reloading message

2005-02-28 Thread Edgars
Hello list!
met an interesting message in my radius.log file:
Sat Feb 26 12:15:46 2005 : Info: Reloading configuration files.
not so interesting in the logical mean but in the way it appeared. 
Before it there aren't any DB reloading or similar messages,
just simple authentication incorrectness message. And after the above 
message appeared my RADIUS server stopped working. Any ideas?

Edgars
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius with openldap

2005-02-28 Thread helder martins
hello,
i'm having problems when i try to authenticate a user using freeradius and 
ldap.
i'm using freeradius-1.0.1 and openldap-2.2.15 and i need someone to help me 
correctly configuring my radius server to authenticate against ldap 
database.
thanks



Re: Problems with characters in CallerStationId and CallingStationId

2005-02-28 Thread Kostas Kalevras
On Sat, 26 Feb 2005 [EMAIL PROTECTED] wrote:
 Hello to all,
 I use mssql.conf i don't found the directive safe-characters.
 I have to do something in special.

Copy the directive from sql.conf. mssql.conf was just not updated to 
include it.

 Thanks.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: Problems with the AcctStartTime and AcctStopTime

2005-02-28 Thread Kostas Kalevras
On Fri, 25 Feb 2005 [EMAIL PROTECTED] wrote:
Now,can be included in future releases.
in the file mssql.conf
tested very good.
# accounting_start_query: Inserting of RadAcctId and AcctStopTime was
# removed. These fields are processing by a database
accounting_start_query = INSERT into ${acct_table1} (AcctSessionId,
AcctUniqueId, UserName, Realm,
GatewayId,CallType,CallOrigin,NASIPAddress, NASPort, NASPortType,
AcctStartTime, AcctStopTime,AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, CiscoNASPort,CallId,AcctStartDelay,
AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}',
'%{Realm}','%{h323-gw-id}','%{h323-call-type}','%{h323-call-origin}','%{NAS-IP-Address}',
'%{NAS-Port-Id}',
'%{NAS-Port-Type}','%S',DATEADD(SECOND,CONVERT(INT,'+%{Acct-Session-Time}'),CONVERT(DATETIME,'%S',102)),

This is wrong, you are calculating acctstoptime on accounting-start!

'0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}',
'%{h323-disconnect-cause}', '%{Service-Type}', '%{h323-voice-quality}',
'%{h323-remote-address}','%{Cisco-NAS-Port}','%{h323-conf-id}'
,'%{Acct-Delay-Time}', '0')
# accounting_stop_query_alt
# Inserting of RadAcctId and AcctStartTime was
# removed. These fields are processing by a database
accounting_stop_query_alt = INSERT into ${acct_table2} (AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPort,
NASPortType,AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId,
GatewayId,CallType,CallOrigin,CiscoNASPort,AcctTerminateCause,
ServiceType, FramedProtocol, FramedIPAddress,CallId,AcctStartDelay,
AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port-Id}',
'%{NAS-Port-Type}',DATEADD(SECOND,CONVERT(INT,'-%{Acct-Session-Time}'),CONVERT(DATETIME,'%S',102)),'%S',

This is better, although you are not taking Acct-Delay-Time into account.

'%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}',
'%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}',
'%{Calling-Station-Id}','%{h323-gw-id}','%{h323-call-type}','%{h323-call-origin}','%{Cisco-NAS-Port}','%{h323-disconnect-cause}',
'%{Service-Type}', '%{h323-voice-quality}',
'%{h323-remote-address}','%{h323-conf-id}','0', '%{Acct-Delay-Time}')
}
Kostas
this is my contribution for future downloads; it comes out right now.

Please update the stop_query_alt to include Acct-Delay-Time and it will be added 
in mssql.conf. The same thing for the update_query_alt would be really 
appreciated. Please open an enhancement bug in bugs.freeradius.org and post the 
queries there so nothing will get lost.

Vicente Barrientos Valdivia.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: Insert to mysql if Group ==??

2005-02-28 Thread Kostas Kalevras
On Mon, 28 Feb 2005, Chan Min Wai wrote:
 Greeting,
 I wonder if there is any way to do something like that.
 Insert into the radacct DB with the Group is equal to something.

Not directly but you can send back a Class attribute in the authentication phase 
if the user is a member of that Group and use that attribute in the accounting 
section to decide about inserting into the radacct table.

 That can be inserted into another DB also.
 Regards,
 Chan Min Wai
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Edwin Limachi is out of the office.

2005-02-28 Thread elimachi
I will be out of the office from 28/02/2005 and will not return until
04/03/2005.

I will only be able to attend to your messages at the end of the afternoon.
For emergencies, send a message to my cell phone.
Thank you for your understanding.

Success for the New Year.




Re: freeradius with openldap

2005-02-28 Thread Anderson Alves de Albuquerque


 Send me your configuration.



On Mon, 28 Feb 2005, helder martins wrote:

 hello,
 i'm having problems when i try to authenticate a user using freeradius and 
 ldap.
 i'm using freeradius-1.0.1 and openldap-2.2.15 and i need someone to help me 
 correctly configuring my radius server to authenticate against ldap 
 database.
 thanks
 


Packet of Disconnect

2005-02-28 Thread Paulo Rolo
Hello,

Does FreeRadius support Packet of Disconnect Proxy? I
have used successfully radclient (v1.72.2) to generate PoD packets to NAS, but
I was unable to understand if Freeradius supports to proxy these packets from
radclient to NAS? It seems that FR server ignores these requests:

rad_recv: Disconnect-Request packet from host 192.168.78.36:33057, id=97, length=47
Unknown packet code 40 from client naskilt:33057 - ID 97 : IGNORED

Regards,
Paulo Rolo








Re: Error: SSL_new in -lssl...no

2005-02-28 Thread Bob Rahe
  Well, I spent the better part of two days beating around on this one.
Turns out there was a good patch posted back in November of 2003:

 http://lists.cistron.nl/pipermail/freeradius-users/2003-November/025419.html

  I found it easier to just edit the configure scripts that used that
test, about 5 or 6 of them IIRC.

Bob



Multilink PPP with mysql

2005-02-28 Thread Monica Messa
Hi

I have configured freeradius-0.9.3 and mysql reading
http://www.frontios.com/freeradius.html and it works!

I am currently looking into using multilink ppp authentication.
How to configure my database mysql for multilink ppp authentication?

Thanx!

Monica Messa



FW: Cisco WDS, WLSE and FreeRADIUS

2005-02-28 Thread Holger Steppke
Hi,

has someone ever asked Cisco about that issue ?!
If yes what was the answer? Buy Cisco ASC server ?

Regards
Holger


  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On 
  Behalf Of Jeffrey C. Ollie
  Sent: Monday, February 14, 2005 5:34 PM
  To: freeradius-users@lists.freeradius.org
  Subject: Re: Cisco WDS, WLSE and FreeRADIUS
  
  
  On Mon, 2005-02-14 at 13:55 +0100, Richard Timsit wrote:
   On Fri, 2005-02-11 at 22:43, Jeffrey C. Ollie wrote:
    However, I am still unable to get the WLSE to talk properly with the
    APs.  I have recompiled with the patches mentioned above and the WDS
    AP shows that the WLSE is authenticated but things still aren't
    working properly (WLSE reports faults and is unable to control the
    APs).

   Once the patch applied, see the log and find such lines :
     rlm_eap_leap: Stage 6
     rlm_eap: RT Modif EAP-Type = 17 EAP-LENGTH = XX

   If XX not equal to 30, modify the test of the patch eap.c accordingly.

   Freeradius authenticate the WLSE with this patch, not only on my
   campus...

  Ok... I'm getting further now... The access points show
  SECURITY KEYS SETUP when you run show wlccp wnm status.
  I had to change the length test to 31 in my copy of the patch
  (BTW, I'm running WLSE 2.9.1 and 12.3 (2)JA2 on my 1200
  access points). Now I'll have to start doing some more
  playing around to see if everything is working.

  Jeff
 




Re: Packet of Disconnect

2005-02-28 Thread Michael Mitchell
Hi Paulo,
Freeradius doesn't support it ...
However, I've got a version of freeRADIUS that I patched/hacked to do 
it. If you, or anyone are interested, I can provide some patches, 
unsupported basis that are specific to my requirements...

However don't expect this to be something that is ever included in the 
freeRADIUS source... so you'd have to support it yourself... or pay 
someone ( like me ;-) ) to do maintenance or further development...

Contact me off-list if you're interested in these patches, as this 
doesn't really belong here.

Of course if Alan is interested in adding this functionality to 
freeRADIUS (I think you've expressed reluctance in the past?) then I'm 
happy to clean my work up and supply some more formal patches.

regards,
Mike

Paulo Rolo wrote:
 Hello,

 Does FreeRadius support Packet of Disconnect Proxy? I have used 
 successfully radclient (v1.72.2) to generate PoD packets to NAS, but I 
 was unable to understand if Freeradius supports to proxy these packets 
 from radclient to NAS? It seems that FR server ignores these requests:

 rad_recv: Disconnect-Request packet from host 192.168.78.36:33057, id=97, length=47
 Unknown packet code 40 from client naskilt:33057 - ID 97 : IGNORED

 Regards,
 Paulo Rolo



Re: Logging accounting details in LDAP

2005-02-28 Thread Kostas Kalevras
On Mon, 28 Feb 2005, guest01 wrote:
 I know it's not a good idea to log data in a directory, but is it
 possible? I can store
 user data in the LDAP, but accounting data?
 I know that I can log the accounting stuff in a sql database 

LDAP is **NOT** for that.
It's a hierarchical database designed mainly for static user data. 
It's not designed for a low read/write ratio nor does it provide the 
functionality provided by relational databases (Sql).

In other words it's not possible, nor will it ever be provided. You can always 
create a perl script (using rlm_perl) which will do exactly that if you want.

 thxs for helping!
 best regards
 peda

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: reloading message

2005-02-28 Thread Alan DeKok
Edgars [EMAIL PROTECTED] wrote:
 met an interesting message in my radius.log file:
 Sat Feb 26 12:15:46 2005 : Info: Reloading configuration files.
 
 not so interesting in the logical mean but in the way it appeared. 

  You sent a HUP signal to the server.

 Before it there aren't any DB reloading or similar messages,
 just simple authentication incorrectness message. And after the above 
 message appeared my RADIUS server stopped working. Any ideas?

  What version are you running?

  Alan DeKok.



Re: Packet of Disconnect

2005-02-28 Thread Alan DeKok
Michael Mitchell [EMAIL PROTECTED] wrote:
 Of course if Alan is interested in adding this functionality to 
 freeRADIUS (I think you've expressed reluctance in the past?) then I'm 
 happy to clean my work up and supply some more formal patches.

  I've been reluctant to have the server decide to send PoD packets on
its own.  If your patches provide a way for a proxying server to
receive PoD packets from a home server, and forward them to the NAS,
then that can go in.

  Most of the questions in the past about disconnects have been how
do I get the server to disconnect users.  And the answer is you
don't.  You run an external script, like radclient with PoD packets.

  Alan DeKok.



Re: post-auth

2005-02-28 Thread Dustin Doris
On Mon, 28 Feb 2005, Chan Min Wai wrote:

 Greeting,

 If any of you can remember, I do say that once, would like to use
 omshell + freeradius so that freeradius can control the dhcp server to
 control the ip address allocation and release.

 I know the place to put such shell script is in post auth for
 allocation, what is the place for release?

Release will come with an accounting stop query, so you will call the
script in accounting to do a release.


 how should I pass the variable on?

If you call an external script those variables will be available within
the script as environmental variables.

For example, if you did

exec test {
  wait = yes
  program = /pathto/somefile
  input_pairs = request
  output_pairs = reply
  packet_type = Access-Accept
}

Then in the script you should be able to get the environmental variable of
nas-ip-address.  In shell, it would be

$NAS_IP_ADDRESS

Check out doc/variables.txt, especially
If you want to see the list of all of the variables, try adding a
line 'printenv > /tmp/exec-program-wait' to the script.  Then look in
the file for a complete list of variables.



 let named the script as dhcpctrl
 the variable for this script is
 1) the NAS ip (the dhcp object class)
 2) the Client MAC address
 3) the ip address from ippool

 Can anyone know how to get this variable to the program?

 And hints on how to insert it into the radius.conf?

Define your external scripts using exec and then place the name of that in
your various sections, such as auth, accounting, or wherever you need it.
Check out the echo example in radiusd.conf.
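
An added example, not part of the original post or of FreeRADIUS: a dhcpctrl-style script for the accounting (release) case that validates the three values before using them, since they originate from the NAS. It is written in Python rather than shell; CALLING_STATION_ID and FRAMED_IP_ADDRESS are assumed to follow the NAS_IP_ADDRESS naming shown above, and the quote stripping is an assumption about how string values arrive.

```python
#!/usr/bin/env python3
"""Validate the attributes an exec'd script receives before acting on them."""
import ipaddress
import os
import re
import sys

# Assumption: attribute names reach the script as environment variables the
# way the post shows for NAS-IP-Address -> NAS_IP_ADDRESS.
REQUIRED = ("NAS_IP_ADDRESS", "CALLING_STATION_ID", "FRAMED_IP_ADDRESS")

_HEX12 = re.compile(r"[0-9a-f]{12}")


def _unquote(value):
    """Drop one pair of surrounding double quotes, if present (assumption)."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def normalize_mac(value):
    """Return aa:bb:cc:dd:ee:ff, or raise ValueError for anything else."""
    digits = re.sub(r"[-:.]", "", value.lower())
    if not _HEX12.fullmatch(digits):
        raise ValueError("not a MAC address: %r" % value)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def read_request(env):
    """Extract and validate the three values the script needs from env."""
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise ValueError("missing attributes: " + ", ".join(missing))
    # IPv4Address raises a ValueError subclass on anything but a dotted quad.
    return {
        "nas_ip": str(ipaddress.IPv4Address(_unquote(env["NAS_IP_ADDRESS"]))),
        "client_mac": normalize_mac(_unquote(env["CALLING_STATION_ID"])),
        "client_ip": str(ipaddress.IPv4Address(_unquote(env["FRAMED_IP_ADDRESS"]))),
    }


def main(env=os.environ):
    """Return 0 when the input is usable, 1 when it is rejected."""
    try:
        req = read_request(env)
    except ValueError as exc:
        print("dhcpctrl: rejected input: %s" % exc, file=sys.stderr)
        return 1
    # Only validated, normalized values get this far. Handing them to the
    # DHCP control tool is site-specific and left out of this example.
    print("release %(client_ip)s for %(client_mac)s on %(nas_ip)s" % req)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```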




Re: Multilink PPP with mysql

2005-02-28 Thread Monica Messa
 How to configure my database mysql for multilink ppp authentication?

I'll try this configuration:

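In radcheck:

+----+----------+--------------------+----+--------------+
| id | UserName | Attribute          | op | Value        |
+----+----------+--------------------+----+--------------+
|  5 | test     | CHAP-Password      | == | test         |
| 17 | test     | Calling-Station-Id | == | 390804671212 |
+----+----------+--------------------+----+--------------+

In radreplay:

+----+----------+-------------------+----+---------------+
| id | UserName | Attribute         | op | Value         |
+----+----------+-------------------+----+---------------+
|  3 | test     | Framed-IP-Address | := | 192.168.2.129 |
|  5 | test     | Port-Limit        | := | 2             |
|  6 | test     | Service-Type      | := | Framed-User   |
|  7 | test     | Framed-Protocol   | := | PPP           |
+----+----------+-------------------+----+---------------+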



Is there a different/better way to do this?



regards,
Monica






Re: Error: SSL_new in -lssl...no - went thru the docs and faq and google already before posting....

2005-02-28 Thread Alan DeKok
Michael Mitchell [EMAIL PROTECTED] wrote:
 Oh, and I'm sure Alan wouldn't say no to patches if you already have 
 some fixes... ;-)

  The configure scripts in CVS have all of the SSL checks centralized
in one place, so any fixes become much easier.

  Alan DeKok.




Re: reloading message

2005-02-28 Thread Edgars

  met an interesting message in my radius.log file:
  Sat Feb 26 12:15:46 2005 : Info: Reloading configuration files.
  
  not so interesting in the logical mean but in the way it appeared. 
 
   You sent a HUP signal to the server.

yes, i sent HUP to reload the configuration files.

 
  Before it there aren't any DB reloading or similar messages,
  just simple authentication incorrectness message. And after the above 
  message appeared my RADIUS server stopped working. Any ideas?
 
   What version are you running?

1.0.0

Edgars
 
   Alan DeKok.
 

Re: Raadrelay and coredumps...

2005-02-28 Thread Terry J Fike Jr
*sigh*  okay, first off, shoot me...i didn't read /doc/bugs right and i 
hadn't recompiled with the --enable-developer

so, i did that...same output from the core
(Couldn't find general-purpose registers in core file)
recompiled it a couple times...
once with just --disable-shared
still cores...
once with --enable-developer (without --disable-shared)
still cores, no change in output inside gdb
once with --enable-developer with --disable-shared
still cores, no change in output inside gdb
one thing though, while in the make process with --enable-developer
i received lots of warnings (mostly from md4.c) but no errors.  is this 
normal when compiling with --enable-developer?

also...any other ideas?
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]


Re: Raadrelay and coredumps...

2005-02-28 Thread Alan DeKok
Terry J Fike Jr [EMAIL PROTECTED] wrote:
 so, i did that...same output from the core
 (Couldn't find general-purpose registers in core file)

  That's very strange.

 once with just --disable-shared
 still cores...

  Did you do that after deleting *all* files installed by the server?
If one of your previous builds is broken, then any new build MAY end
up using that.  You MUST start from a clean system in order to verify
that the new build is OK.

  I haven't seen any similar problems with Solaris.  I suggest trying
with a different Solaris box.

 one thing though, while in the make process with --enable-developer
 i received lots of warnings (mostly from md4.c) but no errors.  is this 
 normal when compiling with --enable-developer?

  Yes.  Developers want to see more warnings than others.

  Alan DeKok.



RE: Error: SSL_new in -lssl...no - went thru the docs and faq and google already before posting....

2005-02-28 Thread Mitchell, Michael J
Thanks Paul,

Do we have an ETA for 1.1.0? 

I'd be happy to do a bit of testing of configure scripts, etc, on
Solaris 9 if you need someone... 

Regards,
Mike




I'm happy to look at patches for 1.0.2 (everyone's talking 
about 1.0.1 here, I'm not taking patches for _that_) to fix 
this, unless we already did so between 1.0.1 and 1.0.2. But 
unless they're obviously safe, I'll need a hand testing them 
on various interesting implementations to be sure everything 
still works no worse than 1.0.2. And if we're lucky, there 
won't be a pressing need for 1.0.3 before 1.1.0 ships.




EAP-MD5 + LDAP problem

2005-02-28 Thread Vladimir
/auth-detail-20050228'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/64.106.20.21/auth-detail-20050228
 modcall[authorize]: module auth_log returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
   rlm_realm: No '@' in User-Name = oberon, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 1
 rlm_eap: EAP packet type response id 63 length 28
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 1
   users: Matched DEFAULT at 154
 modcall[authorize]: module files returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for oberon
radius_xlat:  '(uid=oberon)'
radius_xlat:  'cn=dot1x,dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=dot1x,dc=domain,dc=com, with filter (uid=oberon)
rlm_ldap: checking if remote access for oberon is allowed by radiusFilterId
rlm_ldap: Added password risfylFZSeXVT7IrjtlVdQ== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value {  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User  op=11
rlm_ldap: user oberon authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap_1x returns ok for request 1
modcall: group authorize returns updated for request 1
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/md5
 rlm_eap: processing type md5
 rlm_eap: Freeing handler
 modcall[authenticate]: module eap returns reject for request 1
modcall: group authenticate returns reject for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 6 seconds...
---

If I get this going I promise to write up a HOWTO :-).
Thanks,
Vladimir


Re: Re: Raadrelay and coredumps...

2005-02-28 Thread Terry J Fike Jr
I did a make distclean   before ./configure each time
and i ran the radrelay from inside src/main (i didn't do make install on 
any of these runs)

with the exception of the radiusd.conf file, i've been using pretty much 
the same config files since 0.8.3 (though i think i changed to the new 
clients.conf in 1.0.0 and copied that into 1.0.2)

the radiusd.conf i edit from scratch with each new version based on the 
conf file from the previous version.

unfortunately, i'm doing this in a production environment, so swapping 
servers isn't going to be easy, but i'll see what i can do.  (i have a 
lot of things :( tied into the same ip as radius)
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]



Re: Raadrelay and coredumps...

2005-02-28 Thread Alan DeKok
Terry J Fike Jr [EMAIL PROTECTED] wrote:
 I did a make distclean   before ./configure each time

  The *installed* files may be causing problems.

 and i ran the radrelay from inside src/main (i didn't do make install on 
 any of these runs)

  Hmm... I can't recall any issues with radrelay.

 with the exception of the radiusd.conf file, i've been using pretty much 
 the same config files since 0.8.3 (though i think i changed to the new 
 clients.conf in 1.0.0 and copied that into 1.0.2)

  That shouldn't be a problem.  radrelay doesn't read most of the
configuration files.

  Alan DeKok.




Re: EAP-MD5 + LDAP problem

2005-02-28 Thread Alan DeKok
Vladimir [EMAIL PROTECTED] wrote:
 rlm_ldap: Added password risfylFZSeXVT7IrjtlVdQ== in check items
 rlm_ldap: looking for check items in directory...
 rlm_ldap: Adding userPassword as User-Password, value {  op=21

  That doesn't look right.

  Try the latest CVS snapshot, it has some changes which may help.

  Alan DeKok.



Re: Packet of Disconnect

2005-02-28 Thread Alan DeKok
[EMAIL PROTECTED] (Paul Hampson) wrote:
 I haven't looked at the PoD support too closely, but how does FreeRADIUS
 know where the PoD is to be proxied to?

  The information is in the PoD request.

  To ensure that bad things don't happen, the PoD *should* be treated
sort of like an Access-Accept, and the server should see where the
packet is proxied to.  IF the home server is where the PoD request
came from, then it's a real PoD request, and is sent to the NAS.
Otherwise, it's dropped.

  Yuck, and double-yuck.

  Alan DeKok.



Re: EAP-MD5 + LDAP problem

2005-02-28 Thread Vladimir
Alan DeKok wrote:
Vladimir [EMAIL PROTECTED] wrote:
 

rlm_ldap: Added password risfylFZSeXVT7IrjtlVdQ== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value {  op=21
   

 That doesn't look right.
 Try the latest CVS snapshot, it has some changes which may help.

I downloaded the 20050228 snapshot. Compiled it and I get identical 
behavior :-( ie.

rlm_ldap: performing search in cn=dot1x,dc=domain,dc=com, with filter (uid=oberon)
rlm_ldap: checking if remote access for oberon is allowed by radiusFilterId
rlm_ldap: Added password risfylFZSeXVT7IrjtlVdQ== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value {  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User  op=11
rlm_ldap: user oberon authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap_1x returns ok for request 1
modcall: group authorize returns updated for request 1
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/md5
 rlm_eap: processing type md5
 rlm_eap: Freeing handler
 modcall[authenticate]: module eap returns reject for request 1
modcall: group authenticate returns reject for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 6 seconds...



Re: Re: Raadrelay and coredumps...

2005-02-28 Thread Terry J Fike Jr
 Terry J Fike Jr [EMAIL PROTECTED] wrote:
  I did a make distclean   before ./configure each time
   The *installed* files may be causing problems.
even if i'm telling a different prefix each time?
(i ask because i have 1.0.2 in /usr/local and 1.0.0 in /opt)
as i make new versions i just change the prefix so i can leave the old 
version running.  1.0.0-pre3 used to be in /usr/local but i deleted all 
those files before compiling 1.0.2
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]



Re: EAP-MD5 + LDAP problem

2005-02-28 Thread Chan Min Wai
Vladimir wrote:
 I am trying to get 802.1x authentication going for wired clients on our
 LAN. I have been successful in using local password database to
 authenticate 802.1x users however I haven't been able to get it going
 with LDAP. Version of FreeRadius is Debian packaged 1.0.1-2.  These are
 I believe relevant snippets

Now I know how to answer this question :)

Password stored in LDAP have to be CLEAR TEXT
Remove the MD5 on the configure.

EAP denoted that Clear password need to be on the Server site.

Regards,




Re: Raadrelay and coredumps..

2005-02-28 Thread Alan DeKok
Terry J Fike Jr [EMAIL PROTECTED] wrote:
 could there be issues on this because of compiling it 64bit instead of 
 32 bit?  Most of my older versions were 32 bit, but since getting oracle 
 installed 64 bit finally, i installed the newer (1.0.0 and 1.0.2) 64bit?

  That certainly could be the cause.

  If you have 32-bit & 64-bit FreeRADIUS modules on the same machine,
there will most likely be problems.  Ensure that only ONE kind of
module is on the machine, anywhere.

  Alan DeKok.




Re: Raadrelay and coredumps...

2005-02-28 Thread Alan DeKok
Terry J Fike Jr [EMAIL PROTECTED] wrote:
 The *installed* files may be causing problems.
 
 even if i'm telling a different prefix each time?

  Yes.  If the dynamic linker knows to find the modules under one
prefix, it may find those modules when building another version of the
server on the same machine.

  Alan DeKok.



RE: Packet of Disconnect

2005-02-28 Thread Mitchell, Michael J

  The information is in the PoD request.


Kind of. From the NAS's perspective, the PoD only needs to contain the
Acct-Session-Id. However obviously in order to proxy a request we at
least need the NAS-IP-Address. I use this to map back to a Realm or a
NAS which will ultimately handle the PoD.

  To ensure that bad things don't happen, the PoD *should* be 
treated sort of like an Access-Accept, and the server should 
see where the packet is proxied to.  IF the home server is 
where the PoD request came from, then it's a real PoD 
request, and is sent to the NAS.
Otherwise, it's dropped.

I must admit, my solution is not that comprehensive, and I'm not sure if
it would even be possible. A PoD doesn't REQUIRE a User-Name attribute,
so it would be difficult in that instance to map a PoD back to an
appropriate home server for the specified session (NAS-IP-Address &
Acct-Session-Id). The only attributes that are guaranteed (in my case)
are NAS-IP-Address and Acct-Session-Id.

My solution met my needs at the time as I had very specific
requirements, and using freeRADIUS was the quickest way to a solution,
as freeRADIUS obviously already has all the proxy and RADIUS packet
handling logic, and is nice and modular, so its easy to add this stuff
quickly (even if its not the best solution).

I also haven't tried proxying directly to a NAS. Should be easy enough
to set this up in our test lab though.

Alan would be disgusted at my current butcher job ;-). However, I'll
review what I have done (it was several months ago now) and report back
as soon as I can (may take a few days though) - hopefully with something
a little more elegant than I have currently.

Regards,
Mike
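
The origin check Alan DeKok describes earlier in this thread, keyed on the two attributes named above as guaranteed, written out as an added example (not Mike's patch and not FreeRADIUS code). The PodGate class, its session table and the documentation-range addresses used with it are hypothetical.

```python
"""Decide whether a proxy should forward a Disconnect-Request to a NAS."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    forward: bool
    reason: str


class PodGate:
    """Remembers which home server each proxied session belongs to."""

    def __init__(self, known_nas):
        # NAS addresses this proxy is willing to send a PoD to.
        self.known_nas = {ipaddress.ip_address(n) for n in known_nas}
        # (NAS-IP-Address, Acct-Session-Id) -> home server address
        self.sessions = {}

    def record_session(self, nas_ip, session_id, home_server):
        """Call when a request for this session was proxied and accepted."""
        key = (ipaddress.ip_address(nas_ip), session_id)
        self.sessions[key] = ipaddress.ip_address(home_server)

    def end_session(self, nas_ip, session_id):
        """Call on accounting stop so stale entries cannot be reused."""
        self.sessions.pop((ipaddress.ip_address(nas_ip), session_id), None)

    def check(self, source_ip, attrs):
        """source_ip sent the Disconnect-Request; attrs are its attributes."""
        nas_ip = attrs.get("NAS-IP-Address")
        session_id = attrs.get("Acct-Session-Id")
        if not nas_ip or not session_id:
            return Decision(False, "missing NAS-IP-Address or Acct-Session-Id")
        try:
            nas = ipaddress.ip_address(nas_ip)
            src = ipaddress.ip_address(source_ip)
        except ValueError:
            return Decision(False, "malformed address")
        if nas not in self.known_nas:
            return Decision(False, "NAS is not one of ours")
        home = self.sessions.get((nas, session_id))
        if home is None:
            return Decision(False, "no proxied session matches")
        if home != src:
            # The request did not come from where the session was proxied to.
            return Decision(False, "sender is not the session's home server")
        return Decision(True, "forward to %s" % nas)


def demo():
    """Constructed scenario: one NAS, one session, two would-be senders."""
    gate = PodGate(known_nas=["192.0.2.10"])
    gate.record_session("192.0.2.10", "0000A1B2", home_server="198.51.100.5")
    pod = {"NAS-IP-Address": "192.0.2.10", "Acct-Session-Id": "0000A1B2"}
    return [
        gate.check("198.51.100.5", pod),   # the session's home server
        gate.check("203.0.113.9", pod),    # some other host
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```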




Re: Re: Authorization

2005-02-28 Thread Mahesh S Kudva
Hi All

What resources, and how will you recognize the two classes of users?
Answer those two questions via RADIUS attributes, and you have what
you want.

Sorry for the incomplete mail. I have a mail server and a couple of 
application servers inside my network. The RAS and VPN user ID and 
passwords are same. I want to restrict the user, once he is connected to 
VPN, to only use the mail and only one application server. Rest of the 
network must be denied to the user.

Regards & Thanks

Mahesh S Kudva



---
Robosoft Technologies - Partners in Product Development





that -lssl problem

2005-02-28 Thread JH

Hi Stefan & Michael,

Thanks for all your help.  The modification to the configure.in file 
provided by Stefan made everything compile ok :)

LIBS=-L/usr/local/openssl/lib -lssl -lcrypto ./configure --prefix=/usr/local/radius --with-openssl-includes=/usr/local/openssl/include/ --disable-shared
(btw, you forgot the leading  but i managed to find out where that 
went :) )

Out of curiosity, how can you tell that it was being swapped around 
that was giving the problem?  I'm no expert in debugging so anything 
you can enlighten me on will help me avoid cluttering up lists in the 
future  :)

Many many thanks!

J.Ho



rlm_chap problem

2005-02-28 Thread Mahmud Jami
Hello,

I configure freeradius with gnugk and postgresql. When I try to register any end-point to gnugk it shows registration reject and Radius Authentication failed. Here is below my freeradius log information,

rad_recv: Access-Request packet from host 127.0.0.1:24380, id=246, length=128
        User-Name = "jami"
        CHAP-Password = 0xd68721ca21575f8477c961d285266f920c
        CHAP-Challenge = 0x422418c6
        NAS-IP-Address = 69.88.15.250
        NAS-Identifier = "OpenH323GK"
        NAS-Port-Type = Virtual
        Service-Type = Login-User
        Framed-IP-Address = 69.88.15.244
        Cisco-AVPair = "h323-ivr-out=terminal-alias:jami;"
rlm_chap: Setting 'Auth-Type := CHAP'
rlm_chap: login attempt by "jami" with CHAP password
rlm_chap: Could not find clear text password for user jami
Sending Access-Reject of id 246 to 127.0.0.1:24380

And here is below gnugk log information,

2005/03/01 13:24:19.015 3 radproto.cxx(2118) RADIUS Receive response from RADIUS server failed (id:246)
2005/03/01 13:24:19.016 2 radauth.cxx(317) RADAUTH RadAuth RRQ auth failed: could not receive or decode response from RADIUS
2005/03/01 13:24:19.016 3 gkauth.cxx(984) GKAUTH RadAuth RRQ check failed
2005/03/01 13:24:19.016 2 RasSrv.cxx(373) RRJ|69.88.15.244|jami:h323_ID|terminal|undefinedReason;
2005/03/01 13:24:19.017 3 RasSrv.cxx(219) RAS Send to 69.88.15.244:2814
registrationReject {
  requestSeqNum = 18293
  protocolIdentifier = 0.0.8.2250.0.4
  rejectReason = undefinedReason null
  gatekeeperIdentifier = 10 characters {
    004f 0070 0065 006e 0048 0033 0032 0033 OpenH323
    0047 004b GK
  }
}
2005/03/01 13:24:19.017 5 RasSrv.cxx(233) RAS Sent Successful
2005/03/01 13:24:19.018 5 job.cxx(423) JOB Job RRQ deleted
2005/03/01 13:24:19.018 5 job.cxx(412) JOB Worker threads: 6 total - 5 busy, 1 idle
Please help me.

Jami
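
Added example, not from the posts or from FreeRADIUS: the CHAP check behind "Could not find clear text password", which is the same MD5 construction EAP-MD5 uses in the EAP-MD5 + LDAP thread above. It shows that the expected response can only be computed from the cleartext secret; the password, challenge and identifier in demo() are constructed.

```python
"""CHAP (RFC 1994) response check; EAP-MD5 uses the same MD5 construction."""
import base64
import hashlib
import hmac


def split_chap_password(attr):
    """Split CHAP-Password into (identifier, 16-byte MD5 response)."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 17 bytes, got %d" % len(attr))
    return attr[0], attr[1:]


def chap_response(ident, secret, challenge):
    """MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify(chap_password, challenge, stored_secret):
    """True if the peer's response is what stored_secret would produce."""
    ident, received = split_chap_password(chap_password)
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, received)


def demo():
    """Return (cleartext_ok, raw_md5_ok, base64_md5_ok) for constructed data."""
    password = b"example-password"   # constructed
    challenge = bytes(range(16))     # constructed, fixed for repeatability
    ident = 0x2A                     # constructed
    # The peer knows the cleartext and sends identifier + MD5 response.
    attr = bytes([ident]) + chap_response(ident, password, challenge)

    # Case 1: the server's store holds the cleartext password.
    cleartext_ok = verify(attr, challenge, password)

    # Case 2: the store holds only an MD5 digest of the password. The digest
    # cannot be turned back into the input the peer hashed, so the expected
    # response cannot be rebuilt from it.
    digest = hashlib.md5(password).digest()
    raw_md5_ok = verify(attr, challenge, digest)

    # Case 3: the digest in base64, which is 24 characters for 16 bytes, the
    # same length as the password value in the rlm_ldap log earlier on this
    # page.
    base64_md5_ok = verify(attr, challenge, base64.b64encode(digest))
    return cleartext_ok, raw_md5_ok, base64_md5_ok


if __name__ == "__main__":
    labels = ("cleartext", "raw MD5", "base64 MD5")
    for label, ok in zip(labels, demo()):
        print("%-10s stored -> %s" % (label, "accept" if ok else "reject"))
```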

