Enabling login access and denied to be logged in radius log file

2011-10-27 Thread Det Det
Hi,

How do I enable logging of user accept and deny logins in the log file? I tried to 
put sql_log in post-auth but it didn't work.


thanks!
det
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Enabling login access and denied to be logged in radius log file

2011-10-27 Thread Det Det
I had tried to use the reply_log. It logs accept or reject in the log file but does 
not include the username. How do I add the username info?




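One way to get the per-user accept/reject lines this thread asks for, added here as an example rather than taken from the thread or from the stock FreeRADIUS configuration. It assumes FreeRADIUS 2.x; the instance names auth_log_ok/auth_log_fail, the file name auth.log and the line format are my choices.

```unlang
# radiusd.conf -- the built-in authentication log already writes one line per
# Access-Accept / Access-Reject that includes the User-Name (roughly
# "Auth: Login OK: [user] (from client ... port ... cli ...)"). Nothing more
# than this is needed for a plain "who was accepted / rejected" record.
log {
    destination = files
    file = ${logdir}/radius.log
    auth = yes            # log the Accept / Reject decision for every request
    auth_badpass = no     # never write submitted passwords into the log
    auth_goodpass = no
}

# modules/auth_log (assumed file name) -- linelog instances for a custom
# one-line-per-decision format. %S expands to the request timestamp; the
# request attributes are still available in post-auth, which is why User-Name
# can be logged here even though a reply-only detail log (reply_log) never
# sees it: User-Name lives in the request, not in the reply.
linelog auth_log_ok {
    filename = ${logdir}/auth.log
    permissions = 0600
    format = "%S ACCEPT user=%{User-Name} nas=%{NAS-IP-Address} cli=%{Calling-Station-Id}"
}
linelog auth_log_fail {
    filename = ${logdir}/auth.log
    permissions = 0600
    format = "%S REJECT user=%{User-Name} nas=%{NAS-IP-Address} cli=%{Calling-Station-Id} msg=%{reply:Reply-Message}"
}

# sites-enabled/default -- the top of post-auth only runs for requests that
# are being accepted; rejected requests run the "Post-Auth-Type REJECT"
# sub-section instead. A single module listed at the top of post-auth
# therefore never records rejects, so each outcome gets its own instance.
post-auth {
    auth_log_ok
    Post-Auth-Type REJECT {
        attr_filter.access_reject
        auth_log_fail
    }
}
```

Restart the server (or run radiusd -X once) after adding the module instances so the new file names are created with the radiusd user's permissions.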


systemd and FreeRADIUS

2011-10-27 Thread Stefan Winter
Hi,

seems like openSUSE is going the fancy way and throws good old INIT
overboard with their next release. System initialisation and
housekeeping is changing towards systemd instead.

So, in 20-something days I'll try to get my first FreeRADIUS running on
that, and can't use my good old init scripts any more (I guess I could
with some systemd-to-INIT legacy support, but I like eating fresh dogfood).

Is there already someone working on systemd description files for
FreeRADIUS? If not, I'll (have to :-) ) give it a go myself...

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473






Re: Why is not writting in second detail file?

2011-10-27 Thread tonimanel
Hi, 

I have checked my NAS's packets and I can confirm that it sends Event-Timestamp
(I have seen it in the output of freeradius -X). Now, what do I have to do? I
have seen that Event-Timestamp does not have a good MySQL format: Oct 26 2011
13:03:14 CEST. Any idea?

Thanks.



Re: Sending accounting packets to more than one server?

2011-10-27 Thread tonimanel
Is it possible to do this with copy-acct-to-home-server? With
copy-acct-to-home-server I can't get it. Have you managed to copy the same set
of information from one server to another?

Thanks.



Re: How to configure proxy server to send a copy of acct to remote/home server

2011-10-27 Thread tonimanel
Have you got this configuration? How have you done it? I can't get it to sync
accounting data to the remote server with the same set of information (acctstarttime
and acctstoptime have different times - I think that this is because the
servers take their local time at the moment they receive the packets). 

Any idea?



Re: Freeradius mysql acct copy

2011-10-27 Thread tonimanel
Hi,

Is this configuration correct? Nowadays, could I use this to copy acct to
a remote server?

Thanks.



Re: Sending accounting packets to more than one server?

2011-10-27 Thread Alan DeKok
tonimanel wrote:
 Is it possible to do this with copy-acct-to-home-server? With
 copy-acct-to-home-server I can't get it. Have you managed to copy the same set
 of information from one server to another?

  Sending the same question multiple times is rude.

  Download the latest version, and read doc/ChangeLog.   The answer to
your question is there.

  Alan DeKok.



Re: PEAP with Machine auth

2011-10-27 Thread Bonald
The weird thing is that I didn't see that popup

On Wed, Oct 26, 2011 at 5:07 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 10/26/2011 07:53 PM, Francois Gaudreault wrote:

 Correct me if I am wrong, but that should not be needed when you are not
 validating server certificate.

 There are a few issues; let me try to lay them out.

 First: it seems you MUST install the CA on the client (in one or both of the
 user or machine store, depending on whether you're doing user or
 machine-based auth). Authentication will simply fail if you don't install
 the CA - although helpfully Windows does seem to send an invalid CA TLS
 alert.


 Second: If (and only if) you install the CA, then when you FIRST connect to
 a network, you will be shown the dialog box "The connection attempt could
 not be completed". In my testing, if you click "Continue", then Windows
 will:

  a. Check "Validate server certificate"
  b. Leave "Connect to these servers" (hostname/CN) blank
  c. Check the box next to the CA cert

 That is, windows will trust on first use (TOFU) the *specific* CA for that
 *specific* connection profile (WLAN SSID or Wired profile).

 The text at the link given by the OP is misleading. The issue is not whether
 the CA is a Trusted CA on the machine/user store as a whole. It's whether
 it's trusted for *that specific connection* as a CA for signing the
 authentication server cert.

 I'm unsure whether the OP is clicking Continue at the prompt and it's
 failing, or if he's not clicking Continue or not even being presented with
 the option - but as I say, in my testing, TOFU works.


Re: Sending accounting packets to more than one server?

2011-10-27 Thread tonimanel
Hi Alan,

I'm very sorry, but I was desperate. Now I understand how I can do this.
Following the documentation and re-reading it, I understand that I can use the
radrelay.conf configuration to make an exact replica, obviously with a
second detail file created and with a reader and a writer configured. My
eyes have been opened! However, I think that there are a lot of answers that
cause confusion.

Thanks!



Re: PEAP with Machine auth

2011-10-27 Thread Phil Mayers

On 27/10/11 13:12, Bonald wrote:

The weird thing is that I didn't see that popup


That is very odd.

I just tried this again; purged the CA from the User & Machine lists, 
deleted the wired 802.1x profile and re-connected. 1st time - no joy 
because the CA is unknown. Import the CA & retry and I get prompted to 
"Terminate" or "Connect". If I click "Connect", the 802.1x profile is 
altered to trust the CA.


Maybe you have some windows Group Policy which is preventing you from 
being prompted?



RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-27 Thread Daniel Menezes
Fajar,

I had radutmp and SQL commented out in account {}.
I don't know why, possibly a mistake.
After marking radutmp and restarting freeradius I don't see new errors in the log.

In the NAS (MikroTik) statistics there are sometimes a few resends and timeouts;
is that normal?



Regards,

---
Daniel Menezes



-Original Message-
From: freeradius-users-bounces+listas=dmnzs.com...@lists.freeradius.org
[mailto:freeradius-users-bounces+listas=dmnzs.com...@lists.freeradius.org]
On behalf of Fajar A. Nugraha
Sent: Wednesday, October 26, 2011 13:19
To: FreeRadius users mailing list
Subject: Re: FreeRadius + MySQL | radacct: Errors and Warnings

 Another thing to try: are you using radutmp? If not (e.g. the
 session/simultaneous-use check is using sql), just mark all instances
 of radutmp from sites-available/default (and whatever other virtual
 server you use).



RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-27 Thread Daniel Menezes
Hi Tim,

 1. Use the InnoDB Engine in MySQL. 
I read about it and don't know if it's the best way.
Why the InnoDB engine? The MyISAM engine is faster.

 2. Increase the number of SQL sockets in sql.conf (num_sql_socks). The
 default is 5, try 25.
Ok.

 3. Increase the number of connections (max_connections) in my.cnf to match
 the number of SQL sockets in sql.conf.
Ok.

 4. Enable the MySQL slow query log (slow_query_log) in my.cnf.
 5. Check the MySQL slow query log file for problems.
I've enabled the slow query log and set it to 2 sec.
The log doesn't show any slow queries ..
Is that too much time?
I've tested with mtop[1] too, no slow queries.

Thanks!


Regards,

---
Daniel Menezes


Links:
[1] http://mtop.sourceforge.net/ 





Re: RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-27 Thread Alan DeKok
Daniel Menezes wrote:
 1. Use the InnoDB Engine in MySQL. 
 I read about it and don't know if it's the best way.
 Why the InnoDB engine? The MyISAM engine is faster.

 If you know better than the RADIUS experts, why are you asking
questions on this list?

  Alan DeKok.


Re: PEAP with Machine auth

2011-10-27 Thread Bonald
Exactly, I have a GPO that's pushing some wireless profiles. When
disabling this GPO I see the popup.



Re: RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-27 Thread Arran Cudbard-Bell

On 27 Oct 2011, at 16:16, Alan DeKok wrote:

 Daniel Menezes wrote:
 1. Use the InnoDB Engine in MySQL. 
 I read about it and don't know if it's the best way.
 Why the InnoDB engine? The MyISAM engine is faster.
 

It doesn't support row-level locking, for one, which absolutely cripples selects 
against the radacct/postauth tables when there are high levels of 
inserts/updates.

MyISAM should *NOT* be used for postauth and radacct. The version 3 schema has 
been updated to use InnoDB for these tables.

https://github.com/alandekok/freeradius-server/blob/master/raddb/sql/mysql/schema.sql

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




Re: systemd and FreeRADIUS

2011-10-27 Thread John Dennis


Fedora has moved to systemd (with backward support for sysV 
initscripts). systemd support was added to the current Fedora 16 
FreeRADIUS RPMs by someone other than myself. It's been on my todo list 
to review what was done so I can't comment yet on how well the 
integration was done, but you're welcome to take a peek. I'm certainly 
interested in working cooperatively on systemd integration and my gut 
tells me there is more work to be done than what was already added (the 
work was done by those tasked with providing systemd support across all 
packages, so they know systemd well, but had little experience with 
FreeRADIUS).


The current F-16 SRPM can be found here:

http://kojipkgs.fedoraproject.org/packages/freeradius/2.1.12/1.fc16/src/freeradius-2.1.12-1.fc16.src.rpm

FWIW, true systemd integration requires source code changes to the 
server. Control via external scripts within the systemd environment is 
the obvious incremental step and is what I assume you're talking about.


Also Fedora has documentation on the systemd conversion, something else 
you might want to look at:


https://fedoraproject.org/wiki/Systemd

--
John Dennis jden...@redhat.com



Re: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-27 Thread Fajar A. Nugraha
On Thu, Oct 27, 2011 at 8:19 PM, Daniel Menezes lis...@dmnzs.com.br wrote:
 Fajar,

 I had radutmp and SQL commented out in account {}.
 I don't know why, a possible mistake.
 After mark radutmp and restart freeradius I don't see new errors in log.

So you mean radutmp was the root cause of your problem?

That's good, in a way. It means you've got more room to breathe (and
possibly do more improvements) before your db's high load really slows
down your system :)


 In the NAS (MikroTik) statistics sometimes have a few resends and timeouts,
 it's normal?

What does the FR log say? Does it say it receives duplicate or conflicting packets?
If yes, then the db is still slow. You still need to fix it. If not,
then the problem might be somewhere else (e.g. a congested network
causing dropped packets).

-- 
Fajar


Re: Build RPM

2011-10-27 Thread Fred
Hi Francois,

Thanks a lot for your last post, I will try to build with your spec.
It seems to be far more intelligent than mine (some BuildRequires I
don't have, etc.)

Regarding the cert patch: I already have certs from an external PKI (not
openssl-generated at install) so I suppose I can omit this patch when
I don't want to build generic packages but a customer-specific package
with the customer's certs, right?

I also tried to rpmbuild using the 2.1.x git repository (currently 2.2.0)
but I got into trouble because of the radrelay module:
even if /etc/raddb/radrelay.conf is correctly declared (note 1°), the
build reports missing radrelay.conf in
/var/tmp/freeradius-2.2.0./etc/raddb 
Any idea?

note 1°   =  %attr(640,root,radiusd) %config(noreplace)
/etc/raddb/radrelay.conf

Best regards,
Fred MAISON

2011/10/26 Francois Gaudreault fgaudrea...@inverse.ca:
 Hi,

 See Below (I won't put the comments section) for RHEL5:

 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius2
 Version: 2.1.12
 Release: 1%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/

 Source0:
 ftp://ftp.freeradius.org/pub/radius/freeradius-server-%{version}.tar.bz2
 Source100: freeradius-radiusd-init
 Source102: freeradius-logrotate
 Source103: freeradius-pam-conf

 Patch1: freeradius-cert-config.patch

 Obsoletes: freeradius2-devel
 Obsoletes: freeradius2-libs

 %define docdir %{_docdir}/freeradius-%{version}
 %define initddir %{?_initddir:%{_initddir}}%{!?_initddir:%{_initrddir}}

 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 BuildRequires: autoconf
 BuildRequires: gdbm-devel
 BuildRequires: libtool
 BuildRequires: libtool-ltdl-devel
 BuildRequires: openssl-devel
 BuildRequires: pam-devel
 BuildRequires: zlib-devel
 BuildRequires: net-snmp-devel
 BuildRequires: net-snmp-utils
 BuildRequires: readline-devel
 BuildRequires: libpcap-devel

 Requires(pre): shadow-utils glibc-common
 Requires(post): /sbin/chkconfig
 Requires(preun): /sbin/chkconfig

 %description
 The FreeRADIUS Server Project is a high performance and highly configurable
 GPL'd free RADIUS server. The server is similar in some respects to
 Livingston's 2.0 server.  While FreeRADIUS started as a variant of the
 Cistron RADIUS server, they don't share a lot in common any more. It now has
 many more features than Cistron or Livingston, and is much more
 configurable.

 FreeRADIUS is an Internet authentication daemon, which implements the RADIUS
 protocol, as defined in RFC 2865 (and others). It allows Network Access
 Servers (NAS boxes) to perform authentication for dial-up users. There are
 also RADIUS clients available for Web servers, firewalls, Unix logins, and
 more.  Using RADIUS allows authentication and authorization for a network to
 be centralized, and minimizes the amount of re-configuration which has to be
 done when adding or deleting new users.

 %package utils
 Group: System Environment/Daemons
 Summary: FreeRADIUS utilities
 Requires: %{name} = %{version}-%{release}
 Requires: libpcap >= 0.9.4

 %description utils
 The FreeRADIUS server has a number of features found in other servers,
 and additional features not found in any other server. Rather than
 doing a feature by feature comparison, we will simply list the features
 of the server, and let you decide if they satisfy your needs.

 Support for RFC and VSA Attributes Additional server configuration
 attributes Selecting a particular configuration Authentication methods

 %package ldap
 Summary: LDAP support for freeradius
 Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
 BuildRequires: openldap-devel

 %description ldap
 This plugin provides the LDAP support for the FreeRADIUS server project.

 %package krb5
 Summary: Kerberos 5 support for freeradius
 Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
 BuildRequires: krb5-devel

 %description krb5
 This plugin provides the Kerberos 5 support for the FreeRADIUS server
 project.

 %package perl
 Summary: Perl support for freeradius
 Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
 Requires: perl(:MODULE_COMPAT_%(eval `%{__perl} -V:version`; echo
 $version))
 %{?fedora:BuildRequires: perl-devel}
 %if 0%{?rhel} <= 5
 BuildRequires: perl
 %endif
 %if 0%{?rhel} >= 6
 BuildRequires: perl-devel
 %endif
 BuildRequires: perl(ExtUtils::Embed)

 %description perl
 This plugin provides the Perl support for the FreeRADIUS server project.

 %package python
 Summary: Python support for freeradius
 Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
 BuildRequires: python-devel

 %description python
 This plugin provides the Python support for the FreeRADIUS server project.

 %package mysql
 Summary: MySQL support for freeradius
 Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
 BuildRequires: mysql-devel

 %description 

Re: systemd and FreeRADIUS

2011-10-27 Thread Alan DeKok
John Dennis wrote:
 FWIW, true systemd integration requires source code changes to the
 server. Control via external scripts within the systemd environment is
 the obvious incremental step and is what I assume you're talking about.

  Source code changes to the server shouldn't be hard...

 Also Fedora has documentation on the systemd conversion, something else
 you might want to look at:
 
 https://fedoraproject.org/wiki/Systemd

  Hmm... not much documentation there on source code changes.

http://0pointer.de/blog/projects/socket-activation.html

  Has some more information.

  It might be enough just to have a command-line option saying -i
systemd, in which case it does systemd activation, rather than anything
else.

  I don't know that systemd should be the default, though, even on
systems with it configured.  Doing that will make it difficult to have
debug mode.

  Alan DeKok.


RES: RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-27 Thread Daniel Menezes
Hi Alan,

  If you know better than the RADIUS experts, why are you asking
 questions on this list?

I don't know better than anyone, I'm simply asking to understand where I'm
lost.
Sorry if you feel bad about my questions ..



Regards,

---
Daniel Menezes





Re: PEAP with Machine auth

2011-10-27 Thread Phil Mayers

On 27/10/11 15:18, Bonald wrote:

Exactly, I have a GPO that's pushing some wireless profiles. When
disabling this GPO I see the popup.


Sigh.

I hate windows.

I'm glad you've got it sorted out. If you find time to write some docs 
in the wiki that describe which GPO objects caused what behaviour, it 
might be useful for others in the future.



Re: Build RPM

2011-10-27 Thread Francois Gaudreault

Fred,

I don't know for git source, my spec is targeted for 2.1.x sources.

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: RES: RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-27 Thread Alan DeKok
Daniel Menezes wrote:
 I don't know better than anyone, I'm simply asking to understand where I'm
 lost.

  Then you should ask WHY is one better than the other.

 Sorry if you feel bad with my questions ..

  Which is proof you didn't understand my response.

  Alan DeKok.


RES: RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-27 Thread Daniel Menezes
Hi Arran,

 It doesn't support row-level locking, for one, which absolutely cripples
 selects against the radacct/postauth tables when there are
 high levels of inserts/updates.

 MyISAM should *NOT* be used for postauth and radacct. The version 3 schema
 has been updated to use InnoDB for these tables.

 https://github.com/alandekok/freeradius-server/blob/master/raddb/sql/mysql/schema.sql

Hmm, I get it now.
I'll change the engine and report the results.
Thanks.


Regards,

---
Daniel Menezes





Re: Authorising Clients by Calling Station ID Not IP

2011-10-27 Thread JennyBlunt
Cool, thanks I'll download now and take a look 

J



cisco WAP/FreeRadius/OpenLDAP

2011-10-27 Thread Matt Arguin
Hi All,
  I'm having trouble setting up my RADIUS (FreeRADIUS Version 2.1.7) to
auth to my OpenLDAP server (openldap-2.3.43-12.el5_6.7) on CentOS 5.5.

I am trying to configure EAP-TLS and think I am pretty close.  I am
currently wondering if possibly I have an incorrect mapping in the
ldap.attrs file (it is completely default right now). Running
'radiusd -X' I do see some errors such as:

rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found
[ldap] search failed

but later down the path of the session it looks like things are going
ok; I see a bunch of EAP challenges, it expanding the username,
and stuff being put into the inner-tunnel.  However, in the end:

rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=marguin2)
[ldap] checking if remote access for marguin2 is allowed by uid
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure
that the user is configured correctly?

My LDAP attribute for the password is userPassword and I have tried
changing the values in ldap.attrs to match this but that did not
help.  Here is the full output of the run of radiusd in debug mode.
Any insight is appreciated:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=181, length=132
User-Name = anonymous
Framed-MTU = 1400
Called-Station-Id = 64a0.e729.b890
Calling-Station-Id = 1c65.9d32.fb68
Service-Type = Login-User
Message-Authenticator = 0x247be03937ef0698a7ad23d2f86aa54b
EAP-Message = 0x0202000e01616e6f6e796d6f7573
NAS-Port-Type = Wireless-802.11
NAS-Port = 799
NAS-Port-Id = 799
NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for anonymous
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  expand: %{User-Name} -> anonymous
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=anonymous)
[ldap]  expand: dc=currensee,dc=com -> dc=currensee,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.local.currensee.com:389, authentication 0
rlm_ldap: bind as
cn=radius,ou=Services,dc=currensee,dc=com/c17ad5805204465ab39d11e0381272c5
to ldap.local.currensee.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user 'anonymous'
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 181 to 192.168.10.31 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0x12d3382012d02152159f345e3e0c333a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=182, length=228
User-Name = anonymous
Framed-MTU = 1400
Called-Station-Id = 64a0.e729.b890
Calling-Station-Id = 1c65.9d32.fb68
Service-Type = Login-User
Message-Authenticator = 0x07f8f2c72439114d5efd54762efa740b
EAP-Message =
0x0203005c19001603010051014d03014ea9917e4e0fee76b71533a74710796e73ac02e494439b92a5338ee6d1f1bcd92600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
NAS-Port-Type = Wireless-802.11
NAS-Port = 799
NAS-Port-Id = 799
State = 0x12d3382012d02152159f345e3e0c333a
NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 3 length 92
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, 

Custom MySQL Queries

2011-10-27 Thread JennyBlunt
Hello 

What's the best approach regarding custom mysql queries? I'd like to check
if a user is blocked whilst authorising..

Have tried to add something like this to my dictionary file:

ATTRIBUTE   User-Disabled-Attr  3002    integer

And then putting a 1 / 0 in to radcheck against the user.

What's the best way to do this kind of request? Is it better to write a
lookup somewhere else?

Thanks

J

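One way to act on the radcheck flag described in the question, added here as an example and not taken from the thread. It assumes FreeRADIUS 2.x unlang, the dictionary line from the question, and that the sql module is listed in authorize ahead of the check; the username 'jenny' and the Reply-Message text are constructed.

```unlang
# raddb/dictionary -- local attributes numbered 3000 and above are never sent
# on the wire; they exist only inside the server, so this is a safe place for
# a site-specific flag like the one from the question.
ATTRIBUTE       User-Disabled-Attr      3002    integer

# radcheck row (constructed sample):
#   username='jenny'  attribute='User-Disabled-Attr'  op=':='  value='1'
# The sql module copies matching radcheck rows into the request's control
# list, which is what the condition below reads. (Without a custom attribute
# the same effect is had by a radcheck row 'Auth-Type' ':=' 'Reject'.)

# sites-enabled/default -- authorize runs before any authentication method,
# so a disabled account is refused before a password or EAP exchange starts.
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    sql

    # Reject disabled accounts no matter which credentials they present.
    # attr_filter.access_reject (run from Post-Auth-Type REJECT) lets
    # Reply-Message through, so the NAS can show the reason to the user.
    if (control:User-Disabled-Attr == 1) {
        update reply {
            Reply-Message := "Account disabled"
        }
        reject
    }

    expiration
    logintime
    pap
}
```

For an EAP user the check also runs inside the inner-tunnel virtual server, so the same block belongs in its authorize section if that is where sql is called.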


RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-27 Thread Daniel Menezes
Fajar,

 So you mean radutmp was the root cause of your problem?

I don't know, but it's better now. =)

 What does the FR log say? Does it say it receives duplicate or conflicting
packets?
 If yes, then the db is still slow. You still need to fix it. If not,
 then the problem might be somewhere else (e.g. congested network
 causing dropped packets)

This is strange!
When starting radius in debug mode I don't see any error; in normal mode
the duplicate or conflicting packets have disappeared.
Still, the statistics in MikroTik show 2 or 4 resends and timeouts .. a few.

I'll try other ways; first, change the DB engine.
Tomorrow I'll write about it.

Thanks.


Regards,

---
Daniel Menezes





Failed to load module jradius

2011-10-27 Thread Travis Dimmig
I don't seem to be able to get freeRadius to load the jradius module.  My 
steps are as follows:

wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.gz
tar -xzvf freeradius-server-2.1.12.tar.gz
cd freeradius-server-2.1.12
echo rlm_jradius >> src/modules/stable
./configure && make && make install
cp src/modules/rlm_jradius/jradius.conf /usr/local/etc/raddb

I configure jradius.conf to point to my JRadius server, and add jradius to the 
accounting section of sites-enabled.
radiusd -X gives:
/usr/local/etc/raddb/sites-enabled/default[443]: Failed to load module 
jradius.
/usr/local/etc/raddb/sites-enabled/default[378]: Errors parsing accounting 
section.

I have verified that the jradius libraries have been compiled and installed 
/usr/local/lib.

I've managed to compile freeRadius with the jradius module before just 
fine... not sure what the problem is now.  Any help would be greatly 
appreciated.

Travis Dimmig
Software Development Specialist
Impulse Point
www.impulse.com



Re: Failed to load module jradius

2011-10-27 Thread Alan DeKok
Travis Dimmig wrote:
> I don't seem to be able to get freeRadius to load the "jradius" module. 
> My steps are as follows:
...
> "radiusd -X" gives:
> 
> /usr/local/etc/raddb/sites-enabled/default[443]: Failed to load module
> jradius.

  It should give more than that.  Look at the *previous* lines to see
the real cause of the problem.

  Alan DeKok.


RE: Failed to load module jradius

2011-10-27 Thread Travis Dimmig
Figured it out.  The jradius.conf needs to be in /usr/local/etc/raddb/modules.  
I swear it used to be one directory up...  Anyway, I don't know if it's the 
freeRadius team or the JRadius team that maintains this plugin, but the config 
file is not automatically copied into the modules directory even when 
freeRadius is compiled with jradius support.


Travis



Re: cisco WAP/FreeRadius/OpenLDAP

2011-10-27 Thread Alan DeKok
Matt Arguin wrote:
>    having trouble setting up my RADIUS(FreeRADIUS Version 2.1.7) to
> auth to my openldap server (openldap-2.3.43-12.el5_6.7) on CentOS 5.5.
> 
> i am trying to configure EAP-TLS 

  Then you don't need LDAP.  EAP-TLS does authentication based on client
certificates.  It doesn't use passwords.

  Why are you using EAP-TLS & LDAP?  What do you expect it to do?

  Alan DeKok.


Re: cisco WAP/FreeRadius/OpenLDAP

2011-10-27 Thread Matt Arguin
Re: Custom MySQL Queries

2011-10-27 Thread Suman Dash
If you would like to disable a user, why not use the Auth-Type := Reject
which is natively available in freeradius? I don't think it is necessary to
re-invent the wheel.

Regards
Suman



RE: Custom MySQL Queries

2011-10-27 Thread Tim Sylvester
I usually add Auth-Type := Reject to the radcheck table to disable a user.
You remove the entry to enable the user.

Tim

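As an added worked example (not Tim's or the list's own text), here are the radcheck rows this approach produces, on a table modelled on the FreeRADIUS 2.x MySQL schema; the user 'alice' and her password value are constructed. Note that the disable is a separate row with op ':=', not an extra column, which is the mistake described later in the thread.

```sql
-- Constructed example table, modelled on the radcheck definition shipped
-- with FreeRADIUS 2.x (sql/mysql/schema.sql).
CREATE TABLE radcheck (
  id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL DEFAULT '',
  attribute VARCHAR(64)  NOT NULL DEFAULT '',
  op        CHAR(2)      NOT NULL DEFAULT '==',
  value     VARCHAR(253) NOT NULL DEFAULT '',
  KEY username (username(32))
);

-- The normal check row for a constructed user.
INSERT INTO radcheck (username, attribute, op, value)
  VALUES ('alice', 'Cleartext-Password', ':=', 'example-only-password');

-- Disable the account: a SEPARATE row that forces Auth-Type := Reject.
-- Adding a column to radcheck has no effect; FreeRADIUS only reads rows.
INSERT INTO radcheck (username, attribute, op, value)
  VALUES ('alice', 'Auth-Type', ':=', 'Reject');

-- Audit query: every user currently disabled this way.
SELECT username
  FROM radcheck
 WHERE attribute = 'Auth-Type' AND op = ':=' AND value = 'Reject';

-- Re-enable: remove only the Reject row, leaving the password row intact.
DELETE FROM radcheck
 WHERE username = 'alice' AND attribute = 'Auth-Type' AND value = 'Reject';
```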


ntlm_auth reconnection without login data?

2011-10-27 Thread Andreas Rudat
Hi,

if I connect to my radius server, I don't need my password anymore, also
if I restart radius or my workstation. But why?

Thanks


Re: ntlm_auth reconnection without login data?

2011-10-27 Thread Alan DeKok
Andreas Rudat wrote:
> if I connect to my radius server, I don't need my password anymore, also
> if I restart radius or my workstation. But why?

  The PC caches the credentials.

  Alan DeKok.


Re: cisco WAP/FreeRadius/OpenLDAP

2011-10-27 Thread Phil Mayers

On 10/27/2011 06:31 PM, Matt Arguin wrote:
> Hi All,
>    having trouble setting up my RADIUS(FreeRADIUS Version 2.1.7) to
> auth to my openldap server (openldap-2.3.43-12.el5_6.7) on CentOS 5.5.
> 
> i am trying to configure EAP-TLS and think i am pretty close.  I am

Nope:

[eap] EAP/peap
[eap] processing type peap

The client is using PEAP, not EAP-TLS. PEAP/GTC in fact.

Your ldap module isn't returning a known-good password:

WARNING: No known good password was found in LDAP.  Are you sure

...so GTC is failing:

+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/gtc
[eap] processing type gtc
[gtc] +- entering group PAP {...}
[pap] login attempt with password r0adkill
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject

That's your error. Fix your password and/or your LDAP database to return 
the correct password.

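The reading Phil does by hand above (which EAP tunnel, which inner method, which module rejected and why) can be automated over radiusd -X output. This is an added example, not code from the post or from FreeRADIUS; the log sample is constructed from the excerpt above with the password line redacted.

```python
"""Added example (not from Phil Mayers's post or FreeRADIUS): summarise
a radiusd -X excerpt the way the reply above reads it by hand."""
import re

# Constructed sample modelled on the debug excerpt in the thread;
# the password line is deliberately redacted.
SAMPLE_LOG = """\
[eap] EAP/peap
[eap] processing type peap
WARNING: No known good password was found in LDAP.  Are you sure that the user is configured correctly?
+- entering group authenticate {...}
[eap] EAP/gtc
[eap] processing type gtc
[gtc] +- entering group PAP {...}
[pap] login attempt with password [redacted]
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
"""

EAP_TYPE = re.compile(r"^\[eap\] processing type (\w+)$")
PAP_METHOD = re.compile(r"^\[pap\] Using (\S+) encryption\.$")
MODULE_RC = re.compile(r"^\++\[(\w+)\] returns (\w+)$")
NO_KNOWN_GOOD = re.compile(r"^WARNING: No known good password was found in (\w+)")


def summarize_eap(log):
    """One pass over the debug lines: the first EAP type seen is the outer
    (tunnel) method, a later different one is the inner method."""
    s = {"outer": None, "inner": None, "pap_method": None,
         "reject_module": None, "missing_password_from": None}
    for raw in log.splitlines():
        line = raw.strip()
        if m := EAP_TYPE.match(line):
            if s["outer"] is None:
                s["outer"] = m.group(1)
            elif m.group(1) != s["outer"]:
                s["inner"] = m.group(1)
        elif m := PAP_METHOD.match(line):
            s["pap_method"] = m.group(1)       # CRYPT, NT, MD5, ...
        elif m := NO_KNOWN_GOOD.match(line):
            s["missing_password_from"] = m.group(1)  # backend that failed
        elif (m := MODULE_RC.match(line)) and m.group(2) == "reject":
            s["reject_module"] = m.group(1)
    return s


def diagnose(s):
    """Turn the summary into the one-line verdict the reply above gives."""
    if s["reject_module"] is None:
        return "no module rejected the request"
    method = "/".join(t for t in (s["outer"], s["inner"]) if t)
    verdict = f"{method} rejected by {s['reject_module']}"
    if s["missing_password_from"]:
        verdict += (f": {s['missing_password_from']} returned no known-good "
                    f"password, so the {s['pap_method']} comparison cannot succeed")
    return verdict
```

Running diagnose(summarize_eap(SAMPLE_LOG)) yields the same conclusion as the post: the PEAP/GTC inner PAP check failed because LDAP supplied nothing to compare against.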


Re: cisco WAP/FreeRadius/OpenLDAP

2011-10-27 Thread Matthew Arguin
Thanks Phil.  Question on that.  In the deployment of ldap that we have 
in place the users' password attribute is 'userPassword'.  Looking at the 
ldap attribute file and various online results, is the authentication 
looking for ntPassword for that ldap attribute as opposed to the 
userPassword one that I have?  I know that the user I am testing with 
has the password that is showing up; I am guessing that maybe I have it 
assigned in the wrong attribute or I need to change the ldap mapping 
file to use the attribute I have?


-m

On 10/27/2011 5:14 PM, freeradius-users-requ...@lists.freeradius.org wrote:

Re: cisco WAP/FreeRadius/OpenLDAP


--
Matthew Arguin
Currensee, Inc.
54 Canal St, 4th Floor
Boston, MA 02114
(617) 986-4758 (Office)


RE: Custom MySQL Queries

2011-10-27 Thread JennyBlunt
Hi,

I hadn't realised that was available.

Do I need to modify my query - have added that column to the radcheck table
but can still login.

J



RE: Custom MySQL Queries

2011-10-27 Thread JennyBlunt
Sorry, my mistake - I had not added it as another row in my radcheck table.

Is there a decent online reference for such commands - I find myself wasting
a lot of time here and looking through other forums...



Re: cisco WAP/FreeRadius/OpenLDAP

2011-10-27 Thread Fajar A. Nugraha
On Fri, Oct 28, 2011 at 4:32 AM, Matthew Arguin
matt.arg...@currensee.com wrote:
> Thanks Phil.  Question on that.  In the deployment of ldap that we have in
> place the users' password attribute is 'userPassword'.  Looking at the ldap
> attribute file and various online results, is the authentication looking for
> ntPassword for that ldap attribute as opposed to the userPassword one that I
> have?

Simple question: do you have either a plain-text (i.e. unencrypted)
password or an nt-hash password stored in your LDAP?

If yes, it's simply a matter of picking the correct attribute (which
is what ldap.attrmap is for).

If no (e.g. it's encrypted), do you know what encryption/hash it uses?
Some password hashes are supported by FR (e.g. unix crypt), while others
(e.g. the one used by Lotus Domino) can't be used.

-- 
Fajar
