Radius Guide
Hello, first-time FreeRADIUS user here. Any link to get RADIUS up and running?

Dan
RE : Fail over mysql backend
I've tried leaving the sql {} in, but it said rlm_sql_sql is not a valid sql driver, or something like that.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Monday, 20 September 2004 21:11
To: [EMAIL PROTECTED]
Subject: Re: RE : Fail over mysql backend

EROS [EMAIL PROTECTED] wrote:
> If you need redundancy, your sql1 and sql2 .conf must be:
> You should remove the sql { }
> This is what I had to do to make this work.

  I *really* don't recommend doing that. If it works, it's an accident, and the server is NOT intended to work that way.

  Please follow the directions in doc/configurable_failover, and NOT the above instructions.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dialup Admin accounting issues.
Hi All,

I'm using FreeRADIUS 0.9.3 with MySQL and Dialup Admin, configured on a Linux Red Hat 9.0 machine.

How can I adjust the Subscription Analysis tables so that the daily limit hours reflect different User Group settings? For example, I have two groups, one called Dynamic and the other called Monthly. The Dynamic group is allotted 2 hours per day, and the Monthly group has no daily limit restriction but a total of 60 hrs per month. This means I would like the Monthly group users' Subscription Analysis to reflect a non-Daily-Limit restriction. At the moment both groups reflect the Dynamic group's settings, i.e. a Daily Limit description (2 hours per day) meant only for the Dynamic group is still showing for the Monthly group.

How can I adjust Dialup Admin's admin.conf to make the appropriate changes?

Rgds,
Shannon

A life is not fully lived without mistakes, and therein lies knowledge that becomes wisdom, but only if you learn from your mistakes as your teacher of life's lessons. ~ Katherine G. MacRae
Expiration module
Hi,

I would like to do the following: use the Unix shadow file for authentication. If a user's password is going to expire, send a message to the console telling him that he must change his password. If the user's password has expired, send a message to the console that his password has expired.

Is this possible using the expiration module that is included in FreeRADIUS? Are there other ways to accomplish this behaviour?

Thanks
Joris
Re: wrong 'statistic' in dialupadmin interface
On Tue, 21 Sep 2004, Flo4000 wrote:

> The SQL string is OK! I get the result from sum(acctoctets). This seems good. But a user cannot download 4344.00 MBs in 7:44 minutes using a 56k modem! This was my question!

So check out the corresponding rows in the accounting table, any detail file you may have, and try to find out why you get such numbers. There's no magic any of us can do to find out what's wrong.

> regards
> Florian
>
> ----- Original Message -----
> From: Kostas Kalevras [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, September 20, 2004 10:08 PM
> Subject: Re: wrong 'statistic' in dialupadmin interface
>
> > On Mon, 20 Sep 2004 [EMAIL PROTECTED] wrote:
> >
> > > Hallo!
> > > The statistic page works but does not show correct values: this user was connected two times with a 56k modem for 7:44 minutes. He was just logged in without any transfer of data. In this time he had 4344.00 MBs (???) download. This must be wrong!!! Any idea?
> > >
> > > 2004-09-16   2   100%   00:07:44   100%   4344.00 MBs   100%
> > > Connections        2
> > > Online time        7 minutes 44 seconds
> > > Upload             3092.94 MBs
> > > Download           4344.00 MBs
> > > Average Time       3 minutes 52 seconds
> > > Average Upload     1546.47 MBs
> > > Average Download   2172.00 MBs
> >
> > So enable sql_debug to see the sql queries run and the corresponding results.
> >
> > > Thanks
> > > Florian
> > >
> > > PS: maybe bits and octets?

--
Kostas Kalevras        Network Operations Center
[EMAIL PROTECTED]      National Technical University of Athens, Greece
Work Phone:            +30 210 7721861
'Go back to the shadow'  Gandalf
Re: Dialup Admin accounting issues.
On Tue, 21 Sep 2004, Shannon Sariman wrote:

> Hi All,
>
> I'm using FreeRADIUS 0.9.3 with MySQL and Dialup Admin, configured on a Linux Red Hat 9.0 machine.
>
> How can I adjust the Subscription Analysis tables so that the daily limit hours reflect different User Group settings? For example, I have two groups, one called Dynamic and the other called Monthly. The Dynamic group is allotted 2 hours per day, and the Monthly group has no daily limit restriction but a total of 60 hrs per month. This means I would like the Monthly group users' Subscription Analysis to reflect a non-Daily-Limit restriction. At the moment both groups reflect the Dynamic group's settings, i.e. a Daily Limit description (2 hours per day) meant only for the Dynamic group is still showing for the Monthly group.
>
> How can I adjust Dialup Admin's admin.conf to make the appropriate changes?

The

counter_default_daily: 14400
counter_default_weekly: 72000
counter_default_monthly: none

entries in admin.conf are used only to set the default values for the corresponding counters if no values were found in the user/group settings. Check conf/sql.attrmap in dialupadmin and set Max-{Daily,Monthly}-Session to your corresponding attributes in sql. Enable sql_debug to see what's going on exactly. Things should work after that.

> Rgds,
> Shannon
>
> A life is not fully lived without mistakes, and therein lies knowledge that becomes wisdom, but only if you learn from your mistakes as your teacher of life's lessons. ~ Katherine G. MacRae

--
Kostas Kalevras        Network Operations Center
[EMAIL PROTECTED]      National Technical University of Athens, Greece
Work Phone:            +30 210 7721861
'Go back to the shadow'  Gandalf
Re: Expiration module
On Tue, 21 Sep 2004, Van Deuren Joris wrote:

> Hi,
>
> I would like to do the following: use the Unix shadow file for authentication. If a user's password is going to expire, send a message to the console telling him that he must change his password. If the user's password has expired, send a message to the console that his password has expired.
>
> Is this possible using the expiration module that is included in freeradius?

The expiration module is not used for that.

> Are there other ways to accomplish this behaviour?

From a quick look at the code, the unix module does not do that. It's a few lines' patch though to get it done. Your other bet is to use the rlm_passwd module and do the check yourself through a perl script or an external program (see the perl and exec modules).

> Thanks
> Joris

--
Kostas Kalevras        Network Operations Center
[EMAIL PROTECTED]      National Technical University of Athens, Greece
Work Phone:            +30 210 7721861
'Go back to the shadow'  Gandalf
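An added example (not from this thread and not FreeRADIUS code) of the "external program" route Kostas points at: a script that rlm_exec can run, which reads the user's shadow(5) ageing fields and either prints a Reply-Message warning or exits non-zero so the user is rejected with the "expired" text. The sample shadow lines, the CHECK_DAY constant and the SHADOW_FILE variable are constructed for the example; the USER_NAME environment variable and the "exit 0 is accept, anything else is reject" rule are how rlm_exec in 1.x hands attributes to the program and reads its verdict back, and "Attribute = value" lines on stdout are merged into the reply when output_pairs = reply is set.

```python
#!/usr/bin/env python3
"""Password-ageing check against shadow(5) fields, meant to be called from
FreeRADIUS's rlm_exec.  Added example, not FreeRADIUS code."""
import os
import sys
import time
from typing import NamedTuple, Optional

SECONDS_PER_DAY = 86400

# Constructed sample /etc/shadow content: no real users or hashes.  Fields are
# name:hash:lastchg:min:max:warn:inactive:expire:reserved, with the day fields
# counted in days since 1970-01-01 exactly as in the real file.
SAMPLE_SHADOW = """\
alice:$1$zz$notreal:12597:0:90:7:::
bob:$1$zz$notreal:12500:0:90:7:::
carol:$1$zz$notreal:12660:0:90:7:::
dave:$1$zz$notreal:12600:0:99999:7:::
erin:$1$zz$notreal:12600:0:90:7::12650:
"""
CHECK_DAY = 12682  # "today" for the worked example: 2004-09-21


class Status(NamedTuple):
    state: str                # ok | warn | expired | account-expired | unknown
    days_left: Optional[int]  # days until (negative: since) the deadline


def _field(parts, idx):
    """Shadow field idx as int, or None when empty ('not set' in shadow(5))."""
    return int(parts[idx]) if len(parts) > idx and parts[idx] != "" else None


def check_entry(line: str, today: int) -> Status:
    """Apply the pam_unix ageing rules: the account is expired once today
    reaches the expire field; the password is expired once its age exceeds
    max; a warning is due once fewer than warn days remain."""
    parts = line.rstrip("\n").split(":")
    lastchg, maxdays = _field(parts, 2), _field(parts, 4)
    warn, expire = _field(parts, 5), _field(parts, 7)
    if expire is not None and today >= expire:
        return Status("account-expired", expire - today)
    if lastchg is None or maxdays is None or maxdays >= 99999:
        return Status("ok", None)          # ageing disabled for this account
    days_left = lastchg + maxdays - today
    if days_left < 0:
        return Status("expired", days_left)
    if warn is not None and days_left < warn:
        return Status("warn", days_left)
    return Status("ok", days_left)


def shadow_status(user: str, shadow_text: str, today: int) -> Status:
    """Locate the user's line and classify it; unknown users get 'unknown'."""
    for line in shadow_text.splitlines():
        if line.split(":", 1)[0] == user:
            return check_entry(line, today)
    return Status("unknown", None)


def reply_for(status: Status):
    """Map a Status to (exit code, Reply-Message text).  rlm_exec in 1.x treats
    exit 0 as accept and any other exit code as reject.  Unknown users are
    passed through so the real authentication module decides about them."""
    if status.state == "warn":
        return 0, f"Your password expires in {status.days_left} day(s); please change it."
    if status.state == "expired":
        return 1, "Your password has expired; change it before logging in again."
    if status.state == "account-expired":
        return 1, "Your account has expired."
    return 0, None


def main() -> int:
    # rlm_exec exports request attributes as environment variables with '-'
    # turned into '_' and upper-cased, so User-Name arrives as USER_NAME.
    user = os.environ.get("USER_NAME", "")
    # SHADOW_FILE is this example's own knob for testing against a copy.
    path = os.environ.get("SHADOW_FILE", "/etc/shadow")
    try:
        with open(path) as fh:
            shadow_text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}", file=sys.stderr)
        return 1                           # fail closed rather than skip the check
    today = int(time.time()) // SECONDS_PER_DAY
    code, message = reply_for(shadow_status(user, shadow_text, today))
    if message:
        # Messages are fixed strings, so no quoting problems for rlm_exec's parser.
        print(f'Reply-Message = "{message}"')
    return code


if __name__ == "__main__":
    sys.exit(main())
```

The script fails closed when it cannot read the shadow file, which means the radiusd user needs read access (shadow group membership, or a copy maintained by cron) or every user will be rejected; test that before putting it in the authorize section.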
Problem with eap-tls, eap-peap
Hi,

I'm trying to get eap-tls and eap-peap to work so I can use WPA on my access point and client, but I'm getting this error when I try to authenticate:

/usr/sbin/freeradius: relocation error: /usr/lib/freeradius/rlm_eap_peap-1.0.0.so: undefined symbol: eaptls_process

I'm running this on a current Debian unstable machine; I compiled the 1.0.0.tar.gz from the official FreeRADIUS website (the Debian package doesn't contain the eap-tls module, so that's no use to me). Oh, I just saw that 1.0.1 is out; I tried that version, but I get the same error.

Does anybody know how to fix this?

Thanks!

Regards,
Guus Houtzager

--
Luna.nl B.V.
Puntegaalstraat 109 * 3024 EB Rotterdam
Postbus 63000 * 3002 JA Rotterdam
T 010 7502000 * F 010 7502002 * www.luna.nl
Re: another error in logs
Alan, there is nothing wrong in debug mode; everything goes flawlessly. But in the radius logs there are plenty of these, approximately every 10 seconds:

Tue Sep 21 15:02:34 2004 : Auth: Login OK: [edgars/edgars] (from client edgara_tests port 1483 cli 1.1.1.2)
Tue Sep 21 15:03:09 2004 : Error: Discarding duplicate request from client edgara_tests:1036 - ID: 24 due to unfinished request 11
Tue Sep 21 15:03:16 2004 : Error: Dropping conflicting packet from client edgara_tests:1036 - ID: 24 due to unfinished request 11
..

It's probably the reason why accounting sometimes doesn't do what it should, and occasionally the user can't even connect to the server (it shows Login OK, but he can't connect for a while) :/

Edgars

Alan DeKok wrote:
> Edgars [EMAIL PROTECTED] wrote:
> > sorry to bother, but how can I fight this error, which is appearing all the time and is 95% of all log content?
> > Error: Dropping conflicting packet from client Hotspot:2461 - ID: 24 due to unfinished request 3186
>
> Generally it's because something is stopping the server from responding to requests. Run it in debug mode to see where it slows down, and why.
>
> Alan DeKok.
please help with this
Hi guys,

I'm using FreeRADIUS as an authentication point that a user has to authenticate against, and it works like a charm. I need that user to browse the Internet; I believe I can make use of Squid. I'm wondering if there is any other kind of application that does the same thing as Squid does. Any advice, please?

Thank you very much indeed.
Re: Problem with eap-tls, eap-peap
Guus Houtzager - Luna.nl [EMAIL PROTECTED] wrote:
> I'm trying to get eap-tls and eap-peap to work so I can use WPA on my access point and client, but I'm getting this error when I try to authenticate:
> /usr/sbin/freeradius: relocation error: /usr/lib/freeradius/rlm_eap_peap-1.0.0.so: undefined symbol: eaptls_process

  Is the rlm_eap_tls module on your system? Have you configured the tls{} sub-section of eap{} ?

  Alan DeKok.
Re: gateway IP address
Milver S. Nisay [EMAIL PROTECTED] wrote:
> would it be possible for freeradius to specify the gateway IP address for the dialup clients (after authenticating)?

  http://www.freeradius.org/rfc/attributes.html

  Look for the word "route".

  Alan DeKok.
Re: Reg freeradius support with WPA
Phani Kumar [EMAIL PROTECTED] wrote:
> Can anyone suggest how to reduce the authentication time?

  Run it in debug mode to see when it slows down, and where.

  Alan DeKok.
Re: another error in logs
Edgars [EMAIL PROTECTED] wrote:
> there is nothing wrong in debug mode; everything goes flawlessly.

  Sigh. That's not the point. The question I asked was: is it *slow*?

  The response of the server should be nearly instantaneous, even in debugging mode. If you see pauses in the debug messages, that means something is locking up.

  Alan DeKok.
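Alan's point is that the "duplicate request" and "conflicting packet" errors are a symptom: the NAS retransmits because the server has not answered, so the span between the first and last drop for one unfinished request is a direct measure of how long that request hung. The same pattern appears when a backend (SQL, LDAP) blocks or when the server is being flooded, and it is why Edgars sees accounting go missing. Below is an added example (not from the thread, not FreeRADIUS code) that parses radius.log lines in the format quoted above and reports, per client and unfinished request, how many retransmits were dropped and over how many seconds. The two edgara_tests error lines are Edgars' own; the Hotspot lines and the second Login OK are constructed to show aggregation.

```python
"""Aggregate 'Discarding duplicate request' / 'Dropping conflicting packet'
errors from a FreeRADIUS 1.x radius.log to see how long each request sat
unfinished while the NAS retransmitted.  Added example, not FreeRADIUS code."""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the radius.log layout quoted in the thread.
SAMPLE_LOG = """\
Tue Sep 21 15:02:34 2004 : Auth: Login OK: [edgars/edgars] (from client edgara_tests port 1483 cli 1.1.1.2)
Tue Sep 21 15:03:09 2004 : Error: Discarding duplicate request from client edgara_tests:1036 - ID: 24 due to unfinished request 11
Tue Sep 21 15:03:16 2004 : Error: Dropping conflicting packet from client edgara_tests:1036 - ID: 24 due to unfinished request 11
Tue Sep 21 15:03:20 2004 : Error: Discarding duplicate request from client Hotspot:2461 - ID: 24 due to unfinished request 3186
Tue Sep 21 15:03:25 2004 : Error: Discarding duplicate request from client Hotspot:2461 - ID: 24 due to unfinished request 3186
Tue Sep 21 15:03:30 2004 : Error: Discarding duplicate request from client Hotspot:2461 - ID: 24 due to unfinished request 3186
Tue Sep 21 15:03:41 2004 : Auth: Login OK: [edgars/edgars] (from client edgara_tests port 1483 cli 1.1.1.2)
"""

# "Tue Sep 21 15:02:34 2004 : Error: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
DROP_RE = re.compile(
    r"(?P<kind>Discarding duplicate request|Dropping conflicting packet) from client "
    r"(?P<client>\S+) - ID: (?P<pid>\d+) due to unfinished request (?P<req>\d+)")
TS_FMT = "%a %b %d %H:%M:%S %Y"
# 'duplicate': an identical retransmit arrived while the first copy was still
# being processed.  'conflict': same source and packet ID but different
# contents, i.e. the NAS has moved on and reused the ID while we still hold
# the old request.
KIND = {"Discarding duplicate request": "duplicate",
        "Dropping conflicting packet": "conflict"}


class Stuck(NamedTuple):
    client: str             # "name:port" as logged
    request: int            # server-side request number that never finished
    packet_id: int          # RADIUS ID the NAS kept resending
    first: datetime
    last: datetime
    hits: int
    kinds: Tuple[str, ...]

    @property
    def seconds(self) -> float:
        """Span between the first and last retransmit we dropped."""
        return (self.last - self.first).total_seconds()


def analyse(log_text: str) -> List[Stuck]:
    """Group drop errors by (client, unfinished request) with timing."""
    seen: Dict[Tuple[str, int], dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "Error":
            continue
        d = DROP_RE.match(m["msg"])
        if not d:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        key = (d["client"], int(d["req"]))
        rec = seen.setdefault(key, {"pid": int(d["pid"]), "first": ts,
                                    "last": ts, "hits": 0, "kinds": []})
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
        rec["hits"] += 1
        if KIND[d["kind"]] not in rec["kinds"]:
            rec["kinds"].append(KIND[d["kind"]])
    return [Stuck(c, r, v["pid"], v["first"], v["last"], v["hits"], tuple(v["kinds"]))
            for (c, r), v in seen.items()]


def worst(stuck: List[Stuck], min_seconds: float = 0.0) -> List[Stuck]:
    """Longest-stuck requests first: these are where to look in -X output."""
    return sorted((s for s in stuck if s.seconds >= min_seconds),
                  key=lambda s: (s.seconds, s.hits), reverse=True)


if __name__ == "__main__":
    for s in worst(analyse(SAMPLE_LOG)):
        print(f"{s.client:20} request {s.request:>6} id {s.packet_id:>3} "
              f"{s.hits} drops over {s.seconds:>4.0f}s ({', '.join(s.kinds)})")
```

In the sample, request 11 from edgara_tests was still unfinished 7 seconds after its first retransmit was dropped, and the packet ID had already been reused for a different request (the "conflict"), which is exactly the stall Alan is asking Edgars to look for in debug output.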
Re: Authenticating but no access
Saunders, Shawn [EMAIL PROTECTED] wrote:
> I have the FreeRADIUS 1.0 port on FreeBSD 4.10. I'm using it to authenticate our VPN connections from a PIX 525. The radius server is located inside of our internal network, and it is authenticating (per the logs) fine,

  Debug mode will show you more information. Trying to figure out what the server is doing by reading radius.log is a bad idea.

> but when the VPN tunnel using Cisco VPN 4.60 is connected, the remote client cannot see, or connect to, any internal machine, either in our DMZ or Internal Subnet.

  So... what attributes is your VPN client expecting to receive from the RADIUS server, in order to set up the user's VPN connection? This is where the VPN documentation may come in handy.

  Alan DeKok.
Re: Problem with eap-tls, eap-peap
On Tue, 2004-09-21 at 16:24, Alan DeKok wrote:
> Guus Houtzager - Luna.nl [EMAIL PROTECTED] wrote:
> > I'm trying to get eap-tls and eap-peap to work so I can use WPA on my access point and client, but I'm getting this error when I try to authenticate:
> > /usr/sbin/freeradius: relocation error: /usr/lib/freeradius/rlm_eap_peap-1.0.0.so: undefined symbol: eaptls_process
>
> Is the rlm_eap_tls module on your system?

This is with freeradius 1.0.1, exact same relocation error.

$ ls -l /usr/lib/freeradius/rlm_eap_tls*
lrwxrwxrwx 1 root root     14 Sep 20 14:36 /usr/lib/freeradius/rlm_eap_tls-1.0.1.la -> rlm_eap_tls.la
-rw-r--r-- 1 root root  28048 Sep 20 14:36 /usr/lib/freeradius/rlm_eap_tls-1.0.1.so
-rw-r--r-- 1 root root 512244 Sep 20 14:35 /usr/lib/freeradius/rlm_eap_tls.a
-rw-r--r-- 1 root root    801 Sep 20 14:35 /usr/lib/freeradius/rlm_eap_tls.la
lrwxrwxrwx 1 root root     20 Sep 20 14:36 /usr/lib/freeradius/rlm_eap_tls.so -> rlm_eap_tls-1.0.1.so

> Have you configured the tls{} sub-section of eap{} ?

tls {
        private_key_password = secret
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/wpa/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
}

All the files named (.pem stuff etc.) exist.

> Alan DeKok.

Thanks!

Regards,
Guus

--
Luna.nl B.V.
Puntegaalstraat 109 * 3024 EB Rotterdam
Postbus 63000 * 3002 JA Rotterdam
T 010 7502000 * F 010 7502002 * www.luna.nl
RE: VPN to PIX Authenticating but no access
I can only tell about the VPN3000 and IOS ezvpn, but it should be similar: the only thing that is needed is an appropriate service type (006) and Framed-Routing=Listen. PIX is nasty sometimes; try with service-type Administrative first and then lock down further.

But when the connection succeeds, i.e. the VPN client says it's connected, the problem lies somewhere else beyond radius: either one of the stupid PIX conduit statements (called something else now), a (wrong) split tunnel or similar. As soon as you're connected, look into the PIX debugs.

Michael

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Tuesday, September 21, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: Re: Authenticating but no access

Saunders, Shawn [EMAIL PROTECTED] wrote:
> I have the FreeRADIUS 1.0 port on FreeBSD 4.10. I'm using it to authenticate our VPN connections from a PIX 525. The radius server is located inside of our internal network, and it is authenticating (per the logs) fine,

  Debug mode will show you more information. Trying to figure out what the server is doing by reading radius.log is a bad idea.

> but when the VPN tunnel using Cisco VPN 4.60 is connected, the remote client cannot see, or connect to, any internal machine, either in our DMZ or Internal Subnet.

  So... what attributes is your VPN client expecting to receive from the RADIUS server, in order to set up the user's VPN connection? This is where the VPN documentation may come in handy.

  Alan DeKok.
RE: Multiple Accounting Stop packet and rlm_sql (on Mysql)
And a second thing: if you have multiple radius servers running, remove Client-IP from rlm_unique so that AcctUniqueId is consistent over the machines. But I just made AcctUniqueId a primary key in the DB; that works for me as well.

Michael

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ugur GUNCER
Sent: Monday, September 20, 2004 11:57 PM
To: [EMAIL PROTECTED]
Subject: RE: Multiple Accounting Stop packet and rlm_sql (on Mysql)

I had the same problem, but I fixed it. You can fix this problem by adding

    AcctSessionId = '%{AcctSessionId}' and AcctUniqueId = '%{AcctUniqueId}'

to the WHERE segment of your sql query.

Iyi Calismalar, Saygilarimla
Ugur GUNCER
Sistem Yoneticisi
Telebizz Tel. ve Int. Hizm.
Office = +90 212 347 6959
Gsm = +90 544 535 9737
Fax = +90 212 347 6949

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of emy emy
Sent: Monday, September 20, 2004 6:26 PM
To: [EMAIL PROTECTED]
Subject: Multiple Accounting Stop packet and rlm_sql (on Mysql)

Hi,

I'm using freeradius with the rlm_sql module, and all works correctly except when our NAS sends multiple accounting stop packets to radius regarding the same session. This causes a problem because AcctStopTime is updated every time a stop packet arrives, and I must save only the AcctStopTime sent the first time.

I have tried to change acct_stop_query, adding this to the WHERE condition:

accounting_stop_query = UPDATE ${acct_table} SET AcctStopTime = '%S', \
        AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', \
        AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', \
        AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' \
        WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' \
        AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime = 0

Adding the check for AcctStopTime = 0, but with this condition all acct-stop packets received after the first execute the accounting_stop_query_alt query and create duplicate sessions in radacct (no good).

Any ideas?

Thanks to all
Amy
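The three messages above describe one mechanism from different angles: rlm_sql runs accounting_stop_query (an UPDATE), and if it touched no row it runs accounting_stop_query_alt (an INSERT) on the assumption that the Start was lost. Amy's AcctStopTime = 0 guard makes the UPDATE a no-op for every retransmitted Stop, so each retransmit falls through to the INSERT and duplicates the session; Michael's unique AcctUniqueId key makes that INSERT fail instead, and dropping Client-IP from the rlm_acct_unique key keeps the id identical when two servers see the same session. The following is an added example, not from the thread and not FreeRADIUS code, that models the same first-Stop-wins logic against an in-memory SQLite radacct table: the UPDATE is guarded, a SELECT then distinguishes "already closed, ignore" from "no row, insert", and a UNIQUE constraint catches the race. The attribute-concatenation layout in acct_unique_id is an assumption (the real module's digests will differ), the packet dictionaries are constructed, and NULL stands in for the MySQL schema's zero datetime.

```python
"""First-Stop-wins accounting for repeated Accounting-Stop packets, modelled on
FreeRADIUS 1.0's accounting_stop_query / accounting_stop_query_alt pair but run
against an in-memory SQLite radacct table.  Added example, not FreeRADIUS code."""
import hashlib
import sqlite3
from typing import Dict, List, Tuple

# The attributes rlm_acct_unique hashes by default, minus Client-IP-Address, so
# that two servers behind a load balancer derive the same id for one session.
UNIQUE_KEY = ("User-Name", "Acct-Session-Id", "NAS-IP-Address", "NAS-Port")


def acct_unique_id(pkt: Dict[str, str]) -> str:
    """MD5 over the key attributes.  The comma layout is an assumption about
    how the real module lays out its buffer, so digests will not match a live
    server, but the property that matters (same session => same id on every
    server, regardless of which client address it arrived from) holds."""
    material = ",".join(pkt.get(a, "") for a in UNIQUE_KEY)
    return hashlib.md5(material.encode()).hexdigest()


SCHEMA = """
CREATE TABLE radacct (
    RadAcctId          INTEGER PRIMARY KEY,
    AcctSessionId      TEXT NOT NULL,
    AcctUniqueId       TEXT NOT NULL UNIQUE,  -- dedup key, as Michael suggested
    UserName           TEXT,
    NASIPAddress       TEXT,
    AcctStartTime      INTEGER,
    AcctStopTime       INTEGER,               -- NULL until the first Stop lands
    AcctSessionTime    INTEGER,
    AcctInputOctets    INTEGER,
    AcctOutputOctets   INTEGER,
    AcctTerminateCause TEXT
);
"""


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def acct_start(db: sqlite3.Connection, pkt: Dict[str, str], now: int) -> str:
    try:
        db.execute("INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, "
                   "NASIPAddress, AcctStartTime) VALUES (?, ?, ?, ?, ?)",
                   (pkt["Acct-Session-Id"], acct_unique_id(pkt), pkt["User-Name"],
                    pkt["NAS-IP-Address"], now))
        return "started"
    except sqlite3.IntegrityError:
        return "duplicate-start"      # retransmitted Start: row already there


def acct_stop(db: sqlite3.Connection, pkt: Dict[str, str], now: int) -> str:
    """Close the session once.  The IS NULL guard makes the UPDATE a no-op for
    every Stop after the first; the SELECT then tells a retransmit (row exists,
    already closed: ignore) apart from a Stop whose Start never arrived (no row:
    insert a complete one, the job of accounting_stop_query_alt)."""
    uid = acct_unique_id(pkt)
    session = int(pkt.get("Acct-Session-Time", 0))
    fields = (session, int(pkt.get("Acct-Input-Octets", 0)),
              int(pkt.get("Acct-Output-Octets", 0)), pkt.get("Acct-Terminate-Cause"))
    cur = db.execute(
        "UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = ?, AcctInputOctets = ?, "
        "AcctOutputOctets = ?, AcctTerminateCause = ? "
        "WHERE AcctUniqueId = ? AND AcctStopTime IS NULL",
        (now,) + fields + (uid,))
    if cur.rowcount == 1:
        return "closed"
    if db.execute("SELECT 1 FROM radacct WHERE AcctUniqueId = ?", (uid,)).fetchone():
        return "duplicate-stop"
    try:
        db.execute(
            "INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, NASIPAddress, "
            "AcctStartTime, AcctStopTime, AcctSessionTime, AcctInputOctets, "
            "AcctOutputOctets, AcctTerminateCause) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
            (pkt["Acct-Session-Id"], uid, pkt["User-Name"], pkt["NAS-IP-Address"],
             now - session, now) + fields)
        return "closed-without-start"
    except sqlite3.IntegrityError:
        return "duplicate-stop"       # lost a race with another server's insert


def run_demo() -> Tuple[List[str], List[tuple]]:
    """Constructed packet sequence: Start, Stop, a retransmitted Stop carrying a
    larger session time, then two Stops for a session whose Start was lost."""
    db = open_db()
    base = {"User-Name": "amy", "Acct-Session-Id": "0000002A",
            "NAS-IP-Address": "10.0.0.1", "NAS-Port": "7"}
    stop = dict(base, **{"Acct-Session-Time": "600", "Acct-Input-Octets": "1024",
                         "Acct-Output-Octets": "4096", "Acct-Terminate-Cause": "User-Request"})
    orphan = dict(stop, **{"Acct-Session-Id": "0000002B"})
    events = [acct_start(db, base, 1000), acct_stop(db, stop, 1600),
              acct_stop(db, dict(stop, **{"Acct-Session-Time": "700"}), 1700),
              acct_stop(db, orphan, 1800), acct_stop(db, orphan, 1900)]
    rows = db.execute("SELECT AcctSessionId, AcctStopTime, AcctSessionTime "
                      "FROM radacct ORDER BY RadAcctId").fetchall()
    return events, rows


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The retransmitted Stop with Acct-Session-Time 700 leaves the stored 600 untouched and adds no row, which is the behaviour Amy wanted; the orphan Stop gets exactly one row even when it too is retransmitted.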
Re: Problem with eap-tls, eap-peap
Guus Houtzager - Luna.nl [EMAIL PROTECTED] wrote:
> > Is the rlm_eap_tls module on your system?
>
> This is with freeradius 1.0.1, exact same relocation error.

  At this point, I'd say to do:

$ ./configure --disable-shared

  Alan DeKok.
group attributes not in access-accept
Hi all,

I recently set up FreeRADIUS 1.0.0 with MySQL. The server auths correctly, but the reply and check items from group memberships are not returned with the Access-Accept packet. In fact, no attribute-value pairs are returned at all, just a vanilla Access-Accept.

What is required for check and reply items in the radgroupcheck and radgroupreply tables to be returned for a user associated with a group in radgroup?

Thanks,
--Scott!
ip pools question
Hello,

I want to use the freeradius ip pools. I just wonder something though: should every ip pool name I define be included in the accounting and post-auth sections? It's kind of confusing; what's the point of defining the Pool-Name attribute in the users file and then defining the same name in the accounting and post-auth sections?

Thanks,
Evren
freeradius WPA support
Hi,

I have configured freeradius with WPA support using Redhat 9.1. Using a Windows XP machine I could successfully authenticate. The problem is that it takes nearly 5-6 minutes to authenticate. Can anyone suggest how to reduce the authentication time?

Phani
Re: ip pools question
On Wed, Sep 22, 2004 at 04:20:23AM -0700, Evren Yurtesen wrote:
> Hello,
> I want to use the freeradius ip pools. I just wonder something though: should every ip pool name I define be included in the accounting and post-auth sections? It's kind of confusing; what's the point of defining the Pool-Name attribute in the users file and then defining the same name in the accounting and post-auth sections?

The Pool-Name attribute is attached to a RADIUS request, and is checked by the rlm_ippool module before any action is taken. Its existence does not depend on the rlm_ippool module, but nothing else (to my knowledge) uses it.

Putting the pool name into the sections of the config file triggers that instance of the rlm_ippool module to act upon the current request, as it passes through that stage of processing. rlm_ippool allocates IP addresses when called from post-auth, and marks IP addresses as free again when called from accounting.

I hope that clarifies things.

--
Paul TBBle Hampson, on an alternate email client.
Re: VPN to PIX Authenticating but no access
I use a PIX 515e and the user VPN client, and it works. This is my config:

aaa-server 1.1.1.1 protocol radius
aaa-server 1.1.1.1 (inside) host radius cisco timeout 10
crypto map outside_map client authentication 1.1.1.1

On Tue, 21 Sep 2004 18:55:22 +0200, Michael Markstaller [EMAIL PROTECTED] wrote:
> I can only tell about the VPN3000 and IOS ezvpn, but it should be similar: the only thing that is needed is an appropriate service type (006) and Framed-Routing=Listen. PIX is nasty sometimes; try with service-type Administrative first and then lock down further.
>
> But when the connection succeeds, i.e. the VPN client says it's connected, the problem lies somewhere else beyond radius: either one of the stupid PIX conduit statements (called something else now), a (wrong) split tunnel or similar. As soon as you're connected, look into the PIX debugs.
>
> Michael
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
> Sent: Tuesday, September 21, 2004 4:33 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Authenticating but no access
>
> Saunders, Shawn [EMAIL PROTECTED] wrote:
> > I have the FreeRADIUS 1.0 port on FreeBSD 4.10. I'm using it to authenticate our VPN connections from a PIX 525. The radius server is located inside of our internal network, and it is authenticating (per the logs) fine,
>
>   Debug mode will show you more information. Trying to figure out what the server is doing by reading radius.log is a bad idea.
>
> > but when the VPN tunnel using Cisco VPN 4.60 is connected, the remote client cannot see, or connect to, any internal machine, either in our DMZ or Internal Subnet.
>
>   So... what attributes is your VPN client expecting to receive from the RADIUS server, in order to set up the user's VPN connection? This is where the VPN documentation may come in handy.
>
>   Alan DeKok.
Re: Problem with eap-tls, eap-peap
chown -R root:root ./freeradius-1.0.0
cd freeradius-1.0.0
./configure \
    --prefix=/usr/local/radius \
    --with-openssl-includes=/usr/local/ssl/include \
    --with-openssl-libraries=/usr/local/ssl/lib \
    --without-rlm_krb5
make
make install

This is running Red Hat Linux AS3.

On Tue, 21 Sep 2004 09:54:07 +0200, Guus Houtzager - Luna.nl [EMAIL PROTECTED] wrote:
> Hi,
>
> I'm trying to get eap-tls and eap-peap to work so I can use WPA on my access point and client, but I'm getting this error when I try to authenticate:
>
> /usr/sbin/freeradius: relocation error: /usr/lib/freeradius/rlm_eap_peap-1.0.0.so: undefined symbol: eaptls_process
>
> I'm running this on a current Debian unstable machine; I compiled the 1.0.0.tar.gz from the official FreeRADIUS website (the Debian package doesn't contain the eap-tls module, so that's no use to me). Oh, I just saw that 1.0.1 is out; I tried that version, but I get the same error.
>
> Does anybody know how to fix this?
>
> Thanks!
>
> Regards,
> Guus Houtzager
>
> --
> Luna.nl B.V.
> Puntegaalstraat 109 * 3024 EB Rotterdam
> Postbus 63000 * 3002 JA Rotterdam
> T 010 7502000 * F 010 7502002 * www.luna.nl