Re: Res: Res: EAP-TTLS + Post-auth clear password

2007-03-23 Thread Alan DeKok
Erico Augusto wrote:
 as suggested, I'm working with exec module.
 radiusd.conf:
 ...
 exec {
 post-auth:User-Password =
 `%{exec:/usr/local/etc/raddb/jradius.forward}`
 wait = yes
 input_pairs = request
 }
 ...
 the content of /usr/local/etc/raddb/jradius.forward script is just:
 #!/bin/bash
 echo 123456
 
 so, the user's password that I'm using is 123456 (inserted at the secureW2
 Windows XP popup), but I'm still receiving a ciphered User-Password at
 the destination custom app...

  All I can say is huh?  You want to use a custom app, and your
solution is to write a shell script that does... nothing?

  Perhaps you could explain how the custom app *currently* interacts
with FreeRADIUS.  From the examples you've posted, it doesn't.

  My suggestion was to write a program that would send the username &
password to the custom app.  See the documentation for how to see the
username & password in a shell script run by rlm_exec.

 I have changed the content of the jradius.forward script to
 #!/bin/bash
 echo 123456789
 
 just to see if the password sent is the one returned by the
 jradius.forward script,

  What makes you think that the shell script changes the password?
Nothing in the documentation or examples would lead you to believe that
simply echoing a number would have the magic side-effect of changing the
password.

 Any idea about what is wrong?

  The configurations you've shown don't match the documentation.  i.e.
You think they do one thing, but the documentation says they do
something else.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP/MSCHAPv2 and WinXP

2007-03-23 Thread Alan DeKok
Damian Davalos wrote:
 The only way I can get this setup to work, is if I import my root
 certificate onto my
 client machine. Otherwise, I get the typical Access-Request and
 Access-Challenge back
 and forth. 

  Yes.

 My question: Is importing the root certificate onto your client necessary
 when self-signing 
 your own server certificate?

  Yes.

  The EAP-TLS howto PDF on the web site includes this step.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius problem : need help

2007-03-23 Thread satish patel
Check whether radwatch is running or not; if it is running, kill radwatch. It is for watching 
the radiusd daemon, for monitoring the radius process.

elmalhi abdelghani [EMAIL PROTECTED] wrote: What does this mean, please:

There appears to be another RADIUS server running on the authentication port 
1812

and if I type, for example, the command 'ps a', I don't find radiusd?

regards.





$ cat ~/satish/url.txt

System administrator ( Data Center )

please visit this site

http://linux.tulipit.com   


Re: bandwidth and volume limit

2007-03-23 Thread satish patel
You can limit bandwidth on a per-user basis. I am using Cisco AV-pair attributes for 
limiting bandwidth for users' upload and download; you can see my document in my last 
posted answer.

Alan DeKok [EMAIL PROTECTED] wrote: Mathieu Lemaitre wrote:
 HI all,
 
 I'm running freeradius 1.0.2 on a debian stable. For new clients, I need 
 to implement 2 functions:
 
 * a bandwidth limit on a per-user basis. I mean, I need to be able to 
 set, for a user, a value for his upstream and downstream bw, which is 
 sent by the radius as a reply attribute. Are there predefined attributes 
 to do this?

  No.  See the NAS documentation.  It may do this, but likely not.

 * a volume limit: I'd like to be able to set a maximum amount of data 
 monthly downloadable for each user.

  There is no standard way to do that.  See the NAS documentation.  It
may do this, but likely not.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog



$ cat ~/satish/url.txt

System administrator ( Data Center )

please visit this site

http://linux.tulipit.com   


There appears to be another RADIUS server running on the authentication port 1812

2007-03-23 Thread elmalhi abdelghani

Hi, 

What does this mean, please:

There appears to be another RADIUS server running on the 
authentication port 1812.

What can I do? And I don't find the process radiusd?

output of ps auxf:

[EMAIL PROTECTED] radius]# ps auxf
USER   PID %CPU %MEMVSZ   RSS TTY  STAT START   TIME COMMAND
root 1  0.0  0.2   2032   620 ?Ss   10:13   0:02 init [5]   
   
root 2  0.0  0.0  0 0 ?S10:13   0:00 [migration/0]
root 3  0.0  0.0  0 0  ?SN   10:13   0:00 [ksoftirqd/0]
root 4  0.0  0.0  0 0 ?S10:13   0:00 [watchdog/0]
root 5  0.0  0.0  0 0 ?S   10:13   0:00 [events/0]
root 6  0.0  0.0  0 0 ?S   10:13   0:00 [khelper]
root 7  0.0  0.0  0 0 ? S   10:13   0:00 [kthread]
root10  0.0  0.0  0 0 ?S   10:13   0:00  \_ [kblockd/0]
root11  0.0  0.0  0 0 ?S   10:13   0:00  \_ [kacpid]
root73  0.0  0.0  0 0 ?S   10:13   0:00  \_ [cqueue/0]
root76  0.0  0.0  0 0 ?S   10:13   0:00  \_  [khubd]
root78  0.0  0.0  0 0 ?S   10:13   0:00  \_ [kseriod]
root   130  0.0  0.0  0 0 ?S10:13   0:00  \_ [pdflush]
root   131  0.0  0.0  0 0 ?S10:13   0:02  \_ [pdflush]
root   132  0.0  0.0  0 0 ?S   10:13   0:00  \_ [kswapd0]
root133  0.0  0.0  0 0 ?S   10:13   0:00  \_ [aio/0]
root   287  0.0  0.0  0 0 ?S   10:13   0:00  \_ [kpsmoused]
root   308  0.0  0.0  0 0 ?S   10:13   0:00  \_ [kmirrord]
root   318  0.0  0.0  0 0 ?S   10:13   0:00  \_ [kjournald]
root   344  0.0  0.0   0 0 ?S   10:14   0:00  \_ [kauditd]
root   807  0.0  0.0  0 0 ?S   10:14   0:00  \_ 
[kgameportd]
root  1239  0.0  0.0  0 0 ?S   10:14   0:00  \_ [kmpathd/0]
root  1263  0.0  0.0  0 0 ?S   10:14   0:00  \_ [kjournald]
root   370  0.0  0.1   2908   456 ?Ss   10:14   0:01 /sbin/udevd -d
root  1624  0.0  0.1   2276   340 ?Ss   10:14   0:00 /sbin/dhclient 
-1 -q -lf /var/lib/dhcli
root  1694  0.0  0.1   8348   484 ?Ss   10:14   0:00 
/usr/sbin/restorecond
root  1703  0.0  0.2   1792   712 ?Ss   10:14   0:00 syslogd -m 0
root  1706  0.0  0.1   1640   400 ?Ss   10:14   0:00 klogd -x
root  1729  0.0  0.1   2124   384 ? Ss   10:14   0:00 mcstransd
rpc   1740  0.0  0.2   1772   544 ?Ss   10:14   0:00 portmap
root  1759  0.0  0.3   1888   792 ?Ss   10:14   0:00 rpc.statd
root  1788  0.0  0.2   4928   556 ?Ss   10:14   0:00 rpc.idmapd
dbus  1802  0.1  0.5  13644  1364 ?Ssl  10:14   0:25 dbus-daemon 
--system
root  1812  0.0  0.2   2344   660 ?Ss   10:14   0:00 hcid:  
processing events
root  1824  0.0  0.1   1712   368 ?Ss   10:14   0:00 /usr/sbin/sdpd
root  1836  0.0  0.0  0 0 ?S   10:14   0:00 [krfcommd]
root  1870  0.0  0.2  33176   608 ?Ssl  10:14   0:00 pcscd
root  1888  0.0  0.1   1876   352 ?Ss   10:14   0:00 /usr/bin/hidd 
--server
root  1905  0.0  0.2   9036   744 ?Ssl  10:14   0:00  automount
root  1922  0.0  0.1   1640   436 ?Ss   10:14   0:00 /usr/sbin/acpid
root  1931  0.0  0.1   5056   488 ?Ss   10:14   0:00 ./hpiod
root  1936  0.0  0.5  12840  1408 ?S10:14   0:00 python 
./hpssd.py
root  1942  0.0  0.4   4484  1032 ?S10:14   0:00 /bin/sh 
/usr/local/mvts/bin/mp_kerneld.
root  2012  0.0  0.9  34220  2344 ?S10:15   0:00  \_  
/usr/local/mvts/./bin/mp_kerneld.x
root  2013  0.0  0.9  34220  2344 ?S10:15   0:00  \_ 
/usr/local/mvts/./bin/mp_kernel
root  2014  0.0  0.9  34220  2344 ?S10:15   0:00  \_ 
/usr/local/mvts/./bin/mp_ke
root  2015  0.0  0.9  34220  2344 ?S10:15   0:00  \_ 
/usr/local/mvts/./bin/mp_ke
root  2016  0.0  0.9  34220  2344 ?S10:150:00  \_ 
/usr/local/mvts/./bin/mp_ke
root  2017  0.0  0.9  34220  2344 ?S10:15   0:00  \_ 
/usr/local/mvts/./bin/mp_ke
root  2019  0.0  0.9  34220  2344 ?R10:15   0:01  \_ 
/usr/local/mvts/./bin/mp_ke
root  2023  0.0  0.9  34220  2344 ?S10:15   0:00  \_ 
/usr/local/mvts/./bin/mp_ke
root  2024  0.0  0.9  34220  2344  ?S10:15   0:00  \_ 
/usr/local/mvts/./bin/mp_ke
root  2025  0.0  0.9  34220  2344 ?S10:15   0:00  \_ 
/usr/local/mvts/./bin/mp_ke
root  2026  0.0  0.9  34220  2344 ?S10:15   0:00  \_ 
/usr/local/mvts/./bin/mp_ke
root  2027  0.0  0.9  34220  2344 ?S10:15   

Re: There appears to be another RADIUS server running on the authentication port 1812

2007-03-23 Thread Stefan Winter
 What does this mean, please:

 There appears to be another RADIUS server running on the
 authentication port 1812.

 What can I do? And I don't find the process radiusd?

 output of ps auxf:

Jeez. What a process table. And not at all relevant concerning port usage. Try 

netstat -tunelup

which gives you all the ports your machine listens on and the process doing 
it. (Linux at least, don't know about others).

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Research & Development Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: There appears to be another RADIUS server running on the authentication port 1812

2007-03-23 Thread Stefan Winter
Hi,

please reply to the list. And if you do contact me personally, my list of 
preferred languages is German, Luxembourgish, English, French, Spanish. 
French is fairly low down on this list, and may result in unexpected 
misunderstandings.

Comments inline below.

--
Hello again, sir,

when I gave the command netstat -tunelup, here is the response:
[EMAIL PROTECTED] raddb]# netstat -tunelup
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       Benutzer   Inode      PID/Program name
[...]
udp        0      0 192.168.100.207:1812        0.0.0.0:*                               0          7223       2012/mp_kerneld.x
udp        0      0 192.168.100.207:1813        0.0.0.0:*                               0          7224       2012/mp_kerneld.x
udp        0      0 192.168.100.207:1814        0.0.0.0:*                               0          7225       2012/mp_kerneld.x
[...]

There you are. Some program named mp_kerneld.x is occupying the port. That's 
why freeradius won't start.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Research & Development Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


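Stefan's advice above is to read `netstat -tunelup` and look at the PID/Program column for the port FreeRADIUS wants. The following is an added example, not code from the list or from FreeRADIUS: a small parser for that output that reports the owner of a port and flags RADIUS ports held by something other than radiusd. SAMPLE is constructed: the three mp_kerneld.x rows and the German column headers are the lines quoted in the thread; the sshd and portmap rows are invented so the parser is exercised on a TCP row, which carries a State column that UDP rows leave empty, and on a socket whose owner netstat prints as `-`.

```python
"""Find which process holds a UDP/TCP port from `netstat -tunelup` output."""
from typing import Dict, List, NamedTuple, Optional


class Listener(NamedTuple):
    proto: str            # tcp, udp, tcp6, udp6
    addr: str             # local address without the port
    port: int
    state: str            # "LISTEN" for TCP rows, "" for UDP rows
    user: str             # numeric uid as netstat prints it with -e
    inode: str
    pid: Optional[int]    # None when netstat shows "-" (socket owned by another uid)
    program: str          # "PID/Program name" column verbatim, e.g. "2012/mp_kerneld.x"


# Constructed sample: thread rows plus two invented ones (sshd, portmap).
SAMPLE = """\
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       Benutzer   Inode      PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      0          6011       1500/sshd
udp        0      0 192.168.100.207:1812        0.0.0.0:*                               0          7223       2012/mp_kerneld.x
udp        0      0 192.168.100.207:1813        0.0.0.0:*                               0          7224       2012/mp_kerneld.x
udp        0      0 192.168.100.207:1814        0.0.0.0:*                               0          7225       2012/mp_kerneld.x
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               0          5120       -
"""

RADIUS_PORTS = (1812, 1813, 1645, 1646)   # auth/acct, current and legacy numbers


def parse_netstat(text: str) -> List[Listener]:
    """Parse the table; banner and header lines are skipped by their first field."""
    rows: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local = fields[0], fields[3]
        addr, port = local.rsplit(":", 1)
        # TCP rows have a State column between Foreign Address and User; UDP rows
        # do not, so the remaining columns shift left by one.
        if proto.startswith("tcp"):
            state, rest = fields[5], fields[6:]
        else:
            state, rest = "", fields[5:]
        if len(rest) < 3:
            continue   # truncated row
        user, inode, program = rest[0], rest[1], " ".join(rest[2:])
        pid_str = program.split("/", 1)[0]
        pid = int(pid_str) if pid_str.isdigit() else None
        rows.append(Listener(proto, addr, int(port), state, user, inode, pid, program))
    return rows


def find_port_owner(text: str, port: int, proto: str = "udp") -> Optional[str]:
    """Return the PID/Program column for the first socket bound to `port`, or None."""
    for row in parse_netstat(text):
        if row.port == port and row.proto.startswith(proto):
            return row.program
    return None


def radius_port_conflicts(text: str, expected: str = "radiusd") -> Dict[int, str]:
    """RADIUS UDP ports held by a program other than `expected` (the thread's situation)."""
    return {
        row.port: row.program
        for row in parse_netstat(text)
        if row.proto.startswith("udp")
        and row.port in RADIUS_PORTS
        and row.program.split("/", 1)[-1] != expected
    }


if __name__ == "__main__":
    for port, prog in sorted(radius_port_conflicts(SAMPLE).items()):
        print(f"udp/{port} is held by {prog}, not radiusd")
```

Feed it the real output (`netstat -tunelup` must be run as root for the PID/Program column to be filled in for other users' sockets) before starting radiusd; an empty `radius_port_conflicts` result means the "another RADIUS server running on the authentication port" message is not caused by a port clash.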

RE : There appears to be another RADIUS server runningon the authentication port 1812

2007-03-23 Thread Thibault Le Meur

 # netstat -tunelup
 Aktive Internetverbindungen (Nur Server)
 Proto Recv-Q Send-Q Local Address               Foreign Address             State       Benutzer   Inode      PID/Program name
 [...]
 udp        0      0 192.168.100.207:1812        0.0.0.0:*                               0          7223       2012/mp_kerneld.x
 udp        0      0 192.168.100.207:1813        0.0.0.0:*                               0          7224       2012/mp_kerneld.x
 udp        0      0 192.168.100.207:1814        0.0.0.0:*                               0          7225       2012/mp_kerneld.x
 [...]
 
 There you are. Some program named mp_kerneld.x is occupying 
 the port. That's 
 why freeradius won't start.

See this Thread:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg33532.html

HTH,
Thibault





Re: PEAP/MSCHAPv2 and WinXP

2007-03-23 Thread apolyxrono
Hi Damian,

I have configured freeradius for PEAP/MSCHAPv2 authentication, no client
certificates, with a WinXP supplicant. When I created the certificates I
studied these guides: http://www.linuxjournal.com/article/8095,
http://www.linuxjournal.com/article/8151.

I copied the server certificate to the radius server as the guide said,
and some other files like dh and random. I did not make client
certificates. In PEAP/MSCHAPv2 authentication client certificates are
not necessary.

On Thu, 2007-03-22 at 15:30 -0700, Damian Davalos wrote: 
 Hello,
 
 I have a question I can't seem to answer with the mail archives or
 documentation. 
 
 Let me begin by explaining what I'm trying to do:
 
 - PEAP/MSCHAPv2 authentication, no client certificates, with a WinXP
 supplicant. 
 - The server certificate is self-signed.
 
 From the FAQ, I have:
 
 - Installed the hot fix from MS KB 885453
 - Included the required OID 1.3.6.1.5.5.7.3.1 in the server certificate
 - Followed MS requirements for server certificates in KB 814394
 
 The only way I can get this setup to work, is if I import my root
 certificate onto my
 client machine. Otherwise, I get the typical Access-Request and
 Access-Challenge back
 and forth. 
 
 My question: Is importing the root certificate onto your client necessary
 when self-signing 
 your own server certificate?
 
 If not, then I guess I'm still doing something wrong, but I would like to
 make sure before I
 continue to troubleshoot. 
 
 Any help is greatly appreciated.
 
 Regards,
 
 Damian Davalos
 





LDAP + groups problem

2007-03-23 Thread Angel L. Mateo
Hello,

We are using freeradius with an LDAP backend for our users. We have a few
services authenticating against the radius server that need to filter
some groups of users.

For users we have a posix schema: our users have the posixAccount schema
with their main group in the attribute gidNumber. Something like this:

dn: uid=myuser,ou=Users,dc=domain.com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: CourierMailAccount
uid: myuser
uidNumber: 123456
gidNumber: 1001
loginShell: /bin/bash
mail: [EMAIL PROTECTED]
...

For the group entry we have:

dn: cn=groupA,ou=Groups,dc=domain.com
cn: groupA
gidNumber: 1001
objectClass: posixGroup
objectClass: top


For user's secondary groups we have:

dn: cn=groupB,ou=Groups,dc=domain.com
cn: groupB
gidNumber: 1002
objectClass: posixGroup
objectClass: top
memberUid: myuser

so, this user belongs to groupA (main group) and groupB (secondary
group). This is similar to /etc/passwd and /etc/group files.

What I want is for the users entry below to reject access to user
myuser:

DEFAULT Ldap-Group == groupB, Auth-Type := Reject
Reply-Message = "groupB users are not allowed to login"

I am trying various configurations but I don't get the right one. I have
tried to configure it as:

groupname_attribute = gidNumber
groupmembership_filter = (&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
groupmembership_attribute = uid

but with this configuration I can filter just by the main group (myuser
is still allowed).

The configuration:

groupname_attribute = cn
groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
groupmembership_attribute = memberUid

seems to look just in secondary groups.

Is there any way to configure it taking account of both main and secondary groups
with this structure?

Thanks in advance

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica_(___V
Tfo: 968367590
Fax: 968398337

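The question above is that each of the two rlm_ldap configurations shown sees only one kind of POSIX membership: the first matches the user's own gidNumber (primary group), the second matches memberUid on posixGroup entries (secondary groups). The following is an added example, not code from the post or from rlm_ldap: it resolves both kinds of membership over the LDIF from the thread, builds the single LDAP filter that covers both cases (which needs the user's gidNumber, so it cannot be written in terms of the user name alone), and applies the `Ldap-Group == groupB` reject rule. The LDIF is constructed from the entries in the post; groupC and otheruser are invented to show a group the user is not in and a user with no account entry.

```python
"""Resolve POSIX primary and secondary group membership for an authorization decision."""
from typing import Dict, List, Optional, Tuple

# Constructed from the thread's entries; groupC / otheruser are invented.
LDIF = """\
dn: uid=myuser,ou=Users,dc=domain.com
objectClass: posixAccount
objectClass: shadowAccount
uid: myuser
uidNumber: 123456
gidNumber: 1001

dn: cn=groupA,ou=Groups,dc=domain.com
cn: groupA
gidNumber: 1001
objectClass: posixGroup

dn: cn=groupB,ou=Groups,dc=domain.com
cn: groupB
gidNumber: 1002
objectClass: posixGroup
memberUid: myuser

dn: cn=groupC,ou=Groups,dc=domain.com
cn: groupC
gidNumber: 1003
objectClass: posixGroup
memberUid: otheruser
"""

Entry = Dict[str, List[str]]

# Mirrors the users entry in the post: DEFAULT Ldap-Group == groupB, Auth-Type := Reject
DENIED_GROUPS = {"groupB"}


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    repeated attributes collected as lists. No base64 (::) or continuation lines."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a filter. User-Name comes
    from the NAS, so it must never reach the filter unescaped."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def membership_filter(uid: str, gid: str) -> str:
    """One filter that finds the primary group (by gidNumber) and the secondary
    groups (by memberUid). It needs the user's gidNumber, read from the user entry."""
    return (f"(&(objectClass=posixGroup)(|(gidNumber={ldap_escape(gid)})"
            f"(memberUid={ldap_escape(uid)})))")


def user_groups(entries: List[Entry], uid: str) -> List[str]:
    """Union of primary and secondary group names, sorted; [] if the user is unknown."""
    users = [e for e in entries
             if "posixAccount" in e.get("objectClass", []) and uid in e.get("uid", [])]
    if not users:
        return []
    gid = users[0]["gidNumber"][0]
    groups = []
    for e in entries:
        if "posixGroup" not in e.get("objectClass", []):
            continue
        primary = gid in e.get("gidNumber", [])
        secondary = uid in e.get("memberUid", [])
        if primary or secondary:
            groups.append(e["cn"][0])
    return sorted(groups)


def authorize(entries: List[Entry], uid: str) -> Tuple[str, Optional[str]]:
    """Fail closed: unknown users and members of a denied group are rejected."""
    groups = user_groups(entries, uid)
    if not groups:
        return ("Reject", "no group membership found")
    denied = sorted(DENIED_GROUPS.intersection(groups))
    if denied:
        return ("Reject", f"{denied[0]} users are not allowed to login")
    return ("Accept", None)


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    print(user_groups(entries, "myuser"), authorize(entries, "myuser"))
    print(membership_filter("myuser", "1001"))
```

The escaping helper is the part worth keeping whatever the directory layout: the filters in the post interpolate `%{User-Name}` directly, and a name containing `*`, `(` or `)` changes the meaning of the filter unless it is escaped first.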

freeradius unistalling

2007-03-23 Thread elmalhi abdelghani
Hi, 
how can I uninstall freeradius?
I don't find make uninstall.
thanks 


Abdelghani ELMALHI
  Devesestr. 1
  45897 Gelsenkirchen
  Deutschland
Tel. 00 49 176 65 84 38 50









Re : freeradius unistalling

2007-03-23 Thread Eshun Benjamin
make clean
 
==

Benjamin K. Eshun

----- Original Message -----
From: elmalhi abdelghani [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Friday, 23 March 2007, 14:02:10
Subject: freeradius unistalling 

Hi, 
how can I uninstall freeradius?
I don't find make uninstall.
thanks 


Abdelghani ELMALHI
  Devesestr. 1
  45897 Gelsenkirchen
  Deutschland
Tel. 00 49 176 65 84 38 50






 

 

Problems with freeradius 1.1.5 (2.0.0) 20070322 with postgresql (SIGHUP = segmentation fault)

2007-03-23 Thread Claudiu Filip


Hello freeradius-users,


  I'm running Freeradius 20070322 snapshot with postgresql
  backend. (I tried older versions too)

  I have 3 questions for you, all related to $subject.

  Everything is working fine (the radius is getting the nas
  clients from the database, doing db auth/acct, etc.) until we
  send a -HUP to the radiusd..

  
First one:
8x--8x-
$ /radius/sbin/radiusd -fsX
$ killall -HUP radiusd
rlm_sql (sql): Closing sqlsocket 4
rlm_sql (sql): Closing sqlsocket 3
rlm_sql (sql): Closing sqlsocket 2
rlm_sql (sql): Closing sqlsocket 1
rlm_sql (sql): Closing sqlsocket 0
read_config_files:  reading realms
Thu Mar 22 16:21:23 2007 : Info: rlm_sql (sql): Driver rlm_sql_postgresql 
(module rlm_sql_postgresql) loaded and
linked
Thu Mar 22 16:21:23 2007 : Info: rlm_sql (sql): Attempting to connect to [EMAIL 
PROTECTED]:5432/dbradius
Segmentation fault

No core file..

  I solved this problem by commenting out the "we do other magic"
  section in mainconfig.c lines 1059-1064. This will disable the debug level
  change-on-the-fly facility; it's not that important anyway.
8x-8x--




Second:
8x-8x--
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 3 , fields = 5
rlm_sql (sql): Read entry nasname=1.2.3.4,shortname=nume,secret=secret
rlm_sql (sql): Adding client 1.2.3.4 (nume) to clients list
Segmentation fault (core dumped)

#0  rbtree_insert (tree=0x7d4c4c55, Data=0x80025808) at rbtree.c:246
246 Current = tree->Root;
(gdb) bt
#0  rbtree_insert (tree=0x7d4c4c55, Data=0x80025808) at rbtree.c:246
#1  0x8000685d in client_add (clients=0x800fbb18, client=0x80025808) at 
client.c:231
#2  0xb7db29ca in rlm_sql_instantiate (conf=0x8012efc8, instance=0x7d4c4c55) at 
rlm_sql.c:347
#3  0x8000f77c in find_module_instance (modules=0x8012e5e0, instname=0x80130100 
"sql") at modules.c:322
#4  0x80010243 in setup_modules (reload=1) at modules.c:917
#5  0x8000ed65 in read_mainconfig (reload=1) at mainconfig.c:1162
#6  0x80012dc0 in main (argc=2, argv=0xbfdb1a34) at radiusd.c:560


I added
DEBUG2("OLD: %p", (void *)old_clients);
DEBUG2("NEW: %p", (void *)clients);
right before
mainconfig.clients = clients;
clients_free(old_clients); in mainparse.c

Start radiusd -fsX
OLD: (nil)
NEW: 0x800fbb18

killall -HUP radiusd:
OLD: 0x800fbb18
NEW: 0x800fbb18
rlm_sql (sql): Adding client 1.2.3.4 (nume) to clients list
Segmentation fault (core dumped)

 So, we free the same location..
 I guess the problem is in clients_parse_section, which doesn't
 return a new address space.
clients.c
-   if (clients) return clients;
+   if (clients) clients_free(clients);
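Review bot: freeing the cached tree inside clients_parse_section invalidates the pointer a caller saved before the reload (old_clients in mainconfig.c is taken before this function runs), so any later use or free of that saved pointer is a use-after-free or double free. If this function is to own the old tree, it must be the only place that frees it, and callers must not keep a copy across the call; otherwise keep `if (clients) return clients;` semantics out of the reload path and return a fresh tree without freeing here.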
mainconfig.c
-clients_free(old_clients);
+if ((void *)old_clients != (void *)clients)
+  clients_free(old_clients);
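Review bot: the pointer-equality guard is not a safe fix. It only avoids the second free when the re-parse happens to hand back the same address; if clients_parse_section allocates a new tree after the clients.c change has freed the old one, old_clients is already dangling here and `clients_free(old_clients)` frees it a second time. To the question in the message: the old tree should be freed in exactly one place, so either drop this clients_free and let clients_parse_section free the old tree, or keep this one and have clients.c return a new tree without freeing.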
 solved the problem.
 Do I still need the clients_free(old_clients)?
8x--8x


Three:
8x

 Is there any other way to make the radius re-read its
 clients from the database, without an expensive HUP (which is also not so easy
 to send when you add entries to the db)?

8x

Thanks for scrolling this down..


Best wishes,


Claudiu FILIP
[EMAIL PROTECTED]   Phone: +40344880100
http://www.globtel.ro   Fax:   +40344880113



What is the real meaning and use of cache-size in ippool declaration

2007-03-23 Thread Florin
Hi everyone,

FreeRadius 1.0.1 here, the one which comes as standard with RHEL 4.

I want to use a whole class B subnet (172.16.0.0/16) in an ippool declaration 
to assign IP addresses from. Now it is said that the cache-size parameter 
should be equal to the number of IP addresses in the pool. But if I try to set 
it to 65536, the server won't start (it'll crash actually).

So what is the **real** meaning and use of this parameter ? You have to specify 
the start and end of the pool, so then why set another parameter with a value 
that can be trivially calculated by the server anyway ?

And more importantly, what are the right guidelines on setting the value for 
this parameter? Making it equal to the number of IP addresses in the pool 
won't work and it just doesn't make any sense to me.

Finally, if I change the value of this parameter, beside restarting FreeRadius, 
do I have to do anything else ? Do I have to delete the related database and 
index files in order for the change to take place ?

Thank you in advance.

Best regards,
Florin








Re : freeradius unistalling

2007-03-23 Thread elmalhi abdelghani
Hi,
but I still find my directory usr/local/etc/raddb

regards!

Abdelghani ELMALHI
  Devesestr. 1
  45897 Gelsenkirchen
  Deutschland
Tel. 00 49 176 65 84 38 50









SUMMARY: ldap groups + freeradius

2007-03-23 Thread Karen R McArthur
Thank you to this list!  I am posting snips from my users,
radiusd.conf and huntgroup files that work.

** huntgroups **
admin   NAS-IP-Address == 192.168.1.1
Session-Timeout = 60,
Idle-Timeout = 30

public  NAS-IP-Address == 192.168.1.2
NAS-IP-Address == 192.168.1.3,
Idle-Timeout = 3600

vpn NAS-IP-Address == 192.168.1.4

** radiusd.conf **
snip
ldap {
server = ldap.example.com
port = 
identity = cn=proxy,dc=example,dc=com
password = itsasecret
basedn = ou=People,dc=example,dc=com
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
groupname_attribute = cn
groupmembership_filter = (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))
groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
}
snip

** users **
snip
DEFAULT Auth-Type = LDAP
Fall-Through = yes

DEFAULT Huntgroup-Name == public, Ldap-Group == public
Reply-Message = "Welcome to the dial-in service",
Fall-Through = no

DEFAULT Huntgroup-Name == admin, Ldap-Group == admin
Reply-Message = "Welcome to the admin Terminal Server",
Fall-Through = no

DEFAULT Huntgroup-Name == vpn, Ldap-Group == vpn
Reply-Message = "Welcome to the VPN Gateway",
Fall-Through = no

DEFAULT Auth-Type := Reject
Reply-Message = "You are not authorized to use this service.  If you believe you have received this message in error, please contact our Helpdesk."
snip

* user ldap record *
dn: uid=user1,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: public
radiusGroupName: vpn
radiusGroupName: admin

dn: uid=user2,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: public

dn: uid=user3,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: public
radiusGroupName: vpn

-- 
Karen R. McArthur [EMAIL PROTECTED]
Systems Administrator
Information and Library Services, Bates College
Lewiston, Maine 04240 USA
ph:(207)786-8236   fax:(207)786-6057


 
 RedHat EL 4 (managed through RHN, so latest available versions)
 freeradius-1.0.1-3
 openldap-2.2.13-6
 
 I have 4 NAS-IP-Addresses.
 
 My users are split into 6 groups (some are in multiple groups): public,
 faculty, staff, student, vpn, and admin.
 
 I would like the users to get access to the NAS by virtue of being in a
 group.
 
 192.168.1.1
   admin
 192.168.1.2
   vpn
 192.168.1.3  192.168.1.4
   faculty, staff, student  public
 
 What steps do I need to follow to implement this?  I have tried many
 combinations in huntgroups, users, and radiusd.conf.
 
 Any directions or urls to documentation would be appreciated.
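The summary above works because of the order in which the users file is processed: entries are tried top to bottom, the first match wins unless it sets Fall-Through = yes, a check item with `=` only sets Auth-Type when it is not already set, and `:=` overrides it. The following is an added example, not the poster's files or FreeRADIUS code: it models that processing for the huntgroups, users entries and radiusGroupName values transcribed from the post, so the decision for any user/NAS pair can be checked offline. The requests at the bottom are constructed.

```python
"""Walk the huntgroups and users entries from the summary for one request."""
from typing import Dict, List, Set, Tuple

# huntgroups file from the post: NAS-IP-Address -> huntgroup membership
HUNTGROUPS: Dict[str, Set[str]] = {
    "admin": {"192.168.1.1"},
    "public": {"192.168.1.2", "192.168.1.3"},
    "vpn": {"192.168.1.4"},
}

# radiusGroupName values from the three LDAP records in the post
LDAP_GROUPS: Dict[str, Set[str]] = {
    "user1": {"public", "vpn", "admin"},
    "user2": {"public"},
    "user3": {"public", "vpn"},
}

REJECT_TEXT = ("You are not authorized to use this service.  If you believe you "
               "have received this message in error, please contact our Helpdesk.")

Check = Tuple[str, str, str]   # (attribute, operator, value)

# users file from the post, in file order: (check items, reply items, Fall-Through)
USERS: List[Tuple[List[Check], Dict[str, str], bool]] = [
    ([("Auth-Type", "=", "LDAP")], {}, True),
    ([("Huntgroup-Name", "==", "public"), ("Ldap-Group", "==", "public")],
     {"Reply-Message": "Welcome to the dial-in service"}, False),
    ([("Huntgroup-Name", "==", "admin"), ("Ldap-Group", "==", "admin")],
     {"Reply-Message": "Welcome to the admin Terminal Server"}, False),
    ([("Huntgroup-Name", "==", "vpn"), ("Ldap-Group", "==", "vpn")],
     {"Reply-Message": "Welcome to the VPN Gateway"}, False),
    ([("Auth-Type", ":=", "Reject")], {"Reply-Message": REJECT_TEXT}, False),
]


def huntgroup_names(nas_ip: str) -> Set[str]:
    """Every huntgroup whose NAS-IP-Address list contains this NAS (a NAS may be in several)."""
    return {name for name, ips in HUNTGROUPS.items() if nas_ip in ips}


def entry_matches(checks: List[Check], request: Dict) -> bool:
    """'==' items must match the request; '=' and ':=' items are assignments to
    the control list and never cause a mismatch."""
    for attr, op, value in checks:
        if op != "==":
            continue
        if attr == "Huntgroup-Name":
            ok = value in request["huntgroups"]
        elif attr == "Ldap-Group":
            ok = value in request["ldap_groups"]
        else:
            ok = request.get(attr) == value
        if not ok:
            return False
    return True


def authorize(user: str, nas_ip: str) -> Dict[str, str]:
    """Return the merged control (Auth-Type) and reply items for one request."""
    request = {"User-Name": user, "huntgroups": huntgroup_names(nas_ip),
               "ldap_groups": LDAP_GROUPS.get(user, set())}
    control: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    for checks, reply_items, fall_through in USERS:
        if not entry_matches(checks, request):
            continue
        for attr, op, value in checks:
            if op == ":=" or (op == "=" and attr not in control):
                control[attr] = value
        reply.update(reply_items)
        if not fall_through:
            break
    return {**control, **reply}


if __name__ == "__main__":
    # Constructed requests: (user, NAS-IP-Address)
    for user, nas in [("user1", "192.168.1.4"), ("user2", "192.168.1.1"), ("user3", "192.168.1.2")]:
        print(user, nas, authorize(user, nas))
```

The last entry is what makes the whole file fail closed: a user who is in no group matching the NAS's huntgroup reaches `Auth-Type := Reject`, which overrides the `Auth-Type = LDAP` set by the first entry.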


Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-23 Thread peppeska

peppeska ha scritto:


 my script to start pppoe-server is
 
 
 debian:~# cat start-pppoe2.sh
 #!/bin/bash
 MAX=250
 BASE=10.67.7.1
 NAT=10.67.7.0/24
 MYIP=193.205.94.13
 iptables -A INPUT -i eth0 -s $NAT -j DROP
 iptables -t nat -A POSTROUTING -s $NAT -j SNAT --to-source $MYIP
 pppoe-server -T 60 -I eth1 -N $MAX -C PPPoE-R -S PPPoE-R -R $BASE
 debian:~#

nobody can help me?

- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


Re: freeradius unistalling

2007-03-23 Thread Thor Spruyt
There is no uninstall and make clean just cleans the source tree.
Use rpmbuild to make an rpm.

- Original Message - 
From: elmalhi abdelghani
To: FreeRadius users mailing list
Sent: Friday, March 23, 2007 3:48 PM
Subject: Re : freeradius unistalling


hi,
but i found always my directory usr/local/etc/raddb

regards!


Abdelghani ELMALHI
Devesestr. 1
45897 Gelsenkirchen
Deutschland
Tel. 00 49 176 65 84 38 50




Res: Res: Res: EAP-TTLS + Post-auth clear password

2007-03-23 Thread Erico Augusto
----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, 23 March 2007 3:54:41
Subject: Re: Res: Res: EAP-TTLS + Post-auth clear password

Erico Augusto wrote:
  All I can say is huh?  You want to use a custom app, and your
solution is to write a shell script that does... nothing?
sure not!

  Perhaps you could explain how the custom app *currently* interacts
 with FreeRADIUS.  From the examples you've posted, it doesn't.
it's called learning ...

 My suggestion was to write a program that would send the username &
 password to the custom app.  See the documentation for how to see the
username & password in a shell script run by rlm_exec.
that's what I'm looking for ... constructive suggestions ...

  What makes you think that the shell script changes the password?
Nothing in the documentation or examples would lead you to believe that
simple echoing a number would have the magic side-effect of changing the
password.
just learning how the tool works...

  The configurations you've shown don't match the documentation.  i.e.
You think they do one thing, but the documentation says they do
something else.
The interaction with JRadius now works ... it wasn't an issue with freeradius 
... the JRadius API was outputting 
[Encrypted String] for the password ... in truth, it's just ASCII ... a 
simple cast fixed everything.

So, to get the cleartext password with the WinXP SecureW2 (EAP-TTLS) supplicant 
configured to PAP at the Authentication tab, using the JRadius API, just gather the 
password bytes as follows:
byte[] passByte = requestPacket.getAttributes().get(Attr_UserPassword.NAME).getValue().getBytes();
where requestPacket is a RadiusPacket object.

Erico.


Re: freeradius-1.1.5 and FC4

2007-03-23 Thread Ronaldo Zhou

I encountered the problem, too.

On 3/21/07, Goke Aruna [EMAIL PROTECTED] wrote:


I installed freeradius-1.1.4 in FC4 and I got all the compilation
without error.

However, when I tried to run radiusd in debug mode I got the error
below.

Can someone please point out my problem to me.

Goksie

[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
*** glibc detected *** radiusd: double free or corruption (fasttop): 0x090fcde8 ***
=== Backtrace: =
/lib/libc.so.6[0x1b7424]
/lib/libc.so.6(__libc_free+0x77)[0x1b795f]
/usr/local/lib/libltdl.so.3[0xd9da50]
/usr/local/lib/libltdl.so.3(lt_dlopenext+0xc3)[0xd9e51f]
radiusd(find_module_instance+0x1bd)[0xe98fb5]
radiusd(setup_modules+0x1c0)[0xe997b0]
radiusd(main+0x3b0)[0xe9c814]
/lib/libc.so.6(__libc_start_main+0xc6)[0x168de6]
radiusd[0xe91cb5]

RE: Re: New Server Build

2007-03-23 Thread Scott Hughes
Alan,

The only thing in the database is the userid and
password. I put nothing else in.

I believe it has to do with my Default Auth-Type
setting in the Users file. 


Thank you,

Scott 



--- Original Message ---
From: Alan DeKok[mailto:[EMAIL PROTECTED]
Sent: 3/23/2007 1:39:03 AM
To  : [EMAIL PROTECTED];
freeradius-users@lists.freeradius.org
Cc  : 
Subject : RE: Re: New Server Build

 Scott Hughes wrote:
..
 The DB structure is:  8 tables as follows: nas,
 radacct, radcheck, radgroupcheck, radgroupreply,
 radpostauth, radreply, usergroup.

  Yes... but what's *in* the DB?  What attributes,
operators, and values
are there, that you expect to match?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog




RE: Re: New Server Build

2007-03-23 Thread Scott Hughes
Alan,

Found the problem.  The database was saving the
password in some kind of hash instead of clear-text.
Once I manually changed the password to clear-text,
I got an Auth-Accept response from the server.

Now onto the EAP-TTLS client configurations.

Thanks again Alan.

Scott






What is the real meaning and use of cache-size in ippool declaration [resend]

2007-03-23 Thread Florin
Sorry guys, this is in fact a resend of a previous email, now using 
Thunderbird in an attempt to avoid sending an HTML-format message.
Hope it'll be OK this time.

~~

Hi everyone,

FreeRadius 1.0.1 here, the one which comes as standard with RHEL 4.

I want to use a whole class B subnet (172.16.0.0/16) in an ippool 
declaration to assign IP addresses from. Now it is said that the 
cache-size parameter should be equal to the number of IP addresses in 
the pool. But if I try to set it to 65536, the server won't start (it'll 
crash actually).

So what is the **real** meaning and use of this parameter? You have to 
specify the start and end of the pool, so then why set another parameter 
with a value that can be trivially calculated by the server anyway?

And more importantly, what are the right guidelines on setting the value 
for this parameter? Making it equal to the number of IP addresses in 
the pool won't work and it just doesn't make any sense to me.

Finally, if I change the value of this parameter, besides restarting 
FreeRadius, do I have to do anything else? Do I have to delete the 
related database and index files in order for the change to take place?

Thank you in advance.

Best regards,
Florin



[no subject]

2007-03-23 Thread Jeremy Pastin
I am trying to set up EAP-TLS using FreeRadius, and I am using EJBCA to
sign my certs.  I have been able to get everything to work correctly
except the CRL.  I have created a directory
/usr/local/etc/raddb/certs/crls where I am storing my CRL info.  In this
directory I have the certificate chain of the signing CA (in pem format)
and the latest CRL for that CA (also in pem format).  After the CRL is
copied into this directory I execute c_rehash on the directory and
everything runs fine.  When I run radiusd, however, all attempts to
authenticate are denied.  The pertinent portion of the output from
radiusd -X -A is:
 

rlm_eap_tls:  TLS 1.0 Handshake [length 07b8], Certificate 
-- verify error:num=8:CRL signature failure 
rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal decrypt_error 
TLS Alert write:fatal:decrypt error 
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
 
 
This seems to tell me that FreeRadius cannot verify the CRL against the
CA cert.  However, when I run:
openssl crl -in my-crl.pem -inform PEM -CAfile my-cacert.pem -issuer
-lastupdate -nextupdate -noout
it returns verify OK and the correct info on issuer and update times.
 
Also when I run:
openssl verify -CApath ./ -crl_check test.pem 
it behaves as expected.  
 
Any ideas?
 
Jeremy Pastin
 
[EMAIL PROTECTED]
312-344-
 
First Industrial Realty Trust, Inc.
311 S Wacker Dr
Chicago, IL 60606
 
Phone:  312-344-4425
Fax:  312-895-9425
 

CRL Signature failure

2007-03-23 Thread Jeremy Pastin

Sorry forgot a subject


CRL List does not appear to work with Freeradius

2007-03-23 Thread Matt Harlum
Hey guys,

I've been using freeradius for a while now, and I want to be able to
revoke my certs, however when I have revoked them it can't find the
CRL and as such nobody can log in - even people who have certs that
are not revoked.

I just get the following message, even though my crl.pem is in the
folder with the other certs.

rlm_eap_tls:  TLS 1.0 Handshake [length 0896], Certificate
-- verify error:num=3:unable to get certificate CRL
   rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
 TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL  
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
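
Both CRL errors in these threads come from the same OpenSSL CApath lookup that rlm_eap_tls performs: "unable to get certificate CRL" means no `<hash>.r0` entry was found for the issuer in the directory, and "CRL signature failure" means a CRL was found but its signature did not verify against the CA certificate the `<hash>.0` entry points to. The script below is an added example (not code from either poster, nor from FreeRADIUS) that builds a throwaway CA, client certificate and CRL and runs the same `openssl verify -crl_check` Jeremy used, before the CRL link exists, after it exists, and after revocation; it assumes the openssl CLI is installed, and every name and path in it is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA, client cert and CRL laid
# out the way the OpenSSL CApath lookup used by rlm_eap_tls expects to find them.
# Assumes the openssl CLI is installed; all names and paths are constructed.
set -u
WORK=$(mktemp -d); cd "$WORK"; touch index.txt; echo 01 > serial
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3ca
[ dn ]
[ v3ca ]
basicConstraints = critical,CA:TRUE
EOF
openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -subj /CN=DemoCA \
  -days 30 -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj /CN=client \
  -keyout client.key -out client.csr 2>/dev/null
openssl ca -batch -config ca.cnf -days 30 -notext -in client.csr \
  -out client.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
# The CApath lookup finds a CA by <subject-hash>.0 and its CRL by <hash>.r0;
# these are exactly the links c_rehash creates. Start with the CA link only.
mkdir capath; ln -s "$WORK/ca.pem" "capath/$(openssl x509 -hash -noout -in ca.pem).0"
# verify_client: prints ok or failed for a CRL-checked verification of
# client.pem against the directory, the same check the server performs.
verify_client() {
  if openssl verify -CApath capath -crl_check client.pem >/dev/null 2>&1
  then echo ok; else echo failed; fi
}
NO_CRL=$(verify_client)    # failed: "unable to get certificate CRL" (no .r0 link)
ln -s "$WORK/crl.pem" "capath/$(openssl crl -hash -noout -in crl.pem).r0"
WITH_CRL=$(verify_client)  # ok: CRL found and its signature verified
openssl ca -config ca.cnf -revoke client.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
REVOKED=$(verify_client)   # failed: certificate revoked
cd /; rm -rf "$WORK"
```

A CRL regenerated after a revocation must still be signed by the CA whose `.0` entry is in the directory, and a newly copied CRL needs its `.r0` link refreshed (rerun c_rehash), or the lookup keeps seeing the old file.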

