Re: Configure Errors with OpenSSL NetSNMP

2003-12-16 Thread Oliver Graf
Hi!

On Tue, Dec 16, 2003 at 12:35:43AM -0600, MkLinux Admin @ Oceanbay wrote:
  This may have been covered before, but I cannot seem to find it when 
 searching the archives. I am new to FreeRadius, but not new to Linux. I 
 tried configuring FreeRadius, when checking for 
 asn1.h,snmp.h,snmp_impl.h... it would not find the NetSNMP installation. 

freeradius works with ucd-snmp not with net-snmp. Till now nobody
submitted patches for the new version. Feel free to do so.

  On to OpenSSL, OpenSSL was compiled and installed in /usr/local/ssl 
 and it cannot be found by the configure script. I added the usual 
 LDFLAGS, etc to get it to find it, but there was more mess. In the end I 
 just bypassed the checks altogether and told it it was okay to go ahead 
 and include that.

The usual way would be to use the configure script's options to tell it
where the openssl installation resides. Try ./configure --help to see
what options are available.

  Then I checked the confdefs.h file, it is 100% empty, something is 
 getting stomped on here. no included ssl headers. when I change that to 
 add in the ssl headers like below. I get the next bad result.

Probably you hosed up configure by editing it by hand... try to do
your changes in configure.in and run autoconf after this.

  FreeRadius is the only one which does not seem to get a hold of 
 OpenSSL easy. I dunno what is going on, but I had to hand edit the 
 configure script to get it all to work. Maybe this is all worth a good 
 looking over. As for all of my code I write I use my own home-made 
 configure scripts so I dunno how to fit it all up with autoconf.

It seems to me that the main problem is you messing the configure
script up. Please try to stick with it and follow its rules, and the
compilation should work.

Oliver.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


is this a complete auth-request packet?

2003-12-16 Thread Brian Clarkson
This is pulled straight out of the output from

radiusd -sfxxyz -l stdout

I'm using FreeRadius 0.9.3, a Buffalo AirStation Pro, and EAP-TLS 
authentication.  MySQL is used to store the user/pass/etc. attributes.

The client is a WinXP box set up for PEAP/MS-CHAP ...

I'm not sure if the client is misconfigured, if I'm not getting all the 
information from the NAS, or if the server is misconfigured.  Any help 
is appreciated.

--- packet info ---

rad_recv: Access-Request packet from host 66.219.41.196:1090, id=56, 
length=138
User-Name = fakeAcctOne
NAS-Identifier = AirStation Pro
NAS-IP-Address = 172.16.2.10
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Called-Station-Id = 00022d75ad58
Calling-Station-Id = 00022d18efec
Framed-MTU = 1400
EAP-Message = 0x020100100166616b65416363744f6e65
Message-Authenticator = 0x8c70a27688a11578a008cd41eaa8a98a
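
Decoding the EAP-Message attribute from the debug output above shows which EAP step the NAS forwarded: an EAP-Response/Identity, the opening message of an EAP conversation. This is an added example, not part of the original post or of FreeRADIUS; `parse_eap` and the lookup tables are this example's own names, and the only input is the hex value printed above.

```python
import struct

# EAP codes (RFC 3748) and a few method type numbers relevant to this thread.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 26: "MS-CHAPv2"}


def _unhex(value):
    """Turn the hex string radiusd prints (with or without 0x) into bytes."""
    value = value.strip()
    if value.lower().startswith("0x"):
        value = value[2:]
    return bytes.fromhex(value)


def parse_eap(*fragments):
    """Decode the EAP packet carried in one or more EAP-Message attributes.

    A RADIUS attribute holds at most 253 bytes, so a long EAP packet is
    split over several EAP-Message attributes; the receiver concatenates
    them in order (RFC 3579) before parsing.
    """
    raw = b"".join(_unhex(f) for f in fragments)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(raw))

    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError("unknown EAP code %d" % code)
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field says %d, attribute data is %d bytes"
                         % (length, len(raw)))

    body = raw[4:length]          # bytes past `length` are ignored
    packet = {"code": EAP_CODES[code], "id": ident, "length": length}

    # Only Request and Response carry a Type byte and type data.
    if code in (1, 2):
        if not body:
            raise ValueError("Request/Response without a Type byte")
        eap_type = body[0]
        packet["type"] = EAP_TYPES.get(eap_type, "Unknown(%d)" % eap_type)
        packet["data"] = body[1:]
        if eap_type == 1:
            packet["identity"] = body[1:].decode("utf-8", "replace")
    return packet


# Value copied from the Access-Request shown in the post above.
POSTED_EAP_MESSAGE = "0x020100100166616b65416363744f6e65"

if __name__ == "__main__":
    for key, value in parse_eap(POSTED_EAP_MESSAGE).items():
        print("%-8s %r" % (key, value))
```
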





Re: Configure Errors with OpenSSL NetSNMP

2003-12-16 Thread Harrie Hazewinkel
On Tuesday, December 16, 2003, at 08:11 AM, Oliver Graf wrote:

> Hi!
>
> On Tue, Dec 16, 2003 at 12:35:43AM -0600, MkLinux Admin @ Oceanbay wrote:
>> This may have been covered before, but I cannot seem to find it when
>> searching the archives. I am new to FreeRadius, but not new to Linux. I
>> tried configuring FreeRadius, when checking for
>> asn1.h,snmp.h,snmp_impl.h... it would not find the NetSNMP installation.
>
> freeradius works with ucd-snmp not with net-snmp. Till now nobody
> submitted patches for the new version. Feel free to do so.

The problem is that some file names are equal between
openssl and netsnmp. Not sure of openssl, but net-snmp
installs now in something like /usr/local/include/net-snmp
and then one is better off using the
'-I/usr/local/include/' with the '#include net-snmp/foo.h'

>> On to OpenSSL, OpenSSL was compiled and installed in /usr/local/ssl
>> and it cannot be found by the configure script. I added the usual
>> LDFLAGS, etc to get it to find it, but there was more mess. In the end I
>> just bypassed the checks altogether and told it it was okay to go ahead
>> and include that.
>
> The usual way would be to use the configure script's options to tell it
> where the openssl installation resides. Try ./configure --help to see
> what options are available.

Not sure, but it would be nice if the openssl would do the same as
net-snmp in this case.

Harrie



Re: PEAP problem - HELP PLEASE

2003-12-16 Thread garelli
Hi Alan!
Thanks for your help.
I did what you told me, but it seems that it wasn't the only error I made...
I put in the users file :

ourson  User-Password =  testtest

and my user on the XP supplicant is also the same, but authentication is
still impossible! I really don't understand because the same error message
appears even if I change the users file like I showed you before.
I am asking myself about which options must be put on the MS-CHAP module
(on radiusd.conf) ?
I didn't change any options on the MS-CHAP module ( use_mppe,
require_encryption, require_strong with a # before), but is it necessary??
(I tried quickly to put these options = yes ,but I had same results)
If you have any idea about what is wrong with my configuration, please
tell me! here is my log with the beginning of freeradius when it's
launched:


+ LD_LIBRARY_PATH=/usr/local/ssl-end/lib
+ LD_PRELOAD=/usr/local/ssl-end/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/sbin/radiusd -X -y -z
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
main: log_auth_goodpass = yes
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /sauv-certif/cert/new/serveur6.pem
tls: certificate_file = /sauv-certif/cert/new/serveur6.pem
 tls: CA_file = /sauv-certif/cert/new/root.pem
 tls: private_key_password = saucisson
 tls: dh_file = /sauv-certif/cert/new/dh
 tls: random_file = /sauv-certif/cert/new/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
[/usr/local/etc/raddb/users]:156 WARNING! Changing 

Re: How to start/stop/restart FR

2003-12-16 Thread Jean-Paul Chapalain
See in Freeradius sources the file :
free-radiusd-home-sources/etc/rc.radiusd-redhat
I use this script with little changes.

Place the script in /etc/init.d and use chkconfig.

Thanks,

Ripunjay Bararia wrote:
> hi
> just had this silly question
> what is the preferred/normal way to start/stop/restart FR running on a
> RedHat box
> with or without init.d scripts
> Ripunjay Bararia

--
--  Jean-Paul Chapalain - GICM -  Resp. Reseaux et Infrastructure
--  32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
--  Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
--  Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D


Re: Problem EAP TLS

2003-12-16 Thread Holger Schurig
> Could you send some detail on your configuration ?

You quoted about 550 lines to just add one sentence?  Ahh, would it be nice
for readers if writers would adopt a sensible quoting style :-)

-- 
Try Linux 2.6 from BitKeeper for PXA2x0 CPUs at
http://www.mn-logistik.de/unsupported/linux-2.6/




Prompt user for callback number

2003-12-16 Thread Rther Milan
How can I force freeradius server to prompt the user for its callback number?

I cannot use %i variable because i need make out two phone number (1st call-in 2nd callback)

Thx for reply.
-mri


Prompt user for callback number - TXT

2003-12-16 Thread Rther Milan
How can I force freeradius server to prompt the user for its callback number?
 
I cannot use %i variable because i need make out two phone number (1st call-in 2nd 
callback)
 
Thx for reply. Sorry for previous nonTXT format =]
-mri 



[PATCH] proper .cvsignore files

2003-12-16 Thread Holger Schurig
The following patch adds proper .cvsignore patch to freeradius.

-- 
MN-Logistik GmbH http://www.mn-logistik.de
Holger Schurig
Dieselstr. 18
61191 Rosbach v.d.Höhe
Tel: (+49) 6003 9141 0   Fax: (+49) 6003 9141 49

#
# Patch managed by http://www.mn-logistik.de/unsupported/pxa250/patcher
#

--- /dev/null
+++ radiusd/.cvsignore
@@ -0,0 +1,2 @@
+config.cache
+libtool
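Review bot: radiusd/.cvsignore lists only config.cache and libtool, but a configure run also writes config.log and config.status next to config.cache. Unless those are covered elsewhere, add both entries here so a freshly configured tree shows clean in cvs status.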
--- /dev/null
+++ radiusd/libltdl/.cvsignore
@@ -0,0 +1,3 @@
+libtool
+stamp-h
+stamp-h1
--- /dev/null
+++ radiusd/raddb/.cvsignore
@@ -0,0 +1,2 @@
+dictionary
+radiusd.conf
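Review bot: radiusd/raddb/.cvsignore hides dictionary and radiusd.conf, which are also names an administrator edits by hand, and the patch description does not say they are build outputs. Please state in the description which template each one is generated from, so it is clear that ignoring them cannot hide a hand-made file that was meant to be added.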
--- /dev/null
+++ radiusd/scripts/.cvsignore
@@ -0,0 +1,6 @@
+check-radiusd-config
+cryptpasswd
+radiusd.cron.daily
+radiusd.cron.monthly
+radwatch
+rc.radiusd
--- /dev/null
+++ radiusd/src/include/.cvsignore
@@ -0,0 +1,4 @@
+autoconf.h
+build-radpaths-h
+radpaths.h
+stamp-h
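Review bot: radiusd/src/include/.cvsignore ignores stamp-h but not stamp-h1, while the libltdl hunk lists both. If the stamp file in this directory can also be written as stamp-h1, add it; otherwise a line in the description explaining why the two directories differ would help.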
--- /dev/null
+++ radiusd/src/main/.cvsignore
@@ -0,0 +1,8 @@
+checkrad.pl
+radclient
+radiusd
+radlast
+radrelay
+radtest
+radwho
+radzap
--- /dev/null
+++ radiusd/src/modules/.cvsignore
@@ -0,0 +1 @@
+lib
--- /dev/null
+++ radiusd/src/modules/rlm_dbm/.cvsignore
@@ -0,0 +1,2 @@
+rlm_dbm_cat
+rlm_dbm_parser
--- /dev/null
+++ radiusd/src/modules/rlm_eap/.cvsignore
@@ -0,0 +1 @@
+config.cache
--- /dev/null
+++ radiusd/src/modules/rlm_ippool/.cvsignore
@@ -0,0 +1 @@
+rlm_ippool_tool
--- /dev/null
+++ radiusd/src/modules/rlm_mschap/.cvsignore
@@ -0,0 +1 @@
+smbencrypt
--- /dev/null
+++ radiusd/src/modules/rlm_sql/drivers/.cvsignore
@@ -0,0 +1 @@
+lib


Windows sending Hostname

2003-12-16 Thread Sevcik Berndt
I use Windows XP with PEAP for authentication

The problem is that in the uid at the Radius Server is always the following
string:

HOSTNAME\\USERNAME

So our LDAP lookup is not working (requires only the username). Is there a
possibility to extract only the username?

Thanks
Berndt

-
TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316 Fax: +43(1)33126/154
E-Mail: [EMAIL PROTECTED]
-
 





Re: PEAP problem - HELP PLEASE

2003-12-16 Thread Brian Clarkson
[EMAIL PROTECTED] wrote:

> Hi Alan!
> Thanks for your help.
> I did what you told me, but it seems that it wasn't the only error I made...
> I put in the users file :
> ourson  User-Password =  testtest

i think i see two potential issues here ... one is noted in the logging:

 [/usr/local/etc/raddb/users]:156 WARNING! Changing 'User-Password ='
 to 'User-Password ==' for comparing RADIUS attribute in check item list
 for user ourson

the operator that's needed is ==, not just = ... but radius sorta 
fixed that in the request, as the logs note.

the other potential issue:  the space before the password begins. 
assuming that the password gets encrypted into the EAP-Message ( 
something i'm thinking happens ... but i'm not sure of ), that space is 
getting added to the encrypted string and will never match.

> and my user on the XP supplicant is also the same, but authentication is
> still impossible! I really don't understand because the same error message
> appears even if I change the users file like I showed you before.
> I am asking myself about which options must be put on the MS-CHAP module
> (on radiusd.conf) ?
> I didn't change any options on the MS-CHAP module ( use_mppe,
> require_encryption, require_strong with a # before), but is it necessary??
> (I tried quickly to put these options = yes ,but I had same results)
> If you have any idea about what is wrong with my configuration, please
> tell me! here is my log with the beginning of freeradius when it's
> launched:
+ LD_LIBRARY_PATH=/usr/local/ssl-end/lib
+ LD_PRELOAD=/usr/local/ssl-end/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/sbin/radiusd -X -y -z
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
main: log_auth_goodpass = yes
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /sauv-certif/cert/new/serveur6.pem
tls: certificate_file = /sauv-certif/cert/new/serveur6.pem
 tls: CA_file = /sauv-certif/cert/new/root.pem
 tls: private_key_password = saucisson
 tls: dh_file = /sauv-certif/cert/new/dh
 tls: random_file = /sauv-certif/cert/new/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no

Re: Windows sending Hostname

2003-12-16 Thread Brian Clarkson
do you have this part of the config enabled?

preprocess {

# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
with_ntdomain_hack = yes
}

Sevcik Berndt wrote:

> I use Windows XP with PEAP for authentication
>
> The problem is that in the uid at the Radius Server is always the following
> string:
> HOSTNAME\\USERNAME
>
> So our LDAP lookup is not working (requires only the username). Is there a
> possibility to extract only the username?
> Thanks
> Berndt
> -
> TGM - Die Schule der Technik
> IT-Service
> A-1200 Wien, Wexstr. 19-23
> Tel. +43(1)33126/316 Fax: +43(1)33126/154
> E-Mail: [EMAIL PROTECTED]
> -
 





Really need Help

2003-12-16 Thread Lucas Oliveira
Hi everybody,

I am having a problem with acct_users, I did a shell script but when the
user logs on, the radius prints that exec-program is running but it didn't make
any action.

I really do know how to set it up.
Thanks
Sincerely
Lucas Oliveira
Web Manager
Prompt Tecnologia
www.prompt-tecnologia.com.br




Getting no results with LDAP

2003-12-16 Thread Sevcik Berndt
Thanks for the tip with the NT Domain hack Brian.

Another problem is the LDAP Query itself. I get no result for my Username. But the 
User exists and when I use the ldapsearch command with the
same filter I also get a result.

I use the latest CVS Version of Freeradius
and openLDAP Version 2.1.22-1

rlm_ldap: - authorize
rlm_ldap: performing user authorization for sevcikb
radius_xlat:  '(uid=sevcikb)'
radius_xlat:  'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter 
(uid=sevcikb)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0

Here's my config:

 ldap {
server = localhost
identity = cn=admin,dc=tgm,dc=ac,dc=at
password = xxx
basedn = ou=People,ou=admin,dc=tgm.dc=ac,dc=at
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 
# base_filter = (objectclass=radiusprofile)
 
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no
 
# tls_cacertfile= /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile  = /path/to/radius.crt
# tls_keyfile   = /path/to/radius.key
# tls_randfile  = /path/to/rnd
# tls_require_cert  = demand
 
# default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
# profile_attribute = radiusProfileDn
#   access_attr = dialupAccess
 
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
 
ldap_connections_number = 5
 
#
# NOTICE: The password_header directive is NOT case insensitive
#
# password_header = {clear}
#
#  The server can usually figure this out on its own, and pull
#  the correct User-Password or NT-Password from the database.
#
#  Note that NT-Passwords MUST be stored as a 32-digit hex
#  string, and MUST start off with 0x, such as:
#
#   0x000102030405060708090a0b0c0d0e0f
#
#  Without the leading 0x, NT-Passwords will not work.
#  This goes for NT-Passwords stored in SQL, too.
#
password_attribute = ntPassword
# groupname_attribute = cn
# groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
}

Thanks for help
Berndt





WLAN/NT-Domain Authentication

2003-12-16 Thread Kai Matla

Hi all,

we have a freeRadius Server (0.9.3) authenticating WLAN-Users.
It works fine with the local users file, but we want it to authenticate the users 
against our NT-Domain.
I have learned that rlm_smb should be used to achieve this, so I re-configured 
freeRadius with experimental modules.

This block was added to radiusd.conf:

smb {
server = srv1.domain.com
backup = srv2.domain.com
domain = domain.com
}

But when I try to authenticate a user, I get:

auth: Failed to validate the user.

without any mentioning of the smb module in the above output about the request.
Any help would be appreciated!

With kind regards,
Kajetan Matla


Freeradius Ip address assignation

2003-12-16 Thread Alex Rodriguez
There is a way for freeradius to be the one assigning the dynamic ip 
addresses, instead of the access server assigning them?

I am trying to create different groups, with different dynamic ranges of ip 
addresses, for a project, and i cannot do that on the ascend max. Only the 
pool assignation is used to be specified using different PRI's or phone 
number.

Anybody knows if there's a way of the radius be in charge of assigning the 
pool of ips for each group?



Re: WLAN/NT-Domain Authentication

2003-12-16 Thread Michael Griego
WLAN authentication is handled by the EAP module.  Sounds like, for what
you're wanting to do, you need to look at the PEAP setup.

--Mike



On Tue, 2003-12-16 at 08:22, Kai Matla wrote:
 Hi all,
 
 we have a freeRadius Server (0.9.3) authenticating WLAN-Users.
 It works fine with the local users file, but we want it to authenticate the users 
 against our NT-Domain.
 I have learned that rlm_smb should be used to achieve this, so I re-configured 
 freeRadius with experimental modules.
 
 This block was added to radiusd.conf:
 
 smb {
 server = srv1.domain.com
 backup = srv2.domain.com
 domain = domain.com
 }
 
 But when I try to authenticate a user, I get:
 
 auth: Failed to validate the user.
 
 without any mentioning of the smb module in the above output about the request.
 Any help would be appreciated!
 
 With kind regards,
 Kajetan Matla
-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





Re: Freeradius Ip address assignation

2003-12-16 Thread Chris Parker
At 08:29 AM 12/16/2003, Alex Rodriguez wrote:
> There is a way for freeradius to be the one assigning the dynamic ip 
> addresses, instead of the access server assigning them?
>
> I am trying to create different groups, with different dynamic ranges of 
> ip addresses, for a project, and i cannot do that on the ascend max. Only 
> the pool assignation is used to be specified using different PRI's or 
> phone number.

You can actually.  If you put the ip's in different pools on the MAX, you
can tell it which pool to pull a dynamic IP from via the Vendor-Specific
attribute Ascend-Assign-IP-Pool ( from dictionary.ascend ).  See the MAX
documentation for how to do this.

> Anybody knows if there's a way of the radius be in charge of assigning the 
> pool of ips for each group?

the rlm_ippool module can allow FreeRADIUS to assign IP's from a pool that
it manages.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: Getting no results with LDAP

2003-12-16 Thread Sevcik Berndt
The problem is solved! Sorry for the posting

Thanks
Berndt


On Tue, 2003-12-16 at 15:09, Sevcik Berndt wrote:
 Thanks for the tip with the NT Domain hack Brian.
 
 Another problem is the LDAP Query itself. I get no result for my Username. But 
 the User exists and when I use the ldapsearch command with the
 same filter I also get a result.
 
 I use the latest CVS Version of Freeradius
 and openLDAP Version 2.1.22-1
 
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for sevcikb
 radius_xlat:  '(uid=sevcikb)'
 radius_xlat:  'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
 ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter 
 (uid=sevcikb)
 rlm_ldap: object not found or got ambiguous search result
 rlm_ldap: search failed
 ldap_release_conn: Release Id: 0
 
 Here's my config:
 
  ldap {
 server = localhost
 identity = cn=admin,dc=tgm,dc=ac,dc=at
 password = xxx
 basedn = ou=People,ou=admin,dc=tgm.dc=ac,dc=at
 filter = (uid=%{Stripped-User-Name:-%{User-Name}})
  
 # base_filter = (objectclass=radiusprofile)
  
 # set this to 'yes' to use TLS encrypted connections
 # to the LDAP database by using the StartTLS extended
 # operation.
 # The StartTLS operation is supposed to be used with normal
 # ldap connections instead of using ldaps (port 689) connections
 start_tls = no
  
 # tls_cacertfile= /path/to/cacert.pem
 # tls_cacertdir = /path/to/ca/dir/
 # tls_certfile  = /path/to/radius.crt
 # tls_keyfile   = /path/to/radius.key
 # tls_randfile  = /path/to/rnd
 # tls_require_cert  = demand
  
 # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
 # profile_attribute = radiusProfileDn
 #   access_attr = dialupAccess
  
 # Mapping of RADIUS dictionary attributes to LDAP
 # directory attributes.
 dictionary_mapping = ${raddbdir}/ldap.attrmap
  
 ldap_connections_number = 5
  
 #
 # NOTICE: The password_header directive is NOT case insensitive
 #
 # password_header = {clear}
 #
 #  The server can usually figure this out on its own, and pull
 #  the correct User-Password or NT-Password from the database.
 #
 #  Note that NT-Passwords MUST be stored as a 32-digit hex
 #  string, and MUST start off with 0x, such as:
 #
 #   0x000102030405060708090a0b0c0d0e0f
 #
 #  Without the leading 0x, NT-Passwords will not work.
 #  This goes for NT-Passwords stored in SQL, too.
 #
 password_attribute = ntPassword
 # groupname_attribute = cn
 # groupmembership_filter = 
 (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 # groupmembership_attribute = radiusGroupName
 timeout = 4
 timelimit = 3
 net_timeout = 1
 # compare_check_items = yes
 # do_xlat = yes
 # access_attr_used_for_allow = yes
 }
 
 Thanks for help
 Berndt
 
 
 
-- 
This message was created with the kind support
of a free-range penguin kept in species-appropriate outdoor conditions.
It is guaranteed free of Microsoft viruses.
 
-
TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316 Fax: +43(1)33126/154
E-Mail: [EMAIL PROTECTED]
-





Re: Getting no results with LDAP

2003-12-16 Thread Kostas Kalevras
On Tue, 16 Dec 2003, Sevcik Berndt wrote:

 Thanks for the tip with the NT Domain hack Brian.

 Another problem is the LDAP Query itself. I get no result for my Username.
 But the User exists and when I use the ldapsearch command with the
 same filter I also get a result.

 I use the latest CVS Version of Freeradius
 and openLDAP Version 2.1.22-1

 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for sevcikb
 radius_xlat:  '(uid=sevcikb)'
 radius_xlat:  'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
 ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter 
 (uid=sevcikb)
 rlm_ldap: object not found or got ambiguous search result
 rlm_ldap: search failed
 ldap_release_conn: Release Id: 0

Check your ldap server ACIs
Check your ldap server logs

freeradius normally just uses the openldap libs (which are used by ldapsearch)
so there should be some kind of difference between the queries run by each one.


 Here's my config:

  ldap {
 server = localhost
 identity = cn=admin,dc=tgm,dc=ac,dc=at
 password = xxx
 basedn = ou=People,ou=admin,dc=tgm.dc=ac,dc=at
 filter = (uid=%{Stripped-User-Name:-%{User-Name}})

 # base_filter = (objectclass=radiusprofile)

 # set this to 'yes' to use TLS encrypted connections
 # to the LDAP database by using the StartTLS extended
 # operation.
 # The StartTLS operation is supposed to be used with normal
 # ldap connections instead of using ldaps (port 689) connections
 start_tls = no

 # tls_cacertfile= /path/to/cacert.pem
 # tls_cacertdir = /path/to/ca/dir/
 # tls_certfile  = /path/to/radius.crt
 # tls_keyfile   = /path/to/radius.key
 # tls_randfile  = /path/to/rnd
 # tls_require_cert  = demand

 # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
 # profile_attribute = radiusProfileDn
 #   access_attr = dialupAccess

 # Mapping of RADIUS dictionary attributes to LDAP
 # directory attributes.
 dictionary_mapping = ${raddbdir}/ldap.attrmap

 ldap_connections_number = 5

 #
 # NOTICE: The password_header directive is NOT case insensitive
 #
 # password_header = {clear}
 #
 #  The server can usually figure this out on its own, and pull
 #  the correct User-Password or NT-Password from the database.
 #
 #  Note that NT-Passwords MUST be stored as a 32-digit hex
 #  string, and MUST start off with 0x, such as:
 #
 #   0x000102030405060708090a0b0c0d0e0f
 #
 #  Without the leading 0x, NT-Passwords will not work.
 #  This goes for NT-Passwords stored in SQL, too.
 #
 password_attribute = ntPassword
 # groupname_attribute = cn
 # groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 # groupmembership_attribute = radiusGroupName
 timeout = 4
 timelimit = 3
 net_timeout = 1
 # compare_check_items = yes
 # do_xlat = yes
 # access_attr_used_for_allow = yes
 }

 Thanks for help
 Berndt





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Repeating authentication all the time

2003-12-16 Thread Sevcik Berndt
The authentication now works and I see an Access Accept Packet at the
end. But the interesting thing is that the authentication goes a few seconds
later on and the same process is repeated.

The Windows XP PC never gets really authenticated. The Access Point shows
that the authentication was successful (RoamAbout R2)

Has someone the same experience?

Thanks
Berndt


Initializing the thread pool...
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=136,
length=116
Message-Authenticator = 0x649854dbce2d7bf0fcee43598bb647e6
User-Name = berndt.sevcik
NAS-IP-Address = 10.3.4.2
Sending Access-Challenge of id 145 to 10.3.4.2:1043
EAP-Message =
0x01cc004a1900170301003ffbb7b7b2a9fc6b9e6cba07729cdb312818ca43307b7ec2a2ab3669b1d5b66f3a3df95d0b0adc9ef933a6b97961eb47099d149ffcc38d3f4ca2b16510ad77be
Message-Authenticator = 0x
State = 0x4cb24f3bbf150ffaf70f1305ee419e12
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=146,
length=145
Message-Authenticator = 0x2c0ff11621c9b0033f34fb6ea44546e7
User-Name = berndt.sevcik
State = 0x4cb24f3bbf150ffaf70f1305ee419e12
NAS-IP-Address = 10.3.4.2
NAS-Port = 2
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 00-04-23-77-4b-a3
Framed-MTU = 1000
EAP-Message =
0x02cc001d1900170301001259680ad935701f4d4333b259e3773f36bf28
rlm_ldap: - authorize
rlm_ldap: performing user authorization for berndt.sevcik
ldap_get_conn: Got Id: 0
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value
0x97BA4F3659E30573DB838CA8692897BC  op=21
rlm_ldap: Adding lmPassword as LM-Password, value
B1EE20160x1D73468FA91E548719C3AC6E  op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user berndt.sevcik authorized to use remote access
ldap_release_conn: Release Id: 0
 
  PEAP: Got tunneled EAP-Message
EAP-Message = 0x02cc00061a03
  PEAP: Sending tunneled request
EAP-Message = 0x02cc00061a03
Freeradius-Proxied-To = 127.0.0.1
User-Name = berndt.sevcik
State = 0x1ea57825164814a89aa097aba563
rlm_ldap: - authorize
rlm_ldap: performing user authorization for berndt.sevcik
ldap_get_conn: Got Id: 0
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value
0x97BA4F3659E30573DB838CA8692897BC  op=21
rlm_ldap: Adding lmPassword as LM-Password, value
B1EE20160x1D73468FA91E548719C3AC6E  op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user berndt.sevcik authorized to use remote access
ldap_release_conn: Release Id: 0
  PEAP: Got tunneled reply RADIUS code 2
EAP-Message = 0x03cc0004
Message-Authenticator = 0x
User-Name = berndt.sevcik
Sending Access-Accept of id 146 to 10.3.4.2:1043
MS-MPPE-Recv-Key =
0x82040f0dd02ebaa84b2558e7067ce3f505fee4528a582a61c71762d4493c83e3
MS-MPPE-Send-Key =
0xaa9976081be52cdc089a854b705837c58c0e218b0f58a52f82585c06711400dd
EAP-Message = 0x03cc0004
Message-Authenticator = 0x
User-Name = berndt.sevcik
Sending Access-Challenge of id 145 to 10.3.4.2:1043
EAP-Message =
0x01cc004a1900170301003ffbb7b7b2a9fc6b9e6cba07729cdb312818ca43307b7ec2a2ab3669b1d5b66f3a3df95d0b0adc9ef933a6b97961eb47099d149ffcc38d3f4ca2b16510ad77be
Message-Authenticator = 0x
State = 0x4cb24f3bbf150ffaf70f1305ee419e12
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=146,
length=145
Message-Authenticator = 0x2c0ff11621c9b0033f34fb6ea44546e7
User-Name = berndt.sevcik
State = 0x4cb24f3bbf150ffaf70f1305ee419e12
NAS-IP-Address = 10.3.4.2
NAS-Port = 2
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 00-04-23-77-4b-a3
Framed-MTU = 1000
EAP-Message =
0x02cc001d1900170301001259680ad935701f4d4333b259e3773f36bf28
rlm_ldap: - authorize
rlm_ldap: performing user authorization for berndt.sevcik
ldap_get_conn: Got Id: 0
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value
0x97BA4F3659E30573DB838CA8692897BC  op=21
rlm_ldap: Adding lmPassword as LM-Password, value
B1EE20160x1D73468FA91E548719C3AC6E  op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user berndt.sevcik authorized to use remote access
ldap_release_conn: Release Id: 0
 
  PEAP: Got tunneled EAP-Message
EAP-Message = 0x02cc00061a03
  PEAP: Sending tunneled request
EAP-Message = 0x02cc00061a03
Freeradius-Proxied-To = 127.0.0.1
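
In the debug output above, the Access-Request with id=146 and Message-Authenticator 0x2c0ff116... is received a second time after the Access-Accept for id 146 was sent. The following is an added example, not part of the original post: it parses radiusd -X output in this format and lists requests that arrive again with the same source, id and Message-Authenticator, together with the replies already sent for that exchange. The sample log and the function names are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "radiusd -X" output quoted above.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.0.2:1043, id=7,
length=145
Message-Authenticator = 0x11111111111111111111111111111111
User-Name = alice
EAP-Message =
0x02cc0006
rlm_ldap: - authorize
Message-Authenticator = 0x
Sending Access-Accept of id 7 to 10.0.0.2:1043
EAP-Message = 0x03cc0004
rad_recv: Access-Request packet from host 10.0.0.2:1043, id=7,
length=145
Message-Authenticator = 0x11111111111111111111111111111111
User-Name = alice
rad_recv: Access-Request packet from host 10.0.0.2:1043, id=8,
length=120
Message-Authenticator = 0x22222222222222222222222222222222
User-Name = alice
"""

RECV = re.compile(r"rad_recv: (?P<code>\S+) packet from host "
                  r"(?P<host>[\d.]+):(?P<port>\d+), id=(?P<id>\d+)")
SENT = re.compile(r"Sending (?P<code>\S+) of id (?P<id>\d+) "
                  r"to (?P<host>[\d.]+):(?P<port>\d+)")
ATTR = re.compile(r"(?P<name>[A-Za-z][\w-]*) =\s*(?P<value>.*)$")
LENGTH = re.compile(r"length=\d+$")


def parse_packets(text):
    """Turn debug output into a list of received/sent packets with attributes."""
    packets, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            # The value was wrapped onto its own line (as with EAP-Message).
            current["attrs"].setdefault(pending, line)
            pending = None
            continue
        header = RECV.match(line) or SENT.match(line)
        if header:
            direction = "recv" if line.startswith("rad_recv") else "sent"
            current = {"direction": direction, "code": header["code"],
                       "host": header["host"], "port": int(header["port"]),
                       "id": int(header["id"]), "attrs": {}}
            packets.append(current)
            continue
        attr = ATTR.match(line)
        if attr and current is not None:
            if attr["value"]:
                current["attrs"].setdefault(attr["name"], attr["value"])
            else:
                pending = attr["name"]
        elif not LENGTH.match(line):
            # Module or tunnel output: attributes printed after this point
            # do not belong to the packet header seen earlier.
            current = None
    return packets


def find_retransmits(packets):
    """Report requests seen more than once with identical source, id and
    Message-Authenticator. RADIUS ids are 8 bits wide and get reused, so the
    Message-Authenticator is part of the key to avoid flagging new requests."""
    seen = defaultdict(int)
    replies = defaultdict(list)   # (host, port, id) -> reply codes sent so far
    findings = []
    for pkt in packets:
        exchange = (pkt["host"], pkt["port"], pkt["id"])
        if pkt["direction"] == "sent":
            replies[exchange].append(pkt["code"])
            continue
        key = exchange + (pkt["attrs"].get("Message-Authenticator"),)
        seen[key] += 1
        if seen[key] > 1:
            findings.append({
                "host": pkt["host"], "port": pkt["port"], "id": pkt["id"],
                "user": pkt["attrs"].get("User-Name"),
                "copies": seen[key],
                "replies_already_sent": list(replies[exchange]),
            })
    return findings


if __name__ == "__main__":
    for hit in find_retransmits(parse_packets(SAMPLE_LOG)):
        print(hit)
```

A finding whose replies_already_sent list is not empty means the server answered and the same request still came back, so the reply path to the NAS is the place to look.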

Re: Getting no results with LDAP

2003-12-16 Thread Sevcik Berndt
The problem was the following line
password = xxx

The correct syntax is:

password = xxx

I copied this line from an earlier version of freeradius (about 0.9) and
I think there it worked. But I updated also the openldap Server, so it
is hard to say which part changed.

Berndt


On Tue, 2003-12-16 at 16:23, Kostas Kalevras wrote:
 On Tue, 16 Dec 2003, Sevcik Berndt wrote:
 
  Thanks for the tip with the NT Domain hack Brian.
 
  Another problem is the LDAP Query itself. I get no result for my Username.
  But the User exists and when I use the ldapsearch command with the
  same filter I also get a result.
 
  I use the latest CVS Version of Freeradius
  and openLDAP Version 2.1.22-1
 
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for sevcikb
  radius_xlat:  '(uid=sevcikb)'
  radius_xlat:  'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
  ldap_get_conn: Got Id: 0
  rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter 
  (uid=sevcikb)
  rlm_ldap: object not found or got ambiguous search result
  rlm_ldap: search failed
  ldap_release_conn: Release Id: 0
 
 Check your ldap server ACIs
 Check your ldap server logs
 
 freeradius normally just uses the openldap libs (which are used by ldapsearch)
 so there should be some kind of difference between the queries ran by each one.
 
 
  Here's my config:
 
   ldap {
  server = localhost
  identity = cn=admin,dc=tgm,dc=ac,dc=at
  password = xxx
  basedn = ou=People,ou=admin,dc=tgm.dc=ac,dc=at
  filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 
  # base_filter = (objectclass=radiusprofile)
 
  # set this to 'yes' to use TLS encrypted connections
  # to the LDAP database by using the StartTLS extended
  # operation.
  # The StartTLS operation is supposed to be used with normal
  # ldap connections instead of using ldaps (port 636) connections
  start_tls = no
 
  # tls_cacertfile= /path/to/cacert.pem
  # tls_cacertdir = /path/to/ca/dir/
  # tls_certfile  = /path/to/radius.crt
  # tls_keyfile   = /path/to/radius.key
  # tls_randfile  = /path/to/rnd
  # tls_require_cert  = demand
 
  # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
  # profile_attribute = radiusProfileDn
  #   access_attr = dialupAccess
 
  # Mapping of RADIUS dictionary attributes to LDAP
  # directory attributes.
  dictionary_mapping = ${raddbdir}/ldap.attrmap
 
  ldap_connections_number = 5
 
  #
  # NOTICE: The password_header directive is NOT case insensitive
  #
  # password_header = {clear}
  #
  #  The server can usually figure this out on its own, and pull
  #  the correct User-Password or NT-Password from the database.
  #
  #  Note that NT-Passwords MUST be stored as a 32-digit hex
  #  string, and MUST start off with 0x, such as:
  #
  #   0x000102030405060708090a0b0c0d0e0f
  #
  #  Without the leading 0x, NT-Passwords will not work.
  #  This goes for NT-Passwords stored in SQL, too.
  #
  password_attribute = ntPassword
  # groupname_attribute = cn
  # groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
  # groupmembership_attribute = radiusGroupName
  timeout = 4
  timelimit = 3
  net_timeout = 1
  # compare_check_items = yes
  # do_xlat = yes
  # access_attr_used_for_allow = yes
  }
 
  Thanks for help
  Berndt
 
 
 
 
 
 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone:   +30 210 7721861
 'Go back to the shadow'   Gandalf
 
-- 
This message was created with the kind support
of a free-range penguin from species-appropriate free-range husbandry.
It is guaranteed free of Microsoft viruses.
 
-
TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316 Fax: +43(1)33126/154
E-Mail: [EMAIL PROTECTED]
-
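
Separately from the password line discussed above, the posted config and the rlm_ldap debug lines show the basedn as dc=tgm.dc=ac (with a dot) while the identity reads dc=tgm,dc=ac. The following is an added example, not from the thread or from FreeRADIUS: a small check that compares the two settings of an ldap { } block and flags this kind of mismatch. The function names and finding codes are made up for the illustration, and both checks are heuristics.

```python
import re

# The two settings as they appear in the config posted in this thread.
POSTED = """\
ldap {
    server = localhost
    identity = cn=admin,dc=tgm,dc=ac,dc=at
    basedn = ou=People,ou=admin,dc=tgm.dc=ac,dc=at
    # basedn = o=ignored,c=XX   (commented-out lines are skipped)
}
"""

SETTING = re.compile(r"^[ \t]*(identity|basedn)[ \t]*=[ \t]*(.+?)[ \t]*$",
                     re.MULTILINE)


def read_settings(conf_text):
    """Return the uncommented identity/basedn values of the block."""
    return {name: value.strip('"') for name, value in SETTING.findall(conf_text)}


def split_dn(dn):
    """Split a DN string into (attribute, value) pairs on unescaped commas."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def dc_suffix(rdns):
    """Trailing run of dc= components, i.e. the DNS-style naming context."""
    suffix = []
    for attr, value in reversed(rdns):
        if attr != "dc":
            break
        suffix.insert(0, value.lower())
    return suffix


def lint_ldap_dns(conf_text):
    """Return a list of (setting, code, detail) findings."""
    settings = read_settings(conf_text)
    findings = []
    for name in ("identity", "basedn"):
        if name not in settings:
            findings.append((name, "missing", ""))
            continue
        for attr, value in split_dn(settings[name]):
            if not attr or not value:
                findings.append((name, "malformed-rdn", f"{attr}={value}"))
            elif re.search(r"(?<!\\)=", value):
                # An unescaped '=' inside a value is legal in a DN string but
                # usually means a comma between two components is missing.
                findings.append((name, "equals-in-value", f"{attr}={value}"))
    if "identity" in settings and "basedn" in settings:
        bind = dc_suffix(split_dn(settings["identity"]))
        base = dc_suffix(split_dn(settings["basedn"]))
        # A bind DN may legitimately live in another tree, so this is a hint
        # to double-check, not proof of an error.
        if bind != base:
            findings.append(("basedn", "suffix-differs-from-identity",
                             f"{','.join(base)} vs {','.join(bind)}"))
    return findings


if __name__ == "__main__":
    for finding in lint_ldap_dns(POSTED):
        print(finding)
```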




(no subject)

2003-12-16 Thread Paolo Ercolani






Re: Prompt user for callback number - TXT

2003-12-16 Thread Michael J. Hartwick
On Tue, 16 Dec 2003 at 11:19 (+0100), Rther Milan wrote:

RM How can I force freeradius server to prompt the user for its
RM callback number?

When a user dials in you want them to be prompted for their username,
password and callback number?  You can't.  FreeRADIUS does not talk to
the user.  The NAS talks to the user and sends authentication packets
to the FreeRADIUS server.

RM  I cannot use the %i variable because I need to make out two phone numbers
RM (1st call-in 2nd callback)

FreeRADIUS (like all RADIUS servers) can only work with the
information that is provided to it.

Michael

--
Michael J. Hartwick, VE3SLQ  [EMAIL PROTECTED]
Hartwick Communications Consulting  (519) 396-7719
Kincardine, ON, CA http://www.hartwick.com
--



Re: Can't get Login-Time to work

2003-12-16 Thread Kevork
Hi all ...

Just a question about Login-Time ...

I was trying to get this working using mysql instead of files.

If I put Login-Time attribute in radcheck table (user by user), it works
OK.

I tried to put it for some group, in radgroupcheck, but it doesn't work, I
always get Access-Accept.

I would be thankful for any ideas ...

Regards,
Kevork.


- Original Message - 
From: Jonathan Ruano [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 18, 2003 12:29 PM
Subject: RE: Can't get Login-Time to work


 I think Login-Time is a check parameter, so you should include it on the
 first line:

 user1 Auth-Type := System, Login-Time := Wk0745-1715
 Framed-IP-Address = 255.255.255.254,
 Framed-MTU = 1500,
 [..]

 For the meaning of the operators (=, ==, :=, etc.) take a look at rlm_sql
 doc file.

 Jon






Re: Repeating authentication all the time

2003-12-16 Thread Guy Fraser
Just a guess:

Is there any firewall software/hardware that may not be allowing the
acknowledgement to be returned to the NAS?

Sevcik Berndt wrote:

The authentication now works and I see an Access Accept Packet at the
end. But the interesting thing is that the authentication goes a few seconds
later on and the same process is repeated.
The Windows XP PC never gets really authenticated. The Access Point shows
that the authentication was successful (RoamAbout R2)
Has someone the same experience?

Thanks
Berndt
 





Re: Cisco VPN3000 with freeradius

2003-12-16 Thread Spetzler, Arne \(DZ-SH\)
Alan DeKok [EMAIL PROTECTED] wrote:

 From: Alan DeKok [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Cisco VPN3000 with freeradius 
 Date: Mon, 15 Dec 2003 14:39:46 -0500
 Reply-To: [EMAIL PROTECTED]
 
 Spetzler, Arne (DZ-SH) [EMAIL PROTECTED] wrote:
  I am successfully authenticating Certificate users against freeradius =
  0.9.0 (from suse 9.0).
  
  BUT:  only the 'first' time. That means:
  
  wait a 'long' time (av. 15 min)
  
  authenticate successful
 
   This has nothing to do with FreeRADIUS.  If the client/NAS doesn't
 contact the server, there's nothing that FreeRADIUS can do to speed up
 the process.
 
  The CISCO Access Control Server ACS did not show this behaviour.
 
   I would suggest seeing what attributes are sent back from the Cisco
 server, and make FreeRADIUS send back the same attributes.
 
   Whatever the problem is, that is the only fix.
 
   Alan DeKok.
 

Hi, Alan,

no, this is _not_ the only fix ;)

I have found the problem now:

the VPN3000 Concentrator has a timing problem:

if the answer from the radius server is _fast_ ( 200ms) _and_ a lot 
of debugging is enabled - then the vpn3000 may lose the udp packet which
contains the answer.

The FREERADIUS _is_ fast - in our environment the answers came after
30-180 ms. So packets get lost.

Because the CISCO ACS is not so fast ( 300ms) this did not happen with ACS.


regards,

Arne Spetzler
 



Re: Repeating authentication all the time

2003-12-16 Thread Sevcik Berndt
They are connected via the same network (also the same switch). The funny
thing is that the Access Point says that the Client is authenticated.

Berndt

On Tue, 2003-12-16 at 17:34, Guy Fraser wrote:
 Just a guess:
 
 Is there any firewall software/hardware that may not be allowing the
 acknowledgement to be returned to the NAS?
 
 Sevcik Berndt wrote:
 
 The authentication now works and I see an Access Accept Packet at the
 end. But the interesting thing is that the authentication goes a few seconds
 later on and the same process is repeated.
 
 The Windows XP PC never gets really authenticated. The Access Point shows
 that the authentication was successful (RoamAbout R2)
 
 Has someone the same experience?
 
 Thanks
 Berndt
 
   
 
 
 
-- 
This message was created with the kind support
of a free-range penguin from species-appropriate free-range husbandry.
It is guaranteed free of Microsoft viruses.
 
-
TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316 Fax: +43(1)33126/154
E-Mail: [EMAIL PROTECTED]
-





Re: Freeradius Ip address assignation

2003-12-16 Thread Oliver Graf
On Tue, Dec 16, 2003 at 09:17:56AM -0600, Chris Parker wrote:
 At 08:29 AM 12/16/2003, Alex Rodriguez wrote:
 There is a way for freeradius to be the one assigning the dynamic ip 
 addresses, instead of the access server assigning them?
 
 I am trying to create different groups, with different dynamic ranges of 
 ip addresses, for a project, and i cannot do that on the ascend max. Only 
 the pool assignation is used to be specified using different PRI's or 
 phone number.
 
 You can actually.  If you put the ip's in different pools on the MAX, you
 can tell it which pool to pull a dynamic IP from via the Vendor-Specific
 attribute Ascend-Assign-IP-Pool ( from dictionary.ascend ).  See the MAX
 documentation for how to do this.

And I would urge you to use this solution, cause you get no benefit
from letting freeradius manage the IPs.

You can assign the pools to your MAXes via freeradius and you can tell
the MAX which pool to choose per user. This will save you from asking
the MAX for valid sessions and losing IPs cause your radius missed a
closed session...

The only real benefit of managing pools on radius side would be in a
pure dynamic routed environment (OSPF in this case -- watch your TAOS
version!), where the MAX can set the routes dynamically for each assigned 
ip, and the pools need not to be on a per device base. So you could
use a few huge pools distributed over a lot of MAXes without 'losing'
lots of net and broadcast addresses...

Oliver.




Re: Cisco VPN3000 with freeradius

2003-12-16 Thread Oliver Graf
On Tue, Dec 16, 2003 at 05:56:40PM +0100, Spetzler, Arne (DZ-SH) wrote:
 if the answer from the radius server is _fast_ ( 200ms) _and_ a lot 
 of debugging is enabled - then the vpn3000 may lose the udp packet which
 contains the answer.
 
 The FREERADIUS _is_ fast - in our environment the answers came after
 30-180 ms. So packets get lost.
 
 Because the CISCO ACS is not so fast ( 300ms) this did not happen with ACS.

Huh, cool :)

So what about an answer-delay option for sluggy NASes? ;)

Oliver.




Re: Cisco VPN3000 with freeradius

2003-12-16 Thread Alan DeKok
Oliver Graf [EMAIL PROTECTED] wrote:
 So what about an answer-delay option for sluggy NASes? ;)

  Yuck.

  Alan DeKok.



RE: Freeradius Ip address assignation

2003-12-16 Thread Anson Rinesmith
I've been trying to get this to work. What must I enable and where to get
freeradius to manage the IP pools. I have the setup mentioned with an OSPF
setup using ASCEND products that can do dynamic routing. It keeps trying to
look for it in my SQL db.

Any help?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Graf
Sent: Tuesday, December 16, 2003 12:22 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius Ip address assignation

On Tue, Dec 16, 2003 at 09:17:56AM -0600, Chris Parker wrote:
 At 08:29 AM 12/16/2003, Alex Rodriguez wrote:
 There is a way for freeradius to be the one assigning the dynamic ip 
 addresses, instead of the access server assigning them?
 
 I am trying to create different groups, with different dynamic ranges of 
 ip addresses, for a project, and i cannot do that on the ascend max. Only 
 the pool assignation is used to be specified using different PRI's or 
 phone number.
 
 You can actually.  If you put the ip's in different pools on the MAX, you
 can tell it which pool to pull a dynamic IP from via the Vendor-Specific
 attribute Ascend-Assign-IP-Pool ( from dictionary.ascend ).  See the MAX
 documentation for how to do this.

And I would urge you to use this solution, cause you get no benefit
from letting freeradius manage the IPs.

You can assign the pools to your MAXes via freeradius and you can tell
the MAX which pool to choose per user. This will save you from asking
the MAX for valid sessions and losing IPs cause your radius missed a
closed session...

The only real benefit of managing pools on radius side would be in a
pure dynamic routed environment (OSPF in this case -- watch your TAOS
version!), where the MAX can set the routes dynamically for each assigned 
ip, and the pools need not to be on a per device base. So you could
use a few huge pools distributed over a lot of MAXes without 'losing'
lots of net and broadcast addresses...

Oliver.






Re: Freeradius Ip address assignation

2003-12-16 Thread Oliver Graf
On Tue, Dec 16, 2003 at 12:46:18PM -0600, Anson Rinesmith wrote:
 I've been trying to get this to work. What must I enable and where to get
 freeradius to manage the IP pools. I have the setup mentioned with an OSPF
 setup using ASCEND products that can do dynamic routing. It keeps trying to
 look for it in my SQL db.

I would opt for configuring some pools and go... an example is in the
standard radiusd.conf.

Each pool should have its own db file I would say. But I don't think
it does something in sql, it uses gdbm db files.

Sorry, I can't be of more help, cause I never used this. From the one
look I took at it a minute ago, I would ask myself the question: how
does the radiusd sense a disconnect?

A quick look in the sources shows that it does this by looking at the
stop records. Be sure it sees all (here is the place where you
certainly will lose some IPs over time). And there seems to be a
tool called rlm_ippool_tool to clean up those stuck entries. Perhaps
with a script that checks those sessions via snmp...

Oliver (still feeling good using nas-side pools).




freeradius mysql simultaneous-use question URGENT

2003-12-16 Thread Soujanya Rao
Hi,
I am new to freeradius. I need some help in using simultaneous-use for detecting double logins using mysql only. Here is my current set up:

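 select * from radgroupcheck
+----+-----------+------------------+----+-------+
| id | GroupName | Attribute        | op | Value |
+----+-----------+------------------+----+-------+
|  2 | static    | Auth-Type        | == | Local |
|  4 | static    | Simultaneous-Use | := | 1     |
+----+-----------+------------------+----+-------+

 select * from usergroup
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
| 33 | PW006    | static    |
+----+----------+-----------+

 select * from radcheck
+----+----------+-----------+----+-------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+-------+
| 18 | PW006    | Password  | == | abcd  |
+----+----------+-----------+----+-------+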
In my radius.conf I have a set up like this:

session { sql}

In sql.conf, the "Simultaneous Use Checking Queries" are uncommented

I am using NTRadping to test for simultaneous-use and am failing to do so!
I am doing an accounting start using NTRadPing for the same user with a different NAS-IP-Address (Additional RADIUS attributes) and a different port NAS-Port (additional RADIUS attribute). Though simultaneous-use is set up the user is not stopped for double login at all. It creates two entries in the radacct table and when I run accounting stop it updates the relevant radacct records with the AcctStopTime.

Can anyone tell me where I am going wrong? This is urgent and I am clueless as to what else needs to be done. The sqltrace.log does not show that the uncommented statements in sql.conf are executed. How do I make sure that they get executed. Also please let me know if this is a correct procedure for testing the same.

Thanks in advance,
Soujanya

Re: freeradius mysql simultaneous-use question URGENT

2003-12-16 Thread Alan DeKok
Soujanya Rao [EMAIL PROTECTED] wrote:
 Can anyone tell me where I am going wrong? This is urgent and I am
 clueless as to what else needs to be done. 

  Ensure that 'sql' is listed in the 'accounting' section.

  Run: radiusd -X

  Alan DeKok.



Re: Freeradius Ip address assignation

2003-12-16 Thread Kostas Kalevras
On Tue, 16 Dec 2003, Oliver Graf wrote:

 On Tue, Dec 16, 2003 at 12:46:18PM -0600, Anson Rinesmith wrote:
  I've been trying to get this to work. What must I enable and where to get
  freeradius to manage the IP pools. I have the setup mentioned with an OSPF
  setup using ASCEND products that can do dynamic routing. It keeps trying to
  look for it in my SQL db.

 I would opt for configuring some pools and go... an example is in the
 standard radiusd.conf.

 Each pool should have its own db file I would say. But I don't think
 it does something in sql, it uses gdbm db files.

 Sorry, I can't be of more help, cause I never used this. From the one
 look I took at it a minute ago, I would ask myself the question: how
 does the radiusd sense a disconnect?

 A quick look in the sources shows that it does this by looking at the
 stop records. Be sure it sees all (here is the place where you
 certainly will lose some IPs over time). And there seems to be a
 tool called rlm_ippool_tool to clean up those stuck entries. Perhaps
 with a script that checks those sessions via snmp...

rlm_ippool will also clear an entry if an access-request comes in on an assigned
nas/port combination. So as long as accounting works ok and the ip pool is not
full rlm_ippool should be able to find a free entry.


 Oliver (still feeling good using nas-side pools).

Me too. There's very little reason in using server side pools.





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: Freeradius Ip address assignation

2003-12-16 Thread Anson Rinesmith
I have added an

ippool main_pool {
        range-start = 192.168.31.1
        range-stop = 192.168.31.254
        netmask = 255.255.255.0
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = yes
}

in radiusd.conf
What steps am I missing?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Graf
Sent: Tuesday, December 16, 2003 3:06 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius Ip address assignation

On Tue, Dec 16, 2003 at 12:46:18PM -0600, Anson Rinesmith wrote:
 I've been trying to get this to work. What must I enable and where to get
 freeradius to manage the IP pools. I have the setup mentioned with an OSPF
 setup using ASCEND products that can do dynamic routing. It keeps trying to
 look for it in my SQL db.

I would opt for configuring some pools and go... an example is in the
standard radiusd.conf.

Each pool should have its own db file I would say. But I don't think
it does something in sql, it uses gdbm db files.

Sorry, I can't be of more help, cause I never used this. From the one
look I took at it a minute ago, I would ask myself the question: how
does the radiusd sense a disconnect?

A quick look in the sources shows that it does this by looking at the
stop records. Be sure it sees all (here is the place where you
certainly will lose some IPs over time). And there seems to be a
tool called rlm_ippool_tool to clean up those stuck entries. Perhaps
with a script that checks those sessions via snmp...

Oliver (still feeling good using nas-side pools).






Turk kizlar vaoemae

2003-12-16 Thread Mustafa
Title: oxypvonyjosnjkrf




If you cannot see the content of the message, click here.
Msg ID: cvftgdstrw  






A excite game

2003-12-16 Thread cdangelo
Content-Type: application/octet-stream;
name=prodImage[72].jpg
Content-Transfer-Encoding: base64
Content-ID: X9O6s8d002di0BlHv

Re: Custom SQL Query

2003-12-16 Thread Amgaabaatar Purevjal
Thanks for reply
But in sql.conf there are only authorise and accounting queries. Can I add my query at the end of those queries? Then how? What I would like to do is, after I receive an accounting query, do some calculation and update some tables in 2 different databases.
Kevin Bonner [EMAIL PROTECTED] wrote:
 On Monday 15 December 2003 18:03, Amgaabaatar Purevjal wrote:
  Hello I need to put some custom query after I receive accounting packet. Where I should look into it? rlm_sql.c is that correct file? Or I could add into accounting query? Thanks

 sql.conf (by default) is where you should specify any query. There are defaults in there which can be modified so that they work with your local table structure.

 Kevin Bonner

Help needed.

2003-12-16 Thread Shashidhara S Bapat
Hello All,
I am a new user to this mailing list. I am using Radius server to see
how it authenticates.
I am running freeradius on Linux machine and it is connected to a AP600
(Access Point) through which users are connected. Users are running on
Windows 2000 Professional. Following are the configuration I have done:

file - clients.conf:
# 192.168.100.7 is the IP address of my Access Point (wireless) (AP600)
# which supports RADIUS.
192.168.100.7/24 {
secret  = abcde
shortname   = AP-600LAB
}

file - users:
# TECH4 is the name of the wireless client (machine name) which is 
# running on Windows.
TECH4   Auth-Type := EAP, User-Password == password
Reply-Message = Hello, %u


I think the problem is with the 'user' part. I don't know which
'Auth-Type' I have to use. Please help me in my settings.
Please let me know what modifications I have to do to make it working.

FYI: The 'radtest' is working fine.



-- 
=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
--Best Regards,
  Shashi.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=




RE: There are no DB handles to use! skipped 0, tried to connect 0

2003-12-16 Thread Ripunjay Bararia
hi,
thanks for the great feedback,

now all tables are InnoDB
everything was working fine, till I upgraded to the latest CVS src of
16-Dec-2003, and ran ground
just to check
now the radius keeps on dying on me.. have not been able to check it out but

some of the interesting thing that I found in radiusd.log

Wed Dec 17 01:29:50 2003 : Error: Dropping conflicting packet from client
X:52730 - ID: 234 due to unfinished request 76121

above message repeating about 40-50 times and then the radiusd died

now I have downgraded to 0.9.3 and trying to find out if the problem still
exists
no changes were done in any configuration files

Ripunjay

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Kostas
 Kalevras
 Sent: Tuesday, December 16, 2003 1:53 AM
 To: [EMAIL PROTECTED]
 Subject: RE: There are no DB handles to use! skipped 0, tried to connect
 0


 On Tue, 16 Dec 2003, Ripunjay Bararia wrote:

  thanks Alan, for the comment,
 
  My SQL server and FR are running on the same box,
  will separating them be a good idea,
  I need to do AAA for about 1500 concurrent users
  what kind of a machine would I need for FR
  and how much load will it put on the MySQL server
  so that I can scale both of the machines accordingly
 
  currently both are running on
 
  P-IV 2.6
  Intel 856 based board
  512MB DDR 266Mhz
  9.1GB X 2 SCSI disks

 The hardware is more than adequate. And there's no need to separate them.

 Read doc/tuning_guide and especially the section on the sql module.
 In general for mysql EXPLAIN SELECT is your friend. Run all the SELECT queries
 (and also transform all the UPDATE queries to corresponding SELECT queries)
 through an EXPLAIN SELECT statement to see how many candidate rows are there.
 Example outputs:

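 mysql> explain select * from radacct where acctstoptime is null;
 +---------+------+---------------+--------------+---------+-------+------+-------------+
 | table   | type | possible_keys | key          | key_len | ref   | rows | Extra       |
 +---------+------+---------------+--------------+---------+-------+------+-------------+
 | radacct | ref  | AcctStopTime  | AcctStopTime |       8 | const |  315 | Using where |
 +---------+------+---------------+--------------+---------+-------+------+-------------+
 1 row in set (0.02 sec)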

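 mysql> explain select * from radacct where acctstoptime = '2003-12-15 21:00:00';
 +---------+------+---------------+--------------+---------+-------+------+-------------+
 | table   | type | possible_keys | key          | key_len | ref   | rows | Extra       |
 +---------+------+---------------+--------------+---------+-------+------+-------------+
 | radacct | ref  | AcctStopTime  | AcctStopTime |       8 | const |    1 | Using where |
 +---------+------+---------------+--------------+---------+-------+------+-------------+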


 The rows and possible_keys columns are important. If you see that the candidate
 rows are more than a few, or that an index is never used, for example:

 mysql> explain select * from radacct where acctterminatecause = 'User-Request';
 +---------+------+---------------+------+---------+------+--------+-------------+
 | table   | type | possible_keys | key  | key_len | ref  | rows   | Extra       |
 +---------+------+---------------+------+---------+------+--------+-------------+
 | radacct | ALL  | NULL          | NULL |    NULL | NULL | 971518 | Using where |
 +---------+------+---------------+------+---------+------+--------+-------------+
 1 row in set (0.00 sec)

 then you should either rearrange your queries to use a proper index (like using
 the acctuniqueid column in the accounting_stop query) or add a corresponding
 index.

 If you are using MySQL 3.X maybe you should think of moving to 4.X and to the
 InnoDB tables (instead of MyISAM which have global instead of per row locking).

 Hope the above was helpful.

 
 
  thanks
  Ripunjay Bararia
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] Behalf Of
 Alan DeKok
   Sent: Monday, December 15, 2003 10:19 PM
   To: [EMAIL PROTECTED]
   Subject: Re: There are no DB handles to use! skipped 0, tried
 to connect
   0
  
  
   Ripunjay Bararia [EMAIL PROTECTED] wrote:
--- radius.log begin ---
Mon Dec 15 12:30:23 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
  
 Find out why your SQL database is slow.
  
 Alan DeKok.
  
  
 
 


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
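
The EXPLAIN workflow from the quoted advice, written out as an added example that is not part of the original thread and is not FreeRADIUS's own SQL. The radacct_demo table, its rows, the index names and the stop-record UPDATE are constructed stand-ins; only the column names acctuniqueid, acctstoptime and acctterminatecause come from the messages above.

```sql
-- Constructed, cut-down table: NOT the schema FreeRADIUS ships.
CREATE TABLE radacct_demo (
  radacctid          BIGINT NOT NULL AUTO_INCREMENT PRIMARY KEY,
  acctuniqueid       VARCHAR(32) NOT NULL DEFAULT '',
  acctsessionid      VARCHAR(32) NOT NULL DEFAULT '',
  username           VARCHAR(64) NOT NULL DEFAULT '',
  acctstoptime       DATETIME NULL,
  acctterminatecause VARCHAR(32) NOT NULL DEFAULT '',
  KEY acctstoptime (acctstoptime)
) ENGINE=InnoDB;

-- Constructed sample sessions: two closed, one still open.
INSERT INTO radacct_demo
  (acctuniqueid, acctsessionid, username, acctstoptime, acctterminatecause)
VALUES
  ('uid-0001', 'sess-0001', 'alice', '2003-12-15 21:00:00', 'User-Request'),
  ('uid-0002', 'sess-0002', 'bob',   '2003-12-15 21:05:00', 'Idle-Timeout'),
  ('uid-0003', 'sess-0003', 'carol', NULL,                  '');

-- Step 1: turn the UPDATE into a SELECT with the same WHERE clause.
-- MySQL releases before 5.6 cannot EXPLAIN an UPDATE directly.
-- Hypothetical stop-record statement being analysed:
--   UPDATE radacct_demo
--      SET acctstoptime = NOW(), acctterminatecause = 'User-Request'
--    WHERE acctsessionid = 'sess-0003' AND username = 'carol';
EXPLAIN SELECT * FROM radacct_demo
 WHERE acctsessionid = 'sess-0003' AND username = 'carol';
-- Neither column is indexed here; read the type, key and rows columns.

-- Step 2a: rearrange the query so it filters on a selective, indexed column.
ALTER TABLE radacct_demo ADD UNIQUE KEY acctuniqueid (acctuniqueid);
EXPLAIN SELECT * FROM radacct_demo
 WHERE acctuniqueid = 'uid-0003';
-- Compare key and rows with the EXPLAIN from step 1.

-- Step 2b: when the query cannot be rearranged, add a matching index.
EXPLAIN SELECT * FROM radacct_demo
 WHERE acctterminatecause = 'User-Request';   -- before the index
ALTER TABLE radacct_demo ADD KEY acctterminatecause (acctterminatecause);
EXPLAIN SELECT * FROM radacct_demo
 WHERE acctterminatecause = 'User-Request';   -- after the index

-- Confirm which indexes now exist on the table.
SHOW INDEX FROM radacct_demo;
```

On a table this small the optimizer's row estimates are not meaningful; run the same EXPLAIN statements against a copy of the production radacct table to see realistic rows values.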



- 
List