Re: EAP-TLS: check_cert_cn does not work?
Thank you for your answers, Mike.

Manuel Schmitz wrote:
>> Can I re-enable certs as well (with CRLs)?

> It *can* be done, but it's generally not advised. If you need to temporarily disable a client, then the more appropriate way would be an explicit deny for that username in the users file and make sure check_cert_cn is enabled.

How can I do exactly that? PEAP with an additional username check in raddb/users?

check_cert_cn is already working properly according to my log. :-)

--Manuel

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Called-Station-Id value??
Abdul Lateef [EMAIL PROTECTED] wrote:
> I have already read both files (variables.txt, Exec-Program-Wait) but I did not find any information about how to retrieve the value of Called-Station-Id in a Perl file.

Those documents describe how RADIUS attributes are put into environment variables. The Perl documentation describes how to access environment variables from a Perl program.

Alan DeKok.
Re: more detailed sql logging
Kris Efland [EMAIL PROTECTED] wrote:
> Clearly... As I said in my first email, there are no insert statements that coincide with what I am looking for, and thus my original question about crafting my own SQL statements.

It's not just a matter of crafting your own SQL statements. The module is not generic, in that it expects to do certain queries in a certain order. So there is NO statement you can add to sql.conf to make the module do things in a different order.

> _I would like this information logged to sql instead, how do I do that?_

Source code modifications.

>> Then your NAS isn't sending accounting requests to the server. See the FAQ.

> The information is already at my disposal, hence the log file.

Um... Access-Request packets are NOT accounting packets. You said that you listed sql in accounting, but the table had nothing in it. This is because the server is not receiving Accounting-Request packets. There is NO other explanation.

> I don't want to rely on the NAS to send the request or have to manage that in any way. Can I force the logging to SQL? I want to log ALL authentication requests to SQL; this seems like a pretty primitive feature. Thanks for the help.

Source code modifications.

Alan DeKok.
Re: radsqlrelay for 1.0.2
Bart Van Daal wrote:
> Nicolas, I'm currently using your radsqlrelay.c with the 1.0.2 release and I've patched the makefile. I'm very new to this whole patching and code-hacking thing. I'm getting the following error message while making radsqlrelay; thanks for any pointers on how to compile radsqlrelay.

The error messages below are related to libtool. Which version is installed on your system? FreeRADIUS 1.0.2 is supposed to be built with libtool 1.4.x; I don't know what happens when using libtool = 1.5.

> gcc -march=pentium3 -O3 -pipe -fomit-frame-pointer -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../include -DHOSTINFO=\\ -DRADIUSD_VERSION=\1.0.2\ -o xlat.o -c xlat.c
> gcc -march=pentium3 -O3 -pipe -fomit-frame-pointer -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../include -DHOSTINFO=\\ -DRADIUSD_VERSION=\1.0.2\ -c valuepair.c
> gcc -march=pentium3 -O3 -pipe -fomit-frame-pointer -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../include -DHOSTINFO=\\ -DRADIUSD_VERSION=\1.0.2\ -c timestr.c
> gcc -L../lib radsqlrelay.o mainconfig.o util.o nas.o client.o log.o conffile.o files.o xlat.o valuepair.o timestr.o ../lib/.libs/libradius.so -o radsqlrelay
> radsqlrelay.o(.text+0xf26): In function `init_sql': : undefined reference to `lt_preloaded_symbols'
> radsqlrelay.o(.text+0xf2d): In function `init_sql': : undefined reference to `lt_dlpreload_default'
> radsqlrelay.o(.text+0xf32): In function `init_sql': : undefined reference to `lt_dlinit'
> radsqlrelay.o(.text+0xf53): In function `init_sql': : undefined reference to `lt_dlopenext'
> radsqlrelay.o(.text+0xf5e): In function `init_sql': : undefined reference to `lt_dlerror'
> radsqlrelay.o(.text+0xfa9): In function `init_sql': : undefined reference to `lt_dlsym'
> radsqlrelay.o(.text+0x1027): In function `init_sql': : undefined reference to `lt_dlclose'
> radsqlrelay.o(.text+0x1051): In function `init_sql': : undefined reference to `lt_dlerror'
> radsqlrelay.o(.text+0x10a9): In function `init_sql': : undefined reference to `lt_dlsetsearchpath'
> radsqlrelay.o(.text+0x10b3): In function `init_sql': : undefined reference to `lt_dlerror'
> ../lib/.libs/libradius.so: undefined reference to `crypt'
> collect2: ld returned 1 exit status
> make: *** [radsqlrelay] Error 1

-- Nicolas Baradakis
Re: radsqlrelay for 1.0.2
Bart Van Daal wrote:
> Is it possible to build it against the 1.0.2 tree or am I stuck with the cvs version? The libraries differ between the cvs version and the 1.0.2 version.

Yes, it is possible. As reported on the mailing list, I'm building radsqlrelay in the 1.0.2 source tree. And Roy is doing the same, too.

-- Nicolas Baradakis
Re: From Called-Station-ID Get Country Code??
Abdul Lateef wrote:
> Hi, I have one mySQL table containing Code, Country Name. I want to get the code using Called-Station-ID, matching with the mySQL country list table, using the perl file. If anyone can give me a little example it really will be great for me. Thank You

Hmm, radius's CalledStationId is the MAC address of the network device over which the radius login was done. In my case (I am using wlan routers with chillispot) it is the MAC of the wlan router to which the user who logged in was connected when logging in.

Now I dunno if u can figure a country code outta a MAC address, but I suppose u can't since a MAC is not country dependent. It's a unique hardware address.

Now if u know where your login devices are (in which countries) u could create a table containing the MAC and a country code. And then use some inner join to select the CalledStationId and the Country.

I'm doing something similar. I have a table that contains info on every wlan router that uses my radius server. It contains the MAC, ESSID and Name. Now for statistical listings I use the CalledStationId in the table radacct to select the Name of the router outta that table. U could do something similar with countries. As I said: make a table containing MAC and Countrycode and use it.

SQL syntax is something like this:

SELECT radacct.CalledStationId, Country.Country
FROM radacct, Country, CountryMac
WHERE (radacct.CalledStationId = CountryMac.MAC)
  AND (CountryMac.Code = Country.Code)

Country is your country list table, CountryMac is the table that contains datasets with MAC and Countrycode, radacct is radius's accounting table (usually radacct). The table Country of course has to be in the radius DB!

If u use that in a perl or php script or sth like that u could of course do this in several steps, e.g.:
1. select the country code out of CountryMac via radacct.CalledStationId
2. select the country out of Country by that country code

Hope it helps you...

Greets from snowy germany
Sebastian
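The two replies above (Alan's pointer to environment variables for Exec-Program-Wait, and Sebastian's MAC-to-country join) fit together in one script. The following is an added example, not code from the list or from FreeRADIUS: it reads Called-Station-Id the way an Exec-Program-Wait child sees it (doc/variables.txt says attribute names are upper-cased with '-' replaced by '_', so it arrives as CALLED_STATION_ID), normalizes the NAS-supplied MAC string, and runs Sebastian's join against a constructed in-memory SQLite copy of the Country, CountryMac and radacct tables. The table names and columns follow Sebastian's message; the sample rows, the normalization rules and the MAC:SSID handling are assumptions. Because Called-Station-Id is attacker-influenced input from the NAS, the lookup is parameterized rather than interpolated into the SQL.

```python
import os
import sqlite3


def env_name(attribute):
    """Environment variable name rlm_exec uses for a RADIUS attribute
    (per doc/variables.txt: upper-case, '-' -> '_')."""
    return attribute.upper().replace("-", "_")


def attr_from_env(attribute, environ=None):
    """Read one attribute the way an Exec-Program-Wait script would."""
    environ = os.environ if environ is None else environ
    return environ.get(env_name(attribute))


def normalize_mac(called_station_id):
    """Called-Station-Id is whatever the NAS sent: 00:11:22:33:44:55,
    00-11-22-33-44-55, 001122334455, mixed case, or "MAC:SSID" on many
    access points (assumed formats). Return AA-BB-CC-DD-EE-FF, or None when
    the value is not a MAC at all (e.g. a dial-in phone number)."""
    s = called_station_id.strip()
    if len(s) > 17 and s[17] == ":":      # "00-11-22-33-44-55:MySSID" form
        s = s[:17]
    hexdigits = "".join(ch for ch in s.upper() if ch in "0123456789ABCDEF")
    if len(hexdigits) != 12:
        return None
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_sample_db():
    """Constructed stand-in for the radius DB with Sebastian's three tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Country    (Code TEXT PRIMARY KEY, Country TEXT NOT NULL);
        CREATE TABLE CountryMac (MAC  TEXT PRIMARY KEY,
                                 Code TEXT NOT NULL REFERENCES Country(Code));
        CREATE TABLE radacct    (RadAcctId INTEGER PRIMARY KEY,
                                 UserName TEXT, CalledStationId TEXT);
    """)
    conn.executemany("INSERT INTO Country VALUES (?, ?)",
                     [("DE", "Germany"), ("LU", "Luxembourg")])
    conn.executemany("INSERT INTO CountryMac VALUES (?, ?)",
                     [("00-11-22-33-44-55", "DE"), ("AA-BB-CC-DD-EE-FF", "LU")])
    # Assumed: the accounting insert already stored the normalized MAC.
    # A real radacct holds the raw NAS string, so normalize on insert too.
    conn.executemany("INSERT INTO radacct (UserName, CalledStationId) VALUES (?, ?)",
                     [("alice", "00-11-22-33-44-55"),
                      ("bob", "AA-BB-CC-DD-EE-FF"),
                      ("carol", "12-34-56-78-9A-BC")])   # router not in CountryMac
    conn.commit()
    return conn


def country_for_called_station(conn, called_station_id):
    """Sebastian's two-step lookup collapsed into one parameterized join:
    MAC -> Code -> Country. Returns (code, country) or None."""
    mac = normalize_mac(called_station_id)
    if mac is None:
        return None
    return conn.execute(
        "SELECT CountryMac.Code, Country.Country "
        "FROM CountryMac JOIN Country ON CountryMac.Code = Country.Code "
        "WHERE CountryMac.MAC = ?", (mac,)).fetchone()


def accounting_with_country(conn):
    """Sebastian's join over radacct; routers without a CountryMac row
    drop out because it is an inner join."""
    return conn.execute(
        "SELECT radacct.CalledStationId, Country.Country "
        "FROM radacct "
        "JOIN CountryMac ON radacct.CalledStationId = CountryMac.MAC "
        "JOIN Country    ON CountryMac.Code = Country.Code "
        "ORDER BY radacct.RadAcctId").fetchall()


if __name__ == "__main__":
    # Under Exec-Program-Wait the real value would be in os.environ; a
    # constructed environment is used here so the script runs stand-alone.
    fake_env = {"CALLED_STATION_ID": "00:11:22:33:44:55", "USER_NAME": "alice"}
    csid = attr_from_env("Called-Station-Id", fake_env)
    conn = build_sample_db()
    print("lookup:", csid, "->", country_for_called_station(conn, csid))
    for row in accounting_with_country(conn):
        print("radacct:", row)
```

Under Exec-Program-Wait the script would pass no `environ` argument and read `os.environ` directly; printing a line such as `Reply-Message = "..."` is how such a script hands attributes back, but that part is not shown here.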
radsqlrelay questions
hi all,

i've tested radsqlrelay for moving big acct-logs (detail-file) into my database - and have read the comments about the code:

1. is it possible to (log-)rotate the detail-file - when radsqlrelay is running - and read it?
2. i've read about the .work file - but couldn't see it. will it only be created if rlm_detail wants to write to the detail-file?
3. if the radsqlrelay process dies (or i kill -9 it) - after restarting it - all the data in the detail-file will be processed again

what could be a solution for these problems?

thx4allinfos, joachim
Re: radsqlrelay questions
On Sun, 6 Mar 2005 [EMAIL PROTECTED] wrote:
> hi all, i've tested radsqlrelay for moving big acct-logs (detail-file) into my database - and have read the comments about the code:
> 1. is it possible to (log-)rotate the detail-file - when radsqlrelay is running - and read it?

Why? The idea is that the detail will not grow unless there is a problem in the receiving end. Even then radsqlrelay should be the one handling the problem, not logrotate.

> 2. i've read about the .work file - but couldn't see it. will it only be created if rlm_detail wants to write to the detail-file?

It will be created when radsqlrelay reaches the end of the detail file and still has outstanding accounting requests unacknowledged, if i remember correctly.

> 3. if the radsqlrelay process dies (or i kill -9 it) - after restarting it - all the data in the detail-file will be processed again
> what could be a solution for these problems?

None at this point. Usually there will only be detail.work to process and only new records in the detail file though. Maybe radsqlrelay could print out (or store in a file) the detail file offset it was working on before it ends (on a KILL signal). There's not much you can do on a -9 signal though, unless you write the file offset somewhere all the time.

> thx4allinfos, joachim

-- Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
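Kostas's last suggestion, writing the file offset somewhere all the time, is what makes a detail-file reader survive a kill -9 without replaying records. The following is an added example, not radsqlrelay's code: a reader that processes the detail file from a persisted byte offset, commits the new offset atomically (write to a temp file, fsync, rename) after every complete record, leaves a trailing half-written record alone until its blank-line terminator arrives, and restarts from zero if the file was truncated underneath it (the logrotate case from question 1). The detail-file layout (a timestamp line, one indented `Attribute = value` line per attribute, a blank line between records) follows rlm_detail's output; the sample records, the state-file name and the `stop_after` parameter used to simulate a crash are constructed for the example.

```python
import os

# Constructed detail-file content in rlm_detail's layout: timestamp line,
# tab-indented "Attribute = value" lines, blank line terminating each record.
DETAIL_SAMPLE = (
    "Sun Mar  6 12:00:00 2005\n"
    "\tAcct-Status-Type = Start\n"
    "\tUser-Name = \"joachim\"\n"
    "\tAcct-Session-Id = \"0001\"\n"
    "\n"
    "Sun Mar  6 12:05:00 2005\n"
    "\tAcct-Status-Type = Stop\n"
    "\tUser-Name = \"joachim\"\n"
    "\tAcct-Session-Id = \"0001\"\n"
    "\tAcct-Session-Time = 300\n"
    "\n"
)


def load_offset(state_path):
    """Byte offset of the first unprocessed record; 0 if no state exists."""
    try:
        with open(state_path) as f:
            return int(f.read().strip() or 0)
    except FileNotFoundError:
        return 0


def save_offset(state_path, offset):
    """Atomic replace so a kill -9 mid-write never leaves a corrupt offset."""
    tmp = state_path + ".tmp"
    with open(tmp, "w") as f:
        f.write(str(offset))
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, state_path)


def parse_record(text):
    """Turn one detail record into {"timestamp": ..., "attrs": {...}}."""
    lines = [line for line in text.splitlines() if line.strip()]
    attrs = {}
    for line in lines[1:]:
        key, _, value = line.strip().partition(" = ")
        attrs[key] = value.strip('"')
    return {"timestamp": lines[0], "attrs": attrs}


def relay_detail(detail_path, state_path, sink, stop_after=None):
    """Feed complete records after the saved offset to sink(record) and
    persist the offset after each one. Returns the number processed.
    stop_after simulates the process dying after N records."""
    offset = load_offset(state_path)
    with open(detail_path, "rb") as f:
        if os.fstat(f.fileno()).st_size < offset:
            offset = 0                      # file rotated/truncated: start over
        f.seek(offset)
        data = f.read()
    processed = 0
    pos = 0
    while True:
        end = data.find(b"\n\n", pos)
        if end < 0:
            break                           # partial record: rlm_detail still writing
        record = data[pos:end + 2]
        # The sink runs before the offset is saved, so a kill between the two
        # replays at most this one record: the sink must be idempotent
        # (e.g. key rows on Acct-Session-Id + Acct-Status-Type), which is the
        # same reason RADIUS accounting itself tolerates retransmits.
        sink(parse_record(record.decode()))
        pos = end + 2
        processed += 1
        save_offset(state_path, offset + pos)
        if stop_after is not None and processed >= stop_after:
            break
    return processed


if __name__ == "__main__":
    import tempfile
    workdir = tempfile.mkdtemp()
    detail = os.path.join(workdir, "detail")
    state = os.path.join(workdir, "detail.offset")   # assumed state-file name
    with open(detail, "w") as f:
        f.write(DETAIL_SAMPLE)
    seen = []
    print("first run (dies after 1):", relay_detail(detail, state, seen.append, stop_after=1))
    print("restart:", relay_detail(detail, state, seen.append))
    print("records delivered:", len(seen))
```

The state file is the only thing that must survive the crash; if it is lost the reader falls back to replaying from the start, which is exactly the behaviour question 3 describes.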
LDAP Profiles
Hello all;

I am trying to put together an openLDAP/FreeRadius implementation for a multitude of services we provide. We are currently providing high speed cable modem services, local dial-up, national dial-up, Motorola Canopy Wireless, DSL, ISDN, extended Ethernet, Ethernet over power and a few other ISP type services. Currently we have a different AAA platform for all of the different services we provide. I am doing some research and setting up a test lab to see if I can get everything onto one AAA platform. I think I am close but am looking for some additional help with the connectivity between FreeRadius and openLDAP.

I currently have FreeRadius communicating with openLDAP and authenticating the user. However, the LDAP server is giving the RADIUS server the wrong profile after authentication. I am not sure if I completely and correctly understand how this works. It looks as though it finds the first ldap-group in my users file and returns the ldap path to the profile. My problem is that if a user has more than one service, say dial-up and DSL, it does not return the right profile. It returns the first match in the users file. How do I get LDAP and FreeRadius to return to the NAS the correct profile for the type of service the user is trying to authenticate to?

Below is my configuration information.

openLDAP 2.2.23
freeRadius 1.0.2
Fedora Core 3

Current users file
---begin users
DEFAULT Ldap-Group == disabled, Auth-Type := Reject
        Reply-Message = Account disabled. Please call the helpdesk.

DEFAULT Ldap-Group == dial, User-Profile := uid=dial,ou=profiles,dc=multiband,dc=us
        Fall-Through = no

DEFAULT Ldap-Group == isdn, User-Profile := uid=isdn,ou=profiles,dc=multiband,dc=us
        Fall-Through = no

DEFAULT Ldap-Group == dsl-ip, User-Profile := uid=dsl-ip,ou=profiles,dc=multiband,dc=us
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = Please call the helpdesk.
---end users--

Thanks for any help.

-- Jarred F. Cleem
Re: LDAP Profiles
On Sun, 6 Mar 2005, Jarred Cleem wrote:
> Hello all;
> I am trying to put together an openLDAP/FreeRadius implementation for a multitude of services we provide. We are currently providing high speed cable modem services, local dial-up, national dial-up, Motorola Canopy Wireless, DSL, ISDN, extended Ethernet, Ethernet over power and a few other ISP type services. Currently we have a different AAA platform for all of the different services we provide. I am doing some research and setting up a test lab to see if I can get everything onto one AAA platform. I think I am close but am looking for some additional help with the connectivity between FreeRadius and openLDAP.
> I currently have FreeRadius communicating with openLDAP and authenticating the user. However, the LDAP server is giving the RADIUS server the wrong profile after authentication. I am not sure if I completely and correctly understand how this works. It looks as though it finds the first ldap-group in my users file and returns the ldap path to the profile. My problem is that if a user has more than one service, say dial-up and DSL, it does not return the right profile. It returns the first match in the users file. How do I get LDAP and FreeRadius to return to the NAS the correct profile for the type of service the user is trying to authenticate to?
> Below is my configuration information.
> openLDAP 2.2.23
> freeRadius 1.0.2
> Fedora Core 3
> Current users file
> ---begin users
> DEFAULT Ldap-Group == disabled, Auth-Type := Reject
>         Reply-Message = Account disabled. Please call the helpdesk.
> DEFAULT Ldap-Group == dial, User-Profile := uid=dial,ou=profiles,dc=multiband,dc=us
>         Fall-Through = no
> DEFAULT Ldap-Group == isdn, User-Profile := uid=isdn,ou=profiles,dc=multiband,dc=us
>         Fall-Through = no
> DEFAULT Ldap-Group == dsl-ip, User-Profile := uid=dsl-ip,ou=profiles,dc=multiband,dc=us
>         Fall-Through = no
> DEFAULT Auth-Type := Reject
>         Reply-Message = Please call the helpdesk.
> ---end users--

With the above configuration, if a user is a member of more than one group then the first one matched will be the *only* one that will be used. And that *is* correct behaviour. What i think you need is to also use incoming request attributes to differentiate services (which you aren't right now). Something like:

DEFAULT NAS-Port-Type == ISDN, Ldap-Group == isdn, User-Profile := uid=isdn,ou=profiles,dc=multiband,dc=us
        Fall-Through = no

DEFAULT NAS-Port-Type == Virtual, Ldap-Group == dsl-ip, User-Profile := uid=dsl-ip,ou=profiles,dc=multiband,dc=us

Hope you get the idea.

> Thanks for any help.
> -- Jarred F. Cleem

-- Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
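To see why Kostas's change works, it helps to run the users-file matching rules (entries tried in order, every check item must hold, the first match wins unless Fall-Through = yes) over Jarred's file and over the amended one with the same request. The following is an added example, not FreeRADIUS code: a small parser for the users-file syntax and a matcher that reproduces that first-match semantics. Two simplifications are assumptions of the example, not of the server: group membership is supplied as a set under the key `Ldap-Group` (in FreeRADIUS rlm_ldap evaluates that comparison against the directory), and the profile DNs are quoted because they contain commas. The Async port type for the dial-up entry is a standard NAS-Port-Type value but is my addition; Kostas's message only shows ISDN and Virtual.

```python
import re

# Check/reply item: Attribute op value, value either "quoted" or a bare token.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|=)\s*(?:"([^"]*)"|([^,\s"]+))')

# Jarred's file, with the DNs quoted so the commas survive parsing.
USERS_ORIGINAL = '''
DEFAULT Ldap-Group == disabled, Auth-Type := Reject
\tReply-Message = "Account disabled. Please call the helpdesk."

DEFAULT Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,dc=multiband,dc=us"
\tFall-Through = no

DEFAULT Ldap-Group == isdn, User-Profile := "uid=isdn,ou=profiles,dc=multiband,dc=us"
\tFall-Through = no

DEFAULT Ldap-Group == dsl-ip, User-Profile := "uid=dsl-ip,ou=profiles,dc=multiband,dc=us"
\tFall-Through = no

DEFAULT Auth-Type := Reject
\tReply-Message = "Please call the helpdesk."
'''

# Kostas's idea: qualify each service entry with a request attribute.
# NAS-Port-Type == Async for dial-up is an assumption of this example.
USERS_AMENDED = '''
DEFAULT Ldap-Group == disabled, Auth-Type := Reject
\tReply-Message = "Account disabled. Please call the helpdesk."

DEFAULT NAS-Port-Type == Async, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,dc=multiband,dc=us"
\tFall-Through = no

DEFAULT NAS-Port-Type == ISDN, Ldap-Group == isdn, User-Profile := "uid=isdn,ou=profiles,dc=multiband,dc=us"
\tFall-Through = no

DEFAULT NAS-Port-Type == Virtual, Ldap-Group == dsl-ip, User-Profile := "uid=dsl-ip,ou=profiles,dc=multiband,dc=us"
\tFall-Through = no

DEFAULT Auth-Type := Reject
\tReply-Message = "Please call the helpdesk."
'''


def parse_users(text):
    """Parse users-file entries: an unindented line carries the name and the
    check/config items, following indented lines carry reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        items = [(a, op, q if q else b) for a, op, q, b in ITEM_RE.findall(raw)]
        if raw[0] not in " \t":
            parts = re.split(r"\s+", raw.strip(), maxsplit=1)
            rest = parts[1] if len(parts) > 1 else ""
            items = [(a, op, q if q else b) for a, op, q, b in ITEM_RE.findall(rest)]
            entries.append({"name": parts[0], "check": items, "reply": []})
        elif entries:
            entries[-1]["reply"].extend(items)
    return entries


def match_users(entries, request):
    """First matching entry wins unless it sets Fall-Through = yes.
    Returns the config items (':=') collected from matched entries."""
    config = {}
    for entry in entries:
        if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
            continue
        matched = True
        for attr, op, value in entry["check"]:
            if op in (":=", "="):
                continue                          # config item, not a check
            if attr == "Ldap-Group":              # simplification: membership set in request
                holds = value in request.get("Ldap-Group", ())
            else:
                holds = request.get(attr) == value
            if (op == "==") != holds:             # handles both == and !=
                matched = False
                break
        if not matched:
            continue
        for attr, op, value in entry["check"]:
            if op in (":=", "="):
                config[attr] = value
        replies = {a: v for a, _, v in entry["reply"]}
        if replies.get("Fall-Through", "no").lower() != "yes":
            break
    return config


def profile_for(users_text, request):
    """Convenience: User-Profile (or Auth-Type) the file yields for a request."""
    cfg = match_users(parse_users(users_text), request)
    return cfg.get("User-Profile", cfg.get("Auth-Type"))


if __name__ == "__main__":
    # Constructed request: a subscriber with both dial-up and DSL, arriving
    # over the DSL concentrator (NAS-Port-Type = Virtual).
    req = {"User-Name": "jdoe", "Ldap-Group": {"dial", "dsl-ip"}, "NAS-Port-Type": "Virtual"}
    print("original users file ->", profile_for(USERS_ORIGINAL, req))
    print("amended users file  ->", profile_for(USERS_AMENDED, req))
```

With the original file the dial entry is hit first regardless of how the user connected; with the amended file the NAS-Port-Type check rules it out and the dsl-ip entry is the first match. Entries that a request matches but that carry no `Fall-Through = yes` end the search, which is also why the catch-all reject at the bottom only fires when nothing above matched.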
Frame-IP-Address in SQL?
Greetings,

I have freeradius with ippool and mysql running; however, in the database this field is always blank. Is that my configuration problem or is there some special requirement to get this working? I'm using the default sql.conf that came with freeradius.

Anyone have any idea?

Regards,
Chan Min Wai
Re: Frame-IP-Address in SQL?
Chan Min Wai [EMAIL PROTECTED] wrote:
> I have freeradius with ippool and mysql running; however, in the database this field is always blank.

WHAT fields?

Alan DeKok.
Re: FreeRadius logging lots of duplicates?
Scott Baker [EMAIL PROTECTED] wrote:
> So I'm guessing it's never hearing back "I got your Accounting packet" even though the server is logging it. Do the accounting packets require an acknowledge?

Yes. If the NAS doesn't like the ACK (wrong source IP, etc), it will ignore it, and send another Accounting-Request, with an updated Acct-Delay-Time.

Alan DeKok.
Re: more detailed sql logging
Score! Exactly the information I needed. Thank you.

For clarification, since I haven't written a module before... For example, if I had the following block in radiusd.conf:

post-auth {
        Post-Auth-Type REJECT {
                log_rejected_users
        }
}

In the modules block in radiusd.conf... can I enter raw SQL syntax similar to that found in the sql.conf file? (blah = "INSERT INTO ...") Granted this isn't the greatest place to put this, but as long as the sql.conf include is before my module def, all of the SQL server information should already be in-line... do I have that right? Or can you do something clever in the sql.conf file?

Thanks again,
Kris

Nicolas Baradakis [EMAIL PROTECTED] wrote:
> Kris Efland wrote:
>> Packet-Type = Access-Request
>> Sat Mar 5 15:04:02 2005
>>         User-Name = "user"
>>         User-Password = "password"
>>         NAS-IP-Address = 1.2.3.4
>>         Client-IP-Address = 1.3.4.5
>>         Module-Failure-Message = "rlm_ldap: User not found"
>> _I would like this information logged to sql instead, how do I do that?_
>
> See http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/doc/Post-Auth-Type?rev=1.4
>
> You can run a postauth query before the server sends an Accept-Reject, too. Modify the "radpostauth" table and the "postauth query" to log as many attributes as you wish.
>
> -- Nicolas Baradakis
Password entry in dialup admin
Hi.

When I enter the value for some user, with the admin.conf set to crypt, the value inserted in the db is encrypted. So when that new user tries to log in to the network, he gets a "deny access" message. So how can the encryption help avoid the data being exposed, while at the same time allowing him to get network access?

How are crypt, md5 and clear in the dialup admin admin.conf file set when we want the process of sending the data secured, while at the same time only a particular or specified administrator responsible for that user can view and change the password at any time, and it is still secured?
freeradius + pptp
hi everyone,

Firstly,
radiusd: FreeRADIUS Version 1.0.2, for host , built on Mar 3 2005 at 08:50:02

Not sure if these will help:
rpm -qa|grep pp
kernel_ppp_mppe-0.0.5-2dkms
pptpd-1.2.1-1
ppp-2.4.3-4.rhel3

I'm testing by connecting from XP and part of what appears in /var/log/messages is this:

Mar 7 08:50:55 scorpio pptpd[19620]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 7 08:50:55 scorpio pppd[19621]: rc_avpair_new: unknown attribute 11
Mar 7 08:50:55 scorpio pppd[19621]: rc_avpair_new: unknown attribute 25
Mar 7 08:50:57 scorpio pppd[19621]: Peer root failed CHAP authentication
Mar 7 08:50:57 scorpio pppd[19621]: Connection terminated.
Mar 7 08:50:57 scorpio pppd[19621]: Exit.
Mar 7 08:50:57 scorpio pptpd[19620]: CTRL: Client 172.168.0.53 control connection finished
Mar 7 08:50:57 scorpio /etc/hotplug/net.agent: NET unregister event not supported

This appears after I've included plugin radius.so in my /etc/ppp/options.pptpd. Can someone give me some clues on rc_avpair_new: unknown attribute 11 and 25?

Cheers,
Mervyn
Re: freeradius + pptp
Perhaps I should include this information as well, from radiusd -X:

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=175, length=64
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "root"
        Calling-Station-Id = "172.168.0.53"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "root", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
    users: Matched entry DEFAULT at line 183
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "unix" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 175 to 127.0.0.1:32769
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 175 with timestamp 422bab84
Nothing to do.  Sleeping until we see a request.
Re: Frame-IP-Address in SQL?
Alan DeKok wrote:
> Chan Min Wai [EMAIL PROTECTED] wrote:
>> I have freeradius with ippool and mysql running; however, in the database this field is always blank.
>
> WHAT fields?

Frame-IP-Address (this is more important)
NASPortType (I'm sure the request has this)
CalledStationId (should be the NAS MAC)
FramedProtocol (the IP address from ippool?)

These are the fields that have no information at all.
Checking user accounts
Hello everyone,

I have a wireless network in which access points are getting authenticated by freeradius running on a Solaris box. I want to add user authentication and am thinking of having a mysql database for that. But for the time being, I'm thinking of using the users file for a couple of users.

Now my question is: where do the users need to key in their username and password if they have Windows XP machines and want to use my wireless network? In future I have plans for a captive portal like Chillispot, but right now, for testing purposes, I want to know how the users will be authenticated with freeradius if I use a Windows XP machine and a username and password in the users file.

I would appreciate any help on this. Thx in advance.

Regards,
Janakan Rajendran
Re: Frame-IP-Address in SQL?
Chan Min Wai [EMAIL PROTECTED] wrote:
> ...
> These are the fields that have no information at all.

Please read the FAQ. The server can only log what the NAS sends.

Alan DeKok.
Re: freeradius + pptp
Mervyn Yeo [EMAIL PROTECTED] wrote:
> This appears after I've included plugin radius.so in my /etc/ppp/options.pptpd. Can someone give me some clues on rc_avpair_new: unknown attribute 11 and 25?

Read the dictionary file for the names of attributes 11 and 25. As for why pptpd doesn't understand them, ask pptpd.

Alan DeKok.
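Alan's answer is "read the dictionary"; doing that mechanically is a short parser. The following is an added example, not code from FreeRADIUS or from the list: it parses a constructed excerpt in FreeRADIUS dictionary syntax (`ATTRIBUTE name number type` and `VALUE attribute name number` lines; the numbers are the RFC 2865 assignments) and resolves the attribute numbers that appear in Mervyn's `rc_avpair_new: unknown attribute N` log lines to their names. The `rc_` prefix belongs to the radiusclient library that pppd's radius plugin is built on; that library reads its own dictionary file, so an attribute FreeRADIUS sends in the Access-Accept that is missing from the client-side dictionary produces exactly this message (that interpretation is mine, not the page's).

```python
import re

# Constructed excerpt in FreeRADIUS dictionary syntax (RFC 2865 numbers).
DICTIONARY_SAMPLE = """
# name                          number  type
ATTRIBUTE   User-Name               1   string
ATTRIBUTE   User-Password           2   string
ATTRIBUTE   NAS-IP-Address          4   ipaddr
ATTRIBUTE   NAS-Port                5   integer
ATTRIBUTE   Service-Type            6   integer
ATTRIBUTE   Framed-Protocol         7   integer
ATTRIBUTE   Framed-IP-Address       8   ipaddr
ATTRIBUTE   Filter-Id              11   string
ATTRIBUTE   Reply-Message          18   string
ATTRIBUTE   Class                  25   octets
ATTRIBUTE   Called-Station-Id      30   string
ATTRIBUTE   Calling-Station-Id     31   string
ATTRIBUTE   NAS-Port-Type          61   integer
VALUE       Service-Type    Framed-User     2
VALUE       Framed-Protocol PPP             1
VALUE       NAS-Port-Type   Async           0
VALUE       NAS-Port-Type   ISDN            2
VALUE       NAS-Port-Type   Virtual         5
"""

# Mervyn's log lines from /var/log/messages, as posted above.
LOG_SAMPLE = """
Mar 7 08:50:55 scorpio pppd[19621]: rc_avpair_new: unknown attribute 11
Mar 7 08:50:55 scorpio pppd[19621]: rc_avpair_new: unknown attribute 25
Mar 7 08:50:57 scorpio pppd[19621]: Peer root failed CHAP authentication
"""

UNKNOWN_RE = re.compile(r"rc_avpair_new: unknown attribute (\d+)")


def parse_dictionary(text):
    """Return ({number: (name, type)}, {attribute: {number: value_name}}).
    Comments start with '#'; VENDOR/BEGIN-VENDOR lines are ignored here."""
    attrs_by_number, values = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "ATTRIBUTE" and len(fields) >= 4:
            attrs_by_number[int(fields[2])] = (fields[1], fields[3])
        elif fields[0] == "VALUE" and len(fields) >= 4:
            values.setdefault(fields[1], {})[int(fields[3])] = fields[2]
    return attrs_by_number, values


def attribute_name(attrs_by_number, number):
    """Name for a bare attribute number, or a placeholder if not defined."""
    return attrs_by_number.get(number, ("<not in dictionary>", None))[0]


def value_name(values, attribute, number):
    """Symbolic name of an enumerated value, e.g. NAS-Port-Type 5 -> Virtual."""
    return values.get(attribute, {}).get(number, str(number))


def resolve_unknown_attributes(log_text, attrs_by_number):
    """Map every 'unknown attribute N' in the log to its dictionary name."""
    return {int(m.group(1)): attribute_name(attrs_by_number, int(m.group(1)))
            for m in UNKNOWN_RE.finditer(log_text)}


if __name__ == "__main__":
    attrs, values = parse_dictionary(DICTIONARY_SAMPLE)
    for number, name in sorted(resolve_unknown_attributes(LOG_SAMPLE, attrs).items()):
        print(f"attribute {number} = {name} ({attrs[number][1]})")
    print("NAS-Port-Type 5 =", value_name(values, "NAS-Port-Type", 5))
```

Attribute 11 is Filter-Id and 25 is Class; both are attributes a RADIUS server commonly puts in an Access-Accept, which matches Alan's point that the complaint is on the pptpd side rather than in FreeRADIUS.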
Re: Frame-IP-Address in SQL?
Alan DeKok wrote:
> Chan Min Wai [EMAIL PROTECTED] wrote:
>> ...
>> These are the fields that have no information at all.
>
> Please read the FAQ. The server can only log what the NAS sends.
>
> Alan DeKok.

What about the info that is provided by freeradius? When we are using ippool, that means that the IP address actually came from us. So we should be able to log it, right? I did try %{reply:FRAME-IP-ADDRESS} in sql.conf but that isn't working.

Regards,
Chan Min Wai
Duplicate Accounting logging desired
Hello,

I'd like to log accounting packets on our local (proxying) FR-1.0.2 server but also send them to the realm server that is configured for them in proxy.conf. That is, let A be an accounting packet that arrives at our server. Then
- log A locally (a plain text detail-like file suffices)
- forward A to the home server

I tried to put a detail into preacct, which doesn't work as detail modules aren't allowed there. I thought of setting acct handling to LOCAL generally and then using radrelay to do the forwarding part, but there are many realms and I don't know if radrelay can be configured to forward selectively to multiple destinations. Finally, my idea was to put a detail module into pre-proxy, but I don't know how to only log accounting packets.

Does anyone have an idea?

Greetings,
Stefan Winter

-- Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingénieur réseau et système
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]
tél.: +352 424409-33
http://www.restena.lu
fax: +352 422473