Time to send a Access-Accept message

2004-10-01 Thread Kyriaki Gali
I want to know if freeradius v 1.0.0 needs some milliseconds to send an
access-accept message by default.

I have a script that needs only 67 ms, and when I run it in the Radius client
test, I see that it takes more than 500 ms to send me an access-accept message!
Does anyone know if it needs some ms to send me a message like an
access-reject message?

Thanks in advance.



radgroupreply

2004-10-01 Thread EROS
I've tried to change the request between user and group in sql.conf but
it doesn't work.

Does somebody have some ideas?
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of EROS
Sent: Thursday, 30 September 2004 23:03
To: [EMAIL PROTECTED]
Subject: radgroupreply


Yes I had it

rad_recv: Access-Request packet from host 192.168.200.1:4395, id=1,
length=48
User-Name = test001
CHAP-Password = 0xb9215f405119e840fdc14e628555747ff2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test001, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
modcall: entering group redundant for request 0
radius_xlat:  'test001'
rlm_sql (sql1): sql_set_user escaped user -- 'test001'
rlm_sql (sql1): Reserving sql socket id: 3
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'test001' ORDER BY id' rlm_sql (sql1): User found in radcheck
table
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'test001' ORDER BY id' rlm_sql (sql1): Released sql socket
id: 3
  modcall[authorize]: module sql1 returns ok for request 0
modcall: group redundant returns ok for request 0
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='%{User-Name}' GROUP BY UserName='%{User-Name}''
radius_xlat:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='test001' GROUP BY UserName='test001''
sqlcounter_expand:  '%{sql1:SELECT SUM(AcctSessionTime) FROM radacct
WHERE UserName='test001' GROUP BY UserName='test001'}'
radius_xlat: Running registered xlat function of module sql1 for string
'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='test001' GROUP
BY UserName='test001'' rlm_sql (sql1): - sql_xlat
radius_xlat:  'test001'
rlm_sql (sql1): sql_set_user escaped user -- 'test001'
radius_xlat:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='test001' GROUP BY UserName='test001'' rlm_sql (sql1):
Reserving sql socket id: 2 rlm_sql (sql1): - sql_xlat finished rlm_sql
(sql1): Released sql socket id: 2
radius_xlat:  '24388'
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user test001, check_item=54000, counter=24388
rlm_sqlcounter: Sent Reply-Item for user test001, Type=Session-Timeout,
value=29612
  modcall[authorize]: module noresetcounter returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_chap: login attempt by test001 with CHAP password
  rlm_chap: Using clear text password test001 for user test001
authentication.
  rlm_chap: chap user test001 authenticated succesfully
  modcall[authenticate]: module chap returns ok for request 0
modcall: group Auth-Type returns ok for request 0
  Processing the session section of radiusd.conf
modcall: entering group session for request 0
modcall: entering group redundant for request 0
  modcall[session]: module sql1 returns noop for request 0
modcall: group redundant returns noop for request 0
modcall: group session returns noop for request 0
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
modcall: entering group redundant for request 0
rlm_sql (sql1): Processing sql_postauth
radius_xlat:  'test001'
rlm_sql (sql1): sql_set_user escaped user -- 'test001'
radius_xlat:  'INSERT into radpostauth (id, user, pass, reply, date)
values ('', 'test001', 'Chap-Password', 'Access-Accept', NOW())' rlm_sql
(sql1) in sql_postauth: query is INSERT into radpostauth (id, user,
pass, reply, date) values ('', 'test001', 'Chap-Password',
'Access-Accept', NOW()) rlm_sql (sql1): Reserving sql socket id: 1
rlm_sql (sql1): Released sql socket id: 1
  modcall[post-auth]: module sql1 returns ok for request 0
modcall: group redundant returns ok for request 0
modcall: group post-auth returns ok for request 0
Sending Access-Accept of id 1 to 192.168.200.1:4395
Session-Timeout = 29612
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.200.1:4395, id=1,
length=48 Sending duplicate reply to client Chillispot:4395 - ID: 1
Re-sending Access-Accept of id 1 to 192.168.200.1:4395 Waking up in 3
seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 1 with timestamp 415c71f8
Nothing to do.  Sleeping until we see a request.






There is no request on group it seems... So 

Upgrade problem 0.9.3 - 1.0.1

2004-10-01 Thread Matthew Baker
Hi all,
	I've hit a problem whilst upgrading from 0.9.3 - 1.0.1 on gentoo linux 
using the package install.

All compiled ok and the server will start fine but by using radiusd -X 
to start it's reported that:

auth: user supplied User-Password does NOT match local User-Password

I use the sql module against a mysql server and this is replicated to 
another secondary server in our network running a backup radiusd 
(0.9.3). The secondary is still running fine against the same database 
information.

I have found there are differences in the syntax of the sql query sent 
to the db but both the old and new format seem to return the same result.

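+------+----------+----------------+------------------------------------+----+
| id   | UserName | Attribute      | Value                              | op |
+------+----------+----------------+------------------------------------+----+
| 1160 | mb005    | Crypt-Password | $1$hLFjleRC$mZJRYJRqMVS6S.iY6hsXx1 | := |
+------+----------+----------------+------------------------------------+----+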

Here is the debug output of a test.
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: bind_address = 127.0.0.1 IP address [127.0.0.1]
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded SQL
 sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port = 3306
 sql: login = radius
 sql: password = 
 sql: radius_db = radius
 sql: acct_table = radacct
 sql: acct_table2 = radacct
 sql: authcheck_table = radcheck
 sql: authreply_table = radreply
 sql: groupcheck_table = radgroupcheck
 sql: groupreply_table = radgroupreply
 sql: usergroup_table = usergroup
 sql: nas_table = nas
 sql: dict_table = dictionary
 sql: sqltrace = no
 sql: sqltracefile = /var/log/radius/sqltrace.sql
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: default_user_profile = 
 sql: query_on_not_found = no
 sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op 
FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op 
FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_group_check_query = SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName 
ORDER BY radgroupcheck.id
 sql: authorize_group_reply_query = SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName 
ORDER BY radgroupreply.id
 sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S', 
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), 
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = 
'%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND 
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime = '%S'
 sql: accounting_update_query = UPDATE radacct ? SET FramedIPAddress = 
'%{Framed-IP-Address}', ? AcctSessionTime = '%{Acct-Session-Time}', ? 
AcctInputOctets = '%{Acct-Input-Octets}', ? AcctOutputOctets = 

Ntlm_auth how-to

2004-10-01 Thread Øystein Gåsdal
Anybody got a step by step guide how to set up freeradius to work with
authentication against a nt-domain?
I have set up freeradius to work with authentication against the users file,
and that works fine, but now I wanted to test it against a NT-domain (that's
what I really need it for)

It seems to me that it should be enough just to un-comment a few lines in
radiusd.conf, and provide the domain name, but how does the freeradius
server know *where* to find the domain, for example?

I will provide debug logs and everything if anyone is willing to help (or
maybe anyone has already written a guide for this? :)

Thanks,
Øystein Gåsdal
Norway

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: what attributes go in which SQL tables?

2004-10-01 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I thought that your private reply was condescending in the extreme,

  My reply told you how to educate yourself so as to find out the
information you needed to solve your problem.  If you find that
condescending, then it would appear that you are unwilling to be
educated.

  I do not believe I am capable of helping you solve your problems.

> If you're upset that something you typed got posted on the Internet I
> respectfully suggest that you not type things like that.

  The issue is one of privacy.  Posting private messages in a public
forum is a public statement by you that your behavior is inappropriate.

> Although I'm quite sure that you know much more about this subject than I,
> it occurs to me that there may be documentation somewhere not in your
> possession, or, shocker, that someone else may know something that you do
> not.  That may be naive of me, perhaps you actually do know everything,
> but to the group, I offered, Alan doesn't have the docs, does anyone
> else?  Pride cometh, my man...

  What documentation exists is either included with the server, on the
web page, or pointed to from the web page.

  To imply that some additional documentation exists is to imply that
the developers of the server have secret documentation which they
show only to the people who ask.  You are stating that our behavior is
unethical and unprofessional.

  That's rude.  Hence my response.  You're unwilling to acknowledge
your behavior, hence your shock that anyone would be insulted by your
insulting insinuations.

  Alan DeKok.




Re: rlm_eap_tls, no response from server

2004-10-01 Thread Alan DeKok
Lara Adianto [EMAIL PROTECTED] wrote:
> I did run the server in debugging mode. What I meant by the log is
> the debugging statement from running /radiusd -X -A.

  I'm sorry.  You posted ONE line out of the debug log, which showed
that the authentication failed.  The reason WHY it failed is contained
elsewhere in the debug log.

  Read the rest of the debug log to see why it failed, or post the
ENTIRE debug log to the list.

  Reading only one debug message out of 1000's is a guaranteed way to
not have the information you need to solve the problem.

  Alan DeKok.




Re: Time to send a Access-Accept message

2004-10-01 Thread Alan DeKok
Kyriaki Gali [EMAIL PROTECTED] wrote:
> I have a script that needs only 67 ms, and when I run it in the Radius
> client test, I see that it takes more than 500 ms to send me an
> access-accept message!

  Running the external script may take time.

> Does anyone know if it needs some ms to send me a message like an
> access-reject message?

  The server delays Access-Reject messages.  See reject_delay in
radiusd.conf.

  Alan DeKok.




Re: Ntlm_auth how-to

2004-10-01 Thread Alan DeKok
Øystein Gåsdal [EMAIL PROTECTED] wrote:
> Anybody got a step by step guide how to set up freeradius to work with
> authentication against a nt-domain?

  raddb/radiusd.conf, see ntlm_auth.

  Or, if your users are only using PAP passwords, not MS-CHAP, see
rlm_smb, and experimental.conf.  It should take only a few minutes
to set up rlm_smb, it's pretty simple.

> It seems to me that it should be enough just to un-comment a few
> lines in radiusd.conf, and provide the domain name, but how does
> the freeradius server know *where* to find the domain, for example?

  It's often in the User-Name attribute.

> I will provide debug logs and everything if anyone is willing to help
> (or maybe anyone has already written a guide for this? :)

  There are very few guides for the server.  Most configuration is
documented in the configuration files, leaving the administrator to
figure it out for himself.

  Alan DeKok.




Re: Time to send a Access-Accept message

2004-10-01 Thread Kyriaki Gali
OK, I have solved my problem with rlm_perl.

Does anyone know how I can get environment variables in example.pl?
Before I used rlm_perl I got that like this:
$username = $ENV{USER_NAME};
Now what can I do to get $username from the accounting_stop packet?

Kyriaki Gali,
IT Applications Specialist
Kinetix Tele.com Support Center,
Tel  Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]
- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 01, 2004 5:34 PM
Subject: Re: Time to send a Access-Accept message


> Kyriaki Gali [EMAIL PROTECTED] wrote:
> > I have a script that needs only 67 ms, and when I run it in the Radius
> > client test, I see that it takes more than 500 ms to send me an
> > access-accept message!
>
>   Running the external script may take time.
>
> > Does anyone know if it needs some ms to send me a message like an
> > access-reject message?
>
>   The server delays Access-Reject messages.  See reject_delay in
> radiusd.conf.
>
>   Alan DeKok.




Re: Upgrade problem 0.9.3 - 1.0.1

2004-10-01 Thread Matthew Baker
Hi all,
Found the answer in the archives, sorry for wasting your time.
Many thanks,
Matt

Matthew Baker wrote:
> Hi all,
> I've hit a problem whilst upgrading from 0.9.3 - 1.0.1 on gentoo
> linux using the package install.


Re: Time to send a Access-Accept message

2004-10-01 Thread Alan DeKok
Kyriaki Gali [EMAIL PROTECTED] wrote:
> Does anyone know how I can get environment variables in example.pl?

  You don't.

> Before I used rlm_perl I got that like this:
> $username = $ENV{USER_NAME};
> Now what can I do to get $username from the accounting_stop packet?

  example.pl contains documentation which describes how to access
attributes in the packets.

  Alan DeKok.
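
How packet attributes reach an rlm_perl handler, as an added example that is not part of the original thread and is not FreeRADIUS's example.pl: rlm_perl passes the request in the %RAD_REQUEST hash, so the old $ENV{USER_NAME} lookup becomes $RAD_REQUEST{'User-Name'}. The stop_record and log_line helpers, the validation policy, the radlog level and the sample packet are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: reading packet attributes inside an rlm_perl handler.
use strict;
use warnings;

# rlm_perl fills these package globals before it calls a handler, so the
# request is read from %RAD_REQUEST rather than from %ENV.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# RLM_MODULE_* return codes used by the handler below.
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_INVALID => 4;
use constant RLM_MODULE_NOOP    => 7;

# Log through the server when embedded, to STDERR when run by hand.
sub log_line {
    my ($msg) = @_;
    if (defined &radiusd::radlog) {
        radiusd::radlog(1, $msg);    # level 1 is an assumption
    } else {
        print STDERR "$msg\n";
    }
}

# Hypothetical helper: pull the fields of an Accounting Stop out of the
# request and validate them. Attribute values arrive from the network, so
# they are checked before anything passes them to a shell, file or query.
sub stop_record {
    my ($req) = @_;

    # Example policy (an assumption): printable ASCII, no spaces, <= 64.
    my $username = $req->{'User-Name'};
    return unless defined $username
        && $username =~ /\A[\x21-\x7e]{1,64}\z/;

    my $seconds = $req->{'Acct-Session-Time'} // '';
    return unless $seconds =~ /\A\d{1,10}\z/;

    return { username => $username, seconds => $seconds + 0 };
}

# Called by rlm_perl for each Accounting-Request.
sub accounting {
    my $status = $RAD_REQUEST{'Acct-Status-Type'} // '';
    # Assumption: the value is the dictionary name "Stop"; the raw
    # number 2 is accepted as well.
    return RLM_MODULE_NOOP unless $status eq 'Stop' || $status eq '2';

    my $rec = stop_record(\%RAD_REQUEST);
    unless ($rec) {
        log_line('accounting stop with missing or malformed attributes');
        return RLM_MODULE_INVALID;
    }
    log_line("stop: user=$rec->{username} session=$rec->{seconds}s");
    return RLM_MODULE_OK;
}

# Stand-alone run with a constructed packet (not taken from the thread).
unless (defined &radiusd::radlog) {
    %RAD_REQUEST = (
        'User-Name'         => 'test001',
        'Acct-Status-Type'  => 'Stop',
        'Acct-Session-Time' => '120',
    );
    print 'accounting() returned ', accounting(), "\n";
}
```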




eap-ttls on OS X

2004-10-01 Thread Philip Ershler
Hello,
	As per the suggestion made by Andreas Wolf, I picked up a set of 
prebuilt binaries based on freeradius-snapshot-20040607 and an 
(experimental) OpenDirectory module for OS X server. After following 
all of the instructions in Setting up a simple WPA Enterprise 
Infrastructure with MacOS X, AirPort Extreme and freeRadius I cannot 
seem to get the radius server to authenticate against OpenDirectory. 
Instead it seems to insist on trying to authenticate against eap_unix 
as evidenced (I think, please correct me if I'm wrong) in the debug 
listing below. Is there somewhere I've gone wrong or misconfigured?

Thanks, Phil
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authenticate]: calling 
eap (rlm_eap) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   rlm_eap: Request found, released 
from the list
Fri Oct  1 19:09:37 2004 : Debug:   rlm_eap: EAP/ttls
Fri Oct  1 19:09:37 2004 : Debug:   rlm_eap: processing type ttls
Fri Oct  1 19:09:37 2004 : Debug:   rlm_eap_ttls: Authenticate
Fri Oct  1 19:09:37 2004 : Debug:   rlm_eap_tls: processing TLS
Fri Oct  1 19:09:37 2004 : Info: rlm_eap_tls:  Length Included
Fri Oct  1 19:09:37 2004 : Debug:   eaptls_verify returned 11
Fri Oct  1 19:09:37 2004 : Debug:   eaptls_process returned 7
Fri Oct  1 19:09:37 2004 : Debug:   rlm_eap_ttls: Session established.  
Proceeding to decode tunneled attributes.
  TTLS tunnel data in : 00 00 00 01 00 00 00 0f 65 72 73 68 6c 65 
72 00
  TTLS tunnel data in 0010: 00 00 00 02 00 00 00 18 62 79 74 6d 69 6e 
65 32
  TTLS tunnel data in 0020: 00 00 00 00 00 00 00 00
  TTLS: Got tunneled request
User-Name = ershler
User-Password = myTestPassword
FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
User-Name = ershler
User-Password = myTestPassword
FreeRADIUS-Proxied-To = 127.0.0.1
Fri Oct  1 19:09:37 2004 : Debug:   Processing the authorize section of 
radiusd.conf
Fri Oct  1 19:09:37 2004 : Debug: modcall: entering group authorize for 
request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: calling 
preprocess (rlm_preprocess) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: returned from 
preprocess (rlm_preprocess) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modcall[authorize]: module 
preprocess returns ok for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: calling chap 
(rlm_chap) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: returned from 
chap (rlm_chap) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modcall[authorize]: module chap 
returns noop for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: calling 
mschap (rlm_mschap) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: returned from 
mschap (rlm_mschap) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modcall[authorize]: module mschap 
returns noop for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: calling 
suffix (rlm_realm) for request 5
Fri Oct  1 19:09:37 2004 : Debug: rlm_realm: No '@' in User-Name = 
ershler, looking up realm NULL
Fri Oct  1 19:09:37 2004 : Debug: rlm_realm: No such realm NULL
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: returned from 
suffix (rlm_realm) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modcall[authorize]: module suffix 
returns noop for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: calling eap 
(rlm_eap) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   rlm_eap: No EAP-Message, not doing 
EAP
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: returned from 
eap (rlm_eap) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modcall[authorize]: module eap 
returns noop for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: calling files 
(rlm_files) for request 5
Fri Oct  1 19:09:37 2004 : Debug: users: Matched DEFAULT at 152
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: returned from 
files (rlm_files) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modcall[authorize]: module files 
returns ok for request 5
Fri Oct  1 19:09:37 2004 : Debug: modcall: group authorize returns ok 
for request 5
Fri Oct  1 19:09:37 2004 : Debug:   rad_check_password:  Found 
Auth-Type System
Fri Oct  1 19:09:37 2004 : Debug: auth: type System
Fri Oct  1 19:09:37 2004 : Debug:   Processing the authenticate section 
of radiusd.conf
Fri Oct  1 19:09:37 2004 : Debug: modcall: entering group authenticate 
for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authenticate]: calling 
unix (rlm_unix) for request 5
Fri Oct  1 19:09:37 2004 : Auth: rlm_unix: [ershler]: invalid shell []
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authenticate]: returned 
from unix (rlm_unix) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modcall[authenticate]: module 
unix returns reject for request 5
Fri Oct  1 19:09:37 2004 : Debug: modcall: group authenticate returns