Re: dialup_admin online user problem

2004-06-14 Thread Milver S. Nisay
does it show the PHP script properly? how about the buttons?
check your dialup admin if connecting properly to your local MySQL.

- Original Message -
From: apellido [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, June 13, 2004 9:12 AM
Subject: dialup_admin online user problem


 Hello guys i have a problem in showing the online user in dialup_admin,
 here's my config:

 admin.conf:

 general_prefered_lang: en
 general_prefered_lang_name: English
 general_charset: iso-8859-1
 #general_decode_normal_attributes: yes
 general_base_dir: /usr/local/www/data/dialup_admin
 general_radiusd_base_dir: /usr/local/freeradius-1.0.0-pre1
 general_domain: mactan.ph
 general_use_session: no
 general_most_recent_fl: 30
 #general_strip_realms : yes
 general_realm_delimiter: @
 general_realm_format: suffix
 general_show_user_password: yes
 general_raddb_dir: %{general_radiusd_base_dir}/etc/raddb
 #general_ldap_attrmap: %{general_raddb_dir}/ldap.attrmap
 # Need to fix admin.conf file parser
 #general_clients_conf: %{general_raddb_dir}/clients.conf
 general_clients_conf: /etc/raddb/clients.conf
 general_sql_attrmap: %{general_base_dir}/conf/sql.attrmap
 general_accounting_attrs_file: %{general_base_dir}/conf/accounting.attrs
 #general_extra_ldap_attrmap: %{general_base_dir}/conf/extra.ldap-attrmap
 general_lib_type: sql
 general_user_edit_attrs_file: %{general_base_dir}/conf/user_edit.attrs
 general_sql_attrs_file: %{general_base_dir}/conf/sql.attrs
 general_default_file: %{general_base_dir}/conf/default.vals
 #general_ld_library_path: /usr/local/snmpd/lib
 general_finger_type:
 #general_nas_type: cisco
 #general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
 #general_radclient_bin: %{general_radiusd_base_dir}/bin/radclient
 general_test_account_login: apellido
 general_test_account_password: apellido
 general_radius_server: localhost
 general_radius_server_port: 1645
 general_radius_server_auth_proto: pap
 # password[server-name]: x
 general_radius_server_secret: cyclades
 general_auth_request_file: %{general_base_dir}/conf/auth.request
 general_encryption_method: md5
 general_accounting_info_order: desc
 general_stats_use_totacct: no
 general_restrict_badusers_access: no
 INCLUDE: %{general_base_dir}/conf/naslist.conf
 INCLUDE: %{general_base_dir}/conf/captions.conf
 #ldap_server: ldap.%{general_domain}
 #ldap_write_server: master.%{general_domain}
 #ldap_base: dc=company,dc=com
 #ldap_binddn: cn=Directory Manager
 #ldap_bindpw: XXX
 #ldap_default_new_entry_suffix: ou=dialup,ou=guests,%{ldap_base}
 #ldap_default_dn: uid=default-dialup,%{ldap_base}
 #ldap_regular_profile_attr: dialupregularprofile
 #ldap_use_http_credentials: yes
 #ldap_directory_manager: cn=Directory Manager
 #ldap_map_to_directory_manager: admin
 #ldap_debug: true
 # %u: username
 # %U: username provided though http authentication
 # %mu: mappings for userdb
 # %ma: mappings for accounting
 #ldap_filter: (uid=%u)
 #ldap_userdn: uid=%u,%{ldap_base}
 sql_type: mysql
 sql_server: localhost
 sql_port: 3306
 sql_username: radius
 sql_password: radius99%
 sql_database: radius
 sql_accounting_table: radacct
 sql_badusers_table: badusers
 sql_check_table: radcheck
 sql_reply_table: radreply
 sql_user_info_table: userinfo
 sql_groupcheck_table: radgroupcheck
 sql_groupreply_table: radgroupreply
 sql_usergroup_table: usergroup
 sql_total_accounting_table: totacct
 sql_nas_table: nas
 sql_command: /usr/local/bin/mysql
 general_snmp_type: net
 general_snmpwalk_command: /usr/local/bin/snmpwalk
 general_snmpget_command: /usr/local/bin/snmpget
 #sql_debug: true
 #sql_use_http_credentials: yes
 #sql_accounting_extra_query: %ma
 sql_use_user_info_table: true
 sql_use_operators: true
 #sql_default_user_profile: DEFAULT
 sql_password_attribute: User-Password
 sql_date_format: Y-m-d
 sql_full_date_format: Y-m-d H:i:s
 sql_row_limit: 40
 sql_connect_timeout: 3
 counter_default_daily: none
 counter_default_weekly: none
 counter_default_monthly: none
 counter_monthly_calculate_usage: true


 naslist.conf:

 #
 # This file contains the NAS list
 #
 nas1_finger_type: database
 nas1_type: portlave
 nas1_name: ***.%{general_domain}
 nas1_model: CycladesZ access server
 nas1_ip: 203.*.*.*
 nas1_port_num: 16
 nas1_community: public
 nas2_finger_type: database
 nas2_type: livingstone
 nas2_name: **.%{general_domain}
 nas2_model: Portmaster access server
 nas2_ip: 203.*.*.*
 nas2_port_num: 16
 nas2_community: public
 #
 # finger type can also be set per NAS
 # snmp: Use snmp to query the NAS
 # database: Only query the sql database
 #
 # If it is not set, general_finger_type is assumed
 #nas2_finger_type: database
 # nas type can also be set per NAS
 #nas2_type: cisco
 #nas3_name: nas3.%{general_domain}
 #nas3_model: Cisco 5300 access server
 #nas3_ip: 147.122.122.124
 #nas3_port_num: 210
 #nas3_community: public


 and i just commented in the sql.conf
 #readclients = yes


 Please help



Re: Freeradius for Voip

2004-06-14 Thread yudhi kukuh
hi,

you can activate:

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
# to get only VSA value on database ##
with_cisco_vsa_hack = yes
#
}

best regards,

..  Yudhi Kukuh
PT Satya Digital Integrasi
Ph  +62 21 70772543 / 7992977
Fax  +62 21 86901650 / 7992977
Mobile +62 818781616
E-Mail [EMAIL PROTECTED]
Visit www.satyadigital.com
'A New Style of Data Integration'
- Original Message - 
From: Fabio Viracao [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 14, 2004 11:11 AM
Subject: Re: Freeradius for Voip


 Hi

 Using VSA_HACK I can remove the h323-x-time= from my db, now how can
 I insert the date in a good format to the DB, any suggestion?

 03:44:37.370 GMT Mon Jun 14 2004

 Thanks
 Fabio


 - Original Message - 
 From: Fabio Viracao [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Sunday, June 13, 2004 11:50 PM
 Subject: Re: Freeradius for Voip


  Hi Folks;
 
  Can someone help-me how to insert the following to mysql ??, I do not want
  to insert  h323--time only the date.
 
  h323-connect-time = h323-connect-time=01:14:40.329 GMT Sat Jun 12 2004
  h323-disconnect-time = h323-disconnect-time=01:14:40.329 GMT Sat Jun 12 2004
 
  Thanks
  Fabio
 
 
  - Original Message - 
  From: ROY [EMAIL PROTECTED]
  To: freeradius-users [EMAIL PROTECTED]
  Sent: Friday, March 12, 2004 5:14 PM
  Subject: Re: Freeradius for Voip
 
 
   are you using a cisco box?
  
   if you are.. then.. cisco usually sends date/time in the ff format:
  
   04:07:39.631 HKG Sat Mar 13 2004
  
   Note that NAS text timezone is set at HKG (which is +0800)..
   unfortunately.. Postgresql doesn't support the 'HKG' as a standard text
   timezone.. hence.. had to change it to a recognized +0800 which is CCT.
  
   See the link below..
   http://developer.postgresql.org/docs/postgres/datetime-keywords.html
  
  
   hence.. the function
  
   CREATE OR REPLACE FUNCTION mychg_tz (VARCHAR) RETURNS TEXT AS '
   DECLARE
     date_tz  ALIAS FOR $1;
   BEGIN
     return translate(date_tz,''HKG'',''CCT'');
   END;
   ' LANGUAGE 'plpgsql';
  
  
  
   On Fri, 2004-03-12 at 17:30, Costin Manda wrote:
- Original Message - 
From: ROY [EMAIL PROTECTED]
To: freeradius-users [EMAIL PROTECTED]
Sent: Friday, March 12, 2004 4:52 AM
Subject: Re: Freeradius for Voip
   
   
 I think I've ran into this too..
 The problem was with text timezone not being recognized by Postgres.

 Here's what I've done:

 NAS_TZ = NAS timezone text (not recognized by Postgres)
 SQL_TZ = equivalent timezone text recognized by Postgres

  Can you give me an example? how would NAS_TZ and SQL_TZ look like?

 strip_dot(mychg_tz('%{h323-disconnect-time}'))

  I get the same errors, even if I used NAS_TZ in the function as I
  didn't know what you meant :)

  BTW, I have looked into the SQL trace, all the calls to the strip_dot
  functions look like strip_dot(''). There is nothing between the
  parentheses.
   
   
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Segmentation fault - EAP/TLS

2004-06-14 Thread Project 2k4
Hi,
Now concerning tls, the segmentation fault comes generally from 
misconfiguration of the link between freeradius and openssl, during the 
./configure command when installing freeradius.
That's right on dot!  I passed on the openssl library locations and 
recompiled (albeit this time with 1.0.0.pre2, as opposed to pre1 last 
time) and the server starts without Segmentation fault.  Commands were:

[EMAIL PROTECTED]:~[6]: wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.0-pre2.tar.gz
[EMAIL PROTECTED]:~[7]: tar xzf freeradius-1.0.0-pre2.tar.gz
[EMAIL PROTECTED]:~[8]: cd freeradius-1.0.0-pre2
[EMAIL PROTECTED]:~/freeradius-1.0.0-pre2[9]: ./configure \
--with-openssl-includes=/usr/local/openssl097d/include \
--with-openssl-libraries=/usr/local/openssl097d/lib \
--with-logdir=/var/log/radius
[EMAIL PROTECTED]:~/freeradius-1.0.0-pre2[10]: make
[EMAIL PROTECTED]:~/freeradius-1.0.0-pre2[11]: make install

Thanks!


rlm_sqlcounter Max-Daily-Session??

2004-06-14 Thread nsinit

Hi,
I have configured a freeradius server (freeradius0.9.2 + rlm_pap + 
rlm_sql_mysql + rlm_sqlcounter), sqlcounter works well, but I am puzzled that:
Where is Max-Daily-Session defined in certain dictionary file?
I can't find it under dictionary directory grepping it. Thx!







RE: Message Notify

2004-06-14 Thread Larry

 





Your_money.cpl
Description: Binary data


Using multiple PAM authenticating methodes

2004-06-14 Thread Doove, Rene
Hello,

I want to authenticate users with different pam modules. 
For some users i want to use smb authentication and other with SecurID. 
It works when I use this:

user Auth-Type = Pam
 Service-Type = Framed-User,
 Framed-Protocol = PPP

In the radiusd.conf I have configured pam_auth = radius
so radiusd uses the /etc/pam.d/radius entry. This radius entry
in the pam.d directory is configured to use pam_securid or pam_smb_auth.
Both methods work.


BUT, when i tried it simultaneously like the following, it doesn't work,

user_smb Auth-Type = Pam, Pam-Auth = smb
 Service-Type = Framed-User,
 Framed-Protocol = PPP

user_rsa Auth-Type = Pam, Pam-Auth = rsa
 Service-Type = Framed-User,
 Framed-Protocol = PPP


radiusd -X shows the following error:
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Radius does not enter the pam module!! It looks like the Pam-auth is corrupting everything.
Radiusd doesn't even know that it should go into Pam section..

Any help is appreciated.

Greetings,
Rene Doove





Re: rlm_sqlcounter Max-Daily-Session??

2004-06-14 Thread Milver S. Nisay


 Hi,
 I have configured a freeradius server (freeradius0.9.2 + rlm_pap +
 rlm_sql_mysql + rlm_sqlcounter), sqlcounter works well, but I am puzzled that:
 Where is Max-Daily-Session defined in certain dictionary file?
 I can't find it under dictionary directory grepping it. Thx!

it doesn't hurt you if you cannot find it, what will hurt you is there is
wrong using it as an attribute.
//milver





radius reply to multiple machines

2004-06-14 Thread visia tartaglione
hi all,

i need a help.
i need to know if there is any tool in any version of freeradius that is able to forward a radius reply to multiple host.

in my configuration, the flow of the radius request is:
nas-radius proxy-radius server
and i want the flow of the radius reply to be:
radius server-radius proxy-nas and in addition to be directly
radius server-nas

the reason is a test.

do you know any method to do something like this?
can i manage with radrelay?
any help will be appreciated.
thanks in advance
V




Re: Re: rlm_sqlcounter Max-Daily-Session??

2004-06-14 Thread nsinit



it doesn't hurt you if you cannot find it, what will hurt you is there is
wrong using it as an attribute.

As well as i know, we have to include a dictionary.XXX file in the 
/usr/share/freeradius/dictionary if we want to use our custom 
Vendor-Specific-Attribute, right? 



Hello World! 

[EMAIL PROTECTED]
2004-06-14






FreeRadius + winbind + AD

2004-06-14 Thread Johan Bergström
Anyone managed to connect FreeRadius to AD using Winbindd in Samba? I've
noticed the PAM module for authenticating users to the radius server,
but that's not what I'm after really... I think.

What I want is to be able to login to Cisco switches (NASes) using AD
users/passwords, and depending if the user is in a specific group in the
AD it should be accepted or rejected.

So far I've managed to set it up so that I can login to the switch (the
NAS) with a local Freeradius user.

Johbe




NAS client authentication

2004-06-14 Thread prabhdeep
Hi,
How can one allow any NAS client to be authenticated as long as secret matches?
0.0.0.0/0 does not work in clients.conf there does not seem to be any 
default entry that I can set
something like if the IP does not match then use this.

Thanks.
with regards,
prabh


System load of Exec-Program-Wait ??

2004-06-14 Thread Rob Hartzenberg \(iCabs\)
Hi there,

We are using FreeRadius on a RedHat 9.0 machine. All users are added as
system users with group membership of either users or email. Users in
the users group have full internet access, and users in the email group
are restricted via a filter to only enable email access.

To get freeradius to work with the system groups of users / 100 and email
/ 200
I searched around the new archives until I came up with a solution that uses
Exec-Program-Wait function. 
Ref:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg04644.html

My Question here is, What sort of system load can I expect from doing this?
We currently have 200+ users on the box and all seems well, but what happens
when we get to 1000+ etc, will it still hold up? Is it a potential
bottleneck, or is it clean enough?

Any comments and ideas would be most welcome.

Thanks
-Rob


My /etc/raddb/users file looks like this (This is the full file, nothing
stripped):
##
DEFAULT Auth-Type = System
Service-Type = Framed-User,
Exec-Program-Wait = /etc/raddb/groups.sh,
Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254,
Framed-Routing = None,
Framed-MTU = 1500,
Framed-Compression = Van-Jacobson-TCP-IP, 
###

and the /etc/raddb/groups.sh script looks like this:
###
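#!/bin/bash
# USER_NAME comes from the RADIUS request; strip the double quotes around it.
export UN=$(printf '%s' "$USER_NAME" | tr -d '"')
# Quote every expansion of request data and end option parsing with "--".
for FF in $(/usr/bin/groups -- "$UN" | cut -d: -f2); do
if [ "$FF" = "email" ]; then
echo "Framed-Filter-ID = \"email.in\","
echo "Filter-ID = \"email.in\","
fi
if [ "$FF" = "users" ]; then
echo "Framed-Filter-ID = \"std.in\","
echo "Filter-ID = \"std.in\","
fi
done
exit 0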
###




Re: Re: rlm_sqlcounter Max-Daily-Session??

2004-06-14 Thread apellido
hi, are you referring in sqlcounter dailycounter in sqlcounter.conf? Do 
u want to configure the daily counter? 


 
 
 
 it doesn't hurt you if you cannot find it, what will hurt you is there is
 wrong using it as an attribute.
 
 As well as i know, we have to include a dictionary.XXX file in 
the /usr/share/freeradius/dictionary if we want to use our custom 
 Vendor-Specific-Attribute, right? 
 
 
 
 Hello World! 
 
 [EMAIL PROTECTED]
 2004-06-14
 
 
 
 


Re: NAS client authentication

2004-06-14 Thread Thor Spruyt

- Original Message - 
From: prabhdeep [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 14, 2004 2:57 PM
Subject: NAS client authentication


 Hi,

 How can one allow any NAS client to be authenticated as long as secret
matches?


client 0.0.0.0/1 {
...
}
client 128.0.0.0/1 {
...
}

 0.0.0.0/0 does not work in clients.conf there does not seem to be any
 default entry that I can set
 something like if the IP does not match then use this.

 Thanks.

 with regards,
 prabh




Re: Freeradius for Voip

2004-06-14 Thread Fabio Viracao
Great. It's working fine. Thanks.

But now, 03:44:37.370 GMT Mon Jun 14 2004 is not a good date format,
how can I change it???

Thanks in advance

Fabio

- Original Message - 
From: yudhi kukuh [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 14, 2004 5:50 AM
Subject: Re: Freeradius for Voip


 hi,

 you can activate:

 preprocess {
 huntgroups = ${confdir}/huntgroups
 hints = ${confdir}/hints
 with_ascend_hack = no
 ascend_channels_per_line = 23
 with_ntdomain_hack = no
 with_specialix_jetstream_hack = no
 # to get only VSA value on database ##
 with_cisco_vsa_hack = yes
 #
 }

 best regards,

 ..  Yudhi Kukuh
 PT Satya Digital Integrasi
 Ph  +62 21 70772543 / 7992977
 Fax  +62 21 86901650 / 7992977
 Mobile +62 818781616
 E-Mail [EMAIL PROTECTED]
 Visit www.satyadigital.com
 'A New Style of Data Integration'
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
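
An added example, not part of the thread or of FreeRADIUS: a strict Python parser that turns the Cisco h323 time strings quoted above into a UTC `YYYY-MM-DD HH:MM:SS` value. Because the string is sent by the NAS and ends up inside an SQL statement, anything that is not exactly a timestamp is rejected. The function names and the timezone table are assumptions, and the conversion is assumed to run in a script outside the database.

```python
import re
from datetime import datetime, timedelta, timezone

# Zone abbreviations are site-specific and ambiguous, so every NAS zone must be
# listed explicitly. These offsets (minutes east of UTC) are assumptions chosen
# to cover the sample values quoted in this thread.
TZ_OFFSETS = {"GMT": 0, "UTC": 0, "HKG": 480, "EST": -300}

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
DAYS = "Mon Tue Wed Thu Fri Sat Sun".split()  # same order as datetime.weekday()

H323_TIME = re.compile(r"""
    (?:h323-[a-z]+-time=)?         # attribute name left inside the value
    [.*]?                          # IOS clock-status marker, as in ".17:43:53.367"
    (?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2})\.(?P<ms>\d{3})\s+
    (?P<tz>[A-Za-z]{2,5})\s+
    (?P<dow>[A-Za-z]{3})\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})
""", re.VERBOSE)


def parse_h323_time(value):
    """Parse a Cisco h323-*-time string into a timezone-aware datetime."""
    m = H323_TIME.fullmatch(value.strip())
    if m is None:
        raise ValueError(f"not an h323 time value: {value!r}")
    tz = m["tz"].upper()
    if tz not in TZ_OFFSETS:
        raise ValueError(f"unknown NAS timezone {tz!r}; add it to TZ_OFFSETS")
    mon = MONTHS.get(m["mon"].capitalize())
    if mon is None:
        raise ValueError(f"bad month in {value!r}")
    # datetime() itself rejects out-of-range fields such as hour 25 or Jun 31.
    dt = datetime(int(m["year"]), mon, int(m["day"]),
                  int(m["h"]), int(m["mi"]), int(m["s"]), int(m["ms"]) * 1000,
                  tzinfo=timezone(timedelta(minutes=TZ_OFFSETS[tz])))
    if DAYS[dt.weekday()] != m["dow"].capitalize():
        raise ValueError(f"weekday does not match date in {value!r}")
    return dt


def to_sql_utc(value):
    """Return 'YYYY-MM-DD HH:MM:SS' in UTC, suitable for a DATETIME column."""
    utc = parse_h323_time(value).astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%d %H:%M:%S")


SAMPLES = [  # values as they appear in this thread
    "03:44:37.370 GMT Mon Jun 14 2004",
    "04:07:39.631 HKG Sat Mar 13 2004",
    "h323-connect-time=01:14:40.329 GMT Sat Jun 12 2004",
    ".17:43:53.367 est Fri Jun 4 2004",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:56} -> {to_sql_utc(sample)}")
```

Pass the returned string to the database as a bound parameter rather than pasting it into the query text.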


Building new version of FreeRADIUS links old version of libeap

2004-06-14 Thread Paul Bender
I am running Fedora Core 2, which uses gcc version 3.3.3 20040412 (Red 
Hat Linux 3.3.3-7). I have FreeRADIUS 1.0.0-pre1 installed. When I 
compile FreeRADIUS 1.0.0-pre2, the compiler picks up the old 
libeap-1.0.0-pre1.so rather than the new libeap-1.0.0-pre2. As a result, 
when I remove pre1 and install pre2, pre2 will not run.

Looking at the Makefile.in files, I found that src/main, 
src/modules/rlm_eap, src/modules/rlm_eap/types/rlm_eap_peap, 
src/modules/rlm_eap/types/rlm_eap_sim and 
src/modules/rlm_eap/types/rlm_eap_ttls find the libraries by using a -L 
option to point to the directory and a -l option to point to the 
library. Therefore, I assume that the compiler is searching path 
provided by the -L option after /usr/lib which contains 
libeap-1.0.0-pre2.so.

In order to solve the problem, I modified the 4 Makefile.in files so 
that they point directly to the new libeap file rather than searching 
for libeap in the library path.

Is this a bug in my gcc version/configuration or a bug in the FreeRADIUS 
make files? If it is a bug in my gcc version/configuration, then could 
someone point me in the direction to fix it? If it is a bug in the 
FreeRADIUS make files, then let me know and I will file a bug report 
with my patch file.



Re: Building new version of FreeRADIUS links old version of libeap

2004-06-14 Thread Paul Hampson
On Mon, Jun 14, 2004 at 06:43:59AM -0700, Paul Bender wrote:
 Looking at the Makefile.in files, I found that src/main, 
 src/modules/rlm_eap, src/modules/rlm_eap/types/rlm_eap_peap, 
 src/modules/rlm_eap/types/rlm_eap_sim and 
 src/modules/rlm_eap/types/rlm_eap_ttls find the libraries by using a -L 
 option to point to the directory and a -l option to point to the 
 library. Therefore, I assume that the compiler is searching path 
 provided by the -L option after /usr/lib which contains 
 libeap-1.0.0-pre2.so.

 In order to solve the problem, I modified the 4 Makefile.in files so 
 that they point directly to the new libeap file rather than searching 
 for libeap in the library path.

Did that fix it? We recently hit a problem where libtool transformed
the direct link to a library file _back into_ -L path/to -lblah during
relinking...

 Is this a bug in my gcc version/configuration or a bug in the FreeRADIUS 
 make files? If it is a bug in my gcc version/configuration, then could 
 someone point me in the direction to fix it? If it is a bug in the 
 FreeRADIUS make files, then let me know and I will file a bug report 
 with my patch file.

It's an evil libtool thing, like so many EAP problems are.

-- 
Paul TBBle Hampson, on an alternate email client.



Radius Accouting Functionality Testing

2004-06-14 Thread Hemanth Mysore

Hi All ,

I am doing Radius Server (Accounting Feature) Testing..

Can anyone tell me what are all the possible testing I can do to conform the Radius Accounting Functionality,

I think some testing document will be very useful,

Thanking you all in advance ,

With Regards

Hemanth 

Re: qn abt leap

2004-06-14 Thread Alan DeKok
Timothy Tan [EMAIL PROTECTED] wrote:
 Just a quick question about LEAP.  Am I right to say that as long as the
 client wlan card supports LEAP, I just need any 802.1x compatible AP to
 pass through the LEAP request to the FreeRADIUS server?  Or do I need to
 use a Cisco-only AP?

  The AP needs to support LEAP.

 Also, if I use both cisco and non-cisco APs (eg. I'm considering the
 Netgear WG302), would I need to do anything with the freeradius config
 line cisco_vsa_hack = yes?  I currently have that enabled...

  No.  As the name suggests, it only affects Cisco boxes.

  Alan DeKok.



Re: Using multiple PAM authenticating methodes

2004-06-14 Thread Alan DeKok
Doove, Rene [EMAIL PROTECTED] wrote:
 BUT, when i tried it simultanous like the following, it doesn't work,
  
 user_smb Auth-Type = Pam, Pam-Auth = smb

  Use := not = .

  Alan DeKok.



Re: radius reply to multiple machines

2004-06-14 Thread Alan DeKok
visia tartaglione [EMAIL PROTECTED] wrote:
 i need to know if there is any tool in any version of freeradius that is
 able to forward a radius reply to multiple host.

  radrelay.

 can i manage with radrelay?

  Yes.

  Alan DeKok.



Re: FreeRadius + winbind + AD

2004-06-14 Thread Alan DeKok
Johan =?ISO-8859-1?Q?Bergstr=F6m?= [EMAIL PROTECTED] wrote:
 Anyone managed to connect FreeRadius to AD using Winbindd in Samba? I've
 noticed the PAM module for authenticating users to the radius server,
 but that's not what I'm after really... I think.

  ntlm_auth.  See the mschap module.

  Alan DeKok.



Re: System load of Exec-Program-Wait ??

2004-06-14 Thread Alan DeKok
Rob Hartzenberg (iCabs) [EMAIL PROTECTED] wrote:
 To get freeradius to work with the system groups of users / 100 and email
 / 200
 I searched around the new archives until I came up with a solution that uses
 Exec-Program-Wait function. 

  Huh?  Why not just use the Group attribute, which does Unix group
checking for you?

  Alan DeKok.



(no subject)

2004-06-14 Thread prabhdeep
Thanks Thor,
I tried 0.0.0.0/1, but it still does not work... I keep getting following 
messages.
Just curious what the networking standard... I thought it was 0/8/16/24 or 
is it 1/8/16/24?

rad_recv: Accounting-Request packet from host 192.168.0.121:1024, id=243, 
length=141
Ignoring request from unknown client 192.168.0.121:1024
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.0.121:1024, id=206, 
length=228
Ignoring request from unknown client 192.168.0.121:1024

Thanks again.
prabh


 Hi,

 How can one allow any NAS client to be authenticated as long as secret
matches?

client 0.0.0.0/1 {
...
}
client 128.0.0.0/1 {
...
}
 0.0.0.0/0 does not work in clients.conf there does not seem to be any
 default entry that I can set
 something like if the IP does not match then use this.

 Thanks.

 with regards,
 prabh

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
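
An added example, not part of the thread and not FreeRADIUS code: a Python audit of a clients.conf that reports how much of the IPv4 space is accepted as a NAS. It is relevant here because a prefix length can be any value from 0 to 32, and the two /1 entries suggested above together cover every address, leaving the shared secret as the only check. The sample files, the /24 threshold and the function names are constructed, and the longest-prefix lookup is a model for auditing, not the server's own matching logic.

```python
import ipaddress
import re

CLIENT_HEADER = re.compile(r"^\s*client\s+(\S+)\s*\{", re.MULTILINE)


def client_networks(conf_text):
    """Return [(spec, IPv4Network or None)] for each 'client <addr>[/len] {'.

    Hostname clients cannot be resolved offline and are returned with None.
    """
    text = re.sub(r"#.*", "", conf_text)  # drop comments before matching
    found = []
    for spec in CLIENT_HEADER.findall(text):
        try:
            net = ipaddress.IPv4Network(spec, strict=False)
        except ValueError:
            net = None  # hostname or non-IPv4 value
        found.append((spec, net))
    return found


def overbroad(conf_text, min_prefix=24):
    """Client specs whose prefix is shorter than min_prefix (assumed threshold)."""
    return [spec for spec, net in client_networks(conf_text)
            if net is not None and net.prefixlen < min_prefix]


def ipv4_share(conf_text):
    """Fraction of the IPv4 address space accepted as RADIUS clients."""
    nets = [net for _, net in client_networks(conf_text) if net is not None]
    merged = ipaddress.collapse_addresses(nets)  # merges overlaps and siblings
    return sum(n.num_addresses for n in merged) / 2 ** 32


def matching_client(conf_text, source_ip):
    """Longest-prefix match of a packet source address against the client list."""
    ip = ipaddress.IPv4Address(source_ip)
    hits = [(net.prefixlen, spec) for spec, net in client_networks(conf_text)
            if net is not None and ip in net]
    return max(hits)[1] if hits else None


# Constructed sample files; secrets and shortnames are placeholders.
SPLIT_HALVES = """
client 127.0.0.1 {
    secret = placeholder-secret
    shortname = localhost
}
client 0.0.0.0/1 {      # lower half of IPv4
    secret = placeholder-secret
    shortname = any-low
}
client 128.0.0.0/1 {    # upper half of IPv4
    secret = placeholder-secret
    shortname = any-high
}
"""

SCOPED = """
client 127.0.0.1 {
    secret = placeholder-secret
    shortname = localhost
}
client 192.168.0.0/24 {
    secret = placeholder-secret
    shortname = lab-nas
}
"""

if __name__ == "__main__":
    for name, conf in (("SPLIT_HALVES", SPLIT_HALVES), ("SCOPED", SCOPED)):
        print(name)
        print("  overbroad entries :", overbroad(conf))
        print("  share of IPv4     : {:.8%}".format(ipv4_share(conf)))
        print("  192.168.0.121 hits:", matching_client(conf, "192.168.0.121"))
```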


Modify packet proxied to a specific realm

2004-06-14 Thread Kostas Zorbadelos

Hello to everyone.
I would like to know if and how it is possible to modify an accounting
and an authentication request
packet that is going to be proxied to a specific realm. 
What I want is to add a specific attribute with a specific value to
every accounting and authentication request packet that is going to be
proxied at realm X before it gets proxied.

I would appreciate any suggestions.
Thanks in advance

Kostas 


--   
  Kostas Zorbadelos
  Currently at: Otenet IT Department 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




post-auth

2004-06-14 Thread Andrea Gabellini
Hi,
I'm using the post-auth section to log user's attempt. Is it possible, in 
case of REJECT, to log the full description of the rejection instead of the 
useless 'Access-Reject' string?

For example, if a user reaches the Simultaneous-Use value, is it possible to 
log a string like the one logged to radius.log 'Multiple logins (max 1) : 
[username] (...)'

Thanks,
Andrea
---
Don't fall before you're pushed.
---
Ing. Andrea Gabellini
Email: [EMAIL PROTECTED]
Tel: 0549 886111 (Italy)
Tel. +378 0549 886111 (International)
Intelcom San Marino S.p.A.
Strada degli Angariari, 3
47891 Rovereta
Repubblic of San Marino
http://www.omniway.sm  http://www.intelcom.sm


Update New Info

2004-06-14 Thread Alex hagi
Hello,

I am working with the Cisco and Freeradius, using only VoIP records.
My question is that the command aaa update new info in the Cisco will send me update 
of new information about an active session, but when i debug the freeradius, i only 
see acct-status-type=Alive 
but for Call-Type=Telephony. This is an example:

rad_recv: Accounting-Request packet from host NASIP:1646, id=98, length=454
Acct-Session-Id = 013FB949
h323-setup-time = h323-setup-time=.17:43:53.367 est Fri Jun 4 2004
h323-gw-id = h323-gw-id=NASID
h323-conf-id = h323-conf-id=1B8ABDC9 B5A711D8 899FB3DB 577CC76C
h323-call-origin = h323-call-origin=answer
h323-call-type = h323-call-type=Telephony
Cisco-AVPair = h323-incoming-conf-id=1B8ABDC9 B5A711D8 899FB3DB 577CC76C
Cisco-AVPair = subscriber=RegularLine
Acct-Session-Time = 0
Acct-Status-Type = Alive
NAS-Port-Type = Async
Cisco-NAS-Port = ISDN 3/0:D:1
NAS-Port = 0
Cisco-AVPair = interface=ISDN 3/0:D:1
Calling-Station-Id = 6164540384
Called-Station-Id = 58150525556660866
Service-Type = Login-User
NAS-IP-Address = NASIP
Acct-Delay-Time = 0

Do the alive packets work only with Telephony records?.. or could they also work with 
VoIP?

Thanks for any help,

Alex






moving from cistron radius to freeradius

2004-06-14 Thread Chad Whitten
i currently have a radius server running cistron radius (an older version) 
that authenticates against the system's passwd/shadow file.  there are about 
8k users on the system and 6 RAS devices (ascend tnt's and max4000's).  i 
don't do anything fancy with attributes and don't track usage details or 
anything - just basically authenticate username/password and then the RAS 
gives the user an ip.

some of my passwords are md5, some are not (majority are md5).  of course, i 
don't have the passwords in plaintext anywhere.  the hardware is x86 running 
redhat linux. i currently use webmin to add/remove users.  

i would like to convert to freeradius but would like some feedback regarding 
my setup - is it doable?  what challenges/obstacles would i face?  i'm 
thinking the passwd/shadow files will be my biggest problem.  i would like to 
move to a mysql database for storing usernames/passwords as i could then 
write a management system in php for adding/removing users.  

i would appreciate any thoughts on this.

-- 
Chad Whitten
Network/Systems Administrator
neXband Communications
[EMAIL PROTECTED]
601-944-4801 Phone
601-944-4803 Fax




ldap sha1 mschap peap pap

2004-06-14 Thread Epp, Ladd J
(Sorry, previous posting was in HTML, not intentional)

Hello Again,

Since I'm still relatively new to FreeRADIUS authorization/authentication, some 
clarification on the following subject would help me out greatly.  I understand that 
ldap passwords must be clear to use mschap (Windows XP wireless supplicant using 
PEAP). Is this absolutely true? On reading the FAQ (5.11), I get the impression that 
you can use PAP passwords to authenticate. And, in radiusd.conf, you can specify a pap 
encryption scheme (in my case, my ldap passwords are in sha1). I've read through 
doc/rlm_ldap as the FAQ suggests and still do not understand.

Also, I'm able to bind using the credentials I've entered on the supplicant side. My 
knowledge is limited, but why can't the LDAP authorization be enough to say, ok, the 
user is in the database and the password is good. Let him/her have access. Why is 
authorization happening, but User-Password errors stopping me.

Please help!

Thanks
lje


rlm_ldap: user bogusstudent authorized to use remote access
ldap_msgfree
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 8
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 8
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for bogusstudent with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect


Ladd J. Epp
Information Specialist
The University of Kansas
785-864-0460





Re: post-auth

2004-06-14 Thread Keith Yoder
Andrea Gabellini wrote:
 Hi,
 I'm using the post-auth section to log user's attempt. Is it possible, 
 in case of REJECT, to log the full description of the rejection 
 instead of the useless 'Access-Reject' string?

I added a message field to the table and use the following query:
INSERT into ${postauth_table} (id, user, pass, reply, message, date, 
callingstationid) values ('', '%{User-Name}', '%{User-Password}', 
'%{reply:Packet-Type}', REPLACE(REPLACE('%{reply:Reply-Message}', 
'\r', ''), '\n', ''), NOW(), '%{Calling-Station-Id}')

Hope that helps,
Keith Yoder


test, please disregard

2004-06-14 Thread Matthew Schumacher
I haven't been seeing the messages I have posted to the list, so I 
figure I'll do a little testing



RE: System load of Exec-Program-Wait ??

2004-06-14 Thread Rob Hartzenberg (iCabs)
 
Hey

 
   Huh?  Why not just use the Group attribute, which does 
 Unix group checking for you?
 
   Alan DeKok.
 

Well, see, I tried and failed. The Group command works fine with the MySQL
module on some of the other solutions I have setup, but I have not managed
to get it to work nicely with the system groups.

Perhaps you could help out here with an example or two?

-Rob




Re: System load of Exec-Program-Wait ??

2004-06-14 Thread Alan DeKok
Rob Hartzenberg (iCabs) [EMAIL PROTECTED] wrote:
 Well, see, I tried and failed. The Group command works fine with the MySQL
 module on some of the other solutions I have setup, but I have not managed
 to get it to work nicely with the system groups.

  The Group attribute is intended to be used with the Unix group
files, and the rlm_unix module.  If you're using it for anything else,
I'm surprised it works.

 Perhaps you could help out here with an example or two?

  The Group attribute looks at the unix group files in the default
install.  If you don't change anything, it will work.  See the FAQ for
examples of using it.

  Alan DeKok.




Re: Modify packet proxied to a specific realm

2004-06-14 Thread Alan DeKok
Kostas Zorbadelos [EMAIL PROTECTED] wrote:
 I would like to know if and how it is possible to modify an accounting
 and an authentication request
 packet that is going to be proxied to a specific realm. 

  Yes.  Use the preproxy section.

  Alan DeKok.



Re: moving from cistron radius to freeradius

2004-06-14 Thread Alan DeKok
Chad Whitten [EMAIL PROTECTED] wrote:
 i would like to convert to freeradius but would like some feedback regarding 
 my setup - is it doable?  what challenges/obstacles would i face?

  It's doable.  The challenges aren't very big.  The biggest one is
updating the operators (= versus ==, :=, etc).

  Alan DeKok.




Re: ldap sha1 mschap peap pap

2004-06-14 Thread Alan DeKok
Epp, Ladd J [EMAIL PROTECTED] wrote:
 Since I'm still relatively new to FreeRADIUS
 authorization/authentication, some clarification on the following
 subject would help me out greatly.  I understand that ldap passwords
 must be clear to use mschap (Windows XP wireless supplicant using PEAP).
 Is this absolutely true?

  Clear text, or NT-Passwords.

 On reading the FAQ (5.11), I get the impression that you can use PAP
 passwords to authenticate. And, in radiusd.conf, you can specify a
 pap encryption scheme (in my case, my ldap passwords are in sha1).

  That won't work with PEAP, because the passwords aren't clear-text.

 Also, I'm able to bind using the credentials I've entered on the
 supplicant side.

  ... when you're not using xsupplicant to supply the passwords.

 My knowledge is limited, but why can't the LDAP authorization be
 enough to say, ok, the user is in the database and the password is
 good. Let him/her have access. Why is authorization happening, but
 User-Password errors stopping me.

  Because EAP doesn't provide clear-text passwords, which LDAP needs
for binding.

  And when you try to use EAP for authentication, LDAP is supplying
SHA1 passwords, NOT the clear-text password needed by EAP.

  Use clear-text passwords.

  Alan DeKok.
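
Alan's point, as an added example (not part of the original thread, and not FreeRADIUS code): with PAP the server receives the password itself and can re-hash it to compare against an LDAP {SHA} value, whereas a challenge-response method needs the stored secret as an input to the computation. RFC 1994 CHAP stands in here for MS-CHAPv2, which follows the same pattern but works from the NT-Password hash; the sample password and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os


def ldap_sha(password: str) -> str:
    """Build an LDAP userPassword value in the {SHA} scheme (unsalted SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def pap_verify(received_password: str, stored_value: str) -> bool:
    """PAP: the clear-text password reaches the server, so it can be re-hashed."""
    return hmac.compare_digest(ldap_sha(received_password), stored_value)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident: int, challenge: bytes, response: bytes,
                server_secret: bytes) -> bool:
    """The server recomputes the response from whatever secret it has stored."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "constructed-Passw0rd"   # constructed sample, not from the thread
    stored = ldap_sha(password)         # what the directory holds: {SHA}...
    raw_digest = hashlib.sha1(password.encode("utf-8")).digest()

    # Supplicant side of a challenge-response exchange: it knows the real
    # password and never sends it, only the response to the challenge.
    ident, challenge = 8, os.urandom(16)
    response = chap_response(ident, password.encode("utf-8"), challenge)

    return {
        # PAP: server hashes what it received and compares with the directory.
        "pap_against_sha": pap_verify(password, stored),
        "pap_wrong_password": pap_verify("wrong", stored),
        # Challenge-response: a SHA-1 value is not the secret the client used,
        # so neither its text form nor its raw digest reproduces the response.
        "chap_with_sha_string": chap_verify(ident, challenge, response,
                                            stored.encode("ascii")),
        "chap_with_sha_digest": chap_verify(ident, challenge, response,
                                            raw_digest),
        # Only the clear-text secret lets the server recompute the response.
        "chap_with_cleartext": chap_verify(ident, challenge, response,
                                           password.encode("utf-8")),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:22} {'accept' if ok else 'reject'}")
```

A method that delivers the password itself inside a tunnel behaves like the PAP case here; a method that sends only a response to a challenge behaves like the CHAP case.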




Re: ldap sha1 mschap peap pap

2004-06-14 Thread Jawhar TAZI
Errr just a little question... if my understanding is good, it is possible 
to use EAP-PEAP with LDAP only if the passwords are in clear text ?

I mean there is no interest to store them encrypted as far as PEAP uses a 
tunnel, so the security during the transfer might be enough, isn't it ?

Anyway, what eap is needed (tls, ttls, leap) to have passwords encrypted in 
ldap ? is it even possible?

Thanks Alan :)


RE: ldap sha1 mschap peap pap

2004-06-14 Thread Epp, Ladd J
OK. Thanks for the explanation. We also run a Microsoft Active Directory
that is storing NT-Passwords.  Would this work with FreeRADIUS, mschap
and PEAP?

Thanks
lje

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Monday, June 14, 2004 1:21 PM
To: [EMAIL PROTECTED]
Subject: Re: ldap sha1 mschap peap pap 

Epp, Ladd J [EMAIL PROTECTED] wrote:
 Since I'm still relatively new to FreeRADIUS
 authorization/authentication, some clarification on the following
 subject would help me out greatly.  I understand that ldap passwords
 must be clear to use mschap (Windows XP wireless supplicant using
PEAP).
 Is this absolutely true?

  Clear text, or NT-Passwords.

 On reading the FAQ (5.11), I get the impression that you can use PAP
 passwords to authenticate. And, in radiusd.conf, you can specify a
 pap encryption scheme (in my case, my ldap passwords are in sha1).

  That won't work with PEAP, because the passwords aren't clear-text.

 Also, I'm able to bind using the credentials I've entered on the
 supplicant side.

  ... when you're not using xsupplicant to supply the passwords.

 My knowledge is limited, but why can't the LDAP authorization be
 enough to say, ok, the user is in the database and the password is
 good. Let him/her have access. Why is authorization happening, but
 User-Password errors stopping me.

  Because EAP doesn't provide clear-text passwords, which LDAP needs
for binding.

  And when you try to use EAP for authentication, LDAP is supplying
SHA1 passwords, NOT the clear-text password needed by EAP.

  Use clear-text passwords.

  Alan DeKok.




Re: moving from cistron radius to freeradius

2004-06-14 Thread Chad Whitten
does freeradius support the ascend/lucent TNT?  i don't see tnt listed in the 
README in the naslist section?  also, what do you mean by operators below?  
is that related to the comparison operators in the /etc/raddb/users file for 
instance?

my current /etc/raddb/users file consists solely of

DEFAULT Auth-Type = System
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Ascend-Bridge = 0,
        Ascend-Route-IP = 1,
        Ascend-Assign-IP-Pool = 1,
        Ascend-Idle-Limit = 900,
        NAS-Port-Type=Async,
        Ascend-Maximum-Time = 43200

the only other files i ever mess with are the /etc/raddb/clients and /etc/
raddb/naslist

would just importing these files from my current setup work?

On Monday 14 June 2004 13:11, Alan DeKok wrote:
 Chad Whitten [EMAIL PROTECTED] wrote:
  i would like to convert to freeradius but would like some feedback
  regarding my setup - is it doable?  what challenges/obstacles would i
  face?

   It's doable.  The challenges aren't very big.  The biggest one is
 updating the operators (= versus ==, :=, etc).

   Alan DeKok.



-- 
Chad Whitten
Network/Systems Administrator
neXband Communications
[EMAIL PROTECTED]
601-944-4801 Phone
601-944-4803 Fax




Re: ldap sha1 mschap peap pap

2004-06-14 Thread Alan DeKok
Epp, Ladd J [EMAIL PROTECTED] wrote:
 OK. Thanks for the explanation. We also run a Microsoft Active Directory
 that is storing NT-Passwords.  Would this work with FreeRADIUS, mschap
 and PEAP?

  No.  AD stores the NT-Passwords, but won't supply them to
FreeRADIUS.

  See ntlm_auth for another way of doing it.

  Alan DeKok.




Re: moving from cistron radius to freeradius

2004-06-14 Thread Alan DeKok
Chad Whitten [EMAIL PROTECTED] wrote:
 does freeradius support the ascend/lucent TNT?  i don't see tnt listed in the 
 README in the naslist section?

  It's supported.

  also, what do you mean by operators below?  is that related to the
 comparison operators in the /etc/raddb/users file for instance?

  Yes.  See the man page for the users file.

 would just importing these files from my current setup work?

  Mostly.

  Alan DeKok.



Re: ldap sha1 mschap peap pap

2004-06-14 Thread Alan DeKok
Jawhar TAZI [EMAIL PROTECTED] wrote:
 Errr just a little question... if my understanding is good, it is possible 
 to use EAP-PEAP with LDAP only if the passwords are in clear text ?

  No.

  Active Directory is NOT a real LDAP server.

  OpenLDAP can store, and supply to FreeRADIUS, NT-Passwords.

 I mean there is no interest to store them encrypted as far as PEAP uses a 
 tunnel, so the security during the transfer might be enough, isn't it ?

  Yes.

 Anyway, what eap is needed (tls, ttls, leap) to have passwords encrypted in 
 ldap ? is it even possible?

  I'm not sure what you mean by that.

  Alan DeKok.



Re: ldap sha1 mschap peap pap

2004-06-14 Thread Jawhar TAZI
Thanks for your quick answers :=)
My last question was : is it possible to use authentication with a password 
stored in ldap but encrypted inside it? Let's take Openldap for instance. Is 
it possible to use the passwords stored in it  to authenticate a user, 
knowing that the passwords are NOT in clear text ? I mean we know it is not 
possible with peap, but with TLS or TTLS or even LEAP ?

Is it possible to use password encrypted in openldap with :
EAP-TLS
EAP-TTLS
EAP-PEAP
EAP-LEAP
Thanks Alan


Re: ldap sha1 mschap peap pap

2004-06-14 Thread Alan DeKok
Jawhar TAZI [EMAIL PROTECTED] wrote:
 My last question was : is it possible to use authentication with a password 
 stored in ldap but encrypted inside it?

  Generally not.

 Let's take Openldap for instance. Is it possible to use the
 passwords stored in it to authenticate a user, knowing that the
 passwords are NOT in clear text ?  I mean we know it is not possible
 with peap,

  That's not what I said in my last message.

 but with TLS or TTLS or even LEAP ?

  TLS doesn't use passwords.

  TTLS uses different tunneled authentication methods.  Check those to
see what's possible.

  LEAP already describes what's possible.  See eap.conf.

  Alan DeKok.




Re: Setting up a proxy radius server

2004-06-14 Thread Alan DeKok
Stephen Petersen [EMAIL PROTECTED] wrote:
 By the docs its setup to do proxy.
 In plain language what conf files need to be edited.

  clients.conf  proxy.conf

 I've edit client.conf and proxy.conf and can't get any proxying happening.

  Try running it debug mode, as suggested in the FAQ, README, and INSTALL.

  Alan DeKok.



test post to list, please ignore

2004-06-14 Thread Matthew Schumacher
this is a test




Re: Won't run on Solaris 8

2004-06-14 Thread Cameron Gregg
Ken Connell wrote:
 FreeRadius 0.9.3
 It's been great on Redhat, but on a Solaris 8 box I get the following:
 fatal: libradius-0.9.3.so: open failed: No such file or directory

What directory is your libradius-0.9.3.so in? Also where is radiusd?
Could be a library path issue... what is the output of crle?
Cam


Re: ldap sha1 mschap peap pap

2004-06-14 Thread Damjan
   TTLS uses different tunneled authentication methods.  Check those to
 see what's possible.

TTLS + PAP should work, doesn't it?


-- 
damjan | 
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!



Authenticating to different LDAP servers

2004-06-14 Thread Michael Check
Hello all,

We are using freeRADIUS version 0.9.3 on a MacOSX box running 10.2.6

We have a Patton dial-in access server that is using freeRADIUS to AAA off
Active Directory running on a W2K box (192.168.2.5) with domain marshall.com

We have now set up a W2003 server (10.0.1.5) running active directory for a
domain msi.com

The domains are on separate LANs but completely routable between.

The Patton is on the marshall.com side of the network and uses LDAP through
freeRADIUS and works great.

Our desire is to configure freeRADIUS to authenticate specific users off the
msi.com domain also using LDAP.

I configured radiusd.conf to authorize off the new server and it does, but
when authentication comes around, it tries to authenticate off the first
LDAP server it finds which is 192.168.2.5

I have tracked the issue to the fact that the radiusd.conf file specifically
states that authentication does not cascade (fall through?) but
authorization does.

Here are the conf file areas:

modules {

    # snip

    ldap ldap1 {
        server = 192.168.2.5
        identity = cn=ldapuser,cn=users,dc=marshall,dc=com
        password = foo
        basedn = cn=users,dc=marshall,dc=com
        filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
        access_attr=msNPAllowDialin
        password_attribute=userPassword

        # snip

    }

    ldap ldap2 {
        server = 10.0.1.5
        identity = cn=radiusserver,cn=users,dc=msi,dc=com
        password = foo
        basedn = ou=merchandisers,dc=msi,dc=com
        filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
        # access_attr=msNPAllowDialin
        password_attribute=userPassword

        # snip

    }
}


authorize {

    # The ldap module will set Auth-Type to LDAP if it has not already been set
    ldap1
    ldap2
}

authenticate {
    # Uncomment it if you want to use ldap for authentication
    authtype LDAP {
        ldap1
        ldap2
    }
}


So debugging shows that the authorize section works as expected, but, also
as expected, it tries to authenticate off the _first_ LDAP server only and
fails.

How can we get freeRADIUS to know that we're authenticating off the _second_
LDAP server?  I tried setting up another DEFAULT user in the users file
thinking that I could define another Auth-Type, but I cannot figure out how
to direct freeRADIUS to choose the correct DEFAULT user.

Any help is greatly appreciated.

Thanks,

Michael Check
Solo Group, Inc.

--
[EMAIL PROTECTED]
www.sologroup.com




unknown client

2004-06-14 Thread Timothy Tan
Hi people...

I had a similar problem when I tried out the freeradius-1.0.0-pre1 build
with fedora core 2... whenever I try to get my cisco AP to auth with
freeradius, I get the same unknown client message, and the IP is already
added in the clients.conf file...

Localhost works though, ports are configured... does anybody know why?
Perhaps I erred at some point of the installation?  But when I put it
back to 0.9.3, it worked fine...


Tim.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
prabhdeep
Sent: Monday, June 14, 2004 10:58 PM
To: [EMAIL PROTECTED]
Subject: (no subject)

Thanks Thor,

I tried 0.0.0.0/1, but it still does not work... I keep getting
following 
messages.
Just curious what the networking standard... I thought it was 0/8/16/24
or 
is it 1/8/16/24?

rad_recv: Accounting-Request packet from host 192.168.0.121:1024, id=243, length=141
Ignoring request from unknown client 192.168.0.121:1024
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.0.121:1024, id=206, length=228
Ignoring request from unknown client 192.168.0.121:1024

Thanks again.

prabh





  Hi,
 
  How can one allow any NAS client to be authenticated as long as
secret
matches?
 

client 0.0.0.0/1 {
 ...
}
client 128.0.0.0/1 {
 ...
}

  0.0.0.0/0 does not work in clients.conf there does not seem to be
any
  default entry that I can set
  something like if the IP does not match then use this.
 
  Thanks.
 
  with regards,
  prabh
 




Re: rlm_sqlcounter Max-Daily-Session??

2004-06-14 Thread nsinit
Hi




 hi, are you referring in sqlcounter dailycounter in sqlcounter.conf? Do
 u want to configure the daily counter?

Yeah, it works well. And so what?  Maybe I have a basic misunderstanding of 
the attribute dictionary. Can anyone point it out to me? Thx in advance.



Hello World! 

[EMAIL PROTECTED]
2004-06-15






radius log

2004-06-14 Thread apellido jr., wilfredo p.



Hello, I configured freeradius (rlm_pap + rlm_mysql + rlm_sqlcounter) 
successfully and it authenticates perfectly, but I don't see any stop message 
in radius.log. When trying to run freeradius in debugging mode (radiusd -X) 
then try to test, freeradius debugging shows it accept, and when I try to 
disconnect then the stop message appears also. But when I tried to run 
freeradius and tail radius.log, only the Auth: Login OK message appears and 
not Disconnect or Stop.


Sun Jun 13 23:36:40 2004 : Auth: Login OK: [apellido] (from client portmaster.mactan.ph port 0)
Sun Jun 13 23:38:05 2004 : Auth: Login incorrect: [gunday/molendijk] (from client portmaster.mactan.ph port 13)
Sun Jun 13 23:38:40 2004 : Auth: Login OK: [gunday] (from client portmaster.mactan.ph port 13)
Sun Jun 13 23:38:47 2004 : Auth: Login incorrect: [lmharm/literock] (from client portmaster.mactan.ph port 27)
Sun Jun 13 23:40:19 2004 : Auth: Login OK: [apellido] (from client portmaster.mactan.ph port 1)
Sun Jun 13 23:41:00 2004 : Auth: Login OK: [gunday] (from client portmaster.mactan.ph port 13)
Sun Jun 13 23:42:17 2004 : Auth: Login OK: [mim] (from client portmaster.mactan.ph port 27)

here's part of radius.conf

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
#user = nobody
#group = nobody
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
#listen {
# ipaddr = *
# port = 0
# type = auth
#}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
 max_attributes = 200
 reject_delay = 1
 status_server = no
}

thanks in advance