Hello!
Why is there no option in rad_client (radtest) for choosing a specific outgoing interface, like -I eth0?
This option will save on the hosts for testing the interaction of rad_clients with a free radius server.

It seems it is currently impossible to use it over IPv6 because all IPs are stored as uint4/uint32_t

Hi,

I am using freeradius client which is working fine with service-type attributes but when I am trying to access Vendor-Specific attributes then its not working as expected. below the the reply:
Command: radiusclient -p 1812 User-name="admin" password="123456" -f /app/radius/radius_config/radiusclient.conf
Output: User-Name = 'admin'
Expected Output: Vendor-Specific= 'admin'
I attached my dictionary file. Please help me and let me know if you need more information.

Regards,
Sunil

Currently timeouts are calculated using the rc_getctime utility function which just returns the system time in seconds since epoch. Changes to the system time may result in timeouts getting very large. So it's better to use a monotonic time source for that.
I created a patch to modify the current behaviour. Feel free to include it upstream:
freeradius-client-01-monotonic-time.txt

The website in http://freeradius.org/freeradius-client/
links to release 1.1.7 as: ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.7.tar.bz2
This file doesn't exist. One can get the new release as: https://github.com/FreeRADIUS/freeradius-client/archive/release_1_1_7.tar.gz

The website also points to a wiki with outdated info at: http://wiki.freeradius.org/Radiusclient
(I was also unable to login either with github or openid at the wiki)
The best would have been to point to the github site instead (or in addition), which also has an issue tracker and does not require login to see the contents.

hi
i'm using this dictionary for PPTP Vpn Connection. my problem is that in windows 10 after successful connection, i can't browse websites that are unassailable from my ISP. in windows 10 after i run ping command it doesn't show target server IP and it seems like that it pass-through from my regular internet connection, not that one from VPN connection and it causes that connection is established but still i can't browse filtered websites.
the amazing part is it just works like a charm in android and latency is great.
my question is that is this dictionary works fine with windows 10 or should i do or use specific attribute to make it work on windows too?

