
authentication in configurable failover, or do I need to hack the source code?

Around line 550 of src/main/auth.c in rad_authenticate:

	/*
	 *  Validate the user
	 */
	do {
		if ((result = check_expiration(request)) < 0)
			break;
	...

Around line 710 of src/main/auth.c in rad_authenticate:

	/*
	 *  Result should be >= 0 here - if not, we return.
	 */
	if (result < 0) {
		return RLM_MODULE_OK;
	}

Note: check_expiration returns -1 if the account has expired.

Thanks in advance,
Daniel



Re: Fall-Through in acct_users

2004-07-13 Thread Alan DeKok
Alexander M. Pravking [EMAIL PROTECTED] wrote:
   Exec-Program = /home/voip/aaa/test
 
 At least you should have used += instead of =.

  It won't make any difference.

What doesn't work is having two Exec-Program attributes.  The server
  supports only one.
 
 But why? Was it just not implemented or there are some other reasons?

  Historical reasons.  It's not implemented, and should probably be
removed from src/main/auth.c, and moved into a post-auth module.

  Alan DeKok.

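To show what the server actually does with the two DEFAULT entries in this thread, and with the two `cisco-avpair = ip:route ...` lines from the "Injecting multiple routes" thread earlier on this page, here is an added Python model of users-file evaluation (written for this page; it is not FreeRADIUS code). It implements the operator rules from users(5): a check item with `==` must match the request, `=`/`:=`/`+=` in the check list are config items, and in the reply list `=` adds the attribute only if it is not already present, `:=` replaces it and `+=` always adds; the first matching entry ends the search unless it carries `Fall-Through = Yes`. The NAS address, paths and user names are constructed stand-ins for the ones in the posts. It shows that both acct_users entries match, and that the second `Exec-Program = ...` and the second `cisco-avpair = ...` are dropped as duplicates of an attribute already in the reply, whereas `+=` keeps both. Whether the server then executes more than one Exec-Program is a separate limitation, which Alan addresses above.

```python
# Minimal model of FreeRADIUS users-file evaluation (example code for this page,
# not the rlm_files implementation). An item is (attribute, operator, value);
# attribute names compare case-insensitively, values compare as exact strings.

CONFIG_OPS = {"=", ":=", "+="}   # in a check list these set config items, not comparisons

def parse_item(text):
    attr, op, value = text.strip().split(None, 2)
    return attr, op, value.strip('"')

def parse_users(text):
    """Parse 'name check, check' head lines followed by indented reply lines;
    entries are separated by a blank line, as in the users file."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = [line.strip().rstrip(",") for line in block.strip().splitlines()]
        head, *reply_lines = lines
        name, _, checks = head.partition(" ")
        check_items = [parse_item(c) for c in checks.split(",") if c.strip()]
        reply_items = [parse_item(r) for r in reply_lines if r]
        entries.append((name, check_items, reply_items))
    return entries

def get_values(pairs, attr):
    return [v for a, v in pairs if a.lower() == attr.lower()]

def check_matches(check_items, request):
    for attr, op, value in check_items:
        if op in CONFIG_OPS:
            continue                              # e.g. Auth-Type := System
        have = get_values(request, attr)
        if op == "==" and value not in have:
            return False
        if op == "!=" and value in have:
            return False
    return True

def add_pair(pairs, item):
    """Merge one item into a pair list following the users(5) operator rules."""
    attr, op, value = item
    if op == "=" and get_values(pairs, attr):
        return                                    # already present: '=' does nothing
    if op == ":=":
        pairs[:] = [(a, v) for a, v in pairs if a.lower() != attr.lower()]
    pairs.append((attr, value))                   # '=' when absent, ':=' after replacing, '+=' always

def evaluate(entries, request):
    """Return (indices of entries that matched, config items, reply items)."""
    matched, config, reply = [], [], []
    username = (get_values(request, "User-Name") or [None])[0]
    for index, (name, check_items, reply_items) in enumerate(entries):
        if name != "DEFAULT" and name != username:
            continue
        if not check_matches(check_items, request):
            continue
        matched.append(index)
        for item in check_items:
            if item[1] in CONFIG_OPS:
                add_pair(config, item)
        fall_through = False
        for item in reply_items:
            if item[0].lower() == "fall-through":
                fall_through = item[2].lower() == "yes"
            else:
                add_pair(reply, item)
        if not fall_through:
            break                                 # first match wins unless Fall-Through
    return matched, config, reply

# Constructed stand-ins for the posts' entries (x.x.x.x became 10.0.0.1).
ACCT_USERS = """
DEFAULT NAS-IP-Address == 10.0.0.1, Acct-Status-Type == Stop
        Exec-Program = /home/voip/aaa/acct_call_generic,
        Fall-Through = Yes

DEFAULT NAS-IP-Address == 10.0.0.1, Acct-Status-Type == Stop
        Exec-Program = /home/voip/aaa/test
"""

ROUTES_USERS = """
milver  Auth-Type := System
        cisco-avpair = "ip:route 10.10.10.0 255.255.255.0",
        cisco-avpair = "ip:route 172.16.1.0 255.255.255.0"
"""

STOP_REQUEST = [("User-Name", "1234"), ("NAS-IP-Address", "10.0.0.1"), ("Acct-Status-Type", "Stop")]
MILVER_REQUEST = [("User-Name", "milver"), ("NAS-IP-Address", "10.0.0.1")]

if __name__ == "__main__":
    print(evaluate(parse_users(ACCT_USERS), STOP_REQUEST))
    print(evaluate(parse_users(ROUTES_USERS), MILVER_REQUEST))
    print(evaluate(parse_users(ROUTES_USERS.replace("cisco-avpair =", "cisco-avpair +=")), MILVER_REQUEST))
```

Run it with `radiusd -X` output beside it and the "matching both lines" that Alan refers to is the `[0, 1]` in the first result; the reply list is what the second `=` line never gets into.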


EAP-TTLS proxying

2004-07-13 Thread Tomasz Wolniewicz
I hope this is not a totally stupid question.
Suppose a user [EMAIL PROTECTED] wants to access the network at org-2 by
authenticating at org-1 via the proxy mechanism.
Suppose we want to use PAP-TTLS.
It would seem natural that the proxying is done on the basis of the outer
identity and the tunneled data is never revealed to the proxy server
at org-2. Unfortunately our tests seem to show that the server at org-2 needs
to get the user data, including the password.
Is it possible to configure things in a secure way? Of course, the
servers need to trust each other, but some trust is one thing and seeing
passwords in plain text is another. I realise that other forms of
authentication, which do not transmit passwords, will not have that problem.

Yours
Tomasz

-- 
Tomasz M. Wolniewicz
   [EMAIL PROTECTED]http://www.uni.torun.pl/~twoln

Uczelniane Centrum Informatyczne   InformationCommunication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun   pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850   tel kom.: +48-693-032-576



realm-based auth?

2004-07-13 Thread RH List Account
HI folks,

I run a DSL service in the traditional PPPoE manner via my local telco.  For
simplicity's sake, let's say anything @a.com comes to me, @b.com goes to the
competition, etc.

I have just got them to route @c.com to me as well for a different service.

I currently have ...

realm a.com {
type= radius
authhost= LOCAL
accthost= LOCAL
}

realm c.com {
type= radius
authhost= LOCAL
accthost= LOCAL
}

... working off the same password file.  I would like to differentiate
services based on the realm - ie

[EMAIL PROTECTED]   Auth-Type := System
cisco-avpair = ip:addr-pool=private


What's the best way to go about this?

Thanks

Rob




error message in log file

2004-07-13 Thread Shawn Simpson
I've searched through the archive and web but am having difficulty
determining what is causing this problem...

This is the entry made in the log when I try to test my radius server
using the radclient. 
Tue Jul 13 14:30:28 2004 : Error: WARNING: Malformed RADIUS packet from host 
172.24.4.31: too short (received 8 < minimum 20)

The response from my radclient command is:
Received response ID 23, code 3, length = 20

I believe a code 2 indicates success (rather than code 3) and I'm not
sure what the problem is.

-shawn





Re: error message in log file

2004-07-13 Thread Alan DeKok
Shawn Simpson [EMAIL PROTECTED] wrote:
 This is the entry made in the log when I try to test my radius server
 using the radclient. 
 Tue Jul 13 14:30:28 2004 : Error: WARNING: Malformed RADIUS packet from host 
 172.24.4.31: too short (received 8 < minimum 20)

  RADIUS packets have at least 20 bytes of a RADIUS header.  If a
packet is shorter than that, it is NOT a RADIUS packet, and the server
discards it.

  I have a hard time seeing how radclient will send the server a
packet which is too short, as it is very well tested.

 The response from my radclient command is:
 Received response ID 23, code 3, length = 20

  I doubt that.

  When the server prints the error message you quoted, it does NOT
respond to the request, as the packet was NOT a RADIUS request.

  Double-check what you're using to send the packet, what kind of
packet is sent, and what the server does when it receives the packet.

  Alan DeKok.


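The two checks Alan describes, the 20-byte minimum header and the fact that a reply is only trusted when it belongs to an outstanding request, are easy to see in a small packet model. The Python below is an added example for this page (not radclient or radiusd code): it builds an Access-Request, builds the Access-Reject (code 3) a server would send for it, and verifies the reply the way a well-behaved client must, by recomputing the Response Authenticator MD5(Code + ID + Length + RequestAuth + Attributes + Secret) from RFC 2865 and comparing it in constant time. The shared secret, identifier and user name are constructed; an 8-byte datagram is rejected with the same wording as the log line in the question.

```python
import hashlib
import hmac
import os
import struct

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16), RFC 2865 s.3
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME = 1  # attribute type

def parse_header(datagram):
    """Split a datagram into (code, identifier, length, authenticator, attribute bytes).
    Raises ValueError, worded like radiusd's log, when the datagram is not RADIUS."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("too short (received %d < minimum %d)" % (len(datagram), HEADER_LEN))
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < HEADER_LEN:
        raise ValueError("length field %d below minimum %d" % (length, HEADER_LEN))
    if length > len(datagram):
        raise ValueError("length field %d exceeds datagram size %d" % (length, len(datagram)))
    # Bytes beyond the Length field are padding and are ignored (RFC 2865 s.3).
    return code, ident, length, datagram[4:20], datagram[20:length]

def validate_datagram(datagram):
    """None if the datagram passes the header checks, else the reason it would be discarded."""
    try:
        parse_header(datagram)
    except ValueError as exc:
        return str(exc)
    return None

def encode_attrs(attrs):
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def build_request(ident, attrs, authenticator=None):
    """Access-Request: the Request Authenticator is 16 unpredictable bytes chosen by the client."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + authenticator + body

def build_response(code, ident, secret, request_authenticator, attrs=()):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    resp_auth = hashlib.md5(head + request_authenticator + body + secret).digest()
    return head + resp_auth + body

def verify_response(datagram, secret, request_authenticator, expected_ident):
    """Client side: (True, code name) if the reply is well formed, matches the outstanding
    request and carries a valid Response Authenticator; otherwise (False, reason)."""
    try:
        code, ident, length, resp_auth, body = parse_header(datagram)
    except ValueError as exc:
        return False, str(exc)
    if ident != expected_ident:
        return False, "identifier %d does not match outstanding request %d" % (ident, expected_ident)
    expected = hashlib.md5(datagram[:4] + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "bad Response Authenticator (wrong shared secret or forged reply)"
    return True, CODE_NAMES.get(code, "code %d" % code)

if __name__ == "__main__":
    secret = b"testing123"                     # constructed shared secret
    req = build_request(23, [(USER_NAME, b"shawn")])
    reply = build_response(ACCESS_REJECT, 23, secret, req[4:20])
    print(verify_response(reply, secret, req[4:20], 23))           # (True, 'Access-Reject')
    print(validate_datagram(b"\x01\x17\x00\x08\x00\x00\x00\x00"))  # too short (received 8 < minimum 20)
```

The point of `verify_response` is the part radclient does for you: a code 3 reply with a wrong Response Authenticator is not a reject from your server, it is noise (or a spoof) and should be reported as such rather than as "Access-Reject".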