Re: sql wont pass radtest
Robert Wilkinson wrote:
> I have uncommented all the SQL lines to no avail.

No module is loaded. The debug log *clearly* shows which files it is reading, and which modules it is loading. It reads the SQL configuration files, but does *not* load the SQL module.

> Is it important to have a NAS installed at this stage?

No.

> including configuration file /etc/freeradius/sites-enabled/default
> including configuration file /etc/freeradius/sites-enabled/inner-tunnel

Did you edit these files? The answer is no. None of the debug log shows it loading the sql module. You have been editing *different* files, which is why the server isn't using SQL.

So.. which files were you editing and why? Go back and edit the *real* files. You will know you have succeeded when it starts printing text like this:

    Module: Linked to module rlm_sql

Until it prints that text, you are not editing the right files.

Again, the *whole purpose* of debug mode is for people to *read* it. It is *telling* you which files it is reading. You have been editing *different* files.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS CN Check Question
David Mitchell wrote:
> I've encountered a similar issue I'm not sure how to deal with. Is there a place I can log any attributes of the certificate?

Not at this moment. Patches are welcome.

> I log my accounting records via linelog, and as long as the configuration I end up with forces something reasonable into the User-Name value I do log a username. But it occurs to me it might be nice to have some kind of record of the certificate which was used. Either the CN, or serial number, or something. Is there a way to do this?

Source code changes.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: still about how to return some attributes only inAccess-Accept packet
Hi,

> However, the filter does not work. Can anyone tell me what the problem is?

do you not read my emails? really, I side with Alan here - why bother replying if you keep asking the wrong questions. yes, that # cannot be on the same line as handled - obviously that config wasn't checked before submission. but the debug you posted just showed the CONFIG being read correctly... not the code actually being activated. do as I said in my last email - ie comment out the line which says 'eap' about 6 lines up and then that code will be activated

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: still about how to return some attributes onlyinAccess-Accept packet
hi

Thanks a lot for your kindly help!!! It works now!

Best Regards

2010-05-27

- Original Message -
From: Alan Buxey
To: weiw...@126.com, FreeRadius users mailing list
Sent: 2010-05-27, 16:34:08
Subject: Re: Re: still about how to return some attributes onlyinAccess-Accept packet

Hi,

> However, the filter does not work. Can anyone tell me what the problem is?

do you not read my emails? really, I side with Alan here - why bother replying if you keep asking the wrong questions. yes, that # cannot be on the same line as handled - obviously that config wasn't checked before submission. but the debug you posted just showed the CONFIG being read correctly... not the code actually being activated. do as I said in my last email - ie comment out the line which says 'eap' about 6 lines up and then that code will be activated

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
expired user accounts between two dates
hello, i want to use expiration module to validate user account, but i need check the expiration between two dates, init and finish date. somebody help me. thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: expired user accounts between two dates
On 27/05/2010 10:46, Marco Jaraiz wrote:
> hello, i want to use expiration module to validate user account, but i need check the expiration between two dates, init and finish date. somebody help me.

As you already may know the expiration module only works for expiration date. When I had this need (a long time ago and with FR1) I just did the following:

* I added a new personal/local attribute in /etc/raddb/dictionary:

    ATTRIBUTE My-Local-Date 3000 string

* setup the hints module to add the Date for incoming requests:

    DEFAULT NAS-IP-ADDRESS == 192.168.1.4
        My-Local-Date = `%D`

* Then I use the local attribute to check the date (for instance if you use the rlm_sql module):

    mysql> select UserName,Attribute,op,Value from radcheck where UserName='myloginname';
    +-------------+--------------------+----+------------------+
    | UserName    | Attribute          | op | Value            |
    +-------------+--------------------+----+------------------+
    | myloginname | NAS-IP-Address     | =~ | 192.168.1.[4]{1} |
    | myloginname | My-Local-Date      | =  | 20090731         |
    | myloginname | My-Local-Date      | =  | 20090526         |
    | myloginname | Login-Time         | := | Wk0700-2200      |
    | myloginname | Cleartext-Password | := | THEPASS          |
    +-------------+--------------------+----+------------------+
    5 rows in set (0.00 sec)

However, I think that FR now tags incoming access-request with an internal Date-like attribute (i don't know the attribute name) so it should be easy to add a test on this specific attribute. The test could use unlang instead of users or rlm_sql check attributes.

Hope this helps,
Thibault
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
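As an added example (not part of Thibault's reply and not FreeRADIUS code), the following Python reproduces how a set of radcheck-style check items decides a request, with the date window from the table above expressed as two My-Local-Date items. Two assumptions are mine: the window rows use the comparison operators `>=` and `<=` rather than the `=` shown in the posted table (in FreeRADIUS check items `:=` and `=` assign, as the Cleartext-Password row does, rather than compare), and My-Local-Date carries the YYYYMMDD string that `%D` expands to. The Login-Time item is left out because its time-of-day grammar is a separate topic.

```python
"""Added example: evaluate FreeRADIUS-style check items in Python.

Illustrative code written for this page, not FreeRADIUS source.
Assumptions: the two My-Local-Date rows use '>=' and '<=' (the posted table
shows '='), and My-Local-Date carries the YYYYMMDD string produced by %D.
"""
import re
from datetime import date

# Constructed radcheck rows, modelled on the table above:
# (UserName, Attribute, op, Value)
RADCHECK = [
    ("myloginname", "NAS-IP-Address",     "=~", r"192.168.1.[4]{1}"),
    ("myloginname", "My-Local-Date",      ">=", "20090526"),   # init date
    ("myloginname", "My-Local-Date",      "<=", "20090731"),   # finish date
    ("myloginname", "Cleartext-Password", ":=", "THEPASS"),    # assignment, not a check
]

ASSIGNMENT_OPS = {"=", ":=", "+=", "-="}


def compare(op, request_value, check_value):
    """Apply one comparison operator the way a check item would."""
    if op == "==":
        return request_value == check_value
    if op == "!=":
        return request_value != check_value
    if op == "=~":
        # Unanchored, like the server's regex comparison: anchor the
        # pattern yourself (^...$) if a partial match must not succeed.
        return re.search(check_value, request_value) is not None
    if op == "!~":
        return re.search(check_value, request_value) is None
    if op in ("<", "<=", ">", ">="):
        lhs, rhs = request_value, check_value
        if lhs.isdigit() and rhs.isdigit():
            lhs, rhs = int(lhs), int(rhs)   # numeric compare for YYYYMMDD
        return {"<": lhs < rhs, "<=": lhs <= rhs,
                ">": lhs > rhs, ">=": lhs >= rhs}[op]
    raise ValueError("unknown comparison operator %r" % op)


def authorize(username, request, rows=RADCHECK):
    """Return (ok, reason) for `request`, a dict of attribute -> value.

    Every comparison row for the user must match. A compared attribute that
    is absent from the request fails the comparison, so the My-Local-Date
    window only works if the hints entry has actually added the attribute.
    Assignment rows (:=, =) set control items and are not compared here.
    """
    for user, attr, op, value in rows:
        if user != username or op in ASSIGNMENT_OPS:
            continue
        if attr not in request:
            return False, "%s is not in the request" % attr
        if not compare(op, request[attr], value):
            return False, "%s %s %s failed (request has %s)" % (attr, op, value, request[attr])
    return True, "all check items matched"


def local_date(year, month, day):
    """The YYYYMMDD form that the hints entry injects via %D."""
    return date(year, month, day).strftime("%Y%m%d")


if __name__ == "__main__":
    req = {"NAS-IP-Address": "192.168.1.4", "My-Local-Date": local_date(2009, 6, 1)}
    print(authorize("myloginname", req))
```

Run as-is it prints `(True, 'all check items matched')` for a request dated inside the window; change the date to 20090801 and the reason names the `<=` item that failed. The point worth keeping from this toy is the last sentence of the `authorize` docstring: if the hints entry that injects My-Local-Date does not fire (for example because the NAS-IP-Address does not match it), the window comparison fails closed rather than open.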
RE: Restricting certain users access to certain NAS devices
Sorry, I should have mentioned I already tried man rlm_passwd and couldn't figure it out. I've been through it again and have made the following changes:

1. created a file /etc/raddb/path_group

    path_group:user1,user2,user3,user4,user5

2. Added the following to /etc/raddb/dictionary

    ATTRIBUTE User_Group_Name 3003 string

3. Added to modules/passwd

    filename = /etc/raddb/path_group
    hashsize = 20
    allowmultiplekeys = yes
    format = "~User_Group_Name:*,User-Name"

4. Also edited modules/etc_group because I couldn't make out which file to put these items in

    passwd etc_group {
        filename = /etc/raddb/path_group
        format = "~User_Group_Name:*,User-Name"
        hashsize = 50
        ignorenislike = no
        allowmultiplekeys = yes
        delimiter = ":"
    }

5. Inserted this into the post-auth section of sites-enabled/default

    if (%{User_Group_Name} == path_group) {
        update reply {
            Reply-Message := "You are not allowed here"
        }
        reject
    }

Debug output is:

    FreeRADIUS Version 2.1.6, for host i686-pc-linux-gnu, built on Nov 20 2009 at 09:43:24
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /etc/raddb/radiusd.conf
    including configuration file /etc/raddb/proxy.conf
    including configuration file /etc/raddb/clients.conf
    including files in directory /etc/raddb/modules/
    including configuration file /etc/raddb/modules/inner-eap
    including configuration file /etc/raddb/modules/pap
    including configuration file /etc/raddb/modules/ippool
    including configuration file /etc/raddb/modules/expiration
    including configuration file /etc/raddb/modules/files
    including configuration file /etc/raddb/modules/attr_rewrite
    including configuration file /etc/raddb/modules/detail.example.com
    including configuration file /etc/raddb/modules/exec
    including configuration file /etc/raddb/modules/etc_group
    including configuration file /etc/raddb/modules/preprocess
    including configuration file /etc/raddb/modules/ntlm_auth
    including configuration file /etc/raddb/modules/detail.log
    including configuration file /etc/raddb/modules/passwd
    including configuration file /etc/raddb/modules/linelog
    including configuration file /etc/raddb/modules/radutmp
    including configuration file /etc/raddb/modules/smsotp
    including configuration file /etc/raddb/modules/mac2ip
    including configuration file /etc/raddb/modules/logintime
    including configuration file /etc/raddb/modules/unix
    including configuration file /etc/raddb/modules/attr_filter
    including configuration file /etc/raddb/modules/ldap
    including configuration file /etc/raddb/modules/counter
    including configuration file /etc/raddb/modules/mac2vlan
    including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
    including configuration file /etc/raddb/modules/always
    including configuration file /etc/raddb/modules/expr
    including configuration file /etc/raddb/modules/sradutmp
    including configuration file /etc/raddb/modules/policy
    including configuration file /etc/raddb/modules/wimax
    including configuration file /etc/raddb/modules/sql_log
    including configuration file /etc/raddb/modules/realm
    including configuration file /etc/raddb/modules/echo
    including configuration file /etc/raddb/modules/acct_unique
    including configuration file /etc/raddb/modules/otp
    including configuration file /etc/raddb/modules/mschap
    including configuration file /etc/raddb/modules/krb5
    including configuration file /etc/raddb/modules/smbpasswd
    including configuration file /etc/raddb/modules/checkval
    including configuration file /etc/raddb/modules/digest
    including configuration file /etc/raddb/modules/pam
    including configuration file /etc/raddb/modules/chap
    including configuration file /etc/raddb/modules/perl
    including configuration file /etc/raddb/modules/detail
    including configuration file /etc/raddb/eap.conf
    including configuration file /etc/raddb/policy.conf
    including files in directory /etc/raddb/sites-enabled/
    including configuration file /etc/raddb/sites-enabled/control-socket
    including configuration file /etc/raddb/sites-enabled/inner-tunnel
    including configuration file /etc/raddb/sites-enabled/default
    group = radiusd
    user = radiusd
    including dictionary file /etc/raddb/dictionary
    main {
        prefix = /usr
        localstatedir = /var
        logdir = /home/radlogs
        libdir = /usr/lib/freeradius
        radacctdir = /home/radlogs/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = /var/run/radiusd/radiusd.pid
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
     log {
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
     }
     security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
github wiki
Hello Alan, I want to thank you for your services. Not just for myself but for everyone that you assisted over the years it seems. You are a tireless soldier. I have visited github made some notes on the Wiki there. I am dedicated to streamlining the process of installing FR. The present system of passing information and knowledge can be daunting to new users. I nearly gave up myself due to the sheer amount of old and misleading sources that exist. By writing guides and docs I intend to learn more about FR and hopefully the community will benefit by having a greater number of users that will in turn help others along. I would like to thank the two Alans for your fine work. Please contact me if there are any additional matters that you think might be useful in increasing the knowledge base. Kind Regards, Robert Wilkinson ps I still have a few issues with sql but I am certainly going in the right direction now. I have now spent 5 days and I have been worn out. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: github wiki
Robert Wilkinson wrote:
> I want to thank you for your services. Not just for myself but for everyone that you assisted over the years it seems. You are a tireless soldier. I have visited github made some notes on the Wiki there. I am dedicated to streamlining the process of installing FR.

Thanks, but we already *have* a Wiki. I would really prefer to not add yet *another* location for documentation.

> The present system of passing information and knowledge can be daunting to new users. I nearly gave up myself due to the sheer amount of old and misleading sources that exist.

Yes... the existing Wiki has a number of out-of-date pages. However, the documentation that *comes with the server* is largely up to date.

> ps I still have a few issues with sql but I am certainly going in the right direction now. I have now spent 5 days and I have been worn out.

Can you say which documentation you were reading, and why it was unclear? We can't improve the existing documentation until we know what is wrong with it.

There have been many complaints about bad documentation, which usually are because the person is reading 4 year-old guides on third party web sites. *Please* read the documentation that comes with the server. All of the configuration files are *extensively* commented.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Restricting certain users access to certain NAS devices
Whitmarsh Mark (Leeds Teaching Hospitals NHS Trust) wrote:
> Sorry, I should have mentioned I already tried man rlm_passwd and couldn't figure it out. I've been through it again and have made the following changes:
>
> 1. created a file /etc/raddb/path_group
>
>     path_group:user1,user2,user3,user4,user5
>
> 2. Added the following to /etc/raddb/dictionary
>
>     ATTRIBUTE User_Group_Name 3003 string
>
> 3. Added to modules/passwd
>
>     filename = /etc/raddb/path_group
>     hashsize = 20
>     allowmultiplekeys = yes
>     format = "~User_Group_Name:*,User-Name"
>
> 4. Also edited modules/etc_group because I couldn't make out which file to put these items in
>
>     passwd etc_group {
>         filename = /etc/raddb/path_group
>         format = "~User_Group_Name:*,User-Name"
>         hashsize = 50
>         ignorenislike = no
>         allowmultiplekeys = yes
>         delimiter = ":"
>     }
>
> 5. Inserted this into the post-auth section of sites-enabled/default
>
>     if (%{User_Group_Name} == path_group) {

You should list etc_group in the post-auth section. The module will be loaded, and will add the User_Group_Name attribute.

> Debug output is:

Which shows that the etc_group module isn't used when a packet is received.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
dynamic assignment of VLANs from LDAP via freeradius to WLAN-Clients doesn't work properly
Hello, we have freeradius-2.1.8 running, with openldap-2.3.43 as backend. In ldap we have three attributes (radiusTunnelMediumType=IEEE-802, radiusTunnelType=VLAN, and radiusTunnelPrivateGroupId=[vlan-id]); freeradius maps the ldap-attributes to radius-attributes. We have three vlans, one for staff, one for students and one for guests on the WLAN.

After assigning the 1st VLAN on our cisco aironet 1242 accesspoints to the SSID - clicking Apply, assigning the 2nd VLAN - click Apply, assigning the 3rd VLAN, click Apply it works fine. (I mean manually assigning VLANs using the web-interface.) After a reboot of the accesspoint it doesn't work anymore. After assigning all three VLANs again, one after the other, it works.

Does anybody have an idea about what I'm doing wrong? The command "aaa authorization network default group radius" from the Cisco site I tried, but it didn't help further.

Thanks for some help,
Frank Meister
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: dynamic assignment of VLANs from LDAP via freeradius to WLAN-Clients doesn't work properly
Meister, Frank wrote:
> after assigning the 1st VLAN on our cisco aironet 1242 accesspoints to the SSID - clicking Apply, assigning the 2nd VLAN - click Apply, assigning the 3rd VLAN, click Apply it works fine. (I mean manual assigning VLANs using web-interface)

? This has nothing to do with RADIUS.

> after reboot of the accesspoint it doesn't work anymore. after assign all three VLANs again, one after the other, it works.

This has nothing to do with RADIUS.

> has anybody an idea about what I'm doing wrong ? the command aaa authorization network default group radius from the Cisco-site I tried, but it didn't help further.

I don't see why this is a question for this list.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: dynamic assignment of VLANs from LDAP via freeradius to WLAN-Clients doesn't work properly
On Thursday, 27 May 2010 18:42:29, Meister, Frank wrote:
> Hello, we have freeradius-2.1.8 running, with openldap-2.3.43 as backend. in ldap we have three attributes (radiusTunnelMediumType=IEEE-802, radiusTunnelType=VLAN, and radiusTunnelPrivateGroupId=[vlan-id]), freeradius maps the ldap-attributes to radius-attributes. We have three vlans, one for staff, one for students and one for guests on the WLAN. after assigning the 1st VLAN on our cisco aironet 1242 accesspoints to the SSID - clicking Apply, assigning the 2nd VLAN - click Apply, assigning the 3rd VLAN, click Apply it works fine. (I mean manual assigning VLANs using web-interface) after reboot of the accesspoint it doesn't work anymore. after assign all three VLANs again, one after the other, it works.

Besides that this question doesn't have anything to do with this list, did you try:

    copy running-config startup-config

?

Greetings,
--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: mi...@multinet.de
web: www.multinet.de
Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS CN Check Question
Alan DeKok wrote:
> David Mitchell wrote:
>> I've encountered a similar issue I'm not sure how to deal with. Is there a place I can log any attributes of the certificate?
> Not at this moment. Patches are welcome.
>> I log my accounting records via linelog, and as long as the configuration I end up with forces something reasonable into the User-Name value I do log a username. But it occurs to me it might be nice to have some kind of record of the certificate which was used. Either the CN, or serial number, or something. Is there a way to do this?
> Source code changes.

I believe I've found a better workaround for my original problem. By using the realm module, I can strip off the unwanted portion of the User-Name attribute.

In sites-enabled/default enable the 'suffix' module as needed.

In proxy.conf:

    # We don't actually care about the realm, we just need a match
    realm ~.+$ {
        authhost = LOCAL   # not strictly necessary
        accthost = LOCAL   # not strictly necessary
    }

In eap.conf:

    # Check for either Stripped-User-Name or User-Name, as we don't know
    # which format the client will use.
    check_cert_cn = %{%{Stripped-User-Name}:-%{user-nam...@%{calling-station-id}

Then issue certificates with a CN of the form usern...@1122.3344.5566. Most clients prompt the user for the value of User-Name, so they can just enter 'username'. XP sends the actual value of CN, but the realm strips the extra info back off so that we can do the comparison we want.

-David

> Alan DeKok.
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
David Mitchell (mitch...@ucar.edu), Network Engineer IV
National Center for Atmospheric Research
Tel: (303) 497-1845   FAX: (303) 497-1818
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RADDB 2.1.7 and /etc/shadow
> shrug It's an error produces (sic) by the PAM subsystem. Ask them what it means.

Sigh. It turns out the error is caused by a typo in the radiusd file provided in /redhat/radiusd-pam, NOT by the pam subsystem. In fact, the pam subsystem was merely reporting the error in the freeradius file. The message "module not found" was because the radiusd-pam file was pointing to password.so NOT passwd.so

> Blaming FreeRADIUS is the same as blaming Dell

Hmmm--rather defensive are we??? --Alan, no one is blaming anybody for anything; it was a simple and honest question that was also posted a few years ago and remained unanswered -- until now, by me as above. However I do find it interesting that you compare the customer service you provided on this to that provided by Dell -- if the shoe fits. I am part of a consortium of public and private universities and scientific research facilities and our internal listserv on radius frequently talks people off of freeradius solely because of the sarcastic and chip on the shoulder attitude of some of the developers. Quit being such a Mordac Alan, it scares the tourists and devalues the otherwise excellent work done by other people on this project. You can ban me now for such a ghastly breach of etiquette. Cheers!

Alan DeKok-2 wrote:
> sbchem wrote:
>> So the entry: pam_pass: function pam_authenticate FAILED for test. Reason: Module is unknown is obviously supposed to give me the clue I need but I have no idea what it means.
> shrug It's an error produces by the PAM subsystem. Ask them what it means. Blaming FreeRADIUS is the same as blaming Dell because the internet is slow.
> Alan DeKok.
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
View this message in context: http://old.nabble.com/RADDB-2.1.7-and--etc-shadow-tp28640012p28699725.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting to MySQL not working
hi,

according to the debug:

    +- entering group accounting {...}
    [detail] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.1.10/detail-20100527
    [detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.1.10/detail-20100527
    [detail] expand: %t -> Thu May 27 23:32:23 2010
    ++[detail] returns ok
    ++[unix] returns ok
    [radutmp] expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
    [radutmp] expand: %{User-Name} -> chrissql
    ++[radutmp] returns ok
    [attr_filter.accounting_response] expand: %{User-Name} -> chrissql
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated
    Sending Accounting-Response of id 77 to 192.168.1.10 port 1646
    Finished request 19.

so, it drops into the accounting section... it does detail, unix, radutmp, attr_filter.accounting_response, but where oh where was the SQL being called? hmm, from here it doesn't look like you are calling it. check the sites-enabled/* files (I don't know what virtual servers you have running or what you've called them) and please uncomment the 'sql'. It comes after the lines that say:

    #
    #  Log traffic to an SQL database.
    #
    #  See "Accounting queries" in sql.conf

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
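Both replies about SQL on this page come down to reading `radiusd -X` output for two specific lines: Alan DeKok's answer in the "sql wont pass radtest" thread (look for "Module: Linked to module rlm_sql" at startup, otherwise the files being edited are not the ones the server reads) and Alan Buxey's answer just above (the accounting section runs detail, unix, radutmp and attr_filter but never "++[sql]"). As an added example, written for this page and not taken from either poster or from FreeRADIUS, here is a small Python triage script that separates those cases over debug text. The sample lines are constructed to resemble FreeRADIUS 2.x output; the script assumes the SQL module instance is named `sql` and that the line shapes below match what your server prints (adjust the regular expressions if they differ).

```python
"""Added example: triage `radiusd -X` output for the sql module.

Illustrative code for this page, not part of FreeRADIUS. The sample debug
text is constructed to resemble FreeRADIUS 2.x output; it assumes the SQL
module instance is named "sql" and that the line formats below match your
server's (adjust the regexes if not).
"""
import re

# Constructed: the server read sql.conf but neither linked rlm_sql nor
# called sql in the accounting section (the situation in the threads above).
SAMPLE_DEBUG = """\
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sites-enabled/default
 Module: Linked to module rlm_detail
 Module: Instantiating detail
 Module: Linked to module rlm_unix
+- entering group accounting {...}
++[detail] returns ok
++[unix] returns ok
++[radutmp] returns ok
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 77 to 192.168.1.10 port 1646
"""

CONF_RE    = re.compile(r"^including configuration file (\S+)")
LINKED_RE  = re.compile(r"^\s*Module: Linked to module (rlm_\S+)")
SECTION_RE = re.compile(r"^\+- entering group (\S+)")
CALL_RE    = re.compile(r"^\+\+\[([^\]]+)\] returns (\S+)")


def analyse(debug_text):
    """Collect config files read, modules linked, and per-section module calls."""
    conf_files, linked, calls = [], set(), {}
    section = "(none)"
    for line in debug_text.splitlines():
        if m := CONF_RE.match(line):
            conf_files.append(m.group(1))
        elif m := LINKED_RE.match(line):
            linked.add(m.group(1))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := CALL_RE.match(line):
            calls.setdefault(section, []).append((m.group(1), m.group(2)))
    return {"conf_files": conf_files, "linked": linked, "calls": calls}


def sql_status(debug_text, instance="sql"):
    """Distinguish the three states the replies above ask readers to check."""
    s = analyse(debug_text)
    read_sql_conf = any(p.endswith("/sql.conf") for p in s["conf_files"])
    if "rlm_sql" not in s["linked"]:
        # sql.conf was read but no section the server loads references the
        # module: either it is commented out everywhere, or the files being
        # edited are not the ones listed in the "including ..." lines.
        return "config-read-but-not-linked" if read_sql_conf else "not-configured"
    called_in = sorted(sec for sec, mods in s["calls"].items()
                       if any(name == instance for name, _ in mods))
    if not called_in:
        return "linked-but-not-called"
    return "called-in:" + ",".join(called_in)


if __name__ == "__main__":
    print(sql_status(SAMPLE_DEBUG))
```

Usage: `radiusd -X > debug.txt`, send one packet with radtest, then feed the file's contents to `sql_status()`. The `calls` map from `analyse()` is also the quickest way to confirm which section a packet actually went through, which matters here because `sql` must be listed in the accounting section for accounting and in authorize for Access-Requests; listing it in one does not cover the other.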
Re: RADDB 2.1.7 and /etc/shadow
On 05/27/2010 04:51 PM, sbchem wrote: shrug It's an error produces (sic) by the PAM subsystem. Ask them what it means. Sigh It turns out the error is caused by a typo in the radiusd file provided in /redhat/radiusd-pam, NOT by the pam subsystem. In fact, the pam subsystem was merely reporting the error in the freeradius file. The message module not found was because the radiusd-pam file was pointing to password.so NOT passwd.so Glad you got it working and sorry for the frustration. Unfortunately the files in /redhat had serious bit rot and had not been maintained for a long time. When you want Red Hat specific files or RPM's it's really best to get them from us because we maintain them. The /etc/pam.d/radiusd is supplied in our freeradius RPM and isn't the same as was found in the freeradius tarball as you unfortunately discovered. FWIW, we just synced our files to /redhat directory in the freeradius 2.1.9 release. So for 2.1.9 they will be pretty close. But they will *diverge*. Why? Because in this instance that does not represent upstream (i.e. the definitive source), we are upstream for our own files. I have certain misgivings about upstream projects providing packaging files for their project because they inevitably diverge and have bit rot. I realize it's perceived to be friendly to supply packaging files in the upstream distribution, but it comes with a price (divergence bugs). Getting packaging files from the source (i.e. the specific Linux distribution) isn't that hard and would avoid some of these issues. By the way all this is documented in the FreeRADIUS wiki at http://wiki.freeradius.org/Red_Hat_FAQ Just my 2 cents ... -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Option 82 parse problems.
Good day. I'm trying to set up freeradius as a dhcp server with option 82 parsing and SQL data lookup. Now I use versions 2.1.8 and 2.1.9 with exactly the same configs and there is no SQL configuration yet, only the default dhcp config with my test diff (see below). I have two questions for now:

1. In dictionary.dhcp there are two strings (version 2.1.8):

    ATTRIBUTE DHCP-Agent-Circuit-Id 0x0152 octets
    ATTRIBUTE DHCP-Agent-Remote-Id 0x0252 octets

but when I start radiusd -X I see only one whole string like:

    DHCP-Relay-Agent-Information = 0x01060004006402080006000cce477c00

How can I get DHCP-Agent-Circuit-Id and DHCP-Agent-Remote-Id without using perl post_auth?

2. There is an announced feature in 2.1.9: "Add sub-option support for Option 82. See dictionary.dhcp." When I start radiusd -X (2.1.9) with its dictionary.dhcp it begins to eat 100% of CPU with no output in the console after the first dhcp packet is received. How to use this announced feature of sub-options for opt82? How to find the reason why radiusd (2.1.9) eats 100% of CPU?

My dhcp site config (with changed ip-addresses):

    server dhcp {
        listen {
            ipaddr = 192.168.0.1
            port = 67
            type = dhcp
            interface = eth0
        }

        dhcp DHCP-Discover {
            update reply {
                DHCP-DHCP-Server-Identifier = "%{Packet-Dst-IP-Address}"
            }
            linelog
            update reply {
                DHCP-Domain-Name-Server = 192.168.0.1
                DHCP-Domain-Name-Server = 192.168.10.1
                DHCP-Subnet-Mask = 255.255.255.240
                DHCP-IP-Address-Lease-Time = 1800
            }
            mac2ip
            linelog
            ok
        }

        dhcp DHCP-Request {
            update reply {
                DHCP-DHCP-Server-Identifier = "%{Packet-Dst-IP-Address}"
            }
            linelog
            update reply {
                DHCP-Domain-Name-Server = 192.168.0.1
                DHCP-Domain-Name-Server = 192.168.10.1
                DHCP-Subnet-Mask = 255.255.255.224
                DHCP-IP-Address-Lease-Time = 1800
            }
            linelog
            ok
        }

        dhcp {
            update reply {
                DHCP-Message-Type = DHCP-NAK
            }
        }
    }

    passwd mac2ip {
        filename = ${confdir}/mac2ip
        format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
        delimiter = ","
    }

--
Anton [WARM-RIPE]
Stack ltd division head
tel. 8 (3822) 555-797
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
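The value the poster sees in `radiusd -X` is the raw body of the Relay Agent Information option (option 82, RFC 3046): a sequence of sub-options, each one code byte, one length byte and that many bytes of data, with code 1 being Agent-Circuit-Id and code 2 Agent-Remote-Id. As an added example, written for this page and not taken from the poster or from FreeRADIUS, here is a stand-alone Python decoder for that body. One thing worth knowing before running it: decoded strictly, the value quoted in the question, `0x01060004006402080006000cce477c00`, yields a six-byte sub-option 1 followed by a sub-option whose code byte is 0, which RFC 3046 does not assign; the parser labels it unknown rather than guessing, so a second, constructed, fully well-formed value is included to show the Circuit-Id/Remote-Id pair. The six-byte circuit-id field layout (vlan, module, port) and the eight-byte remote-id layout decoded by the two helper functions are the ones Cisco documents for its relays and are an assumption here, not something the question states.

```python
"""Added example: decode the DHCP Relay Agent Information option (option 82,
RFC 3046) into its sub-options. Stand-alone Python written for this page, not
FreeRADIUS code. The circuit-id and remote-id field layouts decoded by the
two helper functions are the Cisco-documented ones and are assumptions."""

SUBOPTION_NAMES = {1: "DHCP-Agent-Circuit-Id", 2: "DHCP-Agent-Remote-Id"}


class Option82Error(ValueError):
    """Malformed option body (truncated or over-long sub-option)."""


def parse_option82(body):
    """Split an option-82 body into [(code, name, data), ...].

    Each sub-option is one code byte, one length byte and `length` bytes of
    data. Every declared length is checked against the remaining buffer, so
    a truncated or corrupt body raises instead of reading past the end; a
    zero-length sub-option is legal and yields b''. The index always
    advances by at least two bytes, so the loop terminates on any input.
    """
    out, i, n = [], 0, len(body)
    while i < n:
        if i + 2 > n:
            raise Option82Error("sub-option header truncated at offset %d" % i)
        code, length = body[i], body[i + 1]
        start, end = i + 2, i + 2 + length
        if end > n:
            raise Option82Error("sub-option %d declares %d bytes but only %d remain"
                                % (code, length, n - start))
        out.append((code, SUBOPTION_NAMES.get(code, "unknown-sub-option-%d" % code),
                    body[start:end]))
        i = end
    return out


def parse_option82_hex(hexstr):
    """Accept the 0x... form that radiusd -X prints for octets attributes."""
    if hexstr[:2].lower() == "0x":
        hexstr = hexstr[2:]
    return parse_option82(bytes.fromhex(hexstr))


def circuit_id_fields(data):
    """Cisco-style circuit-id: type(1)=0 len(1)=4 vlan(2) module(1) port(1).
    Returns None if the data does not have that shape (assumed layout)."""
    if len(data) != 6 or data[0] != 0 or data[1] != 4:
        return None
    return {"vlan": int.from_bytes(data[2:4], "big"), "module": data[4], "port": data[5]}


def remote_id_mac(data):
    """Cisco-style remote-id: type(1)=0 len(1)=6 followed by the relay MAC."""
    if len(data) != 8 or data[0] != 0 or data[1] != 6:
        return None
    return ":".join("%02x" % b for b in data[2:])


# The value quoted in the question above, exactly as posted.
POSTED_VALUE = "0x01060004006402080006000cce477c00"
# A constructed, fully well-formed value: circuit-id (vlan 100, module 2,
# port 8) followed by a remote-id carrying the MAC 00:0c:ce:47:7c:00.
CONSTRUCTED_VALUE = "0x010600040064020802080006000cce477c00"

if __name__ == "__main__":
    for label, value in (("posted", POSTED_VALUE), ("constructed", CONSTRUCTED_VALUE)):
        for code, name, data in parse_option82_hex(value):
            print(label, code, name, data.hex())
```

The length checks are the part to carry over to any decoder of this option, whatever language it is written in: a relay or a spoofed client controls both the length byte and how many bytes follow it, so a parser that trusts the declared length will read past the buffer on a short body, and one that does not always advance its index can spin forever. Whether either of those is behind the 100% CPU the poster reports in 2.1.9 cannot be told from the question; the bounded loop here simply shows what a safe decoder looks like.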