Hello,

2006-06-06 Thread darshak



Hi All
I'm new to AAA things. I want to know how I can support RSA ACE/Server in
freeradius.
Does anyone have details on how the interaction is made between RADIUS and
the RSA/ACE-server, in a general scenario?


Rgds
Darshak
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Storing in SQL, Procedure call

2006-06-06 Thread Jackie Lau



Hi,

I'm using freeradius with freetds and unixodbc. I am having an issue using a
procedure call to insert to a Microsoft SQL Server. When I try to use the
procedure call 'exec', I see the following errors:

radius_xlat:  'exec ***
rlm_sql (sql): Reserving sql socket id: 8
query:  exec ***
rlm_sql_unixodbc: '0 '
rlm_sql (sql): Couldn't update SQL accounting ALIVE record - 0

But if I don't use a procedure call and use an insert command in its place,
it works just fine.

radius_xlat:  'INSERT
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
  modcall[accounting]: module "sql" returns ok for request 6

My question is why can't I use a procedure call 'exec'?

Thanks!


 

Re: public secret and public radius server. Is it secure?

2006-06-06 Thread Stefan Winter
Hi,

  In my project, I don't own the hotspots, and don't know about the
  hotspots ISPs.
  The hotspots communicate to the radius server through the internet.

   I would suggest using another method to get a secure connection to
 the hotspot.  Maybe IPSec.

this is again an example where a RadSec extension would come in extremely 
handy. Short wrapup: RadSec establishes connections via TCP and TLS and 
transports the RADIUS payload over it, so clients can be identified by their 
TLS certificate; IPs and shared secrets become obsolete. Create a dedicated CA 
for your servers, then whoever tries to connect can be checked against your 
CA root.
Make the hotspots talk RadSec and let them communicate with your FR server via 
this link.

The only open problem is: right now there is only one implementation of RadSec 
in OSC's Radiator, and it could be better coded and more advanced.

I am working on a formal specification of RadSec right now, which I hope will 
somehow find its way into the Informational RFC track. There is a lot more 
potential in it than the OSC Whitepaper suggests.

It would be really great to get an implementation of this in FR.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Engineer, Research & Development

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Problem with Freeradius 1.1.2 OpenLDAP 2.3.20

2006-06-06 Thread Nicolas Martin
Hello everyone,

I am trying to make Freeradius 1.1.2 work with OpenLDAP 2.3.20 (I was 
previously able to make it work perfectly with MySQL).

When I try to configure and compile Freeradius without any options, I 
receive a Segmentation Fault. When I try to configure it with 
--with-rlm-ldap-lib-dir= ...  --with-rlm-ldap-include-dir= ... and 
run ./configure, I have the following error:

checking for ldap_init in -lldap_r ... no
checking for ldap.h ... no
configure: warning : silently not building rlm_ldap
configure: warning : FAILURE : rlm_ldap requires libldap_r ldap.h

I am sure my paths are correct, I am sure I have the file ldap.h in 
my OpenLDAP/include dir and I have a libldap_r directory in my 
OpenLDAP/libraries dir.

My Linux is a Mandrake 10.2

Any idea of what is wrong ? Is it a version problem and so, should I 
try with older versions ? Did I miss something important ?

Any help is welcome,

Thanks,

Nicolas Martin


This email has been sent through the IMP interface: ch-bourg01.fr
This message has been scanned with an antivirus scanner




Re: Freeradius-Users Digest, Vol 14, Issue 19

2006-06-06 Thread Gilbert Lo
I am on holiday between June 5 and June 9. I will return to my office on
June 12. 

See you soon.
Thanks,
Gilbert Lo

helpdesk at St. George's School




freeradius 1.1.2 rlm_unix on AMD 64

2006-06-06 Thread MaKKrO

Hi all.
I have a big problem with freeradius and I need to fix it ASAP!
If someone can help me ...

I've been using freeradius for a long time without any problem, but with
v1.1.2, I can't do anything!

When I want to start it, I always get the message:


Module: Instantiated pam (pam)
radiusd.conf[604] Failed to link to module 'rlm_unix':
/usr/lib64/rlm_unix.a: invalid ELF header
radiusd.conf[1880] Unknown module unix.
radiusd.conf[1840] Failed to parse authenticate section.


I tried to downgrade, but no older versions are available on Gentoo (ebuild).

Please... I really need your help guys !

Thank you
--
View this message in context: 
http://www.nabble.com/freeradius-1.1.2---rlm_unix-on-AMD-64-t1740156.html#a4728669
Sent from the FreeRadius - User forum at Nabble.com.



Re: public secret and public radius server. Is it secure?

2006-06-06 Thread sophana




Stefan Winter wrote:

 this is again an example where a RadSec extension would come in extremely 
 handy. Short wrapup: RadSec establishes connections via TCP and TLS and 
 transports the RADIUS payload over it, so clients can be identified by their 
 TLS certificate; IPs and shared secrets become obsolete. Create a dedicated CA 
 for your servers, then whoever tries to connect can be checked against your 
 CA root.
 Make the hotspots talk RadSec and let them communicate with your FR server via 
 this link.


I finally found a solution to this problem.
I will implement the dynamic-IP-address-compatible radius server myself,
using the NAS-Identifier attribute in requests to determine the secret
instead of the IP address.
I will implement this in python from pyrad, a very simple radius
implementation in python.
For authentication, chillispot uses CHAP, which is secure enough for me.
(I add some additional secret to the password.)
The accounting request protected by a secret is also safe enough for
me (at the beginning).

I am sure that this could be implemented quite easily in freeradius.
Maybe I'll do it if I have performance problems.

Regards
Sophana KOK




Mikrotik Simultaneous Use

2006-06-06 Thread Italo Morellato



Hi,
I have more than twenty Mikrotik RouterBoards, all 
devices calling the same freeradius server...
Now, can I use "Simultaneous-Use := 1" to check whether 
a user is connected or not from another device?
Thanks in advance..

Italo Morellato

LDAP-Authentication based on CHAP

2006-06-06 Thread Rainer Brinkmann

Hello,
despite the FAQ entry "How do I make CHAP work with LDAP?":

can anybody tell us if it's basically possible to run a CHAP auth against an 
LDAP?
I know that a specific LDAP service must be able to retrieve a user pwd and 
often it can't, because of the storage of the pwd as one-directional 
(hashed). So, only a simple bind is OK.
But if LDAP can run a CHAP-based password check by retrieving a password: is 
the LDAP protocol (v3) basically capable of doing this?


Hamburg/Germany,
Rainer Brinkmann 



Re: LDAP-Authentication based on CHAP

2006-06-06 Thread Kostas Kalevras

On Tue, 6 Jun 2006, Rainer Brinkmann wrote:

 But if LDAP can run a CHAP-based password check by retrieving a password: is 
 the LDAP protocol (v3) basically capable of doing this?

If clear text passwords are available and can be retrieved from the ldap store 
then yes. Otherwise no. The ldap protocol has nothing to do with all this. It's 
only a matter of password availability.




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
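Sophana's plan in the earlier thread (look the shared secret up by the NAS-Identifier attribute instead of by source address, and rely on CHAP for the user password) and Kostas's answer here (CHAP can only be checked when the cleartext password is available) can both be shown in a few lines of Python. The following is an added example written for this archive; it is not code from pyrad, chillispot or FreeRADIUS, and the NAS identifiers, secrets and per-NAS secret table are constructed sample data. It also carries the check that design depends on: the NAS-Identifier is only a claim until the Request Authenticator computed with that NAS's own secret matches.

```python
import hashlib
import hmac
import struct

# RFC 2865/2866 code and attribute-type numbers used below
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_CHAP_PASSWORD = 3
ATTR_NAS_IDENTIFIER = 32
ATTR_CHAP_CHALLENGE = 60

# Constructed sample: shared secrets keyed by NAS-Identifier instead of by
# source IP, so a hotspot behind a dynamic address still maps to its secret.
SECRETS_BY_NAS_ID = {
    b"hotspot-01": b"secret-for-hotspot-01",
    b"hotspot-02": b"secret-for-hotspot-02",
}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type-length-value triples."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLVs; reject truncated attributes and lengths below 2."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def accounting_authenticator(header, body, secret):
    """RFC 2866 Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(header + bytes(16) + body + secret).digest()


def build_accounting_request(ident, attrs, secret):
    """What a NAS sends: header, secret-keyed authenticator, attributes."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + accounting_authenticator(header, body, secret) + body


def verify_accounting_request(pkt):
    """Server side: pick the secret by NAS-Identifier, then check the
    authenticator with it. Returns (accepted, nas_id). Until that check
    passes, NAS-Identifier is just a claim anyone on the internet can make."""
    if len(pkt) < 20:
        return False, None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return False, None
    try:
        attrs = decode_attrs(pkt[20:])
    except ValueError:
        return False, None
    nas_ids = [v for t, v in attrs if t == ATTR_NAS_IDENTIFIER]
    if len(nas_ids) != 1:           # missing or ambiguous: nothing to key on
        return False, None
    secret = SECRETS_BY_NAS_ID.get(nas_ids[0])
    if secret is None:              # unknown NAS: no secret, so no trust
        return False, nas_ids[0]
    expected = accounting_authenticator(pkt[:4], pkt[20:], secret)
    return hmac.compare_digest(expected, pkt[4:20]), nas_ids[0]


def chap_response(chap_id, password, challenge):
    """RFC 2865 5.3: CHAP-Password = ident || MD5(ident || password || challenge)."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(chap_password, challenge, cleartext_password):
    """The server has to recompute the MD5 over the cleartext password, so a
    store that only holds a hash of the password (e.g. {SSHA} in LDAP) cannot
    verify CHAP at all; that is Kostas's point above."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], cleartext_password, challenge)
    return hmac.compare_digest(chap_password, expected)


if __name__ == "__main__":
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IDENTIFIER, b"hotspot-01")]
    pkt = build_accounting_request(7, attrs, SECRETS_BY_NAS_ID[b"hotspot-01"])
    print(verify_accounting_request(pkt))          # (True, b'hotspot-01')
    # a sender claiming to be hotspot-02 while only knowing hotspot-01's secret
    attrs[1] = (ATTR_NAS_IDENTIFIER, b"hotspot-02")
    pkt = build_accounting_request(8, attrs, SECRETS_BY_NAS_ID[b"hotspot-01"])
    print(verify_accounting_request(pkt))          # (False, b'hotspot-02')
```

Two caveats belong with this design. Only Accounting-Request carries a secret-keyed Request Authenticator (RFC 2866); an Access-Request's Request Authenticator is random, so a NAS-Identifier-keyed secret lookup authenticates Access-Requests only if a Message-Authenticator attribute (RFC 2869) is required and verified as well. For CHAP, the challenge passed to verify_chap is the CHAP-Challenge attribute when present, otherwise the Request Authenticator of the Access-Request.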


Re: RP-pppoe

2006-06-06 Thread root linux
the attribute does not work with the GPL version of
rp-pppoe


--- Mordor Networks [EMAIL PROTECTED] wrote:

 Hello list!
 I wonder if someone used the RP-Upstream-Speed-Limit
 and
 RP-Downstream-Speed-Limit ATTRIBUTES from Roaring
 Penguin rp-pppoe with
 mysql, if so can someone please tell me how to add
 the ATTRIBUTES to
 freeradius sql table radreply?
 thanks


OpenSSL weirdness

2006-06-06 Thread Mick Tait

Hi there

I'm currently trying to compile freeradius v1.1.2 and I'm having some 
trouble getting openssl to link in. Version 1.0.5 compiles fine using 
the same configure flags.


My configure line is:

./configure --with-openssl-libraries=/usr/local/openssl 
--with-openssl-includes=/usr/local/openssl/include 
--prefix=/usr/local/radius


I've pasted the entire output from configure at the end of the email in 
case it helps, but the important bits would seem to be these:


checking for DH_new in -lcrypto... (cached) yes
checking for SSL_new in -lssl... (cached) no

configuring in ./types/rlm_eap_tls
running /bin/sh ./configure  --with-openssl-libraries=/usr/local/openssl 
--with-openssl-includes=/usr/local/openssl/include 
--prefix=/usr/local/radius --enable-ltdl-install 
--cache-file=../../../../.././config.cache --srcdir=.

loading cache ../../../../.././config.cache
checking for OpenSSL support... no
configure: warning: silently not building rlm_eap_tls.

I would appreciate any help you can give me

--
Mick Tait





fenrir:/usr/src/freeradius-1.1.2#  ./configure 
--with-openssl-libraries=/usr/local/openssl 
--with-openssl-includes=/usr/local/openssl/include 
--prefix=/usr/local/radius

loading cache ./config.cache
checking for gcc... (cached) gcc
checking whether the C compiler (gcc  ) works... yes
checking whether the C compiler (gcc  ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking how to run the C preprocessor... (cached) gcc -E
checking for AIX... no
checking whether gcc needs -traditional... (cached) no
checking whether we are using SUNPro C... (cached) no
checking for ranlib... (cached) ranlib
checking whether byte ordering is bigendian... (cached) no
checking for gmake... (cached) no
checking for make... (cached) /usr/bin/make
checking for lt_dlinit in -lltdl... (cached) yes
checking for Cygwin environment... (cached) no
checking for mingw32 environment... (cached) no
checking host system type... i686-pc-linux-gnu
checking build system type... i686-pc-linux-gnu
checking for ld used by GCC... (cached) /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... (cached) yes
checking for /usr/bin/ld option to reload object files... (cached) -r
checking for BSD-compatible nm... (cached) /usr/bin/nm -B
checking whether ln -s works... (cached) yes
checking how to recognise dependant libraries... (cached) pass_all
checking for object suffix... (cached) o
checking for executable suffix... (cached) no
checking command to parse /usr/bin/nm -B output... (cached) ok
checking for dlfcn.h... (cached) yes
checking for ranlib... (cached) ranlib
checking for strip... (cached) strip
checking for objdir... .libs
checking for gcc option to produce PIC... (cached) -fPIC
checking if gcc PIC flag -fPIC works... (cached) yes

checking if gcc static flag -static works... (cached) yes
checking if gcc supports -c -o file.o... (cached) yes
checking if gcc supports -c -o file.lo... (cached) yes
checking if gcc supports -fno-rtti -fno-exceptions... yes
checking whether the linker (/usr/bin/ld) supports shared libraries... yes
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking dynamic linker characteristics... GNU/Linux ld.so
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking for shl_load... (cached) no
checking for shl_load in -ldld... (cached) no
checking for dlopen... (cached) no
checking for dlopen in -ldl... (cached) yes
checking whether a program can dlopen itself... (cached) yes
checking whether a statically linked program can dlopen itself... (cached) no

checking whether -lc should be explicitly linked in... (cached) no
creating libtool
checking logdir... ${localstatedir}/log/radius
checking radacctdir... ${logdir}/radacct
checking raddbdir... ${sysconfdir}/raddb
checking for perl... (cached) /usr/bin/perl
checking for snmpget... no
configure: warning: snmpget not found - Simultaneous-Use and checkrad.pl may not work
checking for snmpwalk... no
configure: warning: snmpwalk not found - Simultaneous-Use and checkrad.pl may not work

checking for rusers... (cached) /usr/bin/rusers
checking for working aclocal... found
checking for working autoconf... found
checking for working autoheader... found
checking for locate... (cached) /usr/bin/locate
checking for dirname... (cached) /usr/bin/dirname
checking for grep... (cached) /bin/grep
checking for pthread.h... (cached) yes
checking for pthread_create in -lpthread... (cached) yes
checking for library containing sem_init... (cached) none required
checking for getsockname in -lsocket... (cached) no
checking for inet_aton in -lresolv... (cached) yes
checking for inet_ntoa in -lnsl... (cached) yes
checking for DH_new in 



Re: Problem with Freeradius 1.1.2 OpenLDAP 2.3.20

2006-06-06 Thread Nicolas Baradakis
In reply to Nicolas Martin:

 checking for ldap_init in -lldap_r ... no
 checking for ldap.h ... no
 configure: warning : silently not building rlm_ldap
 configure: warning : FAILURE : rlm_ldap requires libldap_r ldap.h

 I am sure my paths are correct, I am sure I have the file ldap.h in 
 my OpenLDAP/include dir and I have a libldap_r directory in my 
 OpenLDAP/libraries dir.

 Any idea of what is wrong ? Is it a version problem and so, should I 
 try with older versions ? Did I miss something important ?

Please look for error messages in src/modules/rlm_ldap/config.log

-- 
Nicolas Baradakis



Re: Storing in SQL, Procedure call

2006-06-06 Thread Marko Dinic

I'm using the same setup for access to some ancient Sybase and it works
fine. However, the query doesn't use EXEC ... it's plain:

 accounting_stop_query = sp_my_stored_procedure_name 
'%{SQL-User-Name}','%{Realm}', 

I did have problems with freetds 0.62.3, though, so I installed 0.63 and have 
had no problems with Sybase access since then.

On the other hand, the Oracle setup (using rlm_sql_oracle) with EXEC SP_NAME(...)
didn't work either, so I had to change it to BEGIN SP_NAME(...); END;
Maybe that would work for your unixODBC/freetds setup too.

-- 
Best regards,

Marko Dinic, System Engineer
- 
YUnet International  http://www.eunet.yu
Dubrovacka 35/III,   11000 Belgrade
Tel: +381 11 311 9901;  Fax: + 381 11 311 9901
-
This  e-mail  is confidential and intended only for the recipient.
Unauthorized  distribution,  modification  or  disclosure  of  its
contents is prohibited. If you have received this e-mail in error,
please notify the sender by telephone  +381 11 311 9901.
-



Re: Problem with Freeradius 1.1.2 OpenLDAP 2.3.20

2006-06-06 Thread Nicolas Martin
 Please look for error messages in
 src/modules/rlm_ldap/config.log
 
 -- 
 Nicolas Baradakis
 

The two main errors I can find are:

/usr/bin/ld: cannot find -lldap_r 
collect2: ld returned 1 exit status
configure: failed program was:
#line 974 "configure"
#include "confdefs.h"

(3 times)

and

In file included from .../ldap.h:30
.../lber.h:29:24: lber_types.h: no such file or directory

(and after that, an enormous number of syntax errors in lber.h) 

It is true that I don't have any lber_types.h file, I only have a 
file called lber_types.hin. But renaming this file does not solve 
the problem ...

Thanks,

Nicolas Martin






SSL error using MS-CHAPv2 - new in 1.1.2

2006-06-06 Thread Stefan Winter
Hi,

I logged in via PEAP after a brand-new upgrade to 1.1.2 today, and saw a new 
error message (everything worked fine though):

Error: TLS_accept:error in SSLv3 read client certificate A
Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Info: rlm_eap_mschapv2: Issuing Challenge
Auth: Login OK: [EMAIL PROTECTED] (from client localhost port 0)

these new errors in rlm_eap are somewhat intriguing. Does anyone have a clue?

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Engineer, Research & Development

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: Hello,

2006-06-06 Thread Michael Lecuyer
It would be difficult to say how RADIUS would interact with the actual 
ACE server since it's a proprietary system.  In 2002 I thought about 
going down this route and I'm summarizing from the 5 page SecurId 
integration document.


You must write code that uses RSA's 'RSA Agent' software to communicate 
with the RSA ACE server. You must become a partner at a cost of ten 
thousand dollars for each product for each year you provide the product(s). 
You must pay RSA twenty percent of your product's licensing fee. And you 
must have RSA certify it and may be required to provide a training 
program for RSA certification technicians. The sublicense agreement with 
RSA is incompatible with any open source software.


The best thing to do is use FreeRadius as a proxy to the RSA RADIUS server.

From a client's point of view the ACE RADIUS server may require a 
simple  CHAP/PAP transaction or there may be challenges asking for more 
information. It depends on the RSA server configuration.




Re: SSL error using MS-CHAPv2 - new in 1.1.2

2006-06-06 Thread thomas hahusseau
Despite this error, does the authentication work well? Because I've got
the same error but LDAP authentication fails, and I don't know if it's
due to that client certificate error.

Thomas Hahusseau

2006/6/6, Stefan Winter [EMAIL PROTECTED]:

 Hi,

 I logged in via PEAP after a brand-new upgrade to 1.1.2 today, and saw a new
 error message (everything worked fine though):

 Error: TLS_accept:error in SSLv3 read client certificate A
 Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
 Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
 Info: rlm_eap_mschapv2: Issuing Challenge
 Auth: Login OK: [EMAIL PROTECTED] (from client localhost port 0)

 these new errors in rlm_eap are somewhat intriguing. Anyone a clue?

 Greetings,

 Stefan Winter


Re: SSL error using MS-CHAPv2 - new in 1.1.2

2006-06-06 Thread Stefan Winter
Hi,

  Error: TLS_accept:error in SSLv3 read client certificate A
  Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
  Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
  Info: rlm_eap_mschapv2: Issuing Challenge
  Auth: Login OK: [EMAIL PROTECTED] (from client localhost port 0)

 Despite this Error the Authentification works well ? because I've got the
 same error but LDAP authentification fail and I don't know if it's due to
 that client certificate error ?

It works well. The client certificate error is no error at all, and it's not 
the reason why I'm asking here.
I ask because of the two lines below it, which are _not_ business as usual.

Oh, I should have mentioned initially: it's OpenSSL 0.9.8a, unchanged from FR 
1.1.1, but 1.1.1 didn't spit out these errors.

Greetings,

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Engineer, Research & Development

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: Freeradius-Users Digest, Vol 14, Issue 22

2006-06-06 Thread Gilbert Lo
I am on holiday between June 5 and June 9. I will return to my office on
June 12. 

See you soon.
Thanks,
Gilbert Lo

helpdesk at St. George's School




Re: Hello,

2006-06-06 Thread darshak

Many thanks to you. This has helped me greatly.

Some doubts I have:
   If I use my radius as a proxy, then should this be based upon realm or 
something like that?

And such a configuration will not need any s/w written on my end, right?

Rgds
Darshak
- Original Message - 
From: Michael Lecuyer [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, June 06, 2006 6:38 PM
Subject: Re: Hello,




Re: Hello,

2006-06-06 Thread Michael Schwartzkopff
On Tuesday, 6 June 2006 15:56, darshak wrote:
 Many thanks to you. This has helped me greatly.

 Some doubts I have:
 If I use my radius as a proxy, then should this be based upon realm or
 something like that?
 And such a configuration will not need any s/w written on my end, right?

If you have the RSA RADIUS, why do you want to use FreeRADIUS as a proxy-only 
system? Does this config make sense? If yes, read the proxy docs in the doc/ 
directory.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42


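As an added illustration of the realm-based proxying darshak asks about (this is written for this archive; it is not taken from the FreeRADIUS proxy documentation and is neither Michael's nor darshak's configuration), here is a proxy.conf realm entry in the FreeRADIUS 1.x syntax. The realm name securid.example.com, the host ace-radius.example.com, the ports and the secret are assumed placeholders.

```conf
# proxy.conf excerpt, FreeRADIUS 1.x syntax (added example; the realm name,
# host, ports and secret are placeholders to be replaced)
realm securid.example.com {
	type		= radius
	authhost	= ace-radius.example.com:1812
	accthost	= ace-radius.example.com:1813
	secret		= REPLACE-WITH-LONG-RANDOM-SECRET
	nostrip
}
```

With proxy_requests = yes in radiusd.conf and the suffix instance of the realm module listed in the authorize section, a User-Name of the form user@securid.example.com is forwarded unchanged (nostrip) to the ACE RADIUS server, which performs the actual token check and answers with Access-Challenge or Access-Accept/Reject; FreeRADIUS only needs to share a secret with that server, so no RSA Agent code has to be written on your side. That secret protects only the FreeRADIUS-to-ACE hop, which is why it should be long and random and the two servers should sit on a trusted network segment.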

Re: PEAP authentication with freerad ?

2006-06-06 Thread Michael Griego
I assume by PEAP, you mean the most-often-seen PEAP/EAP-MSCHAPv2.  In  
this case, MD5 is not involved anywhere.  The passwords are hashed  
differently.  As such, you must either have an NT hashed password  
(which is actually a unicode-encoded MD4 hash of the password) or a  
cleartext password in your directory.


--Mike

On Jun 6, 2006, at 3:36 AM, thomas hahusseau wrote:


Hello,

I would like to use PEAP to perform authentication of wlan users. I chose 
PEAP because users and passwords are in an LDAP server (OpenLDAP). 
According to me, PEAP works like this:


Phase 1 :: TLS handshake; the server authenticates to the client as a 
trusted radius server and a ciphered tunnel is created.
Phase 2 :: Login + Password + Domain hashed with MD5 are sent to the 
Radius Server, which asks the LDAP server for password and login.


According to the doc file realm_eap, freeradius supports only eap-tls 
(authentication based only on certificates (client + server)) and eap-MD5 
(according to me, even if PEAP uses an MD5 hash, EAP-MD5 is different, 
with no mutual authentication and no TLS handshake).


I don't want to use a full certificate-based solution like EAP-TLS or 
an authentication with no ciphered tunnel like EAP-MD5.


Could anyone help me with using PEAP (or at least authentication with 
the two phases described above) with freeradius?


Thank you.

PS: sorry for English mistakes :)





Re: Freeradius-Users Digest, Vol 14, Issue 22

2006-06-06 Thread Kevin Bonner
On Tuesday 06 June 2006 09:39, Gilbert Lo wrote:
 I am on holiday between June 5 to June 9. I will return to my office on
 June 12.

 See you soon.
 Thanks,
 Gilbert Lo

Great!  When you return, you should have someone fix your auto-responder so we 
don't see these annoying messages.  At least you're just responding to 
digests though...

-Kevin



Re: PEAP authentication with freerad ?

2006-06-06 Thread thomas hahusseau
Yes, I use PEAP/MSCHAPv2, and the passwords in OpenLDAP are stored in clear
mode, but there is a really strange error while I try an
authentication via EAP-PEAP (MSCHAPv2); here is the output of
Freeradius:

rlm_ldap: checking if remote access for test is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 6
modcall: group authorize returns ok for request 6
 rad_check_password: Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/mschapv2
 rlm_eap: processing type mschapv2
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
 rlm_mschap: No User-Password configured. Cannot create LM-Password.
 rlm_mschap: No User-Password configured. Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
 modcall[authenticate]: module mschap returns reject for request 6
modcall: group Auth-Type returns reject for request 6
 rlm_eap: Freeing handler
 modcall[authenticate]: module eap returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
Login incorrect: [test/no User-Password attribute] (from client localhost port 0)
 PEAP: Tunneled authentication was rejected.
 rlm_eap_peap: FAILURE

I don't know if that error is due to an impossible comparison between the
hashed password in mschap and the clear openldap password, or if there
is a problem with the NT/LM-Password fields.
2006/6/6, Michael Griego [EMAIL PROTECTED]:

 I assume by PEAP, you mean the most-often-seen PEAP/EAP-MSCHAPv2. In this
 case, MD5 is not involved anywhere. The passwords are hashed differently.
 As such, you must either have an NT hashed password (which is actually a
 unicode-encoded MD4 hash of the password) or a cleartext password in your
 directory.

 --Mike

 On Jun 6, 2006, at 3:36 AM, thomas hahusseau wrote:

  Hello, I would like to use PEAP to perform authentication of wlan users,
  I choose PEAP because Users and Passwords are in an LDAP Server
  (OPEN-LDAP).

  According to me PEAP works like this :
  Phase 1 :: TLS handshake, the server authenticates to the client as a
  trusted radius server and a ciphered tunnel is created.
  Phase 2 :: Login + Password + Domain hashed with MD5 are sent to the
  Radius Server which asks the LDAP server for password and login.

  According to the doc file rlm_eap, freeradius supports only eap-tls
  (authentication based only on certificates (client + server)) and eap-MD5
  (according to me even if PEAP uses an MD5 hash, EAP-MD5 is different, with
  no mutual authentication and no TLS handshake). I don't want to use a
  full certificate based solution like EAP-TLS or an authentication with
  no ciphered tunnel like with EAP-MD5.

  Anyone could help me for using PEAP (or at least authentication with the
  two phases described above) with freeradius ?

  thank you. Ps : sorry for english mistakes :)


Re: Freeradius-Users Digest, Vol 14, Issue 23

2006-06-06 Thread Gilbert Lo
I am on holiday between June 5 to June 9. I will return to my office on
June 12. 

See you soon.
Thanks,
Gilbert Lo

helpdesk at St. George's School




Re: SSL error using MS-CHAPv2 - new in 1.1.2

2006-06-06 Thread Alan DeKok
Stefan Winter [EMAIL PROTECTED] wrote:
 I logged in via PEAP after a brand-new upgrade to 1.1.2 today, and saw a new 
 error message (everything worked fine though):
 
 Error: TLS_accept:error in SSLv3 read client certificate A
 Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
 Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
 Info: rlm_eap_mschapv2: Issuing Challenge
 Auth: Login OK: [EMAIL PROTECTED] (from client localhost port 0)
 
 these new errors in rlm_eap are somewhat intriguing. Anyone a clue?

  doc/ChangeLog

  Prior to 1.1.2, SSL errors went to stderr, which in daemon mode was
/dev/null.

  Alan DeKok.


Re: PEAP authentication with freerad ?

2006-06-06 Thread Alan DeKok
thomas hahusseau [EMAIL PROTECTED] wrote:
 modcall: entering group Auth-Type for request 6
   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.

  This means that the server has no clear-text password.  i.e. it
wasn't retrieved from LDAP.  See the rest of the debug log to see what
was retrieved from LDAP.

  Alan DeKok.



Re: public secret and public radius server. Is it secure?

2006-06-06 Thread Alan DeKok
Stefan Winter [EMAIL PROTECTED] wrote:
 this is again an example where a RadSec extension would come in extremely 
 handy. Short wrapup: RadSec establishes connections via TCP and TLS and 
 transports the RADIUS payload over it, so clients can be identified by their 
 TLS certificate; IPs and shared secrets become obsolete.

  This is *extremely* useful, and solves a lot of deployment problems.

 I am working on a formal specification of RadSec right now, of which
 I hope it will somehow find a way into the Informational RFC
 track. There is a lot more potential in it than the OSC Whitepaper
 suggests.

  I'm available to work on it too, if you need help.

 It would be really great to get an implementation of this in FR.

  I don't think it's that hard, it just needs to be done.

  Alan DeKok.


Re: freeradius 1.1.2 rlm_unix on AMD 64

2006-06-06 Thread Alan DeKok
MaKKrO [EMAIL PROTECTED] wrote:
 radiusd.conf[604] Failed to link to module 'rlm_unix':
 /usr/lib64/rlm_unix.a: invalid ELF header

  Build the server with shared library support.

  Why do some modules work, and others fail?

  Alan DeKok.


Re: OpenSSL weirdness

2006-06-06 Thread Alan DeKok
Mick Tait [EMAIL PROTECTED] wrote:
 I've pasted the entire output from configure at the end of the email in 
 case it helps, but the important bits would seem to be these:
 
 checking for DH_new in -lcrypto... (cached) yes
 checking for SSL_new in -lssl... (cached) no

  See config.log for reasons why a particular check failed.

  Alan DeKok.


Re: Problem with Freeradius 1.1.2 OpenLDAP 2.3.20

2006-06-06 Thread Alan DeKok
Nicolas Martin [EMAIL PROTECTED] wrote:
 In file included from .../ldap.h:30
 .../lber.h:29:24: lber_types.h: no such file or directory
...
 It is true that I don't have any lber_types.h file

  The LDAP headers are telling you they need that lber_types.h.  If
you don't have it, then nothing you do to FreeRADIUS will change
anything.

  You MUST fix your LDAP installation so that it works.

 , I only have a file called lber_types.hin. But renaming this file
 does not solve the problem ...

  Where is this file?  It looks like you didn't install the LDAP
client code...

  Alan DeKok.



RE: SecurID authentication

2006-06-06 Thread David Mitton
Darshak,

I'm not a legal representative, but Michael's response is for
someone that wishes to sell or distribute(?) a product that uses the
SecurID service.

While doing a RADIUS proxy to the new RADIUS server may be the correct
approach, if you are an owner of a SecurID server solution, you can
certainly develop code to use your licensed server for whatever
application you wish.

The product offering includes an ACE Client SDK which gives you a
C-language API for doing SecurID authentication.   It would be fairly
straight forward to develop your own Free RADIUS module, but there are
details with New Pin assignment and Next Token mode that get messy.  The
server uses Access-Challenge for them.

Also the new server includes EAP support for several methods.  So proxy
may still be the best path.

David Mitton
Software Development,
RSA Security, Inc.

PS: I urge all senders to use meaningful Subject lines, the original
message was discarded by me on first pass as spam.

- Original Message -

From: Michael Lecuyer [EMAIL PROTECTED]
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Subject: Re: Hello,
Date: Tue, 06 Jun 2006 09:08:16 -0400


It would be difficult to say how RADIUS would interact with the actual ACE
server since it's a proprietary system.  In 2002 I thought about going down
this route and I'm summarizing from the 5 page SecurId integration
document.

You must write code that uses RSA's 'RSA Agent' software to communicate with
the RSA ACE server. You must become a partner at a cost of ten thousand
dollars for each product each year you provide the product(s). You must pay
RSA twenty percent of your product's licensing fee. And you must have RSA
certify it and may be required to provide a training program for RSA
certification technicians. The sublicense agreement with RSA is incompatible
with any open source software.

The best thing to do is use FreeRadius as a proxy to the RSA RADIUS server.

From a client's point of view the ACE RADIUS server may require a simple
CHAP/PAP transaction or there may be challenges asking for more information.
It depends on the RSA server configuration.

darshak wrote:
 Hi All
 I'm new to AAA things. I want to know how I can support RSA ACE/Server in
 freeradius.
 Does anyone have details on how interaction is made between RADIUS and
 RSA/ACE-server, in a general scenario?


 Rgds
 DArshak





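David Mitton says above that the ACE server handles New PIN and Next Token mode with Access-Challenge, and Michael Lecuyer likewise notes that the ACE RADIUS server may answer with challenges asking for more information. The Python below is an added example, not RSA or FreeRADIUS code, modelling that two-round exchange at the attribute level: the ACE agent is replaced by a constructed table of tokencodes, packets are dicts instead of wire-format RADIUS, and the State attribute layout (nonce, expected code index, HMAC tag under a per-process key) and the Reply-Message text are this example's own choices. What it does show is the part a module author has to get right: the State value a NAS echoes back is untrusted input, so it is authenticated, bound to the user it was issued to, and accepted only once.

```python
"""Two-round RADIUS challenge flow of the kind used for SecurID Next Token
mode, modelled at the attribute level.

Added example for this thread; not FreeRADIUS or RSA code. The ACE agent is
replaced by a constructed tokencode table, and packets are plain dicts.
"""
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the ACE agent: the tokencodes accepted for each
# user, in the order the (simulated) token server expects them.
TOKENCODES = {
    "alice": ["123456", "654321"],   # alice is in Next Token mode: two codes needed
    "bob": ["111111"],               # bob authenticates in a single round
}
NEXT_TOKEN_MODE = {"alice"}

STATE_KEY = os.urandom(32)   # per-process secret that authenticates State values
_used_nonces = set()         # each issued State may be redeemed exactly once


def _state_tag(user: str, nonce: bytes, idx: int) -> bytes:
    """HMAC binding the State to the user it was issued for and the expected index."""
    msg = user.encode() + b"\x00" + nonce + struct.pack(">B", idx)
    return hmac.new(STATE_KEY, msg, hashlib.sha256).digest()[:16]


def make_state(user: str, idx: int) -> bytes:
    """Opaque State attribute: 8-byte nonce || expected code index || 16-byte tag."""
    nonce = os.urandom(8)
    return nonce + struct.pack(">B", idx) + _state_tag(user, nonce, idx)


def parse_state(user: str, state: bytes):
    """Return the expected code index if State is genuine and unused, else None."""
    if len(state) != 8 + 1 + 16:
        return None
    nonce, idx, tag = state[:8], state[8], state[9:]
    if not hmac.compare_digest(tag, _state_tag(user, nonce, idx)):
        return None
    if nonce in _used_nonces:
        return None
    _used_nonces.add(nonce)
    return idx


def handle_access_request(req: dict) -> dict:
    """Produce the reply (a dict with a 'code' key) for one Access-Request."""
    user = req.get("User-Name", "")
    code = req.get("User-Password", "")
    expected = TOKENCODES.get(user)
    if expected is None:
        return {"code": "Access-Reject"}

    if "State" not in req:
        # Round 1: the first tokencode.
        if code != expected[0]:
            return {"code": "Access-Reject"}
        if user not in NEXT_TOKEN_MODE:
            return {"code": "Access-Accept"}
        # The simulated token server wants the following code as well.
        return {
            "code": "Access-Challenge",
            "State": make_state(user, 1),
            "Reply-Message": "Wait for the tokencode to change, then enter the new code",
        }

    # Round 2: the NAS echoed our State; verify it before trusting the index in it.
    idx = parse_state(user, req["State"])
    if idx is None or idx >= len(expected):
        return {"code": "Access-Reject"}
    return {"code": "Access-Accept" if code == expected[idx] else "Access-Reject"}


def run_next_token_flow(user: str, first: str, second: str) -> list:
    """Drive both rounds for one user and return the sequence of reply codes."""
    reply1 = handle_access_request({"User-Name": user, "User-Password": first})
    if reply1["code"] != "Access-Challenge":
        return [reply1["code"]]
    reply2 = handle_access_request({"User-Name": user, "User-Password": second,
                                    "State": reply1["State"]})
    return [reply1["code"], reply2["code"]]


if __name__ == "__main__":
    print(run_next_token_flow("alice", "123456", "654321"))   # challenge, then accept
    print(run_next_token_flow("alice", "123456", "000000"))   # challenge, then reject
    print(run_next_token_flow("bob", "111111", ""))           # accept in one round
```

A real module would also have to age out unredeemed States and survive a server restart (the per-process key here does neither), which is part of why the thread's advice to proxy to the vendor's own RADIUS server is the path of least resistance.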


Problem building the rlm_mysql module

2006-06-06 Thread Alan
I am having a problem building the rlm_mysql module. Can someone tell me
what I'm doing wrong here? Please help. 

OS:
RedHat Enterprise 3 WS - Clean install

Hardware:
Sunfire 20z AMD-64bit

Mysql Package:
MySQL-client-standard-5.0.22-0.rhel3.x86_64.rpm
MySQL-devel-standard-5.0.22-0.rhel3.x86_64.rpm
MySQL-server-standard-5.0.22-0.rhel3.x86_64.rpm
MySQL-shared-compat-5.0.22-0.rhel3.x86_64.rpm



I tried to build the module just for debugging my problem directly in the
module sources directory.


[EMAIL PROTECTED] rlm_sql_mysql]$ make all
/home/abaker/src/freeradius-1.1.2/libtool --mode=compile gcc  -g -O2
-I../.. -I/home/abaker/src/freeradius-1.1.2/src/include -I/usr/include/mysql
-g -pipe  -c sql_mysql.c
mkdir .libs
gcc -g -O2 -I../.. -I/home/abaker/src/freeradius-1.1.2/src/include
-I/usr/include/mysql -g -pipe -c sql_mysql.c  -fPIC -DPIC -o
.libs/sql_mysql.lo
sql_mysql.c: In function `sql_error':
sql_mysql.c:333: warning: return discards qualifiers from pointer target
type
gcc -g -O2 -I../.. -I/home/abaker/src/freeradius-1.1.2/src/include
-I/usr/include/mysql -g -pipe -c sql_mysql.c -o sql_mysql.o >/dev/null 2>&1
mv -f .libs/sql_mysql.lo sql_mysql.lo
/home/abaker/src/freeradius-1.1.2/libtool --mode=link gcc -release 1.1.2 \
-module -export-dynamic   -o rlm_sql_mysql.la \
-rpath /clique/freeradius-1.1.2/lib sql_mysql.lo -L/usr/lib64/mysql
-lmysqlclient_r -lz -lpthread -lcrypt -lnsl -lm -lpthread 
 
*** Warning: This library needs some functionality provided by
/usr/lib64/mysql/libmysqlclient_r.la.
*** I have the capability to make that library automatically link in when
*** you link to this library.  But I can only do this if you have a
*** shared version of the library, which you do not appear to have.
*** Therefore, libtool will create a static module, that should work 
*** as long as the dlopening application is linked with the -dlopen flag.
rm -fr .libs/rlm_sql_mysql.la .libs/rlm_sql_mysql.*
.libs/rlm_sql_mysql-1.1.2.*
ar cru .libs/rlm_sql_mysql.a  sql_mysql.o 
ranlib .libs/rlm_sql_mysql.a
creating rlm_sql_mysql.la
(cd .libs && rm -f rlm_sql_mysql.la && ln -s ../rlm_sql_mysql.la
rlm_sql_mysql.la)



Re: OpenSSL weirdness

2006-06-06 Thread Mick Tait

Alan DeKok wrote:

  See config.log for reasons why a particular check failed.

Hi Alan,

Thanks for the response. I did look through this file and every other 
file I could find that might shed some light on this. Unfortunately I 
found nothing that made any sense to me as regards this issue. Rather 
than paste them here and increase the amount of stuff coming through the 
list I'm pasting URL's to the files instead.


http://www.bmnetworks.co.uk/freeradius

I'd appreciate any help you can give.

Thank you
--
Mick Tait


Re: PEAP authentication with freerad ?

2006-06-06 Thread thomas hahusseau
/huntgroups
 preprocess: hints = /opt/freeradius/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = yes
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded detail 
 detail: detailfile = 
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log) 
Module: Loaded realm 
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
 realm: format = prefix
 realm: delimiter = \
 realm: ignore_default = yes
 realm: ignore_null = yes
Module: Instantiated realm (ntdomain) 
Module: Loaded files 
 files: usersfile = /opt/freeradius/etc/raddb/users
 files: acctusersfile = /opt/freeradius/etc/raddb/acct_users
 files: preproxy_usersfile = /opt/freeradius/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files) 
 detail: detailfile = 
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = /var/log/freeradius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
 detail: detailfile = 
/var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (reply_log) 
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.5:3314, id=139, length=116
NAS-IP-Address = 192.168.0.5
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Framed-MTU = 1400
User-Name = test
Calling-Station-Id = 004096a1ce69
Called-Station-Id = 000fcb00f04c
NAS-Identifier = DIST-AP
EAP-Message = 0x020100090174657374
Message-Authenticator = 0x04e30ce26d28e459d6f26e8cefe9c11b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/var/log/freeradius/radacct/192.168.0.5/auth-detail-20060606'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/freeradius/radacct/192.168.0.5/auth-detail-20060606
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
rlm_realm: No '\' in User-Name = test, skipping NULL due to config.
  modcall[authorize]: module ntdomain returns noop for request 0
users: Matched entry DEFAULT at line 215
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(uid=test)'
radius_xlat:  'dc=dist,dc=demo,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dist,dc=demo,dc=net, with filter (uid=test)
rlm_ldap: checking if remote access for test is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 139 to 192.168.0.5:3314
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0xe2babc9392179f148e247671f72305a5
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.5:3315, id=140, length=231
NAS-IP-Address = 192.168.0.5
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Framed-MTU


RE: Storing in SQL, Procedure call

2006-06-06 Thread Jackie Lau
I tried both suggestions and still no luck.  Any other suggestion on how
to get a Stored Procedure to work with FreeRadius, unixODBC/FreeTDS and
Microsoft SQL Server 2000?  For some reason when trying to call a Stored
Procedure the rlm_sql module is trying to perform a query rather than the
procedure call.  Thanks! 

-Original Message-
From: Marko Dinic [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 06, 2006 4:16 AM
To: freeradius-users@lists.freeradius.org
Cc: Jackie Lau
Subject: Re: Storing in SQL, Procedure call


I'm using the same setup for access to some ancient Sybase and it works
fine. However, the query doesn't use EXEC ... it's plain :

 accounting_stop_query = sp_my_stored_procedure_name
'%{SQL-User-Name}','%{Realm}', 

I did have problems with freetds 0.62.3, tho, so I installed 0.63 and
had no problems with Sybase access since then.

On the other hand, Oracle setup (using rlm_sql_oracle) with EXEC
SP_NAME(...)
didn't work either, so I had to change it to BEGIN SP_NAME(...); END;
Maybe that would work for your unixODBC/freetds setup too.

--
Best regards,

Marko Dinic, System Engineer
-
YUnet International  http://www.eunet.yu
Dubrovacka 35/III,   11000 Belgrade
Tel: +381 11 311 9901;  Fax: + 381 11 311 9901
-





Re: PEAP authentication with freerad ?

2006-06-06 Thread Alan DeKok
thomas hahusseau [EMAIL PROTECTED] wrote:
 First : If I uncomment eap in authorize section of radiusd.conf :

  Which you MUST do, or EAP doesn't work.

   rlm_eap_peap:  Had sent TLV failure, rejecting.

  sigh Why are you insisting on looking at only a portion of the
debug output?  Look PREVIOUSLY in the output to see what's going
wrong, and why.

  And if you see the same No User-Password message, please don't
post that.

 Second : If I comment eap in authorize section of radiusd.conf

  It doesn't work.

 I hope you could help I'm blocked on that problem for 2 weeks and the end of
 my training period is close and I would like to finish it before :).

  I really don't understand.

  1) get CHAP working with LDAP, where the clear-text passwords are
 read from LDAP If that doesn't work, it won't work for EAP.

  2) Put a different user & clear-text password in users.  Get EAP
 working.

  3) Try EAP with the username from (1).  If it doesn't work, I will
 be EXTREMELY surprised.

  Alan DeKok.



Re: OpenSSL weirdness

2006-06-06 Thread Alan DeKok
Mick Tait [EMAIL PROTECTED] wrote:
 Thanks for the response. I did look through this file and every other 
 file I could find that might shed some light on this. Unfortunately I 
 found nothing that made any sense to me as regards this issue. Rather 
 than paste them here and increase the amount of stuff coming through the 
 list I'm pasting URL's to the files instead.

  The config.log file looks like most of the content has been removed.
i.e. when it says checking for X, it should then contain lines
running gcc, etc.

  Alan DeKok.


postgresql and freeradius (dialupadmin)

2006-06-06 Thread Krzysztof Matusik
Hello

I've got freeradius running with postgresql backend but since I can't get 
(IMHO correctly configured) dialupadmin running I'm not even sure it runs ok. 
My apache2 says something like:
[notice] child pid 27829 exit signal Segmentation fault (11)
and postgres daemon:
could not accesp SSL connection: connection terminated ...
while http browser gives something like 'connection terminated' whenever I'm 
trying to perform any operation excluding just the 'home page'.

I've been trying and googling to get any solution but found only some 
(crappy?) posts from few years ago.

Is it that my database is corrupted? (I've had some problems creating it).

Could anybody help me with the solution?

Thanks in advance.

Krzysztof


Re: OpenSSL weirdness

2006-06-06 Thread Mick Tait

Alan DeKok wrote:

  The config.log file looks like most of the content has been removed.
i.e. when it says checking for X, it should then contain lines
running gcc, etc.

That's odd to say the least. All I did was symlink to the file itself, so 
something else must have upset the log - either that or there's 
something happened to my system.


I'll try deleting the source directory, extracting the tarball and 
starting again.


Thanks

--
Mick Tait


RE: postgresql and freeradius (dialupadmin)

2006-06-06 Thread Seferovic Edvin
I would say it is rather an apache2 problem. Update it to the latest version
and be sure that your apache2+php+postgres works before you start
dialupadmin.

Regards,
Edvin



Re: OpenSSL weirdness

2006-06-06 Thread Mick Tait

Alan DeKok wrote:


  The config.log file looks like most of the content has been removed.
i.e. when it says checking for X, it should then contain lines
running gcc, etc.

  Alan DeKok.
- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html
  
Thats odd to say the least. All I did was simlink to the file itself, 
so something else must have upset the log - either that or there's 
something happened to my system.


I'll try deleting the source directory, extracting the tarball and 
starting again.


Thanks

--
Mick Tait
- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


Bloody hell. This time it linked in and compiled cleanly. I have no idea 
what's different this time around, but hell its working so I'm not 
complaining.


Thanks for your time, and sorry to have wasted it.

--
Mick Tait


session tracking

2006-06-06 Thread Jeremy Ford
I have read over the docs but haven't found a clear way to turn off session
tracking. I just want the radius server to give an Accept or Reject for user
auth (which I have working with mysql) and not track the session (start/stop
records etc...)

Thanks
Jeremy



RE: session tracking

2006-06-06 Thread Seferovic Edvin
Hi,

session tracking is called - accounting ! the last A in AAA ;)

Just empty the accounting { } part in your radiusd.conf file. If your NAS
sends accounting info - turn it off !

Regards,
Edvin



Re: SecurID authentication

2006-06-06 Thread darshak

Thanks David, this has been useful to me.
Although proxy is the best answer, I just want to go into some details.
If I own RSA ACE/server, then does it come with an RSA ACE/client agent? Then 
what I need to do is write code that talks with Freeradius and RSA 
ACE/client?

Or I need not do it?
Does this RSA/ACE server come with a client that talks to RADIUS, so I can be 
free from the coding burden?

Can you please explain how
RADIUS -- RSA/ACE server talk to each other? [if I do not use proxy]
I have read that Lucent and SBR support this RSA/ACE SecurID, so how do they 
actually support it? Have they coded something extra, or is it by proxy?

Thanxs again for your help

Rgds
Darshak




Peap/leap/wap

2006-06-06 Thread darshak

Does free radius support PEAP/LEAP
802.1x authentication?
How can i configure it?


Re: freeradius 1.1.2 rlm_unix on AMD 64

2006-06-06 Thread MaKKrO

OK, but how can I do that?

Thanks



Exec-Program and length of arguments

2006-06-06 Thread Anton Maksimenkov

Hi.

If I add to the users file this:
bob   Auth-Type := Local, User-Password == "bob"
   Reply-Message = "Hello, %u",
   Exec-Program = "/home/engineer/acrad.pl User-Name=%{User-Name}
Service-Type=%{Service-Type} Acct-Status-Type=%{Acct-Status-Type}
Acct-Session-Id=%{Acct-Session-Id} Framed-Protocol=%{Framed-Protocol}
NAS-Identifier=%{NAS-Identifier} NAS-Port-Id=%{NAS-Port-Id}"

it works. But I need to pass more arguments to my program, and as far
as I can see there is some limit. If I add this:
Exec-Program = "/home/engineer/acrad.sh User-Name=%{User-Name}
Service-Type=%{Service-Type} Acct-Status-Type=%{Acct-Status-Type}
Acct-Session-Id=%{Acct-Session-Id} Framed-Protocol=%{Framed-Protocol}
NAS-Identifier=%{NAS-Identifier} NAS-Port-Id=%{NAS-Port-Id}
NAS-IP-Address=%{NAS-IP-Address}
Calling-Station-Id=%{Calling-Station-Id}
Called-Station-Id=%{Called-Station-Id}
Framed-IP-Address=%{Framed-IP-Address}
Acct-Input-Octets=%{Acct-Input-Octets}
Acct-Output-Octets=%{Acct-Output-Octets}
Acct-Input-Packets=%{Acct-Input-Packets}
Acct-Output-Packets=%{Acct-Output-Packets}
Acct-Session-Time=%{Acct-Session-Time}
Acct-Terminate-Cause=%{Acct-Terminate-Cause}"

# radiusd -sfxxyz -l stdout 2>&1
...
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
/etc/raddb/users[220]: Parse error (reply) for entry bob: Expected end
of line or comma
Errors reading /etc/raddb/users
radiusd.conf[1047]: files: Module instantiation failed.
radiusd.conf[1791] Unknown module files.
radiusd.conf[1727] Failed to parse authorize section.

and the same with the hints file.

The main goal is that I need to do some accounting by my script. I
looked at experimental.conf (at the perl section), but for now I don't
understand whether I can utilize it for my needs somehow.
What can I do?
--
engineer