Freeradius Solaris installation
I have installed freeradius-snapshot-20050331, which I got from the CVS directory. When I run ./configure it seems OK, but when I make it, it comes out with these issues. It seems that I have a problem with the MySQL driver. Is that because of my MySQL on Solaris or something else? Can anybody tell me?

libtool: install: `rlm_sql_mysql.la' is not a valid libtool archive
Try `libtool --help --mode=install' for more information.
make[11]: *** [install] Error 1
make[11]: Leaving directory `/tmp/freeradius-snapshot-20050331/src/modules/rlm_sql/drivers/rlm_sql_mysql'
make[10]: *** [common] Error 1
make[10]: Leaving directory `/tmp/freeradius-snapshot-20050331/src/modules/rlm_sql/drivers'
make[9]: *** [install] Error 2
make[9]: Leaving directory `/tmp/freeradius-snapshot-20050331/src/modules/rlm_sql/drivers'
make[8]: *** [common] Error 1
make[8]: Leaving directory `/tmp/freeradius-snapshot-20050331/src/modules/rlm_sql'
make[7]: *** [install-drivers] Error 2
make[7]: Leaving directory `/tmp/freeradius-snapshot-20050331/src/modules/rlm_sql'
make[6]: *** [install] Error 2
make[6]: Leaving directory `/tmp/freeradius-snapshot-20050331/src/modules/rlm_sql'
make[5]: *** [common] Error 1
make[5]: Leaving directory `/tmp/freeradius-snapshot-20050331/src/modules'
make[4]: *** [install] Error 2
make[4]: Leaving directory `/tmp/freeradius-snapshot-20050331/src/modules'
make[3]: *** [common] Error 1
make[3]: Leaving directory `/tmp/freeradius-snapshot-20050331/src'
make[2]: *** [install] Error 2
make[2]: Leaving directory `/tmp/freeradius-snapshot-20050331/src'
make[1]: *** [common] Error 1
make[1]: Leaving directory `/tmp/freeradius-snapshot-20050331'
make: *** [install] Error 2
Solaris 8 and Freeradius
Hi everyone. I've installed FreeRADIUS 0.9.* on Solaris 8 and it installed successfully. But when I tried to run it in debugging mode, I received this text printed at the end of the output:

rlm_eap: Loaded and initialized the type gtc
rlm_eap: Invalid type name mschapv2 cannot be linked
radiusd.conf[9]: eap: Module instantiation failed.

Then the server process stops without saying "Ready to process request". Can anybody tell me what's going wrong? Is the running process on Linux Red Hat different from Solaris? Thanks.

Roime

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS and MySQL+SSL
On Fri, Apr 01, 2005 at 01:34:37AM +0200, Wolfram Schlich wrote:
> * Wolfram Schlich <[EMAIL PROTECTED]> [2005-03-19 13:11]:
> > * Paul Hampson <[EMAIL PROTECTED]> [2005-03-19 04:56]:
> > > On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
> > > > * Wolfram Schlich <[EMAIL PROTECTED]> [2005-03-17 00:55]:
> > > > [ FreeRADIUS + MySQL + SSL ]
> > > > Ok, I have sat down and hacked something together, with a little help
> > > > from a friend. I probably did something wrong or suboptimal (as I
> > > > said, I am not a C coder), but at first glance it seems to work fine.
> > > > Here's the patch:
> > > > http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
> > > [...]
> > > I don't give it much chance of getting into 1.0.3, especially since MySQL don't
> > > distribute SSL-enabled binaries.
> > What does the MySQL client distribution policy have to do
> > with this?! *wonder*
> > > They're apparently moving away from
> > > OpenSSL in the server, but no indication that they're going to
> > > un-OpenSSL the _client_ libraries. [1] [2]
> > Well, OpenSSL or GnuTLS -- it doesn't matter as long as the
> > MySQL protocol keeps supporting SSL'd connections...
> > I have posted a comment to [2] in order to get some more information
> > from that MySQL guy.
> There's some news: MySQL is going for yaSSL in the 5.0 tree:
> http://bugs.mysql.com/bug.php?id=8508&error=lp
> Anyway, it won't affect the mysql_ssl_set() function, I guess.

Hmm. For the record, [1] too. yaSSL looks interesting. You're right, though: as long as they don't change the libmysqlclient API, all the previous comments about protecting it with a #define based on a header function check are sufficient.

[1] http://bugs.mysql.com/bug.php?id=6924

-- 
Paul "TBBle" Hampson, on an alternate email client.
Re: Running radiusd as the nobody user
On Thu, Mar 31, 2005 at 04:29:28PM -0600, Dennis Comeaux wrote:
> Our security team wants radiusd running as a secure user. I've
> attempted to run it as nobody by editing radiusd.conf but I get a
> bunch of permission denied errors:

The Debian build scripts (debian/rules and debian/*.postinst) install such that FreeRADIUS runs as user freerad, if that's any help for how to do it. Although there's a problem at the moment with dialupadmin trying to access things the www-data user hasn't permission for.

-- 
Paul "TBBle" Hampson, on an alternate email client.
Re: rlm_exec: Wait=yes but no output defined
On Thu, Mar 31, 2005 at 11:33:00AM -0800, Rick Kunkel wrote:
> Heya all,
> I'm getting this warning when running. The longer version, in debugging
> mode, is this:
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> This doesn't seem to be a section I'm using. Should I just comment it
> out? Or maybe put "output = none" after "input_pairs = request"? It
> seems a harmless error, but I figured I'd clean it up anyhow.

That's a known bug (and harmless, as you say) in 1.0.2. The error message _should_ say "output_pairs=none", but if you put that, it will refuse to start because a defined output_pairs and wait=no are incompatible. FreeRADIUS 1.1's default for output_pairs is "none", so for wait=no you can leave it blank. (A null-program'd exec is a different case.) Or at least I think it is... Gotta check that.

> Is this the default setting? And if so, why not simply comment it out or
> put that "output = none" in by default too?

-- 
Paul "TBBle" Hampson, on an alternate email client.
Give 2 ip pools to the clients
Hi, I get an allocation of 2 networks of IPs; the ranges are:

192.168.2.1 - 192.168.2.14
192.168.5.1 - 192.168.5.14

My conf:

ippool pool1 {
	range-start = 192.168.2.1
	range-stop = 192.168.2.14
	netmask = 255.255.255.0
	cache-size = 14
	session-db = ${raddbdir}/db.ippool1
	ip-index = ${raddbdir}/db.ipindex1
}
ippool pool2 {
	range-start = 192.168.5.1
	range-stop = 192.168.5.14
	netmask = 255.255.255.0
	cache-size = 14
	session-db = ${raddbdir}/db.ippool2
	ip-index = ${raddbdir}/db.ipindex2
}

I want to give all IP allocations to all of the clients. I have used just 1 network of IPs, but sometimes my clients couldn't get any more IPs. Is there any way to give 2 Pool-Name attributes (pool1 & pool2)?

Best regards,
eDoS
Re: FreeRADIUS and MySQL+SSL
* Paul Hampson <[EMAIL PROTECTED]> [2005-03-19 04:56]:
> On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
> > * Wolfram Schlich <[EMAIL PROTECTED]> [2005-03-17 00:55]:
> > [ FreeRADIUS + MySQL + SSL ]
> > Ok, I have sat down and hacked something together, with a little help
> > from a friend. I probably did something wrong or suboptimal (as I
> > said, I am not a C coder), but at first glance it seems to work fine.
> > Here's the patch:
> > http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
> [...]
> I don't give it much chance of getting into 1.0.3, especially since MySQL don't
> distribute SSL-enabled binaries.

What does the MySQL client distribution policy have to do with this?! *wonder*

> They're apparently moving away from
> OpenSSL in the server, but no indication that they're going to
> un-OpenSSL the _client_ libraries. [1] [2]

Well, OpenSSL or GnuTLS -- it doesn't matter as long as the MySQL protocol keeps supporting SSL'd connections... I have posted a comment to [2] in order to get some more information from that MySQL guy.

There's some news: MySQL is going for yaSSL in the 5.0 tree:
http://bugs.mysql.com/bug.php?id=8508&error=lp

Anyway, it won't affect the mysql_ssl_set() function, I guess.

-- 
Wolfram Schlich
Attach mac address to username
I have built a small hotspot at a hotel and have successfully found out all I needed by STF & STW so far. I must be using the wrong search phrases, as I haven't come across anything like what I am trying to do. Currently using freeradius 1.0.1 with chillispot on my NAS with the following attributes in the MySQL database:

Simultaneous-Use
Max-All-Session
Idle-Timeout

I would like to provide username/password combinations that allow 24 hour access only to the original MAC address that successfully logged in. Is there a way to dynamically attach the MAC of the user's PC to the username who has logged in? This way I can stop people sharing the same username/password combination on different PCs. Is that possible?

Thanks
Shane
Re: Running radiusd as the nobody user
Eric Gregory <[EMAIL PROTECTED]> wrote:
> Am I right that he'll also need to make /var/log/radius.log writable by
> nobody?

Yes, though there's a bug in 1.0.2 that will make that difficult.

> I'm far from the smartest guy on the list but I think that's what I
> see in there.

Yup.

Alan DeKok.
Re: Running radiusd as the nobody user
Am I right that he'll also need to make /var/log/radius.log writable by nobody? I'm far from the smartest guy on the list but I think that's what I see in there.

Eric

Alan DeKok wrote:
> Dennis Comeaux <[EMAIL PROTECTED]> wrote:
> > I've even done chmod a+rwx on cacert.pem but the error still shows.
>
> Make sure that the RADIUS server can read all of the directories above cacert.pem. And DON'T do "chmod a+rwx", that's a very bad idea.
>
> $ cd /etc/raddb
> $ chown -R nobody .
>
> At which point the default permissions should be OK.
>
> Alan DeKok.
Re: Running radiusd as the nobody user
Dennis Comeaux <[EMAIL PROTECTED]> wrote:
> I've even done chmod a+rwx on cacert.pem but the error still shows.

Make sure that the RADIUS server can read all of the directories above cacert.pem. And DON'T do "chmod a+rwx", that's a very bad idea.

$ cd /etc/raddb
$ chown -R nobody .

At which point the default permissions should be OK.

Alan DeKok.
Running radiusd as the nobody user
Help! Our security team wants radiusd running as a secure user. I've attempted to run it as nobody by editing radiusd.conf but I get a bunch of permission denied errors:

[EMAIL PROTECTED] etc]# /etc/init.d/radiusd start
Starting RADIUS server: Thu Mar 31 16:21:27 2005 : Info: Starting - reading configuration files ...
radiusd: Couldn't open /var/log/radius/radius.log for logging: Permission denied
(rlm_exec: Wait=yes but no output defined. Did you mean output=none?)
4778:error:0200100D:system library:fopen:Permission denied:bss_file.c:104:fopen('/etc/raddb/certs/demoCA/cacert.pem','r')
4778:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109:
4778:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
radiusd: Couldn't open /var/log/radius/radius.log for logging: Permission denied
(rlm_eap_tls: Error reading Trusted root CA list)
radiusd: Couldn't open /var/log/radius/radius.log for logging: Permission denied
(rlm_eap: Failed to initialize type tls)
radiusd: Couldn't open /var/log/radius/radius.log for logging: Permission denied
(radiusd.conf[9]: eap: Module instantiation failed. )
[FAILED]
[EMAIL PROTECTED] etc]#

I've attempted creating a radiusd user and assigning rights, but then I get:

4785:error:0200100D:system library:fopen:Permission denied:bss_file.c:104:fopen('/etc/raddb/certs/demoCA/cacert.pem','r')
4785:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109:
4785:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:

I've even done chmod a+rwx on cacert.pem but the error still shows. Ideas?

-d
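The failure in this thread (fopen on cacert.pem is denied for nobody even after chmod a+rwx, and the reply says to check every directory above it) comes down to the search bit on each ancestor directory, not the mode of the file. The following Python is an added example written for this page, not code from FreeRADIUS or from anyone in the thread: it walks the ancestors of a file and reports which components a given uid/gid pair cannot search or read, using the same owner/group/other rule the kernel applies. It builds a constructed temporary tree modelled on /etc/raddb/certs/demoCA/cacert.pem; uid 65534 standing in for nobody and the 0700 mode on the certs directory are assumptions. Two caveats a practitioner would want: chmod a+rwx on a CA certificate is worse than useless, because anyone on the box can then replace the trust anchor EAP-TLS validates against; and chown -R nobody on /etc/raddb lets the daemon rewrite its own configuration, so a dedicated service user with root-owned, group-readable config is the tighter arrangement.

```python
import os
import stat
import tempfile


def _permitted(st, uid, gids, ubit, gbit, obit):
    """Discretionary-access check for one inode, the way a POSIX kernel
    does it: owner class if the uid matches, else group class if the
    gid matches, else the 'other' class.  uid 0 bypasses the check."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)


def find_blocking_components(path, uid, gids):
    """Return the ancestor directories a process running as uid/gids
    cannot search (x bit), plus the file itself if it cannot read it.
    An empty list means fopen(path, "r") passes the permission checks
    for that identity.  A 0777 file inside a 0700 directory is still
    unreachable, which is the situation in the thread."""
    path = os.path.abspath(path)
    blocked = []
    ancestors = []
    cur = path
    while True:
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        ancestors.append(parent)
        cur = parent
    for d in reversed(ancestors):                  # "/" first, deepest last
        if not _permitted(os.stat(d), uid, gids,
                          stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            blocked.append(d)
    if not _permitted(os.stat(path), uid, gids,
                      stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        blocked.append(path)
    return blocked


def demo(foreign_uid=65534):
    """Build a constructed tree modelled on /etc/raddb/certs/demoCA/cacert.pem
    under a temporary directory, with 'certs' at mode 0700 and cacert.pem at
    0777 (the chmod a+rwx from the post), and report what blocks a foreign
    uid (65534 is assumed to be 'nobody') before and after fixing 'certs'."""
    if os.getuid() == foreign_uid:                 # keep the identity foreign
        foreign_uid -= 1
    base = tempfile.mkdtemp(prefix="raddb-")
    certs = os.path.join(base, "certs")
    demo_ca = os.path.join(certs, "demoCA")
    os.makedirs(demo_ca)
    cacert = os.path.join(demo_ca, "cacert.pem")
    with open(cacert, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
    os.chmod(base, 0o755)
    os.chmod(certs, 0o700)
    os.chmod(demo_ca, 0o755)
    os.chmod(cacert, 0o777)
    gids = [foreign_uid]
    before = find_blocking_components(cacert, foreign_uid, gids)
    os.chmod(certs, 0o755)                         # the actual fix: search bit for others
    after = find_blocking_components(cacert, foreign_uid, gids)
    return {"certs": certs, "cacert": cacert,
            "blocked_before": before, "blocked_after": after}


if __name__ == "__main__":
    r = demo()
    print("blocked before:", r["blocked_before"])
    print("blocked after: ", r["blocked_after"])
```

Run it as any user: the first list names the certs directory (and nothing about cacert.pem, whose 0777 mode is irrelevant while its parent is unsearchable); the second list no longer contains it once the search bit is granted. Running radiusd with the real service uid and pointing this at the real cacert.pem gives the same answer without the trial-and-error chmod.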
Re: problem compiling on s390x
[EMAIL PROTECTED] wrote:
> I was wondering if this had anything to do with the problem. I found
> this on the Novell SLES9 website:
>
> libiodbc has been Dropped
>
> People using FreeRADIUS now have to link against unixODBC as libiodbc
> has been dropped.

This has nothing to do with the problem.

Alan DeKok.
Re: problem compiling on s390x
[EMAIL PROTECTED] wrote:
>> /home/ducprgg/rpms/BUILD/freeradius-1.0.2/libtool --mode=link gcc
>> rlm_ippool_tool.o -lnsl -lresolv -lpthread -lcrypto -lssl -lgdbm -o
>> rlm_ippool_tool
>> gcc rlm_ippool_tool.o -o rlm_ippool_tool -lnsl -lresolv -lpthread
>> -lcrypto -lssl /usr/lib/libgdbm.so
>> /usr/lib/libgdbm.so: could not read symbols: Invalid operation
> It's a bug in libtool. I have no clue how to work around
> it.
> Alan DeKok.

I was wondering if this had anything to do with the problem. I found this on the Novell SLES9 website:

libiodbc has been Dropped

People using FreeRADIUS now have to link against unixODBC as libiodbc has been dropped.
Re: Fail_over
"Rangel, Luciano" <[EMAIL PROTECTED]> wrote:
> What should I do to configure fail-over in my freeradius ?

Pay someone to configure it for you. You appear to be unable to read the existing documentation.

Alan DeKok.
RE: Fail_over
What should I do to configure fail-over in my freeradius?

Thanks

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 31, 2005 5:59 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Fail_over

"Rangel, Luciano" <[EMAIL PROTECTED]> wrote:
> How can I use the ldflag "fail_over" in my freeradius ??

Read proxy.conf

> My proxy.conf ...

You didn't configure fail-over.

> When I stop my AAA01 the freeradius request is not sent to
> AAA02. Why?

You didn't configure fail-over.

Alan DeKok.
Re: Fail_over
"Rangel, Luciano" <[EMAIL PROTECTED]> wrote:
> How can I use the ldflag "fail_over" in my freeradius ??

Read proxy.conf

> My proxy.conf ...

You didn't configure fail-over.

> When I stop my AAA01 the freeradius request is not sent to
> AAA02. Why?

You didn't configure fail-over.

Alan DeKok.
Fail_over
Hello,

How can I use the ldflag "fail_over" in my freeradius??

My proxy.conf:

realm NULL {
	type = radius
	authhost = AAA01:1645
	accthost = AAA01:1646
	secret = 0lh0viv0
	nostrip
}
realm NULL {
	type = radius
	authhost = AAA02:1645
	accthost = AAA02:1646
	secret = 0lh0viv0
	nostrip
}

When I stop my AAA01 the freeradius request is not sent to AAA02. Why?

Thanks for your help...
Luciano
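The setting the question names, ldflag, is what selects the fail-over behaviour between two realm entries that share a name. The fragment below is an added example for this page, not the poster's file and not the proxy.conf shipped with FreeRADIUS: it keeps the two realm NULL entries from the post and adds ldflag = fail_over to each, so that the second home server is used once the server has given up on the first (how quickly that happens is governed by the other settings documented in the shipped proxy.conf, which is what the reply above points at). Hostnames and ports are the poster's; the secret is a placeholder, and the real one should be treated as burned now that it has gone to a public list. Ports 1645/1646 are the pre-IANA RADIUS ports; 1812/1813 are the registered ones, and the home servers must listen on whichever is configured here.

```conf
# Added example, not from the thread.  Two entries for the same realm,
# each tagged ldflag = fail_over: AAA02 is tried only after AAA01 is
# considered dead.  Replace the secret with a long random value that
# matches the home servers; never reuse one that has been posted.
realm NULL {
	type		= radius
	authhost	= AAA01:1645
	accthost	= AAA01:1646
	secret		= CHANGE_ME_long_random_shared_secret
	ldflag		= fail_over
	nostrip
}
realm NULL {
	type		= radius
	authhost	= AAA02:1645
	accthost	= AAA02:1646
	secret		= CHANGE_ME_long_random_shared_secret
	ldflag		= fail_over
	nostrip
}
```

To verify, start radiusd -X, stop AAA01, send a request with radtest and watch the debug output for the proxy destination switching to AAA02; if it does not, the dead-detection settings in proxy.conf are the next thing to read.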
rlm_exec: Wait=yes but no output defined
Heya all,

I'm getting this warning when running. The longer version, in debugging mode, is this:

Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?

The relevant bits from the radiusd.conf file (I think) are:

# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:/path/to/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in 'doc/variables.txt'
#
exec {
	wait = yes
	input_pairs = request
}

This doesn't seem to be a section I'm using. Should I just comment it out? Or maybe put "output = none" after "input_pairs = request"? It seems a harmless error, but I figured I'd clean it up anyhow.

Is this the default setting? And if so, why not simply comment it out or put that "output = none" in by default too?

Thanks much,
Rick Kunkel
username = diff local username
Any way to make radius check a diff system username than the one the request came in on? Thanks, Matthew Opoka
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
Artur Hecker <[EMAIL PROTECTED]> wrote:
> would you mind writing down a small doc with your experiences?
> i'm sure it would be nice to know for everyone.
[snip]

Actually, I had planned to do just that :). First I need to find out why my MS-WinXP Pro laptop is prepending "WindowsName\" to the username, rather than, say, the workgroup name.

Jim
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
Would you mind writing down a small doc with your experiences? I'm sure it would be nice to know for everyone.

Jim Seymour wrote:
> "Alan DeKok" <[EMAIL PROTECTED]> wrote:
> > [EMAIL PROTECTED] (Jim Seymour) wrote:
> > > Clarification: Giving the server ADMINNB\jseymour works. Giving it
> > > just "jseymour" does not.
> >
> > Because the regex on the line above doesn't match. So, do:
> >
> > DEFAULT User-Name =~ blah
> >         My-Local-User-Name = "%{1}"
> >
> > DEFAULT
> >         My-Local-User-Name = "%{My-Local-User-Name:-%{User-Name}}"
>
> Boy, I sure am missing some of the more obvious ones, aren't I?
>
> Okay, that worked. Thanks for all the help, Alan. And all you others, too!
>
> Jim
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] (Jim Seymour) wrote:
> > Clarification: Giving the server ADMINNB\jseymour works. Giving it
> > just "jseymour" does not.
>
> Because the regex on the line above doesn't match. So, do:
>
> DEFAULT User-Name =~ blah
>         My-Local-User-Name = "%{1}"
>
> DEFAULT
>         My-Local-User-Name = "%{My-Local-User-Name:-%{User-Name}}"

Boy, I sure am missing some of the more obvious ones, aren't I?

Okay, that worked. Thanks for all the help, Alan. And all you others, too!

Jim
Re: Session-Timeout not set with pending Expiration
Joachim Bloche <[EMAIL PROTECTED]> wrote:
> I'm sorry to post twice but as I'm not an English person I was
> wondering whether what I asked was really clear. I'm not looking for a
> complicated solution of any kind, but I'd like to know whether setting
> an Expiration attribute in radcheck normally implies a Session-Timeout
> to be added to the access-accept messages, or not. That's all :)

Yes. If it doesn't work in SQL, try it in the "users" file.

Alan DeKok.
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
[EMAIL PROTECTED] (Jim Seymour) wrote:
> Clarification: Giving the server ADMINNB\jseymour works. Giving it
> just "jseymour" does not.

Because the regex on the line above doesn't match. So, do:

DEFAULT User-Name =~ blah
        My-Local-User-Name = "%{1}"

DEFAULT
        My-Local-User-Name = "%{My-Local-User-Name:-%{User-Name}}"

Alan DeKok.
Re: Authenticating and Blocking per client
On Mar 31, 2005 11:49 AM, Jason Frisvold <[EMAIL PROTECTED]> wrote:
> Is == correct, or should I be using := in the database (I tried both
> and neither seems to have an effect) ...

Never mind... I changed the operator for the wrong item... :) This is working as expected now. I'm off to drink more coffee now... Sorry for the noise.

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
[EMAIL PROTECTED] (Jim Seymour) wrote:
> "Alan DeKok" <[EMAIL PROTECTED]> wrote:
> > [EMAIL PROTECTED] (Jim Seymour) wrote:
> [snip]
> > > Now, if possible, is there a way to persuade FreeRADIUS to try
> > > My-Local-User-Name, if available, Stripped-User-Name if it's not, and
> > > User-Name if Stripped-User-Name is not available?
> >
> > Sure. But you'll need another layer of indirection, because
> > rlm_passwd takes an attribute name, not an "if/then/else" condition.
> >
> > e.g. Key-For-RLM-Passwd =
> > "%{My-Local-User-Name:-%{Stripped-User-Name:-%{User-Name}}}"
> >
> > Where that goes, though, is a little more complex. It has to go
> > after "preprocess", and after "realms", but before "passwd". Find a
> > module which can do that, and you're set...
>
> I tried putting that directly in the DEFAULT hint, following the
> My-Local-User-Name setting. It doesn't appear to work. Or maybe
> that's not a good place to put it?

Clarification: Giving the server ADMINNB\jseymour works. Giving it just "jseymour" does not.

Is it possible the Key-For-RLM-Passwd test is failing? That My-Local-User-Name is "set," even if empty, by the regexp?

Jim
Re: Authenticating and Blocking per client
On Mar 30, 2005 5:02 AM, Peter Nixon <[EMAIL PROTECTED]> wrote:
> Yes. Huntgroups is exactly what you want...

I'm trying to get this working now. Our current setup uses SQL, so I created the huntgroup in the /etc/raddb/huntgroups file, then specified Huntgroup-Name == testgroup in the radgroupcheck table of the radius database. Is this correct? I restarted radiusd and I'm still able to connect to the Redback even though the user is pointed to a huntgroup that does not contain the NAS-IP-Address of the Redback...

Is == correct, or should I be using := in the database (I tried both and neither seems to have an effect) ...

Here is the output from radiusd -X:

rad_recv: Access-Request packet from host 10.0.0.50:1812, id=6, length=102
	User-Name = "testuser"
	User-Password = "testpass"
	NAS-Identifier = "agg0.example.com"
	NAS-IP-Address = 10.0.0.50
	NAS-Real-Port = 402653185
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 3892314151
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
  modcall[authorize]: module "preprocess" returns ok for request 14
  modcall[authorize]: module "chap" returns noop for request 14
  modcall[authorize]: module "mschap" returns noop for request 14
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 14
    rlm_realm: No '\' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 14
radius_xlat: 'testuser'
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testuser' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module "sql" returns ok for request 14
modcall: group authorize returns ok for request 14
  auth: type Crypt
  Processing the session section of radiusd.conf
modcall: entering group session for request 14
  modcall[session]: module "sql" returns noop for request 14
modcall: group session returns noop for request 14
Login OK: [testuser/testpass] (from client RedbackSMS port 3892314151)
Sending Access-Accept of id 6 to 10.0.0.50:1812
	Framed-IP-Address := 255.255.255.254
Finished request 14

> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: Session-Timeout not set with pending Expiration
Hi again,

I'm sorry to post twice but as I'm not an English person I was wondering whether what I asked was really clear. I'm not looking for a complicated solution of any kind, but I'd like to know whether setting an Expiration attribute in radcheck normally implies a Session-Timeout to be added to the access-accept messages, or not. That's all :)

Regards,
Joachim
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] (Jim Seymour) wrote:
[snip]
> > Now, if possible, is there a way to persuade FreeRADIUS to try
> > My-Local-User-Name, if available, Stripped-User-Name if it's not, and
> > User-Name if Stripped-User-Name is not available?
>
> Sure. But you'll need another layer of indirection, because
> rlm_passwd takes an attribute name, not an "if/then/else" condition.
>
> e.g. Key-For-RLM-Passwd =
> "%{My-Local-User-Name:-%{Stripped-User-Name:-%{User-Name}}}"
>
> Where that goes, though, is a little more complex. It has to go
> after "preprocess", and after "realms", but before "passwd". Find a
> module which can do that, and you're set...

I tried putting that directly in the DEFAULT hint, following the My-Local-User-Name setting. It doesn't appear to work. Or maybe that's not a good place to put it?

Jim
Re: Freeradius documentation
> And how about freeradius configuration and function description?

This reminds me of the response of the CA tool TinyCA when clicking on the help button; the popup says "You are kidding, aren't you??" ;-)

There is none. Why not start something like a wiki (such as mediawiki.org) for this purpose? I set up one for my internal use because I'm doing an educational project like you with FreeRADIUS.
Re: problem compiling on s390x
[EMAIL PROTECTED] wrote:
> /home/ducprgg/rpms/BUILD/freeradius-1.0.2/libtool --mode=link gcc
> rlm_ippool_tool.o -lnsl -lresolv -lpthread -lcrypto -lssl -lgdbm -o
> rlm_ippool_tool
> gcc rlm_ippool_tool.o -o rlm_ippool_tool -lnsl -lresolv -lpthread
> -lcrypto -lssl /usr/lib/libgdbm.so
> /usr/lib/libgdbm.so: could not read symbols: Invalid operation

It's a bug in libtool. I have no clue how to work around it.

Alan DeKok.
Re: Problem with ip pools
"Sébastien Cantos" <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8# cat reply-detail-20050331
> Packet-Type = Access-Accept
> Does this mean that accounting is working?

No.

Alan DeKok.
Re: FreeRADIUS with different APs
"Bilal Shahid" <[EMAIL PROTECTED]> wrote:
> I was wondering if the FreeRADIUS Server only works with the NAS's listed or
> the type of NAS doesn't matter?

The NAS doesn't matter.

> AP keeps on sending Request-ID to the Supplicant. Supplicant replies with
> its ID, which the AP passes on to the FreeRADIUS Server. Server sends a
> challenge to the Supplicant but the AP just never passes that challenge on to
> the Client.

It sounds like the AP is broken. This isn't a RADIUS problem.

Alan DeKok.
Re: attr_rewrite
Denis Shaposhnikov <[EMAIL PROTECTED]> wrote:
> I'm trying to rewrite "--" to just "" with
> radtest but got:
>
> Thu Mar 31 11:41:27 2005 : Auth: Login incorrect: [-/12345678]
> (from client localhost port 0)

It's a bug in attr_rewrite. It's fixed in the latest CVS snapshot.

Alan DeKok.
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
[EMAIL PROTECTED] (Jim Seymour) wrote:
> I should've thought of that! It's not like I haven't
> been working with regexps for about a million years. That worked!
> Thanks :).

That's good to hear.

> Now, if possible, is there a way to persuade FreeRADIUS to try
> My-Local-User-Name, if available, Stripped-User-Name if it's not, and
> User-Name if Stripped-User-Name is not available?

Sure. But you'll need another layer of indirection, because rlm_passwd takes an attribute name, not an "if/then/else" condition.

e.g. Key-For-RLM-Passwd = "%{My-Local-User-Name:-%{Stripped-User-Name:-%{User-Name}}}"

Where that goes, though, is a little more complex. It has to go after "preprocess", and after "realms", but before "passwd". Find a module which can do that, and you're set...

Alan DeKok.
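The nested %{A:-%{B:-%{C}}} expression above chains attribute fallbacks, and the other messages in this thread ask what happens when My-Local-User-Name ends up empty and why the second DEFAULT entry with %{My-Local-User-Name:-%{User-Name}} is needed. The following Python is an added example written for this page, not FreeRADIUS code: a small re-implementation of the %{Attr}, %{N} and %{Attr:-fallback} xlat forms, plus a function that applies the two DEFAULT entries from this thread in the order they appear and then builds Key-For-RLM-Passwd. The regex for DOMAIN\user is an assumption (the thread only writes "blah"), and the sample logins and the Stripped-User-Name value are constructed.

```python
import re

# Assumed regex for the "DEFAULT User-Name =~ blah" line in the thread:
# capture what follows a single DOMAIN\ prefix.
DOMAIN_USER_RE = re.compile(r"^[^\\]+\\(.+)$")


def _match_brace(s, open_idx):
    """Index of the '}' that closes the '{' at open_idx, honouring nesting."""
    depth = 0
    for k in range(open_idx, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced %%{ in xlat: %s" % s)


def _expand_body(body, attrs, captures):
    """Expand the inside of one %{...}: an attribute name or a regex
    capture index, optionally followed by ':-' and a fallback xlat."""
    name, sep, fallback = body.partition(":-")
    if name.isdigit():
        idx = int(name)                      # %{0} whole match, %{1} group 1 ...
        value = captures[idx] if idx < len(captures) else ""
    else:
        value = attrs.get(name, "")          # absent attribute expands to ""
    if value or not sep:
        return value
    return expand_xlat(fallback, attrs, captures)  # fallback may nest further


def expand_xlat(template, attrs, captures=()):
    """Expand a string containing FreeRADIUS-style %{Attr}, %{N} and
    %{Attr:-fallback} references.  Illustrative re-implementation of
    the default syntax, not the server's own xlat code."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            j = _match_brace(template, i + 1)
            out.append(_expand_body(template[i + 2:j], attrs, captures))
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def derive_local_user(user_name, extra_attrs=None):
    """Apply, in order, the two DEFAULT entries from the thread, then
    build Key-For-RLM-Passwd with the nested fallback chain.  Returns
    the resulting attribute dict."""
    attrs = dict(extra_attrs or {})
    attrs["User-Name"] = user_name
    captures = ()

    # DEFAULT User-Name =~ <regex>
    #         My-Local-User-Name = "%{1}"
    m = DOMAIN_USER_RE.match(user_name)
    if m:
        captures = (m.group(0),) + m.groups()
        attrs["My-Local-User-Name"] = expand_xlat("%{1}", attrs, captures)

    # DEFAULT
    #         My-Local-User-Name = "%{My-Local-User-Name:-%{User-Name}}"
    attrs["My-Local-User-Name"] = expand_xlat(
        "%{My-Local-User-Name:-%{User-Name}}", attrs, captures)

    # Key-For-RLM-Passwd = "%{My-Local-User-Name:-%{Stripped-User-Name:-%{User-Name}}}"
    attrs["Key-For-RLM-Passwd"] = expand_xlat(
        "%{My-Local-User-Name:-%{Stripped-User-Name:-%{User-Name}}}",
        attrs, captures)
    return attrs


if __name__ == "__main__":
    for login in ("ADMINNB\\jseymour", "jseymour"):
        print(login, "->", derive_local_user(login)["Key-For-RLM-Passwd"])
```

Two things the walk-through makes visible: an empty attribute falls through to the next alternative, so the "set but empty" worry is handled by the ':-' syntax itself; and because the second DEFAULT unconditionally sets My-Local-User-Name, the Stripped-User-Name branch of the Key-For-RLM-Passwd chain can never be reached once both entries are present, which is why the order of the entries matters.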
problem compiling on s390x
I apologize if this is a double post; I was a non-member of the list previously.

I am trying to compile freeradius-1.0.2 on a 64bit s390 running SLES9. I have done it successfully on SLES8 64bit, same machine. But I continually arrive at this error on 'make' on SLES9:

gmake[6]: Entering directory `/home/ducprgg/rpms/BUILD/freeradius-1.0.2/src/modules/rlm_ippool'
gcc -O2 -g -fsigned-char -fno-strict-aliasing -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I../../include -c rlm_ippool.c -o rlm_ippool.o
/home/ducprgg/rpms/BUILD/freeradius-1.0.2/libtool --mode=link ld \
	-module -static -O2 -g -fsigned-char -fno-strict-aliasing -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I../../include rlm_ippool.o -o rlm_ippool.a
mkdir .libs
ar cru rlm_ippool.a rlm_ippool.o
ranlib rlm_ippool.a
gcc -O2 -g -fsigned-char -fno-strict-aliasing -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I../../include -c rlm_ippool_tool.c -o rlm_ippool_tool.o
/home/ducprgg/rpms/BUILD/freeradius-1.0.2/libtool --mode=link gcc rlm_ippool_tool.o -lnsl -lresolv -lpthread -lcrypto -lssl -lgdbm -o rlm_ippool_tool
gcc rlm_ippool_tool.o -o rlm_ippool_tool -lnsl -lresolv -lpthread -lcrypto -lssl /usr/lib/libgdbm.so
/usr/lib/libgdbm.so: could not read symbols: Invalid operation
collect2: ld returned 1 exit status
gmake[6]: *** [rlm_ippool_tool] Error 1
gmake[6]: Leaving directory `/home/ducprgg/rpms/BUILD/freeradius-1.0.2/src/modules/rlm_ippool'
gmake[5]: *** [common] Error 1
gmake[5]: Leaving directory `/home/ducprgg/rpms/BUILD/freeradius-1.0.2/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/home/ducprgg/rpms/BUILD/freeradius-1.0.2/src/modules'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory `/home/ducprgg/rpms/BUILD/freeradius-1.0.2/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/home/ducprgg/rpms/BUILD/freeradius-1.0.2/src'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/home/ducprgg/rpms/BUILD/freeradius-1.0.2'
make: *** [all] Error 2
error: Bad exit status from /home/ducprgg/rpms/tmp/rpm-tmp.52071 (%build)

Here are my configure options:

CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" ./configure \
	--prefix=%{_prefix} \
	--sysconfdir=%{_sysconfdir} \
	--infodir=%{_infodir} \
	--mandir=%{_mandir} \
	--libdir=/usr/lib/freeradius \
	--localstatedir=/var \
	--with-threads \
	--with-thread-pool \
	--with-snmp \
	--with-large-files \
	--disable-ltdl-install \
	--with-ltdl-lib=/usr/lib \
	--with-ltdl-include=/usr/include \
	--with-gnu-ld \
	--enable-heimdal-krb5 \
	--with-rlm-krb5-include-dir=/usr/include/heimdal/ \
	--with-rlm-krb5-lib-dir=%{_libdir} \
	--without-rlm_sql_postgresql \
	--disable-shared \
	--enable-strict-dependencies

Any idea? Thanks.
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
Stefan Winter <[EMAIL PROTECTED]> wrote:
> [snip]
>
> Hope you haven't given up yet. In a later message you write:

Nah, I'm not that easy ;).

> [snip]
>
> Which makes me think that both "suffix" and "ntdomain" are active in
> rlm_realms. Try turning off suffix, because suffix operates only on names
> formatted like [EMAIL PROTECTED] In your case I think it tries to find a
> suffix, doesn't, and then uses realm NONE because no realm delimiter is
> found. If you turn suffix off, the delimiter \ is found and the request is
> set to the DEFAULT realm. Hopefully.

I removed Alan's fix, commented-out "suffix" and un-commented "ntdomain." No joy. Thanks for the suggestion, though.

Jim
Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd
"Alan DeKok" <[EMAIL PROTECTED]> wrote: > > [EMAIL PROTECTED] (Jim Seymour) wrote: [snip] > > Hmm... the reason the "hints" thing didn't work is that the regex > function expects '\' to be escaped, too. This works for me: > > DEFAULTUser-Name =~ "(.*)$" >My-Local-User-Name = "%{1}" I should've thought of that! It's not like I haven't been working with regexps for about a million years. That worked! Thanks :). Now, if possible, is there a way to persuade FreeRADIUS to try My-Local-User-Name, if available, Stripped-User-Name it it's not, and User-Name if Stripped-User-Name is not available? > > > What rather astonishes me is that this either hasn't come up before, > > tho I have a private email that indicates something like it has, or > > that nobody's pursued it to the bitter end. One would almost think > > that Unix/Linux + Samba + Wireless + WPA + (Free)RADIUS was an unusual > > combination. > > No, but having the machine name in the User-Name attribute isn't > common. It's just plain ol' vanilla MS-WinXP Pro SP1, with updated MS support for the wireless stuff. The machine is *not* in a MS-Win2k domain, as I haven't yet got the servers upgraded to support those. So the 'doze PCs are all in plain old MS-Win workgroups for now. You'd have to ask Microsoft why 'doze does what it does. Personally, I've long- since given up trying to understand such things, and now simply try to find ways to work around Microsoft's brain-dead designs. Jim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to authenticate only via username
Stefan Winter <[EMAIL PROTECTED]> wrote:
>
> Hi!
>
> > Any suggestion, how to authenticate only by username?
> > (any password should be valid).
> >
> > Any idea?
>
> Auth-Type := Accept

Btw, a nit-pick: That's not "authentication." It's "identification," at best. And since it's not authenticated, it's not really even that.

Jim
RE: how to authenticate only via username
Stefan,

Don't specify a password in the "users" file for that user. If you are using MYSQL don't specify any password in the radcheck table.

ie. (users file example)

Before:
-> test123 Password="test123"

After:
-> test123

In the above case (After:) any password would be allowed.

Adrian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stefan Winter
Sent: Thursday, March 31, 2005 08:31
To: freeradius-users@lists.freeradius.org
Subject: Re: how to authenticate only via username

Hi!

> Any suggestion, how to authenticate only by username?
> (any password should be valid).
>
> Any idea?

Auth-Type := Accept

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tel.: +352 424409-33
http://www.restena.lu        fax: +352 422473
Re: how to authenticate only via username
Hi!

> Any suggestion, how to authenticate only by username?
> (any password should be valid).
>
> Any idea?

Auth-Type := Accept

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tel.: +352 424409-33
http://www.restena.lu        fax: +352 422473
Re: TLS and server hello.
Hi,

(f'up to freeradius-users, -devel is the wrong place)

> Is there a program which can test RADIUS with EAP TLS and TTLS from the
> unix command line. I've read about Xsupplicant but I don't think that
> it is really what I'm looking for.

XSupplicant can speak TLS, TTLS and lots of others. But you would also need a device to perform the role of "Authenticator", that is an Access Point or Switch that can speak 802.1X.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tel.: +352 424409-33
http://www.restena.lu        fax: +352 422473
how to authenticate only via username
Any suggestion, how to authenticate only by username? (any password should be valid).

I want to migrate from "internal base" to Radius. There is no possibility to retrieve passwords, only by "auth_log", but I want it to be transparent to users.

Any idea?

--
Zbigniew Zych
RE: Problem with ip pools
Still no luck. I made a connection, then disconnected, but the IP is still in the database. I would like to understand if accounting is working well. The only thing I know is that files in [EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8 are being filled. (192.168.10.8 is a cisco router which acts as a NAS forwarding NAS requests).

[EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8# cat auth-detail-20050331
Packet-Type = Access-Request
Thu Mar 31 14:31:55 2005
        Framed-Protocol = PPP
        User-Name = ""
        CHAP-Password =
        NAS-Port-Type = Virtual
        NAS-Port = 135
        Calling-Station-Id = ""
        Called-Station-Id = ""
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.10.8
        Client-IP-Address = 192.168.10.8
        CHAP-Challenge =

[EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8# cat reply-detail-20050331
Packet-Type = Access-Accept
Thu Mar 31 14:31:55 2005
        Framed-Protocol = PPP
        Framed-MTU = 576
        Framed-IP-Address = 192.168.52.79
        Framed-IP-Netmask = 255.255.255.0

Does this mean that accounting is working?

Regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Sébastien Cantos
> Sent: Thursday, March 31, 2005 14:26
> To: freeradius-users@lists.freeradius.org
> Subject: RE: Problem with ip pools
>
> Hi,
>
> The main_pool line in the accounting section of the radiusd.conf file was commented ... Maybe that was my mistake.
> Ok for the rlm_ippool_tool, I'm gonna use it to see if my modification of radiusd.conf is working or not. I was not using accounting at all so I forgot about it but it seems that I will have to configure it well to get the ip_pool working.
> Thanks for answering.
>
> Best regards,
> --
> Sebastien Cantos <[EMAIL PROTECTED]>
> Network / System Manager
> Neopost DIVA
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Kostas Kalevras
> > Sent: Thursday, March 31, 2005 13:47
> > To: freeradius-users@lists.freeradius.org
> > Subject: Re: Problem with ip pools
> >
> > On Thu, 31 Mar 2005, Sébastien Cantos wrote:
> >
> > > Hi,
> > >
> > > I'm using ip pools to manage my client ips from the radius side.
> > > Here's my conf:
> > > * users file :
> > > DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool"
> > >         Framed-Protocol = PPP,
> > >         Framed-MTU = 576
> > >
> > > * radiusd.conf file:
> > >         ippool main_pool {
> > >                 range-start = 192.168.52.2
> > >                 range-stop = 192.168.52.254
> > >                 netmask = 255.255.255.0
> > >                 cache-size = 800
> > >                 session-db = ${raddbdir}/db.ippool
> > >                 ip-index = ${raddbdir}/db.ipindex
> > >         }
> > >
> > > Everything is working well for some days, then my clients could not get any more ips from the radius. I've found a way to correct this by deleting the db.ip* files and restarting the radius but this is not *clean*.
> > > Is there a way to dump the content of the ippool database?
> > > I want to understand how ips are freed from the pool because I think that there's a problem when a client disconnects. It seems that ips stay in the pool as used even if the client has disconnected.
> > > Thanks in advance for your help.
> >
> > There's rlm_ippool_tool which might help you in src/modules/rlm_ippool.
> > rlm_ippool depends on accounting working ok. If it is not working then you might get into problems. The module *does* have a few more methods of finding out stale records and deleting them:
> > 1. maximum-timeout directive. You can set that to the maximum session time expected in your network (if that can be calculated) in order to make sure no ip remains active for more time than maximum-timeout.
> > 2. Each time an authentication request is performed from a nas ip/port pair which has already an ip allocated that ip is cleaned up. That means that as long as your ip pool is as large as your nas ports number it will be difficult to run out of available ip's.
> >
> > My
RE: Problem with ip pools
Hi,

The main_pool line in the accounting section of the radiusd.conf file was commented ... Maybe that was my mistake.
Ok for the rlm_ippool_tool, I'm gonna use it to see if my modification of radiusd.conf is working or not. I was not using accounting at all so I forgot about it but it seems that I will have to configure it well to get the ip_pool working.
Thanks for answering.

Best regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kostas Kalevras
> Sent: Thursday, March 31, 2005 13:47
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Problem with ip pools
>
> On Thu, 31 Mar 2005, Sébastien Cantos wrote:
>
> > Hi,
> >
> > I'm using ip pools to manage my client ips from the radius side.
> > Here's my conf:
> > * users file :
> > DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool"
> >         Framed-Protocol = PPP,
> >         Framed-MTU = 576
> >
> > * radiusd.conf file:
> >         ippool main_pool {
> >                 range-start = 192.168.52.2
> >                 range-stop = 192.168.52.254
> >                 netmask = 255.255.255.0
> >                 cache-size = 800
> >                 session-db = ${raddbdir}/db.ippool
> >                 ip-index = ${raddbdir}/db.ipindex
> >         }
> >
> > Everything is working well for some days, then my clients could not get any more ips from the radius. I've found a way to correct this by deleting the db.ip* files and restarting the radius but this is not *clean*.
> > Is there a way to dump the content of the ippool database?
> > I want to understand how ips are freed from the pool because I think that there's a problem when a client disconnects. It seems that ips stay in the pool as used even if the client has disconnected.
> > Thanks in advance for your help.
>
> There's rlm_ippool_tool which might help you in src/modules/rlm_ippool.
> rlm_ippool depends on accounting working ok. If it is not working then you might get into problems. The module *does* have a few more methods of finding out stale records and deleting them:
> 1. maximum-timeout directive. You can set that to the maximum session time expected in your network (if that can be calculated) in order to make sure no ip remains active for more time than maximum-timeout.
> 2. Each time an authentication request is performed from a nas ip/port pair which has already an ip allocated that ip is cleaned up. That means that as long as your ip pool is as large as your nas ports number it will be difficult to run out of available ip's.
>
> My suggestion is to make sure you don't run an old version of the module (older versions did have problems) and to take a closer look at how well your accounting works.
>
> > Regards,
> > --
> > Sebastien Cantos <[EMAIL PROTECTED]>
> > Network / System Manager
> > Neopost DIVA
>
> --
> Kostas Kalevras                  Network Operations Center
> [EMAIL PROTECTED]                National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow'          Gandalf
Re: Problem with ip pools
On Thu, 31 Mar 2005, Sébastien Cantos wrote:

> Hi,
>
> I'm using ip pools to manage my client ips from the radius side.
> Here's my conf:
> * users file :
> DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool"
>         Framed-Protocol = PPP,
>         Framed-MTU = 576
>
> * radiusd.conf file:
>         ippool main_pool {
>                 range-start = 192.168.52.2
>                 range-stop = 192.168.52.254
>                 netmask = 255.255.255.0
>                 cache-size = 800
>                 session-db = ${raddbdir}/db.ippool
>                 ip-index = ${raddbdir}/db.ipindex
>         }
>
> Everything is working well for some days, then my clients could not get any more ips from the radius. I've found a way to correct this by deleting the db.ip* files and restarting the radius but this is not *clean*.
> Is there a way to dump the content of the ippool database?
> I want to understand how ips are freed from the pool because I think that there's a problem when a client disconnects. It seems that ips stay in the pool as used even if the client has disconnected.
> Thanks in advance for your help.

There's rlm_ippool_tool which might help you in src/modules/rlm_ippool.
rlm_ippool depends on accounting working ok. If it is not working then you might get into problems. The module *does* have a few more methods of finding out stale records and deleting them:
1. maximum-timeout directive. You can set that to the maximum session time expected in your network (if that can be calculated) in order to make sure no ip remains active for more time than maximum-timeout.
2. Each time an authentication request is performed from a nas ip/port pair which has already an ip allocated that ip is cleaned up. That means that as long as your ip pool is as large as your nas ports number it will be difficult to run out of available ip's.

My suggestion is to make sure you don't run an old version of the module (older versions did have problems) and to take a closer look at how well your accounting works.

> Regards,
> --
> Sebastien Cantos <[EMAIL PROTECTED]>
> Network / System Manager
> Neopost DIVA

--
Kostas Kalevras                  Network Operations Center
[EMAIL PROTECTED]                National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow'          Gandalf
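To make the two stale-record rules above concrete, here is a toy model of a pool keyed on (NAS-IP-Address, NAS-Port) that reproduces the "pool runs dry when Accounting-Stop never arrives" symptom offline; this is added example code, not the thread's or rlm_ippool's own, and the class names, the simulated clock and the NAS address 192.168.10.8 reused from the thread are assumptions of the example.

```python
# Added example, not from the thread or from rlm_ippool itself: a small
# model of a pool keyed on (NAS-IP-Address, NAS-Port) with the two stale
# record rules Kostas lists, so the "pool runs dry without accounting"
# symptom can be reproduced offline. Names, the simulated clock and the
# session-length values are assumptions of this example.
import ipaddress
from dataclasses import dataclass


@dataclass
class Lease:
    ip: str
    allocated_at: int   # simulated clock, seconds


class IpPool:
    def __init__(self, range_start, range_stop, maximum_timeout=0):
        first = int(ipaddress.ip_address(range_start))
        last = int(ipaddress.ip_address(range_stop))
        self.free = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.leases = {}                          # (nas_ip, nas_port) -> Lease
        self.maximum_timeout = maximum_timeout    # 0 means "no limit"

    def _release(self, key):
        lease = self.leases.pop(key, None)
        if lease is not None:
            self.free.append(lease.ip)
        return lease is not None

    def reap(self, now):
        """Rule 1: drop leases older than maximum-timeout; returns how many."""
        if not self.maximum_timeout:
            return 0
        stale = [k for k, lease in self.leases.items()
                 if now - lease.allocated_at > self.maximum_timeout]
        for key in stale:
            self._release(key)
        return len(stale)

    def authorize(self, nas_ip, nas_port, now=0):
        """Access-Request from a NAS port. Rule 2: a lease already held by
        that port is reclaimed before a new one is handed out. Returns the
        IP, or None when the pool is exhausted."""
        self.reap(now)
        self._release((nas_ip, nas_port))
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.leases[(nas_ip, nas_port)] = Lease(ip, now)
        return ip

    def accounting_stop(self, nas_ip, nas_port):
        """Accounting-Stop is the normal way a lease is freed; returns
        False when no lease was held for that port."""
        return self._release((nas_ip, nas_port))


def simulate(pool, sessions, send_stop, nas_ports, session_len=600):
    """Run PPP sessions back to back, cycling over nas_ports ports of one
    NAS (192.168.10.8 as in the thread). Returns how many sessions got an IP."""
    granted = 0
    for i in range(sessions):
        port = 1 + i % nas_ports
        if pool.authorize("192.168.10.8", port, now=i * session_len):
            granted += 1
        if send_stop:
            pool.accounting_stop("192.168.10.8", port)
    return granted
```

With a 4-address pool and 10 NAS ports, only the ports that already hold a lease ever get an address again once Stop packets are missing, which is exactly the "pool as large as the number of NAS ports" condition from the reply; setting maximum-timeout lets the pool recover without accounting.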
Problem with ip pools
Hi,

I'm using ip pools to manage my client ips from the radius side.
Here's my conf:
* users file :
DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool"
        Framed-Protocol = PPP,
        Framed-MTU = 576

* radiusd.conf file:
        ippool main_pool {
                range-start = 192.168.52.2
                range-stop = 192.168.52.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
        }

Everything is working well for some days, then my clients could not get any more ips from the radius. I've found a way to correct this by deleting the db.ip* files and restarting the radius but this is not *clean*.
Is there a way to dump the content of the ippool database?
I want to understand how ips are freed from the pool because I think that there's a problem when a client disconnects. It seems that ips stay in the pool as used even if the client has disconnected.
Thanks in advance for your help.

Regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA
FreeRADIUS with different APs
The NAS list in the FreeRADIUS shows some typical NAS's like Cisco, Portslave etc with which the FreeRADIUS works. I was wondering if the FreeRADIUS Server only works with the NAS's listed or the type of NAS doesn't matter?

I ask this because I am having problems getting my 802.1X Supplicant re-authenticated with the Proxim Orinoco AP600. First time authentication goes on alright but subsequent attempts at "re-authentication" fail. AP keeps on sending Request-ID to the Supplicant. Supplicant replies with its ID, which the AP passes on to the FreeRADIUS Server. Server sends a challenge to the Supplicant but the AP just never passes that challenge on to the Client.

Can someone help me here?

Thanks,
Bilal
RE: Redundant Radius with Dynamic Data
> here is another suggestion:
>
> dont use ippools on radius, use it on the nacs. Then you let the radius decide which ippool to use on the nac by name.
> The bad thing is you have to care about pools on nacs, the good one is you haven't to care about pool sync.

That is an excellent suggestion, unfortunately (I should have mentioned this earlier) the sites that will require authentication to our DSL service will be geographically dispersed and yet will share the same pools, so more than one router will be involved. Radius will have to control the IP Pools (as it should).

I will start by setting up the architecture as described in my ascii diagram below (hopefully my exchange server won't convert it to html :)

            Cisco DSL Router
              .         .
              .         .
              V         V
          Radius 1    Radius 2
         (Primary)   (Secondary)
              |         |
              V         V
   Local Mysql Db 1 <- replication -> Local Mysql Db 2

Once I have got this working I will investigate how to use rlm_sqlippool to dynamically allocate IPs in SQL as previously mentioned by Alan. I think this is the right path to go down, doubtless I will have more questions as I go, your feedback is welcome.

Regards,

Christopher Howarth RHCE
Network & Systems Development Consultant
Equinox Converged Solutions
--
Equinox Converged Solutions
Tel: +44 (0)1252 405 600
http://www.equinoxsolutions.com
Equinox Converged Solutions is a trading name of Synetrix Holdings Limited.