Time to send a Access-Accept message
I want to know if freeradius v 1.0.0 needs some milliseconds to send an access-accept message by default. I have a script that needs only 67 ms, and when I run it in Radius client test, I see that it takes more than 500 ms to send me an access-accept message! Does anyone know if it needs some ms to send me a message, like an access-reject message? Thanks in advance.
radgroupreply
I've tried to change the request between user and group in sql.conf but it doesn't work. Does somebody have any ideas?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of EROS
Sent: Thursday, 30 September 2004 23:03
To: [EMAIL PROTECTED]
Subject: radgroupreply

Yes I had it

rad_recv: Access-Request packet from host 192.168.200.1:4395, id=1, length=48
    User-Name = test001
    CHAP-Password = 0xb9215f405119e840fdc14e628555747ff2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test001, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
modcall: entering group redundant for request 0
radius_xlat: 'test001'
rlm_sql (sql1): sql_set_user escaped user -- 'test001'
rlm_sql (sql1): Reserving sql socket id: 3
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test001' ORDER BY id'
rlm_sql (sql1): User found in radcheck table
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test001' ORDER BY id'
rlm_sql (sql1): Released sql socket id: 3
modcall[authorize]: module sql1 returns ok for request 0
modcall: group redundant returns ok for request 0
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' GROUP BY UserName='%{User-Name}''
radius_xlat: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='test001' GROUP BY UserName='test001''
sqlcounter_expand: '%{sql1:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='test001' GROUP BY UserName='test001'}'
radius_xlat: Running registered xlat function of module sql1 for string 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='test001' GROUP BY UserName='test001''
rlm_sql (sql1): - sql_xlat
radius_xlat: 'test001'
rlm_sql (sql1): sql_set_user escaped user -- 'test001'
radius_xlat: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='test001' GROUP BY UserName='test001''
rlm_sql (sql1): Reserving sql socket id: 2
rlm_sql (sql1): - sql_xlat finished
rlm_sql (sql1): Released sql socket id: 2
radius_xlat: '24388'
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user test001, check_item=54000, counter=24388
rlm_sqlcounter: Sent Reply-Item for user test001, Type=Session-Timeout, value=29612
modcall[authorize]: module noresetcounter returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type CHAP
auth: type CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_chap: login attempt by test001 with CHAP password
rlm_chap: Using clear text password test001 for user test001 authentication.
rlm_chap: chap user test001 authenticated succesfully
modcall[authenticate]: module chap returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Processing the session section of radiusd.conf
modcall: entering group session for request 0
modcall: entering group redundant for request 0
modcall[session]: module sql1 returns noop for request 0
modcall: group redundant returns noop for request 0
modcall: group session returns noop for request 0
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
modcall: entering group redundant for request 0
rlm_sql (sql1): Processing sql_postauth
radius_xlat: 'test001'
rlm_sql (sql1): sql_set_user escaped user -- 'test001'
radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'test001', 'Chap-Password', 'Access-Accept', NOW())'
rlm_sql (sql1) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'test001', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql (sql1): Reserving sql socket id: 1
rlm_sql (sql1): Released sql socket id: 1
modcall[post-auth]: module sql1 returns ok for request 0
modcall: group redundant returns ok for request 0
modcall: group post-auth returns ok for request 0
Sending Access-Accept of id 1 to 192.168.200.1:4395
    Session-Timeout = 29612
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.200.1:4395, id=1, length=48
Sending duplicate reply to client Chillispot:4395 - ID: 1
Re-sending Access-Accept of id 1 to 192.168.200.1:4395
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 1 with timestamp 415c71f8
Nothing to do. Sleeping until we see a request.

There is no request on group it seems... So
Upgrade problem 0.9.3 - 1.0.1
Hi all,

I've hit a problem whilst upgrading from 0.9.3 - 1.0.1 on gentoo linux using the package install. All compiled ok and the server will start fine but by using radiusd -X to start it's reported that:

auth: user supplied User-Password does NOT match local User-Password

I use the sql module against a mysql server and this is replicated to another secondary server in our network running a backup radiusd (0.9.3). The secondary is still running fine against the same database information. I have found there are differences in the syntax of the sql query sent to the db but both the old and new format seem to return the same result.

+------+----------+----------------+------------------------------------+----+
| id   | UserName | Attribute      | Value                              | op |
+------+----------+----------------+------------------------------------+----+
| 1160 | mb005    | Crypt-Password | $1$hLFjleRC$mZJRYJRqMVS6S.iY6hsXx1 | := |
+------+----------+----------------+------------------------------------+----+

Here is the debug output of a test.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /var/run/radiusd/radiusd.pid
main: bind_address = 127.0.0.1 IP address [127.0.0.1]
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded SQL
sql: driver = rlm_sql_mysql
sql: server = localhost
sql: port = 3306
sql: login = radius
sql: password =
sql: radius_db = radius
sql: acct_table = radacct
sql: acct_table2 = radacct
sql: authcheck_table = radcheck
sql: authreply_table = radreply
sql: groupcheck_table = radgroupcheck
sql: groupreply_table = radgroupreply
sql: usergroup_table = usergroup
sql: nas_table = nas
sql: dict_table = dictionary
sql: sqltrace = no
sql: sqltracefile = /var/log/radius/sqltrace.sql
sql: readclients = no
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = %{User-Name}
sql: default_user_profile =
sql: query_on_not_found = no
sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
sql: authorize_group_check_query = SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
sql: authorize_group_reply_query = SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime = '%S'
sql: accounting_update_query = UPDATE radacct ? SET FramedIPAddress = '%{Framed-IP-Address}', ? AcctSessionTime = '%{Acct-Session-Time}', ? AcctInputOctets = '%{Acct-Input-Octets}', ? AcctOutputOctets =
Ntlm_auth how-to
Anybody got a step by step guide how to set up freeradius to work with authentication against a nt-domain?

I have set up freeradius to work with authentication against the users file, and that works fine, but now I wanted to test it against a NT-domain (that's what I really need it for).

It seems to me that it should be enough just to un-comment a few lines in radiusd.conf, and provide the domain name, but how does the freeradius server know *where* to find the domain, for example?

I will provide debug logs and everything if anyone is willing to help (or maybe anyone has already written a guide for this? :)

Thanks,
Øystein Gåsdal
Norway

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: what attributes go in which SQL tables?
[EMAIL PROTECTED] wrote:
> I thought that your private reply was condescending in the extreme,

My reply told you how to educate yourself so as to find out the information you needed to solve your problem. If you find that condescending, then it would appear that you are unwilling to be educated. I do not believe I am capable of helping you solve your problems.

> If you're upset that something you typed got posted on the Internet I respectfully suggest that you not type things like that.

The issue is one of privacy. Posting private messages in a public forum is a public statement by you that your behavior is inappropriate.

> Although I'm quite sure that you know much more about this subject than I, it occurs to me that there may be documentation somewhere not in your possession, or, shocker, that someone else may know something that you do not. That may be naive of me, perhaps you actually do know everything, but to the group, I offered, Alan doesn't have the docs, does anyone else? Pride cometh, my man...

What documentation exists is either included with the server, on the web page, or pointed to from the web page. To imply that some additional documentation exists is to imply that the developers of the server have secret documentation which they show only to the people who ask. You are stating that our behavior is unethical and unprofessional. That's rude. Hence my response. You're unwilling to acknowledge your behavior, hence your shock that anyone would be insulted by your insulting insinuations.

Alan DeKok.
Re: rlm_eap_tls, no response from server
Lara Adianto [EMAIL PROTECTED] wrote: I did run the server in debugging mode. What I meant by the log is the debugging statement from running /radiusd -X -A. I'm sorry. You posted ONE line out of the debug log, which showed that the authentication failed. The reason WHY it failed is contained elsewhere in the debug log. Read the rest of the debug log to see why it failed, or post the ENTIRE debug log to the list. Reading only one debug message out of 1000's is a guaranteed way to not have the information you need to solve the problem.

Alan DeKok.
Re: Time to send a Access-Accept message
Kyriaki Gali [EMAIL PROTECTED] wrote:
> I have a script that needs only 67 ms and when i run it in Radius client test , i see that do more than 500ms to send me an access-accept message!

Running the external script may take time.

> Does anyone know if needs some ms to send me a message like access-reject message?

The server delays Access-Reject messages. See reject_delay in radiusd.conf.

Alan DeKok.
Re: Ntlm_auth how-to
Øystein Gåsdal [EMAIL PROTECTED] wrote:
> Anybody got a step by step guide how to set up freeradius to work with authentication against a nt-domain?

raddb/radiusd.conf, see ntlm_auth. Or, if your users are only using PAP passwords, not MS-CHAP, see rlm_smb, and experimental.conf. It should take only a few minutes to set up rlm_smb, it's pretty simple.

> It seems to me that it should be enough just to un-comment a few lines in radiusd.conf, and provide the domain name, but how does the freeradius server know *where* to find the domain, for example?

It's often in the User-Name attribute.

> I will provide debug logs and everything i anyone is willing to help (or maybe anyone has already written a guide for this? :)

There are very few guides for the server. Most configuration is documented in the configuration files, leaving the administrator to figure it out for himself.

Alan DeKok.
Re: Time to send a Access-Accept message
OK, I have solved my problem with rlm_perl. Does anyone know how I can get environment variables in example.pl? Before I used rlm_perl I got that like this:

$username = $ENV{USER_NAME};

Now what can I do to get $username from the accounting_stop packet?

Kyriaki Gali, IT Applications Specialist
Kinetix Tele.com Support Center, Tel Fax: +30 2310 256140 GSM: +30 6947 723737
http://www.kinetix.gr e-mail: [EMAIL PROTECTED]

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 01, 2004 5:34 PM
Subject: Re: Time to send a Access-Accept message

> Kyriaki Gali [EMAIL PROTECTED] wrote:
> > I have a script that needs only 67 ms and when i run it in Radius client test , i see that do more than 500ms to send me an access-accept message!
>
> Running the external script may take time.
>
> > Does anyone know if needs some ms to send me a message like access-reject message?
>
> The server delays Access-Reject messages. See reject_delay in radiusd.conf.
>
> Alan DeKok.
Re: Upgrade problem 0.9.3 - 1.0.1
Hi all,

Found the answer in the archives, sorry for wasting your time.

Many thanks,
Matt

Matthew Baker wrote:
> Hi all, I've hit a problem whilst upgrading from 0.9.3 - 1.0.1 on gentoo linux using the package install.
Re: Time to send a Access-Accept message
Kyriaki Gali [EMAIL PROTECTED] wrote:
> Does anyone know how can i get enviroment variables in example.pl

You don't.

> Before i use rlm_pel i get that like this $username = $ENV{USER_NAME}; Now what can i do to get $username from the accounting_stop packet?

example.pl contains documentation which describes how to access attributes in the packets.

Alan DeKok.
eap-ttls on OS X
Hello,

As per the suggestion made by Andreas Wolf, I picked up a set of prebuilt binaries based on freeradius-snapshot-20040607 and an (experimental) OpenDirectory module for OS X server. After following all of the instructions in "Setting up a simple WPA Enterprise Infrastructure with MacOS X, AirPort Extreme and freeRadius" I cannot seem to get the radius server to authenticate against OpenDirectory. Instead it seems to insist on trying to authenticate against eap_unix as evidenced (I think, please correct me if I'm wrong) in the debug listing below. Is there somewhere I've gone wrong or misconfigured?

Thanks,
Phil

Fri Oct 1 19:09:37 2004 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 5
Fri Oct 1 19:09:37 2004 : Debug: rlm_eap: Request found, released from the list
Fri Oct 1 19:09:37 2004 : Debug: rlm_eap: EAP/ttls
Fri Oct 1 19:09:37 2004 : Debug: rlm_eap: processing type ttls
Fri Oct 1 19:09:37 2004 : Debug: rlm_eap_ttls: Authenticate
Fri Oct 1 19:09:37 2004 : Debug: rlm_eap_tls: processing TLS
Fri Oct 1 19:09:37 2004 : Info: rlm_eap_tls: Length Included
Fri Oct 1 19:09:37 2004 : Debug: eaptls_verify returned 11
Fri Oct 1 19:09:37 2004 : Debug: eaptls_process returned 7
Fri Oct 1 19:09:37 2004 : Debug: rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS tunnel data in : 00 00 00 01 00 00 00 0f 65 72 73 68 6c 65 72 00
TTLS tunnel data in 0010: 00 00 00 02 00 00 00 18 62 79 74 6d 69 6e 65 32
TTLS tunnel data in 0020: 00 00 00 00 00 00 00 00
TTLS: Got tunneled request
    User-Name = ershler
    User-Password = myTestPassword
    FreeRADIUS-Proxied-To = 127.0.0.1
TTLS: Sending tunneled request
    User-Name = ershler
    User-Password = myTestPassword
    FreeRADIUS-Proxied-To = 127.0.0.1
Fri Oct 1 19:09:37 2004 : Debug: Processing the authorize section of radiusd.conf
Fri Oct 1 19:09:37 2004 : Debug: modcall: entering group authorize for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module preprocess returns ok for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module chap returns noop for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module mschap returns noop for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 5
Fri Oct 1 19:09:37 2004 : Debug: rlm_realm: No '@' in User-Name = ershler, looking up realm NULL
Fri Oct 1 19:09:37 2004 : Debug: rlm_realm: No such realm NULL
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module suffix returns noop for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 5
Fri Oct 1 19:09:37 2004 : Debug: rlm_eap: No EAP-Message, not doing EAP
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module eap returns noop for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: calling files (rlm_files) for request 5
Fri Oct 1 19:09:37 2004 : Debug: users: Matched DEFAULT at 152
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module files returns ok for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall: group authorize returns ok for request 5
Fri Oct 1 19:09:37 2004 : Debug: rad_check_password: Found Auth-Type System
Fri Oct 1 19:09:37 2004 : Debug: auth: type System
Fri Oct 1 19:09:37 2004 : Debug: Processing the authenticate section of radiusd.conf
Fri Oct 1 19:09:37 2004 : Debug: modcall: entering group authenticate for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authenticate]: calling unix (rlm_unix) for request 5
Fri Oct 1 19:09:37 2004 : Auth: rlm_unix: [ershler]: invalid shell []
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authenticate]: returned from unix (rlm_unix) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authenticate]: module unix returns reject for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall: group authenticate returns
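
Added example, not part of any post in this thread and not FreeRADIUS code: a small script that reads a whole debug log, as the "rlm_eap_tls, no response from server" reply advises, and reports per request which users-file entry matched, which Auth-Type was found, and the first module that failed together with the message logged just before it. The function name `triage`, the result keys and the sample log (abridged from the lines quoted in the post above) are assumptions of this example.

```python
import re

# Constructed sample: abridged from the debug lines quoted in the post above.
SAMPLE_LOG = """\
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module preprocess returns ok for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module eap returns noop for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: calling files (rlm_files) for request 5
Fri Oct 1 19:09:37 2004 : Debug: users: Matched DEFAULT at 152
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module files returns ok for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall: group authorize returns ok for request 5
Fri Oct 1 19:09:37 2004 : Debug: rad_check_password: Found Auth-Type System
Fri Oct 1 19:09:37 2004 : Auth: rlm_unix: [ershler]: invalid shell []
Fri Oct 1 19:09:37 2004 : Debug: modcall[authenticate]: module unix returns reject for request 5
"""

PREFIX = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} : \w+: ")  # log-file timestamp and level
MODCALL = re.compile(
    r"modcall\[(?P<section>[\w-]+)\]: module (?P<module>\S+) "
    r"returns (?P<rcode>\w+) for request (?P<req>\d+)")
AUTH_TYPE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
USERS = re.compile(r"users: Matched (\S+) at (\d+)")
FAILING = {"reject", "fail", "invalid", "userlock"}  # module return codes that stop a request


def triage(log_text):
    """Summarise a debug log per request: module results, Auth-Type, first failure.

    Assumes single-threaded debug output, so a line without a request number
    belongs to the request named by the most recent modcall[...] line.
    """
    requests, current, last_note = {}, None, None
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw.strip())
        m = MODCALL.search(line)
        if m:
            current = int(m["req"])
            req = requests.setdefault(current, {
                "steps": [], "auth_type": None, "users_entry": None,
                "failed_at": None, "hint": None})
            step = (m["section"], m["module"], m["rcode"])
            req["steps"].append(step)
            if m["rcode"] in FAILING and req["failed_at"] is None:
                req["failed_at"], req["hint"] = step, last_note
            continue
        if current is None or not line or line.startswith(("modcall", "modsingle")):
            continue
        req = requests[current]
        if (m := AUTH_TYPE.search(line)):
            req["auth_type"] = m.group(1)
        elif (m := USERS.search(line)):
            req["users_entry"] = (m.group(1), int(m.group(2)))
        else:
            last_note = line  # free-text module message; may explain a later failure
    return requests


if __name__ == "__main__":
    for rid, req in triage(SAMPLE_LOG).items():
        print(f"request {rid}: Auth-Type={req['auth_type']} users entry={req['users_entry']}")
        print(f"  first failure: {req['failed_at']}  preceding message: {req['hint']}")
```
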