Hi Juan,

I did try both settings, SQL and SQLCC, in sqlcounter.conf. Accounting packets are updated into the MySQL radacct table without any problems.
Can I request you to send me MySQL table entries for a sample user with daily time limits, for my reference? I think I am entering some wrong values in the MySQL table. Sorry for the hassle.

Sagar Patil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 22 March 2004 22:27
To: [EMAIL PROTECTED]
Subject: Freeradius-Users digest, Vol 1 #3024 - 4 msgs

Send Freeradius-Users mailing list submissions to [EMAIL PROTECTED]
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED]
You can reach the person managing the list at [EMAIL PROTECTED]
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."

Today's Topics:
  1. Re: SQLCOUNTER Problems (Juan Pablo Fava)
  2. RE: Multiple IP Pools with Ascend APX's (Troy Settle)
  3. Precedence of Realms and Groups in raddb/users (Bernie Dolan)
  4. RE: Using freeradius to authenticate users to a Windows 2000 AD (Tarun Bhushan)

--__--__--

Message: 1
Date: Mon, 22 Mar 2004 17:32:25 -0300 (ART)
Subject: Re: SQLCOUNTER Problems
From: "Juan Pablo Fava" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

First of all, replace in sqlcounter.conf this line:

    sqlmod-inst = sqlcca3

with this one:

    sqlmod-inst = sql

The usage statistics are updated by rlm_sql. To do this you must have "sql" in the accounting section of your radiusd.conf.

Juan Pablo

[EMAIL PROTECTED] said:
> Hi All,
>
> I want to use RLM_SQLCOUNTER with Freeradius.
> After compiling RLM_SQLCOUNTER with FreeRadius, I still can't see
> radius trying to update usage statistics in MySQL tables.
> I read doc/rlm_sqlcounter and thought that whenever a user uses any minutes out
> of the allocated values, RLM_COUNTER will change the statistics by calculating:
> (Allocated time - Used time) = Remaining time.
> Am I right here?
> Any help will be appreciated....
>
> sqlcounter.conf:
>
> sqlcounter dailycounter {
>         driver = "rlm_sqlcounter"
>         counter-name = Daily-Session-Time
>         check-name = Max-Daily-Session
>         sqlmod-inst = sqlcca3
>         key = User-Name
>         reset = daily
>         query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
> }
>
> sqlcounter monthlycounter {
>         counter-name = Monthly-Session-Time
>         check-name = Max-Monthly-Session
>         sqlmod-inst = sqlcca3
>         key = User-Name
>         reset = monthly
>         query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
> }
>
> # Query:
> # SELECT *
> # FROM `radcheck`
> #
> 'id','UserName','Attribute','op','Value'
> '[NULL]','infinite','Password','==','infinite'
> '[NULL]','infinite','Max-Daily-Session',':=','100'
> '[NULL]','infinite','Max-Monthly-Session',':=','1000'
>
> radiusd -Xp 1645 returns....................
>
> --- Walking the entire request list ---
> Cleaning up request 1 ID 67 with timestamp 405f32ea
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Accounting-Request packet from host 132.146.197.111:1646, id=68, length=36
>         User-Name = "infinite"
>         Acct-Status-Type = Stop
> Processing the preacct section of radiusd.conf
> modcall: entering group preacct for request 2
>   modcall[preacct]: module "preprocess" returns noop for request 2
>     rlm_realm: No '@' in User-Name = "infinite", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[preacct]: module "suffix" returns noop for request 2
>   modcall[preacct]: module "files" returns noop for request 2
> modcall: group preacct returns noop for request 2
> Processing the accounting section of radiusd.conf
> modcall: entering group accounting for request 2
> rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
> rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent
> rlm_acct_unique: Hashing ',Client-IP-Address 132.146.197.111,NAS-IP-Address = 132.146.197.111,,User-Name = "infinite"'
> rlm_acct_unique: Acct-Unique-Session-ID = "e017b662ef57e3ce".
>   modcall[accounting]: module "acct_unique" returns ok for request 2
> radius_xlat: '/usr/local/var/log/radius/radacct/132.146.197.111/detail-20040322'
> rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/132.146.197.111/detail-20040322
>   modcall[accounting]: module "detail" returns ok for request 2
>   modcall[accounting]: module "unix" returns noop for request 2
> radius_xlat: '/usr/local/var/log/radius/radutmp'
> radius_xlat: 'infinite'
> rlm_radutmp: No NAS-Port seen. Cannot do anything.
> rlm_radumtp: WARNING: checkrad will probably not work!
>   modcall[accounting]: module "radutmp" returns noop for request 2
> radius_xlat: 'infinite'
> rlm_sql (sql): sql_set_user escaped user --> 'infinite'
> radius_xlat: 'UPDATE radacct SET AcctStopTime = '2004-03-22 18:39:55', AcctSessionTime = '', AcctInputOctets '', AcctOutputOctets = '', AcctTerminateCause = '', AcctStopDelay = '', ConnectInfo_stop = '' WHERE AcctSessionId = '' AND UserName = 'infinite' AND NASIPAddress = '132.146.197.111''
> rlm_sql (sql): Reserving sql socket id: 4
> rlm_sql (sql): Released sql socket id: 4
>   modcall[accounting]: module "sql" returns ok for request 2
> modcall: group accounting returns ok for request 2
> Sending Accounting-Response of id 68 to 132.146.197.111:1646
> Finished request 2
> Going to the next request
> --- Walking the entire request list ---
> Cleaning up request 2 ID 68 with timestamp 405f32fb
> Nothing to do.  Sleeping until we see a request.
>
> Regards,
> Sagar

--__--__--

Message: 2
From: "Troy Settle" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: Multiple IP Pools with Ascend APX's
Date: Mon, 22 Mar 2004 15:22:48 -0500
Reply-To: [EMAIL PROTECTED]

Anson,

You need to look at how pool chaining works with the APX. You might also look into the virtual routers.

--
Troy Settle
Pulaski Networks
http://www.psknet.com
540.994.4254 ~ 866.477.5638

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anson Rinesmith
Sent: Wednesday, March 17, 2004 6:04 PM
To: [EMAIL PROTECTED]
Subject: Multiple IP Pools with Ascend APX's

I'm using freeRadius with MySQL.

In radgroupreply: GroupName, Attribute, op, Value, prio

I have multiple ISPs logging into one RAS. The first ISP needs two class Cs, pools 1 and 2. The second ISP needs 3 class Cs, pools 3, 4 & 5. etc...
Therefore I cannot use:

    isp1, X-Ascend-Assign-IP-Pool, :=, 0

Would I have:

    isp1, X-Ascend-Assign-IP-Pool, :=, 1
    isp1, X-Ascend-Assign-IP-Pool, +=, 2
    isp2, X-Ascend-Assign-IP-Pool, :=, 3
    isp2, X-Ascend-Assign-IP-Pool, +=, 4
    isp2, X-Ascend-Assign-IP-Pool, +=, 5
    etc..
--__--__--

Message: 3
From: "Bernie Dolan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Precedence of Realms and Groups in raddb/users
Date: Tue, 23 Mar 2004 09:06:20 +1100
Reply-To: [EMAIL PROTECTED]

We have been running FreeRadius at our installation for some time to authenticate user access to routers.
We recently introduced a number of Radius servers for various parts of the network and started using Realms. We also introduced a raddb/users group called "readonly" which gets read-only service attributes passed back to the NAS, which limits the user's functionality.

We now find that if a username is sent with a suffixed Realm then the users group ("readonly") is bypassed and the DEFAULT group is used. Is there a reference to how I can have a suffix realm observed that still uses the "readonly" DEFAULT entry in the raddb/users file?

Attached is a logon with the same user without and with a suffixed realm.

raddb/users entries are:

DEFAULT Group == "readonly", Auth-Type := System
        Login-Service = Telnet,
        Cisco-AVPair = "shell:priv-lvl=1",
        ERX-Cli-Initial-Access-Level= "5",
........
DEFAULT Auth-Type := System
        Login-Service = Telnet,
        Cisco-AVPair = "shell:priv-lvl=15",
        Service-Type = 6

raddb/realms entry is:

# Realm            Remote server [:port]   Options
#---------------- ---------------------   -------
rdn                LOCAL

rad_recv: Access-Request packet from host 144.133.144.100:50000, id=59, length=83
        User-Password = "......................................."
        User-Name = "bhd3"
        Acct-Session-Id = "erx :0002097211"
        Service-Type = Administrative-User
        NAS-IP-Address = 144.133.144.100
        NAS-Identifier = "P_Router"
modcall: entering group authorize
  modcall[authorize]: module "suffix" returns ok
HASH: user bhd3 found in hashtable bucket 93085
HASH: matched user bhd3 in group readonly
    users: Matched DEFAULT at 7
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
HASH: user bhd3 found in hashtable bucket 93085
  modcall[authenticate]: module "unix" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 59 to 144.133.144.100:50000
        Login-Service = Telnet
        Cisco-AVPair = "shell:priv-lvl=1"
        ERX-Cli-Initial-Access-Level = "5"
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 59 with timestamp 405d3194
Nothing to do.  Sleeping until we see a request.

Second use with @realm:

rad_recv: Access-Request packet from host 144.133.144.100:50000, id=60, length=87
        User-Password = "...................................."
        User-Name = "[EMAIL PROTECTED]"
        Acct-Session-Id = "erx :0002097212"
        Service-Type = Administrative-User
        NAS-IP-Address = 144.133.144.100
        NAS-Identifier = "P_Router"
modcall: entering group authorize
  modcall[authorize]: module "suffix" returns ok
    users: Matched DEFAULT at 65
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
HASH: user bhd3 found in hashtable bucket 93085
  modcall[authenticate]: module "unix" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 60 to 144.133.144.100:50000
        Login-Service = Telnet
        Cisco-AVPair = "shell:priv-lvl=15"
        Service-Type = Administrative-User
Finished request 7
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 7 ID 60 with timestamp 405d31a8
Nothing to do.  Sleeping until we see a request.
--__--__--

Message: 4
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
Date: Tue, 23 Mar 2004 09:26:43 +1100
From: "Tarun Bhushan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]

Steve,

What you need is the Windows root CA cert that you placed on to the FreeRadius box. Use the same PEM file as input on the box you are executing the LDAP Browser/Editor (LBE) from - this is the c:\temp\somedc.ca.pem file I refer to in the documentation below. I used LBE from a Windows box with the Sun Java run time installed - works just fine.

Tarun

-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 23 March 2004 6:36 AM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

OK Tarun, everything looks OK from LDP.exe, at least I am able to connect and browse. But with ldapbrowse I am getting "CA certificate is not in server certificate chain."
So, to back up a bit, the certificate that I need on the freeradius box is the one you can retrieve via the web interface on the M$ certificate server when you select the "Retrieve the CA certificate or CRL" radio button?

"Tarun Bhushan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/21/2004 04:56 PM
Please respond to [EMAIL PROTECTED]

To: <[EMAIL PROTECTED]>
cc:
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Steve,

Looks like the LDAPS connection from non-Windows-native clients is not working properly. From a Windows workstation (not on the AD machine) first try LDP.EXE (Microsoft Win2K Support Tools LDAP utility) with the SSL flag set to get to your AD LDAP server and see if this works. This shows if LDAPS is working from a Windows-native point of view. Next, try LDAP Browser/Editor (http://www.iit.edu/~gawojar/ldap/) to access the AD with LDAPS (on Windows you will need Sun Java); import your AD root CA cert (use the same PEM file as used before - see the documentation below). If you can connect now, this will provide an indication that the connection from "non-Windows-native" clients works with LDAPS. Once that works, you can then go on from there.
Regards,
Tarun

===================== Doc - is a sample session =============================

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore "C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts"
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 15 entries

thawtepersonalfreemailca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
baltimorecodesigningca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): 90:F5:28:49:56:D1:5D:2C:B0:53:D4:4B:EF:6F:90:22
thawtepersonalbasicca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
gtecybertrustglobalca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
verisignclass3ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawteserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
thawtepersonalpremiumca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
verisignclass4ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
baltimorecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
verisignclass1ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
thawtepremiumserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
gtecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
gtecybertrust5ca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): 7D:6C:86:E4:FC:4D:D1:0B:00:BA:22:BB:4E:7C:6A:8E
verisignclass2ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca -file c:\temp\somedc.ca.pem -keystore "C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts"
Enter keystore password:  changeit
Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Serial number: something
Valid from: <date> until: <date>
Certificate fingerprints:
         MD5:  something
         SHA1: something
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Saving C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts]

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore "C:\Tools\ldapbrowser\lbecacerts"
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 6 entries

1049851423488, 9/04/2003, trustedCertEntry,
Certificate fingerprint (MD5): 71:C5:05:89:08:BC:78:96:20:45:E2:0E:FD:89:E8:72
1042686583627, 16/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): D9:11:9E:1A:CE:C5:C4:29:2F:E6:DE:EB:C0:E8:12:0D
1047532540747, 13/03/2003, trustedCertEntry,
Certificate fingerprint (MD5): 90:81:E7:42:CA:D8:90:A7:59:A5:0E:D3:0E:20:1E:B0
1042609942072, 15/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): F0:C3:1D:07:F7:20:7E:95:97:73:53:76:12:9B:D4:14
1046156863186, 25/02/2003, trustedCertEntry,
Certificate fingerprint (MD5): F3:04:1F:F2:73:4F:C3:0D:C1:FA:5C:4C:D3:C6:13:1A
1042179593031, 10/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): A0:AD:08:60:83:1B:C3:50:72:7B:95:92:5A:67:E3:91

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca -file c:\temp\somedc.ca.pem -keystore "C:\Tools\ldapbrowser\lbecacerts"
Enter keystore password:  changeit
Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Serial number: something
Valid from: <date> until: <date>
Certificate fingerprints:
         MD5:  something
         SHA1: something
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Saving C:\Tools\ldapbrowser\lbecacerts]

============================= End Doc ======================================

-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Sunday, 21 March 2004 12:28 PM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

OK, I got that problem fixed on the Windows side. Now I am getting an immediate Access-Reject; here is the debug:

<snip>

NOTICE
This e-mail and any attachments are confidential and may contain copyright material of Macquarie Bank or third parties. If you are not the intended recipient of this email you should not read, print, re-transmit, store or act in reliance on this e-mail or any attachments, and should destroy all copies of them. Macquarie Bank does not guarantee the integrity of any emails or any attached files. The views or opinions expressed are the author's own and may not reflect the views or opinions of Macquarie Bank.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--__--__--

End of Freeradius-Users Digest
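The dailycounter query quoted in the SQLCOUNTER thread (Message 1) sums only the part of each session that falls inside the current reset period, clipping sessions that started before %b. As an added example that is not part of the digest, the script below runs that same arithmetic over a constructed radacct table in SQLite and applies the Max-Daily-Session check that rlm_sqlcounter performs on the result; it assumes AcctStartTime is stored as a Unix epoch and uses SQLite's two-argument MAX() in place of MySQL's GREATEST(), which is the same operation.

```python
import sqlite3
from datetime import datetime, timezone

# %b for "reset = daily": midnight at the start of the current day.
# Constructed for this example; 22 March 2004 is the date of the thread's debug output.
PERIOD_START = int(datetime(2004, 3, 22, tzinfo=timezone.utc).timestamp())

# Constructed radacct rows: (UserName, AcctStartTime as Unix epoch, AcctSessionTime in seconds).
# A session with no Stop record yet has AcctSessionTime NULL. The Stop packet in the thread
# carried no Acct-Session-Time at all, so rlm_sql wrote an empty value; such rows add nothing.
SAMPLE_RADACCT = [
    ("infinite", PERIOD_START - 3 * 3600, 600),   # ended yesterday: outside the period
    ("infinite", PERIOD_START - 60, 100),         # straddles midnight: only 40 s count
    ("infinite", PERIOD_START + 3600, 30),        # today: counts in full
    ("infinite", PERIOD_START + 7200, None),      # still open: NULL, ignored by SUM()
    ("other", PERIOD_START + 100, 5000),          # another user: filtered out by UserName
]

# The thread's MySQL query with UNIX_TIMESTAMP(AcctStartTime) replaced by the stored epoch
# and GREATEST(x, 0) by SQLite's MAX(x, 0). The three placeholders are %b, %k and %b.
COUNTER_QUERY = """
SELECT SUM(AcctSessionTime - MAX(? - AcctStartTime, 0))
FROM radacct
WHERE UserName = ?
  AND AcctStartTime + AcctSessionTime > ?
"""


def build_db(rows):
    """In-memory stand-in for the radacct table, loaded with the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, AcctSessionTime INTEGER)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    return conn


def used_seconds(conn, username, period_start):
    """Seconds of the user's session time that fall inside the current reset period."""
    (total,) = conn.execute(COUNTER_QUERY, (period_start, username, period_start)).fetchone()
    return total or 0  # SUM() over no matching rows is NULL


def check_limit(conn, username, period_start, max_session):
    """The decision rlm_sqlcounter makes in authorize: reject once the counter reaches the
    check item (Max-Daily-Session here), otherwise grant the remaining allowance
    (Allocated time - Used time), which the module uses for Session-Timeout."""
    used = used_seconds(conn, username, period_start)
    if used >= max_session:
        return "reject", 0
    return "accept", max_session - used


if __name__ == "__main__":
    db = build_db(SAMPLE_RADACCT)
    print(used_seconds(db, "infinite", PERIOD_START))         # 70
    print(check_limit(db, "infinite", PERIOD_START, 100))      # ('accept', 30)
    print(check_limit(db, "infinite", PERIOD_START, 50))       # ('reject', 0)
```

Because the radacct rows in the thread were written with an empty AcctSessionTime, the counter for "infinite" would stay at zero no matter how the sqlcounter module is wired; the fix for that lives on the NAS side, which must send Acct-Session-Time and Acct-Session-Id in its Stop packets.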

