aland [Mon, 15 Mar 2004 19:10:47 +0000 (19:10 +0000)]
Moved EAP section to its own configuration file, as it was
getting large
cparker [Mon, 15 Mar 2004 01:27:11 +0000 (01:27 +0000)]
Added two realm module configure options. Ignore_default and
ignore_null. Boolean values that can be set to yes to cause the
specific module instance to not return a match on DEFAULT or NULL
realms respectively. This allows multiple realm modules to coexist
with DEFAULT and NULL entries in 'raddb/proxy.conf' much more nicely.
Updated man page, and radiusd.conf with examples.
cparker [Sun, 14 Mar 2004 01:25:10 +0000 (01:25 +0000)]
More man pages for commonly used modules.
aland [Fri, 12 Mar 2004 21:33:37 +0000 (21:33 +0000)]
A little better way of dealing with DICT_VALUEs that are defined
out of order
aland [Fri, 12 Mar 2004 19:06:56 +0000 (19:06 +0000)]
Get rid of "long" types. They're not needed.
aland [Fri, 12 Mar 2004 18:23:14 +0000 (18:23 +0000)]
Don't bother fixing these things up incorrectly
aland [Fri, 12 Mar 2004 16:35:48 +0000 (16:35 +0000)]
Look for post-proxy for tunneled session, and do it, if configured
aland [Fri, 12 Mar 2004 16:31:22 +0000 (16:31 +0000)]
Added instance, so that we can control with_ntdomain_hack,
for proxying EAP-MS-CHAP-V2 as MSCHAP-V2.
The wonderful Windows clients send User-Name = "DOMAIN\\user",
but calculate the MS-CHAP response based on "user", so they lie
to us. WTF were those people thinking?
aland [Fri, 12 Mar 2004 16:19:50 +0000 (16:19 +0000)]
After we've called MS-CHAP for authentication, delete the MPPE
keys from the response.
Handle proxying of EAP-MS-CHAP-V2 as MS-CHAP-V2
aland [Fri, 12 Mar 2004 16:14:53 +0000 (16:14 +0000)]
If the tunneled EAP session returned early because the server
is acting as a protocol translator for proxying (EAP-FOO to FOO),
then remember what's going on for later.
aland [Fri, 12 Mar 2004 16:12:53 +0000 (16:12 +0000)]
Minor formatting
aland [Fri, 12 Mar 2004 16:12:35 +0000 (16:12 +0000)]
A little prettier printing for -Xx
aland [Wed, 10 Mar 2004 20:29:20 +0000 (20:29 +0000)]
Padding is "NOT unaligned data", not "aligned data"
kkalev [Wed, 10 Mar 2004 14:29:32 +0000 (14:29 +0000)]
Add a force directive in log_badlogins. If uncommented, it will force inserts even if there are
SQL errors. That can help in case there is one SQL query which stops the whole failed-logins
logging system from working.
aland [Tue, 9 Mar 2004 16:01:13 +0000 (16:01 +0000)]
Added attributes as posted to the list today
aland [Mon, 8 Mar 2004 22:04:36 +0000 (22:04 +0000)]
Export rad_postauth()
aland [Mon, 8 Mar 2004 21:51:30 +0000 (21:51 +0000)]
Added submodule tunnel callback
aland [Mon, 8 Mar 2004 21:51:03 +0000 (21:51 +0000)]
Expose rad_postauth
aland [Mon, 8 Mar 2004 21:47:57 +0000 (21:47 +0000)]
-X means debug_flag +=2.
This lets "-xX" set it to 3, rather than 2
aland [Mon, 8 Mar 2004 21:47:06 +0000 (21:47 +0000)]
Added 'const', for paranoia
aland [Mon, 8 Mar 2004 21:45:12 +0000 (21:45 +0000)]
More updates
aland [Mon, 8 Mar 2004 19:11:08 +0000 (19:11 +0000)]
If this VP isn't a LEAP thing, go to the next one.
This prevents an infinite loop.
aland [Fri, 5 Mar 2004 20:45:26 +0000 (20:45 +0000)]
Catch people who type 1 character hex strings
aland [Fri, 5 Mar 2004 17:51:17 +0000 (17:51 +0000)]
eapttls_process() was sometimes returning PW_FOO, and sometimes
returning RLM_MODULE_FOO. That's bad.
The code has now been fixed to be consistent.
aland [Fri, 5 Mar 2004 17:33:31 +0000 (17:33 +0000)]
If we've found openssl/ssl.h, then set -I$OPENSSL_INCLUDE
Patch from Rok Papez
aland [Thu, 4 Mar 2004 16:19:25 +0000 (16:19 +0000)]
Added docs for cisco_accounting_username_bug
aland [Thu, 4 Mar 2004 16:06:40 +0000 (16:06 +0000)]
Nope... Panther doesn't like this, either.
aland [Wed, 3 Mar 2004 19:52:36 +0000 (19:52 +0000)]
Explicitly link to -lradius, to get functions defined there, for
platforms like Mac OS X, which can't figure out that since radiusd
is linked to -lradius, and radiusd is also linked to rlm_mschap,
then it shouldn't be rocket science to have rlm_mschap use
the symbols from -lradius.
Instead, it forces you to link rlm_mschap against -lradius. Weird.
aland [Wed, 3 Mar 2004 19:50:50 +0000 (19:50 +0000)]
The encryption of the MPPE keys is done by tunnel_pwencode,
so we don't do it here, and we don't need to pass "secret" or
"request" to the gen keys function
aland [Wed, 3 Mar 2004 16:58:40 +0000 (16:58 +0000)]
added gtc{} to eap{}
aland [Wed, 3 Mar 2004 15:56:57 +0000 (15:56 +0000)]
Added another debug message about which section it's processing
mgriego [Tue, 2 Mar 2004 23:57:40 +0000 (23:57 +0000)]
Added cisco_accouting_username_bug to the rlm_eap_t.
mgriego [Tue, 2 Mar 2004 23:48:01 +0000 (23:48 +0000)]
Must have a semicolon at the end of the line.
mgriego [Tue, 2 Mar 2004 23:43:19 +0000 (23:43 +0000)]
Make 'radiusd -s' not daemonize like the man page says it won't.
aland [Tue, 2 Mar 2004 22:33:55 +0000 (22:33 +0000)]
Print out a warning message for groups which are empty.
aland [Tue, 2 Mar 2004 18:57:34 +0000 (18:57 +0000)]
Re-arrange send_one_packet, based on comments from Nicolas Baradakis
aland [Tue, 2 Mar 2004 18:52:53 +0000 (18:52 +0000)]
Got rid of radsend_walk function, and moved the code to the
main-line
aland [Tue, 2 Mar 2004 18:52:24 +0000 (18:52 +0000)]
Be less annoying about messages.
If a block is empty, and we didn't pick a particular type to call,
then don't complain.
aland [Tue, 2 Mar 2004 18:37:16 +0000 (18:37 +0000)]
Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given a
User-Name attribute in an Access-Accept, it copies one more byte
than it should.
So we work around it by configurably adding an extra zero byte.
Based on a patch from rok.papez
aland [Tue, 2 Mar 2004 18:20:11 +0000 (18:20 +0000)]
When proxying synchronously, if retry_delay * retry_count
is exceeded, then mark the realm dead, even if we didn't send
that many retries.
Patch from Chris Brotsos
aland [Tue, 2 Mar 2004 17:19:44 +0000 (17:19 +0000)]
Clean up the code a little more.
Print out more error messages.
In diameter2vp, check for data_len == length BEFORE padding length,
just like in diameter_verify. This will fix problems with broken
clients which don't pad.
kkalev [Tue, 2 Mar 2004 13:27:35 +0000 (13:27 +0000)]
In log_badlogins, add a newline after every SQL query so that the resulting file can be edited.
kkalev [Sun, 29 Feb 2004 13:55:08 +0000 (13:55 +0000)]
If we are passed an empty password, log a module failure message, not an error message.
kkalev [Sun, 29 Feb 2004 13:52:50 +0000 (13:52 +0000)]
Also be able to use Crypt-Password attribute.
If we are passed an empty password, create a module failure message and fail,
not just log an error message.
kkalev [Sun, 29 Feb 2004 13:35:16 +0000 (13:35 +0000)]
Also update radiusd.conf
kkalev [Sun, 29 Feb 2004 13:33:17 +0000 (13:33 +0000)]
Add a timestamp and a timeout attribute in ippool_info. When we assign an IP, we set timestamp
to request->timestamp and timeout to %{Session-Timeout:-0}. When we search for a free entry,
we check if the timeout has expired. If it has, then we free the entry. We also add a maximum
timeout configuration directive. If it is non-zero, then we also use that one to free entries.
kkalev [Sun, 29 Feb 2004 13:06:57 +0000 (13:06 +0000)]
Replace user with username in postauth table. Patch by Guy Fraser
kkalev [Sun, 29 Feb 2004 12:16:17 +0000 (12:16 +0000)]
* Add a patch from Neil McCalden to not put spaces in the -p argument to the mysql binary.
* Fix a bug in conf/config.php3. Patch from Neil McCalden
aland [Fri, 27 Feb 2004 19:03:56 +0000 (19:03 +0000)]
Clean up the "done request" logic.
aland [Fri, 27 Feb 2004 16:41:07 +0000 (16:41 +0000)]
If no -f is specified, we're reading from stdin.
Bug noted by Nicolas Baradakis
aland [Fri, 27 Feb 2004 16:37:42 +0000 (16:37 +0000)]
Print out an error for people who specify an Auth-Type which
doesn't exist.
aland [Thu, 26 Feb 2004 20:57:08 +0000 (20:57 +0000)]
Now that EAP-GTC works with Meetinghouse, include it
aland [Thu, 26 Feb 2004 19:04:19 +0000 (19:04 +0000)]
perl -i -npe "s/[ \t]+$//g" `find src -name "*.[ch]" -print`
Whitespace changes only, from a fresh checkout.
For bug # 13
aland [Thu, 26 Feb 2004 18:40:03 +0000 (18:40 +0000)]
Better deal with netmasks of 0.
Bug found & patch by Chris Brotsos
aland [Thu, 26 Feb 2004 18:22:14 +0000 (18:22 +0000)]
Fix a HUGE bug in ltdl, which would give the wrong f*cking
error message when it couldn't link to a library.
The bug is fixed in newer versions of libltdl, but we haven't
upgraded because of other issues.
Bug found by Paul Stewart, and verified to be fixed in newer
versions of the software.
aland [Thu, 26 Feb 2004 16:16:32 +0000 (16:16 +0000)]
Added LOCAL realm to the standard configuration
aland [Thu, 26 Feb 2004 16:02:12 +0000 (16:02 +0000)]
Add EAP-Type to the request packet pairs, even if the request
was configured to be proxied. This lets the local server cancel
the proxying, based on EAP-Type.
aland [Wed, 25 Feb 2004 20:50:30 +0000 (20:50 +0000)]
Multiple packets from a file are sent in series. Once all
the retries (or multiple copies) of packet 1 have been sent, then
packet 2 is tried.
Packets from multiple files are sent in parallel.
aland [Wed, 25 Feb 2004 20:09:46 +0000 (20:09 +0000)]
Read multiple packets from one file.
aland [Wed, 25 Feb 2004 20:07:09 +0000 (20:07 +0000)]
Restore old functionality: reading multiple packets from a file.
Patch from Nicolas Baradakis
aland [Wed, 25 Feb 2004 18:58:53 +0000 (18:58 +0000)]
Move the packets to send into a list, rather than a tree.
The list of sent packets are still in a tree, though.
This allows a file to contain multiple packets
aland [Wed, 25 Feb 2004 18:39:56 +0000 (18:39 +0000)]
NIL != NULL
aland [Wed, 25 Feb 2004 15:13:27 +0000 (15:13 +0000)]
Fix a boundary condition. When the pair to replace is the last
one, the loop exits early, as it stops when "i->next == NULL",
not when "i == NULL".
The loop now continues until "i == NULL", and uses the "prev"
pointer to know where and how to link the attribute into the list.
Bug found by geoffroy.arnoud
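The boundary condition described in this commit, as an added C illustration (constructed here, not code from the FreeRADIUS tree): the walk ends at "i == NULL" rather than "i->next == NULL", so the last pair is still examined, and a "prev" pointer decides whether the replacement is relinked at the head, in the middle, at the tail, or appended when no match exists. pair_t, pair_new, pair_value and demo_pair_replace are hypothetical names.

```c
#include <stdlib.h>
/* Constructed stand-in for a FreeRADIUS value pair: one attribute, one value. */
typedef struct pair { int attribute; int value; struct pair *next; } pair_t;
pair_t *pair_new(int attribute, int value) {
    pair_t *p = calloc(1, sizeof(*p));
    if (p) { p->attribute = attribute; p->value = value; }
    return p;
}

/* Replace the first pair carrying replace->attribute, or append if absent.
 * The loop runs until i == NULL rather than i->next == NULL, so the last
 * pair is still examined; prev records where to relink the replacement. */
void pair_replace(pair_t **first, pair_t *replace) {
    pair_t *prev = NULL, *i;
    for (i = *first; i != NULL; prev = i, i = i->next) {
        if (i->attribute != replace->attribute) continue;
        replace->next = i->next;          /* inherit i's successor */
        if (prev) prev->next = replace;   /* middle or tail of the list */
        else *first = replace;            /* head of the list */
        free(i);
        return;
    }
    replace->next = NULL;                 /* not found: append at the tail */
    if (prev) prev->next = replace;
    else *first = replace;
}

/* Value of the first pair with this attribute, or -1 if none. */
int pair_value(const pair_t *p, int attribute) {
    for (; p; p = p->next) if (p->attribute == attribute) return p->value;
    return -1;
}

void pair_free(pair_t **f) { while (*f) { pair_t *n = (*f)->next; free(*f); *f = n; } }

/* Build [1,2,3]; replace the tail (the case the fix covers), then the head,
 * then append attribute 4. Returns 1 if the list ends as expected. */
int demo_pair_replace(void) {
    pair_t *list = pair_new(1, 10);
    list->next = pair_new(2, 20);
    list->next->next = pair_new(3, 30);
    pair_replace(&list, pair_new(3, 33));
    pair_replace(&list, pair_new(1, 11));
    pair_replace(&list, pair_new(4, 44));
    int ok = list->next->next->next->next == NULL &&   /* exactly 4 pairs */
             pair_value(list, 1) == 11 && pair_value(list, 2) == 20 &&
             pair_value(list, 3) == 33 && pair_value(list, 4) == 44;
    pair_free(&list);
    return ok;
}
```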
aland [Tue, 24 Feb 2004 21:10:06 +0000 (21:10 +0000)]
When using the tunneled reply, don't include Proxy-State
aland [Tue, 24 Feb 2004 20:41:09 +0000 (20:41 +0000)]
Some fairly serious changes to radclient. It still doesn't read
multiple packets from one file, but that will be fixed later.
It now accepts multiple '-f' options on the command line.
It now keeps an RB tree of outstanding packets it's sent, and
another for responses.
It walks through the packets to send, and sends them, doing
retries, and repeats of the same packet.
Asynchronously (but not in another thread), it looks for responses
to any packet, and processes those.
This allows multiple requests to be outstanding, and allows
responses to be processed out of order.
aland [Tue, 24 Feb 2004 19:33:51 +0000 (19:33 +0000)]
If users set Proxy-To-Realm, and the realm is LOCAL, then
don't try to proxy it. Instead, print warning messages telling
them what they've done wrong.
aland [Tue, 24 Feb 2004 17:59:13 +0000 (17:59 +0000)]
Added server-side attribute Packet-Dst-Port, to set the destination
port of the packet.
aland [Tue, 24 Feb 2004 17:40:17 +0000 (17:40 +0000)]
More calls to free
aland [Tue, 24 Feb 2004 17:02:53 +0000 (17:02 +0000)]
Updated debug messages
aland [Tue, 24 Feb 2004 15:56:13 +0000 (15:56 +0000)]
Pull changelog from 0.9.3, for historical archiving
aland [Tue, 24 Feb 2004 15:07:50 +0000 (15:07 +0000)]
Use the trapeze networks dictionary, too
aland [Tue, 24 Feb 2004 15:06:30 +0000 (15:06 +0000)]
With the updated "hints" file handling, we shouldn't get
excited about Strip-User-Name, either
Hmm... these things should probably be handled by attributes
in the dictionary files.
phampson [Tue, 24 Feb 2004 13:01:23 +0000 (13:01 +0000)]
Debian: Correct build-dependency on debhelper.
Debian: Include overlooked iodbc postinst script.
aland [Mon, 23 Feb 2004 21:44:35 +0000 (21:44 +0000)]
Updates from Trapeze Networks
aland [Mon, 23 Feb 2004 21:10:35 +0000 (21:10 +0000)]
Move code from main() to function send_request()
Patch from Nicolas Baradakis
aland [Mon, 23 Feb 2004 21:05:39 +0000 (21:05 +0000)]
Continue processing requests, even if the server doesn't respond
to one.
Patch from Nicolas Baradakis
aland [Mon, 23 Feb 2004 20:54:12 +0000 (20:54 +0000)]
Re-iterate the fact that they are Trapeze-specific VSAs
aland [Mon, 23 Feb 2004 20:53:28 +0000 (20:53 +0000)]
As posted to the list by Guy Davies
aland [Mon, 23 Feb 2004 18:52:56 +0000 (18:52 +0000)]
After finding a request in the proxy tree, remove it from the
tree. This will cause complaints if we get duplicate replies,
but it means that we can re-use the ID sooner.
aland [Mon, 23 Feb 2004 18:52:13 +0000 (18:52 +0000)]
Added node2data function.
Call cleanup handler in the appropriate place in rbtree_delete
aland [Mon, 23 Feb 2004 16:53:40 +0000 (16:53 +0000)]
If the host isn't found, die.
aland [Mon, 23 Feb 2004 16:29:44 +0000 (16:29 +0000)]
If nothing is in the buffer, deal with it.
Patch from Martin Seine
aland [Mon, 23 Feb 2004 16:27:02 +0000 (16:27 +0000)]
It's string, not integer.
Patch from Martin Seine
hartwick [Sun, 22 Feb 2004 06:30:19 +0000 (06:30 +0000)]
* Fix a couple of typos
aland [Fri, 20 Feb 2004 19:56:14 +0000 (19:56 +0000)]
Set Message-Authenticator to a known value.
Delete FreeRADIUS-Proxied-To attribute when proxying tunneled
sessions, as it tells others what's up.
aland [Fri, 20 Feb 2004 19:54:18 +0000 (19:54 +0000)]
Add "proxy_tunneled_request_as_eap" configuration entry, which tells
(for now) the rlm_eap_mschap module to decode EAP-MSCHAP-V2 into
plain MS-CHAPv2, so that it may be proxied to systems which don't
understand EAP-MSCHAP-V2
aland [Fri, 20 Feb 2004 19:51:45 +0000 (19:51 +0000)]
Clear RAD_REQUEST_OPTION_PROXY_EAP if we're not done initializing
the EAP session.
When we are done, use that option to decide when to proxy the
tunneled request.
aland [Fri, 20 Feb 2004 19:49:40 +0000 (19:49 +0000)]
Define RAD_REQUEST_OPTION_PROXY_EAP, and don't get excited
if we have an EAP response without Success/Fail when that
option is set, as the request will be proxied.
cparker [Fri, 20 Feb 2004 17:36:22 +0000 (17:36 +0000)]
Added comment to explain that failover is not possible when
synchronous is set to yes.
aland [Thu, 19 Feb 2004 21:40:58 +0000 (21:40 +0000)]
Added rl_add_proxy() to request_list.c, and made radiusd.c use it.
If WITH_RBTREE isn't defined in request_list.c, it does nothing.
If it is defined, then we use a new (and mutex-protected) tree
to keep track of proxied packets, and to find responses to those
packets. This should be HUGELY faster than the previous method.
Hmm... we don't check for packet codes in proxy replies. This
is probably a bad idea.
aland [Thu, 19 Feb 2004 21:35:35 +0000 (21:35 +0000)]
Added "number of elements" function, mainly for debugging.
aland [Thu, 19 Feb 2004 20:03:41 +0000 (20:03 +0000)]
Added commented-out Red-black tree lookups for the request list
handling. It still needs the linked list for incremental walking
& cleanup, but the tree is used for finding requests, which is MUCH
faster.
i.e. We have two ways of storing requests:
a) linked list: O(1) insert and deletion, O(N) searching
We REQUIRE this for incremental walking & cleanup.
b) red-black tree: O(log(N)) insert, deletion, and searching.
Doing both isn't much of a problem.
aland [Thu, 19 Feb 2004 18:37:11 +0000 (18:37 +0000)]
Updates before 1.0
aland [Thu, 19 Feb 2004 17:33:25 +0000 (17:33 +0000)]
include propel dictionary
aland [Thu, 19 Feb 2004 17:31:14 +0000 (17:31 +0000)]
Found on the net
aland [Thu, 19 Feb 2004 17:23:36 +0000 (17:23 +0000)]
Whitespace changes
aland [Thu, 19 Feb 2004 17:23:17 +0000 (17:23 +0000)]
in DICT_VENDOR, name is "name", not "vendorname"
dict_vendorname is a bad name. Use dict_vendorbyname for compatibility
with other dictionary functions.
Add dict_vendorbyvalue
When printing names for unknown attributes, use vendor name, if
it exists. Cisco-Attr-1 is easier to read than Vendor-9-Attr-1
aland [Thu, 19 Feb 2004 17:12:31 +0000 (17:12 +0000)]
When creating attributes, parse things like Cisco-Attr-15,
which is a little easier to read than Vendor-9-Attr-15
aland [Thu, 19 Feb 2004 16:23:41 +0000 (16:23 +0000)]
after malloc'ing "inst", return it in initiate.
Set EAP_SUCCESS or EAP_FAILURE in authenticate.
Use data.length, not eap.length - 4 (which should have been 5)
New configuration option "auth_type", to determine what to do
with the response. For now, we assume it's a clear-text password,
and create a User-Password attribute. This lets PAP work...
We may want to look for a *second* Auth-Type in the request,
and use that. This means we'll need Auth-Type = EAP, to do the
EAP portion, and Auth-Type = Foo, for the decoded stuff.
But EAP-Generic-Token-Card now works with PEAP, and the Aegis client.
aland [Wed, 18 Feb 2004 17:23:14 +0000 (17:23 +0000)]
argc++ should have been argc--
Bug found by Chris Chapman