Re: FreeRADIUS debian-package

2004-05-10 Thread Paul Hampson
Michael Markstaller writes:
> /etc/init.d/freeradius reload
> - either it seems broken, or freeradius misinterprets the SIGHUP with
> exiting instead of reloading config (?) don't know where the problem
> exactly is

I noticed this recently, but haven't had a chance to 
backtrace it... Definitely put that one in 
bugs.freeradius.org. Unknown to me if it is Debian-specific. 
I'm assuming it is since no-one's reported it to 
bugs.freeradius.org, and there's bugreports there from things 
that _do_ break during SIGHUP. :-)

I tried to track this a bit further; when I send a SIGHUP with
kill -s SIGHUP  freeradius dies without any notice, so 
it looks more like a debian-independent problem, but I'm too far
from any detail to confirm this being a bug..
I'll go file a bugreport now...
Bugreport #63. It's 1.0.0 release blocker too. 

Delete the line, and remove the build-dependency on the 
versioned debhelper. That's the only thing that won't work 
with Woody's debhelper. If you want the pam file, drop 
--name=radiusd, but you'll have to edit the pam configuration 
in FreeRADIUS to use it under whatever name it gets.

ok, that's what I already did the last 5 times.
I don't need PAM, so I don't care.. just thought because, one year (and
knowledge) ago such things would've probably left me out from using
freeradius on woody ;) 
I've recently gotten pbuilder-uml working at home, and so will be
able to test the build under Debian/Woody. Someone else (in fact a
few people) are also doing Woody backports. I don't know if they're
tracking CVS though. 

--
Paul "TBBle" Hampson, on a webmail client! 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRADIUS debian-package

2004-05-10 Thread Michael Markstaller
> Hmm. Since you're working off the CVS snapshots, best to 
> bring it here, and/or put it in bugs.freeradius.org. 
> Otherwise it'll hang around in the Debian bugtracker tagged 
> "experimental, fixed-upstream" since I don't know if these 
> affect 0.9.3...
ok, as features push me close to the cvs I'll post them here
> 
> > Using a DEB made from csv-snapshot20040506, getting a 
> > cvs20040421-0_i386.deb package:
> 
> That's the date of the last change to the Debian packaging.
sure, was just to document the versions I used..

> > /etc/init.d/freeradius reload
> > - either it seems broken, or freeradius misinterprets the SIGHUP with
> > exiting instead of reloading config (?) don't know where the problem
> > exactly is
> 
> I noticed this recently, but haven't had a chance to 
> backtrace it... Definitely put that one in 
> bugs.freeradius.org. Unknown to me if it is Debian-specific. 
> I'm assuming it is since no-one's reported it to 
> bugs.freeradius.org, and there's bugreports there from things 
> that _do_ break during SIGHUP. :-)
I tried to track this a bit further; when I send a SIGHUP with
kill -s SIGHUP  freeradius dies without any notice, so 
it looks more like a debian-independent problem, but I'm too far
from any detail to confirm this being a bug..

> Delete the line, and remove the build-dependency on the 
> versioned debhelper. That's the only thing that won't work 
> with Woody's debhelper. If you want the pam file, drop 
> --name=radiusd, but you'll have to edit the pam configuration 
> in FreeRADIUS to use it under whatever name it gets.

ok, that's what I already did the last 5 times.
I don't need PAM, so I don't care.. just thought because, one year (and
knowledge) ago such things would've probably left me out from using
freeradius on woody ;) 

> I welcome anything about that one... I don't use it myself, 
> so it's largely untested. If you wander into the list 
> archives, you can see how bad it _was_. :-)

currently I don't get the dialup-admin from cvs-snapshot to work at all,
it displays, queries the mysql-db but doesn't show up anything (?),
using it from 0.9.3 despite works..

I haven't had time to look deeper into it, although in some weeks I'll
have to, 
because I need a frontend at least to prevent helpdesk-staff coming to
me all day to create radius-accounts ;)
recently had some emails on this, there're many things in dialup-admin
which I definitely need to change for my purposes and I'm yet unsure if
dialup-admin or "from scratch" is the point to start from.

Anyway, in case I'll go with dialup-admin I'll submit my changes and try
to help with the dialup-admin dpkg where I can..


Michael



Re: FreeRADIUS debian-package

2004-05-10 Thread Paul Hampson
On Mon, May 10, 2004 at 11:56:27PM +0200, Michael Markstaller wrote:
> Don't know whether this should be noted here or through the debian
> maintainer (?)

Either way... ;-)

> First of all to mention, building a deb-package from the
> csv-snapshot-20040506 
> works really fine, great job for a software in mid of development !
> Anyway, did this the last days several times and noticed some things
> I wanted to mention in case it helps.

> Please tell me whether in future such things should go to this list, it's
> better 
> to use bugs.freeradius.org (looks a bit complicated but I'm able to
> adopt) or 
> it's better to contact the deb-maintainer..

Hmm. Since you're working off the CVS snapshots, best to bring it here,
and/or put it in bugs.freeradius.org. Otherwise it'll hang around in
the Debian bugtracker tagged "experimental, fixed-upstream" since I
don't know if these affect 0.9.3...

> Using a DEB made from csv-snapshot20040506, getting a
> cvs20040421-0_i386.deb package:

That's the date of the last change to the Debian packaging.

> check-radiusd-config:
> - shouldn't this be named check-freeradius-config
> - line 38: $sbindir/radiusd ... 
>   -> should read $sbindir/freeradius -X -p 32768 > startup.log 2>&1 &
> - "freeradius -X -p" (complains that "-p" is ignored making the check
> fail..

Yes, yes they should.

> /etc/init.d/freeradius reload
> - either it seems broken, or freeradius misinterprets the SIGHUP with
> exiting instead of reloading config (?)
> don't know where the problem exactly is

I noticed this recently, but haven't had a chance to backtrace it...
Definitely put that one in bugs.freeradius.org. Unknown to me if it
is Debian-specific. I'm assuming it is since no-one's reported it to
bugs.freeradius.org, and there's bugreports there from things that _do_
break during SIGHUP. :-)

> debian/rules - line 137 "dh_installpam --name=radiusd"
> - this prevents building on woody as dh_installpam doesn't know the
> "--name" parameter
> don't know whether there is something to do about it

Delete the line, and remove the build-dependency on the versioned
debhelper. That's the only thing that won't work with Woody's debhelper.
If you want the pam file, drop --name=radiusd, but you'll have to edit
the pam configuration in FreeRADIUS to use it under whatever name it
gets.

> dialup-admin: there're few things, but as the debian-package is quite
> new and I'm still 
> looking through it, I'll keep this back for another post ;)

I welcome anything about that one... I don't use it myself, so it's
largely untested. If you wander into the list archives, you can see
how bad it _was_. :-)

-- 
Paul "TBBle" Hampson, on an alternate email client.
(FreeRADIUS Debian maintainer)



RE: Proxy Problem with attrs and Cisco-AVPair

2004-05-10 Thread Ben Butler
Um, typical.

Just tried something out of desperation and commented out EAP in post-proxy,
and guess what, cooking with gas.

Thanks anyways.

Ben 

-Original Message-
From: Ben Butler [mailto:[EMAIL PROTECTED] 
Sent: 10 May 2004 23:59
To: '[EMAIL PROTECTED]'
Subject: Proxy Problem with attrs and Cisco-AVPair


Proxy Problem with attrs and Cisco-AVPair

2004-05-10 Thread Ben Butler
Hi All,

I have two servers running freeradius-0.9.3, I am trying to proxy radius
request for a specific realm from one server (server1) to the other
(server2).  I believe I have updated radius.conf and attrs correctly as well
as proxy.conf and clients.conf.

Using radtest on server2 to initiate a query against server1 and then
viewing the debug -X log on server1 I can see the request is being proxied
and coming back and then seems to be getting stuck in the post-proxy
section.  This is where I am now stuck.

I need to be able to return multiple variable Cisco-AVPair attributes in the
proxied request ip:dns-servers and ip:route.

I have included below information that I thought may be useful to help with
this request.

Thanks for any and all help

Kind Regards

Ben

Attrs file

DEFAULT
        Service-Type == Framed-User,
        Service-Type == Login-User,
        Login-Service == Telnet,
        Login-Service == Rlogin,
        Login-Service == TCP-Clear,
        Login-TCP-Port <= 65536,
        Framed-IP-Address == 255.255.255.254,
        Framed-IP-Netmask == 255.255.255.255,
        Framed-Protocol == PPP,
        Framed-Protocol == SLIP,
        Framed-Compression == Van-Jacobson-TCP-IP,
        Framed-MTU >= 576,
        Framed-Filter-ID =* ANY,
        Reply-Message =* ANY,
        Proxy-State =* ANY,
        Session-Timeout <= 28800,
        Idle-Timeout <= 600,
        Port-Limit <= 2,
        Cisco-AVPair =* ANY

radiusd.conf file section

post-proxy {
#   attr_rewrite
    attr_filter
    eap
}


Debug:
Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on
1647/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 213.170.128.11:32802, id=233,
length=80
User-Name = "[EMAIL PROTECTED]"
User-Password = "testing"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1645
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:
'/usr/local/var/log/radius/radacct/213.170.128.11/auth-detail-20040510'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/213.170.128.11/auth-detail-20040510
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "attr_filter" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", looking
up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "realmslash" returns noop for request 0
rlm_realm: Looking up realm "proxy.c2internet.net" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "proxy.c2internet.net"
rlm_realm: Proxying request from user testing to realm
proxy.c2internet.net
rlm_realm: Adding Realm = "proxy.c2internet.net"
rlm_realm: Preparing to proxy authentication request to realm
"proxy.c2internet.net"
  modcall[authorize]: module "suffix" returns updated for request 0
users: Matched DEFAULT at 166
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 1 to 213.170.128.11:1645
User-Name = "[EMAIL PROTECTED]"
User-Password = "testing"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1645
Proxy-State = 0x32
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 213.170.128.11:1645, id=1,
length=159
Framed-IP-Address = 10.10.10.1
Cisco-AVPair = "ip:route=213.170.150.8 255.255.255.252 10.10.10.1"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Cisco-AVPair = "ip:dns-servers=213.170.128.16 213.170.128.150"
Proxy-State = 0x32
modcall: entering group post-proxy for request 0
  attr_filter: Matched entry DEFAULT at line 84
  modcall[post-proxy]: module "attr_filter" returns updated for request 0



Kind Regards

Ben Butler
C2 Internet Ltd
Alvaston House
Alvaston Business Park
Nantwich
Cheshire
CW5 6PF
W http://www.c2internet.net/
T +44-(0)845-658-0020
F +44-(0)845-658-0070


Re: Setup and PEAP

2004-05-10 Thread Margrete Raaum
On Mon, 10 May 2004, Alejandro Bonilla wrote:

>Hi, I'm new to FreeRADIUS. I have tried to use it and couldn't get to
>know how to get the correct authentication method Setup. I'm trying to
>setup a WRT54G with a WPA RADIUS, which asks for a Shared Key which I
>was able to set, also I was able to set the correct users and stuff.
>Simply I cannot get it to work because the Authentication method is done
>with PEAP.
>My questions would be:
>1. Which are the files that normal users should be touching to get this
>to work.
>2. Does FreeRADIUS support PEAP? Do I have to uncomment MS-CHAPv2 if I'm
>going to use MS-CHAPv2 or FreeRADIUS already supports it?
>3. Is there an easy How-To to setup this RADIUS Server?
>

I have some files from a freeradius-server that works with PEAP and other
802.1X-methods, PEAP preferred. It is simple, and I was going to leave out
some of the default config and comments and write some of my own, but I
have not gotten around to it yet.

http://folk.uio.no/mraaum/rad/

The version... it was a snapshot from April 7th I believe.

mrg




RE: Gentoo and FreeRADIUS

2004-05-10 Thread Jeff Bilder
I emerged just fine.  I just can't get the radius server to authenticate using PAM...  
Anyone do this?  Thanks!

- Jeff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Clayton
Dukes
Sent: Monday, May 10, 2004 4:38 PM
To: [EMAIL PROTECTED]
Subject: RE: Gentoo and FreeRADIUS


Nicholas,
I have been working on this for a while...
Here's a thread on experts-exchange that may get you started:

http://www.experts-exchange.com/Operating_Systems/Linux/Q_20981917.html#11032045

I had tried to get help in this forum a couple weeks ago but didn't get
anywhere, most likely because I am running gentoo on sparc64 ;-)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicholas
Hall
Sent: Monday, May 10, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: Re: Gentoo and FreeRADIUS


-Original message-
From: "Jeff Bilder" [EMAIL PROTECTED]
Date: Mon, 10 May 2004 15:03:28 -0500
To: [EMAIL PROTECTED]
Subject: Gentoo and FreeRADIUS

> Has anyone successfully gotten FreeRADIUS to run with Gentoo.
> [especially using PAM_AUTH].  I'm in need of some assistance.  Thanks!
> 
> - Jeff

Yes.  emerge net-dialup/freeradius




FreeRADIUS debian-package

2004-05-10 Thread Michael Markstaller
Don't know whether this should be noted here or through the debian
maintainer (?)

First of all to mention, building a deb-package from the
csv-snapshot-20040506 
works really fine, great job for a software in mid of development !
Anyway, did this the last days several times and noticed some things
I wanted to mention in case it helps.

Please tell me whether in future such things should go to this list, it's
better 
to use bugs.freeradius.org (looks a bit complicated but I'm able to
adopt) or 
it's better to contact the deb-maintainer..

Using a DEB made from csv-snapshot20040506, getting a
cvs20040421-0_i386.deb package:

check-radiusd-config:
- shouldn't this be named check-freeradius-config
- line 38: $sbindir/radiusd ... 
  -> should read $sbindir/freeradius -X -p 32768 > startup.log 2>&1 &
- "freeradius -X -p" (complains that "-p" is ignored making the check
fail..


/etc/init.d/freeradius reload
- either it seems broken, or freeradius misinterprets the SIGHUP with
exiting instead of reloading config (?)
don't know where the problem exactly is


debian/rules - line 137 "dh_installpam --name=radiusd"
- this prevents building on woody as dh_installpam doesn't know the
"--name" parameter
don't know whether there is something to do about it


dialup-admin: there're few things, but as the debian-package is quite
new and I'm still 
looking through it, I'll keep this back for another post ;)


Michael



RE: Gentoo and FreeRADIUS

2004-05-10 Thread Clayton Dukes
Nicholas,
I have been working on this for a while...
Here's a thread on experts-exchange that may get you started:

http://www.experts-exchange.com/Operating_Systems/Linux/Q_20981917.html#11032045

I had tried to get help in this forum a couple weeks ago but didn't get
anywhere, most likely because I am running gentoo on sparc64 ;-)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicholas
Hall
Sent: Monday, May 10, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: Re: Gentoo and FreeRADIUS


-Original message-
From: "Jeff Bilder" [EMAIL PROTECTED]
Date: Mon, 10 May 2004 15:03:28 -0500
To: [EMAIL PROTECTED]
Subject: Gentoo and FreeRADIUS

> Has anyone successfully gotten FreeRADIUS to run with Gentoo.
> [especially using PAM_AUTH].  I'm in need of some assistance.  Thanks!
> 
> - Jeff

Yes.  emerge net-dialup/freeradius




Re: Gentoo and FreeRADIUS

2004-05-10 Thread Nicholas Hall

-Original message-
From: "Jeff Bilder" [EMAIL PROTECTED]
Date: Mon, 10 May 2004 15:03:28 -0500
To: [EMAIL PROTECTED]
Subject: Gentoo and FreeRADIUS

> Has anyone successfully gotten FreeRADIUS to run with Gentoo.  [especially using
> PAM_AUTH].  I'm in need of some assistance.  Thanks!
> 
> - Jeff

Yes.  emerge net-dialup/freeradius




Re: Setup and PEAP

2004-05-10 Thread Alan DeKok
Alejandro Bonilla <[EMAIL PROTECTED]> wrote:
> 1. Which are the files that normal users should be touching to get this 
> to work.

  radiusd.conf, eap.conf, users

> 2. Does FreeRADIUS support PEAP? Do I have to uncomment MS-CHAPv2 if I'm 
> going to use MS-CHAPv2 or FreeRADIUS already supports it?

  The latest CVS snapshot supports PEAP.

  I'm not sure why MS-CHAPv2 would be commented out, or what you're
referring to there.

  PEAP requires both the eap-submodule mschapv2, and the normal module mschap.

> 3. Is there an easy How-To to setup this RADIUS Server?

  See the EAP-TLS How-To's.  Follow that, and once that's set up, PEAP
should be no more than another 10 minutes.

  Alan DeKok.




Re: Leading \000 in accounting-records

2004-05-10 Thread Alan DeKok
"Michael Markstaller" <[EMAIL PROTECTED]> wrote:
> just verified with cvs-snapshot-20040506 and the leading "\000" are gone
> in Tunnel* attribs.

  Good.

> except in attribute "Acct-Tunnel-Connection", it still reads
> Acct-Tunnel-Connection = "\0002475495"

  It's not a tagged attribute.  The RFC says that the encoding is
"implementation dependent".  So if the implementation puts a tag in
the attribute, FreeRADIUS doesn't know.

  Alan DeKok.
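
An added example (not part of the original messages and not FreeRADIUS code) of the distinction drawn in the reply above: the RFC 2868 tunnel string attributes carry a one-octet tag in front of the value, while Acct-Tunnel-Connection (RFC 2867) defines none, so a leading 0x00 sent by a client stays in the value. The function names and the sample octets are constructed for illustration, and treating 0x00 as "tag unused" is an assumption of this example.

```python
"""Decode RADIUS tunnel attributes, with and without the RFC 2868 tag octet."""

# RFC 2868 string attributes whose value starts with a one-octet tag.
TAGGED_STRING_ATTRS = {
    66: "Tunnel-Client-Endpoint",
    67: "Tunnel-Server-Endpoint",
    81: "Tunnel-Private-Group-ID",
    82: "Tunnel-Assignment-ID",
    90: "Tunnel-Client-Auth-ID",
    91: "Tunnel-Server-Auth-ID",
}
# RFC 2867 accounting attribute: a plain string, no tag octet is defined.
UNTAGGED_ATTRS = {68: "Acct-Tunnel-Connection"}


def printable(raw):
    """Render bytes like the accounting records quoted above (octal escapes)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\%03o" % b for b in raw)


def decode_attr(attr_type, value):
    """Return (name, tag, text); tag is None for attributes without a tag octet."""
    if attr_type in TAGGED_STRING_ATTRS:
        name = TAGGED_STRING_ATTRS[attr_type]
        # Assumption: 0x00 means "tag unused" and is stripped like 0x01-0x1F.
        if value and value[0] <= 0x1F:
            return name, value[0], printable(value[1:])
        # Above 0x1F the first octet is already part of the string (RFC 2868).
        return name, 0, printable(value)
    name = UNTAGGED_ATTRS.get(attr_type, "Attr-%d" % attr_type)
    # No tag defined: a leading 0x00 sent by the NAS is data and stays visible.
    return name, None, printable(value)


def encode_attr(attr_type, value):
    """Build one type/length/value attribute (length counts the 2 header octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(blob):
    """Walk a RADIUS attribute list, rejecting truncated or undersized entries."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append(decode_attr(attr_type, blob[i + 2:i + length]))
        i += length
    return out


# Constructed sample: the two values discussed in the thread, as raw octets.
SAMPLE = (encode_attr(67, b"\x0010.11.1.1") +
          encode_attr(68, b"\x002475495"))

if __name__ == "__main__":
    for name, tag, text in parse_attributes(SAMPLE):
        label = name if tag is None else "%s:%d" % (name, tag)
        print('%s = "%s"' % (label, text))
```

Calling `printable()` directly on the raw Tunnel-Server-Endpoint octets, without stripping the tag, reproduces the leading `\000` form reported before the fix.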



Setup and PEAP

2004-05-10 Thread Alejandro Bonilla
Hi, I'm new to FreeRADIUS. I have tried to use it and couldn't get to 
know how to get the correct authentication method Setup. I'm trying to 
setup a WRT54G with a WPA RADIUS, which asks for a Shared Key which I 
was able to set, also I was able to set the correct users and stuff. 
Simply I cannot get it to work because the Authentication method is done 
with PEAP.
My questions would be:
1. Which are the files that normal users should be touching to get this 
to work.
2. Does FreeRADIUS support PEAP? Do I have to uncomment MS-CHAPv2 if I'm 
going to use MS-CHAPv2 or FreeRADIUS already supports it?
3. Is there an easy How-To to setup this RADIUS Server?

Thanks,

- Alex



RE: Leading \000 in accounting-records

2004-05-10 Thread Michael Markstaller
great, thanks Alan.

just verified with cvs-snapshot-20040506 and the leading "\000" are gone
in Tunnel* attribs.
except in attribute "Acct-Tunnel-Connection", it still reads 
Acct-Tunnel-Connection = "\0002475495"

Really no big thing and I understood it's more a client fault, just
wanted to post it.

Michael

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Alan DeKok
> Sent: Friday, April 30, 2004 8:37 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Leading \000 in accounting-records 
> 
> 
> "Michael Markstaller" <[EMAIL PROTECTED]> wrote:
> > I'm getting some strange leading "\000" in some 
> L2tp-attributes within 
> > accounting records like (IPs are changed):
> > Tunnel-Server-Endpoint:0 = "\00010.11.1.1""
> 
>   It's a bug.
> 
>   I've committed a fix to the CVS head, which will be in 1.0.0.
> 
>   Alan DeKok.


Lucent MAX TNT and Freeradius in a calling card setup

2004-05-10 Thread Ahmad Ibrahim
List,

Has anyone done any sort of IVR/Calling Card development with Lucent 
MAX  TNT boxes ? the kind of setup I'm looking at is one or more Lucent 
Max TNT gateways, running TAOS 10.1.0 together with a Freeradius backend 
and a pre-paid application for calling cards ..etc, without using 
Lucent's MVAM software.

Thanks in advance,

Ahmad.

--
Ahmad Ibrahim
Director
ABC (Europe) LTD
89 Edgware Road, London W2 2HX
T: +44 (0)7005 964 636   F: (0)7005 964 640   GSM: +44 (0)7833 904 990
e-mail: [EMAIL PROTECTED]   web: www.abc-europe.com



Gentoo and FreeRADIUS

2004-05-10 Thread Jeff Bilder
Has anyone successfully gotten FreeRADIUS to run with Gentoo.  [especially using 
PAM_AUTH].  I'm in need of some assistance.  Thanks!

- Jeff



tls not rejecting user

2004-05-10 Thread Anthony Lopez
Hey everyone,

I have enabled " check_cert_cn = %{User-Name}" in my eap.conf file and 
in my users file I have

test Auth-Type := EAP
test2 Auth-Type := EAP
Now with my certificate that is issued with a CN= test why is test2 
still getting thru.

Can anyone help?

Thanks,
Tony


Re: EAP-TLS inside EAP-TTLS

2004-05-10 Thread Alan DeKok
Craig Huckabee <[EMAIL PROTECTED]> wrote:
> Does this just need testing (as the source code implies) or are there 
> parts missing ?  In other words, if I edit out the bits that prevent 
> EAP-TLS tunneled over EAP-TTLS and hit the code with a debugger is it a 
> useful thing to do ?

  Sure.

  Alan DeKok.



Re: freeradius problem

2004-05-10 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> To: [EMAIL PROTECTED], Alan DeKok <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]

  That's just unnecessary.  I read the list, so please don't CC me.
And sending the same message to the list twice is annoying.

> Mon May 10 22:00:54 2004 : Info: The maximum number of threads (32) are active,
> cannot spawn new thread to handle request

  It looks like a back-end database is blocking the server.  Find out
why it's stopping, and fix it.

> I am waiting for the solution to freeradius working properly.

  FreeRADIUS is working properly.  The database isn't, so FreeRADIUS
can't help being stuck.

  Alan DeKok.
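
An added example (not part of the original messages and not FreeRADIUS code) that tallies the three message types from the log excerpt posted in this thread, to show the pattern behind the diagnosis above: the thread limit is reached while retransmits keep hitting the same live request numbers. The function names and summary fields are assumptions of this example; the sample lines are the ones posted in the thread, with line wraps removed.

```python
"""Summarise FreeRADIUS log lines that point at a blocked worker pool."""
import re
from collections import Counter
from datetime import datetime

LINE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : (\w+): (.*)$")
THREADS = re.compile(r"The maximum number of threads \((\d+)\) are active")
DISCARD = re.compile(
    r"Discarding new request from client (\S+?):\d+ - ID: (\d+) "
    r"due to live request (\d+)")
LATE = re.compile(
    r"Reply from home server (\S+) arrived too late for request (\d+)")


def summarise(lines):
    """Count thread-limit hits, discarded retransmits and late proxy replies."""
    s = {"thread_limit": None, "thread_limit_hits": 0,
         "discards_by_client": Counter(), "stuck_requests": Counter(),
         "late_home_servers": Counter(), "first": None, "last": None}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped fragments and non-log text are ignored
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        msg = m.group(3)
        hit = THREADS.search(msg)
        if hit:
            s["thread_limit"] = int(hit.group(1))
            s["thread_limit_hits"] += 1
            continue
        hit = DISCARD.search(msg)
        if hit:
            s["discards_by_client"][hit.group(1)] += 1
            # The "live request" number identifies the request still in progress.
            s["stuck_requests"][hit.group(3)] += 1
            continue
        hit = LATE.search(msg)
        if hit:
            s["late_home_servers"][hit.group(1)] += 1
    return s


def repeated_requests(summary, min_repeats=2):
    """Live requests that absorbed several retransmits: candidates for 'stuck'."""
    return sorted(r for r, n in summary["stuck_requests"].items()
                  if n >= min_repeats)


def findings(summary):
    """Turn the counters into short statements an operator can act on."""
    out = []
    if summary["thread_limit_hits"]:
        out.append("thread limit (%d) reached %d time(s)" % (
            summary["thread_limit"], summary["thread_limit_hits"]))
    for req in repeated_requests(summary):
        out.append("request %s still live after %d discarded retransmits" % (
            req, summary["stuck_requests"][req]))
    for server, n in sorted(summary["late_home_servers"].items()):
        out.append("home server %s replied too late %d time(s)" % (server, n))
    return out


# Sample lines as posted in this thread, with line wraps removed.
SAMPLE_LOG = """\
Mon May 10 22:00:50 2004 : Error: Discarding new request from client pm2e-3:1026 - ID: 48 due to live request 9730
Mon May 10 22:00:54 2004 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Mon May 10 22:00:55 2004 : Error: Discarding new request from client pm2e-2:1026 - ID: 72 due to live request 9733
Mon May 10 22:00:56 2004 : Error: Discarding new request from client microtik-1:33623 - ID: 186 due to live request 9732
Mon May 10 22:00:57 2004 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Mon May 10 22:00:58 2004 : Error: Discarding new request from client pm2e-2:1026 - ID: 72 due to live request 9733
Mon May 10 22:00:58 2004 : Error: Discarding new request from client pm2e-2:1026 - ID: 72 due to live request 9733
Mon May 10 22:00:58 2004 : Error: Discarding new request from client pm2e-2:1026 - ID: 66 due to live request 9700
Mon May 10 23:24:36 2004 : Error: Reply from home server 202.22.192.12:1813 arrived too late for request 444. Try increasing 'retry_delay' or 'max_request_time'
"""

if __name__ == "__main__":
    for statement in findings(summarise(SAMPLE_LOG.splitlines())):
        print(statement)
```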




freeradius problem

2004-05-10 Thread mithu
I am facing some problem with my freeradius. I am using proxy. I am getting the 
following error message at my radius log

1. Mon May 10 23:24:36 2004 : Error: Reply from home server 202.22.192.12:1813 arrived too late for request 444. Try increasing 'retry_delay' or 'max_request_time'

I have increased the retry_delay from 5 to 10 and max_request_time from 30 to 
60 but no luck

2. Mon May 10 22:00:50 2004 : Error: Discarding new request from client pm2e-3:1026 - ID: 48 due to live request 9730
Mon May 10 22:00:54 2004 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Mon May 10 22:00:55 2004 : Error: Discarding new request from client pm2e-2:1026 - ID: 72 due to live request 9733
Mon May 10 22:00:56 2004 : Error: Discarding new request from client microtik-1:33623 - ID: 186 due to live request 9732
Mon May 10 22:00:57 2004 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Mon May 10 22:00:58 2004 : Error: Discarding new request from client pm2e-2:1026 - ID: 72 due to live request 9733
Mon May 10 22:00:58 2004 : Error: Discarding new request from client pm2e-2:1026 - ID: 72 due to live request 9733
Mon May 10 22:00:58 2004 : Error: Discarding new request from client pm2e-2:1026 - ID: 66 due to live request 9700

The radius stops working after 2 or 3 hours with those messages. After 
restarting radius it starts working again.

Can anyone tell me what could be the reason for this.

I am using freeradius0.93 on redhat 9 server.

I am waiting for the solution to freeradius working properly.

thanks 

Mainul Islam mIthu


> > rad_recv: Access-Request packet from host 192.168.123.36:1060, id=7,
> length=113
> > Dropping conflicting packet from client pm4-1:1060 - ID: 7 due to
> unfinished request 0
> 
>   It looks like the home server isn't responding.
> 
>   Alan DeKok.


EAP-TLS inside EAP-TTLS

2004-05-10 Thread Craig Huckabee
Does this just need testing (as the source code implies) or are there 
parts missing ?  In other words, if I edit out the bits that prevent 
EAP-TLS tunneled over EAP-TTLS and hit the code with a debugger is it a 
useful thing to do ?

Thanks,
Craig






Re: Cisco/Quintum Calling Card Application

2004-05-10 Thread Milver S. Nisay


> Is anyone currently using FreeRadius with the Quintum or Cisco
> gateways for running their calling card applications?

yes we are one, we are making use of Quintum Tenor as our VOIP device
gateway and for prepaid calling cards.
>
> If so, are there any public domain config examples available?
> Also, what are the performance specs like? How many calls or
> simultaneous users is FreeRadius able to handle?

Not tested the limit, but we can make use of 9 phone calls simultaneously,
since this is the number of phone stations we have as of this time.
//milver






Re: Confused by doc/variables.txt

2004-05-10 Thread Craig Huckabee


Alan DeKok wrote:

> Craig Huckabee <[EMAIL PROTECTED]> wrote:
>
>> Doesn't work - both %{Foo} and %{request:Foo} come back empty when 
>> setting Foo on the check line in users.
>
>   Hmm...
>
>> Anything else you can think of ?
>
>   Try using another attribute.
>
>   Or, follow the code execution in src/modules/rlm_files/rlm_files.c
>
>   Alan DeKok.

I may try the latter later on today.  Thanks!

--Craig



--
/ Craig Huckabee|  e-mail: [EMAIL PROTECTED] /
/ Code 715-CH   |   phone: (843) 218 5653   /
/ SPAWAR Systems Center | close proximity: "Hey You!"   /
/ Charleston, SC|ICBM:  32.78N, 79.93W  /


Re: Confused by doc/variables.txt

2004-05-10 Thread Alan DeKok
Craig Huckabee <[EMAIL PROTECTED]> wrote:
> Doesn't work - both %{Foo} and %{request:Foo} come back empty when 
> setting Foo on the check line in users.

  Hmm...

> Anything else you can think of ?

  Try using another attribute.

  Or, follow the code execution in src/modules/rlm_files/rlm_files.c

  Alan DeKok.



Re: Confused by doc/variables.txt

2004-05-10 Thread Craig Huckabee


Alan DeKok wrote:

> Craig Huckabee <[EMAIL PROTECTED]> wrote:
>
>> However, if I use this:
>>
>> DEFAULT User-Name =~  "^([^/]+)/(.*)"
>>    Foo = `%{2}`
>> ...
>> then attempt to look at Foo using %{reply:Foo}, I get the expected value 
>> and the filter works.
>
>   Try the original, but look for foo in %{Foo}, or %{request:Foo}
>
>   Alan DeKok.

Doesn't work - both %{Foo} and %{request:Foo} come back empty when 
setting Foo on the check line in users.

:(

Anything else you can think of ?

--Craig



Cisco/Quintum Calling Card Application

2004-05-10 Thread Tawheed Kader
Is anyone currently using FreeRadius with the Quintum or Cisco
gateways for running their calling card applications?

If so, are there any public domain config examples available?

Also, what are the performance specs like? How many calls or
simultaneous users is FreeRadius able to handle?


Any insight would be greatly appreciated.


Thanks,
Tawheed



Re: billing module problem

2004-05-10 Thread Alan DeKok
Pablo <[EMAIL PROTECTED]> wrote:
> I'm not trying to annoying you. Just give you as much info as i can to
> solve the problem ( though that is my configuration error) 

  You're not listening to me.

  The problem is that the sample file has a typo.  I told you this.

  I can read the file, too.  So "giving me more information" by
posting it to the list without saying anything more than "here it is",
is pointless.

> Though you believe this is a radius expert users list and I'm wrong
> posting here.

  It's not a RADIUS expert users list.  It's a list for people who are
interested in solving their problems.  It's a list for people who are
willing to read answers.  It's a list for people who are willing to
think for themselves.

> Thats is half true. If everybody have enough knowledge about radius
> configurations , we no need this list.

  Since your response consists mostly of complaints, my conclusion is
that you don't want your problem solved.

  If you applied 10 seconds of thought to my response, you would see
what the problem is, and how to fix it.

  Alan DeKok.



Re: billing module problem

2004-05-10 Thread Pablo
I'm not trying to annoying you. Just give you as much info as i can to
solve the problem ( though that is my configuration error) and give a
chance to others to understand better how this stuff works. 
Though you believe this is a radius expert users list and I'm wrong
posting here. Thats is half true. If everybody have enough knowledge
about  radius configurations , we no need this list.
Pablo

 

> 
>   Yes.  I'm not an idiot, I can read the files in the archive, just
> like you can.  Quoting them to me is annoying.
> 
>   So... do you intend to follow my instructions, or were they too
> confusing?
> 
>   Alan DeKok.
> 
> 


Re: Foundry Switch and Nas-Port (Solved)

2004-05-10 Thread sjscott

The problem was related to Foundry not implementing the NAS-Port attribute.
I worked with Foundry over the last month and got the attribute added.
They sent me an beta release, and it works great.  The new firmware update
should be out shortly.

Steve



From: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]eradius.org
Date: 04/07/2004 10:13 AM
Please respond to freeradius-users
To: [EMAIL PROTECTED]
cc: "Lee Miller" <[EMAIL PROTECTED]>
Subject: Re: Foundry Switch and Nas-Port






Lee,

What's interesting is Cisco switches will report the NAS-Port, which is
really the port on the switch.  So im wondering if Foundry just didn't
implement it...

I am trying to pin-point locations using the switch ports.  e.g. Port 3 on
NAS 100.22.44.22 is in office A.

Steve


From: "Lee Miller" <[EMAIL PROTECTED].com>
Date: 04/07/2004 02:25 AM
To: [EMAIL PROTECTED]
cc:
Subject: Re: Foundry Switch and Nas-Port





Hi Steve,

   I think the Nas-port attribute is optional and it has no context on an
ethernet switch
AFAIK.

Thanks,

Lee

>Does anyone know why a Foundry Switch would not report the Nas-Port of the
>request?
>
>Thanks,
>
>Steve
><>
>(This email was sent via Notes running on Linux)
>



Re: Returning check pairs from MySQL

2004-05-10 Thread Alan DeKok
Ulrich Peters <[EMAIL PROTECTED]> wrote:
> I need to return the value of a calculation as the Session-Timeout.
> How should this be done?

  Somehow set the value of the attribute.

> I hoped to retrieve the full amount of time used by the user, but as
> it seems all I get is a boolean:

  I don't use the sqlcounter module, so I can't help much there.  I do
know that the intent is for it to do the "right thing", without too
many configuration changes.

> If I place  "Max-All-Session := 500" in radgroupcheck, for example,
> and the query returns the total amount of time used (greated than
> zero), I get just a "Session-Timeout = 500".

Look at the source to see what it's doing, and why.

  Alan DeKok.



Re: billing module problem

2004-05-10 Thread Alan DeKok
Pablo <[EMAIL PROTECTED]> wrote:
> this is the original file :
...

  Yes.  I'm not an idiot, I can read the files in the archive, just
like you can.  Quoting them to me is annoying.

  So... do you intend to follow my instructions, or were they too
confusing?

  Alan DeKok.




Re: billing module problem

2004-05-10 Thread Pablo
this is the original file :


#  Id: postgresql.conf,v 1.8.2.11 2003/07/15 11:15:43 pnixon Exp $
#
#  Configuration for the SQL module, when doing H323 VoIP billing.
#
#  The database schema is available at:
#
#   src/radiusd/src/billing/h323_db_postgresql.sql
#
pgsql-voip {

# Database type currently must be rlm_sql_postgresql to work with this setup.
driver = "rlm_sql_postgresql"

# Connect info
server = "localhost"

thanks 
Pablo

On Mon, 2004-05-10 at 11:15, Alan DeKok wrote:
> "Pablo Martin" <[EMAIL PROTECTED]> wrote:
> > Now I'm confused, last step on the README is " include after detail on acc
> > section , pgsql-voip"
> 
>   Hmm... the problem appears to be in the pgsql-voip.conf file.  It
> should say "sql pgsql-voip {" at the top.
> 
>   Alan DeKok.
> 
> 


Re: proxy problems

2004-05-10 Thread Alan DeKok
Radius <[EMAIL PROTECTED]> wrote:
> A difference that we see when we run it with "radiusd -X" (we have
> pasted in some of the output further below) is the line right after
> the user listing information and "Connect-Info". On server A (that
> is working) the next two lines say:

  Those lines are irrelevant.  The real error is:

> rad_recv: Access-Request packet from host 192.168.123.36:1060, id=7, length=113
> Dropping conflicting packet from client pm4-1:1060 - ID: 7 due to unfinished request 0

  It looks like the home server isn't responding.

  Alan DeKok.
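
To see how often, and for which client, the server is dropping retransmissions like the one quoted in this reply, the debug output can be tallied. This Python script is an added example, not code from the thread or from FreeRADIUS; the sample log is constructed from the lines quoted here, and the second client (nas-b, 192.168.123.40) is made up.

```python
import re
from collections import Counter

# Constructed sample of `radiusd -X` output, modelled on the lines quoted in
# this thread. The client nas-b / 192.168.123.40 is made up. The last two
# entries are mail-quoted and wrapped, the way they appear in list replies.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.123.36:1060, id=7, length=113
Dropping conflicting packet from client pm4-1:1060 - ID: 7 due to unfinished request 0
rad_recv: Access-Request packet from host 192.168.123.36:1060, id=7, length=113
Dropping conflicting packet from client pm4-1:1060 - ID: 7 due to unfinished request 0
rad_recv: Access-Request packet from host 192.168.123.40:1812, id=66, length=120
Dropping conflicting packet from client nas-b:1812 - ID: 66 due to live request 9700
> > rad_recv: Access-Request packet from host 192.168.123.36:1060, id=8,
> length=113
> > Dropping conflicting packet from client pm4-1:1060 - ID: 8 due to
> unfinished request 1
"""

PREFIXES = ("rad_recv:", "Dropping conflicting packet")
RECV_RE = re.compile(
    r"^rad_recv: (?P<code>[\w-]+) packet from host "
    r"(?P<host>[\d.]+):(?P<port>\d+), id=(?P<id>\d+), length=(?P<length>\d+)")
DROP_RE = re.compile(
    r"^Dropping conflicting packet from client (?P<client>\S+):(?P<port>\d+)"
    r" - ID: (?P<id>\d+) due to (?P<reason>\w+) request (?P<request>\d+)")


def normalise(text):
    """Strip mail quote markers and rejoin log lines wrapped by a mail client."""
    lines = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if lines and not line.startswith(PREFIXES):
            lines[-1] += " " + line      # continuation of the previous line
        else:
            lines.append(line)
    return lines


def parse_drops(text):
    """Return one record per dropped packet, with the sender's address."""
    last_recv = {}       # (source port, RADIUS id) -> host of the last rad_recv
    drops = []
    for line in normalise(text):
        m = RECV_RE.match(line)
        if m:
            last_recv[(m["port"], m["id"])] = m["host"]
            continue
        m = DROP_RE.match(line)
        if m:
            drops.append({
                "client": m["client"],
                "host": last_recv.get((m["port"], m["id"])),
                "id": int(m["id"]),
                "reason": m["reason"],
                "request": int(m["request"]),
            })
    return drops


def drops_per_client(text):
    """Number of dropped packets per client short name."""
    return Counter(d["client"] for d in parse_drops(text))


def stalled_requests(text, min_drops=2):
    """Requests the client retried at least min_drops times while the server
    still held the original, i.e. the server never got to answer it."""
    hits = Counter((d["client"], d["reason"], d["request"])
                   for d in parse_drops(text))
    return {key: n for key, n in hits.items() if n >= min_drops}


if __name__ == "__main__":
    for (client, reason, request), n in stalled_requests(SAMPLE_LOG).items():
        print(f"{client}: {n} packets dropped while request {request} "
              f"was {reason}")
```

A request number that keeps reappearing for a proxied realm is the pattern the reply attributes to a home server that is not responding.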



Re: FreeRadius with Leased Line accounting

2004-05-10 Thread Alan DeKok
Ayman Alashquar <[EMAIL PROTECTED]> wrote:
> Can the FreeRadius be used for the accounting of leased lines (FR,DDN..etc)
> ? Is there a way to collect the usage records from the NASs which provides
> connectivity to the customers ?

  FreeRADIUS will log whatever the NAS sends it.

  Alan DeKok.



Re: billing module problem

2004-05-10 Thread Alan DeKok
"Pablo Martin" <[EMAIL PROTECTED]> wrote:
> Now I'm confused, last step on the README is " include after detail on acc
> section , pgsql-voip"

  Hmm... the problem appears to be in the pgsql-voip.conf file.  It
should say "sql pgsql-voip {" at the top.

  Alan DeKok.




Re: Dictionary

2004-05-10 Thread Alan DeKok
Alexander Kostadinov <[EMAIL PROTECTED]> wrote:
> Hallo I use freeradius 0.9.3 with pppd 2.4.2 and I've included in the
> dictionary file the attached file. It will be good it to be included in
> the main distribution, because it allows to be set the maxoctet limit with
> the Session-Octets-Limit Attribute.

  The attributes use the standard RADIUS attribute space, and conflict
with other vendor attributes.  They should go into a vendor-specific
dictionary.

  Alan DeKok.



Re: with MySQL - File Size Limit Exceeded

2004-05-10 Thread Alan DeKok
Kiran <[EMAIL PROTECTED]> wrote:
> The sqltrace.sql file was filling up fast and was
> going beyond 2 GB. Just deleting the file and creating
> the a blank file with same name, has solved the
> problem.

  Or, edit sql.conf, and set 'sqltrace = no', which is the default.

  Alan DeKok.





Dictionary

2004-05-10 Thread Alexander Kostadinov
Hallo I use freeradius 0.9.3 with pppd 2.4.2 and I've included in the
dictionary file the attached file. It will be good it to be included in
the main distribution, because it allows to be set the maxoctet limit with
the Session-Octets-Limit Attribute.

# Limit session traffic
ATTRIBUTE   Session-Octets-Limit    227 integer
# What to assume as limit - 0 in+out, 1 in, 2 out, 3 max(in,out)
ATTRIBUTE   Octets-Direction        228 integer

#   Octets-Direction
VALUE   Octets-Direction    Sum         0
VALUE   Octets-Direction    Input       1
VALUE   Octets-Direction    Output      2
VALUE   Octets-Direction    MaxOveral   3
VALUE   Octets-Direction    MaxSession  4
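
Alan DeKok's objection in the reply above, that these attributes sit in the standard RADIUS attribute space and collide with other definitions, can be checked mechanically across dictionary files. The following Python script is an added example, not part of the thread or of FreeRADIUS; the second dictionary, including its vendor name, vendor number and attribute names, is constructed for illustration.

```python
from collections import defaultdict, namedtuple

Attr = namedtuple("Attr", "name number type vendor source")

# The fragment posted in this thread (column spacing restored).
POSTED = """\
# Limit session traffic
ATTRIBUTE   Session-Octets-Limit    227 integer
# What to assume as limit - 0 in+out, 1 in, 2 out, 3 max(in,out)
ATTRIBUTE   Octets-Direction        228 integer
VALUE   Octets-Direction    Sum     0
VALUE   Octets-Direction    Input   1
"""

# Constructed second dictionary: every name and number below is hypothetical.
OTHER = """\
VENDOR      ExampleVendor   99999
ATTRIBUTE   Example-Legacy-Quota    227 integer
ATTRIBUTE   Example-Rate-Limit      1   integer ExampleVendor
BEGIN-VENDOR ExampleVendor
ATTRIBUTE   Example-Octet-Cap       2   integer
END-VENDOR  ExampleVendor
"""


def _number(token):
    """Dictionary numbers are decimal, or hex with a 0x prefix."""
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def parse_dictionary(text, source):
    """Collect ATTRIBUTE lines and the vendor, if any, each belongs to.

    Handles both ways of marking a vendor attribute: a trailing vendor name
    on the ATTRIBUTE line, and a BEGIN-VENDOR / END-VENDOR block.
    """
    vendors, attrs, block_vendor = set(), [], None
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        keyword = fields[0].upper()
        if keyword == "VENDOR" and len(fields) >= 3:
            vendors.add(fields[1])
        elif keyword == "BEGIN-VENDOR" and len(fields) >= 2:
            block_vendor = fields[1]
        elif keyword == "END-VENDOR":
            block_vendor = None
        elif keyword == "ATTRIBUTE" and len(fields) >= 4:
            vendor = block_vendor
            # A fifth field is a vendor only if that vendor was declared;
            # otherwise it is a flags field and the attribute stays as is.
            if len(fields) >= 5 and fields[4] in vendors:
                vendor = fields[4]
            attrs.append(Attr(fields[1], _number(fields[2]), fields[3],
                              vendor, source))
    return attrs


def standard_space(attrs):
    """Attributes with no vendor: they use the one-octet RADIUS type (1-255)."""
    return [a for a in attrs if a.vendor is None and 1 <= a.number <= 255]


def find_conflicts(attrs):
    """Standard-space numbers claimed under more than one attribute name."""
    names_by_number = defaultdict(set)
    for a in standard_space(attrs):
        names_by_number[a.number].add(a.name)
    return {number: sorted(names)
            for number, names in names_by_number.items() if len(names) > 1}


if __name__ == "__main__":
    merged = parse_dictionary(POSTED, "posted") + parse_dictionary(OTHER, "other")
    for a in standard_space(merged):
        print(f"{a.source}: {a.name} = {a.number} is in the standard space")
    for number, names in find_conflicts(merged).items():
        print(f"conflict on {number}: {', '.join(names)}")
```

Attributes declared under a vendor never show up in the conflict list, which is the reason the reply asks for a vendor-specific dictionary.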


Failed to link to module 'rlm_expr': file not found

2004-05-10 Thread rdo
On Mon, 10 May 2004 13:46:15 +0200, [EMAIL PROTECTED] wrote:
> Message: 1
> From: "Paul Hampson" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: help on pbx dialing
> Date: Mon, 10 May 2004 16:18:03 +1000
> Reply-To: [EMAIL PROTECTED]
>
>
> budi wibowo writes:
>
>
>> hi i am new freeradius user
>> i use freeradius 0.9.3 for voip accounting using postgresql as db
>> server there's user dial using patter 9,8129093 on my postgresql
>> recorded call is 9=2C8129093
>> any idea how to convert recorded call on pgsql to 9,8129093?
>>
>
> Best bet is to get the latest CVS snapshot, and look at the SQL
> configuration file. There's a new parameter, "safe characters" or
> something like that, to which you want to add the comma to prevent
> FreeRADIUS from quoted-printable (I think) encoding it.
>
> --
> Paul "TBBle" Hampson, on a webmail client!
>
>
> --__--__--
>
>
> Message: 2
> Date: Mon, 10 May 2004 09:32:09 +0200
> From: jesk <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: radrelay and mysql
> Organization: killall
> Reply-To: [EMAIL PROTECTED]
>
>
> On Sun, 9 May 2004 17:26:41 +0300 (EEST)
> Kostas Kalevras <[EMAIL PROTECTED]> wrote:
>
>
>> On Sat, 8 May 2004, jesk wrote:
>>
>>
>>> On Saturday 08 May 2004 19:34, Kostas Kalevras wrote:
>>>
>>>> On Sat, 8 May 2004, jesk wrote:
>>>>> hi,
>>>>>
>>>>>
>>>>> is there a need to run radrelay for identification of
>>>>> simultanous logins if iam running mysql backend with
>>>>> accounting in it? the mysql is storing the sessions and the
>>>>> radius server can query it for identification of the amount
>>>>> of logins a user have, why then the need of radrelay for
>>>>> announcing every session to every radius server?
>>>>>
>>>>
>>>> To identify double logins on a multi server environment you
>>>> have to keep the accounting information synchronized. I
>>>> strongly recommend radrelay, it works great, it can cope with
>>>> server delays/downtimes and since it sends radius accounting
>>>> packets, the synchronization is not limited to mysql but to
>>>> the whole accounting system (rad_counter, rad_utmp etc). And
>>>> it's very easy to setup, just run radrelay on both your
>>>> radius servers (if you have two). Read doc/radrelay for more
>>>> information. Use the latest CVS version, it has many fixes
>>>> and works very nice (we are using it on a multiserver
>>>> environment with 10 sessions/day).
>>>>
>>>>> the next question i have is that i dont know how to cluster
>>>>> the mysql backend, cause mysql replication works only
>>>>> oneway, and the radius cant announce new sessions to both
>>>>> of the mysqlservers. iam right in thinking that i can only
>>>>> backup my system with the replication or only use mysql for
>>>>> authentication on both mysqlserver but session handling
>>>>> have to be stored in one mysqlserver? maybe someone can
>>>>> tell me something about good clustering of freeradius with
>>>>> mysql?
>>>>>
>>>>>
>>>>> thanks in advance,
>>>>> christian
>>>>>
>>>>>
>>>>> -
>>>>> List info/subscribe/unsubscribe? See
>>>>> http://www.freeradius.org/list/users.html
>>>>>
>>>>
>>>> --
>>>> Kostas Kalevras    Network Operations Center
>>>> [EMAIL PROTECTED]    National Technical University of Athens,
>>>> Greece Work Phone:    +30 210 7721861 'Go back to the
>>>> shadow'    Gandalf
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>>>
>>>
>>> hi,
>>>
>>>
>>> thanks for your fast answer. the advantage with simultanous-use
>>> and session handling in mysql is, that i have the control in
>>> one central database. what would be if a session is already
>>> dead but would exist in the detail file for radrelay, how would
>>> i clean this if i wouldnt use radcheck 

Re: with MySQL - File Size Limit Exceeded

2004-05-10 Thread Kiran
This is a long lost thread but I just figured out the
real issue.
The sqltrace.sql file was filling up fast and was
going beyond 2 GB. Just deleting the file and creating
the a blank file with same name, has solved the
problem.

- Kiran

Kiran <[EMAIL PROTECTED]> wrote:
> By removing the MySQL related entries in the
> radiusd.conf, the server is running fine. Are there
> any limits to MySql ? As per the documents it takes
> tables upto 2GB but my database is far less than that.
> probably 1 GB in all.
> 
> any idea where to tweak ?

  Build MySQL with support for large files.

  Alan DeKok.









Re: libssl problems

2004-05-10 Thread Frédéric EVRARD



> Hello,
>
> I am triying to compile SNAPSHOT-20040113 and SNAPSHOT-2004507 to work
> with EAP-PEAP.
> I have installed openssl with the argument --prefix=/usr/local.
>
> Then, i try to configure freeradius:
>  #configure --with-openssl-includes=/usr/local/include/openssl
> --with-openssl-libraries=/usr/local/openssl/lib
> I have also tried with the option --disable-shared , but i have the same
> result.
>
> The configure process tell me that the modules that uses libssl aren't
> going to be built, because it doesn't find libssl.
>
> Where is the error?

I had almost the same problem, and after installing openssl I have to
install openssl-devel to use libssl.

Hope it helps you.

Fred


>
> Thanks you.
>
> Omar.




libssl problems

2004-05-10 Thread Omar Garcia - Fractalia



Hello,

I am trying to compile SNAPSHOT-20040113 and SNAPSHOT-2004507 to work with
EAP-PEAP.
I have installed openssl with the argument --prefix=/usr/local.

Then, I try to configure freeradius:
     #configure --with-openssl-includes=/usr/local/include/openssl --with-openssl-libraries=/usr/local/openssl/lib
I have also tried with the option --disable-shared, but I have the same
result.

The configure process tells me that the modules that use libssl aren't
going to be built, because it doesn't find libssl.

Where is the error?

Thank you.

Omar.


Re: peap failure

2004-05-10 Thread Manuel Sánchez Cuenca
Michael Griego wrote:

> Are you using the latest CVS snapshot?  An issue causing the same
> symptoms that you are seeing was recently fixed.  Try compiling the
> latest snapshot and see if that fixes the error.

I get the same error with the freeradius-snapshot-20040509.

> --Mike
>
> On Fri, 2004-05-07 at 08:55, Manuel Sánchez Cuenca wrote:
>
>> Hello all, I have installed the CVS version of Freeradius and I have 
>> configured it to use peap. I'm using Xsupplicant as client and a 
>> DWL-900AP+ as Access Point.
>>
>> The problem is that the connect process fails, and looking at the radius 
>> log I have seen that the first phase is correct, but in the second phase 
>> I get this error:
>>
>> =
>> rlm_eap: Request found, released from the list
>> rlm_eap: EAP/mschapv2
>> rlm_eap: processing type mschapv2
>> rlm_eap_mschapv2: Response contains contradictory length 49 54
>> rlm_eap: Handler failed in EAP/mschapv2
>> rlm_eap: Failed in EAP select
>> modcall[authenticate]: module "eap" returns invalid for request 7
>> modcall: group authenticate returns invalid for request 7
>> auth: Failed to validate the user.
>> PEAP: Got tunneled reply RADIUS code 3
>>   EAP-Message = 0x04080004
>>   Message-Authenticator = 0x
>> PEAP: Processing from tunneled session code 0x818afd0 3
>>   EAP-Message = 0x04080004
>>   Message-Authenticator = 0x
>> PEAP: Tunneled authentication was rejected.
>> rlm_eap_peap: FAILURE
>> ===
>> Can anybody tell me what is happening?
>>
>> Thanks in advance.
>>
>> --
>> ==
>> Manuel Sanchez Cuenca
>> Dept. Ingenieria de la Informacion y las Comunicaciones
>> Universidad de Murcia - Espana
>> Tlf: +34 968364311 - Fax: 968364151
>> email: [EMAIL PROTECTED]
>> www: http://skywalker.dif.um.es/~lolo



--
==
Manuel Sanchez Cuenca
Dept. Ingenieria de la Informacion y las Comunicaciones
Universidad de Murcia - Espana
Tlf: +34 968364311 - Fax: 968364151
email: [EMAIL PROTECTED]
www: http://skywalker.dif.um.es/~lolo




Re: Problem with L2TP/Cisco and FreeRadius ...

2004-05-10 Thread Garry Glendown
Sorry, the last mail was meant for Michael directly ... forgot to edit 
the address ... :(

-garry



Re: Problem with L2TP/Cisco and FreeRadius ...

2004-05-10 Thread Garry Glendown
Hello,

> We have the same setup with FreeRADIUS (0.9.3 and 1.0-pre working fine..
> obviously even with the same realm ;)

What a coincidence ;)

> "Login incorrect" is not caused by the Cisco LAC ! it's caused by your
> local setup somehow. I don't get these entries..

Hm ... never mind, it doesn't hurt ... According to MK-Netzdienste that would 
be normal ... I had also received a sample config from them ...

Authentication works by now; I don't know exactly what the cause was over the 
weekend ...

The tip with the expr for Session-Timeout is good, but it doesn't quite want 
to work ... if I enter the expression directly for an account, it works, but 
with the defaults it somehow doesn't ...

I tried the two DEFAULT entries at the end of the file: no reaction. If I put 
the entries at the front (that is, before the accounts), the user can no 
longer log in ... any idea?

Tnx, -garry



Re: Need help setting up EAP-TLS with xsupplicant, radtest ok

2004-05-10 Thread Frédéric EVRARD
>
> My /etc/raddb/eap.conf :
>
> eap {
> default_eap_type = tls
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> tls {
> private_key_password = whatever
> private_key_file = ${raddbdir}/certs/sggs.pem
> certificate_file = ${raddbdir}/certs/sggs.pem
> CA_file = ${raddbdir}/certs/root.pem
> dh_file = ${raddbdir}/certs/dh # I generated
> these two using date > filename
> random_file = ${raddbdir}/certs/random
> fragment_size = 1750
> include_length = yes
> }
> mschapv2 {
> }
> }
>
> My /etc/raddb/users :
>
> "client1" Auth-Type := EAP
>
> "testing123" Auth-Type := Local, User-Password == "testing123"
> #The rest of the file was untouched :

>
> The contents of /etc/xsupplicant.conf :
>
> network_list=sggsathome,caenwireless #(let us ignore the second one for
> the moment)
> default_netname=sggsathome
> startup_command=echo "XSupplicant initiated"
> first_auth_command=/sbin/dhclient %i
> reauth_command=echo "authenticated user %i"
> logfile=/var/log/xsupplicant.log
> allow_interfaces = eth1
> deny_interfaces = lo,eth0
>
> sggsathome{
> allow_types=eap_tls
> identity=client1
> eap_tls{
> user_cert=/etc/1x/certs/client1.der
> user_key=/etc/1x/client1.pem
> #user_key_pass=password for key # Commented out. A
> little confused here - is it "whatever" (as in CA.*), or the other
> password I used to generate the certificates ? This is not included in
> /etc/1x.conf of the howto I listed above

You have to use "whatever" only if you use freeradius testing certificate,
else you have to put the password for private key of your certificate.

> root_cert=/etc/1x/certs/root.pem
> chunk_size=1750
> random_file=/etc/1x/random # generated using date > filename
> }
> }
> 
> It does not seem that the file /etc/1x/1x.conf is used, but I created it
> anyways to cover the risk :

I'm using the same config as you, and I don't create this 1x.conf, all is
in xsupplicant.conf.

The HOWTO is very old and maybe it's for an older xsupplicant


> #/usr/local/xsupplicant/sbin/xsupplicant eth1
> Starting XSupplicant!

> Interface eth1 initialized!
> An error occured binding to socket. (Error : Addresss already in use)
> Couldn't initialize daemon socket!
>
here's my xsupplicant.conf with freeradius certificate test files(it works
very fine) :

network_list = all
#network_list = default, test1, test2, all

default_netname = mynetwork
#default_netname = my_defaults

logfile = /var/log/xsupplicant.log

allow_interfaces = eth1

deny_interfaces = eth0, lo

mynetwork
{
allow_type = all
identity = radiustestor

eap_tls {
 user_cert = /usr/local/certs/cert-clt.pem
 user_key  = /usr/local/certs/cert-clt.pem
 user_key_pass = whatever
 root_cert = /usr/local/certs/root.pem
  }
}


To debug more efficiently, you should clean your config file of freeradius
and xsupplicant and just let what you need.
Hope that help you.

Fred




Re: radrelay and mysql

2004-05-10 Thread Kostas Kalevras
On Mon, 10 May 2004, jesk wrote:

> On Sun, 9 May 2004 17:26:41 +0300 (EEST)
> Kostas Kalevras <[EMAIL PROTECTED]> wrote:
>
> hi,
>
> can i keep accounting information synchronized wit radlrelay on two
> mysql servers, or how do you keep your accounting information in your 2
> mysqlservers?


It should have been clear by now that *yes* you can. With radrelay you keep the
whole accounting subsystem synchronized which obviously also means the sql part.

>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: Problem with L2TP/Cisco and FreeRadius ...

2004-05-10 Thread Michael Markstaller
We have the same setup with FreeRADIUS (0.9.3 and 1.0-pre working fine..
obviously even with the same realm ;)
Now it depends what you want to do with the usernames, but the first 
"Login incorrect" is not caused by the Cisco LAC ! it's caused by your
local setup somehow. I don't get these entries..
As I haven't enabled rlm_eap I cannot tell you whats going wrong here, 
but it might be related to this.

I strip the DSL-realm off completely with hints and then auth. users 
without any realm against a mysql-db.

login happens with [EMAIL PROTECTED]
--- hints ---
DEFAULT Suffix = "[EMAIL PROTECTED]", Strip-User-Name = Yes
        Hint = "XX-xdsl"
DEFAULT Suffix = "#realm", Strip-User-Name = Yes
        Hint = "XX-dial"
--- hints ---

using the hint in users to set global defaults and make the forced 
disconnect happen at 02:00 GMT (thanks to Alan)
--- users ---
# Globals for services from XX-Netzdienste
DEFAULT Hint == "XX-xdsl"
        Session-Timeout := `%{expr:86400 - ((%l - 7200) %% 86400)}`,
        Framed-IP-Netmask := "255.255.255.255",
        Cisco-Avpair = "ip:dns-servers=x.y.z.18 x.y.z.18"
DEFAULT Hint == "XX-dial"
        Session-Timeout := `%{expr:86400 - ((%l - 7200) %% 86400)}`,
        Idle-Timeout := 300,
        Framed-IP-Netmask := "255.255.255.255",
        Cisco-Avpair = "ip:dns-servers=x.y.z.18 x.y.z.18"
--- users ---

in my usergroup table as username only "user" is entered without any
realm.
hope this helps..

Michael

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Garry Glendown
> Sent: Sunday, May 09, 2004 9:41 PM
> To: [EMAIL PROTECTED]
> Subject: Problem with L2TP/Cisco and FreeRadius ...
> 
> 
> Hello,
> 
> I'm trying to get a Cisco running with FreeRadius ... please note - 
> FreeRadius as such is already working fine with other Dialup-routers 
> (ascend max w/ ISDN/Modem dialup) ...
> 
> We set up DSL dialup through a Cisco router. DSL is done 
> through a L2TP 
> tunnel, which in itself worked fine, too (using a different radius 
> software for trial) - I tried to switch over to our standard 
> server, but 
> somehow it's not doing what it should, though I can't really 
> see what's 
> actually going wrong ...
> 
> On the radius server, I even see a "login OK" message in the logfile 
> (Cisco sends the part after the @-sign first, then retries with the 
> complete username):
> 
> Sun May  9 11:27:05 2004 : Auth: Login incorrect: 
> [interdsl-6.de] (from 
> client dsl-gw port 0)
> Sun May  9 11:27:20 2004 : Error: rlm_eap: EAP-Message not 
> found Sun May  9 11:27:20 2004 : Auth: Login OK: 
> [EMAIL PROTECTED] (from client dsl-gw port 0)
> 
> The connection itself is disconnected after this ...
> 
> Any idea? We are running 0.90 ATM, though we could update to 
> the current ...
> 
> tnx, -gg
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 



FreeRadius with Leased Line accounting

2004-05-10 Thread Ayman Alashquar
Hi all,

Can the FreeRadius be used for the accounting of leased lines (FR,DDN..etc)
? Is there a way to collect the usage records from the NASs which provides
connectivity to the customers ?





Re: peap failure

2004-05-10 Thread Manuel Sánchez Cuenca
Alan DeKok wrote:

> Manuel Sánchez Cuenca <[EMAIL PROTECTED]> wrote:
>
>> Hello all, I have installed the CVS version of Freeradius and I have 
>> configured it to use peap. I'm using Xsupplicant as client and a 
>> DWL-900AP+ as Access Point.
>
>  Upgrade xsupplicant.  They had a bug in an older version.
>
>  Alan DeKok.

I'm using the latest xsupplicant version (0.8b)

--
==
Manuel Sanchez Cuenca
Dept. Ingenieria de la Informacion y las Comunicaciones
Universidad de Murcia - Espana
Tlf: +34 968364311 - Fax: 968364151
email: [EMAIL PROTECTED]
www: http://skywalker.dif.um.es/~lolo




Re: radrelay and mysql

2004-05-10 Thread jesk
On Sun, 9 May 2004 17:26:41 +0300 (EEST)
Kostas Kalevras <[EMAIL PROTECTED]> wrote:

> On Sat, 8 May 2004, jesk wrote:
> 
> > On Saturday 08 May 2004 19:34, Kostas Kalevras wrote:
> > > On Sat, 8 May 2004, jesk wrote:
> > > > hi,
> > > >
> > > > is there a need to run radrelay for identification of
> > > > simultanous logins if iam running mysql backend with accounting
> > > > in it? the mysql is storing the sessions and the radius server
> > > > can query it for identification of the amount of logins a user
> > > > have, why then the need of radrelay for announcing every session
> > > > to every radius server?
> > >
> > > To identify double logins on a multi server environment you have
> > > to keep the accounting information synchronized. I strongly
> > > recommend radrelay, it works great, it can cope with server
> > > delays/downtimes and since it sends radius accounting packets, the
> > > synchronization is not limited to mysql but to the whole
> > > accounting system (rad_counter, rad_utmp etc). And it's very easy
> > > to setup, just run radrelay on both your radius servers (if you
> > > have two). Read doc/radrelay for more information. Use the latest
> > > CVS version, it has many fixes and works very nice (we are using
> > > it on a multiserver environment with 10 sessions/day).
> > >
> > > > > the next question I have is that I don't know how to cluster the
> > > > > mysql backend, because mysql replication works only one way, and
> > > > > the radius can't announce new sessions to both of the
> > > > > mysql servers. am I right in thinking that I can only back up my
> > > > > system with the replication or only use mysql for authentication
> > > > > on both mysql servers but session handling has to be stored in
> > > > > one mysql server? maybe someone can tell me something about good
> > > > > clustering of freeradius with mysql?
> > > >
> > > >
> > > > thanks in advance,
> > > > christian
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
> > >
> > > --
> > > Kostas Kalevras   Network Operations Center
> > > [EMAIL PROTECTED] National Technical University of Athens, Greece
> > > Work Phone:   +30 210 7721861
> > > 'Go back to the shadow'   Gandalf
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> >
> > hi,
> >
> > thanks for your fast answer. the advantage with simultaneous-use and
> > session handling in mysql is that I have the control in one central
> > database. what would happen if a session is already dead but would exist
> > in the detail file for radrelay, how would I clean this if I wouldn't
> > use radcheck for checking the nas for the dead/active session?
> 
> With radrelay you just keep the accounting information synchronized
> between multiple radius servers. That *includes* mysql. So in a sense
> you have a central database, only it is multihomed. And you should
> always use checkrad for double login detection to work correctly.
> 
> >
> >
> >
> >
> 
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone:   +30 210 7721861
> 'Go back to the shadow'   Gandalf
> 
> 
hi,

can I keep accounting information synchronized with radrelay on two
mysql servers, or how do you keep your accounting information in your 2
mysql servers?
