Kris, Thanks for your help. Do you think that (1) and (2) in my previous message could be the reason that freeradius will not authenticate the client?
Thanks again.

[EMAIL PROTECTED] wrote:
> Send Freeradius-Users mailing list submissions to
>     [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>     [EMAIL PROTECTED]
>
> You can reach the person managing the list at
>     [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>    1. FreeRadius EAP-TLS questions (Hamid Salim)
>    2. Re: problem with using rlm_sql for accounting only (John Donagher)
>    3. Re: problem with using rlm_sql for accounting only (John Donagher)
>    4. Re: FreeRadius EAP-TLS questions (Kris Benson)
>    5. sql.conf (update query) (Michel Bélanger)
>    6. Re: problem with using rlm_sql for accounting only (Alan DeKok)
>    7. Hi. Windows RADIUS server died. (Derrick MacPherson)
>    8. Re: Hi. Windows RADIUS server died. (Alan DeKok)
>    9. Re: Hi. Windows RADIUS server died. (Derrick MacPherson)
>   10. Re: how to return multiple attributes from ldap? (kevin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 9 Aug 2005 13:54:52 -0400 (EDT)
> From: Hamid Salim <[EMAIL PROTECTED]>
> Subject: FreeRadius EAP-TLS questions
> To: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=UTF-8
>
> Hello,
> Two part question:
> 1. Is it critical to have certificates, dh and random files in
> etc/raddb/certs directory for eap-tls to work.
> 2. Is it ok to generate random file as date > random
>
> thanks a lot.
> Hamid.
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 09 Aug 2005 13:55:45 -0400
> From: John Donagher <[EMAIL PROTECTED]>
> Subject: Re: problem with using rlm_sql for accounting only
> To: FreeRadius users mailing list
>     <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain
>
> On Tue, 2005-08-09 at 00:01 +0200, Nicolas Baradakis wrote:
>> John Donagher wrote:
>>
>>> If the SQL server is inaccessible (i.e. down, or locked), freeradius
>>> rejects all radius requests. In my case, since the SQL database is being
>>> used only for accounting, this is not desired behavior.
>>
>> The link below explains how to control the flow of modules in FreeRADIUS.
>> http://www.freeradius.org/radiusd/doc/configurable_failover
>>
>> There is an example which looks like what you want to do for accounting.
>
> Thanks, that was exactly what I was looking for!
>
> John
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 09 Aug 2005 14:01:11 -0400
> From: John Donagher <[EMAIL PROTECTED]>
> Subject: Re: problem with using rlm_sql for accounting only
> To: FreeRadius users mailing list
>     <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain
>
> On Mon, 2005-08-08 at 18:09 -0400, Alan DeKok wrote:
>> John Donagher <[EMAIL PROTECTED]> wrote:
>>> If the SQL server is inaccessible (i.e. down, or locked), freeradius
>>> rejects all radius requests. In my case, since the SQL database is being
>>> used only for accounting, this is not desired behavior.
>>
>> See the log messages.
>>
>> What's probably happening is that all of the threads are blocked,
>> waiting for SQL to respond. Therefore, there are no threads ready to
>> service authentication requests, and they get discarded.
>>
>> The solution is to fix the SQL server so it doesn't go down. If
>> it's a critical part of your infrastructure, I'm a little unsure as to
>> why it would go down, or lock FreeRADIUS out for many seconds at a
>> time.
>
> Indeed.. under normal circumstances it wouldn't go down. My issue is
> that the SQL server is not a critical part of our infrastructure and I
> don't want it to be (at this point anyway). I'm using it for accounting
> trend reporting only.. in any event, Nicolas' suggestion was right on
> and works like a charm.
>
> Thanks
> John
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 09 Aug 2005 11:18:10 -0700
> From: "Kris Benson" <[EMAIL PROTECTED]>
> Subject: Re: FreeRadius EAP-TLS questions
> To: "FreeRadius users mailing list"
>     <[email protected]>
> Cc: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> FreeRadius users mailing list <[email protected]> on
> August 9, 2005 at 10:54 -0800 wrote:
>> Hello,
>> Two part question:
>> 1. Is it critical to have certificates, dh and random files in
>> etc/raddb/certs directory for eap-tls to work.
>> 2. Is it ok to generate random file as date > random
>
> 1. Yes, sort of. You can put it in a different directory if you change
> the eap.conf entries.
>
> 2. No. This is the correct way:
>
> To generate the dh file you can use a function that comes with openssl
>
> openssl dhparam -check -text -5 512 -out dh
>
> This will generate a 512 Diffie-Hellman key named dh.
> Move this file to /etc/mycerts/
>
> mv dh /etc/mycerts/.
>
> To generate a random file you will need a short C program using openssl
> libraries. Paste this text into a file named 'random.c':
> ----8< cut---
> #include <stdio.h>
> #include <stdlib.h>
> #include <openssl/rand.h>
>
> int main(void) {
>     unsigned char buf[100];
>     /* RAND_bytes returns 1 on success; on failure buf holds nothing usable */
>     if (!RAND_bytes(buf, sizeof buf)) {
>         fprintf(stderr, "RAND_bytes failed\n");
>         return EXIT_FAILURE;
>     }
>     /* the buffer is raw bytes, not a NUL-terminated string, so write it
>        out as binary instead of printing it with %s */
>     fwrite(buf, 1, sizeof buf, stdout);
>     return EXIT_SUCCESS;
> }
> ----8< cut---
>
> Compile it like this: gcc random.c -o random -lcrypto
>
> It will generate a 32-bit LSB executable named random, try it with ./random.
>
> Move this file to /etc/mycerts/:
> mv random /etc/mycerts/.
>
> -kb
> --
> Kris Benson, CCP, I.S.P.
> Technical Analyst, District Projects
> School District #57 (Prince George)
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 09 Aug 2005 15:34:28 -0400
> From: Michel Bélanger <[EMAIL PROTECTED]>
> Subject: sql.conf (update query)
> To: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi,
> I try to add an additional query in the query update in sql.conf. This
> is possible to make it?
>
> Here is what I have tested:
>
> accounting_update_query = "UPDATE ${acct_table1} \
>     SET FramedIPAddress = '%{Framed-IP-Address}', \
>     AcctSessionTime = '%{Acct-Session-Time}', \
>     AcctInputOctets = '%{Acct-Input-Octets}', \
>     AcctOutputOctets = '%{Acct-Output-Octets}' \
>     WHERE AcctSessionId = '%{Acct-Session-Id}' \
>     AND UserName = '%{SQL-User-Name}' \
>     AND NASIPAddress = '%{NAS-IP-Address}'; INSERT into radtempo \
>     (AcctInputOctets, AcctOutputOctets, AcctSessionId) \
>     values('%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Acct-Session-Id}')"
>
> rlm_sql_mysql: MYSQL check_error: 1064 received
> rlm_sql (sql): Couldn't update SQL accounting ALIVE record - You have an
> error in your SQL syntax; check the manual that corresponds to your
> MySQL server version for the right syntax to use near '; INSERT into
> radtempo (AcctInputOctets, AcctOutputOctets, AcctSessionId) values' at
> line 1
> --
> ------------------------------------------------------------
>
> Michel Bélanger
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 09 Aug 2005 16:00:34 -0400
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> Subject: Re: problem with using rlm_sql for accounting only
> To: FreeRadius users mailing list
>     <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
>
> John Donagher <[EMAIL PROTECTED]> wrote:
>> Indeed.. under normal circumstances it wouldn't go down. My issue is
>> that the SQL server is not a critical part of our infrastructure and I
>> don't want it to be (at this point anyway). I'm using it for accounting
>> trend reporting only.. in any event, Nicolas' suggestion was right on
>> and works like a charm.
>
>   In the CVS head you can use the rlm_sql_log module, which dumps the
> queries to a file. The file can then be post-processed. This removes
> all run-time dependency on SQL, which is a better solution.
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 09 Aug 2005 13:47:29 -0700
> From: Derrick MacPherson <[EMAIL PROTECTED]>
> Subject: Hi. Windows RADIUS server died.
> To: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain
>
> I just got asked to try and get a freeradius server running ASAP. I got
> it installed on a freebsd 5.4 box that I had just finished getting squid
> running on, not implemented yet, still testing.
>
> I see freeradius can use ntlm_auth as well, though I'm not clear on its
> syntax. I have squid using the same authentication criteria as the
> radius server was using, that was based upon being in a certain group. Can
> freeradius support this as well? My syntax in squid:
>
> ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-1058564242-1277044956-825688854-1337 Domain Group (2)
>
> Can someone save me with a quick example or am I off to read and google?
>
>
> ------------------------------
>
> Message: 8
> Date: Tue, 09 Aug 2005 17:22:17 -0400
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> Subject: Re: Hi. Windows RADIUS server died.
> To: FreeRadius users mailing list
>     <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
>
> Derrick MacPherson <[EMAIL PROTECTED]> wrote:
>> I see freeradius can use ntlm_auth as well, though I'm not clear on its
>> syntax.
>
>   See radiusd.conf for an example, and the ntlm_auth docs for its
> command-line arguments.
>
>> I have squid using the same authentication criteria as the radius
>> server was using, that was based upon being in a certain group. Can
>> freeradius support this as well?
>
>   Sure, because FreeRADIUS doesn't care about command-line arguments
> to ntlm_auth. Add as many arguments to ntlm_auth as you want.
>
>> ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>
>   This *isn't* supported. You have to pass the username & password on
> the command line, as in the examples. And if you're doing MSCHAP, you
> MUST also pass the "request nt key" option, too.
>
>> --require-membership-of=S-1-5-21-1058564242-1277044956-825688854-1337 Domain Group (2)
>
>   This is just noise to FreeRADIUS, which doesn't look at it, and
> doesn't care. If ntlm_auth returns success, so does FreeRADIUS. If
> it returns fail, so does FreeRADIUS.
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 9
> Date: Tue, 09 Aug 2005 14:38:38 -0700
> From: Derrick MacPherson <[EMAIL PROTECTED]>
> Subject: Re: Hi. Windows RADIUS server died.
> To: FreeRadius users mailing list
>     <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain
>
> On Tue, 2005-08-09 at 17:22 -0400, Alan DeKok wrote:
>> See radiusd.conf for an example, and the ntlm_auth docs for its
>> command-line arguments.
>
> thank you, reading them now.
>
> Is there a way to test if the authentication is passing or failing?
>
>
> ------------------------------
>
> Message: 10
> Date: Tue, 09 Aug 2005 15:10:17 -0700
> From: kevin <[EMAIL PROTECTED]>
> Subject: Re: how to return multiple attributes from ldap?
> To: FreeRadius users mailing list
>     <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> But, I am still interested in the way of returning multiple attributes
> without changing ldap data.
> I thought there must be a way.
>
> kevin
>
> Dusty Doris wrote:
>
>> On Tue, 9 Aug 2005, kevin wrote:
>>
>>> What? So, should I change the ldap attribute values with "+=" ???
>>> Any other way?
>>
>> Yep, it works.
>>
>> I did a test, with this DN only one filter-id was returned.
>>
>> dn: uid=dustytest,ou=users,ou=radius,dc=test,dc=com
>> objectClass: radiusprofile
>> userPassword:: ZHVzdHl0ZXN0
>> radiusGroupName: dial
>> radiusGroupName: adsl
>> uid: dustytest
>> radiusFilterId: filter1
>> radiusFilterId: filter2
>>
>> Received response ID 210, code 2, length = 59
>>         Framed-Routing = None
>>         Framed-IP-Netmask = 255.255.255.0
>>         Framed-Protocol = PPP
>>         Service-Type = Framed-User
>>         Filter-Id = "filter1"
>>
>>
>> With this dn, both were returned (note there were no quotes in it - that
>> didn't work)
>>
>> dn: uid=dustytest,ou=users,ou=radius,dc=test,dc=com
>> objectClass: radiusprofile
>> userPassword:: ZHVzdHl0ZXN0
>> radiusGroupName: dial
>> radiusGroupName: adsl
>> uid: dustytest
>> radiusFilterId: += filter1
>> radiusFilterId: += filter2
>>
>> Received response ID 214, code 2, length = 68
>>         Framed-Routing = None
>>         Framed-IP-Netmask = 255.255.255.0
>>         Framed-Protocol = PPP
>>         Service-Type = Framed-User
>>         Filter-Id = "filter1"
>>         Filter-Id = "filter2"
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: https://list.xs4all.nl/pipermail/freeradius-users/attachments/20050809/95391bfa/attachment.html
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 4, Issue 39
> ***********************************************
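Dusty's test in message 10 of the quoted digest shows that a plain LDAP value yields only the first Filter-Id while a "+=" prefix yields both. The following Python is an added illustration, not code from the list or from FreeRADIUS itself: it models how an operator prefix carried in an LDAP attribute value selects the reply-list behaviour, treating a bare value as "=" (add only if the attribute is not yet present), "+=" as "always append" and ":=" as "replace". The two LDIF-style entries and the radiusFilterId to Filter-Id mapping are constructed from Dusty's message; the parser, the operator table and the function names are this example's own assumptions about the mechanism, not FreeRADIUS internals.

```python
import re
from typing import List, Tuple

# Constructed mapping from LDAP attribute to RADIUS reply attribute
# (the radiusFilterId -> Filter-Id pair is the one used in the message).
LDAP_TO_RADIUS = {"radiusFilterId": "Filter-Id"}

# Operator prefixes an LDAP value may carry; a bare value means "=".
_OP_RE = re.compile(r"^\s*(\+=|:=|=)\s*(.*?)\s*$")

# Constructed entries, copied from Dusty's two tests above.
ENTRY_PLAIN = """
dn: uid=dustytest,ou=users,ou=radius,dc=test,dc=com
objectClass: radiusprofile
userPassword:: ZHVzdHl0ZXN0
radiusGroupName: dial
radiusGroupName: adsl
uid: dustytest
radiusFilterId: filter1
radiusFilterId: filter2
"""

ENTRY_APPEND = """
dn: uid=dustytest,ou=users,ou=radius,dc=test,dc=com
objectClass: radiusprofile
userPassword:: ZHVzdHl0ZXN0
radiusGroupName: dial
radiusGroupName: adsl
uid: dustytest
radiusFilterId: += filter1
radiusFilterId: += filter2
"""


def parse_value(raw: str) -> Tuple[str, str]:
    """Split an LDAP attribute value into (operator, value); bare value -> '='."""
    m = _OP_RE.match(raw)
    if m:
        return m.group(1), m.group(2)
    return "=", raw.strip()


def parse_ldif(ldif: str) -> List[Tuple[str, str]]:
    """Return (attribute, value) pairs from an LDIF-style entry, in file order."""
    pairs = []
    for line in ldif.strip().splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        # 'attr:: base64' lines leave a leading ':' after partition; drop it
        pairs.append((attr.strip(), value.lstrip(": ").strip()))
    return pairs


def apply_op(reply: List[Tuple[str, str]], op: str, attr: str, value: str) -> None:
    """Apply one (op, attr, value) to the reply list using the operator semantics."""
    present = any(a == attr for a, _ in reply)
    if op == "=":
        if not present:           # first value wins, later ones are ignored
            reply.append((attr, value))
    elif op == "+=":
        reply.append((attr, value))   # always appended, so several survive
    elif op == ":=":
        reply[:] = [(a, v) for a, v in reply if a != attr]
        reply.append((attr, value))   # replaces whatever was there


def build_reply(ldif: str) -> List[Tuple[str, str]]:
    """Map an LDAP entry to the list of RADIUS reply attributes it produces."""
    reply: List[Tuple[str, str]] = []
    for ldap_attr, raw in parse_ldif(ldif):
        radius_attr = LDAP_TO_RADIUS.get(ldap_attr)
        if radius_attr is None:
            continue              # not a mapped attribute, nothing to send back
        op, value = parse_value(raw)
        apply_op(reply, op, radius_attr, value)
    return reply


if __name__ == "__main__":
    for name, entry in (("plain", ENTRY_PLAIN), ("+=", ENTRY_APPEND)):
        print(name, build_reply(entry))
```

Running it prints one Filter-Id for the plain entry and two for the "+=" entry, matching the two radtest responses Dusty pasted; the ":=" branch is included so the same model also covers the replace case.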

