Re: eap-sim module can't be compiled!?

2004-05-31 Thread Alex Wang
I'm afraid I can't find where the relevant section is. Can you explain that
further?
Actually, I have tried to compile it on two PCs with different versions of
Red Hat, 7.3 and 9.0.
On Red Hat 7.3 I chose Full install, and I chose Minimal install on
the other.
I found out the eap-sim module cannot be compiled on Red Hat 9.0, but
works on 7.3.
That's why I wonder whether there is any other package that should be installed.

By the way, I have read the related docs and tried the test procedures in
src/tests,
but the eap-sim module did not seem to work.
Besides the users and simtriplets.dat files, is there any other file I should
edit or configure?

thanks in advance,
alex

- Original Message - 

On Mon, May 31, 2004 at 12:03:45PM +0800, Alex Wang wrote:
 hi~ guys, I have downloaded the latest snapshot from the ftp site, but
 after make,
 I found out the module, eap-sim, wasn't compiled (i.e. without
 generating an object file).
 My OS is RedHat 9.0, and I just chose minimal install.
 Is this the reason that the eap-sim module can't be compiled? If yes, which other
 packages should I install?
 thanks for any suggestion!

I recently made some changes to the EAP-SIM module's compilation, can
you find the relevant section of the build logs? (It'll process the
directory a few times, for make static, make dynamic and make
install.)

-- 
Paul TBBle Hampson, on an alternate email client.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html





Change User Password

2004-05-31 Thread Daniel Garcia



Hi list,

I'm using freeradius 0.9.1 (on an RH 7.2 box) to
account and validate my own web users,
and I would ask a question:

How can my users change their password without
manually editing the users file??
I'm not a Radius expert, so, are there some
standard RADIUS request packets to
do this??

I think that the only way to do this
is:

1- Create an application that directly updates
password info in the MySQL FreeRADIUS
DB (I'm not using the
MySQL mod yet)
2- Make a script that directly edits the users file and
publish it on my Apache web server
(not a secure solution)
3- Use some third party paid software
:(


Can somebody give me some help??

Thanks in advance

Dani




Ldap-Group, Login-Time not working?

2004-05-31 Thread Gavin White
Hello list,
I'm running freeradius-0.9.3 with openldap auth, and it's working nicely.
However, when I try to limit groups to certain times, I find that users 
are still able to log in when they should be blocked.

My ldap records have a rategroupid field, which is mapped to Ldap-Group.
My users file looks like this:
DEFAULT Ldap-Group == sundayonly, Login-Time = 2000-0500, Auth-Type := LDAP
        Fall-Through = Yes

DEFAULT Auth-Type := LDAP, Max-Sessions = 1
        Framed-Protocol = PPP,
        Service-Type = Framed-User
An example login looks like this in debug:
rad_recv: Access-Request packet from host 127.0.0.1:53215, id=48, length=60
User-Name = testuser
User-Password = 
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
...
rlm_ldap::ldap_groupcmp: User found in group sundayonly
...
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
...
rlm_ldap: Adding rategroupid as Ldap-Group, value sundayonly  op=21
...
rlm_ldap: user netbwana authorized to use remote access
...
rlm_ldap: user netbwana authenticated succesfully
I have the same Ldap-Group field working for other groups, setting
ascend-data-filter reply items. Is there something wrong with my
Login-Time config?

Thanks,
Gavin


RE: how to change xp client using peap

2004-05-31 Thread Luis Guido
You can search the registry for EAPOL.
Delete all the entries and reauthenticate.

lguido

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of BLANCA FERRERO RODRIGUEZ
 Sent: Friday, May 28, 2004 14:20
 To: [EMAIL PROTECTED]
 Subject: Re: how to change xp client using peap
 
 
 
 
 - Original Message -
 From: Michael Griego [EMAIL PROTECTED]
 Date: Friday, May 28, 2004 2:48 pm
 Subject: Re: how to change xp client using peap
 
  There's a Microsoft KB article on this.  I can't remember the title
  offhand, though.  It tells you which registry entry to 
 delete in order
  to force the eapol client to re-ask for credentials.
  
  --Mike
  
 
 I think I found the article, thanks a lot because all the
 other attempts were unsuccessful
 
 bfr
 
 
 
 
 




Re: Ldap-Group, Login-Time not working?

2004-05-31 Thread Keith Yoder

DEFAULT Ldap-Group == sundayonly, Login-Time = 2000-0500, Auth-Type := LDAP
        Fall-Through = Yes

I believe you want a Login-Time attribute like this: Al2000-0500 for 
all days of the week between 20:00 and 5:00.

Hope that helps,
Keith Yoder


Re: Ldap-Group, Login-Time not working?

2004-05-31 Thread Keith Yoder
Gavin White wrote:
DEFAULT Ldap-Group == sundayonly, Login-Time = 2000-0500, Auth-Type := LDAP
        Fall-Through = Yes

Okay, looking at this more closely I think you need to use the := 
operator because this is a check item.

Try Login-Time := Al2000-0500
Keith Yoder
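Keith's two points, carried through as an added example that is not code from FreeRADIUS or from anyone in the thread: a small Python checker that flags check items written with `=` in a users-file line, and an evaluator for the Login-Time value that handles the overnight `2000-0500` window. The day-spec forms beyond `Al` (Wk, Mo-Fr, Any, concatenated codes such as SaSu) and the inclusive end minute are assumptions about the Cistron-style syntax, not taken from the page.

```python
"""Check a FreeRADIUS users-file line and evaluate its Login-Time window.

Added example, not code from FreeRADIUS or from the thread.  Assumed
Login-Time syntax (Cistron style): comma-separated terms, each an optional
day spec followed by an optional HHMM-HHMM range.  Day specs: Mo Tu We Th
Fr Sa Su, a range such as Mo-Fr, Wk (Mo-Fr), Al or Any (every day), or
concatenated codes such as SaSu.  A range whose end is earlier than its
start (2000-0500) wraps past midnight; the end minute is inclusive.
"""
import datetime as dt
import re

DAY_NAMES = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # index == datetime.weekday()
MINUTES_PER_DAY = 24 * 60
# attribute, operator, value; longer operators are listed before their prefixes
CHECK_ITEM_RE = re.compile(r"\s*([\w-]+)\s*(==|:=|=~|!~|!=|>=|<=|>|<|=)\s*(\S+)")
TERM_RE = re.compile(r"^([A-Za-z-]*)(?:(\d{4})-(\d{4}))?$")


def parse_check_items(line):
    """Split 'DEFAULT Attr op value, Attr op value' into (attr, op, value) tuples."""
    name, _, rest = line.strip().partition(" ")
    items = [(a, op, v.rstrip(",")) for a, op, v in CHECK_ITEM_RE.findall(rest)]
    return name, items


def check_items_using_equals(line):
    """Names of check items written with '=', the operator the thread found not to apply."""
    _, items = parse_check_items(line)
    return [attr for attr, op, _ in items if op == "="]


def parse_days(spec):
    """Map a day spec to a set of weekday numbers (Monday == 0)."""
    if spec in ("", "Al", "Any"):
        return set(range(7))
    if spec == "Wk":
        return set(range(5))
    if "-" in spec:
        lo, hi = (DAY_NAMES.index(d) for d in spec.split("-", 1))
        if lo <= hi:
            return set(range(lo, hi + 1))
        return set(range(lo, 7)) | set(range(0, hi + 1))   # e.g. Fr-Mo
    codes = [spec[i:i + 2] for i in range(0, len(spec), 2)]
    return {DAY_NAMES.index(c) for c in codes}             # ValueError on a bad code


def _hhmm(text):
    hours, minutes = int(text[:2]), int(text[2:])
    if hours > 23 or minutes > 59:
        raise ValueError("bad time in Login-Time: %s" % text)
    return hours * 60 + minutes


def parse_term(term):
    """Return (days, start_minute, end_minute) for one comma-separated term."""
    m = TERM_RE.match(term.strip())
    if not m:
        raise ValueError("bad Login-Time term: %r" % term)
    dayspec, start, end = m.groups()
    if start is None:                      # no time range: the whole day
        return parse_days(dayspec), 0, MINUTES_PER_DAY - 1
    return parse_days(dayspec), _hhmm(start), _hhmm(end)


def minutes_allowed(login_time, when):
    """Minutes left in the open Login-Time window at 'when', or 0 if login is blocked.

    'when' is a datetime or a 'YYYY-MM-DD HH:MM' string.  The remaining
    minutes are the figure a server would turn into a Session-Timeout.
    """
    if isinstance(when, str):
        when = dt.datetime.strptime(when, "%Y-%m-%d %H:%M")
    weekday, now = when.weekday(), when.hour * 60 + when.minute
    best = 0
    for term in login_time.split(","):
        days, start, end = parse_term(term)
        if end >= start:                                   # window within one day
            if weekday in days and start <= now <= end:
                best = max(best, end - now + 1)
        else:                                              # window wraps past midnight
            if weekday in days and now >= start:           # evening part, on the named day
                best = max(best, MINUTES_PER_DAY - now + end + 1)
            if (weekday - 1) % 7 in days and now <= end:   # morning part, on the day after
                best = max(best, end - now + 1)
    return best


def login_allowed(login_time, when):
    return minutes_allowed(login_time, when) > 0


if __name__ == "__main__":
    # Gavin's original line from the thread: Login-Time is written with '='
    print(check_items_using_equals(
        "DEFAULT Ldap-Group == sundayonly, Login-Time = 2000-0500, Auth-Type := LDAP"))
    # 2004-05-30 was a Sunday, 2004-05-31 a Monday
    for stamp in ("2004-05-30 21:00", "2004-05-31 03:00", "2004-05-31 12:00"):
        print(stamp, minutes_allowed("Al2000-0500", stamp))
```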


Re: fail-over configration

2004-05-31 Thread Alan DeKok
baffy200y [EMAIL PROTECTED] wrote:
 1.Checking users file
   If the User-Name is found,check the User-Password.

  The server can't do that.  The authorize section doesn't do any
authentication.

  I would re-write your request as:

 1.Checking users file
   If the User-Name is not found, go to Checking SQL(Mysql) DataBase.
  Check the Calling-Station-Id.
 if the Calling-Station-Id is correct, continue to authenticate
 if the Calling-Station-Id is incorrect,reject the user.

 2.Checking SQL(Mysql) DataBase.
   If the User-Name is not found, reject the user.
 
  Check the Calling-Station-Id.
 if the Calling-Station-Id is correct, continue to authenticate
 if the Calling-Station-Id is incorrect,reject the user.

  In authenticate, check the User-password.  If correct, the user is
authenticated.
 if the User-Password is incorrect,reject the user


  The server can do this.  See doc/configurable_failover for how to
configure the authorize section to do check files, if not found,
check sql.

  Alan DeKok.




Re: problems with attr_rewrite

2004-05-31 Thread Alan DeKok
Ruslan A Dautkhanov [EMAIL PROTECTED] wrote:
 To unconditionally change NAS-IP-Address to Client-IP-Address:

  Why?

 attr_rewrite set_real_nas_ip {
 attribute = NAS-IP-Address
 searchin = packet
 searchfor = "^.*$"
 replacewith = "%{Client-IP-Address}"
 }

  This is always wrong.  You do NOT want to do this.

 But in authorize it's fail:
 Sat May 29 22:42:50 2004 : Debug:   modsingle[authorize]: calling set_real_nas_ip (rlm_attr_rewrite) for request 2
 Sat May 29 22:42:50 2004 : Debug: radius_xlat:  '^.*$'
 Sat May 29 22:42:50 2004 : Debug: radius_xlat:  ''
 Sat May 29 22:42:50 2004 : Debug: rlm_attr_rewrite: xlat on replace string failed.

  Odds are you listed it *before* preprocess, or there was no
NAS-IP-Address in the packet.

  Alan DeKok.





Re: attr_rewrite regex query

2004-05-31 Thread Alan DeKok
Spencer Stapleton [EMAIL PROTECTED] wrote:
 I can't figure out the regex syntax used in attr_rewrite, and am
 unable to find any useful docs pertaining to this anywhere

$ man regex

  The regex engine used is whatever is already on your machine.

 I noticed that the debug line has dropped the regex '$'
 end-of-string character, so I tried escaping it, but to no avail:
 One '\' does nothing to the debug output, whilst two '\\' gives:

  It's a bug in 0.9.3.  The latest CVS snapshot should have it fixed.

  Alan DeKok.



Re: Fail-Over

2004-05-31 Thread Alan DeKok
Juan [EMAIL PROTECTED] wrote:
 i have read configurable_failover three times but i can not make
 freeradius fail over with ippool. I have two pools that i want
 to use for all my users. I need freeradius to start assigning
 IPs from the second pool when the first is full. I do not know what
 i must read to do it.

  It looks like it's a problem with the IP pool module...

  Alan DeKok.



Re: mysql failover

2004-05-31 Thread jesk
On Sunday 30 May 2004 14:07, Gary McKinney wrote:
 Hmmm -

 The logic of the request does not really make much sense... If the
 FreeRadius server is responding to the NAS but the mysql server back-end
 is not responding, that does not mean the radius server is broken...

 I would think you could set up to authenticate through multiple mysql
 backend servers to handle the event of the primary being offline or down,
 instead of forcing a perfectly good working radius server to act like it
 was down... and if you set up a secondary freeradius server to handle the
 event of the primary going down, you can use the mysql servers that the
 first radius server points to for authentication by the second radius
 server, so they have a common shared database (double redundancy).

 Check the email archives - I remember someone answered how to set up
 multiple sql servers to be used for user authentication in freeradius
 (which is what you really want to do here)... if the first mysql server
 is not responding, the second (or next in line) will perform the response
 instead.

 gm...

 - Original Message -
 From: jesk [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Sunday, May 30, 2004 6:38 AM
 Subject: Re: mysql failover

  On Friday 28 May 2004 17:36, jesk wrote:
   hi everybody,
  
   is there a way to configure freeradius to NOT answer a NAS if the
   mysql backend is down, so that the nas can switch to the next secondary
   configured freeradius server with its own mysql backend?
   i tested freeradius and shut down the mysql server; the request from
   the nas came in and freeradius rejected the request because of the
   closed mysql db handle, so the nas rejected the ppp session and didn't
   request the secondary freeradius.
   can somebody help me?
  
  
   thanks in advance,
  
   christian
  
  
 
  no way?
 



hi,

my intent was to set up 2 freeradius servers, each with its own local
mysql db. both mysql servers are used to handle all 3 kinds of aaa. the
replication of accounting data is done with radrelay; this works very fine.
but now there is this problem of the potential breakdown of a
mysql server. if i handle this like you said, then i couldn't log
accounting data, because of radrelay i think; accounting data would be
logged twice. is there no easy way to get around these circumstances?
i use mysql for all accounts; only the DEFAULT entry is in the users file.

thanks for any hints!

regards,
christian



Re: Trying out Windows XP 802.1x + PEAP and FreeRADIUS.

2004-05-31 Thread Alan DeKok
Fredrik Ohrn [EMAIL PROTECTED] wrote:
 Initially I had some trouble getting ntlm_auth to accept the username
 given to it (in the form domain\\username). I ended up writing a small
 script that chopped off the domain\\ part before sending it to ntlm_auth,
 and also had to add --domain=mydomain to the command line.

  You can do:

 .ntlm_auth = /path/to/ntlm_auth ... --username=%{mschap:User-Name} 
--domain=%{mschap:NT-Domain} ..

  And the MSCHAP module will take care of doing that for you.

 Unfortunately the Windows XP client logs the following line:
 
 [1440] 19:02:18:161: Failing Auth because we got a success/fail without TLV.

  Run the server with -Xxxx, and you should see a little more
debugging information from the PEAP tunnel.

  As to why that message happens, I don't know.  The server always
sends a proper TLV in the responses...

  Alan DeKok.




Re: PostgreSQL

2004-05-31 Thread Peter Nixon
On Wednesday 05 November 2003 14:27, David Cadenas wrote:
 Hi everybody,
 I have a problem with the loading of the driver rlm_sql_postgresql.
 I have added sql to the list in authorize section of the radiusd.conf,
 between suffix and files.

 When the radiusd -X tries to load the Module SQL appears:

 Module: Loaded SQL
  sql: driver = rlm_sql_postgresql
  sql: server = localhost
  sql: port = 
  sql: login = postgres
  sql: password = 
  sql: radius_db = radius
  sql: acct_table = radacct
  sql: acct_table2 = radacct
  sql: authcheck_table = radcheck
  sql: authreply_table = radreply
  sql: groupcheck_table = radgroupcheck
  sql: groupreply_table = radgroupreply
  sql: usergroup_table = usergroup
  ...
  ...
  sql: connect_failure_retry_delay = 60
  sql: simul_count_query = 
  sql: simul_verify_query = 
 rlm_sql (sql): Could not link driver rlm_sql_postgresql: file not found
 rlm_sql (sql): Make sure it (and all its dependent libraries!) are in
 the search path of your system's ld.
 radiusd.conf[11]: sql: Module instantiation failed.

 I'm sure that the libraries are well located.
 Being prefix = /usr/local  in radiusd.conf, I've the libraries in
 /usr/local/lib, for example:
 rlm_sql.a
 rlm_sql.la
 rlm_sql_postgresql.a
 rlm_sql_postgresql.la
 rlm_sql.so

 Is the existence of rlm_sql_postgresql.so necessary? Is it dynamic?
 Thanks!

Did you have postgresql-devel installed on your system when you compiled
FreeRADIUS? It appears that you have not built FreeRADIUS with postgres
support.


-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Please update FAQ, was Re: Ldap-Group, Login-Time not working?

2004-05-31 Thread Gavin White

Reply-Message = You are calling outside your allowed timespan\r\n
Superb!  Thank you Keith.
The faq at http://www.freeradius.org/faq/#5.3 has the '=' syntax. I've 
cc'd the maintainer.

Thanks again,
Gavin


Latest freeradius and NPTL fail

2004-05-31 Thread Sergei Golod
Hello.

The latest version of FR doesn't work under Debian GNU/Linux when NPTL is
used. I have the following configuration:
NAS, FR, MySQL to store all attributes. The RADGROUPREPLY table contains:

Exec-Program-Wait := /etc/freeradius/webadmin/webadmin-auth

This script is used to authenticate users instead of using RADCHECK
attributes.

Example log when we run: # LD_ASSUME_KERNEL=2.4.1 /usr/sbin/freeradius
-fxx   (LD_ASSUME_KERNEL=2.4.1 is used to disable NPTL in glibc library
calls). Running FR in single thread mode (-s) also solves all problems.
...skipped...
radius_xlat:  '/etc/freeradius/webadmin/webadmin-auth'
Exec-Program: /etc/freeradius/webadmin/webadmin-auth
Exec-Program output:
Exec-Program: returned: 1
Delaying request 10 for 1 seconds
Finished request 10
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 80.237.68.1:1645, id=232,
length=76
Sending Access-Reject of id 232 to 80.237.68.1:1645
Reply-Message := \r\nAccess denied (external check failed).
--- Walking the entire request list ---
Waking up in 1 seconds...

But when we run freeradius with NPTL enabled we have instability
(sometimes requests are OK, but more frequently they fail).
...skipped...
radius_xlat:  '/etc/freeradius/webadmin/webadmin-auth'
Exec-Program: /etc/freeradius/webadmin/webadmin-auth
Re-wait 2
Exec-Program output:
rad_recv: Access-Request packet from host 80.237.68.1:1645, id=238,
length=76
Discarding duplicate request from client c2650:1645 - ID: 238 due to
unfinished request 3
--- Walking the entire request list ---
radius_xlat:  '/etc/freeradius/webadmin/webadmin-auth'
Threads: total/active/spare threads = 5/1/4
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 80.237.68.1:1645, id=238,
length=76
Discarding duplicate request from client c2650:1645 - ID: 238 due to
unfinished request 3
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 80.237.68.1:1645, id=238,
length=76
Discarding duplicate request from client c2650:1645 - ID: 238 due to
unfinished request 3
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
WARNING: Unresponsive child (id 1119775664) for request 3
Server rejecting request 3.
Waking up in 5 seconds...

System configuration: Debian GNU/Linux unstable, FR (cvs snapshot from
20.05.2004), glibc 2.3.2.ds1, linux kernel 2.6.6.

---
Sergei Golod. SIG11-RIPE. Computers Technologies Ltd. Tobolsk, Russia.
http://www.tob.ru Tobolsk : +7 345 1151200, Mobile : +7 902 8503999






Re: Latest freeradius and NPTL fail

2004-05-31 Thread Alan DeKok
Sergei Golod [EMAIL PROTECTED] wrote:
 Latest version of the FR doesn't work under Debian GNU/Linux when NPTL
 used.

  It looks like the NPTL implementation of semaphores has problems.

  The server uses a number of semaphores internally.  From what I can
see of the debug log, the Exec-Program code is waiting on a semaphore
that never unlocks.  The end result is that the server is locked
forever.

  Since this exact code works on NetBSD, FreeBSD, Solaris, Windows XP
(SFU), and older versions of Linux, I'm inclined to say it's a
NPTL-specific problem.

  Alan DeKok.



Re: Latest freeradius and NPTL fail

2004-05-31 Thread Michael Griego
RedHat 9 and Fedora Core both use NPTL threading.  I've never seen any
problems like this, and I use FC1 as my production RADIUS server OS. 
The only exec-program stuff I've used is the ntlm_auth portion of the
mschap module, and I've never had any problems with it.  Perhaps it is
even Debian-unstable specific?  Or perhaps kernel 2.6 specific?

--Mike





Re: Please update FAQ, was Re: Ldap-Group, Login-Time not working?

2004-05-31 Thread Alan DeKok
Gavin White [EMAIL PROTECTED] wrote:
 The faq at http://www.freeradius.org/faq/#5.3 has the '=' syntax. I've 
 cc'd the maintainer.

  Fixed, thanks.

  Alan DeKok.



Re: Latest freeradius and NPTL fail

2004-05-31 Thread Paul Hampson
Weird. I'm running on Kernel 2.6, on Debian, (on PPC, although I've an
only rarely used i386 test server at home with libc6-i686) and I've
not seen any semaphores lock up. Mind you, I converted Exec-Program-Wait
to rlm_exec a while ago, as it's a much cleaner solution to my mind.

Try changing to using rlm_exec, and if that fixes the problem, then the
issue is near _that_ semaphore, and the best solution may be to either
find out what NPTL's doing differently (signal handling I suspect) and
fix/work-around it, or just deprecate Exec-Program-Wait after 1.0.0.

-- 
Paul TBBle Hampson, on an alternate email client.



FreeRADIUS 1.0.0-pre1 released

2004-05-31 Thread Paul Hampson
Ladies and gentlemen,

We are proud to announce that the 1.0.0 release cycle for FreeRADIUS is
entering its final stages. The first pre-release wide-area-test tarball
is on the FreeRADIUS website: http://www.freeradius.org/

You can also download the tarball itself directly below:
ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.0-pre1.tar.gz

It contains fixes for bugs, annoyances and surprises, as well as a host
of new features listed below:

Better wireless support (PEAP, EAP-TTLS), 
Support for listening on multiple ports, 
Many new dictionaries, 
Speed improvements and optimizations, 
Preliminary support for Windows XP (under SFU), 
Updates for 64-bit systems, 
More SNMP statistics, 
Better support for non-compliant, and unknown VSA's,

The 1.0.0 changelog is huge, and available here:
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/doc/ChangeLog?rev=1.57

We're now fully license compliant, GPL for the modules and LGPL for the
libradius.

So please, take this release, check it for bugs that you experienced in
0.9.3, put it through its paces with whatever test loads you expect can
demonstrate its stability, and let us know on the mailing lists or bug
tracking system what you feel needs doing before we can declare that we
have completed 1.0.0.

We will undergo a few more pre-releases as needed, then this code will
become FreeRADIUS 1.0.0. New features will continue to be added to HEAD
(nominally 1.1.0) but not to 1.0.0. The daily snapshots will still come
from HEAD in CVS.

In CVS, the branch is release_1_0 and this is tagged release_1_0_0_pre1.

Debian packages for Debian/unstable are available from:
http://www.tbble.com/freeradius/debian/

Thank you for your attention. :-)

--
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.




Re: LDAP Authentication (MS Windows AD)

2004-05-31 Thread Bill Shaver
Dusty,
Thanks. I spent some time working at it from the LDAP angle and it
still fails with the ldapsearch. I will do some more reading/research
to get that working first, then if I have problems getting it work
with FreeRADIUS, I will get back with you all. (If you have some good
recommendations on howto's or other references getting OpenLDAP and MS
AD to talk, I would appreciate the suggestions.)

Thanks for the pointers.
--Bill

From Dustin Doris on Sat, 29 May 2004 10:40:55 -0400 (EDT)

Hmmm...  Perhaps you should double-check just to make sure.  Do you have
access to a machine with openldap on it?  You could use the ldapsearch
command to attempt a bind to AD.

It would look something like this:

$ ldapsearch -h win-dc.win-dom.ctc.edu \
    -D "CN=User\\, Asteroid,OU=System Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu" \
    -w whateveryourpasswordis \
    -b "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu" \
    "(SamAccountName=jdummy)"

-Dusty

On Fri, 28 May 2004, Bill Shaver wrote:

 Thanks for the reply. Yes, it is a goofy name, but I am told it does
 have read access on AD (it is in the 'domain user' group).

 From: Dustin Doris [EMAIL PROTECTED] on Fri, 28 May 2004 13:16:20 -0400
 
  Is CN=User\\, Asteroid,OU=System Accounts... a valid user with read
  access to AD?
 
   It seems that this should not be so hard; I am sure I am making a stupid
   mistake somewhere, but I just don't see it.
  
   I am attempting to set up freeradius 0.9.3 (redhat) to use (initially) one
   of several Windows 2003 AD for authentication. I am, however, unable to
   get the first one to work. I have attached what I think are the relevant
   log and configuration sections. The Windows admin is not seeing any
   errors in her logs. On the radius side, it seems that radiusd is not able to
   negotiate a connection that the ldap server will accept.
  
   Any recommendations would be appreciated.
 --Bill
  
  
   --- ldap config from radiusd.conf
  
   ldap {
       server = win-dc.win-dom.ctc.edu
       port = 636
       identity = "CN=User\\, Asteroid,OU=System Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
  
  ** Is CN=User\\, Asteroid,OU=System Accounts... a valid user with read
  access to AD?
  
       password = 
       start_tls = yes
       basedn = "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
       filter = "(SamAccountName=%u)"
       dictionary_mapping = ${raddbdir}/ldap.attrmap
       ldap_connections_number = 5
       timeout = 4
       timelimit = 3
       net_timeout = 1
       ldap_debug = 0x0028
   }
   snipped



Re: FreeRADIUS 1.0.0-pre1 released

2004-05-31 Thread Damjan
Congratulations, I have several questions:
1. Why is the option --with-large-files no by default? Are there
any shortcomings?

2. Why is the option --with-udpfromto no by default? The way I
understand it this should be on.

3. Is there a way to put the rlm_ modules in /usr/lib/freeradius while
the main libraries stay in {prefix}/lib?


-- 
damjan | 
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!



Re: attr_rewrite regex query

2004-05-31 Thread Spencer Stapleton
Thanks, I can also confirm that this has been fixed in 1.0.0-pre1.

Spencer.

-- 
Systems engineer
Compass Communications
http://www.compass.net.nz



Re: mysql failover

2004-05-31 Thread jesk
hi,

i configured the always module with handled in the authorize section:

redundant {
sql
handled
}


i believed that that would do nothing if the mysql module failed, but it
returns a reject to the mysql client:


radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'test' ORDER BY id'
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
  modcall[authorize]: module sql returns fail for request 0
  modcall[authorize]: module handled returns handled for request 0
modcall: group redundant returns handled for request 0
modcall: group authorize returns handled for request 0
There was no response configured: rejecting request 0
Server rejecting request 4.
Finished request 4
Going to the next request


can somebody tell me what i'm doing wrong?

thanks and regards,

christian



Re: mysql failover

2004-05-31 Thread jesk
On Tuesday 01 June 2004 00:41, jesk wrote:
 On Monday 31 May 2004 16:58, jesk wrote:
  On Sunday 30 May 2004 14:07, Gary McKinney wrote:
   Hmmm -
  
   The logic of the request does not really make much sense... If the
   FreeRadius
   server is responding to the NAS but the mysql server back-end is not
   responding
   that does not mean the radius server is broken...
  
   I would think you could set up to authenticate through multiple mysql
   backend servers to handle the event of the primary being offline or down
   instead of forcing a perfectly good working radius server to act like it
   was down ... and if you set up a secondary freeradius server to handle the
   event of the primary going down you can use the mysql servers that the
   first radius server points to for authentication by the second radius
   server so they have a common shared database (double redundancy).
  
   Check the email archives - I remember someone answered how to setup
   multiple sql servers to be used for user authentication in freeradius
   (which is what you really
   want to do here)...  if the first mysql server is not responding the
   second (or next in line)
   will perform the response instead
  
   gm...
  
   - Original Message -
   From: jesk [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Sunday, May 30, 2004 6:38 AM
   Subject: Re: mysql failover
  
On Friday 28 May 2004 17:36, jesk wrote:
 hi everybody,

 is there a way to configure freeradius to NOT answer to a NAS if
 the mysql-backend is down, so that the nas can switch to the next
 secondary configured freeradius server with its own mysql-backend?
 i tested freeradius and shutted down the mysqlserver, the request
 from the nas came in and freeradius rejected the request in cause
 of the closed mysqldb-handle, now the nas rejected the ppp session
 and didnt requested the secondary freeradius.
 can somebody help me?


 thanks in advance,

 christian


   
no way?
 
  hi,
 
  my intent was to set up 2 freeradius servers, each with its own local
  mysql-db. both mysql servers are used to handle all 3 kinds of aaa.
  the replication for accounting data is done with radrelay, this works
  very fine. but now there is this problem with the potential breakdown
  of a mysql server. if i am handling this like you said, then i couldn't log
  accounting data, because of the radrelay i think, accounting data would
  be logged twice. is there no easy way to get around these circumstances?
  i use mysql for all accounts, only the DEFAULT entry is in the users
  file.
 
  thanks for any hints!
 
  regards,
  christian
 

 hi,

 i configured the always module with handled in the authorize section:
 
 redundant {
 	sql
 	handled
 }
 

 i believed that would do nothing if the mysql module failed, but
 it returns a reject to the mysql client:

 
 radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
 Username = 'test' ORDER BY id'
 rlm_sql (sql): Ignoring unconnected handle 4..
 rlm_sql (sql): Ignoring unconnected handle 3..
 rlm_sql (sql): Ignoring unconnected handle 2..
 rlm_sql (sql): Ignoring unconnected handle 1..
 rlm_sql (sql): Ignoring unconnected handle 0..
 rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
   modcall[authorize]: module sql returns fail for request 0
   modcall[authorize]: module handled returns handled for request 0
 modcall: group redundant returns handled for request 0
 modcall: group authorize returns handled for request 0
 There was no response configured: rejecting request 0
 Server rejecting request 4.
 Finished request 4
 Going to the next request
 

 can somebody tell me what i'm doing wrong?

 thanks and regards,

 christian


hi again,

i made a mistake:
 i believed that would do nothing if the mysql module failed, but
 it returns a reject to the mysql client:
correctly it should be:
i believed that would do nothing if the mysql module failed, but
it returns a reject to the NAS client.

furthermore i looked in the mail archive and found the same question about
the always handled module asked in the past, but didn't find any helpful
answer as to whether it is possible to do it or not :(

in the doc/rlm_always file i read that it's possible to do this, quote:
Re: FreeRADIUS 1.0.0-pre1 released

2004-05-31 Thread Alan DeKok
Damjan [EMAIL PROTECTED] wrote:
 1. why is the option --with-large-files no by default? Are there
 any shortcomings?

  No.  It's just that most people won't need it.

 2. Why is the option --with-udpfromto no by default? The way I
 understand it this should be on.

  The new listen directive makes the udpfromto code a little less
critical.  You can configure multiple listening sockets, each with an
IP and port.  Version 0.9.3 could only listen on one IP address, making
udpfromto much more necessary.

 3. Is there a way to put the rlm_ modules in /usr/lib/freeradius while
 the main libraries stay in {prefix}/lib?

  Which main libraries?

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Latest freeradius and NPTL fail

2004-05-31 Thread Sergei Golod
 Try changing to using rlm_exec, and if that fixes the problem, then the
 issue is near _that_ semaphore, and the best solution may be to either
 find out what NPTL's doing differently (signal handling I suspect) and
 fix/work-around it, or just deprecate Exec-Program-Wait after 1.0.0.

Already tried. Same situation with {exec:} (i.e. rlm_exec). Can anybody
reproduce this on the same configuration (Debian unstable + linux 2.6.6)?

Sergei.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Latest freeradius and NPTL fail

2004-05-31 Thread Sergei Golod
Just exec-program or exec-program-WAIT? What version of libc6 is used in FC1?

Sergei.

- Original Message - 
From: Michael Griego [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 31, 2004 10:17 PM
Subject: Re: Latest freeradius and NPTL fail


 RedHat 9 and Fedora Core both use NPTL threading.  I've never seen any
 problems like this, and I use FC1 as my production RADIUS server OS.
 The only exec-program stuff I've used is the ntlm_auth portion of the
 mschap module, and I've never had any problems with it.  Perhaps it is
 even Debian-unstable specific?  Or perhaps kernel 2.6 specific?

 --Mike


 On Mon, 2004-05-31 at 11:05, Alan DeKok wrote:
  Sergei Golod [EMAIL PROTECTED] wrote:
   Latest version of the FR doesn't work under Debian GNU/Linux when NPTL
   used.
 
It looks like the NPTL implementation of semaphores has problems.
 
The server uses a number of semaphores internally.  From what I can
  see of the debug log, the Exec-Program code is waiting on a semaphore
  that never unlocks.  The end result is that the server is locked
  forever.
 
Since this exact code works on NetBSD, FreeBSD, Solaris, Windows XP
  (SFU), and older versions of Linux, I'm inclined to say it's a
  NPTL-specific problem.
 
Alan DeKok.
 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Help in using EAP

2004-05-31 Thread Barath kumar
Hi,
I am using EAP authentication protocol. When I send an access request 
from the NAS to the Radius Server, the server rejects the request. 
Please let me know how to resolve this problem. The log messages of the 
radius server are as follows:

Log Messages:
rad_recv: Access-Request packet from host 192.168.112.90:32810, id=0, 
length=69
Received packet from 192.168.112.90 with invalid Message-Authenticator!  
(Shared secret is incorrect.)
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.112.90:32810

Regards,
Barath Kumar.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
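The rejection in the log above is the Message-Authenticator check of RFC 3579: for an EAP Access-Request the NAS places an HMAC-MD5 over the whole packet, keyed with the shared secret, into attribute 80, and the server recomputes it with its own copy of the secret. When the two secrets differ the HMAC never matches, and the server cannot tell a misconfigured secret from a forged packet, so it rejects. The following Python is an added example, not code from the post or from FreeRADIUS; it builds such a request and verifies it. The user name, EAP Identity payload and both secrets are constructed.

```python
"""Compute and verify the RADIUS Message-Authenticator attribute (RFC 3579, 3.2)
for Access-Request packets. Added example; not from the mailing list post."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def encode_attr(attr_type, value):
    """Encode one attribute as Type | Length | Value (RFC 2865, section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, attrs, authenticator=None):
    """Return an Access-Request carrying a valid Message-Authenticator.

    The HMAC-MD5 is keyed with the shared secret and computed over the whole
    packet (header, Request Authenticator, all attributes) with the
    Message-Authenticator value set to 16 zero octets; the digest then
    replaces the zeros.
    """
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: 16 random octets
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    header += authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute after the header."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        yield pos, attr_type, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(secret, packet):
    """Return True only if Message-Authenticator verifies under `secret`.

    False for a wrong secret, a tampered packet, or a packet without the
    attribute: an EAP request must carry it, so its absence is a failure.
    """
    if len(packet) < HEADER_LEN:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    try:
        for offset, attr_type, value in iter_attrs(packet):
            if attr_type != ATTR_MESSAGE_AUTHENTICATOR:
                continue
            if len(value) != 16:
                return False
            # Recompute over the packet with the attribute value zeroed.
            zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False


def demo_mismatch(nas_secret, server_secret):
    """Constructed exchange: the NAS signs with nas_secret, the server checks
    with server_secret. Returns the server's verdict (True = accepted for
    further processing, False = "Shared secret is incorrect")."""
    eap_identity = b"\x02\x00\x00\x08\x01bob"  # EAP Response/Identity "bob" (constructed)
    packet = build_access_request(
        nas_secret, 0, [(ATTR_USER_NAME, b"bob"), (ATTR_EAP_MESSAGE, eap_identity)]
    )
    return verify_message_authenticator(server_secret, packet)


if __name__ == "__main__":
    print("same secret:", demo_mismatch(b"testing123", b"testing123"))       # True
    print("different secret:", demo_mismatch(b"testing123", b"testing124"))  # False
```

The check covers only Access-Request; for Access-Accept, Access-Reject and Access-Challenge the HMAC is computed with the Request Authenticator of the matching request in the header, which this example does not implement. A Message-Authenticator failure is logged before any user lookup, so the fix is on the NAS and in clients.conf, not in users or the EAP module configuration.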