FreeRadius - Slipstream

2004-04-22 Thread Bob Ross
I'm hoping this will be an easy one to get answered.

I have all dialup authentication running as hoped for the past several
hours.

I came across one more little config I'm trying to work out.

I have an accelerator server that I'm able to sell to anyone, and they
don't have to be on our service to buy it.

I have a radgroupcheck for the users setup with the SlipStream=true if
they pay for it.

Question, how do I tell FreeRadius to only allow them to authenticate from
the network side with one of our realms but not allow them to log in from
the dialup realm. It could be the same realm name we use for our dialup
side.

Thanks
Bob Ross


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Does anyone know whether freeradius work with Linksys WRT54G?

2004-04-22 Thread Paul Hampson
On Wed, Apr 21, 2004 at 06:23:15PM -0700, loader wrote:
 Or where can I get a list of APs supported by freeradius?

I've had a WRV54G work with FreeRADIUS, but it doesn't send
Accounting packets. Linksys said a new firmware was working
in their lab, but didn't say when it would be out.

-- 
Paul TBBle Hampson, on an alternate email client.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem faced in integrating Domino LDAP Server for authentication with FreeRadius Server

2004-04-22 Thread Kostas Kalevras
On Thu, 22 Apr 2004, Joseph Silvin wrote:


 Hi Kostas,

 Please allow me to explain. I have installed FreeRadius on RedHat Advanced
 Server 2.1. The Domino Server which has LDAP service running is on another
 machine. I am able to authenticate against this LDAP using tools like LDAP Browser,
 Outlook Express, Lotus Notes etc. Besides, if you look at the log file...

 rlm_ldap: - authorize
  rlm_ldap: performing user authorization for MyUserName
  radius_xlat:  '(uid=MyUserName)'
  radius_xlat:  'ou=MyDept,ou=SBULocation,o=MyOrg'
  ldap_get_conn: Got Id: 0


 We can see that it has correctly returned the radius_xlat, indicating
 that the correct username has been verified. I have only put the username as
 MyUserName.

NO. It has run an xlat on a string. NOTHING more.

Please go ahead and read again my answer and FIX the problem reported to you by
rlm_ldap. That is, fix the identity and password configuration directives so
that rlm_ldap can connect to the ldap server.


 Can you please clarify what I am missing ?

 JS





Kostas Kalevras wrote on 21/04/2004 05:56 PM:

 On Wed, 21 Apr 2004, Joseph Silvin wrote:

  Hi ,
 
  I am trying to use FreeRadius ACS Server for authentication against IBM
  Domino LDAP Server. The following is the error message that I get. I have
  reproduced both radiusd.conf and log files. Looking forward to someone
 who
  can help on this front.
 
  Thanks.
 
  JS
  =
  Log file of FreeRadius
  
  Nothing to do.  Sleeping until we see a request.
  rad_recv: Access-Request packet from host 127.0.0.1:1026, id=86,
 length=60
  User-Name = MyUserName
  User-Password = MyLDAPPassword
  NAS-IP-Address = 255.255.255.255
  NAS-Port = 1
  modcall: entering group authorize for request 10
modcall[authorize]: module preprocess returns ok for request 10
modcall[authorize]: module chap returns noop for request 10
modcall[authorize]: module eap returns noop for request 10
  rlm_realm: No '@' in User-Name = MyUserName, looking up realm NULL
  rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 10
  users: Matched DEFAULT at 152
modcall[authorize]: module files returns ok for request 10
modcall[authorize]: module mschap returns noop for request 10
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for MyUserName
  radius_xlat:  '(uid=MyUserName)'
  radius_xlat:  'ou=MyDept,ou=SBULocation,o=MyOrg'
  ldap_get_conn: Got Id: 0
  rlm_ldap: attempting LDAP reconnection
  rlm_ldap: (re)connect to 192.168.192.41:389, authentication 0
  rlm_ldap: bind as / to 192.168.192.41:389
  rlm_ldap: waiting for bind result ...
  rlm_ldap: LDAP login failed: check login, password settings in ldap
 section
  of radiusd.conf
 ^^



 If that does not help, nothing will...


  rlm_ldap: (re)connection attempt failed
  rlm_ldap: search failed
  ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns fail for request 10
  modcall: group authorize returns fail for request 10
  Finished request 10
  Going to the next request
  --- Walking the entire request list ---
  Nothing to do.  Sleeping until we see a request.
  =
 

Strange Problem with Freeradius and Ascend

2004-04-22 Thread Philipp Steinkrueger
Hi,


I'm having a strange problem with FreeRADIUS and an Ascend MAX 4000.
FreeRADIUS 0.9.1 has been running very stably with a Cisco NAS without any
problems. Now I tried to do authentication and accounting from the Ascend
boxes with FreeRADIUS too, but I encountered problems with authentication.

here is what the log looks like:

Mon Apr 19 15:54:32 2004 : Auth: Login OK: [acc-1/***] (from client 
cisco-nas port 0)   - this is a working login; the password was actually 
logged, I deleted it and put the *** instead.

Mon Apr 19 15:54:32 2004 : Auth: Login incorrect: [acc-2/\224Au\2115ex] (from 
client ascend-nas port 0) - this is not working. The password is expected to 
be logged as clear text, but instead this kind of garbage is logged all the 
time.


Any idea what's wrong here?


Regards,
Philipp


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Strange Problem with Freeradius and Ascend

2004-04-22 Thread Philipp Steinkrueger
Sorry for reposting; due to massive spam I missed Alan's reply. Please 
ignore...


Thank you Alan, I'll check your suggestion...

Regards,
philipp


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Strange Problem with Freeradius and Ascend

2004-04-22 Thread Milver S. Nisay


 Hi,

 I'm having a strange problem with FreeRADIUS and an Ascend MAX 4000.
 FreeRADIUS 0.9.1 has been running very stably with a Cisco NAS without any
 problems. Now I tried to do authentication and accounting from the Ascend
 boxes with FreeRADIUS too, but I encountered problems with authentication.

 Here is what the log looks like:

 Mon Apr 19 15:54:32 2004 : Auth: Login OK: [acc-1/***] (from client
 cisco-nas port 0)   - this is a working login; the password was actually
 logged, I deleted it and put the *** instead.

 Mon Apr 19 15:54:32 2004 : Auth: Login incorrect: [acc-2/\224Au\2115ex]
 (from client ascend-nas port 0) - this is not working. The password is expected
 to be logged as clear text, but instead this kind of garbage is logged all the
 time.

Check your Ascend boxes; it seems they are encrypting the password, considering
you did not encrypt it from FreeRADIUS. With a Cisco box you can work around it by
NOT encrypting and having a clear-text password; I do not know about Ascend boxes.
HTH,
//milver






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
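An added example, written for this page and not taken from the thread or from FreeRADIUS: the RFC 2865 section 5.2 User-Password hiding that every NAS applies, implemented in Python to show what a server sees when the shared secret it has configured for a client is not the one the NAS used. A password that decodes to garbage for one client while another client works is the usual sign of exactly that mismatch, because the hiding is a XOR against MD5(secret + Request Authenticator): a wrong secret yields pseudo-random bytes rather than a clean "wrong password" reject. All secrets and the authenticator below are constructed values.

```python
import hashlib
import os

# Added example: RFC 2865 section 5.2 User-Password hiding, to show why a RADIUS
# server holding the wrong shared secret for a client logs an unreadable
# password instead of a clean reject. Secrets and the authenticator are
# constructed test values, not anything from the thread.


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does before sending: pad the password with NULs to a
    multiple of 16 bytes and XOR each 16-byte block with
    MD5(secret + previous_cipher_block); the first block uses the 16-byte
    Request Authenticator in place of a previous block."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does on receipt, using *its* configured secret for that
    client. If that secret differs from the one the NAS used, every byte of
    the result is effectively random."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def log_escape(data: bytes) -> str:
    """Render bytes the way the server's log line above does: printable ASCII
    as-is, anything else as a backslash-octal escape such as \\224."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b != 0x5C else "\\%03o" % b
                   for b in data)


def looks_like_secret_mismatch(decoded: bytes) -> bool:
    """Decoded passwords containing non-printable octets are the classic sign
    that client and server disagree on the shared secret."""
    return any(b < 0x20 or b >= 0x7F for b in decoded)


if __name__ == "__main__":
    authenticator = os.urandom(16)          # the NAS picks a fresh one per request
    on_the_wire = hide_password(b"skunk", b"ascend-side-secret", authenticator)
    for server_secret in (b"ascend-side-secret", b"typo-in-clients.conf"):
        seen = unhide_password(on_the_wire, server_secret, authenticator)
        print("server secret %-22r -> [acc-2/%s] mismatch=%s"
              % (server_secret, log_escape(seen), looks_like_secret_mismatch(seen)))
```

log_escape reproduces the backslash-octal rendering seen in the "Login incorrect" line above, so the second iteration of the demo prints the same kind of output. Two caveats for a deployment: the check is per client, so the secret in clients.conf must match for the Ascend entry specifically, and the server only writes passwords into these lines when log_auth_goodpass / log_auth_badpass are enabled in radiusd.conf; leaving both off keeps cleartext passwords out of the log.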


Re: Problem faced in integrating Domino LDAP Server for authentication with FreeRadius Server

2004-04-22 Thread Kostas Kalevras
On Thu, 22 Apr 2004, Joseph Silvin wrote:


 Hi Kostas,

 Thanks for the reply. But I am not able to figure out what to check under
 the identity and password configuration directives. I have run the
 following command and it is able to log in.

 ldapsearch -h 192.168.192.41 -vx -W -p 389 -D MyUserName

 The above command returns back the LDAP schema.
 Please guide in terms of what changes to make.

 Thanks.

 JS.

radiusd.conf:


ldap {
server = ldap.your.domain
identity = cn=admin,o=My Org,c=UA 
password = mypass   



 Note: Without the -x option in the ldapsearch, I am not able to connect.





Better version

2004-04-22 Thread Monica Messa
Hello All,

I'm going to install FreeRADIUS.
Which version is better?

Best regards,
Monica M.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Combining Radius with Apache Authorization

2004-04-22 Thread Charles Thomas
For various reasons, our department has implemented a system whereby we combine Radius authorization (for user login) with the built-in Apache Basic authorization model (for management of individual user directory privileges via use of an .htaccess file).

We're currently seeing some weirdness with this setup, specifically:

Problem #1: If someone logs in and then tries to access a resource for which they do not have permission, the server is throwing out an Internal Server Error (Error code 500) to the browser instead of the proper Unauthorized (Error code 401).

Problem #2: There are times where the .htaccess files are being read, but ignored.  e.g., a user has an .htaccess file in his directory which is being read, but the require groups bar directive is being ignored and he gets access to the directory anyway.

My questions are:

Does anyone have any experience using both systems together?  

If so, do you have any configuration tips you'd be willing to share?

Can anyone theorize why the wrong error is being generated when a user doesn't have access to a resource?  What is generating this error (I'm guessing Apache) and where would I go to try to fix this bug?

Please feel free to email me off-list with any hints.  I'll also be watching here.

Many thanks!

CT
--
Charles Thomas
DoIT Network Services Programmer
University of Wisconsin - Madison
1210 W. Dayton St.  Rm. B111
Madison, WI  53706
(608) 262-1649 Office
(608) 262-7561 Fax
[EMAIL PROTECTED] 

Re: How freeRADIUS handles vendor specific

2004-04-22 Thread Alan DeKok
Shah, Nishant B [EMAIL PROTECTED] wrote:
  Can someone tell me how RADIUS server handles vendor specific 
 attribute. I am sending a packet using radclient with vendor specific 
 attribute and its working. I found that attribute is not in dictionary. I 
 want to know where in the code it checks for the vendor specific attribute. 

  src/lib/radius.c

 What file and function ? I couldn't figure out myself. I want to add tht 
 attribute in dictionary.

  So add it to the dictionary.  You don't have to look at the code to
do that.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS realm info

2004-04-22 Thread Alan DeKok
James [EMAIL PROTECTED] wrote:
 I'd like to know if there is a way to retrieve the realm information
 from the email address field in the certificate or if the realm info
 must be contained in the user name field.

  The realm must be in the user name field.

  There is currently no way to look inside of the users certificate.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Better version

2004-04-22 Thread Milver S. Nisay
 Hello All,
 
 I'm goingo to install FreeRadius.
 What is better version?
www.freeradius.org !



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Combining Radius with Apache Authorization

2004-04-22 Thread Milver S. Nisay




  
 My questions are: Does anyone have any experience using both
 systems together?
YES

 If so, do you have any configuration tips you'd be willing to
 share?
READ BASIC APACHE CONFIGURATION

 Can anyone theorize why the wrong error is being
 generated when a user doesn't have access to a resource? What is generating
 this error (I'm guessing Apache) and where would I go to try to fix this
 bug?
CONFIGURE YOUR APACHE
  


Re: Tagged Attributes and attribute filter does not work correctly

2004-04-22 Thread Alan DeKok
Holger Steppke [EMAIL PROTECTED] wrote:
 I'd like to bother you again about tagged attributes (0.9.3).
 It's not that I'm complaining; I worked around it differently for myself,
 but hopefully someone is interested in seeing this.
 
 If i add some more of those Attributes in the usersfile like
 
 Tunnel-Endpoint:1 += 1.2.3.4
 Tunnel-Endpoint:2 += 1.2.3.5
 
 and then using in attr_filter
 Tunnel-Endpoint =* ANY
 
 we end up with
 Tunnel-Endpoint:0 += 1.2.3.4

  It's a bug in the attr_filter module.

  I've just commited a fix.  The CVS snapshot from tomorrow should
contain the fix.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxying after local reject

2004-04-22 Thread Alan DeKok
Rinaldo Bergamini [EMAIL PROTECTED] wrote:
 I'd like to differentiate users without using realms, my intention is 
 to send the request (proxy) to another radius on another machine ONLY IF 
 it is rejected by the first radius, is it possible?

  Not right now.  With code changes, probably.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Combining Radius with Apache Authorization

2004-04-22 Thread Gary McKinney
From your description it appears it is something in the configuration of Apache.
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Better version

2004-04-22 Thread Milver S. Nisay

  www.freeradius.org !
 
 Thanks, but I want to know your experience!

use the latest CVS




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius - Slipstream

2004-04-22 Thread Alan DeKok
Bob Ross [EMAIL PROTECTED] wrote:
 Question, how do I tell FreeRadius to only allow them to authenticate from
 the network side with one of our realms but not allow them to log in from
 the dialup realm. It could be the same realm name we use for our dialup
 side.

  What is different between the RADIUS Access-Request packets for the
two kinds of requests?

  Once you know how the packets are different, you can key off of
those differences to enforce your policies.

  Also, your explanation of what you want appears to be contradictory.
You want to have people use a dial-up realm to authenticate from the
network side, but prevent them from using the dial-up side?

  Alan Dekok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius - Slipstream

2004-04-22 Thread Bob Ross
That's how they do it. I have no control over that. They told me it was up
to me to filter the difference.

So I figured this would be the best place to ask how to do this. Maybe I'm
wrong, but I see these types of answers a lot as if this list is for those
to tell others they need to learn before they can use.

So I guess all those answering on the list knew it all before they extracted
the program?

   Once you know how the packets are different, you can key off of
 those differences to enforce your policies.

I was only asking for help, not being told I need to learn more. That will
come later.

I have no idea what you're talking about; I guess others off list were
correct.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How freeRADIUS handles vendor specific

2004-04-22 Thread Shah, Nishant B
Alan DeKok [EMAIL PROTECTED] said:

  Can someone tell me how RADIUS server handles vendor specific 
 attribute. I am sending a packet using radclient with vendor specific 
 attribute and its working. I found that attribute is not in dictionary. I 
 want to know where in the code it checks for the vendor specific attribute. 
 
   src/lib/radius.c
 
 What file and function ? I couldn't figure out myself. I want to add tht 
 attribute in dictionary.
 
   So add it to the dictionary.  You don't have to look at the code to
 do that.
 
   Alan DeKok.
I have to give a presentation to my team on this. It would be a great help
if you could throw some more light on it. I looked at radius.c, but it seems that
it checks the code in the packet for vendor-specific, i.e. 26. But how does it
deal with a particular vendor?
Nishant



-- 
Nishant Shah
U4 Computer Engineering
979-268-0866 (M)281-222-3176




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AuthRadiusBindAddress ?

2004-04-22 Thread Charles Thomas
Can someone tell me more about AuthRadiusBindAddress?

From the documentation it's not clear to me whether this directive is 
looking for an IP address of the Radius server to listen on, or if it 
wants an IP address of the localhost from which to do the listening.

Thanks!

CT

--
Charles Thomas
DoIT Network Services Programmer
University of Wisconsin - Madison
1210 W. Dayton St.  Rm. B111
Madison, WI  53706
(608) 262-1649 Office
(608) 262-7561 Fax
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius - Slipstream

2004-04-22 Thread Alan DeKok
Bob Ross [EMAIL PROTECTED] wrote:
 So I figured this would be the best place to ask how to do this. Maybe I'm
 wrong, but I see these types of answers a lot as if this list is for those
 to tell others they need to learn before they can use.

  No.  It's to tell people *what* they need to learn so they can use
it.  If you're trying to use the server without learning how it works,
you have *serious* problems.

  Are you honestly saying that you're upset that you have to learn
something about the server before you can use it?

 So I guess all those answering on the list knew it all before they extracted
 the program?

  I guess the people answering on the list were willing to learn.

Once you know how the packets are different, you can key off of
  those differences to enforce your policies.
 
 I was only asking for help, not being told I need to learn more. That will
 come later.

  You were asking for help.  I gave you help: where to go to learn
more.  If you want someone to hold your hand, ask someone for a tech
support contract.  They'll set it up for you, and charge you a hefty
amount.

 I have no idea what your talking about, I guess others off list were
 correct.

  Probably.  I'm incredibly insensitive: I tell you that you've got to
think for yourself, and learn something about the server, and you're
offended at my response.  I must be a truly horrible person.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How freeRADIUS handles vendor specific

2004-04-22 Thread Alan DeKok
Shah, Nishant B [EMAIL PROTECTED] wrote:
 I have to give presentation to my team for this. It would be a good help 
 if you throw some more lights on it. I looked at radius.c but it seems that 
 it checks for the code in the packet for vendor specific i.e 26. But how it 
 deals with particular vendor??

  It looks it up in the dictionaries.  See rad_decode().

  The whole point of the design is that there shouldn't be anything
special about a particular vendor.  The code just looks up vendor +
attribute in the dictionary, and uses what's there.

  Perhaps you could say *why* you're interested in this information,
or what you're trying to explain.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
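As an added illustration of the dictionary-driven decoding Alan describes (example code written for this page, not FreeRADIUS's rad_decode()): a parser for the attribute area of a RADIUS packet with a two-table stand-in for the server's dictionary files. The only thing that distinguishes one vendor from another is the table. The Cisco entry (vendor 9, Cisco-AVPair as vendor type 1) is real; vendor 99999 is a made-up unknown vendor, and the Vendor-99999-Attr-7 naming for unresolved attributes is this example's own convention, not how the server names attributes it cannot resolve.

```python
import struct

# Added example (not FreeRADIUS code): walking a RADIUS attribute list and
# resolving a Vendor-Specific attribute (type 26) purely by dictionary lookup.
# Cisco (vendor 9) / Cisco-AVPair (vendor type 1) is real; vendor 99999 is a
# constructed unknown vendor.

ATTRIBUTES = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    26: ("Vendor-Specific", "octets"),
}
VENDOR_ATTRIBUTES = {
    (9, 1): ("Cisco-AVPair", "string"),
}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value: one byte type, one byte total length, then value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be at most 253 bytes")
    return bytes([attr_type, 2 + len(value)]) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26: 4-byte Vendor-Id (high octet zero) followed by the
    vendor's own TLV, the format RFC 2865 section 5.26 recommends."""
    if not 0 < vendor_id < 1 << 24:
        raise ValueError("Vendor-Id must fit in 24 bits")
    inner = bytes([vendor_type, 2 + len(value)]) + value
    return encode_attr(26, struct.pack("!I", vendor_id) + inner)


def render(kind: str, value: bytes):
    if kind == "string":
        return value.decode("utf-8", "replace")
    if kind == "ipaddr" and len(value) == 4:
        return ".".join(str(b) for b in value)
    return value.hex()


def decode_vsa(value: bytes) -> list:
    """Resolve the vendor's TLVs by looking up (vendor, type) in the table.
    Nothing here is specific to any vendor; only the table is."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific attribute too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id >> 24:
        raise ValueError("high octet of Vendor-Id must be zero")
    out, i = [], 4
    while i < len(value):
        if len(value) - i < 2:
            raise ValueError("truncated vendor attribute header")
        vtype, vlen = value[i], value[i + 1]
        if vlen < 2 or i + vlen > len(value):
            raise ValueError("bad vendor attribute length")
        name, kind = VENDOR_ATTRIBUTES.get(
            (vendor_id, vtype), ("Vendor-%d-Attr-%d" % (vendor_id, vtype), "octets"))
        out.append((name, render(kind, value[i + 2:i + vlen])))
        i += vlen
    return out


def decode_attrs(data: bytes) -> list:
    """Walk the attribute area of a packet; every length field is checked
    against the remaining data before it is trusted."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        if attr_type == 26:
            out.extend(decode_vsa(value))
        else:
            name, kind = ATTRIBUTES.get(attr_type, ("Attr-%d" % attr_type, "octets"))
            out.append((name, render(kind, value)))
        i += length
    return out


def is_malformed(data: bytes) -> bool:
    """True when the attribute area cannot be parsed safely."""
    try:
        decode_attrs(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = (encode_attr(1, b"bob")
              + encode_attr(4, bytes([192, 0, 2, 20]))
              + encode_vsa(9, 1, b"shell:priv-lvl=15")
              + encode_vsa(99999, 7, b"\x01\x02"))
    for name, value in decode_attrs(sample):
        print("%s = %s" % (name, value))
```

Adding a vendor means adding rows to VENDOR_ATTRIBUTES, which is the same step as adding a dictionary file to the server: no code changes. Every length byte is checked against the remaining data before use, so a packet that claims more bytes than it carries is rejected rather than read past its end; that check is the one a parser of attacker-reachable UDP must never skip.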


Re: AuthRadiusBindAddress ?

2004-04-22 Thread Alan DeKok
Charles Thomas [EMAIL PROTECTED] wrote:
  From the documentation it's not clear to me whether this directive is 
 looking for an IP address of the Radius server to listen on, or if it 
 wants an IP address of the localhost from which to do the listening.

  It's the IP address of the local host:

...
# Bind client (local) socket to this local IP address.
# The server will then see RADIUS client requests will come from
# the given IP address.
...

  Another configuration entry tells it which RADIUS server to talk to:

AddRadiusAuth server[:port] shared-secret ...

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AuthRadiusBindAddress ?

2004-04-22 Thread Milver S. Nisay

  From the documentation it's not clear to me whether this directive is
 looking for an IP address of the Radius server to listen on, or if it
 wants an IP address of the localhost from which to do the listening.

You are in effect asking to install FreeRADIUS on host A and listen for RADIUS
authentication requests on host B. In other words, you asked the same question
twice, so both are correct; I think you are confusing yourself about TO and ON.
This auth bind address covers a RADIUS server host which has multiple NICs, each
with a separate IP address, or even more virtual IPs on each NIC.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication Help

2004-04-22 Thread Guy Fraser
Search the archives.

Just yesterday I sent another example of how to configure for sql, and 
gave some sample
data.

Look for postgres, in the archives.

The same data works with MySQL and the only config change is to include 
sql.conf
instead of postgresql.conf.

On the 20th I collected the most current version from CVS then built and 
installed it.

Yesterday I spent 10 minutes and configured the new radiusd.conf and
postgresql.conf for PostgreSQL and tested it with encrypted and clear text
passwords. I then changed the include from postgresql.conf to sql.conf and
configured sql.conf.
Here is some sample data for MySQL {password for troll is skunk}.

delete from usergroup ;
insert into usergroup (username,groupname) values('fredf','ppp-unlimited');
insert into usergroup (username,groupname) values('barneyr','ppp-static');
insert into usergroup (username,groupname) values('troll','ppp-unlimited');
insert into usergroup (username,groupname) values('frog','nas-prompt');
delete from radcheck ;
insert into radcheck (username,attribute,op,value) 
values('fredf','User-Password','==','wilma');
insert into radcheck (username,attribute,op,value) 
values('barneyr','User-Password','==','betty');
insert into radcheck (username,attribute,op,value) 
values('troll','Crypt-Password','==','$1$A8BotTi4$UTg2XL.fSStI2RFENUfnR.');
insert into radcheck (username,attribute,op,value) 
values('frog','User-Password','==','kermit');
delete from radreply ;
insert into radreply (username,attribute,op,value) 
values('barneyr','Framed-IP-Address',':=','10.19.65.38');
insert into radreply (username,attribute,op,value) 
values('barneyr','Framed-IP-Netmask',':=','255.255.255.252');
delete from radgroupreply ;
insert into radgroupreply (groupname,attribute,op,value) 
values('ppp-unlimited','Framed-Compression',':=','Van-Jacobson-TCP-IP');
insert into radgroupreply (groupname,attribute,op,value) 
values('ppp-unlimited','Framed-Protocol',':=','PPP');
insert into radgroupreply (groupname,attribute,op,value) 
values('ppp-unlimited','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) 
values('ppp-unlimited','Framed-MTU',':=','1500');
insert into radgroupreply (groupname,attribute,op,value) 
values('ppp-static','Framed-Compression',':=','Van-Jacobson-TCP-IP');
insert into radgroupreply (groupname,attribute,op,value) 
values('ppp-static','Framed-Protocol',':=','PPP');
insert into radgroupreply (groupname,attribute,op,value) 
values('ppp-static','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) 
values('ppp-static','Framed-MTU',':=','1500');
insert into radgroupreply (groupname,attribute,op,value) 
values('nas-prompt','Framed-MTU',':=','1500');
insert into radgroupreply (groupname,attribute,op,value) 
values('nas-prompt','Framed-Compression',':=','Van-Jacobson-TCP-IP');
insert into radgroupreply (groupname,attribute,op,value) 
values('nas-prompt','Service-Type',':=','NAS-Prompt');
NOTE: There is nothing in radgroupcheck .

Bob Ross wrote:

Believe me when I tell you I do understand what you're saying. The problem was
that I was tossed into this after all our fees were paid to the wholesale
dialup provider when he told us they do PAP, and on the day we were ready to
start it didn't work. So I was between a rock and a hard place and was
recommended to use MySQL and FreeRADIUS, both of which I had never used or
looked at before a week ago.
It has been authenticating fine so far, no problems noticeable, but I still
have to leave the two Auth-Type entries in the users file or it quits. It works now
and I think I'll leave it and hope it doesn't break.
Thanks for all your help.
Bob Ross
 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
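An added example, not part of the thread and not rlm_sql: a small evaluator over the usergroup / radcheck / radgroupcheck / radgroupreply tables from the sample data above, run against an in-memory SQLite database, to make concrete the advice in the Slipstream thread to key on what differs between the two kinds of Access-Request. The difference used here is NAS-IP-Address: the group that grants SlipStream carries a radgroupcheck item binding it to the accelerator's address, and the dialup group is bound to the dialup NAS, so a user who only bought acceleration is refused when the request arrives from the dialup side. Users, passwords, group names and the 192.0.2.x addresses are constructed; the accept/reject rule (the user's own check items pass, and at least one group's check items pass) is this example's own, not the server's exact evaluation order.

```python
import sqlite3

# Added example, not rlm_sql: a policy evaluator over the page's SQL schema that
# binds group entitlements to the NAS the request came from. Users, passwords
# and addresses are constructed; 192.0.2.10 plays the accelerator and
# 192.0.2.20 the dialup NAS (RFC 5737 documentation range).

SCHEMA = """
CREATE TABLE usergroup     (username  TEXT, groupname TEXT);
CREATE TABLE radcheck      (username  TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""

SAMPLE_DATA = [
    ("usergroup", ("fredf", "ppp-unlimited")),       # dialup subscriber ...
    ("usergroup", ("fredf", "slipstream")),          # ... who also bought acceleration
    ("usergroup", ("barneyr", "ppp-unlimited")),     # dialup only
    ("usergroup", ("pebbles", "slipstream")),        # bought acceleration, not a subscriber
    ("radcheck", ("fredf", "User-Password", "==", "wilma")),
    ("radcheck", ("barneyr", "User-Password", "==", "betty")),
    ("radcheck", ("pebbles", "User-Password", "==", "bambam")),
    # the dialup group only applies to requests from the dialup NAS
    ("radgroupcheck", ("ppp-unlimited", "NAS-IP-Address", "==", "192.0.2.20")),
    ("radgroupreply", ("ppp-unlimited", "Service-Type", ":=", "Framed-User")),
    ("radgroupreply", ("ppp-unlimited", "Framed-Protocol", ":=", "PPP")),
    # the accelerator group only applies to requests from the accelerator
    ("radgroupcheck", ("slipstream", "NAS-IP-Address", "==", "192.0.2.10")),
    ("radgroupreply", ("slipstream", "SlipStream", ":=", "true")),
]


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, row in SAMPLE_DATA:   # table names come from the constant above, not from input
        db.execute("INSERT INTO %s VALUES (%s)" % (table, ",".join("?" * len(row))), row)
    return db


def check_items_pass(items, request: dict) -> bool:
    """Every (attribute, op, value) check item must hold against the request."""
    for attribute, op, value in items:
        actual = request.get(attribute)
        if op == "==" and actual != value:
            return False
        if op == "!=" and actual == value:
            return False
        if op not in ("==", "!="):
            raise ValueError("unsupported check operator %r" % op)
    return True


def authorize(db: sqlite3.Connection, request: dict):
    """Return (accepted, reply_attributes). Rule of this evaluator: the user's
    own radcheck items must pass, and at least one of the user's groups must
    have all of its radgroupcheck items pass; replies are gathered from the
    groups that matched (':=' overwrites). A user whose only group is bound to
    the accelerator is therefore rejected from the dialup NAS."""
    user = request.get("User-Name")
    items = db.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ?", (user,)).fetchall()
    if not items or not check_items_pass(items, request):
        return False, {}
    groups = [g for (g,) in db.execute(
        "SELECT groupname FROM usergroup WHERE username = ?", (user,))]
    reply, matched = {}, False
    for group in groups:
        gitems = db.execute(
            "SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ?", (group,)).fetchall()
        if not check_items_pass(gitems, request):
            continue
        matched = True
        for attribute, _op, value in db.execute(
                "SELECT attribute, op, value FROM radgroupreply WHERE groupname = ?", (group,)):
            reply[attribute] = value
    if groups and not matched:
        return False, {}
    return True, reply


if __name__ == "__main__":
    db = open_db()
    for user, pw, nas in (("fredf", "wilma", "192.0.2.10"), ("fredf", "wilma", "192.0.2.20"),
                          ("pebbles", "bambam", "192.0.2.10"), ("pebbles", "bambam", "192.0.2.20")):
        print(user, nas, authorize(db, {"User-Name": user, "User-Password": pw,
                                        "NAS-IP-Address": nas}))
```

The NAS-IP-Address attribute is only trustworthy because the client's shared secret authenticates the packet it arrives in, so the accelerator and the dialup NAS need their own entries in clients.conf; with those in place, a Huntgroup-Name check item keyed on the huntgroups file would serve the same purpose as the address comparison here.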


RE: FreeRadius - Slipstream

2004-04-22 Thread Eliot, GLI wireless tech support
You need to set up your server so that people who buy acceleration send
their own realm information with a username. For instance... You have
username bob and he is trying to log in to your acceleration server
through his Internet service provider Joe ISP who has domain name
joeisp.com. He needs to send [EMAIL PROTECTED] to your acceleration server
to log in. Then joeisp.com needs some tool to add [EMAIL PROTECTED] as a
valid customer to be authenticated. This setup assumes that Joe ISP is
buying reselling rights from you for your acceleration server and
software. It's a logistics issue, not a configuration issue. 

-Original Message-
From: Bob Ross [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 22, 2004 4:25 AM
To: Free Radius
Subject: FreeRadius - Slipstream

I'm hoping this will be an easy one to get answered.

I have all dialup authentication running as hoped for the past several
hours.

I came across one more little config I'm trying to work out.

I have an accelerator server that I'm able to sell to anyone and they
don't have to be on our service to buy it.

I have a radgroupcheck for the users setup with the SlipStream=true if
they pay for it.

Question, how do I tell FreeRadius to only allow them to authenticate
from the network side with one of our realms but not allow them to log in
from the dialup realm. It could be the same realm name we use for our dialup
side.

Thanks
Bob Ross








RE: How freeRADIUS handles vendor specific

2004-04-22 Thread Eliot, GLI wireless tech support
What he is saying is that you do not need to dig through the code to
figure out this problem. Each dictionary file contains all the vendor
specific attributes that you need. There is not a particular
vendor-specific-attribute field to deal with. There are just entries in
a dictionary file for that vendor. Those entries are the vendor specific
attributes. You just enter the appropriate vendor attributes and values
into a dictionary file for that vendor. Usually you format the file like
this:

VENDOR  vendor name goes here   vendor number goes here

ATTRIBUTE  vendor specific attribute  value  data type  vendor name
...

You will have to get all that information from the vendor. 

-Original Message-
From: Shah, Nishant B [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 22, 2004 12:23 PM
To: [EMAIL PROTECTED]
Subject: Re: How freeRADIUS handles vendor specific 

Alan DeKok [EMAIL PROTECTED] said:

  Can someone tell me how the RADIUS server handles vendor specific
 attributes. I am sending a packet using radclient with a vendor specific
 attribute and it's working. I found that the attribute is not in the
 dictionary. I want to know where in the code it checks for the vendor
 specific attribute.
 
   src/lib/radius.c
 
  What file and function? I couldn't figure it out myself. I want to add
 that attribute in the dictionary.
 
   So add it to the dictionary.  You don't have to look at the code to
 do that.
 
   Alan DeKok.
  I have to give a presentation to my team for this. It would be a good
help if you throw some more light on it. I looked at radius.c but it seems
that it checks for the code in the packet for vendor specific, i.e. 26. But
how does it deal with a particular vendor??
Nishant
 
 



-- 
Nishant Shah
U4 Computer Engineering
979-268-0866 (M)281-222-3176








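The lookup Nishant asks about, as an added example in Python that is not FreeRADIUS code: a small parser for the VENDOR/ATTRIBUTE dictionary lines described above, and a decoder that names a Vendor-Specific (26) attribute through that dictionary, using Cisco's real vendor number 9 and Cisco-AVPair. The one-sub-attribute-per-VSA layout and the sample dictionary text are simplifications assumed for the example.

```python
"""Added example (not FreeRADIUS code): how VENDOR/ATTRIBUTE dictionary
lines give names to the contents of RADIUS attribute 26 (Vendor-Specific).
Simplified deliberately: one sub-attribute per VSA and the common 1-octet
vendor type/length layout; FreeRADIUS's src/lib/radius.c also handles
vendors with other layouts and several sub-attributes in one VSA."""
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type

# Constructed dictionary fragment in the one-line format described above.
# Vendor number 9 and Cisco-AVPair (type 1, string) are Cisco's real values;
# the rest of the vendor's file is omitted.
DICTIONARY_TEXT = """
# FreeRADIUS-style dictionary: comments start with '#'
VENDOR      Cisco           9
ATTRIBUTE   Cisco-AVPair    1   string   Cisco
ATTRIBUTE   Cisco-NAS-Port  2   string   Cisco
"""


def parse_dictionary(text):
    """Return (vendor name by number, {(vendor number, attr number): (name, type)})."""
    vendor_by_name = {}
    attrs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "VENDOR" and len(fields) >= 3:
            vendor_by_name[fields[1]] = int(fields[2])
        elif fields[0] == "ATTRIBUTE" and len(fields) >= 5:
            name, number, dtype, vendor = fields[1], int(fields[2]), fields[3], fields[4]
            if vendor not in vendor_by_name:
                raise ValueError(f"ATTRIBUTE {name} names unknown vendor {vendor}")
            attrs[(vendor_by_name[vendor], number)] = (name, dtype)
    vendor_by_number = {num: name for name, num in vendor_by_name.items()}
    return vendor_by_number, attrs


def encode_vsa(vendor_number, vendor_type, value):
    """Build one attribute-26 TLV: Type, Length, Vendor-Id (4 octets), then
    the vendor sub-attribute (Vendor-Type, Vendor-Length, value)."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_number) + sub


def decode_vsa(attr, vendor_by_number, attrs):
    """Name a Vendor-Specific attribute the way a dictionary lookup does:
    vendor number -> VENDOR line, then (vendor, type) -> ATTRIBUTE line.
    An attribute missing from the dictionary comes back as raw bytes."""
    if len(attr) < 8:
        raise ValueError("too short for a Vendor-Specific attribute")
    atype, alen, vendor_number = struct.unpack("!BBI", attr[:6])
    vendor_type, vendor_len = attr[6], attr[7]
    if (atype != VENDOR_SPECIFIC or alen != len(attr)
            or vendor_len < 2 or 6 + vendor_len > alen):
        raise ValueError("malformed Vendor-Specific attribute")
    value = attr[8:6 + vendor_len]
    entry = attrs.get((vendor_number, vendor_type))
    if entry is None:
        # Nothing in the dictionary for this vendor/type: the server can only
        # show it as an opaque Vendor-Specific blob, which is why adding the
        # ATTRIBUTE line matters.
        return {"name": "Vendor-Specific", "vendor": vendor_number,
                "type": vendor_type, "value": value}
    name, dtype = entry
    if dtype == "string":
        value = value.decode("utf-8", "replace")
    elif dtype == "integer" and len(value) == 4:
        value = struct.unpack("!I", value)[0]
    return {"name": name, "vendor": vendor_by_number[vendor_number],
            "type": vendor_type, "value": value}


if __name__ == "__main__":
    vendors, attrs = parse_dictionary(DICTIONARY_TEXT)
    vsa = encode_vsa(9, 1, b"h323-call-origin=originate")   # constructed sample
    print(decode_vsa(vsa, vendors, attrs))
```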


Re: Authentication Help

2004-04-22 Thread Milver S. Nisay

 delete from usergroup ;
 insert into usergroup (username,groupname) values('fredf','ppp-unlimited');
 insert into usergroup (username,groupname) values('barneyr','ppp-static');
 insert into usergroup (username,groupname) values('troll','ppp-unlimited');
 insert into usergroup (username,groupname) values('frog','nas-prompt');

wow, don't make it hard for yourself doing all the same commands every day...
if you need MySQL database administration using a nice PHP or PERL script,
customized for your MySQL database, contact me off the list. :)

cheers,
//milver





Accounting problem with MySQL

2004-04-22 Thread Nick Berry
I have installed FreeRadius 0.9.3 on Debian 3, using MySQL for
authentication and accounting, but the radacct table is not being
populated.  I had been using FreeRadius 0.8.1 under Solaris 7, and it had
been authenticating and maintaining the radacct table until after I
configured the Debian server; I had missed commenting out the simultaneous
logins entries under sql.conf and noticed in radius.log that users were being
denied, so (not thinking) I dumped the radacct table and deleted all
records.  Since then, I have commented out simul_count_query and
simul_verify_query in sql.conf.

My first stab at this would be that the user, raduser, in MySQL does
not have INSERT privileges, but that's been ruled out by connecting to
the database from the radius server as raduser and inserting into
radacct AND raduser was granted all privileges to the database from
any host.

Second guess would be differing configuration files, but I've gone
through sql.conf line by line and verified they were identical.

Has anyone else come across this (or a similar issue)?  Should radiusd
-X show the INSERT statement in the debug output?

Any help is greatly appreciated.

Below is the output of radiusd -s -f -X:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /remotelogging/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /remotelogging/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 7
 main: max_requests = 2048
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /remotelogging/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: bind_address = 192.168.1.100 IP address [192.168.1.100]
 main: user = nobody
 main: group = nogroup
 main: usercollide = off
 main: lower_user = before
 main: lower_pass = no
 main: nospace_user = before
 main: nospace_pass = before
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded SQL
 sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port = 
 sql: login = raduser
 sql: password = pass
 sql: radius_db = radius
 sql: acct_table = radacct
 sql: acct_table2 = radacct
 sql: authcheck_table = radcheck
 sql: authreply_table = radreply
 sql: groupcheck_table = radgroupcheck
 sql: groupreply_table = radgroupreply
 sql: usergroup_table = usergroup
 sql: nas_table = nas
 sql: dict_table = dictionary
 sql: sqltrace = no
 sql: sqltracefile = /var/log/radius/sqltrace.sql
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: default_user_profile = 
 sql: query_on_not_found = no
 sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_group_check_query = SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
 sql: authorize_group_reply_query = SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM 

Re: Accessing/using the EAP identifier field

2004-04-22 Thread Alan DeKok
Aurelien Magniez [EMAIL PROTECTED] wrote:
 In details, after reading the Packet modification
 attacks paragraph in the RFC 2284bis (It is
 RECOMMENDED that methods providing integrity
 protection of EAP packets include coverage of all the
 EAP header fields, including the Code, Identifier,
 Length, Type and Type-Data fields.), I wondered how
 the EAP Identifier field was managed under FreeRADIUS.

  Internally, automatically.

 Indeed, I'm working on a pre-shared key EAP method and
 I would like to protect the EAP header thanks to a MAC
 calculated by my method. To do so, my method needs to
 know the value of the EAP Identifier field of the EAP
 request packet it will be sent in.

  The data structures give you access to the previous identifier, so
you can use that to calculate the next one.

  If your method always uses an incrementing identifier, you can use
that knowledge to calculate the MAC.

 Freeradius. Solution #2 works out fine since
 Freeradius seems to calculate the value of the EAP
 Identifier field of the EAP request packet it will
 send by incrementing the previous one by one.

  Yes.

 Practically in a WLAN scenario, the first EAP message
 received by Freeradius is generally an EAP
 Response/Identity sent by the AP. Thus the AP dictates
 the initial value FreeRADIUS increments later on.

  Yes.

 This
 behavior of Freeradius, though allowed, is however not
 the one recommended by RFC 2284bis : The value of the
 EAP Identifier field of the EAP request packet it will
 send. One way to achieve this is to start the
 Identifier at an initial value and increment it for
 each new Request. Initializing the first Identifier
 with a random number rather than starting from zero is
 recommended, since it makes sequence attacks somewhat
 harder.

  The problem is that the client sends the initial EAP packet, with a
particular identifier value.  It then *also* expects a particular
identifier value back from FreeRADIUS.  So the incrementing by
FreeRADIUS isn't done to follow the RFCs, it's done to match the
client's expectations.

  If FreeRADIUS were to send *another* identifier back, many clients
wouldn't like it, and would discard it.

  Alan DeKok.

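The Identifier handling Alan describes, as an added example in Python that is not FreeRADIUS code: the next Request's Identifier is the previous one plus one, and a method-computed MAC covers every EAP header field (Code, Identifier, Length, Type, Type-Data) as the RFC excerpt recommends. The MAC construction (HMAC-SHA256 truncated to 16 octets, appended after Type-Data) and the use of EAP type 255 (experimental) are assumptions for illustration, not a real method's wire format.

```python
"""Added example (not FreeRADIUS code): predict the Identifier of the next
EAP Request as previous + 1, as FreeRADIUS does, so that an EAP method can
compute a MAC over the whole EAP header. The MAC layout is a constructed
illustration, not any standard EAP method's format."""
import hashlib
import hmac
import struct

EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_PSK_DEMO = 255   # assumption: EAP type 255 is reserved for experimental use
MAC_LEN = 16


def next_identifier(previous):
    """Identifier of the next Request: the previous one plus one, wrapping at
    one octet (what FreeRADIUS does, per the reply above)."""
    return (previous + 1) & 0xFF


def response_identity(identifier, identity):
    """The EAP Response/Identity the AP forwards first; its Identifier is the
    value FreeRADIUS will increment."""
    length = 5 + len(identity)
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, length,
                       EAP_TYPE_IDENTITY) + identity


def build_request(previous_identifier, type_data, psk):
    """Server side: build Code|Identifier|Length|Type|Type-Data|MAC, where the
    MAC is computed over every octet that precedes it, Identifier included."""
    identifier = next_identifier(previous_identifier)
    length = 5 + len(type_data) + MAC_LEN
    header = struct.pack("!BBHB", EAP_REQUEST, identifier, length, EAP_TYPE_PSK_DEMO)
    body = header + type_data
    mac = hmac.new(psk, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + mac


def verify_request(packet, expected_identifier, psk):
    """Peer side: check Code, Length, the Identifier it expects, and the MAC.
    Any change to a covered header field (Identifier, Type, ...) fails the MAC."""
    if len(packet) < 5 + MAC_LEN:
        return False
    code, identifier, length, _eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_REQUEST or length != len(packet) or identifier != expected_identifier:
        return False
    body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    expected_mac = hmac.new(psk, body, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(mac, expected_mac)


def tamper(packet, offset, delta):
    """Modify one octet (offset 1 is the Identifier) to show that the MAC
    detects header modification."""
    data = bytearray(packet)
    data[offset] = (data[offset] + delta) & 0xFF
    return bytes(data)


if __name__ == "__main__":
    psk = b"constructed-shared-secret"          # constructed sample key
    resp = response_identity(0x2A, b"bob@joeisp.example")   # constructed sample
    req = build_request(resp[1], b"server-nonce-demo", psk)
    print("next Identifier:", req[1], "verifies:", verify_request(req, req[1], psk))
```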


Re: Accounting problem with MySQL

2004-04-22 Thread Milver S. Nisay
 Has anyone else come across this (or a similar issue)?  Should radiusd
 -X show the INSERT statement in the debug output?
 
Yes. 
Do radiusd -X | grep INSERT





Re: Better version

2004-04-22 Thread radius
If you are in production use the latest stable version, but if you are just 
testing and learning, the programmers and the rest of us freeradius users 
would like the latest CVS so bug fixes and other issues can be corrected. This 
helps make freeradius killer.
But if you are a debian user you can opt for a previous packaged version.
Somehow you can really fall in love with debian's apt-get install and 
upgrade. Debian takes pride in stability so you get what has been already 
tested and suitable.

I guess it really depends, what would you like to use it for? I have started 
around 0.7.1 and am running 0.9.3; all versions did what I asked them to 
do. Because I am in production I use the most recent stable version, but 
during the winter when I have time... I love to play with the CVS's too or 
just even watch the development and issues mature on the list. 

You want to know my experience?
1. You will never find a better radius server at this price.
2. If you really read and understand the documentation first, all of us list 
users and mostly the programmers will help you.
3. Think before you ask; this list can be Killer Brutal to people who expect 
someone to do it for them (buy commercial support if you expect this).
Do not ask a lame question that is covered in the config files, or reply in 
a rude manner.
I have seen a list user verbally attack a programmer; this user was a highly 
educated idiot, and the rest of us did not appreciate this attack.
After all, these programmers donate time to help us; if they quit how can we 
move forward? 

Do not be intimidated by freeradius, you will be up and running in no time.
Just get your tar file installed and read all the config files (it's not the 
A-Z Encyclopedia Britannica and is quite small as config files go :)
I hope this helps you. 

freeradius RULZ ! 

- Original Message -
From: Milver S. Nisay [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 22, 2004 10:41 AM
Subject: Re: Better version 


  www.freeradius.org !
 
 Thanx, but I want to know your experience! 

Use the latest CVS.

 



Re: Combining Radius with Apache Authorization

2004-04-22 Thread Alan DeKok
Charles Thomas [EMAIL PROTECTED] wrote:
 Problem #1: If someone logs in and then tries to access a resource for 
 which they do not have permission, the server is throwing out an 
 Internal Server Error (Error code 500) to the browser instead of the 
 proper Unauthorized (Error code 401).

  And it's pretty much impossible to figure out why Apache is
returning 500 instead of 401.

  While many people dislike the near-gigabytes of debug output FreeRADIUS
produces, those logs are *incredibly* useful.  When I try figuring out
what Apache is doing, most of the time I give up in frustration.

  That being said, the Internal Server Error *should* result in a
message being logged in the error file.

 Problem #2: There are times where the .htaccess files are being read, 
 but ignored.  e.g., a user has an .htaccess file in his directory which 
 is being read, but the require groups bar directive is being ignored 
 and he gets access to the directory anyway.

  Yup.  It's not clear when certain configurations override others,
or why.

 Does anyone have any experience using both systems together?

  Unfortunately, yes.

 If so, do you have any configuration tips you'd be willing to share?


  Unfortunately, no.  My preference is to avoid Apache, as I can't
understand it.

 Can anyone theorize why the wrong error is being generated when a user 
 doesn't have access to a resource?  What is generating this error (I'm 
 guessing Apache) and where would I go to try to fix this bug?

  My usual method is to run gdb on apache, and watch where the error
is being generated, and walk back up the stack trace.  It's not a
method which I would recommend for most people, though.

  Alan DeKok.



FreeRADIUS sending Access-Reject if no response to proxied Access-Request

2004-04-22 Thread John Butala
All,

When synchronous=yes in the proxy.conf and there is no response to a 
proxied Access-Request, FreeRADIUS will send an Access-Reject to the 
RADIUS client.

With the following proxy.conf configuration, proxied Access-Requests 
without a response will generate an Access-Reject after 2-3 seconds.

proxy server {
   synchronous = yes
   retry_delay = 0
   retry_count = 0
   dead_time = 0
   default_fallback = no
   post_proxy_authorize = no
}
With the following proxy.conf configuration, proxied Access-Requests 
without a response will generate an Access-Reject after max_request_time 
expires.

proxy server {
   synchronous = yes
   retry_delay = 10
   retry_count = 10
   dead_time = 0
   default_fallback = no
   post_proxy_authorize = no
}
Is this expected FreeRADIUS behavior?

Thanks,

John

# /usr/local/sbin/radiusd -v
radiusd: FreeRADIUS Version 1.0.0-pre0, for host , built on Mar 26 2004 
at 20:08:50
Copyright (C) 2000-2003 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.





Re: Combining Radius with Apache Authorization

2004-04-22 Thread Gary McKinney
Just a thought... try checking in the httpd-error.log file to see what Apache is 
saying is the problem... it may be rather cryptic but should point you in the right 
direction 
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Charles Thomas [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 22 Apr 2004 08:36:55 -0500

For various reasons, our department has implemented a system whereby we 
combine Radius authorization (for user login) with the built-in Apache 
Basic authorization model (for management of individual user directory 
privileges via use of an .htaccess file).

We're currently seeing some weirdness with this setup, specifically:

Problem #1: If someone logs in and then tries to access a resource for 
which they do not have permission, the server is throwing out an 
Internal Server Error (Error code 500) to the browser instead of the 
proper Unauthorized (Error code 401).

Problem #2: There are times where the .htaccess files are being read, 
but ignored.  e.g., a user has an .htaccess file in his directory which 
is being read, but the require groups bar directive is being ignored 
and he gets access to the directory anyway.

My questions are:

Does anyone have any experience using both systems together?

If so, do you have any configuration tips you'd be willing to share?

Can anyone theorize why the wrong error is being generated when a user 
doesn't have access to a resource?  What is generating this error (I'm 
guessing Apache) and where would I go to try to fix this bug?

Please feel free to email me off-list with any hints.  I'll also be 
watching here.

Many thanks!

CT
--
Charles Thomas
DoIT Network Services Programmer
University of Wisconsin - Madison
1210 W. Dayton St.  Rm. B111
Madison, WI  53706
(608) 262-1649 Office
(608) 262-7561 Fax
[EMAIL PROTECTED]


 

 



Re: Combining Radius with Apache Authorization

2004-04-22 Thread Charles Thomas
My suspicion is this:

Currently, the way things are configured, the user logs in using Radius and is either a valid user or denied.  When the user switches to a directory which is being managed using Apache's Basic Authentication model and an .htaccess file, they are not being re-prompted for a password, but rather the name is being compared against a list of people in a groups file using a method like this:

(in .htaccess file)

   AuthGroupFile /usr/local/web/etc/groups
   require group foo

I'm guessing that the AuthGroupFile is expecting to go look at a password file which does not exist, and that's generating the 500 error.

Perhaps the question I OUGHT to be asking is how people would handle a situation where:

1) Users should be validated using Radius so that passwords can be encrypted during transmission.

2) Users have to be permitted/denied resources on a directory-by-directory basis without doing this management in a file that has to be modified by root (i.e. in a manner which can be automated to accommodate a highly dynamic user/resource scenario).


On Apr 22, 2004, at 3:14 PM, Alan DeKok wrote:
Charles Thomas [EMAIL PROTECTED] wrote:
Problem #1: If someone logs in and then tries to access a resource for 
which they do not have permission, the server is throwing out an 
Internal Server Error (Error code 500) to the browser instead of the 
proper Unauthorized (Error code 401).

And it's pretty much impossible to figure out why Apache is
returning 500 instead of 401.

While many people dislike the near-gigabytes of debug output FreeRADIUS
produces, those logs are *incredibly* useful.  When I try figuring out
what Apache is doing, most of the time I give up in frustration.

That being said, the Internal Server Error *should* result in a
message being logged in the error file.


--
Charles Thomas
DoIT Network Services Programmer
University of Wisconsin - Madison
1210 W. Dayton St.  Rm. B111
Madison, WI  53706
(608) 262-1649 Office
(608) 262-7561 Fax
[EMAIL PROTECTED]


Re: Compile freeradius in C++

2004-04-22 Thread [EMAIL PROTECTED]
Thank you for this input too.
I will definitely use it.
At 09:20 20/04/2004, you wrote:
Hi,

I also wrote a C++ module under FreeRadius. Look at
this page :
http://lists.cistron.nl/archives/freeradius-devel/2004/04/msg1.html

Aurélien Magniez









Re: FreeRADIUS sending Access-Reject if no response to proxied Access-Request

2004-04-22 Thread Alan DeKok
John Butala [EMAIL PROTECTED] wrote:
 With the following proxy.conf configuration, proxied Access-Requests 
 without a response will generate an Access-Reject after max_request_time 
 expires.
 
 proxy server {
 synchronous = yes
 retry_delay = 10
 retry_count = 10
...
 Is this expected FreeRADIUS behavior ?

  Yes.

  The server takes retry_delay * retry_count as the time to use to
determine that the home server is dead.  This happens even when
proxying synchronously, when it may not actually be sending packets.

  In your case,

retry_delay * retry_count > max_request_time

  so the server rejects the request at max_request_time.  If you set
retry_delay = 2, you'll see that

retry_delay * retry_count < max_request_time

  and the server should send a reject after 20 seconds.

  Alan DeKok.



Re: Freeradius + PostgreSQL not working

2004-04-22 Thread Pascal Polleunus
VoipOne NOC wrote:
I've got this:

Module: Loaded SQL 
rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded
and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radacct
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_postgresql #0
rlm_sql (sql): Connected new DB handle, #0
.
.
.
rlm_sql (sql): starting 24
rlm_sql (sql): Attempting to connect rlm_sql_postgresql #24
rlm_sql (sql): Connected new DB handle, #24
Module: Instantiated sql (sql) 

Is it right if it goes up to 24?
Yes.

In radiusd.conf, we changed the following:
- bind_address = *
+ bind_address = 1.2.3.4
- port = 0
+ port = 1812
- with_cisco_vsa_hack = no
+ with_cisco_vsa_hack = yes
- $INCLUDE  ${confdir}/sql.conf
+ $INCLUDE  ${confdir}/pgsql-voip.conf  # (cfr here attached)
  accounting {
+   sql
  }
And instead of the sql.conf, we based our config on the attached file 
pgsql-voip.conf.
Check this link for more info:
http://www.freeradius.org/cgi-bin/cvsweb.cgi/%7Echeckout%7E/radiusd/src/billing/README?rev=1.5&content-type=text/plain

What you can do also to test is activate the following in pgsql-voip.conf:
# Print all SQL statements when in debug mode (-x)
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql
When you start freeradius -x, you should see something like this when 
FreeRADIUS is receiving packets:
...rlm_sql...
Listening on IP address 1.2.3.4, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Accounting-Request packet from host 5.6.7.8:1646, id=18, 
length=452
Acct-Session-Id = 0A80
Calling-Station-Id = 123
Called-Station-Id = 0123456789
h323-setup-time = h323-setup-time=15:05:24.010 UTC Fri Apr 9 2004
h323-gw-id = h323-gw-id=mygwid
h323-conf-id = h323-conf-id=002E1B53 3AA8911D 0C002E65 0A1F0207
h323-call-origin = h323-call-origin=originate
h323-call-type = h323-call-type=VoIP
Cisco-AVPair = h323-incoming-conf-id=002E1B53 3AA8911D 
0C002E65 0A1F0207
User-Name = user-name
Cisco-AVPair = connect-progress=Call Up
Acct-Status-Type = Start
Service-Type = Login-User
NAS-IP-Address = 5.6.7.8
Acct-Delay-Time = 0
rlm_sql (sql): Reserving sql socket id: 24
rlm_sql_postgresql: query: INSERT INTO StartVoIP (RadiusServerName, 
UserName, NASIPAddress, AcctTime, CalledStationId, CallingStationId, 
AcctDelayTime, h323gwid, h323callorigin, h323setuptime, h323confid) 
VALUES ('myservername', 'user-name', '5.6.7.8', now(), '0123456789', 
'123', '0', 'mygwid', 'originate', strip_dot('15:05:24.010 UTC Fri Apr 9 
2004'), '002E1B53 3AA8911D 0C002E65 0A1F0207')
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: affected rows = 1
rlm_sql (sql): Released sql socket id: 24
Sending Accounting-Response of id 18 to 5.6.7.8:1646

I hope this will help you...


Thanks for your help! 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pascal
Polleunus
Sent: Tuesday, April 20, 2004 11:01 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Freeradius + PostgreSQL not working
VoipOne NOC wrote:


Hi

I have freeradius 0.9.3, compiled on a Debian Unstable system for 
PostgreSQL support.

Once I installed everything, it seems to work right. Following is the 
final output from freeradius -xxyz -l stdout :


Do you have something like this:
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded
and linked rlm_sql (sql): Attempting to connect to user@:/dbname rlm_sql
(sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #0
rlm_sql (sql): Connected new DB handle, #0 ...


Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
1814/udp.
Ready to process requests.
And when I try to send the radius packets for accounting from my Cisco
router, it just doesn't work


Do you receive some output in debug mode, from your router?



I have the following lines changed in my radiusd.conf:
with_cisco_vsa_hack = yes
$INCLUDE ${confdir}/postgresql.conf 
#unix (wtmp file) * commented out
#radutmp		* commented out
Added sql instead of the unix accounting method.

If anyone has experience with this, please let me know what I can do.


We succeeded in making it work with Debian Sarge + PostgreSQL 7.4.2 + 
Cisco ;-)




#  Id: postgresql.conf,v 1.8.2.11 2003/07/15 11:15:43 pnixon Exp $
#
#  Configuration for the SQL module, when doing H323 VoIP billing.
#
#  The database schema is available at:
#
#   src/radiusd/src/billing/h323_db_postgresql.sql
#
sql {

# Database type currently must be rlm_sql_postgresql to work with this setup.
driver = rlm_sql_postgresql

# Connect info
server = localhost
login = postgres
password = 

#