#
#       Microsoft's VSA's, from RFC 2548
#
#       \$Id: poptop_ads_howto_8.htm,v 1.8 2008/10/02 08:11:48 wskwok Exp \$
#
VENDOR          Microsoft       311     Microsoft
BEGIN VENDOR    Microsoft
ATTRIBUTE       MS-CHAP-Response        1       string  Microsoft
ATTRIBUTE       MS-CHAP-Error           2       string  Microsoft
ATTRIBUTE       MS-CHAP-CPW-1           3       string  Microsoft
ATTRIBUTE       MS-CHAP-CPW-2           4       string  Microsoft
ATTRIBUTE       MS-CHAP-LM-Enc-PW       5       string  Microsoft
ATTRIBUTE       MS-CHAP-NT-Enc-PW       6       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Policy 7     string  Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE       MS-MPPE-Encryption-Type 8       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Types  8     string  Microsoft
ATTRIBUTE       MS-RAS-Vendor           9       integer Microsoft
ATTRIBUTE       MS-CHAP-Domain          10      string  Microsoft
ATTRIBUTE       MS-CHAP-Challenge       11      string  Microsoft
ATTRIBUTE       MS-CHAP-MPPE-Keys       12      string  Microsoft encrypt=1
ATTRIBUTE       MS-BAP-Usage            13      integer Microsoft
ATTRIBUTE       MS-Link-Utilization-Threshold 14 integer        Microsoft
ATTRIBUTE       MS-Link-Drop-Time-Limit 15      integer Microsoft
ATTRIBUTE       MS-MPPE-Send-Key        16      string  Microsoft
ATTRIBUTE       MS-MPPE-Recv-Key        17      string  Microsoft
ATTRIBUTE       MS-RAS-Version          18      string  Microsoft
ATTRIBUTE       MS-Old-ARAP-Password    19      string  Microsoft
ATTRIBUTE       MS-New-ARAP-Password    20      string  Microsoft
ATTRIBUTE       MS-ARAP-PW-Change-Reason 21     integer Microsoft
ATTRIBUTE       MS-Filter               22      string  Microsoft
ATTRIBUTE       MS-Acct-Auth-Type       23      integer Microsoft
ATTRIBUTE       MS-Acct-EAP-Type        24      integer Microsoft
ATTRIBUTE       MS-CHAP2-Response       25      string  Microsoft
ATTRIBUTE       MS-CHAP2-Success        26      string  Microsoft
ATTRIBUTE       MS-CHAP2-CPW            27      string  Microsoft
ATTRIBUTE       MS-Primary-DNS-Server   28      ipaddr
ATTRIBUTE       MS-Secondary-DNS-Server 29      ipaddr
ATTRIBUTE       MS-Primary-NBNS-Server  30      ipaddr Microsoft
ATTRIBUTE       MS-Secondary-NBNS-Server 31     ipaddr Microsoft
#ATTRIBUTE      MS-ARAP-Challenge       33      string  Microsoft
#
#       Integer Translations
#
#       MS-BAP-Usage Values
VALUE           MS-BAP-Usage            Not-Allowed     0
VALUE           MS-BAP-Usage            Allowed         1
VALUE           MS-BAP-Usage            Required        2
#       MS-ARAP-Password-Change-Reason Values
VALUE   MS-ARAP-PW-Change-Reason        Just-Change-Password            1
VALUE   MS-ARAP-PW-Change-Reason        Expired-Password                2
VALUE   MS-ARAP-PW-Change-Reason        Admin-Requires-Password-Change  3
VALUE   MS-ARAP-PW-Change-Reason        Password-Too-Short              4
#       MS-Acct-Auth-Type Values
VALUE           MS-Acct-Auth-Type       PAP             1
VALUE           MS-Acct-Auth-Type       CHAP            2
VALUE           MS-Acct-Auth-Type       MS-CHAP-1       3
VALUE           MS-Acct-Auth-Type       MS-CHAP-2       4
VALUE           MS-Acct-Auth-Type       EAP             5
#       MS-Acct-EAP-Type Values
VALUE           MS-Acct-EAP-Type        MD5             4
VALUE           MS-Acct-EAP-Type        OTP             5
VALUE           MS-Acct-EAP-Type        Generic-Token-Card      6
VALUE           MS-Acct-EAP-Type        TLS             13
END-VENDOR Microsoft

I am working with the freeradius-client-1.1.7 library. If the configuration file does not have authserver or acctserver defined, the test_config() function in lib/config.c will segfault due to a null pointer reference. The segfault is due to the following code segments:

if(!(rc_conf_srv(rh, "authserver")->max))

if(!(rc_conf_srv(rh, "acctserver")->max))

If these options are not defined, rc_conf_srv() will return null.

Hello,

I fix radius for pptpd by = radiusclient-0.3.2
I have problem by radius in xl2tpd by this radiusclient .
Give me this Error :

