Re: Problems with hints file when i use freeradius-1.0.1
On Tuesday, 4 January 2005 08:56, Helmut Tröbs wrote:

Hello, I want to upgrade from freeradius-0.8.1 to freeradius-1.0.1. My hints file:

DEFAULT Prefix == t, Strip-User-Name = No
        Hint = TUM

DEFAULT Prefix = t, Strip-User-Name = No
        Hint = TUM

Only with a single = after Prefix?

Thank you for the answer, but Prefix == t is correct; when I try only one = I get the message "Invalid operator for item Prefix: reverting to '=='" in the debug output. When I try to use N instead of No:

DEFAULT Prefix == t, Strip-User-Name = N
        Hint = TUM

the debug output looks better, but the proxied User-Name is still wrong:

rad_recv: Access-Request packet from host x.x.x.x:32770, id=171, length=56
        User-Name = test
        User-Password = x
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  hints: Matched DEFAULT at 48
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: Found realm NULL
    rlm_realm: Adding Stripped-User-Name = test
    rlm_realm: Proxying request from user test to realm NULL
    rlm_realm: Adding Realm = NULL
    rlm_realm: Preparing to proxy authentication request to realm NULL
  modcall[authorize]: module suffix returns updated for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched DEFAULT at 178
    users: Matched DEFAULT at 385
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 10.156.10.42:1812
        User-Name = est
        User-Password = x
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
        Proxy-State = 0x313731

Any idea?

Regards,
Helmut Troebs

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with hints file when i use freeradius-1.0.1
Perhaps this helps: http://lists.cistron.nl/pipermail/freeradius-users/2004-February/027993.html, perhaps the whole thread.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
sqlcounter does not start
I have the SIP server SER configured to route calls to the PSTN over a Cisco AS5300 gateway. I would like to restrict users to a certain amount of time which they can use to make these calls. For this I've installed freeradius 1.0.1 with the experimental module rlm_sqlcounter (everything is set up as described in doc/rlm_sqlcounter) and I'm using MySQL. I don't need authentication (it's done on the SER server and only authenticated users are allowed to make calls to the PSTN), just accounting and time restriction using sqlcounter.

Radius is doing accounting. This works fine; I have data in the radacct table. But the sqlcounter does not work. When I run radiusd -X I get this output:

Module: Loaded SQL Counter
 sqlcounter: counter-name = Max-All-Session-Time
 sqlcounter: check-name = Max-All-Session
 sqlcounter: key = User-Name
 sqlcounter: sqlmod-inst = sql
 sqlcounter: query = SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'
 sqlcounter: reset = never
rlm_sqlcounter: Counter attribute Max-All-Session-Time is number 1671
rlm_sqlcounter: Check attribute Max-All-Session is number 1672
rlm_sqlcounter: Current Time: 1104920610 [2005-01-05 11:23:30], Next reset 0 [2005-01-05 11:00:00]
rlm_sqlcounter: Current Time: 1104920610 [2005-01-05 11:23:30], Prev reset 0 [2005-01-05 11:00:00]
Module: Instantiated sqlcounter (noresetcounter)

This is so far OK; the module is loaded. Now when I make a call I receive something like this:

rad_recv: Accounting-Request packet from host 192.168.22.133:21645, id=60, length=536
        Acct-Session-Id = 003D
        Cisco-AVPair = [EMAIL PROTECTED]
        Cisco-AVPair = iphop=count:1
        Cisco-AVPair = iphop=hop1:192.168.22.55
        h323-setup-time = h323-setup-time=12:02:14.185 UTC Wed Jan 5 2005
        h323-gw-id = h323-gw-id=gateway2.
        h323-conf-id = h323-conf-id=78D1C91C 5E4811D9 8010BBC8 ACB832E9
        h323-call-origin = h323-call-origin=answer
        h323-call-type = h323-call-type=VoIP
        Cisco-AVPair = h323-incoming-conf-id=78D1C91C 5E4811D9 8010BBC8 ACB832E9
        Cisco-AVPair = subscriber=Unknown
        Cisco-AVPair = session-protocol=sipv2
        Cisco-AVPair = gw-rxd-cdn=ton:0,npi:0,#:022
        User-Name = 10
        Acct-Status-Type = Start
        Calling-Station-Id = 10
        Called-Station-Id = 022
        Service-Type = Login-User
        NAS-IP-Address = 192.168.22.133
        Acct-Delay-Time = 0
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 0
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
  modcall[preacct]: module preprocess returns noop for request 0
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.22.133,NAS-IP-Address = 192.168.22.133,Acct-Session-Id = 003D,User-Name = 10'
rlm_acct_unique: Acct-Unique-Session-ID = 39ff838efa44eab9.
  modcall[preacct]: module acct_unique returns ok for request 0
    rlm_realm: No '@' in User-Name = 10, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 0
modcall: group preacct returns ok for request 0
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 0
radius_xlat: '/var/log/radius/radacct/192.168.22.133/detail-20050105'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.22.133/detail-20050105
  modcall[accounting]: module detail returns ok for request 0
radius_xlat: '/var/log/radius/radutmp'
radius_xlat: '10'
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
  modcall[accounting]: module radutmp returns noop for request 0
radius_xlat: '10'
rlm_sql (sql): sql_set_user escaped user -- '10'
radius_xlat: 'INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', '003D', '39ff838efa44eab9', '10', '', '192.168.22.133', '', '', '2005-01-05 11:25:24', '0', '0', '', '', '', '0', '0', '022', '10', '', 'Login-User', '', '', '0', '0')'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
  modcall[accounting]: module sql returns ok for request 0
modcall: group accounting returns ok for request 0
Sending Accounting-Response of id 60 to 192.168.22.133:21645
Finished request 0
Going to the next request

It just processes start and stop accounting packets but never uses noresetcounter, which was correctly loaded. MySQL
Re: FR/MySQL Auth/CHAP
[EMAIL PROTECTED] wrote:

I just found out that one of my dialup providers is slowly adding NASs that only use CHAP. I have FR authing against MySQL with PAP, but now I have to figure out how to make it auth *either* PAP or CHAP.

Do nothing. The default configuration allows either PAP or CHAP.

Alan DeKok.
Re: sqlcounter does not start
Igor Cahoj [EMAIL PROTECTED] wrote:

Radius is doing accounting. This works fine. I have data in the radacct table. But the sqlcounter does not work. When I run radiusd -X I get this output

Did you list it in the accounting section? It looks like you didn't.

Alan DeKok.
Re: sqlcounter does not start
Radius is doing accounting. This works fine. I have data in the radacct table. But the sqlcounter does not work. When I run radiusd -X I get this output

Did you list it in the accounting section? It looks like you didn't.

I tried, but when I add noresetcounter into the accounting section of radiusd.conf I get this error:

radiusd.conf: SQL Counter modules aren't allowed in 'accounting' sections -- they have no such method.

That's why I have it only in the authorization section.

Igor Cahoj
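The exchange above turns on where the counter runs. The error message Igor quotes says it: an SQL counter has no accounting method, it is consulted when an Access-Request passes through authorize, and the accounting section only writes the radacct rows it later sums. In a setup where the server sees nothing but Accounting-Requests, the counter is loaded and never evaluated. The following is an added example, not part of the thread and not the rlm_sqlcounter code, that models the authorize-time check the module documentation describes: sum AcctSessionTime for the key (User-Name) with reset = never, compare against a per-user Max-All-Session limit, reject when it is used up and otherwise return the remaining seconds to be sent as Session-Timeout. The radacct rows, the limits and the use of SQLite instead of MySQL are constructed for the example; the query binds the user name as a parameter instead of expanding it into the string as the posted %{%k} query does.

```python
import sqlite3

# Constructed sample data for this example, not from the original posts.
# radacct rows: (UserName, AcctSessionId, AcctSessionTime in seconds).
RADACCT_ROWS = [
    ("10", "003A", 600),
    ("10", "003B", 1200),
    ("11", "0040", 100),
]
# Max-All-Session check item per user, in seconds, i.e. the value the counter
# is compared against. User 13 has a limit but no sessions yet (constructed).
MAX_ALL_SESSION = {"10": 2000, "11": 50, "13": 500}

# The counter query from the post, with the %{%k} xlat replaced by a bound
# parameter so a User-Name containing a quote cannot alter the statement.
COUNTER_QUERY = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName = ?"


def build_db():
    """In-memory radacct table holding the constructed rows above."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (UserName TEXT, AcctSessionId TEXT,"
               " AcctSessionTime INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", RADACCT_ROWS)
    return db


def counter_check(db, user_name):
    """Authorize-time check modelled on an SQL counter with reset = never.

    Returns ("noop", None) when the user has no Max-All-Session check item,
    ("reject", used) when the summed session time has reached the limit, and
    ("ok", remaining) otherwise; remaining is what would go back to the NAS
    as Session-Timeout so the call ends when the allowance runs out."""
    limit = MAX_ALL_SESSION.get(user_name)
    if limit is None:
        return ("noop", None)
    (used,) = db.execute(COUNTER_QUERY, (user_name,)).fetchone()
    used = used or 0            # SUM over zero rows is NULL, not 0
    if used >= limit:
        return ("reject", used)
    return ("ok", limit - used)


def authorize(user_name):
    """One Access-Request's worth of authorize processing for the counter."""
    return counter_check(build_db(), user_name)


def account_stop(db, user_name, session_id, session_time):
    """What the accounting section does with a Stop: record the finished
    session. Nothing here consults the counter; that only happens on the
    next Access-Request, which is why the module belongs in authorize."""
    db.execute("INSERT INTO radacct VALUES (?, ?, ?)",
               (user_name, session_id, session_time))
    db.commit()
```

Run authorize("10") and it reports 200 seconds left; record one more 250-second session with account_stop and the next authorize rejects. If the server never receives an Access-Request for the user, as in a deployment where SER authenticates and the gateway only sends accounting, counter_check is never called, whatever section it is listed in.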
users file debug info (similar to block group of ISDN)
I am seeing something interesting in freeradius parsing the users file. It appears that it is giving me a trailing comma error instead of the true error. I added "similar to block group of ISDN" in the subject, because this is related to that thread and it could be an inappropriate debug message.

In my setup, I have defined an ldap configuration with the name of vpn1, using

ldap vpn1 {
...
}

Then in my users file, I have only this line (I removed all other lines for testing).

DEFAULT vpn1-Ldap-Group == disabled, Auth-Type := Reject

With this, I can start radius fine. Debug shows this.

Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no

Then, when I change it to use a different ldap-group, which does not actually exist, such as

DEFAULT other-Ldap-Group == disabled, Auth-Type := Reject

I then get this error message.

Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
/usr/local/etc/raddb/users[1]: Unexpected trailing comma in check item list for entry DEFAULT
Errors reading /usr/local/etc/raddb/users
radiusd.conf[90]: files: Module instantiation failed.

So, it appears that freeradius isn't able to start because I am telling it to use other-ldap-group, which does not exist. However, the debug message I get tells me that I have an unexpected comma. So, it looks to me that freeradius doesn't understand what other-ldap-group is, so it ignores that part and then that leaves the unexpected comma after it.

You should be able to reproduce this by listing anything that freeradius won't understand. For example, put in

DEFAULT NAS-IP-Address == 1.1.1.1, Auth-Type := Reject

vs

DEFAULT NAS-IPAddress == 1.1.1.1, Auth-Type := Reject

You will see the same behavior.

I wrote this to the users list before submitting a bug report.

-Dusty Doris
Re: Block group of ISDN connection
On Wed, 5 Jan 2005, Rohaizam Abu Bakar wrote:

YES... it is on one line until Reject... just breaking up while pasting...

DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED, Auth-Type := Reject
        Reply-Message = Your account has been disabled.

but still giving the same trailing comma problem..

/usr/local/etc/raddb/users[42]: Unexpected trailing comma in check item list for entry DEFAULT

--haizam

I believe the error you are receiving is because freeradius doesn't understand what Connection-Type is. I can't find Connection-Type in any of the dictionary files. Where did you define Connection-Type?
RE: Huntgroup
Can I define the attributes in the users file and leave the actual users in the database? So the database will authenticate with the user/pass scenario and then read the users file for the attributes to reply with?

Thanx
Cris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dustin Doris
Sent: Wednesday, January 05, 2005 10:39 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: Huntgroup

I apologize about the plain text. This is what I have in the huntgroup file.

Huntgroup1      NAS-IP-ADDRESS == 1.2.3.4
        Group = Dialup
        Slipstream-Auth = true,
        X-Ascend-Data-Filter == ip in forward tcp est,
        X-Ascend-Data-Filter == ip in forward dstip 1.2.5.4/32,
        X-Ascend-Data-Filter == ip in drop tcp dstport = 25,
        X-Ascend-Data-Filter == ip in forward,

Huntgroup2      NAS-IP-ADDRESS == 1.2.3.5
        Group = Wireless
        RB-Context-Name = local,
        Fall-Through = yes,

The Huntgroups file is where you list attributes that would match the huntgroup. The users file or sql table is where you will list the attributes you want to reply to the user with.

My users file is empty because I use a Mysql database for the users names. The database is setup like this

Username  group     password
Joe       Wireless  test
Bob       Dialup    test

Currently the sql group table responds based on the group I put them in.. I want it not to be that way. I want it to respond based on the NAS device the users connects from..

Using huntgroups and users files you can do this. You could also store the reply attributes in a mysql group, but I've never done that, so can't help much on that.

huntgroups

group1  NAS-IP-Address == 1.1.1.1
group2  NAS-IP-Address == 2.2.2.2

users

DEFAULT Huntgroup-Name == group1
        X-Ascend-Data-Filter == ip in forward tcp est,
        Reply-Attribute2 = value,
        Reply-Attribute3 = value

DEFAULT Huntgroup-Name == group2
        Reply-Attribute = value

So, when a user comes in it will search the users file. If it comes from 1.1.1.1 it will match huntgroup-name group1. Then it is told to send those particular reply attributes. If the user does not come in from huntgroup1, it won't match and will continue searching the users file until there is a match. I think you just need to simplify your setup.

Hope that helps. Remember, in the huntgroups file you just define what matches a huntgroup. You have to define what reply attributes will be returned somewhere else, such as the users file, sql table, ldap, etc...
build fails on Mac OSX
I'm trying to build freeradius 1.0.1 on a Mac OSX box (power mac). For some reason freeradius tries to build for an i386, which of course fails. I'm using the --disable-shared configuration option as noted in doc/MACOSX. Here's the relevant output:

---
[EMAIL PROTECTED]:~/freeradius/src/freeradius-1.0.1$ uname -a
Darwin core.cibernet.com 7.7.0 Darwin Kernel Version 7.7.0: Sun Nov 7 16:06:51 PST 2004; root:xnu/xnu-517.9.5.obj~1/RELEASE_PPC Power Macintosh powerpc
[EMAIL PROTECTED]:~/freeradius/src/freeradius-1.0.1$ ./configure --disable-shared
creating cache ./config.cache
checking for gcc... gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... no
checking whether we are using GNU C... yes
checking whether gcc accepts -g... yes
checking how to run the C preprocessor... gcc -E
... cut ...
[EMAIL PROTECTED]:~/freeradius/src/freeradius-1.0.1$ make
Making all in src...
Making all in include...
make[4]: Nothing to be done for `all'.
Making all in lib...
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -D_LIBRADIUS -I../include -DHMAC_SHA1_DATA_PROBLEMS -c dict.c -o dict.o
... cut ...
mkdir .libs
ar cru rlm_sql_iodbc.a sql_iodbc.o
ranlib rlm_sql_iodbc.a
Making static in rlm_sql_mysql...
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../.. -I../../../../include -I/usr/include/mysql -O3 -fno-omit-frame-pointer -arch i386 -arch ppc -pipe -c sql_mysql.c -o sql_mysql.o
gcc: cannot read specs file for arch `i386'
make[10]: *** [sql_mysql.o] Error 1
make[9]: *** [common] Error 1
make[8]: *** [static] Error 2
make[7]: *** [common] Error 1
make[6]: *** [static] Error 2
make[5]: *** [common] Error 1
make[4]: *** [all] Error 2
make[3]: *** [common] Error 1
make[2]: *** [all] Error 2
make[1]: *** [common] Error 1
make: *** [all] Error 2
---

Anyone know why this would happen? Thanks.

-Chris
Re: Block group of ISDN connection
Rohaizam Abu Bakar wrote:

YES... it is on one line until Reject... just breaking up while pasting...

DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED,
                           ^
May be the problem is the extra space before the comma?

--
WBR, Dmitry Lebkov
Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)
[EMAIL PROTECTED] wrote: This is my second try at this post; the first was too long. I read the archives and then attempted to configure freeRadius using PEAP MSCHAP. After some initial success I am stuck with a Segment Fault(coredump). Alan Dekok wrote: It's another stupid bug in libltdl. The fix is to do: $ configure --disable-shared $ make $ make install Alan DeKok. I tried the configure switch and got another Segment Fault(coredump). Is there other debug information that is useful for resolving this problem? Thanks, John Gauntt [EMAIL PROTECTED]
Re: build fails on Mac OSX
Go to http://home.sw.rr.com/jguidroz/radius.html

I have an installer package created of an early December snapshot. I'll try to get a more current snapshot added to the installer today or tomorrow.

Justin

On Wed, 5 Jan 2005 10:48:03 -0500, Chris Riley [EMAIL PROTECTED] wrote:

I'm trying to build freeradius 1.0.1 on a Mac OSX box (power mac). For some reason freeradius tries to build for an i386, which of course fails. I'm using the --disable-shared configuration option as noted in doc/MACOSX.

--
Justin Guidroz
Re: build fails on Mac OSX
Chris Riley [EMAIL PROTECTED] wrote:

gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../.. -I../../../../include -I/usr/include/mysql -O3 -fno-omit-frame-pointer -arch i386 -arch ppc -pipe -c sql_mysql.c -o

Why is gcc using -arch i386 AND -arch ppc? Delete the -arch i386 from everywhere it appears in the make files (Makefile, Make.inc, etc.) and re-build.

Alan DeKok.
Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)
[EMAIL PROTECTED] wrote:

I tried the configure switch and got another Segment Fault(coredump).

If you look, you'll probably see the same problem. Delete ALL of the previously installed FreeRADIUS binaries and libraries. Then re-configure and re-make.

Alan DeKok.
RE: Huntgroup
On Wed, 5 Jan 2005, Cris Boisvert wrote:

Can I define the attributes in the users file and leave the actual users in the database? So the database will authenticate with the user/pass scenario and then read the users file for the attributes to reply with?

Thanx
Cris

Yep, you should be able to do that.
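Two threads above concern the same file format: the huntgroup discussion shows how a huntgroups entry turns a NAS-IP-Address into a Huntgroup-Name that users-file entries then match on, with Fall-Through deciding whether later entries are consulted, and the "trailing comma" threads show the parser reporting an unknown attribute name (Connection-Type, other-Ldap-Group, NAS-IPAddress) as a trailing comma. The following is an added example written for this page, not FreeRADIUS code, that parses users-file style text with a small constructed dictionary, names an unknown attribute as such, and then performs the huntgroup-then-users lookup Dustin describes. The dictionary subset, the sample huntgroups and users text and the treatment of == and = as plain equality are assumptions of the example; the := operator is accepted but not modelled.

```python
import re
from dataclasses import dataclass, field

# Constructed dictionary subset for this example: the only attribute names the
# parser accepts. A real server reads these from its dictionary files.
DICTIONARY = {
    "User-Name", "NAS-IP-Address", "NAS-Port-Type", "Huntgroup-Name",
    "Auth-Type", "Reply-Message", "Fall-Through", "X-Ascend-Data-Filter",
}

# One 'Attr op value' item; == and = are treated as equality, := is accepted
# but not given special meaning here (assumption of the example).
ITEM_RE = re.compile(r"^([A-Za-z0-9-]+)\s*(==|:=|=)\s*(.*)$")


@dataclass
class Entry:
    name: str                                     # user name or DEFAULT
    checks: list                                  # (attr, op, value) from line 1
    replies: list = field(default_factory=list)   # from the indented lines


def parse_items(text, where):
    """Split 'A == x, B := y' into (attr, op, value) triples, reporting the
    first real fault: an attribute missing from the dictionary is named, and
    only an empty item after the last comma counts as a trailing comma."""
    chunks = [c.strip() for c in text.split(",")]
    if len(chunks) > 1 and chunks[-1] == "":
        raise ValueError(f"{where}: unexpected trailing comma")
    items = []
    for chunk in chunks:
        if not chunk:
            continue
        m = ITEM_RE.match(chunk)
        if m is None:
            raise ValueError(f"{where}: cannot parse item {chunk!r}")
        attr, op, value = m.groups()
        if attr not in DICTIONARY:
            raise ValueError(f"{where}: unknown attribute {attr!r}")
        items.append((attr, op, value.strip('"')))
    return items


def parse_users(text):
    """An entry starts in column 0 with its name and check items; indented
    lines that follow carry its reply items (works for huntgroups too)."""
    entries, current, reply_lines = [], None, []

    def flush():
        if current is not None:
            current.replies = parse_items(" ".join(reply_lines), f"entry {current.name}")
            entries.append(current)

    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError(f"line {lineno}: reply item outside an entry")
            reply_lines.append(raw.strip())
            continue
        flush()
        parts = raw.split(None, 1)
        checks = parse_items(parts[1] if len(parts) > 1 else "", f"line {lineno}")
        current, reply_lines = Entry(parts[0], checks), []
    flush()
    return entries


def matches(checks, request):
    """Every check item must be present in the request with that value."""
    return all(request.get(attr) == value for attr, _, value in checks)


def authorize(huntgroups, users, request):
    """Assign Huntgroup-Name from the first matching huntgroups entry, then
    walk the users entries in order, collecting reply items from each match
    and stopping unless the entry says Fall-Through = Yes."""
    req = dict(request)
    huntgroup = next((e.name for e in huntgroups if matches(e.checks, req)), None)
    if huntgroup is not None:
        req["Huntgroup-Name"] = huntgroup
    reply = {}
    for entry in users:
        if entry.name not in ("DEFAULT", req.get("User-Name")):
            continue
        if not matches(entry.checks, req):
            continue
        fall_through = False
        for attr, _, value in entry.replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply.setdefault(attr, []).append(value)
        if not fall_through:
            break
    return huntgroup, reply


# Constructed huntgroups and users text in the layout the thread describes.
HUNTGROUPS = "group1\tNAS-IP-Address == 1.1.1.1\ngroup2\tNAS-IP-Address == 2.2.2.2\n"
USERS = (
    'DEFAULT\tHuntgroup-Name == group1\n'
    '\tX-Ascend-Data-Filter = "ip in forward tcp est",\n'
    '\tX-Ascend-Data-Filter = "ip in drop tcp dstport = 25",\n'
    '\tFall-Through = Yes\n\n'
    'DEFAULT\tHuntgroup-Name == group2\n'
    '\tReply-Message = "wireless"\n\n'
    'DEFAULT\n'
    '\tReply-Message = "default"\n'
)
HUNTGROUP_ENTRIES = parse_users(HUNTGROUPS)
USER_ENTRIES = parse_users(USERS)


def lookup(nas_ip, user_name="joe"):
    """(Huntgroup-Name, reply attributes) for a request from nas_ip."""
    return authorize(HUNTGROUP_ENTRIES, USER_ENTRIES,
                     {"User-Name": user_name, "NAS-IP-Address": nas_ip})
```

A request from 1.1.1.1 collects the two filters from the group1 entry and, because of Fall-Through, the catch-all Reply-Message as well; one from 2.2.2.2 gets only the group2 reply. Feeding the ISDN line from the other thread into parse_users raises "unknown attribute 'Connection-Type'" rather than a trailing-comma complaint, which is the diagnostic the posters were after.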
Re: Confirmation of LDAP/CHAP and AD
Okay. Thanks. Now my next question is: would storing the CHAP passwords in AD using reversible encryption help (I would guess not, since your other posts seem to indicate the problem being that AD will not even give the RADIUS server the password to manipulate)? Also, would using NTLM_AUTH be a possible solution? If not, then proxying RADIUS to an IAS server seems to be the only possible solution.

Thanks,
Mark Capelle

[EMAIL PROTECTED] wrote:

I have FreeRADIUS doing password auth against AD via LDAP. I have a switch that allows port based security, but uses CHAP passwords. From my understanding, you can do this if the LDAP database has the passwords stored as clear-text passwords. You cannot do this with Active Directory since it does not store the passwords in clear-text.

Exactly.

Alan DeKok.
RE: Confirmation of LDAP/CHAP and AD
samba

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 05, 2005 11:24 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Confirmation of LDAP/CHAP and AD

Okay. Thanks. Now my next question is: would storing the CHAP passwords in AD using reversible encryption help (I would guess not, since your other posts seem to indicate the problem being that AD will not even give the RADIUS server the password to manipulate)? Also, would using NTLM_AUTH be a possible solution? If not, then proxying RADIUS to an IAS server seems to be the only possible solution.

Thanks,
Mark Capelle
RE: Confirmation of LDAP/CHAP and AD
Proxy to IAS will work too.

Ron.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 05, 2005 10:24 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Confirmation of LDAP/CHAP and AD

Okay. Thanks. Now my next question is: would storing the CHAP passwords in AD using reversible encryption help (I would guess not, since your other posts seem to indicate the problem being that AD will not even give the RADIUS server the password to manipulate)? Also, would using NTLM_AUTH be a possible solution? If not, then proxying RADIUS to an IAS server seems to be the only possible solution.

Thanks,
Mark Capelle
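Two threads on this page come down to one property of CHAP. The FR/MySQL reply says the default server accepts either PAP or CHAP; the LDAP/AD thread says CHAP works only when the server can read the clear-text password, which Active Directory will not hand over. The reason is in the protocol: PAP delivers the password itself, so the server can check it against anything, including a one-way hash, while CHAP delivers only MD5(identifier || password || challenge) (RFC 1994), which the server can verify only by recomputing it from the clear-text password. The following is an added example written for this page, not FreeRADIUS code, that implements both checks against a constructed store holding one clear-text credential and one hash-only credential; the user names, passwords and the SHA-256 stand-in for a directory's one-way hash are assumptions of the example. In RADIUS the CHAP-Password attribute is the identifier octet followed by the 16-octet response, and the challenge is the CHAP-Challenge attribute or, when absent, the Request Authenticator (RFC 2865 section 5.3).

```python
import hashlib
import hmac

# Constructed user store for this example, not from the original posts.
# alice: clear-text password on file, which is what CHAP verification needs.
# bob:   only a one-way hash on file, standing in for a directory that will
#        not release the password itself (the AD case in the thread).
USERS_CLEARTEXT = {"alice": "s3cret"}
USERS_HASHED = {"bob": hashlib.sha256(b"hunter2").hexdigest()}


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def nas_chap_password(ident, password, challenge):
    """Contents of the RADIUS CHAP-Password attribute as a NAS builds it:
    the CHAP Identifier octet followed by the 16-octet response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def pap_check(user, password):
    """PAP: the clear-text password arrives in User-Password, so the server
    can compare it against either a clear-text or a hashed credential."""
    if user in USERS_CLEARTEXT:
        return hmac.compare_digest(USERS_CLEARTEXT[user].encode(), password.encode())
    if user in USERS_HASHED:
        digest = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(USERS_HASHED[user].encode(), digest.encode())
    return False


def chap_check(user, chap_password, challenge):
    """CHAP: only the MD5 response arrives, so the server must recompute it
    from the clear-text password. Returns True/False for a verifiable user
    and None when no clear-text password is on file, i.e. the check cannot
    be made at all, however the password was stored."""
    if user not in USERS_CLEARTEXT:
        return None
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, USERS_CLEARTEXT[user], challenge)
    return hmac.compare_digest(expected, response)


def authenticate(user, request, challenge=None):
    """Dispatch on what the request carries, as a server that accepts either
    method does: User-Password means PAP, CHAP-Password means CHAP."""
    if "User-Password" in request:
        return pap_check(user, request["User-Password"])
    if "CHAP-Password" in request:
        return chap_check(user, request["CHAP-Password"], challenge)
    return False
```

bob authenticates with PAP from the hashed entry but chap_check returns None for him: there is nothing to recompute the response from, and reversible or not, a password the directory never releases leaves the server in the same position. That is why the thread's remaining options are a component that does the verification inside the domain (the "samba" answer) or proxying to a server that can.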
B2BUA + RADIUS: Authenticate fail
Hi all,

I'm trying to use the B2BUA with RADIUS but some problems are happening here. When I send an INVITE from SER to the B2BUA, it tries to authenticate, but it doesn't work. The text below is the log of the RADIUS server:

radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE STRCMP(UserName, '16004') = 0 ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE STRCMP(UserName, '16000') = 0 ORDER BY id
radius_xlat: ''
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE STRCMP(UserName, '16000') = 0 ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE STRCMP(UserName, '16000') = 0 ORDER BY id
radius_xlat: ''
rlm_sql (sql): No matching entry in the database for request from user [16000]
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module sql returns notfound for request 6
modcall: group authorize returns ok for request 6
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

At the last lines, we can see something about the method Auth-Type. The table radcheck already has the data about that user 16000:

id  UserName  Attribute        op  Value
1   16000     User-Password    ==  123456
2   16000     Auth-Type        :=  Digest
3   16000     Session-Timeout  ==  10

OK. This is the problem: I can't authenticate. Do you know something that I can do? I didn't find any solution at the forum.

Thanks a lot.
Bruno Machado
Re: B2BUA + RADIUS: Authenticate fail
On Jan 5, 2005, at 12:45 PM, Bruno Machado wrote:

Hi all, I'm trying to use the B2BUA with RADIUS but some problems are happening here. When I send an INVITE from SER to the B2BUA, it tries to authenticate, but it doesn't work. The text below is the log of the RADIUS server:

radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE STRCMP(UserName, '16004') = 0 ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE STRCMP(UserName, '16000') = 0 ORDER BY id

What do you get when you run this query by hand?

-Chris

--
Chris Parker, Director, Engineering
StarNet - A US LEC Company, Wholesale Internet
http://www.megapop.net
(847) 963-0116 x321
VoiceEclipse, The Fresh Alternative http://www.voiceeclipse.com
Re: B2BUA + RADIUS: Authenticate fail
The first and the second queries return this small table:

id  UserName  Attribute        op  Value
1   16000     User-Password    ==  123456
2   16000     Auth-Type        :=  Digest
3   16000     Session-Timeout  ==  10

The third query returns:

id  UserName  Attribute      Value          op
1   16004     Reply-Message  Authenticated  =
2   16004     Sip-Rpid       16004          =

Bruno Machado

--- Chris Parker [EMAIL PROTECTED] wrote:

What do you get when you run this query by hand?

-Chris
Re: B2BUA + RADIUS: Authenticate fail
Sorry, friends. The number shown in the tables is 16000! Forget the 16004.
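An added example, not code from this thread or from FreeRADIUS, that models how rows from a radcheck table become check items and are compared with an Access-Request. The rows are constructed to mirror the table Bruno posted; REPLY_ONLY and the operator handling are a simplified model of the server's behaviour, not its real code. The point it makes visible is one an operator would want to confirm when an entry silently fails to match: a check item such as Session-Timeout == 10 is compared against the request, and since an Access-Request carries no Session-Timeout, the whole entry stops matching. Reply attributes belong in radreply, which split_reply_items() shows.

```python
"""Simplified model of how check items from a radcheck table are tested
against an Access-Request. Added example: it is not FreeRADIUS code and
not code from the thread. The rows mirror the table Bruno posted."""

from typing import Dict, List, Tuple

Row = Tuple[int, str, str, str, str]

# Constructed radcheck rows in the order (id, UserName, Attribute, op, Value).
RADCHECK_ROWS: List[Row] = [
    (1, "16000", "User-Password", "==", "123456"),
    (2, "16000", "Auth-Type", ":=", "Digest"),
    (3, "16000", "Session-Timeout", "==", "10"),   # reply attribute stored as a check item
]

# Attributes that carry meaning only in a reply: a hypothetical short list,
# not the server's dictionary.
REPLY_ONLY = {"Session-Timeout", "Idle-Timeout", "Reply-Message", "Framed-IP-Address"}


def evaluate_check_items(rows: List[Row], username: str, request: Dict[str, str]):
    """Return (matched, control, warnings).

    matched  -- False as soon as one '==' comparison is not satisfied
    control  -- attributes assigned with ':=' or '=' (they never cause a mismatch)
    warnings -- diagnostics an operator would want to see in the debug log
    """
    control: Dict[str, str] = {}
    warnings: List[str] = []
    matched = True
    for _id, user, attr, op, value in rows:
        if user != username:
            continue
        if attr in REPLY_ONLY:
            warnings.append(f"{attr} is a reply attribute: move it to radreply")
        if op == "==":
            # A comparison against an attribute the request does not carry
            # cannot succeed, so the whole entry stops matching.
            if request.get(attr) != value:
                matched = False
                warnings.append(f"{attr} == {value} not satisfied; request has {request.get(attr)!r}")
        elif op == ":=":
            control[attr] = value
        elif op == "=":
            control.setdefault(attr, value)
        else:
            warnings.append(f"operator {op!r} on {attr} is not modelled here")
    return matched, control, warnings


def split_reply_items(rows: List[Row]) -> Tuple[List[Row], List[Row]]:
    """Return (radcheck_rows, radreply_rows): the fix is to move reply
    attributes out of radcheck so they no longer act as comparisons."""
    check = [r for r in rows if r[2] not in REPLY_ONLY]
    reply = [r for r in rows if r[2] in REPLY_ONLY]
    return check, reply


if __name__ == "__main__":
    req = {"User-Name": "16000", "User-Password": "123456"}
    print("as posted:", evaluate_check_items(RADCHECK_ROWS, "16000", req))
    check, reply = split_reply_items(RADCHECK_ROWS)
    print("after moving reply rows:", evaluate_check_items(check, "16000", req))
    print("rows for radreply:", reply)
```

Run it as-is and the first evaluation reports no match with a warning about Session-Timeout; after the split the same request matches and Auth-Type is set from the `:=` row.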
DHCP clients with radius
Hi,

I am using freeradius version 0.9.3 on Mandrake with MySQL. My radius NAS units are static IP clients and DHCP clients. All the static IPs are added in clients.conf, and the setup works fine. My question is how and where do I add DHCP client entries for radius to authenticate?

Thanks.
Re: DHCP clients with radius
If you can change your NAS units that use DHCP to have static addresses, that would be a better method. Otherwise, if you can at least hand out a block of IPs only for these NASes, then you can use networks in clients.conf, at least in freeradius 1.x. I'm not sure when it was added, so I can't tell you if it works in 0.9.

    client 10.1.1.0/24 {
        secret = secret
        shortname = dhcp-nas
        nastype = cisco
    }
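An added example, not FreeRADIUS code, of what a network entry in clients.conf does. It parses a constructed clients.conf fragment made of the /24 block from the reply plus a more specific host entry, looks up a NAS by source address with the most specific prefix winning (an assumption of this model, not a statement about how 1.x orders its client list), and flags blocks wider than the pool they are meant to cover, since every host inside such a block can present the shared secret.

```python
"""Model of NAS lookup against a clients.conf that uses network prefixes.
Added example, not FreeRADIUS code. The config text below is constructed:
it is the /24 block from the reply plus a more specific host entry."""

import ipaddress
import re
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Client = Tuple[Network, Dict[str, str]]

# Constructed clients.conf fragment (the secrets are placeholders).
CLIENTS_CONF = """
client 10.1.1.0/24 {
    secret = secret
    shortname = dhcp-nas
    nastype = cisco
}
client 10.1.1.5 {
    secret = another-secret
    shortname = core-nas
    nastype = cisco
}
"""

# One "client <address-or-prefix> { key = value ... }" block per match.
BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{([^}]*)\}", re.S)


def parse_clients_conf(text: str) -> List[Client]:
    """Return (network, attributes) pairs; a bare address becomes a /32 or /128."""
    clients: List[Client] = []
    for block in BLOCK_RE.finditer(text):
        network = ipaddress.ip_network(block.group(1), strict=False)
        attrs: Dict[str, str] = {}
        for line in block.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            attrs[key.strip()] = value.strip()
        if "secret" not in attrs:
            raise ValueError(f"client {network} has no secret")
        clients.append((network, attrs))
    return clients


def find_client(clients: List[Client], src_ip: str) -> Optional[Dict[str, str]]:
    """Most specific (longest prefix) match wins. None means the packet comes
    from an address no client block covers and should be dropped."""
    addr = ipaddress.ip_address(src_ip)
    best: Optional[Client] = None
    for network, attrs in clients:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, attrs)
    return best[1] if best else None


def audit_prefixes(clients: List[Client], max_hosts: int = 256) -> List[str]:
    """Flag blocks wider than the pool they are meant to cover: every host in
    the block can talk to the server with that block's shared secret."""
    return [str(network) for network, _ in clients if network.num_addresses > max_hosts]


if __name__ == "__main__":
    cfg = parse_clients_conf(CLIENTS_CONF)
    for ip in ("10.1.1.7", "10.1.1.5", "192.0.2.9"):
        hit = find_client(cfg, ip)
        print(ip, "->", hit["shortname"] if hit else "unknown client, dropped")
    print("blocks wider than 128 hosts:", audit_prefixes(cfg, max_hosts=128))
```

Size the prefix to the DHCP pool you actually reserve for the NASes; audit_prefixes() with the pool size as max_hosts is a quick check that no block grew wider than intended.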
Re: Block group of ISDN connection
Defined in ldap.attrmap, defined as a check item:

    checkItem Connection-Type radiusConnectionType

The situation is that I have to check both attributes, one from the RAS (NAS-Port-Type) and one from LDAP (Connection-Type), before I can reject it. As suggested by Kostas, I have to map the Connection-Type (my own) attribute, and put "files", which reads the users file, after LDAP in the authorize section.

--haizam

- Original Message -
From: Dustin Doris [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, January 05, 2005 23:15
Subject: Re: Block group of ISDN connection

> On Wed, 5 Jan 2005, Rohaizam Abu Bakar wrote:
>
>> YES, it is on one line until Reject, just broken up while pasting:
>>
>>     DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED, Auth-Type := Reject
>>             Reply-Message = Your account has been disabled.
>>
>> but it still gives the same trailing comma problem:
>>
>>     /usr/local/etc/raddb/users[42]: Unexpected trailing comma in check item list for entry DEFAULT
>>
>> --haizam
>
> I believe the error you are receiving is because freeradius doesn't understand what Connection-Type is. I can't find connection-type in any of the dictionary files. Where did you define connection-type?
Re: Block group of ISDN connection
That is the problem. Connection-Type isn't a RADIUS attribute. You use that file, ldap.attrmap, to map a RADIUS attribute to an LDAP attribute. However, Connection-Type is not a valid RADIUS attribute, so freeradius is failing because it doesn't recognize Connection-Type.

If you want to check whether the user has radiusConnectionType unlimited in LDAP, then modify the radiusd.conf ldap section with this:

    groupname_attribute = radiusConnectionType
    groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))

Then change your users file to this:

    DEFAULT NAS-Port-Type == ISDN, Ldap-Group == UNLIMITED, Auth-Type := Reject
            Reply-Message = Your account has been disabled.

That will tell freeradius that if the NAS-Port-Type is ISDN, then do a lookup to LDAP for radiusConnectionType = Unlimited. If those two match, then it will add Auth-Type = Reject to it.

Hope that helps.

Dusty Doris
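An added example, not FreeRADIUS's own parser, that reads the check-item list on the first line of a users-file entry and validates each attribute name against a small constructed dictionary subset. It separates the two diagnoses that got mixed up in this thread: a genuinely trailing comma versus an attribute name the dictionary does not define, such as Connection-Type. The entry lines in the demo are the ones posted above and Dustin's corrected form.

```python
"""Check-item parser for the first line of a users-file entry, validating
attribute names against a dictionary. Added example, not FreeRADIUS's own
parser; KNOWN_ATTRIBUTES is a constructed subset, not the real dictionary."""

import re
from typing import List, Tuple

# Constructed subset of names a real dictionary defines. Connection-Type is
# deliberately absent: it is a site-local LDAP attribute, not a RADIUS one.
KNOWN_ATTRIBUTES = {
    "User-Name", "User-Password", "NAS-Port-Type", "NAS-IP-Address",
    "Auth-Type", "Ldap-Group", "Huntgroup-Name", "Service-Type",
}

# attribute, operator, value; longer operators are listed before their prefixes
ITEM_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*(:=|==|!=|>=|<=|=~|!~|>|<|=)\s*(.*?)\s*$")

CheckItem = Tuple[str, str, str]


def split_items(check_list: str) -> List[str]:
    """Split on commas that are not inside double quotes."""
    items: List[str] = []
    buf: List[str] = []
    in_quote = False
    for ch in check_list:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return items


def parse_entry_line(line: str) -> Tuple[str, List[CheckItem], List[str]]:
    """Return (entry_name, items, problems). An entry name with no check
    items (a bare DEFAULT) is valid and matches every request."""
    parts = line.strip().split(None, 1)
    name = parts[0]
    rest = parts[1] if len(parts) > 1 else ""
    items: List[CheckItem] = []
    problems: List[str] = []
    if not rest.strip():
        return name, items, problems
    raw_items = split_items(rest)
    for index, raw in enumerate(raw_items):
        if not raw.strip():
            # An empty item: only a real trailing comma earns that message.
            what = "trailing comma" if index == len(raw_items) - 1 else f"empty item {index + 1}"
            problems.append(f"unexpected {what} in check item list for entry {name}")
            continue
        match = ITEM_RE.match(raw)
        if not match:
            problems.append(f"cannot parse check item {raw.strip()!r} for entry {name}")
            continue
        attr, op, value = match.groups()
        if attr not in KNOWN_ATTRIBUTES:
            problems.append(f"unknown attribute {attr} for entry {name} (not in the dictionary)")
        items.append((attr, op, value.strip('"')))
    return name, items, problems


if __name__ == "__main__":
    for entry in (
        "DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED, Auth-Type := Reject",
        "DEFAULT NAS-Port-Type == ISDN, Ldap-Group == UNLIMITED, Auth-Type := Reject",
        "DEFAULT NAS-Port-Type == ISDN,",
    ):
        print(parse_entry_line(entry))
```

The first line parses cleanly as three items but is reported for the unknown attribute; the second passes; only the third gets the trailing-comma diagnosis.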
Re: FR/MySQL Auth/CHAP
[EMAIL PROTECTED] wrote:
> I'm using Crypt-Password in the MySQL table. This won't work with CHAP, no?

See the FAQ. Unix/crypt-passwords don't work with CHAP.

Alan DeKok.
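An added example, not FreeRADIUS code, showing why a crypt-style password hash is usable for PAP but not for CHAP: the CHAP check recomputes an MD5 over the cleartext password, and a one-way hash cannot supply it. The credential store, the salted SHA-256 standing in for crypt(3), and the dictionary keys used as attribute names are constructed for illustration.

```python
"""Why a crypt-style hash supports PAP but not CHAP. Added example, not
FreeRADIUS code. The credential store, the salted SHA-256 standing in for
crypt(3), and the dictionary keys used as attribute names are constructed."""

import hashlib
import hmac
from typing import Dict, Optional


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge). In RADIUS
    the NAS sends it as CHAP-Password = Identifier + 16-byte digest, with the
    challenge in CHAP-Challenge or the Request Authenticator (RFC 2865 5.3)."""
    return hashlib.md5(bytes([ident & 0xFF]) + password.encode() + challenge).digest()


def one_way_hash(password: str, salt: bytes) -> str:
    """Stand-in for crypt(3): salted and one-way, not reversible to the password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def verify_pap(cred: Dict[str, str], password: str) -> bool:
    """PAP delivers the cleartext password, so either stored form can be checked."""
    if "User-Password" in cred:
        return hmac.compare_digest(cred["User-Password"].encode(), password.encode())
    salt = bytes.fromhex(cred["salt"])
    return hmac.compare_digest(one_way_hash(password, salt), cred["Crypt-Password"])


def verify_chap(cred: Dict[str, str], ident: int, challenge: bytes, response: bytes) -> Optional[bool]:
    """True/False when the check can be made, None when it cannot: the server
    must recompute MD5 over the cleartext password, and a one-way hash does
    not yield it. That is why Crypt-Password entries fail under CHAP."""
    if "User-Password" not in cred:
        return None
    expected = chap_response(ident, cred["User-Password"], challenge)
    return hmac.compare_digest(expected, response)


# Constructed store: alice keeps a cleartext password, bob only a one-way hash.
SALT = bytes.fromhex("0123456789abcdef")
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"User-Password": "s3cret"},
    "bob": {"Crypt-Password": one_way_hash("s3cret", SALT), "salt": SALT.hex()},
}


if __name__ == "__main__":
    challenge = bytes(range(16))          # constructed 16-byte challenge
    resp = chap_response(7, "s3cret", challenge)
    for user in ("alice", "bob"):
        print(user, "PAP:", verify_pap(USERS[user], "s3cret"),
              "CHAP:", verify_chap(USERS[user], 7, challenge, resp))
```

Both users pass PAP with the right password; only alice can be checked under CHAP, and verify_chap() returns None for bob because there is nothing the server can recompute from his stored hash.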
reading other radius server's radutmp instead of using radrelay
OS: FreeBSD 4.9p4 + FreeRADIUS 1.0.1
Objective: to control single login in a distributed environment.

I've tested radrelay to centralise accounting across all my radius servers. All radius servers replicate accounting to the others, so there are a few radrelay processes running on each radius server. But it's not really working well: a lot of locking problems, not replicated properly, and quite hard to monitor and manage.

So what I plan to do is to have only one centralised accounting server (maybe all NAS will point accounting to this server), and in order to perform the single login check, each radius server will check the radutmp on the centralised accounting server. Is it possible?

thanks.

--haizam
rapid question on PEAP version
hi,

I just looked in the doc directory, the source code and a bit on the web and could not find any recent info on which version of EAP-PEAP is supported by freeradius. From what I've found till now, only PEAPv0 with MS-CHAPv2 is supported (this however dates back to June 2004). Has it by any chance been updated since? Most notably, is the so-called cryptobinding (PEAPv2) already implemented?

And while we are at it, perhaps somebody knows the same answers for TTLS (cryptobinding has recently been added to the I-D) and for the clients: xsupplicant, XP SP2, Alfa-Ariss, etc. Moreover, for the tunneled methods, it would be nice to know the client- and server-side inner method limitations. A small summary would be just perfect.

thanks,
artur
unknown attribute Frame-Protocol
I am using FreeRADIUS 1.0.1 on Linux Fedora 2, and I installed MySQL 4.1.8 as well. When I use the root login and test the FreeRADIUS server with the NTRadPing software, that can be authorized. However, when I try to use a username from MySQL, it cannot be authorized. I find the log as follows:

    Error: rlm_sql: Unknown attritbute Frame-Protocol
    Error: rlm_sql (sql): Error getting data from database

Do I have a wrong config? Please advise! I just followed the book example from O'Reilly's RADIUS.

rex