Hello,
Hi All,

I'm new to AAA things. I want to know how I can support RSA ACE/Server in freeradius. Does anyone have details on how the interaction is made between RADIUS and RSA/ACE-server, in a general scenario?

Rgds
DArshak

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Storing in SQL, Procedure call
Hi,

I'm using freeradius with freetds and unixodbc. I am having an issue using a procedure call to insert to a Microsoft SQL Server. When I try to use the procedure call 'exec', I see the following errors:

radius_xlat: 'exec ***
rlm_sql (sql): Reserving sql socket id: 8
query: exec ***
rlm_sql_unixodbc: '0 '
rlm_sql (sql): Couldn't update SQL accounting ALIVE record - 0

But if I don't use a procedure call and use an insert command in its place, it works just fine.

radius_xlat: 'INSERT
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
modcall[accounting]: module "sql" returns ok for request 6

My question is why can't I use a procedure call 'exec'?

Thanks!
Re: public secret and public radius server. Is it secure?
Hi,

>> In my project, I don't own the hotspots, and don't know about the hotspots ISPs. The hotspots communicate to the radius server through the internet.
>
> I would suggest using another method to get a secure connection to the hotspot. Maybe IPSec.

this is again an example where a RadSec extension would come in extremely handy. Short wrapup: RadSec establishes connections via TCP and TLS and transports the RADIUS payload over it, so clients can be identified by their TLS certificate; IPs and shared secrets become obsolete. Create a dedicated CA for your servers, then whoever tries to connect can be checked against your CA root. Make the hotspots talk RadSec and let them communicate with your FR server via this link.

The only open problem is: right now there is only one implementation of RadSec in OSC's Radiator, and it could be better coded and more advanced.

I am working on a formal specification of RadSec right now, of which I hope it will somehow find a way into the Informational RFC track. There is a lot more potential in it than the OSC Whitepaper suggests. It would be really great to get an implementation of this in FR.

Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
Problem with Freeradius 1.1.2 OpenLDAP 2.3.20
Hello everyone,

I am trying to make Freeradius 1.1.2 work with OpenLDAP 2.3.20 (I was previously able to make it work perfectly with MySQL).

When I try to configure and compile Freeradius without any options, I receive a Segmentation Fault.

When I try to configure it with --with-rlm-ldap-lib-dir= ... --with-rlm-ldap-include-dir= ... and when I run the ./configure, I have the following error:

checking for ldap_init in -lldap_r ... no
checking for ldap.h ... no
configure: warning : silently not building rlm_ldap
configure: warning : FAILURE : rlm_ldap requires libldap_r ldap.h

I am sure my paths are correct, I am sure I have the file ldap.h in my OpenLDAP/include dir and I have a libldap_r directory in my OpenLDAP/libraries dir.

My Linux is a Mandrake 10.2

Any idea of what is wrong ? Is it a version problem and so, should I try with older versions ? Did I miss something important ?

Any help is welcome,

Thanks,
Nicolas Martin
Re: Freeradius-Users Digest, Vol 14, Issue 19
I am on holiday between June 5 to June 9. I will return to my office on June 12. See you soon.

Thanks,
Gilbert Lo
helpdesk at St. George's School
freeradius 1.1.2 rlm_unix on AMD 64
Hi all.

I have a big problem with freeradius and I need to fix it ASAP! If someone can help me ...

I've been using freeradius for a long time without any problem, but with v1.1.2, I can't do anything! When I want to start it, I'm always getting the message:

Module: Instantiated pam (pam)
radiusd.conf[604] Failed to link to module 'rlm_unix': /usr/lib64/rlm_unix.a: invalid ELF header
radiusd.conf[1880] Unknown module unix.
radiusd.conf[1840] Failed to parse authenticate section.

I tried to downgrade, but no older versions are available on Gentoo (ebuild).

Please... I really need your help guys!

Thank you
Re: public secret and public radius server. Is it secure?
Stefan Winter wrote:

> Hi,
>
>>> In my project, I don't own the hotspots, and don't know about the hotspots ISPs. The hotspots communicate to the radius server through the internet.
>>
>> I would suggest using another method to get a secure connection to the hotspot. Maybe IPSec.
>
> this is again an example where a RadSec extension would come in extremely handy. Short wrapup: RadSec establishes connections via TCP and TLS and transports the RADIUS payload over it, so clients can be identified by their TLS certificate; IPs and shared secrets become obsolete. Create a dedicated CA for your servers, then whoever tries to connect can be checked against your CA root. Make the hotspots talk RadSec and let them communicate with your FR server via this link.
>
> The only open problem is: right now there is only one implementation of RadSec in OSC's Radiator, and it could be better coded and more advanced.
>
> I am working on a formal specification of RadSec right now, of which I hope it will somehow find a way into the Informational RFC track. There is a lot more potential in it than the OSC Whitepaper suggests. It would be really great to get an implementation of this in FR.
>
> Greetings,
>
> Stefan Winter

I finally found a solution to this problem.

I will implement myself the dynamic ipaddress compatible radius server, using the NAS-identifier attributes in requests to determine the secret instead of the ipaddress. I will implement this in python from pyrad, a very simple radius implementation in python.

For authentication, chillispot uses CHAP which is secure enough for me. (I add some additional secret to the password.) The accounting request protected by a secret is also safe enough for me. (at the beginning)

I am sure that this could be implemented quite easily in freeradius. Maybe I'll do it if I have performance problems.

Regards
Sophana KOK
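The lookup described in the message above, choosing the shared secret by NAS-Identifier instead of by source IP address, shown as an added example that is not code from the thread, from pyrad or from FreeRADIUS. It uses only the Python standard library and checks the Accounting-Request authenticator defined in RFC 2866; the secrets table, the function names and the sample NAS names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RADIUS packet code
NAS_IDENTIFIER = 32      # attribute type
ACCT_STATUS_TYPE = 40    # attribute type

# Constructed sample table (hypothetical names and secrets):
# NAS-Identifier -> shared secret for that hotspot.
SECRETS = {
    b"hotspot-cafe-01": b"s3cret-cafe",
    b"hotspot-hotel-07": b"s3cret-hotel",
}


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_accounting_request(packet, secrets=SECRETS):
    """Return the NAS-Identifier if the packet authenticates, else None.

    The NAS-Identifier is attacker-controlled until the authenticator has
    been checked, so it is used only as a lookup key for the secret.
    """
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return None
    packet = packet[:length]          # ignore padding after the stated length
    try:
        attrs = parse_attributes(packet[20:])
    except ValueError:
        return None
    nas_ids = [value for atype, value in attrs if atype == NAS_IDENTIFIER]
    if len(nas_ids) != 1:             # missing or ambiguous identity
        return None
    secret = secrets.get(nas_ids[0])
    if secret is None:
        return None
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return nas_ids[0]


def build_accounting_request(ident, nas_id, secret):
    """Build a minimal signed Accounting-Request; used here to make sample input."""
    attrs = bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id
    attrs += bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", 1)  # 1 = Start
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


if __name__ == "__main__":
    good = build_accounting_request(1, b"hotspot-cafe-01", b"s3cret-cafe")
    print("valid packet ->", verify_accounting_request(good))
    # A hotspot that names another hotspot but signs with its own secret fails.
    spoofed = build_accounting_request(2, b"hotspot-cafe-01", b"s3cret-hotel")
    print("wrong secret ->", verify_accounting_request(spoofed))
```

This check covers Accounting-Request only: the Request Authenticator of an Access-Request is a random value that is not computed from the secret, so the same lookup for Access-Requests would have to rely on a Message-Authenticator attribute.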
Mikrotik Simultaneous Use
Hi,

I have more than twenty Mikrotik RouterBoard, all device calling same freeradius server... now.. can I use "Simultaneous Use:=1" for check if a user is connected or not from another device?

Thanks in advance..

Italo Morellato
LDAP-Authentication based on CHAP
Hello,

despite the FAQ entry "How do I make CHAP work with LDAP?": can anybody tell us if it's basically possible to run a CHAP auth against an LDAP?

I know that a specific LDAP service must be able to retrieve a user password and often it can't, because of the storage of the password as one-directional (hashed). So, only a simple bind is ok.

But if LDAP can run a CHAP-based password check by retrieving a password: is the LDAP protocol (v3) basically capable of doing this?

Hamburg/Germany, Rainer Brinkmann
Re: LDAP-Authentication based on CHAP
On Tue, 6 Jun 2006, Rainer Brinkmann wrote:

> Hello,
>
> despite the FAQ entry "How do I make CHAP work with LDAP?": can anybody tell us if it's basically possible to run a CHAP auth against an LDAP?
>
> I know that a specific LDAP service must be able to retrieve a user password and often it can't, because of the storage of the password as one-directional (hashed). So, only a simple bind is ok.
>
> But if LDAP can run a CHAP-based password check by retrieving a password: is the LDAP protocol (v3) basically capable of doing this?

If clear text passwords are available and can be retrieved by the ldap store then yes. Otherwise no. The ldap protocol has nothing to do with all this. It's only a matter of password availability.

> Hamburg/Germany, Rainer Brinkmann

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
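Why the answer above comes down to password availability, shown as an added example that is not code from the thread or from FreeRADIUS: the CHAP response is an MD5 over the identifier, the password itself and the challenge (RFC 1994), so a verifier that holds only a one-way hash such as an {SSHA} value can check PAP but has nothing to feed into the CHAP computation. The function names, the scheme list and the sample password are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

# Storage schemes treated as one-way in this example (assumed list, not exhaustive).
ONE_WAY_PREFIXES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")


def chap_response(chap_id, password, challenge):
    """RFC 1994 response: MD5(identifier octet + password + challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def ssha(password, salt):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_pap(stored, offered):
    """PAP delivers the password itself, so it can be re-hashed and compared."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(offered + salt).digest(), digest)
    return hmac.compare_digest(stored.encode(), offered)


def check_chap(stored, chap_password, challenge):
    """Verify a RADIUS CHAP-Password value (1 octet identifier + 16 octet response).

    Returns True or False when a clear-text password is available, and None
    when the stored form is a one-way hash and the check cannot be performed.
    """
    if stored.startswith(ONE_WAY_PREFIXES):
        return None  # the MD5 input (the password) cannot be recovered
    if len(chap_password) != 17:
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, stored.encode(), challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values.
    password = b"opensesame"
    challenge = bytes(range(16))
    chap_password = bytes([7]) + chap_response(7, password, challenge)

    hashed = ssha(password, b"saltsalt")
    print("CHAP, clear-text store:", check_chap("opensesame", chap_password, challenge))
    print("CHAP, {SSHA} store:    ", check_chap(hashed, chap_password, challenge))
    print("PAP,  {SSHA} store:    ", check_pap(hashed, password))
```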
Re: RP-pppoe
the attribute does not work with the GPL version of rp-pppoe

--- Mordor Networks [EMAIL PROTECTED] wrote:

> Hello list!
>
> I wonder if someone used the RP-Upstream-Speed-Limit and RP-Downstream-Speed-Limit ATTRIBUTES from roaring penguin rp-pppoe with mysql, if so can someone please tell me how to add the ATTRIBUTES to freeradius sql table radreply?
>
> thanks
OpenSSL weirdness
Hi there

I'm currently trying to compile freeradius v1.1.2 and I'm having some trouble getting openssl to link in. Version 1.0.5 compiles fine using the same configure flags. My configure line is:

./configure --with-openssl-libraries=/usr/local/openssl --with-openssl-includes=/usr/local/openssl/include --prefix=/usr/local/radius

I've pasted the entire output from configure at the end of the email in case it helps, but the important bits would seem to be these:

checking for DH_new in -lcrypto... (cached) yes
checking for SSL_new in -lssl... (cached) no

configuring in ./types/rlm_eap_tls
running /bin/sh ./configure --with-openssl-libraries=/usr/local/openssl --with-openssl-includes=/usr/local/openssl/include --prefix=/usr/local/radius --enable-ltdl-install --cache-file=../../../../.././config.cache --srcdir=.
loading cache ../../../../.././config.cache
checking for OpenSSL support... no
configure: warning: silently not building rlm_eap_tls.

I would appreciate any help you can give me

--
Mick Tait
Re: Problem with Freeradius 1.1.2 OpenLDAP 2.3.20
In reply to Nicolas Martin:

> checking for ldap_init in -lldap_r ... no
> checking for ldap.h ... no
> configure: warning : silently not building rlm_ldap
> configure: warning : FAILURE : rlm_ldap requires libldap_r ldap.h
>
> I am sure my paths are correct, I am sure I have the file ldap.h in my OpenLDAP/include dir and I have a libldap_r directory in my OpenLDAP/libraries dir.
>
> Any idea of what is wrong ? Is it a version problem and so, should I try with older versions ? Did I miss something important ?

Please look for error messages in src/modules/rlm_ldap/config.log

--
Nicolas Baradakis
Re: Storing in SQL, Procedure call
I'm using the same setup for access to some ancient Sybase and it works fine. However, the query doesn't use EXEC ... it's plain:

accounting_stop_query = sp_my_stored_procedure_name '%{SQL-User-Name}','%{Realm}',

I did have problems with freetds 0.62.3, tho, so I installed 0.63 and had no problems with Sybase access since then.

On the other hand, Oracle setup (using rlm_sql_oracle) with EXEC SP_NAME(...) didn't work either, so I had to change it to BEGIN SP_NAME(...); END; Maybe that would work for your unixODBC/freetds setup too.

--
Best regards,
Marko Dinic, System Engineer - YUnet International
http://www.eunet.yu
Dubrovacka 35/III, 11000 Belgrade
Tel: +381 11 311 9901; Fax: + 381 11 311 9901

> Hi,
>
> I'm using freeradius with freetds and unixodbc. I am having an issue using a procedure call to insert to a Microsoft SQL Server. When I try to use the procedure call 'exec', I see the following errors:
>
> radius_xlat: 'exec ***
> rlm_sql (sql): Reserving sql socket id: 8
> query: exec ***
> rlm_sql_unixodbc: '0 '
> rlm_sql (sql): Couldn't update SQL accounting ALIVE record - 0
>
> But if I don't use a procedure call and use an insert command in its place, it works just fine.
>
> radius_xlat: 'INSERT
> rlm_sql (sql): Reserving sql socket id: 3
> rlm_sql (sql): Released sql socket id: 3
> modcall[accounting]: module sql returns ok for request 6
>
> My question is why can't I use a procedure call 'exec'?
>
> Thanks!
Re: Problem with Freeradius 1.1.2 OpenLDAP 2.3.20
> Please look for error messages in src/modules/rlm_ldap/config.log
> -- Nicolas Baradakis

The two main errors I can find are:

/usr/bin/ld: cannot find -lldap_r
collect2: ld returned 1 exit status
configure: failed program was:
#line 974 configure
#include confdefs.h

(3 times) and

In file included from .../ldap.h:30
.../lber.h:29:24: lber_types.h: no such file or directory

(and after that, an enormous number of syntax errors in lber.h)

It is true that I don't have any lber_types.h file, I only have a file called lber_types.hin. But renaming this file does not solve the problem ...

Thanks,
Nicolas Martin
SSL error using MS-CHAPv2 - new in 1.1.2
Hi,

I logged in via PEAP after a brand-new upgrade to 1.1.2 today, and saw a new error message (everything worked fine though):

Error: TLS_accept:error in SSLv3 read client certificate A
Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Info: rlm_eap_mschapv2: Issuing Challenge
Auth: Login OK: [EMAIL PROTECTED] (from client localhost port 0)

these new errors in rlm_eap are somewhat intriguing. Anyone a clue?

Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
Re: Hello,
It would be difficult to say how RADIUS would interact with the actual ACE server since it's a proprietary system.

In 2002 I thought about going down this route and I'm summarizing from the 5 page SecurId integration document.

You must write code that uses RSA's 'RSA Agent' software to communicate with the RSA ACE server. You must become a partner at a cost of ten thousand dollars for each product each year you provide the product(s). You must pay RSA twenty percent of your product's licensing fee. And you must have RSA certify it and may be required to provide a training program for RSA certification technicians.

The sublicense agreement with RSA is incompatible with any open source software.

The best thing to do is use FreeRadius as a proxy to the RSA RADIUS server.

From a client's point of view the ACE RADIUS server may require a simple CHAP/PAP transaction or there may be challenges asking for more information. It depends on the RSA server configuration.

darshak wrote:

> Hi All I m new to AAA things.I want how can I support RSA ACE/Server in freeradius. Can anyone has details How interaction is made between RADIUS and RSA/ACE-server?. in general scenario
>
> Rgds
> DArshak
Re: SSL error using MS-CHAPv2 - new in 1.1.2
Despite this error the authentication works well? Because I've got the same error but LDAP authentication fails and I don't know if it's due to that client certificate error?

Thomas Hahusseau

2006/6/6, Stefan Winter [EMAIL PROTECTED]:

> Hi,
>
> I logged in via PEAP after a brand-new upgrade to 1.1.2 today, and saw a new error message (everything worked fine though):
>
> Error: TLS_accept:error in SSLv3 read client certificate A
> Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
> Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
> Info: rlm_eap_mschapv2: Issuing Challenge
> Auth: Login OK: [[EMAIL PROTECTED]] (from client localhost port 0)
>
> these new errors in rlm_eap are somewhat intriguing. Anyone a clue?
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
> Ingenieur Forschung Entwicklung
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
> http://www.restena.lu Fax: +352 422473
Re: SSL error using MS-CHAPv2 - new in 1.1.2
Hi,

>> Error: TLS_accept:error in SSLv3 read client certificate A
>> Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
>> Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
>> Info: rlm_eap_mschapv2: Issuing Challenge
>> Auth: Login OK: [EMAIL PROTECTED] (from client localhost port 0)
>
> Despite this error the authentication works well? Because I've got the same error but LDAP authentication fails and I don't know if it's due to that client certificate error?

It works well. The client certificate error is no error at all, and it's not the reason why I'm asking here. I ask because of the two lines below, which is _not_ business as usual.

Oh, I should have mentioned initially: it's OpenSSL 0.9.8a. Unchanged in FR 1.1.1, but 1.1.1 didn't spit out these errors.

Greetings,

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
Re: Hello,
Many thanks to you. This has helped me greatly.

Some doubts I have: if I use my radius as proxy, then this should be based upon realm or something like that? And such a configuration will not need me to write any s/w from my end, right?

Rgds
Darshak

----- Original Message -----
From: Michael Lecuyer [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, June 06, 2006 6:38 PM
Subject: Re: Hello,

> It would be difficult to say how RADIUS would interact with the actual ACE server since it's a proprietary system.
>
> In 2002 I thought about going down this route and I'm summarizing from the 5 page SecurId integration document.
>
> You must write code that uses RSA's 'RSA Agent' software to communicate with the RSA ACE server. You must become a partner at a cost of ten thousand dollars for each product each year you provide the product(s). You must pay RSA twenty percent of your product's licensing fee. And you must have RSA certify it and may be required to provide a training program for RSA certification technicians.
>
> The sublicense agreement with RSA is incompatible with any open source software.
>
> The best thing to do is use FreeRadius as a proxy to the RSA RADIUS server.
>
> From a client's point of view the ACE RADIUS server may require a simple CHAP/PAP transaction or there may be challenges asking for more information. It depends on the RSA server configuration.
>
> darshak wrote:
>
>> Hi All I m new to AAA things.I want how can I support RSA ACE/Server in freeradius. Can anyone has details How interaction is made between RADIUS and RSA/ACE-server?. in general scenario
>>
>> Rgds
>> DArshak
Re: Hello,
On Tuesday, 6 June 2006 15:56, darshak wrote:

> many thanxs to u.This has helped me greatly. Some doubts i have : If I use My radius as proxy ,then this should based upon realm or something like that? And such configuration will not need to write Any s/w from my end? right?

If you have the RSA RADIUS, why do you want to use FreeRADIUS as proxy only system? Does this config make sense? If yes read proxy docu in the doc/ directory.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
Re: PEAP authentication with freerad ?
I assume by PEAP, you mean the most-often-seen PEAP/EAP-MSCHAPv2. In this case, MD5 is not involved anywhere. The passwords are hashed differently. As such, you must either have an NT hashed password (which is actually a unicode-encoded MD4 hash of the password) or a cleartext password in your directory.

--Mike

On Jun 6, 2006, at 3:36 AM, thomas hahusseau wrote:

> Hello,
>
> I would like to use PEAP to perform authentication of wlan users, I choose PEAP because Users and Passwords are in an LDAP Server (OPEN-LDAP).
>
> According to me PEAP works like this:
>
> Phase 1 :: TLS handshake: the server authenticates to the client as a trusted radius server and a ciphered tunnel is created.
>
> Phase 2 :: Login + Password + Domain hashed with MD5 are sent to the Radius Server which asks the LDAP server for password and login.
>
> According to the doc file: realm_eap, freeradius supports only eap-tls (authentication based only on certificates (client + server) lead and eap-MD5 (according to me even if PEAP uses MD5 hash, the EAP-MD5 is different with no mutual authentication and no TLS handshake)
>
> I don't want to use a full certificate based solution like EAP-TLS or an authentication with no ciphered tunnel like with EAP-MD5
>
> Anyone could help me for using PEAP (or at least authentication with the two phases described above) with freeradius?
>
> thank you.
>
> Ps : sorry for english mistakes :)
Re: Freeradius-Users Digest, Vol 14, Issue 22
On Tuesday 06 June 2006 09:39, Gilbert Lo wrote:

> I am on holiday between June 5 to June 9. I will return to my office on June 12. See you soon.
>
> Thanks,
> Gilbert Lo

Great! When you return, you should have someone fix your auto-responder so we don't see these annoying messages. At least you're just responding to digests though...

-Kevin
Re: PEAP authentication with freerad ?
Yes I use PEAP/MsChapv2, and passwords in OpenLDAP are stocked in clear mode, but there is a really strange error while I try an authentication via EAP-PEAP (MSCHAPv2). Here is the output of Freeradius:

lm_ldap: checking if remote access for test is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 6
modcall: group authorize returns ok for request 6
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 6
modcall: group Auth-Type returns reject for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module eap returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
Login incorrect: [test/no User-Password attribute] (from client localhost port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE

I don't know if that error is due to an impossible comparison between hashed password in mschap and clear openldap password or if there is problems fields NT/LM-Password.

2006/6/6, Michael Griego [EMAIL PROTECTED]:

> I assume by PEAP, you mean the most-often-seen PEAP/EAP-MSCHAPv2. In this case, MD5 is not involved anywhere. The passwords are hashed differently. As such, you must either have an NT hashed password (which is actually a unicode-encoded MD4 hash of the password) or a cleartext password in your directory.
>
> --Mike
>
> On Jun 6, 2006, at 3:36 AM, thomas hahusseau wrote:
>
>> Hello,
>>
>> I would like to use PEAP to perform authentication of wlan users, I choose PEAP because Users and Passwords are in an LDAP Server (OPEN-LDAP).
>>
>> According to me PEAP works like this:
>>
>> Phase 1 :: TLS handshake: the server authenticates to the client as a trusted radius server and a ciphered tunnel is created.
>>
>> Phase 2 :: Login + Password + Domain hashed with MD5 are sent to the Radius Server which asks the LDAP server for password and login.
>>
>> According to the doc file: realm_eap, freeradius supports only eap-tls (authentication based only on certificates (client + server) lead and eap-MD5 (according to me even if PEAP uses MD5 hash, the EAP-MD5 is different with no mutual authentication and no TLS handshake)
>>
>> I don't want to use a full certificate based solution like EAP-TLS or an authentication with no ciphered tunnel like with EAP-MD5
>>
>> Anyone could help me for using PEAP (or at least authentication with the two phases described above) with freeradius?
>>
>> thank you.
>>
>> Ps : sorry for english mistakes :)
Re: Freeradius-Users Digest, Vol 14, Issue 23
I am on holiday between June 5 to June 9. I will return to my office on June 12. See you soon. Thanks, Gilbert Lo helpdesk at St. George's School
Re: SSL error using MS-CHAPv2 - new in 1.1.2
Stefan Winter [EMAIL PROTECTED] wrote:
> I logged in via PEAP after a brand-new upgrade to 1.1.2 today, and saw a new error message (everything worked fine though):
>
> Error: TLS_accept:error in SSLv3 read client certificate A
> Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
> Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
> Info: rlm_eap_mschapv2: Issuing Challenge
> Auth: Login OK: [EMAIL PROTECTED] (from client localhost port 0)
>
> these new errors in rlm_eap are somewhat intriguing. Anyone a clue?

doc/ChangeLog

Prior to 1.1.2, SSL errors went to stderr, which in daemon mode was /dev/null.

Alan DeKok.
Re: PEAP authentication with freerad ?
thomas hahusseau [EMAIL PROTECTED] wrote:
> modcall: entering group Auth-Type for request 6
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.

This means that the server has no clear-text password. i.e. it wasn't retrieved from LDAP.

See the rest of the debug log to see what was retrieved from LDAP.

Alan DeKok.
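The check suggested in the reply above, reading the debug log to see what LDAP returned before rlm_mschap complained, as an added example that is not part of the original thread. The failing sample uses lines from the debug output posted earlier in the thread; the working sample is constructed, and the format of its attribute-mapping line is an assumption (the detector only relies on some rlm_ldap line appearing between the two "looking for ... items" markers).

```python
import re
from collections import defaultdict

# Lines taken from the debug output posted in the thread (request 6).
SAMPLE_FAILING = """\
rlm_ldap: performing search in dc=dist,dc=demo,dc=net, with filter (uid=test)
rlm_ldap: checking if remote access for test is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
modcall[authorize]: module ldap returns ok for request 6
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
modcall[authenticate]: module mschap returns reject for request 6
"""

# Constructed counter-example: the "Adding ..." line format is an assumption.
SAMPLE_WORKING = """\
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value test & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
modcall[authorize]: module ldap returns ok for request 7
modcall[authenticate]: module mschap returns ok for request 7
"""

MODCALL = re.compile(
    r'^modcall\[(\w+)\]: module "?([\w-]+)"? returns (\w+) for request (\d+)')


def diagnose(log_text):
    """Return {request_id: set of finding codes} for a radiusd -X style log."""
    per_request = defaultdict(set)
    pending = set()          # findings waiting for the next "for request N" line
    in_check_items = False   # between "check items" and "reply items" markers
    mapped = 0               # rlm_ldap lines seen inside that window
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("rlm_ldap: looking for check items"):
            in_check_items, mapped = True, 0
        elif line.startswith("rlm_ldap: looking for reply items"):
            if in_check_items and mapped == 0:
                pending.add("LDAP_NO_CHECK_ITEMS")
            in_check_items = False
        elif in_check_items and line.startswith("rlm_ldap:"):
            mapped += 1
        elif line.startswith("rlm_mschap: FAILED: No NT/LM-Password"):
            pending.add("MSCHAP_NO_PASSWORD")
        else:
            m = MODCALL.match(line)
            if m and pending:
                per_request[int(m.group(4))] |= pending
                pending = set()
    return dict(per_request)


def explain(codes):
    """Turn a set of finding codes into a one-line root-cause statement."""
    if {"LDAP_NO_CHECK_ITEMS", "MSCHAP_NO_PASSWORD"} <= codes:
        return ("LDAP search succeeded but mapped no check items, so no "
                "password reached rlm_mschap: check the attribute map and "
                "the bind identity's read access to the password attribute")
    if "MSCHAP_NO_PASSWORD" in codes:
        return ("rlm_mschap had no password although LDAP mapped check items: "
                "check which attribute was mapped")
    if "LDAP_NO_CHECK_ITEMS" in codes:
        return "LDAP mapped no check items for this user"
    return "no password-retrieval problem found"


if __name__ == "__main__":
    for name, log in (("failing", SAMPLE_FAILING), ("working", SAMPLE_WORKING)):
        result = diagnose(log)
        print(name, result or "clean")
        for req, codes in result.items():
            print("  request", req, "->", explain(codes))
```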
Re: public secret and public radius server. Is it secure?
Stefan Winter [EMAIL PROTECTED] wrote:
> this is again an example where a RadSec extension would come in extremely handy. Short wrapup: RadSec establishes connections via TCP and TLS and transports the RADIUS payload over it, so clients can be identified by their TLS certificate; IPs and shared secrets become obsolete.

This is *extremely* useful, and solves a lot of deployment problems.

> I am working on a formal specification of RadSec right now, of which I hope it will somehow find a way into the Informational RFC track. There is a lot more potential in it than the OSC Whitepaper suggests.

I'm available to work on it too, if you need help.

> It would be really great to get an implementation of this in FR.

I don't think it's that hard, it just needs to be done.

Alan DeKok.
Re: freeradius 1.1.2 rlm_unix on AMD 64
MaKKrO [EMAIL PROTECTED] wrote:
> radiusd.conf[604] Failed to link to module 'rlm_unix': /usr/lib64/rlm_unix.a: invalid ELF header

Build the server with shared library support.

Why do some modules work, and others fail?

Alan DeKok.
Re: OpenSSL weirdness
Mick Tait [EMAIL PROTECTED] wrote:
> I've pasted the entire output from configure at the end of the email in case it helps, but the important bits would seem to be these:
>
> checking for DH_new in -lcrypto... (cached) yes
> checking for SSL_new in -lssl... (cached) no

See config.log for reasons why a particular check failed.

Alan DeKok.
Re: Problem with Freeradius 1.1.2 OpenLDAP 2.3.20
Nicolas Martin [EMAIL PROTECTED] wrote:
> In file included from .../ldap.h:30
> .../lber.h:29:24: lber_types.h: no such file or directory
> ...
> It is true that I don't have any lber_types.h file

The LDAP headers are telling you they need that lber_types.h. If you don't have it, then nothing you do to FreeRADIUS will change anything. You MUST fix your LDAP installation so that it works.

> , I only have a file called lber_types.hin. But renaming this file does not solve the problem ...

Where is this file? It looks like you didn't install the LDAP client code...

Alan DeKok.
RE: SecurID authentication
Darshak,

I'm not a legal representative, but Michael's response is for someone that wishes to sell or distribute(?) a product that uses the SecurID service.

While doing a RADIUS proxy to the new RADIUS server may be the correct approach, if you are an owner of a SecurID server solution, you can certainly develop code to use your licensed server for whatever application you wish.

The product offering includes an ACE Client SDK which gives you a C-language API for doing SecurID authentication. It would be fairly straightforward to develop your own FreeRADIUS module, but there are details with New Pin assignment and Next Token mode that get messy. The server uses Access-Challenge for them.

Also the new server includes EAP support for several methods. So proxy may still be the best path.

David Mitton
Software Development, RSA Security, Inc.

PS: I urge all senders to use meaningful Subject lines, the original message was discarded by me on first pass as spam.

- Original Message -
From: Michael Lecuyer [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Hello,
Date: Tue, 06 Jun 2006 09:08:16 -0400

It would be difficult to say how RADIUS would interact with the actual ACE server since it's a proprietary system.

In 2002 I thought about going down this route and I'm summarizing from the 5 page SecurId integration document.

You must write code that uses RSA's 'RSA Agent' software to communicate with the RSA ACE server. You must become a partner at a cost of ten thousand dollars for each product each year you provide the product(s). You must pay RSA twenty percent of your product's licensing fee. And you must have RSA certify it and may be required to provide a training program for RSA certification technicians.

The sublicense agreement with RSA is incompatible with any open source software.

The best thing to do is use FreeRadius as a proxy to the RSA RADIUS server.

From a client's point of view the ACE RADIUS server may require a simple CHAP/PAP transaction or there may be challenges asking for more information. It depends on the RSA server configuration.

darshak wrote:
> Hi All, I'm new to AAA things. I want to know how I can support RSA ACE/Server in freeradius. Does anyone have details of how interaction is made between RADIUS and RSA/ACE-server, in the general scenario?
> Rgds DArshak
Problem building the rlm_mysql module
I am having a problem building the rlm_mysql module. Can someone tell me what I'm doing wrong here? Please help.

OS: RedHat Enterprise 3 WS - Clean install
Hardware: Sunfire 20z AMD-64bit
Mysql Package:
MySQL-client-standard-5.0.22-0.rhel3.x86_64.rpm
MySQL-devel-standard-5.0.22-0.rhel3.x86_64.rpm
MySQL-server-standard-5.0.22-0.rhel3.x86_64.rpm
MySQL-shared-compat-5.0.22-0.rhel3.x86_64.rpm

I tried to build the module, just for debugging my problem, directly in the module sources directory.

[EMAIL PROTECTED] rlm_sql_mysql]$ make all
/home/abaker/src/freeradius-1.1.2/libtool --mode=compile gcc -g -O2 -I../.. -I/home/abaker/src/freeradius-1.1.2/src/include -I/usr/include/mysql -g -pipe -c sql_mysql.c
mkdir .libs
gcc -g -O2 -I../.. -I/home/abaker/src/freeradius-1.1.2/src/include -I/usr/include/mysql -g -pipe -c sql_mysql.c -fPIC -DPIC -o .libs/sql_mysql.lo
sql_mysql.c: In function `sql_error':
sql_mysql.c:333: warning: return discards qualifiers from pointer target type
gcc -g -O2 -I../.. -I/home/abaker/src/freeradius-1.1.2/src/include -I/usr/include/mysql -g -pipe -c sql_mysql.c -o sql_mysql.o >/dev/null 2>&1
mv -f .libs/sql_mysql.lo sql_mysql.lo
/home/abaker/src/freeradius-1.1.2/libtool --mode=link gcc -release 1.1.2 \
-module -export-dynamic -o rlm_sql_mysql.la \
-rpath /clique/freeradius-1.1.2/lib sql_mysql.lo -L/usr/lib64/mysql -lmysqlclient_r -lz -lpthread -lcrypt -lnsl -lm -lpthread

*** Warning: This library needs some functionality provided by /usr/lib64/mysql/libmysqlclient_r.la.
*** I have the capability to make that library automatically link in when
*** you link to this library. But I can only do this if you have a
*** shared version of the library, which you do not appear to have.
*** Therefore, libtool will create a static module, that should work
*** as long as the dlopening application is linked with the -dlopen flag.
rm -fr .libs/rlm_sql_mysql.la .libs/rlm_sql_mysql.* .libs/rlm_sql_mysql-1.1.2.*
ar cru .libs/rlm_sql_mysql.a sql_mysql.o
ranlib .libs/rlm_sql_mysql.a
creating rlm_sql_mysql.la
(cd .libs && rm -f rlm_sql_mysql.la && ln -s ../rlm_sql_mysql.la rlm_sql_mysql.la)
Re: OpenSSL weirdness
Alan DeKok wrote:
> Mick Tait [EMAIL PROTECTED] wrote:
>> I've pasted the entire output from configure at the end of the email in case it helps, but the important bits would seem to be these:
>>
>> checking for DH_new in -lcrypto... (cached) yes
>> checking for SSL_new in -lssl... (cached) no
>
> See config.log for reasons why a particular check failed.
>
> Alan DeKok.

Hi Alan,

Thanks for the response. I did look through this file and every other file I could find that might shed some light on this. Unfortunately I found nothing that made any sense to me as regards this issue.

Rather than paste them here and increase the amount of stuff coming through the list I'm pasting URL's to the files instead.

http://www.bmnetworks.co.uk/freeradius

I'd appreciate any help you can give.

Thank you
--
Mick Tait
Re: PEAP authentication with freerad ?
/huntgroups
preprocess: hints = /opt/freeradius/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = yes
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
realm: format = prefix
realm: delimiter = \
realm: ignore_default = yes
realm: ignore_null = yes
Module: Instantiated realm (ntdomain)
Module: Loaded files
files: usersfile = /opt/freeradius/etc/raddb/users
files: acctusersfile = /opt/freeradius/etc/raddb/acct_users
files: preproxy_usersfile = /opt/freeradius/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
detail: detailfile = /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /var/log/freeradius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
detail: detailfile = /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (reply_log)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.5:3314, id=139, length=116
    NAS-IP-Address = 192.168.0.5
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 1
    Framed-MTU = 1400
    User-Name = test
    Calling-Station-Id = 004096a1ce69
    Called-Station-Id = 000fcb00f04c
    NAS-Identifier = DIST-AP
    EAP-Message = 0x020100090174657374
    Message-Authenticator = 0x04e30ce26d28e459d6f26e8cefe9c11b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/var/log/freeradius/radacct/192.168.0.5/auth-detail-20060606'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.5/auth-detail-20060606
modcall[authorize]: module auth_log returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_realm: No '\' in User-Name = test, skipping NULL due to config.
modcall[authorize]: module ntdomain returns noop for request 0
users: Matched entry DEFAULT at line 215
modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat: '(uid=test)'
radius_xlat: 'dc=dist,dc=demo,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dist,dc=demo,dc=net, with filter (uid=test)
rlm_ldap: checking if remote access for test is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 139 to 192.168.0.5:3314
    EAP-Message = 0x010200061920
    Message-Authenticator = 0x
    State = 0xe2babc9392179f148e247671f72305a5
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.5:3315, id=140, length=231
    NAS-IP-Address = 192.168.0.5
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 1
    Framed-MTU
RE: Storing in SQL, Procedure call
I tried both suggestions and still no luck. Any other suggestion on how to get a Stored Procedure to work with FreeRadius, unixODBC/FreeTDS and Microsoft SQL Server 2000? For some reason, when trying to call a Stored Procedure, the rlm_sql module is trying to perform a query rather than the procedure call.

Thanks!

-Original Message-
From: Marko Dinic [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 4:16 AM
To: freeradius-users@lists.freeradius.org
Cc: Jackie Lau
Subject: Re: Storing in SQL, Procedure call

I'm using the same setup for access to some ancient Sybase and it works fine. However, the query doesn't use EXEC ... it's plain:

accounting_stop_query = sp_my_stored_procedure_name '%{SQL-User-Name}','%{Realm}',

I did have problems with freetds 0.62.3, tho, so I installed 0.63 and had no problems with Sybase access since then.

On the other hand, Oracle setup (using rlm_sql_oracle) with EXEC SP_NAME(...) didn't work either, so I had to change it to BEGIN SP_NAME(...); END; Maybe that would work for your unixODBC/freetds setup too.

--
Best regards,
Marko Dinic, System Engineer - YUnet International http://www.eunet.yu
Dubrovacka 35/III, 11000 Belgrade
Tel: +381 11 311 9901; Fax: + 381 11 311 9901

> Hi, I'm using freeradius with freetds and unixodbc. I am having an issue using a procedure call to insert to a Microsoft SQL Server. When I try to use the procedure call 'exec', I see the following errors:
>
> radius_xlat: 'exec ***
> rlm_sql (sql): Reserving sql socket id: 8
> query: exec ***
> rlm_sql_unixodbc: '0 '
> rlm_sql (sql): Couldn't update SQL accounting ALIVE record - 0
>
> But if I don't use a procedure call and use an insert command in its place, it works just fine.
>
> radius_xlat: 'INSERT
> rlm_sql (sql): Reserving sql socket id: 3
> rlm_sql (sql): Released sql socket id: 3
> modcall[accounting]: module sql returns ok for request 6
>
> My question is why can't I use a procedure call 'exec'? Thanks!
Re: PEAP authentication with freerad ?
thomas hahusseau [EMAIL PROTECTED] wrote:
> First : If I uncomment eap in authorize section of radiusd.conf :

Which you MUST do, or EAP doesn't work.

> rlm_eap_peap: Had sent TLV failure, rejecting.

sigh Why are you insisting on looking at only a portion of the debug output? Look PREVIOUSLY in the output to see what's going wrong, and why.

And if you see the same No User-Password message, please don't post that.

> Second : If I comment eap in authorize section of radiusd.conf

It doesn't work.

> I hope you could help I'm blocked on that problem for 2 weeks and the end of my training period is close and I would like to finish it before :).

I really don't understand.

1) get CHAP working with LDAP, where the clear-text passwords are read from LDAP. If that doesn't work, it won't work for EAP.
2) Put a different user clear-text password in users. Get EAP working.
3) Try EAP with the username from (1).

If it doesn't work, I will be EXTREMELY surprised.

Alan DeKok.
Re: OpenSSL weirdness
Mick Tait [EMAIL PROTECTED] wrote:
> Thanks for the response. I did look through this file and every other file I could find that might shed some light on this. Unfortunately I found nothing that made any sense to me as regards this issue.
>
> Rather than paste them here and increase the amount of stuff coming through the list I'm pasting URL's to the files instead.

The config.log file looks like most of the content has been removed. i.e. when it says checking for X, it should then contain lines running gcc, etc.

Alan DeKok.
postgresql and freeradius (dialupadmin)
Hello,

I've got freeradius running with a postgresql backend, but since I can't get (IMHO correctly configured) dialupadmin running I'm not even sure it runs ok. My apache2 says something like:

[notice] child pid 27829 exit signal Segmentation fault (11)

and the postgres daemon:

could not accesp SSL connection: connection terminated ...

while the http browser gives something like 'connection terminated' whenever I'm trying to perform any operation excluding just the 'home page'.

I've been trying and googling to get any solution but found only some (crappy?) posts from a few years ago. Is it that my database is corrupted? (I've had some problems creating it.) Could anybody help me with the solution?

Thanks in advance.
Krzysztof
Re: OpenSSL weirdness
Alan DeKok wrote:
> Mick Tait [EMAIL PROTECTED] wrote:
>> Thanks for the response. I did look through this file and every other file I could find that might shed some light on this. Unfortunately I found nothing that made any sense to me as regards this issue.
>>
>> Rather than paste them here and increase the amount of stuff coming through the list I'm pasting URL's to the files instead.
>
> The config.log file looks like most of the content has been removed. i.e. when it says checking for X, it should then contain lines running gcc, etc.
>
> Alan DeKok.

That's odd to say the least. All I did was symlink to the file itself, so something else must have upset the log - either that or there's something happened to my system. I'll try deleting the source directory, extracting the tarball and starting again.

Thanks
--
Mick Tait
RE: postgresql and freeradius (dialupadmin)
I would say it is rather an apache2 problem. Update it to the latest version and be sure that your apache2+php+postgres works before you start dialupadmin.

Regards,
Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Krzysztof Matusik
Sent: Wednesday, 07 June 2006 01:03
To: freeradius-users@lists.freeradius.org
Subject: postgresql and freeradius (dialupadmin)

Hello,

I've got freeradius running with a postgresql backend, but since I can't get (IMHO correctly configured) dialupadmin running I'm not even sure it runs ok. My apache2 says something like:

[notice] child pid 27829 exit signal Segmentation fault (11)

and the postgres daemon:

could not accesp SSL connection: connection terminated ...

while the http browser gives something like 'connection terminated' whenever I'm trying to perform any operation excluding just the 'home page'.

I've been trying and googling to get any solution but found only some (crappy?) posts from a few years ago. Is it that my database is corrupted? (I've had some problems creating it.) Could anybody help me with the solution?

Thanks in advance.
Krzysztof
Re: OpenSSL weirdness
Alan DeKok wrote:
> The config.log file looks like most of the content has been removed. i.e. when it says checking for X, it should then contain lines running gcc, etc.
>
> Alan DeKok.

That's odd to say the least. All I did was symlink to the file itself, so something else must have upset the log - either that or there's something happened to my system. I'll try deleting the source directory, extracting the tarball and starting again.

Thanks
--
Mick Tait

Bloody hell. This time it linked in and compiled cleanly. I have no idea what's different this time around, but hell it's working so I'm not complaining.

Thanks for your time, and sorry to have wasted it.
--
Mick Tait
session tracking
I have read over the docs but haven't found a clear way to turn off session tracking. I just want the radius server to give an Accept or Reject for user auth (which I have working with mysql) and not track the session (start/stop records etc...) Thanks Jeremy
RE: session tracking
Hi,

session tracking is called - accounting ! the last A in AAA ;)

Just empty the accounting { } part in your radiusd.conf file. If your NAS sends accounting info - turn it off !

Regards,
Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeremy Ford
Sent: Wednesday, 07 June 2006 01:58
To: 'FreeRadius users mailing list'
Subject: session tracking

I have read over the docs but haven't found a clear way to turn off session tracking. I just want the radius server to give an Accept or Reject for user auth (which I have working with mysql) and not track the session (start/stop records etc...)

Thanks
Jeremy
Re: SecurID authentication
Thanks David,

This has been useful to me. Although proxy is the best answer, I just want to go into some details.

If I own an RSA ACE/Server, does it come with the RSA ACE/client agent? Then what I need to do is write code that talks with FreeRADIUS and the RSA ACE/client? Or do I not need to do it? Does this RSA/ACE server come with a client that talks to RADIUS, so that I can be free from the coding burden?

Can you please explain how RADIUS and the RSA/ACE server talk to each other (if I do not use proxy)?

I have read that Lucent and SBR support this RSA/ACE SecurID, so how do they actually support it? Have they coded something extra, or is it by proxy?

Thanks again for your help
Rgds Darshak

- Original Message -
From: David Mitton [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, June 06, 2006 10:23 PM
Subject: RE: SecurID authentication

Darshak,

I'm not a legal representative, but Michael's response is for someone that wishes to sell or distribute(?) a product that uses the SecurID service.

While doing a RADIUS proxy to the new RADIUS server may be the correct approach, if you are an owner of a SecurID server solution, you can certainly develop code to use your licensed server for whatever application you wish.

The product offering includes an ACE Client SDK which gives you a C-language API for doing SecurID authentication. It would be fairly straightforward to develop your own FreeRADIUS module, but there are details with New Pin assignment and Next Token mode that get messy. The server uses Access-Challenge for them.

Also the new server includes EAP support for several methods. So proxy may still be the best path.

David Mitton
Software Development, RSA Security, Inc.

PS: I urge all senders to use meaningful Subject lines, the original message was discarded by me on first pass as spam.

- Original Message -
From: Michael Lecuyer [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Hello,
Date: Tue, 06 Jun 2006 09:08:16 -0400

It would be difficult to say how RADIUS would interact with the actual ACE server since it's a proprietary system.

In 2002 I thought about going down this route and I'm summarizing from the 5 page SecurId integration document.

You must write code that uses RSA's 'RSA Agent' software to communicate with the RSA ACE server. You must become a partner at a cost of ten thousand dollars for each product each year you provide the product(s). You must pay RSA twenty percent of your product's licensing fee. And you must have RSA certify it and may be required to provide a training program for RSA certification technicians.

The sublicense agreement with RSA is incompatible with any open source software.

The best thing to do is use FreeRadius as a proxy to the RSA RADIUS server.

From a client's point of view the ACE RADIUS server may require a simple CHAP/PAP transaction or there may be challenges asking for more information. It depends on the RSA server configuration.

darshak wrote:
> Hi All, I'm new to AAA things. I want to know how I can support RSA ACE/Server in freeradius. Does anyone have details of how interaction is made between RADIUS and RSA/ACE-server, in the general scenario?
> Rgds DArshak
Peap/leap/wap
Does free radius support PEAP/LEAP 802.1x authentication? How can I configure it?

- Original Message -
From: Michael Griego [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, June 06, 2006 7:52 PM
Subject: Re: PEAP authentication with freerad ?
Re: freeradius 1.1.2 rlm_unix on AMD 64
OK, but how I can do that ??? Thanks
Exec-Program and length of arguments
Hi. If I add this to the users file:

bob Auth-Type := Local, User-Password == bob
    Reply-Message = Hello, %u,
    Exec-Program = /home/engineer/acrad.pl User-Name=%{User-Name} Service-Type=%{Service-Type} Acct-Status-Type=%{Acct-Status-Type} Acct-Session-Id=%{Acct-Session-Id} Framed-Protocol=%{Framed-Protocol} NAS-Identifier=%{NAS-Identifier} NAS-Port-Id=%{NAS-Port-Id}

it works. But I need to pass more arguments to my program, and as far as I can see there is some limit. If I add this:

    Exec-Program = /home/engineer/acrad.sh User-Name=%{User-Name} Service-Type=%{Service-Type} Acct-Status-Type=%{Acct-Status-Type} Acct-Session-Id=%{Acct-Session-Id} Framed-Protocol=%{Framed-Protocol} NAS-Identifier=%{NAS-Identifier} NAS-Port-Id=%{NAS-Port-Id} NAS-IP-Address=%{NAS-IP-Address} Calling-Station-Id=%{Calling-Station-Id} Called-Station-Id=%{Called-Station-Id} Framed-IP-Address=%{Framed-IP-Address} Acct-Input-Octets=%{Acct-Input-Octets} Acct-Output-Octets=%{Acct-Output-Octets} Acct-Input-Packets=%{Acct-Input-Packets} Acct-Output-Packets=%{Acct-Output-Packets} Acct-Session-Time=%{Acct-Session-Time} Acct-Terminate-Cause=%{Acct-Terminate-Cause}

# radiusd -sfxxyz -l stdout 2>&1
...
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
/etc/raddb/users[220]: Parse error (reply) for entry bob: Expected end of line or comma
Errors reading /etc/raddb/users
radiusd.conf[1047]: files: Module instantiation failed.
radiusd.conf[1791] Unknown module files.
radiusd.conf[1727] Failed to parse authorize section.

and the same happens with the hints file. The main goal is that I need to do some accounting with my script. I looked at experimental.conf (the perl section), but for now I don't understand whether I can utilize it for my needs somehow. What can I do?

--
engineer