freeradius has performed the PAP/CHAP/EAP authentication
(and it was OK).
Does what I want to do make sense?
Is this possible?
Yes, and yes.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
this work for you. The latest
revision even includes scripts that work with FreeRADIUS!
Alan DeKok.
-
, and add:
use_open_directory = yes
That's it.
You may need to use a more recent version of FreeRADIUS. I suggest 2.1.8.
Alan DeKok.
-
, cause my users file is
authenticated minus the realm in proxy..
You can still access the Realm attribute in the users file:
bob Realm != foo.net, Auth-Type := Reject
Alan DeKok.
-
Vijay Badola wrote:
Can I use mysql connection, created by server initially by reading
sql.conf, from my own separate module to get sql query answer?
Why not just use the dynamic expansion:
Filter-Id := %{sql: SELECT ...}
Alan DeKok.
-
.
Create soft links from enable to available to enable them.
This is a common pattern used by Apache, among other services.
Alan DeKok.
-
at tcpdump, and not the
FreeRADIUS logs.
In 2.1.7, you can also use raddebug to get the debug logs from a
running server.
Alan DeKok.
-
, it's wrong.
Alan DeKok.
-
periods (months:1-3,4-6,7-9,10-12).
Use a cron job SQL statements.
Alan DeKok.
-
Jeff A wrote:
Freeradius can look at more than one user file, what is the syntax to allow
this to read another, and where do I place the entry for it
$ man users
And also see the documentation at the top of the users file.
Look for include.
Alan DeKok.
-
on a quarterly cycle. Though I'd appreciate to hear from you another
approach to this.
If it works, fine.
Alan DeKok.
-
is complaining about.
(single downstream RADIUS configured as auth+acct)
There is no naturally here.
Run in debugging mode. Have I said that enough? Is there anything
else I need to say to convince you to run in debugging mode?
Alan DeKok.
-
by not following instructions, and withholding information that
could let us help you?
Alan DeKok.
-
automatically?
You need to run FreeRADIUS on the same machine as Open Directory.
Alan DeKok.
-
. The proxy tries to
fail over from one server to another. Since the packet is still live,
it's not considered to be missed.
Either post the debug log for us to look at, or stop pretending that
you want the problem solved.
Alan DeKok.
-
it didn't work that this only works for reply
attributes.
In... the users file? SQL? Where?
Alan DeKok.
-
in 4.9 seconds.
Cleaning up request 18 ID 46 with timestamp +771
Ready to process requests.
Read the FAQ and raddb/eap.conf. Look for Access-Challenge
Alan DeKok.
-
is not
transmitted correctly, although I'm very sure I typed it right.
Any suggestions?
If you run it in debugging mode, you will see a large message
suggesting that you check the shared secret.
Alan DeKok.
-
access the configuration files from rlm_perl.
Try describing a problem rather than a solution. Maybe there's
another solution that works.
Alan DeKok.
-
(text copied from the configuration files), and
what happened (text copied from debug output)
Alan DeKok.
-
Leighton Man wrote:
I have unlang in authorise section of sites-enabled/default, after pap:
if (request:Tunnel-Private-Group-Id:0 == 13){
Use:
if (request:Tunnel-Private-Group-Id == 13) {
i.e. without the :0
Alan DeKok.
-
*do* something, like reject the user?
This configuration does *not* deny users access by matching
Airespace-Wlan-Id. That should be clear: there is no deny rule!
Alan DeKok.
-
.
Then, as root do:
$ freeradiusd -X
(or radiusd -X)
Try PEAP. It will work.
See also my web site: http://deployingradius.com/ for more detailed
instructions on getting EAP methods to work.
Alan DeKok.
-
-Type = 802,
Tunnel-Private-Group-ID = 4
radreply (with the user name column)
Now I just need to translate that into SQL.
It should be easy. Read doc/rlm_sql.
Alan DeKok.
-
had a chance to look at it yet, sorry.
Alan DeKok.
-
Samba versions until it works.
Alan DeKok.
-
. They get run only
when you set Simultaneous-Use...
