Re: Help needed to configure FreeRADIUS for eduroam
> Hi,
>
> I am struggling to configure my FreeRADIUS server for eduroam (www.eduroam.org). As I understood that some subscribers have done the configuration successfully, I come here to get help.
>
> I have been running my FreeRADIUS server without problem for several years, identifying to an OpenLDAP backend. I managed to configure a test WiFi access point to identify with 802.1X against that same RADIUS/LDAP server.
>
> But I have a problem configuring eduroam, so I would be glad if I could see a working example.

It would help if you told us *what* the problem is.

Looking at what you write, you have a working FreeRADIUS, working OpenLDAP backend, and have configured it to do IEEE 802.1X on a WiFi access point. That is 99% of what eduroam needs.

So, what's missing?

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help needed to configure FreeRADIUS for eduroam
On 28 Jun 2012, at 02:54, Olivier Nicole wrote:

> Hi,
>
> I am struggling to configure my FreeRADIUS server for eduroam (www.eduroam.org). As I understood that some subscribers have done the configuration successfully, I come here to get help.
>
> I have been running my FreeRADIUS server without problem for several years, identifying to an OpenLDAP backend. I managed to configure a test WiFi access point to identify with 802.1X against that same RADIUS/LDAP server.
>
> But I have a problem configuring eduroam, so I would be glad if I could see a working example.

Have you looked at the eduroam wiki?

https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus

Thanks

---
Scott Armitage, Loughborough University
Questions on the finer points of CUI
All,

I was after some clarification about the implementation of CUI in FreeRADIUS.

My first point is the use of Client IP Address. I notice that Client IP Address makes a regular appearance, but I'm wondering whether it should.

Looking at cui.conf, the post-auth insert adds the Client IP Address:

    postauth_query = INSERT IGNORE INTO ${cui_table} \
        (clientipaddress, callingstationid, username, cui, lastaccounting) \
        VALUES \
        ('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL) \
        ON DUPLICATE KEY UPDATE lastaccounting='0000-00-00 00:00:00', cui='%{reply:Chargeable-User-Identity}';

Likewise the schema (in cui.sql) even has the Client IP Address as a primary key, which to me seems wrong. In the world of eduroam my RADIUS server can proxy off to one of 3 National Proxies; each will have a different Client IP Address, therefore a single client could have 3 entries in the cui table depending upon which National Proxy dealt with the request.

I don't see the point of the Client IP Address being in there. If each home server is using a salt (together with the operator name) then even the same username and calling station id will return a different CUI for different home servers. Maybe someone could explain what I'm missing and why the Client IP Address is there?

Staying with the Client IP Address, my next point surrounds the Accounting. The cui.conf shows that accounting updates the table using Client IP Address in the search:

    accounting_start_query = UPDATE ${cui_table} \
        SET \
        lastaccounting = CURRENT_TIMESTAMP \
        WHERE clientipaddress = '%{Client-IP-Address}' \
        AND callingstationid = '%{Calling-Station-Id}' \
        AND username = '%{User-Name}' \
        AND cui = '%{Chargeable-User-Identity}';

How would this work? The NAS doesn't know what the Client IP Address is and doesn't send it in Accounting packets.

Finally, why does the Accounting stop for cui remove the cui from the database:

    accounting_stop_query = DELETE FROM ${cui_table} WHERE \
        clientipaddress = '%{Client-IP-Address}' \
        AND callingstationid = '%{Calling-Station-Id}' \
        AND username = '%{User-Name}' \
        AND cui = '%{Chargeable-User-Identity}';

Surely I'd want to keep this? If 2 weeks later I get a copyright infringement notice for a client, I'd want the CUI when contacting the home site of the user.

Thanks

Scott Armitage
Re: Help needed to configure FreeRADIUS for eduroam
Hi,

> I have been running my FreeRADIUS server without problem for several years, identifying to an OpenLDAP backend. I managed to configure a test WiFi access point to identify with 802.1X against that same RADIUS/LDAP server.
>
> But I have a problem configuring eduroam, so I would be glad if I could see a working example.

you need to look at the output of 'radiusd -X' to see what is going on with your server and why it is failing.

regarding eduroam - if you already have working 802.1X locally (which I'm not sure of from your message, as your OpenLDAP/RADIUS combo could have been just PAP authentication) - then all you need to do for eduroam is have some unlang which checks the realm and, if it's not your realm, sends it to a proxy pool (configure proxy.conf) - which will send the request to remote RADIUS servers that you will be told about by your federation operator. And you need to add those remote RADIUS servers as clients (clients.conf or NAS table in SQL) so that requests for you can be sent to you.

you might want to also look at the eduroam confluence wiki for help/advice/pointers

https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus

alan
Re: Questions on the finer points of CUI
On 28.06.2012 09:07, Scott Armitage wrote:
> All,
>
> I was after some clarification about the implementation of CUI in FreeRADIUS.
>
> My first point is the use of Client IP Address. I notice that Client IP Address makes a regular appearance, but I'm wondering whether it should.
>
> Looking at cui.conf, the post-auth insert adds the Client IP Address:
>
>     postauth_query = INSERT IGNORE INTO ${cui_table} \
>         (clientipaddress, callingstationid, username, cui, lastaccounting) \
>         VALUES \
>         ('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL) \
>         ON DUPLICATE KEY UPDATE lastaccounting='0000-00-00 00:00:00', cui='%{reply:Chargeable-User-Identity}';
>
> Likewise the schema (in cui.sql) even has the Client IP Address as a primary key, which to me seems wrong. In the world of eduroam my RADIUS server can proxy off to one of 3 National Proxies; each will have a different Client IP Address, therefore a single client could have 3 entries in the cui table depending upon which National Proxy dealt with the request.
>
> I don't see the point of the Client IP Address being in there. If each home server is using a salt (together with the operator name) then even the same username and calling station id will return a different CUI for different home servers. Maybe someone could explain what I'm missing and why the Client IP Address is there?

The $cui_table is merely a helper table to bind returned CUI values from the home server during the *authentication* phase to a possible subsequent Accounting packet for that same session. It is logically maintained at the SP side of the transactions (i.e. towards Access Points and Controllers).

When doing auth, Calling-Station-Id and a User-Name are present in the request. The response contains the associated Chargeable-User-Identity, and may or may not contain a User-Name, and that User-Name may or may not be the same as the request had.

If the NAS doesn't bind auth-CUI to acct-CUI itself (which is true for most NASes), the SP-side RADIUS server needs to do guesswork to add the CUI attribute to the outgoing accounting request (for all such requests: starts, interims and stops). It can see the binding primarily by observing that the Calling-Station-Id is the same. It cannot use the User-Name in Accounting because some NASes use the value of an Access-Accept instead of the original value.

In principle, one could stop here. However, if a user moves from one NAS to another, he needs to reauthenticate and has the same Calling-Station-Id. This new authentication might get the same CUI or another (as you rightly note, the next request can go to a different home server, who might calculate his own CUI). In that case, there are two entries for the same Calling-Station-Id with different CUIs, and the server won't know which one to attach to the next outgoing Accounting-Request - BAD.

That's why the Client-IP-Address is a secondary key: since we're talking SP-side, the client is the Access Point or Controller, and the tuple of (CSI;Client-IP) makes the CUI value unique: this device *on this client* at a particular point in time.

You might argue that the user could close the session and then re-auth on the *same* NAS. That's true, but it is not a problem: if that previous session was closed in order with an Accounting-Stop, the temporary entry in $cui_table gets deleted, and the new session gets the new one. If not, since the key of CSI and Client-IP is identical, the new session overwrites the CUI value of the previous one.

This should also explain your subsequent queries below.

Greetings,

Stefan Winter

> Staying with the Client IP Address, my next point surrounds the Accounting. The cui.conf shows that accounting updates the table using Client IP Address in the search:
>
>     accounting_start_query = UPDATE ${cui_table} \
>         SET \
>         lastaccounting = CURRENT_TIMESTAMP \
>         WHERE clientipaddress = '%{Client-IP-Address}' \
>         AND callingstationid = '%{Calling-Station-Id}' \
>         AND username = '%{User-Name}' \
>         AND cui = '%{Chargeable-User-Identity}';
>
> How would this work? The NAS doesn't know what the Client IP Address is and doesn't send it in Accounting packets.
>
> Finally, why does the Accounting stop for cui remove the cui from the database:
>
>     accounting_stop_query = DELETE FROM ${cui_table} WHERE \
>         clientipaddress = '%{Client-IP-Address}' \
>         AND callingstationid = '%{Calling-Station-Id}' \
>         AND username = '%{User-Name}' \
>         AND cui = '%{Chargeable-User-Identity}';
>
> Surely I'd want to keep this? If 2 weeks later I get a copyright infringement notice for a client, I'd want the CUI when contacting the home site of the user.
>
> Thanks
>
> Scott Armitage
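To make the (CSI; Client-IP) keying that Stefan describes concrete, here is an added Python model of the SP-side helper table, written for this thread and not taken from FreeRADIUS's cui.conf or cui.sql. It uses an in-memory sqlite3 database, so MySQL's ON DUPLICATE KEY UPDATE becomes sqlite's ON CONFLICT upsert; the NAS addresses, station MAC and CUI values are constructed.

```python
"""Model of the SP-side CUI helper table from the thread above.

Assumptions (illustrative code, not FreeRADIUS's own cui.conf/cui.sql):
- the table is keyed on (clientipaddress, callingstationid);
- Client-IP-Address is the NAS source address as seen by the RADIUS
  server (so it is present on accounting packets even though the NAS
  never sends it as an attribute);
- sqlite >= 3.24 for the ON CONFLICT upsert.
"""
import sqlite3

SCHEMA = """
CREATE TABLE cui (
    clientipaddress   TEXT NOT NULL,
    callingstationid  TEXT NOT NULL,
    username          TEXT NOT NULL,
    cui               TEXT NOT NULL,
    lastaccounting    TEXT,
    PRIMARY KEY (clientipaddress, callingstationid)
);
"""


class CuiTable:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def post_auth(self, client_ip, csi, username, cui):
        # Access-Accept came back from the home server carrying a CUI.
        # A second auth for the same (NAS, station) overwrites the old CUI
        # and clears lastaccounting, like the ON DUPLICATE KEY UPDATE branch.
        self.db.execute(
            "INSERT INTO cui (clientipaddress, callingstationid, username, cui, lastaccounting) "
            "VALUES (?, ?, ?, ?, NULL) "
            "ON CONFLICT(clientipaddress, callingstationid) DO UPDATE SET "
            "cui = excluded.cui, username = excluded.username, lastaccounting = NULL",
            (client_ip, csi, username, cui),
        )

    def lookup(self, client_ip, csi):
        # Run on every Accounting-Request (start/interim/stop) before it is
        # proxied: the NAS does not echo the CUI, so bind it via (Client-IP, CSI).
        # User-Name is deliberately not part of the key: some NASes send the
        # User-Name from the Access-Accept rather than the original one.
        row = self.db.execute(
            "SELECT cui FROM cui WHERE clientipaddress = ? AND callingstationid = ?",
            (client_ip, csi),
        ).fetchone()
        return row[0] if row else None

    def acct_start_or_interim(self, client_ip, csi):
        cui = self.lookup(client_ip, csi)
        if cui is not None:
            self.db.execute(
                "UPDATE cui SET lastaccounting = CURRENT_TIMESTAMP "
                "WHERE clientipaddress = ? AND callingstationid = ?",
                (client_ip, csi),
            )
        return cui

    def acct_stop(self, client_ip, csi):
        # The binding is only needed while the session is alive; long-term
        # records (for an abuse notice weeks later) belong in radacct, not here.
        cui = self.lookup(client_ip, csi)
        self.db.execute(
            "DELETE FROM cui WHERE clientipaddress = ? AND callingstationid = ?",
            (client_ip, csi),
        )
        return cui

    def rows(self):
        return self.db.execute(
            "SELECT clientipaddress, callingstationid, cui FROM cui ORDER BY 1, 2"
        ).fetchall()


def roaming_scenario():
    """Constructed walk-through of the cases discussed in the thread."""
    t = CuiTable()
    csi = "00-11-22-33-44-55"          # constructed station MAC
    ap1, ap2 = "10.0.0.1", "10.0.0.2"  # constructed NAS addresses
    # 1. Auth on AP1; the home server (via national proxy A) returns "cuiA".
    t.post_auth(ap1, csi, "anonymous@home.example", "cuiA")
    # 2. Same device roams to AP2; the re-auth travels via a different
    #    proxy/home-server instance and comes back with "cuiB".
    t.post_auth(ap2, csi, "anonymous@home.example", "cuiB")
    two_rows = t.rows()  # two rows: the (Client-IP, CSI) key keeps them apart
    # 3. Accounting from each AP binds to the right CUI.
    acct1 = t.acct_start_or_interim(ap1, csi)
    acct2 = t.acct_start_or_interim(ap2, csi)
    # 4. AP1 sends Accounting-Stop: its binding goes, AP2's stays.
    stopped = t.acct_stop(ap1, csi)
    # 5. Re-auth on AP2 without a Stop overwrites the old value in place.
    t.post_auth(ap2, csi, "anonymous@home.example", "cuiC")
    after = t.rows()
    return two_rows, acct1, acct2, stopped, after
```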
Re: Help needed to configure FreeRADIUS for eduroam
Hi,

Thank you to Stefan, Scott and Alan who took time to reply to me.

For some reason, it is working now, I did only tiny changes though.

What I still don't understand:

- the differences between the wiki https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus and the cookbook http://www.eduroam.org/downloads/docs/GN2-08-230-DJ5.1.5.3-eduroamCookbook.pdf. The configuration files are slightly different.

- the inner logic behind the virtual servers eduroam and eduroam-inner-tunnel; how it is working; how packets are passed from one to the other.

- how to implement anonymous outer identity? What to configure in RADIUS? Is there any configuration needed in the supplicant?

Best regards,

Olivier
Re: Help needed to configure FreeRADIUS for eduroam
Hi,

> For some reason, it is working now, I did only tiny changes though.

well.. you made changes... obviously they were beneficial

> - the differences between the wiki https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus and the cookbook http://www.eduroam.org/downloads/docs/GN2-08-230-DJ5.1.5.3-eduroamCookbook.pdf. The configuration files are slightly different.

the wiki is up to date. the cookbook is printed material... and is from GEANT2 days - so older

> - the inner logic behind the virtual servers eduroam and eduroam-inner-tunnel; how it is working; how packets are passed from one to the other.

eduroam server passes EAP stuff into eduroam inner-tunnel - just like, by default, the default server passes things into the inner-tunnel.. how does stuff go into eduroam VS? well, usually via an entry in clients.conf which says to put traffic from a particular NAS into a particular virtual server

> - how to implement anonymous outer identity? What to configure in RADIUS? Is there any configuration needed in the supplicant?

the RADIUS server will just handle it - it will get to the EAP part and open the tunnel to see the good stuff inside. be aware that if you have made ANY assumptions about ID based on the outer ID then those can be abused/misconstrued. anonymous ID ability is based on the supplicant - some supplicants can set it, others can't. some can set a different realm in the outer ID, some can't.

alan
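Alan's two points, realm-based proxying in the eduroam virtual server and not trusting the outer identity once the inner tunnel is open, as an added Python model written for this thread (illustrative code, not FreeRADIUS unlang and not any eduroam software). The realm names are constructed, and the rule that an inner identity's realm must agree with the outer identity's realm is an assumption of this example.

```python
"""Realm routing and inner/outer identity check for an eduroam site.

Assumptions (this is illustrative code, not FreeRADIUS unlang):
- identities are NAI-style user@realm, realms compared case-insensitively;
- a User-Name without a realm cannot be routed to anyone else, so the
  eduroam server treats it as local;
- in the inner tunnel the real identity must belong to one of our realms
  and, where the outer identity carries a realm, must use the same realm:
  nothing derived from the (unauthenticated) outer identity is trusted.
"""
from __future__ import annotations

LOCAL_REALMS = {"example.ac.uk", "cs.example.ac.uk"}  # constructed


def split_nai(user_name: str) -> tuple[str, str | None]:
    """'anonymous@Example.ac.uk' -> ('anonymous', 'example.ac.uk')."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower() or None


def route_outer(user_name: str, local_realms=LOCAL_REALMS) -> tuple[str, str | None]:
    """What the 'eduroam' virtual server does with an outer request.

    ('local', None): run EAP here, i.e. hand it to eduroam-inner-tunnel.
    ('proxy', realm): send it to the federation proxy pool for that realm.
    """
    _, realm = split_nai(user_name)
    if realm is None or realm in local_realms:
        return "local", None
    return "proxy", realm


def check_inner_identity(outer: str, inner: str, local_realms=LOCAL_REALMS) -> tuple[bool, str]:
    """Inner-tunnel check run after the TLS tunnel is open."""
    _, outer_realm = split_nai(outer)
    inner_user, inner_realm = split_nai(inner)
    if not inner_user:
        return False, "empty inner user"
    if inner_realm is not None and inner_realm not in local_realms:
        # The outer realm may have said "us", but the real identity is not ours.
        return False, "inner realm %s is not ours" % inner_realm
    if outer_realm is not None and inner_realm is not None and outer_realm != inner_realm:
        # Assumed policy: outer and inner realm must agree.
        return False, "inner realm %s != outer realm %s" % (inner_realm, outer_realm)
    return True, "ok"
```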
FreeRADIUS SQl Ippool problem -
Hi Guys,

I'm having a problem with IP pools with freeradius2 and I can't seem to get any username to get an address from the pool. 90% of the usernames will have static IPs but I want a few to be in a pool, but I really am stumped.

I tried putting

    username@realm Framed-Pool := EZPOOL

into the radreply section and it gives me a reply when I test it:

    # Standard
    Framed-Pool = "EZPOOL"

so I know it is reading that. I then have a pool set up in radippool:

    pool_name=EZPOOL
    FramedIPAddress=192.168.1.200

(I have more), and my radiusd -X reply is:

    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group PAP {...}
    [pap] login attempt with password 111
    [pap] Using clear text password 111
    [pap] User authenticated successfully
    ++[pap] returns ok
    # Executing section post-auth from file /etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    [sql] 	expand: %{User-Name} -> user@realm
    [sql] sql_set_user escaped user --> 'username@realm'
    [sql] 	expand: %{User-Password} -> 111
    [sql] 	expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'username@realm', '111', 'Access-Accept', '2012-06-28 10:59:37')
    rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'username@realm', '111', 'Access-Accept', '2012-06-28 10:59:37')
    rlm_sql (sql): Reserving sql socket id: 2
    rlm_sql (sql): Released sql socket id: 2
    ++[sql] returns ok
    ++[exec] returns noop
    Sending Access-Accept of id 51 to 192.168.1.100 port 52433
    	Framed-Pool := EZPOOL
    	Cisco-AVPair := lcp:interface-config=ip vrf forwarding BLAH
    	Cisco-AVPair += lcp:interface-config=ip unnumbered Loopback1
    	Cisco-AVPair += lcp:interface-config=mtu 1492
    	Service-Type := Framed-User
    	Framed-Protocol := PPP
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 51 with timestamp +5
    Ready to process requests.
Re: FreeRADIUS SQl Ippool problem -
On Thu, Jun 28, 2012 at 7:03 PM, Taz Manian djta...@hotmail.com wrote:
> Hi Guys,
>
> I'm having a problem with IP pools with freeradius2 and I can't seem to get any username to get an address from the pool. 90% of the usernames will have static IPs but I want a few to be in a pool, but I really am stumped.
>
> I tried putting
>
>     username@realm Framed-Pool := EZPOOL
>
> into the radreply section and it gives me a reply when I test it

Please check the wiki, IIRC you should put it in radcheck, not radreply. And the attribute is Pool-Name, not Framed-Pool.

> so I know it is reading that. I then have a pool set up in radippool

Also, IMHO you should just use rlm_sqlippool. It's easier to setup and debug.

--
Fajar
Re: FreeRADIUS SQl Ippool problem -
On Thu, Jun 28, 2012 at 7:08 PM, Fajar A. Nugraha l...@fajar.net wrote:
> On Thu, Jun 28, 2012 at 7:03 PM, Taz Manian djta...@hotmail.com wrote:
>> so I know it is reading that. I then have a pool set up in radippool
>
> Also, IMHO you should just use rlm_sqlippool. It's easier to setup and debug.

Sorry, I somehow read radippool as rlm_ippool. If you use that table then you should use (or at least try to use) rlm_sqlippool already. You probably just need to read the wiki:

http://wiki.freeradius.org/Rlm_sqlippool

--
Fajar
Would like to stop Interim Accounting being proxied
Hi all,

I need to stop proxying Interim Accounting for a particular domain on our legacy FreeRADIUS 1.1.2 platform. Reading the unlang man page, I've tried:

    accounting {
        if ( (%{Acct-Status-Type} = Interim-Update) && (%{User-Name} =~ /@domain/) ) {
            update control {
                Proxy-To-Realm := LOCAL
            }
        }
    }

But that causes the daemon to error out with

    /etc/raddb/radiusd.conf[1433]: Line is not in 'attribute = value' format

What have I misunderstood?

Steve
Re: FreeRADIUS SQl Ippool problem -
Hello,

Some time ago someone informed me that the ippool does not work properly with MySQL. How is it now? I'm not sure what problems were occurring, but I was informed that it worked better and smoothly only in Postgres. Has anyone succeeded with this scenario, FreeRADIUS / MySQL?

Thanks for listening,

Michell
Re: Would like to stop Interim Accounting being proxied
Steve Brown wrote:
> Reading the unlang man page, I've tried:
>
>     accounting {
>         if ( (%{Acct-Status-Type} = Interim-Update) && (%{User-Name} =~ /@domain/) ) {

That's wrong on a number of levels. The documentation says you can just refer to an attribute by name. And use '==':

    if ((Acct-Status-Type == Interim-Update) && (User-Name =~ /@domain/)) {
        ...
    }

> But that causes the daemon to error out with
>
>     /etc/raddb/radiusd.conf[1433]: Line is not in 'attribute = value' format
>
> What have I misunderstood?

Double-check line 1433?

Alan DeKok.
Probmels with sqlcounter module in FreeRADIUS 2.1.12
I'm running FreeRADIUS in conjunction with PostgreSQL 9.1.

Snippet from radiusd.conf:

    modules {
        ...
        $INCLUDE sql/postgresql/counter.conf
        ...
    }

In my sql/postgresql/counter.conf, I have the following:

    sqlcounter dailycounter {
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        reply-name = Session-Timeout
        sqlmod-inst = sql
        key = User-Name
        reset = hourly
        query = "SELECT SUM(AcctSessionTime - GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"
    }

Attention!!! The dailycounter has an hourly reset.

In sites-available/default, under the authorize section:

    authorize {
        ...
        dailycounter
        ...
    }

Now in my database I have in the radcheck table two rows:

     id  | username |     attribute     | op | value
    -----+----------+-------------------+----+-------
     167 | test1    | Password          | := | test1
     168 | test1    | Max-Daily-Session | := | 60

The problem is that every time I authenticate for the first time per hour (because the sqlcounter is reset hourly) with username test1, I can access the services given by FreeRADIUS for an unlimited time. The sqlcounter is enabled only after I log in the first time, log out and log in again. If I exceed the time specified in the radcheck table in the first login, at the second login (in the same hour) I cannot log in again due to the sqlcounter saying that the time is up.

Question: can anyone help me how to put the right settings in the database or FR's files so that the sqlcounter module will work from the first login?
Re: FreeRADIUS SQl Ippool problem -
Michell wrote:
> Some time ago someone informed me that the ippool does not work properly with MySQL. How is it now?

someone somewhere said something. That's not helpful.

Read the documentation and examples distributed with FreeRADIUS. They give you the CORRECT answers. In this case, raddb/sql/mysql/ippool.*

Alan DeKok.
Re: Would like to stop Interim Accounting being proxied
Hi Alan,

Thanks for the pointer. This is actually what I started with :( I still get the error

    Error: /etc/raddb/radiusd.conf[1433]: Line is not in 'attribute = value' format

line 1433 is this actual 'if ((' line.

    accounting {
        if ((Acct-Status-Type == Interim-Update) && (User-Name =~ /@docomo/)) {
            update control {
                Proxy-To-Realm := LOCAL
            }
        }
    }

On 28/06/12 13:32, Alan DeKok wrote:
> That's wrong on a number of levels. The documentation says you can just refer to an attribute by name. And use '==':
>
>     if ((Acct-Status-Type == Interim-Update) && (User-Name =~ /@domain/)) {
>         ...
>     }

Steve
Re: FreeRADIUS SQl Ippool problem -
On Thu, Jun 28, 2012 at 7:26 PM, Michell bill.c...@gmail.com wrote:
> Hello,
>
> Some time ago someone informed me that the ippool does not work properly with MySQL.

It works just fine

> How is it now? I'm not sure what problems were occurring, but I was informed that it worked better and smoothly only in Postgres.

IIRC from the discussion, postgres should perform better compared to mysql on the DEFAULT setup due to locking (or lack of it). Function-wise, both work fine. If your load is pretty light, OR you know how to adjust your mysql setup to avoid the locking issue, it should be irrelevant.

--
Fajar
Re: Probmels with sqlcounter module in FreeRADIUS 2.1.12
Andrei Petru Mura wrote:
> Now in my database I have in the radcheck table two rows:
>
>      id  | username |     attribute     | op | value
>     -----+----------+-------------------+----+-------
>      167 | test1    | Password          | := | test1

Please fix that. Really. It's been ~6 years that Password := has been *documented* as being wrong. See the FAQ.

>      168 | test1    | Max-Daily-Session | := | 60
>
> The problem is that every time I authenticate for the first time per hour (because the sqlcounter is reset hourly) with username test1, I can access the services given by FreeRADIUS for an unlimited time.

Blame the NAS.

> The sqlcounter is enabled only after I log in the first time, log out and log in again. If I exceed the time specified in the radcheck table in the first login, at the second login (in the same hour) I cannot log in again due to the sqlcounter saying that the time is up.
>
> Question: can anyone help me how to put the right settings in the database or FR's files so that the sqlcounter module will work from the first login?

Read the debug output. If the correct Session-Timeout is being returned, blame the NAS.

As *always* read the debug output. We really can't say that enough. Perhaps putting that in the "you have subscribed" notice to the list would make a difference?

Alan DeKok.
Re: Probmels with sqlcounter module in FreeRADIUS 2.1.12
On Thu, Jun 28, 2012 at 7:34 PM, Andrei Petru Mura mapand...@gmail.com wrote:
>      id  | username |     attribute     | op | value
>     -----+----------+-------------------+----+-------
>      167 | test1    | Password          | := | test1
>      168 | test1    | Max-Daily-Session | := | 60
>
> The problem is that every time I authenticate for the first time per hour (because the sqlcounter is reset hourly) with username test1, I can access the services given by FreeRADIUS for an unlimited time.

That's not right.

- Did you read the wiki?
- Did you try to run FR in debug mode? Did it send Session-Timeout attribute? Was it calculated correctly?
- Does your NAS honor Session-Timeout attribute? IIRC some NAS (e.g. chillispot) ignores some attributes (e.g. Acct-Interim-Interval) if it's too small (e.g. <= 60 seconds). That might be the case in your setup (although the attribute here is different).

--
Fajar
Re: Would like to stop Interim Accounting being proxied
Steve Brown wrote:
> Thanks for the pointer. This is actually what I started with :( I still get the error
>
>     Error: /etc/raddb/radiusd.conf[1433]: Line is not in 'attribute = value' format
>
> line 1433 is this actual 'if ((' line.

It works for me. Check that you're using version 2? It looks like you're using version 1. Unlang is only supported in version 2. Upgrade.

Alan DeKok.
RE: FreeRADIUS SQl Ippool problem -
I did check the wiki, I have been on it for the last 3 days trying to figure this out. I did a search for Pool-Name and I got 4 different results as below:

http://wiki.freeradius.org/search?q=Pool-Name
http://wiki.freeradius.org/Rlm_sqlippool
http://wiki.freeradius.org/Rlm_ippool
http://wiki.freeradius.org/Users
http://wiki.freeradius.org/Ippool%20and%20radius%20clients

I checked each one of them and not one said anything about radcheck or radreply. I checked on Google and found some pages that said TO USE Framed-Pool, and I could see that when I ran radiusd -X. I just tried using Pool-Name and it doesn't work nor does it show when I try it with radiusd -X.

I appreciate your input, I'm really stuck on this one. I'm also not sure how to use rlm_sqlippool?

Taz
Re: Freeradius crash during EAP-TTLS authentication
Hello,

After three months of having a stable situation, the ISP home servers have started again to lose packets and to have slow response times, and then our FreeRADIUS proxies have begun to crash again. We've reproduced the crash with the Git version. Here's the output that I got with gdb:

    Going to the next request
    rad_recv: Accounting-Request packet from host X.X.X.X port 1812, id=124, length=520
    Received conflicting packet from client bas-man72-02 port 1812 - ID: 124 due to unfinished request 715241.  Giving up on old request.
    ASSERT FAILED event.c[2773]: request->ev != NULL

    Program received signal SIGABRT, Aborted.
    [Switching to Thread 8012021c0 (LWP 100143)]
    0x000800fb978c in kill () from /lib/libc.so.7
    (gdb)
    (gdb) thread apply all bt full

    Thread 2 (Thread 8012021c0 (LWP 100143)):
    #0  0x000800fb978c in kill () from /lib/libc.so.7
    No symbol table info available.
    #1  0x000800fb858b in abort () from /lib/libc.so.7
    No symbol table info available.
    #2  0x00420cd4 in rad_assert_fail (file=Variable file is not available.
    ) at util.c:366
    No locals.
    #3  0x00429d9a in received_request (listener=0x801fdcac0, packet=0x8051c1900, prequest=0x7fffe4d0, client=0x801fdaa80) at event.c:2773
            when = {tv_sec = 1340876260, tv_usec = 138114}
            packet_p = Variable packet_p is not available.

Is there enough information for this bug? Do you want me to get some more information? I can provide smokeping graphs that show packet loss and slow response time (3 seconds).

Many thanks

Thomas

On 29/03/2012 23:04, Thomas Fagart wrote:
> Many thanks, I will test it when available.
>
> Thomas
>
> On 28/03/2012 17:15, Alan DeKok wrote:
>> Thomas Fagart wrote:
>>> Here's the debug output. This happens especially when we add a virtual server as a fallback server.
>>
>> OK... it looks like the proxy_reply doesn't exist. I'll push a patch.
>>
>> Alan DeKok.
Re: FreeRADIUS SQl Ippool problem -
Taz Manian wrote:
> I checked each one of them and not one said anything about radcheck or radreply.

Because they give examples for the users file. They don't give examples for SQL, LDAP, external programs, Perl, Python, etc.

The users file example has the Pool-Name on the first line. The documentation for the users file says that this makes it a check item. The documentation for the SQL module describes how to map users file entries to SQL.

It *is* documented. We expect that *some* independent understanding is necessary.

Alan DeKok.
Re: Would like to stop Interim Accounting being proxied
On 28/06/12 14:03, Alan DeKok wrote:
> Check that you're using version 2? It looks like you're using version 1. Unlang is only supported in version 2.

I'm not, and that would explain it nicely; I mentioned in my initial message "legacy FreeRADIUS 1.1.2 platform".

Is there any way of achieving the same end result in v1.x without Unlang? Upgrade is some time away, so this is what we have to work with.

Steve
Re: FreeRADIUS SQl Ippool problem -
On Thu, Jun 28, 2012 at 8:22 PM, Taz Manian djta...@hotmail.com wrote:
> I did check the wiki, I have been on it for the last 3 days trying to figure this out. I did a search for Pool-Name and I got 4 different results as below:
>
> http://wiki.freeradius.org/search?q=Pool-Name
> http://wiki.freeradius.org/Rlm_sqlippool

Did you notice I specifically mentioned that page?

> http://wiki.freeradius.org/Rlm_ippool
> http://wiki.freeradius.org/Users
> http://wiki.freeradius.org/Ippool%20and%20radius%20clients
>
> I checked each one of them and not one said anything about radcheck or radreply.

Did you read this paragraph?

"To assign a user an IP from a pool you simply need to have a Pool-Name Attribute (Keep in mind that it is a CONTROL attribute, not a reply attribute) in the required configuration file, which is either in files(users), sql or any other type of configuration schema."

It should be clear enough that Pool-Name should not be in rad(group)reply (since that table holds reply attributes). If you don't know where to put a CONTROL attribute (which is in rad(group)check, btw), then we might need to add an entry for that.

> I checked on Google and found some pages that said TO USE Framed-Pool, and I could see that when I ran radiusd -X

Your primary source of information should be the included documentation (comments on the config file, man pages, etc). After that, the wiki. After that, this list. If you decide to follow some random page, then no wonder you get random results.

--
Fajar
Re: Would like to stop Interim Accounting being proxied
On 28/06/12 14:34, Steve Brown wrote:
> Is there any way of achieving the same end result in v1.x without Unlang?

If there was a way to simply respond to an accounting request with an 'Accept', like you can with Auth, could I do something like:

acct_users:

  DEFAULT Acct-Status-Type == Interim-Update, User-Name =~ /@domain/
          Acct-Type := IGNORE

radiusd.conf:

  accounting {
      Acct-Type IGNORE {
          Accept
      }
  }

Can't find a method like 'Accept' in the docs though so maybe that's not possible.

Steve
EAP fails when proxying to a realm
}}/detail-%Y%m%d
  header = %t
  detailperm = 384
  dirperm = 493
  locking = no
  log_packet_header = no
 }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module radutmp from file /etc/raddb/modules/radutmp
  radutmp {
  filename = /var/log/radius/radutmp
  username = %{User-Name}
  case_sensitive = yes
  check_with_nas = yes
  perm = 384
  callerid = yes
 }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module attr_filter.accounting_response from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
  attrsfile = /etc/raddb/attrs.accounting_response
  key = %{User-Name}
 }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module reply_log from file /etc/raddb/modules/detail.log
  detail reply_log {
  detailfile = /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
  header = %t
  detailperm = 384
  dirperm = 493
  locking = no
  log_packet_header = no
 }
 Module: Instantiating module attr_filter.access_reject from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
  attrsfile = /etc/raddb/attrs.access_reject
  key = %{User-Name}
 }
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: Opening IP addresses and Ports
listen {
  type = auth
  ipaddr = *
  port = 0
}
listen {
  type = acct
  ipaddr = *
  port = 0
}
listen {
  type = control
  listen {
    socket = /var/run/radiusd/radiusd.sock
  }
}
listen {
  type = auth
  ipaddr = 127.0.0.1
  port = 18120
}
 ... adding new socket proxy address * port 41620
 ... adding new socket proxy address * port 46995
 ... adding new socket proxy address * port 43755
 ... adding new socket proxy address * port 35210
 ... adding new socket proxy address * port 53936
 ... adding new socket proxy address * port 60364
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 69.38.220.74 port 33457, id=25, length=227
  User-Name = myrealm/chris
  Calling-Station-Id = 78-D6-F0-9B-62-97
  NAS-IP-Address = 69.38.220.74
  NAS-Port = 1
  Called-Station-Id = 74-91-1A-63-49-58:My Wi-Fi
  Service-Type = Framed-User
  Framed-MTU = 1400
  NAS-Port-Type = Wireless-802.11
  NAS-Identifier = 74-91-1A-63-49-58
  Connect-Info = CONNECT 802.11g/n
  WISPr-Location-Name = Lab
  EAP-Message = 0x021101737072696e742f6368726973
  Vendor-25053-Attr-3 = 0x537072696e742057692d4669
  Message-Authenticator = 0x41f70f465513dc906b544110465b80ad
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]   expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/radius/radacct/69.38.220.74/auth-detail-20120628
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/69.38.220.74/auth-detail-20120628
[auth_log]   expand: %t - Thu Jun 28 12:19:22 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[IPASS] Looking up realm myrealm for User-Name = myrealm/chris
[IPASS] Found realm myrealm
[IPASS] Adding Stripped-User-Name = chris
[IPASS] Adding Realm = myrealm
[IPASS] Proxying request from user chris to realm myrealm
[IPASS] Preparing to proxy authentication request to realm myrealm
++[IPASS] returns updated
[eap] Request is supposed to be proxied to Realm myrealm. Not doing EAP.
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} - myrealm/chris
[sql] sql_set_user escaped user -- 'myrealm/chris'
rlm_sql (sql): Reserving sql socket id: 48
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'myrealm/chris' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup
EAP does not work with realms
) to clients list
rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=localhost,secret=secret
rlm_sql (sql): Adding client 127.0.0.1 (localhost, server=none) to clients list
rlm_sql (sql): Released sql socket id: 49
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module acct_unique from file /etc/raddb/modules/acct_unique
  acct_unique {
  key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
 }
 Module: Instantiating module suffix from file /etc/raddb/modules/realm
  realm suffix {
  format = suffix
  delimiter = @
  ignore_default = no
  ignore_null = no
 }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating module detail from file /etc/raddb/modules/detail
  detail {
  detailfile = /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
  header = %t
  detailperm = 384
  dirperm = 493
  locking = no
  log_packet_header = no
 }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module radutmp from file /etc/raddb/modules/radutmp
  radutmp {
  filename = /var/log/radius/radutmp
  username = %{User-Name}
  case_sensitive = yes
  check_with_nas = yes
  perm = 384
  callerid = yes
 }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module attr_filter.accounting_response from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
  attrsfile = /etc/raddb/attrs.accounting_response
  key = %{User-Name}
 }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module reply_log from file /etc/raddb/modules/detail.log
  detail reply_log {
  detailfile = /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
  header = %t
  detailperm = 384
  dirperm = 493
  locking = no
  log_packet_header = no
 }
 Module: Instantiating module attr_filter.access_reject from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
  attrsfile = /etc/raddb/attrs.access_reject
  key = %{User-Name}
 }
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: Opening IP addresses and Ports
listen {
  type = auth
  ipaddr = *
  port = 0
}
listen {
  type = acct
  ipaddr = *
  port = 0
}
listen {
  type = control
  listen {
    socket = /var/run/radiusd/radiusd.sock
  }
}
listen {
  type = auth
  ipaddr = 127.0.0.1
  port = 18120
}
 ... adding new socket proxy address * port 41620
 ... adding new socket proxy address * port 46995
 ... adding new socket proxy address * port 43755
 ... adding new socket proxy address * port 35210
 ... adding new socket proxy address * port 53936
 ... adding new socket proxy address * port 60364
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.100.150 port 33457, id=25, length=227
  User-Name = myrealm/chris
  Calling-Station-Id = 78-D6-F0-9B-62-97
  NAS-IP-Address = 192.168.100.150
  NAS-Port = 1
  Called-Station-Id = 74-91-1A-63-49-58:myrealm Wi-Fi
  Service-Type = Framed-User
  Framed-MTU = 1400
  NAS-Port-Type = Wireless-802.11
  NAS-Identifier = 74-91-1A-63-49-58
  Connect-Info = CONNECT 802.11g/n
  WISPr-Location-Name = LAB
  EAP-Message = 0x021101737072696e742f6368726973
  Vendor-25053-Attr-3 = 0x537072696e742057692d4669
  Message-Authenticator = 0x41f70f465513dc906b544110465b80ad
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]   expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/radius/radacct/192.168.100.150/auth-detail-20120628
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.100.150/auth-detail-20120628
[auth_log]   expand: %t - Thu Jun 28 12:19:22 2012
++[auth_log] returns ok
++[chap] returns noop
Re: Would like to stop Interim Accounting being proxied
On 28/06/12 17:13, Steve Brown wrote:
> On 28/06/12 14:34, Steve Brown wrote:
>> Is there any way of achieving the same end result in v1.x without Unlang?
>
> If there was a way to simply respond to an accounting request with an 'Accept', like you can with Auth, could I do something like:

You might be able to use the configurable_failover in 1.x to achieve this. Something like:

  preacct {
      files {
          ok = return
      }
      ... rest of modules ...
  }

...and in your files module, something like you had:

  DEFAULT Acct-Status-Type == Interim-Update, User-Name =~ @domain
          Fall-Through = No

See doc/configurable_failover - from the version of the server you are running, obviously.
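Phil's failover idea written out as a complete FreeRADIUS 1.x fragment. This is an added example, not Phil's or the project's own configuration; it assumes the accounting realm decision is made by the suffix (realm) module in preacct, and example.org stands in for the proxied domain.

```unlang
# radiusd.conf (FreeRADIUS 1.x). Order matters: "files" must run before the
# realm module ("suffix"). A matching acct_users entry makes files return
# "ok", and "ok = return" ends preacct right there, so suffix never runs and
# never adds the Proxy-To-Realm that would send the packet to the home server.
preacct {
	preprocess
	acct_unique
	files {
		ok = return
	}
	suffix
}

# acct_users. Only Interim-Update records for the proxied domain match;
# Start/Stop records and other realms find no entry, files returns "noop",
# suffix runs as usual and they are proxied exactly as before. The unescaped
# dot in the regex matches any character, which is harmless here.
# Fall-Through = No is the default and is spelled out only to show intent.
DEFAULT	Acct-Status-Type == Interim-Update, User-Name =~ "@example.org$"
	Fall-Through = No
```

The matched Interim-Update is still processed by the local accounting section and acknowledged, so the NAS sees no difference.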
Re: EAP fails when proxying to a realm
On 28/06/12 17:33, Christopher Manigan wrote:
> I am trying to use MSCHAPv2 to authenticate users. This works ok, except when I try to proxy to a realm. Pasted below is the debug of a user trying to authenticate. The realm is a prefix of the username.

What I see buried in the debug is:

> # radiusd -X
> FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jun 28 2012 at 11:37:39

Upgrade to 2.1.12 if possible

> Sending Access-Request of id 22 to 127.0.0.1 port 1812

Why on earth are you proxying back to yourself, to the same virtual server no less? I suspect this is confusing the server, since it fails inside the handler further down.

> [eap] Identity does not match User-Name, setting from EAP Identity.

You are rewriting the username. This doesn't work with EAP. Don't do that. If you need to strip realms etc. use Stripped-User-Name. Leave the original username alone.

> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
Update control with redundant sql query
Hi,

I use the policy configs to provide redundancy and load-balancing when updating the pool-name. It works fine! But I have some questions...

- Is it the correct way to do it? Is it the better way, considering performance under high usage?
- Why does the virtual module created in the policy and the control update always return notfound?

  +- entering group authorize {...}
  ++- entering policy update_ctlr_PN {...}
  +++- entering redundant-load-balance group redundant-load-balance {...}
  - entering policy update01_Pool-Name {...}
  ...
  expand: select poolname from radpoolname where nasipaddress=%{NAS-IP-Address} -select poolname from radpoolname where nasipaddress=X.X.X.X
  rlm_sql (sql01): Reserving sql socket id: 4
  sql_xlat finished
  rlm_sql (sql01): Released sql socket id: 4
  expand: %{sql01:select poolname from radpoolname where nasipaddress=%{NAS-IP-Address}} -pool01
  +[control] returns notfound
  - policy update_ctlr_PN1 returns notfound
  +++- redundant-load-balance group redundant-load-balance returns notfound
  ++- policy update_ctlr_PN returns notfound

The policy.conf:

  policy {
      update_ctlr_PN1 {
          update control {
              Pool-Name := %{sql01:select poolname from radpoolname where nasipaddress=\%{NAS-IP-Address}\}
          }
      }
      update_ctlr_PN2 {
          update control {
              Pool-Name := %{sql02:select poolname from radpoolname where nasipaddress=\%{NAS-IP-Address}\}
          }
      }
      update_ctlr_PN {
          redundant-load-balance {
              update_ctlr_PN1
              update_ctlr_PN2
          }
      }
  }

Server conf:

  ...
  authorize {
      update_ctlr_PN
      pap
      chap
      sql01
  }
  ...

Thank you.
RE: EAP fails when proxying to a realm
Thanks for pointing those things out to me. I am no longer proxying back to myself like that, and I've told the sql module to use stripped user name when possible and it looks like it's all working now.

Best wishes,
Chris

From: freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org [freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org] on behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Thursday, June 28, 2012 12:49 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP fails when proxying to a realm

> On 28/06/12 17:33, Christopher Manigan wrote:
>> I am trying to use MSCHAPv2 to authenticate users. This works ok, except when I try to proxy to a realm. Pasted below is the debug of a user trying to authenticate. The realm is a prefix of the username.
>
> What I see buried in the debug is:
>
>> # radiusd -X
>> FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jun 28 2012 at 11:37:39
>
> Upgrade to 2.1.12 if possible
>
>> Sending Access-Request of id 22 to 127.0.0.1 port 1812
>
> Why on earth are you proxying back to yourself, to the same virtual server no less? I suspect this is confusing the server, since it fails inside the handler further down.
>
>> [eap] Identity does not match User-Name, setting from EAP Identity.
>
> You are rewriting the username. This doesn't work with EAP. Don't do that. If you need to strip realms etc. use Stripped-User-Name. Leave the original username alone.
>
>> [eap] Failed in handler
>> ++[eap] returns invalid
>> Failed to authenticate the user.
Re: Cisco WLC - Freeradius Vlan assigment problem
>> ++- if (!Huntgroup-Name) returns ok
>> ++? if (Huntgroup-Name == list)
>> (Attribute Huntgroup-Name was not found)
>
> the problem seems to be your huntgroup.. Can you post your huntgroup definitions?
>
> --
> Jens Weibler
> IT-Services

Hi,

In huntgroup I just have:

  ...
  # Usuario = xxx xxx
  list    Calling-Station-Id == 0221.6ae0.cef8

Then in sites-available/inner-tunnel I have a script:

  if (!Huntgroup-Name) {
      #reject
      update reply {
          Tunnel-Type = VLAN
          Tunnel-Medium-Type = IEEE-802
          Tunnel-Private-Group-Id = 249
      }
  }
  if (Huntgroup-Name == list) {
      if (Ldap-Group == WIFI-Direccion) {
          update reply {
              Tunnel-Type = VLAN
              Tunnel-Medium-Type = IEEE-802
              Tunnel-Private-Group-Id = 200
          }
      }
  }

seems ok. What do you think?

Thanks a lot.
Re: Update control with redundant sql query
On Fri, Jun 29, 2012 at 12:09 AM, lscrlstld lscrls...@gmail.com wrote:
> Hi,
>
> I use the policy configs to provide redundant and load-balance to update the pool-name. It works fine!

Does it?

> The policy.conf
>
>   policy {
>       update_ctlr_PN1 {
>           update control {
>               Pool-Name := %{sql01:select poolname from radpoolname where nasipaddress=\%{NAS-IP-Address}\}
>           }
>       }
>       update_ctlr_PN2 {
>           update control {
>               Pool-Name := %{sql02:select poolname from radpoolname where nasipaddress=\%{NAS-IP-Address}\}
>           }
>       }
>       update_ctlr_PN {
>           redundant-load-balance {
>               update_ctlr_PN1
>               update_ctlr_PN2
>           }
>       }
>   }

Last time I checked, the %{sql block does NOT return an error if the sql server is dead. So your load-balance part definitely works, but I wouldn't be so sure about the redundant part. Try killing one of the sql servers and see what happens.

IIRC I had to explicitly hack a query so it would return some value (e.g. NOTFOUND, or whatever) when it would usually return zero rows. That way, if the %{sql block returns an empty string, I know something is wrong and I need to ask the next server. That method works, but it doesn't provide load balance.

-- 
Fajar
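One way to get the redundancy Fajar says the bare %{sql:...} xlat cannot give, while keeping the load-balance part. This is an added example, not the poster's or Fajar's configuration; it assumes, as Fajar states, that the xlat expands to an empty string rather than failing when the SQL server is down or no row matches, and that the 2.x unlang bare return codes (`ok`, `fail`) are available.

```unlang
policy {
	# Query the first SQL instance, then inspect what actually landed in
	# control:Pool-Name. The %{sql01:...} xlat expands to "" both when the
	# server is unreachable and when no row matches, so an empty or missing
	# Pool-Name is the only signal that this instance did not deliver.
	pool_from_sql01 {
		update control {
			Pool-Name := "%{sql01:SELECT poolname FROM radpoolname WHERE nasipaddress = '%{NAS-IP-Address}'}"
		}
		if ((control:Pool-Name) && (control:Pool-Name != "")) {
			ok
		}
		else {
			# Drop the empty value so the next instance starts clean, then
			# return "fail": the one code that makes redundant-load-balance
			# move on to the next entry (anything else ends the group).
			update control {
				Pool-Name !* ANY
			}
			fail
		}
	}

	# Identical logic against the second instance.
	pool_from_sql02 {
		update control {
			Pool-Name := "%{sql02:SELECT poolname FROM radpoolname WHERE nasipaddress = '%{NAS-IP-Address}'}"
		}
		if ((control:Pool-Name) && (control:Pool-Name != "")) {
			ok
		}
		else {
			update control {
				Pool-Name !* ANY
			}
			fail
		}
	}

	# Pick one instance per request (the load-balance part) and fall over
	# to the other only when the chosen one returned "fail" (the redundant
	# part). Reference pool_from_sql from authorize, before sqlippool,
	# in place of the poster's update_ctlr_PN.
	pool_from_sql {
		redundant-load-balance {
			pool_from_sql01
			pool_from_sql02
		}
	}
}
```

Test it the way Fajar suggests: stop one SQL server and confirm in radiusd -X that the policy for that instance returns fail and the other one is then tried.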
Re: EAP fails when proxying to a realm
Hi,

upgrade to 2.1.12 - it has fixes for proxy errors

as for username - you cannot play with User-Name with EAP - use Stripped-User-Name - see examples

alan
Re: Cisco WLC - Freeradius Vlan assigment problem
Hi,

are you running the preprocess module? if not, then Huntgroups aren't looked at or populated

alan
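The huntgroup and VLAN setup from this thread with the preprocess module in place, as an added example rather than the poster's own configuration. It assumes a FreeRADIUS 2.x inner-tunnel virtual server, that the poster's LDAP module is instantiated (Ldap-Group needs it), and that the eap module's copy_request_to_tunnel and use_tunneled_reply options are enabled; the MAC address, huntgroup name and VLAN numbers are the ones the poster gave.

```unlang
# /etc/raddb/huntgroups: the name in the first column is what preprocess
# puts into Huntgroup-Name when the check item on the right matches. The
# value must be in the exact Calling-Station-Id format the WLC sends
# (compare it with the attribute printed by radiusd -X); this entry keeps
# the dotted form from the thread.
list	Calling-Station-Id == "0221.6ae0.cef8"

# /etc/raddb/sites-available/inner-tunnel, authorize section. preprocess is
# not in the stock inner-tunnel authorize list, which is why Huntgroup-Name
# was "not found": nothing ever created it in the inner request.
authorize {
	preprocess
	chap
	mschap
	suffix
	update control {
		Proxy-To-Realm := LOCAL
	}
	eap
	files
	ldap
	pap

	# Station not listed in huntgroups: guest VLAN instead of a reject.
	if (!Huntgroup-Name) {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := 249
		}
	}
	# Listed station whose user is in the LDAP group: management VLAN.
	elsif ((Huntgroup-Name == "list") && (Ldap-Group == "WIFI-Direccion")) {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := 200
		}
	}
}

# /etc/raddb/eap.conf, only the two options relevant here (the rest of the
# peap/ttls subsections is unchanged). Without copy_request_to_tunnel the
# inner request carries only what the client sent inside the tunnel, so the
# Calling-Station-Id the huntgroup matches on never arrives; without
# use_tunneled_reply the Tunnel-* attributes set above never reach the
# outer Access-Accept that the WLC actually sees.
eap {
	peap {
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
	}
	ttls {
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
	}
}
```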
Re: Would like to stop Interim Accounting being proxied
Steve Brown wrote:
> I'm not, and that would explain it nicely; I mentioned in my initial message legacy Freeradius 1.1.2 platform. Is there any way of achieving the same end result in v1.x without Unlang?

Unlang isn't in 1.1.x, and is *documented* as not being in 1.1.x. You can't just try random things in the server.

> Upgrade is some time away, so this is what we have to work with.

Upgrade.

Alan DeKok.
Re: Invalid password on OS-X
>> Jens W. Skov - JS Consult wrote:
>> I'm trying to set up external authentication from our router to an OSX-server. I have it working fine if the user is an admin-user on the mac, but if I try with a normal user I get:
>>
>>   Auth: rlm_opendirectory: User vpntest is authorized.
>>   Auth: rlm_opendirectory: User [vpntest]: invalid password
>
> Are you running FreeRADIUS on the same machine running OpenDirectory?

JS: Yes, they have only this one server. I do suspect that I might be missing something in the users file. In the OSX gui I have selected the users and groups that should be allowed, but it seems it is not passed on to the radius service.