Re: Accessing radwho information or accounting request from rlm_perl

2012-05-09 Thread Alan DeKok
eluna wrote:
 As you can see the NAS-IP-Address attributes are different, and I need a
 method to get the value of the accounting request because when I need to for
 example deauthenticate a user, I need to know what access point it is
 actually associated to. Any solutions or hints are very much appreciated. 

  Use a database to store the data.  Find a common key, and look it up
in the DB.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread Alan DeKok
yagizozen wrote:
 All the information of the users that connect and dc, is stored in the
 db.daily file I suppose. But I can not open the file with notepad and see
 which user had how many seconds of active sessions.

  That's not how computers work.  Do you open MP3s in Notepad to play them?

 I configured a user to
 use 1 hour per day. The user used 20 min of his 1 hour limit. Now where can
 I see that user's remaining time to spend during that day?? I am not using
 regular accounting tables of the FR. I suppose that information is located
 in that db.daily file but I can not see inside of it. 
 Can you help me?

  See the rad_counter.pl file which is distributed with the server.

  Alan DeKok.


Prob web wiki.freeradius.org

2012-05-09 Thread Torsten Lehmann

Hello,

http://wiki.freeradius.org/ (or faq)  returns:
Forbidden

regards Torsten




Re: Prob web wiki.freeradius.org

2012-05-09 Thread Alan DeKok
Torsten Lehmann wrote:
 http://wiki.freeradius.org/ (or faq)  returns:
 Forbidden

  It works for me.

  We upgraded the machine, and had a few problems with editing the wiki.
 But it should be OK now.

  Alan DeKok.


Re: unlang fails for some strange reason...

2012-05-09 Thread Stefan Winter
Hello,

no one with a hint?

Stefan

On 07.05.2012 11:13, Stefan Winter wrote:
 Hi,
 
 at a client's site, I have to do some chopping off parts of User-Name,
 pretty straightforward, but for some reason it doesn't work (2.1.12):
 
 In inner-tunnel, authenticate, MSCHAPv2 for PEAP:
 
 authenticate {
 
         Auth-Type MS-CHAP {
 
                 if(%{Stripped-User-Name} =~ /().*/){
                         update request {
                                 SAMAccountName := %{1}
                         }
                 }
                 else {
                         update request {
                                 SAMAccountName := %{Stripped-User-Name}
                         }
                 }
                 mschap
         }
 
 So, if the Stripped-User-Name is longer than 20 chars, chop it off and store 
 it in SAMAccountName, otherwise, just store the full Stripped-User-Name in 
 SAMAccountName.
 
 SAMAccountName is defined in the dictionary as an internal attribute:
 
 
 ATTRIBUTE SAMAccountName 3003 string
 
 During run-time, the following strange thing happens...
 
 # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
 +- entering group authenticate {...}
 [eap] Request found, released from the list
 [eap] EAP/mschapv2
 [eap] processing type mschapv2
 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
 [mschapv2] +- entering group MS-CHAP {...}
 [mschapv2] ++? if (%{Stripped-User-Name} =~ /().*/)
 [mschapv2] expand: %{Stripped-User-Name} - christian.test
 [mschapv2] ? Evaluating (%{Stripped-User-Name} =~ /().*/) - FALSE
 [mschapv2] ++? if (%{Stripped-User-Name} =~ /().*/) - FALSE
 [mschapv2] ++- entering else else {...}
 [mschapv2] expand: %{Stripped-User-Name} - christian.test
 [mschapv2] +++[request] returns reject
 [mschapv2] ++- else else returns reject
 [eap] Freeing handler
 ++[eap] returns reject
 Failed to authenticate the user.
 
 So... short User-Name, the else path is taken, Stripped-User-Name expands 
 nicely... and then, the update request group returns reject?!?
 
 I tried to use update control instead, which fails too, and used a 
 non-internal attribute for that name as well. It just won't work.
 
 Is that maybe one of the known quirks in 2.1.12? Would using the current 
 stable branch work better?
 
 Greetings,
 
 Stefan Winter
 
 
 
 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: Prob web wiki.freeradius.org

2012-05-09 Thread Thomas Glanzmann
Hello Alan,

 Torsten Lehmann wrote:
  http://wiki.freeradius.org/ (or faq)  returns:
  Forbidden

* Alan DeKok al...@deployingradius.com [2012-05-09 09:44]:
 It works for me.  We upgraded the machine, and had a few problems with
 editing the wiki.  But it should be OK now.

for me it does not, I still have the problem. If you want I can record
the problem for you as flash video. I'm using github to authenticate.

Cheers,
Thomas


Re: unlang fails for some strange reason...

2012-05-09 Thread Fajar A. Nugraha
On Wed, May 9, 2012 at 2:45 PM, Stefan Winter stefan.win...@restena.lu wrote:
 Hello,

 no one with a hint?

Might not be the direct cause for your problem, but I'm pretty sure
you're not supposed to put unlang blocks inside authenticate section.
Or at least it's not recommended.

Try moving it to authorize section.

-- 
Fajar



 Stefan

 On 07.05.2012 11:13, Stefan Winter wrote:
 Hi,

 at a client's site, I have to do some chopping off parts of User-Name,
 pretty straightforward, but for some reason it doesn't work (2.1.12):

 In inner-tunnel, authenticate, MSCHAPv2 for PEAP:

 authenticate {

         Auth-Type MS-CHAP {

                 if(%{Stripped-User-Name} =~ /().*/){
                                 update request {
                                         SAMAccountName := %{1}
                                 }
                 }
                 else {
                         update request {
                                         SAMAccountName := %{Stripped-User-Name}
                                 }
                 }
                 mschap
         }


Re: unlang fails for some strange reason...

2012-05-09 Thread Alan DeKok
Stefan Winter wrote:
 no one with a hint?

  Hmm...  the default return code for things in the authenticate
section is reject.  And the update sections just pass through the
*previous* return code.

  You might try this as a hack:

Auth-Type MS-CHAP {
  ok
  if (..) {
  }
  else {
  }
  mschap
}

  The ok at the start will over-ride the default reject

  Alan DeKok.


Re: Prob web wiki.freeradius.org

2012-05-09 Thread Arran Cudbard-Bell

On 9 May 2012, at 09:51, Thomas Glanzmann wrote:

 Hello Alan,
 
 Torsten Lehmann wrote:
 http://wiki.freeradius.org/ (or faq)  returns:
 Forbidden
 
 * Alan DeKok al...@deployingradius.com [2012-05-09 09:44]:
 It works for me.  We upgraded the machine, and had a few problems with
 editing the wiki.  But it should be OK now.
 
 for me it does not, I still have the problem. If you want I can record
 the problem for you as flash video. I'm using github to authenticate.
 

You should be able to access the page fine, but editing the page currently 
results in Forbidden. Some bug with the upgraded version of Sinatra that was 
installed.

I'll look at it today.

-Arran


Re: Prob web wiki.freeradius.org

2012-05-09 Thread Fajar A. Nugraha
On Wed, May 9, 2012 at 2:51 PM, Thomas Glanzmann tho...@glanzmann.de wrote:
 Hello Alan,

 Torsten Lehmann wrote:
  http://wiki.freeradius.org/ (or faq)  returns:
  Forbidden

 * Alan DeKok al...@deployingradius.com [2012-05-09 09:44]:
 It works for me.  We upgraded the machine, and had a few problems with
 editing the wiki.  But it should be OK now.

 for me it does not, I still have the problem. If you want I can record
 the problem for you as flash video. I'm using github to authenticate.

It works for me, with or without github auth.

I suggest you try different connections (e.g. just in case your ISP
blocks the traffic somehow) and a different station (e.g. just in case
your browser caches the response).

-- 
Fajar


Re: Prob web wiki.freeradius.org

2012-05-09 Thread Alberto Martínez
It works for me too.

http://www.downforeveryoneorjustme.com/http://wiki.freeradius.org/

Re: Prob web wiki.freeradius.org

2012-05-09 Thread Marinko Tarlac

Works for me..

On 5/9/2012 9:39 AM, Alan DeKok wrote:

Torsten Lehmann wrote:

http://wiki.freeradius.org/ (or faq)  returns:
Forbidden

   It works for me.

   We upgraded the machine, and had a few problems with editing the wiki.
  But it should be OK now.

   Alan DeKok.


Re: Prob web wiki.freeradius.org

2012-05-09 Thread Thomas Glanzmann
Hello everyone,

* Thomas Glanzmann tho...@glanzmann.de [2012-05-09 09:58]:
 for me it does not, I still have the problem. If you want I can record
 the problem for you as flash video. I'm using github to authenticate.

I have a problem editing the page, accessing is fine. But Arran seems to
fix that.

Cheers,
Thomas


Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread yagizozen
Thank you Alan,

I couldn't find that perl file in my machine. Is there any way to see the
content of db.daily with the use of any program in the Windows environment
so that I can copy the file to my Windows and use that tool to look inside.



--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Session-Timeout-Monitoring-from-db-daily-tp5693089p5696811.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: unlang fails for some strange reason...

2012-05-09 Thread Stefan Winter
Hi,

yet another subtlety I didn't know of... I'm checking with my client
whether either moving it to authorize or putting the ok in front will
do the trick.

I'll let the list know of the outcome so that the collective list
intelligence a.k.a. archive will have the answer for later.

Thanks,

Stefan

On 09.05.2012 09:56, Alan DeKok wrote:
 Stefan Winter wrote:
 no one with a hint?
 
   Hmm...  the default return code for things in the authenticate
 section is reject.  And the update sections just pass through the
 *previous* return code.
 
   You might try this as a hack:
 
 Auth-Type MS-CHAP {
   ok
   if (..) {
   }
   else {
   }
   mschap
 }
 
   The ok at the start will over-ride the default reject
 
   Alan DeKok.


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread Fajar A. Nugraha
On Wed, May 9, 2012 at 3:54 PM, yagizozen yagizo...@yahoo.com wrote:
 Thank you Alan,

 I couldn't find that perl file in my machine. Is there any way to see the
 content of db.daily with the use of any program in the Windows environment
 so that I can copy the file to my Windows and use that tool to look inside.


Short version: No.

Long version: did you look at rad_counter.pl, as Alan mentioned? If
you did, you'd notice that it's a perl script, which uses GDBM_File
module. Both should be available on windows (active perl, cygwin,
etc). Or you could use some other program which supports gdbm (e.g.
php).

But since you didn't even bother looking at that file, my guess is you
won't be able to find the applications required to look at its
content. So no, you won't be able to do so.

-- 
Fajar


Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread Fajar A. Nugraha
On Wed, May 9, 2012 at 3:54 PM, yagizozen yagizo...@yahoo.com wrote:
 Thank you Alan,

 I couldn't find that perl file in my machine.

It's available on FR source code, as mentioned already by Alan:
http://freeradius.org/download.html

Or read the latest development version directly from github:
https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_counter/rad_counter.pl

-- 
Fajar


Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread Alan DeKok
yagizozen wrote:
 I couldn't find that perl file in my machine.

  That's not a good response.

  The file is distributed with FreeRADIUS.  Go look in the FreeRADIUS
distribution archive for it.

 Is there any way to see the
 content of db.daily with the use of any program in the Windows environment
 so that I can copy the file to my Windows and use that tool to look inside.

  I have no idea.  I don't use Windows.

  The tools distributed with FreeRADIUS work.  Use them.

  Alan DeKok.


Re: Prob web wiki.freeradius.org

2012-05-09 Thread Arran Cudbard-Bell

On 9 May 2012, at 10:30, Thomas Glanzmann wrote:

 Hello everyone,
 
 * Thomas Glanzmann tho...@glanzmann.de [2012-05-09 09:58]:
 for me it does not, I still have the problem. If you want I can record
 the problem for you as flash video. I'm using github to authenticate.
 
 I have a problem editing the page, accessing is fine. But Arran seems to
 fix that.

Yep working on it, expect some downtime today whilst I try and clean up the ruby 
installation and Gollum... The upgrade to 12.04 has really messed things up.

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Synchronous + Asynchronous proxying

2012-05-09 Thread mimir
Hello,
According to proxy.conf asynchronous configuration is disabled.
I want to manage the realms by setting parameter synchronous or
asynchronous, means that switch the configuration each other. Asynchronous
is needed to queue the accounting packages, retransmission etc.
Do you have any comment on this?

#  In 2.0, the server is always synchronous, and setting
#  synchronous = no is impossible.  This simplifies the
#  server and increases the stability of the network.
#  However, it means that the server (i.e. proxy) NEVER
#  originates packets.  It proxies packets ONLY when it receives
#  a packet or a re-transmission from the NAS.  If the NAS never
#  re-transmits, the proxy never re-transmits, either.  This can
#  affect fail-over, where a packet does *not* fail over to a
#  second home server.. because the NAS never retransmits the
#  packet.
#
#  If you need to set synchronous = no, please send a
#  message to the list freeradius-users@lists.freeradius.org
#  explaining why this feature is vital for your network.



Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread yagizozen
You are right Sir,

I could not find it in my server because it wasn't installed, I guess, when I
installed FR with yum install freeradius2 freeradius2-utils





Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread yagizozen
I do not have the modules folder under /usr/src.  How can I install the
modules folder to my machine but do not change any other file contents under
/etc or /var/log/radius



Re: Synchronous + Asynchronous proxying

2012-05-09 Thread Alan DeKok
mimir wrote:
 According to proxy.conf asynchronous configuration is disabled.
 I want to manage the realms by setting parameter synchronous or
 asynchronous, means that switch the configuration each other. Asynchronous
 is needed to queue the accounting packages, retransmission etc.
 Do you have any comment on this?

  Asynchronous proxying has few good use-cases.  It can cause more
problems than it solves.  That's why it was removed from the server.
The NAS is supposed to retransmit.  So it's simpler for the server to
wait for that retransmission.

  Can you give a concrete use-case for why this is necessary?

  Alan DeKok.


Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread Alan DeKok
yagizozen wrote:
 I do not have the modules folder under /usr/src.  How can I install the
 modules folder to my machine but do not change any other file contents under
 /etc or /var/log/radius

  Download the tar file from our FTP site.  See http://www.freeradius.org/

  Or, read the link that Fajar sent out.

  Alan DeKok.


Re: Synchronous + Asynchronous proxying

2012-05-09 Thread mimir
We want radius support both modes and update realms configuration as
sync/async.
I think in asynchronous mode we can send/proxy accounting packets in a period
not instantly. Because of this, we want to use async mode.



Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread John Dennis

On 05/09/2012 07:17 AM, yagizozen wrote:

You are right Sir,

I could not find it in my server because it wasn't installed, I guess, when I
installed FR with yum install freeradius2 freeradius2-utils


The reason the rad_counter.pl is only in a source distribution is 
because it's not installed via the install target in the Makefile. If 
rad_counter.pl is meant to be a user utility it should be installed as 
part of make install.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Synchronous + Asynchronous proxying

2012-05-09 Thread Fajar A. Nugraha
On Wed, May 9, 2012 at 7:13 PM, mimir
erdem.mimiro...@alcatel-lucent.com wrote:
 We want radius support both modes and update realms configuration as
 sync/async.
 I think in asynchronous mode we can send/proxy accounting packets in a period
 not instantly. Because of this, we want to use async mode.

If you're only concerned about accounting packets, why not use the
detail module and take a look at
sites-available/copy-acct-to-home-server?

-- 
Fajar


SNMP capabilities

2012-05-09 Thread mimir
Hello,

According to the document, freeradius supports SNMP and can send snmp trap.
But, when I check the MIBs, I could not find event based definitions.
According to my scenario, I want to send trap,
For example
1-) When one of fail-server is dead ( with clear live also)
2-) When one of accounting packet which is proxied to another radius, and we
can not get accounting response (with clear)
3-) via unlang and sql or ldap xlat, if query result is null.

Is it possible? I appreciate if you refer any document.

Thanks.



Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread Alan DeKok
John Dennis wrote:
 The reason the rad_counter.pl is only in a source distribution is
 because it's not installed via the install target in the Makefile. If
 rad_counter.pl is meant to be a user utility it should be installed as
 part of make install.

  That's probably a good idea.

  I'll go add that.

  Alan DeKok.


Re: Synchronous + Asynchronous proxying

2012-05-09 Thread Alan DeKok
mimir wrote:
 We want radius support both modes and update realms configuration as
 sync/async.

  You already said that.  Saying it again doesn't help.

 I think in asynchronous mode we can send/proxy accounting packets in a period
 not instantly.

  What does that mean?

 Because of this, we want to use async mode.

  "we want to use async because we want to use async"

  That's not an answer.

  Alan DeKok.


Re: SNMP capabilities

2012-05-09 Thread Alan DeKok
mimir wrote:
 According to the document, freeradius supports SNMP and can send snmp trap.

  Which document?

 But, when I check the MIBs, I could not find event based definitions.

  See the mibs directory in the git master branch.

 According to my scenario, I want to send trap,
 For example
 1-) When one of fail-server is dead ( with clear live also)
 2-) When one of accounting packet which is proxied to another radius, and we
 can not get accounting response (with clear)
 3-) via unlang and sql or ldap xlat, if query result is null.
 
 Is it possible? I appreciate if you refer any document.

  Read the source.

  Alan DeKok.


Re: unlang fails for some strange reason...

2012-05-09 Thread Stefan Winter
Hi,

both methods worked: moving into authorize (but after calling the suffix
module, which sets Stripped-User-Name), and also the ok hack in
authenticate.

We chose to move to authorize, as it's more easily understandable.

Thanks for the help!

Greetings,

Stefan Winter

On 09.05.2012 11:17, Stefan Winter wrote:
 Hi,
 
 yet another subtlety I didn't know of... I'm checking with my client
 whether either moving it to authorize or putting the ok in front will
 do the trick.
 
 I'll let the list know of the outcome so that the collective list
 intelligence a.k.a. archive will have the answer for later.
 
 Thanks,
 
 Stefan
 
 On 09.05.2012 09:56, Alan DeKok wrote:
 Stefan Winter wrote:
 no one with a hint?

   Hmm...  the default return code for things in the authenticate
 section is reject.  And the update sections just pass through the
 *previous* return code.

   You might try this as a hack:

 Auth-Type MS-CHAP {
  ok
  if (..) {
  }
  else {
  }
  mschap
 }

   The ok at the start will over-ride the default reject

   Alan DeKok.


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
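
The two fixes confirmed in this thread, written out as an added example (not code from any poster or from the FreeRADIUS project). The 20-character regular expression and the double quotes around the expansions are assumptions, reconstructed from the description "longer than 20 chars" because the pattern is garbled in the archived post.

```unlang
# sites-enabled/inner-tunnel, FreeRADIUS 2.1.x -- only the relevant lines.
# SAMAccountName is the local dictionary attribute from the original post:
#   ATTRIBUTE SAMAccountName 3003 string

# --- Variant A: do the rewrite in authorize (the option chosen in the thread)
authorize {
	# suffix must run before the test: it sets Stripped-User-Name.
	suffix

	# ASSUMED pattern: capture the first 20 characters when more follow.
	if ("%{Stripped-User-Name}" =~ /^(.{20}).+/) {
		update request {
			SAMAccountName := "%{1}"
		}
	}
	else {
		update request {
			SAMAccountName := "%{Stripped-User-Name}"
		}
	}

	# ... remaining authorize modules as already configured ...
}

authenticate {
	Auth-Type MS-CHAP {
		# Nothing but the module itself: no unlang in this section.
		mschap
	}
	# ... remaining Auth-Type entries as already configured ...
}

# --- Variant B: keep the rewrite in authenticate, with the "ok" hack.
# Use this INSTEAD of variant A, not together with it.
# The default return code in authenticate is reject, and "update" only
# passes the previous return code through. In the debug output above the
# else branch therefore returns reject and mschap is never reached.
# A leading "ok" replaces the default before the update runs.
#
# authenticate {
#	Auth-Type MS-CHAP {
#		ok
#		if ("%{Stripped-User-Name}" =~ /^(.{20}).+/) {
#			update request {
#				SAMAccountName := "%{1}"
#			}
#		}
#		else {
#			update request {
#				SAMAccountName := "%{Stripped-User-Name}"
#			}
#		}
#		mschap
#	}
# }
```

Running the server with radiusd -X after either change should show the update group no longer returning reject ahead of the mschap line.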




Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread yagizozen
Hello everyone,

I managed to do it finally :)

THANK YOU Very much



Re: Synchronous + Asynchronous proxying

2012-05-09 Thread mimir
Hello,

In general I can accounting packets to multiple servers from one radius
servers.

I set a solution with replicate module + one by one proxy configuration. (
because I want to see some logs regarding home servers)

I do not know very well how radius behaves in sync and async mode? But I
guess that we proxy packets immediately in sync mode to other servers. I
think async mode is requested to queue messages for a while and then proxy
them to other node in a set period? Am I right?
If you explain/or refer me to any document about this, I will appreciate.
Thanks.



Re: SNMP capabilities

2012-05-09 Thread mimir
Sorry Alan, not document, according to web site native snmp support is
supported. Am I right?
I am not a developer so checking source code is difficult/different for me. 
I asked if we can send snmp traps to NMS systems if any type of failure,
unsuccessful proxy message etc.
Is it possible or supported?
I checked the MIBs. I know that for example if you want to send trap code
1001, we need to define it via event1001 to MIB. So, I asked is it possible
to send SNMP trap?
Thanks.



RE: Prob web wiki.freeradius.org

2012-05-09 Thread Steven Staples
 Hello Alan,
 
  Torsten Lehmann wrote:
   http://wiki.freeradius.org/ (or faq)  returns:
   Forbidden
 
 * Alan DeKok al...@deployingradius.com [2012-05-09 09:44]:
  It works for me.  We upgraded the machine, and had a few problems with
  editing the wiki.  But it should be OK now.
 
 for me it does not, I still have the problem. If you want I can record the
 problem for you as flash video. I'm using github to authenticate.
 
 Cheers,
 Thomas


I hate to jump on the me too bandwagon, but it is still also down for me,
with a 403 Forbidden code.

Steve



Re: SNMP capabilities

2012-05-09 Thread Alan DeKok
mimir wrote:
 Sorry Alan, not document, according to web site native snmp support is
 supported. Am I right?

  Yes.  But you asked about *traps*.  Please use consistent terminology.

  Traps are not supported in 2.1.12.

 I am not a developer so checking source code is difficult/different for me. 
 I asked if we can send snmp traps to NMS systems if any type of failure,
 unsuccessful proxy message etc.
 Is it possible or supported?

  I answered that already.

 I checked the MIBs. I know that for example if you want to send trap code
 1001, we need to define it via event1001 to MIB. So, I asked is it possible
 to send SNMP trap?

  I answered that already.

  Alan DeKok.


Re: Synchronous + Asynchronous proxying

2012-05-09 Thread Alan DeKok
mimir wrote:
 In general I can accounting packets to multiple servers from one radius
 servers.

  Stop repeating that.  I understand it already.

 I set a solution with replicate module + one by one proxy configuration. (
 because I want to see some logs regarding home servers)
 
 I do not know very well how radius behaves in sync and async mode? But I
 guess that we proxy packets immediately in sync mode to other servers. I
 think async mode is requested to queue messages for a while and then proxy
 them to other node in a set period? Am I right?

  No.

 If you explain/or refer me to any document about this, I will appreciate.

  You have access to all of the documents that are available.

  FreeRADIUS doesn't do asynchronous proxying.  The configuration file
is very clear on this.  The comments in proxy.conf explain this.

  What part of those comments are unclear?

  Alan DeKok.


Re: Prob web wiki.freeradius.org

2012-05-09 Thread Alan DeKok
Steven Staples wrote:
 I hate to jump on the me too bandwagon, but it is still also down for me,
 with a 403 Forbidden code.

  As Arran said, he's in the process of fixing it.

  Please hold.

  Alan DeKok.



Re: mySQL user wifi authentication error on freeradius

2012-05-09 Thread xadow20
Hi! Here is the debug.

FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan  5 2010
at 02:49:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default.backup
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default.semsql
main {
user = freerad
group = freerad
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/freeradius/freeradius.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
  

Re: mySQL user wifi authentication error on freeradius

2012-05-09 Thread Alan DeKok
xadow20 wrote:
 Hi! here is de debug.

  Nope.

  It doesn't show the server receiving any packets.

  Post the debug output for THAT.

  Alan DeKok.


Re: mySQL user wifi authentication error on freeradius

2012-05-09 Thread xadow20
I can't post all debug

http://freeradius.1045715.n5.nabble.com/file/n5697736/debug2.txt debug2.txt 



Re: mySQL user wifi authentication error on freeradius

2012-05-09 Thread Fajar A. Nugraha
On Wed, May 9, 2012 at 10:39 PM, xadow20 joaofigueired...@gmail.com wrote:
 I can't post all debug

 http://freeradius.1045715.n5.nabble.com/file/n5697736/debug2.txt debug2.txt

What do you get if you execute this query directly on your db?

SELECT id, username, attribute, value, op   FROM radcheck
 WHERE username = 'nso'   ORDER BY id

From the next lines of log:

[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.

It looks like you have some records for that user in the db, but it
does NOT have cleartext password. Probably it's some kind of hashed
password (e.g. MD5-Password). If that's the case, then the behaviour
is correct. You need to have either cleartext or NT-Hash password to
use mschap.

-- 
Fajar
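
An added example, not part of the thread: auditing a radcheck table for users whose stored password attribute cannot be used by MS-CHAP, following the reply above. The rows are constructed, an in-memory SQLite database stands in for the MySQL one, and the function names are hypothetical.

```python
import sqlite3

# Check items that give rlm_mschap what it needs, per the reply above:
# the cleartext password or the NT hash. (List taken from the thread.)
MSCHAP_USABLE = ("Cleartext-Password", "NT-Password")


def build_sample_db():
    """In-memory stand-in for the MySQL radcheck table; rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
        " attribute TEXT, op TEXT, value TEXT)"
    )
    rows = [
        ("nso", "MD5-Password", ":=", "constructed-md5-hex"),
        ("alice", "Cleartext-Password", ":=", "constructed-password"),
        ("bob", "NT-Password", ":=", "constructed-nt-hash"),
        ("carol", "Crypt-Password", ":=", "constructed-crypt-string"),
        ("carol", "Simultaneous-Use", ":=", "1"),  # not a password item
    ]
    db.executemany(
        "INSERT INTO radcheck (username, attribute, op, value)"
        " VALUES (?, ?, ?, ?)",
        rows,
    )
    return db


def mschap_incompatible_users(db):
    """Map username -> stored password attributes, for users that have a
    *-Password check item but none that MS-CHAP can use."""
    marks = ",".join("?" for _ in MSCHAP_USABLE)
    query = f"""
        SELECT username, GROUP_CONCAT(attribute)
          FROM radcheck
         WHERE attribute LIKE '%-Password'
         GROUP BY username
        HAVING SUM(attribute IN ({marks})) = 0
         ORDER BY username
    """
    return {user: attrs.split(",") for user, attrs in db.execute(query, MSCHAP_USABLE)}


if __name__ == "__main__":
    for user, attrs in mschap_incompatible_users(build_sample_db()).items():
        print(f"{user}: only {', '.join(attrs)} stored; MS-CHAP cannot use it")
```

Users reported here would produce the "No Cleartext-Password configured" lines shown in the debug output when they attempt MS-CHAP.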


Re: mySQL user wifi authentication error on freeradius

2012-05-09 Thread xadow20
Hi!
With clear-text password it works.
I thought it would work with encrypted passwords too.
Thanks



Re: Accessing attribute in control list

2012-05-09 Thread Mike
Can anyone provide an answer? I have spent much time trying to make this work, 
trying different things so if it's not possible please let me know.

On 2012-05-08, at 5:05 PM, Mike lonetravel...@gmail.com wrote:

 
 
 Hi guys,
 
 I am setting an attribute in the auth section of my config. I am able to 
 access the attribute in the same section and perform unlang operations on 
 said attribute, however, I am unable to access the same from the pre-proxy 
 section of my config. The attribute just expands as blank.
 
 Is this a limitation of the software or is there a way I can access this 
 attribute set in one section from another?
 
 Small background, originally I wanted to use ldap-group for group checking 
 which turns out not to be possible due to the client's ldap not being 
 configured correctly for groups, they are unwilling to change. So I want to 
 be able to check against a different attribute set manually.
 
 An example would be appreciated if it is possible.  
 
 
 
 


Minor update glitch in FR 2.1.12 rpm (CentOS/RH)

2012-05-09 Thread up
Just an FYI (sorry if this has already been covered):

If you update FR via yum in CentOS or RedHat, as is usual practice with RPMs,
conf files that have been modified are not overwritten, so the new version is
installed with an .rpmnew suffix.

This works great for most of the config files, but not the modules.  For some
reason, the .rpmnew module file is loaded instead of the original one:

including configuration file /etc/raddb/modules/ldap.rpmnew

The original module is there, but not loaded at run time...perhaps because it
sees the .rpmnew one first?

Fixing it is trivial, of course, once you see what the problem is, but I thought
perhaps the rpm maintainers or FR developers might want to be made aware of it.


Re: FreeRadius 2.1.12: radclient without coa

2012-05-09 Thread Treusch Thorsten
Hi Alan,
thanks for your reply but as far as I know nobody has edited our version of
radclient?!
It was just a clean install done by one of my colleagues.
And when he installed it the only purpose of freeradius was for authentication.
We didn't even think about using CoA.
When you say edited, does that mean we might have to modify/add something in
the Freeradius installation and/or config to get coa back to radclient?

Cheers,
Thorsten

Treusch Thorsten wrote:
 Now we have started to evaluate CoA on FreeRadius for both scenarios:
 a) Receive CoA packets from Node
 b) Send CoA-Requests to node (and analyze CoA-Ack, CoA-Nack
 
 Reading through several pages i always found radclient with the option
 coa to send/initiate CoA-Packets.
 And some of my colleagues (development) also use radclient for this purpose.

  That works.

 BUT if i look at our radclient (v2.1.12) the coa option is missing there ?
 
 Last login: Sat May  5 15:17:27 2012 from dhcp-10-61-100-168.cisco.com
 [freeradius at sca-radius ~]$ radclient 
 Usage: radclient [options] server[:port] command [secret]
   command     One of auth, acct, status, or disconnect.

  That's wrong.  The version of radclient has listed coa there since
May 2006.  The revision control system is quite clear on this.  So...
who edited your version of radclient?

 Is it possible that this coa option was removed with v2.1.12 (or earlier) ?

  No.

 If yes, is there an alternative to send CoA packets from FreeRadius server ?
 I don't want to send CoA packets as a follow up to Access Request
 packet, but want to start it
 from FreeRadius.

  The version of radclient shipped with 2.1.12 has full support for CoA.

  Alan DeKok.

On 05.05.2012, at 18:43, Treusch Thorsten wrote:

 Hi there,
 
 we have FreeRadius 2.1.12 installed in our lab mostly for testing purpose of 
 our nodes.
 
 Now we have started to evaluate CoA on FreeRadius for both scenarios:
 a) Receive CoA packets from Node
 b) Send CoA-Requests to node (and analyze CoA-Ack, CoA-Nack
 
 Reading through several pages i always found radclient with the option 
 coa to send/initiate CoA-Packets.
 And some of my colleagues (development) also use radclient for this purpose.
 
 BUT if i look at our radclient (v2.1.12) the coa option is missing there ?
 
 Last login: Sat May  5 15:17:27 2012 from dhcp-10-61-100-168.cisco.com
 [freeradius@sca-radius ~]$ radclient 
 Usage: radclient [options] server[:port] command [secret]
   command     One of auth, acct, status, or disconnect.
 
 Is it possible that this coa option was removed with v2.1.12 (or earlier) ?
 
 If yes, is there an alternative to send CoA packets from FreeRadius server ?
 I don't want to send CoA packets as a follow up to Access Request packet, but 
 want to start it
 from FreeRadius.
 
 
 Many thanks for any helpful feedback,
 Thorsten


Re: Accessing attribute in control list

2012-05-09 Thread alan buxey
Hi,

 Can anyone provide an answer? I have spent much time trying to make this 
 work, trying different things so if its not possible please let me know.

we all have our day jobs to do. i can't seem to find the original email
regarding this. have you looked at the debug log to see what is going on?
are you doing attribute filtering - ie is the attribute you are interested in
being stripped out by the pre-proxy filter?

alan


Re: FreeRadius 2.1.12: radclient without coa

2012-05-09 Thread alan buxey
Hi,

  thanks for your reply but as far as I know nobody has edited our version of 
 radclient?!

do you have multiple copies on the server - ie do you have
it installed via an RPM install (for example) of an old version of
freeradius?

what does 'which radclient' tell you and what does eg 'locate radclient'
give you?

alan


Re: Minor update glitch in FR 2.1.12 rpm (CentOS/RH)

2012-05-09 Thread John Dennis

On 05/09/2012 02:53 PM, u...@3.am wrote:
 Just an FYI (sorry if this has already been covered):

Ad nauseam, check the archives which also includes suggestions to 
mitigate the issue.

 If you update FR via yum in CentOS or RedHat, as is usual practice with RPMs,
 conf files that have been modified are not overwritten, so the new version is
 installed with an .rpmnew suffix.


--
John Dennis jden...@redhat.com
