Re: dialup admin replacement

2004-07-26 Thread Gary McKinney
Hi Barry,

Would it not be better to contact the maintainer of the pppd for the Debian 
distribution and ask him/her why pppd is not sending the stop accounting packet to the 
radius server when a connection is dropped (for whatever reason)?  That would fix 
the problem the way it should be corrected instead of band-aiding it.
 
 
Gary N. McKinney


-- Original Message --
From: Barry Murphy [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Mon, 26 Jul 2004 22:35:54 +1200

Anyone know how to get dialup_admin to check a poptop NAS to see if users
are still connected or not. If a user disconnects by unplugging his wireless
card or by losing signal to the wireless node they remain connected even
though their PC has thrown them out. This causes multiple connections and
long connection durations with no bandwidth info. Perhaps there is a way to
check every hour or so if the user is connected or not?

  base-nas.albanywireless.co.nz
  Network Access Server: 2 users connected, 3 free lines
  #  user     ip address      caller id  name          duration
  1  icepick  219.88.249.83   -          Barry Murphy  104:32:29
  2  casper   219.88.249.85   -          -             83:25:39

- Original Message - 
From: issa rabba' [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 27, 2004 8:13 AM
Subject: RE: dialup admin replacement


 Ok, I will make another template for your uses, and you can change to that
 template



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Barry
 Murphy
 Sent: Monday, July 26, 2004 2:58 AM
 To: [EMAIL PROTECTED]
 Subject: Re: dialup admin replacement

 That's great!!!

 Now just to add some functionality for a per month basis and bandwidth
 usage info.

 My users are charged on usage not time.

 Barry

 - Original Message -
 From: issa rabba' [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, July 27, 2004 6:33 AM
 Subject: RE: dialup admin replacement


  Ok no problem
 
  Go to login2.php
  Comment out line 32:
  // $passwd = da_encrypt($passwd,$enc_passwd);
 
  If this does not work, try this:
  Comment out lines 31 and 32:
 
  // $passwd = $FF_valPassword;
  // $passwd = da_encrypt($passwd,$enc_passwd);
 
  And change line 34
  From
  if (!strcmp($passwd,$enc_passwd)){
  To
  if (!strcmp($FF_valPassword,$enc_passwd)){
 
  That's all
 
  Regards
  Issa rabba
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Barry
  Murphy
  Sent: Monday, July 26, 2004 12:57 AM
  To: [EMAIL PROTECTED]
  Subject: Re: dialup admin replacement
 
  I'm using clear text passwords.
 
  Thanks
  Barry
 
  - Original Message -
  From: issa rabba' [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Tuesday, July 27, 2004 5:12 AM
  Subject: RE: dialup admin replacement
 
 
   I used the crypt function because all the passwords will be saved as
   crypted passwords; if not, please tell me and I will tell you what to
   change in the login2.php file
  
   Regards
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
Barry
   Murphy
   Sent: Sunday, July 25, 2004 11:48 PM
   To: [EMAIL PROTECTED]
   Subject: Re: dialup admin replacement
  
   Same here, is there a way to disable the crypt part of things, I can
   only comment out a little, but still can't get it working.
  
   Barry
  
   - Original Message -
   From: Nick Marino [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Monday, July 26, 2004 11:16 AM
   Subject: Re: dialup admin replacement
  
  
    I tried it and no matter what username and password I put in it just
    goes back to the login page.
   
    I did configure pp.php to point to my database with the correct
    username and password and database name.
   
Any ideas?
   
- Original Message - 
From: issa rabba' [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 26, 2004 12:18 AM
Subject: RE: dialup admin replacement
   
   
 Ok:

 Please download this file http://www.issa.ps/dialup_admin/stat.rar

 Please note that this interface is for the mysql database only.

 Extract the stat.tar and edit Connections/pp.php, change the values of
 the hostname, username, password and database name.

 Then upload it to a web server that supports PHP.

 Please contact me if you have any question.

 Regards,

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
  sarky
 Sent: Sunday, July 25, 2004 11:20 AM
 To: [EMAIL PROTECTED]
 Subject: RE: dialup admin replacement

 cool if you can send it over to me that will be great.
 I think the dialup admin author is on this list, you can ask

 Sarky

 On Sun, 25 Jul 2004 09:21:21 -0700, issa rabba' wrote:
   I did something like that, but it's not a part of the dialupadmin, it
   web interface for our 

Re: dialup admin replacement

2004-07-25 Thread Gary McKinney
Google WinRAR . . .  That will unpack it... in a Windows System...

gm...

- Original Message - 
From: Johnno [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, July 25, 2004 6:07 PM
Subject: Re: dialup admin replacement


 I downloaded this and had a look-see, but the rar file comes up and says
 unknown method so the file can't be unpacked.

 Can you use another method, i.e. zip, gz, tar etc.?

 Many Thanks..


 - Original Message - 
 From: issa rabba' [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, July 26, 2004 5:18 PM
 Subject: RE: dialup admin replacement


  Ok:
 
  Please download this file http://www.issa.ps/dialup_admin/stat.rar
 
  Please note that this interface is for the mysql database only.
 
  Extract the stat.tar and edit Connections/pp.php, change the values of
  the hostname, username, password and database name.
 
  Then upload it to a web server that supports PHP.
 
  Please contact me if you have any question.
 
  Regards,
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of sarky
  Sent: Sunday, July 25, 2004 11:20 AM
  To: [EMAIL PROTECTED]
  Subject: RE: dialup admin replacement
 
  cool if you can send it over to me that will be great.
  I think the dialup admin author is on this list, you can ask
 
  Sarky
 
  On Sun, 25 Jul 2004 09:21:21 -0700, issa rabba' wrote:
   I did something like that, but it's not a part of the dialupadmin, it's a
   web interface for our customers, I will customize it and send it to
   you. Or if you know how can we publish it to be part of the dialup
   admin project.
  
   Regards
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of sarky
   Sent: Saturday, July 24, 2004 10:21 AM
   To: freeradius-[EMAIL PROTECTED]
   Subject: dialup admin replacement
  
   Hello all,
  
  
   I am looking for a web interface which does what dialup admin does and
   allows users to access it via their login/password and get all the
   information they require: download limits, what they have downloaded
   and so on.
  
   Anything out there which does that ?
  
  
   Sarky
  
  
   -
   List info/subscribe/unsubscribe? See
   http://www.freeradius.org/list/users.html
  
  
 
 
 
 
 
 


 ---
 [This E-mail scanned for viruses by Declude Ant-Virus Scanner]





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: New Opensource project-AAAadmin

2004-07-24 Thread Gary McKinney
Kostas,

Hopefully this is still in the context of freeradius for this list...

See body of  message below for responses:

- Original Message - 
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 23, 2004 10:24 PM
Subject: Re: New Opensource project-AAAadmin


 On Fri, 23 Jul 2004, Gary McKinney wrote:

  Hi Kostas,
 
  It's nice to see Dialup_Admin can handle a large operation!
 
  I realize dialup_admin is in the radiusd CVS - I would have thought it
  would have been at least a separate CVS to allow others to work with it
  directly and not mess with the radiusd CVS - but I suppose it works the
  way it is...

 dialupadmin is completely separate from the freeradius server source. It's
 in its own directory where users can play with it as much as they like
 (provided they have write cvs access). I don't see a reason for a separate cvs.

 
  Changes or Features that would be nice?
 
  1.  You have the New Group section setup to allow both adding a new
  group to the system AND displaying and editing an existing group BUT you
  have to go to the Show Groups section to see the actual group names of
  existing groups.  Would it not make more sense to have a display in the
  New Group section that displays existing groups so you don't have to
  bounce between the two sections to get the name correct???  If you are
  using just a few groups then most likely you will remember the group
  names but if you have a fair number of groups to handle different
  situations (IE: Pre-Paid users, PPP users, Wireless users, etc, etc) it
  would make life easier for the admin to work with the system.

 The 'Show Group' button in the New Group page is intended as a path to
 move to the Group Administration page after you've added a new group. In
 other words:

 Open 'New Group' - Add Group details - Press 'Create' - Press 'Show
 Group' to immediately go to the corresponding group administration page
 instead of having to insert the group name in the left frame ('Edit
 Group'). It's only a shortcut, nothing more. Though your idea of having a
 non editable drop down menu with the existing groups in the 'New Group'
 page is quite nice. I'll look into it.


Yes - having a drop-down menu to select an existing name would be more
intuitive...

 
  2.  There currently does not exist any method (other than for NAS
  Clients) to setup the system or make changes to the system other than
  using a CLI (command line interface) to make changes... IE:  If you want
  to change Hints because of some additional requirement you currently
  have to know how to do so and then use the CLI to perform the task -
  would it not be easier for someone to make changes to the system if
  there were a section that allowed configuration changes (or initial
  setups) to the system

 1. I personally require dialupadmin to be able to run on any server with
 just php support and radclient, not only on the server where freeradius
 is running.


I see your point - if the dialup_admin is running on a different box it gets
a little more complicated to change the configuration files and issue the
restart.  Had not thought of that since I run both on the same box...

 2. The language used in the text files is quite complicated (which means
 corresponding pages will need a lot of development and will be equally
 complicated) and user configurations are infinite. The pages would
 probably be able to only support a small part of those configurations
 unless they became even more complicated. If you follow the list archives
 there are cases where per user patches for the server are required for
 specific setups. Just imagine a similar scenario for dialupadmin!


I had envisioned more of an initial starting point - something to get people
started in the configurations as I noticed in the list archives the same
types of issues in configuring the freeradius system (seems most want to
drop in and go without RTFM first [grin]).  I suppose the same thing could be
accomplished by writing HOW-TOs in detail for the different types of
configuration settings...

 3. An initial setup means configuring not only freeradius but also other
 components (ldap or sql installations etc).


I had only thought for the freeradius configs... the others are outside the
scope of what I had envisioned...

 4. You don't require an administrator to run sql queries each time he
 wants to go through the accounting of a user, but you DO require him to
 be able to setup the system. This is server software, I assume a minimal
 user technical level.


Hopefully the technical level is such that a person capable of installing an
OS (not Windows) is capable of understanding and implementing freeradius and
dialup_admin [grin]...

 
  I would think things like Realm configurations, SQL configurations, LDAP
  configurations, SNMP configurations and so on would be a nice addition
  to the system.  It is not hard to have PHP scripts that generate the
  required

Re: New Opensource project-AAAadmin

2004-07-23 Thread Gary McKinney
Kostas,

Are you also a user too??? [grin]...

Kidding aside - is there some place where the dialup_admin is being
maintained (CVS) and where features can be added to the code (not to
mention bringing the code up to current levels) ???

BTW:  I have not setup the database side completely yet but you can see the
latest version of dialup_admin at the following url:
http://www.ewcllc.net/dialup - like I said, I have not completely set this
up yet but it is better than plain ole screen shots [grin]...

gm...

- Original Message - 
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 23, 2004 9:11 AM
Subject: Re: New Opensource project-AAAadmin


 On Fri, 23 Jul 2004, Amit Gupta wrote:

  are you currently using dailupadmin

 Actually i am the writer.

 
 
 
  - Original Message -
  From: Kostas Kalevras [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Friday, July 23, 2004 5:46 AM
  Subject: Re: New Opensource project-AAAadmin
 
 
   On Fri, 23 Jul 2004, Amit Gupta wrote:
  
    This solution will be available in perl and biferno too. Also more
    features that I will disclose soon. First let me know your expectations.
    Will you join me???
  
   I really don't see any point in reinventing the wheel. Why not just
   add the extra features in dialupadmin instead of creating a new one?
   expectations: dialup_admin/doc/TODO
   Also see dialup_admin/doc/HELP_WANTED

   As for joining, sorry I've already got an interface that suits my
   needs and is in constant development. The question would be why abandon
   it for a new one?
  
  
Amit
- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 23, 2004 5:01 AM
Subject: Re: New Opensource project-AAAadmin
   
   
 On Fri, 23 Jul 2004, Amit Gupta wrote:

  Hi friends ,
  I have decided to develop opensource project-AAAadmin. Its URL is
  dmin.sourceforge.net. I invite you to share your expectations from
  such a solution. I also invite you to join development.

 What's wrong with dialupadmin?

 
  Amit Gupta
 
 
  ---
  Outgoing mail is certified Virus Free.
  Checked by AVG anti-virus system (http://www.grisoft.com).
  Version: 6.0.725 / Virus Database: 480 - Release Date: 7/19/2004
 

 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone: +30 210 7721861
 'Go back to the shadow' Gandalf


   
   
   
   
   
  
  
  
 
 
 
 
 







- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: New Opensource project-AAAadmin

2004-07-23 Thread Gary McKinney
Hi Kostas,

It's nice to see Dialup_Admin can handle a large operation!

I realize dialup_admin is in the radiusd CVS - I would have thought it would
have been at least a separate CVS to allow others to work with it
directly and not mess with the radiusd CVS - but I suppose it works the way
it is...

Changes or Features that would be nice?

1.  You have the New Group section setup to allow both adding a new group to
the system AND displaying and editing an existing group BUT you have to go
to the Show Groups section to see the actual group names of existing groups.
Would it not make more sense to have a display in the New Group section that
displays existing groups so you don't have to bounce between the two
sections to get the name correct???  If you are using just a few groups then
most likely you will remember the group names but if you have a fair number
of groups to handle different situations (IE: Pre-Paid users, PPP users,
Wireless users, etc, etc) it would make life easier for the admin to work
with the system.

2.  There currently does not exist any method (other than for NAS Clients)
to setup the system or make changes to the system other than using a CLI
(command line interface) to make changes... IE:  If you want to change
Hints because of some additional requirement you currently have to know
how to do so and then use the CLI to perform the task - would it not be
easier for someone to make changes to the system if there were a section
that allowed configuration changes (or initial setups) to the system

I would think things like Realm configurations, SQL configurations, LDAP
configurations, SNMP configurations and so on would be a nice addition to
the system.  It is not hard to have PHP scripts that generate the required
files and issue a kill -HUP radiusd PID to activate the changes.   This
capability makes it a full featured front-end to the freeradius system
instead of just a works for specific application front-end - and as you
said you wrote it because you needed it.  I suspect the basis for the system
was for your specific purpose - nothing wrong with that but I think others
are using different configurations and it could make their administration of
the system easier if it had a more flexible capability.

3.  I am curious - why have all of the settings for NAS attributes in the
New User section AND in the New Group section - would it not make it cleaner
overall to just have the NAS attributes contained in just the groups section
and if there is a specific requirement for an individual user to have
specific NAS attribute requirements just have a group of their own???   It
seems to me it is more confusing to someone new to the freeradius system to
have both locations where NAS attributes can be set instead of just the
requirement that the user have a unique group (the group name could be the
username) for NAS attributes and all other users that have the same NAS
attribute requirements be in the same group with those NAS attributes
identified?

You wanted to know some specifics [grin]...

As for the warning message about variables not being defined - current
thinking is if there is a variable that is checked within the body of a
script but is not passed to the script you should at least test to see if
the variable exists and if not define the variable with a default value - the
reason is to preclude someone attempting to hack the script ( of course you
should also test the variables passed to the script to make sure the values
being passed are within the range you expect as well and take appropriate
action if it is not - there is currently a buffer overflow in the maximum
memory used section of PHP prior to the current release that can allow a
hacker total access to the computer! - this was just released in the last
few days in the security mailing lists I belong to... ).

Now - having said all that I think you did a pretty good job on the
dialup_admin overall!!!

I read a posting here about modularizing the program to allow easier
modification - that would be a nice thing but not totally a requirement...
It does need better documentation but what program does not???
More comments in the body of the scripts would be a nice addition just so
someone can follow the thought-process as to why things are done the way
they are...

Please take this in the manner in which it is intended - I am not flaming
the program at all!!!

gm...

- Original Message - 
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 23, 2004 6:36 PM
Subject: Re: New Opensource project-AAAadmin


 On Fri, 23 Jul 2004, Gary McKinney wrote:

  Kostas,
 
  Are you also a user too??? [grin]...

 Yes, dialupadmin is used in both my university (ntua.gr/15000 users) and
 in the greek school network (sch.gr/15 users). In the latter there are
 around 100 people using it (delegated user administration) with no problems.

 I wrote dialupadmin because I needed it.

 
  Kidding aside

Re: EAP Inner/Outer attributes matching! (REPOST) - Avoid identity spoofing in EAP authentications!!!

2004-07-22 Thread Gary McKinney
See body of message below for responses:
 
-- Original Message --
From: PedroRibeiro (B) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 22 Jul 2004 10:34:57 +0100

Sorry for the repost but these problems are forcing me to leave our
FreeRADIUS open to stealing of identity privileges ...

PB I'm trying to instruct our freeradius to check some inconsistencies
PB between inner and outer parameters involved in EAP-TTLS and EAP-PEAP
PB authentication of wireless users.
PB 
PB If the return attributes are based on outer identity the system can be
PB fooled by using a valid inner identity and obtaining privileges of
PB another user (sent as outer identity).

Yep... that is the REASON for an encrypted inner pipe to carry the actual attribute 
information.

PB If the return attributes are based on inner identity, because not all
PB the states of EAP authentication involve an inner phase, only in the
PB phases that involve inner EAP are the correct attributes returned and
PB as an example, the user isn't correctly mapped in his correct VLAN.
PB

You would map the user based on one of the inner attributes...
 
PB How can I validate if the same Realm is used in inner and outer
PB User-Name ?

WHY would you want to!  One of the features of EAP/TTLS is the fact you can have an 
anonymous username and NAS IP in the outer phase (visible phase) thereby hiding the 
actual client attributes sent through the inner phase (TTLS pipe).  Also, NO password 
information is passed in the outer phase so that information is also obscured as it 
only passes between the supplicant and Freeradius server in the TTLS pipe.  The 
information carried in the TTLS pipe is encrypted so as to be secure and if using AES 
encryption is pretty damned hard to break!

I would base all of the client checking ONLY on the information contained within the 
TTLS pipe and just ignore any attributes passed through the outer phase.  

You could possibly use the fact that the outer phase usually contains a username of 
anonymous (unless changed in the supplicant to be something else) and use an 
external program to check for the proper bogus information in the outer phase - this 
might be a method to detect possible hack attempts to gain access to the wireless 
network if the attacker is attempting to guess a username and sending it in the outer 
phase instead of the username you have assigned to the outer phase in the supplicant 
on the client machine...

PB How can I pass variables (attributes) between inner and outer phases ?

Why would you want to?

PB How can I maintain some context of the authentications in progress so
PB that I can send the correct parameters in phases that didn't involve
PB inner auth and I can't trust the outer identity ?

Sounds like you are making this harder than it needs to be (IMHO)...
If the client information in the inner phase does not match up properly just REJECT 
the connection!

Of course this is my own opinion...

YMMV

gm...


TIA.

-- 
Best regards,
 PedroRibeiro  mailto:[EMAIL PROTECTED]





 

 

Sent via the KillerWebMail system at mail.brev.org


 
   

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
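A model of the policy in the reply above, written as an added example (it is not FreeRADIUS code and not the poster's configuration): reply attributes come only from the inner identity, and the outer identity is looked at only to raise a flag. The user directory, the VLAN values and the assumption that supplicants send "anonymous" as the outer identity are constructed for the example.

```python
# Added example (not FreeRADIUS code): authorization keyed off the inner
# (tunnelled) identity only; the outer identity is expected to be the
# anonymous placeholder and is inspected solely to flag odd supplicants.

ANONYMOUS_OUTER = "anonymous"  # assumed supplicant outer-identity setting

# Constructed directory: inner user -> reply attributes (VLAN assignment).
DIRECTORY = {
    "alice": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
              "Tunnel-Private-Group-Id": "10"},
    "bob": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": "20"},
}


def split_realm(user_name, delimiter="@"):
    """Suffix-style realm split (realm: format = suffix, delimiter = @)."""
    if delimiter in user_name:
        user, _, realm = user_name.rpartition(delimiter)
        return user, realm.lower()
    return user_name, None


def evaluate(outer_identity, inner_identity, directory=DIRECTORY,
             expected_outer=ANONYMOUS_OUTER):
    """Return (decision, reply_attrs, flags).

    decision is "accept" or "reject"; reply_attrs always come from the inner
    identity, so a spoofed outer User-Name cannot borrow another user's VLAN.
    flags are detection hints only and never grant access."""
    flags = []
    outer_user, outer_realm = split_realm(outer_identity)
    inner_user, inner_realm = split_realm(inner_identity)

    # Detection idea from the reply: the outer username should be the
    # placeholder configured in the supplicant, so anything else stands out.
    if outer_user != expected_outer:
        flags.append("outer-identity-not-anonymous")
    # The question asked about realm consistency; record it, but do not let
    # the outer realm decide anything.
    if outer_realm and inner_realm and outer_realm != inner_realm:
        flags.append("realm-mismatch")

    attrs = directory.get(inner_user)
    if attrs is None:
        # Inner identity unknown: reject, whatever the outer phase claimed.
        return "reject", {}, flags
    return "accept", dict(attrs), flags
```

With an outer identity of bob@example.org and an inner identity of alice@example.org the result is still alice's VLAN, plus a flag that the outer identity was not the expected placeholder; an unknown inner identity is rejected regardless of the outer one.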


Re: FreeRadius with Dialup admin web software

2004-07-22 Thread Gary McKinney
Sounds like the NAS is not sending an accounting stop packet when the connection dies 
(for whatever reason).  This is not a Freeradius problem (how could it know?)... 
 
 
Gary N. McKinney


-- Original Message --
From: Barry Murphy [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 22 Jul 2004 15:57:12 +1200

Hi,

I'm running freeradius and have 3 NAS (POPTOP) servers connecting to this server. I 
find when a user disconnects because they are out of wireless signal or they unplug their 
wireless card, the system shows them as still logged in and I don't get the final 
bandwidth usage, I have to manually delete the start request from the mysql radacct 
table.

Thanks
Barry

 

 



 
   

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
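As an added example (not code from either poster), a periodic audit of the radacct table along the lines of the hourly check asked about in the other thread: it flags open sessions that have no Accounting-Stop and are older than a threshold, and users with more than one open session, without deleting anything. The rows, the column names and the threshold are constructed for the example; against a live system the same logic would run over the MySQL radacct table.

```python
from datetime import datetime, timedelta

# Constructed radacct-like rows (not taken from the poster's database).
# AcctStopTime None means no Accounting-Stop has been recorded for the session.
SAMPLE_RADACCT = [
    {"RadAcctId": 1, "UserName": "icepick", "NASIPAddress": "10.0.0.2",
     "AcctStartTime": "2004-07-22 09:00:00", "AcctStopTime": None},
    {"RadAcctId": 2, "UserName": "casper", "NASIPAddress": "10.0.0.2",
     "AcctStartTime": "2004-07-23 06:00:00", "AcctStopTime": None},
    {"RadAcctId": 3, "UserName": "casper", "NASIPAddress": "10.0.0.2",
     "AcctStartTime": "2004-07-26 20:00:00", "AcctStopTime": None},
    {"RadAcctId": 4, "UserName": "alice", "NASIPAddress": "10.0.0.3",
     "AcctStartTime": "2004-07-26 18:00:00", "AcctStopTime": "2004-07-26 19:30:00"},
]
NOW = datetime(2004, 7, 26, 22, 35)  # fixed "current time" so the audit is reproducible


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def open_sessions(rows):
    """Sessions with a Start record but no Stop record."""
    return [r for r in rows if r["AcctStopTime"] is None]


def stale_sessions(rows, now=NOW, max_hours=24):
    """Open sessions older than max_hours: candidates for a dead PPP session
    whose NAS never sent Accounting-Stop.  Returns (RadAcctId, age in hours)."""
    result = []
    for r in open_sessions(rows):
        age = now - parse_ts(r["AcctStartTime"])
        if age > timedelta(hours=max_hours):
            result.append((r["RadAcctId"], round(age.total_seconds() / 3600, 1)))
    return result


def duplicate_open_sessions(rows):
    """Users with more than one open session (the 'multiple connections' symptom)."""
    by_user = {}
    for r in open_sessions(rows):
        by_user.setdefault(r["UserName"], []).append(r["RadAcctId"])
    return {u: ids for u, ids in by_user.items() if len(ids) > 1}


def audit(rows, now=NOW, max_hours=24):
    """Report only: closing or deleting rows stays a manual decision, because a
    long-lived open row can also be a genuinely long session."""
    return {"stale": stale_sessions(rows, now, max_hours),
            "duplicates": duplicate_open_sessions(rows)}
```

The threshold is a policy choice; a second open row for the same user is usually the stronger signal, since a NAS that did send its stop packet would have closed the first one.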


Re: Is Release 1.0.0 available?

2004-07-22 Thread Gary McKinney
Nothing to do with Freeradius...

Congratulations Alan!!!

Better grab that sleep now because it's about to become a thing of the past
[grin].

gm..

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 5:25 PM
Subject: Re: Is Release 1.0.0 available?


 David [EMAIL PROTECTED] wrote:
  I saw on the list last week that 1.0.0 was just about ready and I have
  seen some other posts referring to 1.0.0 , is 1.0.0 ready for download
yet?

   No.  I was going to release it last Friday, but my wife released
 Baby 1.0 first.  That took priority, oddly enough.

   Give me a few days to sleep...

   Alan DeKok.






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem setting up Radius to use Primary and Secondary Mysql Databases .

2004-07-21 Thread Gary McKinney
Hmm - think I saw an earlier posting (it's in the archives) about this very
subject!

I think you want to take a look at the configurable_failover file in the doc
directory where you untarred the freeradius package - it describes what you
are looking for...



gm...

- Original Message - 
From: Ali Asghar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 5:55 PM
Subject: Problem setting up Radius to use Primary and Secondary Mysql Databases .


 Hi all ..

 Radius =  R1
 MySql Prim  =  DB1
 Mysql  Sec   =  DB2

 I am unable to configure Radius to operate in fail over to DB2 in case
 DB1 goes down.

 The configuration details are as follows.

 1) In radiusd.conf I am doing an include on sql1.conf and sql2.conf.
  $INCLUDE  ${confdir}/sql1.conf
  $INCLUDE  ${confdir}/sql2.conf
 These two files exist in the correct location.

 2) In radiusd.conf's authorize section I have replaced the sql
 entry with the following lines
  group {
      sql1 {
          fail = 1
          notfound = return
          noop = 2
          ok = return
          updated = 3
          reject = return
          userlock = 4
          invalid = 5
          handled = 6
      }
      sql2 {
          fail = 1
          notfound = return
          noop = 2
          ok = return
          updated = 3
          reject = return
          userlock = 4
          invalid = 5
          handled = 6
      }
  }
  On starting the server in debug mode I get the following errors ..

 Module: Instantiated preprocess (preprocess)
 Module: Loaded realm
  realm: format = suffix
  realm: delimiter = @
 Module: Instantiated realm (suffix)
 ERROR: Cannot find a configuration entry for module sql1.

 Can any one tell me if I am missing something in the configuration ???

 FYI ... I was able to make a single mysql server work with radius
 successfully. And as a second step I was in the process of adding
 mysql redundancy. So basically all my tables, data etc etc work
 fine in the same arrangement.






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
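To show why the quoted group section is a failover arrangement, here is an added example (not server code) that models the configurable-failover evaluation: a return code mapped to "return" ends the group with that code, a code mapped to a number only continues with that priority, so sql2 is consulted exactly when sql1 reports fail. The sql stand-ins are constructed; the instance names sql1 and sql2 and the action table are the ones from the message, and the KeyError the model raises corresponds to the server's complaint when a name in the group has no matching module instance definition.

```python
# Added example (not FreeRADIUS code): a simplified model of how a "group {}"
# section with configurable failover evaluates its modules.  Each module
# returns a code; the per-module table maps the code to either "return"
# (stop, the group returns that code) or an integer priority (keep going;
# the running result is replaced when the new priority is higher).

FAILOVER_ACTIONS = {  # the table quoted in the message, for both sql1 and sql2
    "fail": 1, "notfound": "return", "noop": 2, "ok": "return", "updated": 3,
    "reject": "return", "userlock": 4, "invalid": 5, "handled": 6,
}


def run_group(modules, actions):
    """modules: list of (instance name, callable returning a code).
    actions: instance name -> {code: action}.
    Returns (group result, list of instance names actually called)."""
    result, priority, called = None, -1, []
    for name, module in modules:
        if name not in actions:
            # Mirrors the server's error when a name in the group has no
            # matching module instance definition.
            raise KeyError(f"Cannot find a configuration entry for module {name}.")
        code = module()
        called.append(name)
        action = actions[name][code]
        if action == "return":
            return code, called
        if action > priority:
            result, priority = code, action
    return result, called


def sql_instance(db_up, user_known=True):
    """Constructed stand-in for an sql module instance."""
    def module():
        if not db_up:
            return "fail"
        return "ok" if user_known else "notfound"
    return module


def failover_demo(db1_up, db2_up, user_in_db1=True):
    """Run the two-instance group from the message against DB1/DB2 states."""
    modules = [("sql1", sql_instance(db1_up, user_in_db1)),
               ("sql2", sql_instance(db2_up))]
    actions = {"sql1": FAILOVER_ACTIONS, "sql2": FAILOVER_ACTIONS}
    return run_group(modules, actions)
```

Note the notfound case: because notfound is mapped to return, a user missing from DB1 is not looked up in DB2. That is what you want when DB2 is a replica, and the thing to change if DB2 holds different users.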


Re: Additional lookup via SQL

2004-07-20 Thread Gary McKinney
Hiya Graeme,

If you are using an SQL database backend it is very easy to implement
this...

You setup group names in the radgroupreply table with the attributes to be
returned to the NAS for that group - you can have multiple records with the
same group name to allow multiple attributes.  Each group name would be used
for the different rates and respective burst values and whatever attributes
returned to the NAS that are specific to that group:

IE:  groupname   attribute   value   op
     rate1       rate         500    +=
     rate1       burst        800    +=
     rate2       rate        1000    +=
     rate2       burst       1200    +=

(the '+=' op value states to add the A/V (attribute/value) pair to the NAS
response even if there is another A/V pair with the same name; if you know
for a fact there is not an A/V pair with the same name you can just use '='
instead)...

and so on for each group you are defining.

You then put the username in the usergroup table with the name of the group
the user is assigned...

IE:   Username   Groupname
      user1      rate1
      user2      rate2
      user3      rate1
      user4      rate1
      user5      rate2

ad nauseam...

Freeradius should do the rest...

The nice thing is all you have to do to change the rate and burst information
for the users assigned to a group is to change the value in the
radgroupreply table and it changes for all users defined in that group.

I think I got this right - YMMV

gm...

- Original Message - 
From: Graeme Hinchliffe [EMAIL PROTECTED]
To: FreeRADIUS list [EMAIL PROTECTED]
Sent: Tuesday, July 20, 2004 5:08 AM
Subject: Additional lookup via SQL


 Hiya,
 We are adding rate limiting attributes to our radius entries on a per
 customer basis, however the rates imposed will be one of 4 predefined
 rates.  Each rate also has a burst value which is predetermined, and
 may be changed as we tweak.

 Ideally we would like to store a lookup of rates and their respective
 burst values, thus making changes quick and efficient.  Is there a nice
 way that freeRADIUS could perform an additional lookup to determine the
 correct burst for a given rate and add it (along with the attribute) to
 the radius reply?

 Thanks in advance for your help.


 -- 
 -
 Graeme Hinchliffe (BSc)
 Core Internet Systems Designer
 Zen Internet (http://www.zen.co.uk/)

 ICQ 3842605 (link)

 Direct: 0845 058 9074
 Main  : 0845 058 9000
 Fax   : 0845 058 9005









- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
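The lookup described in the reply above, as an added example (not FreeRADIUS code): the two tables are built in an in-memory SQLite database, the usergroup to radgroupreply join is run for one username, and the '=', ':=' and '+=' operators are applied when the reply list is assembled. Column names follow the FreeRADIUS 1.x SQL schema as I understand it (an assumption); the attribute names rate and burst and the user/group rows are the placeholders from the message.

```python
import sqlite3

# Constructed sample data mirroring the two tables in the message.  Column
# names follow the FreeRADIUS 1.x SQL schema (assumed); "rate" and "burst"
# are the placeholder attribute names used in the message, not real RADIUS
# attributes.
GROUP_REPLIES = [
    ("rate1", "rate", "+=", "500"),
    ("rate1", "burst", "+=", "800"),
    ("rate2", "rate", "+=", "1000"),
    ("rate2", "burst", "+=", "1200"),
]
USER_GROUPS = [
    ("user1", "rate1"), ("user2", "rate2"), ("user3", "rate1"),
    ("user4", "rate1"), ("user5", "rate2"),
]


def build_db():
    """Create an in-memory database holding the two lookup tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usergroup (UserName TEXT, GroupName TEXT)")
    conn.execute("CREATE TABLE radgroupreply "
                 "(GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT)")
    conn.executemany("INSERT INTO usergroup VALUES (?, ?)", USER_GROUPS)
    conn.executemany("INSERT INTO radgroupreply VALUES (?, ?, ?, ?)", GROUP_REPLIES)
    return conn


def group_reply_pairs(conn, username):
    """The usergroup -> radgroupreply join for one user, as (Attribute, op, Value).
    The username is bound as a parameter, never interpolated into the SQL,
    so a crafted User-Name cannot change the query."""
    return conn.execute(
        "SELECT r.Attribute, r.op, r.Value FROM usergroup u "
        "JOIN radgroupreply r ON r.GroupName = u.GroupName "
        "WHERE u.UserName = ? ORDER BY r.rowid",
        (username,),
    ).fetchall()


def merge_reply(pairs, existing=None):
    """Assemble the reply list, applying the operators the message discusses:
    '='  adds the pair only if no attribute of that name is present yet,
    ':=' replaces any existing pair(s) of that name,
    '+=' always appends, even if the name is already present."""
    reply = list(existing or [])
    for attr, op, value in pairs:
        present = any(a == attr for a, _ in reply)
        if op == "+=":
            reply.append((attr, value))
        elif op == "=":
            if not present:
                reply.append((attr, value))
        elif op == ":=":
            reply = [(a, v) for a, v in reply if a != attr]
            reply.append((attr, value))
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return reply


def reply_for_user(conn, username):
    """Full lookup: group membership, group reply rows, operator merge."""
    return merge_reply(group_reply_pairs(conn, username))
```

Changing one Value in radgroupreply changes the result for every member of that group, which is the point the reply makes; a user with no usergroup row gets an empty list, so the NAS receives no rate attributes at all rather than a default.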


Re: Servpoet dictionary

2004-07-20 Thread Gary McKinney
Take a look at man dictionary, the dictionary file in the /raddb radius directory 
(the same directory where radiusd.conf lives) and the dictionary file in the share 
directory (it's in the path specified by the dictionary file in the /raddb 
directory)... all should become as clear as mud!

[grin]... Hope this helps... 
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Brian Semrad [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 20 Jul 2004 14:04:11 -0500

I'm using the third pre-release of FreeRadius with ServPoet

Why isn't there a dictionary for ServPoet?

I'd like to use the RP-Downstream-Speed-Limit and 
RP-Upstream-Speed-Limit attributes to manage the bandwidth. Do I need to 
create a custom dictionary? Can someone point me to some documentation 
or something?

Thanks
Brian Semrad






Re: dialup admin does not work

2004-07-16 Thread Gary McKinney
Do you have the same problem with:

group_new.php3
user_admin.php3
user_edit.php3
and user_state.php3

as you have with user_new.php3  ?

If so - is the register_globals directive in the php.ini file set to off
or no ???

gm...

- Original Message - 
From: Rico Spiesberger [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 16, 2004 7:00 AM
Subject: Re: dialup admin does not work


 Ok, I turned on the sql debug and the debugging in the php.ini ... no
 results...no failure messages...

 I think I found out (with the php function calls), that the php scripts
 are running until the
 require('../lib/defaults.php3'); is reached, for example in the
 user_new.php3.
 If I comment this line out, I get the page where I can set up a new
 user. So far so good...
 What can go wrong with the defaults.php3?

 rico





 Gary McKinney wrote:

 You could try turning on the sql debug in the dialup admin program and
 place a phpinfo() function call in different places within the php scripts
 to see what the variables are doing to debug the problem - you also can
 turn on php debugging in the php.ini file... I suspect the program is
 sending header information AFTER the script has sent other header
 information but you don't see any warning messages from the php engine as
 you have the php debug output disabled ... if this is the case then you
 need to turn on the php output caching (?) feature to allow building the
 pages prior to sending them to the web server from the php engine.
 
 gm...
 
 
 
 



Re: EAP-TTLS proxying

2004-07-16 Thread Gary McKinney
Actually - not really a silly question!

Since you reported what actually happened and why, I suspect the information
will be useful to others who attempt to do the same thing (two servers
running on the same box) and run into the same scenario...

Of course it DOES require someone to look at the archives! [grin]

gm...

- Original Message - 
From: Tomasz Wolniewicz [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 16, 2004 7:55 AM
Subject: Re: EAP-TTLS proxying


 I hoped no one would bring that up, since this was my silly mistake.
 Of course everything is just as it should be and the reason for this odd
 behaviour was that out of laziness we have set up two servers on one
 machine (on different ports). Obviously radius realises that keys and
 everything are the same so it does not bother doing a TTLS proxy.

 So unfortunately this was a silly question, and no problem on the side of
 freeradius.
 Tomasz

 On Fri, Jul 16, 2004 at 12:24:31PM +0100, Luis Guido wrote:
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On
   Behalf Of Tomasz Wolniewicz
   Sent: Tuesday, July 13, 2004 21:30
   To: [EMAIL PROTECTED]
   Subject: EAP-TTLS proxying
  
  
   I hope this is not a totally stupid question.
   Suppose a user [EMAIL PROTECTED] wants to access the network at org-2 by
   authenticating at org-1 via the proxy mechanism.
   Suppose we want to use PAP-TTLS.
   It would seem natural that the proxying is done on the basis
   of the outer
   identity and the tunneled data is never revealed to the proxy server
   at org-2.
 
  Yes that's exactly how it should be.
 
   Unfortunately our tests seem to show that the
   server at org-2 needs
   to get the user data, including the password.
 
  Very weird, I have that same scenario and password AND inner username
  is never revealed, because that information is tunneled on a secure TLS
  tunnel and encapsulated in an EAP packet. The 1st server (that acts as a
  proxy) just sees some anonymous username, an EAP-Message, and some more
  stuff (Message-Authenticator, etc...) but never the real username and
  password. The org-2 server CAN'T open a TLS connection to get access to
  the critical information: user+pass!!! If that happened that's no longer a
  secure connection :)
 
   Is it possible to configure things in the secure way? Of course, the
   servers need to trust each other, but some trust is one thing
   and seeing
   passwords in plain text is another. I realise that other forms of
   authentication, which do not transmit passwords will not have
   that problem.
 
  That's the way things are supposed to be. Only the authentication
  server has access to user+pass.
  Can you send the config? We have a cookbook for freeradius (it's all in
  Portuguese but the configuration part is in native English) at:
  http://www.fccn.pt/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=199&MMN_position=140:4:90
 
  You are welcome to download, try and comment on it of course.
  Contributions are most welcome!
 
  Luis Guido
 
   Yours
   Tomasz
  
   -- 
   Tomasz M. Wolniewicz
  [EMAIL PROTECTED]
   http://www.uni.torun.pl/~twoln
  
   Uczelniane Centrum
   Informatyczne   InformationCommunication Technology Centre
   Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
   pl. Rapackiego 1, Torun   pl. Rapackiego 1, Torun, Poland
   tel: +48-56-611-2750 fax: +48-56-622-1850   tel kom.:
   +48-693-032-576
  

 -- 
 Tomasz Wolniewicz
[EMAIL PROTECTED]
http://www.uni.torun.pl/~twoln

 Uczelniane Centrum Informatyczne   InformationCommunication Technology
Centre
 Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
 pl. Rapackiego 1, Torun   pl. Rapackiego 1, Torun, Poland
 tel: +48-56-611-2750 fax: +48-56-622-1850   tel kom.:
+48-693-032-576



Re: dialup admin does not work

2004-07-16 Thread Gary McKinney
In your configuration settings for dialup admin do you have the variable
general_use_session set to YES???  If it is - try setting it to NO and see
if things start working... it may not be the mode of operation you want but
it is a good check to isolate the actual problem...

If the general_use_session was set to YES and changing it to NO allows the
scripts to work then I suspect the Register_Sessions() call in the
defaults.php3 file is causing the problem (of course that is a deprecated
call in versions of PHP greater than 4.02 and versions greater than 4.1.0
recommend not using that function call at all)...

If this is indeed the problem you will need to rewrite part of the
lib/defaults.php3 script to use the $_SESSION form to set up the session
defaults instead of the deprecated Register_Sessions() call...
or use an older version of PHP (prior to 4.x.x) to get things working
properly - I would suggest the re-write then send the changes to the
freeradius site so they can include the updates [grin]

gm...

- Original Message - 
From: Rico Spiesberger [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 16, 2004 8:33 AM
Subject: Re: dialup admin does not work


 yes, the problem is with these files, but the register_globals in the
 php.ini is on

 rico



 Gary McKinney wrote:

 Do you have the same problem with:
 
 group_new.php3
 user_admin.php3
 user_edit.php3
 and user_state.php3
 
 as you have with user_new.php3  ?
 
 If so - is the register_globals directive in the php.ini file set to
off
 or no ???
 
 gm...
 
 
 
 
 
 




Re: Freeradius+Postfresqk+MAC problem

2004-07-13 Thread Gary McKinney



Hmmm,

Looks like most everything is correct - from what 
you have sent here...

A couple of things:

1. Is postgresql case sensitive (I play with 
MySQL)??? If so check the case (caps or lower case) of the record field 
names to make sure the schemas match for the database and queries.

2. Check the debug logs for the database to see 
exactly what is being done on the database side!

From what I see here it looks like the Freeradius 
is doing its job properly...

As an aside note: When you had the users file setup 
and the Auth-Type := Accept you were basically telling Freeradius to "accept" 
any default caller unconditionally - that is what the "Accept" means 
{grin}...


gm...


- Original Message - 
From: Christoffer Dahl Petersen
To: [EMAIL PROTECTED]
Sent: Tuesday, July 13, 2004 4:40 AM
Subject: Freeradius+Postfresqk+MAC problem


Hi!

As I wrote earlier in this list, I'm trying to get Freeradius to authenticate
my clients based on their NICs' MAC. This works great as long as I use the
"users" file:

DEFAULT Calling-Station-Id == "CLIENT NIC", Auth-Type := Accept
        Filter-ID="profile="">

Now I'm trying to use a Postgresql as backend, but it won't work.
Here is my radiusd.conf (the entire conf file is in the bottom of the mail):

$INCLUDE ${confdir}/postgresql.conf

authorize {
        preprocess
        sql
}

Here is my postgresql.conf:

sql {
        driver = "rlm_sql_postgresql"
        server = "localhost"
        login = "radius"
        password = "123456"
        radius_db = "radius"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "usergroup"
        deletestalesessions = yes
        sqltrace = yes
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        sql_user_name = "%{User-Name}"
        SQL_User_Name = "%{User-Name}"
        authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \
                FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' ORDER BY id"
#       authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \
#               FROM ${authreply_table} WHERE username = '%{SQL-User-Name}' ORDER BY id"
#       authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} \
#               WHERE UserName = '%{User-Name}' AND \
#               ( Attribute = 'User-Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC"
}

Here is a dump of my database:

[EMAIL PROTECTED] 172.16.0.10]# psql -U radius
radius=> select * from radcheck;
 id |     username      |   attribute   | op | value
----+-------------------+---------------+----+--------
  1 | 00-04-23-4d-c4-3d | User-Password | == | 123456
  2 | 00-20-e0-8d-05-94 | User-Password | == | 123456
(2 rows)

And here is what my log says:

Jul 12 14:39:02 linux radiusd: ^IUser-Name = "00-20-e0-8d-05-94"
Jul 12 14:39:02 linux radiusd: ^IUser-Password = "123456"
Jul 12 14:39:02 linux radiusd: ^INAS-IP-Address = 172.16.0.10
Jul 12 14:39:02 linux radiusd: ^INAS-Port = 0
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): Reserving sql socket id: 3
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE username = '00-20-e0-8d-05-94' ORDER BY id
Jul 12 14:39:02 linux postgres[19980]: [5-1] LOG: 0: duration: 5.637 ms
Jul 12 14:39:02 linux postgres[19980]: [5-2] LOCATION: exec_simple_query, postgres.c:960
Jul 12 14:39:02 linux postgres[19980]: [6-1] LOG: 0: duration: 5.637 ms statement: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE username =
Jul 12 14:39:02 linux postgres[19980]: [6-2] '00-20-e0-8d-05-94' ORDER BY id
Jul 12 14:39:02 linux postgres[19980]: [6-3] LOCATION: exec_simple_query, postgres.c:974
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: affected rows =
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): No matching entry in the database for request from user [00-20-e0-8d-05-94]
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): Released sql socket id: 3
Jul 12 14:39:02 linux radiusd: Login incorrect: [00-20-e0-8d-05-94/123456] (from client testap1 port 0)
Jul 12 14:39:05 linux radiusd: rad_recv: Access-Request packet from host 172.16.0.10:6001, id=63, length=69
Jul 12 14:39:05 linux radiusd: Sending Access-Reject of id 63 to 172.16.0.10:6001

I really don't know what I'm doing wrong - Could any of you give me a hint?
If you need to see any other configuration files please let me know.

Thanks
Christoffer

My entire radiusd.conf:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = 

Re: Freeradius compilation ERROR

2004-07-09 Thread Gary McKinney
Hi Apellido,

this is a known issue - here is Alan's previous response (it's in the
archives too!):

-
  The solution is to edit libltdl/Makefile, and change:

top_builddir = .

  to:

top_builddir = ./..
-

This corrected the build process for me with FreeBSD 5.2.1


gm...


- Original Message - 
From: apellido jr., wilfredo p. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 08, 2004 11:05 PM
Subject: Freeradius compilation ERROR


 Freebsd 4.10
 Freeradius latest development CVS July 09, 2004


 diameter# make
 Making all in libltdl...
 gmake[1]: Entering directory `/usr/local/radiusd/libltdl'
 gmake[1]: *** No rule to make target `all'.  Stop.
 gmake[1]: Leaving directory `/usr/local/radiusd/libltdl'
 gmake: *** [common] Error 1
 *** Error code 2

 Stop in /usr/local/radiusd.





Re: EAP TLS: rlm_eap: Failed in handler

2004-07-09 Thread Gary McKinney



What are you using for a Supplicant???

gm...


- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 09, 2004 5:37 AM
Subject: EAP TLS: rlm_eap: Failed in handler


Sorry...my first posting was not easy to read ;-(
Here the same subject in a readable format

Hello!

I tried to use eap tls. When I started radius everything looked fine. Then
radius receives an access request and answers with an access challenge
containing EAP TLS START. No problem so far. But when radius receives the
TLS client hello in the next step it fails with "rlm_eap: Either EAP-request
timed out OR EAP-response to an unknown EAP-request" and "rlm_eap: failed
in handler". I am rather confused now. Perhaps one of the experts could give
me a hint concerning the cause. Thanks in advance!

Greetings
Michael Heiart

Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
...
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests
rad_recv: Access-Request packet from host 127.0.0.1:32858, id=167, length=95
        User-Name = "Server certificate"
        EAP-Message = 0x02b6001701536572766572206365727469666963617465
        NAS-IP-Address = 127.0.0.2
        NAS-Port = 0
        Message-Authenticator = 0x0012efe996568bc1ca6419e4c07ce713
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20040709'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20040709
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  rlm_realm: No '@' in User-Name = "Server certificate", looking up realm NULL
  rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 182 length 23
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 167 to 127.0.0.1:32858
        EAP-Message = 0x01b700060d20
        Message-Authenticator = 0x
        State = 0x172cf45df81917d900bc7f4cd4353545
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32858, id=168, length=152
        User-Name = "Server certificate"
        EAP-Message = 0x02b700500d8000461603010041013d030140ee5e798623d9c38b893a0d87ba4681324740e7f1b264453463058af5167c4a1600040005000a000900640062000300060013001200630100
        NAS-IP-Address = 127.0.0.2
        NAS-Port = 0
        Message-Authenticator = 0x2816e26924e7c987dc6ccb8e4729e0d4
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat:  '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20040709'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20040709
  modcall[authorize]: module "auth_log" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  rlm_realm: No '@' in User-Name = "Server

Re: Cisco Command Authorization

2004-07-09 Thread Gary McKinney
It would probably help [grin] if you sent the radiusd -x output instead of the Cisco 
debug output - this list does not normally perform vendor specific troubleshooting ( 
but if someone on the list has seen the specific type of problem they usually 
respond) 
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Eric TURENNE [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 9 Jul 2004 16:11:36 -0300

Hi,

I'm currently investigating freeradius in order to migrate from tacacs+
to radius.

I got pretty much authentication and accounting to do what I want.

But I cannot figure out what's wrong with the command authorization.
Config seems good but nothing is sent to RADIUS server.

Here's router config and DEBUG:

Router config :

aaa new-model
aaa authentication login default group radius enable none
aaa authentication enable default group radius enable none
aaa authorization commands 1 default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting commands 1 default start-stop group radius
aaa accounting commands 15 default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius
aaa processes 6
!
radius-server host xxx.xxx.72.238 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server timeout 3
radius-server key testing123

When I issue with debug : 

Caribou>sh ver
Command authorization failed.

Caribou>
03:14:17: tty67 AAA/AUTHOR/CMD (3529157779): Port='tty67' list=''
service=CMD
03:14:17: AAA/AUTHOR/CMD: tty67 (3529157779) user=''
03:14:17: tty67 AAA/AUTHOR/CMD (3529157779): send AV service=shell
03:14:17: tty67 AAA/AUTHOR/CMD (3529157779): send AV cmd=show
03:14:17: tty67 AAA/AUTHOR/CMD (3529157779): send AV cmd-arg=version
03:14:17: tty67 AAA/AUTHOR/CMD (3529157779): send AV cmd-arg=cr
03:14:17: tty67 AAA/AUTHOR/CMD (3529157779): found list default
03:14:17: tty67 AAA/AUTHOR/CMD (3529157779): Method=radius (radius)
03:14:17: AAA/AUTHOR (3529157779): Post authorization status = FAIL

Any hint would be much appreciated.

Regards,

--Eric




Re: Reauthentication interval for WPA w/ EAP-TTLS

2004-07-07 Thread Gary McKinney
Hi Yi,

When I installed the PCMCIA wireless network card software on my laptop the wireless 
network card manager was installed along with the wireless network card drivers.  I 
had to disable the wireless network card manager so the Funk Software Odyssey 
Supplicant would work properly (the wireless network card manager and the Funk 
software were fighting each other for control of the network card)...

Your description of the problem is exactly what I had experienced with my 
configuration prior to disabling the wireless network card manager that came with the 
PCMCIA wireless network card I used in my laptop 
 
 
Gary N. McKinney



-- Original Message --
From: Yi Zheng [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 7 Jul 2004 12:28:58 -0700 (PDT)

Hi Gary,
 
Does disabling the linksys wireless manager solve the problem? If so, it sounds like the 
problem is with the supplicant side? Any experience with other supplicants?
 
I am not using the linksys card, what I have is a cisco 350 wireless card in an IBM 
T30 notebook.
 
- Yi
 
Gary McKinney [EMAIL PROTECTED] wrote:
Hi Yi,
 
I have basically the same setup here at home and ran into the same issues!
 
If you are running the Linksys PCMCIA wireless network card you need to disable the 
wireless manager software - the Odyssey Supplicant software and the Linksys wireless 
manager software do not play nice together!
 
gm...
 
- Original Message - 
From: Yi Zheng 
To: [EMAIL PROTECTED] 
Sent: Tuesday, July 06, 2004 8:56 PM
Subject: Reauthentication interval for WPA w/ EAP-TTLS


Hi,
 
I downloaded the third pre-release of version 1.0.0 and was able to make a windows 2k
client running Funk client software work with a linksys wrt54g AP using
WPA with EAP/TTLS authentication against the FreeRadius server. The windows 2k
client gets its DHCP address and the connection seems to work fine. However the
funk software repeats the reauthentication against the Radius server continuously
every 3 to 4 seconds. It greatly impacts the performance of the AP and makes the
connection very unstable.
 
I read about the Session-Timeout mentioned in some email threads in the archive but 
did not figure out where to make changes to that. It seems to be that it is the funk 
client (supplicant) who initiates the reauthentication. Can someone help me on this? 
Thanks,
 
- Yi 

 


 

 



Re: ERROR freeradius compilation

2004-07-02 Thread Gary McKinney
Hmmm - Yep ... I wonder if the problem is the DATE  ( CVS July 7, 2004
 )...

Actually Alan answered this question a couple of days ago...

Has to do with the newer version of libtool...

The current fix is to go into the libltdl source directory per Alan and
perform the following:

-

  The solution is to edit libltdl/Makefile, and change:

top_builddir = .

  to:

top_builddir = ./..
 -

Worked for me!

gm...

- Original Message - 
From: apellido jr., wilfredo p. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 02, 2004 4:45 AM
Subject: ERROR freeradius compilation


 Freebsd 4.10
 Freeradius latest development CVS July 07, 2004


 gmake[1]: Entering directory `/usr/local/radiusd/libltdl'
 /bin/sh ./libtool --mode=compile

gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -pthread -D_THREAD_SAFE -DOPENSSL

_NO_KRB5   -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcas

t-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-d
 eclarations -Wnested-externs -W -Wredundant-decls -Wundef -c ltdl.c
 ./libtool: s,^.*/,,g: not found
 -e: not found
 *** Warning: inferring the mode of operation is deprecated.
 *** Future versions of Libtool will require -mode=MODE be specified.
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 -e: not found
 : compile: cannot determine name of library object from `'
 gmake[1]: *** [ltdl.lo] Error 1
 gmake[1]: Leaving directory `/usr/local/radiusd/libltdl'
 gmake: *** [common] Error 1
 *** Error code 2






Re: Max TNT not respecting my Default profile

2004-07-02 Thread Gary McKinney
Drew,

Check to make sure the Ascend you have uses the Ascend-VSA attributes, if
not I think there is a setting in the ascend configuration for the ascend to
use the VSA attributes... See the file ascend in the docs section of the
source directory for the freeradius server - it discusses this very issue.

gm...

- Original Message - 
From: Drew Weaver [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 01, 2004 5:12 PM
Subject: Max TNT not respecting my Default profile


 Version is: lt-radiusd: FreeRADIUS Version 0.9.3, for host
 i686-pc-linux-gnu, built on Dec 24 2003 at 09:56:24

 This is my default profile listed at the bottom of my USERS file in
 /usr/local/etc/raddb

 DEFAULT Auth-Type = System
 Service-Type = Framed-User,
 Framed-IP-Address = 255.255.255.254,
 Framed-MTU = 576,
 Framed-Protocol = PPP,
 Framed-Compression = Van-Jacobson-TCP-IP,
 Ascend-Maximum-Time = 18000,
 Ascend-Idle-Limit = 900,
 Ascend-Maximum-Channels = 1


 Sorry to bother you guys with this.. I just noticed that this
 command  Ascend-Idle-Limit = 900 appears to have no effect on the length
 of time our Ascend Max TNT will allow a user to be idle. It appears that it
 has a VERY short idle timeout (less than 1 minute). This is the only
 difference I can tell when switching my TNT off of my OLD merit radius aaa
 server, and moving it to our new freeradius server. We really want to use
 the new system with our TNT because FreeRadius absolutely rules, but not
 allowing the users more than a 1 minute idle timeout is kind of a killer ;-)

 Using NTRadPing when I authenticate I get back vendor Ascend
 Ascend-VSA-Idle-Limit=900, so it looks like the attribute is actually
 being sent to the TNT but the tnt is ignoring it, is this not the correct
 syntax for this command or am I doing something stupid?

 Thanks,
 -Drew



Re: Accounting and SQL, help!

2004-07-01 Thread Gary McKinney
Are you sure the NAS is sending accounting packets?


gm...

- Original Message - 
From: Maqbool Hashim [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 01, 2004 5:46 AM
Subject: Accounting and SQL, help!


 Anson Rinesmith wrote:

  Run radius in debug mode (radiusd -X) and see if you can figure out
  what is
  happening.
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:freeradius-
  [EMAIL PROTECTED] On Behalf Of Maqbool Hashim
  Sent: Wednesday, June 30, 2004 11:24 AM
  To: [EMAIL PROTECTED]
  Subject: problems with radius accounting when using mysql
 
  Hi,
 
  I have radius set up to get authentication information from a mysql
  database.  I want it to log accounting information to the radacct table
  in my mysql database.  I have set up the accounting section in my
  radiusd.conf file as follows:
 
  accounting {
   acct_unique
   detail
   unix
   sql
   radutmp
}
 
  However radius is still logging accounting information to the files and
  I can't see anything in the radacct table in my database.  (I have
  rebooted the radius server).
 
  Am I missing a crucial setting here?
 
  Regards,
 
  Maqbool
 
 
 
 Thanks, I had another look at the debug messages from the radiusd
 server, I can't see anything that illuminating in there.  I see the sql
 module being loaded:

 Module: Loaded SQL
 .
 .
 .
 .
 sql: accounting_update_query = UPDATE radacct SET FramedIPAddress =
 '%{Framed-IP-Address}' WHERE AcctSessionId =
 '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress=
 '%{NAS-IP-Address}' AND AcctStopTime = 0
 sql: accounting_update_query_alt = 


 That's the sql query that should get executed when the accounting section
 is processed.  However when there is an authentication request from a
 NAS, I only see sql queries and connections to the mysql server during
 the authorize section:

 modcall[authorize]: module suffix returns noop for request 1
 radius_xlat:  'ben'
 rlm_sql (sql): sql_set_user escaped user -- 'ben'
 radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
 Username = 'ben' ORDER BY id'
 rlm_sql (sql): Reserving sql socket id: 3
 rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM
 radcheck WHERE Username = 'ben' ORDER BY id
 :
 :
 :

 But I don't see anything like modcall[accounting] and an sql query.
 Should I be? And if I'm not what setting have I missed?  The accounting
 section in radiusd.conf looks as I gave above.

 Regards,

 Maqbool








Re: Re: Sniff radius

2004-06-30 Thread Gary McKinney
Try searching for: radiusniff  (just one 's')...

gm...

- Original Message - 
From: nsinit [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
[EMAIL PROTECTED]
Sent: Tuesday, June 29, 2004 9:22 PM
Subject: Re: Re: Sniff radius



 Yeah, I found it yesterday after the post, thanks anyway.
 I use radiussniff too.

 Hi, can you tell me where I can download radiussniff?
 I have searched for it at google/freshmeat.net/sourceforge.net,
 but get nothing.

 thx.











Re: Ingoring unknown Client error.

2004-06-30 Thread Gary McKinney



Looks like the 'name' of the NAS in the 
clients.conf file is not correct or the shared (secret) password is not correct 
- careful of whitespace and non-printable characters in the clients.conf file or 
the PM3 - also, I think this is case sensitive as well...

gm..

  - Original Message - 
  From: Alexander Lopez
  To: [EMAIL PROTECTED]
  Sent: Tuesday, June 29, 2004 10:40 PM
  Subject: Ingoring unknown Client error.


  So I thought it was going to be simple. Download, compile, install, configure files and bam!! Radius. NOT SO!!

  I am running:
  [EMAIL PROTECTED] sbin]# `pwd`/radiusd -v
  radiusd: FreeRADIUS Version 1.0.0-pre3, for host , built on Jun 28 2004 at 12:13:59

  When I start radiusd with -X
  I get this when trying to authenticate a dialup user from a Livingston PM3

  rad_recv: Access-Request packet from host 216.22.88.240:1142, id=182, length=115
  Ignoring request from unknown client 216.22.88.240:1142
  --- Walking the entire request list ---
  Nothing to do. Sleeping until we see a request.


  I have added the secret in the clients.conf file, stopped and started the radiusd process. I have changed the secret on the PM3 (just to make sure I knew what it was).
  Funny thing is that the PM3 works fine on my Sun box that I am trying to retire. (This is the last thing that remains.)

  This is what I have done:

  Made sure that the PM3 is using port 1812 (as per RFC)
  Made sure that the PM3 can ping and has connectivity (long shot, but wanted to rule the network out)


  I don't know what else to check.. Do I just have a weird one??



Re: Compiling FreeRADIUS CVS on FreeBSD -- dismal failures

2004-06-30 Thread Gary McKinney
Hi Chris,

I have compiled earlier versions of CVS on FreeBSD 5.2 and had no problems. I'm 
currently downloading the latest CVS to see if it compiles on a FreeBSD 5.2 machine 
now... will post results... 
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Chris Shenton [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 30 Jun 2004 14:21:31 -0400

I've been trying for a few days to get FreeRADIUS from CVS compiled on
a FreeBSD-4.9 and FreeBSD-5.2 machine.  I want to use it to
authenticate users connecting to LinkSys WRT54G wireless routers
running the Sveasoft firmware.

But builds on both versions of FreeBSD fail spectacularly in a variety
of places depending on how I specify options to configure.

Has any other FreeBSD user out there gotten this to compile?

I'm a sometimes coder but don't grok libtool very well, and it seems
to be having problems finding libraries.

Most recently I've been trying to put the configure command into a
script file so I could tweak options, currently trying:


  CPPFLAGS="-I/usr/local/include"
  LDFLAGS="-L/usr/local/lib"
  CFLAGS="$CPPFLAGS $LDFLAGS"

  export CPPFLAGS
  export LDFLAGS
  export CFLAGS

  WITHOUTFLAGS="\
  --without-rlm_krb5 \
  --without-rlm_ldap \
  --without-rlm_python \
  --without-rlm_sql \
  --without-rlm_sqlcounter \
  --without-rlm_x99_token \
  "

  # Try and force these to look in /usr/local/lib, etc.
  # --with-rlm-MODULE-lib-dir=DIR
  # --with-rlm-MODULE-include-dir=DIR

  WITHFLAGS="\
  --with-rlm-ippool-lib-dir=/usr/local/lib \
  "

  OLDFLAGS="\
  --with-large-files \
  "

  ./configure \
  --prefix=/usr/local \
  --with-logdir=/var/log \
  --localstatedir=/var \
  --disable-ltdl-install \
  $WITHFLAGS \
  $WITHOUTFLAGS \
  CPPFLAGS="$CPPFLAGS" \
  CFLAGS="$CFLAGS" \
  LDFLAGS="$LDFLAGS"

Failing because it's not finding the ../lib/rbtree stuff.

  creating .libs/radiusdS.c
  (cd .libs  gcc -c -fno-builtin radiusdS.c)
  rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
  gcc .libs/radiusdS.o -I/usr/local/include -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS 
 -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual 
 -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes 
 -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../include 
 -DHOSTINFO=\i386-unknown-freebsd5.2\ -DRADIUSD_VERSION=\1.1.0-pre0\ -o radiusd 
 radiusd.o files.o util.o acct.o nas.o log.o valuepair.o version.o proxy.o exec.o 
 auth.o timestr.o conffile.o modules.o modcall.o session.o xlat.o threads.o smux.o 
 radius_snmp.o client.o request_list.o mainconfig.o -Wl,--export-dynamic  
 -L/usr/local/lib -L/usr/local/src/CVS/freeradius/radiusd/src/lib -lpthread 
 /usr/local/lib/libradius.so /usr/local/lib/libltdl.so -lcrypt -lcipher -lssl 
 -lcrypto -Wl,--rpath -Wl,/usr/local/lib -Wl,--rpath -Wl,/usr/local/lib
  xlat.o: In function `xlat_find':
  /usr/local/src/CVS/freeradius/radiusd/src/main/xlat.c:294: undefined reference to 
 `rbtree_finddata'
  xlat.o: In function `xlat_register':
  /usr/local/src/CVS/freeradius/radiusd/src/main/xlat.c:323: undefined reference to 
 `rbtree_create'


I've been able to work around most of the other libraries libtool
isn't finding.  It seems to be avoiding /usr/local/lib, perhaps
because gcc -print-search-dirs only shows

  libraries: =/usr/lib/

without /usr/local/lib.  I've been trying to hack the configure
script to generate libtool with /usr/local/lib where appropriate but
there appear to be about 20 places where this is needed.  I must be
missing something obvious because it seems it can't be this hairy and
repetitive. 

Any clues? 



Re: Compiling FreeRADIUS CVS on FreeBSD -- dismal failures

2004-06-30 Thread Gary McKinney
Alan,

I attempted to perform a ./configure and then a make without making any changes to the 
latest CVS 20040630 (out of the box compile attempt).  Attached are the ./configure 
results and the attempt at performing the make operation...

This was executed on a FreeBSD 5.2.1 system.  There is a previous version of 
freeradius installed on this machine but the error occurs before any external 
libraries are accessed (still in the source directory path)


interesting... 
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Alan DeKok [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 30 Jun 2004 14:41:51 -0400

Chris Shenton [EMAIL PROTECTED] wrote:
 I'm a sometimes coder but don't grok libtool very well, and it seems
 to be having problems finding libraries.

  You've installed multiple versions of the server, and are telling it
to use an older version of libradius, which doesn't have the
rbtree code.

 Most recently I've been trying to put the configure command into a
 script file so I could tweak options, currently trying:
 
 
   CPPFLAGS=-I/usr/local/include
   LDFLAGS=-L/usr/local/lib
   CFLAGS=$CPPFLAGS $LDFLAGS

  None of that should be necessary.

 gcc .libs/radiusdS.o -I/usr/local/include -D_REENTRANT
...
 /usr/local/lib/libradius.so

  That's the problem.  For some reason, it's picking
/usr/local/lib/libradius.so, rather than the local libradius.so (or.a)

  My suggestion is to NOT do -L/usr/local/lib, and/or to temporarily
chmod -x /usr/local/lib/libradius.so, while building the server.

  Alan DeKok.


Re: Compiling FreeRADIUS CVS on FreeBSD -- dismal failures

2004-06-30 Thread Gary McKinney
Gotta love libtool!!! 
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Alan DeKok [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 30 Jun 2004 15:36:30 -0400

Gary McKinney [EMAIL PROTECTED] wrote:
 I attempted to perform a ./configure and then a make without making
 any changes to the latest CVS 20040630 (out of the box compile
 attempt).  Attached are the ./configure results and the attempt a
 performing the make operation...

  Ah, yes.  More libltdl nonsense.  I see the same thing on my system,
but I've been ignoring it, while trying to fix the last annoying
problems with 1.0.0.

  The solution is to edit libltdl/Makefile, and change:

top_builddir = .

  to:

top_builddir = ./..

  I've tried a few things to fix it, but nothing seems to work...

  Alan DeKok.




Re: Usuários.

2004-06-29 Thread Gary McKinney

 Fabio,

See the rlm_sql file in the docs section of the source directory.

BTW: Please use English on this list.

Thank you!

(Brought to you by:   http://world.altavista.com/babelfish/tr ) [Grin]

Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Fabio Oliveira dos Santos - Claro RJ - [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 29 Jun 2004 11:13:36 -0300





   Folks, is there a way to configure freeradius so that I have the users
and their passwords for authentication in a database or a file?


Regards,

Fábio Santos




Re: Problem Getting Free Radius Work with MySql

2004-06-28 Thread Gary McKinney
Hi,

Check in your users file to see if you have Auth-Type = System set
there... if so that may be your problem...

gm..

- Original Message - 
From: Ali Asghar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 28, 2004 4:56 AM
Subject: Problem Getting Free Radius Work with MySql


 Hi ..

 Radius Version  = 0.9.2
 Mysql  Version = 4.0.20
 Linux Redhat   = Red Hat Enterprise Linux AS release 3 (Taroon Update 2)

 I have tried authenticating users with user info in users file and
 it works fine , however when i move the same info to mysql , it doesnt
 work .  Below are Mysql Tables and their contents used .

 mysql> select * from usergroup ;
 +----+----------+-----------+
 | id | UserName | GroupName |
 +----+----------+-----------+
 |  3 | asghar   | propel    |
 +----+----------+-----------+

 mysql> select * from radcheck ;
 +----+----------+-----------+----+--------+
 | id | UserName | Attribute | op | Value  |
 +----+----------+-----------+----+--------+
 |  5 | asghar   | Password  | == | asghar |
 +----+----------+-----------+----+--------+


 mysql> select * from radreply ;
 +----+----------+-----------+----+-------+
 | id | UserName | Attribute | op | Value |
 +----+----------+-----------+----+-------+
 |  3 | asghar   | Auth-Type | := | Local |
 +----+----------+-----------+----+-------+

 All the other mysql tables ( raddacct , radgroupcheck , radgroupreply)
 are empty .


 Running the radius server in debug gives me the following output.

 rad_recv: Access-Request packet from host 172.16.8.6:32781, id=31,
length=70
 User-Name = asghar
 User-Password = asghar
 Propel-Client-IP-Address = 172.16.1.131
 Propel-Client-Source-ID = 1
 modcall: entering group authorize for request 2
   modcall[authorize]: module preprocess returns ok for request 2
   modcall[authorize]: module chap returns noop for request 2
 rlm_eap: EAP-Message not found
   modcall[authorize]: module eap returns noop for request 2
 rlm_realm: No '@' in User-Name = asghar, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 2
 radius_xlat:  'asghar'
 rlm_sql (sql): sql_set_user escaped user -- 'asghar'
 radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
 WHERE Username = 'asghar' ORDER BY id'
 rlm_sql (sql): Reserving sql socket id: 3
 radius_xlat:  'SELECT

radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'asghar' AND
 usergroup.GroupName = radgroupcheck.GroupName ORDER BY
 radgroupcheck.id'
 radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply
 WHERE Username = 'asghar' ORDER BY id'
 radius_xlat:  'SELECT

radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'asghar' AND
 usergroup.GroupName = radgroupreply.GroupName ORDER BY
 radgroupreply.id'
 rlm_sql (sql): Released sql socket id: 3
   modcall[authorize]: module sql returns ok for request 2
 users: Matched DEFAULT at 165
   modcall[authorize]: module files returns ok for request 2
   modcall[authorize]: module mschap returns noop for request 2
 modcall: group authorize returns ok for request 2
   rad_check_password:  Found Auth-Type System
 auth: type System
 modcall: entering group authenticate for request 2
   modcall[authenticate]: module unix returns notfound for request 2
 modcall: group authenticate returns notfound for request 2
 auth: Failed to validate the user.
 Delaying request 2 for 1 seconds
 Finished request 2
 Going to the next request
 --- Walking the entire request list ---
 Waking up in 1 seconds...
 rad_recv: Access-Request packet from host 172.16.8.6:32781, id=31,
length=70
 Sending Access-Reject of id 31 to 172.16.8.6:32781
 --- Walking the entire request list ---
 Waking up in 5 seconds...
 --- Walking the entire request list ---
 Cleaning up request 2 ID 31 with timestamp 40dfc4c7
 Nothing to do.  Sleeping until we see a request.

 A clue in the debug output is the following line: "rad_check_password:
 Found Auth-Type System". If you look at the Mysql radreply table, I have
 specifically tried to specify Auth-Type to be Local and not System.

 I would really appreciate if some one can help me understand where i
 am going wrong .

 Thanks
 Ali



Re: how to save binary values in MySQL radreply table

2004-06-25 Thread Gary McKinney
Dave,

You may want to check out MySQL 4.x - there is a hex() function to return a
hexadecimal representation..

gm...

- Original Message - 
From: Dave Mason [EMAIL PROTECTED]
To: freeradius mailing list [EMAIL PROTECTED]
Sent: Friday, June 25, 2004 2:30 PM
Subject: Re: how to save binary values in MySQL radreply table


 True - I need to figure out how to reverse the process.  That is, I need
 to send something like 0xed5e as my attribute value.  For now I'll
 just use VSA as the attribute because it's not encrypted.  If I set the
 value in radreply to ed5e, the server returns 65643565 to the
 client, as you would expect.  I need to get binary values into the table
 somehow.  Maybe the API is smart enough to handle binary data even if
 the mysql command line client isn't?  I tried prefixing each character
 with \0x but that didn't work.

 Dave

 Alan DeKok wrote:

 Dave Mason [EMAIL PROTECTED] wrote:
 
 
  My apologies if this has been answered before but I didn't see
  anything.  This is basically a MySQL question.  I need to save MS-MPPE
  attributes in the radreply table.  Those have a binary value.
 
 
 
   Which is why they're of type octets in the dictionary.  When the
 server prints them out, it prints them as a series of hex characters,
 which is in turn a normal ASCII string.
 
   Alan DeKok.
 
 
 
 
 




Re: Another PAM question

2004-06-24 Thread Gary McKinney
Hans,

I think all you have to do is comment out the unix line in the Authentication 
section of the radiusd.conf file and restart the radius server. 
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Hans [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 24 Jun 2004 16:57:49 +0200

Hello.

I managed to get my user-logins to authenticate against a freeradius server,
which in turn uses an openLdap server. This works now, but login is still
using /etc/passwd, because if I delete a user then I get 'User is unknown to
underlying authentication module'.

I tried to delete the line
auth requisite pam_unix2.so
from /etc/pam.d/login, but no such luck.

What I want now, is that the /etc/passwd is not used anymore for password
and for home and shell etc, so delete all users from it.

So that ls /home does give me the correct user/group names instead of
numbers.

What should I do?

Gr, Hans




RE: Replies on port 1029

2004-06-24 Thread Gary McKinney
Brian,

That is the correct way for operation!

Radius listens on ports 1812 and 1813 (for authentication and accounting 
respectively) BUT responds back to the NAS on the first non-privileged port the 
system has available for use. This is normal RFC operation in TCP/IP communications 
for services - don't believe it? Perform an FTP or Telnet or HTTP operation and watch 
the traffic with a network sniffer - they do the same thing [grin]...
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Brian Andrus [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 24 Jun 2004 09:50:45 -0700

I do have the following in the /etc/services file:

radius        1812/tcp                # Radius
radius        1812/udp                # Radius
radius-acct   1813/tcp    radacct     # Radius Accounting
radius-acct   1813/udp    radacct     # Radius Accounting

And when I start freeradius up, it grabs 1812 and 1813 for listening. The
odd thing is that it seems to grab the first non-privileged port for
sending out responses. 

 
All The Best,
 
Brian Andrus
Millenia Internet Services, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark
Coccimiglio
Sent: Thursday, June 24, 2004 12:46 AM
To: [EMAIL PROTECTED]
Subject: Re: Replies on port 1029

Check your /etc/services file.  If a port is not specified in the radius
config, radius looks to /etc/services for the port.  If none is specified
there then I guess it takes the first non-privileged port.

Mark C.

Brian Andrus wrote:

 I have been using freeradius .9.1 for some time now. I have been 
 seeing a problem in that the responses are coming back on port 1029 
 rather than the 1812 expected. I have not found or seen anything that 
 addresses this. It seems that it is grabbing the first 
 non-privileged port, but I may be wrong.
  
 How do I force freeradius to respond on port 1812 for requests?
  
 Brian Andrus
  






Re: Access-Accept source ip

2004-06-24 Thread Gary McKinney
Hi Ted,

Why would the Access-Accept packet NOT come from the same IP (radius
server) the request was sent to originally???  To do otherwise would open up
the NAS or AP to spoofing attacks...

What vendors are you referring to in terms of accepting Access-Accept
packets from an IP other than the original IP the request was sent to (just
to make sure I don't use their equipment [grin])???  Are you confusing IP
(Internet Address) with the port number of the communications on the IP
address between the NAS or AP and the Radius Server?

gm...

- Original Message - 
From: Ted Kaczmarek [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 1:59 PM
Subject: Access-Accept source ip


 I recently noticed that Cisco rejects Access-Accept unless they
 originate from the same IP that auth was requested from. Another vendor
 will accept them from any ip no matter who they were originally sent to.

 Didn't find any mention in the RFC 2865 about the ip source of an accept
 packet.


 Now to me it seems like rejecting the packets makes more sense when they
 are not being sourced from the same IP address that the original request
 was destined to.


 Any thought on this?

 Ted

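The check a NAS actually makes on an Access-Accept, as an added example in Python (not code from the thread or from FreeRADIUS): RFC 2865 ties every reply to the request's authenticator and the shared secret, and the example shows that, alongside a source-address and ID match, rejecting a reply from a different host or a host without the secret. The secret, addresses and attribute values are constructed for the example.

```python
import hashlib
import hmac
import struct

# Added example, not from the mailing-list thread. It performs the check a
# NAS applies to an Access-Accept under RFC 2865 section 3: the 16-byte
# Response Authenticator is MD5(Code + ID + Length + RequestAuth +
# Attributes + Secret). A reply from a host that does not hold the shared
# secret, or that never saw the request, fails this check whatever address
# it came from; comparing the source address and the request ID as well
# closes the replay and mix-up cases the digest alone does not cover.

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
HEADER_LEN = 20       # code(1) + id(1) + length(2) + authenticator(16)
SESSION_TIMEOUT = 27  # attribute type from RFC 2865


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length (header included), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_request(ident: int, request_auth: bytes, attrs: bytes) -> bytes:
    """Access-Request; the NAS picks a random 16-byte Request Authenticator."""
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes,
                   secret: bytes) -> bytes:
    """Build a reply the way the server does, with the Response Authenticator."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes,
                    reply_source: tuple, server_address: tuple) -> tuple:
    """Decide whether a reply may be trusted for the outstanding request.

    Returns (accepted, reason). reply_source is where the datagram came from
    and server_address is where the request was sent, both as (ip, port).
    """
    if reply_source != server_address:
        return False, "reply did not come from the server the request was sent to"
    if len(response) < HEADER_LEN:
        return False, "packet shorter than the RADIUS header"
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length < HEADER_LEN or length > len(response):
        return False, "Length field does not match the datagram"
    response = response[:length]  # octets beyond Length are padding and ignored
    if ident != request[1]:
        return False, "identifier does not match the outstanding request"
    request_auth = request[4:HEADER_LEN]
    expected = hashlib.md5(
        response[:4] + request_auth + response[HEADER_LEN:] + secret
    ).digest()
    if not hmac.compare_digest(response[4:HEADER_LEN], expected):
        return False, "bad Response Authenticator: wrong secret or altered packet"
    return True, "accepted code %d" % code


def scenario() -> dict:
    """Constructed exchange: one genuine reply and three that must be refused."""
    secret = b"example-shared-secret"   # constructed, not a real secret
    server = ("192.0.2.10", 1812)       # RFC 5737 documentation address
    request_auth = bytes(range(16))     # fixed here; a NAS uses random bytes
    request = build_request(7, request_auth, attribute(1, b"alice"))
    timeout = attribute(SESSION_TIMEOUT, struct.pack("!I", 3600))
    genuine = build_response(ACCESS_ACCEPT, 7, request_auth, timeout, secret)
    forged = build_response(ACCESS_ACCEPT, 7, request_auth, timeout, b"guess")
    # Same header and authenticator as the genuine reply, attribute value altered.
    tampered = genuine[:HEADER_LEN] + attribute(SESSION_TIMEOUT, struct.pack("!I", 9999))
    return {
        "genuine": verify_response(genuine, request, secret, server, server),
        "other_host": verify_response(genuine, request, secret, ("198.51.100.7", 1812), server),
        "wrong_secret": verify_response(forged, request, secret, server, server),
        "tampered": verify_response(tampered, request, secret, server, server),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenario().items():
        print("%-12s %s: %s" % (name, "accept" if ok else "reject", reason))
```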


Re: [Newbie] Questions about accounting

2004-06-24 Thread Gary McKinney
Keith,

There is a text document in the Docs directory under the source directory
where you un-tarred the source code called aaa.txt.  It will answer some
of your questions.  As for the others:

 1. How do I limit the traffic for a user?

You don't, at least not with radius - unless there is a specific attribute
your network access server understands to set the bandwidth for a user -
then you could return that attribute for the user to set the bandwidth
allowed...

 2. How do I shape the traffic for a user once they have gone over their
limit?

You don't, at least not with radius.  Radius is an authorization and
authentication server - not a bandwidth packet shaper - the only thing you
could do would be to write scripts to control a packet shaper upstream of
the NAS or AP and trigger the scripts to perform this - Don't take offense
but it sounds like this would be more than you can handle at this point.  No
insult intended!!!  It is WAY outside the scope of a radius server!

 3. How do I limit the time slots for a user?

This is possible with freeradius - check out the rlm_sqlcounter file in the
docs directory and also do a search in the list archive for the same thing
(rlm_sqlcounter) This will require installing an sql server to implement
and your access device will need to understand time limits but it is
possible to do.

 4. How do I control the amount of time a user has been on?

See the answer above...

Hope this helps...

gm...



- Original Message - 
From: keith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 8:13 PM
Subject: [Newbie] Questions about accounting


 1. How do I limit the traffic for a user?
 2. How do I shape the traffic for a user once they have gone over their
 limit?
 3. How do I limit the time slots for a user?
 4. How do I control the amount of time a user has been on?

 Users log in via pptpd (--version - PoPToP v1.1.3)

 radiusd (-v - FreeRADIUS Version 0.9.3, for host i686-pc-linux-gnu, built
 on Jun 16 2004 at 03:00:59)

 Logging into freeradius is done via a matched name in
 /etc/raddb/users.conf (default is accept since I am currently unable to
get
 pppd to pass a password pair to freeradius)

 Thanks

 Keith


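The time-limit accounting Gary points to (rlm_sqlcounter over the radacct table), as an added example in Python rather than the module's own config: it sums what a user has consumed since the start of the reset period, counts only the part of a session that falls inside the period, and turns the remainder into a Session-Timeout or a reject. The table rows, limit and period start are constructed for the example; sqlite is used in place of MySQL.

```python
import sqlite3

# Added example, not the rlm_sqlcounter module. It reproduces the arithmetic
# that module performs against radacct: add up the session time a user has
# consumed since the start of the current reset period (sqlcounter's %b),
# counting only the part of each session that falls inside the period, then
# either reject the login or hand back the remaining seconds as the value
# for Session-Timeout. Rows, limit and period start are constructed.


def make_sample_db() -> sqlite3.Connection:
    """In-memory radacct subset with constructed rows (times in epoch seconds)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, "
        "AcctSessionTime INTEGER)"
    )
    rows = [
        ("alice", 990_000, 5_000),    # ended at 995_000, before the period: ignored
        ("alice", 999_000, 3_000),    # straddles the boundary: only 2_000 s count
        ("alice", 1_005_000, 1_500),  # fully inside the period: 1_500 s count
        ("carol", 1_001_000, 4_000),  # already past a 3_600 s daily allowance
    ]
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def used_seconds(conn: sqlite3.Connection, username: str, period_start: int) -> int:
    """Session time consumed since period_start.

    A session that started before the period contributes only the part after
    the boundary; sqlite's scalar MAX() stands in for MySQL's GREATEST() in
    the query the rlm_sqlcounter documentation shows.
    """
    row = conn.execute(
        """
        SELECT COALESCE(SUM(AcctSessionTime - MAX(? - AcctStartTime, 0)), 0)
          FROM radacct
         WHERE UserName = ?
           AND AcctStartTime + AcctSessionTime > ?
        """,
        (period_start, username, period_start),
    ).fetchone()
    return int(row[0])


def check_time_limit(conn: sqlite3.Connection, username: str, limit: int,
                     period_start: int) -> tuple:
    """Return ("reject", 0) or ("accept", remaining).

    The remaining seconds are what sqlcounter would add to the reply as
    Session-Timeout so the NAS drops the session when the allowance runs out.
    """
    used = used_seconds(conn, username, period_start)
    if used >= limit:
        return "reject", 0
    return "accept", limit - used


if __name__ == "__main__":
    db = make_sample_db()
    for user in ("alice", "bob", "carol"):
        print(user, check_time_limit(db, user, 3_600, 1_000_000))
```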


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-24 Thread Gary McKinney
Arnauld,

It almost looks like something in the supplicant is not configured properly
to use the certificate sent from the server during the handshake phase... I
have attached a copy of some of my notes (written to myself so some of the
meaning in the notes may not be exactly correct - but heck - they were for
me anyway [grin]) that show an EAP/TTLS session negotiation...

Take a look and compare to what you are doing to see if you can determine
where things are going off the deep end... I would suggest setting up
testing for EAP/TTLS in a simple configuration for user authorization
first - then fold in the Ldap authorization

Hope this helps

gm...

- Original Message - 
From: Arnauld Dravet [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 23, 2004 8:40 AM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)


  Have you looked at the make output from the compile to see if there are
  any error or warning messages?

 Yep, it was my fault: I have openssl 0.9.6 and 0.9.7 installed for certificate
 generation, and of course I forgot to link freeradius-cvs against 0.9.7 =) Works
 much better now, at least radiusd is launching.

 But I still have a prob during TLS init (I'm trying to set up a TTLS connection):

 The client (Aegis - WinXP) is configured in TTLS Auth + MS-CHAP-V2 tunneled
 protocol. Seems like I got a problem with certificates, but I don't understand
 why since I'm not supposed to have one on the client-side ..

 Here is the output, sorry if a bit long:



 rad_recv: Access-Request packet from host 192.168.6.3:1794, id=79,
length=242
 NAS-IP-Address = 192.168.6.3
 NAS-Port-Type = Wireless-802.11
 NAS-Port = 5
 Framed-MTU = 1400
 User-Name = arnauld.dravet
 Calling-Station-Id = 00904b625711
 Called-Station-Id = 000d54fc1807
 NAS-Identifier = EPSI AP1
 State = 0xfdd7e79f9bbab3286563325da5e5199a
 EAP-Message =

0x0203006a15800060160301005b0157030140d9772aeddf802406fe3f32167240a3
35e4

99126e92bb2f0423691ebb49fad93000390038003500160013000a00330032002f006600
0500
 040065006400630062006000150012000900140011000800030100
 Message-Authenticator = 0xfdb7fe56ea406a82a82906e64a1951a2
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 2
   modcall[authorize]: module preprocess returns ok for request 2
   modcall[authorize]: module chap returns noop for request 2
   modcall[authorize]: module mschap returns noop for request 2
 rlm_realm: No '@' in User-Name = arnauld.dravet, looking up realm
NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 2
   rlm_eap: EAP packet type response id 3 length 106
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 2
   modcall[authorize]: module files returns notfound for request 2
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for arnauld.dravet
 radius_xlat:  '((objectclass=posixAccount)(uid=arnauld.dravet))'
 radius_xlat:  'ou=Users,dc=mtp,dc=epsi,dc=fr'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter
 ((objectclass=posixAccount)(uid=arnauld.dravet))
 rlm_ldap: Added password {CRYPT}$16x5hPKP/.1c in check items
 rlm_ldap: looking for check items in directory...
 rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX  op=21
 rlm_ldap: Adding ntPassword as NT-Password, value
 EFAC11B52777F8D7A34BDC1A0F89228D  op=21
 rlm_ldap: Adding lmPassword as LM-Password, value
 136BE46417241D68AAD3B435B51404EE  op=21
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user arnauld.dravet authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 2
 modcall: group authorize returns updated for request 2
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 2
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/ttls
   rlm_eap: processing type ttls
   rlm_eap_ttls: Authenticate
   rlm_eap_tls: processing TLS
 rlm_eap_tls:  Length Included
   eaptls_verify returned 11
 (other): before/accept initialization
 TLS_accept: before/accept initialization
 TLS_accept: SSLv3 read client hello A
 TLS_accept: SSLv3 write server hello A
 TLS_accept: SSLv3 write certificate A
 TLS_accept: SSLv3 write key exchange A
 TLS_accept: SSLv3 write server done A
 TLS_accept: SSLv3 flush data
 TLS_accept:error in SSLv3 read client certificate A
 In SSL Handshake Phase
 In SSL Accept mode
   eaptls_process returned 13
   modcall[authenticate]: module eap returns handled for request 2
 modcall: group authenticate returns handled for request 
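The debug output quoted above prints, in clear, the check items rlm_ldap pulled for the user (the {CRYPT} hash and the NT-Password and LM-Password values) next to the TLS handshake trace. As an added example, not from the thread or from FreeRADIUS, the following Python masks those values before a `radiusd -X` log is shared and extracts the module results and TLS_accept states so the redacted log still shows where the handshake stopped; the sample log lines and hash values are constructed.

```python
"""Redact and summarize FreeRADIUS ``radiusd -X`` debug output.

Added example for this thread, not code from FreeRADIUS or the posters.
A debug log like the one above prints the user's password check items
(a {CRYPT} hash, NT-Password, LM-Password) and per-request secrets
(State, Message-Authenticator) in clear.  redact_line() masks the values
but keeps the attribute names, so the trace stays readable for helpers.
"""
import re

# Attributes whose values are password material or per-request secrets.
SENSITIVE_ATTRS = frozenset({
    "User-Password", "CHAP-Password", "Cleartext-Password", "Crypt-Password",
    "NT-Password", "LM-Password", "MS-CHAP-Challenge", "MS-CHAP-Response",
    "MS-CHAP2-Response", "State", "Message-Authenticator",
})
MASK = "<redacted>"

# rlm_ldap: Added password {CRYPT}... in check items
_LDAP_PASSWORD = re.compile(r"Added password (?P<val>\S+) in check items")
# rlm_ldap: Adding ntPassword as NT-Password, value <hex>  op=21
_LDAP_ADDING = re.compile(r"Adding \S+ as (?P<attr>[\w-]+), value (?P<val>\S+)")
# decoded packet attribute lines, e.g. "\tState = 0x..."
_PACKET_ATTR = re.compile(r"^\s*(?P<attr>[\w-]+) = (?P<val>.+)$")
# modcall[authorize]: module ldap returns ok for request 2
_MODCALL = re.compile(r"modcall\[(?P<section>\w+)\]: module (?P<module>\S+) "
                      r"returns (?P<rcode>\w+) for request (?P<req>\d+)")
# TLS_accept: SSLv3 write certificate A   /   TLS_accept:error in <state>
_TLS = re.compile(r"TLS_accept:\s*(?P<err>error in )?(?P<state>\S.*?)\s*$")


def _mask(line, m):
    """Replace the 'val' group of match m with MASK, keep the rest."""
    return line[:m.start("val")] + MASK + line[m.end("val"):]


def redact_line(line):
    """Return the debug line with any secret value masked."""
    m = _LDAP_PASSWORD.search(line)
    if m:
        return _mask(line, m)
    m = _LDAP_ADDING.search(line)
    if m and m.group("attr") in SENSITIVE_ATTRS:
        return _mask(line, m)
    m = _PACKET_ATTR.match(line)
    if m and m.group("attr") in SENSITIVE_ATTRS:
        return _mask(line, m)
    return line


def redact_log(lines):
    """Redact a whole debug log given as a list of lines."""
    return [redact_line(line) for line in lines]


def module_results(lines):
    """(section, module, rcode, request) for each modcall result line."""
    return [m.group("section", "module", "rcode", "req")
            for m in map(_MODCALL.search, lines) if m]


def tls_states(lines):
    """Sequence of TLS_accept states, and the state OpenSSL errored in."""
    states, failed = [], None
    for m in map(_TLS.search, lines):
        if m:
            states.append(m.group("state"))
            if m.group("err"):
                failed = m.group("state")
    return states, failed


# Constructed sample modelled on the log above; hashes are placeholders.
SAMPLE_LOG = [
    "rad_recv: Access-Request packet from host 192.0.2.3:1794, id=79, length=242",
    "\tUser-Name = example.user",
    "\tState = 0x00112233445566778899aabbccddeeff",
    "\tMessage-Authenticator = 0xffeeddccbbaa99887766554433221100",
    "  modcall[authorize]: module chap returns noop for request 2",
    "rlm_ldap: Added password {CRYPT}$1$PLACEHOLDER in check items",
    "rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX  op=21",
    "rlm_ldap: Adding ntPassword as NT-Password, value 0123456789ABCDEF0123456789ABCDEF  op=21",
    "rlm_ldap: Adding lmPassword as LM-Password, value FEDCBA9876543210FEDCBA9876543210  op=21",
    "  modcall[authorize]: module ldap returns ok for request 2",
    "TLS_accept: before/accept initialization",
    "TLS_accept: SSLv3 read client hello A",
    "TLS_accept: SSLv3 write server hello A",
    "TLS_accept: SSLv3 write certificate A",
    "TLS_accept: SSLv3 write key exchange A",
    "TLS_accept: SSLv3 write server done A",
    "TLS_accept: SSLv3 flush data",
    "TLS_accept:error in SSLv3 read client certificate A",
    "  eaptls_process returned 13",
]

if __name__ == "__main__":
    print("\n".join(redact_log(SAMPLE_LOG)))
    print(module_results(SAMPLE_LOG))
    print(tls_states(SAMPLE_LOG))
```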

Re: freeradius Web Frontend

2004-06-24 Thread Gary McKinney
Wrong color [GRIN]...

Actually - I am adding things that are not in dialup_admin, such as
suspension of users, billing and integrating with email services for the
billing and setting up user email accounts - the simple stuff...

gm...

- Original Message - 
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 23, 2004 8:19 AM
Subject: Re: freeradius Web Frontend


 On Wed, 23 Jun 2004, Milver S. Nisay wrote:

   Maqbool Hashim wrote:
   Are there any web frontends for Freeradius?  There is a link to Chris
   Shenton's frontend, but there is not documentation for it as it was
   written for an internal project.  Has anyone used his frontend with
   success?  Or even found any other web frontends for freeradius?
 
  I will come up with a working, simple web-based interface for managing
  users under freeradius+mysql and have it released for free soon! And I
  will probably include you as beta testers, hopefully. :)
  I have it working now, but customized for my own use so far. I'm working
  on it, just need more time though.
 
  for now, you can try dialup admin or phpadmin.

 What does dialupadmin do wrong? I've seen quite a lot of people
 developing their own 'simple' interface.
 Could one of them give me a good reason for that?

  //milver
 
 
 
  -
  List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
 

 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone: +30 210 7721861
 'Go back to the shadow' Gandalf

 ---
 [This E-mail scanned for viruses by Declude Ant-Virus Scanner]





Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-23 Thread Gary McKinney
Hi Arnauld,

Have you looked at the make output from the compile to see if there are
any error or warning messages?  It sounds like either there is an error in
the latest CVS stopping the compilation of modules (most likely not) or
something the compilation requires is missing - from the sounds of it I
am wondering if the OpenSSL version is the correct version - you do have
the latest (greater than 0.9.7) of OpenSSL installed??? (I don't install
a binary but instead download the source and compile on my machine -
seems some of the binaries out there don't install all of the pieces needed
to compile parts of freeradius (header files, libs, etc.).)

I would first look at the messages thrown out by the make command and
the configure command to see if something flags a problem...

Just some thoughts...

gm..

- Original Message - 
From: Arnauld Dravet [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 23, 2004 6:18 AM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)


I really can't get CVS to work. It compiles fine, but I tried several CVS
versions and I got that at startup:

Module: Instantiated unix (unix)
radiusd.conf[9] Failed to link to module 'rlm_eap': file not found
[EMAIL PROTECTED]:/usr/local/freeradius-cvs#

I don't know if I can use the rlm_eap module from the non-cvs version.


-- 
Arnauld Dravet





Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-23 Thread Gary McKinney
Mack,

TTLS is not in the 0.9.3 version - you have to use the 1.0.0-pre version to
get TTLS support.

The nice thing about TTLS is the fact the client security certificate is
optional! Makes it much easier to deploy if you have a good number of clients
or you don't have access to the wireless devices to install said certificates.

Glad to see you are gaining some insight into the wonderful world of
hi-security wireless access [grin].  It is rather complicated but MUCH better
protecting the content of the link vs WEP...

gm...

- Original Message - 
From: Mack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 22, 2004 3:53 PM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)


 Gary & Alan,

 Thanks guys.  Sorry for being so stupid about all of this, but thanks to
 ya'll and the reading that I've done in this short period of time, I have
 learned a great deal about how this stuff works.

 When using TTLS or PEAP, it seems that I'll still need EAP-TLS...but just
 on the server-side, not the client (am I right?).  I think that TTLS will
 be a better fit as it seems to support more methods, and PEAP seems to be
 strictly a MS thing.  I actually got the PEAP working now, though, thanks
 to your direction.

 I'll look into demoing third party clients.  Know of any free ones,
 though?

 It looks like maybe the 0.9.3 version of freeradius does not support TTLS.
 Is this correct?  If so, does the CVS version include support?  Sorry if
 this, too, is documented somewhere, but I just thought I'd ask while I was
 here.

 Thanks for the help!

 mack



 On 22 Jun 2004 at 12:37, Gary McKinney wrote:

  Mack,
 
  Take a look at the following URL:
 
  http://3w.denobula.com:5/EAPTLS.pdf
 
  It may be a little dated but all of the info is still relevant... one
  thing to take notice of is there is NO user password exchanged as
  EAP/TLS does not use a user's password for authentication - that chore
  is handled by the fact the supplicant contains a VALID user
  certificate the server recognizes.
 
  I think the above is what Alan is trying to convey to you - you can
  not use EAP/TLS and LDAP together as there is NO user password
  exchanged between the supplicant and Freeradius (or any other radius
  server) in that mode.  If you are looking to use LDAP and a very
  secure method for the link between the client and the AP you will have
  to use a different method (PEAP or EAP/TTLS come to mind)...
 
  You may want to check out other supplicant software (if you are
  thinking of using the EAP/TTLS method you may want to check out the
  Odyssey Supplicant software from Funk Software (they are the ones who
  came up with TTLS and are working on an RFC to that effect)).
 
  I may not have stated all of the above totally correctly but you
  should get the basic meaning [grin]...
 
  There are several RFC's that come with the freeradius package - I
  would strongly suggest reading them as they are the basis for all the
  different protocols and authentication methods Alan and company have
  based the Freeradius software against ( I think )
 
  I hope the above information is helpful and taken in the manner in
  which it was meant (to be informative and helpful)...
 
  gm...
 
 
  -- Original Message --
  From: Mack [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  Date:  Tue, 22 Jun 2004 12:02:33 -0400
 
  Alan,
  
  At your request, I'll try to reformat this so that it is presented as
  a problem/challenge rather than a why doesn't my solution work
  post:
  
  Problem:
  My AP is a 3com 7250.  It requires that you enable 802.1x on itself,
  the client, and the radius server if you want to use the radius
  server as the authentication server.  My understanding is that
  802.1x requires EAP-something.  I chose EAP-TLS because my client is
  stock XP and my understanding is that EAP-TLS is my only option with
  that client.
  
  My boss asked me if it was possible to authenticate our wireless
  users against Novell's eDirectory (LDAP).  He did not specifically
  require 802.1x/EAP-anything.  The only reason I'm using 802.1x/EAP is
  because the AP requires it.
  
  I have successfully implemented EAP-TLS authentication between the
  client, AP, and freeradius.  Now I am attempting to add LDAP
  authentication, but have not been successful.
  
  I can provide any configs/logs if needed.
  
  Solution:
  None so far.  Anyone have any suggestions/comments?  What would ya'll
  do in my position?
  
  thanks,
  mack
  
  
  
  On 21 Jun 2004 at 23:52, Alan DeKok wrote:
  
   Mack [EMAIL PROTECTED] wrote:
My AP requires that I enable 802.1x in order to use RADIUS
authentication.  So, I figured I'd use EAP-TLS.
  
  Are you picking it at random, or are you looking at the features it
  offers, and using your requirements to decide on a solution?
  
 I'm just testing now...using an XP client, so I chose to use
EAP-TLS.  I want to use LDAP

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Gary McKinney
Mack,

Take a look at the following URL:

http://3w.denobula.com:5/EAPTLS.pdf

It may be a little dated but all of the info is still relevant... one thing to
take notice of is there is NO user password exchanged as EAP/TLS does not use a
user's password for authentication - that chore is handled by the fact the
supplicant contains a VALID user certificate the server recognizes.

I think the above is what Alan is trying to convey to you - you can not use
EAP/TLS and LDAP together as there is NO user password exchanged between the
supplicant and Freeradius (or any other radius server) in that mode.  If you
are looking to use LDAP and a very secure method for the link between the
client and the AP you will have to use a different method (PEAP or EAP/TTLS
come to mind)...

You may want to check out other supplicant software (if you are thinking of
using the EAP/TTLS method you may want to check out the Odyssey Supplicant
software from Funk Software (they are the ones who came up with TTLS and are
working on an RFC to that effect)).

I may not have stated all of the above totally correctly but you should get
the basic meaning [grin]...

There are several RFCs that come with the freeradius package - I would
strongly suggest reading them as they are the basis for all the different
protocols and authentication methods Alan and company have based the
Freeradius software against (I think).

I hope the above information is helpful and taken in the manner in which it
was meant (to be informative and helpful)...

gm...


-- Original Message --
From: Mack [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 22 Jun 2004 12:02:33 -0400

Alan,

At your request, I'll try to reformat this so that it is presented as a
problem/challenge rather than a "why doesn't my solution work" post:

Problem:
My AP is a 3com 7250.  It requires that you enable 802.1x on itself, the
client, and the radius server if you want to use the radius server as the
authentication server.  My understanding is that 802.1x requires
EAP-something.  I chose EAP-TLS because my client is stock XP and my
understanding is that EAP-TLS is my only option with that client.

My boss asked me if it was possible to authenticate our wireless users against
Novell's eDirectory (LDAP).  He did not specifically require
802.1x/EAP-anything.  The only reason I'm using 802.1x/EAP is because the AP
requires it.

I have successfully implemented EAP-TLS authentication between the client, AP,
and freeradius.  Now I am attempting to add LDAP authentication, but have not
been successful.

I can provide any configs/logs if needed.

Solution:
None so far.  Anyone have any suggestions/comments?  What would ya'll do in my
position?

thanks,
mack



On 21 Jun 2004 at 23:52, Alan DeKok wrote:

 Mack [EMAIL PROTECTED] wrote:
  My AP requires that I enable 802.1x in order to use RADIUS
  authentication.  So, I figured I'd use EAP-TLS.
 
   Are you picking it at random, or are you looking at the features it
 offers, and using your requirements to decide on a solution?
 
   I'm just testing now...using an XP client, so I chose to use
  EAP-TLS.  I want to use LDAP because that's where our userbase is
  stored (Novell eDirectory).  The idea is to authenticate users via
  LDAP.
 
   I thought I had been pretty clear in my response: EAP-TLS and LDAP
 are mutually incompatible.  Stop trying to get them to work together.
 
   I'm only using EAP-TLS because the AP won't let me use RADIUS
  otherwise.  Of course, I'm such a newbie that I'm probably getting
  it all wrong.  That's where I was hoping the list would help.
 
   You should ask about how to solve a problem, rather than asking why
 the solution you chose didn't work.
 
  If you were given my task, how would you go about implementing this?
 
   I told you.  Go back and read my message.
 
   If you could describe a problem, I might be able to come up with an
 alternate solution.
 
   Alan DeKok.
 
 
 
 -- 
 This message has been scanned for viruses and
 dangerous content by the CSU Email Gateway, and is
 believed to be clean.
 



Sent via the KillerWebMail system at mail.brev.org


 
   



Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-21 Thread Gary McKinney
Mack,

I was not trying to blow you off by making the statement of reading the
archives... I am still, what I consider, a newbie as well...

The statement about a lot of discussion on the subject you are requesting is
true so I thought you would be better served checking over those discussions!

As for documentation - have you read the rlm-eap and rlm-ldap documentation
in the docs directory of the installation package? At least the version
1.0.0-pre1 and later source code has information on what you are looking for
in terms of using eap/tls and ldap together (in the rlm-eap docs).

If you can use the pre-release code I would suggest doing so - while 0.9.3
is stable I have found the pre-release code does more [ymmv]...

gm..

- Original Message - 
From: Mack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, June 20, 2004 10:30 PM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)


 Gary,

 I had scanned them prior to posting, but there seem to be no solutions to
 all of the problems people have with this configuration.  My impression is
 that most of the gurus on the list are assuming WAY too much of some of us
 newbies.  They keep coming back with the same replies, like read the faqs,
 readme, rfc, etc., etc.  But, that begs the question:  If that's going to
 be the reply each time, then why even bother with the list in the first
 place?  Oh, well.  I am definitely taking a more in-depth look at the
 archives, though, as you've suggested.  If nothing else, maybe that will
 help me form better questions.  Thanks for the help!

 mack

 On 19 Jun 2004 at 6:34, Gary McKinney wrote:

  Mack,
 
  Check the email archives over the last three months - there is a great
  deal of information on using EAP/TLS and how to use LDAP with
  freeradius (including example snippets).
 
  gm...
  - Original Message - 
  From: Mack [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Friday, June 18, 2004 11:52 PM
  Subject: radius, 802.1x, eap/tls, and edirectory (ldap)
 
 
   Hi,
  
   I'm a newbie to all of this, so please bear with me.  This list is all
   I've got!

   We are introducing a wireless infrastructure on our campus (a little
   late in the game).
   Right now we're in testing phase.  In this testing phase, we are using
   several 3com 7250 AP's, some 3com cards capable of 802.1x, and Novell
   eDirectory (LDAP).  My requirement is to enable 802.1x authentication
   to the AP's using EAP/TLS. Additionally, I need to be able to
   authenticate the users to Novell via LDAP.  All via the FreeRADIUS
   server.

   I have configured freeradius version 0.9.3 to work successfully with
   only ldap authentication against Novell eDirectory.  I have also
   verified that 802.1x authentication is working with the AP. However, if
   I attempt to somehow enable both authentication mechanisms, I fail.  The
   logs keep passing the EAP username (common name from cert) to ldap and
   of course ldap spits it out because the object does not exist.

   Again, I'm new to this, and maybe I have made incorrect assumptions of
   what the end result should be.  Maybe this isn't even possible, but
   here's what I had hoped to come away with:  the wireless user boots
   their laptop, then gets authenticated via eap/tls.  They then open a
   browser, and are asked for username and password (via dialog box?), or
   either redirected to a login page.  The username and password are then
   passed to ldap for authentication.  Successful authentication results
   in the client being given internet access.  Is this possible?  Or, am I
   totally misunderstanding how this is all supposed to work (very
   likely)?

   I must admit, I'm not very comfortable when working with the config
   files.  Not too sure what I'm doing in there.  I tackled this whole
   project somewhat blindly, with the help of various bits of info I
   gathered from google searches.  I do need to obtain a good book on this
   stuff...that's obvious...but I am hoping that someone on this list has
   experience with getting freeradius to work with eap/tls and novell ldap
   authentication and is willing to share that experience and wisdom.

   (Embarrassed) Sorry again for the newbie-ness of this post, and thanks
   in advance for any help!

   mack
  

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-21 Thread Gary McKinney
Hi Mack,

As for the looping problem - one question - do you have a wireless network
card manager running in the background on the laptop ( I don't mean the nic
driver) along with the supplicant???

I have EAP/TTLS running at home and ran into a looping problem that sounds
the same (authenticated but kept on re-authenticating)... I am running the
Odyssey Supplicant on a Windows 2000 machine and there was a Linksys NIC
Manager program running at the same time the supplicant was running.  The
NIC manager was causing the supplicant to disconnect from the nic thereby
causing the supplicant to re-authenticate continuously! (duh!).  Turning off
the NIC manager software fixed the problem.

As for YMMV, it means Your Mileage May Vary [grin]...

gm...

- Original Message - 
From: Mack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 21, 2004 8:21 PM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)


 Gary,

 No, no, not you.  I didn't mean you...sorry.  You've been helpful...more
 so, you've shown a willingness to help.  Thanks for that.

 I followed your suggestion about looking deeper into the list archives,
 and have progressed a bit further (I think).  I stumbled upon PEAP, and
 configured my client to use mschapv2, thus answering the question of how
 to send LDAP username & password to radius.  This is all with EAP-TLS
 working (as far as I can tell).  However, there's one catch...

 While running radiusd in debug mode, watching the output while the client
 authenticates (sends username & password), it seems to get caught in a
 loop...same output over & over again, and the client never gets totally
 authenticated.  The output appears to indicate that the ldap auth and eap
 auth were both successful, but this is where it keeps looping...over and
 over again, keeps saying both were successful.  Unless I'm just
 misinterpreting the output (that's VERY likely).  I've attached some of
 the output to this email (hope that's ok...seemed too big to include in
 the body of the message).

 I am using a gentoo ebuild of freeradius now, but will look into the
 1.0.0-pre1 version.  I did notice that many of the posts assumed the users
 were on a 1.0.0-pre1 build.  If nothing else, I can at least read thru the
 different docs included in that build, as you've suggested.

 Ready for a really dumb question?  What does ymmv mean?  I've often seen
 it on lists/boards, but have never seen a translation.

 Thanks for the help,
 mack

 On 21 Jun 2004 at 6:10, Gary McKinney wrote:

  Mack,
 
  I was not trying to blow you off by making the statement of reading
  the archives... I am still, what I consider, a newbie as well...
 
  The statement about a lot of discussion on the subject you are
  requesting is true so I thought you would be better served checking
  over those discussions!
 
  As for documentation - have you read the rlm-eap and rlm-ldap
  documentation in the docs directory of the installation package (at
  least the version 1.0.0-pre1 and later source code) has information on
  what you are looking for in terms of using eap/tls and ldap together
  (in the rlm-eap docs).
 
  If you can use the pre-release code I would suggest doing so - while
  0.9.3 is stable I have found the pre-release code does more [ymmv]...
 
  gm..
 
  - Original Message - 
  From: Mack [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Sunday, June 20, 2004 10:30 PM
  Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)
 
 
   Gary,
  
   I had scanned them prior to posting, but there seem to be no solutions
   to all of the problems people have with this configuration.  My
   impression is that most of the gurus on the list are assuming WAY too
   much of some of us newbies.  They keep coming back with the same
   replies, like read the faqs, readme, rfc, etc., etc.  But, that begs the
   question:  If that's going to be the reply each time, then why even
   bother with the list in the first place?  Oh, well.  I am definitely
   taking a more in-depth look at the archives, though, as you've
   suggested.  If nothing else, maybe that will help me form better
   questions.  Thanks for the help!
  
   mack
  
   On 19 Jun 2004 at 6:34, Gary McKinney wrote:
  
Mack,
   
Check the email archives over the last three months - there is a
great deal of information on using EAP/TLS and how to use LDAP
with freeradius (including example snippets).
   
gm...
- Original Message - 
From: Mack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 18, 2004 11:52 PM
Subject: radius, 802.1x, eap/tls, and edirectory (ldap)
   
   
 Hi,

 I'm a newbie to all of this, so please bear with me.  This list is all
 I've got!

 We are introducing a wireless infrastructure on our campus (a little
 late in the game).
 Right now we're in testing phase.  In this testing phase, we are using
 several 3com

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-19 Thread Gary McKinney
Mack,

Check the email archives over the last three months - there is a great deal
of information on using EAP/TLS and how to use LDAP with freeradius
(including example snippets).

gm...
- Original Message - 
From: Mack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 18, 2004 11:52 PM
Subject: radius, 802.1x, eap/tls, and edirectory (ldap)


 Hi,

 I'm a newbie to all of this, so please bear with me.  This list is all
 I've got!

 We are introducing a wireless infrastructure on our campus (a little late
 in the game).
 Right now we're in testing phase.  In this testing phase, we are using
 several 3com 7250 AP's, some 3com cards capable of 802.1x, and Novell
 eDirectory (LDAP).  My requirement is to enable 802.1x authentication to
 the AP's using EAP/TLS.  Additionally, I need to be able to authenticate
 the users to Novell via LDAP.  All via the FreeRADIUS server.

 I have configured freeradius version 0.9.3 to work successfully with only
 ldap authentication against Novell eDirectory.  I have also verified that
 802.1x authentication is working with the AP. However, if I attempt to
 somehow enable both authentication mechanisms, I fail.  The logs keep
 passing the EAP username (common name from cert) to ldap and of course
 ldap spits it out because the object does not exist.

 Again, I'm new to this, and maybe I have made incorrect assumptions of
 what the end result should be.  Maybe this isn't even possible, but here's
 what I had hoped to come away with:  the wireless user boots their laptop,
 then gets authenticated via eap/tls.  They then open a browser, and are
 asked for username and password (via dialog box?), or either redirected to
 a login page.  The username and password are then passed to ldap for
 authentication.  Successful authentication results in the client being
 given internet access.  Is this possible?  Or, am I totally
 misunderstanding how this is all supposed to work (very likely)?

 I must admit, I'm not very comfortable when working with the config files.
 Not too sure what I'm doing in there.  I tackled this whole project
 somewhat blindly, with the help of various bits of info I gathered from
 google searches.  I do need to obtain a good book on this
 stuff...that's obvious...but I am hoping that someone on this list has
 experience with getting freeradius to work with eap/tls and novell ldap
 authentication and is willing to share that experience and wisdom.

 (Embarrassed) Sorry again for the newbie-ness of this post, and thanks in
 advance for any help!

 mack



Re: Accounting question for EAP-TTLS for Pre 2

2004-06-15 Thread Gary McKinney
A followup for all...

I have been looking for an inexpensive WAP (Wireless Access Point) or WRT
(Wireless Router) that sends the Radius Accounting information to the Radius
Server - to date I have NOT found any of the inexpensive WAP or WRT devices
which send the accounting information to the Radius Server...

If anyone knows of such a critter I would be very interested as I have several
applications that can use the accounting information!

I suspect if we all start asking for such functionality the vendors might
start putting the feature in the NAS devices.  Just a thought (I bug them once
a week myself!)
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Alan DeKok [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 15 Jun 2004 09:30:00 -0400

Michael Ding [EMAIL PROTECTED] wrote:
 I have been playing with FreeRadius for a few weeks in the following
 environment:
 Funk Software Odyssey Client + Belkin wireless router + FreeRadius 1.0.0
 Pre2. Finally, I got the system working last night, but I found out a
 problem with the accounting file. I turned on detail, auth_detail and
 reply_detail files. But only auth_detail & reply_detail are generated when
 EAP-TTLS is used. When I used radtest with CHAP, I found all 3 files are
 generated.

  No, you didn't.  The detail module logs only accounting requests,
and when you send a CHAP authentication request using radtest, it
doesn't send an accounting request.

 Is this the desired behavior for EAP-TTLS? If so, how do I generate billing
 info for my wireless usage?

  See the FAQ.  Your NAS has to send accounting information for the
server to be able to log it.

  Alan DeKok.
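
Alan's point is that the detail module can only record what the NAS actually sends as accounting. As an added example, not from the thread or from FreeRADIUS, the following Python totals session time and octets per user from the Stop records in such a detail file and lists sessions that have a Start but no Stop; it assumes the detail-file layout (a timestamp line, tab-indented `Attribute = value` lines, a blank line closing each record) and works on a constructed sample.

```python
"""Per-user usage from a FreeRADIUS accounting ``detail`` file.

Added example for this thread; not FreeRADIUS code.  The detail module
only writes what the NAS sends as Accounting-Requests, so this works from
that file and nothing else.  Assumed layout (an assumption, not stated in
the thread): a timestamp header line, tab-indented ``Attribute = value``
lines, and a blank line closing each record.
"""
from collections import defaultdict
from dataclasses import dataclass


def parse_detail(text):
    """Yield one {attribute: value} dict per record in a detail file."""
    record = {}
    for raw in text.splitlines():
        if not raw.strip():                 # blank line closes the record
            if record:
                yield record
            record = {}
        elif raw[0] in " \t":               # indented: attribute line
            name, sep, value = raw.strip().partition(" = ")
            if sep:
                record[name] = value.strip('"')
        else:                               # unindented: record timestamp
            record = {"_timestamp": raw.strip()}
    if record:
        yield record


def _octets(rec, direction):
    """Acct-{In,Out}put-Octets plus the Gigawords wraparound counter."""
    low = int(rec.get(f"Acct-{direction}-Octets", 0))
    high = int(rec.get(f"Acct-{direction}-Gigawords", 0))
    return (high << 32) + low


@dataclass
class Usage:
    sessions: int = 0
    seconds: int = 0
    octets_in: int = 0
    octets_out: int = 0


def summarize(text):
    """Return ({user: Usage} built from Stop records,
               sorted session ids that have a Start but no Stop)."""
    usage = defaultdict(Usage)
    open_sessions = {}
    for rec in parse_detail(text):
        sid = rec.get("Acct-Session-Id")
        user = rec.get("User-Name", "<unknown>")
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            open_sessions[sid] = user
        elif status == "Stop":              # Interim-Update is ignored here
            open_sessions.pop(sid, None)
            u = usage[user]
            u.sessions += 1
            u.seconds += int(rec.get("Acct-Session-Time", 0))
            u.octets_in += _octets(rec, "Input")
            u.octets_out += _octets(rec, "Output")
    return dict(usage), sorted(open_sessions)


# Constructed sample detail file: alice has a complete session, bob's
# Start has no matching Stop, so his session is still open.
SAMPLE_DETAIL = "\n".join([
    "Tue Jun 15 09:30:00 2004",
    '\tUser-Name = "alice"',
    "\tAcct-Status-Type = Start",
    '\tAcct-Session-Id = "0000000a"',
    "\tNAS-IP-Address = 192.0.2.3",
    "",
    "Tue Jun 15 10:30:00 2004",
    '\tUser-Name = "alice"',
    "\tAcct-Status-Type = Stop",
    '\tAcct-Session-Id = "0000000a"',
    "\tAcct-Session-Time = 3600",
    "\tAcct-Input-Octets = 1048576",
    "\tAcct-Output-Octets = 4194304",
    "\tAcct-Output-Gigawords = 1",
    "\tAcct-Terminate-Cause = User-Request",
    "",
    "Tue Jun 15 10:45:00 2004",
    '\tUser-Name = "bob"',
    "\tAcct-Status-Type = Start",
    '\tAcct-Session-Id = "0000000b"',
    "",
])

if __name__ == "__main__":
    totals, still_open = summarize(SAMPLE_DETAIL)
    for user, u in sorted(totals.items()):
        print(f"{user}: {u.sessions} session(s), {u.seconds}s, "
              f"{u.octets_in + u.octets_out} octets")
    print("sessions with Start but no Stop:", still_open)
```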




Re: Rate limit radius requests

2004-06-15 Thread Gary McKinney
Now I am curious...

From following this thread I am wondering how many transactions a second a DB 
can successfully perform before the system starts to lose information???

I am wondering for a given platform and OS (such as linux or FreeBSD running on a 
2.0Ghz based system with 1-Gig of RAM and fast SCSI hard-drive subsystem) how many 
transactions can the FreeRadius system handle in a second???

It seems to me you need to establish a baseline for what would be considered too 
many requests in order to figure out what would need to be done to allow the system 
to handle hi-peak loads...

Just wondering here... 
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Matthew Schumacher [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 15 Jun 2004 12:38:35 -0800

Alan DeKok wrote:
I know how to feed the detail file back to the server with the radrelay 
util, but wouldn't that require me to run two radius servers?
 
 
   I don't see why.  You should be able to do both.
 
   Log to the DB, unless the rate is too high.  If it's too high, log
 to a detail file, and rely on an external program to feed the
 requests back in, when the rate drops.
 
 

Where in the config would I put this logic?  How could I tell radius 
where to log based on load?

   That helps, too.  Machines are cheap.
 

Machines are cheap, and I'm getting ready to do a pretty fair upgrade on 
the database server, but I'm looking for a solution that won't drop 
accounting messages on the floor regardless of the load.

 
   A related fix would be to change src/main/threads.c, so that if an
 Accounting-Request has been sitting in the queue for more than 5
 seconds, it's discarded and *not* processed.  That should help, as the
 NAS will be re-sending the packet.
 

Wouldn't sending the request back to the queue if there are no DB handles 
be even better?

schu
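What Alan describes (write to the database while it keeps up, spill to a detail file when it does not, and feed the file back in later) is the logic FreeRADIUS's detail file plus radrelay implement. The script below is an added illustration of just that spill-and-replay logic, not code from FreeRADIUS or from anyone on this thread: db_insert is a stand-in for the real accounting insert (it succeeds only while the file named by DB_UP_FLAG exists, which is the constructed way of simulating an outage), SPOOL is the detail-style spool file, and replay stops at the first failure so records are neither dropped nor reordered.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS): spill accounting
# records to a detail-style spool file when the database is unavailable,
# and replay them in order once it comes back.

SPOOL="${SPOOL:-./acct.spool}"

# Simulated database write. It succeeds only while the file named by
# DB_UP_FLAG exists (constructed outage switch); DB_LOG is the "table".
# In a real deployment this is the SQL insert.
db_insert() {
    [ -e "${DB_UP_FLAG:-/nonexistent}" ] || return 1
    printf '%s\n' "$1" >> "${DB_LOG:-./db.log}"
}

# Try the DB first; on failure append the record to the spool so that it is
# never dropped on the floor. Prints which path was taken.
log_acct() {
    record="$1"
    if db_insert "$record"; then
        echo committed
    else
        printf '%s\n' "$record" >> "$SPOOL"
        echo spooled
    fi
}

# Replay spooled records in arrival order. Stops inserting at the first
# failure and keeps that record and everything after it, so ordering is
# preserved. Prints the number of records still waiting in the spool.
replay_spool() {
    [ -f "$SPOOL" ] || { echo 0; return 0; }
    remaining="$SPOOL.tmp"
    : > "$remaining"
    failed=0
    while IFS= read -r line; do
        if [ "$failed" -eq 0 ] && db_insert "$line"; then
            :
        else
            failed=1
            printf '%s\n' "$line" >> "$remaining"
        fi
    done < "$SPOOL"
    mv "$remaining" "$SPOOL"
    wc -l < "$SPOOL" | tr -d ' '
}
```

Run replay_spool from cron or from the same external feeder Alan mentions; because it halts on the first failed insert, a database that is only intermittently reachable cannot cause later records to land ahead of earlier ones.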



Re: Help Please

2004-06-12 Thread Gary McKinney
Michael,

I don't have the Belkin hardware but I did run into the exact same thing
using Linksys hardware and the same setup you are running

It turns out the Odyssey client does not like any other wireless network
card management software running at the same time on the laptop machine...
If you have some sort of wireless network card management software (not the
wireless card driver - that is required) then disable it so the Odyssey
Client does not have any contention for the wireless network card.

It worked for me!

I have been running my home laptop this way for over 4 months without any
problems!

Gary McKinney

- Original Message - 
From: Michael Ding [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, June 12, 2004 3:10 PM
Subject: Help Please


 Hi All,

 I am new to FreeRadius, I just installed FreeRadius on RedHat. I am trying
 to set up the following env: Odyssey client from funk software on IBM laptop
 (Win 2000)+belkin wireless card (802.11g), Belkin wireless router (802.11g)
 and FreeRadius. In FreeRadius, I set it up for EAP MD5 authentication. In
 wireless router and client, I use TKIP encryption. I am able to do the
 following so far:
 1. Odyssey client initiates the request
 2. FreeRadius issues the challenge
 3. Enter password from Odyssey
 4. FreeRadius sends back access accept.
 Everything looks fine so far, but at this moment, Odyssey displays a message
 waiting for keys for a while ( maybe 10 seconds). Then the connection is
 gone.

 It seems this is not a FreeRadius issue, but I searched both funk and belkin
 website, could not find any useful info. Could anyone please help?

 Thanks in advance!

 Michael



Re: Framed-MTU concern

2004-06-09 Thread Gary McKinney
Milver,

This is not a Freeradius issue (Freeradius only sends to the NAS what is set in the 
attribute) and as such should be taken elsewhere.

Having said that...

There was a great deal of discussion around 6 years ago on the best setting for 
dialup users in relation to MTU size and dialup modem capabilities (handling 
fragmentation - retrains and retransmission of garbled packets and the like).  From 
what I remember the number 576 for the MTU setting for connections up to 56Kbit/Sec 
comes to mind as the better compromise for the different effects that can occur in dialup 
modem transmissions - best throughput for differing conditions... (Of course for 
Broadband/DSL connections this number is different.)

Of course all of this is from memory - you may want to do a Google Search for MTU 
Settings for Dialup Access or some such search criteria to see if you can find some 
of the info I remember...
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Milver S. Nisay [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 9 Jun 2004 01:52:33 +0100

hello to all.
anyone can advise the optimized value for the Framed-MTU groupreply
attribute?
does a change to this attribute have a high impact and effect on the
dialup speed over the wire for the dialup user? how about for the 56K
external modem, does it help or is this a big factor, does it help a lot?
anyone?

thanks in advance,
//milver






Re: Can't Install from directory w/ spaces

2004-06-04 Thread Gary McKinney
Slightly off topic (Freeradius that is):

Unix is User Friendly - It's just picky about its Friends!

Something an old unix guru told me once - long, long ago 
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Chris Ross [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 04 Jun 2004 14:25:35 -0400

Alan DeKok wrote:
 Chris Ross [EMAIL PROTECTED] wrote:
 
   It may be a common UNIX problem, but it's not like UNIX prevents
you from handling it.
 
 
 [EMAIL PROTECTED] aland]$ mkdir "hello there"
 [EMAIL PROTECTED] aland]$ cd hello\ there/
 [EMAIL PROTECTED] hello there]$ FOO=`pwd` 
 [EMAIL PROTECTED] hello there]$ cd .. && cd $FOO
 bash: cd: /home/aland/hello: No such file or directory
 
   Unix doesn't make it easy, either.

   That depends on your shell.  Those commands work just
fine in zsh.  In bash (or any other bourne shell) you can
cd "$FOO" to work around that problem.  I mean, you're
using an identifier.  It's just because it is legal without
quotes that no one uses them by habit.  I tend to when
shell programming, 'cause it's just safer and never
wrong.

   (*shrug*)  But, you're right, UNIX doesn't make it
easy.  Not as hard as having backslashes in directory
names, but...  :-)

   - Chris
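Chris's point about quoting, as an added shell example that is not from the thread: make_and_enter creates and enters a directory whose name contains a space using quoted expansions and the `--` argument terminator, and unquoted_breaks shows how the same name falls apart under word splitting when the variable is left unquoted, which is exactly what happened to `cd $FOO` above. Paths that split unexpectedly are a common source of wrong-file and path-confusion bugs in build and install scripts, so the quoted form is the safe default.

```shell
#!/bin/sh
# Added example (not from the thread): safe handling of directory names that
# contain whitespace, and a demonstration of why the unquoted form breaks.

# Create the directory named by $1 (spaces allowed) and print its absolute
# path from inside it. Every expansion is quoted and "--" stops a name that
# starts with "-" from being read as an option.
make_and_enter() {
    dir="$1"
    mkdir -p -- "$dir" || return 1
    ( cd -- "$dir" && pwd )
}

# Return 0 (true) if expanding $1 unquoted would split it into more than one
# word, i.e. if "cd $var" would fail the way "cd $FOO" did above.
unquoted_breaks() {
    target="$1"
    # deliberately unquoted: word splitting happens here
    set -- $target
    [ "$#" -ne 1 ]
}

# Return 0 (true) when the quoted expansion keeps the name as one word,
# which is always, regardless of embedded whitespace.
quoted_keeps() {
    target="$1"
    set -- "$target"
    [ "$#" -eq 1 ]
}
```

The sanity check a script author can apply: run the name through unquoted_breaks during development, and if it ever returns true, some `$var` in the script is missing its quotes.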



Re: Re-writes required for proxied connections - HOWTO

2004-06-02 Thread Gary McKinney
Alan,

  I am currently working on a php based front-end (so to speak) to allow 
configuration for freeradius's use of mysql database tables (modified for my 
specific use) and your response given below brought up a question I have read 
about the radcheck/radreply table entries in the mysql database (both the 
sql_realm and the man pages for users).

I read where the database layout follows the users file layout for the most part - 
the question I have (guess I am dense or just not getting it) is how would you 
setup the entries in the mysql tables to handle the Proxy-To-Realm entry you 
described below for the users file???

This example should turn on the light bulb in my head for this [grin]...

TIA
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Alan DeKok [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 02 Jun 2004 10:44:04 -0400

paul hanson [EMAIL PROTECTED] wrote:
 I have the latest 0.93 available on SuSE Professional 9.1 and need to proxy 
 in-bound requests based upon the called phone number.

  Use the Proxy-To-Realm attribute.

DEFAULT  Called-Station-Id == 5551212, Proxy-To-Realm := foo.com

  Alan DeKok.



Re: Re-writes required for proxied connections - HOWTO

2004-06-02 Thread Gary McKinney
Hi Alan,

Nothing is wrong with dialup_admin - I just want to get my feet wet working with 
php and thought it would be a good real-world project [glutton for punishment I 
suppose]...

I guess the best way for me to figure out how the radcheck works is to examine the 
sql query used by the code (freeradius) to see how the information is gathered for the 
checks...

Thanks for the response! 
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Alan DeKok [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 02 Jun 2004 12:27:47 -0400

Gary McKinney [EMAIL PROTECTED] wrote:
   I am currently working on a php based front-end (so to speak) to
 allow configuration for freeradius's use of mysql database tables

  Ok... what's wrong with dialup_admin?  It's been around for as long
as FreeRADIUS, many people use it, and it works with LDAP & multiple
SQL back-ends.

 I read where the database layout follows the users file layout for the most part - 
 the question
 I have (guess I am dense or just not getting it) is how would you setup the 
 entries in the mysql tables to handle the  Proxy-To-Realm entry you described below 
 for the users file???

  You put them in radcheck

  Alan DeKok.
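For the radcheck rows Alan points at, here is an added shell helper that prints the SQL corresponding to the users-file line `DEFAULT  Called-Station-Id == 5551212, Proxy-To-Realm := foo.com`. It is not from FreeRADIUS or from this thread: the column names UserName, Attribute, op and Value follow the FreeRADIUS MySQL schema of that era and should be checked against your own db_mysql.sql, and whether a literal DEFAULT user row is consulted at all depends on your rlm_sql settings (default_user_profile). The helper doubles single quotes so a Called-Station-Id or realm containing one cannot break out of the SQL string literal, which matters once these values come from a web front-end.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS): emit the radcheck
# rows equivalent to a users-file line of the form
#   <user>  Called-Station-Id == <csid>, Proxy-To-Realm := <realm>
# Column names are assumed from the 1.x-era FreeRADIUS MySQL schema.

# Double every single quote so the value is safe inside a '...' SQL literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Print the two INSERT statements for one proxy rule.
#   $1 user name (e.g. DEFAULT), $2 Called-Station-Id, $3 realm to proxy to
radcheck_proxy_sql() {
    u=$(sql_quote "$1")
    csid=$(sql_quote "$2")
    realm=$(sql_quote "$3")
    printf "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('%s', 'Called-Station-Id', '==', '%s');\n" "$u" "$csid"
    printf "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('%s', 'Proxy-To-Realm', ':=', '%s');\n" "$u" "$realm"
}

# Count the statements produced, useful when batching many rules.
radcheck_proxy_rows() {
    radcheck_proxy_sql "$1" "$2" "$3" | wc -l | tr -d ' '
}
```

Pipe the output into the mysql client (for example `radcheck_proxy_sql DEFAULT 5551212 foo.com | mysql radius`); the `==` on Called-Station-Id is the comparison that must match the request, and the `:=` on Proxy-To-Realm is the assignment that tells the server where to forward it, mirroring the two operators in the users-file line.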




Re: mysql failover

2004-05-30 Thread Gary McKinney
Hmmm -

The logic of the request does not really make much sense... If the FreeRadius
server is responding to the NAS but the mysql server back-end is not responding
that does not mean the radius server is broken...

I would think you could set up to authenticate through multiple mysql backend
servers to handle the event of the primary being offline or down instead of
forcing a perfectly good working radius server to act like it was down... and
if you set up a secondary freeradius server to handle the event of the primary
going down you can use the mysql servers that the first radius server points to
for authentication by the second radius server so they have a common shared
database (double redundancy).

Check the email archives - I remember someone answered how to set up multiple
sql servers to be used for user authentication in freeradius (which is what you
really want to do here)...  if the first mysql server is not responding the
second (or next in line) will perform the response instead...

gm...

- Original Message - 
From: jesk [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 30, 2004 6:38 AM
Subject: Re: mysql failover


 On Friday 28 May 2004 17:36, jesk wrote:
  hi everybody,
 
  is there a way to configure freeradius to NOT answer to a NAS if the
  mysql-backend is down, so that the nas can switch to the next secondary
  configured freeradius server with its own mysql-backend?
  i tested freeradius and shut down the mysqlserver, the request from
  the nas came in and freeradius rejected the request because of the
  closed mysqldb-handle, now the nas rejected the ppp session and didn't
  request the secondary freeradius.
  can somebody help me?
 
 
  thanks in advance,
 
  christian
 
 

 no way?



Re: eap-tls with windows2000???

2004-05-25 Thread Gary McKinney
Sure - get a supplicant (client) software package (such as Odyssey from Funk Software 
- I think it comes bundled with some of the WiFi capable cards such as the Linksys 
wireless-G card WPC54G - at least here in the US).

I use this very setup for a Win2000 laptop
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Kevin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 25 May 2004 10:25:40 -0700

Hi

Most of you use eap-tls with XP.
Is there a way to use Windows2000 for eap-tls?

Kevin





Re: rlm_eap: EAP Start not found

2004-05-24 Thread Gary McKinney
Joseph,

From the info you sent to the list it looks like the NT authentication is not 
happening...

NOTE: I don't know why it is but the EAP - Start not found shows up in the debug 
normally [grin]...

Here is the line that indicates the actual problem:

rlm_eap_leap: No User-Password or NT-Password configured for this user 


Hope this helps you  
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Joseph Silvin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Mon, 24 May 2004 19:01:36 +0530

Hi,

Currently using LEAP through Cisco AP 1200 and Cisco Client adapter (350
series)
Not able to connect.

Any suggestions are welcome.

JS

=
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.1.7:21654, id=211,
length=194
User-Name = Joseph
Framed-MTU = 1400
Called-Station-Id = 000e.d7b1.008b
Calling-Station-Id = 000f.245d.b532
Message-Authenticator = 0xbfff0cd4e770e2b66a99fb1b3fd057c0
EAP-Message =
0x02040028110100181cd0eb44b170c98d8f75735f502bed799897f9be3ceb75af46416e74686f6e79
NAS-Port-Type = Wireless-802.11
NAS-Port = 377
State =
0xa098942a08a361fac4b58e0be619329c434faf401ce42fce9ace56190b71178623755fa7
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.7
NAS-Identifier = ap
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  rlm_eap: EAP packet type notification id 4 length 40
  rlm_eap: EAP Start not found
  modcall[authorize]: module eap returns updated for request 2
rlm_realm: No '@' in User-Name = Joseph, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 2
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'o=MyOrg'
radius_xlat:  '(uid=Joseph)'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=MyOrg, with filter (uid=Joseph)
ldap_release_conn: Release Id: 0
radius_xlat:  '((uid=Joseph)(objectclass=top))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=MyLocation,O=MyOrg, with filter
((uid=Joseph)(objectclass=top))
rlm_ldap::ldap_groupcmp: User found in group OU=MyLocation,O=MyOrg
ldap_release_conn: Release Id: 0
users: Matched DEFAULT at 161
users: Matched DEFAULT at 180
  modcall[authorize]: module files returns ok for request 2
  modcall[authorize]: module mschap returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Joseph
radius_xlat:  '(uid=Joseph)'
radius_xlat:  'o=MyOrg'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=MyOrg, with filter (uid=Joseph)
rlm_ldap: checking if remote access for Joseph is allowed by
proposedaltorgunit
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user Joseph authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 2
  rlm_eap: EAP packet type notification id 4 length 40
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - leap
  rlm_eap: processing type leap
rlm_eap_leap: No User-Password or NT-Password configured for this user
  modcall[authenticate]: module eap returns invalid for request 2
modcall: group authenticate returns invalid for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.1.7:21654, id=211,
length=194
Sending Access-Reject of id 211 to 192.168.1.7:21654
EAP-Message = 0x04040004
Message-Authenticator = 0x
--- Walking the entire request list ---
Cleaning up request 0 ID 209 with timestamp 40af4f42
Cleaning up request 1 ID 210 with timestamp 40af4f42
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 211 with timestamp 40af4f43
Nothing to do.  Sleeping until we see a request.
==
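Gary's reading of this trace (ignore the EAP Start not found lines, look at the module line just before the authenticate section returns invalid) can be mechanised. The awk filter below is an added example, not part of the thread or of FreeRADIUS: fed a radiusd -X trace on stdin, it prints the line immediately preceding any modcall[authenticate] line that returns invalid, reject or fail, and exits non-zero when no such failure is present, so it can sit in a script that triages debug output. The sample trace lines in the test are constructed from the excerpt above.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS): pull the decisive
# line out of a radiusd -X debug trace. The informational
# "rlm_eap: EAP Start not found" lines are deliberately not treated as errors.

# Reads a debug trace on stdin. For every authenticate-section module result
# of invalid/reject/fail, prints the line that came just before it, which is
# where the module states its reason. Exit status 0 if at least one failure
# was found, 1 otherwise.
eap_failure_reason() {
    awk '
        /modcall\[authenticate\]: module .* returns (invalid|reject|fail) / {
            if (prev != "") { print prev; found = 1 }
        }
        { prev = $0 }
        END { exit found ? 0 : 1 }
    '
}

# Convenience wrapper: same thing for a file, plus the request number of the
# failing authenticate section so several requests in one trace can be told apart.
eap_failure_reason_file() {
    awk '
        /modcall\[authenticate\]: module .* returns (invalid|reject|fail) / {
            n = $NF
            if (prev != "") { print "request " n ": " prev; found = 1 }
        }
        { prev = $0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}
```

On the trace above this isolates `rlm_eap_leap: No User-Password or NT-Password configured for this user`, which is the line Gary pointed to; a trace that only contains the EAP Start not found noise produces no output and a non-zero exit.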



Re: Urgent Cannot Load rlm_sql_mysql!!!

2004-05-19 Thread Gary McKinney



HI Alexander,

I think if you search in the archives you will find 
you need to have the MySQL development package installed to compile the 
FreeRadius to work with the MySQL package... the MySQL binaries package does not 
have all of the pieces required to compile the rlm_sql_mysql 
module...

gm...

  - Original Message - 
  From: Alexander Khoo 
  To: [EMAIL PROTECTED] 
  Cc: [EMAIL PROTECTED] ; [EMAIL PROTECTED] 
  Sent: Wednesday, May 19, 2004 5:27 AM
  Subject: Urgent Cannot Load rlm_sql_mysql!!!
  
  Hi,
  
  I was trying to get my freeradius server to connect to the mysql server. I have 
  encountered the following error:
  
  rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
  rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the
  search path of your system's ld.
  radiusd.conf[14]: sql: Module instantiation failed.
  
  I checked the configure log and found it complains the mysql/mysql.h file is 
  missing and says it can't locate the mysql header.
  
  Appreciate somebody can help me on this
  
  
  Regards
  Alexander
  
  


RE: Urgent Cannot Load rlm_sql_mysql!!!

2004-05-19 Thread Gary McKinney
HI All...

In installing the MySQL Database software in your system for use with FreeRadius you 
need to install the MySQL application by means of the source installation (compile the 
source) - the pre-built binaries do not contain the linking information needed for 
FreeRadius to link to the mysql client in order to build the mysql_realm module so the 
module does not get built when you build the FreeRadius package. 

Hope this info helps!
 
 
Gary N. McKinney



-- Original Message --
From: Kirti S. Bajwa [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 19 May 2004 10:09:12 -0400

Hi Gary:
 
Does the source installation package (example: 4.0.18) contain the development
package?
 
Kirti

-Original Message-
From: Gary McKinney [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 6:26 AM
To: [EMAIL PROTECTED]
Subject: Re: Urgent Cannot Load rlm_sql_mysql!!!


HI Alexander,
 
I think if you search in the archives you will find you need to have the
MySQL development package installed to compile the FreeRadius to work with
the MySQL package... the MySQL binaries package does not have all of the
pieces required to compile the rlm_sql_mysql module...
 
gm...

- Original Message - 
From: Alexander Khoo [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 5:27 AM
Subject: Urgent Cannot Load rlm_sql_mysql!!!

Hi,
 
I was trying to get my freeradius server to connect to the mysql server. I have
encountered the following error:
 
rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the
search path
of your system's ld.
radiusd.conf[14]: sql: Module instantiation failed.
 
I checked the configure log and found it complains the mysql/mysql.h file is
missing and says it can't locate the mysql header.
 
Appreciate somebody can help me on this
 
 
Regards
Alexander





Re: Could not link driver rlm_sql_mysql: file not found

2004-04-30 Thread Gary McKinney
You may want to do some reading in the freeradius/doc directory - take a look 
at the rlm_sql file in particular - one thing that is mentioned is the 
driver for the sql database is really just a shim used to connect the 
freeradius server to the database through the database client application... 
if you installed the MySQL database as a binary and just installed the server 
and not the client (I am not sure how Linux handles binary packages so I do 
not know if the required header and linking files are included in binary 
packages) then you would get such an error

I have installed Freeradius multiple times (mostly for testing on different 
platforms and configurations) and always have installed the MySQL database 
software from source (most of the time there is not a binary package for the 
platform I am working with [grin]) and I have not run into a problem using 
the Freeradius server with the MySQL database

Hope this helps...

Gary McKinney


On Friday 30 April 2004 02:34 am, Linda Pagillo wrote:
 Thanks. I already read all of that and i did everything he said to do. I'm
 happy that i read that because it was the only thing that really helped me
 to get started with freeradius in general. I followed all of the directions
 and got the thing running using text file authentication, then i followed
 his directions for the Mysql part and i got the error: Could not link
 driver rlm_sql_mysql: file not found.. now i can't get past it no matter
 what i do. I have tried everything. Thanks again!

 -- Original Message --
 From: Milver S. Nisay [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date:  Fri, 30 Apr 2004 06:15:06 +0100

  Hello everyone... I'm running freeradius-0.9.3 on Linux Redhat 9. The
  freeradius program is working perfectly by itself, but when i try to use
  it with Mysql 3.23 i get the error Could not link driver rlm_sql_mysql:
  file not found. I have read suggestions all day today on how to fix
  this. I have tried all of the suggestions on the freeradius site and from
  a few other places that i found by using google.com. Nothing worked so
  lastly i went ahead and uninstalled freeradius completely and rebuilt it
  without dynamic libraries per advice on the freeradius FAQ.. this did
  not work neither. I have a question though... i do not have an actual
  file called rlm_sql_mysql, but i DO have a folder with that name and it
  has things in it such as configure. Do i need to compile what is in that
  folder to actually make the rlm_sql_mysql file? Any help would be
  appreciated. Thank you.
 
 got it from the list, you might want to read this
 http://www.frontios.com/freeradius.html
 
 just passing it on, ..
 //milver
 
 
 
 
 -
 List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
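All three of these rlm_sql_mysql threads come down to the same missing prerequisite: configure cannot find mysql/mysql.h and libmysqlclient, so the driver is never built and the server later reports "Could not link driver rlm_sql_mysql". The shell check below is an added example (not from FreeRADIUS or from these posts) that looks for those two files before you run configure. The default search directories are conventional guesses and can be overridden with the two arguments, and the messages are the constructed diagnosis it prints.

```shell
#!/bin/sh
# Added example (not from the threads or from FreeRADIUS): confirm that the
# MySQL client development files rlm_sql_mysql is built against are present
# before running FreeRADIUS's configure. Search paths are assumptions.

# Print the first include directory (of those given) containing mysql/mysql.h.
# Returns 1 if none does.
find_mysql_header() {
    for inc in "$@"; do
        if [ -f "$inc/mysql/mysql.h" ]; then
            printf '%s\n' "$inc"
            return 0
        fi
    done
    return 1
}

# Print the first libmysqlclient shared or static library found under the
# given library directories. Returns 1 if none is found.
find_mysql_lib() {
    for lib in "$@"; do
        for f in "$lib"/libmysqlclient.so "$lib"/libmysqlclient.so.* "$lib"/libmysqlclient.a; do
            if [ -e "$f" ]; then
                printf '%s\n' "$f"
                return 0
            fi
        done
    done
    return 1
}

# Combined check. $1 and $2 are whitespace-separated lists of include and
# library directories; the defaults are the usual locations for a source
# build of MySQL or a distribution's -devel package.
check_mysql_dev() {
    incdirs="${1:-/usr/include /usr/local/include /usr/local/mysql/include}"
    libdirs="${2:-/usr/lib /usr/local/lib /usr/local/mysql/lib}"
    # unquoted on purpose: these are lists of directories
    if ! find_mysql_header $incdirs >/dev/null; then
        echo "missing: mysql/mysql.h (install the MySQL development headers or build MySQL from source)"
        return 1
    fi
    if ! find_mysql_lib $libdirs >/dev/null; then
        echo "missing: libmysqlclient (rlm_sql_mysql cannot be linked without it)"
        return 1
    fi
    echo "ok: MySQL headers and client library found"
}
```

Run `check_mysql_dev` with no arguments on the build host; if it reports the header as missing, that is the "can't locate mysql header" line from the configure log, and installing the development package (or building MySQL from source, as Gary did) resolves it before any amount of rebuilding FreeRADIUS will.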




Re: OS for FreeRADIUS

2004-04-23 Thread Gary McKinney
OK - I FINALLY found something on the gethostbyname() function not being thread 
safe

http://lists.freebsd.org/pipermail/freebsd-threads/2004-February/001645.html

According to the info I read the gethostbyname() function uses static storage so if it 
is called in a threaded environment it is possible (and most likely probable) the 
information would be overwritten by a second call by another thread before it was read 
back out by the calling thread - the message goes on to say there *IS* a thread safe 
re-entrant function (the getaddrinfo() function) which should be used in a threaded 
environment to alleviate the problem...

I realize this is probably not the answer people are wanting to see (it would require 
some changes to the autoconf scripts to take into account FreeBSD vs other os types) 
but apparently that is the tack the FreeBSD community took to fix this problem...
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: [EMAIL PROTECTED] (Paul Hampson)
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 22 Apr 2004 02:06:02 +1000

On Wed, Apr 21, 2004 at 08:49:47AM -0400, Gary McKinney wrote:
 I realize this is not a direct FreeRadius issue but possibly could be indirectly 
 related if the
 actual problem still exists with thread locking...

 I checked the FreeBSD site for any PR listings for what you have described... did 
 not find
 anything - have you checked against the latest release of FreeBSD for the 
 problem??? 

http://lists.cistron.nl/archives/freeradius-users/2003/09/frm00212.html
* http://lists.cistron.nl/archives/freeradius-users/2003/09/msg00212.html
http://lists.cistron.nl/archives/freeradius-users/2003/09/frm00434.html
http://lists.cistron.nl/archives/freeradius-devel/2003/09/frm00093.html

_I_ haven't tested against the latest release of FreeBSD. I'd welcome
any improvements to the thread-safety of FreeRADIUS, so if you want to
test it out and suggest changes that don't break any other versions of
FreeBSD, any other BSD flavours, and (if possible) Tru64 and OS/X...

However, given that we're ramping up to a release, I'd rather not
duplicate the 0.9 series's tendency to need autoconf fixes for
gethostby* immediately after _each_ release. If we have something safe-
looking before we start the pre release cycle, and it gets _tested_ by
various FreeBSD and other bodies, then maybe. :-)

Whoops. While trawling the list archives from September I found someone
who asked me a question, and I never answered. :-( I hope he found
enlightenment eventually, and didn't leave us for Radiator.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Better version

2004-04-23 Thread Gary McKinney
OH... You're just being modest!!!  {Big Grin} 
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Alan DeKok [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 23 Apr 2004 16:01:02 -0400

radius [EMAIL PROTECTED] wrote:
 You want to know my experience?
 1.You will never find a better radius server at this price.

  Considering the other open source (free) servers don't have many of
the features that FreeRADIUS has (e.g. EAP), that's very true.

  In addition, there's more activity on this list in one day than on
the users lists for any of the other servers in a month.  And this
list has more messages in a month than the all other lists for all
other free servers combined.

 3.Think before you ask, this list can be Killer Brutal to people who expect 
 someone to do it for them(buy commercial support if you expect this)

  Most people's configurations are complicated.  It takes a lot of care
and time to create a configuration which is correct, and does what you
want.  You can't just poke a few things and have it work.  FreeRADIUS
isn't a web browser, or an instant chat client.

  There are setups I've created where I've spent days trying to get
the exact configuration correct, so that it doesn't match the wrong
thing, and does the right thing.  Sure, they're complicated setups,
but it's definitely not easy, even for me.

  Alan DeKok.



Re: OS for FreeRADIUS

2004-04-23 Thread Gary McKinney
Great news!!!

I have setup a FreeBSD 5.2.1 system at the house and will be doing some testing over 
the weekend on it (with several different configurations to see how it works out) 
I'll let you know what I find out (the FreeRadius version is the 
20040421-Snapshot) 
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Alan DeKok [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 23 Apr 2004 15:08:21 -0400

Gary McKinney [EMAIL PROTECTED] wrote:
 I realize this is probably not the answer people are wanting to see
 (it would require some changes to the autoconf scripts to take into
 account FreeBSD vs other os types) but apparently that is the tack
 the FreeBSD community took to fix this problem...

  In the CVS snapshots, the autoconf scripts already take this into
account.

  Alan DeKok.



Re: Combining Radius with Apache Authorization

2004-04-22 Thread Gary McKinney
From your description it appears it is something in the configuration of Apache... 
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Charles Thomas [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 22 Apr 2004 08:36:55 -0500

For various reasons, our department has implemented a system whereby we 
combine Radius authorization (for user login) with the built-in Apache 
Basic authorization model (for management of individual user directory 
privileges via use of an .htaccess file).

We're currently seeing some weirdness with this setup, specifically:

Problem #1: If someone logs in and then tries to access a resource for 
which they do not have permission, the server is throwing out an 
Internal Server Error (Error code 500) to the browser instead of the 
proper Unauthorized (Error code 401).

Problem #2: There are times where the .htaccess files are being read, 
but ignored.  e.g., a user has an .htaccess file in his directory which 
is being read, but the require groups bar directive is being ignored 
and he gets access to the directory anyway.

My questions are:

Does anyone have any experience using both systems together?

If so, do you have any configuration tips you'd be willing to share?

Can anyone theorize why the wrong error is being generated when a user 
doesn't have access to a resource?  What is generating this error (I'm 
guessing Apache) and where would I go to try to fix this bug?

Please feel free to email me off-list with any hints.  I'll also be 
watching here.

Many thanks!

CT
--
Charles Thomas
DoIT Network Services Programmer
University of Wisconsin - Madison
1210 W. Dayton St.  Rm. B111
Madison, WI  53706
(608) 262-1649 Office
(608) 262-7561 Fax
[EMAIL PROTECTED]


 

 



Re: Combining Radius with Apache Authorization

2004-04-22 Thread Gary McKinney
Just a thought... try checking in the httpd-error.log file to see what Apache is 
saying is the problem... it may be rather cryptic but should point you in the right 
direction 
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Charles Thomas [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 22 Apr 2004 08:36:55 -0500

For various reasons, our department has implemented a system whereby we 
combine Radius authorization (for user login) with the built-in Apache 
Basic authorization model (for management of individual user directory 
privileges via use of an .htaccess file).

We're currently seeing some weirdness with this setup, specifically:

Problem #1: If someone logs in and then tries to access a resource for 
which they do not have permission, the server is throwing out an 
Internal Server Error (Error code 500) to the browser instead of the 
proper Unauthorized (Error code 401).

Problem #2: There are times where the .htaccess files are being read, 
but ignored.  e.g., a user has an .htaccess file in his directory which 
is being read, but the require groups bar directive is being ignored 
and he gets access to the directory anyway.

My questions are:

Does anyone have any experience using both systems together?

If so, do you have any configuration tips you'd be willing to share?

Can anyone theorize why the wrong error is being generated when a user 
doesn't have access to a resource?  What is generating this error (I'm 
guessing Apache) and where would I go to try to fix this bug?

Please feel free to email me off-list with any hints.  I'll also be 
watching here.

Many thanks!

CT
--
Charles Thomas
DoIT Network Services Programmer
University of Wisconsin - Madison
1210 W. Dayton St.  Rm. B111
Madison, WI  53706
(608) 262-1649 Office
(608) 262-7561 Fax
[EMAIL PROTECTED]
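Gary's advice to start from the Apache error log is the right first step for both of Charles's symptoms, because Apache writes a distinct message for each case. As an added illustration (not code from the thread), the script below runs over a few constructed error_log lines in the Apache 1.3/2.0 format and separates entries that signal a configuration error, which Apache reports to the browser as 500, from genuine authorization or authentication denials, which it reports as 401. One well-known producer of the 500 symptom is an .htaccess directive that the enclosing AllowOverride does not permit (for the auth directives, AllowOverride AuthConfig); Apache logs it as "<directive> not allowed here". Whether that is Charles's case is not established by the thread; the sample lines, paths and client addresses are constructed.

```python
"""Triage Apache error_log lines to separate 500-producing configuration
errors from genuine 401 authorization/authentication denials."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the Apache 1.3/2.0 error_log format; they are
# not from the thread, only illustrative of the message shapes handled below.
SAMPLE_ERROR_LOG = """\
[Thu Apr 22 08:30:01 2004] [error] [client 192.0.2.10] /home/alice/public_html/.htaccess: Require not allowed here
[Thu Apr 22 08:30:05 2004] [error] [client 192.0.2.11] access to /~bob/private/ failed, reason: user bob not in group
[Thu Apr 22 08:30:09 2004] [error] [client 192.0.2.12] user carol: authentication failure for "/~bob/private/": Password Mismatch
[Thu Apr 22 08:30:12 2004] [error] [client 192.0.2.13] /home/dave/public_html/.htaccess: AuthType not allowed here
[Thu Apr 22 08:30:15 2004] [notice] caught SIGTERM, shutting down
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)

# A directive that AllowOverride does not permit in .htaccess is rejected at
# request time; Apache logs "<directive> not allowed here" and answers 500.
HTACCESS_RE = re.compile(r"^(?P<file>\S+\.htaccess): (?P<directive>\w+) not allowed here")

# Ordered rules: (pattern, label, HTTP status the browser receives).
RULES: List[Tuple[re.Pattern, str, int]] = [
    (HTACCESS_RE, "config-error", 500),
    (re.compile(r" failed, reason: "), "authz-denied", 401),
    (re.compile(r"authentication failure"), "authn-failed", 401),
]


def parse_error_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Split error_log text into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def classify(msg: str) -> Tuple[str, Optional[int]]:
    """Map one message to (label, status); unknown messages get ("other", None)."""
    for pattern, label, status in RULES:
        if pattern.search(msg):
            return label, status
    return "other", None


def summarize(text: str) -> Dict[str, int]:
    """Count entries per label so a run of config-error lines stands out."""
    counts: Counter = Counter()
    for entry in parse_error_log(text):
        counts[classify(entry["msg"])[0]] += 1
    return dict(counts)


def rejected_htaccess_directives(text: str) -> List[Tuple[str, str]]:
    """List (file, directive) pairs Apache refused. Each needs an AllowOverride
    that permits it (AuthConfig for the auth directives) on the enclosing
    <Directory>; until then Apache answers 500 instead of evaluating it."""
    found = []
    for entry in parse_error_log(text):
        m = HTACCESS_RE.match(entry["msg"])
        if m:
            found.append((m.group("file"), m.group("directive")))
    return found


if __name__ == "__main__":
    print(summarize(SAMPLE_ERROR_LOG))
    for path, directive in rejected_htaccess_directives(SAMPLE_ERROR_LOG):
        print(f"{path}: '{directive}' blocked by AllowOverride -> HTTP 500")
```

Run it against the real error_log instead of the sample and a 500 that is really a refused .htaccess directive shows up in the config-error bucket with the file and directive named; a user who authenticated but is not in the required group lands in authz-denied and should already be getting the 401 Charles expects.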


 

 



Re: OS for FreeRADIUS

2004-04-21 Thread Gary McKinney
Hi Paul,

I realize this is not a direct FreeRadius issue but possibly could be indirectly related if the actual problem still exists with thread locking...

I checked the FreeBSD site for any PR listings for what you have described... did not find anything - have you checked against the latest release of FreeBSD for the problem???
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: [EMAIL PROTECTED] (Paul Hampson)
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 21 Apr 2004 20:28:20 +1000

On Tue, Apr 20, 2004 at 09:39:14PM -0600, stenmark  wrote:

 Is there a recommended OS for freeradius?

 Is there really a difference (performance or otherwise) between
 running freeradius on FreeBSD compared to a distrobution of Linux
 (RedHat, Gentoo, etc...)?

FreeBSD has locking issues with threads, in the DNS resolver libraries.

If you want to see the discussion, dig around the list archives for the
time of the 0.9.1 release.

-- 
Paul TBBle Hampson, who was reading those archives the other day.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Compiling with rlm_krb Possible BUG?

2004-04-07 Thread Gary McKinney



Steve,

Did moving the com_err from the RLM_LIBS line to the HEADERS line correct the problem compiling??

( you know what they say: "Just because it compiled does not mean it compiled!")...

If that corrected the compile problem and it works for you I suspect the changes would be of interest to others wanting to use Kerberos as well...

Gary N. McKinney

  - Original Message - 
  From: Steve OBrien
  To: [EMAIL PROTECTED]
  Sent: Tuesday, April 06, 2004 6:33 PM
  Subject: Re: Compiling with rlm_krb Possible BUG?

  I edited the makefile and moved -lcom_err from the RLM_LIBS line to the HEADERS line and make seemed to work. Not sure if that is a bug... Steve


Re: Compiling with rlm_krb

2004-04-06 Thread Gary McKinney
Hey Steve,

You really did not give very much info but I suspect you don't have Kerberos installed in the machine...


Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Steve OBrien [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 6 Apr 2004 10:52:11 -0700

I am getting:
ld: fatal: library -lcom_err: not found
ld: fatal: File processing errors. No output written to 
.libs/rlm_krb5-1.0.0-pre0.so
when trying to compile rlm_krb, I have googled and do not see any 
reference to this library, what is it?

TIA,
Steve

 

 



Re: Alan

2004-04-02 Thread Gary McKinney
Alan,

In response to your question the better method would be to direct you (and anyone else wondering about the differences between PEAP and TTLS) to read the following web page:

http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html

There is a good writeup on the subject and a table showing the differences..

The short answer about a client certificate - it is optional in PEAP as it is in TTLS...

Hope this sheds some light on the subject for you - I would have answered directly but the web page did it so much better than I could!!!

Gary N. McKinney


- - Original Message - 
From: Alan Russell [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 02, 2004 11:01 AM
Subject: Re: Alan


 - Original Message - 
 From: Gary McKinney [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, April 01, 2004 10:12 PM
 Subject: Re: Alan
 
 
  Hi Alan,
 
  Basically:
 
  When you have a client machine that is connecting to a NAS using EAP/TLS and variations thereof the encrypted path is ONLY between the client machine and the NAS (be it wired or wireless).
 
  The Radius server provides the initial encryption path between the client machine and the radius server only during the authentication/authorization phase of the connection process. The radius server uses the TLS side of the connection for the authorization transactions once the TLS tunnel is established and credentials have been verified (by virtue of the security certificates both the radius server and client machine have installed) ... with TTLS only the radius server has a certificate and the encryption phase is handled by a certificate generated on the radius server to that specific session - once validated the NAS and the client machine receive an encryption key to use during the connection session (and the key is renewed with a new key for the NAS and client machine every so often - 300 seconds I think is the default setting in FreeRadius's configuration file)
 
  If you need encryption from the client machine to a distant server/workstation then you will need to implement some additional encryption mechanism between those end-points as the PEAP/TLS session is ONLY between the NAS and client machine connecting to the NAS...
 
  I hope this helps
 
  Gary N. McKinney
 
 
 Gary,
 
 Thanks for the help.  With my PEAP/TLS implementation (which
 appears to be working) my client machine, which is running win XP
 sp1, asks me for credentials eg. username/password, and if the
 user exists in the users file then I will be authenticated. 
 However, I never installed the openssl generated certificate on the
 client side.  In my eap.conf file:
 eap {
 default_eap_type = peap
 etc..
 }
 
 all tls info is correct, and
 
 peap {
 default_eap_type=mschapv2
 }
 
 Is the client side cert. automatically accepted?  Also, I have wep
 key is provided for me checked on my XP machine and everything
 still functions fine.  Is the freeradius server providing a wep key
 to the client machine?  
 
 Thanks,
 Alan
 
 
 








Re: Help : issue in authenticating Wireless clients

2004-04-01 Thread Gary McKinney
Vasudevan,

This is how I perceive things:

Indeed the radius server is sending the accept back to the nas...

 Wed Mar 31 12:45:51 2004 : Debug:
rad_check_password:  Found Auth-Type Accept
 Wed Mar 31 12:45:51 2004 : Debug:
rad_check_password: Auth-Type =  Accept, accepting the user

That says the radius server accepted the information to allow the
user to connect...

 Sending Access-Accept of id 18 to 192.168.1.35:1042
  Service-Type = Framed-User
  Login-IP-Host = 192.168.112.124
  Callback-Number = 9,5551212
  Login-Service = Telnet
  Framed-Protocol = PPP
  Login-TCP-Port = Telnet

The radius server sent the configuration information to the nas for
the connection setup...

Since it appears to me the radius server is responding back to the nas
with the info to accept and the configuration information for the
connection - do you have the information for the connection setup
properly???  This would seem to be an issue between the client
machine and the nas and occurs once the connection is established
and authorized (after the radius part [grin])...

Gary N. McKinney


- Original Message - 
From: Vasudevan.S [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 01, 2004 3:41 AM
Subject: Help : issue in authenticating Wireless clients


 Dear All,

 I am re sending the mail again Can any one have any idea of what is
 wrong with the configuration or what am i doing wrong here ??

 Thanks,
 Vasudevan.S





 Dear Alan DeKok,

 I am using free-radius 0.9.3 for authentication purpose. I have
 configured free radius and cisco 350 AP and I see the below trace when I
 start the radius server with debug options on. The Wireless client
 connects to the cisco AP and sends the authentication request to the
 free radius server and gets a Access Accept return packet but the end
 wireless client  is getting invalid username/password and the user login
 is rejected.

 Please find the trace in the radius server side, I have also given the
 hardware components used. I have also attached the radius.conf for your
 reference.

 Free Radius Server : Linux 8.0
 AP = Cisco 350 AP
 Wireless client card : 3com : driver version 1.0.0.225 :

 Has anyone encountered such problems??,  solution to this is greatly
 appreciated.


 Thanks a lot for your Help
 Vasudevan.S



 rad_recv: Access-Request packet from host 192.168.1.35:1042, id=18,
 length=176
 TEST:secretKey kernel TEST:secretKey kernel User-Name = muthuganeshj
  Cisco-AVPair = ssid=ciscossid2
  NAS-IP-Address = 192.168.1.35
  Called-Station-Id = 0040965e03cb
  Calling-Station-Id = 000d54aa88db
  NAS-Identifier = AdventNet Cisco 350 AP
  NAS-Port = 37
  Framed-MTU = 1400
  NAS-Port-Type = Wireless-802.11
  Service-Type = Login-User
  EAP-Message = 0x02080011016d7574687567616e6573686a
  Message-Authenticator = 0xd3c1ce45286cdd4b940bbb42cc54a2e3
 Wed Mar 31 12:45:51 2004 : Debug: modcall: entering group authorize for
 request 5
 Wed Mar 31 12:45:51 2004 : Debug:   modsingle[authorize]: calling
 preprocess (rlm_preprocess) for request 5
 Wed Mar 31 12:45:51 2004 : Debug:   modsingle[authorize]: returned from
 preprocess (rlm_preprocess) for request 5
 Wed Mar 31 12:45:51 2004 : Debug:   modcall[authorize]: module
 preprocess returns ok for request 5
 Wed Mar 31 12:45:51 2004 : Debug:   modsingle[authorize]: calling chap
 (rlm_chap) for request 5
 Wed Mar 31 12:45:51 2004 : Debug:   modsingle[authorize]: returned from
 chap (rlm_chap) for request 5
 Wed Mar 31 12:45:51 2004 : Debug:   modcall[authorize]: module chap
 returns noop for request 5
 Wed Mar 31 12:45:51 2004 : Debug:   modsingle[authorize]: calling suffix
 (rlm_realm) for request 5
 Wed Mar 31 12:45:51 2004 : Debug: rlm_realm: No '@' in User-Name =
 muthuganeshj, looking up realm NULL
 Wed Mar 31 12:45:51 2004 : Debug: rlm_realm: No such realm NULL
 Wed Mar 31 12:45:51 2004 : Debug:   modsingle[authorize]: returned from
 suffix (rlm_realm) for request 5
 Wed Mar 31 12:45:51 2004 : Debug:   modcall[authorize]: module suffix
 returns noop for request 5
 Wed Mar 31 12:45:51 2004 : Debug:   modsingle[authorize]: calling files
 (rlm_files) for request 5
 Wed Mar 31 12:45:51 2004 : Debug: users: Matched DEFAULT at 151
 Wed Mar 31 12:45:51 2004 : Debug: users: Matched muthuganeshj at 215
 Wed Mar 31 12:45:51 2004 : Debug:   modsingle[authorize]: returned from
 files (rlm_files) for request 5
 Wed Mar 31 12:45:51 2004 : Debug:   modcall[authorize]: module files
 returns ok for request 5
 Wed Mar 31 12:45:51 2004 : Debug:   modsingle[authorize]: calling mschap
 (rlm_mschap) for request 5
 Wed Mar 31 12:45:51 2004 : Debug:   modsingle[authorize]: returned from
 mschap (rlm_mschap) for request 5
 Wed Mar 31 12:45:51 2004 : Debug:   modcall[authorize]: module mschap
 returns noop for request 5
 Wed Mar 31 12:45:51 2004 : Debug: modcall: group 
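The trace above carries two details worth reading by hand: the Access-Request has an EAP-Message attribute (0x02080011016d7574687567616e6573686a), and the Access-Accept that answers it has none. As an added example (not code from the thread or from FreeRADIUS), the script below decodes that EAP-Message the way a 802.1X supplicant would and then checks the request/accept pair for the rule in RFC 3579 that an Access-Accept answering an EAP request must itself carry an EAP-Message (the EAP-Success) and a Message-Authenticator; a supplicant that never receives EAP-Success treats the attempt as failed even though the server logged an accept. The attribute lines are copied from the trace; the check reports the mismatch visible there, whether or not that turns out to be the whole story for Vasudevan's setup.

```python
"""Decode the EAP-Message attribute from a radiusd -X trace and check that an
Access-Accept answering an EAP request carries an EAP-Message of its own."""
from dataclasses import dataclass
from typing import Dict, List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Attribute lines copied from the trace in this thread (request, then accept).
REQUEST_TRACE = """\
User-Name = muthuganeshj
Cisco-AVPair = ssid=ciscossid2
NAS-IP-Address = 192.168.1.35
Called-Station-Id = 0040965e03cb
Calling-Station-Id = 000d54aa88db
NAS-Identifier = AdventNet Cisco 350 AP
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x02080011016d7574687567616e6573686a
Message-Authenticator = 0xd3c1ce45286cdd4b940bbb42cc54a2e3
"""
ACCEPT_TRACE = """\
Service-Type = Framed-User
Login-IP-Host = 192.168.112.124
Callback-Number = 9,5551212
Login-Service = Telnet
Framed-Protocol = PPP
Login-TCP-Port = Telnet
"""


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int]   # only present on Request/Response
    data: bytes           # type-data, e.g. the identity string

    def describe(self) -> str:
        kind = EAP_CODES.get(self.code, f"code {self.code}")
        if self.type is None:
            return f"EAP {kind} id={self.identifier}"
        tname = EAP_TYPES.get(self.type, f"type {self.type}")
        extra = f" identity={self.data.decode('utf-8', 'replace')!r}" if self.type == 1 else ""
        return f"EAP {kind}/{tname} id={self.identifier}{extra}"


def parse_eap_message(hexstr: str) -> EapPacket:
    """Parse one EAP packet as FreeRADIUS prints it (0x-prefixed hex):
    code(1) identifier(1) length(2) [type(1) type-data]."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, identifier, length")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes")
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        return EapPacket(code, ident, length, raw[4], raw[5:])
    return EapPacket(code, ident, length, None, raw[4:])


def parse_attrs(block: str) -> Dict[str, str]:
    """Turn 'Name = value' lines of a radiusd -X trace into a dict."""
    attrs = {}
    for line in block.splitlines():
        if " = " in line:
            name, value = line.strip().split(" = ", 1)
            attrs[name.strip()] = value.strip()
    return attrs


def accept_is_eap_consistent(request: Dict[str, str], reply: Dict[str, str]) -> List[str]:
    """RFC 3579: a reply to a request carrying EAP-Message must carry EAP-Message,
    and any packet carrying EAP-Message must carry Message-Authenticator.
    Returns the findings; an empty list means the pair is consistent."""
    findings = []
    if "EAP-Message" in request and "EAP-Message" not in reply:
        findings.append("Access-Accept lacks EAP-Message (no EAP-Success reaches the client)")
    if "EAP-Message" in reply and "Message-Authenticator" not in reply:
        findings.append("Access-Accept carries EAP-Message without Message-Authenticator")
    return findings


if __name__ == "__main__":
    req, acc = parse_attrs(REQUEST_TRACE), parse_attrs(ACCEPT_TRACE)
    print(parse_eap_message(req["EAP-Message"]).describe())
    for finding in accept_is_eap_consistent(req, acc):
        print("finding:", finding)
```

Decoding the request gives an EAP Response/Identity for muthuganeshj, i.e. the very first EAP round; an Access-Accept at that point, with no EAP-Message and the "Found Auth-Type Accept" line in the log, means the EAP conversation was short-circuited on the server side before the client ever saw EAP-Success, which matches the access point reporting an invalid username/password.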

Re: Could not link driver rlm_sql_mysql problem.

2004-04-01 Thread Gary McKinney
Hi Shannon,

By default I don't think FreeRadius compiles with the sql drivers.  You have
to configure FreeRadius to compile with the MySQL drivers before you can
use MySQL with it.  Once compiled with the drivers it should work...

At least that is what I remember - check the configuration information in the INSTALL information file in the src directory of the FreeRadius package...

Gary N. McKinney


- Original Message - 
From: Shannon Sariman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 01, 2004 2:29 AM
Subject: Could not link driver rlm_sql_mysql problem.


 Hi All,

 I am trying to use MySQL with FreeRadius for accounting purposes. I am
 getting an error message when running freeradius in debug mode using
 radiusd -X. The error message is something like:

 rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
 rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the
 search path of your system's ld.
 radiusd.conf[14]: sql: Module instantiation failed.

 Any ideas?

 Regards,

 Shannon Sariman (Mr.)









Re: xsupplicant vs. freeradius

2004-03-25 Thread Gary McKinney
artur,

You may want to try the latest CVS Snapshot instead of the 0.9.3 version.
The 0.9.3 version does not have all of the code to support what you are
attempting to do (or at least it did not when I was working on getting the
EAP/TTLS protocols working with a Linksys WRT45G Wireless router and
WPC54G Wireless PCMCIA card using the Funk Software Supplicant - works
like a charm)...

Hope this helps...
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Artur Hecker [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 25 Mar 2004 09:34:17 +0100

hi list


now it's a bit out of scope but i am sure some of you have some 
experiences with xsupplicant. i'm doing EAP/TLS over cisco 350 card and 
cisco 1200 or 350 APs to the 0.9.3 release of freeradius and it's 
actually a bit funny since (one of the latest) xsupplicant doesn't stop 
reauthenticating all the time although there is nothing in the 
Access-Accept message which would limit the session-time. so this is not 
about freeradius.

now, i would have said that this has nothing to do with xsupplicant 
neither since, in the packet log, the AP is really sending an EAP 
Request/Identity. But curiously enough, with Windows XP's own 802.1X 
client with the _same_ card and the _same_ client certificate this does 
_not_ happen.

basically, freeradius sends exactly the same Access packet in both 
cases: Access-Accept along with all the keys. now, xsupplicant says 
Authenticated. then it gets its keys, the broadcast _and_ the unicast 
keys, installs those two correctly and, hardly installed, it gets a new 
(re)authentication request!?

the really funny thing is that the data pass through during all this 
reauthentication storm: i can bring up my wireless interface with DHCP 
and then even ping hosts while they keep on reauthenticating with about 
0.5s delays between the last EAPOL key and the new EAP Request/ID...

does somebody have _ANY_ idea what it could be about?


ciao
artur



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Is it possible to compile freeradius-snapshot-20040316 on Debian Woody ?

2004-03-16 Thread Gary McKinney

Aime

Having NOT worked with Debian for a while (5 years) I would check to see
if the package is available on the Debian site - I suspect it is an optional
package you need to install - probably the same for the devhelper package
as well...

check here first:

http://packages.debian.org/unstable/libdevel/libsasl2-dev

Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --

All,

I am trying to compile freeradius-snapshot-20040316 on
Debian (kernel 2.4.2) using :

pebble:~/# dpkg-buildpackage -us -uc -b -rfakeroot

I get the following :
dpkg-buildpackage: source package is freeradius
dpkg-buildpackage: source version is
0.9.3-cvs20040225-0
dpkg-buildpackage: source maintainer is Paul Hampson
[EMAIL PROTECTED]
dpkg-buildpackage: host architecture is i386
dpkg-checkbuilddeps: Unmet build dependencies:
debhelper (= 4.1.68), libsasl2-dev
dpkg-buildpackage: Build dependencies/conflicts
unsatisfied; aborting.
dpkg-buildpackage: (Use -d flag to override.)

-

I could not find libsasl2-dev and debhelper.
Any suggestions of what i can try else ?

I have to say that I was able to do this on Debian
Sage before.

--Aimé