Aug 11 08:37:58 localhost xl2tpd[3141]: death_handler: Fatal signal 15 received
Aug 11 08:37:59 localhost xl2tpd[15268]: setsockopt recvref[30]: Protocol not available
Aug 11 08:37:59 localhost xl2tpd[15268]: Using l2tp kernel support.
Aug 11 08:37:59 localhost xl2tpd[15269]: xl2tpd version xl2tpd-1.3.8 started on shayan PID:15269
Aug 11 08:37:59 localhost xl2tpd[15269]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug 11 08:37:59 localhost xl2tpd[15269]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug 11 08:37:59 localhost xl2tpd[15269]: Inherited by Jeff McAdams, (C) 2002
Aug 11 08:37:59 localhost xl2tpd[15269]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Aug 11 08:37:59 localhost xl2tpd[15269]: Listening on IP address 0.0.0.0, port 1701
Aug 11 08:38:26 localhost xl2tpd[15269]: Connection established to 11.11.11.11, 12969. Local: 26402, Remote: 22 (ref=0/0). LNS session is 'default'
Aug 11 08:38:26 localhost xl2tpd[15269]: Call established with 11.11.11.11, Local: 15176, Remote: 1, Serial: 0
Aug 11 08:38:26 localhost pppd[15281]: Plugin pppol2tp.so loaded.
Aug 11 08:38:26 localhost pppd[15281]: Plugin radius.so loaded.
Aug 11 08:38:26 localhost pppd[15281]: RADIUS plugin initialized.
Aug 11 08:38:26 localhost pppd[15281]: Plugin radattr.so loaded.
Aug 11 08:38:26 localhost pppd[15281]: RADATTR plugin initialized.
Aug 11 08:38:26 localhost pppd[15281]: pppd 2.4.5 started by root, uid 0
Aug 11 08:38:26 localhost pppd[15281]: Using interface ppp0
Aug 11 08:38:26 localhost pppd[15281]: Connect: ppp0 <-->
Aug 11 08:38:27 localhost pppd[15281]: rc_avpair_new: unknown attribute 60
Aug 11 08:38:27 localhost pppd[15281]: rc_avpair_gen: received unknown attribute 85 of length 4: 0x0000003C
Aug 11 08:38:27 localhost pppd[15281]: Peer test failed CHAP authentication
Aug 11 08:38:27 localhost pppd[15281]: Connection terminated.
Aug 11 08:38:27 localhost pppd[15281]: Exit.
Aug 11 08:38:27 localhost xl2tpd[15269]: control_finish: Connection closed to 11.11.11.11, serial 0 ()
Aug 11 08:38:27 localhost xl2tpd[15269]: control_finish: Connection closed to 11.11.11.11, port 12969 (), Local: 26402, Remote: 22

Not sure where the upper limit of 8k comes from:

As far as I can see, the current maximal length of the shared secret is 256:

so issiu is like this i am using freeradius and MSSQL connection is perfect everything but i have table like this

id	UserName	Attribute	                       op	                Value
5	*****	        Framed-IP-Address 	= 	                 *******
6	*****	        Mikrotik-Address-List	= 	                 *****

my sql query is like this :

authorize_reply_query = "\
        SELECT id, UserName, Attribute, Value, op \
        FROM ${authreply_table} \
        WHERE Username = '%{SQL-User-Name}' \
        ORDER BY id

but i want it to look like this

authorize_reply_query = "\
        SELECT Value,Value2 \
        FROM ${authreply_table} \
        WHERE Username = '%{SQL-User-Name}' \
        ORDER BY id

i will add in table Value2 that will mean Mikrotik-Address-List value so i want to give this values to

%{Framed-IP-Address}=Value1
%{Mikrotik-Address-List}=Value2

But this don't work

0,User-Name,check
1,Framed-IP-Address,reply
2,Mikrotik-Address-List,reply
3,Session-Timeout,reply

this don't works for me either can you help me out?

Is there an openwrt package？

I want to integrate radius client in openwrt, and how to create radius client authentication for SSH or TELNET?

In practice, I doubt anyone uses shared secrets of more than 256 characters. However, a Google search provided some empirical information about maximal lengths for various implementations. The AWS Directory Service is documented to have an exceptional upper limit of 512.

From the AWS Directory Service Documentation:

Length Constraints: Minimum length of 8. Maximum length of 512.

I have a large patch set to create pull requests for, at:
https://github.com/nmav/freeradius-client/commits/mine
However it is impossible to make independent pull requests for each of the change sets, since you require to commit and include the auto-generated files in the pull-requests. That creates conflicts between otherwise independent changes. Please consider applying:
#18

Is there a Java version for freeradius？

In order to use freeradius-client with kamailio/opensips etc one must include dictionary.sip file to the default dictionary.

However currently the directory.sip file which is shipped with freeradius-client contains attributes with values greater than 255 (Digest-Realm, Digest-Nonce etc) which cause the library to fail to load the radiusclient.conf

The 255 limit was added with the commit of issue #72. (cc @mcpat)

What is the best way to address this? Change the attribute values to less than 255? What is the point of the limit?

That's 2015 and IPv6 support is no luxury but a requirement for a library.

As I've previously mentioned, I have a patch set for it which depends on my existing 3 pull requests being merged. If you have no resources for them I volunteer to get that into freeradius-client, towards a 1.2.0 release.

random() is used internally when generating IDs by rc_get_id().
When using rc_read_config(), srandom() gets called, but if you need to set up the configuration in some other way and use rc_config_init() instead, srandom() is not called, which results in the same random sequence each time. (And for a client program that's restarted for each call, the same ID every time.)

