Re: Authenticating and Blocking per client
On Tuesday 29 March 2005 17:56, Jason Frisvold wrote:
> On Tue, 29 Mar 2005 07:51:41 -0700, Kenneth Grady [EMAIL PROTECTED] wrote:
> > One way to do it is to add the users allowed to the huntgroups. Example: huntgroups...
>
> Ok, so now what happens when you start dealing with other devices like a redback? Can those be added into the huntgroups as well?

Yes. Huntgroups is exactly what you want...

--
Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Re: why my adsl-connect only keep 0.4 minutes?
On Wednesday 30 March 2005 04:31, wrote:
> each time i connect to the server, the adsl-connect only keep 0.4 minutes, and then the modem hangup, and the auto reconnect. is there some attribute i didn't set a right value in mysql or other problem? thanks.

We have no idea how you are using radius, why you are using radius or with what equipment you are using radius. If you give us some information about your setup we might be able to help you.

--
Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Re: why my adsl-connect only keep 0.4 minutes?
Is there any particular reason why you think this problem is related to FreeRADIUS?

Regards
Peter

On Wednesday 30 March 2005 13:26, wrote:
> there is three machine, A install the freeradius 1.0.2 and the mysql, B just install pppd+radiusclient and pppoe-server, C is my pc, i adsl-connect to the pppd on my pc. my connect just keep 0.4 minute, and then show me that modem hangup and adsl-connect reconnect, and it work correctly 0.4 minutes. i don't know why

--
Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Re: why my adsl-connect only keep 0.4 minutes?
one man said there is a option session-timeout have to set, but i do not know where to set... the other said only the nas can hangup your connect, but i can't found why

From: Peter Nixon [EMAIL PROTECTED]
Date: Wed, 30 Mar 2005 13:32:58 +0300
> Is there any particular reason why you think this problem is related to FreeRADIUS?
Redundant Radius with Dynamic Data
Hello Group,

I am just about to set up a radius service and have managed to acquire 2 servers with a view to making the end product redundant.

Just to give you a little background. The radius system will be used for DSL authentication. The user will authenticate (indirectly via a cisco device) with their [EMAIL PROTECTED] password. The server will then authorise the user and respond with a single attribute - their IP address. The IP addresses (depending on which domain they are in) will be dynamically allocated from a pool of IP addresses. So far so good.

I don't intend to perform any load balancing of the traffic to the two radius servers. Therefore I was planning to use the features on the Cisco router to treat one server as primary and one as secondary (failover). I will most likely use rsync to synchronise the config from the primary to the secondary.

My problem (and hence the reason for this post) is that the primary would be holding accounting information regarding which IP addresses have been allocated to each user from the pool - thus avoiding any IP conflict on the edge network. I do not understand how I would be able to configure the two servers so that if the Primary failed the secondary would know which IPs had been allocated and continue to allocate from the remaining pool.

I have literally only just switched the servers on. I want to get this right from the start. If I cannot find a solution to this issue I have a back out plan that involves setting each user with a static IP, not ideal.

Is an SQL backend the best method? Would a shared SQL backend maintain the integrity of the allocated IP pool? I have experience with Freeradius and would like to continue with this platform, but is it the best one for what I am attempting?

I look forward to your responses to this question.
Best Regards,
Christopher Howarth RHCE
Network Systems Development Consultant
Equinox Converged Solutions
RE: Authenticate users from freeradius to a Windows 2000 AD
Hi,

Sorry about the late reply. I tried your suggestion, but without success. I don't know if I am using the right parameters in the users, the eap.conf and the radiusd.conf files. Have you any sample config? Or any suggested docs?

Many thanks
Vitor

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sandworm
Sent: Monday, 21 March 2005 2:16
To: freeradius-users@lists.freeradius.org
Subject: RE: Authenticate users from freeradius to a Windows 2000 AD

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vitor Paiva da Silva
> Sent: Saturday, 19 March 2005 2:58 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Authenticate users from freeradius to a Windows 2000 AD
>
> rlm_ldap: ldap_search() failed: Operations error
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module ldap returns fail for request 0
> modcall: group authorize returns fail for request 0

This typically happens when AD referrals fail. In your LDAP configuration you need to turn off dereferencing and referrals. This is usually done by adding the following lines to /etc/openldap/ldap.conf on the FreeRadius box (which is the AD LDAP client in this case):

deref never
referrals no

Regards
FreeRADIUS Performance
Hi,

how many concurrent petitions (AuthRequest) can handle FreeRADIUS? This number can be changed? Depends of hardware?

Thanks in advance

German P. Santillan
IT Admin
DESETech
Re: Auth-Type=EAP and other
On Wed, 30 Mar 2005 18:43:12 +0800, Chan Min Wai [EMAIL PROTECTED] wrote:
> Hello all,
> Anyone can help me configure the Auth-type EAP for NAS A,b,c,d,e plaintext for NAS h,i,j,k
> regards.

extract from eap.conf

#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $
#
Re: Redundant Radius with Dynamic Data
[EMAIL PROTECTED] said:
> Is an SQL backend the best method? Would a shared SQL backend maintain the integrity of the allocated IP pool? I have experience with Freeradius and would like to continue with this platform, but is it the best one for what I am attempting?

An SQL backend is one way to do it. I am using the MySQL 4.1.10-Max cluster version so any node can read or write. This gives you a true HA RADIUS model. I haven't implemented the multiple SQL server part in radius yet though. Still need to do that.

--
Lewis Bergman
Texas Communications
4309 Maple ST. Abilene, TX 79602
325-691-3301
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
Stefan Winter [EMAIL PROTECTED] wrote:
> Hello!
>
> > I've searched and searched, and tried every hint I could find, and cannot seem to make it work using the Windows login name and password. Is it possible?
>
> Make your users set a password for their login on the XP machine. That is the username/password combination XP will use for authentication when you check the box.

Yes, I knew this. Users have been using Samba shares on my Unix/Linux servers for a number of years.

> Then list these users with the appropriate passwords in your radiusd backend (smbpasswd in your case).

They're *all* already in there. (See above.)

> Then it should work.

Not so far. I'm wondering if I'm missing something in FreeRADIUS' configuration?

> One thing I notice is the client PC sending WINNAME\username, instead of just username, if I tell it to use the Windows login info. [At least I think so; someone please correct me if I'm wrong]

Who am I to say you're wrong? I've no idea what I'm doing ;). But it doesn't appear to be working.

Thanks for the follow-up.

Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at http://jimsun.linxnet.com/scform.php.
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
On Wed, 30 Mar 2005 06:50:37 -0500 (EST), Jim Seymour [EMAIL PROTECTED] wrote:
> > One thing I notice is the client PC sending WINNAME\username, instead of just username, if I tell it to use the Windows login info. [At least I think so; someone please correct me if I'm wrong]

I get [WI-1\\Willem Eradus/no User-Password attribute]

# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion. This hack
# corrects for that incorrect behavior.
#
#with_ntdomain_hack = no

I believe the above should take care of the domain part, and some other attribute may hold a hash with the password. Did you try with -X enabled to see what attributes are being provided?
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
Willem Eradus [EMAIL PROTECTED] wrote:
> On Wed, 30 Mar 2005 06:50:37 -0500 (EST), Jim Seymour [EMAIL PROTECTED] wrote:
> [snip]
> > > One thing I notice is the client PC sending WINNAME\username, instead of just username, if I tell it to use the Windows login info. [At least I think so; someone please correct me if I'm wrong]
>
> I get [WI-1\\Willem Eradus/no User-Password attribute]
>
> # Windows sends us a username in the form of
> # DOMAIN\user, but sends the challenge response
> # based on only the user portion. This hack
> # corrects for that incorrect behavior.
> #
> #with_ntdomain_hack = no

I tried that. Made no discernable difference. Note, further down, in preprocess, this:

# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the realms module for a better way to handle
# NT domains.
with_ntdomain_hack = no

I'm not at all clear on realms or what I should be doing in that respect, if anything.

> I believe the above should take care of the domain part, and some other attribute may hold a hash with the password. Did you try with -X enabled to see what attributes are being provided?

I've been running it in the foreground with -X. That *is* what the install docs say to do for testing, after all, and I do RTFM. Well... usually.

I'm not yet grokking much of what I'm seeing. I'll keep plugging away. Hopefully, sooner-or-later, either I'll trip across the solution or somebody here will mention it.

Thanks for the follow-up.

Jim
Re: Auth-Type=EAP and other
Mine can't if EAP was not set in the Autz-type it will fail to Auth and say userpassword required...

-----Original Message-----
From: Willem Eradus [EMAIL PROTECTED]
Subj: Re: Auth-Type=EAP and other
Date: Wed 30 Mar 2005 19:45
Size: 625 bytes
To: freeradius-users@lists.freeradius.org

On Wed, 30 Mar 2005 18:43:12 +0800, Chan Min Wai [EMAIL PROTECTED] wrote:
> Hello all,
> Anyone can help me configure the Auth-type EAP for NAS A,b,c,d,e plaintext for NAS h,i,j,k
> regards.

extract from eap.conf

#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $
#
Re: LDAP Profiles
On Tue, 29 Mar 2005, Jarred Cleem wrote:
> Thanks Dustin Doris for your reply. I seem to be missing something because I can not get it to work like you mentioned. Let me provide some data and config info in hopes that you might be able to help further. What I am hoping for is that it will send the profile info and the info for the user. For example, I am hoping to see the return attributes for jcleem/dial to be:
>
> radiusClientIPAddress: 172.18.5.1
> radiusFramedIPNetmask: 255.255.255.0
> radiusFramedProtocol: PPP
> radiusFramedRouting: None
> radiusServiceType: Framed-User
> radiusFramedCompression: Van-Jacobson-TCP-IP
>
> But I only get (does not include radiusClientIPAddress):

The radiusClientIPAddress attribute is a check and not a reply item. It is normally not included in raddb/ldap.attrmap and I don't think you wanted to use that in the first place. What you need to use is the radiusFramedIPAddress attribute:

radiusFramedIPAddress: 172.18.5.1

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: FreeRADIUS Performance
On Wednesday 30 March 2005 14:40, DESETech - German P. Santillan wrote:
> Hi, how many concurrent petitions (AuthRequest) can handle FreeRADIUS? This number can be changed? Depends of hardware?

It depends completely on hardware, thread settings and operating system settings, however I expect a fully tuned FR server on any type of decent (current) hardware without the extra overhead of SQL etc would handle a few hundred thousand Auth requests per second without any trouble.

I personally have never managed to put FreeRADIUS itself under load.. (Except when I ran it on a 486) I have however managed to blow up a number of backend database servers with load generated BY FreeRADIUS!

cheers

--
Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
Michael Griego [EMAIL PROTECTED] wrote:
> You should be
> Jim Seymour wrote:
> > Willem Eradus [EMAIL PROTECTED] wrote:
> > > #
> > > #with_ntdomain_hack = no
> >
> > I tried that. Made no discernable difference.
>
> Be sure you're using the with_ntdomain_hack in the mschap module configuration, NOT the one in the preprocess module configuration.

Tried one, the other, and both. Using separate creds in 'doze, I get this in the -X output:

rlm_passwd: Added LM-Password: 'users LM password' to config_items
rlm_passwd: Added NT-Password: 'users NT password' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U ]' to config_items
rlm_passwd: Adding Auth-Type = MS-CHAP
modcall[authorize]: module etc_smbpasswd returns ok for request 0

Using WinXP's login info, I see none of that. Instead I get:

modcall[authorize]: module etc_smbpasswd returns notfound for request 0

Next test: I reconfigured the XP box for separate, manually-entered creds again, entered a correct username, but invalid password. Again I got:

rlm_passwd: Added LM-Password: 'users LM password' to config_items
rlm_passwd: Added NT-Password: 'users NT password' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U ]' to config_items
rlm_passwd: Adding Auth-Type = MS-CHAP
modcall[authorize]: module etc_smbpasswd returns ok for request 0

So clearly that output indicates a successful username match, and just as clearly, setting with_ntdomain_hack = yes in the mschap module does not strip the leading GARBAGE\ stuff.

Ghod I just love 'doze :/

Jim
Re: LDAP Radius
> Does someone have a good howto on setting up Radius to make use of an LDAP group. I read the ldap docs at freeradius.org and that seemed like overkill I just want to have a group and put the user in the group to give them access?

Say you have two groups, one that has access to dial and one that has access to adsl. Some users can be in both groups. You have a NAS from 1.1.1.1 for dial and 2.2.2.2 for adsl.

-dialonly user
dn: uid=dialuser,ou=radius,dc=yourdomain,dc=com
objectclass: radiusprofile
uid: dialuser
userpassword: somepass
radiusgroupname: dial

-adslonly user
dn: uid=adsluser,...
objectclass: radiusprofile
uid: adsluser
userpassword: pass
radiusgroupname: adsl

-adsl and dial user
dn: uid=both,...
objectclass: radiusprofile
uid: both
userpassword: pass
radiusgroupname: dial
radiusgroupname: adsl

In your users file

DEFAULT NAS-IP-Address == 1.1.1.1, Ldap-Group == dial

DEFAULT NAS-IP-Address == 2.2.2.2, Ldap-Group == adsl

DEFAULT Auth-Type := Reject

Packet comes from dial NAS, checks to see if user has radiusgroupname dial, if so it will match and then authenticate the user. User doesn't have dial, it will fall-through to Reject.

Packet comes from adsl NAS, checks to see if user has radiusgroupname adsl, ...

Hope that helps,
Dusty Doris
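The matching described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code: a small Python model of the three DEFAULT entries, run over the three LDAP users from the post. It assumes entries are tried top to bottom with the first full match winning, and that `Ldap-Group == X` is true when the user's radiusgroupname values include X; the names `decide` and `access_matrix`, the user `stranger` and the NAS address 3.3.3.3 are constructed for the illustration.

```python
"""Model of the users-file policy from the post above (constructed illustration)."""
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed directory data mirroring the three LDAP entries in the post:
# uid -> set of radiusgroupname values.
LDAP_GROUPS: Dict[str, Set[str]] = {
    "dialuser": {"dial"},
    "adsluser": {"adsl"},
    "both": {"dial", "adsl"},
}


class Entry(NamedTuple):
    """One DEFAULT entry: its check items plus an optional forced Auth-Type."""
    nas_ip: Optional[str]       # NAS-IP-Address == ...  (None = not checked)
    ldap_group: Optional[str]   # Ldap-Group == ...      (None = not checked)
    auth_type: Optional[str]    # Auth-Type := ...       (None = not set)


# The three entries from the post, in file order.
USERS_FILE: List[Entry] = [
    Entry("1.1.1.1", "dial", None),
    Entry("2.2.2.2", "adsl", None),
    Entry(None, None, "Reject"),
]


def decide(user, nas_ip, entries=USERS_FILE, groups=LDAP_GROUPS):
    """Return (outcome, index of the entry that matched).

    "authenticate" means the request passed the group check and goes on to
    normal password verification; it does not mean the user is accepted.
    """
    member_of = groups.get(user, set())
    for index, entry in enumerate(entries):
        if entry.nas_ip is not None and entry.nas_ip != nas_ip:
            continue
        if entry.ldap_group is not None and entry.ldap_group not in member_of:
            continue
        if entry.auth_type == "Reject":
            return "reject", index
        return "authenticate", index
    # Nothing matched: the outcome is left to the rest of the server config.
    return "unmatched", None


def access_matrix(entries=USERS_FILE):
    """Outcome for every user on both NASes and on one unlisted NAS."""
    nases = {"dial": "1.1.1.1", "adsl": "2.2.2.2", "other": "3.3.3.3"}
    users = list(LDAP_GROUPS) + ["stranger"]
    return {(user, name): decide(user, ip, entries)[0]
            for user in users for name, ip in nases.items()}


if __name__ == "__main__":
    for (user, nas), outcome in sorted(access_matrix().items()):
        print(f"{user:9} via {nas:5} NAS -> {outcome}")
    # Same policy without the final DEFAULT Reject: a dial-only user on the
    # ADSL NAS is no longer rejected here, the request just falls off the end.
    print(decide("dialuser", "2.2.2.2", USERS_FILE[:-1]))
```

The last call shows why the closing `DEFAULT Auth-Type := Reject` matters: without it the per-NAS group check stops being a deny rule and the result depends on whatever else the server is configured to do.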
Re: LDAP Profiles
> On Tue, 29 Mar 2005, Jarred Cleem wrote:
> > Thanks Dustin Doris for your reply. I seem to be missing something because I can not get it to work like you mentioned. Let me provide some data and config info in hopes that you might be able to help further. What I am hoping for is that it will send the profile info and the info for the user. For example, I am hoping to see the return attributes for jcleem/dial to be:
> >
> > radiusClientIPAddress: 172.18.5.1
> > radiusFramedIPNetmask: 255.255.255.0
> > radiusFramedProtocol: PPP
> > radiusFramedRouting: None
> > radiusServiceType: Framed-User
> > radiusFramedCompression: Van-Jacobson-TCP-IP
> >
> > But I only get (does not include radiusClientIPAddress):
>
> The radiusClientIPAddress attribute is a check and not a reply item. It is normally not included in raddb/ldap.attrmap and i don't think you wanted to use that in the first place. What you need to use is the radiusFramedIPAddress attribute:
>
> radiusFramedIPAddress: 172.18.5.1

Kostas is correct, but if you really need to use Client-IP-Address for some reason, then add it to ldap.attrmap as a reply item.

replyItem Client-IP-Address radiusClientIPAddress

-Dusty
Re: why my adsl-connect only keep 0.4 minutes?
If you are setting session-timeout to .4 minutes, then the NAS will disconnect the user at that time. However, you'd probably know if you set that up. If you don't send a session-timeout, then the problem is either your NAS is disconnecting the user for some reason, or the modem is dropping train. That isn't related to radius, as the radius server just records what is sent to it. I'd troubleshoot the NAS, Modem, phone line/pots/dslam/etc...

On Wed, 30 Mar 2005, [gb2312] wrote:
> one man said there is a option session-timeout have to set, but i do not know where to set... the other said only the nas can hangup your connect, but i can't found why
Re: LDAP Profiles
Dustin Doris [EMAIL PROTECTED] wrote:
> Kostas is correct, but if you really need to use Client-IP-Address for some reason, then add it to ldap.attrmap as a reply item.

Where it will do *nothing*. Absolutely and totally *nothing*. It's not a real RADIUS attribute, so it will never go into a packet.

Alan DeKok.
Re: Number of Simultaneous Requests from FreeRadius
Jamal Taweel [EMAIL PROTECTED] wrote:
> Could any one tell us how many users/requests can be connected/transferred to FreeRADIUS at the same time through NASs for different issues (Authentication, Authorization, and Accounting purposes).

As many as you have disk space, CPU time, and memory to handle. As many as your back-end database can handle.

Without knowing the details of your system, the only possible answer is lots.

Alan DeKok.
Re: Redundant Radius with Dynamic Data
[EMAIL PROTECTED] wrote:
> I will most likely use rsync to synchronise the config from the primary to the secondary. My problem (and hence the reason for this post) is that the primary would be holding accounting information regarding which IP addresses have been allocated to each user from the pool - thus avoiding any IP conflict on the edge network. I do not understand how I would be able to configure the two servers so that if the Primary failed the secondary would know which IPs had been allocated and continue to allocate from the remaining pool.

See rlm_sqlippool. Search the list archives, it's not in the server.

> Is an SQL backend the best method? Would a shared SQL backend maintain the integrity of the allocated IP pool?

Yes, but then you're back to a single point of failure. Why not just run one radius server?

> I have experience with Freeradius and would like to continue with this platform, but is it the best one for what I am attempting?

Yes.

Alan DeKok.
Re: Auth-Type=EAP and other
Willem Eradus [EMAIL PROTECTED] wrote:
> > Anyone can help me configure the Auth-type EAP for NAS A,b,c,d,e plaintext for NAS h,i,j,k
> ...
> extract from eap.conf
> #
> # Whatever you do, do NOT set 'Auth-Type := EAP'. The server

That's because most people get it wrong. There are SOME situations where setting it may be useful. But even in those situations, you probably want to *reject* a particular kind of message, and not force one kind of authentication.

Alan DeKok.
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
Michael Griego [EMAIL PROTECTED] wrote:
> Jim Seymour wrote:
> > So clearly that output indicates a successful username match, and just as clearly, setting with_ntdomain_hack = yes in the mschap module does not strip the leading GARBAGE\ stuff.
>
> You'll have to look quite a bit further down in the debugging output to see that. Please set with_ntdomain_hack in the mschap module to yes, then post the FULL debugging output. It's too hard to guess what you've got your server setup to do.

Okay, here you go:

http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack.txt

ADMINNB is the laptop's Windows name. The username should be pretty apparent ;).

Thanks for your help!

Jim
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for jseymour with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 6

Above is where you're failing. It looks like you had the passwd module called in your authorize block in one of your previous emails and removed it before you ran this debug, so it's no longer finding your users and adding their passwords to the request. You need to add this back in then grab another debug output to see if the problem continues and where it is.

--Mike
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
I think I see what your problem is... You need to reenable the ntdomain realm module that is preconfigured in the server and be sure its called before your etc_smbpasswd module in your authorize section. You seem to have removed it, and, because of that, it can't find the correct username in your smbpasswd file.

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Jim Seymour wrote:
> Michael Griego [EMAIL PROTECTED] wrote:
> > rlm_mschap: No User-Password configured. Cannot create LM-Password.
> > rlm_mschap: No User-Password configured. Cannot create NT-Password.
> > rlm_mschap: Told to do MS-CHAPv2 for jseymour with NT-Password
> > rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> > rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> > modcall[authenticate]: module mschap returns reject for request 6
> >
> > Above is where you're failing. It looks like you had the passwd module called in your authorize block in one of your previous emails and removed it before you ran this debug,
> [snip]
>
> Nope. The only differences are:
>
> 1. Changed 'doze config back to use login stuff
> 2. Un-commented the ntdomain hack in mschap
>
> Jim
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
Michael Griego [EMAIL PROTECTED] wrote:
> I think I see what your problem is... You need to reenable the ntdomain realm module that is preconfigured in the server and be sure it's called before your etc_smbpasswd module in your authorize section. You seem to have removed it, and, because of that, it can't find the correct username in your smbpasswd file.

Nope. I removed nothing. I neither disabled nor de-configured anything.

I'm guessing that maybe what was missing was this bit?

    authorize {
        ...
        #
        # If you are using multiple kinds of realms, you probably
        # want to set ignore_null = yes for all of them.
        # Otherwise, when the first style of realm doesn't match,
        # the other styles won't be checked.
        #
        suffix
    #   ntdomain
        ...
        #
        # If you are using /etc/smbpasswd, and are also doing
        # mschap authentication, the un-comment this line, and
        # configure the 'etc_smbpasswd' module, above.
        etc_smbpasswd
        ...
    }

I un-commented ntdomain. No change. The -X output can be seen at:

http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack+ntdomain_realm.txt

I even tried ignore_null = yes in the realm ntdomain config. No difference, either.

(And yes: I'm saving the config file(s) and starting radiusd anew for each test :).)

Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at http://jimsun.linxnet.com/scform.php.
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
[EMAIL PROTECTED] (Jim Seymour) wrote:
> http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack+ntdomain_realm.txt
> ...
> modcall[authorize]: module etc_smbpasswd returns notfound for request 0

The password isn't being added because the user ADMINNB\jseymour isn't being found in the smb passwd file. That's the root cause of the problem.

I suggest:

a) adding ADMINNB\jseymour as a user in the smb passwd file

or

b) setting up realms, and using Stripped-User-Name as the key to smb_passwd.

> ...
> rlm_realm: Looking up realm ADMINNB for User-Name = ADMINNB\jseymour
> rlm_realm: No such realm ADMINNB

And therefore no Stripped-User-Name.

If you want to use jseymour as a key for the smb passwd file, convince the server to use that string, and not any other.

Alan DeKok.
Freeradius documentation
I'm computer science student and I'm working in the my graduated project. This project is about freeradius and strong authentication. I Would to know about some documentation for freeradius (code flow design, description library, description project, etc). There is something about? Where do i get?

Thanks

--
Sincerely,
Helder Fábio Santos Lima
linux User 372369
[EMAIL PROTECTED]
Re: LDAP Profiles
> Dustin Doris [EMAIL PROTECTED] wrote:
> > Kostas is correct, but if you really need to use Client-IP-Address for some reason, then add it to ldap.attrmap as a reply item.
>
> Where it will do *nothing*. Absolutely and totally *nothing*. It's not a real RADIUS attribute, so it will never go into a packet.
>
> Alan DeKok.

Good point. Not enough coffee this morning, I guess.
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
Alan DeKok [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] (Jim Seymour) wrote:
> > http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack+ntdomain_realm.txt
> > ...
> > modcall[authorize]: module etc_smbpasswd returns notfound for request 0
>
> The password isn't being added because the user ADMINNB\jseymour isn't being found in the smb passwd file. That's the root cause of the problem.

I rather figured that.

> I suggest:
>
> a) adding ADMINNB\jseymour as a user in the smb passwd file

That's not practical. ADMINNB is that specific laptop's NETBIOS name. I'd have to have duplicated smbpasswd entries for every laptop each user might choose to use--for every user. Be far easier to do what people seem to always do in my situation: Tell the end-users they'll have to auth to the WLAN separately.

> or
>
> b) setting up realms, and using Stripped-User-Name as the key to smb_passwd.
>
> > ...
> > rlm_realm: Looking up realm ADMINNB for User-Name = ADMINNB\jseymour
> > rlm_realm: No such realm ADMINNB
>
> And therefore no Stripped-User-Name.

Separate realms for every laptop in the building would likewise be impractical.

> If you want to use jseymour as a key for the smb passwd file, convince the server to use that string, and not any other.

Is there a way I can do it irrespective of the supposed domain?

Thanks for the follow-up, Alan.

Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at http://jimsun.linxnet.com/scform.php.
Re: Freeradius documentation
Helder Lima [EMAIL PROTECTED] wrote:
> I'm computer science student and I'm working in the my graduated project. This project is about freeradius and strong authentication. I Would to know about some documentation for freeradius (code flow design, description library, description project, etc). There is something about?

There's no real documentation for how the server works internally.

If you do write some, submit it, and we'll include it in the server.

Alan DeKok.
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
[EMAIL PROTECTED] (Jim Seymour) wrote:
> > a) adding ADMINNB\jseymour as a user in the smb passwd file
>
> That's not practical. ADMINNB is that specific laptop's NETBIOS name.

testing != deployment

First, get it to work. Then, get it to work in a real deployment.

> > If you want to use jseymour as a key for the smb passwd file, convince the server to use that string, and not any other.
>
> Is there a way I can do it irrespective of the supposed domain?

In hints:

    DEFAULT User-Name =~ \\(.*)$
            My-Local-User-Name = %{1}

Then, in smb_passwd, use My-Local-User-Name as the key. You will have to define it in the dictionaries, too.

That should work, I think.

Alan DeKok.
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
Alan DeKok [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] (Jim Seymour) wrote:
> > > a) adding ADMINNB\jseymour as a user in the smb passwd file
> >
> > That's not practical. ADMINNB is that specific laptop's NETBIOS name.
>
> testing != deployment
>
> First, get it to work. Then, get it to work in a real deployment.

Valid point :). Okay, if I pre-pend ADMINNB\ to my username in smbpasswd, it works like a champ.

> > > If you want to use jseymour as a key for the smb passwd file, convince the server to use that string, and not any other.
> >
> > Is there a way I can do it irrespective of the supposed domain?
>
> In hints:
>
>     DEFAULT User-Name =~ \\(.*)$
>             My-Local-User-Name = %{1}
>
> Then, in smb_passwd, use My-Local-User-Name as the key. You will have to define it in the dictionaries, too.
>
> That should work, I think.

Nope. Failure mode identical.

Jim
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
Michael Griego [EMAIL PROTECTED] wrote:
> Or you could make sure your DEFAULT realm is set up. Your current configuration should work if you have a DEFAULT realm in your proxy.conf. If it doesn't work using the default realm, change your etc_smbpasswd line to use the Stripped-User-Name, but I think it should already attempt to use it if it's present. It's not present, though, because no realm is found. The DEFAULT realm will catch all realm instances that aren't specifically set up.

I did this in proxy.conf:

    #
    # This realm is for ALL OTHER requests.
    #
    realm DEFAULT {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
    }

I did this in radiusd.conf:

    passwd etc_smbpasswd {
        filename = /usr/local/samba/private/smbpasswd
        format = *Stripped-User-Name::LM-Password:...

No joy.

Jim
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
Michael Griego [EMAIL PROTECTED] wrote:
> Or you could make sure your DEFAULT realm is set up.

Actually, a NULL realm was what I think you meant.

> Your current configuration should work if you have a DEFAULT realm in your proxy.conf. If it doesn't work using the default realm, change your etc_smbpasswd line to use the Stripped-User-Name, but I think it should already attempt to use it if it's present. It's not present, though, because no realm is found. The DEFAULT realm will catch all realm instances that aren't specifically set up.

The NULL realm caught it, but the Stripped-User-Name is not stripped of the stupid 'doze garbage pre-pended to it :(. Observe:

    modcall[authorize]: module mschap returns noop for request 6
    rlm_realm: No '@' in User-Name = ADMINNB\jseymour, looking up realm NULL
    rlm_realm: Found realm NULL
    rlm_realm: Adding Stripped-User-Name = ADMINNB\jseymour
    rlm_realm: Proxying request from user ADMINNB\jseymour to realm NULL
    rlm_realm: Adding Realm = NULL
    rlm_realm: Authentication realm is LOCAL.

*sigh* I hate 'doze.

What rather astonishes me is that this either hasn't come up before, tho I have a private email that indicates something like it has, or that nobody's pursued it to the bitter end. One would almost think that Unix/Linux + Samba + Wireless + WPA + (Free)RADIUS was an unusual combination. Or maybe it is... (That might explain a *lot*.)

Jim
Accouting Problems
Hi.

I'm working on a wireless network for our local city. I'm using freeRadius 1.0.1 on a Debian server and Alchemy 6.0 with ChilliSpot on Linksys accesspoints. Everything's working fine but I've a little problem with the accounting function on freeRadius. Everything (including the radacct) is stored in a MySQL database. Every user is in a group with following attributes in radgroupreply:

    Session-Timeout := 10800
    Idle-Timeout := 900

Now I've following problem. If a user disconnects without logging off from the system over the ChilliSpot Logoff-URL the user will be kept online (AcctStopTime = 0) in the radacct. Even the Session-Timeout seems not to work properly. May it be I've forgotten a special setting or an another attribute?

But I had an interesting experience. A Session-Timeout about 5-10 minutes seems to work, but the current Session-Timeout doesn't work.

Perhaps someone can help me out...that would be fine. If you need more information please ask for them, I'll give it to you.

Thank you,
Sebastian Steinhauer
Re: Accouting Problems
sorry for this response but the failure in that specific scenario is very unlikely to be on the server.

the Session-Timeout value and the Accounting events have to be respected/generated at the client. so, if you don't have the Accounting Stop for a disconnected user, then the client is no good. if the client does not follow the Session-Timeout which it has previously received in the Access Accept, then, once again, it's the fault of the client.

try to ask ChilliSpot or Linksys people - wherever you are sending the Accept to.

ciao
artur

Sebastian Steinhauer wrote:
> Hi.
>
> I'm working on a wireless network for our local city. I'm using freeRadius 1.0.1 on a Debian server and Alchemy 6.0 with ChilliSpot on Linksys accesspoints. Everything's working fine but I've a little problem with the accounting function on freeRadius. Everything (including the radacct) is stored in a MySQL database. Every user is in a group with following attributes in radgroupreply:
>
>     Session-Timeout := 10800
>     Idle-Timeout := 900
>
> Now I've following problem. If a user disconnects without logging off from the system over the ChilliSpot Logoff-URL the user will be kept online (AcctStopTime = 0) in the radacct. Even the Session-Timeout seems not to work properly. May it be I've forgotten a special setting or an another attribute?
>
> But I had an interesting experience. A Session-Timeout about 5-10 minutes seems to work, but the current Session-Timeout doesn't work.
>
> Perhaps someone can help me out...that would be fine. If you need more information please ask for them, I'll give it to you.
>
> Thank you,
> Sebastian Steinhauer
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
[EMAIL PROTECTED] (Jim Seymour) wrote:
> The NULL realm caught it, but the Stripped-User-Name is not stripped of the stupid 'doze garbage pre-pended to it :(. Observe:

The DEFAULT realm *should* do this. The NULL realm is don't do realms, which isn't what you want.

Hmm... the reason the hints thing didn't work is that the regex function expects '\' to be escaped, too. This works for me:

    DEFAULT User-Name =~ (.*)$
            My-Local-User-Name = %{1}

> What rather astonishes me is that this either hasn't come up before, tho I have a private email that indicates something like it has, or that nobody's pursued it to the bitter end. One would almost think that Unix/Linux + Samba + Wireless + WPA + (Free)RADIUS was an unusual combination.

No, but having the machine name in the User-Name attribute isn't common.

Alan DeKok.
Freeradius + LDAP + Segmentation Fault
Hello,

I'm using Freeradius 1.0.2, and when I try to radtest the configuration it breaks down. Logs show that authentication was made, and it says:

    auth... correct

then, next line,

    Segmentation Fault

I have configured only LDAP, got rid of EAP, UNIX, PAM, CHAP, CHAPv2, PAP.

Some suggestion?

Now I'm working with PAM (that is authenticated with LDAP) but I'm losing capabilities.

Suggestions?

LD
Re: why my adsl-connect only keep 0.4 miniutes?
i found the reason, in the /etc/sysconfig/network-scripts/ifcfg-ppp0, there are two options PPPOE_TIMEOUT and CONNECT_TIMEOUT, both i set 0, now it works fine

> From: Peter Nixon [EMAIL PROTECTED]
> Reply-To: freeradius-users@lists.freeradius.org
> To: freeradius-users@lists.freeradius.org
> Subject: Re: why my adsl-connect only keep 0.4 miniutes?
> Date: Wed, 30 Mar 2005 13:32:58 +0300
>
> Is there any particular reason why you think this problem is related to FreeRADIUS?
>
> Regards
> Peter
>
> On Wednesday 30 March 2005 13:26, wrote:
> > there is three machine, A install the freeradius 1.0.2 and the mysql, B just install pppd+radiusclient and pppoe-server, C is my pc, i adsl-connect to the pppd on my pc. my connect just keep 0.4 minute, and then show me that modem hangup and adsl-connect reconnect, and it work correctly 0.4 minutes. i don't known why
> >
> > > From: Peter Nixon [EMAIL PROTECTED]
> > > Reply-To: freeradius-users@lists.freeradius.org
> > > To: freeradius-users@lists.freeradius.org
> > > Subject: Re: why my adsl-connect only keep 0.4 miniutes?
> > > Date: Wed, 30 Mar 2005 13:05:58 +0300
> > >
> > > On Wednesday 30 March 2005 04:31, wrote:
> > > > each time i connect to the server, the adsl-connect only keep 0.4 minutes, and then the modem hangup, and the auto reconnect. is there some attribute i didn't set a right value in mysql or other problem? thanks.
> > >
> > > We have no idea how you are using radius, why you are using radius or with what equipment you are using radius. If you give us some information about your setup we might be able to help you.
> > >
> > > --
> > > Peter Nixon http://www.peternixon.net/
Re: No FreeRADIUS on Debian in the future ?
On Wed, Mar 30, 2005 at 06:28:46PM +, Mark Wasmer wrote:
> Today i've read the Debian-Weekly-News March 29th, 2005 and got worried :
>
> > Build-Dependency against libtool 1.4. Andrew Pollock noticed that five packages still declare a build-dependency against libtool 1.4 which is orphaned and will be removed. Frank Lichtenheld proposed to open bug reports against packages that use libtool 1.4 files to upgrade to version 1.5 which was considered a good idea. Henrique de Moraes Holschuh also suggested to force the use of newer libtool, autoconf and gettext utilities.
>
> FreeRADIUS depends on this package - can someone tell me what this means to me in the future as i like to use FreeRADIUS on Debian Sarge ?

There is already a bug report open against FreeRADIUS in Debian about libtool 1.4. The decision the release managers and myself came to was that forward-porting FreeRADIUS 1.0 to autoconf2.5/libtool1.5 was not feasible, and we do not want a non-released (CVS pull) FreeRADIUS in Debian/stable (ie. Sarge when it's released).

Post-sarge, I'm expecting FreeRADIUS 1.1 will be out, and we can get rid of libtool1.4.

I didn't read the Debian Weekly News article, and unless this thread appeared on Debian-Devel in the last couple of days, it's not been discussed anywhere I'm party to. So it's a bit of a surprise to me.

In short, I think this is an issue that was dealt with last year, and I fully expect Sarge will include libtool1.4, as agreed previously.

Of course, if FreeRADIUS 1.1 is out before Sarge ships, I will consider trying to get it into Sarge. But that is not to my mind very likely to occur. We'll burn that bridge when we come to it.

--
Paul TBBle Hampson, on an alternate email client.
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
Hi,

>     authorize {
>         ...
>         #
>         # If you are using multiple kinds of realms, you probably
>         # want to set ignore_null = yes for all of them.
>         # Otherwise, when the first style of realm doesn't match,
>         # the other styles won't be checked.
>         #
>         suffix
>     #   ntdomain
>         ...
>         #
>         # If you are using /etc/smbpasswd, and are also doing
>         # mschap authentication, the un-comment this line, and
>         # configure the 'etc_smbpasswd' module, above.
>         etc_smbpasswd
>         ...
>     }
>
> I un-commented ntdomain. No change. The -X output can be seen at:

Hope you haven't given up yet. In a later message you write:

>     modcall[authorize]: module mschap returns noop for request 6
>     rlm_realm: No '@' in User-Name = ADMINNB\jseymour, looking up realm NULL
>     rlm_realm: Found realm NULL
>     rlm_realm: Adding Stripped-User-Name = ADMINNB\jseymour
>     rlm_realm: Proxying request from user ADMINNB\jseymour to realm NULL
>     rlm_realm: Adding Realm = NULL
>     rlm_realm: Authentication realm is LOCAL.

Which makes me think that both suffix and ntdomain are active in rlm_realms. Try turning off suffix, because suffix operates only on names formatted like [EMAIL PROTECTED] In your case I think it tries to find a suffix, doesn't, and then uses realm NONE because no realm delimiter is found. If you turn suffix off, the delimiter \ is found and the request is set to the DEFAULT realm. Hopefully.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingénieur réseau et système
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED] tél.: +352 424409-33
http://www.restena.lu fax: +352 422473
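Added example (not part of any message in this thread, and not FreeRADIUS code): a small Python model of the realm handling the replies above describe, showing why the smbpasswd lookup returns notfound for ADMINNB\jseymour and which module order and realm definitions give the bare username as the lookup key. The module dictionaries, the ignore_null handling and the smbpasswd entry are constructed assumptions for illustration.

```python
# Added illustration: a simplified model of the realm handling discussed in this
# thread. It is not FreeRADIUS source code; behaviour follows the -X log lines
# quoted in the messages and the outcome the replies expect.

# Constructed smbpasswd-style entry (name:uid:LM hash:NT hash:flags:change time).
SMBPASSWD = (
    "jseymour:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:"
    "0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-00000000:\n"
)

# Hypothetical stand-ins for the two realm module instances named in the thread.
SUFFIX = {"name": "suffix", "format": "suffix", "delimiter": "@"}
NTDOMAIN = {"name": "ntdomain", "format": "prefix", "delimiter": "\\"}


def realm_lookup(user_name, module, realms, ignore_null=False):
    """Return (realm, stripped) for one realm module, or (None, None) for noop."""
    delim = module["delimiter"]
    if delim not in user_name:
        # "No '@' in User-Name = ..., looking up realm NULL"
        if "NULL" in realms and not ignore_null:
            return "NULL", user_name      # name is kept whole, as in the log
        return None, None
    if module["format"] == "suffix":
        user, realm = user_name.rsplit(delim, 1)
    else:
        realm, user = user_name.split(delim, 1)
    if realm in realms:
        return realm, user
    if "DEFAULT" in realms:
        return "DEFAULT", user
    return None, None                     # "No such realm ADMINNB"


def nt_hash_for(key, smbpasswd=SMBPASSWD):
    """Look the key up in the first field of an smbpasswd-style file."""
    for line in smbpasswd.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == key:
            return fields[3]
    return None                           # "etc_smbpasswd returns notfound"


def authorize(user_name, modules, realms, ignore_null=False):
    """Run realm modules in order, then key the password lookup.

    The first module that finds a realm wins; later styles are not checked,
    which is what the radiusd.conf comment quoted in the thread warns about.
    """
    stripped = None
    for module in modules:
        realm, name = realm_lookup(user_name, module, realms, ignore_null)
        if realm is not None:
            stripped = name
            break
    key = stripped if stripped is not None else user_name
    return key, nt_hash_for(key)


if __name__ == "__main__":
    user = "ADMINNB\\jseymour"
    cases = [
        ("ntdomain only, no realms defined", [NTDOMAIN], set(), False),
        ("suffix first, NULL realm defined", [SUFFIX, NTDOMAIN], {"NULL"}, False),
        ("ntdomain only, DEFAULT realm", [NTDOMAIN], {"DEFAULT"}, False),
        ("suffix + ntdomain, ignore_null", [SUFFIX, NTDOMAIN],
         {"NULL", "DEFAULT"}, True),
    ]
    for label, modules, realms, ign in cases:
        key, nt = authorize(user, modules, realms, ign)
        print(f"{label:36} key={key!r:22} NT hash {'found' if nt else 'notfound'}")
```

The first two cases reproduce the two failures shown in the quoted debug output; the last two are the configurations the replies propose, modelled under the assumptions above.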
attr_rewrite
Hi!

I try to use attr_rewrite and a little confused.

From my radiusd.conf:

    modules {
        ...
        attr_rewrite normalize_card {
            attribute = User-Name
            searchin = packet
            searchfor = .{4}-([0-9]{8})-.{4}
            replacewith = %{1}
            ignore_case = yes
            new_attribute = no
            max_matches = 1
            append = no
        }
        ...
    }

    authorize {
        preprocess
        normalize_card
        ...
    }

    preacct {
        preprocess
        normalize_card
        ...
    }

I'm trying to rewrite -- to just with radtest but got:

    Thu Mar 31 11:41:27 2005 : Auth: Login incorrect: [-/12345678] (from client localhost port 0)

Don't worry about Login incorrect it doesn't matter, look at username. It's - instead of just . I can't understand what's wrong?

--
DSS5-RIPE DSS-RIPN 2:550/[EMAIL PROTECTED] 2:550/[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] http://neva.vlink.ru/~dsh/
AW: Redundant Radius with Dynamic Data
Hello Christopher,

here is another suggestion: don't use ippools on radius, use it on the nacs. Then you let the radius decide which ippool to use on the nac by name. The bad thing is you have to care about pools on nacs, the good one is you haven't to care about pool sync. It works because you can name pools on nacs and the radius can tell the nac which pool to use.

Hope that helps.

Best Regards,
Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 30 March 2005 12:46
To: freeradius-users@lists.freeradius.org
Subject: Redundant Radius with Dynamic Data

> Hello Group,
>
> I am just about to set up a radius service and have managed to acquire 2 servers with a view to making the end product redundant.
>
> Just to give you a little background. The radius system will be used for DSL authentication. The user will authenticate (indirectly via a cisco device) with their [EMAIL PROTECTED] password. The server will then authorise the user and respond with a single attribute - their IP address.
>
> The IP addresses (depending on which domain they are in) will be dynamically allocated from a pool of IP addresses. So far so good.
>
> I don't intend to perform any load balancing of the traffic to the two radius servers. Therefore I was planning to use the features on the Cisco router to treat one server as primary and one as secondary (failover).
>
> I will most likely use rsync to synchronise the config from the primary to the secondary. My problem (and hence the reason for this post) is that the primary would be holding accounting information regarding which IP addresses have been allocated to each user from the "pool" - thus avoiding any IP conflict on the edge network. I do not understand how I would be able to configure the two servers so that if the Primary failed the secondary would know which IPs had been allocated and continue to allocate from the remaining pool.
>
> I have literally only just switched the servers on. I want to get this right from the start. If I cannot find a solution to this issue I have a back out plan that involves setting each user with a static IP, not ideal.
>
> Is an SQL backend the best method? Would a shared SQL backend maintain the integrity of the allocated IP pool? I have experience with Freeradius and would like to continue with this platform, but is it the best one for what I am attempting?
>
> I look forward to your responses to this question.
>
> Best Regards,
> Christopher Howarth RHCE
> Network Systems Development Consultant
> Equinox Converged Solutions
Re: Accouting Problems
Sebastian Steinhauer [EMAIL PROTECTED] wrote:
> Now I've following problem. If a user disconnects without logging off from the system over the ChilliSpot Logoff-URL the user will be kept online (AcctStopTime = 0) in the radacct.

See the FAQ. The server can only log information if the NAS sends it. If the NAS isn't sending logout information, then FreeRADIUS will not be able to put that information into MySQL.

> But I had an interesting experience. A Session-Timeout about 5-10 minutes seems to work, but the current Session-Timeout doesn't work.

Ask Linksys why the Session-Timeout attribute is being ignored.

Alan DeKok.
Re: why my adsl-connect only keep 0.4 miniutes?
i didn't known where to set the session-timeout. i didn't do this...

> From: Dustin Doris [EMAIL PROTECTED]
> Reply-To: freeradius-users@lists.freeradius.org
> To: freeradius-users@lists.freeradius.org
> Subject: Re: why my adsl-connect only keep 0.4 miniutes?
> Date: Wed, 30 Mar 2005 10:02:46 -0500 (EST)
>
> If you are setting session-timeout to .4 minutes, then the NAS will disconnect the user at that time. However, you'd probably know if you set that up. If you don't send a session-timeout, then the problem is either your NAS is disconnecting the user for some reason, or the modem is dropping train. That isn't related to radius, as the radius server just records what is sent to it. I'd troubleshoot the NAS, Modem, phone line/pots/dslam/etc...
>
> On Wed, 30 Mar 2005, [gb2312] wrote:
> > one man said there is a option session-timeout have to set, but i do not known where to set... the other said only the nas can hangup your connect, but i can't found why
> >
> > > From: Peter Nixon [EMAIL PROTECTED]
> > > Reply-To: freeradius-users@lists.freeradius.org
> > > To: freeradius-users@lists.freeradius.org
> > > Subject: Re: why my adsl-connect only keep 0.4 miniutes?
> > > Date: Wed, 30 Mar 2005 13:32:58 +0300
> > >
> > > Is there any particular reason why you think this problem is related to FreeRADIUS?
> > >
> > > Regards
> > > Peter
> > >
> > > On Wednesday 30 March 2005 13:26, wrote:
> > > > there is three machine, A install the freeradius 1.0.2 and the mysql, B just install pppd+radiusclient and pppoe-server, C is my pc, i adsl-connect to the pppd on my pc. my connect just keep 0.4 minute, and then show me that modem hangup and adsl-connect reconnect, and it work correctly 0.4 minutes. i don't known why
> > > >
> > > > > From: Peter Nixon [EMAIL PROTECTED]
> > > > > Reply-To: freeradius-users@lists.freeradius.org
> > > > > To: freeradius-users@lists.freeradius.org
> > > > > Subject: Re: why my adsl-connect only keep 0.4 miniutes?
> > > > > Date: Wed, 30 Mar 2005 13:05:58 +0300
> > > > >
> > > > > On Wednesday 30 March 2005 04:31, wrote:
> > > > > > each time i connect to the server, the adsl-connect only keep 0.4 minutes, and then the modem hangup, and the auto reconnect. is there some attribute i didn't set a right value in mysql or other problem? thanks.
> > > > >
> > > > > We have no idea how you are using radius, why you are using radius or with what equipment you are using radius. If you give us some information about your setup we might be able to help you.
> > > > >
> > > > > --
> > > > > Peter Nixon http://www.peternixon.net/