Mysql Accounting Data from freeradius.
Hello All,

I'm using the default sql.conf for the Account start/stop information that will be inserted into the SQL database. However, I found some of the info was inserted into the SQL server. E.g.

NASPortType (I'm sure the request has this)
ConnectInfo_start
ConnectInfo_stop
CalledStationId (should be the NAS MAC)
FramedProtocol (the IP address from ippool?)
FramedIPAddress (same as above but is subnet)

Can anyone tell me why and how to make them work?

Regards,

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Reload NAS table on freeradius after record update
Mmmhh... with a HUP signal the radius server reloads the config data, but the server may drop a few authentication requests at that time... Other solutions?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mitchell, Michael J
Sent: Wednesday, 2 March 2005 08:55
To: freeradius-users@lists.freeradius.org
Subject: RE: Reload NAS table on freeradius after record update

Yes, you have to send the server a HUP.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luca Lafranchi
Sent: Wednesday, 2 March 2005 6:49 PM
To: freeradius-users@lists.freeradius.org
Subject: Reload NAS table on freeradius after record update

Hi,

The NAS table is read at freeradius startup. Is it possible to reload this table when I change a record (for example, update the nasname field with a new client IP)?

Thank you
Luca
How to send SIGHUP signal to server ( radiusd )
Hi,

I am starting with freeRADIUS! Can anyone help me with how to send SIGHUP to the server daemon (radiusd) to let it know about changes to configuration files?

Thanks,
Murali.
RE: How to send SIGHUP signal to server ( radiusd )
Same way you would to any other process.

    $ kill -HUP process-id

Guy
EAP-SIM Proxy
Hello, Does everyone know if freeradius-0.9.1 supports eap-sim radius requests proxy? I am just concerned about freeradius proxy functionality, not acting as an end server. It seems to work with later versions like 1.0.2, but on 0.9.1 I get a bad authenticator message. Regards, Paulo Rolo
Re: post-auth
Dustin Doris wrote:
> On Mon, 28 Feb 2005, Chan Min Wai wrote:
> > Greeting,
>
> For example, if you did
>
>     exec test {
>         wait = yes
>         program = /pathto/somefile
>         input_pairs = request
>         output_pairs = reply
>         packet_type = Access-Accept
>     }
>
> Then in the script you should be able to get the environmental variable of nas-ip-address. In shell, it would be $NAS_IP_ADDRESS
>
> Check out doc/variables.txt, especially
>
> If you want to see the list of all of the variables, try adding a line 'printenv > /tmp/exec-program-wait' to the script. Then look in the file for a complete list of variables.

Oh, this is working great. Thank you.

However, I have one problem, about the input pairs. As I said before, I need the values below, but 2 of them are in the reply and 2 are in the request. Is there any way I can pass them through somehow?

Regards

the variable for this script is
1) the NAS ip (the dhcp object class)
2) the Client MAC address
3) the ip address from ippool
4) the subnet from the ippool
about realm problem
Hi All:

I have a big problem!! I have a radius server and 10 clients. How can I make some clients use [EMAIL PROTECTED] and some clients just use account? My radius server version is 0.9.3.

Example: 2 clients, one can use [EMAIL PROTECTED], the other just uses the user account.

    //clients
    100.100.100.100 norealm.com
    100.100.1.2 realm.com

    //proxy.conf
    realm 100.100.100.100 {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
    }
    realm DEFAULT {
        type = radius
        authhost = 100.100.111.10:1812
        accthost = 100.100.111.10:1813
        secret = gogorealm
        nostrip
    }

Then?? Can anyone help?? Thx a lot.
Re: post-auth
Chan Min Wai wrote:
> Dustin Doris wrote:
>
> the variable for this script is
> 1) the NAS ip (the dhcp object class)
> 2) the Client MAC address
> 3) the ip address from ippool
> 4) the subnet from the ippool

Strange... I've solved it this way:

    exec test {
        wait = yes
        program = "/bin/bash /usr/local/bin/test %{Calling-Station-id} %{Nas-Ip-Address}"
        input_pairs = reply
        output_pairs = reply
    }

/usr/local/bin/test:

    #!/usr/bin/bash
    # testing script
    # dump the whole environment passed in by the exec module
    printenv > /tmp/exec-program-wait
    # reply attributes arrive as environment variables
    echo $FRAMED_IP_ADDRESS $FRAMED_IP_NETMASK > /tmp/radtest
    # request attributes are passed as arguments
    echo $1 >> /tmp/radtest
    echo $2 >> /tmp/radtest
    exit

    cat /tmp/radtest
    192.168.0.206 255.255.255.0
    00-11-09-5f-a9-8b
    192.168.0.16

Interesting :) Is this the right way?
Problem to produce certificates with CA.all
I would like to produce certificates with CA.all. When I produce them, I have an error on the certificate server Cert-svr.

    Certificate is to be certified until Mar 1 10:23:02 2009 GMT (1460 days)
    Sign the certificate? [y/n]:y
    failed to update database
    TXT_DB error number 2
    + openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
    No certificate matches private key
    + openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:whatever -passout pass:whatever
    19393:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
    + openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
    unable to load certificate
    19394:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:637:Expecting: TRUSTED CERTIFICATE
    + echo -e '\n\t\t##\n'

What to do?? Help me please.

Patrice
freeradius conf.
Dear,

Recently I have installed freeradius, and I have some problem with password auth. I have created a new user:pradeep with pass:123456. When I tried to test the auth with debug mode enabled, using the command

    radtest pradeep 123456 localhost:1812 0 testing123

it generates the following message:

    rad_recv: Access-Request packet from host 127.0.0.1:32783, id=176, length=59
        User-Name = pradeep
        User-Password = 123456
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
    modcall: entering group authorize for request 1
    modcall[authorize]: module preprocess returns ok for request 1
    modcall[authorize]: module chap returns noop for request 1
    modcall[authorize]: module eap returns noop for request 1
    rlm_realm: No '@' in User-Name = pradeep, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 1
    users: Matched DEFAULT at 152
    modcall[authorize]: module files returns ok for request 1
    modcall[authorize]: module mschap returns noop for request 1
    modcall: group authorize returns ok for request 1
    rad_check_password: Found Auth-Type System
    auth: type System
    modcall: entering group authenticate for request 1
    rlm_unix: [pradeep]: invalid password
    modcall[authenticate]: module unix returns reject for request 1
    modcall: group authenticate returns reject for request 1
    auth: Failed to validate the user.
    Delaying request 1 for 1 seconds
    Finished request 1

Please help me find where I have made a mistake in the conf.

Regards
Pradeep
Re: Reload NAS table on freeradius after record update
Nope, that's it. There is no other way. The server should only be down for a couple of seconds...

Luca Lafranchi wrote:
> Mmmhh... with a HUP signal the radius server reloads the config data, but the server may drop a few authentication requests at that time... Other solutions?
Secondary SQL accounting instance needed
Before I go forth and break my radius and have a few thousand people looking for me:

I want to collect the currently allocated IP address and username into a separate MySQL table. If the user (= key) exists, update the IP; if the user does not exist, add user and IP.

I (think that I) understand that I need to have a second instance of 'sql'. So, inside the default 'sql.conf' file, I need to change a line near the top of the file from

    sql {

to something like

    sql sql_main {

and then add another named section such as

    sql sql_catch_ip {
        driver = rlm_sql_mysql
        server = DBserver.mydomain.com
        login = radius-login
        password = radius-password
        radius_db = radius
        sqltrace = yes
        sqltracefile = ${logdir}/sqltrace_catch_ip.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 60
        accounting_start_query = "INSERT into ip-table (UserName, Realm, FramedIPAddress) values('%{Stripped-User-Name}', '%{Realm}', '%{Framed-IP-Address}')"
        accounting_start_query_alt = "UPDATE ip-table SET FramedIPAddress = '%{Framed-IP-Address}' WHERE UserName = '%{Stripped-User-Name}'"
    }

Then, in radiusd.conf, wherever I currently have 'sql', I change that to the (new) instance name sql_main, and in addition, in the accounting section, also add a line sql_catch_ip...

Am I missing anything else?

--
Mark J Elkins, Cisco CCIE
Posix Systems - Sth Africa
Want to add details to MySQL
I want to put the contents of radius.log into a MySQL Database - in **real time**, i.e. lines that read something like...

    Fri Feb 25 18:50:37 2005 : Auth: Login OK: [EMAIL PROTECTED] (from client adsl1 port 123456789)

How do I do this? This is so various support type people can see when things go wrong... e.g.

    Mon Feb 21 17:50:04 2005 : Auth: Login incorrect (rlm_pap: User password not available): [EMAIL PROTECTED]/testpass] (from client adsl1 port 123456789)

... and fix the problem. All my current interfaces are in web/php/apache - on different machines from where the flat file info is currently logged...

--
Mark J Elkins, Cisco CCIE
Posix Systems - Sth Africa
Re: Secondary SQL accounting instance needed
Hi Mark,

yes, you can.

You don't need to log the stop ticket? This could be useful.

Regards
Thomas
Problem with DialupAdmin (blank page)
I write again, because I didn't find a solution to my problem (I searched on Mail Archive).

Hello All!

I have a problem. If I click link New User, New Group or Radius Clients in Dialup Admin application then a blank page is displayed. I work under Debian release 3 with freeradius 1.0.1-2 (from package), mysql 3.23.49, php4 4.1.2, apache 1.3.26. This problem doesn't appear under freeradius version below 1.0.

http://www.ziolek.piotrkow.pl/byzydury/Clipboard01.jpg

Thanks for answers.

--
Tomasz Zieliński [EMAIL PROTECTED]
Re: Problem with DialupAdmin (blank page)
On Wed, 2 Mar 2005, Zet wrote:
> I write again, because I didn't find a solution to my problem (I searched on Mail Archive).
>
> Hello All!
>
> I have a problem. If I click link New User, New Group or Radius Clients in Dialup Admin application then a blank page is displayed. I work under Debian release 3 with freeradius 1.0.1-2 (from package), mysql 3.23.49, php4 4.1.2, apache 1.3.26. This problem doesn't appear under freeradius version below 1.0.
>
> http://www.ziolek.piotrkow.pl/byzydury/Clipboard01.jpg

You have not enabled mysql support in php. That's the most common reason for what you're seeing.

> Thanks for answers.
> --
> Tomasz Zieliński [EMAIL PROTECTED]

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Re: Error: rlm_sql: unknown attribute Cisco-VSA
Hi,

I tried as you told; now there is no error. But the call is not going to terminate after a certain time. Here is the attachment of the cisco AccessRequest:

    DEMO 02.03.05 15:03:56, (2+) ,Recv 212.77.213.11:1812 Radius AccessAccept {
        session id = 3
        Cisco VSA( 1): h323-credit-time = h323-credit-time=10
    }
Re: Want to add details to MySQL
On Wed, 2 Mar 2005, Mark Elkins wrote:
> I want to put the contents of radius.log into a MySQL Database - in **real time**, i.e. lines that read something like...
>
>     Fri Feb 25 18:50:37 2005 : Auth: Login OK: [EMAIL PROTECTED] (from client adsl1 port 123456789)
>
> How do I do this? This is so various support type people can see when things go wrong... e.g.
>
>     Mon Feb 21 17:50:04 2005 : Auth: Login incorrect (rlm_pap: User password not available): [EMAIL PROTECTED]/testpass] (from client adsl1 port 123456789)
>
> ... and fix the problem. All my current interfaces are in web/php/apache - on different machines from where the flat file info is currently logged...

For bad logins, see bin/log_badlogins in dialupadmin. You can also use the postauth facility of rlm_sql. If we are talking about successful logins you don't need to do much, they will appear on the accounting table automatically (if you've enabled mysql accounting).

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Re: Dialup-Admin-badusers, mtotacct totacct table not filled.
On Tue, 1 Mar 2005, zack musa wrote:
> Hi,
>
> My problem is at the dialup admin. I'm using NoCat Gateway as the Client and a linux PC for my FR server. These three tables inside my MySQL db seem not filled. I try to run the log_badlogins script but there is an error saying that the sql binary file could not be found. From the admin.conf, the path is correct. The error message states:
>
>     ..sql binary file not found. make sure $sqlcmd variable points to right location.

Make sure that sql_command points to the location of the mysql binary.

> How to make the server use the related scripts and write to the totacct table, mtotacct table and the badusers table? Which other file do I need to change to make the tables filled during the accounting process?

You need to run tot_stats for totacct, monthly_tot_stats for mtotacct and log_badlogins for logging bad logins. badusers is a helper table which can be used to store bad user history. It will usually remain empty. Please read doc/HOWTO in dialupadmin for more information.

> Thanks.

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
RE: Ip pool management
Hi,

I've followed the instructions in radiusd.conf.

My users file looks like this:

    DEFAULT Service-Type == Framed-User
            Pool-Name := osiris-pool,
            Framed-Protocol = PPP,
            Framed-MTU = 576

And in my radiusd.conf I have:

    post-auth {
        # Get an address from the IP Pool.
        # main_pool
        osiris-pool
        ...
    }
    modules {
        ...
        ippool osiris-pool {
            range-start = 192.168.52.1
            range-stop = 192.168.52.254
            netmask = 255.255.255.0
            cache-size = 800
            session-db = ${raddbdir}/db.ippool
            ip-index = ${raddbdir}/db.ipindex
        }
    }

I get this error:

    rlm_ippool: could not find Pool-Name attribute

And my client doesn't get back the IP. I surely miss something. Could someone help me please?

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, 1 March 2005 18:50
To: freeradius-users@lists.freeradius.org
Subject: Re: Ip pool management

Sébastien Cantos [EMAIL PROTECTED] wrote:
> I would like to configure my radius to give the first available IP in the subnet 192.168.52.0/24 without caring about the NAS modem number. Is there a way to configure this?

Read radiusd.conf. Look for ippool

Alan DeKok.
Re: Password Learning?
On Tue, 2005-03-01 at 17:26, Alan DeKok wrote:
> Nick Bright [EMAIL PROTECTED] wrote:
> > My question is this: Can FreeRADIUS *learn* passwords, if a user has no password set? What I mean is that when it queries the database, if it finds a NULL password, it would *SET* the password to whatever was submitted?
>
> If you run an external script, yes.

Could you be a little more specific? I don't see how to do that right off. If you could point me in the right direction, I think I could figure it out.

> Alan DeKok.

--
Nick Bright
Terraworld, Inc
http://home.terraworld.net
Re: rlm_chap problem
Mahmud Jami [EMAIL PROTECTED] wrote:
> I told the server the correct password, but the server fails to authenticate. It shows the same rlm_chap error.

shrug The CHAP module doesn't know what the correct password is.

Alan DeKok.
Re: Want to add details to MySQL
Mark Elkins wrote:
> I want to put the contents of radius.log into a MySQL Database - in **real time**, i.e. lines that read something like...
>
>     Fri Feb 25 18:50:37 2005 : Auth: Login OK: [EMAIL PROTECTED] (from client adsl1 port 123456789)
>
> How do I do this?

Easy. You need to write a script, e.g. in PHP or Perl, that tails the radius.log and inserts data into a database, i.e.

    tail -f radius.log | perl someperlscript.pl

In someperlscript you simply do an infinite loop that reads from STDIN and inserts it into a proper SQL database.

Vladimir
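An added example, not part of the original thread or of FreeRADIUS: a Python version of the tail-and-insert loop described above, which parses the Auth lines quoted in the thread and drops the password that a failed-login line can carry after the "/" before anything is stored. The table layout, the sample user names and the use of sqlite3 in place of MySQL (so that it runs offline) are assumptions.

```python
import re
import sqlite3
import sys
from datetime import datetime

# Auth lines as quoted in the thread:
#   <ctime> : Auth: Login OK: [user] (from client <nas> port <n>)
#   <ctime> : Auth: Login incorrect (<reason>): [user/password] (from client ...)
# The greedy "cred" group plus the end-of-line anchor bind client and port to
# the trailing, server-written fields, so a User-Name that embeds a fake
# "] (from client ...)" cannot overwrite them.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"(?P<result>Login OK|Login incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<cred>.*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)\)\s*$"
)

# Hypothetical table; there is deliberately no password column.
SCHEMA = """
CREATE TABLE IF NOT EXISTS auth_log (
    logged_at TEXT NOT NULL,
    result    TEXT NOT NULL,
    reason    TEXT,
    username  TEXT NOT NULL,
    client    TEXT NOT NULL,
    port      INTEGER NOT NULL,
    password_was_logged INTEGER NOT NULL
)"""

INSERT = """
INSERT INTO auth_log
VALUES (:logged_at, :result, :reason, :username, :client, :port,
        :password_was_logged)"""


def parse_auth_line(line):
    """Return a dict for an Auth line, or None for any other log line."""
    m = AUTH_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    # Assumption: the first "/" separates user name and logged password, so a
    # user name containing "/" is cut short rather than a password being kept.
    username, slash, _password = m.group("cred").partition("/")
    when = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return {
        "logged_at": when.isoformat(sep=" "),
        "result": m.group("result"),
        "reason": m.group("reason"),
        "username": username,
        "client": m.group("client"),
        "port": int(m.group("port")),
        "password_was_logged": 1 if slash else 0,
    }


def ingest(lines, conn):
    """Insert every Auth line from an iterable of log lines; return the count."""
    conn.execute(SCHEMA)
    stored = 0
    for line in lines:
        record = parse_auth_line(line)
        if record is None:
            continue
        conn.execute(INSERT, record)  # bound parameters, no string formatting
        conn.commit()                 # per line, so readers see it immediately
        stored += 1
    return stored


# Constructed sample lines in the format shown in the thread.
SAMPLE = [
    "Fri Feb 25 18:50:37 2005 : Auth: Login OK: [alice@example.test] "
    "(from client adsl1 port 123456789)",
    "Mon Feb 21 17:50:04 2005 : Auth: Login incorrect (rlm_pap: User password "
    "not available): [bob@example.test/testpass] "
    "(from client adsl1 port 123456789)",
    "Wed Mar  2 20:44:04 2005 : Info: rlm_sql (sql): Unsupported "
    "Acct-Status-Type = 9",
]

if __name__ == "__main__":
    # Fed from the pipe, e.g.: tail -f radius.log | python3 this_script.py
    ingest(sys.stdin, sqlite3.connect("auth_log.db"))
```

The password_was_logged flag shows support staff that the server is writing cleartext passwords to radius.log without copying them into a second store.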
Re: Duplicate Accounting Records with V92 Modems
Stephen D. Bechard [EMAIL PROTECTED] wrote:
> It appears that anyone authenticating with a V92 modem that is submitting a Acct_multi_session_id is being logged into the rad_acct table and the detail file with duplicate entries.

Then the NAS is sending the packets twice.

Alan DeKok.
Re: Reload NAS table on freeradius after record update
Luca Lafranchi [EMAIL PROTECTED] wrote:
> Mmmhh... with a HUP signal the radius server reloads the config data, but the server may drop a few authentication requests at that time...

No, it won't.

Alan DeKok.
Re: How to send SIGHUP signal to server ( radiusd )
Murali Krishna G wrote:
> Hi, I am starting with freeRADIUS! Can anyone help me with how to send SIGHUP to the server daemon (radiusd) to let it know about changes to configuration files?

SIGHUP is signal -1 for kill, so find the process id (pid) of the radiusd process and send it the -1 signal, i.e.

    kill -1 pid

Vladimir
Re: EAP-SIM Proxy
Paulo Rolo [EMAIL PROTECTED] wrote:
> Does everyone know if freeradius-0.9.1 supports eap-sim radius requests proxy? I am just concerned about freeradius proxy functionality, not acting as an end server. It seems to work with later versions like 1.0.2, but on 0.9.1 I get a bad authenticator message.

You shouldn't be running 0.9.1 at all. But it *should* be able to blindly proxy any packet containing EAP-Message.

Alan DeKok.
Re: Ip pool management
Sébastien Cantos [EMAIL PROTECTED] wrote:
> I've followed the instructions in radiusd.conf.
> My users file looks like this:
>
>     DEFAULT Service-Type == Framed-User
>             Pool-Name := osiris-pool,

You did not follow the instructions in radiusd.conf. The Pool-Name attribute should go on the first line.

If you had run the server in debugging mode, the server would have told you this.

Alan DeKok.
Re: Want to add details to MySQL
Mark Elkins wrote:
> I want to put the contents of radius.log into a MySQL Database - in **real time**. How do I do this?

See http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/doc/Post-Auth-Type?rev=1.4

--
Nicolas Baradakis
Re: How to send SIGHUP signal to server ( radiusd )
> SIGHUP is signal -1 for kill, so find the process id (pid) of the radiusd process and send it the -1 signal, i.e.
>
>     kill -1 pid
>
> Vladimir

kill -HUP pid works too!!

Regards,
Pete

Peter P. Benac, CCNA
Emacolet Networking Services, Inc
Re: Password Learning?
Nick Bright [EMAIL PROTECTED] wrote:
> Could you be a little more specific? I don't see how to do that right off. If you could point me in the right direction, I think I could figure it out.

My suggestion would be to run a script if the user fails authentication, to check if the password is in the SQL database, and add it, if not. This means that the user's first request will be rejected, but the second one will be OK.

There is NO facility within the server to do complex updates like this, because those updates are not normally part of authenticating the user.

Alan DeKok.
Problem with FreeRadius starting up
Hello All:

I'm running FreeRadius 0.9.3 on a server which uses Linux Redhat 9. Here is the problem. When I first installed FreeRadius about 8 months ago, I added the rc.radiusd script to my Linux startup. Lately, when I reboot my server, my Linux startup screen shows that FreeRadius has started up with no errors as it always has, but when I do a ps -aux from the Linux command line, it shows that it is not in the list of things running. I have to actually cd to /usr/local/sbin and start radiusd from there before FreeRadius will work correctly again.

The weird thing is, this has not always been an on-going problem. It just started about 2 months ago. I thought for a while that it was my Linux server, but everything else on the server starts normally when I reboot. The only thing that does not start is FreeRadius. Again, Linux is showing that it is starting, but in reality, it's not.

Any help would be appreciated. Thank you.

Linda Pagillo
Director of Technical Services
N2 The Net
IP Pool management into MySQL
Hello,

I'm working in a failover scenario where a NAS has two freeradius servers configured and, in case of failure of the currently active radius, it will forward the queries to the backup radius. This is working fine with no problem.

The problem is that if I'm using DHCP I have to manage the pool in the NAS because freeradius stores the status of the pool locally. Is there a way to move ip pool mgmt into MySQL so that, in case of failure of the active, the backup radius can get the status of the pool?

Thanks in advance. Regards
--
David Manchado
Re: Problem with FreeRadius starting up
Send us your start up script. Here it runs like this:

    # Start the Radius daemon:
    if [ -f /usr/local/sbin/radiusd ]; then
        echo -n "Starting radius"
        /usr/local/sbin/radiusd -y
    fi

[]'s

Hamilton Vera
Seven Internet http://lib.seven.com.br
Re: Problem with FreeRadius starting up
That warm fuzzy status indicator as thus: [ OK ] is just that. It can be fooled.

If I recall right, there's an init script and a .spec file for building rpms in the tarball.

Enjoy,

Scott Edwards
--
Daxal Communications - http://www.daxal.com
Re: Problem with FreeRadius starting up
Make sure that the rc.radiusd script (probably /etc/init.d/radiusd) is looking for the correct files. It just stops if it doesn't find them.
L2TP accounting
Hello, it seems freeradius does not support L2TP accounting for Tunnel-Start and Tunnel-Stop, it is not a problem because it works but I would like to know if there is any way to add support to account them. It's freeradius 1.0.1-2 (from debian/testing package) on a Debian box.

Wed Mar 2 20:44:04 2005 : Info: rlm_sql (sql): Unsupported Acct-Status-Type = 9
Wed Mar 2 20:44:19 2005 : Error: rlm_radutmp: NAS racceso4 port 0 unknown packet type 10)
Wed Mar 2 20:44:19 2005 : Info: rlm_sql (sql): Unsupported Acct-Status-Type = 10
Wed Mar 2 20:44:19 2005 : Error: rlm_radutmp: NAS racceso4 port 0 unknown packet type 10)
Wed Mar 2 20:44:19 2005 : Info: rlm_sql (sql): Unsupported Acct-Status-Type = 10

Thanks in advance, regards -- David Manchado
PEAP with Active Directory
Hi all, I've got a freeradius 1.0.1 server running fine with OpenLDAP and now I would like to authenticate against an Active Directory server. I can do it with TLS, but when I try to do it with PEAP, it doesn't work. I read about it and found out that should be put on radiusd.conf something with ntlm_auth. On my mschap section I have:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

And my log is attached (sorry if too long). Does anybody know what should I do? It is possible to do what I want to? I apologize in advance if it is very simple. Thanks for any help!
freeradius and LDAP
I am in the process of setting up a Samba PDC. All user info is stored in LDAP. All users also have a matching SHAA hashed UNIX password that is also stored in LDAP. I have all of that set up and it's working fine. The other thing that I want to do is allow users to use this username and password for VPN access. It is currently configured to use PAP (in a test scenario) and seems to work well, however I am concerned about password encryption between the RADIUS client and RADIUS server and was hoping someone could offer an alternative or advice. Our current setup consists of our main firewall running l2tpd and openswan. RADIUS, LDAP, and Samba are all running on a separate server. When using PAP, the password is sent in clear text. The password is sent through the VPN to the firewall, so it's never exposed to the internet but passwords must be encrypted even when sent inside our LAN. I would like to use mschap v2, but it seems that it will not work with LDAP, is this correct? If I cannot use mschap v2, is there another way to encrypt the passwords or use some sort of challenge authentication? Thanks, Thomas
Re: Password Learning?
On Wed, 2005-03-02 at 11:51, Alan DeKok wrote: Nick Bright [EMAIL PROTECTED] wrote: Could you be a little more specific? I don't see how to do that right off. If you could point me in the right direction, I think I could figure it out. My suggestion would be to run a script if the user fails authentication, to check if the password is in the SQL database, and add it, if not. I'll look in the documentation to see how to do this, thanks. This means that the user's first request will be rejected, but the second one will be OK. Whatever it takes :) There is NO facility within the server to do complex updates like this, because those updates are not normally part of authenticating the user. Yeah, and it really /shouldn't/ need to be. This is more of a custom kludge to solve a specific problem. . . though perhaps that might be a nifty module to have in the software? Something someone in my situation could enable to allow migration from one server to another when passwords are encrypted. Although I just had a thought. I can put the unix Crypt()'d password in the database if I use Password-Crypt (I think that's the flag, I'll look in the docs, I know I've seen it). Alan DeKok. -- Nick Bright Terraworld, Inc 888-332-1616 x315 http://home.terraworld.net
PEAP with Active Directory
Sorry the log file was not attached, here it goes. Hi all, I've got a freeradius 1.0.1 server running fine with OpenLDAP and now I would like to authenticate against an Active Directory server. I can do it with TLS, but when I try to do it with PEAP, it doesn't work. I read about it and found out that should be put on radiusd.conf something with ntlm_auth. On my mschap section I have:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

And my log is attached (sorry if too long). Does anybody know what should I do? It is possible to do what I want to? I apologize in advance if it is very simple. Thanks for any help!

rad.log Description: Binary data
Re: Radrealay and coredumps...
Okay, i'm about 90% certain i've blown away everything before rebuilding. (i guess this is what i get for having four different versions on the machine in the last couple years...)

both were built with the environment variables

CC opt/csw/gcc3/bin/gcc -m64
PATH=/usr/bin:/sbin:/usr/sbin:/opt/oracle/products/9.2.0/bin:/usr/local/bin:/usr/local/sbin:/tools/scripts:/tools/scripts/radius:/opt/sfw/bin:/opt/sfw/sbin:/opt/csw/bin:/opt/csw/sbin:/usr/ccs/bin:/usr/openwin/bin:/usr/ucb:/etc:.
CLASSPATH=/usr/local/jdk1.4/lib/ojdbc14.jar:/usr/local/jdk1.4/lib/tools.jar:/usr/local/jdk1.4/jre/lib/rt.jar:.

the first one (without --disable-shared) also had:

ORACLE_BASE=/opt/oracle
ORACLE_HOME=/opt/oracle/products/9.2.0
ORACLE_SID=RADIUS

the second one (with --disable-shared) didn't link in a required library from oracle so i rebuilt it without the oracle info. (it was just quicker that way)

gcc version 3.3.2
make is gmake 3.80

rebuilt once with

./configure --prefix=/usr/local --with-rlm--dbm=/opt/csw/bdb4 --enable-developer
make
make install

run radrelay on the data from the pdsn, still cores with:

warning: Couldn't find general-purpose registers in core file.

blow everything away and build with

./configure --prefix=/usr/local --with-rlm-dbm=/opt/csw/bdb4 --disable-shared --enable-developer
make
make install

run radrelay on the data from the pdsn and still cores with

warning: Couldn't find general-purpose registers in core file. (this is from inside gdb)

p.s. i took a couple days to do this to ensure the data i was getting off the pdsn would be from the current build without the extra modules

-- Terry J Fike Jr System Administrator MTA Solutions 907-793-4100 [EMAIL PROTECTED]
unsafe character in username make a radiusd segmentation fault ?
hi recently we are getting too many freeradius faults (more than 5 per day), each fault makes the radiusd terminate :-( , we have a script to restart it but ... that is not the solution. today we decided that we should take the time and look more closely no matter how much more downtime we had because the service is already _bad_. we found a user that keeps sending her username with a newline character plus a lot of blank spaces and when radiusd gets that request it makes a segmentation fault and dies, here is the output of the radiusd in debug mode:

modcall[authorize]: module sql2 returns ok for request 839
modcall: group redundant returns ok for request 839
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime - GREATEST((1109653200 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1109653200''
radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1109653200 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='negri ' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1109653200''
sqlcounter_expand: '%{sql1:SELECT SUM(AcctSessionTime - GREATEST((1109653200 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='negri ' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1109653200'}'
radius_xlat: Running registered xlat function of module sql1 for string 'SELECT SUM(AcctSessionTime - GREATEST((1109653200 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='negri ' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1109653200''
rlm_sql (sql1): - sql_xlat
radius_xlat: 'negri '
rlm_sql (sql1): sql_set_user escaped user -- 'negri '
radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1109653200 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='negri ' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1109653200''
rlm_sql (sql1): Reserving sql socket id: 8
rlm_sql (sql1): - sql_xlat finished
rlm_sql (sql1): Released sql socket id: 8

we tested the mysql query using the mysql standard client and if a new line character is sent the query returns a NULL value, ie not a string formed by digits (a number ?). I mention that because in line 355 of the file src/modules/rlm_sqlcounter/rlm_sqlcounter.c the function atoi() is used:

counter = atoi(querystr);

and i'm not sure what will happen if querystr does not have digits (for example a NULL result for the query). we changed that line for this one:

if( ( counter = strtol( querystr, (char **)NULL, 10) ) == 0 ) { return 0; };

but we couldn't test it because the user also fixed her dialer client :-( and we don't know how to send a line break in the user name attribute :-(

we are using: Freeradius-1.0.1 (from the sources released from RHEL3 but compiled by ourselves because we need the sqlcounter module), centOS-3.4 (with all the updates applied)

we really appreciate any hint or help in this subject

thanks roger

PS: the previous output is taken from a file generated from this command line: radiusd -xx 21 debug.txt , in this case i could not get the newline character but if i get the sql query from the stdout (using the mouse) i will get the newline character.

-- Central node of the Infomed network (http://www.sld.cu) Linux user: 97152 (http://counter.li.org) Member of the LinuxCuba coordination group (http://www.linux.cu) Whatever you do will be insignificant, but it is very important that you do it. Gandhi
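The two checks the message above points at, as an added example (not code from the original post or from FreeRADIUS): flagging a User-Name that carries control characters, and converting a counter query result with strtol() instead of atoi(). The function names, the sample values and the choice to treat a missing SUM() result as zero usage are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of converting a counter query result (names are illustrative). */
enum counter_status {
    COUNTER_OK = 0,        /* *out holds a non-negative value          */
    COUNTER_NO_VALUE,      /* NULL pointer or empty/blank string       */
    COUNTER_MALFORMED,     /* no digits, or trailing non-space garbage */
    COUNTER_OUT_OF_RANGE   /* negative, or too large for an int        */
};

static int is_blank(char c) { return c == ' ' || c == '\t' || c == '\n' || c == '\r'; }

/* atoi() has undefined behaviour on a NULL pointer and cannot report
 * errors: "", "NULL" and "0" all come back as 0. strtol() with an end
 * pointer and errno lets the caller tell these cases apart. */
enum counter_status parse_counter(const char *s, int *out)
{
    char *end = NULL;
    long v;
    if (s == NULL)
        return COUNTER_NO_VALUE;
    while (is_blank(*s))
        s++;
    if (*s == '\0')
        return COUNTER_NO_VALUE;
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s)                       /* no digits were consumed */
        return COUNTER_MALFORMED;
    while (is_blank(*end))
        end++;
    if (*end != '\0')                   /* e.g. "12abc" */
        return COUNTER_MALFORMED;
    if (errno == ERANGE || v < 0 || v > INT_MAX)
        return COUNTER_OUT_OF_RANGE;
    *out = (int)v;
    return COUNTER_OK;
}

/* SUM() over zero matching rows is NULL in SQL, so "no value" is treated
 * here as zero usage (an assumption); malformed or out-of-range results
 * fail closed. Returns 0 on success, -1 on failure. */
int counter_from_sql(const char *sql_result, int *counter)
{
    enum counter_status st = parse_counter(sql_result, counter);
    if (st == COUNTER_NO_VALUE)
        *counter = 0;
    return (st == COUNTER_OK || st == COUNTER_NO_VALUE) ? 0 : -1;
}

/* User-Name is a length-delimited attribute, so scan by length and flag
 * any control byte (newline, CR, tab, NUL, DEL). Returns 1 if found. */
int username_has_control_chars(const unsigned char *name, size_t len)
{
    size_t i;

    for (i = 0; i < len; i++)
        if (name[i] < 0x20 || name[i] == 0x7f)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed samples: a padded name with a newline, and result strings. */
    const unsigned char bad_name[] = "negri\n    ";
    const char *results[] = { NULL, "", "3600", "NULL", "12abc", "-5" };
    size_t i;
    int counter, rc;

    printf("control chars: %d\n", username_has_control_chars(bad_name, sizeof bad_name - 1));
    for (i = 0; i < sizeof results / sizeof results[0]; i++) {
        counter = -1;
        rc = counter_from_sql(results[i], &counter);
        printf("%-6s rc=%d counter=%d\n", results[i] ? results[i] : "(null)", rc, counter);
    }
    return 0;
}
```

A caller that gets -1 back should reject or log the request rather than continue with an unset counter.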
(no subject)
[EMAIL PROTECTED]
Q: PPTP + PPP + Freeradius + LDAP
hello, do you think it is possible to make vpn (MPPE + mschapv2) with poptop that auth with freeradius on a LDAP server ? CLIENT - INTERNET Server PPTP + Radius --- LAN LDAP thanks sharky
Re: L2TP accounting
David Manchado [EMAIL PROTECTED] wrote: it seems freeradius does not support L2TP accounting for Tunnel-Start and Tunnel-Stop, it is not a problem because it works but I would like to know if there is any way to add support to account them. Edit src/modules/rlm_sql/* to have an SQL query for that status type, and then do something with it. Alan DeKok.
Re: freeradius and LDAP
Thomas Simmons [EMAIL PROTECTED] wrote: When using PAP, the password is sent in clear text. Sent in what protocol? RADIUS does no such thing. The password is sent through the VPN to the firewall, so it's never exposed to the internet but passwords must be encrypted even when sent inside our LAN. RADIUS does that. Alan DeKok.
Re: Radrealay and coredumps...
Terry J Fike Jr [EMAIL PROTECTED] wrote: run radrelay on the data from the pdsn and still cores with warning: Couldn't find general-purpose registers in core file. (this is from inside gdb) I'm not sure what else to suggest. It really looks like the compiler tools on your system don't produce usable binaries. I've *never* seen this problem on Solaris, but I've always used GCC. Alan DeKok.
RE: PPTP + PPP + Freeradius + LDAP
Yes, but you will have to be more specific so someone can help you ! Regards, Edvin Seferovic -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shark Sent: Wednesday, 2 March 2005 22:16 To: freeradius-users@lists.freeradius.org Subject: Q: PPTP + PPP + Freeradius + LDAP hello, do you think it is possible to make vpn (MPPE + mschapv2) with poptop that auth with freeradius on a LDAP server ? CLIENT - INTERNET Server PPTP + Radius --- LAN LDAP thanks sharky
RE: PPTP + PPP + Freeradius + LDAP
Oki, i thought because i wanted MS-Chap V2 i was forced to do Auth-Type = Local,... but i have not tried yet the Auth-Type = LDAP with my users configurations. do you think it should work ? On Wed, 2005-03-02 at 22:31, Seferovic Edvin wrote: Yes, but you will have to be more specific so someone can help you ! Regards, Edvin Seferovic -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shark Sent: Wednesday, 2 March 2005 22:16 To: freeradius-users@lists.freeradius.org Subject: Q: PPTP + PPP + Freeradius + LDAP hello, do you think it is possible to make vpn (MPPE + mschapv2) with poptop that auth with freeradius on a LDAP server ? CLIENT - INTERNET Server PPTP + Radius --- LAN LDAP thanks sharky
Re: Re: Radrealay and coredumps...
I'm not sure what else to suggest. It really looks like the compiler tools on your system don't produce usable binaries. I've *never* seen this problem on Solaris, but I've always used GCC. Alan DeKok Yea, i've used gcc to compile pretty much everything, and the weird thing is that this only breaks for the one NAS device. For everything else, radrelay works just fine. It goes through and reads all the dictionary files, and at the time it opens the detail file for relaying is the point it cores. And it only does it from the PDSN *shrug* Everything else works just fine...all my users authenticate just like normal...even from the pdsn, i get my accounting data just fine...even from the pdsn...*shrug* this just is not making any sense... -- Terry J Fike Jr System Administrator MTA Solutions 907-793-4100 [EMAIL PROTECTED]
Re: Re: Radrealay and coredumps...
Arg...okay, yea, it has got to be something funky with the machine i've been compiling on... As per some advice you gave earlier, i compiled this on a different sol9 box (never had freeradius on it before) copied the detail file from current radius server, and used the radrelay on the new box...sent just fine. i guess it is time to build me a new radius box... -- Terry J Fike Jr System Administrator MTA Solutions 907-793-4100 [EMAIL PROTECTED]
Re: Radrealay and coredumps...
Terry J Fike Jr [EMAIL PROTECTED] wrote: As per some advice you gave earlier, i compiled this on a different sol9 box (never had freeradius on it before) copied the detail file from current radius server, and used the radrelay on the new box...sent just fine. g When in doubt, blame the machine. FreeRADIUS is fine! Honest, it's fine! Alan DeKok.
Re: Packet of Disconnect
On Tue, Mar 01, 2005 at 12:52:52PM +1100, Mitchell, Michael J wrote: The information is in the PoD request. Kind of. From the NAS's perspective, the PoD only needs to contain the Acct-Session-Id. However obviously in order to proxy a request we at least need the NAS-IP-Address. I use this to map back to a Realm or a NAS which will ultimately handle the PoD. To ensure that bad things don't happen, the PoD *should* be treated sort of like an Access-Accept, and the server should see where the packet is proxied to. IF the home server is where the PoD request came from, then it's a real PoD request, and is sent to the NAS. Otherwise, it's dropped. I must admit, my solution is not that comprehensive, and I'm not sure if it would even be possible. A PoD doesn't REQUIRE a User-Name attribute, so it would be difficult in that instance to map a PoD back to an appropriate home server for the specified session (NAS-IP-Address Acct-Session-Id). The only attributes that are guaranteed (in my case) are NAS-IP-Address and Acct-Session-Id. My solution met my needs at the time as I had very specific requirements, and using freeRADIUS was the quickest way to a solution, as freeRADIUS obviously already has all the proxy and RADIUS packet handling logic, and is nice and modular, so it's easy to add this stuff quickly (even if it's not the best solution). I also haven't tried proxying directly to a NAS. Should be easy enough to set this up in our test lab though. Alan would be disgusted at my current butcher job ;-). However, I'll review what I have done (it was several months ago now) and report back as soon as I can (may take a few days though) - hopefully with something a little more elegant than I have currently. I'm also thinking about multi-level proxies... For the setup I'm using, the NAS talks to a pool of RADIUS proxies, which talk to my RADIUS server, which may then (based on realm) proxy to _another_ RADIUS server. 
I can't talk directly to the NAS (or at least, I doubt I can) so I can generate PoD and send them to the proxy server pool attached to the NAS, but if the one I'm proxying to wants to PoD, then I need some kind of reverse-realm map so I can determine where the PoD has to go, as unlike an Access-Accept, there's no Access-Request structure sitting in memory describing where to reply to. In my case, the reverse map can key by either NAS-IP-Address or Realm... I look forward to whatever you come up with. ^_^ Maybe an extension of the clients.conf? Your NAS or PoD next hop should be in there already... ^_^ There's also _another_ NAS + proxy pool that proxies to me, but they don't do PoD. (They have a webpage, but I've not been game to set up a wget-of-death). -- Paul TBBle Hampson, on an alternate email client.
freeradius conf.
Dear i haven't solved my problem please help me out.. pradeep..

Dear Recently I have installed freeradius (freeradius-0.9.3-1.i386.rpm), i have some problem in password auth. i have created new user:pradeep with pass:123456. when i tried to test the auth. enabling Debug mode, using command

radtest pradeep 123456 localhost:1812 0 testing123

it generates the following message:

rad_recv: Access-Request packet from host 127.0.0.1:32783, id=176, length=59
User-Name = pradeep
User-Password = 123456
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module eap returns noop for request 1
rlm_realm: No '@' in User-Name = pradeep, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 1
users: Matched DEFAULT at 152
modcall[authorize]: module files returns ok for request 1
modcall[authorize]: module mschap returns noop for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate for request 1
rlm_unix: [pradeep]: invalid password
modcall[authenticate]: module unix returns reject for request 1
modcall: group authenticate returns reject for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1

Please help me where i have made mistake in conf. Regards Pradeep..
Re: freeradius conf.
rad_check_password: Found Auth-Type System
rlm_unix: [pradeep]: invalid password

You are configured for Unix password validation and the password you gave is not the one the system has for that user id.

On Mar 2, 2005, at 23:10, Pradeep Nevatia wrote:

Dear i haven't solved my problem please help me out.. pradeep..

Dear Recently I have installed freeradius (freeradius-0.9.3-1.i386.rpm), i have some problem in password auth. i have created new user:pradeep with pass:123456. when i tried to test the auth. enabling Debug mode, using command

radtest pradeep 123456 localhost:1812 0 testing123

it generates the following message:

rad_recv: Access-Request packet from host 127.0.0.1:32783, id=176, length=59
User-Name = pradeep
User-Password = 123456
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module eap returns noop for request 1
rlm_realm: No '@' in User-Name = pradeep, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 1
users: Matched DEFAULT at 152
modcall[authorize]: module files returns ok for request 1
modcall[authorize]: module mschap returns noop for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate for request 1
rlm_unix: [pradeep]: invalid password
modcall[authenticate]: module unix returns reject for request 1
modcall: group authenticate returns reject for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1

Please help me where i have made mistake in conf. Regards Pradeep..