Re: Session-Timeout not set with pending Expiration

2005-03-29 Thread Joachim Bloche
  When a user logs in 23 hours and 59 minutes after the first
  connection, I expected freeradius to return the Session-Timeout
  attribute in the access-accept (with value 60).
 
  Actually it does not, so the user can stay connected well after the 24
  hours limit.
 
   So... what does the server respond with?  What does debugging mode say?

I'll give two detailed examples of what happens. We use the SQL schema
given with freeradius, and the configuration is a very easy one:

radius=> select * from usergroup;
 id | username | groupname
----+----------+-----------
  2 | joachim  | users

The requests for authorization, accounting and so on are the ones in the
original postgresql.conf; we did not modify them.

Let's assume we are on 2005 March 29, 10:50:00. In radcheck we put:

radius=> select * from radcheck;
 id | username | attribute  | op |        value
----+----------+------------+----+----------------------
  2 | joachim  | PASSWORD   | == | pwd_joachim
 12 | joachim  | Expiration | := | 28 Mar 2005 23:50:00

Then with NTradping we send an authentication request to our
freeradius, which answers as we guessed: Access-Reject,
Reply-Message=Password has expired.

If we now set:

radius=> select * from radcheck;
 id | username | attribute  | op |        value
----+----------+------------+----+----------------------
  2 | joachim  | PASSWORD   | == | pwd_joachim
 12 | joachim  | Expiration | := | 29 Mar 2005 23:50:00

and resend an authentication request, we only get an Access-Accept,
with no attribute. This is where we expected to see a Session-Timeout
attribute, just like what happens when we set Login-Time in the
radcheck table.

You'll find what debugging mode says in this last example, at the end
of this mail. I'm sorry for the dump, but I could not guess whether
the request would be useful. I did not find any hint of what goes
wrong, but maybe this is just a normal behavior.

Joachim


Here's what debugging mode says for the example where:

radius=> select * from radcheck;
 id | username | attribute  | op |        value
----+----------+------------+----+----------------------
  2 | joachim  | PASSWORD   | == | pwd_joachim
 12 | joachim  | Expiration | := | 29 Mar 2005 23:50:00

and assuming the current date is 2005 March 29, 10:50:00

rad_recv: Access-Request packet from host 192.168.1.1:1571, id=17, length=53
User-Name = joachim
User-Password = pwd_joachim
NAS-Port = 5
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 16
  modcall[authorize]: module preprocess returns ok for request 16
radius_xlat:  'joachim'
rlm_sql (sql): sql_set_user escaped user -- 'joachim'
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op ??FROM
radcheck ??WHERE Username = 'joachim' ??ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
??FROM radcheck ??WHERE Username = 'joachim' ??ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT radgroupcheck.id, radgroupcheck.GroupName,
??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM
radgroupcheck, usergroup ??WHERE usergroup.Username = 'joachim' AND
usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY
radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id,
radgroupcheck.GroupName, ??radgroupcheck.Attribute,
radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup
??WHERE usergroup.Username = 'joachim' AND usergroup.GroupName =
radgroupcheck.GroupName ??ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op ??FROM
radreply ??WHERE Username = 'joachim' ??ORDER BY id'
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
??FROM radreply ??WHERE Username = 'joachim' ??ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT radgroupreply.id, radgroupreply.GroupName,
radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op
??FROM radgroupreply,usergroup ??WHERE usergroup.Username = 'joachim'
AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY
radgroupreply.id'
rlm_sql_postgresql: query: SELECT radgroupreply.id,
radgroupreply.GroupName, radgroupreply.Attribute,
??radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup
??WHERE usergroup.Username = 'joachim' AND usergroup.GroupName =
radgroupreply.GroupName ??ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module sql returns ok for request 16
modcall: group authorize returns ok for request 16
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [joachim] (from client private-network-1 port 5)
Sending Access-Accept of id 17 to 
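The behaviour Joachim expected from the Expiration check item, written out as an added Python illustration; this is not FreeRADIUS code and makes no claim about what 1.0.2 actually did in his test. The radcheck rows are copied from the mail above; parse_expiration, remaining_seconds, authorize and at are names chosen here.

```python
from datetime import datetime

# Date layout used by the Expiration values in the radcheck rows above,
# e.g. "29 Mar 2005 23:50:00" (assumed to be the only accepted format here).
EXPIRATION_FORMAT = "%d %b %Y %H:%M:%S"

# Constructed radcheck rows (attribute, op, value), copied from the two
# examples in the mail.
RADCHECK_EXPIRED = [("PASSWORD", "==", "pwd_joachim"),
                    ("Expiration", ":=", "28 Mar 2005 23:50:00")]
RADCHECK_VALID = [("PASSWORD", "==", "pwd_joachim"),
                  ("Expiration", ":=", "29 Mar 2005 23:50:00")]


def at(value):
    """Build a datetime from a string in EXPIRATION_FORMAT (test helper)."""
    return datetime.strptime(value.strip(), EXPIRATION_FORMAT)


def parse_expiration(value):
    """Parse an Expiration check value; raises ValueError if malformed."""
    return at(value)


def remaining_seconds(check_items, now):
    """Seconds until the account expires, or None if no Expiration is set.

    Zero or a negative number means the account has already expired.
    """
    expiration = None
    for attribute, _op, value in check_items:
        if attribute == "Expiration":
            expiration = parse_expiration(value)  # last row wins, as := would
    if expiration is None:
        return None
    return int((expiration - now).total_seconds())


def authorize(check_items, now):
    """Decide the reply for a request arriving at `now`.

    Returns (packet_type, reply_attributes). An expired account gets the
    Access-Reject / Reply-Message pair seen in the first example. A live
    account gets Session-Timeout = seconds left, so the NAS ends the session
    at expiry instead of leaving it up past the limit, which is the gap the
    mail describes when no Session-Timeout is returned.
    """
    remaining = remaining_seconds(check_items, now)
    if remaining is None:
        return "Access-Accept", {}
    if remaining <= 0:
        return "Access-Reject", {"Reply-Message": "Password has expired"}
    return "Access-Accept", {"Session-Timeout": remaining}
```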

can someone point me to what I can read again?

2005-03-29 Thread maruna

Hello all,

I have read a lot of docs on making PostgreSQL work with FreeRADIUS v1.0.2;
however, all my efforts have proved abortive.

I will be glad if I can be directed to a mail on the list or docs to read to
get FreeRADIUS working with PostgreSQL.

Thanks

Adegoke


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRADIUS + Postgresql Instructions (was: can someone point me to what I can read again?)

2005-03-29 Thread Peter Nixon
On Tuesday 29 March 2005 13:49, [EMAIL PROTECTED] wrote:
 Hello all,

 I have read a lot of docs in making the postgresql works with freeradius v
 1.0.2 however, all my effort proves abortive.

 I will be glad if I can be directed to a mail on the list or docs to read
 to get freeradius work with postgresql.

You don't mention exactly what you are having problems with. If you were to 
post some logs from radiusd -X we might be able to help you.

Getting FreeRADIUS to work with Postgresql is trivial.

Here are instructions for SUSE 9.2:

Install postgresql-server from YaST
Install freeradius from YaST
# yast2 online_update   (To make sure you have the updated versions)
# rcpostgresql start
# chkconfig postgresql on
set tcpip_socket = true in /var/lib/pgsql/data/postgresql.conf
Make sure there is a line in /var/lib/pgsql/data/pg_hba.conf like:
host    all    all    127.0.0.1    trust
(Actually this config is not recommended for security reasons on a production 
server but it will get you working for now)

Go to:
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/drivers/rlm_sql_postgresql/db_postgresql.sql
Click on (download) for the most recent version and save it somewhere.

# rcpostgresql restart
# createdb -U postgres radius
# createlang -U postgres plpgsql radius  (This step is optional. Without it 
you will see a harmless error in the next step)
# psql -U postgres radius < /path/to/downloaded/db_postgresql.sql

edit /etc/raddb/radiusd.conf to $INCLUDE ${confdir}/postgresql.conf INSTEAD 
of $INCLUDE ${confdir}/sql.conf

enable sql in whichever sections of radiusd.conf you want to use it 
(Accounting etc)

# rcradiusd start

This will give you a working FreeRADIUS 1.0.0 install. If you need/want a 
newer version, then you will need to compile it yourself which obviously 
requires a few extra steps...


Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



PEAP proxying just the tunneled authentication

2005-03-29 Thread Mark
Hi

I'm trying to proxy just the tunneled part of my PEAP authentication.

The user is to log in as [EMAIL PROTECTED]. The tunnel is decoded
locally and then the tunneled authentication is proxied to a remote
server.

I've added the following lines to the users file to configure this:

# Proxy just the tunnel
DEFAULT EAP-Type == MS-CHAP-V2, Auth-Type := EAP, Proxy-To-Realm := mydomain

# Decode the tunnel locally
DEFAULT Realm == mydomain, Proxy-To-Realm := LOCAL, Auth-Type := EAP

This does not work. Even though the debug output says it will proxy the request
to mydomain it then goes on to say Cancelling proxy to Realm LOCAL,
as the Realm is local even though Proxy-To-Realm := mydomain is
present in the config items.

Is this a bug or have I misconfigured it somehow? It looks to me as
though it is reading the config items outside the tunnel rather than
the ones inside. I have attached the log file.

Thanks
Mark




Re: LDAP Profiles vs. No-profiles

2005-03-29 Thread Kostas Kalevras
On Mon, 28 Mar 2005, Jarred Cleem wrote:
I am setting up a test environment and I am having some problems.  Any help 
would be great.  I have the servers build very similarly to what is document 
at 
http://www.freeradius.org/radiusd/doc/ldap_howto.txt.  I have created a few 
profiles like dialup, dsl, and isdn.  I have the server working in the test 
environment and it seems to function very well.  My question is how do I use 
profiles and still be able to pass specific attributes to the radius server 
that are dependent on the user.  For example, if the user has been assigned a 
static IP address.  Below is an example of an of the users file from the old 
Radius server that we are migrating off of.
default profile: An ldap entry holding radius attributes. Defined in the 
ldap module configuration and used in all cases
regular profile: An ldap entry holding radius attributes. Defined in the user 
entry as an attribute pointing to the dn of that entry. Used when authorizing 
that specific user.

user profile: The attributes contained in the user entry. These attributes take 
precedence to the attributes defined in the above profiles. So in general you 
can use default/regular profiles to define default attributes used in most cases 
and then define any user specific attributes inside each user's entry.

# Entry for Customer 1 dedicated dsl
Customer1 Auth-Type = Local, Password = xx
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 192.168.1.69,
   Framed-IP-Netmask = 255.255.255.252,
   Framed-Routing = Broadcast-Listen,
   Framed-Filter-Id = std.ppp,
   Framed-MTU = 1500,
   Framed-Compression = Van-Jacobsen-TCP-IP
# Entry for customer 2 dedicated dsl
Customer2 Auth-Type = Local, Password = xxx
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 192.168.1.65,
   Framed-IP-Netmask = 255.255.255.252,
   Framed-Routing = Broadcast-Listen,
   Framed-Filter-Id = std.ppp,
   Framed-MTU = 1500,
   Framed-Compression = Van-Jacobsen-TCP-IP
# Entry for customer 3 dedicated dsl
Customer3 Auth-Type = Local, Password = xx
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 192.168.1.177,
   Framed-IP-Netmask = 255.255.255.248,
   Framed-Routing = Broadcast-Listen,
   Framed-Filter-Id = std.ppp,
   Framed-MTU = 1500,
   Framed-Compression = Van-Jacobsen-TCP-IP
DEFAULT Auth-Type = System
   Fall-Through = Yes
DEFAULT Service-Type = Framed-User
   Framed-IP-Address = 255.255.255.254,
   Framed-MTU = 576,
   Service-Type = Framed-User,
   Fall-Through = Yes
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = PPP, since PPP might also be auto-detected
#   by the terminal server in which case there may not be a P suffix.
#   The terminal server sends Framed-Protocol = PPP for auto PPP.
#
DEFAULT Framed-Protocol = PPP
   Framed-Protocol = PPP,
   Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint = CSLIP
   Framed-Protocol = SLIP,
   Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint = SLIP
   Framed-Protocol = SLIP
--
Jarred F. Cleem
IS Manager
Multiband
2000 44th Street SW
Fargo, ND 58103
(W) 701-281-5376 (F)701-492-5376
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

Authenticating and Blocking per client

2005-03-29 Thread Jason Frisvold
Hi all,

Up until now, we've used freeradius to authenticate a pool of RAS
units.  Moving forward, we want to authenticate some users on some RAS
units, but deny them on others.  What is the proper way to do this? 
Is this a function of the RAS or a function of the radius server?

Any help would be greatly appreciated!

Thanks!

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



Re: Authenticating and Blocking per client

2005-03-29 Thread Chris Knipe
Called-Station-Id ?

--
Chris.
I love deadlines. I especially love the whooshing sound they make as they 
fly by... - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'

- Original Message - 
From: Jason Frisvold [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, March 29, 2005 4:18 PM
Subject: Authenticating and Blocking per client


Hi all,
Up until now, we've used freeradius to authenticate a pool of RAS
units.  Moving forward, we want to authenticate some users on some RAS
units, but deny them on others.  What is the proper way to do this?
Is this a function of the RAS or a function of the radius server?
Any help would be greatly appreciated!
Thanks!
--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]




Re: Authenticating and Blocking per client

2005-03-29 Thread Jason Frisvold
On Tue, 29 Mar 2005 16:23:43 +0200, Chris Knipe [EMAIL PROTECTED] wrote:
 Called-Station-Id ?

Radius checks this and allows/denies appropriately?  Do you have a
link to documentation on how to set something like this up?

Thanks!
 
 --
 Chris.

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



Re: Authenticating and Blocking per client

2005-03-29 Thread Kenneth Grady
One way to do it is to add the users allowed to the huntgroups. Example:
huntgroups...
NAS1    NAS-IP-Address == 1.2.3.4
        User-Name == user1,
        User-Name == user2

NAS2    NAS-IP-Address == 2.3.4.5
        User-Name == user3,
        User-Name == user4

users...
user1   Huntgroup-Name == NAS1, User-Password ...

user2   Huntgroup-Name == NAS2, User-Password ...


On Tue, 2005-03-29 at 07:18, Jason Frisvold wrote:
 Hi all,
 
 Up until now, we've used freeradius to authenticate a pool of RAS
 units.  Moving forward, we want to authenticate some users on some RAS
 units, but deny them on others.  What is the proper way to do this? 
 Is this a function of the RAS or a function of the radius server?
 
 Any help would be greatly appreciated!
 
 Thanks!


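A small model of the per-NAS allow-list rule in Kenneth Grady's huntgroups example, added here as an illustration (not rlm_preprocess or any FreeRADIUS code). It assumes that the indented User-Name lines under a NAS entry are the list of users allowed on that NAS and that anyone else arriving from it is rejected; HUNTGROUPS and USERS are constructed from the reply, and parse_items, parse_huntgroups, check_huntgroups and authorize_user are names chosen here.

```python
# Constructed huntgroups text laid out like the example in the reply above.
HUNTGROUPS = """\
NAS1    NAS-IP-Address == 1.2.3.4
        User-Name == user1,
        User-Name == user2

NAS2    NAS-IP-Address == 2.3.4.5
        User-Name == user3,
        User-Name == user4
"""

# Constructed users-file check items keyed by User-Name (passwords omitted).
USERS = {
    "user1": "Huntgroup-Name == NAS1",
    "user2": "Huntgroup-Name == NAS2",
}


def parse_items(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    items = []
    for part in text.split(","):
        part = part.strip()
        if part:
            attr, op, value = part.split(None, 2)
            items.append((attr, op, value))
    return items


def parse_huntgroups(text):
    """Return [(name, nas_items, allowed_items), ...].

    A non-indented line starts an entry: the huntgroup name plus the items
    that identify the NAS. Indented lines under it list the users allowed
    on that NAS (the allow list). Blank and '#' lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if not entries:
                raise ValueError("continuation line before any huntgroup")
            entries[-1][2].extend(parse_items(raw))
        else:
            name, rest = raw.split(None, 1)
            entries.append((name, parse_items(rest), []))
    return entries


ENTRIES = parse_huntgroups(HUNTGROUPS)


def item_matches(item, request):
    """Evaluate one check item; only '==' (the operator used above) is modelled."""
    attr, op, value = item
    if op != "==":
        raise ValueError("unsupported operator %r" % op)
    return request.get(attr) == value


def check_huntgroups(request, entries):
    """Apply the huntgroups rule to a request dict.

    The first entry whose NAS items all match applies. If it carries an
    allow list and no allow-list item matches, the request is rejected;
    otherwise the entry's name is returned for use as Huntgroup-Name.
    """
    for name, nas_items, allowed in entries:
        if all(item_matches(i, request) for i in nas_items):
            if allowed and not any(item_matches(i, request) for i in allowed):
                return "reject", None
            return "ok", name
    return "ok", None


def authorize_user(request, entries, users):
    """Combine the huntgroup gate with the per-user Huntgroup-Name check.

    Returns "ok" or "reject". A user with no users entry, or whose entry's
    check items fail, is rejected (no DEFAULT entry is modelled here).
    """
    decision, name = check_huntgroups(request, entries)
    if decision == "reject":
        return "reject"
    req = dict(request)
    if name is not None:
        req["Huntgroup-Name"] = name
    checks = users.get(req.get("User-Name"))
    if checks is None:
        return "reject"
    return "ok" if all(item_matches(i, req) for i in parse_items(checks)) else "reject"
```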


Re: Authenticating and Blocking per client

2005-03-29 Thread Jason Frisvold
On Tue, 29 Mar 2005 07:51:41 -0700, Kenneth Grady [EMAIL PROTECTED] wrote:
 One way to do it is to add the users allowed to the huntgroups. Example:
 huntgroups...

Ok, so now what happens when you start dealing with other devices like
a redback?  Can those be added into the huntgroups as well?

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



Freeradius 1.0.0 PEAP SP2

2005-03-29 Thread Mametz Laurent
Hello,
I want to make an authentication with PEAP TLS.
I think that my tls tunnel works fine, but I can't authenticate any user 
from my windows XP SP2. I have an AP netgear WG302, and my freeradius 
runs on Mandrake 10.1.
I read the FAQ and the news but I am always in the dark ...
My conf.

users
---
toto    User-Password == toto

eap.conf
---
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    md5 {
    }

    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        #  If Private key & Certificate are located in
        #  the same file, then private_key_file &
        #  certificate_file must contain the same file
        #  name.
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        #  Trusted Root CA list
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
    }

    peap {
        #  The tunneled EAP session needs a default
        #  EAP type which is separate from the one for
        #  the non-tunneled EAP module.  Inside of the
        #  PEAP tunnel, we recommend using MS-CHAPv2,
        #  as that is the default type supported by
        #  Windows clients.
        default_eap_type = mschapv2
    }

    mschapv2 {
    }
}

client.conf
---
client 134.214.202.181/23 {
    secret = x
    shortname = AP-netgear
}

radius.conf
---
mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
}

authorize {
    mschap
    suffix
    eap
    files
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
When I try to log in:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radius
main: group = radius
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = 

Re: Authenticating and Blocking per client

2005-03-29 Thread Chris Knipe
Yes, it does.
A sample from our users file
#testy  Auth-Type := Local, Simultaneous-Use := 1, Max-All-Session := 10800, 
Pool-Name := ippool-prepaid, Called-Station-Id = wcore-nasgw01, 
NAS-Port-Type == Ethernet
#   Acct-Interim-Interval = 300,
#   Rate-Limit = 256k/256k,
#   Service-Type = Framed-User,
#   Framed-Protocol = PPP,
#   Framed-Compression = Van-Jacobson-TCP-IP,
#   Framed-Routing = Broadcast-Listen,
#   MS-MPPE-Encryption-Policy = 1,
#   MS-MPPE-Encryption-Types = LS

What the value of Called-Station-Id is supposed to be, is up to what your 
NAS sends to FR though.  As the other reply also stated, huntgroups is 
another way to do this but it may not be a viable option to have all your 
user accounts in two (or more) places.

Called-Station-Id also works very nicely as a check item in MySQL if you're 
using databases.

--
Chris.
I love deadlines. I especially love the whooshing sound they make as they 
fly by... - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'

- Original Message - 
From: Jason Frisvold [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, March 29, 2005 4:37 PM
Subject: Re: Authenticating and Blocking per client


On Tue, 29 Mar 2005 16:23:43 +0200, Chris Knipe [EMAIL PROTECTED] 
wrote:
Called-Station-Id ?
Radius checks this and allows/denies appropriately?  Do you have a
link to documentation on how to set something like this up?
Thanks!
--
Chris.
--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]




Re: Authenticating and Blocking per client

2005-03-29 Thread Jason Frisvold
On Tue, 29 Mar 2005 17:13:33 +0200, Chris Knipe [EMAIL PROTECTED] wrote:
 What the value of Called-Station-Id is supposed to be, is up to what your
 NAS sends to FR though.  As the other reply also stated, huntgroups is
 another way to do this but it may not be a viable option to have all your
 user accounts in two (or more) places.

*sigh*  It looks like the RAS units send unknown as the
called-station-id, and the redback sends nothing.

Is it possible to do something similar to the above, but use
NAS-IP-Address?  And if so, how do you specify multiple addresses?
 
 Called-Station-Id also works very nicely as a check item in MySQL if you're
 using databases.

How so?  Do you mean in the radgroupcheck table?

 --
 Chris.

Thanks!

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



aaa authentication enable on cisco

2005-03-29 Thread Matthew Opoka
Cisco sends $enable15$ as a user name to radius for enable authentications.
Is there a way not to store the password in etc/raddb/users?  I don't think
linux will allow a username to start with a $.  Or can I encrypt the
password somehow in the users file?
 
Thanks,
 
Matthew


Re: Authenticating and Blocking per client

2005-03-29 Thread Chris Knipe
- Original Message - 
From: Jason Frisvold [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, March 29, 2005 5:51 PM
Subject: Re: Authenticating and Blocking per client


On Tue, 29 Mar 2005 17:13:33 +0200, Chris Knipe [EMAIL PROTECTED] 
wrote:
What the value of Called-Station-Id is supposed to be, is up to what your
NAS sends to FR though.  As the other reply also stated, huntgroups is
another way to do this but it may not be a viable option to have all your
user accounts in two (or more) places.
*sigh*  It looks like the RAS units send unknown as the
called-station-id, and the redback sends nothing.
Is it possible to do something similar to the above, but use
NAS-IP-Address?  And if so, how do you specify multiple addresses?
Yep.  Should work.  Multiple addresses... Hmmm... try adding it multiple 
times?

NAS-IP-Address = x.x.x.x, NAS-IP-Address = y.y.y.y, etc
Called-Station-Id also works very nicely as a check item in MySQL if 
you're
using databases.
How so?  Do you mean in the radgroupcheck table?
Yep.  Or radcheck (if you want to do it per user vs per group).
--
Chris.


Re: aaa authentication enable on cisco

2005-03-29 Thread Jason Frisvold
On Tue, 29 Mar 2005 09:54:42 -0600, Matthew Opoka [EMAIL PROTECTED] wrote:
 Cisco sends $enable15$ as a user name to radius for enable authentications
 is there a way not to store the password in etc/raddb/users?  I don't think
 linux will allow a username to start with a $.  Or can I encrypt the
 password some how in the users files?

I believe you can put the password in the users file as an md5
encrypted password.  Then surround the username in the users file with
quotes...

Someone check me on that..  :)
 
 Thanks,
 
 Matthew
 
 


-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



RE: aaa authentication enable on cisco

2005-03-29 Thread Matthew Opoka
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Jason Frisvold
 Sent: Tuesday, March 29, 2005 9:59 AM
 To: freeradius-users@lists.freeradius.org
 Subject: Re: aaa authentication enable on cisco
 
 On Tue, 29 Mar 2005 09:54:42 -0600, Matthew Opoka 
 [EMAIL PROTECTED] wrote:
  Cisco sends $enable15$ as a user name to radius for enable 
  authentications is there a way not to store the password in 
  etc/raddb/users?  I don't think linux will allow a username 
 to start 
  with a $.  Or can I encrypt the password some how in the 
 users files?
 
 I believe you can put the password in the users file as an 
 md5 encrypted password.  Then surround the username in the 
 users file with quotes...

If so, is there a command that encrypts the text password in the users file?
How do I get an encrypted password?

 
 Someone check me on that..  :)
  
  Thanks,
  
  Matthew
  
  
 
 
 --
 Jason 'XenoPhage' Frisvold
 [EMAIL PROTECTED]
 
 




Authenticate local - if not found proxy

2005-03-29 Thread Jaco van Tonder
I would like to know if it is possible to set up freeradius to first 
authenticate against the local database and, if the user is not found, proxy the request 
off to another radius server. I am running freeradius 0.9.3 on a postgres 
database.

Jaco van Tonder 




Re: calling-station-id problem...

2005-03-29 Thread Alan DeKok
kolargol [EMAIL PROTECTED] wrote:
 I have problem with Calling-Station-Id set up in user file:
 
 kolargol User-Password == xxx, Calling-Station-Id == 000ce5475611
 
 during auth debug log shows:


  Not much of anything useful.

  As a hint: reading the last little bit of the debug log isn't
enough.  You have to read ALL of it.

 Well, I can't figure out why it claims that the login is incorrect?

  It told you earlier in the debug log why the user was rejected, but
you're not reading that portion.

  Alan DeKok.




Re: Freeradius 1.0.0 PEAP SP2

2005-03-29 Thread Alan DeKok
Mametz Laurent [EMAIL PROTECTED] wrote:
 I want to make an authentification with PEAP TLS.
 I think that my tls tunnel works fine, but i can't authenticate any user 
 from my windows XP SP2.

  SP2 doesn't work with non-MS RADIUS servers.  There is a fix.  Read
their knowledge base, or search the list archives.

  Alan DeKok.




Re: Freeradius 1.0.0 PEAP SP2

2005-03-29 Thread Alexandre Coninx
On Tue, Mar 29, 2005, Mametz Laurent wrote:
 Hello,
 
 I want to make an authentification with PEAP TLS.
 I think that my tls tunnel works fine, but i can't authenticate any user 
 from my windows XP SP2. I have an AP netgear WG302, and my freeradius 
 run on Mandrake 10.1.
 I read the FAQ and the news but, i am always in black ...
 My conf.

 users
 ---
 totoUser-Password == toto

That is useless if you just want to authenticate by validating the
client SSL certificate.


 eap.conf
 
 eap {

peap {

default_eap_type = mschapv2

}
 }
   
mschapv2 {
}

Your freeradius is configured to do PEAP MSCHAPv2 by default, and not
PEAP TLS. I suppose it's just a default behavior and it won't interfere
if the supplicant explicitly requests PEAP TLS, but maybe you should
disable the MSCHAP stuff and set default_eap_type = tls in the PEAP
section. It would make your config file cleaner, if nothing else.


 auth: type EAP
  Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
 rlm_eap_tls: Received EAP-TLS ACK message
  eaptls_verify returned 3
  eaptls_process returned 3

TLS_accept:error in SSLv3 read client certificate A

  rlm_eap_peap: EAPTLS_SUCCESS
  modcall[authenticate]: module eap returns handled for request 3
 modcall: group authenticate returns handled for request 3
 Sending Access-Challenge of id 27 to 134.214.202.181:1035

I don't know OpenSSL and its obscure error messages well, but it seems
to have a problem with your client certificate. If I were you, I would
check that the right certificate and authentication method are selected
in the client's configuration.


-- 
Alexandre Coninx



Re: Authenticating and Blocking per client

2005-03-29 Thread Jason Frisvold
On Tue, 29 Mar 2005 17:59:13 +0200, Chris Knipe [EMAIL PROTECTED] wrote:
 Yep.  Should work.  Multiple addresses... Hmmm... try adding it multiple
 times?

Ok, so I added multiple NAS-IP-Address entries in the database. 
Tested it from a RAS that wasn't in that list, and got on without a
problem.  So...  I'm missing something.  Is there some special module
that needs to be active?
 
 --
 Chris.

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



Re: Authenticating and Blocking per client

2005-03-29 Thread Jason Frisvold
On Tue, 29 Mar 2005 12:09:46 -0500, Jason Frisvold [EMAIL PROTECTED] wrote:
 Ok, so I added multiple NAS-IP-Address entries in the database.
 Tested it from a RAS that wasn't in that list, and got on without a
 problem.  So...  I'm missing something.  Is there some special module
 that needs to be active?

Aha!  checkval ..

So, can checkval check for multiple values?  Or can there be multiple
different checkval modules?

 --
 Jason 'XenoPhage' Frisvold
 [EMAIL PROTECTED]
 


-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-29 Thread Jim Seymour
Hi,

Environment:

FreeRADIUS 1.0.2
WinXP Pro (patched)

I'm almost there.  I've got FreeRADIUS authenticating the WinXP Pro
client (Intel PRO/Wireless 2915 and NetGear FWAG114, btw) using the
smbpasswd file on the server *if* I configure XP *not* to use my
Windows login name and password, which gets it to ask for username
and password the first time it sees the WLAN.  I'd prefer to let users
avoid (mucking-up) the additional step.

I've searched and searched, and tried every hint I could find, and
cannot seem to make it work using the Windows login name and
password.  Is it possible?

Thanks,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at http://jimsun.linxnet.com/scform.php.



Re: rlm_passwd core dumps with 1.0.2

2005-03-29 Thread Jason Ornstein
* Jason Ornstein [EMAIL PROTECTED] [2005-03-25 17:11:57 -0700]:

 Fri Mar 25 09:01:45 2005 : Debug: auth: type Crypt
 Segmentation Fault - core dumped
 radiusd
 
 (gdb) where
 #0  0xff257590 in DES_ncbc_encrypt () from /usr/local/ssl/lib/libcrypto.so
 #1  0xff259b4c in _des_crypt () from /usr/local/ssl/lib/libcrypto.so
 #2  0xff33fcb4 in lrad_crypt_check (key=0xffbeda00 ,
 crypted=0x1a5024 encryptedpassword) at crypt.c:60

Looking at this again on a new day something is jumping out at me as
being wrong.  This is the call in lrad_crypt_check

passwd = crypt(key, crypted);

Doing some reading on the Internet this works because key should be the
unencrypted password and crypted should be the encrypted password and
only the salt part of the encrypted password gets used.  Okay, now I
have to figure out why the key doesn't have my plaintext password.

Thinking that maybe this was a fluke, I made a slight change to my
radiusd.conf file.  I forced PAP authentication

passwd admins {
filename = ${raddbdir}/passwords/admins
format = *User-Name:Crypt-Password
hashsize = 100
delimiter = :
authtype = PAP
}

with the addition of 'authtype = PAP', as it wasn't doing this before.
And this time the debug looks something like this

rlm_passwd: Added Crypt-Password: 'encryptedpw' to config_items
rlm_passwd: Adding Auth-Type = PAP
  modcall[authorize]: module admins returns ok for request 0
users: Matched entry DEFAULT at line 11
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type PAP
auth: type PAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_pap: login attempt by jornstei with password cleartextpw 
rlm_pap: Using password encryptedpw for user jornstei
authentication.
rlm_pap: Using CRYPT encryption.
Segmentation Fault - core dumped
radiusd

and looking at the core dump shows the same issue as using CRYPT
authentication 

#0  0xff257590 in DES_ncbc_encrypt () from
/usr/local/ssl/lib/libcrypto.so
#1  0xff259b4c in _des_crypt () from /usr/local/ssl/lib/libcrypto.so
#2  0xff33fcb4 in lrad_crypt_check (key=0xffbed5e8 ,
crypted=0x1a55cc encryptedpw) at crypt.c:60

Would there be something in my setup that would be causing the plaintext
password not to be in the pointer pointed to by key?

-jason



Re: LDAP Profiles

2005-03-29 Thread Dustin Doris

 Not sure how to ask my next question so I will try my best.  We have
 some users who receive static IP addresses and other special attributes
 that are unique to only that user.  Then we have some who receive the
 same attributes and attribute values as the next person.  The big
 difference is those users who receive a static IP verses a dynamic IP
 out of the DHCP pool.  It is my understanding that after LDAP has
 verified the user it tells RADIUS all the group info.  RADIUS then goes
 through the RADIUS Groups info and tries to find the first match.  Once
 the match is found RADIUS then returns to the NAS the attributes for the
 profile not the actual user attributes.  How do I setup the servers so
 that sometimes it returns the profile info (in the case of DHCP type
 customers) and sometimes returns specific attributes (in the case of
 static IP customers)?



You can send back any reply values you want for the individual users by
putting those entries into their ldap entry.

eg:

uid=somestaticuser,ou=radius,dc=yourdomain,dc=com
objectclass: radiusprofile
radiusgroupname: dial
radiusgroupname: isdn
radiusframedipaddress: 1.1.1.1
radiusframedipnetmask: 255.255.255.252

That will send back the reply attributes of framedipaddress and
framedipnetmask for only that user.



checkrad

2005-03-29 Thread Jason Frisvold
Hi there,

Am I right in that the checkrad program needs to be customized per
environment?  It appears, at least thus far, that the checkrad program
doesn't check the naspasswd file for Patton RAS units...

Is this accurate?

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



Re: Php code for freeradius

2005-03-29 Thread Dustin Doris

 Can someone send me a sample of a php login page that hits the freeradius
 server? I have the server running with mysql as the db backend and it is
 working just fine. Now I need the php code calls the radiusd process and
 returns the results (which I will forward to an Access Point).


Never used anything like that before, but it sounded interesting to me.
At least maybe to build a helpdesk application so they verify someone can
login or something.

Anyway, quick google search led me to these two, you might want to
checkout.

http://pear.php.net/package/Auth_RADIUS/docs/1.0.4/li_Auth_RADIUS.html
http://www.mavetju.org/programming/php.php



checkrad, check_with_nas, and sql

2005-03-29 Thread Jason Frisvold
Wow.. today seems to be the day I sent a lot of mail to the freeradius
list..  :)

Hopefully an answer to this will finish off what I need to accomplish...  :)

In my radiusd.conf file, I have enabled sql for simultaneous use checking :

session {
sql
}

I don't have radutmp enabled.  I noticed, however, in the radutmp
module definition, the check_with_nas option.  It appears that this
causes the checkrad program to be called.  If radutmp is not enabled,
checkrad isn't called..  I think.

At any rate, I tried enabling simultaneous checking with sql and the
checkrad program never got called.  Unfortunately, this means that a
lot of users are being rejected incorrectly..

So, the question is this..  does radutmp need to be enabled?  Or is it
possible to have checkrad called when using sql?

Thanks!

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



Re: checkrad, check_with_nas, and sql

2005-03-29 Thread Chris Knipe
I don't have radutmp enabled.  I noticed, however, in the radutmp
module definition, the check_with_nas option.  It appears that this
causes the checkrad program to be called.  If radutmp is not enabled,
checkrad isn't called..  I think.
To my knowledge, checkrad is never called if utmp isn't available.
At any rate, I tried enabling simultaneous checking with sql and the
checkrad program never got called.  Unfortunately, this means that a
lot of users are being rejected incorrectly..
You must run utmp.  Even if it is just for simul. use.  You can still have 
all your accounting in SQL instead of detailed files, but utmp must be there 
for checkrad.

It may actually be a good idea to get checkrad to be called if utmp *OR* SQL 
thinks a user is logged in twice. But that will require some source 
hacking I think.

As always.. I may be wrong - I think I'm right :)
--
Chris.


Re: checkrad, check_with_nas, and sql

2005-03-29 Thread Jason Frisvold
On Tue, 29 Mar 2005 20:58:45 +0200, Chris Knipe [EMAIL PROTECTED] wrote:
 You must run utmp.  Even if it is just for simul. use.  You can still have
 all your accounting in SQL instead of detailed files, but utmp must be there
 for checkrad.

Ugh..  So, if my primary radius server fails to backup, and the backup
utmp has nothing in it, then wouldn't users be able to simul at least
once before it ever called checkrad?
 
 It may actually be a good idea to get checkrad to be called if utmp *OR* SQL
 thinks a user is logged in twice. But that will require some source
 hacking I think.

I guess I don't understand the purpose of the simul checks in the
sql.conf file then..  If utmp is the only thing that checks for simul
use, then why have the sql checks?  The sql checks *are* working, they
definitely block users who appear to be online already, but without
checkrad, it never double checks the nas ...

 As always.. I may be wrong - I think I'm right :)

:)

 --
 Chris.

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



Re: checkrad, check_with_nas, and sql

2005-03-29 Thread Chris Knipe
It may actually be a good idea to get checkrad to be called if utmp *OR* SQL
thinks a user is logged in twice. But that will require some source
hacking I think.
I guess I don't understand the purpose of the simul checks in the
sql.conf file then..  If utmp is the only thing that checks for simul
use, then why have the sql checks?  The sql checks *are* working, they
definitely block users who appear to be online already, but without
checkrad, it never double checks the nas ...
Again, I am guessing this is incomplete code (at this stage).
To my understanding, SQL Simul queries check to see whether a user is 
already logged in based on Radius Accounting.  Yes, this works and is all 
fine and dandy.  However, the SQL Accounting data is not always up to date. 
Say, for example, your NAS gets restarted due to a power failure.  When the 
NAS comes back online, your users won't be able to log in because according 
to SQL Accounting records, they already are logged in.  In this situation, 
the correct approach would be for checkrad to be called from FR yes - 
something which, for some reason, it is not doing.

If a utmp is in place, in the above occurrence, checkrad would be called 
which will verify that the user is NOT logged into the NAS, and thus will 
allow the auth.  You will however still sit with the stale accounting 
records in SQL, which means that if *only* SQL's simul use query was used, 
you will end up calling checkrad for each and every authentication request 
eventually (or in the current case where checkrad is never called for SQL 
simul use, sit with a situation where nobody will be able to log in until 
you manually reset all the SQL accounting records)...  I hope I'm making 
sense...

Again, IMHO checkrad should be called if SQL's simul use query returns more 
than x records, but again, to my understanding, this has not yet been 
implemented in FR.

You can use FR proxying (I think) to proxy accounting to the backup FR 
server - which should then create a backup utmp.  I'm not 100% sure right now, off 
the top of my head, whether the utmp entry is made on an auth request or the 
acct-start request, but it may be worth looking into.  You should also be 
able to proxy auth requests to the backup servers as well, which means that 
all the FR servers will have a replicated utmp file.

--
Chris.



Re: checkrad, check_with_nas, and sql

2005-03-29 Thread Jason Frisvold
On Tue, 29 Mar 2005 21:18:06 +0200, Chris Knipe [EMAIL PROTECTED] wrote:
 Again, I am guessing this is incomplete code (at this stage).

[snip]

 you manually reset all the SQL accounting records)...  I hope I'm making
 sense...

Yup..  seems clear enough..
 
 Again, IMHO checkrad should be called if SQL's simul use query returns more
 than x records, but again, to my understanding, this has not yet been
 implemented in FR.

Agreed..  And no, it doesn't look like that's been implemented yet

 You can use FR proxing (I think) to proxy accounting to the backup FR
 server - which should then create a backup utmp.  I'm not 100% right now of
 the top of my head whether the utmp entry is made on a auth request or the
 acct-start request, but it may be worth looking into.  You should also be
 able to proxy auth requests to the backup servers as well, which means that
 all the FR servers will have a replicated utmp file.

Hrm...  Yeah, I guess this is doable..  Seems like a lot of work..  I
wish there was some way to determine if/when sql simul checking will
be finished ..

Thank you for your help...  I enabled radutmp and that's working.. 
I'll live with it as-is for now and we'll see what the future holds...

 --
 Chris.

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



Re: checkrad, check_with_nas, and sql

2005-03-29 Thread Alan DeKok
Chris Knipe [EMAIL PROTECTED] wrote:
 In this situation, the correct approach would be for checkrad to be
 called from FR yes - something, which for some reason it is not
 doing.

  It should, but I'm not sure why.

 If a utmp is in place, in the above occurrence, checkrad would be called 
 which will verify that the user is NOT logged into the NAS, and thus will 
 allow the auth.  You will however still sit with the stale accounting 
 records in SQL

  No.  See src/main/session.c.  If the user is no longer logged in,
then the server zaps the login records by sending a fake accounting
stop packet to itself.

 Again, IMHO checkrad should be called if SQL's simul use query returns more 
 than x records, but again, to my understanding, this has not yet been 
 implemented in FR.

  I believe it is.  See src/modules/rlm_sql/rlm_sql.c, which calls
rad_check_ts().

  Alan DeKok.




Re: checkrad, check_with_nas, and sql

2005-03-29 Thread Chris Knipe
If a utmp is in place, in the above occurrence, checkrad would be called
which will verify that the user is NOT logged into the NAS, and thus will
allow the auth.  You will however still sit with the stale accounting
records in SQL
 No.  See src/main/session.c.  If the user is no longer logged in,
then the server zaps the login records by sending a fake accounting
stop packet to itself.
You learn something new every day. Again, I'll have to verify because on 
our systems using MySQL Accounting + radutmp + checkrad, we sit with quite 
a lot of stale accounting data in the SQL tables (Frankly, we have cron jobs 
to purge stale records every couple of days - even dialupadmin purges stale 
accounting records every day)... Maybe it's caused by something else then.

Again, IMHO checkrad should be called if SQL's simul use query returns 
more
than x records, but again, to my understanding, this has not yet been
implemented in FR.
 I believe it is.  See src/modules/rlm_sql/rlm_sql.c, which calls
rad_check_ts().
Will do.  On almost all our older implementations, we were forced to use 
checkrad from utmp.  Will set up a test rig with some NASes I know work + 
latest FR and see what happens... Will be VERY good if the above is actually 
working :)

--
Chris.


log off user problem

2005-03-29 Thread Janet
Hi
I'm having some problems getting Session_Timeout to function - when the time
limit is reached nothing happens (I assume it is supposed to send some sort of
disconnect message). Is there anything else that needs to be set alongside this
to have it function? Because when the user is connected there isn't a problem,
but he just disconnects when the disconnect option in the chillispot default
page is clicked.

I'm using Alchemy (chillispot+openwrt) and Aradial (Radius server), but the
standard skills I suppose are the same with free-radius. So please help me. I
think that it is something with the sessiontimeout, but I don't really know how
the communication between alchemy and radius works.

Thanks.

Re: checkrad, check_with_nas, and sql

2005-03-29 Thread Jason Frisvold
On Tue, 29 Mar 2005 14:36:42 -0500, Alan DeKok [EMAIL PROTECTED] wrote:
   I believe it is.  See src/modules/rlm_sql/rlm_sql.c, which calls
 rad_check_ts().

Yup, I definitely see that..  And now that I'm digging deeper, I'm
seeing the problem..

*sigh*

So here's what I'm guessing is going on...   We changed IP addresses a
while back.  The old IP's no longer exist, but there are apparently a
number of radacct records that were never stopped correctly.  So
when the checkrad process runs, it sees these old records, can't
identify the NAS, and reports that it's skipping them.  Even if there
are no records for a recognized NAS, the presence of old records
there causes a reject.

I tried looking through the source and I can see where this message is
sent.  It sends a return value of 1 if this happens, and it appears
that a return of 1 indicates an MPP attempt...

Is that about right?

So I guess my best course of action right now is to clear out those
old records.  :)

   Alan DeKok.

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]

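The simultaneous-use logic discussed in this thread, as an added example (not code from the thread or from FreeRADIUS): a small sqlite model of the radacct table, the simul_verify-style query, the checkrad verification step with the fake-accounting-stop "zap" Alan mentions, and the failure mode Jason found, where an open record from a NAS that no longer exists is skipped and still counted as a live login. The NAS addresses, sample rows and the checkrad stand-in are constructed; KNOWN_NAS plays the part of the clients/NAS list.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed data. 192.0.2.10 is a NAS still in service; 192.0.2.99 is a
# retired address whose open accounting record was never closed.
KNOWN_NAS = {"192.0.2.10"}
SAMPLE_ROWS = [
    # radacctid, username, nasipaddress, acctsessionid, acctstarttime, acctstoptime
    (1, "jsmith", "192.0.2.10", "0000A1F3", "2005-03-29 08:00:00", None),
    (2, "jsmith", "192.0.2.99", "00003C77", "2005-02-01 12:00:00", None),
    (3, "jsmith", "192.0.2.10", "00009B10", "2005-03-28 09:00:00",
     "2005-03-28 10:00:00"),
]


def build_radacct():
    """In-memory radacct table (subset of the FreeRADIUS schema columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE radacct (
        radacctid INTEGER PRIMARY KEY, username TEXT, nasipaddress TEXT,
        acctsessionid TEXT, acctstarttime TEXT, acctstoptime TEXT)""")
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def open_sessions(conn, username):
    """Same shape as the sql.conf simul_verify query: open records for a user."""
    return conn.execute(
        "SELECT radacctid, nasipaddress, acctsessionid FROM radacct "
        "WHERE username = ? AND acctstoptime IS NULL", (username,)).fetchall()


def zap_session(conn, radacctid):
    """Stand-in for the fake Accounting-Stop the server sends to itself."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    conn.execute("UPDATE radacct SET acctstoptime = ? WHERE radacctid = ?",
                 (now, radacctid))


def simultaneous_use_check(conn, username, limit, nas_has_session):
    """Return 'accept' or 'reject' for a login with Simultaneous-Use = limit.

    nas_has_session(nasip, username, sessionid) -> bool stands in for checkrad.
    """
    rows = open_sessions(conn, username)
    if len(rows) < limit:          # simul_count below the limit: no need to verify
        return "accept"
    live = 0
    for radacctid, nasip, sessionid in rows:
        if nasip not in KNOWN_NAS:
            # checkrad cannot identify the NAS, skips the record, and the
            # record still counts as a live login (the behaviour seen above).
            live += 1
            continue
        if nas_has_session(nasip, username, sessionid):
            live += 1
        else:
            zap_session(conn, radacctid)   # NAS says the user is gone: close it
    return "reject" if live >= limit else "accept"


def close_stale_sessions(conn):
    """Admin cleanup: close open records whose NAS is no longer configured."""
    rows = conn.execute("SELECT radacctid, nasipaddress FROM radacct "
                        "WHERE acctstoptime IS NULL").fetchall()
    stale = [rid for rid, nasip in rows if nasip not in KNOWN_NAS]
    for rid in stale:
        zap_session(conn, rid)
    return len(stale)


def nas_reports_nobody(nasip, username, sessionid):
    """Constructed checkrad stand-in: the NAS was rebooted, nobody is on it."""
    return False


def demo():
    """Before cleanup the stale record forces a reject; after it, accept."""
    conn = build_radacct()
    before = simultaneous_use_check(conn, "jsmith", 1, nas_reports_nobody)
    closed = close_stale_sessions(conn)
    after = simultaneous_use_check(conn, "jsmith", 1, nas_reports_nobody)
    return before, closed, after   # ("reject", 1, "accept")


if __name__ == "__main__":
    print(demo())
```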


Re: log off user problem

2005-03-29 Thread Alan DeKok
Janet [EMAIL PROTECTED] wrote:
  I'm having some problems getting Session_Timeout to function - when the
  time limit is reached nothing happens (I assume it is suposed to send
  some sort of disconnect message). 

  No.

  The NAS is supposed to disconnect the user.

  I'm using Alchemy (chillispot+openwrt) and Aradial (Radius server)

  Then ask Alchemy or Aradial how to solve your problem.  Do not
continue to post your questions on this list.

  Alan DeKok.




Load Balancing

2005-03-29 Thread Eliot, GLI wireless tech support

On the FreeRADIUS website, it says that it supports load balancing, but
I cannot find any documentation at all on how to set it up. I found some
stuff on module failovers, but nothing on load balancing. Does anyone
have any more information on this?

I'm not really that interested in load balancing the RADIUS traffic
between multiple RADIUS servers so much as I am the database traffic
between the RADIUS server and some SQL servers. Ideally, I would have
two SQL servers and just do a round-robin load balancing across the two
servers. The one exception would be when one server fails, it gets
automatically removed from the list until it becomes alive again.
Anyone have any insight on how to configure this, or even if it can be
done at all? 

 
Eliot Gable
Certified Wireless Network Administrator (CWNA)
Cisco Certified Network Associate (CCNA)
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324
 
Now offering Broadband Wireless Internet access in Croswell, Lexington,
Brown City, Yale, and Sandusky. Call for details.





LDAP Radius

2005-03-29 Thread Douglas Sterner

Does someone have a good howto on setting
up Radius to make use of an LDAP group. I read the ldap docs at freeradius.org
and that seemed like overkill I just want to have a group and put the user
in the group to give them access?
Douglas Sterner 


RADIUS and DHCP server

2005-03-29 Thread You, Hongtao Howard
I try to use my linux server with a wireless router to set up
a WPA + RADIUS wireless network. If I use a static IP on the wireless client, WPA
+ RADIUS works. If I don't use RADIUS, and only use WEP or WPA-PSK with
open authentication, the wireless client can get an IP from my DHCP server on my
linux box. By using WPA + RADIUS, my wireless client cannot get an IP from the
DHCP server which is on the same linux server as the RADIUS daemon runs on. Can anybody
help me on this? To make WPA + RADIUS + DHCP work.
RADIUS can have an IP pool. But it is different from a DHCP
server. I don't know how to configure the default gateway and DNS server
addresses for the IP pool in RADIUS, so that RADIUS can send the default gateway
and DNS server addresses to the wireless client.

Thanks,

Howard You


Re: rlm_passwd core dumps with 1.0.2

2005-03-29 Thread Jason Ornstein
* Jason Ornstein [EMAIL PROTECTED] [2005-03-29 11:10:32 -0700]:

  (gdb) where
  #0  0xff257590 in DES_ncbc_encrypt () from 
  /usr/local/ssl/lib/libcrypto.so
  #1  0xff259b4c in _des_crypt () from /usr/local/ssl/lib/libcrypto.so
  #2  0xff33fcb4 in lrad_crypt_check (key=0xffbeda00 ,
  crypted=0x1a5024 encryptedpassword) at crypt.c:60

All of my issues with crypt were caused by this line in the rc.radiusd
startup script:

LD_PRELOAD=/usr/local/ssl/lib/libcrypto.so

I removed that line and now everything is working as it should be. 

-jason



Re: Load Balancing

2005-03-29 Thread Alan DeKok
Eliot, GLI wireless tech support [EMAIL PROTECTED] wrote:
 On the FreeRADIUS website, it says that it supports load balancing, but
 I cannot find any documentation at all on how to set it up. I found some
 stuff on module failovers, but nothing on load balancing. Does anyone
 have any more information on this?

  In the CVS snapshot, see doc/load-balance.txt.  Load-balancing
requests to SQL servers (or any other database) is documented there.

 Ideally, I would have
 two SQL servers and just do a round-robin load balancing across the two
 servers. The one exception would be when one server fails, it gets
 automatically removed from the list until it becomes alive again.

  Read the file.  It documents exactly this case.

  Alan DeKok.






Re: rlm_passwd core dumps with 1.0.2

2005-03-29 Thread Alan DeKok
Jason Ornstein [EMAIL PROTECTED] wrote:
 All of my issues with crypt were caused by this line in the rc.radiusd
 startup script:
 
 LD_PRELOAD=/usr/local/ssl/lib/libcrypto.so
 
 I removed that line and now everything is working as it should be. 

  *sigh*  OpenSSL implements a version of crypt() which is incompatible
with the standard crypt().

  Alan DeKok.




why my adsl-connect only keeps 0.4 minutes?

2005-03-29 Thread 黄 俊源
Each time I connect to the server, the adsl-connect only keeps 0.4 
minutes, and then the modem hangs up, and then auto reconnects.
Is there some attribute I didn't set to a right value in mysql, or some other 
problem?
Thanks.



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-29 Thread Stefan Winter
Hello!

 I've searched and searched, and tried every hint I could find, and
 cannot seem to make it work using the Windows login name and
 password.  Is it possible?

Make your users set a password for their login on the XP machine. That is the 
username/password combination XP will use for authentication when you check 
the box.
Then list these users with the appropriate passwords in your radiusd backend 
(smbpasswd in your case). Then it should work.
[At least I think so; someone please correct me if I'm wrong]

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]   tel.:   +352 424409-33
http://www.restena.lu   fax:   +352 422473



Number of Simultaneous Requests from FreeRadius

2005-03-29 Thread Jamal Taweel
Dear All,

Could any one tell us how many users/requests can be
connected/transferred to FreeRADIUS at the same time through NASs for different
issues (Authentication, Authorization, and Accounting purposes).

Thanks,

JT

Re: Php code for freeradius

2005-03-29 Thread Ery Atmodjo
On Tue, 29 Mar 2005 09:41:50 +0200, Sebastian Wild [EMAIL PROTECTED] wrote:
 Mark Nichols wrote:
 
 Can someone send me a sample of a php login page that hits the freeradius
 server? I have the server running with mysql as the db backend and it is
 working just fine. Now I need the php code calls the radiusd process and
 returns the results (which I will forward to an Access Point).
 
 Thanks,
 
 Mark Nichols
 www.profitservices.net
 [EMAIL PROTECTED]
 
 Did you have a look at the chillispot project?
 Chillispot is free software that uses freeradius + mysql as backup and
 does exactly what u want. I'm just not sure if it was written in php or
 not..
 
 www.chillispot.org
 
 cheers
 Sebastian
 

Can chillispot be used for wired network like nocat?  

Thanks

Ery
