Re: Authorization via LDAP and Files, Authentication via LDAP

2004-10-15 Thread Michael Kopp

Alan DeKok aland[AT]ox.org wrote:

 Michael Kopp michael.kopp[AT]gmx.net wrote:
  radiusd.conf[1559] Unknown configuration directive ldap in authorize
  section.
 ...
  ldap{
 
   Try putting a space in between ldap and {
 
   Alan DeKok.
 
 

Hmm, same error as before,

...
 ldap {
 notfound = return
 }
 
 files
...

I also tested 

ldap { notfound = return
}
files

and 

ldap {notfound = return
}
files

and

ldap { notfound=return
}
files

and

ldap {notfound=return
}
files

All combinations result in the same error:

radiusd.conf[1559] Unknown configuration directive ldap in authorize
section.

By the way, I'm using FreeRADIUS 1.0.1.
I tested this now on two different machines:
Sparc Solaris 9 and Intel Debian Linux Sarge.

Regards
Michael



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


unsubscribe

2004-10-15 Thread Abhijit Lahiri



sql group checks

2004-10-15 Thread Alexander Serkin
Hi.
Could anybody explain to me what exactly FR does with group checks when working with SQL
(Oracle in my case)?
I see group_membership_query in sql.conf, but I do not see that FR uses it in the debug output:

rad_recv: Access-Request packet from host 127.0.0.1:50893, id=174, length=78
User-Name = [EMAIL PROTECTED]
User-Password = blahblah
Calling-Station-Id = 25009702749
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 212.119.97.86
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 29
  modcall[authorize]: module preprocess returns ok for request 29
  modcall[authorize]: module chap returns noop for request 29
rlm_realm: Looking up realm c for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm c
rlm_realm: Proxying request from user a to realm c
rlm_realm: Adding Realm = c
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 29
users: Matched DEFAULT at 73
  modcall[authorize]: module files returns ok for request 29
WARNING: Attempt to use unknown xlat function, or non-existent attribute in 
string %{DEFAULT}
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
 FROM radgroupcheck,usergroup WHERE (usergroup.Username = '[EMAIL PROTECTED]' or 
usergroup.CLID = '25009702749') AND usergroup.GroupName = 
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,usergroup WHERE (usergroup.Username = '[EMAIL PROTECTED]' OR 
usergroup.CLID = '25009702749') AND usergroup.GroupName = 
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user [EMAIL PROTECTED]
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module sql returns notfound for request 29
  modcall[authorize]: module mschap returns noop for request 29
modcall: group authorize returns ok for request 29
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user

Second, what exactly will FR do if authorize_group_check_query returns several
groups' membership for the user (I've slightly modified the query and the usergroup
table to check CLID also):

SQL SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, 
radgroupcheck.Value, radgroupcheck.op  FROM radgroupcheck, usergroup WHERE 
(usergroup.Username = '[EMAIL PROTECTED]' or usergroup.CLID = '25009702749') AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id;

ID GROUPNAME   ATTRIBUTE       VALUE          OP
10 carta       Realm           c              ==
11 carta       NAS-IP-Address  212.119.117.1  ==
19 blackholed  Auth-Type       Reject         :=
In my case the user is accepted even though he is a member of the blackholed group with
Auth-Type - Reject.

--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow


Concurrent logins...

2004-10-15 Thread Evert Meulie
Hi everyone!
Is it possible within freeradius and/or dialup_admin to define that open
sessions (if any) of users who are a member of a certain group get
closed when a new one gets opened?

We sometimes end up with more than one session for some users here, and 
that kinda screws up the administration...  :-/

Regards,
Evert Meulie


Authentication errors on freeradius 1.0.1 on Solaris 9

2004-10-15 Thread Ahmad Cheikh Moussa
Hi!
I have freeradius 1.0.1 on Solaris 9. I have problems authenticating
users via a Cisco NAS and via Cisco Access Points. The radius config
ran under freeradius 0.9.3 without any problem.
Here are the debug outputs:
users file :
 nutest1 Auth-Type:= Local, User-Password == geheim
Service-Type = Framed-User,
Framed-Protocol = PPP
clients.conf
 client 1.1.1.1  {
secret  = test123
shortname   = test
nastype = cisco
}
The first test is with radtest, the second test is via the Cisco NAS.
Authentication via radtest is accepted, but authentication
via the NAS is rejected, and I don't know why.
 nuki02[admin] # radtest  nutest1 geheim localhost:1812 1 testing123
Sending Access-Request of id 153 to 127.0.0.1:1812
User-Name = nutest1
User-Password = geheim
NAS-IP-Address = nuki02
NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=153, length=32
Service-Type = Framed-User
Framed-Protocol = PPP
nuki02[admin] #
On Cisco NAS:
 as5200-ranke01#test aaa group radius nutest1 geheim
 Attempting authentication test to server-group radius using radius
 User authentication request was rejected by server.
 as5200-ranke01#
Here now the debug output from the radius server:
 nuki02[admin] # /opt/NUfreeradius-1.0.1/sbin/radiusd -d /etc/raddb -a 
/var/log/radius -x
Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type tls
rlm_eap: Loaded and initialized type ttls
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
Module: Instantiated detail (auth_log)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Module: Instantiated detail (reply_log)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.

rad_recv: Access-Request packet from host 127.0.0.1:35513, id=153, length=49
User-Name = nutest1
User-Password = geheim
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
Login OK: [nutest1] (from client localhost port 1)
Sending Access-Accept of id 153 to 127.0.0.1:35513
Service-Type = Framed-User
Framed-Protocol = PPP

rad_recv: Access-Request packet from host 193.98.110.136:1645, id=114, 
length=59
NAS-IP-Address = 193.98.110.136
NAS-Port-Type = Async
User-Name = nutest1
User-Password = T\324\3701\212\023c\\\375m\211\2061'\312\320
Login incorrect: [nutest1] (from client ranke-test port 0)
rad_recv: Access-Request packet from host 193.98.110.136:1645, id=114, 
length=59
Sending Access-Reject of id 114 to 193.98.110.136:1645

The difference between both access-requests, as far as I can see, is
that the User-Password is different. In the first test
you see the password correctly, in the second something
strange.
When I increase the debugging level on the radius server, I see this output:
 rad_recv: Access-Request packet from host 193.98.110.136:1645, id=113, 
length=59
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
NAS-IP-Address = 193.98.110.136
NAS-Port-Type = Async
User-Name = nutest1
User-Password = g\\\202\t\367\010}\215\255\255\225\257\t.G\267
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/var/log/radius/ranke-test/auth-detail'
rlm_detail: /var/log/radius/%C/auth-detail expands to 
/var/log/radius/ranke-test/auth-detail
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = nutest1, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not 

Re: Concurrent logins...

2004-10-15 Thread Kostas Kalevras
On Fri, 15 Oct 2004, Evert Meulie wrote:

 Hi everyone!

 Is it possible within freeradius and/or dialup_admin to define that open
 sessions (if any) of users who are a member of a certain group get
 closed when a new one gets opened?

 We sometimes end up with more than one session for some users here, and
 that kinda screws up the administration...  :-/

See doc/Simultaneous-Use. You could set it on a per-group basis.



 Regards,
   Evert Meulie




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: sql group checks

2004-10-15 Thread Kostas Kalevras
On Fri, 15 Oct 2004, Alexander Serkin wrote:

 Hi.
 Could anybody explain to me what exactly FR does with group checks when working with SQL
 (Oracle in my case)?
 I see group_membership_query in sql.conf, but I do not see that FR uses it in the debug output:

 rad_recv: Access-Request packet from host 127.0.0.1:50893, id=174, length=78
  User-Name = [EMAIL PROTECTED]
  User-Password = blahblah
  Calling-Station-Id = 25009702749
  Framed-Protocol = PPP
  Service-Type = Framed-User
  NAS-IP-Address = 212.119.97.86
Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 29
modcall[authorize]: module preprocess returns ok for request 29
modcall[authorize]: module chap returns noop for request 29
  rlm_realm: Looking up realm c for User-Name = [EMAIL PROTECTED]
  rlm_realm: Found realm c
  rlm_realm: Proxying request from user a to realm c
  rlm_realm: Adding Realm = c
  rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 29
  users: Matched DEFAULT at 73
modcall[authorize]: module files returns ok for request 29
 WARNING: Attempt to use unknown xlat function, or non-existent attribute in
 string %{DEFAULT}
 radius_xlat:  '[EMAIL PROTECTED]'
 rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
 radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
 Username = '[EMAIL PROTECTED]' ORDER BY id'
 rlm_sql (sql): Reserving sql socket id: 0
 radius_xlat:  'SELECT
 radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
   FROM radgroupcheck,usergroup WHERE (usergroup.Username = '[EMAIL PROTECTED]' or
 usergroup.CLID = '25009702749') AND usergroup.GroupName =
 radgroupcheck.GroupName ORDER BY radgroupcheck.id'
 radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
 Username = '[EMAIL PROTECTED]' ORDER BY id'
 radius_xlat:  'SELECT
 radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
   FROM radgroupreply,usergroup WHERE (usergroup.Username = '[EMAIL PROTECTED]' OR
 usergroup.CLID = '25009702749') AND usergroup.GroupName =
 radgroupreply.GroupName ORDER BY radgroupreply.id'
 rlm_sql (sql): No matching entry in the database for request from user [EMAIL 
 PROTECTED]
 rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module sql returns notfound for request 29
modcall[authorize]: module mschap returns noop for request 29
 modcall: group authorize returns ok for request 29
rad_check_password:  Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user

 Second, what exactly will FR do if authorize_group_check_query returns several
 groups' membership for the user (I've slightly modified the query and the usergroup
 table to check CLID also):

 SQL SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
 radgroupcheck.Value, radgroupcheck.op  FROM radgroupcheck, usergroup WHERE
 (usergroup.Username = '[EMAIL PROTECTED]' or usergroup.CLID = '25009702749') AND
 usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id;

 ID GROUPNAME  ATTRIBUTE   VALUE OP
 10 carta  Realm   c ==
 11 carta  NAS-IP-Address  212.119.117.1 ==
 19 blackholed Auth-Type   Reject:=

 In my case the user is accepted even though he is a member of the blackholed group with
 Auth-Type - Reject.

 --
 Sincerely Yours,
 Alexander Serkin,
 Skylink, Moscow




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Concurrent logins...

2004-10-15 Thread Evert Meulie
Kostas Kalevras wrote:
On Fri, 15 Oct 2004, Evert Meulie wrote:

Hi everyone!
Is it possible within freeradius and/or dialup_admin to define that open
 sessions (if any) of users who are a member of a certain group get
closed when a new one gets opened?
We sometimes end up with more than one session for some users here, and
that kinda screws up the administration...  :-/

See doc/Simultaneous-Use. You could set it on a per-group basis.
But wouldn't that prevent new sessions from being created, instead of
deleting the existing session and 'replacing' it with the new one?

Regards,
Evert Meulie


RE: Authentication errors on freeradius 1.0.1 on Solaris 9

2004-10-15 Thread Mitchell, Michael
Here are two hints:

 auth: No authenticate method (Auth-Type) configuration found for the 
 request: Rejecting the user

The authorize section didn't find the user anywhere (eg in
etc/raddb/users file), or anything else to tell it what authentication
method to use for the user.


And:

 Login incorrect: [nutest1] (from client ranke-test port 0)
 WARNING: Unprintable characters in the password. ?  Double-check the
 shared secret on the server and the NAS!


So, check that the shared secret between the server and the NAS is the
same (etc/raddb/clients.conf file).

And run the server with the -X (capital X) option to get all the
debugging output...






Re: Authentication errors on freeradius 1.0.1 on Solaris 9

2004-10-15 Thread Ahmad Cheikh Moussa
Hi!
The authorize section didn't find the user anywhere (eg in
etc/raddb/users file), or anything else to tell it what authentication
method to use for the user.
The problem is not the authorize section. The user got a
reject because the User-Password contains something strange
and not the password:
 User-Password = g\\\202\t\367\010}\215\255\255\225\257\t.G\267
Perhaps the radius server is not able to decode the password correctly?
So, check that the shared secret between the server and the NAS are the
same (etc/raddb/clients.conf file).
And run the server with the -X (capital X) option to get all the
debugging output...
Believe me, I checked the shared secret one hundred times.
The shared secret is correct. I still believe that there is a problem
decoding the sent password.
Regards,
 Ahmad

--
Ahmad Cheikh-Moussa
NetUSE AG
Dr.-Hell-Straße, 24107 Kiel, Germany
Telefon: +49 431 2390 400 --  Telefax: +49 431 2390 499
Service: [EMAIL PROTECTED] --  http://NetUSE.DE/


user lost connectivity

2004-10-15 Thread Edgars
Hello,
Is there any way to write acctstoptime when the user loses
connectivity with his NAS? After this happens the user is prompted to
log in again, but the previous acctstoptime stays blank.

Edgars


Re: user lost connectivity

2004-10-15 Thread Kyriaki Gali
This is a problem; I don't know if there is a way to fix this, but
I suggest inserting a field in the radacct table to get the disconnect cause, so
if you don't have an AcctStopTime you will know why. Or check for how long your
CDR is without an AcctStopTime.



Kyriaki Gali,
IT Applications Specialist
Kinetix Tele.com Support Center,
Tel  Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]
- Original Message - 
From: Edgars [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 15, 2004 1:15 PM
Subject: user lost connectivity


 Hello,

 Is there any way to write acctstoptime when the user loses
 connectivity with his NAS? After this happens the user is prompted to
 log in again, but the previous acctstoptime stays blank.

 Edgars






[Fwd: Re: user lost connectivity]

2004-10-15 Thread Edgars
I already have such a field in radacct and it stays NULL if
this happens.
Edgars
Kyriaki Gali wrote:
This is a problem; I don't know if there is a way to fix this, but
I suggest inserting a field in the radacct table to get the disconnect cause, so
if you don't have an AcctStopTime you will know why. Or check for how long your
CDR is without an AcctStopTime.

Kyriaki Gali,
IT Applications Specialist
Kinetix Tele.com Support Center,
Tel  Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]
- Original Message - 
From: Edgars [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 15, 2004 1:15 PM
Subject: user lost connectivity

 

Hello,
Is there any way to write acctstoptime when the user loses
connectivity with his NAS? After this happens the user is prompted to
log in again, but the previous acctstoptime stays blank.
Edgars

 

--
Edgars



Re: Re: user lost connectivity]

2004-10-15 Thread Kyriaki Gali
Yes, I know it is a problem and I don't know if we can do something else. I
have the same problem too,
so if you find anything please let me know.

regards,

Kyriaki Gali,
IT Applications Specialist
Kinetix Tele.com Support Center,
Tel  Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]
- Original Message - 
From: Edgars [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 15, 2004 1:39 PM
Subject: [Fwd: Re: user lost connectivity]


 I already have such a field in radacct and it stays NULL if
 this happens.

 Edgars

 Kyriaki Gali wrote:

 This is a problem; I don't know if there is a way to fix this, but
 I suggest inserting a field in the radacct table to get the disconnect cause, so
 if you don't have an AcctStopTime you will know why. Or check for how long your
 CDR is without an AcctStopTime.
 
 
 
 Kyriaki Gali,
 IT Applications Specialist
 Kinetix Tele.com Support Center,
 Tel  Fax: +30 2310 256140
 GSM: +30 6947 723737
 http://www.kinetix.gr
 e-mail: [EMAIL PROTECTED]
 - Original Message - 
 From: Edgars [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, October 15, 2004 1:15 PM
 Subject: user lost connectivity
 
 
 
 
 Hello,
 
 Is there any way to write acctstoptime when the user loses
 connectivity with his NAS? After this happens the user is prompted to
 log in again, but the previous acctstoptime stays blank.
 
 Edgars
 
 

 -- 
 Edgars








Re: Authentication errors on freeradius 1.0.1 on Solaris 9

2004-10-15 Thread Stefan . Neis
Ahmad Cheikh Moussa schrieb:

 Believe me, I checked the shared secret one hundred
 time.
 The shared secret is correct. I still believe that there
 is a problem
 to decode the send password.

Which still hints at a bad secret... I don't really know how
sensitive your cisco box or even freeradius are in this
respect, but checking for whitespace or a bad linebreak
(the infamous windows-like \r\n vs. unix-like \n ) at the
end of the secret _might_ be an idea.

   Regards,
   Stefan




Re: Concurrent logins...

2004-10-15 Thread Kostas Kalevras
On Fri, 15 Oct 2004, Evert Meulie wrote:

 Kostas Kalevras wrote:
  On Fri, 15 Oct 2004, Evert Meulie wrote:
 
 
 Hi everyone!
 
  Is it possible within freeradius and/or dialup_admin to define that open
    sessions (if any) of users who are a member of a certain group get
  closed when a new one gets opened?
 
 We sometimes end up with more than one session for some users here, and
 that kinda screws up the administration...  :-/
 
 
   See doc/Simultaneous-Use. You could set it on a per-group basis.
 

 But wouldn't that prevent new sessions from being created, instead of
 deleting the existing session and 'replacing' it with the new one?

I don't think that something like this is supported (out of the box anyway).
Deleting a session is also NAS specific.

You can probably achieve something like that through rlm_perl or server patches.



 Regards,
   Evert Meulie




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: sql group checks

2004-10-15 Thread Kostas Kalevras
On Fri, 15 Oct 2004, Alexander Serkin wrote:

 Hi.
 Could anybody explain to me what exactly FR does with group checks when working with SQL
 (Oracle in my case)?
 I see group_membership_query in sql.conf, but I do not see that FR uses it in the debug output:

group_membership_query is used for Sql-Group attribute checking.

 Second, what exactly will FR do if authorize_group_check_query returns several
 groups' membership for the user (I've slightly modified the query and the usergroup
 table to check CLID also):

 SQL SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
 radgroupcheck.Value, radgroupcheck.op  FROM radgroupcheck, usergroup WHERE
 (usergroup.Username = '[EMAIL PROTECTED]' or usergroup.CLID = '25009702749') AND
 usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id;

 ID GROUPNAME  ATTRIBUTE   VALUE OP
 10 carta  Realm   c ==
 11 carta  NAS-IP-Address  212.119.117.1 ==
 19 blackholed Auth-Type   Reject:=

 In my case the user is accepted even though he is a member of the blackholed group with
 Auth-Type - Reject.

 --
 Sincerely Yours,
 Alexander Serkin,
 Skylink, Moscow




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Authentication errors on freeradius 1.0.1 on Solaris 9

2004-10-15 Thread Ahmad Cheikh Moussa
Hi!
The shared secret is test123. I don't think that this
password is the problem. All radius files
are edited via the vi editor. The same config
with freeradius 0.9.3 runs without any problems.
I don't think that the Cisco NAS suddenly does something
different than it did before with freeradius 0.9.3.
Regards,
 Ahmad
[EMAIL PROTECTED] wrote:
Ahmad Cheikh Moussa schrieb:

Believe me, I checked the shared secret one hundred
time.
The shared secret is correct. I still believe that there
is a problem
to decode the send password.

Which still hints at a bad secret... I don't really know how
sensitive your cisco box or even freeradius are in this
respect, but checking for whitespace or a bad linebreak
(the infamous windows-like \r\n vs. unix-like \n ) at the
end of the secret _might_ be an idea.
   Regards,
   Stefan

--
Ahmad Cheikh-Moussa
NetUSE AG
Dr.-Hell-Straße, 24107 Kiel, Germany
Telefon: +49 431 2390 400 --  Telefax: +49 431 2390 499
Service: [EMAIL PROTECTED] --  http://NetUSE.DE/


Re: sql group checks

2004-10-15 Thread Alexander Serkin

Kostas Kalevras wrote:
On Fri, 15 Oct 2004, Alexander Serkin wrote:

Hi.
Could anybody explain to me what exactly FR does with group checks when working with SQL
(Oracle in my case)?
I see group_membership_query in sql.conf, but I do not see that FR uses it in the debug output:

group_membership_query is used for Sql-Group attribute checking.
Thanks. It's clear now.
One more question: what is the PRIORITY column in the patched usergroup table for?
Is it used somehow by the code?
I mean, if my user appears in two groups and one group has Auth-Type:=Accept and
another has Auth-Type:=Reject, will the PRIORITY help radius make the decision
what to do?



Second, what exactly will FR do if authorize_group_check_query returns several
groups' membership for the user (I've slightly modified the query and the usergroup
table to check CLID also):
SQL SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
radgroupcheck.Value, radgroupcheck.op  FROM radgroupcheck, usergroup WHERE
(usergroup.Username = '[EMAIL PROTECTED]' or usergroup.CLID = '25009702749') AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id;
ID GROUPNAME   ATTRIBUTE       VALUE          OP
10 carta       Realm           c              ==
11 carta       NAS-IP-Address  212.119.117.1  ==
19 blackholed  Auth-Type       Reject         :=
In my case the user is accepted even though he is a member of the blackholed group with
Auth-Type - Reject.
--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow,
ph. +7(095)7952089
fa. +7(095)7952084


Re: sql group checks

2004-10-15 Thread Michael Griego
What version of FR are you using?  If you are using a current CVS
snapshot, then the group_membership_query is actually used to determine
group membership during SQL authorization as well.  With a modified
group_membership_query using the PRIORITY column to sort the results (as
can be seen in the basic sql.conf file), you can decide what happens to
a user based on that ordering.  FR will run through each of the groups
until one matches (just like the users file).

--Mike


On Fri, 2004-10-15 at 06:14, Alexander Serkin wrote:
 One more question: what is the PRIORITY column in the patched usergroup table for?
 Is it used somehow by the code?
 I mean, if my user appears in two groups and one group has Auth-Type:=Accept and
 another has Auth-Type:=Reject, will the PRIORITY help radius make the decision
 what to do?


-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
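To make the PRIORITY ordering Mike describes concrete, and to answer Alexander's question about a user in two groups with conflicting Auth-Type, here is an added model of per-group, first-match check-item evaluation. It is not FreeRADIUS code: the radgroupcheck rows and the NAS-IP-Address / Calling-Station-Id / Realm values are taken from the thread, while the priorities given to carta and blackholed and the users-file operator semantics (`==` compares against the request, `:=` always matches and sets a control attribute) are assumptions.

```python
"""Model of the per-group, first-match evaluation described above for SQL
group checks sorted by PRIORITY. Added example, not FreeRADIUS code; the
operator rules are the users-file ones, assumed to carry over to radgroupcheck."""


def group_matches(check_items, request):
    """Evaluate one group's check items against the request attributes.
    Returns the control attributes the group sets, or None if any comparison
    fails. ':=' is an assignment and always matches; '==' needs the request
    attribute present and equal; '!=' needs it absent or different."""
    control = {}
    for attr, op, value in check_items:
        if op == ":=":
            control[attr] = value
        elif op == "==":
            if request.get(attr) != value:
                return None
        elif op == "!=":
            if request.get(attr) == value:
                return None
        else:
            raise ValueError(f"unsupported check operator {op!r}")
    return control


def rows_to_groups(rows, priority):
    """Group radgroupcheck-style rows (id, GroupName, Attribute, Value, op) by
    GroupName, keeping row order inside a group, and attach a PRIORITY
    (assumed: lower number = evaluated earlier)."""
    by_name = {}
    for _row_id, name, attr, value, op in rows:
        by_name.setdefault(name, []).append((attr, op, value))
    return [(priority[name], name, items) for name, items in by_name.items()]


def authorize(groups, request):
    """Walk the groups lowest PRIORITY first and stop at the first group whose
    check items all match, as the users file does. Returns (group, control)."""
    for _prio, name, items in sorted(groups, key=lambda g: g[0]):
        control = group_matches(items, request)
        if control is not None:
            return name, control
    return None, {}


# Rows as returned by the query in the thread, and the relevant attributes of
# the request from its debug output (Realm was added by rlm_realm).
ROWS = [
    (10, "carta", "Realm", "c", "=="),
    (11, "carta", "NAS-IP-Address", "212.119.117.1", "=="),
    (19, "blackholed", "Auth-Type", "Reject", ":="),
]
REQUEST = {
    "Calling-Station-Id": "25009702749",
    "NAS-IP-Address": "212.119.97.86",
    "Realm": "c",
}

if __name__ == "__main__":
    # Constructed priorities: carta first, then blackholed first.
    for prio in ({"carta": 1, "blackholed": 2}, {"blackholed": 1, "carta": 2}):
        print(prio, "->", authorize(rows_to_groups(ROWS, prio), REQUEST))
```

With the thread's request the carta group never matches (NAS-IP-Address differs), so blackholed is reached either way; only when the NAS-IP-Address matches does the priority decide between Accept-by-carta and Reject-by-blackholed.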





DSLAM equipment

2004-10-15 Thread Bruce Bushby

Looking for anybody who has DSLAM experience at any level who
could answer a few questions.

I'm after example AAA data in order to understand how ADSL auths to the
DSLAM equipment; and if I purchase a VPC from, say, British
Telecom, will they update every DSLAM with the new VPC details?

I ask this because I'm guessing that ADSL (like ISDN and dialup)
requires an associated VPC in the auth response? Or is this something
related to a virtual POP on the telecom's equipment?

Using:  free-radius-1.0.1, fedora core2 and postgresql 









Re: setting User-Name to 'modified' mac address

2004-10-15 Thread Alan DeKok
Jose Guevarra [EMAIL PROTECTED] wrote:
  I have freeradius authenticating mac addresses listed in a MySQL
 database.  It works! But, the mac address passed by the client(hp 2650)
 is in the form 00-00-00-00-00-00. I set the 'user name' to the 'calling
 station id' in the 'hints' file like so
 
 User-Name := %i
 
 Is it possible to filter out the - or : or put it into any format I
 like?

  Yes.  Use regular expressions.  See doc/variables.txt

  Alan DeKok.



Re: Installing freeRadius on RH Linux 9.0

2004-10-15 Thread Alan DeKok
Gene Rouse [EMAIL PROTECTED] wrote:
 When I run make on freeRADIUS 1.0.1 I get all kinds of missing attribute
 warnings.

  Are you willing to post the exact errors, or do you want to make us guess?

  I've never seen any kind of errors like the ones you're talking about.

 The make program eventually finishes with a list of directories
 listed as 'leaving'.

  Yes... leaving as in returning from, not leaving in place.

  This is part of the normal make process.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authorization via LDAP and Files, Authentication via LDAP

2004-10-15 Thread Alan DeKok
Michael Kopp [EMAIL PROTECTED] wrote:
Try putting a space in between ldap and {
 
 hmm, same error as before , 

  Weird.  It's supposed to work.  I'll take a look at it.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication erros on freeradius 1.0.1 on Solaris 9

2004-10-15 Thread Alan DeKok
Ahmad Cheikh Moussa [EMAIL PROTECTED] wrote:
 The shared secret is test123. I don't think that this
 password is a problem. All radius files
 are edited via vi editor. The same config
 with freeradius 0.9.3 runs without any problems.
 I don't think that suddenly the Cisco NAS do something
 other than before with freeradius 0.9.3.

  If the User-Password is decrypted to be garbage, then either the
shared secret is wrong, or there's a bug in the server's MD5 routines.

  Try it on another platform, like x86.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
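Alan's diagnosis rests on how RADIUS hides User-Password: RFC 2865 section 5.2 NUL-pads the password to a multiple of 16 bytes and XORs the first block with MD5(shared secret + Request Authenticator), and each later block with MD5(shared secret + previous ciphertext block). The following is an added example, not code from the thread or from FreeRADIUS, that implements both directions and shows the two failure modes he names: a wrong shared secret decrypts to garbage, and a broken MD5 build fails the RFC 1321 test vectors before any decrypt is attempted. The password, secret and Request Authenticator are constructed for the example (the secret mirrors the value mentioned in the thread); the function names are the example's own.

```python
import hashlib

# RFC 1321 test vectors: a build whose MD5 fails these will decrypt every
# User-Password to garbage no matter what the shared secret is.
MD5_VECTORS = {
    b"": "d41d8cd98f00b204e9800998ecf8427e",
    b"abc": "900150983cd24fb0d6963f7d28e17f72",
}


def md5_self_test():
    """True if the MD5 implementation in use matches the RFC 1321 vectors."""
    return all(hashlib.md5(m).hexdigest() == h for m, h in MD5_VECTORS.items())


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_authenticator):
    """RFC 2865 s5.2 User-Password hiding (what the NAS does).

    p is the password NUL-padded to a multiple of 16 bytes and split into
    16-byte chunks p1..pN:
        c1 = p1 XOR MD5(secret + RequestAuthenticator)
        ci = pi XOR MD5(secret + c(i-1))          for i > 1
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += chunk
        prev = chunk
    return hidden


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password (what the server does). The keystream for
    block i is derived from ciphertext block i-1, so the chain uses the
    received ciphertext, not the recovered plaintext."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        plain += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    # Strip the NUL padding; RFC 2865 passwords do not contain NUL bytes.
    return plain.rstrip(b"\x00")


def is_printable(password):
    """Rough 'password or garbage?' check for eyeballing debug output:
    printable ASCII only."""
    return all(0x20 <= b < 0x7F for b in password)


# Constructed values for the example. The secret mirrors the one named in
# the thread; a real Request Authenticator is 16 random bytes chosen by
# the NAS for each request, fixed here so the run is repeatable.
SECRET = b"test123"
PASSWORD = b"correct horse battery"          # 21 bytes -> two 16-byte blocks
REQUEST_AUTHENTICATOR = bytes(range(16))


def demo():
    """Round trip with the right secret, then decrypt with a wrong one."""
    hidden = hide_password(PASSWORD, SECRET, REQUEST_AUTHENTICATOR)
    good = reveal_password(hidden, SECRET, REQUEST_AUTHENTICATOR)
    bad = reveal_password(hidden, b"test124", REQUEST_AUTHENTICATOR)
    return {"hidden_len": len(hidden), "good": good, "bad": bad}


if __name__ == "__main__":
    r = demo()
    print("md5 self-test:", md5_self_test())
    print("hidden length:", r["hidden_len"])
    print("right secret :", r["good"])
    print("wrong secret :", r["bad"],
          "(looks printable)" if is_printable(r["bad"]) else "(garbage)")
```

Because every block's keystream depends on the secret, a one-character mismatch in the secret turns the whole decrypt into random bytes, which is exactly the "garbage" symptom in the thread. The hiding is not a general-purpose cipher: the shared secret is the only key and MD5 the only primitive, so RADIUS traffic that crosses an untrusted network needs IPsec or TLS around it rather than reliance on this scheme.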


Installing freeRadius on RH Linux 9.0

2004-10-15 Thread Gene Rouse
Below I have included the error messages I get.

gmake[11]: Entering directory
`/root/freeradius-1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql'
[ xrlm_sql_mysql = x ] || /root/freeradius-1.0.1/libtool --mode=install
/root/freeradius-1.0.1/install-sh -c -c rlm_sql_mysql.la
/usr/local/lib/rlm_sql_mysql.la
libtool: install: `rlm_sql_mysql.la' is not a valid libtool archive
Try `libtool --help --mode=install' for more information.
gmake[11]: *** [install] Error 1
gmake[11]: Leaving directory
`/root/freeradius-1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql'
gmake[10]: *** [common] Error 1
gmake[10]: Leaving directory
`/root/freeradius-1.0.1/src/modules/rlm_sql/drivers'
gmake[9]: *** [install] Error 2
gmake[9]: Leaving directory
`/root/freeradius-1.0.1/src/modules/rlm_sql/drivers'
gmake[8]: *** [common] Error 1
gmake[8]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_sql'
gmake[7]: *** [install-drivers] Error 2
gmake[7]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_sql'
gmake[6]: *** [install] Error 2
gmake[6]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_sql'
gmake[5]: *** [common] Error 1
gmake[5]: Leaving directory `/root/freeradius-1.0.1/src/modules'
gmake[4]: *** [install] Error 2
gmake[4]: Leaving directory `/root/freeradius-1.0.1/src/modules'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory `/root/freeradius-1.0.1/src'
gmake[2]: *** [install] Error 2
gmake[2]: Leaving directory `/root/freeradius-1.0.1/src'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/root/freeradius-1.0.1'
make: *** [install] Error 2



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of Gene Rouse
 Sent: Thursday, October 14, 2004 10:49 PM
 To: [EMAIL PROTECTED]
 Subject: Installing freeRadius on RH Linux 9.0
 
 When I run make on freeRADIUS 1.0.1 I get all kinds of missing attribute
 warnings. The make program eventually finishes with a list of directories
 listed as 'leaving'.  I followed the install instructions, but now I'm
 stumped.  As you have already guessed I am new to freeRADIUS.  My partner
 and I have started a WISP and want to control users by their MAC address.
 In addition our billing software (Optigold ISP) can export client account
 information to radius.  I really want to use freeRADIUS rather than pay
 several thousand dollars for a 'boxed' product.  If I have to spend any
 money I would rather pay an individual to help me make this project a
 success.
 
 Thanks in advance.
 Gene Rouse
 Wireless Cyberspace, LLC
 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Installing freeRadius on RH Linux 9.0

2004-10-15 Thread Berry, William
Gene,

I had the same type of errors until I made sure the mysql_devel RPM was installed. Even then my make process completed with messages such as sql_mysql.o

sql_mysql.c:39:20: errmsg.h: No such file or directory
sql_mysql.c:40:19: mysql.h: No such file or directory
sql_mysql.c:47: parse error before MYSQL
sql_mysql.c:47: warning: no semicolon at end of struct or union
sql_mysql.c:48: warning: type defaults to `int' in declaration of sock'
sql_mysql.c:48: warning: data definition has no type or storage class
sql_mysql.c:49: parse error before '*' token
sql_mysql.c:49: warning: type defaults to `int' in declaration of result'
sql_mysql.c:49: warning: data definition has no type or storage class
sql_mysql.c:51: parse error before '}' token
sql_mysql.c:51: warning: type defaults to `int' in declaration of `rlm_sql_mysql_sock'
sql_mysql.c:51: warning: data definition has no type or storage class
sql_mysql.c: In function `sql_init_socket':


My testing looks to be working but I am just not getting the other .conf files tailored. 


Brent Berry 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok

Sent: Friday, October 15, 2004 3:04 PM
To: [EMAIL PROTECTED]
Subject: Re: Installing freeRadius on RH Linux 9.0 


Gene Rouse [EMAIL PROTECTED] wrote:
 Below I have included the error messages. I get.
 
 gmake[11]: Entering directory
 `/root/freeradius-1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql'
 [ xrlm_sql_mysql = x ] || /root/freeradius-1.0.1/libtool --mode=install
 /root/freeradius-1.0.1/install-sh -c -c rlm_sql_mysql.la
 /usr/local/lib/rlm_sql_mysql.la
 libtool: install: `rlm_sql_mysql.la' is not a valid libtool archive


 Did the make process succeed?


 Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html







RE: PEAP with MSCHAPV2 (windows xp remembers the username/passwor d in cache)

2004-10-15 Thread Khurram Jahangir
Thanks a lot Peter, it worked for me. I really
appreciate your help.

Regards

Khurram

--- Peter Hicks [EMAIL PROTECTED] wrote:

 No, it is not possible, according to MS at least. Their article is at
 http://support.microsoft.com/default.aspx?scid=kb;en-us;823731

 You could create a login script that resets the registry every time someone
 logs in. You could also provide your users with a NAL object or some other
 deployed mechanism to do this if they want to change credentials.

 An easy way to clear the username on the fly (especially for testing) is to
 use a .reg file. Create a file called UserEapInfo.reg and paste in the
 following information:

 REGEDIT4

 [-HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo]

 Now double click on the file to merge it. This will delete the existing info
 and you will be prompted again. I got this solution from www.jsiinc.com
 and it works a treat.

 Peter
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On Behalf Of Khurram
 Jahangir
 Sent: Friday, 15 October 2004 12:14 AM
 To: [EMAIL PROTECTED]
 Subject: PEAP with MSCHAPV2 (windows xp remembers
 the username/password in
 cache)
 
 Hi All,

 I have set up freeradius server 1.0.1 and I am using the windows XP 802.1x
 client. The authenticator is an HP 2524 switch.

 I have tested the setup with PEAP using MSCHAP V2 and it worked fine for
 me. My problem is that I want to use this mechanism for VLAN selection so
 that depending on the username/password, the user gets the VLAN from the
 freeradius server. Now the problem here is that windows xp stores the
 username and password in the cache, and in case the user wants to get
 reauthenticated and get assigned to another vlan, the username/password
 should be entered again. I can go in the registry and delete the file, and
 in that case, when I reconnect the client, I will be asked to enter the
 username/password. I wonder if it is possible to tell windows not to store
 the username/password in the cache. Maybe any of you knows about this. I
 don't know, maybe I can set some parameter in the radius configuration that
 triggers the windows xp 802.1x client to enter the username and password
 every time the user connects the computer to the network.

 Probably someone knows about an open source 802.1x client which works for
 both windows and linux. I will really appreciate any kind of help
 regarding this.

 Best Regards

 Khurram
 
 





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authorization via LDAP and Files, Authentication via LDAP

2004-10-15 Thread Michael Kopp
Hi all,

I installed Freeradius 0.9.3 on the same box, and did a test for the
notfound=return

and it worked in that version; in Version 1.0.1 it is not working. Could
somebody acknowledge that?

If it is a bug, could somebody fix it (maybe for FR 1.0.2), or give me some
hints at which files I have to look in order to fix it (I'm not very
experienced in programming)?

Regards
Michael


 Alan DeKok aland[AT]ox.org wrote:
 
  Michael Kopp michael.kopp[AT]gmx.net wrote:
   radiusd.conf[1559] Unknown configuration directive ldap in authorize
   section.
  ...
   ldap{
  
Try putting a space in between ldap and {
  
Alan DeKok.
  
  
 
 hmm, same error as before , 
 
 ...
  ldap {
  notfound = return
  }
  
  files
 ...
 
 I also tested 
 
 ldap { notfound = return
 }
 files
 
 and 
 
 ldap {notfound = return
 }
 files
 
 and
 
 ldap { notfound=return
 }
 files
 
 and
 
 ldap {notfound=return
 }
 files
 
 all combinations are resulting in the same error :
 
 radiusd.conf[1559] Unknown configuration directive ldap in authorize
 section.
 
 Between I`m using Freeradius 1.0.1
 I tested this now on two different machine
 Sparc Solaris 9 and Intel Debian Linux Sarge Installation 
 
 Regards
 Michael
 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Installing freeRadius on RH Linux 9.0

2004-10-15 Thread Gene Rouse
No.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of Alan DeKok
 Sent: Friday, October 15, 2004 4:04 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Installing freeRadius on RH Linux 9.0
 
 Gene Rouse [EMAIL PROTECTED] wrote:
  Below I have included the error messages. I get.
 
  gmake[11]: Entering directory
  `/root/freeradius-1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql'
  [ xrlm_sql_mysql = x ] || /root/freeradius-1.0.1/libtool --
 mode=install
  /root/freeradius-1.0.1/install-sh -c -c rlm_sql_mysql.la
  /usr/local/lib/rlm_sql_mysql.la
  libtool: install: `rlm_sql_mysql.la' is not a valid libtool archive
 
   Did the make process succeed?
 
   Alan DeKok.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html