Angelica Delgado | 1 Apr 07:41 2006

cisco-avpair + vrf-id

Hello,
Do we need to enable something on radius.conf in order to accept cisco-avpair attributes such as a vrf-id?
Thanks.
Angelica

----- Original Message ----
From: Alan DeKok <aland <at> ox.org>
To: Angelica Delgado <angelicadel <at> yahoo.com>; FreeRadius developers mailing list <freeradius-devel <at> lists.freeradius.org>
Sent: Thursday, March 30, 2006 8:49:22 PM
Subject: Re: multiple lap modules

Angelica Delgado <angelicadel <at> yahoo.com> wrote:
> I am trying to setup cisco webvpn with ldap and I want to configure
> a ldap module for each vpn. The problem is that I get the same NAS
> ip from all the vpns. I enabled Calling-Station Id and NAS-Port
> attribute at the webvpn module but freeradius does not display it on
> its logs.

  Did you try running the server in debugging mode as suggested in the
FAQ, README, and INSTALL?

> If there is something I need to enable on the system in
> order to receive NAS-PORT and Calling-Station on the radius packet.

  No.  But you need to *look* at the RADIUS packet.  You're not doing
that now.

  Alan DeKok.
Alan DeKok | 1 Apr 18:41 2006

Re: cisco-avpair + vrf-id

Angelica Delgado <angelicadel <at> yahoo.com> wrote:
> Do we need to enable something on radius.conf in order to accept cisco-avpair attributes such as a vrf-id?

  No.

  Alan DeKok.
Mingyur Koblensky | 4 Apr 12:40 2006

module programming

Hi, I would like to develop an authentication method based on EAP...
I've looked around a bit but didn't find anything, is there any? Should I
write here my doubts?
thank you,
kky

Mingyur Koblensky | 4 Apr 12:57 2006

Re: module programming

Mingyur Koblensky wrote:
> Hi, I would like to develop an authentication method based on EAP...
> I've looked around a bit but didn't find anything, is there any? Should I
> write here my doubts?
> thank you,
> kky
>
>
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
>
>   
I was talking about documentation!! Excuse me...
kky

Ryan Melendez | 4 Apr 16:39 2006

detail logs User-Password

Hello,

I've seen a couple of emails on the list discussing the fact that
User-Password is logged by the detail module.  I have to change this
behavior, but hope to get the change in future releases so I wanted to
know where you guys stand. (so I don't have to patch) I plan on adding a
config option for the detail module:

logpass = yes/no

In rlm_detail have the a/v pair associated with PW_PASSWORD skipped if
logpass is set to no. Alternatively, output this line to the log:

User-Password = <censored>

Personally, I think any password attribute should not be logged, but
there might be some history/backwards compatibility I'm unaware of.  I
welcome any comments or suggestions.

Thanks,
Ryan

Alan DeKok | 4 Apr 18:14 2006

Re: detail logs User-Password

"Ryan Melendez" <rmelendez <at> wayport.net> wrote:
> I've seen a couple of emails on the list discussing the fact that
> User-Password is logged by the detail module.  I have to change this
> behavior, but hope to get the change in future releases so I wanted to
> know where you guys stand. (so I don't have to patch)

  Personally, I don't see a lot of value in it.  But if the patch is
simple & the config is easy, I have no objections to it going in.

> Personally, I think any password attribute should not be logged, but
> there might be some history/backwards compatibility I'm unaware of.

  I don't think so.  Make the default to log the password, and all
backwards compatibility will be maintained.

  Question: are there *other* attributes which should be suppressed?
If so, the configuration should take a list of attributes to censor,
rather than just "logpass=yes/no"

  Alan DeKok.
Mingyur Koblensky | 4 Apr 18:14 2006

Re: module programming

In my last post I was not very precise...
I've looked in the /doc directory (coding-methods.txt,
module_interface ...) and I'm wondering if I'm missing additional
documentation, thx
kky

Mingyur Koblensky wrote:
> Mingyur Koblensky wrote:
>   
>> Hi, I would like to develop an authentication method based on EAP...
>> I've looked around a bit but didn't find anything, is there any? Should I
>> write here my doubts?
>> thank you,
>> kky
> I was talking about documentation!! Excuse me...
> kky

Alan DeKok | 4 Apr 18:28 2006

Re: module programming

Mingyur Koblensky <Mingyur <at> inventati.org> wrote:
> Hi, I would like to develop an authentication method based on EAP...
> I've looked around a bit but didn't find anything, is there any? Should I
> write here my doubts?

  Read the existing source code.  There is no documentation.

  Alan DeKok.
Ryan Melendez | 4 Apr 19:12 2006

RE: detail logs User-Password


>   Personally, I don't see a lot of value in it.  But if the patch is
> simple & the config is easy, I have no objections to it going in.

If someone would rather send plain text over the wire rather than
storing plain text passwords, logging the password gives up the main
advantage for many in using PAP over CHAP.

>   Question: are there *other* attributes which should be suppressed?
> If so, the configuration should take a list of attributes to censor,
> rather than just "logpass=yes/no"

I don't know of any others, but suggestions are welcome.  I'm going to
go the single-line-option route unless someone chimes in.

Thanks,
Ryan
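
The censoring option discussed in this thread, sketched as an added example (not code from the thread, from rlm_detail or from the FreeRADIUS tree): it takes the list of attributes to censor that Alan DeKok suggests, and an empty list logs everything, which keeps the backwards-compatible default. `struct avp`, `is_censored`, `write_detail` and the sample request are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical attribute/value pair for this sketch; not FreeRADIUS's own type. */
struct avp { const char *name; const char *value; };

/* Return 1 if name is in the comma-separated censor list (case-insensitive). */
static int is_censored(const char *name, const char *list)
{
    size_t nlen = strlen(name);
    const char *p = list;
    while (nlen > 0 && p && *p) {
        while (*p == ' ' || *p == ',') p++;         /* skip separators */
        size_t len = strcspn(p, ",");               /* raw token length */
        size_t tok = len;
        while (tok > 0 && p[tok - 1] == ' ') tok--; /* trim trailing spaces */
        if (tok == nlen && strncasecmp(p, name, nlen) == 0) return 1;
        p += len;
    }
    return 0;
}

/* Format one detail-style record into out. Returns the number of censored
 * attributes, or -1 if out is too small (drop the record, never log part). */
int write_detail(char *out, size_t outlen, const struct avp *vps, size_t n,
                 const char *censor)
{
    size_t used = 0;
    int hidden = 0;
    for (size_t i = 0; i < n; i++) {
        int hide = is_censored(vps[i].name, censor);
        int w = snprintf(out + used, outlen - used, "\t%s = %s\n",
                         vps[i].name, hide ? "<censored>" : vps[i].value);
        if (w < 0 || (size_t)w >= outlen - used) return -1;
        used += (size_t)w; hidden += hide;
    }
    return hidden;
}

/* Constructed sample request, not taken from the thread. */
static const struct avp sample[] = {
    { "User-Name", "\"bob\"" }, { "User-Password", "\"s3cret\"" }, { "NAS-Port", "1" },
};
int main(void)
{
    char buf[256];
    if (write_detail(buf, sizeof buf, sample, 3, "User-Password") >= 0) fputs(buf, stdout);
    return 0;
}
```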

lmyho | 4 Apr 19:17 2006

Couldn't stop Freeradius server on Debian!!

Dear All,

I installed freeradius 1.1.0-1 on a debian system (2.6.15-1-686, etch) 2 days ago,
via "aptitude install".  The radius server started well automatically and at each
system boot. But when I wanted to stop it for some tests on my modified
configuration files, I had trouble stopping the server!  I tried to stop the server
using the command: 'freeradius stop' (the 'radiusd' command doesn't work on this debian
system - does anyone know why??)

But so weird, no matter what command I gave, with parameter stop|start|restart or
even just a question mark(?), the server ALWAYS goes to START again!! even though
from the /etc/init.d/freeradius I can read that the 'stop' param should stop the
server!  Can anyone tell me why the command doesn't stop the server and how I should
stop it from the command line??

The log file shows entries like this for each of my trying, even the command given
was to "stop" it:

Tue Apr  4 01:14:13 2006 : Info: Using deprecated naslist file.  Support for this
will go away soon.
Tue Apr  4 01:14:13 2006 : Error: There appears to be another RADIUS server running
on the authenticat

What is happening here?

Also, from the log file I noticed: for each automatically started freeradius
server daemon, it is "Using deprecated naslist file"! The log entries look like
this:

Fri Mar 31 13:51:54 2006 : Info: Using deprecated naslist file.  Support for this