So rc_config_init(), and/or possibly some other function(s) should call srandom() as well.

It's easy enough to work around by letting the client program call srandom(), but the caller should preferably not need to know which random generator is used internally.

If bad PW_TYPE_DATE data is received, a call to gmtime() will result in a NULL pointer. This is then passed to strftime() which then causes a crash.

I have submitted a pull request which guards against this.

Program received signal SIGSEGV, Segmentation fault.
__strftime_internal (s=s@entry=0x7ffeefb01610 "", maxsize=maxsize@entry=256, format=format@entry=0xa831bf "%m/%d/%y %H:%M:%S", tp=0x0, tzset_called=tzset_called@entry=0x7ffeefb01510,
loc=0x7f1d33b01060 <_nl_global_locale>) at strftime_l.c:565
565 strftime_l.c: No such file or directory.
(gdb) where
#0 __strftime_internal (s=s@entry=0x7ffeefb01610 "", maxsize=maxsize@entry=256, format=format@entry=0xa831bf "%m/%d/%y %H:%M:%S", tp=0x0,
tzset_called=tzset_called@entry=0x7ffeefb01510, loc=0x7f1d33b01060 <_nl_global_locale>) at strftime_l.c:565
#1 0x00007f1d337fbe83 in __GI___strftime_l (s=s@entry=0x7ffeefb01610 "", maxsize=maxsize@entry=256, format=format@entry=0xa831bf "%m/%d/%y %H:%M:%S", tp=,
loc=) at strftime_l.c:485
#2 0x00007f1d337fa040 in __GI_strftime (s=s@entry=0x7ffeefb01610 "", maxsize=maxsize@entry=256, format=format@entry=0xa831bf "%m/%d/%y %H:%M:%S", tp=) at strftime.c:25
#3 0x0000000000a0b72f in rc_avpair_tostr (rh=rh@entry=0x2df6750, pair=pair@entry=0x2e05680, name=name@entry=0x7ffeefb015e0 "Event-Timestamp", ln=ln@entry=33,
value=value@entry=0x7ffeefb01610 "", lv=lv@entry=256) at avpair.c:807
#4 0x0000000000a0b919 in rc_avpair_log (rh=0x2df6750, pair=,
buf=0x7ffeefb01800 "User-Name", ' ' <repeats 24 times>, "= 'AH-149-44/xt-0756'\nPassword", ' ' <repeats 25 times>, "= '5245'\nNAS-Port-Id", ' ' <repeats 22 times>, "= '2'\nAcct-Session-Id", ' ' <repeats 18 times>, "= '78a1a83e-a0a6-4c9d-b25b-f283"..., buf_len=32768) at avpair.c:838

According to RFC 2865 the attribute type is one octet and the vendor ID is three octets. To combine that together into one 32-bit integer the following may be done:
combined = (vendor_id << 8) | attribute_type

In the code instead, the vendor_id is shifted 16 bits thus dropping one byte which may lead to collisions.

So I propose to change the calculation above as well as to switch to an integer type with at least 32-bits. Also the default dictionary should be stripped of all server-internal attribute specifications, because clients won't see them anyway.

We have a use case where a password is combined with a string from a hardware token. The latter is a 44 byte string. It turns out that the password string is truncated at 48 characters in the freeradius-client library.

The problem seems to be this... In freeradius-client.h :
#define AUTH_PASS_LEN (3 * 16) /* multiple of 16 */
in combination with this in sendserver.c :

static int rc_pack_list (VALUE_PAIR *vp, char *secret, AUTH_HDR *auth)
{
  unsigned char passbuf[MAX(AUTH_PASS_LEN, CHAP_VALUE_LENGTH)];
  ...
  /* Chop off password at AUTH_PASS_LEN */
  length = vp->lvalue;
  if (length > AUTH_PASS_LEN)
    length = AUTH_PASS_LEN;
  ...
  /* Pad the password with zeros */
  memset ((char *) passbuf, '\0', AUTH_PASS_LEN);
  memcpy ((char *) passbuf, vp->strvalue, (size_t) length);
  ...
}

Is there some technical reason for limiting it to (3*16)? Otherwise the max length is really 254 bytes (or 240, if it has to be a multiple of 16).