Alan DeKok.
-
of a request, see
request_data_add(), and request_data_get().
Alan DeKok.
-
with the server. It has a file
rlm_sql, which explains this. There's also the wiki. Type sql into
the search box, and go from there.
Alan DeKok.
-
decides and initiates which eap type to use inside
tunnel.
No. The server ALWAYS initiates an EAP type.
What the default_eap_type is used for?
The comments in eap.conf explain this.
Alan DeKok.
-
to do simultaneous-use
checking. It didn't run in the debug output you posted, so you
didn't follow the documentation.
Alan DeKok.
-
Neville wrote:
Anyone please, as this is driving me mad...
2^31 issues? Check the code for unsigned int...
Alan DeKok.
-
.
For other RADIUS monitoring... the latest release of Monit includes
FreeRADIUS plugins.
Alan DeKok.
-
the ippool / sqlippool module.
(b) No: use DHCP.
Alan DeKok.
-
'{' on the line, too.
Alan DeKok.
-
be too hard
to add, though.
if I run the server with -X then it only runs one thread so that does
not tell me what is going on.
Also if the cleanup delay is too long so I am hitting the max_requests
Why would you set cleanup delay to be longer than 5 seconds?
Alan DeKok.
-
Mark Jones wrote:
Is it possible to have the accounting packets that you would normally
proxy to another server wrote to a file and then sent from the file.
The same concept as we get with the buffered-sql config.
raddb/sites-available/decoupled-accounting
Alan DeKok.
-
Mark Jones wrote:
I have turned on reply_log option in the post-auth area. for both
accepted and rejected packets.
It is logging to the file successfully but it does not log the username
or password.
Does the reply contain the username and password?
Likely not.
Alan DeKok.
-
Mark Jones wrote:
ok but in the same post-auth section if i use the sql_log facility it
will write the username and password
That's nice.
You have been careful to discuss only problems. I suggest stating
your requirements instead.
Alan DeKok.
-
José Campos wrote:
What’s, if possible, the way you recommend to obtain graphical analysis
from freeradius activity?
Munin http://munin.projects.linpro.no/
The latest version includes scripts for FreeRADIUS.
See also the scripts directory.
Alan DeKok.
-
in rlm_preprocess checks if the attribute is string
type. I don't see why this is necessary. See line 155 (or so) in
src/modules/rlm_preprocess/rlm_preprocess.c.
Alan DeKok.
-
Latha Krishnamurthi wrote:
Is there a way in freeradius to forward the requests to all the
configured realms one after the other, if it gets rejected say for null
or default realms ??
No.
A reject is a reject.
Alan DeKok.
-
for the
data.
See also raddb/ldap.attrmap
Alan DeKok.
-
with the server?
Read raddb/sql.conf. It's explained.
And do you know any site that describes the configuration for 2.1.8 with
mysql?
I'm continually amazed at the number of people who spend hours
googling for solutions, instead of reading the documentation that
comes with the server.
Alan DeKok
.
Alan DeKok.
-
, but in the login page of
NoCat doesn't log, here is the log of the radtest -X after a try with
the login of NoCat
Nocatauth is sending an empty Access-Request. It's broken. Fix it.
Alan DeKok.
-
...
Been searching how to do this in FreeRADIUS, but haven't found much
useful information. So, if somebody can point me in the right
direction on how to set it up in FreeRADIUS. Any help will be greatly
appreciated.
Perhaps you could describe the problem in more detail.
Alan DeKok.
-
2.0.3. Any suggestions/comments will be
appreciated. I guess my next e-mail will be to the Samba mailing list
Install FreeRADIUS 2.1.8, and possibly Samba 3.4.3
Alan DeKok.
-
== NULL, Auth-Type := Reject
But it doesn't work. What's the best way to do this?
Regex?
authorize {
	...
	if (User-Name !~ /@/) {
		reject
	}
	suffix
	...
}
Alan DeKok.
-
@domain1 and @domain2.
...
I would like to know if there is any possible way to attach a list of
allowed NAS clients to realm domain2 for example, so that RADIUS discards
requests coming from nas 2.2.2.2 with realm @domain1?
