There are no DB handles to use! skipped 0, tried to connect 0

2003-12-15 Thread Ripunjay Bararia
hi,
My configuration
RedHat 9.0 Latest up2date
FR 0.9.3 non CVS, ./configure --with-experimental-modules / make / make install
MySQL Ver 12.20 Distrib 4.0.13, for pc-linux (i686)

--- radius.log begin ---
Mon Dec 15 12:30:23 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Dec 15 12:30:38 2003 : Auth: Login OK: [ashok/CHAP-Password] (from client XXX port 6649 cli 00:07:95:50:8C:52)
Mon Dec 15 12:30:39 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Dec 15 12:31:21 2003 : Auth: Login OK: [nariman/CHAP-Password] (from client XXX port 6650 cli 00:E0:4C:77:43:22)
Mon Dec 15 12:31:35 2003 : Auth: Login OK: [chheda/CHAP-Password] (from client YYY port 80 cli 00:00:E8:87:05:01)
Mon Dec 15 12:32:48 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Dec 15 12:33:39 2003 : Auth: Login OK: [imasol123/CHAP-Password] (from client XXX port 6651 cli 00:E0:4A:39:00:1F)
Mon Dec 15 12:33:43 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Dec 15 12:35:20 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Dec 15 12:35:20 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Dec 15 12:35:23 2003 : Auth: Login OK: [magice/CHAP-Password] (from client XXX port 6652 cli 00:0A:CD:03:CC:0E)
Mon Dec 15 12:35:29 2003 : Auth: Login OK: [global/CHAP-Password] (from client ZZZ port 794 cli 00:00:1C:81:DA:B5)
Mon Dec 15 12:35:29 2003 : Auth: Login OK: [sudeep/CHAP-Password] (from client YYY port 81 cli 00:08:A1:3E:A3:13)

--- radius.log end ---

At the client end the auth fails sometimes and a retry gets them connected.


-- pstree output for mysql ---

|-mysqld_safe---mysqld---mysqld---24*[mysqld]

--- pstree output for mysql ---

# Example mysql config file for medium systems.
my.cnf = my-medium.cnf

cannot figure out why this is happening, about 100 users getting auth on
this server per minute
from four diff NAS servers with accounting enabled

thanks
Ripunjay Bararia


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_perl Client-IP-Address

2003-12-15 Thread Boian Jordanov
On Mon, Dec 15, 2003 at 09:12:59AM +0800, Bruce Cook wrote:
 Hmm, don't see it in the current version I'm running, I'll suck the latest CVS and have a look at that.
 
 Mon Dec  1 23:20:53 2003 : Info: rlm_perl: ?/RAD_REQUEST:
 Mon Dec  1 23:20:53 2003 : Info: rlm_perl: ?  Calling-Station-Id = wpp212100900202
 Mon Dec  1 23:20:53 2003 : Info: rlm_perl: ?  NAS-Port = 1627979978
 Mon Dec  1 23:20:53 2003 : Info: rlm_perl: ?  CHAP-Password = 0x5293ce878311839de112b3bc95946d7566
 Mon Dec  1 23:20:53 2003 : Info: rlm_perl: ?  Service-Type = Framed-User
 Mon Dec  1 23:20:53 2003 : Info: rlm_perl: ?  NAS-Identifier = N9028384K-WPP2
 Mon Dec  1 23:20:53 2003 : Info: rlm_perl: ?  Acct-Session-Id = 18afe90b
 Mon Dec  1 23:20:53 2003 : Info: rlm_perl: ?  User-Name = kz032
 Mon Dec  1 23:20:53 2003 : Info: rlm_perl: ?  Framed-Protocol = PPP
 Mon Dec  1 23:20:53 2003 : Info: rlm_perl: ?  NAS-IP-Address = 172.31.22.192
 Mon Dec  1 23:20:53 2003 : Info: rlm_perl: ?/RAD_REPLY:
 Mon Dec  1 23:20:53 2003 : Info: rlm_perl: ?/RAD_CHECK:
 Mon Dec  1 23:20:53 2003 : Info: rlm_perl: ?/RAD_CONFIG:
 
 Bruce


You have to use preprocess module for Client-IP-Address from radiusd.conf authorize section.

--//--
#  It also adds a Client-IP-Address attribute to the request.
  preprocess
--//--

 
 
 Boian Jordanov wrote:
 
 On Fri, Dec 12, 2003 at 06:01:53PM +0800, Bruce Cook wrote:
  
 
 Is there any way to access Client-IP-Address within a perl script under 
 rlm_perl.
 
 I can't seem to find any direct reference to it.
 

 
 
 $RAD_REQUEST{'Client-IP-Address'}
 
  
 
 Bruce Cook
 
 
 


Re: Auth: Login incorrect:

2003-12-15 Thread Nicolas Baradakis
Joe Bonow wrote:

After searching the limited archive I am unable to find info on how
 to have the Login Incorrect return the name of the nas that the login
 failed on.

The CVS version has support for a postauth_query stanza in sql.conf
which allows you to insert any value you want in the SQL query : the
User-Name, the User-Password and the NAS-IP-Address for example.

See raddb/sql.conf and doc/Post-Auth-Type to use this feature.

-- 
Nicolas Baradakis



Re: Kill -HUP in debug mode eats all CPU

2003-12-15 Thread ZORBADELOS KONSTANTINOS
At Fri, 12 Dec 2003 19:24:03 +0200,
ZORBADELOS KONSTANTINOS wrote:
Here is the output after adding debug_level = 2 as the last line of
radiusd.conf. Sorry for the delay I was off for the weekend.
By the way I compiled freeradius on another SUN machine (much bigger)
with gcc 2.95.3 and in the HUP signal it didn't eat the cpu (without
connections to an sql database). 
Thanks Alan.

--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
Reloading configuration files.
reread_config:  reading radiusd.conf
Config:   including file: /export/home/radius/freeradius-0.9.3/BUILD/etc/raddb/proxy.conf
Config:   including file: /export/home/radius/freeradius-0.9.3/BUILD/etc/raddb/clients.conf
Config:   including file: /export/home/radius/freeradius-0.9.3/BUILD/etc/raddb/snmp.conf
Config:   including file: /export/home/radius/freeradius-0.9.3/BUILD/etc/raddb/oraclesql.conf
 main: prefix = /export/home/radius/freeradius-0.9.3/BUILD
 main: localstatedir = /export/home/radius/freeradius-0.9.3/BUILD/var
 main: logdir = /export/home/radius/freeradius-0.9.3/BUILD/var/log/radius
 main: libdir = /export/home/radius/freeradius-0.9.3/BUILD/lib
 main: radacctdir = /export/home/radius/freeradius-0.9.3/BUILD/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /export/home/radius/freeradius-0.9.3/BUILD/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /export/home/radius/freeradius-0.9.3/BUILD/var/run/radiusd/radiusd.pid
 main: user = radius
 main: group = other
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /export/home/radius/freeradius-0.9.3/BUILD/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = yes
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 2
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
rlm_sql (sql1): Closing sqlsocket 2
rlm_sql (sql1): Closing sqlsocket 1
rlm_sql (sql1): Closing sqlsocket 0
rlm_sql (sql2): Closing sqlsocket 2
rlm_sql (sql2): Closing sqlsocket 1
rlm_sql (sql2): Closing sqlsocket 0
Bus Error (core dumped)


==
  Kostas Zorbadelos
  Currently at: Otenet IT Department 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




Re: Digital Cert + Username/Password against LDAP = ???

2003-12-15 Thread Kostas Kalevras
On Sun, 14 Dec 2003, Patrick Mowry wrote:

 Hello,

 I have a requirement for two stage authentication for wireless networks.
 Before the wireless Windows 2000/XP client is even allowed to reach the
 domain, it must authenticate to the network with Digital Certs issued
 from an iPlanet certificate server (EAP-TLS) and also a
 username/password against LDAP.  Would this be EAP-TTLS?  If someone can
 point me to the correct keyword I'm sure I can figure it out from there.

Yes that would be EAP-TTLS.
You can also set the EAP-TLS-Require-Client-Cert attribute to 1 so that the TLS
code will also require a valid client certificate


 Thanks,

 -Patrick



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



radius 0.9.3 / mysql 4.0.16: no logging

2003-12-15 Thread James Green
Good morning all,

We have a server with a really old copy of FreeRADIUS logging accounting 
data to mysql 3.xx. We are now in the process of upgrading to the latest 
stable of mysql 4 and freeradius.

We've built the system on a separate machine and it works during 
testing, except it doesn't log anything to mysql. We have authorisation 
checks using flat files, but use mysql for logging.

radtest works fine, nothing in mysql. radiusd -x shows it connects fine 
to the mysql server, and mysqld shows it has connected.

Yet there is no sqltrace.sql file either.

We have confirmed the username/password details can log in, and the 
table names are correct. The accounting{} part is as default, with 'sql' 
right above 'unix'.

Some help would be appreciated. We are at a loss!

Thanks,

James Green





PEAP problem - HELP PLEASE

2003-12-15 Thread garelli
hello everybody!
I am trying to make a secure wireless access using PEAP, but I have a
problem during authentication.
I had successfully configured TLS module, and all work fine.
But when I want to have a peap authentication, there is a problem.
In fact could someone try to look at my log, and tell me where is my
problem? It would be great!
Another point is the configuration of the users file, for peap. I've read
the list but nobody gave a real answer to this question.. how this file
have to be configured?? I tried :
username Auth-type := EAP , User-password ==  xxx
or
username Auth-type := Local , User-password ==  xxx
or ...
I don't really know which syntax is good according to peap
authentication..maybe my problem is here?
Thank you for your help!

there are my logs :

...
auth: type EAP
modcall: entering group authenticate for request 15
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Proceeding to decode tunneled attributes.

  rlm_eap_peap: Identity - NOMADE\ourson
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e
  PEAP: Got tunneled identity of NOMADE\ourson
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Sending tunneled request
EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e
Freeradius-Proxied-To = 127.0.0.1
User-Name = NOMADE\\ourson
modcall: entering group authorize for request 15
  modcall[authorize]: module preprocess returns ok for request 15
radius_xlat:  '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215
  modcall[authorize]: module auth_log returns ok for request 15
  rlm_eap: EAP packet type response id 129 length 18
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 15
rlm_realm: No '@' in User-Name = NOMADE\ourson, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 15
  modcall[authorize]: module files returns notfound for request 15
modcall: group authorize returns updated for request 15
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 15
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
  modcall[authenticate]: module eap returns handled for request 15
modcall: group authenticate returns handled for request 15
  PEAP: Got tunneled reply RADIUS code 11
EAP-Message =
0x018200271a01820022104c50168820c00ade9de928725f57b2964e4f4d4144455c6f7572736f6e
Message-Authenticator = 0x
State = 0xc2efbd051aa877ec625ee103a4a76b76
  PEAP: Got tunneled Access-Challenge
  modcall[authenticate]: module eap returns handled for request 15
modcall: group authenticate returns handled for request 15
Sending Access-Challenge of id 158 to 192.168.1.2:2462
EAP-Message =
0x0182003e19001703010033d078dd9a67221656dce0acbb5519d8b9af452bb0eaf5f600fcabafd63a385dfe8b1d076837f1798de3ca6d5b2a0d7269ad9f2f
Message-Authenticator = 0x
State = 0x55cbafd5eafc1a8c249ad219c5d26a3b
Finished request 15
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2463, id=159, length=250
User-Name = NOMADE\\ourson
Cisco-AVPair = ssid=bebe
NAS-IP-Address = 192.168.1.2
Called-Station-Id = 00409656deff
Calling-Station-Id = 000af49c507f
NAS-Identifier = AP350-56deff
NAS-Port = 37
Framed-MTU = 1400
State = 0x55cbafd5eafc1a8c249ad219c5d26a3b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x028200581900170301004d7375a04660bd286865a528793617699cb52551682fc670d49518765d8d8c78754448d9e3eea2d3d4c05fe1367daa485f6e915eebd1fa6d301bb4996dac7906667fa1013b41e11f29e367
Message-Authenticator = 0x63157043cdd0b024b172ecaf24dfb290
modcall: entering group authorize for request 16
  modcall[authorize]: module preprocess returns ok for request 16
radius_xlat:  '/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215
  modcall[authorize]: module auth_log returns ok for request 16
  rlm_eap: EAP packet type response id 130 length 88
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
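
The EAP-Message values in the debug output above can be decoded to check them against the `rlm_eap` lines (for example "EAP packet type response id 129 length 18"). This is an added example, not part of the original post or of FreeRADIUS; the function names are hypothetical and the three hex strings are copied from the log above.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# EAP-Message values copied from the debug output above.
SAMPLES = {
    "tunneled_identity": "0x02810012014e4f4d4144455c6f7572736f6e",
    "mschapv2_challenge": "0x018200271a01820022104c50168820c00ade9de928725f57b2964e4f4d4144455c6f7572736f6e",
    "peap_outer": "0x0182003e19001703010033d078dd9a67221656dce0acbb5519d8b9af452bb0eaf5f600fcabafd63a385dfe8b1d076837f1798de3ca6d5b2a0d7269ad9f2f",
}


def decode_mschapv2(body):
    """Decode the MS-CHAPv2 payload that follows the EAP type byte."""
    if len(body) < 5:
        return {"mschapv2_error": "short packet"}
    opcode, ms_id, ms_len = struct.unpack("!BBH", body[:4])
    out = {"mschapv2_opcode": MSCHAPV2_OPCODES.get(opcode, opcode),
           "mschapv2_id": ms_id}
    if opcode in (1, 2):  # Challenge and Response carry Value-Size, Value, Name
        size = body[4]
        out["value"] = body[5:5 + size].hex()
        out["name"] = body[5 + size:ms_len].decode("utf-8", "replace")
    return out


def decode_peap(body):
    """Decode the flags byte and the first TLS record header of a PEAP packet."""
    if not body:
        return {"peap_error": "no flags byte"}
    flags = body[0]
    out = {"length_included": bool(flags & 0x80),
           "more_fragments": bool(flags & 0x40),
           "start": bool(flags & 0x20)}
    offset = 1 + (4 if flags & 0x80 else 0)  # optional 4-byte TLS message length
    if len(body) >= offset + 5:
        ctype, major, minor, rec_len = struct.unpack("!BBBH", body[offset:offset + 5])
        out.update(tls_content_type=ctype, tls_version=(major, minor),
                   tls_record_length=rec_len)
    return out


def decode_eap(hex_value):
    """Decode one EAP-Message attribute value as printed by radiusd -X."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "truncated": len(raw) < length}
    if code in (1, 2) and len(raw) >= 5:  # only Request/Response carry a type
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        body = raw[5:length]
        if eap_type == 1:
            info["identity"] = body.decode("utf-8", "replace")
        elif eap_type == 26:
            info.update(decode_mschapv2(body))
        elif eap_type == 25:
            info.update(decode_peap(body))
    return info


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, decode_eap(value))
```

The outer PEAP packet only exposes a TLS application-data record header; the tunneled identity and MS-CHAPv2 challenge are visible in the log because the server prints them after decryption.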

Help

2003-12-15 Thread Shashidhara S Bapat
Hello  everyone,
I am a new user of Freeradius server. I have installed freeradius (beta
version) and tested radius server using 'radtest' command and found in
working.
I have a windows user connected through AP600 (NAS), and it is not
responding. (I ran 'radiusd' with -X option ..and found it not showing
any message, when the windows-user tried to access. It's allowing user
to access the NAS without asking for any password).


Please help me in configuring radius server.
Thanks in advance for all the help.




-- 
=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
--Best Regards,
  Shashi.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=




Re: radius 0.9.3 / mysql 4.0.16: no logging

2003-12-15 Thread ZORBADELOS KONSTANTINOS
At Mon, 15 Dec 2003 10:25:36 +,
James Green wrote:
 
Use radiusd -X and see what happens with the requests. You should see
the sql queries that the server tries to execute.



Re: radius 0.9.3 / mysql 4.0.16: no logging

2003-12-15 Thread James Green
ZORBADELOS KONSTANTINOS wrote:

At Mon, 15 Dec 2003 10:25:36 +,
James Green wrote:
 

Use radiusd -X and see what happens with the requests. You should see
the sql queries that the server tries to execute.
 

Zorbadelos,

This has been done. That is how I know it connects to the database, but 
doesn't perform any SQL queries.

I can get it to look up the user in the database even, it just refuses 
to log the result in the database.

It's driving me up the wall :-(

James

 



Re: radius 0.9.3 / mysql 4.0.16: no logging

2003-12-15 Thread ZORBADELOS KONSTANTINOS
At Mon, 15 Dec 2003 12:57:24 +,
James Green wrote:
 
 ZORBADELOS KONSTANTINOS wrote:
 

You said you used radiusd -x and not radiusd -X (case is important).
Please send the output you receive from radiusd -X.  See the rlm_sql
and radius_xlat messages. Perhaps something is wrong with the
configuration of queries.




Re: Digital Cert + Username/Password against LDAP = ???

2003-12-15 Thread Alan DeKok
Patrick Mowry [EMAIL PROTECTED] wrote:
 I have a requirement for two stage authentication for wireless networks.
 Before the wireless Windows 2000/XP client is even allowed to reach the
 domain, it must authenticate to the network with Digital Certs issued
 from an iPlanet certificate server (EAP-TLS) and also a
 username/password against LDAP.  Would this be EAP-TTLS?

  Yes.

  Alan DeKok.



Re: Upgrade questions

2003-12-15 Thread Alan DeKok
Nick Marino [EMAIL PROTECTED] wrote:
 Can anyone point in the direction of the best way to upgrade to Freeradius
 version 0.9.3 from version FreeRADIUS Version 0.8-pre without losing my
 current configuration?

$ make install

  Read the output.  It warns you in big letters that it hasn't changed
the configuration files.

  Alan DeKok.



Re: PEAP problem - HELP PLEASE

2003-12-15 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 In fact could someone try to look at my log, and tell me where is my
 problem? It would be great!

  The log you posted to the list contains a description of what is wrong.

 Another point is the configuration of the users file, for peap. I've read
 the list but nobody gave a real answer to this question.. how this file
 have to be configured?? I tried :
 username Auth-type := EAP , User-password ==  xxx
 or
 username Auth-type := Local , User-password ==  xxx

  You often don't need to do anything to the 'users' file.

  The simplest change to make (if you're not using LDAP or SQL), is to
add the tunneled user name, with a password:

tunnel-user  User-Password = password

  That's it.

   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: No LM-Password or NT-Password attribute found.  Cannot
 perform MS-CHAP authentication.

  It needs a password.

  Alan DeKok.




Re: Help

2003-12-15 Thread Alan DeKok
Shashidhara S Bapat [EMAIL PROTECTED] wrote:
 I have a windows user connected through AP600 (NAS), and it is not
 responding. (I ran 'radiusd' with -X option ..and found it not showing
 any message, when the windows-user tried to access. It's allowing user
 to access the NAS without asking for any password).

  Then it's a problem with the NAS configuration.  Nothing you do to
FreeRADIUS will help.

  Alan DeKok.



Re: Problem with attr_filter

2003-12-15 Thread Alan DeKok
  This is my last message on this topic, in the naive hope that you
will pay attention to what I'm saying.

Stephan von Krawczynski [EMAIL PROTECTED] wrote:
 You are not wrong, you simply don't listen or don't at least try to
 understand the problem, again:
 
 I have a freeradius 0.8.1 and let it send vendor attributes to a freeradius
 0.9.3 proxy that tries to filter _that very same_ vendor attributes and does
 not recognise them.

  Bullshit.  Total, absolute, bullshit.  I explained why in my
previous message.  Go back and read it.

 _That_ is a real issue. It is likely that 0.8.1 is different somehow
 regarding vendor info behaviour (maybe buggy, I don't know). My
 expectation was you had some knowledge about this. Do you?

  Yes.  I told you to go read dictionary.ascend.  You obviously
haven't.

  To hint again: one is a VSA, one is not.  The attributes are
incomparable.

   If the names look similar to you, that's
  an illusion, and has nothing to do with the problem at hand.  If the
  attribute numbers look similar, that, too, is unimportant.
 
 .. as long as they don't belong to the _same_ dictionary, which is
 exactly the case here.

  Sorry, you're wrong.  I could explain why, but you'd just argue with
me again.

 Why does a packet come out different from 0.8.1 using the same dictionary as
 0.9.3 ?

  drum roll  Because the dictionaries have changed?  And you're too
damn lazy to go check?  Or, you're too damn proud to follow my
instructions?

  See, I would have thought you READ my messages, and put 2 and 2
together:

 1) go read dictionary.ascend
 2) if the attribute isn't being sent as a VSA, update the dictionary
so that it IS sent as a VSA.

  You did READ the dictionary, to see if the attribute was a VSA,
didn't you?  You did try to update the dictionary, to make the
attribute a VSA, didn't you?

  But I doubt you have.  You're only asking questions to prove me
wrong, and to avoid all of my instructions as to how to fix the
problem.

 Something that came to my mind while debugging was: is there a
 (simple) way to make freeradius write a protocol of all
 access-packets very like the accounting packets' protocol
 (detail-file)? I mean besides freeradius debugging mode.  That would
 be very handy (I really don't like tcpdump for long-term protocols).

  You did read 'radiusd.conf', didn't you?  That question is answered
there.

  Obviously not...

  Honestly, I don't know why it's so hard for you to read my
responses, and do as I say.  I do know that I'm wasting my time, and
I don't see the point in discussing it any further.  I've told you
exactly what's wrong, and I've told you exactly how to fix it.

  Yet that isn't good enough for you.  You still argue with me, ignore
what I say, and tell me I'm wrong.  I can only conclude that you're
uninterested in solving your problem.  You're only interested in
social gossip on the list.

  Alan DeKok.



Re: Upgrade questions

2003-12-15 Thread [EMAIL PROTECTED]
--- Alan DeKok [EMAIL PROTECTED] wrote:
 Nick Marino [EMAIL PROTECTED] wrote:
  Can anyone point in the direction of the best way to upgrade to Freeradius
  version 0.9.3 from version FreeRADIUS Version 0.8-pre without losing my
  current configuration?
 
 $ make install
 
   Read the output.  It warns you in big letters that it hasn't changed
 the configuration files.
 
   Alan DeKok.

yeah I have done that exactly before and it did overwrite my config that is
one of the reasons I am asking.



Re: radius 0.9.3 / mysql 4.0.16: no logging

2003-12-15 Thread James Green
ZORBADELOS KONSTANTINOS wrote:

At Mon, 15 Dec 2003 12:57:24 +,
James Green wrote:
 

ZORBADELOS KONSTANTINOS wrote:

   

You said you used radiusd -x and not radiusd -X (case is important).
Please send the output you receive from radiusd -X.  See the rlm_sql
and radius_xlat messages. Perhaps something is wrong with the
configuration of queries.
 

Hello again.

Right, we've just had our NAS configured to the same spec that the 
existing (non-test) one is which logs things fine.

Yet we still don't see anything in our database on the test number. 
Here's the debug output - I hope someone can point the finger...

rad_recv: Access-Request packet from host 81.20.32.130:2048, id=40, length=317
   Attr-172818433 = 
0x202449643a2041707469732e76696e666f2020496d6167654e616d653d6665706d64202056657273696f6e3d332e362e32703220204275696c644e756d6265723d3332383420204275696c64446174653d31322f31392f3230303020204275696c6454696d653d31363a33313a333820204d616368696e653d4255494c4430332020557365723d4275696c642020546172676574426f6172643d736363202054617267657450726f636573736f723d50504336303320204272616e63683d7033363220204578702024
   NAS-IP-Address = 81.20.32.130
   User-Name = [EMAIL PROTECTED]
   CHAP-Password = 0x017095d941e007b1ca52c6ee6137cf8d65
   Called-Station-Id = 08714719098
   Calling-Station-Id = 1493660030
   NAS-Port = 17236748
   NAS-Port-Type = Async
   Framed-Protocol = PPP
   Service-Type = Framed-User
modcall: entering group authorize for request 3
 modcall[authorize]: module preprocess returns ok for request 3
radius_xlat:  '/var/log/radiusd/radacct/81.20.32.130/auth-detail-20031215'
rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/81.20.32.130/auth-detail-20031215
 modcall[authorize]: module auth_log returns ok for request 3
 rlm_chap: Setting 'Auth-Type := CHAP'
 modcall[authorize]: module chap returns ok for request 3
 modcall[authorize]: module eap returns noop for request 3
   rlm_realm: Looking up realm wapmob for User-Name = [EMAIL PROTECTED]
   rlm_realm: Found realm wapmob
   rlm_realm: Adding Stripped-User-Name = james
   rlm_realm: Proxying request from user james to realm wapmob
   rlm_realm: Adding Realm = wapmob
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 3
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 1
 modcall[authorize]: module sql returns notfound for request 3
   users: Matched DEFAULT at 152
   users: Matched DEFAULT at 159
 modcall[authorize]: module files returns ok for request 3
 modcall[authorize]: module mschap returns noop for request 3
modcall: group authorize returns ok for request 3
 rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password matches local User-Password
Login OK: [james/CHAP-Password] (from client intelliplus port 17236748 
cli 1493660030)
modcall: entering group post-auth for request 3
radius_xlat:  '/var/log/radiusd/radacct/81.20.32.130/reply-detail-20031215'
rlm_detail: 
/var/log/radiusd/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d 
expands to /var/log/radiusd/radacct/81.20.32.130/reply-detail-20031215
 modcall[post-auth]: module reply_log returns ok for request 3
modcall: group post-auth returns ok for request 3

Re: strange, but minor issue with 0.9.3 and ./debian/rules

2003-12-15 Thread Nick Davis

 So I need to put something into debian/changelog that indicates version
 0.9.3 and
 the debian packaging system will then correctly name the deb files ???

 I am trying to learn this stuff, and am at the point I am very
 dangerous to my systems. :-)
 I try to proceed with caution in areas I know very little about.

 Richard

Richard,
 I have instructions on my website for building .deb freeradius packages if 
you'd like to take a look:

http://mrtizmo.com/freeradius/

Step 7 instructs people to change the top of the changelog, which will then be 
used to name the .deb packages.

Nick
-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius 0.9.3 / mysql 4.0.16: no logging

2003-12-15 Thread Nick Davis
   modcall[authorize]: module preprocess returns ok for request 3
 radius_xlat:  '/var/log/radiusd/radacct/81.20.32.130/auth-detail-20031215'
 rlm_detail:
 /var/log/radiusd/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
 to /var/log/radiusd/radacct/81.20.32.130/auth-detail-20031215
   modcall[authorize]: module auth_log returns ok for request 3

[snip]

 modcall: entering group post-auth for request 3
 radius_xlat:  '/var/log/radiusd/radacct/81.20.32.130/reply-detail-20031215'
 rlm_detail:
 /var/log/radiusd/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
 expands to /var/log/radiusd/radacct/81.20.32.130/reply-detail-20031215
   modcall[post-auth]: module reply_log returns ok for request 3

[snip]

   modcall[accounting]: module sql returns ok for request 4
 radius_xlat:  '/var/log/radiusd/radacct/81.20.32.130/detail-20031215'
 rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/detail-%Y%m%d
 expands to /var/log/radiusd/radacct/81.20.32.130/detail-20031215
   modcall[accounting]: module detail returns ok for request 4
   modcall[accounting]: module unix returns ok for request 4
 radius_xlat:  '/var/log/radiusd/radutmp'
 radius_xlat:  '[EMAIL PROTECTED]'
   modcall[accounting]: module radutmp returns ok for request 4
 modcall: group accounting returns ok for request 4


 Please bear in mind that authentication and authorisation is done using
 flat files, accounting is done in a database. The latter doesn't work.


James,

All of your accounting data is being written to the details files. You must 
not have put sql in the accounting section of radius.conf.

Also make sure the sql queries in sql.conf are correct for the radacct 
table.

Take a look at my radius.conf for reference to using mysql for accounting and 
user/pass/groups (auth).

http://mrtizmo.com/freeradius/

Hope some of this helps!

Nick
-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services




Re: Testers Please - MySQL and PostgreSQL compatability patch

2003-12-15 Thread Guy Fraser
I hoped these patches would have been applied to CVS by now, but they
haven't.

If anyone is interested in PostgreSQL support for freeradius, please
check out the site I have set up, and send feedback if you find any problems.

I have verified my patch against the CVS as of 2003 Dec 15 10:15.

Have a nice day

Guy Fraser wrote:

This patch has been made against the CVS tree. I have verified that it
applies to the CVS as of Dec 10 16:11 2003 MDT. This is a unified patch
that will patch the radiusd directory.

I have solved all the compatibility issues between MySQL and PostgreSQL
for Dialup Admin, as far as I can tell. I tested all the dialupadmin
interfaces with PostgreSQL and MySQL. They both work and all I have to do
to switch between them is change the sql driver and port in conf/admin.conf.

I have done a considerable amount of work getting this code to work with
PostgreSQL and ensuring that MySQL works without having to modify
the SQL tables, data or any of the other config files. It is dead easy
to see that the code works. I have provided a patch, some sample data for
both MySQL and PostgreSQL and a demo site running with both configurations.

The homepage for the site is at :

http://sphinx.incentre.net/

Please have a look, and get back to me with your suggestions. I would
like to see this put into cvs soon. I have a fair amount of other
development to do, and don't want to have too many patch levels to maintain.

For the non developers watching this post, these are the steps
required to test this patch :

mkdir test-dir
cd test-dir
cvs -d :pserver:[EMAIL PROTECTED]:/source login
enter the password : anoncvs 
cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd
cvs -d :pserver:[EMAIL PROTECTED]:/source logout
patch < dialupadmin-pg-compatability.patch
The radiusd directory should now be patched.

I will put the patches for the dialup_admin/bin files once I get 
feedback.

RSVP

--
Guy Fraser
Network Administrator
The Internet Centre
780-450-6787 , 1-888-450-6787
There is a fine line between genius and lunacy, fear not, walk the
line with pride. Not all things will end up as you wanted, but you
will certainly discover things the meek and timid will miss out on.






Re: Upgrade questions

2003-12-15 Thread Alan DeKok
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 yeah I have done that exactly before and it did overwrite my config that is
 one of the reasons I am asking.

  That must have been a very old version of the server.  The current
version does not overwrite any files in raddb/

  Alan DeKok.



Re: Support for Safeword tokens in synchronous mode

2003-12-15 Thread Alan DeKok
Szelepcsenyi Robert [EMAIL PROTECTED] wrote:
 I would like to replace the Safeword server with some open source software,
 if possible. However, we are using tokens in synchronous mode for dialup,
 VPN etc. Freeradius seems to support Safeword Tokens in asynchronous mode
 only. I would like to ask whether synchronous mode is planned sometime in
 the future.

  Nope.

 I have not been able to find any specs concerning the synchronous
 mode. I also tried to extract the counter value from import0.dat (it
 is the last item of a record), but encrypting it using the DES key
 did not yield the desired password.

  Without the algorithm, it's impossible to implement.  And if the
algorithm is patented, it's even more impossible to implement.

  Alan DeKok.



Re: radius 0.9.3 / mysql 4.0.16: no logging

2003-12-15 Thread James Green
Nick Davis wrote:

James,

All of your accounting data is being written to the details files. You must 
not have put sql in the accounting section of radius.conf.
 

You mean this?:

accounting {
   #
   #  Ensure that we have a semi-unique identifier for every
   #  request, and many NAS boxes are broken.
   acct_unique
   sql
   #
   #  Create a 'detail'ed log of the packets.
   #  Note that accounting requests which are proxied
   #  are also logged in the detail file.
   detail
#   daily
   unix    # wtmp file

   #
   #  For Simultaneous-Use tracking.
   #
   #  Due to packet losses in the network, the data here
   #  may be incorrect.  There's little we can do about it.
   radutmp
#   sradutmp
   #  Return an address to the IP Pool when we see a stop record.
#   main_pool
}
Been there for some time.

Also make sure the sql queries in sql.conf are correct for the radacct 
table.
 

I've not touched them. The only thing I did was make it use 
radacct_table1/table2, for which I searched and replaced. mysql.err 
shows nothing, and I've logged into the mysql server using the radius 
user account and successfully inserted some data.

I find it suspicious that although I see SQL queries to SELECT data in 
the authorisation and authentication phase, I see no SQL being performed 
for accounting data.

Take a look at my radius.conf for reference to using mysql for 
accounting and user/pass/groups (auth).

http://mrtizmo.com/freeradius/
 

Thanks for this, can't see much in there that's different to mine!

James

Hope some of this helps!

Nick
 





Denying Access by NAS-Port-Type

2003-12-15 Thread NetNITCO Systems Administration
Is it possible to deny an Access-Request by the NASPortType?  The
current issue at hand is as follows:

Our RADIUS servers handle the authentication for standard 56K dial-up,
64K ISDN, and 128K ISDN.  The current problem is that if somebody
purchases a dial-up account (which is restricted to Simultaneous-Use 1),
they can obtain a 64K ISDN connection, without paying the additional fee
for the service.  So, since dial-up gets reported as NASPortType Async
and ISDN is reported as ISDN, I was wondering if populating
'radgroupcheck' for the DialUp group with 'NASPortType' Async would
disallow somebody from making a 64K ISDN connection when their
'radgroup' group is set for the DialUp group.

Thanks,

--Josh Snyder, Linux/UNIX Systems Administrator
NetNITCO Internet Services
[EMAIL PROTECTED]





Re: MySQL Help!

2003-12-15 Thread Alan DeKok
Deramus, Chris [EMAIL PROTECTED] wrote:
 What file(s) should I run ldd against? 

  rlm_sql_mysql.so

  Alan DeKok.



Re: There are no DB handles to use! skipped 0, tried to connect 0

2003-12-15 Thread Alan DeKok
Ripunjay Bararia [EMAIL PROTECTED] wrote:
 --- radius.log begin ---
 Mon Dec 15 12:30:23 2003 : Info: rlm_sql (sql): There are no DB handles to
 use! skipped 0, tried to connect 0

  Find out why your SQL database is slow.

  Alan DeKok.



Re: Upgrade questions

2003-12-15 Thread [EMAIL PROTECTED]
--- Alan DeKok [EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  yeah I have done that exactly before and it did overwrite my config that
 is
  one of the reasons I am asking.
 
   That must have been a very old version of the server.  The current
 version does not overwrite any files in raddb/
 
   Alan DeKok.
 
So the config files are completely the same between versions?

Are any modifications needed on the config files after the install or will
0.9.3 run with 0.8 pre config files?

What about new fields in the mysql database are they also the same?



Re: Denying Access by NAS-Port-Type

2003-12-15 Thread Alan DeKok
NetNITCO Systems Administration [EMAIL PROTECTED] wrote:
 So, since dial-up gets reported as NASPortType Async and ISDN is
 reported as ISDN, I was wondering if populating 'radgroupcheck'
 for the DialUp group with 'NASPortType' Async would disallow
 somebody from making a 64K ISDN connection when their 'radgroup'
 group is set for the DialUp group.

  It should work.  Check, though, that the NAS is actually sending
Async.

  This should let the ISDN people also do dial-up, but will prevent
the dial-up people from using ISDN.

  Alan DeKok.



Re: Upgrade questions

2003-12-15 Thread Alan DeKok
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 So the config files are completely the same between versions?

  No.

 Are any modifications needed on the config files after the install or will
 0.9.3 run with 0.8 pre config files?

  Maybe.

 What about new fields in the mysql database are they also the same?

  I don't recall.

  Alan DeKok.



Re: Denying Access by NAS-Port-Type

2003-12-15 Thread NetNITCO Systems Administration
On Mon, 2003-12-15 at 10:51, Alan DeKok wrote:
   It should work.  Check, though, that the NAS is actually sending
 Async.
 

I checked the 'radacct' table to verify that our HiPerARCs are sending
Async for dial-up and ISDN for ISDN.

   This should let the ISDN people also do dial-up, but will prevent
 the dial-up people from using ISDN.
 

That was my thought as well.  Obviously, if you're paying for 64K ISDN,
but for some reason you need to use standard dial-up, you should be able
to.

Thanks a lot Alan!

--Josh





Re: Auth: Login incorrect:

2003-12-15 Thread Joe Bonow
Thanks for the patched log_badlogins; it takes care of the issue for me 
and is greatly appreciated.  Thanks also to all who replied with other 
solutions.

Guy Fraser wrote:

You have to configure and run dialup_admin/bin/log_badlogins to 
process your radius.log file and put the entries into your DB.

I have written a patch that makes log_badlogins use the 
raddb/clients.conf file to determine the NAS-IP-Address.

This patch is not in CVS yet; I am waiting for some more important 
patches to be applied to CVS before I resubmit this patch.

Here is a patched version for you to try.

Joe Bonow wrote:

Hello:

   After searching the limited archive I am unable to find info on 
how to have the Login Incorrect return the name of the nas that the 
login failed on.  As an example my radius.log file shows this line:

Thu Dec 11 11:42:17 2003 : Auth: Login incorrect: [test/abc] (from 
client ip99 port 1)

I am using dialup admin to check for bad logins and after reviewing 
the script it seems that the ip99 response should be more along the 
lines of say nameofnas or nameofnas.domain.  Any help would be 
appreciated.  Oh, I am using a Livingston Portmaster 2e as the NAS and 
the version of freeradius I am running is 0.9.2.  Thanks in advance 
for assistance.





#!/usr/bin/perl
#
# Log failed logins in the sql database
# Works only with mysql and postgresql {look for PG and change commented lines}
# It will read the sql parameters from the admin.conf file
#
# Usage:
# log_badlogins radius.log [admin.conf] [all]
#
# Defaults:
# radius.log: none
# admin.conf: /usr/local/dialup_admin/conf/admin.conf
# all: no. Go to the end of the file. Don't read it all.

use Date::Manip qw(ParseDate UnixDate);
use Digest::MD5;
$|=1;
$file=shift||'none';
$conf=shift||'/usr/local/dialup_admin/conf/admin.conf';
$all_file=shift||'no';
#
#
# CHANGE THESE TO MATCH YOUR SETUP
#
#$regexp = 'from client localhost port 135|from client blabla ';
$tmpfile='/var/tmp/sql.input';
#
#
# Read the "key: value" settings from admin.conf.
open CONF, "<$conf"
    or die "Could not open configuration file\n";
while(<CONF>){
    chomp;
    ($key,$val)=(split /:\s*/,$_);
    $sql_server = $val if ($key eq 'sql_server');
    $sql_username = $val if ($key eq 'sql_username');
    $sql_password = $val if ($key eq 'sql_password');
    $sql_database = $val if ($key eq 'sql_database');
    $sql_accounting_table = $val if ($key eq 'sql_accounting_table');
    $realm_strip = $val if ($key eq 'general_strip_realms');
    $realm_del = $val if ($key eq 'general_realm_delimiter');
    $realm_for = $val if ($key eq 'general_realm_format');
    $domain = $val if ($key eq 'general_domain');
    $sql_timeout = $val if ($key eq 'sql_connect_timeout');
    $sql_extra = $val if ($key eq 'sql_extra_servers');
    $sqlcmd = $val if ($key eq 'sql_command');
    $clients = $val if ($key eq 'general_clients_conf');
}
close CONF;
# Build a shortname => IP address map from clients.conf.
open CLIENTS, "<$clients"
    or die "Could not open $clients file\n";
while(<CLIENTS>){
    chomp;
    s/^\s*//g;
    s/\s*#.*//g;
    if (!/^\s*$/ && /=/) {
        ($key,$val)=(split /\s*=\s*/,$_);
        $client_short = $val if ($key eq 'shortname');
    } else {
        if (/\{/) {
            # Opening line of a "client <name> {" block.
            s/.*client\s+([^\s]*)\s+\{.*$/$1/;
            if (/^\d+\.\d+\.\d+\.\d+/) {
                $client = $_;
            } else {
                # Bare host names get the configured domain appended.
                if (/\./ || /localhost/) {
                    $name = $_ ;
                } else {
                    $name = $_.".".$domain;
                }
                $addr = gethostbyname $name;
                ($a,$b,$c,$d)=unpack('C4',$addr);
                $client = "$a.$b.$c.$d";
                #DEBUG# print $name." = ".$client."\n";
            }
        } else {
            if (/\}/) {
                $client_array{$client_short} .= $client;
            }
        }
    }
}
close CLIENTS;
$realm_del = '@' if ($realm_del eq '');
$realm_for = 'suffix' if ($realm_for eq '');
$pass = ($sql_password ne '') ? "-p$sql_password" : '';
die "SQL server not defined\n" if ($sql_server eq '');
die "sql_command directive is not set in admin.conf\n" if ($sqlcmd eq '');
die "Could not find sql binary. Please make sure that the \$sqlcmd variable points to the right location\n" if (! -x $sqlcmd);
$opt = "-O connect_timeout=$sql_timeout" if ($sql_timeout);
@servers = (split /\s+/,$sql_extra) if ($sql_extra ne '');
unshift @servers, $sql_server;
open LOG, "<$file"
    or die "Could not open file $file\n";
seek LOG, 0, 2 if ($all_file eq 'no');
for(;;){
    while(<LOG>){
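
The shortname-to-address lookup described in this post, sketched in Python as an added example (it is not Guy Fraser's patch or dialup_admin code). The clients.conf sample and the second and third log lines are constructed, the first log line is the one quoted in the post, and treating a dotted-quad client field as already being the NAS address is an assumption.

```python
import re
import socket

# Constructed clients.conf sample (not from the thread); addresses are
# taken from the documentation range 192.0.2.0/24.
SAMPLE_CLIENTS_CONF = """\
# NAS definitions
client 192.0.2.10 {
    secret    = testing123   # shared secret
    shortname = ip99
}
client localhost {
    secret    = testing123
    shortname = local
}
"""

# First line is the one quoted in the post; the other two are constructed.
SAMPLE_LOG = """\
Thu Dec 11 11:42:17 2003 : Auth: Login incorrect: [test/abc] (from client ip99 port 1)
Thu Dec 11 11:42:20 2003 : Auth: Login OK: [joe/CHAP-Password] (from client ip99 port 2 cli 5550100)
Thu Dec 11 11:43:02 2003 : Auth: Login incorrect: [bob/guess] (from client unknown-nas port 7 cli 5550101)
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CLIENT_OPEN = re.compile(r"^client\s+(\S+)\s*\{")
KEY_VALUE = re.compile(r"^(\w+)\s*=\s*(.*)$")
BAD_LOGIN = re.compile(
    r"^(?P<when>.+?) : Auth: Login incorrect: "
    r"\[(?P<user>[^/\]]*)(?:/[^\]]*)?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>[^)]+))?\)$"
)


def to_ip(name, resolve, domain=""):
    """Return the IPv4 address for a client name, or None if it cannot be resolved."""
    if IPV4.match(name):
        return name
    # Like the script above: bare host names get the configured domain appended.
    if domain and "." not in name and name != "localhost":
        name = name + "." + domain
    try:
        return resolve(name)
    except OSError:  # socket.gaierror is a subclass
        return None


def parse_clients(text, domain="", resolve=socket.gethostbyname):
    """Map each client's shortname to its address from clients.conf text."""
    mapping, current, shortname = {}, None, None
    for raw in text.splitlines():
        # Comment stripping is crude (a '#' inside a secret is cut too),
        # which is harmless here because only shortname is read.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = CLIENT_OPEN.match(line)
        if opened:
            current, shortname = opened.group(1), None
            continue
        if current is None:
            continue
        kv = KEY_VALUE.match(line)
        if kv and kv.group(1) == "shortname":
            shortname = kv.group(2).strip()
        elif line.startswith("}"):
            if shortname:
                mapping[shortname] = to_ip(current, resolve, domain)
            current = None
    return mapping


def bad_logins(log_text, clients):
    """Return one record per 'Login incorrect' line, with the NAS address added."""
    records = []
    for line in log_text.splitlines():
        m = BAD_LOGIN.match(line.strip())
        if not m:
            continue
        client = m.group("client")
        # Assumption: a client logged as a dotted quad is already the NAS address.
        nas_ip = client if IPV4.match(client) else clients.get(client)
        records.append({
            "when": m.group("when"),
            "user": m.group("user"),
            "client": client,
            "nas_ip": nas_ip,  # None when the shortname is not in clients.conf
            "port": int(m.group("port")),
            "caller_id": m.group("cli"),
            # The attempted password in the log line is deliberately not copied.
        })
    return records


if __name__ == "__main__":
    for rec in bad_logins(SAMPLE_LOG, parse_clients(SAMPLE_CLIENTS_CONF)):
        print(rec)
```

Records whose nas_ip is None point at a shortname missing from clients.conf and are worth reviewing before they are loaded into the database.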

MySQL Success

2003-12-15 Thread Deramus, Chris
To all,

I finally got it, go figure it was a very obvious answer. I simply
re-configured FreeRADIUS using the
./configure --with-static-modules="sql sql_mysql" command. When I executed a
make, it errored out saying it could not find ../modules/rlm_sql_mysql. I simply
made a symbolic link to include the rlm_sql_mysql sub-directory in the
../modules/ directory and re-ran make. Everything works great now,
thanks!

Cordially,

Chris DeRamus
OCIO VPN Administrator
SAIC

  
  -Original Message-
  From: Deramus, Chris
  Sent: Sunday, December 14, 2003 11:09 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: MySQL Help!

  Chris,

  Thanks for the input, however, when I updated the configure
  script with your extra code configure would not find lmysqlclient and prompted
  that I specify the path to the library files by using --with-mysql-lib= When I
  put in the path to the MySQL library files, it still would not find
  lmysqlclient.

  Any other thoughts? If I get it I'll be sure to let you know
  what it was, thanks so much.

  Chris DeRamus
  OCIO VPN Administrator
  SAIC

  -Original Message-
  From: Chris Parker [mailto:[EMAIL PROTECTED]]
  Sent: Friday, December 12, 2003 5:14 PM
  To: [EMAIL PROTECTED]
  Subject: Re: MySQL Help!

  At 03:42 PM 12/12/2003, Rob Genovesi wrote:

  oh boy, I remember kicking this around for ever as well ...

  My solution was to 1) be sure you have development rpms installed and
  2) do not use "--disable-shared" when running configure. I don't know
  exactly why this changed things, but compiling with shared libraries it
  was able to find and use all the necessary mysql libs and includes.

  I installed the following MySQL rpms (Redhat) :

  MySQL-devel-4.0.16-0
  MySQL-shared-compat-4.0.16-0
  MySQL-client-4.0.16-0
  MySQL-server-4.0.16-0

  Aha. Mysql4 changes some stuff. On Solaris we had
  to change some of the Makefiles manually to get all of the appropriate libs
  included to build the rlm_mysql driver built. It may be the same on RH
  as well.

  Helpfully, MySQL 3 build syntax is not totally workable with
  MySQL 4 at least as far as FR is concerned.

  -Chris
  --
     \\\|||///   \ StarNet Inc.             \ Chris Parker
     \ ~ ~ /     \ WX *is* Wireless!        \ Director, Engineering
     | @ @ |     \ http://www.starnetwx.net \ (847) 963-0116
  oOo---(_)---oOo--\--
                   \ Wholesale Internet Services - http://www.megapop.net



Cisco VPN3000 with freeradius

2003-12-15 Thread Spetzler, Arne \(DZ-SH\)
Hello there,

I am successfully authenticating certificate users against freeradius 0.9.0 (from suse 
9.0).

BUT:  only the 'first' time. That means:

wait a 'long' time (av. 15 min)

authenticate successful

wait a very short time

authentication fails

wait

authentication fails

wait 'long' time

authentication successful


The debug from the radius shows nothing special:


---

rad_recv: Access-Request packet from host 10.1.50.10:1064, id=38, length=125
User-Name = TC_TEST
User-Password = 12345
NAS-Port = 0
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = 10.1.50.10
Calling-Station-Id = 10.1.3.132
Tunnel-Client-Endpoint:0 = 10.1.3.132
Attr-201588758 = 0x0001
NAS-IP-Address = 10.1.50.10
NAS-Port-Type = Virtual
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
rlm_eap: EAP-Message not found
  modcall[authorize]: module eap returns noop
rlm_realm: No '@' in User-Name = TC_TEST, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched TC_TEST at 76
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 38 to 10.1.50.10:1064
CVPN3000-IPSec-Banner1 = Authenticated by FREERADIUS
Class = 0x46524545524144495553
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 38 with timestamp 3fde1931
Nothing to do.  Sleeping until we see a request.

-

The CISCO Access Control Server ACS did not show this behavior.

I searched the archive and the FAQ and didn't find anything...


Has someone seen this before?

regards,

Arne


---
 
Datenzentrale Schleswig-Holstein
Altenholzer Str. 10-14, 24161 Altenholz, Germany
http://www.dzsh.de/ mailto:[EMAIL PROTECTED]
Tel: +49.431.3295.6840 Fax: +49.431.3295.410








accounting_stop request: bigint

2003-12-15 Thread Click Chebon
Using Postgresql 4.7
and FreeRadius 0.9.3
on FreeBSD 5.1

On sending an Accounting Stop Request to Freeradius
I get some errors in summary
invalid input syntax for type bigint: 

below is the error log and
Below the log is the standard part of postgresql.conf I am using it
unmodified


Nothing to do.  Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 192.168.0.1:3306, id=21,
length=38
User-Name = clint
Acct-Status-Type = Stop
Acct-Session-Id = 816
modcall: entering group preacct for request 3
  modcall[preacct]: module preprocess returns noop for request 3
rlm_realm: No '@' in User-Name = clint, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 3
modcall: group preacct returns noop for request 3
modcall: entering group accounting for request 3
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request,
unique ID MAY be incons
istent
rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.0.1,NAS-IP-Address =
192.168.0.1,Acct-Sess
ion-Id = 816,User-Name = clint'
rlm_acct_unique: Acct-Unique-Session-ID = 38a313dce3842355.
  modcall[accounting]: module acct_unique returns ok for request 3
radius_xlat:
'/usr/local/var/log/radius/radacct/192.168.0.1/detail-20031213'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /usr/
local/var/log/radius/radacct/192.168.0.1/detail-20031213
  modcall[accounting]: module detail returns ok for request 3
  modcall[accounting]: module unix returns noop for request 3
radius_xlat:  'clint'
rlm_sql (sql): sql_set_user escaped user -- 'clint'
radius_xlat:  'UPDATE radacct ??SET AcctStopTime = (now() - '0'::interval),
AcctSessionTime = '',
 ??AcctInputOctets = (('0'::bigint  32) + '0'::bigint), ??AcctOutputOctets
= (('0'::bigint  3
2) + '0'::bigint), ??AcctTerminateCause = '', AcctStopDelay = '0',
??FramedIPAddress = NULLIF('',
 '')::inet, ConnectInfo_stop = '' ??WHERE AcctSessionId = '816' AND UserName
= 'clint' ??AND NASI
PAddress = '192.168.0.1' AND AcctStopTime IS NULL'
radius_xlat:  '/usr/local/var/log/radius/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_postgresql: query: UPDATE radacct ??SET AcctStopTime = (now() -
'0'::interval), AcctSessi
onTime = '', ??AcctInputOctets = (('0'::bigint  32) + '0'::bigint),
??AcctOutputOctets = (('0':
:bigint  32) + '0'::bigint), ??AcctTerminateCause = '', AcctStopDelay =
'0', ??FramedIPAddress
= NULLIF('', '')::inet, ConnectInfo_stop = '' ??WHERE AcctSessionId = '816'
AND UserName = 'clint
' ??AND NASIPAddress = '192.168.0.1' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: affected rows =
rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning
SQL_DOWN
rlm_sql (sql): Attempting to connect rlm_sql_postgresql #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql_postgresql: query: UPDATE radacct ??SET AcctStopTime = (now() -
'0'::interval), AcctSessi
onTime = '', ??AcctInputOctets = (('0'::bigint  32) + '0'::bigint),
??AcctOutputOctets = (('0':
:bigint  32) + '0'::bigint), ??AcctTerminateCause = '', AcctStopDelay =
'0', ??FramedIPAddress
= NULLIF('', '')::inet, ConnectInfo_stop = '' ??WHERE AcctSessionId = '816'
AND UserName = 'clint
' ??AND NASIPAddress = '192.168.0.1' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: affected rows =
rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning
SQL_DOWN
rlm_sql (sql): failed after re-connect
rlm_sql (sql): Couldn't update SQL accounting STOP record - ERROR:  invalid
input syntax for type
 bigint: 
rlm_sql (sql): Released sql socket id: 1
  modcall[accounting]: module sql returns fail for request 3
modcall: group accounting returns fail for request 3
Finished request 3
Going to the next request
--- Walking the entire request list ---
Cleaning up request 3 ID 21 with timestamp 3fdb4e3b
Nothing to do.  Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 192.168.0.1:3307, id=22,
length=38
User-Name = clint
Acct-Status-Type = Stop
Acct-Session-Id = 816
modcall: entering group preacct for request 4
  modcall[preacct]: module preprocess returns noop for request 4
rlm_realm: No '@' in User-Name = clint, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 4
modcall: group preacct returns noop for request 4
modcall: entering group accounting for request 4
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request,
unique ID MAY be incons
istent
rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.0.1,NAS-IP-Address =
192.168.0.1,Acct-Sess
ion-Id = 816,User-Name = clint'
rlm_acct_unique: Acct-Unique-Session-ID = 38a313dce3842355.
  modcall[accounting]: module acct_unique returns ok for request 4
radius_xlat:
'/usr/local/var/log/radius/radacct/192.168.0.1/detail-20031213'

RE: There are no DB handles to use! skipped 0, tried to connect 0

2003-12-15 Thread Ripunjay Bararia
thanks Alan, for the comment,

My SQL server and FR are running on the same box,
will separating them be a good idea,
I need to do AAA for about 1500 concurrent users
what kind of a machine would I need for FR
and how much load will it put on the MySQL server
so that I can scale both of the machines accordingly

currently both are running on 

P-IV 2.6 
Intel 856 based board
512MB DDR 266Mhz
9.1GB X 2 SCSI disks


thanks
Ripunjay Bararia

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
 Sent: Monday, December 15, 2003 10:19 PM
 To: [EMAIL PROTECTED]
 Subject: Re: There are no DB handles to use! skipped 0, tried to connect
 0
 
 
 Ripunjay Bararia [EMAIL PROTECTED] wrote:
  --- radius.log begin ---
  Mon Dec 15 12:30:23 2003 : Info: rlm_sql (sql): There are no DB 
 handles to
  use! skipped 0, tried to connect 0
 
   Find out why your SQL database is slow.
 
   Alan DeKok.
 
 




Acct users

2003-12-15 Thread Lucas Oliveira



Hi everybody.

I am trying to set up a freeradius, but I can't
execute an external program in the acct_users file.
It takes no action.

Does anyone know how to set it up?

thanks
Lucas Oliveira
Web Manager
Prompt Tecnologia
www.prompt-tecnologia.com.br


Re: There are no DB handles to use! skipped 0, tried to connect 0

2003-12-15 Thread Alan DeKok
Ripunjay Bararia [EMAIL PROTECTED] wrote:
 My SQL server and FR are running on the same box,
 will separating them be a good idea,

  It shouldn't matter.

 I need to do AAA for about 1500 concurrent users
 what kind of a machine would I need for FR

  Almost any machine available today will do this easily.

 and how much load will it put on the MySQL server

  Almost no load.


  Something in your SQL database is taking a long time, and preventing
the server from working properly.  Find out what that is, and the
server will be OK.

  I don't know much about SQL, so I can't help you there, sorry.

  Alan DeKok.



Re: Cisco VPN3000 with freeradius

2003-12-15 Thread Alan DeKok
Spetzler, Arne (DZ-SH) [EMAIL PROTECTED] wrote:
 I am successfully authenticating certificate users against freeradius
 0.9.0 (from suse 9.0).
 
 BUT:  only the 'first' time. That means:
 
 wait a 'long' time (av. 15 min)
 
 authenticate successful

  This has nothing to do with FreeRADIUS.  If the client/NAS doesn't
contact the server, there's nothing that FreeRADIUS can do to speed up
the process.

 The CISCO Access Control Server ACS did not show this behavior.

  I would suggest seeing what attributes are sent back from the Cisco
server, and make FreeRADIUS send back the same attributes.

  Whatever the problem is, that is the only fix.

  Alan DeKok.



How to start/stop/restart FR

2003-12-15 Thread Ripunjay Bararia
hi
just had this silly question

what is the preferred/normal way to start/stop/restart FR running on a
RedHat box
with or without init.d scripts

Ripunjay Bararia




RE: How to start/stop/restart FR

2003-12-15 Thread Deramus, Chris
Ripunjay,


I have been running FreeRADIUS successfully for over a year on various versions of Redhat. I simply just copied the radiusd executable into /etc/init.d and created a symbolic link to this file in /etc/rc3.d

Each time the machine is restarted or powered on it will then start this process. When I terminate the process I usually just executed a pkill -9 rad which is not the recommended way but it's a bad habit that I have :).

Thanks,


Chris DeRamus
OCIO VPN Administrator
SAIC



-Original Message-
From: Ripunjay Bararia [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 15, 2003 2:45 PM
To: [EMAIL PROTECTED]
Subject: How to start/stop/restart FR



hi
just had this silly question


what is the preferred/normal way to start/stop/restart FR running on a RedHat box with or without init.d scripts


Ripunjay Bararia








RE: There are no DB handles to use! skipped 0, tried to connect 0

2003-12-15 Thread Ripunjay Bararia
Thanks Alan 
I will try to see what can be done about the MySQL interface

thanks
Ripunjay

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
 Sent: Tuesday, December 16, 2003 1:08 AM
 To: [EMAIL PROTECTED]
 Subject: Re: There are no DB handles to use! skipped 0, tried to connect
 0
 
 
 Ripunjay Bararia [EMAIL PROTECTED] wrote:
  My SQL server and FR are running on the same box,
  will separating them be a good idea,
 
   It shouldn't matter.
 
  I need to do AAA for about 1500 concurrent users
  what kind of a machine would I need for FR
 
   Almost any machine available today will do this easily.
 
  and how much load will it put on the MySQL server
 
   Almost no load.
 
 
   Something in your SQL database is taking a long time, and preventing
 the server from working properly.  Find out what that is, and the
 server will be OK.
 
   I don't know much about SQL, so I can't help you there, sorry.
 
   Alan DeKok.
 
 - 
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 




Re: response-authenticator decrypt fail

2003-12-15 Thread Bo
Finally I found the problem. Looks like the Cisco router messed up the
secrets of different Radius Servers. I have two Radius Servers configured on
the same router for different purposes. When both of them are enabled,
neither of them is working. The same error message comes out. But if only
one is enabled, there is no problem.

- Original Message -
From: Bo [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 12, 2003 4:49 PM
Subject: Re: response-authenticator decrypt fail


 Did anyone experience the same problem? Your help is really appreciated.

 Thanks,

 - Original Message -
 From: Bo [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, December 11, 2003 2:08 PM
 Subject: Re: response-authenticator decrypt fail


  I have double checked the shared secret on both sides. I even changed it
  from 15 digits to 10 digits. Still I got the same Error.
 
  Any idea? Thanks.
 
  - Original Message -
  From: Alan DeKok [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Thursday, December 11, 2003 1:48 PM
  Subject: Re: response-authenticator decrypt fail
 
 
   Bo [EMAIL PROTECTED] wrote:
I installed the FreeRadius 0.9.3 on Redhat 8.0 and did some tests
with
the Cisco AS5400 for authenticating the dial-up users. From the
server
side, everything was OK and it sent the Access-Accept back. But
unfortunately I got the following error message on AS5400.
  
 Your shared secret is wrong.
  
 Alan DeKok.
  
   -
   List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html
 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
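
The check that fails in the thread above, as an added example (not code from the posts or from FreeRADIUS): per RFC 2865 the NAS recomputes the Response Authenticator with its own copy of the shared secret, so a valid Access-Accept checked against another server's secret is rejected. The server names, secrets and packet contents are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_reply(code, ident, request_auth, attributes, secret):
    """Server side: header, Response Authenticator, then the attributes."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    return header + auth + attributes


def verify_reply(packet, request_auth, secret):
    """NAS side: recompute the authenticator; False means the reply is dropped."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return False
    attributes = packet[HEADER_LEN:length]
    expected = response_authenticator(code, ident, request_auth, attributes, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def matching_secrets(packet, request_auth, configured):
    """Names of the configured servers whose secret validates this reply."""
    return sorted(
        name for name, secret in configured.items()
        if verify_reply(packet, request_auth, secret)
    )


# Constructed sample data: two servers with different secrets on one NAS.
CONFIGURED = {
    "radius-a": b"constructed-secret-A",
    "radius-b": b"constructed-secret-B",
}
REQUEST_AUTH = bytes(range(16))                  # Request Authenticator sent by the NAS
REPLY_MESSAGE = bytes([18, 2 + 5]) + b"hello"    # attribute 18 (Reply-Message)
REPLY_FROM_A = build_reply(
    ACCESS_ACCEPT, 42, REQUEST_AUTH, REPLY_MESSAGE, CONFIGURED["radius-a"]
)

if __name__ == "__main__":
    print("checked with A's secret:", verify_reply(REPLY_FROM_A, REQUEST_AUTH, CONFIGURED["radius-a"]))
    print("checked with B's secret:", verify_reply(REPLY_FROM_A, REQUEST_AUTH, CONFIGURED["radius-b"]))
    print("secrets that validate the reply:", matching_secrets(REPLY_FROM_A, REQUEST_AUTH, CONFIGURED))
```
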


RE: There are no DB handles to use! skipped 0, tried to connect 0

2003-12-15 Thread Kostas Kalevras
On Tue, 16 Dec 2003, Ripunjay Bararia wrote:

> thanks Alan, for the comment,
>
> My SQL server and FR are running on the same box,
> will separating them be a good idea,
> I need to do AAA for about 1500 concurrent users
> what kind of a machine would I need for FR
> and how much load will it put on the MySQL server
> so that I can scale both of the machines accordingly
>
> currently both are running on
>
> P-IV 2.6
> Intel 856 based board
> 512MB DDR 266Mhz
> 9.1GB X 2 SCSI disks

The hardware is more than adequate. And there's no need to separate them.

Read doc/tuning_guide and especially the section on the sql module.
In general for mysql EXPLAIN SELECT is your friend. Run all the SELECT queries
(and also transform all the UPDATE queries to corresponding SELECT queries)
through an EXPLAIN SELECT statement to see how many candidate rows are there.
Example outputs:

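mysql> explain select * from radacct where acctstoptime is null;
+---------+------+---------------+--------------+---------+-------+------+-------------+
| table   | type | possible_keys | key          | key_len | ref   | rows | Extra       |
+---------+------+---------------+--------------+---------+-------+------+-------------+
| radacct | ref  | AcctStopTime  | AcctStopTime |       8 | const |  315 | Using where |
                                                                      ^
+---------+------+---------------+--------------+---------+-------+------+-------------+
1 row in set (0.02 sec)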

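mysql> explain select * from radacct where acctstoptime = '2003-12-15 21:00:00';
+---------+------+---------------+--------------+---------+-------+------+-------------+
| table   | type | possible_keys | key          | key_len | ref   | rows | Extra       |
+---------+------+---------------+--------------+---------+-------+------+-------------+
| radacct | ref  | AcctStopTime  | AcctStopTime |       8 | const |    1 | Using where |
                                                                       ^
+---------+------+---------------+--------------+---------+-------+------+-------------+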


The rows and possible_keys columns are important. If you see that the candidate
rows are more than a few, or that an index is never used (for example:

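mysql> explain select * from radacct where acctterminatecause = 'User-Request';
+---------+------+---------------+------+---------+------+--------+-------------+
| table   | type | possible_keys | key  | key_len | ref  | rows   | Extra       |
+---------+------+---------------+------+---------+------+--------+-------------+
| radacct | ALL  | NULL          | NULL |    NULL | NULL | 971518 | Using where |
+---------+------+---------------+------+---------+------+--------+-------------+
1 row in set (0.00 sec)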

then you should either rearrange your queries to use a proper index (like using
the acctuniqueid column in the accounting_stop query) or add a corresponding
index.

If you are using MySQL 3.X maybe you should think of moving to 4.X and to the
InnoDB tables (instead of MyISAM which have global instead of per row locking).

Hope the above was helpful.



 thanks
 Ripunjay Bararia

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
  Sent: Monday, December 15, 2003 10:19 PM
  To: [EMAIL PROTECTED]
  Subject: Re: There are no DB handles to use! skipped 0, tried to connect
  0
 
 
  Ripunjay Bararia [EMAIL PROTECTED] wrote:
   --- radius.log begin ---
   Mon Dec 15 12:30:23 2003 : Info: rlm_sql (sql): There are no DB
  handles to
   use! skipped 0, tried to connect 0
 
Find out why your SQL database is slow.
 
Alan DeKok.
 
  -
  List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html
 


 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
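
The procedure from the message above (turn each UPDATE into its SELECT, ask the planner, index the column if it reports a full scan), as an added example that is not from the post. SQLite's EXPLAIN QUERY PLAN stands in for MySQL's EXPLAIN SELECT so the block runs offline; the cut-down radacct table, index names and rows are constructed.

```python
import re
import sqlite3


def make_radacct(rows=200):
    """Constructed, cut-down radacct table with an index on acctstoptime only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (radacctid INTEGER PRIMARY KEY, acctuniqueid TEXT,"
        " username TEXT, acctstoptime TEXT, acctterminatecause TEXT)"
    )
    conn.execute("CREATE INDEX acctstoptime_idx ON radacct (acctstoptime)")
    conn.executemany(
        "INSERT INTO radacct (acctuniqueid, username, acctstoptime, acctterminatecause)"
        " VALUES (?, ?, ?, ?)",
        [
            ("%016x" % i, "user%d" % (i % 20),
             None if i % 10 == 0 else "2003-12-15 21:00:00", "User-Request")
            for i in range(rows)
        ],
    )
    return conn


def update_to_select(sql):
    """Rewrite 'UPDATE t SET ... WHERE cond' as 'SELECT * FROM t WHERE cond'."""
    match = re.match(
        r"\s*UPDATE\s+(\w+)\s+SET\s+.*?\s+WHERE\s+(.*)", sql,
        re.IGNORECASE | re.DOTALL,
    )
    if not match:
        return sql  # already a SELECT (or has no WHERE clause)
    return "SELECT * FROM %s WHERE %s" % (match.group(1), match.group(2))


def query_plan(conn, sql):
    """Planner steps for the SELECT form of the statement (4th column is the detail)."""
    cursor = conn.execute("EXPLAIN QUERY PLAN " + update_to_select(sql))
    return [row[3] for row in cursor]


def is_full_scan(conn, sql):
    """True when the planner walks the whole table, like type=ALL in MySQL."""
    return any(step.startswith("SCAN") for step in query_plan(conn, sql))


# Constructed accounting-stop style statement keyed on acctuniqueid.
STOP_UPDATE = (
    "UPDATE radacct SET acctstoptime = '2003-12-15 21:05:00' "
    "WHERE acctuniqueid = '0000000000000007'"
)

if __name__ == "__main__":
    conn = make_radacct()
    print("before index:", query_plan(conn, STOP_UPDATE))
    conn.execute("CREATE INDEX acctuniqueid_idx ON radacct (acctuniqueid)")
    print("after index: ", query_plan(conn, STOP_UPDATE))
```
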


Re: There are no DB handles to use! skipped 0, tried to connect 0

2003-12-15 Thread [EMAIL PROTECTED]
I had this very same error several times.  This answer may
be way off base, but I found that MySQL was putting
mysql.sock in /tmp.  I changed /etc/my.conf
to socket = /var/lib/mysql/mysql.sock and it fixed it.

Again, I am no expert in MySQL or FreeRADIUS but
I am learning.


- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 15, 2003 1:37 PM
Subject: Re: There are no DB handles to use! skipped 0, tried to connect 0


 Ripunjay Bararia [EMAIL PROTECTED] wrote:
  My SQL server and FR are running on the same box,
  will separating them be a good idea,

   It shouldn't matter.

  I need to do AAA for about 1500 concurrent users
  what kind of a machine would I need for FR

   Almost any machine available today will do this easily.

  and how much load will it put on the MySQL server

   Almost no load.


   Something in your SQL database is taking a long time, and preventing
 the server from working properly.  Find out what that is, and the
 server will be OK.

   I don't know much about SQL, so I can't help you there, sorry.

   Alan DeKok.

 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




Re: accounting_stop request: bigint

2003-12-15 Thread Alexander M. Pravking
On Mon, Dec 15, 2003 at 12:56:53PM -0600, Click Chebon wrote:
 Using Postgresql 4.7
I hope you mean 7.4 ;)

 rad_recv: Accounting-Request packet from host 192.168.0.1:3306, id=21,
 length=38
 User-Name = clint
 Acct-Status-Type = Stop
 Acct-Session-Id = 816
...
 radius_xlat:  'UPDATE radacct ??SET AcctStopTime = (now() - '0'::interval),
 AcctSessionTime = '',
   ^^^
  ??AcctInputOctets = (('0'::bigint  32) + '0'::bigint), ??AcctOutputOctets
 = (('0'::bigint  3
 2) + '0'::bigint), ??AcctTerminateCause = '', AcctStopDelay = '0',
 ??FramedIPAddress = NULLIF('',
  '')::inet, ConnectInfo_stop = '' ??WHERE AcctSessionId = '816' AND UserName
 = 'clint' ??AND NASI
 PAddress = '192.168.0.1' AND AcctStopTime IS NULL'

There's no Acct-Session-Time in the request.
Try using %{Acct-Session-Time:-0} in accounting_stop_query.


-- 
Fduch M. Pravking



Re: accounting_stop request: bigint

2003-12-15 Thread Guy Fraser
Check the Acct_Session-Time in 
/usr/local/var/log/radius/radacct/192.168.0.1/detail-20031213
for the stop record of session 816.
The sql is attempting to set AcctSessionTime = ''

AcctSessionTime is a bigint, and '' is not an integer, that is
why you are getting the error.


Click Chebon wrote:

Using Postgresql 4.7
and FreeRadius 0.9.3
on FreeBSD 5.1
On sending an Accounting Stop Request to Freeradius
I get some errors in summary
invalid input syntax for type bigint: 
below is the error log and
Below the log is the standard part of postgresql.conf I am using it
unmodified
Nothing to do.  Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 192.168.0.1:3306, id=21,
length=38
   User-Name = clint
   Acct-Status-Type = Stop
   Acct-Session-Id = 816
modcall: entering group preacct for request 3
 modcall[preacct]: module preprocess returns noop for request 3
   rlm_realm: No '@' in User-Name = clint, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[preacct]: module suffix returns noop for request 3
modcall: group preacct returns noop for request 3
modcall: entering group accounting for request 3
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request,
unique ID MAY be incons
istent
rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.0.1,NAS-IP-Address =
192.168.0.1,Acct-Sess
ion-Id = 816,User-Name = clint'
rlm_acct_unique: Acct-Unique-Session-ID = 38a313dce3842355.
 modcall[accounting]: module acct_unique returns ok for request 3
radius_xlat:
'/usr/local/var/log/radius/radacct/192.168.0.1/detail-20031213'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /usr/
local/var/log/radius/radacct/192.168.0.1/detail-20031213
 

...snip...

rlm_sql (sql): Connected new DB handle, #1
rlm_sql_postgresql: query: UPDATE radacct ??SET AcctStopTime = (now() -
'0'::interval), AcctSessi
onTime = '', ??AcctInputOctets = (('0'::bigint  32) + '0'::bigint),
??AcctOutputOctets = (('0':
:bigint  32) + '0'::bigint), ??AcctTerminateCause = '', AcctStopDelay =
'0', ??FramedIPAddress
= NULLIF('', '')::inet, ConnectInfo_stop = '' ??WHERE AcctSessionId = '816'
AND UserName = 'clint
' ??AND NASIPAddress = '192.168.0.1' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: affected rows =
rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning
SQL_DOWN
rlm_sql (sql): failed after re-connect
rlm_sql (sql): Couldn't update SQL accounting STOP record - ERROR:  invalid
input syntax for type
bigint: 
 

...snip...





Re: accounting_stop request: bigint

2003-12-15 Thread Click Chebon
I did mean Postgresql 7.4, whoops, fat fingers today.
After the suggested change

> There's no Acct-Session-Time in the request.
> Try using %{Acct-Session-Time:-0} in accounting_stop_query.

now I receive the following:

rad_recv: Accounting-Request packet from host 192.168.0.1:3358, id=30,
length=44
User-Name = clint
Acct-Status-Type = Stop
Acct-Session-Id = 816
Termination-Action = RADIUS-Request
modcall: entering group preacct for request 0
  modcall[preacct]: module preprocess returns noop for request 0
rlm_realm: No '@' in User-Name = clint, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 0
modcall: group preacct returns noop for request 0
modcall: entering group accounting for request 0
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request,
unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.0.1,NAS-IP-Address =
192.168.0.1,Acct-Session-Id = 816,User-Name = clint'
rlm_acct_unique: Acct-Unique-Session-ID = 38a313dce3842355.
  modcall[accounting]: module acct_unique returns ok for request 0
radius_xlat:
'/usr/local/var/log/radius/radacct/192.168.0.1/detail-20031215'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /usr/local/var/log/radius/radacct/192.168.0.1/detail-20031215
  modcall[accounting]: module detail returns ok for request 0
  modcall[accounting]: module unix returns noop for request 0
radius_xlat:  'clint'
rlm_sql (sql): sql_set_user escaped user -- 'clint'
radius_xlat:  'UPDATE radacct ??SET AcctStopTime = (now() - '0'::interval),
AcctSessionTime = '0', ??AcctInputOctets = (('0'::bigint  32) +
'0'::bigint), ??AcctOutputOctets = (('0'::bigint  32) + '0'::bigint),
??AcctTerminateCause = '', AcctStopDelay = '0', ??FramedIPAddress =
NULLIF('', '')::inet, ConnectInfo_stop = '' ??WHERE AcctSessionId = '816'
AND UserName = 'clint' ??AND NASIPAddress = '192.168.0.1' AND AcctStopTime
IS NULL'
radius_xlat:  '/usr/local/var/log/radius/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: UPDATE radacct ??SET AcctStopTime = (now() -
'0'::interval), AcctSessionTime = '0', ??AcctInputOctets = (('0'::bigint 
32) + '0'::bigint), ??AcctOutputOctets = (('0'::bigint  32) +
'0'::bigint), ??AcctTerminateCause = '', AcctStopDelay = '0',
??FramedIPAddress = NULLIF('', '')::inet, ConnectInfo_stop = '' ??WHERE
AcctSessionId = '816' AND UserName = 'clint' ??AND NASIPAddress =
'192.168.0.1' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: affected rows = 0
radius_xlat:  'rlm_sql: Stop packet with zero session length.  (user
'clint', nas '192.168.0.1')'
rlm_sql: Stop packet with zero session length.  (user 'clint', nas
'192.168.0.1')
rlm_sql (sql): Released sql socket id: 4
radius_xlat:  'INSERT into radacct ??(AcctSessionId, AcctUniqueId, UserName,
Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime,
??AcctSessionTime, AcctAuthentic, ConnectInfo_stop, AcctInputOctets,
AcctOutputOctets, CalledStationId, CallingStationId, ??AcctTerminateCause,
ServiceType, FramedProtocol, FramedIPAddress, AcctStopDelay) ??values('816',
'38a313dce3842355', 'clint', '', '192.168.0.1', ??'', '', (now() -
'0'::interval - '0'::interval), ??(now() - '0'::interval), '0', '', '',
??(('0'::bigint  32) + '0'::bigint), ??(('0'::bigint  32) +
'0'::bigint), '', ??'', '', '', '', ??NULLIF('', '')::inet, '0')'
radius_xlat:  '/usr/local/var/log/radius/sqltrace.sql'
rlm_sql_postgresql: query: INSERT into radacct ??(AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctStopTime, ??AcctSessionTime, AcctAuthentic,
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, ??AcctTerminateCause, ServiceType, FramedProtocol,
FramedIPAddress, AcctStopDelay) ??values('816', '38a313dce3842355', 'clint',
'', '192.168.0.1', ??'', '', (now() -  '0'::interval - '0'::interval),
??(now() - '0'::interval), '0', '', '', ??(('0'::bigint  32) +
'0'::bigint), ??(('0'::bigint  32) + '0'::bigint), '', ??'', '', '', '',
??NULLIF('', '')::inet, '0')
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: affected rows =
rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning
SQL_DOWN
rlm_sql (sql): Attempting to connect rlm_sql_postgresql #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql_postgresql: query: INSERT into radacct ??(AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctStopTime, ??AcctSessionTime, AcctAuthentic,
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, ??AcctTerminateCause, ServiceType, FramedProtocol,
FramedIPAddress, AcctStopDelay) ??values('816', '38a313dce3842355', 'clint',
'', '192.168.0.1', ??'', '', (now() -  '0'::interval - '0'::interval),
??(now() - '0'::interval), '0

Custom SQL Query

2003-12-15 Thread Amgaabaatar Purevjal
Hello
I need to run a custom query after I receive an accounting packet. Where should I look?
Is rlm_sql.c the correct file? Or could I add it to the accounting query?
Thanks



Re: Custom SQL Query

2003-12-15 Thread Kevin Bonner
On Monday 15 December 2003 18:03, Amgaabaatar Purevjal wrote:
 Hello
 I need to put some custom query after I receive accounting packet. Where I
 should look into it? rlm_sql.c is that correct file? Or I could add into
 accounting query? Thanks

sql.conf (by default) is where you should specify any query.  There are 
defaults in there which can be modified so that they work with your local 
table structure.

Kevin Bonner




Re: accounting_stop request: bigint

2003-12-15 Thread Guy Fraser
Show us the detail file entry.

You have no valid data in that record, other than the NAS-IP-Address,
User-Name, and Acct-Session-Id.
What are you using to generate the accounting record?

If this is coming from a NAS, then why is the Acct-Session-Id the same
in both your examples?




Re: accounting_stop request: bigint

2003-12-15 Thread Alexander M. Pravking
On Mon, Dec 15, 2003 at 04:36:00PM -0600, Click Chebon wrote:
 rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request,
 unique ID MAY be inconsistent

Is it a real stop packet or just test?
If it's a test packet, try more real data.
If not, don't be lazy to configure rlm_acct_unique properly.

 rlm_sql_postgresql: query: UPDATE radacct ??SET AcctStopTime = (now() -
 '0'::interval), AcctSessionTime = '0', ??AcctInputOctets = (('0'::bigint 
 32) + '0'::bigint), ??AcctOutputOctets = (('0'::bigint  32) +
 '0'::bigint), ??AcctTerminateCause = '', AcctStopDelay = '0',
 ??FramedIPAddress = NULLIF('', '')::inet, ConnectInfo_stop = '' ??WHERE
 AcctSessionId = '816' AND UserName = 'clint' ??AND NASIPAddress =
 '192.168.0.1' AND AcctStopTime IS NULL
 rlm_sql_postgresql: Status: PGRES_COMMAND_OK
 rlm_sql_postgresql: affected rows = 0
 radius_xlat:  'rlm_sql: Stop packet with zero session length.  (user
 'clint', nas '192.168.0.1')'
 rlm_sql: Stop packet with zero session length.  (user 'clint', nas
 '192.168.0.1')

The server couldn't find matching start record for this request
(accounting_stop_query affected no rows), and trying to insert new
record using accounting_stop query_alt which fails.

 rlm_sql_postgresql: query: INSERT into radacct ??(AcctSessionId,
 AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
   ^
 AcctStartTime, AcctStopTime, ??AcctSessionTime, AcctAuthentic,
 ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId,
 CallingStationId, ??AcctTerminateCause, ServiceType, FramedProtocol,
 FramedIPAddress, AcctStopDelay) ??values('816', '38a313dce3842355', 'clint',
 '', '192.168.0.1', ??'', '', (now() -  '0'::interval - '0'::interval),
   ^^
 ??(now() - '0'::interval), '0', '', '', ??(('0'::bigint  32) +
 '0'::bigint), ??(('0'::bigint  32) + '0'::bigint), '', ??'', '', '', '',
 ??NULLIF('', '')::inet, '0')

Similar thing as before. You can use %{Attr:-dev_value} syntax or
NULLIF('%{Attr}', '') or just edit schema and postgresql.conf to be
closer to your needs, e.g take NASPortId/NAS-Port away.


-- 
Fduch M. Pravking

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
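
How the two expansions discussed in this thread behave, as an added example (a sketch, not FreeRADIUS's xlat code): `%{Attr}` expands to an empty string when the attribute is absent from the request, while `%{Attr:-0}` and `NULLIF('%{Attr}', '')` keep `''` out of typed columns. The query templates are constructed and shortened from the log above, and the numeric column set is an assumption based on the thread's statement that AcctSessionTime is a bigint.

```python
import re

# Matches %{Attr} and %{Attr:-default}; group 2 is None when no default is given.
XLAT = re.compile(r"%\{([A-Za-z0-9-]+)(?::-([^}]*))?\}")
# Matches "Column = ''" in expanded SQL (an empty literal being assigned).
EMPTY_ASSIGNMENT = re.compile(r"\b(\w+)\s*=\s*''(?!')")

# Assumption for this example: columns the schema declares as bigint.
NUMERIC_COLUMNS = {"AcctSessionTime"}


def expand(template, request):
    """Expand the template against the request attributes.

    No SQL escaping is done here; the inputs are constructed constants.
    """
    def substitute(match):
        name, default = match.group(1), match.group(2)
        if name in request:
            return str(request[name])
        return default if default is not None else ""
    return XLAT.sub(substitute, template)


def empty_numeric_assignments(sql, numeric_columns=NUMERIC_COLUMNS):
    """Numeric columns that the expanded SQL would set to '' (rejected as bigint)."""
    found = []
    for match in EMPTY_ASSIGNMENT.finditer(sql):
        column = match.group(1)
        if column in numeric_columns and column not in found:
            found.append(column)
    return found


# The attributes present in the thread's Accounting-Request.
REQUEST = {"User-Name": "clint", "Acct-Status-Type": "Stop", "Acct-Session-Id": "816"}

# Constructed templates: BEFORE has a bare %{Acct-Session-Time}, AFTER has the default.
STOP_QUERY_BEFORE = (
    "UPDATE radacct SET AcctStopTime = (now() - '%{Acct-Delay-Time:-0}'::interval), "
    "AcctSessionTime = '%{Acct-Session-Time}', "
    "AcctTerminateCause = '%{Acct-Terminate-Cause}', "
    "FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet "
    "WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{User-Name}'"
)
STOP_QUERY_AFTER = STOP_QUERY_BEFORE.replace(
    "%{Acct-Session-Time}", "%{Acct-Session-Time:-0}"
)

if __name__ == "__main__":
    for label, template in (("before", STOP_QUERY_BEFORE), ("after", STOP_QUERY_AFTER)):
        sql = expand(template, REQUEST)
        print(label, "->", empty_numeric_assignments(sql))
        print(sql)
```
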


join.

2003-12-15 Thread wEiRDo

_
Leonardo D. Pabroquez Jr.
00-51582
Department of Computer Science, College of Engineering
University of the Philippines
Diliman, Quezon City








Re: rlm_perl Client-IP-Address

2003-12-15 Thread Bruce Cook
Boian Jordanov wrote:

On Mon, Dec 15, 2003 at 09:12:59AM +0800, Bruce Cook wrote:
 

Hmm, don't see it in the current version I'm running, I'll suck the 
latest CVS and
have a look at that.

[...]

   

You have to use preprocess module for Client-IP-Address 

from radiusd.conf authorize section.

--//--
#  It also adds a Client-IP-Address attribute to the request.
 preprocess
--//--
 

Excellent, I'll take a look at that, Thanks.

Bruce





Configure Errors with OpenSSL NetSNMP

2003-12-15 Thread MkLinux Admin @ Oceanbay
 This may have been covered before, but I cannot seem to find it when 
searching the archives. I am new to FreeRadius, but not new to Linux. I 
tried configuring FreeRadius; when checking for 
asn1.h,snmp.h,snmp_impl.h... it would not find the NetSNMP installation. 
The location of the installation is /usr/local. It is looking in all the 
places but /usr/local/include/net-snmp/. I edited the configure 
script to work, by changing the includes. It also could not find the 
correct library in the next step. So I had to edit again to include the 
correct library -lnetsnmp, then edit the code so it will look for the 
headers in the right place net-snmp. I dunno if this is a flaw in the 
autoconf not being updated or what.

 On to OpenSSL, OpenSSL was compiled and installed in /usr/local/ssl 
and it cannot be found by the configure script. I added the usual 
LDFLAGS, etc to get it to find it, but there was more mess. In the end I 
just bypassed the checks altogether and told it it was okay to go ahead 
and include that.

 In the config.log I get lots of undefined references like these

configure:1029: checking for SSL_new in -lssl
configure:1044: gcc -o conftest -g -O2   -I/usr/local/ssl/include 
-I/usr/local/pgsql/include
 -I/usr/local/include/net-snmp/library -L/usr/local/ssl/lib 
-L/usr/local/pgsql/lib -L/usr/lo
cal/lib conftest.c -lnsl -lresolv  -lpthread -lcrypto -lssl 15
/usr/local/ssl/lib/libssl.a(ssl_lib.o)(.text+0x3c): In function 
`SSL_clear':
: undefined reference to `ERR_put_error'

 Then I checked the confdefs.h file, it is 100% empty, something is 
getting stomped on here. No included ssl headers. When I change that to 
add in the ssl headers like below, I get the next bad result.

--
echo "configure:1029: checking for SSL_new in -lssl" >&5

smart_lib=
smart_lib_dir=

  old_LIBS="$LIBS"
  LIBS="$LIBS -lssl"
  cat > conftest.$ac_ext <<EOF
#line 1037 "configure"
#include "confdefs.h"
#include <openssl/ssl.h>
extern char SSL_new();
int main() {
 SSL_new()
; return 0; }
EOF
--

 Now we get this in the config.log file.

--
configure:1029: checking for SSL_new in -lssl
configure:1044: gcc -o conftest -g -O2   -I/usr/local/ssl/include 
-I/usr/local/pgsql/include
 -I/usr/local/include/net-snmp/library -L/usr/local/ssl/lib 
-L/usr/local/pgsql/lib -L/usr/lo
cal/lib conftest.c -lnsl -lresolv  -lpthread -lcrypto -lssl 15
configure:1039: conflicting types for `SSL_new'
/usr/local/ssl/include/openssl/ssl.h:1304: previous declaration of 
`SSL_new'
configure: failed program was:
#line 1037 configure
#include confdefs.h
#include openssl/ssl.h
extern char SSL_new();
int main() {
 SSL_new()
; return 0; }
--

 FreeRadius is the only one which does not seem to get a hold of 
OpenSSL easy. I dunno what is going on, but I had to hand edit the 
configure script to get it all to work. Maybe this is all worth a good 
looking over. As for all of my code I write I use my own home-made 
configure scripts so I dunno how to fit it all up with autoconf.

 If you need anything further than this feel free to email me.

-M

(the above examples are for the rlm_eap_tls directory, but are 
representative of all of the looking for SSL_new in all the parts of the 
configure script)
