Re: account activate datetime
There is the rlm_logintime module. It uses the Login-Time control attribute. The Login-Time attribute format is:

    login-times ::= login-time | login-times,login-time
    login-time ::= days | daystime
    days ::= day | daysday
    day ::= day-of-week | day-of-week-day-of-week | Wk | Al | Any
    day-of-week ::= Su | Mo | Tu | We | Th | Fr | Sa
    time ::= hhmm | hhmm-hhmm
    hh ::= 00 .. 24
    mm ::= 00 .. 59

For example, allow logins from Monday till Friday, from 9:00 till 20:00:

    Login-Time := Mo-Fr0900-2000

You can set the Login-Time control attribute using rlm_files or rlm_sql (or whatever backend module). For example, using rlm_files:

    # raddb/files
    joe Cleartext-Password := ToPsEcReT, Login-Time := Mo-Fr0900-2000

The rlm_logintime module should be called from the authorize section.

SkyDiablo wrote:
> hiho,
> i search a solution to set an activate datetime for an account?
> in the end, i want a possibility to set a timespan where the account is active?
> from - datetime
> to - datetime
>
> any tips for me ?
>
> greez thx, sky...

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
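An added example, not part of the original post or of FreeRADIUS: a Python sketch that parses a Login-Time value according to the grammar quoted above and decides whether a given moment falls inside it. The meanings used for Wk (Monday to Friday) and Al/Any (every day), the inclusive end minute and the same-day wrap past midnight are assumptions of this sketch; rlm_logintime's own matcher is authoritative.

```python
import re
from datetime import datetime

DOW = ["Su", "Mo", "Tu", "We", "Th", "Fr", "Sa"]
_DAY = "(?:" + "|".join(DOW) + ")"
# One login-time entry: one or more day tokens, then an optional hhmm or hhmm-hhmm.
_ENTRY = re.compile("((?:" + _DAY + "(?:-" + _DAY + r")?|Wk|Al|Any)+)(?:(\d{4})(?:-(\d{4}))?)?")
_TOKEN = re.compile("(" + _DAY + ")(?:-(" + _DAY + "))?|Wk|Al|Any")
LAST_MINUTE = 24 * 60 - 1


def _days(spec):
    """Expand the day part (e.g. 'Mo-Fr', 'SaSu', 'Wk') into a set of 0..6, Su = 0."""
    days = set()
    for tok in _TOKEN.finditer(spec):
        if tok.group(0) in ("Al", "Any"):
            days.update(range(7))
        elif tok.group(0) == "Wk":
            days.update(range(1, 6))       # assumption: Wk means Monday to Friday
        else:
            day = DOW.index(tok.group(1))
            end = DOW.index(tok.group(2) or tok.group(1))
            while True:                    # walk forward so 'Fr-Mo' wraps over the weekend
                days.add(day)
                if day == end:
                    break
                day = (day + 1) % 7
    return days


def _minute(hhmm):
    hh, mm = int(hhmm[:2]), int(hhmm[2:])
    if hh > 24 or mm > 59:                 # grammar: hh is 00..24, mm is 00..59
        raise ValueError("time out of range: " + hhmm)
    return min(hh * 60 + mm, LAST_MINUTE)  # 2400 is treated as the last minute of the day


def parse_login_time(value):
    """Return a list of (days, start_minute, end_minute); raise ValueError if malformed."""
    windows = []
    for entry in value.split(","):
        m = _ENTRY.fullmatch(entry.strip())
        if m is None:
            raise ValueError("bad login-time entry: %r" % entry)
        if m.group(2) is None:
            start, end = 0, LAST_MINUTE    # no time given: the whole day
        else:
            start = _minute(m.group(2))
            end = _minute(m.group(3)) if m.group(3) else start
        windows.append((_days(m.group(1)), start, end))
    return windows


def login_allowed(value, when):
    """True if `when` falls in any window. A malformed value denies (fails closed)."""
    try:
        windows = parse_login_time(value)
    except ValueError:
        return False
    dow = (when.weekday() + 1) % 7         # Python has Monday = 0; the table has Su = 0
    minute = when.hour * 60 + when.minute
    for days, start, end in windows:
        if dow not in days:
            continue
        if start <= end:
            inside = start <= minute <= end
        else:                              # e.g. 2200-0600, both parts on the same listed day
            inside = minute >= start or minute <= end
        if inside:
            return True
    return False
```

Validating values this way before they are loaded into rlm_files or rlm_sql catches typos that would otherwise leave an account open or locked at the wrong hours.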
Segmentation fault when linking 2.2.0 against openSSL 1.0.1c
Hi,

until today, I have been running FreeRADIUS 2.2.0 successfully with a system-supplied openSSL. Today, I compiled with

    --with-openssl
    --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
    --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib

the path is in ld.so.conf, and ldd shows that linking against this new version works.

However, when running PEAP on this version, I get a segmentation fault now:

    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] eaptls_verify returned 7
    [peap] Done initial handshake
    [peap] eaptls_process returned 7
    [peap] EAPTLS_OK
    [peap] Session established. Decoding tunneled attributes.
    [peap] Peap state send tlv success
    [peap] Received EAP-TLV response.
    [peap] Success
    [peap] Using saved attributes from the original Access-Accept
    User-Name = test.edur...@education.lu
    Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
    Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
    Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
    Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
    Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
    Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
    Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
    Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
    Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
    Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
    Segmentation fault

The repetition of that attribute is NOT an error; it's there to inflate the packet beyond 1500 bytes to trigger UDP fragmentation (this is our Nagios testing).

In 2.2.0 against the old openSSL version, everything works fine - Access-Accept.

Any hints?

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c
Stefan Winter wrote:
> until today, I have been running FreeRADIUS 2.2.0 successfully with a system-supplied openSSL. Today, I compiled with
>
> --with-openssl
> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
> --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib
>
> the path is in ld.so.conf, and ldd shows that linking against this new version works.

Are you sure? The openssl SEGV problem is almost always because you have two versions of OpenSSL installed.

What is likely happening is that the compile stage is picking up the system-supplied OpenSSL include files.

The way to test this is to rename / move them, do the build, and then the install. If it now works, it was picking up OpenSSL X, and linking against OpenSSL Y.

Alan DeKok.
Proxy and requests queue
Hi everybody

I've a question about the management of the queue in freeradius 2.1.12.

Let's assume my server is used for local authentication for the realm mydomanin.org and proxies the requests for the realm remote.org (a pool with a single home server). Let's assume also that max_servers and max_spare_server are set correctly.

What happens if the home server for the proxy takes too long to respond? The requests for the local side are ignored or have their own queue?

And if my proxy is used for different realms (remote1.org, remote2.org etc...), all with their own single home_server, what happens if a remote home server takes too long to respond?

To make a long story short, is it possible that a problem on a remote home server (that receives a huge number of requests) blocks the requests for my local server?

Thanks

I know this can be a stupid question but I didn't find an answer in the wiki or in the docs (probably I've searched in the wrong place or the wrong terms, sorry)

PS: sorry for my English
Re: Proxy and requests queue
AemNet wrote:
> I've a question about the management of the queue in freeradius 2.1.12.

Upgrade.

> Let's assume my server is used for local authentication for the realm mydomanin.org and proxies the requests for the realm remote.org (a pool with a single home server). Let's assume also that max_servers and max_spare_server are set correctly.

Those thread settings have NOTHING to do with proxying. You can proxy requests even in single-threaded mode.

> What happens if the home server for the proxy takes too long to respond?

The server handles it gracefully.

> The requests for the local side are ignored or have their own queue?

The inputs and outputs are completely decoupled. It would be a bad design to tightly couple them.

> And if my proxy is used for different realms (remote1.org, remote2.org etc...), all with their own single home_server, what happens if a remote home server takes too long to respond?

The server handles it gracefully.

Each request is handled separately from each other request, no matter where it came from, and no matter where it was proxied to.

Each home server is handled separately from each other home server.

> To make a long story short, is it possible that a problem on a remote home server (that receives a huge number of requests) blocks the requests for my local server?

No.

> I know this can be a stupid question but I didn't find an answer in the wiki or in the docs (probably I've searched in the wrong place or the wrong terms, sorry)

The short answer is that the server works, and doesn't do anything stupid.

Alan DeKok.
Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c
Hi,

>> Today, I compiled with
>>
>> --with-openssl
>> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
>> --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib
>>
>> the path is in ld.so.conf, and ldd shows that linking against this new version works.
>
> Are you sure? The openssl SEGV problem is almost always because you have two versions of OpenSSL installed.
>
> What is likely happening is that the compile stage is picking up the system-supplied OpenSSL include files.
>
> The way to test this is to rename / move them, do the build, and then the install. If it now works, it was picking up OpenSSL X, and linking against OpenSSL Y.

Hm, okay... will do.

Stefan
Re:
On Mon, Sep 17, 2012 at 4:05 PM, QASIM RAO qasim2...@hotmail.com wrote:
> hi,
> i want to test performance of my radius server. can anybody give me suggestion how i can perform performance test of my radius server. i have checked some performance testing tools like (radlogin, radtest, Evolynx RADIUS Load Test tool) but they are not working according to my requirement. i want to send bulk number of requests including additional attributes i have included in my server.

There's radclient, included in the server. Handy when you want highly customized attributes for each request.

There's also radperf: http://networkradius.com/radperf.html

--
Fajar
Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c
Hi,

>>> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
>>
>> Are you sure? The openssl SEGV problem is almost always because you have two versions of OpenSSL installed.
>>
>> What is likely happening is that the compile stage is picking up the system-supplied OpenSSL include files.
>>
>> The way to test this is to rename / move them, do the build, and then the install. If it now works, it was picking up OpenSSL X, and linking against OpenSSL Y.
>
> Hm, okay... will do.

That was it indeed. Had to change the include path above to

    --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include

because configure adds the openssl/ sub-path on its own.

Now it works like a charm (as usual :-) ). Thanks!

Stefan
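The mismatch diagnosed in this thread can be checked before building. The following is an added example, not code from FreeRADIUS or from the posters: a Python sketch that finds which include directory actually supplies openssl/opensslv.h and compares its version with the version string embedded in the library being linked. The file layout, the function names and the 0.0.0 placeholder standing in for the system-supplied version (which the thread does not state) are constructed for the demonstration.

```python
import os
import re
import tempfile

_VER = r"OpenSSL (\d+\.\d+\.\d+[a-z]*)"
_HDR_RE = re.compile(r'#\s*define\s+OPENSSL_VERSION_TEXT\s+"' + _VER)
_LIB_RE = re.compile(_VER.encode() + rb" ")


def header_version(include_dir):
    """Version declared by <include_dir>/openssl/opensslv.h, or None if absent."""
    path = os.path.join(include_dir, "openssl", "opensslv.h")
    try:
        with open(path, encoding="latin-1") as fh:
            m = _HDR_RE.search(fh.read())
    except OSError:
        return None
    return m.group(1) if m else None


def library_version(lib_path):
    """Version string embedded in the libcrypto/libssl binary, or None."""
    with open(lib_path, "rb") as fh:
        m = _LIB_RE.search(fh.read())
    return m.group(1).decode() if m else None


def check_build(include_dirs, lib_path):
    """include_dirs is the compiler's search order: -I directories first, system last."""
    lib = library_version(lib_path)
    for directory in include_dirs:
        hdr = header_version(directory)
        if hdr is not None:            # the first directory that has the header wins
            return {"headers_from": directory, "header": hdr,
                    "library": lib, "match": hdr == lib}
    return {"headers_from": None, "header": None, "library": lib, "match": False}


def demo():
    """Constructed tree: a 'system' OpenSSL and a custom 1.0.1c install."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            return path
        put("system/include/openssl/opensslv.h",
            b'#define OPENSSL_VERSION_TEXT "OpenSSL 0.0.0 (placeholder)"\n')
        put("custom/include/openssl/opensslv.h",
            b'#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c (constructed)"\n')
        lib = put("custom/lib/libcrypto.so", b"\x7fELF\0OpenSSL 1.0.1c (constructed)\0")
        system = os.path.join(root, "system/include")
        custom = os.path.join(root, "custom/include")
        # Path as first passed to configure: .../include/openssl has no openssl/ below it,
        # so the search falls through to the system headers.
        wrong = check_build([os.path.join(custom, "openssl"), system], lib)
        right = check_build([custom, system], lib)
        return wrong, right


if __name__ == "__main__":
    for result in demo():
        print(result)
```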
users file case sensitive
Hi,

Background:
FreeRadius Version: 2.1.1-7.10.1
Users are stored in LDAP, I am using the users file to assign static IP Addresses to certain users.

It seems that the users file is case sensitive, I found a few articles on the net regarding this, but none really supplied a definitive answer.

Is there a way to prevent the users file from being case sensitive? If not, what is the recommended method to elegantly avoid this problem.

Regards
Gregg
Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c
On 17 Sep 2012, at 10:34, Stefan Winter stefan.win...@restena.lu wrote:
> Hi,
>
>>>> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
>>>
>>> Are you sure? The openssl SEGV problem is almost always because you have two versions of OpenSSL installed.
>>>
>>> What is likely happening is that the compile stage is picking up the system-supplied OpenSSL include files.
>>>
>>> The way to test this is to rename / move them, do the build, and then the install. If it now works, it was picking up OpenSSL X, and linking against OpenSSL Y.
>>
>> Hm, okay... will do.
>
> That was it indeed. Had to change the include path above to
>
> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include
>
> because configure adds the openssl/ sub-path on its own.
>
> Now it works like a charm (as usual :-) ). Thanks!

Also you have a typo in your config, should be earli, assuming the Reply-Message is meant to be read with a piratey accent.

-Arran
Re: users file case sensitive
On 09/17/2012 11:00 AM, Gregg Douglas wrote:
> Hi,
>
> Background:
> FreeRadius Version: 2.1.1-7.10.1
> Users are stored in LDAP, I am using the users file to assign static IP Addresses to certain users.
>
> It seems that the users file is case sensitive, I found a few articles on the net regarding this, but none really supplied a definitive answer.
>
> Is there a way to prevent the users file from being case sensitive? If not, what is the recommended method to elegantly avoid this problem.

    files myfiles {
        key = "%{lower:%{User-Name}}"
        ...
    }

...or something similar.
max_queue_size 65536
A friendly heads up.

The bug fixes item "Use max_queue_size in threading code" refers to an issue in the threading code where the value used to initialise the request queue was different to the value used to check when the max entries had been added into the queue, thus if you'd set the config item max_queue_size to something larger than 65536 and actually used more than that number of queue slots the server would crash.

This config item was previously undocumented so hopefully few people have altered it. If you have and you're using a version 2.2.0, please remove the config item to set it back to defaults, or set it to a value less than 65536.

-Arran
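An added example (not FreeRADIUS code): a Python sketch that walks a radiusd.conf-style file, tracks section nesting and reports every max_queue_size item set above the 65536 named in the note above. The sample configuration is constructed, and the parser is a simplification that assumes one item per line and no '#' inside values.

```python
import re

QUEUE_LIMIT = 65536  # the value named in the heads-up above

# Constructed sample; a real check would read the deployed radiusd.conf instead.
SAMPLE_CONF = """\
thread pool {
    start_servers = 5
    max_servers = 32
    # max_queue_size = 1000000   (commented out, must be ignored)
    max_queue_size = 100000
}
"""

_SECTION = re.compile(r"([\w.-]+(?:\s+[\w.-]+)?)\s*\{")
_ITEM = re.compile(r'max_queue_size\s*=\s*"?(\d+)"?')


def find_max_queue_size(conf_text):
    """Return [(line_number, section_path, value)] for every max_queue_size item."""
    found, stack = [], []
    for number, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        section = _SECTION.fullmatch(line)
        if section:
            stack.append(section.group(1))    # entering "name {" or "name1 name2 {"
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        item = _ITEM.fullmatch(line)
        if item:
            found.append((number, "/".join(stack), int(item.group(1))))
    return found


def risky_settings(conf_text):
    """Items larger than 65536, the condition the note describes as leading to a crash."""
    return [hit for hit in find_max_queue_size(conf_text) if hit[2] > QUEUE_LIMIT]


if __name__ == "__main__":
    for number, section, value in risky_settings(SAMPLE_CONF):
        print("line %d in [%s]: max_queue_size = %d" % (number, section, value))
```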
Re: generating ssl certs in debian squeeze
did the trick, thanks :D (had been making a silly mistake with one of the cert files)

On Sat, Sep 15, 2012 at 3:05 AM, Alan DeKok al...@deployingradius.com wrote:
> austin wonderly wrote:
>> hello, thanks for the tip, although unfortunately I am still getting problems
>
> Google EAP-TLS freeradius gets you this link:
>
> http://freeradius.org/doc/EAPTLS.pdf
>
> Follow it, and it WILL WORK.
>
> The Wiki also contains documentation, and points to my web site:
>
> http://deployingradius.com/documents/configuration/eap.html
>
> Follow the instructions, and it will work.
>
> You've missed a step somewhere. eapol_test is providing a client cert, signed by a CA unknown to FreeRADIUS.
>
> Alan DeKok.
Customization of RADIUS reply
Hello

I’m configuring the FreeRADIUS together with the Oracle DB. I need to get the user authenticated and in the reply provide the parameter mailbox_fullname from the DB.

The Oracle DB has for my purpose only one view which contains the following columns.

    mailbox_id,mailbox_email,mailbox_fullname,mailbox_password

I created a new attribute in dictionary:

    ATTRIBUTE Full-Mailbox-Name 3000 string

And customized the SQL queries as following (dialup.conf):

    authorize_check_query = "SELECT mailbox_id,mailbox_email,'Cleartext-Password',mailbox_password,':=' \
        FROM ${authcheck_table} \
        WHERE mailbox_email = '%{SQL-User-Name}' \
        ORDER BY mailbox_id"

    authorize_reply_query = "SELECT mailbox_id,mailbox_email,'Full-Mailbox-Name',mailbox_fullname,':=' \
        FROM ${authreply_table} \
        WHERE mailbox_email = '%{SQL-User-Name}' \
        ORDER BY mailbox_id"

The user authentication works, however I need to have in the reply the value of “mailbox_fullname” from the DB query. Instead of it, there is nothing.

Could you please advise how to get in the reply “mailbox_fullname” for the corresponding mailbox_email?

Here is the sample radtest output and in attachment full output from debug mode.

    radtest -x a0012 password localhost 0 testing123
    Sending Access-Request of id 26 to 127.0.0.1 port 1812
        User-Name = a0012
        User-Password = password
        NAS-IP-Address = 10.7.96.25
        NAS-Port = 0
        Message-Authenticator = 0x
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=26, length=20

Thanks a lot!
Vaclav

    # radiusd -X
    FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built on Sep 13 2012 at 13:34:43
    Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
    Starting - reading configuration files ...
Re: Customization of RADIUS reply
Václav Pernica wrote:
> I’m configuring the FreeRADIUS together with the Oracle DB. I need to get the user authenticated and in the reply provide the parameter mailbox_fullname from the DB.

Does the RADIUS client understand that attribute?

> The Oracle DB has for my purpose only one view which contains the following columns.
>
> mailbox_id,mailbox_email,mailbox_fullname,mailbox_password
>
> I created new attribute in dictionary:
>
> ATTRIBUTE Full-Mailbox-Name 3000 string

You need to read the comments in raddb/dictionary. It explains how to send new attributes in a RADIUS packet.

Hint: you're doing it wrong. This is documented.

> The user authentication works, however I need to have in the reply the value of “mailbox_fullname” from DB query. Instead of it, there is nothing.
>
> Could you please advise how to get in the reply “mailbox_fullname” for the corresponding mailbox_email?

Read the file you edited: raddb/dictionary

Alan DeKok.
Re: Failed login lockout protection in FreeRADIUS
For edification, for what it's worth.. Here's the question asked by the author of the article I was referring to, and the answer from Alan D.

--

Here’s my question and response from Alan T DeKok al...@freeradius.org about this. You can check with him on more details if needed or send to the mailing list.

Does FR support an account lockout feature to block users after so many failed password attempts?

Yes. It's not enabled in the default configuration, but you can make *any* policy decision based on *any* data source, including logs.

Cheers -

On Fri, Sep 14, 2012 at 10:25 AM, Marinko Tarlać mangi...@gmail.com wrote:
> Nice option but please keep in mind that suspended routers can behave like a brute force attacker and you'll lock them too.
>
> On 14.9.2012 15:36, Phil Mayers wrote:
>> On 14/09/12 13:57, mr. s wrote:
>>> Hello,
>>>
>>> I was reading an article in computer world comparing a few RADIUS servers. It said that FreeRADIUS had failed login lockout protection, however I can't find that particular verbiage in the FreeRADIUS documentation, FAQ or HowTos.
>>
>> What are you asking here? How to lock out a user after X failed logins?