Enabling login access and denied to be logged in radius log file
Hi,

How do I enable logging of user accept and deny logins in the log file? I tried to put sql_log in post-auth but it didn't work.

Thanks!
det

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Enabling login access and denied to be logged in radius log file
I had tried to use reply_log. It logs access or reject in the log file but does not include the username. How do I add the username info?

From: Det Det det.explo...@yahoo.com
To: FreeRadius mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, October 27, 2011 2:15 PM
Subject: Enabling login access and denied to be logged in radius log file

> Hi,
>
> How do I enable logging of user accept and deny logins in the log file? I tried to put sql_log in post-auth but it didn't work.
>
> Thanks!
> det
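An added example (not from this thread and not the configuration FreeRADIUS ships) showing one way to get a per-login accept/reject line that carries the username: two named instances of the linelog module, one called from post-auth for every Access-Accept and one from the Post-Auth-Type REJECT sub-section for every Access-Reject. The instance names, the log file name and the fields chosen are assumptions; the post-auth layout and the Post-Auth-Type REJECT sub-section are the standard 2.x structure.

```unlang
# modules/linelog  --  two named linelog instances (names and file name are assumptions)
linelog log_auth_accept {
	filename = ${logdir}/auth-result.log
	permissions = 0600
	# %t is the request timestamp; each line carries the username, the NAS and the client MAC
	format = "%t ACCEPT user=%{User-Name} nas=%{NAS-IP-Address} calling=%{Calling-Station-Id}"
}

linelog log_auth_reject {
	filename = ${logdir}/auth-result.log
	permissions = 0600
	# Module-Failure-Message is set by whichever module rejected the request, when one did;
	# the :-unknown fallback keeps the field present when nothing set it
	format = "%t REJECT user=%{User-Name} nas=%{NAS-IP-Address} calling=%{Calling-Station-Id} reason=%{%{Module-Failure-Message}:-unknown}"
}

# sites-enabled/default  --  post-auth runs for every Access-Accept; the
# Post-Auth-Type REJECT sub-section runs instead for every Access-Reject
post-auth {
	log_auth_accept
	Post-Auth-Type REJECT {
		attr_filter.access_reject
		log_auth_reject
	}
}
```

Unlike sql_log, this needs no database and writes one line per final decision; EAP challenges never reach post-auth, so they are not logged. User-Name and Calling-Station-Id are supplied by the client, so anything that parses auth-result.log should treat those fields as untrusted input rather than assuming a fixed character set.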
systemd and FreeRADIUS
Hi,

it seems like openSUSE is going the fancy way and throwing good old INIT overboard with their next release. System initialisation and housekeeping is changing towards systemd instead.

So, in 20-something days I'll try to get my first FreeRADIUS running on that, and can't use my good old init scripts any more (I guess I could with some systemd-to-INIT legacy support, but I like eating fresh dogfood).

Is there already someone working on systemd description files for FreeRADIUS? If not, I'll (have to :-) ) give it a go myself...

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
Re: Why is not writting in second detail file?
Hi,

I have checked my NAS's packets and I can confirm that it sends Event-Timestamp (I have seen it in the output of freeradius -X).

Now, what do I have to do? I have seen that Event-Timestamp does not have a good MySQL format: Oct 26 2011 13:03:14 CEST.

Any idea?

Thanks.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Why-is-not-writting-in-second-detail-file-tp4935451p4942366.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Sending accounting packets to more than one server?
Is it possible to do this with copy-acct-to-home-server? With copy-acct-to-home-server I can't get it. Have you managed to copy the same set of information from one server to another?

Thanks.
Re: How to configure proxy server to send a copy of acct to remote/home server
Have you got this configuration? How have you done it?

I can't get accounting data synced to the remote server with the same set of information (acctstarttime and acctstoptime have different times; I think this is because each server takes its local time at the moment it receives the packets).

Any idea?
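An added example (not from either thread and not the dialup.conf FreeRADIUS ships) that addresses both points raised above: the Event-Timestamp attribute printing as "Oct 26 2011 13:03:14 CEST", and two servers storing different acctstarttime/acctstoptime values because each uses its own receive time. It assumes a 2.1.x server where the %{integer:...} expansion is available; the column list is trimmed to the ones that matter here, and ${acct_table1}/${acct_table2} are the variables sql.conf already defines.

```unlang
# sql/mysql/dialup.conf  --  trimmed fragment (example, not the shipped file).
# %{integer:Event-Timestamp} renders the attribute as seconds since the epoch
# instead of the "Oct 26 2011 13:03:14 CEST" date string; the :-%l fallback
# uses the time this server received the packet when the NAS sent no
# Event-Timestamp at all (the shipped file uses %S, the receive time, always).

accounting_start_query = "INSERT INTO ${acct_table1} \
	(acctsessionid, acctuniqueid, username, nasipaddress, acctstarttime, acctstoptime) \
	VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', \
	'%{NAS-IP-Address}', FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), NULL)"

accounting_stop_query = "UPDATE ${acct_table2} SET \
	acctstoptime = FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), \
	acctsessiontime = '%{Acct-Session-Time}', \
	acctterminatecause = '%{Acct-Terminate-Cause}' \
	WHERE acctsessionid = '%{Acct-Session-Id}' \
	AND username = '%{SQL-User-Name}' \
	AND nasipaddress = '%{NAS-IP-Address}'"
```

Because the stored value now comes from the NAS clock rather than from whichever server happened to receive the packet, a copy of the same packet written by a second server yields the same timestamps. The flip side is that a NAS with a skewed clock skews the stored session times on every server, so NAS clocks need NTP, and FROM_UNIXTIME() converts using the MySQL session time zone, which has to match on both databases for the rows to compare equal.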
Re: Freeradius mysql acct copy
Hi,

Is this configuration correct? Nowadays, could I use this to copy acct to a remote server?

Thanks.
Re: Sending accounting packets to more than one server?
tonimanel wrote:
> Is it possible to do this with copy-acct-to-home-server? With copy-acct-to-home-server I can't get it. Have you managed to copy the same set of information from one server to another?

Sending the same question multiple times is rude.

Download the latest version, and read doc/ChangeLog. The answer to your question is there.

Alan DeKok.
Re: PEAP with Machine auth
The weird thing is that I didn't see that popup

On Wed, Oct 26, 2011 at 5:07 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 10/26/2011 07:53 PM, Francois Gaudreault wrote:
>> Correct me if I am wrong, but that should not be needed when you are not validating server certificate.
>
> There are a few issues; let me try to lay them out.
>
> First: it seems you MUST install the CA on the client (in one or both of the user or machine store, depending on whether you're doing user or machine-based auth). Authentication will simply fail if you don't install the CA - although helpfully Windows does seem to send an invalid CA TLS alert.
>
> Second: If (and only if) you install the CA, then when you FIRST connect to a network, you will be shown the dialog box "The connection attempt could not be completed". In my testing, if you click "Continue", then Windows will:
>
> a. Check the "Validate server certificate"
> b. Leave the "Connect to these servers" (hostname/CN) blank
> c. Check the box next to the CA cert
>
> That is, Windows will trust on first use (TOFU) the *specific* CA for that *specific* connection profile (WLAN SSID or wired profile).
>
> The text at the link given by the OP is misleading. The issue is not whether the CA is a Trusted CA on the machine/user store as a whole. It's whether it's trusted for *that specific connection* as a CA for signing the authentication server cert.
>
> I'm unsure whether the OP is clicking "Continue" at the prompt and it's failing, or if he's not clicking "Continue" or not even being presented with the option - but as I say, in my testing, TOFU works.
Re: Sending accounting packets to more than one server?
Hi Alan,

Sorry very much, but I was desperate. Now I understand how I can do this. Following the documentation and re-reading it, I understand that I can use the radrelay.conf configuration to do an exact replica, obviously with a second detail file created and with a reader and a writer configured. I have opened my eyes!

However, I think that there are a lot of answers that cause confusion.

Thanks!
Re: PEAP with Machine auth
On 27/10/11 13:12, Bonald wrote:
> The weird thing is that I didn't see that popup

That is very odd. I just tried this again; purged the CA from the User and Machine lists, deleted the wired 802.1x profile and re-connected.

1st time - no joy because the CA is unknown. Import the CA, retry and I get prompted to Terminate or Connect. If I click Connect, the 802.1x profile is altered to trust the CA.

Maybe you have some Windows Group Policy which is preventing you from being prompted?
RES: FreeRadius + MySQL | radacct: Errors and Warnings
Fajar,

I had radutmp and SQL commented out in account {}. I don't know why, a possible mistake. After marking radutmp and restarting freeradius I don't see new errors in the log.

In the NAS (MikroTik) statistics there are sometimes a few resends and timeouts; is that normal?

Sds,
---
Daniel Menezes

-----Original Message-----
From: freeradius-users-bounces+listas=dmnzs.com...@lists.freeradius.org [mailto:freeradius-users-bounces+listas=dmnzs.com...@lists.freeradius.org] On behalf of Fajar A. Nugraha
Sent: Wednesday, 26 October 2011 13:19
To: FreeRadius users mailing list
Subject: Re: FreeRadius + MySQL | radacct: Errors and Warnings

> Another thing to try, are you using radutmp? If not (e.g. session/simultaneous use check is using sql), just mark all instances of radutmp from sites-available/default (and whatever other virtual server you use).
RES: FreeRadius + MySQL | radacct: Errors and Warnings
Hi Tim,

> 1. Use the InnoDB Engine in MySQL.

I read about it and don't know if it's the best way. Why the InnoDB engine? The MyISAM engine is faster.

> 2. Increase the number of SQL sockets in sql.conf (num_sql_socks). The default is 5, try 25.

Ok.

> 3. Increase the number of connections (max_connections) in my.cnf to match the number of SQL sockets in sql.conf.

Ok.

> 4. Enable the MySQL slow query log (slow_query_log) in my.cnf.
> 5. Check the MySQL slow query log file for problems.

I've enabled the slow query log and set it to 2 sec. The log doesn't show any slow query... Is that too much time? I've tested with mtop[1] too, no slow queries.

Thanks!

Sds,
---
Daniel Menezes

Links:
[1] http://mtop.sourceforge.net/
Re: RES: FreeRadius + MySQL | radacct: Errors and Warnings
Daniel Menezes wrote:
>> 1. Use the InnoDB Engine in MySQL.
>
> I read about it and don't know if it's the best way. Why the InnoDB engine? The MyISAM engine is faster.

If you know better than the RADIUS experts, why are you asking questions on this list?

Alan DeKok.
Re: PEAP with Machine auth
Exactly, I have a GPO that's pushing some wireless profiles. When disabling this GPO I see the popup.

On Thu, Oct 27, 2011 at 9:37 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 27/10/11 13:12, Bonald wrote:
>> The weird thing is that I didn't see that popup
>
> That is very odd. I just tried this again; purged the CA from the User and Machine lists, deleted the wired 802.1x profile and re-connected.
>
> 1st time - no joy because the CA is unknown. Import the CA, retry and I get prompted to Terminate or Connect. If I click Connect, the 802.1x profile is altered to trust the CA.
>
> Maybe you have some Windows Group Policy which is preventing you from being prompted?
Re: RES: FreeRadius + MySQL | radacct: Errors and Warnings
On 27 Oct 2011, at 16:16, Alan DeKok wrote:
> Daniel Menezes wrote:
>>> 1. Use the InnoDB Engine in MySQL.
>>
>> I read about it and don't know if it's the best way. Why the InnoDB engine? The MyISAM engine is faster.

It doesn't support row level locking for one. Which absolutely cripples selects against the radacct/postauth table when there are high levels of inserts/updates.

MyISAM should *NOT* be used for the postauth and radacct. Version 3 schema has been updated to use INNODB for these tables.

https://github.com/alandekok/freeradius-server/blob/master/raddb/sql/mysql/schema.sql

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: systemd and FreeRADIUS
On 10/27/2011 03:29 AM, Stefan Winter wrote:
> Hi,
>
> it seems like openSUSE is going the fancy way and throwing good old INIT overboard with their next release. System initialisation and housekeeping is changing towards systemd instead.
>
> So, in 20-something days I'll try to get my first FreeRADIUS running on that, and can't use my good old init scripts any more (I guess I could with some systemd-to-INIT legacy support, but I like eating fresh dogfood).
>
> Is there already someone working on systemd description files for FreeRADIUS? If not, I'll (have to :-) ) give it a go myself...

Fedora has moved to systemd (with backward support for sysV initscripts). systemd support was added to the current Fedora 16 FreeRADIUS RPM's by someone other than myself. It's been on my todo list to review what was done so I can't comment yet on how well the integration was done, but you're welcome to take a peek. I'm certainly interested in working cooperatively on systemd integration and my gut tells me there is more work to be done than what was already added (the work was done by those tasked with providing systemd support across all packages, so they know systemd well, but had little experience with FreeRADIUS).

The current F-16 SRPM can be found here:
http://kojipkgs.fedoraproject.org/packages/freeradius/2.1.12/1.fc16/src/freeradius-2.1.12-1.fc16.src.rpm

FWIW, true systemd integration requires source code changes to the server. Control via external scripts within the systemd environment is the obvious incremental step and is what I assume you're talking about.

Also Fedora has documentation on the systemd conversion, something else you might want to look at:
https://fedoraproject.org/wiki/Systemd

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: FreeRadius + MySQL | radacct: Errors and Warnings
On Thu, Oct 27, 2011 at 8:19 PM, Daniel Menezes lis...@dmnzs.com.br wrote:
> Fajar,
>
> I had radutmp and SQL commented out in account {}. I don't know why, a possible mistake. After marking radutmp and restarting freeradius I don't see new errors in the log.

So you mean radutmp was the root cause of your problem? That's good, in a way. It means you've got more room to breathe (and possibly do more improvements) before your db's high load really slows down your system :)

> In the NAS (MikroTik) statistics there are sometimes a few resends and timeouts; is that normal?

What does the FR log say? Does it say it receives duplicate or conflicting packets? If yes, then the db is still slow. You still need to fix it. If not, then the problem might be somewhere else (e.g. congested network causing dropped packets)

--
Fajar
Re: Build RPM
Hi Francois,

Thanks a lot for your last post, I will try to build with your spec. It seems to be far more intelligent than mine (some BuildRequires I don't have, etc ...)

Regarding the cert patch: I already have certs from an external PKI (not openssl-generated at install) so I suppose I can omit this patch when I don't want to build generic packages but a customer-specific package with the customer's certs, right?

I also tried to rpmbuild using the 2.1.x git repository (currently 2.2.0) but I got into trouble because of the radrelay module: even if /etc/raddb/radrelay.conf is correctly declared (note 1°), the build reports missing radrelay.conf in /var/tmp/freeradius-2.2.0./etc/raddb

Any idea?

note 1° = %attr(640,root,radiusd) %config(noreplace) /etc/raddb/radrelay.conf

Best regards,
Fred MAISON

2011/10/26 Francois Gaudreault fgaudrea...@inverse.ca:
> Hi,
>
> See below (I won't put the comments section) for RHEL5:
>
> Summary: High-performance and highly configurable free RADIUS server
> Name: freeradius2
> Version: 2.1.12
> Release: 1%{?dist}
> License: GPLv2+ and LGPLv2+
> Group: System Environment/Daemons
> URL: http://www.freeradius.org/
> Source0: ftp://ftp.freeradius.org/pub/radius/freeradius-server-%{version}.tar.bz2
> Source100: freeradius-radiusd-init
> Source102: freeradius-logrotate
> Source103: freeradius-pam-conf
> Patch1: freeradius-cert-config.patch
> Obsoletes: freeradius2-devel
> Obsoletes: freeradius2-libs
>
> %define docdir %{_docdir}/freeradius-%{version}
> %define initddir %{?_initddir:%{_initddir}}%{!?_initddir:%{_initrddir}}
>
> BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
>
> BuildRequires: autoconf
> BuildRequires: gdbm-devel
> BuildRequires: libtool
> BuildRequires: libtool-ltdl-devel
> BuildRequires: openssl-devel
> BuildRequires: pam-devel
> BuildRequires: zlib-devel
> BuildRequires: net-snmp-devel
> BuildRequires: net-snmp-utils
> BuildRequires: readline-devel
> BuildRequires: libpcap-devel
>
> Requires(pre): shadow-utils glibc-common
> Requires(post): /sbin/chkconfig
> Requires(preun): /sbin/chkconfig
>
> %description
> The FreeRADIUS Server Project is a high performance and highly configurable GPL'd free RADIUS server. The server is similar in some respects to Livingston's 2.0 server. While FreeRADIUS started as a variant of the Cistron RADIUS server, they don't share a lot in common any more. It now has many more features than Cistron or Livingston, and is much more configurable.
>
> FreeRADIUS is an Internet authentication daemon, which implements the RADIUS protocol, as defined in RFC 2865 (and others). It allows Network Access Servers (NAS boxes) to perform authentication for dial-up users. There are also RADIUS clients available for Web servers, firewalls, Unix logins, and more. Using RADIUS allows authentication and authorization for a network to be centralized, and minimizes the amount of re-configuration which has to be done when adding or deleting new users.
>
> %package utils
> Group: System Environment/Daemons
> Summary: FreeRADIUS utilities
> Requires: %{name} = %{version}-%{release}
> Requires: libpcap >= 0.9.4
>
> %description utils
> The FreeRADIUS server has a number of features found in other servers, and additional features not found in any other server. Rather than doing a feature by feature comparison, we will simply list the features of the server, and let you decide if they satisfy your needs.
>
> Support for RFC and VSA Attributes
> Additional server configuration attributes
> Selecting a particular configuration
> Authentication methods
>
> %package ldap
> Summary: LDAP support for freeradius
> Group: System Environment/Daemons
> Requires: %{name} = %{version}-%{release}
> BuildRequires: openldap-devel
>
> %description ldap
> This plugin provides the LDAP support for the FreeRADIUS server project.
>
> %package krb5
> Summary: Kerberos 5 support for freeradius
> Group: System Environment/Daemons
> Requires: %{name} = %{version}-%{release}
> BuildRequires: krb5-devel
>
> %description krb5
> This plugin provides the Kerberos 5 support for the FreeRADIUS server project.
>
> %package perl
> Summary: Perl support for freeradius
> Group: System Environment/Daemons
> Requires: %{name} = %{version}-%{release}
> Requires: perl(:MODULE_COMPAT_%(eval `%{__perl} -V:version`; echo $version))
> %{?fedora:BuildRequires: perl-devel}
> %if 0%{?rhel} <= 5
> BuildRequires: perl
> %endif
> %if 0%{?rhel} >= 6
> BuildRequires: perl-devel
> %endif
> BuildRequires: perl(ExtUtils::Embed)
>
> %description perl
> This plugin provides the Perl support for the FreeRADIUS server project.
>
> %package python
> Summary: Python support for freeradius
> Group: System Environment/Daemons
> Requires: %{name} = %{version}-%{release}
> BuildRequires: python-devel
>
> %description python
> This plugin provides the Python support for the FreeRADIUS server project.
>
> %package mysql
> Summary: MySQL support for freeradius
> Group: System Environment/Daemons
> Requires: %{name} = %{version}-%{release}
> BuildRequires: mysql-devel
>
> %description
Re: systemd and FreeRADIUS
John Dennis wrote:
> FWIW, true systemd integration requires source code changes to the server. Control via external scripts within the systemd environment is the obvious incremental step and is what I assume you're talking about.

Source code changes to the server shouldn't be hard...

> Also Fedora has documentation on the systemd conversion, something else you might want to look at:
> https://fedoraproject.org/wiki/Systemd

Hmm... not much documentation there on source code changes.

http://0pointer.de/blog/projects/socket-activation.html

Has some more information. It might be enough just to have a command-line option saying "-i systemd", in which case it does systemd activation, rather than anything else.

I don't know that systemd should be the default, though, even on systems with it configured. Doing that will make it difficult to have debug mode.

Alan DeKok.
RES: RES: FreeRadius + MySQL | radacct: Errors and Warnings
Hi Alan,

> If you know better than the RADIUS experts, why are you asking questions on this list?

I don't know better than anyone, I'm simply asking to understand where I'm lost. Sorry if you feel bad about my questions...

Sds,
---
Daniel Menezes
Re: PEAP with Machine auth
On 27/10/11 15:18, Bonald wrote:
> Exactly, I have a GPO that's pushing some wireless profiles. When disabling this GPO I see the popup.

Sigh. I hate Windows.

I'm glad you've got it sorted out. If you find time to write some docs in the wiki that describe which GPO objects caused what behaviour, it might be useful for others in the future.
Re: Build RPM
Fred,

I don't know for git source, my spec is targeted for 2.1.x sources.

On 11-10-27 10:57 AM, Fred wrote:
> Hi Francois,
>
> Thanks a lot for your last post, I will try to build with your spec. It seems to be far more intelligent than mine (some BuildRequires I don't have, etc ...)
>
> Regarding the cert patch: I already have certs from an external PKI (not openssl-generated at install) so I suppose I can omit this patch when I don't want to build generic packages but a customer-specific package with the customer's certs, right?
>
> I also tried to rpmbuild using the 2.1.x git repository (currently 2.2.0) but I got into trouble because of the radrelay module: even if /etc/raddb/radrelay.conf is correctly declared (note 1°), the build reports missing radrelay.conf in /var/tmp/freeradius-2.2.0./etc/raddb
>
> Any idea?
>
> note 1° = %attr(640,root,radiusd) %config(noreplace) /etc/raddb/radrelay.conf
>
> Best regards,
> Fred MAISON

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: RES: RES: FreeRadius + MySQL | radacct: Errors and Warnings
Daniel Menezes wrote:
> I don't know better than anyone, I'm simply asking to understand where I'm lost.

Then you should ask WHY is one better than the other.

> Sorry if you feel bad about my questions...

Which is proof you didn't understand my response.

Alan DeKok.
RES: RES: FreeRadius + MySQL | radacct: Errors and Warnings
Hi Arran,

> It doesn't support row level locking for one. Which absolutely cripples selects against the radacct/postauth table when there are high levels of inserts/updates.
>
> MyISAM should *NOT* be used for the postauth and radacct. Version 3 schema has been updated to use INNODB for these tables.
>
> https://github.com/alandekok/freeradius-server/blob/master/raddb/sql/mysql/schema.sql

Hmm, I get it now. I'll change the engine and report the results.

Thanks.

Sds,
---
Daniel Menezes
Re: Authorising Clients by Calling Station ID Not IP
Cool, thanks. I'll download now and take a look.

J
cisco WAP/FreeRadius/OpenLDAP
Hi All,

having trouble setting up my RADIUS (FreeRADIUS Version 2.1.7) to auth to my openldap server (openldap-2.3.43-12.el5_6.7) on CentOS 5.5. I am trying to configure EAP-TLS and think I am pretty close. I am currently wondering if possibly I have an incorrect mapping in the ldap.attrs file (it is completely default right now). Running 'radiusd -X' I do see some errors such as:

rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found
[ldap] search failed

but later down the path of the session it looks like things are going ok, seeing a bunch of EAP challenges and it expanding the username and stuff being put into the inner-tunnel. However, in the end:

rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=marguin2)
[ldap] checking if remote access for marguin2 is allowed by uid
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?

my ldap attribute for password is userPassword and I have tried changing the values in the ldap.attrs to match this but that did not help. Here is the full output of the run of radiusd in debug mode. Any insight is appreciated:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645, id=181, length=132
	User-Name = anonymous
	Framed-MTU = 1400
	Called-Station-Id = 64a0.e729.b890
	Calling-Station-Id = 1c65.9d32.fb68
	Service-Type = Login-User
	Message-Authenticator = 0x247be03937ef0698a7ad23d2f86aa54b
	EAP-Message = 0x0202000e01616e6f6e796d6f7573
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 799
	NAS-Port-Id = 799
	NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for anonymous
[ldap] 	expand: %{Stripped-User-Name} ->
[ldap] 	expand: %{User-Name} -> anonymous
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=anonymous)
[ldap] 	expand: dc=currensee,dc=com -> dc=currensee,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.local.currensee.com:389, authentication 0
rlm_ldap: bind as cn=radius,ou=Services,dc=currensee,dc=com/c17ad5805204465ab39d11e0381272c5 to ldap.local.currensee.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user 'anonymous'
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 181 to 192.168.10.31 port 1645
	EAP-Message = 0x010300061920
	Message-Authenticator = 0x
	State = 0x12d3382012d02152159f345e3e0c333a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645, id=182, length=228
	User-Name = anonymous
	Framed-MTU = 1400
	Called-Station-Id = 64a0.e729.b890
	Calling-Station-Id = 1c65.9d32.fb68
	Service-Type = Login-User
	Message-Authenticator = 0x07f8f2c72439114d5efd54762efa740b
	EAP-Message = 0x0203005c19001603010051014d03014ea9917e4e0fee76b71533a74710796e73ac02e494439b92a5338ee6d1f1bcd92600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 799
	NAS-Port-Id = 799
	State = 0x12d3382012d02152159f345e3e0c333a
	NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 3 length 92
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found,
Custom MySQL Queries
Hello

What's the best approach regarding custom MySQL queries? I'd like to check if a user is blocked whilst authorising..

Have tried to add something like this to my dictionary file:

ATTRIBUTE User-Disabled-Attr 3002 integer

And then putting a 1 / 0 into radcheck against the user.

What's the best way to do this kind of request? Is it better to write a lookup somewhere else?

Thanks
J
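An added example (not from the thread and not a shipped FreeRADIUS file) that takes the approach described in the post to completion: the internal attribute from the dictionary line above, a radcheck row carrying it as a check item, and an unlang test in authorize that rejects before any password or EAP exchange starts. The radcheck row, the Reply-Message text and the trimmed authorize section are assumptions of mine; the control: list syntax and the reject keyword are standard 2.x unlang.

```unlang
# dictionary  --  the internal attribute from the post (numbers >= 3000 never go on the wire)
ATTRIBUTE	User-Disabled-Attr	3002	integer

# radcheck row (constructed for this example); op ':=' makes the sql module
# place the attribute in the request's control (check-item) list:
#   username='bob', attribute='User-Disabled-Attr', op=':=', value='1'

# sites-enabled/default  --  authorize section, trimmed to what matters here
authorize {
	preprocess
	suffix
	sql
	# sql has just loaded the radcheck rows for this user; refuse a disabled
	# account here so no password comparison or EAP handshake is ever started
	if (control:User-Disabled-Attr == 1) {
		update reply {
			Reply-Message := "Account disabled"
		}
		reject
	}
	expiration
	logintime
	pap
}
```

The same test belongs in the authorize section of sites-enabled/inner-tunnel when users authenticate with PEAP or TTLS, because the inner identity is looked up there, not in the outer server. If no custom attribute is wanted at all, a radcheck row of Auth-Type := Reject for the user has the same effect with no unlang: the server rejects as soon as it sees that Auth-Type.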
RES: FreeRadius + MySQL | radacct: Errors and Warnings
Fajar,

> So you mean radutmp was the root cause of your problem?

I don't know, but it's better now. =)

> What does the FR log say? Does it say it receives duplicate or conflicting packets? If yes, then the db is still slow. You still need to fix it. If not, then the problem might be somewhere else (e.g. congested network causing dropped packets)

This is strange! When starting radius in debug mode I don't see any error; in normal mode the duplicate or conflicting packets have disappeared. Always the statistics in MikroTik show 2, 4 resends and timeouts... a few.

I'll try other ways; first, change the DB engine. Tomorrow I'll write about it.

Thanks.

Sds,
---
Daniel Menezes
Failed to load module jradius
I don't seem to be able to get freeRadius to load the "jradius" module. My steps are as follows:

wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.gz
tar -xzvf freeradius-server-2.1.12.tar.gz
cd freeradius-server-2.1.12
echo rlm_jradius >> src/modules/stable
./configure
make
make install
cp src/modules/rlm_jradius/jradius.conf /usr/local/etc/raddb

I configure jradius.conf to point to my JRadius server, and add "jradius" to the accounting section of sites-enabled.

"radiusd -X" gives:

/usr/local/etc/raddb/sites-enabled/default[443]: Failed to load module "jradius".
/usr/local/etc/raddb/sites-enabled/default[378]: Errors parsing accounting section.

I have verified that the jradius libraries have been compiled and installed in /usr/local/lib. I've managed to compile freeRadius with the jradius module before just fine... not sure what the problem is now.

Any help would be greatly appreciated.

Travis Dimmig
Software Development Specialist
Impulse Point
www.impulse.com
Re: Failed to load module jradius
Travis Dimmig wrote:
> I don't seem to be able to get freeRadius to load the "jradius" module. My steps are as follows:
...
> "radiusd -X" gives:
>
> /usr/local/etc/raddb/sites-enabled/default[443]: Failed to load module "jradius".

It should give more than that. Look at the *previous* lines to see the real cause of the problem.

Alan DeKok.
RE: Failed to load module jradius
Figured it out. The jradius.conf needs to be in /usr/local/etc/raddb/modules. I swear it used to be one directory up... Anyway, I don't know if it's the freeRadius team or the JRadius team that maintains this plugin, but the config file is not automatically copied into the modules directory even when freeRadius is compiled with jradius support.

Travis

From: freeradius-users-bounces+tdimmig=impulse@lists.freeradius.org [mailto:freeradius-users-bounces+tdimmig=impulse@lists.freeradius.org] On Behalf Of Travis Dimmig
Sent: Thursday, October 27, 2011 2:29 PM
To: FreeRadius users mailing list
Subject: Failed to load module jradius

> I don't seem to be able to get freeRadius to load the "jradius" module. My steps are as follows:
>
> wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.gz
> tar -xzvf freeradius-server-2.1.12.tar.gz
> cd freeradius-server-2.1.12
> echo rlm_jradius >> src/modules/stable
> ./configure
> make
> make install
> cp src/modules/rlm_jradius/jradius.conf /usr/local/etc/raddb
>
> I configure jradius.conf to point to my JRadius server, and add "jradius" to the accounting section of sites-enabled.
>
> "radiusd -X" gives:
>
> /usr/local/etc/raddb/sites-enabled/default[443]: Failed to load module "jradius".
> /usr/local/etc/raddb/sites-enabled/default[378]: Errors parsing accounting section.
>
> I have verified that the jradius libraries have been compiled and installed in /usr/local/lib. I've managed to compile freeRadius with the jradius module before just fine... not sure what the problem is now.
>
> Any help would be greatly appreciated.
>
> Travis Dimmig
> Software Development Specialist
> Impulse Point
> www.impulse.com
Re: cisco WAP/FreeRadius/OpenLDAP
Matt Arguin wrote:
> having trouble setting up my RADIUS (FreeRADIUS Version 2.1.7) to auth to my openldap server (openldap-2.3.43-12.el5_6.7) on CentOS 5.5. i am trying to configure EAP-TLS

Then you don't need LDAP. EAP-TLS does authentication based on client certificates. It doesn't use passwords.

Why are you using EAP-TLS and LDAP? What do you expect it to do?

Alan DeKok.
Re: cisco WAP/FreeRadius/OpenLDAP
(Quoted from Freeradius-Users Digest, Vol 78, Issue 124; the three quoted messages are the same as the ones above and are not repeated here.)

Message 4: Thu, 27 Oct 2011 21:00:00 +0200, Alan DeKok, "Re: Failed to load module jradius"
Message 5: Thu, 27 Oct 2011 18:59:33, Travis Dimmig, "RE: Failed to load module jradius"
Message 6: Thu, 27 Oct 2011 21:01:21 +0200, Alan DeKok, "Re: cisco WAP/FreeRadius/OpenLDAP"

End of Freeradius-Users Digest, Vol 78, Issue 124
Re: Custom MySQL Queries
If you would like to disable a user, why not use the Auth-Type := Reject which is natively available in freeradius. I don't think it is necessary to re-invent the wheel.

Regards
Suman

On Thu, Oct 27, 2011 at 11:07 PM, JennyBlunt jennyshoeh...@me.com wrote:
> Hello
>
> What's the best approach regarding custom mysql queries? I'd like to check if a user is blocked whilst authorising.. Have tried to add something like this to my dictionary file:
>
>     ATTRIBUTE User-Disabled-Attr 3002 integer
>
> And then putting a 1 / 0 in to radcheck against the user. What's the best way to do this kind of request? Is it better to write a lookup somewhere else?
>
> Thanks
> J
>
> View this message in context: http://freeradius.1045715.n5.nabble.com/Custom-MySQL-Queries-tp4943692p4943692.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
RE: Custom MySQL Queries
I usually add Auth-Type := Reject to the radcheck table to disable a user. You remove the entry to enable the user.

Tim

-----Original Message-----
From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org On Behalf Of JennyBlunt
Sent: Thursday, October 27, 2011 10:37 AM
To: freeradius-users@lists.freeradius.org
Subject: Custom MySQL Queries

> Hello
>
> What's the best approach regarding custom mysql queries? I'd like to check if a user is blocked whilst authorising.. Have tried to add something like this to my dictionary file:
>
>     ATTRIBUTE User-Disabled-Attr 3002 integer
>
> And then putting a 1 / 0 in to radcheck against the user. What's the best way to do this kind of request? Is it better to write a lookup somewhere else?
>
> Thanks
> J
>
> View this message in context: http://freeradius.1045715.n5.nabble.com/Custom-MySQL-Queries-tp4943692p4943692.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
ntlm_auth reconnection without login data?
Hi,

if I connect to my radius server, I don't need my password anymore, also if I restart radius or my workstation. But why?

Thanks
Re: ntlm_auth reconnection without login data?
Andreas Rudat wrote:
> if I connect to my radius server, I don't need my password anymore, also if I restart radius or my workstation. But why?

The PC caches the credentials.

Alan DeKok.
Re: cisco WAP/FreeRadius/OpenLDAP
On 10/27/2011 06:31 PM, Matt Arguin wrote:
> Hi All, having trouble setting up my RADIUS (FreeRADIUS Version 2.1.7) to auth to my openldap server (openldap-2.3.43-12.el5_6.7) on CentOS 5.5. i am trying to configure EAP-TLS and think i am pretty close. I am

Nope:

    [eap] EAP/peap
    [eap] processing type peap

The client is using PEAP, not EAP-TLS. PEAP/GTC in fact.

Your ldap module isn't returning a known-good password:

    WARNING: No known good password was found in LDAP. Are you sure ...

...so GTC is failing:

    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/gtc
    [eap] processing type gtc
    [gtc] +- entering group PAP {...}
    [pap] login attempt with password r0adkill
    [pap] Using CRYPT encryption.
    [pap] Passwords don't match
    ++[pap] returns reject

That's your error. Fix your password and/or your LDAP database to return the correct password.
Re: cisco WAP/FreeRadius/OpenLDAP
Thanks Phil. question on that. in the deployment of ldap that we have in place the users password attribute is 'userPassword'. looking at the ldap attribute file and various online results, is the authentication looking for ntPassword for that ldap attribute as opposed to the userPassword one that i have? i know that the user i am testing with has the password that is showing up, i am guessing that maybe i have it assigned in the wrong attribute or i need to change the ldap mapping file to use the attribute i have?

-m

On 10/27/2011 5:14 PM, freeradius-users-requ...@lists.freeradius.org wrote:
> Re: cisco WAP/FreeRadius/OpenLDAP

--
Matthew Arguin
Currensee, Inc.
54 Canal St, 4th Floor
Boston, MA 02114
(617) 986-4758 (Office)

This email and any files transmitted with it are confidential and intended solely for the addressee. If you received this email in error, please do not disclose the contents to anyone; kindly notify the sender by return email and delete this email and any attachments from your system. © 2011 Currensee Inc. is a member of the National Futures Association (NFA) Member ID 0403251 | Over the counter retail foreign currency (Forex) trading may involve significant risk of loss. It is not suitable for all investors and you should make sure you understand the risks involved before trading and seek independent advice if necessary. Performance, strategies and charts shown are not necessarily predictive of any particular result and past performance is no indication of future results. Investor returns may vary from Trade Leader returns based on slippage, fees, broker spreads, volatility or other market conditions. Currensee Inc | 54 Canal St 4th Floor | Boston, MA 02114 | +1.617.624.3824
RE: Custom MySQL Queries
Hi,

I hadn't realised that was available. Do I need to modify my query - have added that column to the radcheck table but can still login.

J

View this message in context: http://freeradius.1045715.n5.nabble.com/Custom-MySQL-Queries-tp4943692p4944268.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
RE: Custom MySQL Queries
Sorry, my mistake - I had not added it as another row in my radcheck table. Is there a decent online reference for such commands - I find myself wasting a lot of time here and looking through other forums...

View this message in context: http://freeradius.1045715.n5.nabble.com/Custom-MySQL-Queries-tp4943692p4944418.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
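The disable-via-radcheck approach Suman and Tim describe, and the detail Jenny tripped over (Auth-Type := Reject is a separate row in radcheck, not a column), as an added example that is not code from the thread or from the FreeRADIUS project. It models the radcheck table in an in-memory SQLite database with the same column layout the sql module's schema uses, and runs a query shaped like the 2.x default authorize_check_query with the %{SQL-User-Name} expansion replaced by a bound parameter. The username and password values are constructed for the example.

```python
import sqlite3
from typing import List, Tuple

# Constructed stand-in for the FreeRADIUS 'radcheck' table. The real one is
# created in MySQL by the schema shipped with the sql module; only the column
# layout matters here.
RADCHECK_SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  VARCHAR(64)  NOT NULL DEFAULT '',
    attribute VARCHAR(64)  NOT NULL DEFAULT '',
    op        CHAR(2)      NOT NULL DEFAULT '==',
    value     VARCHAR(253) NOT NULL DEFAULT ''
)
"""

# Shape of the server's default authorize_check_query: every row for the user
# becomes one check item, in id order.
AUTHORIZE_CHECK_QUERY = (
    "SELECT id, username, attribute, value, op FROM radcheck "
    "WHERE username = ? ORDER BY id"
)


def open_db() -> sqlite3.Connection:
    """Create the table with one constructed user who has a password check item."""
    conn = sqlite3.connect(":memory:")
    conn.execute(RADCHECK_SCHEMA)
    conn.execute(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        ("jenny", "Cleartext-Password", ":=", "example-only-password"),
    )
    conn.commit()
    return conn


def disable_user(conn: sqlite3.Connection, username: str) -> None:
    """Disable a user the way Tim describes: add 'Auth-Type := Reject' as its own row.

    Note that this is an additional row for the same username, not a new column
    and not a change to the existing password row.
    """
    conn.execute(
        "INSERT INTO radcheck (username, attribute, op, value) "
        "VALUES (?, 'Auth-Type', ':=', 'Reject')",
        (username,),
    )
    conn.commit()


def enable_user(conn: sqlite3.Connection, username: str) -> None:
    """Re-enable by deleting only the Reject row; other check items stay."""
    conn.execute(
        "DELETE FROM radcheck WHERE username = ? "
        "AND attribute = 'Auth-Type' AND value = 'Reject'",
        (username,),
    )
    conn.commit()


def check_items(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str, str]]:
    """What the sql module would hand to authorize: (attribute, op, value) per row."""
    rows = conn.execute(AUTHORIZE_CHECK_QUERY, (username,)).fetchall()
    return [(attribute, op, value) for (_id, _user, attribute, value, op) in rows]


def is_disabled(conn: sqlite3.Connection, username: str) -> bool:
    """True when a check item forces Auth-Type to Reject for this user."""
    return any(
        attribute == "Auth-Type" and value.lower() == "reject"
        for attribute, _op, value in check_items(conn, username)
    )


if __name__ == "__main__":
    db = open_db()
    disable_user(db, "jenny")
    print(check_items(db, "jenny"))
    enable_user(db, "jenny")
    print(check_items(db, "jenny"))
```

The server itself decides what to do with the check items; the example only shows the rows the authorize query returns, which is enough to see why adding a column (rather than a row) changes nothing the sql module looks at.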
Re: cisco WAP/FreeRadius/OpenLDAP
On Fri, Oct 28, 2011 at 4:32 AM, Matthew Arguin matt.arg...@currensee.com wrote:
> Thanks Phil. question on that. in the deployment of ldap that we have in place the users password attribute is 'userPassword'. looking at the ldap attribute file and various online results, is the authentication looking for ntPassword for that ldap attribute as opposed to the userPassword one that i have?

Simple question: do you have either plain-text (i.e. unencrypted) password, or nt-hash password stored in your LDAP? If yes, it's simply a matter of picking the correct attribute (which is what ldap.attrmap is for).

If no (e.g. it's encrypted) do you know what encryption/hash it uses? Some password hashes are supported by FR (e.g. unix crypt), while others (e.g. the one used by Lotus Domino) can't be used.

--
Fajar
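Phil's point (PAP/GTC needs a "known good" password the ldap module can hand back) and Fajar's (that only some storage formats can be checked) come down to what is in front of the userPassword value. Below is an added example, not code from the thread or from FreeRADIUS, that does the same kind of check over an LDAP-style `{SCHEME}payload` value: clear text, SHA/SSHA and MD5/SMD5 can be verified from a plain-text login, an unknown scheme cannot be checked at all. It assumes the stock 2.x ldap.attrmap mapping of userPassword to Password-With-Header, so the header decides the check item; unix crypt is left out of the example only because Python's crypt module is deprecated, not because the server cannot check it. All stored values are constructed inside the block.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional, Tuple

# Scheme header -> (hashlib algorithm, digest length). For the salted forms the
# salt is whatever follows the digest in the base64-decoded payload.
HASHES = {
    "SHA": ("sha1", 20),
    "SSHA": ("sha1", 20),
    "MD5": ("md5", 16),
    "SMD5": ("md5", 16),
}


def split_header(stored: str) -> Tuple[str, str]:
    """Split '{SCHEME}payload' into (SCHEME, payload); no header means clear text."""
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        return scheme.upper(), payload
    return "CLEAR", stored


def check_password(stored: str, candidate: str) -> Optional[bool]:
    """Compare a plain-text login against an LDAP userPassword value.

    Returns True/False when the stored scheme can be checked, and None when it
    cannot (the analogue of the server having no known-good password to use).
    """
    scheme, payload = split_header(stored)
    cand = candidate.encode("utf-8")

    if scheme in ("CLEAR", "CLEARTEXT"):
        return hmac.compare_digest(payload.encode("utf-8"), cand)

    if scheme not in HASHES:
        return None  # e.g. a vendor-specific hash the checker does not know

    algo, digest_len = HASHES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return False  # malformed payload can never match
    digest, salt = raw[:digest_len], raw[digest_len:]
    if len(digest) != digest_len:
        return False
    # Unsalted schemes simply have an empty salt here.
    return hmac.compare_digest(hashlib.new(algo, cand + salt).digest(), digest)


def make_stored(scheme: str, password: str, salt: bytes = b"") -> str:
    """Build a constructed userPassword value (salt only meaningful for SSHA/SMD5)."""
    algo, _ = HASHES[scheme]
    raw = hashlib.new(algo, password.encode("utf-8") + salt).digest() + salt
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


if __name__ == "__main__":
    # Constructed directory entries for the demonstration.
    entries = {
        "alice": make_stored("SSHA", "correct-horse", b"\x01\x02\x03\x04"),
        "bob": "{CLEAR}battery-staple",
        "carol": "{MYSTERY}not-something-this-checker-understands",
    }
    for user, value in entries.items():
        print(user, check_password(value, "correct-horse"))
```

The None result is the case to watch for operationally: it is the situation behind the "No known good password was found" warning in Phil's reply, and no amount of fixing the client's password helps until the directory stores something the server can check.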