Re: Goodbye SNMP, hello statistics.

2008-06-24 Thread Kevin Bonner
On Friday 20 June 2008 09:48:53 Alan DeKok wrote:
>   I've committed some code (~1K LoC) to CVS head that will go into 2.0.6.
>  In short, there's no point in using SNMP any more.  The good news is
> that the Status-Server packet is overloaded to get all sorts of
> statistics that weren't available in SNMP.  For more information, see:
>
>   share/dictionary.freeradius

The changes sound great!  I'd cut over to this if I were still at the company 
that used FR and SNMP monitoring stuff...

Kevin Bonner


signature.asc
Description: This is a digitally signed message part.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Could not link driver rlm_sql_mysql.so

2008-02-15 Thread Kevin Bonner
On Friday 15 February 2008 05:20:21 [EMAIL PROTECTED] wrote:
> if you run the configure stage through some sanity checking, you get to
> see all the good stuff, e.g.
>
> ./configure --with-blah-blah  | grep WARN
>
> alan

I prefer the following so you can go over all the output, not just the WARN 
lines:
  script ~/fr2-output
  ./configure --blah
  exit
  grep whatever ~/fr2-output

-Kevin



Re: pap "Cleartext-Password", sql etc...

2008-01-30 Thread Kevin Bonner
On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
> If I change the attribute to `Cleartext-Password', authentication
> fails and I see:
>
> rlm_pap: WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
>   rad_check_password:  Found Auth-Type CHAP
> auth: type "CHAP"
> +- entering group CHAP
>   rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password
>   rlm_chap: Cleartext-Password is required for authentication
> ++[chap] returns invalid
> auth: Failed to validate the user.
> Login incorrect (rlm_chap: Clear text password not available):
> [elmaroma_cn3000/] (from client cn3000_aroma port 0 cli
> 00-02-6F-xx-xx-92)
>
> Thanks muchly,
> Andrew Long
> EWS

Can you run the radcheck query manually and post the output?  Is the operator 
correct?  Does it do the same thing when you move the SQL entry to the users 
file and make the same attribute name changes?

Kevin Bonner



Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread Kevin Bonner
On Thursday 24 January 2008 13:10:09 Alan DeKok wrote:
>   And with all of the information you posted, you didn't include the
> most important, which is requested in the FAQ, README, INSTALL, "man"
> page, and daily on this list: radiusd -X.
>
>   Is there some other place in the documentation where this should be
> suggested?
>
>   Alan DeKok.

Big red letters on the front page of the website.  Or below the 
subscribe/unsubscribe line in the footer of every message.  =)

-Kevin



Re: Blank spaces after username - problem with accounting -MySqldatabase.

2008-01-22 Thread Kevin Bonner
On Tuesday 22 January 2008 13:20:27 Marinko Tarlac wrote:
> Alan DeKok wrote:
> >   a) the user has typed the user name with spaces
>
> Yes. User has typed user name with space but why radius didn't ignore them?

FreeRADIUS doesn't mangle usernames by default.

> I repeat, user names and all other records in database are without
> space. User has entered space and he can connect but he can't see his
> accounting information because they are connected with the same user
> but with space at the end.

If the user can connect with an invalid username, the problem is a 
configuration issue.  Reject usernames with a space (see email from Alan) in 
the username or strip the spaces from the request.

-Kevin



Re: FreeRadius V2.0.0 Simultaneous-Use Problems

2008-01-21 Thread Kevin Bonner
On Monday 21 January 2008 14:19:06 Dryw Paulic wrote:
> mysql> select * from radgroupcheck;
> +----+-----------+-----------+----+-------+
> | id | GroupName | Attribute | op | Value |
> +----+-----------+-----------+----+-------+
> |  1 | dynamic   | Auth-Type | == | Local |
> |  2 | static    | Auth-Type | == | Local |

Don't do this.  The operator is incorrect as is nearly every use of Auth-Type.

> mysql> SELECT COUNT(*) FROM radacct  WHERE username = 'Kat' AND
> acctstoptime = 0;
...
> mysql> select * from radacct where username ='Kat' \G;

What is shown when you use the full where clause from the previous command?  
What version of MySQL are you using?  I just tried this with 5.0.48 
and 'datefield = 0' does not match on datetime fields.

If you're using the V2.0.0 schema, that SQL query should be changed 
to 'acctstoptime IS NULL'.  Try this from your SQL command line and see if it 
gives the desired results for both connected and disconnected users.

Kevin Bonner



Re: SNMP error

2008-01-10 Thread Kevin Bonner
On Thursday 10 January 2008 08:41:30 Amr el-Saeed wrote:
> but every time i wanted to snmpwalk from the radius i got that error "
> RADIUS-AUTH-SERVER-MIB::radiusMIB = No Such Object available on this
> agent at this OID  "
>
> the command i execute is " snmpwalk -v2c -c testsnmp -m
> /etc/raddb/RADIUS-AUTH-SERVER-MIB.txt  localhost radius "
>  same command is working fine on the old machine.
>
> i searched  for that on google but found nothing .
>
> any one can help ??

What does debug mode (-X) show?  Are there any errors in your snmpd log file?

Kevin Bonner



Re: Restricting user by realm

2007-11-08 Thread Kevin Bonner
On Thursday 08 November 2007 11:19:48 Lisa Casey wrote:
> The way things are setup now, any user can log in with any of the realms I
> have defined. For example, I (username lisa) could login as
> [EMAIL PROTECTED] and then turn around and login as [EMAIL PROTECTED]  My
> boss would like me to restrict this so that (for example) lisa could log in
> as [EMAIL PROTECTED] but not [EMAIL PROTECTED]

Just add a check item to the user entry and it will only allow them from that 
realm.  Since you are using 1.1.6, don't use Auth-Type and start using 
Cleartext-Password with the := operator.

  lisa Cleartext-Password := "xxx", Realm == "jellico.com"
...

Or if you want to reject from a specific realm, just use this before your real 
user entry:
  lisa Realm == "realmY", Auth-Type := Reject

Kevin Bonner



Re: Cisco NAS Password problem

2007-10-25 Thread Kevin Bonner
On Thursday 25 October 2007 17:26:10 John Morris wrote:
>   I then added a second switch to the freeradius client configuration (nas
> table), and encountered a problem. The password was being rejected. So I
> ran Freeradius -X so I could see what was going on.
>
> On the failed password attempt (second and now third switch in the list) I
> see something like this:
>
> rad_recv: Access-Request packet from host 192.168.x.z:1645, id=1, length=80
> NAS-IP-Address = 192.168.x.z
> NAS-Port = 1
> NAS-Port-Type = Virtual
> User-Name = "username"
> Calling-Station-Id = "192.168.x.y"
> User-Password = "r\306\324\333M\014\247\022\363\216K\257`\315#]"

Debug output like this usually points to non-matching RADIUS secrets.  Check 
the radius secret in your switch config as well as the secret configured in 
your nas SQL table.  Freeradius only reads the nas table on startup, so if 
you make changes to that table, you must restart the daemon for those changes 
to take effect.

Kevin Bonner
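
Why a secret mismatch shows up as escaped bytes in User-Password, as an added example that is not part of the original post: RFC 2865 section 5.2 hides the password by XORing it with MD5(secret + Request Authenticator), so a server holding a different secret recovers noise. The secrets, authenticator and function names below are constructed for illustration.

```python
import hashlib

def _md5(data: bytes) -> bytes:
    # MD5 is what RFC 2865 mandates here; it is not a free choice.
    return hashlib.md5(data, usedforsecurity=False).digest()

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does: RFC 2865 section 5.2 User-Password hiding."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = _md5(secret + prev)
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block              # next key is chained on the previous ciphertext block
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does with the secret it has configured for that client."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = _md5(secret + prev)
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def has_unprintable(data: bytes) -> bool:
    """True when the recovered password contains bytes outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in data)

def debug_repr(data: bytes) -> str:
    """Render bytes the way the debug output above does: octal escapes for non-printables."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "\\%03o" % b for b in data)

# Constructed sample values, not taken from the thread.
REQUEST_AUTHENTICATOR = bytes(range(16))
NAS_SECRET = b"testing123"       # what the switch is configured with
SERVER_SECRET = b"testing124"    # what the nas table holds (one character off)

if __name__ == "__main__":
    hidden = hide_password(b"hello", NAS_SECRET, REQUEST_AUTHENTICATOR)
    for label, secret in (("matching", NAS_SECRET), ("mismatched", SERVER_SECRET)):
        recovered = recover_password(hidden, secret, REQUEST_AUTHENTICATOR)
        print('%-10s User-Password = "%s"  unprintable=%s'
              % (label, debug_repr(recovered), has_unprintable(recovered)))
```
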



Re: aaa accounting command

2007-10-23 Thread Kevin Bonner
On Tuesday 23 October 2007 11:58:22 Dominique Demore wrote:
> Hi folks,
>
> Is there any method of keeping track of the commands issued by a user with
> Radius. Under the aaa option, there is "aaa accounting command " but
> for some reason, I'm not seeing the accounting information stored in the
> radacct information. I know a few years ago, this was an issue, but I'm not
> sure if it has been resolved.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg39493.html
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg34103.html

> Does anyone have an alternative to accomplish this if it's not possible
> with Radius.

TACACS+

Kevin Bonner



Re: Acct-Status-Type attribute

2007-10-03 Thread Kevin Bonner
On Wednesday 03 October 2007 16:44:28 Walter Gould wrote:
> I am running freeradius-1.1.3.

* Old version complaints apply *

> I am trying to use radrelay to send the radius accounting data to our syslog
> server.
> [snip]
> When I check the contents of the /var/log/radius/radacct/detail-combined
> file, it contains the following attributes:
>
> Packet-Type = Access-Request
> Wed Oct  3 15:36:02 2007
> NAS-IP-Address = 10.3.51.1
> NAS-Port = 1
> NAS-Port-Type = Virtual
> User-Name = "testuser"
> Calling-Station-Id = "10.3.0.51"
> Client-IP-Address = 10.3.51.1

Access-Request is not from an accounting packet.  You have a detail module 
listed in your authorize or post-auth section which is adding this data to 
the detail-combined file.  You should have something similar to this in your 
radiusd.conf file:

===
modules {
...
detail detail-radrelay {
  detailfile = ${radacctdir}/detail-combined
  detailperm = 0600
  locking = yes
}
...
}
accounting {
  ...
  detail-radrelay
  ...
}
===

If you have the detail-radrelay name listed in a config section other than 
accounting, that is probably where the Access-Request packets are coming 
from.

Kevin Bonner



Re: Sending Cisco AV Pairs per realm

2007-09-17 Thread Kevin Bonner
On Friday 14 September 2007 11:28:51 Dan Goscomb wrote:
> Hi
>
> I have a number of realms on my radius server (FreeRADIUS Version
> 1.1.6). All users are valid in both realms (one is for dialup, one for
> broadband).
>
> e.g.
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> All realm's are stripped so that the user (dang in the examples above)
> is authenticated. However, on dial.realm I need to return a couple of
> Cisco-Avpair attributes; how can this be done?

You may be able to use the Realm attribute in the users file to add your 
specific attributes, depending on how the realms are stripped from the 
username.  You can also use the hints file, which you already tried.

> I have tried a hints file, however although I get the message on debug:
>
>   hints: Matched DEFAULT at 17
>
> The data specifies is not sent back in the RADIUS reply.

That's because you cannot list reply attributes in the hints file, but you can 
add a Hint that can be checked in the users file.

Here is a short example that should work for you using the hints file:

#hints
DEFAULT User-Name =~ "@dsl.realm"
  Hint = "DSL"
#/hints

#users
DEFAULT Hint == "DSL"
  Cisco-AVPair += "..."
#/users

Kevin Bonner



Re: How do I Instruct Freeradius to connect to postgreSQL Database on a port other than 5432?

2007-09-12 Thread Kevin Bonner
On Tuesday 11 September 2007 15:30:09 justice obrey wrote:
> All,
>   The PostgreSQL database that I want my freeradius-1.1.7 to connect to is
> running on a port different from the default 5432 and because of this,
> Freeradius is not able to connect to the database. How do I change my
> Freeradius configuration to instruct it to connect to the postgresql database on a
> port say 5490? It is the rlm_sql_postgresql driver that fails in doing this
> connection. Thanks for any suggestions.
>
>   Below is the debug:
>
>   [EMAIL PROTECTED]:~# /opt/freeradius/sbin/radiusd -X
> ...
> Module: Loaded SQL
>  sql: driver = "rlm_sql_postgresql"
>  sql: server = "localhost"
>  sql: port = ""
>  sql: login = "postgres"

The debug output shows what variable to use.  I've snipped the output to make 
it a little easier to identify what you're hunting for.

Kevin Bonner



Re: error on start freeradius + jradius

2007-08-09 Thread Kevin Bonner
On Thursday 09 August 2007 15:05:55 George Beitis wrote:
> I read this post and for more than 8 hours i have been trying to install
> freeradius 1.1.5 -.6 and .7 unsuccessfully.  With versions 5 and 6 i get
> errors saying the glibc error.  With 7 i get something different:  with
> 1.1.7 + jradius patch i get the rlm_acct_unique is not a valid libtool
> archive error.  For each installation i made sure i deleted the raddb
> folder before installing again.  Should i give up and go back to 1.1.1 ?
>
> I am using ubuntu by the way
>
> regards
> George

Can you post the actual 1.1.7 build output with errors?  I have no idea what 
the jradius patch is, but does the build work without that patch?

Kevin Bonner



Re: authentication problem with mysql integration

2007-08-07 Thread Kevin Bonner
On Tuesday 07 August 2007 12:08:07 ram wrote:
> rad_verify: Received Access-Reject packet from client x.x.x.x port 1812
> with invalid signature (err=2)!  (Shared secret is incorrect.)
...
>   WARNING: Unprintable characters in the password. ?  Double-check the
> shared secret on the server and the NAS!
...
> any suggestions.
>
> ram

Those messages seem pretty clear to me.  Have you verified the secret is the 
same?

-Kevin



Re: NAS restart without proper client logout on radius (mysql)

2007-07-16 Thread Kevin Bonner
On Monday 16 July 2007 12:37:08 Nataniel Klug wrote:
> Hello all,
>
> I have a question: when a nas restart without sending client logout
> to the freeradius server the clients stay connected in radacct table
> (AcctStopTime=0). What can I do to solve this kind of problem? What
> could happen is that when a nas reboot my clients keep logged and when
> the nas start again they will get "You are already logged in"
> (simultaneous-use).


Your NAS should send an Accounting-On packet which you can use to flag the 
existing connections as offline/disconnected.  You can also use checkrad to 
confirm the session is active.

Kevin Bonner



Re: figuration doubt

2007-07-16 Thread Kevin Bonner
On Monday 16 July 2007 09:40:48 Osvaldohp wrote:
> I found a nice paper about freeradius+mysql, so far everything is installed
> and working fine. My question is which field of my radius database
> (db_mysql.sql) i have to put Session-Timeout attribute to limit the use of
> the Internet from my HotSpot users?

Session-Timeout is a reply item, so it can go into the user or group reply 
item tables.

Kevin Bonner



Re: Configuration doubt

2007-07-16 Thread Kevin Bonner
On Monday 16 July 2007 08:05:15 Alan DeKok wrote:
> Osvaldohp wrote:
> > This is my users file:
> > mike  Auth-Type = System, User-Password == mike"
> >   Session-Timeout := 3600,
> >
> > What i am doing wrong?
>
>   You're telling the server to look in /etc/passwd for the users
> password, and then also telling it what the users password is.
>
>   Don't set Auth-Type.
>
>   Use 1.1.6.
>
>   Use Cleartext-Password, not "User-Password", as suggested in the FAQ.
>
>   Alan DeKok.

Don't forget to use the ':=' operator for the Cleartext-Password attribute, in 
addition to all of the above.

-Kevin



Re: error on start freeradius + jradius

2007-07-13 Thread Kevin Bonner
* moved to -users list...

On Friday 13 July 2007 10:25:15 Renan Tateoka wrote:
> 2007/7/13, Alan DeKok <[EMAIL PROTECTED]>:
> > Renan Tateoka wrote:
> > > hi everybody,
> > >
> > > I have installed freeradius 1.1.5
> >
> >   Why?  Install 1.1.6.
> >
> >   Alan DeKok.
>
> hi,
>
> i`m sorry, I think that the message went wrong...
>
> I have installed freeradius 1.1.5 and jradius patch 1.1.5...
> ...
> Module: Library search path is /usr/local/lib
> *** glibc detected *** /usr/local/sbin/radiusd: double free or corruption
> (fasttop): 0x800fae98 ***

What part of Alan's message was unclear?  1.1.5 has a bug that has been beaten 
to death on the users list.  1.1.6 doesn't.  Use 1.1.6 or later, then try 
your tests again.

Kevin Bonner



Re: "Clear text password not available"

2007-06-25 Thread Kevin Bonner
On Monday 25 June 2007 12:45:15 Flavio Silvestrone wrote:
> > If you are using a recent version of freeradius, you should have the
...
> The version of radius is "freeradius-1.0.1-3".

1.0.1 is not recent.  Use 1.1.6.

> flavio Cleartext-Password := "flavio"
>Service-Type = Framed-User,
>Framed-Protocol = PPP,
>Framed-IP-Address = 10.1.1.8,
>Framed-IP-Netmask = 255.255.255.0,
>Framed-Routing = Broadcast-Listen,
> #   Framed-Filter-Id = "std.ppp",
>Framed-MTU = 1500,
> #   Framed-Compression = Van-Jacobsen-TCP-IP

Since you're using such an old version of freeradius, you cannot use 
Cleartext-Password here as it was available in 1.1.5 (I think) and later 
versions.  You can use User-Password, but you should upgrade to a newer 
version.

Kevin Bonner



Re: "Clear text password not available"

2007-06-25 Thread Kevin Bonner
On Monday 25 June 2007 10:14:07 Flavio Silvestrone wrote:
> If i enable the same pppoe profile (user: flavio, password: flavio) on the
> Access Point all work fine; When i disable the profile on the Access Point
> and i configure the radius client on the Access Point i have the problem
> This is the configuration on the file /etc/raddb/users for the user
> "flavio"
>
>
>Service-Type = Framed-User,
>Framed-Protocol = PPP,
>Framed-IP-Address = 10.1.1.8,
>Framed-IP-Netmask = 255.255.255.0,
>Framed-Routing = Broadcast-Listen,
> #   Framed-Filter-Id = "std.ppp",
>Framed-MTU = 1500,
> #   Framed-Compression = Van-Jacobsen-TCP-IP
>
> Any idea to find out the prob ?
> Thanks a lot
> Flavio

Can you post the FULL entry that you have in the users file?  What you posted 
lists only reply items, which give us no information related to the problem 
you are having.  What check items do you have?  If you are using a recent 
version of freeradius, you should have the Cleartext-Password as a check 
item.

Have you run the server in debug mode?  If so, there are probably error 
messages in the output which may assist you in resolving your problem.

Kevin Bonner



Re: Simultaneous-Use problem.

2007-06-25 Thread Kevin Bonner
On Monday 25 June 2007 11:42:08 Josh Howlett wrote:
> I have a feeling that the answer is blindingly obvious, but I can't
> figure it out...
>
> The 'users' file consists of:
>
> DEFAULT   Auth-Type = Accept
>   Simultaneous-Use := 1

Simultaneous-Use is a check item, not a reply item.

> In radiusd.conf I also have:
>
> session {
>   sql
> }
>
> authorize {
>   radius-user-auth
> }
>
> 'radius-user-auth' is an rlm_exec instance that invokes a script used to
> authenticate users. It works fine, but the 'session' section never gets
> processed. Why?
>
> josh.

Because Simultaneous-Use is in the wrong place.  Make it a check item and the 
session section should be processed.

Kevin Bonner



Re: Attribute "User-Password" is required for authentication

2007-06-18 Thread Kevin Bonner
On Monday 18 June 2007 16:31:37 Cody Jarrett wrote:
> I found a few topics on this issue but nothing quite informative enough.
> I'm trying to get freeradius auth working with pam and peap. When I test
> my config with radtest, I get Access-accept. When I use a windows XP
> supplicant with a 3com access point, I get:
>
> rlm_pam: Attribute "User-Password" is required for authentication.
> modcall[authenticate]: module "pam" returns invalid for request 4
> modcall: leaving group authenticate (returns invalid) for request 4
> auth: Failed to validate the user.
>
> Is the 3com not sending User-Password attributes in the packets, or is
> something else wrong?

Run FreeRADIUS in debug mode (radiusd -X) to verify.  We cannot guess what 
your NAS/client is sending.

-Kevin



Re: sql question

2007-06-08 Thread Kevin Bonner
On Friday 08 June 2007 13:24:20 [EMAIL PROTECTED] wrote:
> radgroupreply:
> >| 27 | dialup| Framed-IP-Address  | 255.255.255.254 | == |
> >| 28 | dialup| Framed-Compression | Van-Jacobson-TCP-IP | == |
> >| 29 | dialup| Framed-IP-Netmask  | 255.255.255.255 | == |
> >| 30 | dialup| Framed-MTU | 576 | == |
> >| 31 | dialup| Idle-Timeout   | 900 | := |
>
> - change all ops to =

Change all '==' to just '=' or ':=', depending on your needs.  The operator 
for Idle-Timeout is correct.

> - is this (255.255.255.254) really the IP address you want to give your
> user; client is unlikely to accept IP address above 224 subnet

The RFCs say that this IP tells the NAS to assign an IP from the dynamic pool.

-Kevin



Re: Wiki

2007-05-25 Thread Kevin Bonner
On Friday 25 May 2007 04:11:24 Arran Cudbard-Bell wrote:
> Now which bloody wiki are you using, so I can look up the formatting
> rules :)

http://wiki.freeradius.org/Special:Version says MediaWiki: 1.8.2.

-Kevin



Re: Server IP changed and "FreeRADIUS+MySQL" does not work

2007-05-15 Thread Kevin Bonner
On Tuesday 15 May 2007 09:39:55 yao guoxian wrote:
>  I have installed FreeRADIUS and MySQL on the same machine.
> "FreeRADIUS + MySQL"  had worked well before Server IP changed. For
> some reason the server had to be carried to a new place and its IP must be
> changed.
> After the server IP changed, "FreeRADIUS + MySQL" does not work.
> I have edited sql.conf and  changed   IP to  the  new  correct IP .  I
> also  edited  the  table  "user"  in the  database  "mysql"  and  altered
> the  Host  field from the old IP to the new correct IP. However these
> mendings do not work.

As Alan stated, try connecting to MySQL from the command line to confirm that 
it works.  You updated the IPs in mysql.user, but that doesn't affect the 
MySQL permissions.  To apply any changes to the mysql privilege tables, you 
must either restart the MySQL service or run "FLUSH PRIVILEGES".

Kevin Bonner



Re: Proxying by Nas-Ip-Address (was Proxy.conf regex )

2007-05-07 Thread Kevin Bonner
On Monday 07 May 2007 07:45:36 Andrea Cerrito wrote:
> Hi to list,
>
> I've read the thread for "Proxy.conf regex".
> I'd like to setup a proxy based on Nas-Ip-Address.
>
> I've tried two solutions:
>
> 1) add to users file (please note that 255.255.255.255 is done by radtest,
> and realm test.com is configured in proxy.conf)
> DEFAULT NAS-IP-Address == 255.255.255.255
> Proxy-To-Realm = "test.com"
>
> 2) add to users file
> DEFAULT Huntgroup-Name == "test"
> Proxy-To-Realm = "test.com"
>
> And to huntgroups file
> test   NAS-IP-Address == 255.255.255.255
>
> Without success. All logins are tested locally.
>
> Any clue?
> Thank you

Read what several others have posted to this thread.  Proxy-To-Realm is a 
_check_ item.  Make Proxy-To-Realm a check item and both of your solutions 
should work as expected.

Kevin Bonner



Re: Crypt passwords doesn't work

2007-04-19 Thread Kevin Bonner
On Thursday 19 April 2007 10:42:30 Jacob Jarick wrote:
> On the topic of password encryption.
> Kevin would you know how to encode a password for windows 2003 active
> directory server. I need a user with permission to do active directory
> searches, it tries atm but fails because the password is not encrypted.
>
> Even if you know what the encryption they use is it would be a big help
> thanks.

Win2k3?  Never used it before.  Active Directory?  Ditto.  =-)

Maybe [1] or [2] will help push you in the right direction.

Kevin Bonner


[1] http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
[2] 
http://lists.cistron.nl/pipermail/freeradius-devel/2006-January/009250.html



Re: Crypt passwords doesn't work

2007-04-18 Thread Kevin Bonner
I almost ignored your message, as I don't parse HTML well.  =)

On Wednesday 18 April 2007 18:06:28 Sebastian Firpo wrote:
> Thank you Kevin, but it didn't work now my entire users file is:
>
>  sebas   Crypt-Password := "(!lGOOlHaBWoQ"
>      Service-Type = Administrative-User,
>      Cisco-AVPair = "shell:priv-lvl=15"
>
>  and then the debug was:
>
>  rad_recv: Access-Request packet from host 10.12.4.2:1645, id=103,
> length=75 NAS-IP-Address = 10.12.4.2
>      NAS-Port = 1
>      NAS-Port-Type = Virtual
>      User-Name = "sebas"
>      Calling-Station-Id = "10.11.1.25"
>      User-Password = "hello"
>
>  Another idea??
>  Thanks a lot, any way.

$ perl -e 'print crypt("hello","(!") . "\n";'
(!BVoPlmea8cg

Fix your Crypt-Password?  How are you generating that encrypted string?

-Kevin



Re: Crypt passwords doesn't work

2007-04-18 Thread Kevin Bonner
On Wednesday 18 April 2007 16:39:27 Sebastian Firpo wrote:
> Hi, I migrated a freeradius server from version 0.6 to 1.5. I'm using a
> users file for authorize.

Wow, that's quite a leap.  I assume from 0.6 to 1.1.5?

> The server doesn't authorize and when I do a debug (radiusd -X) I saw the
> User-password in clear text. If I modify the User-password in the users
> file by the clear text one it works.
>
> Here are the debug and an entry of the users file:
>
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.12.4.2:1645, id=91, length=75
> NAS-IP-Address = 10.12.4.2
> NAS-Port = 1
> NAS-Port-Type = Virtual
> User-Name = "sebas"
> Calling-Station-Id = "10.11.1.25"
> User-Password = "hello"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> users: Matched entry sebas at line 50
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
>   rad_check_password:  Found Auth-Type Local
> auth: type Local
> auth: user supplied User-Password does NOT match local User-Password
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
>
> users file
>
> sebas   Auth-Type := Local, Crypt-Password == "(!lGOOlHaBWoQ"
> Service-Type = Administrative-User,
> Cisco-AVPair = "shell:priv-lvl=15"
>
> Thanks very much!!

Don't set Auth-Type, the server will figure it out.  The operator for 
Crypt-Password should be changed to := as well.

Kevin Bonner
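
The users-file advice given in the replies on this page (don't set Auth-Type, use := for password attributes, Simultaneous-Use and Proxy-To-Realm are check items), written as a small lint script. This is an added example, not code from any poster or from FreeRADIUS; the function names and the SAMPLE text are constructed, and exempting `Auth-Type := Reject` is an assumption based on its use in the realm-restriction reply.

```python
import re

PASSWORD_ATTRS = {"Cleartext-Password", "Crypt-Password", "User-Password"}
CHECK_ONLY_ATTRS = {"Simultaneous-Use", "Proxy-To-Realm"}
ITEM_RE = re.compile(r'^([A-Za-z0-9-]+)\s*(:=|==|\+=|=~|!=|=)\s*(.*)$')

def split_items(text):
    """Split a comma-separated attribute list, ignoring commas inside double quotes."""
    items, current, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append(current)
            current = ""
        else:
            current += ch
    items.append(current)
    return [i.strip() for i in items if i.strip()]

def parse_users(text):
    """Unindented line = user name + check items; indented lines after it = reply items."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):   # only whole-line comments handled
            continue
        if raw[0] in " \t":
            if entries:
                entries[-1]["reply"].extend((lineno, i) for i in split_items(stripped))
        else:
            fields = stripped.split(None, 1)
            checks = fields[1] if len(fields) > 1 else ""
            entries.append({"user": fields[0],
                            "check": [(lineno, i) for i in split_items(checks)],
                            "reply": []})
    return entries

def lint_users(text):
    """Return a list of (line, user, attribute, message) findings."""
    findings = []
    for entry in parse_users(text):
        for kind in ("check", "reply"):
            for lineno, item in entry[kind]:
                m = ITEM_RE.match(item)
                if not m:
                    findings.append((lineno, entry["user"], item, "unparseable item"))
                    continue
                attr, op, value = m.group(1), m.group(2), m.group(3).strip('"')
                if kind == "check" and attr == "Auth-Type" and value != "Reject":
                    findings.append((lineno, entry["user"], attr,
                                     "don't set Auth-Type; the server will figure it out"))
                if kind == "check" and attr in PASSWORD_ATTRS and op != ":=":
                    findings.append((lineno, entry["user"], attr,
                                     "use the := operator, not %s" % op))
                if kind == "reply" and attr in CHECK_ONLY_ATTRS:
                    findings.append((lineno, entry["user"], attr,
                                     "this is a check item, not a reply item"))
    return findings

# Constructed sample assembled from entries quoted in the threads on this page.
SAMPLE = '''\
sebas   Auth-Type := Local, Crypt-Password == "(!lGOOlHaBWoQ"
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT Auth-Type = Accept
        Simultaneous-Use := 1

lisa    Realm == "realmY", Auth-Type := Reject

lisa    Cleartext-Password := "xxx", Realm == "jellico.com"
'''

if __name__ == "__main__":
    for lineno, user, attr, message in lint_users(SAMPLE):
        print("line %d (%s): %s: %s" % (lineno, user, attr, message))
```
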



Re: Segmentation fault for SNMP query

2007-04-17 Thread Kevin Bonner
On Monday 16 April 2007 07:52:43 Alan DeKok wrote:
> Kevin Bonner wrote:
> > Try http://bugs.freeradius.org/show_bug.cgi?id=150
> >
> > I doubt that patch will still apply cleanly due to the many recent
> > changes. I'll see if I can test the CVS head later today and submit a
> > newer patch.
>
>   Please try the latest CVS.  I've added a patch based on yours.
>
>   Alan DeKok.

Tested with the CVS head as of this morning and everything looks good to me, 
even the per-client data.  I'm hitting a segfault when testing the cases I 
listed in bug#150, but I don't think it is related to the SNMP portion of the 
code.  Segfault info is below.

Kevin Bonner

== cut ==
(gdb) bt
#0  0x00fe97a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x002fca0d in ___newselect_nocancel () from /lib/tls/libc.so.6
#2  0x004ecbb6 in main (argc=2, argv=0xbfe06fc4) at radiusd.c:575
(gdb) up
#1  0x002fca0d in ___newselect_nocancel () from /lib/tls/libc.so.6
(gdb) up
#2  0x004ecbb6 in main (argc=2, argv=0xbfe06fc4) at radiusd.c:575
575 status = select(max_fd + 1, &readfds, NULL, NULL, 
ptv);
(gdb) list
570 #else
571 DEBUG2("Waking up in %d seconds...",
572(int) tv.tv_sec);
573 #endif
574 }
575 status = select(max_fd + 1, &readfds, NULL, NULL, 
ptv);
576 if (status == -1) {
577 /*
578  *  On interrupts, we clean up the request
579  *  list.  We then continue with the loop,
(gdb) print ptv
$1 = (struct timeval *) 0x0
(gdb) print &readfds
$2 = (fd_set *) 0xbfe05ea0
(gdb) print max_fd
$3 = 10
== cut ==



Re: SNMP with 1.1.6 and Net-SNMP 5.3

2007-04-16 Thread Kevin Bonner
On Monday 16 April 2007 03:53:52 Stefan Winter wrote:
> Thanks for the tip. Looking up the net-snmp.spec file of openSUSE 10.2, it
> appears that ucd-snmp compat should be there... the compile
> switches --enable-local-smux and --enable-ucd-snmp-compatibility are there.
>
> Any other hints? Otherwise, I guess I'll need to source-compile net-snmp
> :-(
>
> Stefan

Sorry, those few things were all I could think of.  I don't have an openSUSE 
server lying around, so I can't even confirm it works at all.  Hopefully the 
source compile of net-snmp and freeradius will uncover the actual problem.

-Kevin



Re: SNMP with 1.1.6 and Net-SNMP 5.3

2007-04-13 Thread Kevin Bonner
On Friday 13 April 2007 08:53:26 Stefan Winter wrote:
> Hi,
>
> trying for the first time to get SNMP working, and I have come to a point
> where I'm really startled why stuff doesn't work.
>
> I've configured FreeRADIUS 1.1.6 with SNMP, and it's printing out that it
> is starting up the SMUX connection. Then the snmpd refuses the SMUX
> connection.
>
> This would usually mean I screwed up the shared secret, but I'm very sure I
> haven't. I even verified with tcpdump that FR sends the correct secret on
> the loopback "wire".
>
> So the problem would appear to be that Net-SNMP is confused wrt the secret.
> But I configured it with the line
>
> smuxpeer .1.3.6.1.4.1.3317.1.3.1 verysecret
>
> (also without the leading dot, in my desperation, didn't help). The
> password *is* verysecret on the FR side.
>
> Debug output says:
>
> ...
> Module: Instantiated detail (nas_reply_log)
>  main: smux_password = "verysecret"
>  main: snmp_write_access = no
> SMUX connect try 1
> SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
> SMUX open progname: radiusd
> SMUX open password: verysecret
> SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
> SMUX register priority: -1
> SMUX register operation: 1
> SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
> SMUX register priority: -1
> SMUX register operation: 1
> SMUX register message send failed: Broken pipe
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
>
> The broken pipe is because Net-SNMP closes the connection, its log says:
>
> [smux_accept] accepted fd 9 from 127.0.0.1:4580
> refused smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, descr radiusd
>
> and tcpdump reveals that the reason for refusing is authenticationFailure.
>
> Anyone else running a similar config? It's the version of Net-SNMP that
> came as RPM on SUSE 10.1. FR compiled freshly.
>
> Greetings,
>
> Stefan Winter

I receive the same broken pipe error when the smuxpeer pass and smux_password 
aren't the same, though there is probably a more complex cause.  Are there 
any non-standard characters in either config file?

Is Net-SNMP configured with ucd-snmp compatibility?

Kevin Bonner
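
The comparison suggested in the reply above (smuxpeer password against smux_password, plus a look for unusual characters), as an added example that is not part of the original post and not FreeRADIUS or Net-SNMP code. The sample configs are constructed, and the set of characters treated as "standard" is an assumption.

```python
import re

# OID that radiusd prints as "SMUX open oid" in the debug output quoted above.
FR_SMUX_OID = "1.3.6.1.4.1.3317.1.3.1"
# Assumption: characters considered "standard" for a SMUX password.
SAFE = re.compile(r"[A-Za-z0-9._-]+")


def parse_smuxpeers(snmpd_text):
    """Return {oid_without_leading_dot: password} for every smuxpeer line."""
    peers = {}
    for line in snmpd_text.splitlines():
        # Commented-out lines start with '#', so they never match here.
        m = re.match(r"\s*smuxpeer\s+(\S+)(?:\s+(\S+))?", line)
        if m:
            peers[m.group(1).lstrip(".")] = m.group(2) or ""
    return peers


def parse_smux_password(radiusd_text):
    """Return the smux_password value (quoted or bare), or None if unset."""
    for line in radiusd_text.splitlines():
        m = re.match(r'\s*smux_password\s*=\s*(?:"([^"]*)"|(\S+))', line)
        if m:
            return m.group(1) if m.group(1) is not None else m.group(2)
    return None


def check_smux(snmpd_text, radiusd_text, oid=FR_SMUX_OID):
    """Return a list of findings; secrets are never echoed, only lengths."""
    findings = []
    peers = parse_smuxpeers(snmpd_text)
    fr_pass = parse_smux_password(radiusd_text)
    if fr_pass is None:
        findings.append("radiusd.conf: no smux_password set")
    if oid not in peers:
        findings.append("snmpd.conf: no smuxpeer line for OID " + oid)
    if fr_pass is not None and oid in peers and peers[oid] != fr_pass:
        findings.append(
            "smuxpeer password and smux_password differ (lengths %d and %d)"
            % (len(peers[oid]), len(fr_pass))
        )
    for name, value in (("smuxpeer password", peers.get(oid)),
                        ("smux_password", fr_pass)):
        if value and not SAFE.fullmatch(value):
            findings.append(name + " contains characters outside A-Z a-z 0-9 . _ -")
    return findings


if __name__ == "__main__":
    # Constructed sample input: a trailing space hidden inside the quotes.
    snmpd_conf = "rocommunity public\nsmuxpeer .1.3.6.1.4.1.3317.1.3.1 verysecret\n"
    radiusd_conf = 'snmp = yes\nsmux_password = "verysecret "\nsnmp_write_access = no\n'
    for finding in check_smux(snmpd_conf, radiusd_conf):
        print(finding)
```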



Re: Segmentation fault for SNMP query

2007-04-12 Thread Kevin Bonner
On Thursday 12 April 2007 10:32:18 Kevin Bonner wrote:
> On Thursday 12 April 2007 04:40:47 Milan Holub wrote:
> > Radius itself seems to react on radius packets; only snmp is ignored
> > after the snmp-write query. Completely same behaviour is observed when
> > doing reload via HUP signal (using my "memory leakage" patch for reload).
> >
> > Please advise.
>
> Try http://bugs.freeradius.org/show_bug.cgi?id=150
>
> I doubt that patch will still apply cleanly due to the many recent changes.
> I'll see if I can test the CVS head later today and submit a newer patch.

It surprises me that it still applies cleanly (just offset) with the current 
CVS head.  Feel free to test the patch and report results in the bug or on 
the list.  It would be nice to see the bug squashed, but it's become a 
default patch for my local freeradius build so I haven't been bothered with 
the issue in a long time.

Kevin Bonner



Re: Segmentation fault for SNMP query

2007-04-12 Thread Kevin Bonner
On Thursday 12 April 2007 04:40:47 Milan Holub wrote:
> - when trying to force reload using snmp:
> `snmpset -m /devel/freeradius/cvs/radiusd/mibs/RADIUS-AUTH-SERVER-MIB.txt
> -c verysecret localhost radiusAuthServConfigReset.0 i 2`
> then 1st reload is OK but after then when trying to either run the
> snmp-read query or the snmp-write query radius seems to ignore it.
> * there is no debug activity when running with -X flag and the result of
> the snmp-read query is empty and result of snmp-write query is
> following:
> `snmpset -m /devel/freeradius/cvs/radiusd/mibs/RADIUS-AUTH-SERVER-MIB.txt
> -c verysecret localhost radiusAuthServConfigReset.0 i 2`
> Error in packet.
> Reason: (noSuchName) There is no such variable name in this MIB.
> Failed object:
> radiusMIB.radiusAuthentication.radiusAuthServMIB.radiusAuthServMIBObjects.radiusAuthServ.radiusAuthServConfigReset.0
>
> Radius itself seems to react on radius packets; only snmp is ignored
> after the snmp-write query. Completely same behaviour is observed when
> doing reload via HUP signal (using my "memory leakage" patch for reload).
>
> Please advise.

Try http://bugs.freeradius.org/show_bug.cgi?id=150

I doubt that patch will still apply cleanly due to the many recent changes.  
I'll see if I can test the CVS head later today and submit a newer patch.

Kevin Bonner



Re: Version 2.0 is a lot closer to reality...

2007-04-10 Thread Kevin Bonner
On Tuesday 10 April 2007 13:51:29 Arran Cudbard-Bell wrote:
> and finally, how do you define a binding for the snmp module it's
> on, but I never explicitly bound it to anywhere :|
> unlike auth/acct that are bound with listen sections. Seems like there
> may be a need for a small extension to listen sections
> to allow type snmp .

Arran,

http://wiki.freeradius.org/SNMP_HOWTO

That page should give some base info on setting up SNMP support.

Kevin Bonner



Re: Reject user without realm

2007-04-09 Thread Kevin Bonner
On Monday 09 April 2007 14:32:31 Marcos Roberto Greiner wrote:
> The problem I'm having is that if a user adds no realm, only the user,
> the server is authenticating locally. I wanted it to deny the
> authentication. How should I proceed?

A username with no realm will match the NULL realm.  You can reject NULL 
realms with:

== users ==
DEFAULT Realm == "NULL", Auth-Type := Reject
== users ==

> hints file. Added only the following entry:
> # The following entry is to be authenticated locally
> DEFAULT Suffix == "@domain1.com", Strip-User-Name = Yes
>         Hint = "PPP",
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP

A realm definition for domain1.com and a small users file entry should do the 
same thing, as long as you don't add the nostrip option for the realm.

> rad_recv: Access-Request packet from host a.b.c.d:3793, id=0, length=58
> User-Name = "[EMAIL PROTECTED]"
> User-Password = "user"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   hints: Matched DEFAULT at 36
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "user", looking up realm NULL
> rlm_realm: No such realm "NULL"

This request matches the NULL realm, which should be impossible based on your 
configuration and the description of how the NULL realm works.  The User-Name 
has a realm in this request, so it should match the DEFAULT realm if it is 
defined.  Since the hints file matched at line 36 here, I assume you actually 
configured provider1.com instead of domain1.com in your hints file.

Is this assumption correct?  If not, what is in your hints file at line 36?

Kevin Bonner



Re: Cisco Configuration

2007-04-04 Thread Kevin Bonner
On Wednesday 04 April 2007 14:01:31 Norman Zhang wrote:
> Hi,
>
> I'm learning how to use freeradius. Does anyone have a working conf that
> works for cisco devices?
>
> Regards,
> Norman Zhang

DEFAULT Auth-Type := Accept

... but seriously, what are you trying to do?  Authenticate PPPoX sessions, 
admin sessions, or something else?  Have you run in debug mode to see what 
the cisco is sending to the radius server?  A little more information on what 
you are trying to do would be very helpful.

The wiki has some info related to cisco configs [1].  Another source that 
should have some cisco-related info is the mailing list archives.

Kevin Bonner

[1] http://wiki.freeradius.org/Cisco



Re: Freeradius Checkrad Redback

2007-04-03 Thread Kevin Bonner
On Monday 02 April 2007 08:11:10 ahissi jean-françois wrote:
> Hello,
>
> I'm facing a Simultaneous-Use problem.
>
> We are an ISP and we have ADSL subscribers.
> The AAA is a freeradius 1.1.3 server
> and the NAS is a REDBACK SMS.
>
> The Simultaneous-Use doesn't work!
>
> We want to use checkrad but
> there is no snmp script for redback!
> The telnet option is not good, I think, because we have 18000
> subscribers.
>
> Please help me with an snmp script for redback or with another
> solution for Simultaneous-Use.
>
> Thanks!

I agree that verifying a session via telnet is not a scalable solution.  
Lucent probably has SNMP MIBS for the Redback, which should have a way to 
confirm active sessions.

Kevin Bonner



Re: chap rlm_sql authentication problem

2007-03-30 Thread Kevin Bonner
On Friday 30 March 2007 09:13:17 Andrew Long wrote:
> In NTRADPING:
> username: hiegalleria
...
> rad_recv: Access-Request packet from host 192.168.10.100:49259, id=5,
> length=59
> User-Name = "hiegalleria_cn3200"
> CHAP-Password = 0xac0b9199834a040866dd0050c44d4fdf35

Am I missing something obvious?  How is "_cn3200" getting appended to the 
username?

> --
> 1176  hiegalleria_cn3200  password  PASSWORD_HERE  ==
> --

You've heard several times that the attribute and operator need to be fixed.  
I'm just listing it again for emphasis.

> radius_xlat:  'SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
> usergroup.Username = 'hiegalleria_cn3200' AND usergroup.GroupName =
> radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> --
> 9  colubris  Service-Type  Administrative-User  ==
> --

If this is correct, your request will not match unless you send this 
particular Service-Type.  Looking at the request above, I don't see this 
attribute being sent in the access-request.

Kevin Bonner



Re: SNMP support for radius problem

2007-03-29 Thread Kevin Bonner
On Thursday 29 March 2007 12:47:38 satish patel wrote:
> Thanks for the help.
>
> I got it and now my freeradius is working with snmpd and it is working fine.
> Now can you tell me what I can monitor through snmpd? I mean, can I check how many
> users are logged in currently and how many failed, and what stats can I check through
> this feature?

The RADIUS mibs are in the mibs/ directory of the freeradius release.  You 
should be able to monitor any of those values.

-Kevin



Re: SNMP support for radius problem

2007-03-28 Thread Kevin Bonner
On Wednesday 28 March 2007 08:17:00 satish patel wrote:
>  main: smux_password = "verysecret"
>  main: snmp_write_access = no
> SMUX connect try 1
> SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
> SMUX open progname: radiusd
> SMUX open password: verysecret
> SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
> SMUX register priority: -1
> SMUX register operation: 1
> SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
> SMUX register priority: -1
> SMUX register operation: 1
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> SMUX read start
> SMUX read len: 12
> SMUX message received type: 67 rest len: 4
> SMUX_RRSP
> SMUX_RRSP value: 0 errstat: 0
> --- Walking the entire request list ---
> Nothing to do.  Sleeping until we see a request.

This looks good.  It successfully registered with the local SNMP daemon, which 
means FreeRADIUS is built with SNMP support and is properly configured.

> Now I have run snmpwalk but I didn't get any output from radius
>
> $snmpwalk -v 1 -c public localhost .1.3.6.1.2.1.67.1.1.1.1
> End of MIB

This looks correct as well.  Make sure the public community has permission to 
view that OID tree.  I did test my local SNMP config and receive the same 
results when I restrict the public community from accessing that OID.

Kevin Bonner



Re: use realms to access different mysql tables

2007-03-27 Thread Kevin Bonner
On Tuesday 27 March 2007 18:13:09 Alexander Papenburg wrote:
> Hi Freeradius-Mailing-List,
>
> does anyone of you differentiate sql database table with realms?
> E.g.:
>
> Auth-Requests for [EMAIL PROTECTED] will be checked against table db_radius1
> Auth-Requests for [EMAIL PROTECTED] will be checked against table db_radius2
> .and so on.
>
> I already found out that it is possible to use multiple sql instances,
> but for what i understand is that they would be asked/checked one after
> another. That would be nice for failover scenarios but if there are
> about 20-30 realms to check it would be result in a very slow
> performance (depending on mysql host speed).
> So is there a better way to solve this Problem? All users in one
> database is at the time unfortunately no option...
>
>
> Thanks in advance
>
> Alex

An example of this is below.  In each sql definition you can define the 
different queries necessary to handle a particular realm.  realm3 shows how 
to allow multiple realms to use the same db/SQL queries, so you can easily 
merge the databases over time and update the users file to reflect the db 
changes.

Kevin Bonner

== sql.conf ==
sql db1 { ... }
sql db2 { ... }
...
== sql.conf ==

== radiusd.conf ==
authorize {
        ...
        Autz-Type SQL1 {
                db1
        }
        Autz-Type SQL2 {
                db2
        }
}
== radiusd.conf ==

== users ==
DEFAULT Realm == "realm1", Autz-Type := SQL1
DEFAULT Realm == "realm2", Autz-Type := SQL2
DEFAULT Realm == "realm3", Autz-Type := SQL2
...  OR
DEFAULT User-Name =~ "@realm1$", Autz-Type := SQL1
DEFAULT User-Name =~ "@realm2$", Autz-Type := SQL2
DEFAULT User-Name =~ "@realm3$", Autz-Type := SQL2
== users ==



Re: Accounting is not working. Please help.

2007-03-26 Thread Kevin Bonner
On Monday 26 March 2007 18:18:55 alex wrote:
> >  > without problem. But the accounting is not working, the mysql tables
...
> >  Did you run in debug mode (-X)?  If so, did the output show anything
> > strange when processing an accounting packet?
...
> rad_recv: Access-Request packet from host 192.168.1.1:6001, id=91,

I've stripped out the non-relevant parts and shall repeat again.  Did the 
debug output show any errors when processing an _accounting_ packet?

-Kevin



Re: Accounting is not working. Please help.

2007-03-26 Thread Kevin Bonner
On Monday 26 March 2007 16:30:35 alex wrote:
> Hey guys, I just followed this guide.
> http://www.frontios.com/freeradius.html
> and everything looks ok, the users are already working and log in without
> problem. But the accounting is not working, the mysql tables are empty. I
> checked when a user accesses and everything looks ok, and the radacct is still
> empty.
>
> In my radiusd.conf I have
> accounting {
>         detail
>         radutmp
>         sql
> }
> Another guy is checking the AP, but I want to be sure I have the correct
> values in the server.
>
> Any comment is appreciated.
> Alex

Did you run in debug mode (-X)?  If so, did the output show anything strange 
when processing an accounting packet?  Is the NAS configured to send 
accounting records to the radius server?

-Kevin



Re: disconnect users from radius

2007-02-28 Thread Kevin Bonner
On Wednesday 28 February 2007 10:40, satish patel wrote:
> Dear all
>
> I have installed freeradius on RHEL with MSSQL server and it
> is working fine, but now I am facing a problem regarding disconnecting
> users. My NAS is a Cisco router using L2TP, so what do I do about this
> problem?
>
> Also, I want to connect my dialupadmin to MSSQL. Is that
> possible?
>
> Satish Patel

Since it is a cisco, it may support Packet of Disconnect (PoD) requests.  [1] 
has some info about this.  To verify that it is available and configure it, 
you should refer to the vendor documentation for your device.

Kevin Bonner

[1] http://wiki.freeradius.org/Disconnect_Messages



Re: Radius says client is unknown.

2007-02-27 Thread Kevin Bonner
On Tuesday 27 February 2007 14:47, M. Onur ERGiN wrote:
> Just a moment ago, I noticed that I can't start radiusd daemon with
> 'service radiusd start' command. It gives the following error:
>
> [EMAIL PROTECTED] raddb]# service radiusd start
> Starting RADIUS server: Tue Feb 27 21:44:38 2007 : Info: Starting - reading
> configuration files ... 6490:error:0906D06C:PEM routines:PEM_read_bio:no
> start line:pem_lib.c:632:Expecting: CERTIFICATE 6490:error:0906D06C:PEM
> routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
> 6490:error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM
> lib:ssl_rsa.c:534: [FAILED]
>
> But I can start it with 'radiusd -X'
>
> Can the problem be related to that? By the way, I have signed a new
> certificate to be used in radius. But it seems okay.
>
> Thanks for any help,
> Onur.

Sounds like a permissions issue to me.  Check the user/group that is 
configured in radiusd.conf, then verify that the user can read the 
certificates and config files.

Kevin Bonner



Re: check active threads

2007-02-20 Thread Kevin Bonner
On Tuesday 20 February 2007 03:10, Tomas Hoger wrote:
> > Freshly added to the Wiki FAQ as this has been covered countless times on
> > the users list.
>
> Kevin, it may be better to add a bit more info to wiki, since combining
> SysV and BSD flags of ps is usually not permitted and -H flag is not
> recognized by older versions of ps.
>
> What about this:
>
> For older versions of ps, use:
>
>   - ps -efm
>   - ps auxm
>
> For newer versions of ps, you may prefer to use:
>
>   - ps -efL
>   - ps auxH
>
> th.

Sounds fine with me.  As it is a wiki, feel free to register an account and 
make that change.  I only included the ps versions I had available at the 
time.

-Kevin



Re: attr_rewrite

2007-02-19 Thread Kevin Bonner
On Monday 19 February 2007 15:29, Ben Butler wrote:
> Hi,
>
> I am having some problems with attr_rewrite.
>
> What I want to do is the following at a pre authorisation phase:
>
> User-Name = [EMAIL PROTECTED]
>
> To
>
> User-Name = somedomain.com
>
> I want to call my attr_rewrite function for each of the domains that I want
> to strip the username from prior to authorisation.

I'm not very familiar with attr_rewrite, so I'm posting what I would do if I 
were presented with this issue.

We use the hints file to rewrite the request username, as needed.  A hints 
file example that should do what you want:

DEFAULT User-Name =~ "[EMAIL PROTECTED]"
        User-Name := "somedomain.com"

Then just define somedomain.com in your users file (or DB) and process it like 
a normal request.

Kevin Bonner



Re: check active threads

2007-02-19 Thread Kevin Bonner
On Monday 19 February 2007 13:13, Andrew Long wrote:
> freeradius 1.4 on CentOS 4.4
> How can I verify the number of threads? I only see one process with
>
> > ps aux | grep radiusd
>
> I could have sworn I used to see each thread with 0.9 and I am
> concerned that the threads are not starting correctly as defined in
> radiusd.conf:
> thread pool {
>         start_servers = 5
>         max_servers = 32
>         min_spare_servers = 3
>         max_spare_servers = 10
>         max_requests_per_server = 0
> }

http://wiki.freeradius.org/FAQ#I_see_only_one_radiusd_in_the_process_list.__What_is_wrong.3F

Freshly added to the Wiki FAQ as this has been covered countless times on the 
users list.

Kevin Bonner



Re: Setting a realm in the User-Name based on Client-IP-Address

2007-01-24 Thread Kevin Bonner
On Wednesday 24 January 2007 16:59, Jason E. Murray wrote:
> My question is there a better way to do this, this seems a bit kludgy.
>
> Using FreeRadius 1.1.4
>
> Thanks in advance,

Use the hints file like below, then configure freeradius as if the realm were 
included in the original request.

== hints ==
DEFAULT User-Name !~ "@", Client-IP-Address == A.B.C.D
        User-Name := "[EMAIL PROTECTED]"
== hints ==

Kevin Bonner



Re: RADIUS will no longer start!

2007-01-24 Thread Kevin Bonner
On Wednesday 24 January 2007 10:02, Michelle Gates wrote:
> read_config_files:  reading clients
> /opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name
>
> -
>
> Can anyone shed any light on this? Unfortunately for me, one of our
> developers was working on our production server but *claims* not to have
> changed anything of any consequence...
>
> I'm really unsure of where this is coming from! Has anyone seen this error
> before or could anyone at least point me in the right direction?

Since you have multiple people poking around on a production config, you are 
using some sort of revision control... right?  ;-)

I tried to reproduce the error locally and here is what I've done to cause the 
same error message to show up.

== clients.conf ==
client {
        secret      = testing
        shortname   = testing
        nastype     = other
}
== clients.conf ==

[EMAIL PROTECTED] raddb.dial]# /usr/sbin/radiusd -X
...
read_config_files:  reading clients
/etc/raddb/radiusd.conf[327]: Missing client name

To fix the issue, find the broken client entry and either comment it out or 
restore it with the correct client IP.

Kevin Bonner
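
The error in the reply above names the radiusd.conf line rather than the broken entry itself, so here is one way to locate a `client` section that has lost its name. This is an added example, not part of the original post or of FreeRADIUS; the sample file content is constructed, and 192.0.2.10 and nas1 are placeholder values.

```python
import re

# "client <name> {" opens a section; an empty <name> is the broken case.
CLIENT_RE = re.compile(r"^\s*client\b\s*([^\s{]*)\s*\{")
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)")


def nameless_clients(text):
    """Return [(line_number, shortname_or_None)] for client sections with no name.

    The shortname is reported so the entry can be matched to a device even
    though its address is gone.
    """
    found = []
    current = None  # [line_number, shortname] while inside a nameless section
    for number, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]  # drop comments
        opening = CLIENT_RE.match(line)
        if opening:
            current = [number, None] if opening.group(1) == "" else None
            continue
        if current is not None:
            pair = KV_RE.match(line)
            if pair and pair.group(1) == "shortname":
                current[1] = pair.group(2)
            if "}" in line:
                found.append(tuple(current))
                current = None
    return found


if __name__ == "__main__":
    # Constructed sample: one healthy entry, one entry missing its address.
    sample = (
        "client 192.0.2.10 {\n"
        "        secret    = testing\n"
        "        shortname = nas1\n"
        "}\n"
        "client {\n"
        "        secret    = testing\n"
        "        shortname = testing\n"
        "        nastype   = other\n"
        "}\n"
    )
    for number, shortname in nameless_clients(sample):
        print("line %d: client section has no name (shortname=%s)" % (number, shortname))
```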



Re: Best practices for redundant servers

2007-01-19 Thread Kevin Bonner
On Friday 19 January 2007 14:02, Peter Nixon wrote:
> On Fri 19 Jan 2007 18:56, Graham Beneke wrote:
> > Would it be possible for someone to dump all the man pages into the wiki?
>
> Please feel free to do it.. It is a wiki after all :-)

Agreed.  I've added a few things here and there, but that's just because I was 
poking around in those areas of freeradius recently.

If you add stuff, I can clean up the page display, if necessary, after I find 
the box that contains my "free time".  =)

-Kevin



Re: freeradius-1.1.3 + snmp...

2007-01-12 Thread Kevin Bonner
On Friday 12 January 2007 13:19, adreas Polyxronopoulos wrote:
> > In your snmpd.conf file, do you have a line that looks like the
> > following? smuxpeer .1.3.6.1.4.1.3317.1.3.1 public
>
> No, I didn't have a line like the following in my snmpd.conf: smuxpeer
> .1.3.6.1.4.1.3317.1.3.1 public. However, when I add the line to my snmpd.conf
> at a random place in the file I get the same output. Do I have to write it
> in a specific place in the snmpd.conf?

That line can be added anywhere in snmpd.conf.  After it is added, you'll need 
to HUP or restart snmpd for that config line to take effect.

> > Are there any errors in your log files that might indicate a problem
> > with your  snmpd config?
>
> I checked the radiusd.log but nothing useful.

I was referring to the snmp or system log files that might have any errors 
listed for the SMUX registration.  An example from my logs is:

  Jan 10 23:30:15 radiustest snmpd[2238]: [smux_accept] accepted fd 13 from 127.0.0.1:32850
  Jan 10 23:30:15 radiustest snmpd[2238]: accepted smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, password verysecret, descr radiusd

> > Does freeradius exit without error or do you press Ctrl-C to kill it?
>
> No, my freeradius exits without error and I don't press Ctrl-C to kill it.

Okay.  I think this is caused by the SMUX registration failure, which should 
be fixed once you HUP the snmpd process.  I'll try to find time to test this, 
but it should not be preventing you from getting FreeRADIUS+SNMP working.

Kevin Bonner



Re: freeradius-1.1.3 + snmp...

2007-01-12 Thread Kevin Bonner
On Friday 12 January 2007 11:13, adreas Polyxronopoulos wrote:
> I have configured the radiusd.conf to support snmp
> and in snmp.conf I have set the community string to public as it is in
> snmpd.conf.

In your snmpd.conf file, do you have a line that looks like the following?

smuxpeer .1.3.6.1.4.1.3317.1.3.1 public

Are there any errors in your log files that might indicate a problem with your 
snmpd config?

> However, when I am running freeradius in debugging mode:
> radiusd -X, I get the following output and freeradius does not start.
> Why is that happening? When I configured the radiusd.conf without snmp
> everything works perfectly.

Does freeradius exit without error or do you press Ctrl-C to kill it?

Kevin Bonner



Re: MySql and calling-station-id help please

2007-01-12 Thread Kevin Bonner
On Friday 12 January 2007 10:19, Ackbar Joolia wrote:
> >   See the FAQ about "it doesn't work".
> >
> >   Also, try posting pieces of your current config.  What you want isn't
> > hard to do, but we have no idea what your configuration is, so it's
> > impossible to say what is going wrong.
> >
> >   Alan DeKok
>
> Alan,
>
> Where is the “it doesn’t work” faq?

http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

> Radcheck table
> --
> UserName | Attribute | op | Value
> User1 | Password | == | pass1

Operator should be :=.  Attribute should be User-Password (or 
Cleartext-Password depending on your freeradius version), but Password should 
be fine for your tests.

> Radgroupcheck
> 
> GroupName | Attribute | op | Value
> Group1 | Calling-Station-Id | := | 123456
> Group2 | Calling-Station-Id | := | 345677

The operator is incorrect.  := sets the attribute to that value.  See the 
Operators page in the wiki or "man 5 users" for more info on operator 
behavior.

Kevin Bonner



Re: 0.9.3 > 1.1.0 sql errors

2007-01-06 Thread Kevin Bonner
On Friday 05 January 2007 18:36, Long wrote:
> why doesn't 0.9.3 yield errors when the operator is wrong?
>
> - Andrew

Software should get better over time.  0.9.3 was released over 3 years ago, so 
there have been many improvements to the code since then.

-Kevin



Re: 0.9.3 > 1.1.0 sql errors

2007-01-05 Thread Kevin Bonner
On Friday 05 January 2007 16:40, Andrew Long wrote:
> >> Invalid operator for item Suffix: reverting to '=='
> >> Invalid operator for item Suffix: reverting to '=='
> >> Invalid operator for item Suffix: reverting to '=='
> (HINTS)
> DEFAULT Suffix = ".ppp", Strip-User-Name = Yes
> DEFAULT Suffix = ".slip", Strip-User-Name = Yes
> DEFAULT Suffix = ".cslip", Strip-User-Name = Yes
> ---
> Can you see any problem?
>
> -Andrew

3 "invalid operator" messages from debug mode... 3 lines in the hints file 
with the Suffix attribute.  I think we have a winner.  See 'man 5 users' or 
the Wiki Operators page to see why that is invalid.  I think the hints file 
in the latest release (1.1.4) has correct defaults.

-Kevin



Re: 0.9.3 > 1.1.0 sql errors

2007-01-05 Thread Kevin Bonner
On Friday 05 January 2007 12:01, Andrew Long wrote:
> >   Use "+=" for the operators.  See doc/rlm_sql for reasons why.
>
> Still, after updating instances of '=' to '+=', we get:
>
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
>
> How can I tell what operator/suffix they refer to?

$ grep -ri Suffix /etc/raddb/*

If that shows nothing, then it's being pulled from a database or other flat 
file.  Check those other locations for any Suffix attributes.

-Kevin



Re: 0.9.3 > 1.1.0 sql errors

2007-01-04 Thread Kevin Bonner
On Thursday 04 January 2007 13:39, Andrew Long wrote:
> Can you clarify:
>
>  In 0.9.3 (/usr/local/raddb/dictionary):
>  VALUE  Service-Type  Administrative-User  6
>
>  In 1.1.0 (usr/local/share/freeradius/dictionary.rfc2865):
>  VALUE  Service-Type  Administrative-User  6
> ...
> Now, 0.9.3 runs smoothly and returns no error... While 1.1.0
> returns:

Since 0.9.3 worked, then you can grep for Administrative in the 0.9.3 
dictionaries to see what integer value is assigned to it.  If it is found, 
then look for the Service-Type entry with the same integer value in the 1.1.0 
dictionaries and use that newer name.  If the Administrative Service-Type is 
not found, then it was silently ignored in 0.9.3 and finally reports an error 
in 1.1.0.

Switching it from Administrative to Administrative-User should be all you need 
to do to resolve your issue.

Kevin Bonner



Re: 0.9.3 > 1.1.0 sql errors

2007-01-04 Thread Kevin Bonner
On Thursday 04 January 2007 09:09, Andrew Long wrote:
> "Unknown value Administrative for attribute Service-Type" (1.1.0)
>
> NOW...
>
> I found that 1.1.0 defines A-V pair Service-Type:Administrative-User in
> dictionary.rfc2865:
>
> VALUE  Service-Type  Administrative-User  6
>
> Am I correct in thinking that an update to the tables (replacing
> "Administrative" with "Administrative-User") ought to fix this?
>
> Andrew

In the 0.9.3 dictionaries, you should see the same number value associated 
with the Administrative Service-Type.  Replacing it in your tables should 
work.

Do you plan to use the latest version of FreeRADIUS (1.1.3) after resolving 
these issues?

Kevin Bonner



Re: NAS support for disconnect methods

2006-12-28 Thread Kevin Bonner
On Thursday 28 December 2006 12:04, Daniel Lark wrote:
> I am in the process of developing a generalized disconnect methodology
> for disconnects. While I know definitely that Cisco NAS with an IOS =>
> 12.1 will support POD, does anyone out there know what equipment
> supports disconnects through SNMP or POD. I have equipment all over the
> map and need to plan accordingly. Obviously radkill is my ultimate
> back-up ;-)
>
> Thanks!

Ascend/Lucent Max-TNT supports PoD with TAOS 10.1.4 and higher.  Previous 
versions of TAOS used the wrong response port, but the session would still be 
disconnected.  We also have Cisco NAS devices, but you've already discovered 
what is needed for PoD support.

Kevin Bonner



Re: Repost: Properly using the := and = operators?

2006-12-27 Thread Kevin Bonner
Mike,

See http://wiki.freeradius.org/Operators for operator behavior.

On Tuesday 26 December 2006 17:52, Mike wrote:
> mysql> select * from radreply ;
> |  2 | joe.user | Framed-IP-Address | =  | 1.2.3.4 |

This looks correct.  The = operator says to assign 1.2.3.4 to the 
Framed-IP-Address attribute, if that attribute doesn't already exist.

> mysql> select * from radgroupreply ;
> |  5 | suspended | Framed-IP-Address | =  | 10.10.0.2+  |

The = operator here is incorrect, as you want to always override the 
Framed-IP-Address.  Using := will replace any/all Framed-IP-Address 
attributes in the reply with the one listed above.

Kevin Bonner
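
The operator behaviour described in this reply, as an added example that is not part of the original post and not FreeRADIUS code. It is a simplified model of a reply list; the rows are the ones quoted in the thread, the Reply-Message rows are constructed, and applying per-user rows before group rows is an assumption. It goes slightly beyond the post by also modelling `+=`.

```python
"""Simplified model of reply-item operators (=, :=, +=). Not FreeRADIUS source."""


def apply_reply_items(reply, items):
    """Apply (attribute, op, value) rows, in order, to a reply list.

    reply is a list of (attribute, value) pairs and is modified in place.
      =   add the attribute only if the reply does not already contain it
      :=  remove every existing instance, then add this one
      +=  always append, so several instances can coexist
    """
    for attr, op, value in items:
        present = any(a == attr for a, _ in reply)
        if op == "=":
            if not present:
                reply.append((attr, value))
        elif op == ":=":
            reply[:] = [(a, v) for a, v in reply if a != attr]
            reply.append((attr, value))
        elif op == "+=":
            reply.append((attr, value))
        else:
            raise ValueError(f"unsupported reply operator: {op!r}")
    return reply


def build_reply(user_rows, group_rows):
    """Assumption: per-user rows (radreply) are applied before group rows."""
    reply = []
    apply_reply_items(reply, user_rows)
    apply_reply_items(reply, group_rows)
    return reply


# Rows as quoted in the thread.
USER_ROWS = [("Framed-IP-Address", "=", "1.2.3.4")]
GROUP_ROWS_AS_POSTED = [("Framed-IP-Address", "=", "10.10.0.2+")]
# The same group row with the operator the reply recommends.
GROUP_ROWS_FIXED = [("Framed-IP-Address", ":=", "10.10.0.2+")]
# Constructed rows: the same attribute listed twice.
TWICE_WITH_EQ = [("Reply-Message", "=", "first"), ("Reply-Message", "=", "second")]
TWICE_WITH_PLUS = [("Reply-Message", "+=", "first"), ("Reply-Message", "+=", "second")]


if __name__ == "__main__":
    # With "=", the suspended group never overrides the user's own address.
    print("as posted:", build_reply(USER_ROWS, GROUP_ROWS_AS_POSTED))
    # With ":=", the group value replaces whatever the user row supplied.
    print("fixed:    ", build_reply(USER_ROWS, GROUP_ROWS_FIXED))
    # Repeating "=" keeps only the first instance; "+=" keeps both.
    print("= twice:  ", build_reply(TWICE_WITH_EQ, []))
    print("+= twice: ", build_reply(TWICE_WITH_PLUS, []))
```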



Re: problem with mysql accounting

2006-12-21 Thread Kevin Bonner
On Thursday 21 December 2006 06:45, basile wrote:
> but start and stop not
>
> rlm_sql (sql): sql_set_user escaped user --> ''
> radius_xlat:  'INSERT into radaact SET  '
> rlm_sql (sql): Reserving sql socket id: 4
> rlm_sql_mysql: MYSQL check_error: 1064 received

When you run in debug mode, do you see the full query when the config options 
are printed?  If not, there might be an escaping problem in your sql.conf 
file.

> freeradius 1.1

What freeradius version is that?  1.1.3 is the latest release.

Kevin Bonner



Re: Chap support

2006-12-15 Thread Kevin Bonner
On Friday 15 December 2006 09:23, Sinan Ulker wrote:
> how can I add chap support to the free radius?

See my response from yesterday in the thread "Chap authentication".

Kevin Bonner



Re: Chap authentication

2006-12-14 Thread Kevin Bonner
On Thursday 14 December 2006 07:12, [EMAIL PROTECTED] wrote:
> How can i set a basic CHAP authentication? What parameters and files i must
> set?

The default freeradius config supports CHAP, so all you need to supply is a 
password for the user.  According to [1], CHAP requires the cleartext 
password.

> Can you send me an example?

A users file example with the default freeradius 1.1.3 config would be:

  userX  User-Password := "secretpass"

To test CHAP auth, run the following.

  ( echo 'User-Name = "userX"'; echo 'CHAP-Password = "secretpass"' ) | radclient your.radius.server:1812 auth your_secret

Kevin Bonner

[1] http://deployingradius.com/documents/protocols/compatibility.html
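
Why CHAP needs the cleartext password on the server, as an added example that is not part of the original post and not FreeRADIUS code. It computes the CHAP response as defined in RFC 1994 and carried in the RADIUS CHAP-Password attribute (RFC 2865); the function names, the fixed challenge and the SHA-256 "hashed store" are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value: MD5(ident || secret || challenge), 16 octets."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def nas_build_chap_password(password: bytes, challenge: bytes, chap_id: int) -> bytes:
    """NAS side: CHAP-Password value is 1 octet ident followed by the response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def server_verify_chap(chap_password: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """Server side: recompute the response from whatever is stored for the user.

    The challenge comes from the CHAP-Challenge attribute or, if that is
    absent, from the Request Authenticator of the Access-Request.
    """
    if len(chap_password) != 17:
        return False
    chap_id, received = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    challenge = bytes(range(16))  # constructed; a NAS uses unpredictable bytes
    attr = nas_build_chap_password(b"secretpass", challenge, chap_id=7)
    # Constructed stand-in for a server that keeps only a one-way hash.
    hashed_store = hashlib.sha256(b"secretpass").hexdigest().encode()
    return {
        # The server holds the cleartext, so it can recompute the same MD5.
        "cleartext_store": server_verify_chap(attr, challenge, b"secretpass"),
        "wrong_password": server_verify_chap(attr, challenge, b"secretpasS"),
        # A hash of the password is a different MD5 input: never matches.
        "hashed_store": server_verify_chap(attr, challenge, hashed_store),
        # The response is bound to the challenge it was computed for.
        "different_challenge": server_verify_chap(attr, os.urandom(16), b"secretpass"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20s} -> {'accept' if accepted else 'reject'}")
```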



Re: Unable to authenticate freeradius using PostgreSQL

2006-11-29 Thread Kevin Bonner
On Wednesday 29 November 2006 10:36, Ross McOwat wrote:
> All sorted!
>
> I copied a fresh-install postgresql.conf file from another server, and
> bingo, all is working fine.  Must have made a mistake while editing this
> file - note to self, make copies of the file BEFORE editing it!
>
> Thanks for everyones help.
>
> Ross

Got this message right after I sent out my other one.  Good to see it's all 
working now.

Making copies works, but I prefer RCS or some other revision control to manage 
changes.

-Kevin



Re: Unable to authenticate freeradius using PostgreSQL

2006-11-29 Thread Kevin Bonner
On Wednesday 29 November 2006 05:52, Ross McOwat wrote:
> radius_xlat:  'SELECT id, UserName, Attribute, Value, Op
> #?authorize_check_query = '
> rlm_sql (sql): Reserving sql socket id: 4
> rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
> #?authorize_check_query =
> rlm_sql_postgresql: Status: PGRES_FATAL_ERROR

radius_xlat now shows the query, but "SELECT id, UserName, Attribute, Value, 
Op" is not a valid SQL query.  The "authorize_check_query" being listed in 
the radius_xlat line means that you haven't properly quoted the SQL query in 
the config file.  Look at the default postgresql.conf to see what you're 
missing... paying close attention to quotation marks.

> I have changed the 'value' and 'op' columns around, as the
> authentication sql query within postgresql.conf appears to try and
> retrieve 'value' before 'op'.  Using the supplied database schema, the
> op column appears BEFORE value.  Not sure if this is significant or not?
> Or possibly the actual data format I've entered is incorrect?  I suspect
> (hope) it's something as simple as that.

It doesn't matter how the table columns are arranged, as long as your query 
asks for them in the correct order.

Kevin Bonner



Re: Unable to authenticate freeradius using PostgreSQL

2006-11-28 Thread Kevin Bonner
On Tuesday 28 November 2006 11:53, Ross McOwat wrote:
> Hi Kevin,
>
> I am running debug with the -X flag - in this instance, I only included
> the output I thought relevant (probably a mistake).  Complete output
> from the radius authentication request (with 3 attempts set) is as
> follows:
>
> radius_xlat:  'ROSStest4'
> rlm_sql (sql): sql_set_user escaped user --> 'ROSStest4'
> radius_xlat:  ''
> rlm_sql (sql): Reserving sql socket id: 4
> rlm_sql (sql): SQL query error; rejecting user
> rlm_sql (sql): Released sql socket id: 4
>   modcall[authorize]: module "sql" returns fail for request 0

My guess is that you have an empty SQL query which is causing this to fail.  
Are any queries blank in your rlm_sql section of the debug output?  Can you 
post the config dump in debug mode, or perhaps just the rlm_sql config 
section?

Kevin Bonner



Re: Unable to authenticate freeradius using PostgreSQL

2006-11-28 Thread Kevin Bonner
On Tuesday 28 November 2006 11:00, Ross McOwat wrote:
> Other tables are empty.  Running freeradius in debug mode, the following
> output is given when attempting an authentication request using
> NTRadPing:

That output is very brief for "debug" mode.  You are using the -X flag, right?  
If not, do so and you'll see why it's dying in the rlm_sql module.

Kevin Bonner



Re: rewriting usernames

2006-11-16 Thread Kevin Bonner
On Thursday 16 November 2006 04:56, Christopher Carver wrote:
> Quoting Kevin Bonner <[EMAIL PROTECTED]>:
> > Not a crazy question at all.  We used a hints file entry like:
...
> It seems as though the users file can only manipulate reply A/V pairs.

Correct.  The hints file can manipulate the request before any other module 
touches it.  Add the entry to your _hints_ file and it should work.

Kevin Bonner



Re: rewriting usernames

2006-11-14 Thread Kevin Bonner
On Monday 13 November 2006 22:24, Christopher Carver wrote:
> Hello,
>
> How do I rewrite the value of the User-Name attribute based on
> Called-Station-Id?  I need to do a series of these logical decisions and
> replace the username with username@ based on what the value
> of Called-Station-Id is.
>
> rlm_attr_rewrite seems the obvious choice, but I can't figure out how to
> use various instances of that module only when Called-Station-Id has a
> certain value.
>
> It seems like a strange thing to need to do, but I've thought about our
> problem and this is really the only scalable way.  I can give a lot of
> background as to why, but I figured I would ask the question first.  So,
> does anyone have any ideas?
>
> Also, thank you for all the hard work on Freeradius.  Its a great piece of
> software.
>
> Thanks
>
> Chris Carver

Not a crazy question at all.  We used a hints file entry like:

DEFAULT Called-Station-Id =~ "^(012)?3456789$"
        User-Name := "[EMAIL PROTECTED]"

After that, it's pretty easy.  Just make sure the some-isp.com realm is in 
proxy.conf and it should act like any other normal request.

Kevin Bonner



Re: limiting sessions

2006-11-09 Thread Kevin Bonner
* Try to respond just to the list and not me personally.  I don't enjoy wading 
through duplicate messages.  Thanks!

On Thursday 09 November 2006 11:34, Andrew Long wrote:
> also ran
>
> SELECT
> `usergroup`.`UserName`,
> `usergroup`.`creationdate`,
> `usergroup`.`GroupName`
> from usergroup
> where username = '4aroma70370';
>
> and that also comes up null...
>
> Does it make sense that radius is not recognizing the usernames as
> belonging to the group 'aroma', thus not assigning the group-reply?

Yes, because the radius server does what you configure it to do.  You should 
have control over the usergroup table, so it shouldn't be difficult to add 
the missing records.

If you're still stuck, try sending relevant output from all of your sql 
tables.  The actual row data should be good enough, unless you've mangled the 
table structure to suit local needs.

> This is my current thought on this, but I'm not sure why it would
> still authorize the request, unless it's not necessary that users be
> part of group.

It isn't necessary.  The cleartext password needed for CHAP was provided by a 
module (users, sql, ??), so the access request was accepted.

Kevin Bonner



Re: limiting sessions

2006-11-09 Thread Kevin Bonner
On Thursday 09 November 2006 11:00, Andrew Long wrote:
> Here is the output from radiusd -X regarding the answer to an
> auth-request from one of the properties where I changed
> session-timeout to 1800. It does not look to me like the
> session-timeout attribute is being sent... any suggestions?

Where are you setting Session-Timeout?  If it is being added by an sql entry, 
run the queries shown in your debug output to verify the rows returned from 
the database are correct.

What are the check and reply items for the section that contains the 
Session-Timeout attribute?  Are they matching attributes in the 
Access-Request packet you sent?

Kevin Bonner



Re: static IP's with rlm_perl

2006-10-20 Thread Kevin Bonner
On Friday 20 October 2006 10:32, Michael Gale wrote:
> Hello,
>
>   No, that did not work, with the setting below the debug shows:
>
> --snip--
>  Framed-IP-Address = 255.255.255.254

Where is that attribute/value pair being added?  If that is being set after 
your perl functions are processed, then it's possible the operator being used 
is allowing that attribute to be overwritten.  Framed-IP-Address is not in 
the default FreeRADIUS config, so you've most likely added it somewhere and 
that is causing your problem.

Kevin Bonner



Re: SNMP with Freeradius - Again

2006-10-20 Thread Kevin Bonner
On Friday 20 October 2006 05:59, Velikanov wrote:
> Good Day.
>
> I use Oracle with Freeradius.
>  The situation with SNMP is as follows now:
> 1. When i have sql in radiusd.conf and such string:
> snmp = no
> then i have working radiusd with Oracle
> 2. When i have no sql , but have
> snmp = yes
> then i have working radiusd with SNMP
> 3. When i have sql in radiusd.conf and
> snmp = yes
> i have not working radiusd, debug does not contain any strings with
> SMUX and it is finished with:
>
> Module: Instantiated sql (sql)
> Segmentation fault
>
> In all cases the configurations was the same, except pointed  above

SNMP/SMUX support should not affect the rlm_sql module in any way.

See doc/bugs for steps to debug the segfault issue and identify where the 
program is actually failing.

Kevin Bonner



Re: Privelege Level with Different Manufacturers

2006-10-19 Thread Kevin Bonner
On Thursday 19 October 2006 08:20, Maestro_Ba wrote:
> 
>
> user1  Auth-Type := System
>Service-Type = Shell-User,
>cisco-avpair = "shell:priv-lvl=15"
>
> However, now I have other manufacturers' devices in my network, namely
> Alcatel, Enterasys and Nortel.
> I want this user to be able to authenticate in any device, and with high
> privilege levels, if possible.
> As it is right now, an error occurs in non-cisco equipment (because of
> "cisco-avpair").
>
> Can anyone tell me:
> 1 - How to configure  file?
> 2 - How to configure the different devices?
>
> Thanks a lot, any information will be very helpful!
> Maestro_Ba

One option is to use huntgroups to identify the class of each NAS device on 
your network.  In your users file, you can match the user with the specific 
huntgroup and configure attributes to be returned.

-- huntgroups --
cisco  NAS-IP-Address == A.B.C.D
cisco  NAS-IP-Address == G.H.I.J
nortel  NAS-IP-Address == W.X.Y.Z
-- end huntgroups --
-- users --
user1   Huntgroup-Name == "cisco", Auth-Type := System
   Service-Type = Shell-User,
   cisco-avpair = "shell:priv-lvl=15"
user1   Huntgroup-Name == "nortel", Auth-Type := System
   ... Nortel specific attributes ...
-- end users --

Kevin Bonner



Re: SNMP with Freeradius - Again

2006-10-19 Thread Kevin Bonner
On Thursday 19 October 2006 08:38, Velikanov wrote:
>  when I run   /usr/local/sbin/radiusd -X
>
>  And NOW, again, there are no   strings   with   "smux", as shown in wiki
>
>   Where is my mistake?
>  What must I looking for?
>
>  Thanks.

Did you also configure your local SNMP daemon with the proper smuxpeer entry?  
Can you post your debug mode output?

Kevin Bonner



Re: SNMP with Freeradius

2006-10-17 Thread Kevin Bonner
On Tuesday 17 October 2006 06:12, Velikanov wrote:
> /* #undef WITH_SNMP */

This means the snmp libraries weren't found.  For RHEL 3.3, install the 
net-snmp-devel RPM and build FreeRADIUS again, or check your build output for 
errors.

Kevin Bonner



Re: NAS Documentation

2006-10-16 Thread Kevin Bonner
I read the mailing list... please send there in the future.

On Sunday 15 October 2006 03:04, affora deeb wrote:
> do u know about IAS windows server 2003 configuration with NORTEL NAS

Nope, don't have a clue.  I try to avoid any windows that can't stand against 
a harsh external environment.  Maybe someone else on the list can help you 
with the issues you're finding.

-Kevin



Re: NAS Documentation

2006-10-13 Thread Kevin Bonner
On Friday 13 October 2006 10:14, Abel Monzon wrote:
> Hello list,
>
> I need a good documentation+example to understand how I configure the NAS
> administration.
>
> Tnx
> Abel

What NAS hardware are you using?
What NAS administration are you expecting FreeRADIUS to provide (auth admins 
for console access, provide route/tunnel/ip pool configs, etc.)?

Please provide a better description of what you are trying to do so that we 
can make helpful suggestions.

Kevin Bonner



Re: syslog - 1.1.2

2006-10-05 Thread Kevin Bonner
On Thursday 05 October 2006 08:07, Michael Messner wrote:
> hey kenneth,
>
> Kenneth Grady wrote:
> > try ...
> >
> > log_destination = syslog
> > log {
> > syslog_facility = daemon
> > }
>
> not working :-(
>
> mIke

I don't believe it was added to the 1.1.X branch, so the CVS head and nightly 
snapshots are the only way to use the syslog logging method.  Wait for 2.0 or 
try one of the other suggestions in my previous email.

Kevin Bonner



Re: syslog - 1.1.2

2006-10-04 Thread Kevin Bonner
On Wednesday 04 October 2006 12:27, Michael Messner wrote:
> hey alan,
>
> Alan DeKok wrote:
> > Michael Messner <[EMAIL PROTECTED]> wrote:
> >> to the radiusd.conf, and I also tried to start the radius with the
> >> parameter -lsyslog but nothing goes to syslog!
> >
> >   That doesn't really work in 1.1.x
>
> any workarounds available?

Make the log file a named pipe (see mkfifo) and write a program that reads 
from the pipe and sends the messages to the local syslog daemon.  Ugly hack.. 
but it should work as long as your reader program starts before freeradius.

Other options would be to look at the cvs head changes that added the extra 
logging options and backport those to your local copy, or run a nightly 
snapshot.

Kevin Bonner
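
A sketch of the reader program for the named-pipe workaround described in this reply, as an added example that is not part of the original post and not FreeRADIUS code. The log line shape (`<timestamp> : <Level>: <message>`), the level names and the sample lines in the test are assumptions or constructed; the FIFO path is supplied on the command line.

```python
import os
import stat
import sys

# Assumed radius.log level names, mapped to syslog priority names.
LEVEL_TO_PRIORITY = {
    "Error": "err",
    "Auth": "notice",
    "Info": "info",
    "Proxy": "info",
    "Debug": "debug",
}


def classify(line):
    """Turn one log line into (priority_name, message).

    Control characters are replaced so that attacker-supplied user names in
    Auth lines cannot smuggle escape sequences into the syslog stream.
    """
    line = "".join(ch if ch.isprintable() else "?" for ch in line.rstrip("\n"))
    _, sep, rest = line.partition(" : ")
    if sep:
        level, sep2, message = rest.partition(": ")
        if sep2 and level in LEVEL_TO_PRIORITY:
            return LEVEL_TO_PRIORITY[level], f"{level}: {message}"
    return "info", line  # unknown shape: forward unchanged at info


def forward(stream, emit):
    """Read lines until EOF and hand each to emit(priority, message)."""
    count = 0
    for raw in stream:
        if raw.strip():
            emit(*classify(raw))
            count += 1
    return count


def ensure_fifo(path):
    """Create the FIFO if missing; refuse to read from anything else."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        # Owner-only: reader and radiusd must run as the same user,
        # otherwise widen this to a shared group rather than to everyone.
        os.mkfifo(path, 0o600)
        return
    if not stat.S_ISFIFO(mode):
        raise ValueError(f"{path} exists and is not a FIFO")


def main(path):
    import syslog  # Unix only

    syslog.openlog("radiusd", 0, syslog.LOG_DAEMON)
    ensure_fifo(path)

    def emit(priority, message):
        syslog.syslog(getattr(syslog, "LOG_" + priority.upper()), message)

    while True:
        # open() blocks until the server opens the FIFO for writing, which is
        # why this reader has to be started first. EOF means the writer
        # closed it (for example on restart), so reopen and wait again.
        with open(path, "r", errors="replace") as fifo:
            forward(fifo, emit)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: fifo2syslog.py /path/to/radius-log-fifo")
    main(sys.argv[1])
```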



Re: Conditionally adding reply pair

2006-09-19 Thread Kevin Bonner
On Tuesday 19 September 2006 15:25, Garber, Neal wrote:
> I need to conditionally add a reply pair based upon Huntgroup-Name and a
> custom attribute.  Pseudocode follows for what I'm trying to accomplish:
>
>
> If Huntgroup-Name == NetSensory then
>if LDAP-Group-Requirement == "NP-Admin" then
> pairadd(reply, NetSensory-Permission, "npadmin")
>Elsif LDAP-Group-Requirement == "NP-Read" then
> pairadd(reply, NetSensory-Permission, "npread")
>Elsif LDAP-Group-Requirement == "NP-Insight"
> pairadd(reply, NetSensory-Permission, "insight")
>Endif
> Endif
>
>
> I thought about using an external program (e.g., Perl module) in
> post-auth to accomplish this.  Is this reasonable or is there a better
> way?

You should be able to do this through the users file:

DEFAULT Huntgroup-Name == "NetSensory", LDAP-Group-Requirement == "NP-Admin"
 NetSensory-Permission += "npadmin"
...

Just change the check and reply items where necessary.  If you don't expect to 
use the NetSensory huntgroup after these lines, you may want to add the 
following after all users file entries related to the NetSensory huntgroup.

DEFAULT Huntgroup-Name == "NetSensory", Auth-Type := Reject

Kevin Bonner



Re: Write access to the wiki

2006-09-18 Thread Kevin Bonner
On Monday 18 September 2006 01:12, Graham Beneke wrote:
> Is access to the wiki exclusive??
> I wanted to start working on a sqlcounter page since the current
> documentation is rather lacking and I plan to 'journal' my exploits in
> figuring it out...
> But I can't seem to find the register link that is referred to.

There should be a "Log In" link in the top right corner of the page.  At the 
login page, you can create a new account.

Kevin Bonner



Re: VSA in Local User Profile

2006-09-15 Thread Kevin Bonner
On Friday 15 September 2006 15:52, A. K. wrote:
> Although it appears as Account-Info in dictionary.cisco, in the users file
> it has to be Cisco-Account-Info (some sort or automatic prepending occurs
> based on Vendor ID), so actually i was entering in the new VSA incorrectly.

Where do you see Account-Info in dictionary.cisco?  In my CVS and 1.1.3 
installs of freeradius, it isn't there.

> Changing it to Cisco-Account-Info creates a different problem. Only the
> first VSA of that name gets sent back in the Access-Accept response. Is
> this behavior configurable?

Your operators aren't correct.  See 
http://wiki.freeradius.org/index.php/Operators

Kevin Bonner



Re: VSA in Local User Profile

2006-09-15 Thread Kevin Bonner
On Friday 15 September 2006 14:39, A. K. wrote:
> User profile is as follows:
>
> "test" Auth-Type := Local, User-Password == "test"
> Idle-Timeout = 300,
> Session-Timeout = 1560,
> Acct-Interim-Interval = 600,
> Account-Info = "QU;8000;4000;D;8000;4000",
> Reply-Message = Authenticated,
> Cisco-Account-Info = Axxx
>
> All attributes are returned in the Access-Accept message except for:
>
> Account-Info = "QU;8000;4000;D;8000;4000"
>
> Am I violating some sort of syntax restriction?

$ grep Account-Info share/dictionary*
share/dictionary.cisco:ATTRIBUTE  Cisco-Account-Info  250  string

In the default dictionary files, I see no Account-Info attribute.  Did you add 
this to your local dictionary file?  When you run freeradius in debug mode, 
do you see an error when it encounters that line?

Kevin Bonner



Re: Attribute Operators

2006-09-15 Thread Kevin Bonner
On Friday 15 September 2006 03:04, Peter Nixon wrote:
> Thanks. I was meaning to fix that this morning. It was midnight when I
> copied that data in there and I couldn't be bothered at the time to figure
> out how to cancel the wiki formating :-)

I've added the link that I use for MediaWiki formatting to 
http://wiki.freeradius.org/index.php/Help:Editing

It would be nice to use apache rewrites to drop the index.php and make the URL 
a little cleaner, but that's not necessary for the wiki to work.

Switching to another skin, it looks like the $wgLogo option wasn't set.  To 
get rid of the logo spot on the default skin, did someone just edit the 
template file for that skin?  I don't mind the default skin, but being able 
to switch to another one and have it look similar would be great!

-Kevin



Re: Attribute Operators

2006-09-14 Thread Kevin Bonner
On Thursday 14 September 2006 17:47, Peter Nixon wrote:
> On Thu 14 Sep 2006 19:09, Cliff Hayes wrote:
> > Hello everyone,
> >
> > Does anyone know of a good reference site for the attribute operators
> > (:=, ==, +=) that shows what each means?
>
> http://wiki.freeradius.org/index.php/Operators

The := operator display is fixed.  The wiki is responding much faster than it 
was earlier today.

-Kevin



Re: Freeradius and SNMP

2006-08-31 Thread Kevin Bonner
On Wednesday 30 August 2006 11:09, Michael Schwartzkopff wrote:
> Hi,
>
> thanks to that explanation. But my question was: Why I do get no answer if
> I do
> snmpwalk (...) localhost enterprises.3317
>
> while walking mib-2.67 gives results?
>
> Michael.

The ent.3317 OID is only used to establish the SMUX session with the SNMP 
daemon.  It is never registered with snmpd, which is why you receive no 
results.

-Kevin



Re: Freeradius and SNMP

2006-08-29 Thread Kevin Bonner
On Tuesday 29 August 2006 07:25, Michael Schwartzkopff wrote:
> I recompiled the latest version (1.1.3) explicitly telling configure
> --with-snmp and everything seems to be ok. Debug output from radius:

Looks like everything should work fine based on the output.

> Now:
>
> snmpwalk (...) mib-2.67 gives good results, but
> snmpwalk (...) enterprises.3317 gives nothing.
>
> Reading the MIBs in mibs/ there are only the descriptions of mib-2.67,
> nothing about 3317. Is this OK or am I missing something?

mib-2.67 is what you care about.  You can load the mib files from the mibs/ 
directory to see useful names, or read the chart files to see what each OID 
value represents.

The private enterprise number 3317 is assigned by IANA [1] to "Port Community 
Rotterdam", which released the GNOME-SMI MIB module.  The GNOME-SMI MIB is 
used in mibs/GNOME-PRODUCT-RADIUSD-MIB, and using that file you can obtain a 
full object name for the enterprises.3317.1.3.1 OID.  Its only use right now 
is for the SMUX connection, but may also be needed if/when AgentX support is 
added.

Kevin Bonner

[1] http://www.iana.org/assignments/enterprise-numbers



Re: More documentation on Auth-Type

2006-08-07 Thread Kevin Bonner
On Friday 04 August 2006 17:21, Alan DeKok wrote:
> Kevin Bonner <[EMAIL PROTECTED]> wrote:
> > One thing I didn't see mentioned on the auth type page is the
> > heavily used "Auth-Type := Local".  Was that consciously omitted, or
> > are you still adding content to that page?
>
>   I'm adding content... check back soon!
>
>   But as for "Auth-Type := Local", I didn't even think to address it,
> because I never use it, and don't think there's any need for it.  What
> kind of discussion do you think is necessary?
>
>   Alan DeKok.

It's an auth method that some still have cluttering their users files.  
Perhaps just a small blurb stating that it was used in legacy versions of FR, 
but is no longer necessary.  Local and System are the only 2 I can recall 
that I don't see on your page, but have been around for a long time.

-Kevin



Re: monitoring freeradius with snmp

2006-08-04 Thread Kevin Bonner
On Friday 04 August 2006 09:59, Andy Ford wrote:
> 4. started the radiusd and snmpd daemons.

Sounds good so far.  When you run in debug mode, does the SMUX registration 
work properly?  You should see something similar to this:

SMUX connect try 1
SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
SMUX open progname: radiusd
SMUX open password: somesecretpass
SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
SMUX register priority: -1
SMUX register operation: 1
SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
SMUX register priority: -1
SMUX register operation: 1

> When I walk enterprises.3317 I get nothing.

The mibs directory has loadable files so that you can use pretty names 
(radiusAuthServIdent) instead of OIDs in your queries.  If you're just 
looking for confirmation that FR+SNMP is working, you can run:

$ snmpwalk -v1 -c public localhost mib-2.67.1.1.1.1.1.0
RADIUS-AUTH-SERVER-MIB::radiusAuthServIdent.0 = STRING: FreeRADIUS Version 1.1.2, for host , built on Jul  6 2006 at 12:59:53

Kevin Bonner



Re: More documentation on Auth-Type

2006-08-04 Thread Kevin Bonner
On Thursday 03 August 2006 14:47, Alan DeKok wrote:
> http://deployingradius.com/documents/configuration/auth_type.html
>
>   Many web sites contain all sorts of recommendations about Auth-Type.
> This one is correct.
>
>   Alan DeKok.

Looks great!  The compatibility matrix is pretty handy as well.

One thing I didn't see mentioned on the auth type page is the heavily used 
"Auth-Type := Local".  Was that consciously omitted, or are you still adding 
content to that page?

Kevin Bonner



Re: SNMP traps

2006-07-31 Thread Kevin Bonner
On Sunday 30 July 2006 02:02, [EMAIL PROTECTED] wrote:
> Hi, thanxs Alen
> Can u give some more details for this.From where can i find that.And how
> freeradius supports SNMP
>
> Rgds
> Darshak

FreeRADIUS doesn't support SNMP traps.  It does support SMUX, which allows you 
to then query for information via SNMP.  See snmp.conf for the ucd-snmp SMUX 
example.  The RADIUS MIBS can be found in the mibs directory or you can use 
the actual OIDs in your SNMP queries.

If you run into problems, include the versions of the SNMP and FreeRADIUS 
software you're using, as well as any relevant config lines and debug mode 
output.

Kevin Bonner



Re: Username in MySQL with regexp

2006-07-11 Thread Kevin Bonner
On Monday 10 July 2006 04:16, christian meutes wrote:
> Hey list,
>
> can anybody give me an example for this?
>
>
> cheers,
>
> Christian Meutes
> systems engineer

My suggestion is to get it working with the flat users file first, then 
migrate the config to your MySQL users file.  Start simple, then try to get 
the more complex configuration working.  If you already have the regexp line 
written for your users file, please post it so we can recommend the best way 
to accomplish the same checks and replies in MySQL.

Kevin Bonner



Re: error: Failed dependencies: libeap-1.1.2.so is needed by freeradius-1.1.2-0.i386

2006-06-30 Thread Kevin Bonner
On Thursday 29 June 2006 01:49, Alberto Cruz wrote:
> Hi Kevin and everybody.
>
> I'm attaching a file with all the warnings that I got with the rpmbuild
> process.
>
> It seems there is something wrong with the "libtool"
>
> Is this a problem related to RedHAT Enterprise 4.0 or is this a problem
> with the Make files process? Could anybody help me to fix this behavior?
>
> Regards
>
> Alberto Cruz

On my CentOS 4 test box, I tried building the 1.1.2 RPM and received the same 
errors I see in your output file.  I used the "--with-system-libtool" 
configure option to get the RPM build to work correctly.  My system libtool 
version is 1.5.6, and I've had no RPM build issues on older Fedora/CentOS 
boxes with system libtool versions of 1.5.X.

According to bug#330, someone tried building on CentOS 4 and had problems 
using the system libtool and GNU ld configure options, so those options were 
removed.

Kevin Bonner



Re: Bug with multiple IPs?

2006-06-15 Thread Kevin Bonner
On Thursday 15 June 2006 13:20, Matt wrote:
> I have freeradius running on a machine with 2 IPs.   I have it binding
> to all available IPs.
>
> xxx.xxx.xxx.44 is the main IP of the machine
> xxx.xxx.xxx.26 is the secondary IP. (eth0:1)
>
> When a request comes in on .26 freeradius processes it and THEN sends
> the reply out .44!   Is this the way it is suppose to be acting?

Did you build freeradius with the --with-udpfromto configure option?  Another 
suggestion would be to have listen directives for each individual IP on your 
box, instead of the * catchall entry in radiusd.conf.  I currently have one 
radius server setup with the second option, as the version it's running 
didn't have the udpfromto portion enabled (yeah yeah... time to rebuild).

Kevin Bonner



Re: error: Failed dependencies: libeap-1.1.2.so is needed by freeradius-1.1.2-0.i386

2006-06-13 Thread Kevin Bonner
On Monday 12 June 2006 23:41, Alberto Cruz wrote:
> How do you fix your problem? Should I add something else to the
> freeradius.spec or should I have to include something else?

My libtool problem may or may not be related, which is why I've excluded my 
"fix" from all responses (if you really want to know, look at the -devel 
list).

You have posted some info and have received several responses saying your RPM 
is broken.  The problem most likely lies with your RPM build step.  Build the 
RPM again and look at the output for those errors/warnings.  If you can't 
find any, post the output so that we can see what is happening.

Kevin Bonner



Re: Logging

2006-06-12 Thread Kevin Bonner
On Monday 12 June 2006 13:38, Cliff Hayes wrote:
> Not sure how to "check the value of that option when running in debug mode"
> as you mentioned.  I started radiusd -x, but it doesn't list any options.

The lower-case x gives minimal output.  The extended debug mode (-X) will 
print out the config options and their values.

Kevin Bonner