Hi, I use the check_radius plugin from nagios-plugins that uses freeradius-client for running its RADIUS checks. I was looking in to updating the plugin to support IPv6 and noticed that, while freeradius-client has patches for IPv6 support, they aren't in any released version. Are there plans to make a new release?

Can you give me a example for OTP two factor authentication,
radexample is not enough for me.

Is there a plan to add encryption of CHAP-password in rc_pack_list() defined lib/senserver.c?

I could have done it outside before adding VP attribute, but in some cases standard requires us to use authorization-vector which is initialized @ line 333 in rc_send_server() in lib.sendserver.c.

Currently the radiusclient executable simply returns 1 on error. Would recommend the following change

-return (i == OK_RC) ? 0 : 1;
+return (i == OK_RC) ? 0 : i + X;

Where X is some sufficiently great enough positive integer whose absolute value exceeds the maximum negative error value.

The issue was introduced in version 1.1.8. The rc_getaddrinfo function (at /lib/ip_util.c) calls getaddrinfo(). This function returns an error when the "radius" (or "radius-acct") service is not defined in the /etc/services file. The library should take this case into account and use the default value.

As a workaround, I've used this code in rc_getaddrinfo:

     char defport[10];

...
if (flags & PW_AI_AUTH)
{
	service = "radius";
	snprintf(defport,  sizeof(defport), "%d", PW_AUTH_UDP_PORT);		
}
else if (flags & PW_AI_ACCT)
{
	service = "radius-acct";
	snprintf(defport, sizeof(defport), "%d", PW_ACCT_UDP_PORT);		
}
err = getaddrinfo(host, service, &hints, &res);
if (err != 0) {
	/* Execute again using the default (old) radius port number */
	hints.ai_flags |= AI_NUMERICSERV; 
	err = getaddrinfo(host, defport, &hints, &res);
	if (err != 0) {
		return NULL;
	} 		
}

Currently, the code will discard all value pairs and stop processing further if an unknown attribute or unknown vendor attribute is found. Here, "unknown" refers to its absence in the dictionary (as far as I understand the code).

In our case this behaviour is inacceptible, because it would tie our client too close to the server (configurations). A better way would be

1. either to ignore the attribute and proceed
2. or to attach the attribute to the list, storing the value to strvalue, length to lvalue and leaving the name empty.

The value comparison for dictionary attributes are done against UINT8_MAX, the variable that holds the values (value) is int32_t and the field in the dict_attr struct are uint32_t. The affected function is rc_read_dictionary in lib/dict.c.

There are a multiple of issues with this, first of since value can hold negative values the comparison is somehwat wrong. second if the dict_attr struct holds uint32_t it makes no sense to have an upper bound of uint8_max (unless I'm missing something).

I wouldn't mind doing a pull request for this, but since I don't know which of these types and values are proper I don't know what to change.

The COPYRIGHT file includes a 4-clause BSD license of NetBSD, and that makes the library GPL-incompatible. However the NetBSD project has switched licenses to the 3-clause BSD:
http://www.netbsd.org/about/redistribution.html

Shouldn't the information on COPYRIGHT be updated as well? As far as I understand the NetBSD code is in lib/util.c. That would make the library GPL-compatible.

Found as part of this effort:
https://fedoraproject.org/wiki/Toolchain/PortingToModernC

See below for details.

diff --git a/configure.in b/configure.in
index 435e8ca..d1a4090 100644
--- a/configure.in
+++ b/configure.in
@@ -212,7 +212,7 @@ then
AC_TRY_RUN([
#include <sys/utsname.h>

• main(int argc, char **argv)

• int main(int argc, char **argv)
  {
  struct utsname uts;
  uts.domainname[0] = '\0';

Hello,
I saw that freeRadius support EAP MD5/SIM/TLS, etc.
However, I haven't found the EAP_AKA, does freeRadius it?
Please help to check it, thank a lot.