Yes. See raddb/huntgroups
Alan DeKok.
-
or similar?
You can simply list multiple certificates in the CA file.
Alan DeKok.
-
.
Configure two SQL instances. One queries the main server, and sets a
group attribute. The other queries the secondary server.
Alan DeKok.
-
in radius_db config
option and not in the server configuration option. (at least for 1.1.8)
Send comments to the list, and we'll see what we can do.
Alan DeKok.
-
Johan Meiring wrote:
Alan DeKok wrote:
have read other posts on the list that have said it won't work (which
kind of makes sense to me). However, it sure would be nice to side step
Samba on this issue.
It's impossible. (for now)
For now?
Samba 4 will be a full member of an AD
.
Alan DeKok.
-
Craig Schurr wrote:
If I understand correctly the following request should be denied because
the NAS-Identifier in the request doesn't match the one specified in the
groupcheck table.
No. Read doc/rlm_sql. The Wiki also has a copy of that page.
Alan DeKok.
-
, the user is rejected.
If you want a user to be rejected, you have to configure that.
Alan DeKok.
-
.
Try this:
1) start with a default install / configuration files
2) configure LDAP
3) get PAP working
4) do NOTHING ELSE until you get PAP working
5) get CHAP working (radclient will do this)
6) THEN go customize the heck out of the server.
Alan DeKok.
-
Craig Schurr wrote:
I was just wondering if there was a maximum priority number, other than
the character limit in my mysql field.
FreeRADIUS doesn't use the id field for anything. So any limit is
due to MySQL.
Alan DeKok.
-
available/enabled to help me on this?
You should be able to figure it out from their current configuration.
It's really not that hard.
Alan DeKok.
-
has happened. Has the wiki
become road kill?
I hope not. I'll take a look.
We may need to move it to another system.
Alan DeKok.
-
.
Fix your script, or install 4x as many servers, and put a load
balancer in front of them. Nothing else will make the system run faster.
Alan DeKok.
-
won't help.
Alan DeKok.
-
the Simultaneous-Use parameter. Does it go in
ldap.attrmap.config ?
No. See man users, or doc/rlm_sql
Alan DeKok.
-
using it with EAP.
2. Is there a free wpa supplicant (peer) that generates multiple
separate sessions at the same time?
No. Just run 5-6 processes at the same time.
Alan DeKok.
-
or issue for this
problem ?
Fix the NAS.
Alan DeKok.
-
for a number of attributes, but have the query
generated in some automatic way, so I will only need one sql
instance)?
rlm_perl, and run a script.
Alan DeKok.
-
with knowledge of this kind of setup please advise on the
best way forward?
Read the documentation that comes with the server, and the comments in
the configuration files. It *should* be pretty straightforward.
Alan DeKok.
-
J Brandon Polley wrote:
I have my simultaneous-use/nas type set to other. Does anyone know of a
command to clear radutmp or where I could put in a timeout value to have
the user logged out/removed from the radutmp file?
$ man radzap
Alan DeKok.
-
question twice in a row. Why?
Alan DeKok.
-
eapol_test is, and what it
does, your question (2) is answered.
You need to read the answers on this list, and follow the
instructions. You've asked the same questions *repeatedly* when it's
clear you haven't bothered to look at eapol_test.
Alan DeKok.
-
*BROKEN THE SERVER*.
Alan DeKok.
-
a custom module which dumps the radius packet almost
immediately to logs which isn't seeing these packets and I'm trying to
see if the freeradius core is even seeing these packets.
They are likely duplicates, and suppressed. See the SNMP statistics,
or the stats via radmin.
Alan DeKok
from clients?
A: post a link on slashdot.
Alan DeKok.
-
to do the learning necessary to switch.
It takes an hour or so to compile and test 2.1.8. You don't need to
switch it to production until you've verified that it works.
Alan DeKok.
-
Jens Link wrote:
@Alan: I would document VMPS in some more detail in the wiki if my
access would be working. ;-)
It seems to be fine now.
