From: freeradius-users-request@lists.freeradius.org
Reply-To: freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 24, Issue 3
Date: Mon, 02 Apr 2007 07:59:28 +0200
Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Attributes (Shawn Mitchell)
2. Re: passing Calling-Station-ID (Adil Azmi Bikarbass)
3. Re: Freeradius-Users Digest, Vol 24, Issue 2 (Arran Cudbard-Bell)
4. RE: Attributes [unclas] (Ranner, Frank MR)
5. Re: Attributes [unclas] (Shawn Mitchell)
6. RE: Anyone using dd-wrt for AP? (Aren Chua)
7. EAP-AKA patch for Freeradius 1.1.2 (awaneesh kumar)
----------------------------------------------------------------------
Message: 1
Date: Sun, 01 Apr 2007 16:45:22 -0500
From: Shawn Mitchell <shawnm@iodamedia.net>
Subject: Re: Attributes
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <461027F2.3020605@iodamedia.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Ok, here's what I'm doing:
DEFAULT Client-IP-Address == xx.xx.xx.xx
Ascend-Data-Filter = "ip in forward tcp est",
Ascend-Data-Filter = "ip in forward dstip xx.xx.xx.0/24",
Ascend-Data-Filter = "ip in drop tcp dstport = 25",
Ascend-Data-Filter = "ip in forward",
Fall-Through = Yes
I turned on logging of replies, but all I'm seeing it send is:
Sun Apr 1 16:31:21 2007
Ascend-Data-Filter = "ip in forward tcp est"
I put this into the 'users' file btw.
Alan DeKok wrote:
> Shawn Mitchell wrote:
>
>> Where can I say "If client is 'x', then also send these attributes to
>> users being authenticated..."?
>>
>
> In the "users" file.
>
> DEFAULT Client-IP-Address == 1.2.3.4
> Reply-Message = "You're coming from 1.2.3.4"
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
------------------------------
Message: 2
Date: Sun, 01 Apr 2007 22:59:14 +0000
From: Adil Azmi Bikarbass <adil@mtds.com>
Subject: Re: passing Calling-Station-ID
To: Alan DeKok <aland@deployingradius.com>
Cc: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <46103942.2070008@mtds.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hello All,
Do I need to create a whole DB for only one field that I will pass from
one NAS to another?
Knowing that my Freeradius is running on Solaris 10, which DB do you suggest
I use?
Thank you
Alan DeKok wrote:
> Adil Azmi Bikarbass wrote:
>
>> The issue is that we want the second NAS to get the calling-station-ID
>> from the "someuser" session on Radius
>>
>
> To do... what?
>
>
>> is there a way we can have this to work and pass this attribute from one
>> session to another?
>>
>
> Sure. Store the Calling-Station-Id in a database when you receive it
> from the first NAS, then pull it out of the DB, and send it to the
> second NAS.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
>
>
--
|-Adil Bikarbass
|-IT Manager, MTDS
|-tel +212.3.767.4861
|-fax +212.3.767.4863
|-gsm +212.6.139. 4541
|-14, rue 16 novembre
|-Rabat, Kingdom of Morocco
------------------------------
Message: 3
Date: Mon, 02 Apr 2007 00:00:43 +0100
From: Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>
Subject: Re: Freeradius-Users Digest, Vol 24, Issue 2
To: freeradius-users@lists.freeradius.org
Message-ID: <4610399B.6010008@sussex.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>> Does anyone have a draft list of which clients actually support the
>> Reply-Message and by which methods they can receive them?
>>
>
> All clients will accept it. Very few will do anything useful with it.
>
>
>> The reason why I ask is that during initial tests (using CHAP) the built-in
>> Windows CHAP supplicant would display the reply-messages being sent back
>> from the server.
>> Now we've moved on from CHAP to using EAP and the Windows supplicant no
>> longer displays the messages.
>>
>
> Yes.
>
>
>> Am I right in assuming that with EAP, attributes from the Access-Accept
>> packet only get to the NAS, and that the NAS will strip out the EAP
>> message and pass it on to the supplicant, and that's all the supplicant
>> will ever get?
>>
>
> Yes.
>
>
>> In which case, although the Reply-Message attribute is also supported in
>> PoD, the client will never actually receive it when using EAP?
>>
>
> Yes.
>
> Alan DeKok.
>
Ahh, thanks for clearing that up!
Don't suppose EAP supports encoding the equivalent of a Reply-Message?
P.S. Well done for understanding my poorly punctuated morning ramblings :)
Arran
------------------------------
Message: 4
Date: Mon, 2 Apr 2007 11:14:47 +1000
From: "Ranner, Frank MR" <Frank.Ranner@defence.gov.au>
Subject: RE: Attributes [unclas]
To: "FreeRadius users mailing list"
<freeradius-users@lists.freeradius.org>
Message-ID:
<3497E314EE23D54EACE26B5CFFD896980A6125@drnrxm01.drn.mil.au>
Content-Type: text/plain; charset="US-ASCII"
Use the += operator, e.g. Ascend-Data-Filter += "ip in forward dstip xx.xx.xx.0/24",
to append to a multi-valued list.
FR
> -----Original Message-----
> From:
> freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre
> eradius.org
> [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@l
> ists.freeradius.org] On Behalf Of Shawn Mitchell
> Sent: Monday, 2 April 2007 07:45
> To: FreeRadius users mailing list
> Subject: Re: Attributes
>
> Ok, here's what I'm doing:
>
> DEFAULT Client-IP-Address == xx.xx.xx.xx
> Ascend-Data-Filter = "ip in forward tcp est",
> Ascend-Data-Filter = "ip in forward dstip xx.xx.xx.0/24",
> Ascend-Data-Filter = "ip in drop tcp dstport = 25",
> Ascend-Data-Filter = "ip in forward",
> Fall-Through = Yes
>
> I turned on logging of replies, but all I'm seeing it send is:
>
> Sun Apr 1 16:31:21 2007
> Ascend-Data-Filter = "ip in forward tcp est"
>
> I put this into the 'users' file btw.
>
>
>
> Alan DeKok wrote:
> > Shawn Mitchell wrote:
> >
> >> Where can I say "If client is 'x', then also send these
> attributes to
> >> users being authenticated..."?
> >>
> >
> > In the "users" file.
> >
> > DEFAULT Client-IP-Address == 1.2.3.4
> > Reply-Message = "You're coming from 1.2.3.4"
> >
> > Alan DeKok.
> > --
> > http://deployingradius.com - The web site of the book
> > http://deployingradius.com/blog/ - The blog
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
------------------------------
Message: 5
Date: Sun, 01 Apr 2007 20:44:05 -0500
From: Shawn Mitchell <shawnm@iodamedia.net>
Subject: Re: Attributes [unclas]
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <46105FE5.3090904@iodamedia.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Thanks!
That seems to have fixed it.
radtest blarg blarg localhost 111 testing123
Sending Access-Request of id 145 to 127.0.0.1:1812
User-Name = "blarg"
User-Password = "blarg"
NAS-IP-Address = xxxxxxxxxxxxxx
NAS-Port = 111
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=145, length=180
Ascend-Data-Filter = "ip in forward tcp est"
Ascend-Data-Filter = "ip in forward dstip xx.xx.xx.0/24 0"
Ascend-Data-Filter = "ip in drop tcp dstport = 25"
Ascend-Data-Filter = "ip in forward 0"
Ranner, Frank MR wrote:
> Use the += operator, eg Ascend-Data-Filter += "ip in forward dstip
> xx.xx.xx.0/24", to append to
> a multi-valued list.
>
> FR
>
>
>> -----Original Message-----
>> From:
>> freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre
>> eradius.org
>> [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@l
>> ists.freeradius.org] On Behalf Of Shawn Mitchell
>> Sent: Monday, 2 April 2007 07:45
>> To: FreeRadius users mailing list
>> Subject: Re: Attributes
>>
>> Ok, here's what I'm doing:
>>
>> DEFAULT Client-IP-Address == xx.xx.xx.xx
>> Ascend-Data-Filter = "ip in forward tcp est",
>> Ascend-Data-Filter = "ip in forward dstip xx.xx.xx.0/24",
>> Ascend-Data-Filter = "ip in drop tcp dstport = 25",
>> Ascend-Data-Filter = "ip in forward",
>> Fall-Through = Yes
>>
>> I turned on logging of replies, but all I'm seeing it send is:
>>
>> Sun Apr 1 16:31:21 2007
>> Ascend-Data-Filter = "ip in forward tcp est"
>>
>> I put this into the 'users' file btw.
>>
>>
>>
>> Alan DeKok wrote:
>>
>>> Shawn Mitchell wrote:
>>>
>>>
>>>> Where can I say "If client is 'x', then also send these
>>>>
>> attributes to
>>
>>>> users being authenticated..."?
>>>>
>>>>
>>> In the "users" file.
>>>
>>> DEFAULT Client-IP-Address == 1.2.3.4
>>> Reply-Message = "You're coming from 1.2.3.4"
>>>
>>> Alan DeKok.
>>> --
>>> http://deployingradius.com - The web site of the book
>>> http://deployingradius.com/blog/ - The blog
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
------------------------------
Message: 6
Date: Mon, 2 Apr 2007 03:03:25 +0000
From: Aren Chua <cclian18@hotmail.com>
Subject: RE: Anyone using dd-wrt for AP?
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <BAY130-W126EC141C8DD048BA432ECCC600@phx.gbl>
Content-Type: text/plain; charset="iso-8859-1"
Ian Truelsen,
You can try the hotspot (chillispot) under the DD-WRT firmware to configure your
AP to authenticate against the radius server.
Regards,
Aren Chua

> Date: Sun, 1 Apr 2007 10:16:25 +0200
> From: aland@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Anyone using dd-wrt for AP?
>
> Ian Truelsen wrote:
> >
> > Hopefully that is not the case. The freeradius server is on an external
> > machine. I am trying to get the AP to authenticate against that server,
> > but I am having trouble sorting out how to get it to do this.
>
> There should be a RADIUS server configuration. But you'll have to
> enable 802.1x authentication, too.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 7
Date: Sun, 1 Apr 2007 22:59:20 -0700 (PDT)
From: awaneesh kumar <awaneeshkmr@yahoo.com>
Subject: EAP-AKA patch for Freeradius 1.1.2
To: freeradius-users@lists.freeradius.org
Message-ID: <181530.30637.qm@web58815.mail.re1.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"
Hi All,
I have downloaded the patch from
http://bugs.freeradius.org/show_bug.cgi?id=386.
I have successfully applied the patch to Freeradius 1.1.2. A few questions I
have:
a) Does the patch support optional identity privacy, optional
result indications, and an optional fast re-authentication procedure?
b) After receiving EAP-Request/AKA-Challenge from the server, the client
should calculate AT_MAC and compare it with the received one. If it matches,
it should send back the EAP-Response/AKA-Challenge with AT_RES and a new
AT_MAC.
As per section 10.8 of RFC 4187, AT_RES should be encoded as follows:
The value field of this attribute begins with the 2-byte
RES Length, which identifies the exact length of the
RES in bits. The RES Length is followed by the AKA RES parameter.
According to [TS33.105], the length of the AKA RES can vary between 32 and
128 bits. Because the length of the AT_RES attribute must be a
multiple of 4 bytes, the sender pads the RES with zero bits where
necessary.
The trace below is the packet from client to server:
0x024200301701000003050000d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d00b0500000d6eb3a8082c9d2c0a031505b7a0fac0
c) As per section 3 (Figure 2) of RFC 4187, if the server is unable to
authenticate the client because AT_MAC or AT_RES is incorrect, it should send back
EAP-Request/AKA-Notification to the client, and the client should respond back with
EAP-Response/AKA-Notification. Only then should the server send back the EAP result
as Failure. But Freeradius 1.1.2 sends back the EAP Result (FAILURE) with
Access-Reject. However, the success scenario works perfectly.
d) After receiving AKA-Challenge from the Radius server, does the patch support
checking the Sequence No from the AUTN parameter?
Do we have any later patch to support EAP-AKA?
Thanks
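The following decoder is an added example, not code from the thread or from the FreeRADIUS patch being discussed. It splits the posted EAP-Response/AKA-Challenge trace into its EAP-AKA attributes and checks the AT_RES value field against the RFC 4187 section 10.8 rules quoted above (2-byte RES Length in bits, then RES, then zero padding), which is the check a server would apply before comparing RES; the attribute type numbers are taken from RFC 4187, and the hex trace is the one from the message with the mail wrap removed.

```python
import struct

# Hex trace copied from the message above (client -> server), re-joined
# across the mail line wrap.
TRACE_HEX = ("024200301701000003050000d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d00b0500"
             "000d6eb3a8082c9d2c0a031505b7a0fac0")

EAP_TYPE_AKA = 23                 # EAP method type for EAP-AKA
AT_RES, AT_MAC = 3, 11            # attribute types, RFC 4187 section 11

def parse_eap_aka(pkt: bytes) -> dict:
    """Split an EAP-AKA packet into header fields and (type, value) attributes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes on the wire")
    if pkt[4] != EAP_TYPE_AKA:
        raise ValueError(f"not EAP-AKA: type {pkt[4]}")
    attrs, off = [], 8            # subtype at [5], two reserved bytes at [6:8]
    while off < length:
        atype, alen = pkt[off], pkt[off + 1] * 4   # Length is in 4-byte units
        if alen == 0 or off + alen > length:
            raise ValueError(f"bad attribute length at offset {off}")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return {"code": code, "id": ident, "subtype": pkt[5], "attrs": attrs}

def check_at_res(value: bytes) -> dict:
    """Check AT_RES per RFC 4187 10.8: 2-byte RES Length (bits), RES, zero padding."""
    res_bits = struct.unpack("!H", value[:2])[0]
    res_len = (res_bits + 7) // 8
    payload = value[2:]
    problems = []
    if not 32 <= res_bits <= 128:          # TS 33.105 range quoted in the RFC
        problems.append(f"RES Length {res_bits} bits is outside 32..128")
    if res_len > len(payload):
        problems.append("RES Length exceeds the attribute payload")
    elif any(payload[res_len:]):
        problems.append("bytes after RES are not zero padding")
    return {"res_bits": res_bits, "res": payload[:res_len].hex(), "problems": problems}

def decode_trace(hex_trace: str = TRACE_HEX) -> dict:
    """Decode the trace and report the AT_RES check and the AT_MAC value."""
    msg = parse_eap_aka(bytes.fromhex(hex_trace))
    by_type = dict(msg["attrs"])
    msg["at_res"] = check_at_res(by_type[AT_RES]) if AT_RES in by_type else None
    # AT_MAC value field: two reserved bytes, then the 16-byte MAC
    msg["at_mac"] = by_type[AT_MAC][2:18].hex() if AT_MAC in by_type else None
    return msg
```

Run against the posted trace, the decoder reports a RES Length field of 0 bits followed by 16 non-zero bytes, which is exactly the kind of mismatch that makes a server's RES comparison fail before any AT_MAC question arises.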
------------------------------
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 24, Issue 3
***********************************************