We use the freeradius-client for very simple authentication in one of our Daemon processes. We have noted that there is a small memory leak when authentication requests are sent but time out. There does not appear ti=o be an issue when the requests are responded to.
Is this a know issue?
Is there a patch?
Is there a release later than 1.1.7 we could try?

Hi,
Is there any way to use this freeradius-client with Linux PAM and TLS connection?
I saw that TLS is not supported in pam_radius_auth, so I'm asking in this repository because I saw that freeradius-client does support TLS.

Thanks,
Omri.

Hello all;
i wonder can we change radius_timeout parameter to miliseconds from seconds. when i look at the codes , just needs added milisecond function to utils.c and then some changes to sendserver.c
What do you think about this changes.

Now my company want use this client in windows, but find out this library only support linux(unix)

1. Does this library has plan to support windows ?
2. Are there radius client library already support windows ?

On HP-UX/ia64:

# uname -a
HP-UX hp113-01 B.11.31 U ia64 1093729534 unlimited-user license

this happens in rc_send_server:

Program terminated with signal 10, Bus error.
BUS_ADRALN - Invalid address alignment. Please refer to the following link that helps in handling unaligned data: http://docs.hp.com/en/7730/newhelp0610/pragmas.htm#pragma-pack-ex3
#0  0x4023750:1 in rc_send_server (rh=0x200000004001eb30, 
    data=0x200000007fffd7c0, msg=0x200000007fffd83c "") at sendserver.c:339
339                     auth->length = htons ((unsigned short) total_length);
(gdb) p &retries
$1 = (int *) 0x200000007fff96d4
(gdb) p &send_buffer[0]
$2 = 0x200000007fffb76d "\001\275"
(gdb) p &recv_buffer[0]
$3 = 0x200000007fff976d ""
(gdb) p &vector[0]
$4 = (
    unsigned char *) 0x200000007fff975d "8\016\354\306\245\347\357\330\025\332\343\327\224R!\235"
(gdb) p &secret[0]
$5 = 0x200000007fff972c "testing123"
(gdb) p &secretlen 
$6 = (long unsigned int *) 0x200000007fff96d8
(gdb) p auth
$7 = (struct pw_auth_hdr *) 0x200000007fffb76d
(gdb) 

Note the odd address for auth and send_buffer (and recv_buffer).

A fix has been attached; instead of cast:ing between a misaligned char buffer and a struct, use a union to ensure proper alignment.

... ok, so not attached after all. I get "Something went really wrong, and we can't process that file." no matter in which form I try to upload the patch. Patch can be emailed on request.

Would you consider tagging a 1.1.7 release?

I would then use that to make up a fresh version of the Debian and Ubuntu packages

If I understand RFC2865 correctly, the User-Password attribute should allow up to 128 octets. (Section "5.2 User-Password").
This was only 48 bytes in freeradiusclient 1.1.7, and in 1.1.8 it was increased, but only to 112 bytes (AUTH_PASS_LEN). The secret (MAX_SECRET_LENGTH) is still only 48 bytes however.

The shared secret is somewhat vaguely specified in the RFC, but in section "3 Packet Format" it's mentioned under "Authenticator" , "Request Authenticator":

The NAS and RADIUS server share a secret. /.../ See the entry for User-Password in the section on Attributes for a more detailed description.

My interpretation is that the shared secret is treated the same way as User-Password and thus should have the same limit, 128 octets.

(The Azure server supports longer secrets at least, which is a customer ran into this issue.)

Running an application with valgrind it found two getaddrinfo (missing call to freeaddrinfo) memory leaks:

• in rc_own_bind_addr (seems trivial to fix)

• in rc_find_server_addr (complex code, IMHO there are some ways to return from it without freeing the getaddrinfo result)

If no authentication is set up but only accounting is set up, client doesn't work. But it common case when only accounting or authorization is used. Why does current implementation deny that?

The freeradius-client does not handle Access-Challenge response from a server, internally setting the status to BADRESP_RC.

I have a patch available, but need to clear it with my management before posting.