freeradius cisco command accounting

2007-03-22 Thread satish patel
Dear's

Is there any feature in freeradius that provides cisco command accounting,
meaning users run commands on a cisco router and radius provides me a command log
per user? I want to replace my tacacs with freeradius.


$ cat ~/satish/url.txt

System administrator ( Data Center )

please visit this site

http://linux.tulipit.com   

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Res: EAP-TTLS + Post-auth clear password

2007-03-22 Thread Alan DeKok
Erico Augusto wrote:

 I'm trying to forward username and password to my own app, using
 post-auth section, to perform user authentication, as described below
 ... is that possible?

 Yes.  See the exec module.  Why do you think the pap module has
anything to do with it?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4

2007-03-22 Thread Alexander V. Klepikov
Hello, Alan!
You wrote  on Wed, 21 Mar 2007 12:57:46 +0100:

After Nicolas Baradakis's patch some things changed. Now I know that if 
connection to PostgreSQL DB became broken, libpq does not free 
pg_sock->conn, so PQfinish(pg_sock->conn) MUST be called.

AD>   If pg_sock->conn is freed, that pointer MUST be set to NULL.

Yes, I understand that.

AD>   No.  sqlsocket->state is redundant.  If the conn handle exists, it
AD> MUST be a valid connection handle.  If it's not valid, it's NULL, and
AD> therefore the socket is disconnected.

Then each time sql_destroy_socket MUST be called after sql_close in database 
drivers and especially in sql_init_socket when DB connection can't be 
established. Of course, sqlsocket->state MUST be set then too, maybe in 
sql_destroy_socket function. It concerns all SQL drivers.

 In theory, sqlsocket->state can be equal to sockconnected when actually
 it is disconnected.

I make some additional tests. When DB connection suddenly breaks, 
sqlsocket->state == sockconnected.

AD>   That's a bug.  It's wrong and MUST be fixed.

It seems to me it would be hard to do. The simplest way I see is to use 
instead of sqlsocket->state a function that is declared in sql driver 
module. For PostgreSQL it may look so:

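/* Ask libpq for the real connection state instead of trusting
 * sqlsocket->state. Returns -1 (non-zero) if connected, 0 if not.
 * config is passed in because sql_close() needs it. */
static int IsConnected(SQLSOCK *sqlsocket, SQL_CONFIG *config)
{
        rlm_sql_postgres_sock *pg_sock;

        /* No driver data at all: not connected. */
        if (sqlsocket->conn == NULL)
                return 0;

        pg_sock = sqlsocket->conn;
        if ((pg_sock->conn != NULL) &&
            (PQstatus(pg_sock->conn) == CONNECTION_OK)) {
                return -1;
        }

        /* The connection is gone: release the driver resources. */
        sql_close(sqlsocket, config);
        sql_destroy(sqlsocket);
        return 0;
}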

It seems to me, it's almost impossible to write code which will allow 
sqlsocket->conn to provide accurate information about connection state. But 
again, I'm not a programmer.

With best regards, Alexander V. Klepikov.  E-mail: [EMAIL PROTECTED] 



Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4

2007-03-22 Thread Alan DeKok
Alexander V. Klepikov wrote:

 It seems to me, it's almost impossible to write code which will allow 
 sqlsocket->conn to provide accurate information about connection state. But 
 again, I'm not a programmer.

  If that's true, then we still need to audit all of the sql code.  Some
code does if (sqlsocket->conn)..., which would then be wrong.  It
should be if (sqlsocket->state == sqlconnected) ...

  And the enum defining sqlconnected and sqlunconnected should be
changed so that 0 means unconnected.  That change avoids other issues,
too.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
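The state-tracking problem discussed in this thread, as an added example in C that is not FreeRADIUS code: `demo_sock`, `mock_conn` and the `OLD_*`/`NEW_*` values are hypothetical stand-ins for the rlm_sql socket, the libpq handle and the two enum orderings. It shows why a zero-filled socket should read as unconnected, and why neither a non-NULL handle nor a cached state notices a dropped link until the driver is asked.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a driver handle such as libpq's PGconn. */
typedef struct { int link_ok; } mock_conn;

/* Two orderings of the state enum: one where 0 means connected, and the
 * ordering suggested in the thread, where 0 means unconnected. */
enum { OLD_CONNECTED = 0, OLD_UNCONNECTED = 1 };
enum { NEW_UNCONNECTED = 0, NEW_CONNECTED = 1 };

typedef struct {
    mock_conn *conn;   /* driver handle; NULL once freed */
    int        state;  /* cached view of the connection */
} demo_sock;

/* Single tear-down path: free, NULL the pointer, reset the state. */
void demo_close(demo_sock *s)
{
    free(s->conn);
    s->conn = NULL;
    s->state = NEW_UNCONNECTED;
}

int demo_open(demo_sock *s)
{
    memset(s, 0, sizeof(*s));
    s->conn = malloc(sizeof(*s->conn));
    if (s->conn == NULL)
        return -1;
    s->conn->link_ok = 1;
    s->state = NEW_CONNECTED;
    return 0;
}

/* Ask the driver (the PQstatus() idea from the thread) and, when the link
 * is gone, close so that pointer and state agree again. */
int demo_check(demo_sock *s)
{
    if (s->conn != NULL && s->conn->link_ok)
        return 1;
    demo_close(s);
    return 0;
}

/* A zero-filled socket that was never opened. */
int fresh_reads_connected_old(void)
{
    demo_sock s;
    memset(&s, 0, sizeof(s));
    return s.state == OLD_CONNECTED;
}

int fresh_reads_connected_new(void)
{
    demo_sock s;
    memset(&s, 0, sizeof(s));
    return s.state == NEW_CONNECTED;
}

/* The server goes away and nothing updates the socket: both the pointer
 * test and the cached state still claim the socket is usable. */
int dropped_link_fools_cached_view(void)
{
    demo_sock s;
    if (demo_open(&s) != 0)
        return -1;
    s.conn->link_ok = 0;
    int fooled = (s.conn != NULL) && (s.state == NEW_CONNECTED);
    demo_close(&s);
    return fooled;
}

/* Same situation, but the driver is asked before the socket is used. */
int dropped_link_caught_by_check(void)
{
    demo_sock s;
    if (demo_open(&s) != 0)
        return -1;
    s.conn->link_ok = 0;
    int up = demo_check(&s);
    return up == 0 && s.conn == NULL && s.state == NEW_UNCONNECTED;
}

int main(void)
{
    printf("zeroed socket connected? old=%d new=%d\n",
           fresh_reads_connected_old(), fresh_reads_connected_new());
    printf("dropped link: cached view fooled=%d, check caught it=%d\n",
           dropped_link_fools_cached_view(), dropped_link_caught_by_check());
    return 0;
}
```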


freeradius mysql apache2 for Wi Fi hotspotsetup

2007-03-22 Thread Mini Jerome

Hi,

I have installed free radius to work with mysql on Ubuntu 6.0.6 with
radiusclient Nomadicx AG 2000 and it works fine.

At present on Nomadix, internal web server is on and it gives the login and
logout pages whenever a mysql database username and passwords are submitted,
session starts on radius server

I would like to make the login/logout pages from an external web server
instead of internal webserver of nomadix
which is configured on Nomadix and restrict users to go to loginpage
forcefully , whenever the wifi customer has been assigned dynamic IP from
Nomadix.

Can any one help//

Mini Jerome

RE : RE : RE : IP Pool management and Re-authentication

2007-03-22 Thread Thibault Le Meur

 
  Thibault Le Meur wrote:
   I've patched the radiusplugin to add Framed-IP-Address to
  the re-auth
   request but rlm_ippool still allocates a new IP Address
  (I'm using FR
   1.1.4).
  
Ok.  It seems like rlm_ippool should be updated to look for
  Framed-IP-Address in the request.
  
That would be very useful, and would solve the problem
  you're seeing.
  
Alan DeKok.
 
 Do you mean updated (to 1.1.5) or patched ?

Never mind I found the answer by looking at the code from rlm_ippool.c.

Currently, when an Access-Request arrives, rlm_ippool:
* looks in the pool for an 'active' entry (flagged as active) with the
  key=NAS-IP/NAS-port
* If no entry is found
  ==> rlm_ippool allocates an @IP from the pool
* If an active entry is found
  ==> it is considered as a stale entry and is marked as not active
      (active=0)
  ==> then a new IP is allocated

If rlm_ippool is 'updated' to take Framed-IP-Address into account what
should be the behaviour ?

A simple patch would consist of doing nothing at Post-Auth time if the
request contains a Framed-IP-Address.

A more complex patch should handle several different cases and decide what
to do. For instance:
* when Access-Request is received, look for an active entry in the pool with
  the search key NAS-IP/NAS-port
* If no entry is found
  * If there is No Framed-IP-Address attribute in the Request
    ==> allocate a new @IP from the pool
  * If there is a Framed-IP-Address attribute in the Request
    * If the Framed-IP-Address belongs to the IP-range of the pool (but it
      is not assigned to this NAS-IP/NAS-port)
      ==> then issue a warning log (especially if this IP is allocated to an
          active entry for another NAS-IP/NAS-port)
      ==> do not allocate a new @IP ??? (Or should we enforce a new IP,
          without being sure the NAS will be able to use it ?)
    * If the Framed-IP-Address doesn't belong to the IP-range of the pool
      ==> do not allocate a new @IP
* If an entry is found (there is already an allocated @IP for this
  NAS-IP/NAS-port)
  * If there is a Framed-IP-Address attribute in the Request
    * If this Framed-IP-Address is the same as the allocated IP from the
      entry found
      ==> then do nothing (no stale marking, no new @IP allocation)
    * If this Framed-IP-Address is NOT the same as the allocated IP from the
      entry found
      ==> then mark the current entry as stale (active=0)
      ==> report an error in the log because something went wrong
          (especially if the Framed-IP-Address received is allocated to another
          NAS-IP/NAS-port entry in the pool)
      ==> do not allocate a new @IP
  * If there is No Framed-IP-Address attribute in the Request
    ==> then mark the current entry as stale (active=0)
    ==> allocate a new @IP

What do you think ?

Is it already done in current development tree ?

Regards,
Thibault Le Meur



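The "more complex patch" decision tree from the message above, as an added example in C that is not rlm_ippool code: the pool layout, `decide()`, the `ACT_*` results and the addresses are constructed for illustration, and `framed_ip == 0` stands for a request without Framed-IP-Address. For the case the post leaves open (an address in the pool range that this NAS-IP/NAS-port does not hold) it takes the first option: warn and allocate nothing.

```c
#include <stdint.h>
#include <stdio.h>

#define POOL_SIZE 4

typedef struct {
    uint32_t ip;                /* address this slot hands out */
    uint32_t nas_ip, nas_port;  /* search key NAS-IP/NAS-port */
    int      active;            /* 1 = allocated, 0 = free or stale */
} pool_entry;

typedef struct { pool_entry slot[POOL_SIZE]; } ip_pool;

typedef enum {
    ACT_ALLOCATED,      /* new address taken from the pool */
    ACT_KEPT,           /* re-auth matched the existing allocation */
    ACT_NONE_IN_RANGE,  /* pool address not held by this key: warn only */
    ACT_NONE_FOREIGN,   /* address outside the pool: nothing to do */
    ACT_NONE_MISMATCH,  /* entry marked stale, error logged */
    ACT_POOL_EMPTY      /* allocation wanted but no free slot left */
} action;

typedef struct { action act; uint32_t ip; } decision;

void pool_init(ip_pool *p, uint32_t first_ip)
{
    for (int i = 0; i < POOL_SIZE; i++)
        p->slot[i] = (pool_entry){ first_ip + (uint32_t)i, 0, 0, 0 };
}

static pool_entry *find_active(ip_pool *p, uint32_t nas_ip, uint32_t nas_port)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        pool_entry *e = &p->slot[i];
        if (e->active && e->nas_ip == nas_ip && e->nas_port == nas_port)
            return e;
    }
    return NULL;
}

/* Slot owning this address, or NULL when it is outside the pool range. */
static pool_entry *find_by_ip(ip_pool *p, uint32_t ip)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (p->slot[i].ip == ip)
            return &p->slot[i];
    return NULL;
}

static decision allocate(ip_pool *p, uint32_t nas_ip, uint32_t nas_port)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        pool_entry *e = &p->slot[i];
        if (e->active)
            continue;
        *e = (pool_entry){ e->ip, nas_ip, nas_port, 1 };
        return (decision){ ACT_ALLOCATED, e->ip };
    }
    return (decision){ ACT_POOL_EMPTY, 0 };
}

/* framed_ip == 0: the Access-Request carried no Framed-IP-Address. */
decision decide(ip_pool *p, uint32_t nas_ip, uint32_t nas_port, uint32_t framed_ip)
{
    pool_entry *mine = find_active(p, nas_ip, nas_port);

    if (mine == NULL) {
        if (framed_ip == 0)
            return allocate(p, nas_ip, nas_port);
        pool_entry *owner = find_by_ip(p, framed_ip);
        if (owner == NULL)
            return (decision){ ACT_NONE_FOREIGN, 0 };
        fprintf(stderr, "warning: %08x not held by this key%s\n", (unsigned)framed_ip,
                owner->active ? " (active for another NAS-IP/NAS-port)" : "");
        return (decision){ ACT_NONE_IN_RANGE, 0 };
    }
    if (framed_ip == 0) {          /* new session: the old entry is stale */
        mine->active = 0;
        return allocate(p, nas_ip, nas_port);
    }
    if (framed_ip == mine->ip)     /* re-auth: keep the allocation */
        return (decision){ ACT_KEPT, mine->ip };
    mine->active = 0;              /* NAS and pool disagree: stale + error */
    fprintf(stderr, "error: pool has %08x, request has %08x\n",
            (unsigned)mine->ip, (unsigned)framed_ip);
    return (decision){ ACT_NONE_MISMATCH, 0 };
}

int main(void)
{
    ip_pool p;
    pool_init(&p, 0x0A000001u);                        /* constructed: 10.0.0.1-4 */
    decision first  = decide(&p, 0xC0A80001u, 1, 0);   /* initial auth */
    decision reauth = decide(&p, 0xC0A80001u, 1, first.ip);
    printf("first=%08x reauth kept=%d\n", (unsigned)first.ip, reauth.act == ACT_KEPT);
    return 0;
}
```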


Questions about Freeradius counter

2007-03-22 Thread guest01
Hi guys!

I have two minor problems with the radius counter. I am using the radius
counter for counting the sessiontimeout, which works quite good.

counter sessiontimeout {
filename = ${logdir}/db.sessiontimeout
key = User-Name
count-attribute = Acct-Session-Time
reset = never
counter-name = Daily-Session-Time
check-name = Session-Timeout
cache-size = 5000
}

If the user reaches the saved allowed max session time, the connection
gets disconnected and the user is not allowed to connect again until the
time value has been reset. Works great ...

I also want to achieve the same behavior for another counter, the
Acct-Input-Octets, but it doesn't really work. I can define a maximum
value for Input Octets and if the user exceeds this value, he cannot
connect again. Unfortunately, the connection doesn't get disconnected
after the user reached his limit, do I have to configure something
additional? It works for the Sessiontimeout, why doesn't it work for the
Input-Octets? Any ideas? Is it possible?

counter maxinput {
filename = ${logdir}/db.maxinput
key = User-Name
count-attribute = Acct-Input-Octets
reset = never
counter-name = Input-Octets
check-name = ChilliSpot-Max-Input-Octets
cache-size = 5000
}

The second problem is, that I have Acct-Input-Octets AND
Acct-Output-Octets in my radius dialog and I want to use ONE counter,
which should contain the sum of Acct-Input-Octets+Acct-Output-Octets, I
already tried to use
count-attribute = (Acct-Input-Octets+Acct-Output-Octets),
but it didn't work ... Any suggestions for that problem? Any ideas?

I appreciate every kind of help!
Thanks guys!

best regards
Peter Gastinger



Re: freeradius mysql apache2 for Wi Fi hotspotsetup

2007-03-22 Thread Stefan Winter
Hi,

  Can any one help//

not on this list, since it doesn't concern the *RADIUS* server. If you need a 
hotspot solution, take a look at Chillispot, it does what you want.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: Incomplete accounting sessions and IP pool resets

2007-03-22 Thread Peter Nixon
On Wed 21 Mar 2007 11:50, Ramm-Ericson, Johannes wrote:
 Hello Freeradius users!

 I have a recurring problem that I'm wondering if any of you have run
 into. I am currently running freeradius 1.1.4 (haven't had time to
 upgrade yet) on Suse Linux SLES 10 together with a Myql DB engine.

 I am using IP pools to supply users coming from various NAS:es with IP
 adresses. These IP pools seem to run out of IP adresses which is
 surprising given that I have more IP adresses than users for each NAS.
 Basically, new access requests don't get anywhere because there aren't
 any free IPs left. Once I stop freeradius, delete the ip pools and start
 freeradius again everything is fine. It is annoying however

I suggest you take a look at the sqlippool module as you can both easily play 
with the expiry time, and script sql commands from cron instead of deleting 
files on disk. There are quite a few additions in cvs head (soon to be 
FreeRADIUS 2.0) so I suggest you run it instead of the 1.1.x branch..

Regards
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Solution: IP Pool management and Re-authentication

2007-03-22 Thread Thibault Le Meur
 Thibault Le Meur wrote:
  I've patched the radiusplugin to add Framed-IP-Address to 
 the re-auth 
  request but rlm_ippool still allocates a new IP Address 
 (I'm using FR 
  1.1.4).
 
   Ok.  It seems like rlm_ippool should be updated to look for 
 Framed-IP-Address in the request.
 
   That would be very useful, and would solve the problem 
 you're seeing.
 
   Alan DeKok.

For those interested in an interim solution, here is a workaround:

1- make sure your NAS sends a Framed-IP-Address attribute in the
Access-Request when a re-authentication is performed (that is to say for
openvpn, use a patched version of radiusplugin)

2- Set up 2 Post-Auth-Types in the post-auth section:

Post-Auth-Type postauth.ovpn {
        Ovpn_Main_Pool
        reply_log
}

Post-Auth-Type postauth.ovpn.reauth {
        reply_log
}

3- in the users file (for instance) dispatch incoming Access-Requests based
on the presence of the Framed-IP-Address attribute:

DEFAULT Framed-IP-Address !* Any, Huntgroup-Name == srvs-vpn-ovpn, Post-Auth-type := postauth.ovpn
        Fall-Through = no

DEFAULT Framed-IP-Address =* Any, Huntgroup-Name == srvs-vpn-ovpn, Post-Auth-type := postauth.ovpn.reauth
        Fall-Through = no


Thanks Alan for your help,

Regards,
Thibault





bandwidth and volume limit

2007-03-22 Thread Mathieu Lemaitre
HI all,

I'm running freeradius 1.0.2 on a debian stable. For new clients, I need 
to implement 2 functions:

* a bandwidth limit on a per-user basis. I mean, I need to be able to 
set, for a user, a value for his upstream and downstream bw, which is 
sent by the radius as a reply attribute. Are there predefined attributes 
to do this?

* a volume limit: I'd like to be able to set a maximum amount of data 
monthly downloadable for each user.  I tried with rlm_sqlcounter,  
changing the sql request to check AcctInputOctet instead of SessionTime, 
but the problem is that radius always replies with an attribute called 
MaxSessionTime (or sthg like that), containing the remaining data volume 
for the user... is there a way to change the name of the attribute 
answered by freeradius??

Many thanks,


Mathieu


RE: bandwidth and volume limit

2007-03-22 Thread Edvin Seferovic
Change it in the sqlcounter code !

First functionality shouldn’t be a problem if you know your NAS !

Regards,
E:S

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
g] On Behalf Of Mathieu Lemaitre
Sent: Thursday, 22 March 2007 12:31
To: freeradius-users@lists.freeradius.org
Subject: bandwidth and volume limit

HI all,

I'm running freeradius 1.0.2 on a debian stable. For new clients, I need 
to implement 2 functions:

* a bandwidth limit on a per-user basis. I mean, I need to be able to 
set, for a user, a value for his upstream and downstream bw, which is 
sent by the radius as a reply attribute. Are they predefined attributes 
to do this?

* a volume limit: I'd like to be able to set a maximum amount of data 
monthly downloadable for each user.  I tried with rlm_slqcounter,  
changing the sql request to check AcctInputOctet instead of SessionTime, 
but the problem is that radius always reply an attribute called 
MaxSessionTime (or sthg like that), containing the remaining data volume 
for the user... is there as way to change the name of the attribute 
answered by freeradius??

Many thaks,


Mathieu


help by freeradius plaese

2007-03-22 Thread elmalhi abdelghani
hello, my name is elmalhi and i´ m a student in Germany,

so I want to play with freeradius 1.1.5 but I have a bug:

*** glibc detected *** radiusd: double free or corruption (fasttop): 0x086ab1c8 ***

I want to know if freeradius runs under Fedora Core 6 without problems.

regards.


Abdelghani ELMALHI
  Devesestr. 1
  45897 Gelsenkirchen
  Deutschland
Tel. 00 49 176 65 84 38 50









Re: help by freeradius plaese

2007-03-22 Thread Alan DeKok
elmalhi abdelghani wrote:
 hello, my name is elmalhi and i´ m a student in Germany,
 
 so i want too playing with freeradius 1.1.5 but i have a bug :
 
 *** glibc detected *** radiusd: double free or corruption (fasttop):
 0x086ab1c8 ***

  Get -r branch_1_1 from CVS.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: bandwidth and volume limit

2007-03-22 Thread Alan DeKok
Mathieu Lemaitre wrote:
 HI all,
 
 I'm running freeradius 1.0.2 on a debian stable. For new clients, I need 
 to implement 2 functions:
 
 * a bandwidth limit on a per-user basis. I mean, I need to be able to 
 set, for a user, a value for his upstream and downstream bw, which is 
 sent by the radius as a reply attribute. Are they predefined attributes 
 to do this?

  No.  See the NAS documentation.  It may do this, but likely not.

 * a volume limit: I'd like to be able to set a maximum amount of data 
 monthly downloadable for each user.

  There is no standard way to do that.  See the NAS documentation.  It
may do this, but likely not.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


freeradius problem : need help

2007-03-22 Thread elmalhi abdelghani
What does this mean, please:

There appears to be another RADIUS server running on the authentication port 1812

and if I type, for example, the command 'ps a', I don't find radiusd?

regards.




Re: freeradius problem : need help

2007-03-22 Thread Ian van Marwijk
Hi!

elmalhi abdelghani said the following, On 22-Mar-07 15:31:
 what means plaese this :
 
 There appears to be another RADIUS server running on the authentication
 port 1812
 
 and if I typ for example the command:' ps a  ' i don't found radiusd ?

Try 'ps auxf'

Bye, Ian


Re: RE : Re: freeradius problem : need help

2007-03-22 Thread Martin Gadbois

Ian van Marwijk wrote:
 what means plaese this error :

 There appears to be another RADIUS server running on the authentication
  port 1812
 
 It means that you already have an instance of radiusd running on the
 daemon port.
 
 Whats the output of 'ps auxf' on your box?
 

Netstat will tell you what's using which port.
Do instead:
# netstat -tnp | grep 1812

example output:
tcp        0      0 192.168.30.107:49182    192.168.30.1:5222       ESTABLISHED 5938/gaim


- --
== +-+
Martin Gadbois | Please answer by yes or no.|
Sr. SW Designer| Uncooperative user waste precious CPU time |
Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969  |


RE : RE : Re: freeradius problem : need help

2007-03-22 Thread Thibault Le Meur

  Whats the output of 'ps auxf' on your box?
  
 
 Netstat will tell you what's using which port.
 Do instead:
 # netstat -tnp | grep 1812
 
 example output:
 tcp        0      0 192.168.30.107:49182    192.168.30.1:5222       ESTABLISHED 5938/gaim

And better if you have the lsof binary installed, try:

# lsof -iUDP -P | grep 1812

Example output:
radiusd   13804 radiusd    3u  IPv4 1334215       UDP *:1812
^^^^^^^
   |
Name of the binary having the port opened




RE : Re: freeradius problem : need help

2007-03-22 Thread elmalhi abdelghani
Hi,

so I have tried with ps auxf but no way! Also with grep.
 
What does this error mean, please:

There appears to be another RADIUS server running on the authentication
 port 1812





Re: RE : Re: freeradius problem : need help

2007-03-22 Thread Ian van Marwijk
Hi!

elmalhi abdelghani said the following, On 22-Mar-07 15:49:
 Hi,
 
 so i have tryed with ps auxf but no way ! so too with  grep.
 
 what means plaese this error :
 
 There appears to be another RADIUS server running on the authentication
  port 1812

It means that you already have an instance of radiusd running on the
daemon port.

What's the output of 'ps auxf' on your box?

Bye, Ian



Re: RE : Re: freeradius problem : need help

2007-03-22 Thread Nelson Vale
You can do:

netstat -an | grep 1812

or

netstat -a | grep radius


On Thu, 2007-03-22 at 11:16 -0400, Martin Gadbois wrote:
 Ian van Marwijk wrote:
  what means plaese this error :
 
  There appears to be another RADIUS server running on the authentication
   port 1812
  
  It means that you already have an instance of radiusd running on the
  daemon port.
  
  Whats the output of 'ps auxf' on your box?
  
 
 Netstat will tell you what's using which port.
 Do instead:
 # netstat -tnp | grep 1812
 
 example output:
 tcp        0      0 192.168.30.107:49182    192.168.30.1:5222       ESTABLISHED 5938/gaim
 
 
-- 
Nelson Vale

Critical Links, S.A.
Parque Industrial de Taveiro, Lote 48
3045-504 Coimbra
PORTUGAL

Tel: +351.239989100
Fax: +351.239989119
Web: www.critical-links.com/
Email: [EMAIL PROTECTED]



RE : Re: RE : Re: freeradius problem : need help

2007-03-22 Thread elmalhi abdelghani
hi , output of ps auxf:
[EMAIL PROTECTED] radius]# ps auxf

Res: Res: EAP-TTLS + Post-auth clear password

2007-03-22 Thread Erico Augusto
Hi,
as suggested, I'm working with exec module.
radiusd.conf:
...
exec {
        post-auth:User-Password = `%{exec:/usr/local/etc/raddb/jradius.forward}`
        wait = yes
        input_pairs = request
}
...
the content of /usr/local/etc/raddb/jradius.forward script is just:
#!/bin/bash
echo 123456

so, the user's password that I'm using is 123456 (inserted at the secureW2 Windows 
XP popup), but I'm still receiving a ciphered User-Password at the destination custom 
app...

I have changed the content of the jradius.forward script to
#!/bin/bash

echo 123456789

just to see if the password sent is the one returned by the jradius.forward 
script, but all entries at radiusd -X show:
...
Processing the post-auth section of radiusd.conf
...
rlm_jradius: packing attribute User-Password (type: 2; len: 6)
...

Conclusion: the User-Password attribute is not being changed by the external 
script, since the length should be 9 ...

Any idea about what is wrong?

one more point: I'm setting the user's password in the etc/raddb/users file (it may be 
a problem, I mean ... does it fix the password?).

thanks a lot, 

Erico.


----- Original message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, 22 March 2007 5:29:24
Subject: Re: Res: EAP-TTLS + Post-auth clear password

Erico Augusto wrote:

 I'm trying to forward username and password to my own app, using
 post-auth section, to perform user authentication, as described below
 ... is that possible?

 Yes.  See the exec module.  Why do you think the pap module has
anything to do with it?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog

RE: New Server Build

2007-03-22 Thread Scott Hughes
Alan,

Thanks for the reply.

I am using the 'radtest' utility.  The actual command
I am typing (from the command line of the server
itself is: radtest test1 test1 192.168.1.5:1812 0
testing123.   I am attempting to make sure
everything is okay on the server itself, before
attempting to connect to the server with a client.

The DB structure is:  8 tables as follows: nas,
radacct, radcheck, radgroupcheck, radgroupreply,
radpostauth, radreply, usergroup.

Scott


Scott Hughes wrote:
 When I run the radtest utility that comes with FR,
I get an access-reject, even though the user is in
the radius database. Running FR with the -X
parameter, it does appear to be check the database.

 Am I testing correctly for this type of FR  MySQL
setup?

Likely, yes.

What's in the DB, and what kinds of packets are you
sending for tests?

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog




PEAP/MSCHAPv2 and WinXP

2007-03-22 Thread Damian Davalos
Hello,

I have a question I can't seem to answer with the mail archives or
documentation. 

Let me begin by explaining what I'm trying to do:

- PEAP/MSCHAPv2 authentication, no client certificates, with a WinXP
supplicant. 
- The server certificate is self-signed.

From the FAQ, I have:

- Installed the hot fix from MS KB 885453
- Included the required OID 1.3.6.1.5.5.7.3.1 in the server certificate
- Followed MS requirements for server certificates in KB 814394

The only way I can get this setup to work, is if I import my root
certificate onto my
client machine. Otherwise, I get the typical Access-Request and
Access-Challenge back
and forth. 

My question: Is importing the root certificate onto your client necessary
when self-signing 
your own server certificate?

If not, then I guess I'm still doing something wrong, but I would like to
make sure before I
continue to troubleshoot. 

Any help is greatly appreciated.

Regards,

Damian Davalos



RE: [unclas] freeradius cisco command accounting

2007-03-22 Thread Ranner, Frank MR
No, the cisco devices do not send command logs via radius. I compiled a
tacacs server and configured it to handle accounting records. I then
used the following to set up aaa on the router:
 
aaa new-model
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting send stop-record authentication failure
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default wait-start group radius
aaa accounting system default start-stop group radius
 
tacacs-server host 192.168.0.15
tacacs-server key 
radius-server host 192.168.0.15 auth-port 1812 acct-port 1813 key

radius-server retransmit 3
radius-server vsa send accounting
 
The tacacs server is available here:
http://www.pro-bono-publico.de/projects/
 
regards,
Frank Ranner




From:
[EMAIL PROTECTED]
g
[mailto:[EMAIL PROTECTED]
adius.org] On Behalf Of satish patel
Sent: Thursday, 22 March 2007 17:33
To: freeradius-users
Subject: freeradius cisco command accounting


Dear's

is there any feature in freeradius provide cisco command accounting
means users run command on cisco router and radius provide me command
log ?? per users i want to replace my tacacs with freeradius

  


RE: [unclas] freeradius cisco command accounting [resend]

2007-03-22 Thread Ranner, Frank MR
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of satish patel
   Sent: Thursday, 22 March 2007 17:33
   To: freeradius-users
   Subject: freeradius cisco command accounting
   
   
   Dear's
   
   is there any feature in freeradius provide cisco command accounting
   means users run command on cisco router and radius provide me command
   log ?? per users i want to replace my tacacs with freeradius
   
 

Sorry about previous top posted html junk (thank you outlook)


No, the cisco devices do not send command logs via radius. I compiled a
tacacs server and configured it to handle accounting records. I then
used the following to set up aaa on the router:
 


aaa new-model
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting send stop-record authentication failure
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default wait-start group radius
aaa accounting system default start-stop group radius
 
tacacs-server host 192.168.0.15
tacacs-server key 
radius-server host 192.168.0.15 auth-port 1812 acct-port 1813 key

radius-server retransmit 3
radius-server vsa send accounting
 
The tacacs server is available here:
http://www.pro-bono-publico.de/projects/
 
regards,
Frank Ranner
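
An added example, not part of the original post: a small Python check that reads "aaa accounting" method lists like the ones in the config above and reports when command accounting would not reach a TACACS+ server. The function names and both sample strings are constructed here; it assumes the built-in server group name tacacs+ and does not resolve custom-named server groups.

```python
import re

# Constructed sample: the accounting lines from the router config posted above.
POSTED = """\
aaa accounting send stop-record authentication failure
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default wait-start group radius
aaa accounting system default start-stop group radius
"""
# Constructed counter-example: command accounting pointed at RADIUS only.
RADIUS_ONLY = "aaa accounting commands 15 default start-stop group radius\n"

# aaa accounting <type> [level] <list> <mode> [broadcast] [group <name> ...]
RULE = re.compile(
    r"aaa accounting (exec|network|system|connection|commands)(?: (\d+))?"
    r" (\S+) (start-stop|stop-only|wait-start|none)((?: broadcast)?(?: group \S+)*)$"
)

def parse_accounting(config):
    """Return one dict per accounting method list; other lines are skipped."""
    rules = []
    for line in config.splitlines():
        m = RULE.match(" ".join(line.split()))  # collapse repeated whitespace
        if m:  # "aaa accounting send stop-record ..." is not a method list
            kind, level, name, mode, rest = m.groups()
            rules.append({"type": kind, "level": int(level) if level else None,
                          "list": name, "mode": mode,
                          "groups": re.findall(r"group (\S+)", rest)})
    return rules

def audit_command_accounting(config):
    """List reasons why typed commands would not reach a TACACS+ server."""
    # Assumption: only the built-in group name "tacacs+" is recognised.
    cmds = [r for r in parse_accounting(config) if r["type"] == "commands"]
    if not cmds:
        return ["no 'aaa accounting commands' line"]
    findings = []
    for r in cmds:
        where = "commands %s list %s" % (r["level"], r["list"])
        if r["mode"] == "none":
            findings.append(where + ": accounting disabled")
        elif "tacacs+" not in r["groups"]:
            findings.append(where + ": no tacacs+ group, sent to %s" % r["groups"])
    return findings

if __name__ == "__main__":
    print(audit_command_accounting(POSTED))       # no findings for the posted lines
    print(audit_command_accounting(RADIUS_ONLY))  # one finding
```

Each "aaa accounting commands" line covers one privilege level, so the check reports per level; the posted config accounts for level 15 only.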



Re: EAP-TLS authentication

2007-03-22 Thread deepak kumar

Hi
I am using freeradius 1.1 on linux suse 10.1.
I have implemented EAP-TTLS, EAP-TLS and UAM.
I want to know if there is any way to know by which method a user is
authenticated.
I mean if the user is authenticated using UAM, EAP-TLS or EAP-TTLS.
Is there any attribute whose value we can store in radius database tables?
There are two attributes, Digest-Algorithm and EAP-Message, but I don't know
how to put their values in radius tables.

thanks
deepak

Re: New Server Build

2007-03-22 Thread Alan DeKok
Scott Hughes wrote:
..
 The DB structure is:  8 tables as follows: nas,
 radacct, radcheck, radgroupcheck, radgroupreply,
 radpostauth, radreply, usergroup.

  Yes... but what's *in* the DB?  What attributes, operators, and values
are there, that you expect to match?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: EAP-TLS authentication

2007-03-22 Thread Alan DeKok
deepak kumar wrote:
 Hi
 I am using freeradius 1.1 on linux suse 10.1.
 I have implemented EAP-TTLS, EAP-TLS and UAM.
 I want to know if there is any way to know by which method a user is
 authenticated.
 I mean if the user is authenticated using UAM, EAP-TLS or EAP-TTLS.
 Is there any attribute whose value we can store in radius database tables?
 There are two attributes, Digest-Algorithm and EAP-Message, but I don't
 know how to put their values in radius tables.

  You should use EAP-Type, which is an attribute generated by the server
that tells you the name of the EAP type being used.

  And to store attributes in the table, see doc/variables.txt.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog