RE: Cisco-AVPair store in MySQL4/freeradius1.0.0
Look at that:

| 5 | cit-10 | cisco-avpair | += | ip:addr-pool=pool-10 |
| 6 | cit-10 | cisco-avpair | += | ip:dns-servers*10.48.4.5 10.48.4.3 |

man 5 users

Attribute += Value
    Always matches as a check item, and adds the current attribute with value to the list of configuration items. As a reply item, it has an identical meaning, but the attribute is added to the reply items.

It means that if you want to return more than one attribute of the same type, you have to use += instead of = in the Op field.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthias Wolf
Sent: Monday, July 12, 2004 9:39 PM
To: [EMAIL PROTECTED]
Subject: AW: Cisco-AVPair store in MySQL4/freeradius1.0.0

Where and why: += instead of =.?

Thanks,
M. Wolf

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikhail Stepanov
Sent: Monday, 12 July 2004 16:23
To: [EMAIL PROTECTED]
Subject: RE: Cisco-AVPair store in MySQL4/freeradius1.0.0

Cisco-AVPair = ip:source-ip=192.168.0.127
Cisco-AVPair = ip:source-port=4051
Cisco-AVPair = ip:destination-ip=10.10.10.1
Cisco-AVPair = ip:destination-port=23
...
But FreeRadius;sql.conf .'%{Cisco-AVPair}', . still returns only the first instance of Cisco-AVPair. (ip:source-ip=192.168.0.127)

Usually I write += instead of =. Works fine.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, July 12, 2004 6:07 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco-AVPair store in MySQL4/freeradius1.0.0

Matthias Wolf [EMAIL PROTECTED] wrote:
had spent much time reading the FAQ but I'm still searching for the solution for Cisco-AVPair (PIX 525-Accounting) insert into MySQL database.
...
Cisco-AVPair = ip:source-ip=192.168.0.127
Cisco-AVPair = ip:source-port=4051
Cisco-AVPair = ip:destination-ip=10.10.10.1
Cisco-AVPair = ip:destination-port=23
...
But FreeRadius;sql.conf .'%{Cisco-AVPair}', . still returns only the first instance of Cisco-AVPair. (ip:source-ip=192.168.0.127)

That's the intended behavior. In the latest CVS snapshots, you can use:

%{Cisco-AVPair[0]} is the same as %{Cisco-AVPair}
%{Cisco-AVPair[1]} is the next one
%{Cisco-AVPair[2]} is the next one, etc.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
how to config eap-tls on FreeRadius chinese version
I made a PDF file to help configure EAP-TLS on FreeRADIUS; it is in Chinese.

Thanks, FreeRADIUS is great software, and thanks to Alan DeKok and all the people ;-)

My English is bad but I like Unix and networks :)

http://my.chinaunix.net/wanghao/network.html

--
http://my.chinaunix.net/wanghao/
http://www.chinaunix.net/
test
--
http://my.chinaunix.net/wanghao/
http://www.chinaunix.net/
AW: AW: Cisco-AVPair store in MySQL4/freeradius1.0.0
OK, I downloaded the latest version. But during the make process there was an error:

/usr/apps/freeradius-snapshot-20040712/libtool --mode=link gcc rlm_dbm_parser.o ../../lib/libradius.la -lcrypto -o rlm_dbm_parser
gcc rlm_dbm_parser.o -o .libs/rlm_dbm_parser ../../lib/.libs/libradius.so -lcrypt -lcipher -lcrypto -Wl,--rpath -Wl,/usr/local/freeradius/lib
../../lib/.libs/libradius.so: undefined reference to `pthread_mutex_unlock'
../../lib/.libs/libradius.so: undefined reference to `pthread_mutex_lock'
../../lib/.libs/libradius.so: undefined reference to `pthread_mutex_init'
gmake[5]: *** [rlm_dbm_parser] Error 1
gmake[5]: Leaving directory `/usr/apps/freeradius-snapshot-20040712/src/modules/rlm_dbm'
gmake[4]: *** [common] Error 1
gmake[4]: Leaving directory `/usr/apps/freeradius-snapshot-20040712/src/modules'
gmake[3]: *** [all] Error 2
gmake[3]: Leaving directory `/usr/apps/freeradius-snapshot-20040712/src/modules'
gmake[2]: *** [common] Error 1
gmake[2]: Leaving directory `/usr/apps/freeradius-snapshot-20040712/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/usr/apps/freeradius-snapshot-20040712/src'
gmake: *** [common] Error 1
*** Error code 2

Stop in /usr/apps/freeradius-snapshot-20040712.

Why?

Regards,
M. Wolf

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, 12 July 2004 20:34
To: [EMAIL PROTECTED]
Subject: Re: AW: Cisco-AVPair store in MySQL4/freeradius1.0.0

And where can I find the latest CVS snapshots?

On the FTP site. ftp://ftp.freeradius.org/pub/radius/

Alan DeKok.
Re: I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???
Thanks Paul. May I know reasons for preferring freeradius. Our current system is based on freeradius but we are planning to reengineer this to accommodate better features.

Amit Gupta

- Original Message -
From: Paul Hampson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 12, 2004 6:31 AM
Subject: Re: I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???

On Mon, Jul 12, 2004 at 04:59:46PM -0700, Amit Gupta wrote:
I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???

I recommend FreeRADIUS. Otherwise I'd be a GNUradius developer. :-)

--
Paul TBBle Hampson, on an alternate email client.

---
Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.718 / Virus Database: 474 - Release Date: 7/9/2004
AW: Cisco-AVPair store in MySQL4/freeradius1.0.0
| id | UserName | Attribute    | op | Value           |
| 1  | cis      | cisco-avpair | += | ip:source-ip=   |
| 2  | cis      | cisco-avpair | += | ip:source-port= |

Ok, so far everything right. But how to modify my sql-string? Like that, perhaps: ... , '%{cisco-avpair}') ...?

Regards,
M. Wolf

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikhail Stepanov
Sent: Tuesday, 13 July 2004 08:26
To: [EMAIL PROTECTED]
Subject: RE: Cisco-AVPair store in MySQL4/freeradius1.0.0

Look at that:

| 5 | cit-10 | cisco-avpair | += | ip:addr-pool=pool-10 |
| 6 | cit-10 | cisco-avpair | += | ip:dns-servers*10.48.4.5 10.48.4.3 |

man 5 users

Attribute += Value
    Always matches as a check item, and adds the current attribute with value to the list of configuration items. As a reply item, it has an identical meaning, but the attribute is added to the reply items.

It means that if you want to return more than one attribute of the same type, you have to use += instead of = in the Op field.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthias Wolf
Sent: Monday, July 12, 2004 9:39 PM
To: [EMAIL PROTECTED]
Subject: AW: Cisco-AVPair store in MySQL4/freeradius1.0.0

Where and why: += instead of =.?

Thanks,
M. Wolf

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikhail Stepanov
Sent: Monday, 12 July 2004 16:23
To: [EMAIL PROTECTED]
Subject: RE: Cisco-AVPair store in MySQL4/freeradius1.0.0

Cisco-AVPair = ip:source-ip=192.168.0.127
Cisco-AVPair = ip:source-port=4051
Cisco-AVPair = ip:destination-ip=10.10.10.1
Cisco-AVPair = ip:destination-port=23
...
But FreeRadius;sql.conf .'%{Cisco-AVPair}', . still returns only the first instance of Cisco-AVPair. (ip:source-ip=192.168.0.127)

Usually I write += instead of =. Works fine.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, July 12, 2004 6:07 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco-AVPair store in MySQL4/freeradius1.0.0

Matthias Wolf [EMAIL PROTECTED] wrote:
had spent much time reading the FAQ but I'm still searching for the solution for Cisco-AVPair (PIX 525-Accounting) insert into MySQL database.
...
Cisco-AVPair = ip:source-ip=192.168.0.127
Cisco-AVPair = ip:source-port=4051
Cisco-AVPair = ip:destination-ip=10.10.10.1
Cisco-AVPair = ip:destination-port=23
...
But FreeRadius;sql.conf .'%{Cisco-AVPair}', . still returns only the first instance of Cisco-AVPair. (ip:source-ip=192.168.0.127)

That's the intended behavior. In the latest CVS snapshots, you can use:

%{Cisco-AVPair[0]} is the same as %{Cisco-AVPair}
%{Cisco-AVPair[1]} is the next one
%{Cisco-AVPair[2]} is the next one, etc.

Alan DeKok.
Re: I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???
On Tue, Jul 13, 2004 at 12:44:04PM -0700, Amit Gupta wrote:
May I know reasons for preferring freeradius. Our current system is based on freeradius but we are planning to reengineer this to accommodate better features.

I find it easy to use, good about following standards, with a wide base of developers, and it's packaged for Debian.

It has multi-platform support, and supports EAP like nothing else. It also is seeing strong support from VoIP people, and that's something I will be heading into.

Its support for SQL is very easy to use, and with only one issue involving groups (in the FreeRADIUS bug database) it gives all the power of the files, but with the flexibility of an SQL database.

It has an unimpeachable release policy, suitable for production server environments.

The source is well structured, ensuring any problems can be quickly identified and rectified. Also features can be added with a minimum of fuss, although I think my plans for IPv6 work may prove a little intrusive initially. :-)

It also helps that it's the anointed successor to Cistron RADIUSd, which _everyone_ knows and feels strongly about. :-)

Also, the people on this mailing list _know_ their stuff, and the web is peppered with HOWTOs, usually involving FreeRADIUS as the RADIUS server.

--
Paul TBBle Hampson, on an alternate email client.
Re: FreeRADIUS versus GNU radius
Amit Gupta wrote:
Thanks Alan. May I know why FreeRADIUS is your *only* choice for wireless.

freeradius is free :)

Amit Gupta

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 12, 2004 7:12 AM
Subject: FreeRADIUS versus GNU radius

Amit Gupta [EMAIL PROTECTED] wrote:
I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???

What do you intend to use it for?

If you're doing wireless, FreeRADIUS is your *only* choice. If you need to get configuration from an LDAP database, FreeRADIUS is your *only* choice. If you want to get configuration from Oracle, FreeRADIUS is your *only* choice.

FreeRADIUS is also faster than GNU Radius, for a whole host of reasons.

The one benefit that GNU radius has is its rewrite language. It's neat.

Oh, and there are usually more postings on this list in a day, than on the GNU radius list in a month. The user base of FreeRADIUS is *much* larger.

Alan DeKok.

--
http://my.chinaunix.net/wanghao/
http://www.chinaunix.net/
Re: FreeRADIUS versus GNU radius
Amit Gupta wrote:
Thanks Alan. May I know why FreeRADIUS is your *only* choice for wireless.

FreeRADIUS is free :-)

Amit Gupta

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 12, 2004 7:12 AM
Subject: FreeRADIUS versus GNU radius

Amit Gupta [EMAIL PROTECTED] wrote:
I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???

What do you intend to use it for?

If you're doing wireless, FreeRADIUS is your *only* choice. If you need to get configuration from an LDAP database, FreeRADIUS is your *only* choice. If you want to get configuration from Oracle, FreeRADIUS is your *only* choice.

FreeRADIUS is also faster than GNU Radius, for a whole host of reasons.

The one benefit that GNU radius has is its rewrite language. It's neat.

Oh, and there are usually more postings on this list in a day, than on the GNU radius list in a month. The user base of FreeRADIUS is *much* larger.

Alan DeKok.

--
http://my.chinaunix.net/wanghao/
http://www.chinaunix.net/
Re: I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???
Thanks Paul. Can you compare GNURadius with freeradius on feature by feature for me.

Amit Gupta

- Original Message -
From: Paul Hampson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 13, 2004 12:37 AM
Subject: Re: I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???

On Tue, Jul 13, 2004 at 12:44:04PM -0700, Amit Gupta wrote:
May I know reasons for preferring freeradius. Our current system is based on freeradius but we are planning to reengineer this to accommodate better features.

I find it easy to use, good about following standards, with a wide base of developers, and it's packaged for Debian.

It has multi-platform support, and supports EAP like nothing else. It also is seeing strong support from VoIP people, and that's something I will be heading into.

Its support for SQL is very easy to use, and with only one issue involving groups (in the FreeRADIUS bug database) it gives all the power of the files, but with the flexibility of an SQL database.

It has an unimpeachable release policy, suitable for production server environments.

The source is well structured, ensuring any problems can be quickly identified and rectified. Also features can be added with a minimum of fuss, although I think my plans for IPv6 work may prove a little intrusive initially. :-)

It also helps that it's the anointed successor to Cistron RADIUSd, which _everyone_ knows and feels strongly about. :-)

Also, the people on this mailing list _know_ their stuff, and the web is peppered with HOWTOs, usually involving FreeRADIUS as the RADIUS server.

--
Paul TBBle Hampson, on an alternate email client.
I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???
Thanks Everybody for your response. Can you compare GNURadius with freeradius on feature by feature for me.

Amit Gupta
Re: I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???
- Original Message -
From: Amit Gupta [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 13, 2004 10:25 PM
Subject: I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???

Thanks Everybody for your response. Can you compare GNURadius with freeradius on feature by feature for me.

I don't think anyone will do that Amit :) Just install and configure them both for your purpose and see what the results are.

Amit Gupta
Freeradius+Postfresqk+MAC problem
Hi!

As I wrote earlier in this list, I'm trying to get Freeradius to authenticate my clients based on their NIC's MAC. This works great as long as I use the "users" file:

DEFAULT Calling-Station-Id == "CLIENT NIC", Auth-Type := Accept
    Filter-ID="profile="">

Now I'm trying to use a Postgresql as backend, but it won't work.

Here is my radiusd.conf (the entire conf file is in the bottom of the mail):

$INCLUDE ${confdir}/postgresql.conf

authorize {
    preprocess
    sql
}

Here is my postgresql.conf:

sql {
    driver = "rlm_sql_postgresql"
    server = "localhost"
    login = "radius"
    password = "123456"
    radius_db = "radius"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    authcheck_table = "radcheck"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "usergroup"
    deletestalesessions = yes
    sqltrace = yes
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 5
    sql_user_name = "%{User-Name}"
    SQL_User_Name = "%{User-Name}"
    authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \
        FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' ORDER BY id"
#   authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \
#       FROM ${authreply_table} WHERE username = '%{SQL-User-Name}' ORDER BY id"
#   authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} \
#       WHERE UserName = '%{User-Name}' AND \
#       ( Attribute = 'User-Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC"
}

Here is a dump of my database:

[EMAIL PROTECTED] 172.16.0.10]# psql -U radius
radius= select * from radcheck;
 id | username          | attribute     | op | value
----+-------------------+---------------+----+--------
  1 | 00-04-23-4d-c4-3d | User-Password | == | 123456
  2 | 00-20-e0-8d-05-94 | User-Password | == | 123456
(2 rows)

And here is what my log says:

Jul 12 14:39:02 linux radiusd: ^IUser-Name = "00-20-e0-8d-05-94"
Jul 12 14:39:02 linux radiusd: ^IUser-Password = "123456"
Jul 12 14:39:02 linux radiusd: ^INAS-IP-Address = 172.16.0.10
Jul 12 14:39:02 linux radiusd: ^INAS-Port = 0
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): Reserving sql socket id: 3
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE username = '00-20-e0-8d-05-94' ORDER BY id
Jul 12 14:39:02 linux postgres[19980]: [5-1] LOG: 0: duration: 5.637 ms
Jul 12 14:39:02 linux postgres[19980]: [5-2] LOCATION: exec_simple_query, postgres.c:960
Jul 12 14:39:02 linux postgres[19980]: [6-1] LOG: 0: duration: 5.637 ms statement: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE username =
Jul 12 14:39:02 linux postgres[19980]: [6-2] '00-20-e0-8d-05-94' ORDER BY id
Jul 12 14:39:02 linux postgres[19980]: [6-3] LOCATION: exec_simple_query, postgres.c:974
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: affected rows =
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): No matching entry in the database for request from user [00-20-e0-8d-05-94]
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): Released sql socket id: 3
Jul 12 14:39:02 linux radiusd: Login incorrect: [00-20-e0-8d-05-94/123456] (from client testap1 port 0)
Jul 12 14:39:05 linux radiusd: rad_recv: Access-Request packet from host 172.16.0.10:6001, id=63, length=69
Jul 12 14:39:05 linux radiusd: Sending Access-Reject of id 63 to 172.16.0.10:6001

I really don't know what I'm doing wrong - Could anyone give me a hint? If you need to see any other configuration files please let me know.

Thanks
Christoffer

My entire radiusd.conf:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = yes
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        shadow = /etc/shadow
        radwtmp = ${logdir}/radwtmp
    }
    eap {
        default_eap_type = md5
        timer_expire = 60
        md5 {
        }
        leap {
        }
    }
    mschap {
What Protocol does freeradius rely on?
Hello,

As far as I know, the RADIUS protocol described by RFC28XX is less powerful than the radius+ protocol, which was extended by some device producer. The difference is that radius+ supports Server Control and dynamic user service quality adjustment.

Does FreeRADIUS support radius+? Or can I modify FreeRADIUS to fit the NAS?

Regards
Yyc
RE: Cisco-AVPair store in MySQL4/freeradius1.0.0
Ok, so far everything right. But how to modify my sql-string? Like that, perhaps: ... , '%{cisco-avpair}') ...?

I can't understand what you want to do. You needn't modify any SQL queries in freeradius. It returns all AV-pairs automatically.

Mikhail Stepanov.
AW: Cisco-AVPair store in MySQL4/freeradius1.0.0
Listen. I want to write the Cisco-AVPair into the radacct MySQL table. Every time, my sql-string , '%{cisco-avpair}') in the sql.conf returns only the IP address and not the other stuff like ports and so on.

Here is my modified SQL string:

accounting_update_query_alt = INSERT into ${acct_table1} \
    (AcctSessionId,AcctUniqueId,UserName, \
    Realm, NASIPAddress, NASPortId, NASPortType, \
    AcctStartTime, AcctSessionTime, AcctAuthentic, \
    ConnectInfo_start, AcctInputOctets, AcctOutputOctets, \
    CalledStationId, CallingStationId, ServiceType, FramedProtocol, \
    FramedIPAddress, AcctStartDelay, CISCO, CISCO2) \
    values('%{Acct-Session-Id}', \
    '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', \
    '%{NAS-Port}', '%{NAS-Port-Type}', \
    DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), \
    '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', \
    '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', \
    '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', \
    '%{Cisco-AVPair}', '%{Cisco-AVPair}')

# Cisco-AVPair always returns ip:source-ip=10.10.10.23

Thanks,
M. Wolf

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikhail Stepanov
Sent: Tuesday, 13 July 2004 10:59
To: [EMAIL PROTECTED]
Subject: RE: Cisco-AVPair store in MySQL4/freeradius1.0.0

Ok, so far everything right. But how to modify my sql-string? Like that, perhaps: ... , '%{cisco-avpair}') ...?

I can't understand what you want to do. You needn't modify any SQL queries in freeradius. It returns all AV-pairs automatically.

Mikhail Stepanov.
How to give attributes to PAM
Hello,

My question may be a little simple, but I've been searching for it and found nothing. Here is my problem: I'd like to use a PAM module to check several pieces of information in a specified OID (object) of an LDAP database, and this OID would be in an attribute given with an ACCESS-REQUEST. So, is it possible? And how is it possible to give more arguments than a login and a password to a PAM module?

Thanks for your help,
Jeff
Re: Freeradius+Postfresqk+MAC problem
Hmmm,

Looks like most everything is correct - from what you have sent here...

A couple of things:

1. Is postgresql case sensitive (I play with MySQL)??? If so check the case (caps or lower case) of the record field names to make sure the schemas match for the database and queries.
2. Check the debug logs for the database to see exactly what is being done on the database side!

From what I see here it looks like the Freeradius is doing its job properly...

As an aside note: When you had the users file setup and the Auth-Type := Accept you were basically telling Freeradius to "accept" any default caller unconditionally - that is what the "Accept" means {grin}...

gm...

- Original Message -
From: Christoffer Dahl Petersen
To: [EMAIL PROTECTED]
Sent: Tuesday, July 13, 2004 4:40 AM
Subject: Freeradius+Postfresqk+MAC problem

Hi!

As I wrote earlier in this list, I'm trying to get Freeradius to authenticate my clients based on their NIC's MAC. This works great as long as I use the "users" file:

DEFAULT Calling-Station-Id == "CLIENT NIC", Auth-Type := Accept
    Filter-ID="profile="">

Now I'm trying to use a Postgresql as backend, but it won't work.

Here is my radiusd.conf (the entire conf file is in the bottom of the mail):

$INCLUDE ${confdir}/postgresql.conf

authorize {
    preprocess
    sql
}

Here is my postgresql.conf:

sql {
    driver = "rlm_sql_postgresql"
    server = "localhost"
    login = "radius"
    password = "123456"
    radius_db = "radius"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    authcheck_table = "radcheck"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "usergroup"
    deletestalesessions = yes
    sqltrace = yes
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 5
    sql_user_name = "%{User-Name}"
    SQL_User_Name = "%{User-Name}"
    authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \
        FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' ORDER BY id"
#   authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \
#       FROM ${authreply_table} WHERE username = '%{SQL-User-Name}' ORDER BY id"
#   authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} \
#       WHERE UserName = '%{User-Name}' AND \
#       ( Attribute = 'User-Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC"
}

Here is a dump of my database:

[EMAIL PROTECTED] 172.16.0.10]# psql -U radius
radius= select * from radcheck;
 id | username          | attribute     | op | value
----+-------------------+---------------+----+--------
  1 | 00-04-23-4d-c4-3d | User-Password | == | 123456
  2 | 00-20-e0-8d-05-94 | User-Password | == | 123456
(2 rows)

And here is what my log says:

Jul 12 14:39:02 linux radiusd: ^IUser-Name = "00-20-e0-8d-05-94"
Jul 12 14:39:02 linux radiusd: ^IUser-Password = "123456"
Jul 12 14:39:02 linux radiusd: ^INAS-IP-Address = 172.16.0.10
Jul 12 14:39:02 linux radiusd: ^INAS-Port = 0
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): Reserving sql socket id: 3
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE username = '00-20-e0-8d-05-94' ORDER BY id
Jul 12 14:39:02 linux postgres[19980]: [5-1] LOG: 0: duration: 5.637 ms
Jul 12 14:39:02 linux postgres[19980]: [5-2] LOCATION: exec_simple_query, postgres.c:960
Jul 12 14:39:02 linux postgres[19980]: [6-1] LOG: 0: duration: 5.637 ms statement: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE username =
Jul 12 14:39:02 linux postgres[19980]: [6-2] '00-20-e0-8d-05-94' ORDER BY id
Jul 12 14:39:02 linux postgres[19980]: [6-3] LOCATION: exec_simple_query, postgres.c:974
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: affected rows =
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): No matching entry in the database for request from user [00-20-e0-8d-05-94]
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): Released sql socket id: 3
Jul 12 14:39:02 linux radiusd: Login incorrect: [00-20-e0-8d-05-94/123456] (from client testap1 port 0)
Jul 12 14:39:05 linux radiusd: rad_recv: Access-Request packet from host 172.16.0.10:6001, id=63, length=69
Jul 12 14:39:05 linux radiusd: Sending Access-Reject of id 63 to 172.16.0.10:6001

I really don't know what I'm doing wrong - Could anyone give me a hint? If you need to see any other configuration files please let me know.

Thanks
Christoffer

My entire radiusd.conf:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile =
wireless authentication
Hi,

I'm new to RADIUS. I've installed freeradius on my redhat-linux server in order to authenticate my wireless clients. I have a ZyXEL 650HW ADSL router which is also a wireless access point. This device has a radius server configuration. I want to authenticate my wireless clients across the radius server, but I'm new to radius servers. How can I find some help on the internet? Are there applications like this?

Teber zceyhan
Fall-Through in acct_users
Hello,

Is it possible to use Fall-Through in acct_users like in users file ?

--
Andrey Lakhno, land-ripe
Re: FreeRADIUS versus GNU radius
Amit Gupta [EMAIL PROTECTED] wrote:
May I know why FreeRADIUS is your *only* choice for wireless.

Because no other open source server supports wireless.

Alan DeKok.
Re: I have to make choice between GNUradius and freeradius. My requirements are generally those of ISP. Which one will you recommend to me???
Amit Gupta [EMAIL PROTECTED] wrote:
Thanks Everybody for your response. Can you compare GNURadius with freeradius on feature by feature for me.

No. If you do such a comparison, please post it here, so others won't have to re-do the work.

Alan DeKok.
Re: What Protocol does freeradius rely on?
Yyc [EMAIL PROTECTED] wrote:
> So far as I know, radius protocol which described by RFC28XX is less powerful than radius+ protocol which was extended by some device producer.

RADIUS+ is also non-standard.

> The difference is that radius+ support Server Control and dynamic user service quality adjust.

See RFC 3576. The server doesn't support sending RADIUS packets to a NAS, as that's not the job of the server. Radclient does have support for some of those packets, though.

Alan DeKok.
Re: How to give attributes to PAM
jeff x [EMAIL PROTECTED] wrote:
> I'd like to use a PAM module to check several informations in a specified OID(object) of an LDAP database, and this OID would be in an attribute given with an ACCESS-REQUEST. So, is it possible?

Not really. I suggest asking on a PAM list.

Alan DeKok.
Re: Fall-Through in acct_users
Andrey Lakhno [EMAIL PROTECTED] wrote:
> Is it possible to use Fall-Through in acct_users like in users file?

Try it and see.

Alan DeKok.
Re: Fall-Through in acct_users
Hello,

On Tue, 13 Jul 2004, Alan DeKok wrote:
> > Is it possible to use Fall-Through in acct_users like in users file?
>
> Try it and see.

It does not work. Maybe I have done something incorrectly?

acct_users:

DEFAULT NAS-IP-Address == x.x.x.x, Acct-Status-Type == Stop
    Exec-Program = /home/voip/aaa/acct_call_generic,
    Fall-Through = Yes

DEFAULT NAS-IP-Address == x.x.x.x, Acct-Status-Type == Stop
    Exec-Program = /home/voip/aaa/test

--
Andrey Lakhno, land-ripe
Re: Fall-Through in acct_users
Andrey Lakhno [EMAIL PROTECTED] wrote:
> It does not work. Maybe I have done something incorrectly?
>
> acct_users:
>
> DEFAULT NAS-IP-Address == x.x.x.x, Acct-Status-Type == Stop
>     Exec-Program = /home/voip/aaa/acct_call_generic,
>     Fall-Through = Yes
>
> DEFAULT NAS-IP-Address == x.x.x.x, Acct-Status-Type == Stop
>     Exec-Program = /home/voip/aaa/test

Fall-Through works. See the debugging output, where it will show you that it's matching *both* of the above lines.

What doesn't work is having two Exec-Program attributes. The server supports only one. If you need to run two scripts, I suggest creating one script which will run both of them.

Alan DeKok.
freeRADIUS patch for EAP-TLS n-tier server/aaa certificate chain support
Hi:

Currently the freeRADIUS server (including R1.0.0 pre-3) doesn't support sending server certificate chains during the SERVER-HELLO handshake to the EAP-TLS client/supplicant. This patch allows freeRADIUS to have certificate chain of depth greater than 2 in the server/aaa certificate.

This patch is built on the OpenSSL SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file) API call and if the server certificate is passed as a certificate chain in PEM format by concatenating the server certificate, server sub-CA certificate, .., server root certificate then OpenSSL builds the certificate chain and sends the complete chain as the server certificate. For more info on how users could use freeRADIUS with n-tier server certificate chains please refer to OpenSSL documentation on SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file) command.

The following enhancement only applies to PEM files that have certificate chains as part of the server certificates. For all other certificate types there will be no change, also if the AAA server certificate doesn't have n-tier certificate chain (it only uses a server root and server certificate hierarchy) then they would also work just as previously.

We've used and tested this patch and it works fine. If you need more details on this please contact me.

Thanks.

Regards,
Mohammed.

Mohammed H. Petiwala
Senior Staff Engineer
Motorola Inc.

@@ --- rlm_eap_tls.c.orig 2004-06-29 13:11:15.0 -0500 +++ rlm_eap_tls.c 2004-06-29 13:17:09.0 -0500 @@ -147,15 +147,6 @@ type = SSL_FILETYPE_ASN1; } - /* Load the CAs we trust */ - if (!(SSL_CTX_load_verify_locations(ctx, conf-ca_file, conf-ca_path)) || - (!SSL_CTX_set_default_verify_paths(ctx))) { - ERR_print_errors_fp(stderr); - radlog(L_ERR, rlm_eap_tls: Error reading Trusted root CA list); - return NULL; - } - SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf-ca_file)); - /* * Set the password to load private key */
@@ -165,10 +156,22 @@ } /* Load our keys and certificates*/ - if (!(SSL_CTX_use_certificate_file(ctx, conf-certificate_file, type))) { - ERR_print_errors_fp(stderr); - radlog(L_ERR, rlm_eap_tls: Error reading certificate file); - return NULL; + /* if certificates are of type PEM then we can make use of cert chain */ + /* authentication using openssl api call SSL_CTX_use_certificate_chain_file */ + /* Please see how the cert chain needs to be given in PEM from openSSL.org */ + if(type == SSL_FILETYPE_PEM) { + if (!(SSL_CTX_use_certificate_chain_file(ctx, conf-certificate_file))) { + ERR_print_errors_fp(stderr); + radlog(L_ERR, rlm_eap_tls: Error reading certificate file); + return NULL; + } + } + else { + if (!(SSL_CTX_use_certificate_file(ctx, conf-certificate_file, type))) { + ERR_print_errors_fp(stderr); + radlog(L_ERR, rlm_eap_tls: Error reading certificate file); + return NULL; + } } if (!(SSL_CTX_use_PrivateKey_file(ctx, conf-private_key_file, type))) { @@ -185,6 +188,15 @@ return NULL; } + /* Load the CAs we trust */ + if (!(SSL_CTX_load_verify_locations(ctx, conf-ca_file, conf-ca_path)) || + (!SSL_CTX_set_default_verify_paths(ctx))) { + ERR_print_errors_fp(stderr); + radlog(L_ERR, rlm_eap_tls: Error reading Trusted root CA list); + return NULL; + } + SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf-ca_file)); + /* * Set ctx_options */
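Review bot: In the @@ -165,10 +156,22 hunk the new PEM branch and the else branch both log the same string, rlm_eap_tls: Error reading certificate file, so a failed chain load cannot be told apart from a failed single-certificate load in the log; give the SSL_CTX_use_certificate_chain_file branch its own message. The three one-line comments above if(type == SSL_FILETYPE_PEM) should be one block comment in the style of the surrounding code, and instead of pointing at openSSL.org they should state the file layout the call expects (server certificate first, then each intermediate CA, root last), ideally repeated next to the certificate_file setting. ASN1 files still go through SSL_CTX_use_certificate_file and cannot carry a chain, which is worth saying in the same comment.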
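Review bot: The @@ -147,15 +147,6 and @@ -185,6 +188,15 hunks move the Load the CAs we trust block from before the private key password setup to after the key checks, but neither the description nor a comment says why the order has to change; please add one sentence of rationale so the move is not undone later. Since the block is being touched anyway, the result of SSL_load_client_CA_file is still handed to SSL_CTX_set_client_CA_list unchecked; store it, test for NULL and log before returning. It is also worth confirming that SSL_CTX_set_default_verify_paths is wanted in that condition, because it adds OpenSSL's default CA locations to the trust store alongside ca_file and ca_path, which is broader than the Trusted root CA list the error message refers to.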
Re: AW: Cisco-AVPair store in MySQL4/freeradius1.0.0
Matthias Wolf [EMAIL PROTECTED] wrote:
> Escuche. I want to write the Cisco-AVPair into the radacct.MySQL.Table. Every time my sql-string , '%{cisco-avpair}') in the sql.conf, returns only the ip address and not the other stuff like ports and so on.

It returns the *first* Cisco-AVPair attribute.

The CVS snapshot from tomorrow will allow %{Cisco-AVPair[*]}. See doc/variables.txt for more details.

Alan DeKok.
Re: Freeradius+Postfresqk+MAC problem
Hi again

1. It doesn't seem to be case-sensitive.
2. I have tried to turn on the debug option on the pgsql, and I can see that the query is accepted and the db is returning a result set (with the information requested).

I'm not sure that I understand how the Freeradius works with a db as backend, could you (or anyone else) confirm that I'm on the right track:

As you can see in my earlier mail I have commented out authorize_reply_query and authenticate_query, which only leaves the authorize_check_query. When this query is tried against the db, it should return a result set, if the MAC is allowed to access my net. So if result set != null: Access-Accept. Is that right?

- Christoffer

Tue, 2004-07-13 at 12:46, Gary McKinney wrote:
> Hmmm,
>
> Looks like most everything is correct - from what you have sent here... A couple of things:
>
> 1. Is postgresql case sensitive ( I play with MySQL)??? If so check the case (caps or lower case) of the record field names to make sure the schemas match for the database and queries.
> 2. Check the debug logs for the database to see exactly what is being done on the database side!
>
> From what I see here it looks like the Freeradius is doing its job properly...
>
> As an aside note: When you had the users file setup and the Auth-Type := Accept you were basically telling Freeradius to accept any default caller unconditionally - that is what the Accept means {grin}...
>
> gm...
Re: Injecting multiple routes into NAS
Milver,

I'm trying to do this automatically by using the radius. The idea is if user is connected with ADSL and his/her ADSL disconnects the ISDN would connect, and the radius would change their route by injecting the route into whichever NAS they connected to at the time. This works fine so far, but the problem arises if the user happens to have two subnets and I need to pass route for those two subnets to the NAS; for some reason the first attribute is the one that gets injected into the router and the second subnet is ignored.

Thanks in advance

Milver S. Nisay wrote:
> > Hi Guys,
> >
> > We have remote users using ADSL to connect back to the head office and that works fine. As each user connects the radius passes the route to the NAS and that is fine. My question is if I wanted to pass two routes for two subnets (i.e ip:route 10.10.10.0 255.255.255.0 and ip:route 172.16.1.0 255.255.255.0) how would you do it?
>
> doing the routes statically can be done from the client side either windows/linux workstations.
>
> //milver
rlm_unix error invalid password
I am having the problem of no user being able to pass the correct password. The below message and the thread it came from did solve the problem, however I was wondering if there is another way to fix this problem besides forcing radiusd to run as root.

Brian

From: Ivo Simicevic
Subject: Re: rlm_unix error invalid password
Date: Wed, 03 Sep 2003 06:47:44 -0700

> Try commenting lines user= and group= in radiusd.conf and start radiusd as root. I had the same problem. Although daemon's group was listed as being member of shadow group it seems it wasn't working i.e. it was unable to read /etc/shadow file.
>
> Regards, Ivo.
freeradius server on different subnet
Hello...

I'd like to ask, can Radius server be used on a different segment as the network that needs to be authenticated?? For example, I would like to authenticate the network with IPs 192.168.30.* and the Radius server is located on IP 192.168.31.1. Could that be possible?

thanx before.. :)

-Mirta-
Re: rlm_unix error invalid password
[EMAIL PROTECTED] wrote:
> I am having the problem of no user being able to pass the correct password. The below message and the thread it came from did solve the problem, however I was wondering if there is another way to fix this problem besides forcing radiusd to run as root.

Make a shadow group, and do:

    chgrp shadow /etc/shadow
    chmod g+r /etc/shadow

and have FreeRADIUS run as user radius, group shadow.

Alan DeKok.
Re: freeradius server on different subnet
Mirta Amalia [EMAIL PROTECTED] wrote:
> I'd like to ask, can Radius server be used on a different segment as the network that needs to be authenticated?? For example, I would like to authenticate the network with IPs 192.168.30.* and the Radius server is located on IP 192.168.31.1. Could that be possible?

Yes. That's what routers are for.

Alan DeKok.
Re: Fall-Through in acct_users
On Tue, Jul 13, 2004 at 11:07:59AM -0400, Alan DeKok wrote:
> Andrey Lakhno [EMAIL PROTECTED] wrote:
> > It does not work. Maybe I have done something incorrectly?
> >
> > acct_users:
> >
> > DEFAULT NAS-IP-Address == x.x.x.x, Acct-Status-Type == Stop
> >     Exec-Program = /home/voip/aaa/acct_call_generic,
> >     Fall-Through = Yes
> >
> > DEFAULT NAS-IP-Address == x.x.x.x, Acct-Status-Type == Stop
> >     Exec-Program = /home/voip/aaa/test

At least you should have used += instead of =.

> What doesn't work is having two Exec-Program attributes. The server supports only one.

But why? Was it just not implemented or there are some other reasons?

--
Fduch M. Pravking
Re: AW: AW: Cisco-AVPair store in MySQL4/freeradius1.0.0
Matthias Wolf [EMAIL PROTECTED] wrote:
> OK, I downloaded the latest Version. But during the make process there was an error:
>
> gcc rlm_dbm_parser.o -o .libs/rlm_dbm_parser
> ...
> ../../lib/.libs/libradius.so: undefined reference to `pthread_mutex_unlock'
> ../../lib/.libs/libradius.so: undefined reference to `pthread_mutex_lock'

I don't see why. If you have pthreads, it should be included in the LIBS line with everything else.

Just delete the rlm_dbm directory, and continue.

Alan DeKok.
Can't seem to use configurable failover for an expired account
Hi all,

This is a rather detailed question, since it relates to the source code of freeRADIUS, but I'm trolling to see if anyone has come across this or what a freeRADIUS expert might suggest as a solution.

Configurable failover is working for me in the authorize section. Also, I've built an authenticate section in rlm_files so that now configurable failover is working in the authenticate section (for MS-CHAP in my case). In both cases I'm proxying to another realm as the failover.

Now my problem: Somewhere between authorize and MS-CHAP authenticate, I need to configure failover if an account is expired, since account expiration doesn't seem to be part of the authorize section.

Code details: In src/main/auth.c:rad_authenticate, it loops over the registered and configured modules with an authorize section, then it checks to see if it needs to proxy, then it performs the authentication. Authentication starts by checking the account expiration followed by checking the password, and so on. Checking the password (rad_check_password) includes calling the appropriate module_authenticate. So checking account expiration is stuck in a no man's land between authorization and authentication.

Is there a way for me to include expiration as a rejection of authentication in configurable failover or do I need to hack the source code?

Around line 550 of src/main/auth.c in rad_authenticate:

    /*
     * Validate the user
     */
    do {
        if ((result = check_expiration(request)) < 0)
            break;
        ...

Around line 710 of src/main/auth.c in rad_authenticate:

    /*
     * Result should be >= 0 here - if not, we return.
     */
    if (result < 0) {
        return RLM_MODULE_OK;
    }

Note: check_expiration returns -1 if the account has expired.

Thanks in advance,
Daniel
Re: Fall-Through in acct_users
Alexander M. Pravking [EMAIL PROTECTED] wrote:
> > Exec-Program = /home/voip/aaa/test
>
> At least you should have used += instead of =.

It won't make any difference.

> > What doesn't work is having two Exec-Program attributes. The server supports only one.
>
> But why? Was it just not implemented or there are some other reasons?

Historical reasons. It's not implemented, and should probably be removed from src/main/auth.c, and moved into a post-auth module.

Alan DeKok.
EAP-TTLS proxying
I hope this is not a totally stupid question.

Suppose a user [EMAIL PROTECTED] wants to access the network at org-2 by authenticating at org-1 via the proxy mechanism. Suppose we want to use PAP-TTLS. It would seem natural that the proxying is done on the basis of the outer identity and the tunneled data is never revealed to the proxy server at org-2. Unfortunately our tests seem to show that the server at org-2 needs to get the user data, including the password. Is it possible to configure things in the secure way? Of course, the servers need to trust each other, but some trust is one thing and seeing passwords in plain text is another.

I realise that other forms of authentication, which do not transmit passwords will not have that problem.

Yours
Tomasz

--
Tomasz M. Wolniewicz [EMAIL PROTECTED] http://www.uni.torun.pl/~twoln
Uczelniane Centrum Informatyczne InformationCommunication Technology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University, pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
realm-based auth?
Hi folks,

I run a DSL service in the traditional PPPoE manner via my local telco. For simplicity's sake, let's say anything @a.com comes to me, @b.com goes to the competition, etc. I have just got them to route @c.com to me as well for a different service.

I currently have

...
realm a.com {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}
realm c.com {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}
...

working off the same password file. I would like to differentiate services based on the realm - ie

[EMAIL PROTECTED] Auth-Type := System
    cisco-avpair = ip:addr-pool=private

What's the best way to go about this?

Thanks
Rob
error message in log file
I've searched through the archive and web but am having difficulty determining what is causing this problem...

This is the entry made in the log when I try to test my radius server using the radclient.

Tue Jul 13 14:30:28 2004 : Error: WARNING: Malformed RADIUS packet from host 172.24.4.31: too short (received 8 minimum 20)

The response from my radclient command is:

Received response ID 23, code 3, length = 20

I believe a code 2 indicates success (rather than code 3) and I'm not sure what the problem is.

-shawn
Re: error message in log file
Shawn Simpson [EMAIL PROTECTED] wrote:
> This is the entry made in the log when I try to test my radius server using the radclient.
>
> Tue Jul 13 14:30:28 2004 : Error: WARNING: Malformed RADIUS packet from host 172.24.4.31: too short (received 8 minimum 20)

RADIUS packets have at least 20 bytes of a RADIUS header. If a packet is shorter than that, it is NOT a RADIUS packet, and the server discards it.

I have a hard time seeing how radclient will send the server a packet which is too short, as it is very well tested.

> The response from my radclient command is:
>
> Received response ID 23, code 3, length = 20

I doubt that. When the server prints the error message you quoted, it does NOT respond to the request, as the packet was NOT a RADIUS request.

Double-check what you're using to send the packet, what kind of packet is sent, and what the server does when it receives the packet.

Alan DeKok.
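The framing check described in the reply above (at least 20 bytes of RADIUS header, otherwise the datagram is discarded), as an added example that is not part of the original thread and is not FreeRADIUS source. The function and enum names are hypothetical; the 20 and 4096 octet limits and the code values come from RFC 2865, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not FreeRADIUS source; every name below is hypothetical. */
#define RAD_HDR_LEN 20    /* code(1) + id(1) + length(2) + authenticator(16) */
#define RAD_MAX_LEN 4096  /* largest packet RFC 2865 allows */

enum rad_check {
    RAD_OK = 0,
    RAD_TOO_SHORT,     /* fewer than 20 octets received */
    RAD_BAD_LENGTH,    /* length field below 20 or above 4096 */
    RAD_TRUNCATED,     /* length field claims more than was received */
    RAD_BAD_ATTRIBUTE  /* attribute length below 2 or past the packet end */
};

/* Check the framing of one received UDP payload before anything parses it. */
enum rad_check rad_check_packet(const uint8_t *buf, size_t received)
{
    if (received < RAD_HDR_LEN)
        return RAD_TOO_SHORT;

    size_t declared = ((size_t)buf[2] << 8) | buf[3];
    if (declared < RAD_HDR_LEN || declared > RAD_MAX_LEN)
        return RAD_BAD_LENGTH;
    if (declared > received)
        return RAD_TRUNCATED;

    /* Octets after the declared length are padding and are ignored. */
    size_t off = RAD_HDR_LEN;
    while (off < declared) {
        if (declared - off < 2)
            return RAD_BAD_ATTRIBUTE;
        size_t alen = buf[off + 1];
        if (alen < 2 || alen > declared - off)
            return RAD_BAD_ATTRIBUTE;
        off += alen;
    }
    return RAD_OK;
}

/* Map the code octet of an authentication packet to its RFC 2865 name. */
const char *rad_code_name(uint8_t code)
{
    switch (code) {
    case 1:  return "Access-Request";
    case 2:  return "Access-Accept";
    case 3:  return "Access-Reject";
    case 11: return "Access-Challenge";
    default: return "unknown";
    }
}

int main(void)
{
    /* Constructed samples: an 8-octet datagram and a bare 20-octet code 3 reply. */
    uint8_t runt[8] = {1, 23, 0, 8, 0, 0, 0, 0};
    uint8_t reply[RAD_HDR_LEN] = {3, 23, 0, 20};
    printf("runt:  %d\n", (int)rad_check_packet(runt, sizeof runt));
    printf("reply: %d (%s)\n", (int)rad_check_packet(reply, sizeof reply),
           rad_code_name(reply[0]));
    return 0;
}
```

A receiver that logs the source address and received size on RAD_TOO_SHORT gives the same evidence as the log line quoted in the thread, which is usually enough to identify what is actually sending the datagram.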