Alan DeKok.
-
to port for 0.0.0.0
port 1812
Stop the server before you run it in debugging mode:
$ /etc/init.d/freeradius stop
Alan DeKok.
-
in the identifier of the request sent
like I listed would need to be queried unfortunately.
In 2.x:
$ man unlang
There isn't documentation describing exactly how to write specific rules.
Instead, there's documentation on the rule syntax, and examples of
that.
Alan DeKok.
-
server.
This isn't a freeradius question, and doesn't belong on this list.
Alan DeKok.
-
'server' of the table 'nas'). Can I configure a virtual server for each
NAS-Port? If so, how can I achieve that? Thank you!
You should check the NAS-Port, and proxy the request to another
virtual server.
Or, modify the source code.
Alan DeKok.
-
CaiMuzhang wrote:
Hi Alan,
Uh... I'm considering of modifying the source code indeed. But
before that, if proper configurations can work, it will be much easier.
You mentioned that I check the NAS-Port and proxy the request to another
virtual server. Is that achieved by some proper
should wait until previous will finish?
Yes.
Alan DeKok.
-
misunderstands how the server works, and is therefore
meaningless.
Alan DeKok.
-
, last sent data, etc.)
This should be tracked automatically, and cleaned up when the detail
file is deleted.
There are a number of corner cases to deal with (files getting out of
sync, etc.), but it's possible.
Alan DeKok.
-
detailed statistics,
including lists of home servers.
Alan DeKok.
-
-server-A
copy-acct-to-home-server-B
}
Alan DeKok.
-
..)
You can configure a virtual server per listener. (i.e. detail file
reader). In that, just force proxying in pre-acct:
update control {
	Proxy-To-Realm := B
}
Alan DeKok.
-
.
(5) see man radiusd in 2.1.8 for more instructions on how to go from
a default install to a final configuration.
Alan DeKok.
-
omega bk wrote:
including files in directory /etc/freeradius/sites-enabled/
main {
You have NOTHING in the sites-enabled directory. Go fix that.
You likely need default and inner-tunnel.
Alan DeKok.
-
want to log the intermediate Access-Challenges...
Alan DeKok.
-
Harshil Anil Kumar Shah wrote:
Hey I am installing freeradius-server-snapshot-20080628
Is there any reason you're installing a version that's 2 years old?
and getting following error
shrug
Install an official release, like 2.1.8.
Alan DeKok.
-
Harshil Anil Kumar Shah wrote:
Yes
In the newer version I did not find the CA.all file which I needed. That is
why I use the older version
See raddb/certs/README
This is documented.
Alan DeKok.
-
that, so there's something in your local configuration
which is hitting the problem. If I can get a copy of the config (raddb
directory), it's possible to reproduce and fix the problem.
Alan DeKok.
-
Chet Desai wrote:
radclient 172.0.0.1:3799 43 testing123
in this command 172.0.0.1 is a server radius but what is 43?
Read the documentation. It isn't hard.
Alan DeKok.
-
Harshil Anil Kumar Shah wrote:
Anybody know how to configure eap.conf, radiusd.conf, users and
clients.conf for eap-tls ?
Read raddb/certs/README.
This is documented.
Alan DeKok.
-
many headaches trying to log in, and
the client is reluctant to relax their firewall for a number of
reasons.
shrug They chose to destroy their own network. I'm not surprised
they're hesitant to fix it.
Alan DeKok.
-
?
Yes. There's no CHAP configuration, so it doesn't print a CHAP
configuration.
Alan DeKok.
-
Harshil Anil Kumar Shah wrote:
Getting the Segmentation fault when doing radiusd -X
Read doc/bugs
Alan DeKok.
-
.
You SHOULD NOT ignore the messages.
You SHOULD NOT ignore the documentation.
You SHOULD NOT post information that we did not ask for.
Alan DeKok.
-
96000
96000 conform-action continue exceed-action drop
You can't put random pieces of text in and expect it to do the right
thing. It helps to format the text correctly.
Alan DeKok.
-
1 - 100 of 14295 matches