freeradius 1.0.2 compilation: problem with libtool

2005-06-20 Thread manou
Hello all,
I am trying to compile freeradius 1.0.2-4 (debian sarge's source) and I got
the error message below:

rbtree.c:265: warning: assignment discards qualifiers from pointer
target type
rbtree.c:278: warning: assignment discards qualifiers from pointer
target type
/usr/bin/libtool --mode=link ld \
-module -static  -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
-DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith
-Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes
-Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W
-Wredundant-decls -Wundef  -D_LIBRADIUS -I../include
-DHMAC_SHA1_DATA_PROBLEMS dict.o print.o radius.o valuepair.o token.o
misc.o log.o filters.o missing.o md4.o md5.o sha1.o hmac.o hmacsha1.o
snprintf.o isaac.o crypt.o udpfromto.o rbtree.o -o libradius.a
libtool: link: unable to infer tagged configuration
libtool: link: specify a tag with `--tag'
make[5]: *** [libradius.a] Error 1

I tried to google but I could not find any issue.
I found a related post in the freeradius-users archive but it seems not
to have been answered.

So could someone tell me what to do?

my libtool's version is 1.5.6-6.

I can give other information if necessary.

Thanks in advance,

Manou.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Expiration - my experiences and a partial solution

2005-06-20 Thread Jaco van Tonder
The rlm_expiration module in the latest CVS DOES include code to set the
session-timeout and it actually works.

Jaco van Tonder
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: 20 June 2005 06:55 PM
To: FreeRadius users mailing list
Subject: Re: Expiration - my experiences and a partial solution 

"Tomas 'tt' krag" <[EMAIL PROTECTED]> wrote:
> Unfortunately as Joachim Bloche pointed out in a mail "Session-Timeout
> not set with pending Expiration" on this list, it seems that Freeradius
> does NOT set the "Session-Timeout" based on an Expiration date in the
> future. 

  That's not good.

  I've fixed the CVS head, and will take a look into doing this in 1.0.x

  Alan DeKok.


Re: FreeRADIUS 1.0.4 has been released.

2005-06-20 Thread Mario Alberto Cruz Gartner
OK! That solves the problem!
I compiled freeradius-1.0.4 successfully on a FB 4.11 machine with
the indicated diff.

Thanks a lot for the collaboration, Andrew!

On 6/20/05, Andrew Thompson <[EMAIL PROTECTED]> wrote:
> On Mon, Jun 20, 2005 at 11:22:14AM -0400, Alan DeKok wrote:
> > Andrew Thompson <[EMAIL PROTECTED]> wrote:
> > > Are you using the port because that problem has been fixed. If not then
> > > you will want the patch in:
> > >
> > > net/freeradius/files/patch-src-modules-rlm_attr_rewrite-rlm_attr_rewrite.c
> >
> >   Is it something which can get pulled into FreeRADIUS?
> >
> 
> This problem only applies to FreeBSD 4.x and not the newer releases
> (>5.0). It requires  to be included before .
> 
> --- src/modules/rlm_attr_rewrite/rlm_attr_rewrite.c.origSat Jun 18 
> 14:29:43 2005
> +++ src/modules/rlm_attr_rewrite/rlm_attr_rewrite.c Sat Jun 18 14:31:48 
> 2005
> @@ -27,6 +27,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>  #ifdef HAVE_REGEX_H
>  #  include 
>  #endif
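Review bot: the `---` and `+++` header lines of this hunk are each wrapped onto a second line, and `.orig` has run into the timestamp (`rlm_attr_rewrite.c.origSat Jun 18`), so patch will not apply the hunk as pasted. Send the diff as an attachment, or refer readers to the ports file named above (net/freeradius/files/patch-src-modules-rlm_attr_rewrite-rlm_attr_rewrite.c).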
> 
> 
> Previously this was being pulled in from libradius.h, but that was
> removed 7 weeks ago. I am happy to keep this as a local patch as it is
> only a quirk of 4.x and the port properly patches it.
> 
> 
> Andrew


Re: disconnections

2005-06-20 Thread John Fawcett
Alan DeKok wrote:
> John Fawcett <[EMAIL PROTECTED]> wrote:
> 
>>Although the connection is established it is disconnected after 4
>>minutes (sometimes 2 minutes or 6 minutes). I get entries like the
>>following repeated every four minutes in the radius.log
> 
> 
>   What's the Session-Timeout set to?
> 
> 
I have the following set in users

steve   User-Password == "testing"
        Framed-IP-Address = 192.168.1.67,
        Framed-IP-Netmask = 255.255.255.0,
        Service-Type = Framed-User,
        Session-Timeout = 7200,
        Idle-Timeout = 3600

>>I don't think the TLS_accept: error is serious.
>>I cannot explain why there are two Auth Logins one from the NAS and one
>>from localhost.
> 
> 
>   The first is the outer tunnel session, the second is the inner
> tunnel session.
> 
> 
>>Any help appreciated. I somehow get the impression that I'm probably not
>>passing back the right attributes to the NAS: for testing I'm using the
>>users file:
> 
> 
>   It should work.

Unless anyone can see something obviously wrong or knows of attributes I
should be passing back which aren't included, I'm inclined to believe
that it's a problem with the AP. I'll get in touch with the manufacturer.
Thanks for the help.

John

>   Alan DeKok.
> 


Re: rlm_sqlcounter problem

2005-06-20 Thread Carlos Martínez-Troncoso Cera

I modified the users file and now it works, user is now like:

DEFAULT Simultaneous-Use := 1
   Fall-Through = 1

cmartinez Max-Monthly-Session := 108000, Auth-Type := ldap
   Service-Type = Framed-User,
   Framed-Protocol = PPP

--

Thanks a lot to Roberto and Alan for their time and help.

Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367



Carlos Martínez-Troncoso Cera wrote:

Thanks Roberto for your answer but I did the changes in 
sqlcounter.conf and with my cisco, sqlcounter doesn't work, with 
NTRadping it works very well. I looked into the source code in 
freeradius 1.0.4 but this module is the same for 1.0.2 version (I have 
working 1.0.2)

What can I do?
Do you know how can I debug this module?

This is the message with radiusd -X -A (with Cisco):

rlm_ldap: user cmartinez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 5
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "monthlycounter" returns noop for request 5
modcall: group authorize returns ok for request 5
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf

-

with NTRadping:

rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime - GREATEST((1117602000 
- UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) + 
AcctSessionTime > '1117602000''
radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - 
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + 
AcctSessionTime > '1117602000''
sqlcounter_expand:  '%{sql:SELECT SUM(AcctSessionTime - 
GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM 
radacct WHERE UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + 
AcctSessionTime > '1117602000'}'
radius_xlat: Running registered xlat function of module sql for string 
'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - 
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + 
AcctSessionTime > '1117602000''

rlm_sql (sql): - sql_xlat
radius_xlat:  'cmartinez'
rlm_sql (sql): sql_set_user escaped user --> 'cmartinez'
radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - 
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + 
AcctSessionTime > '1117602000''

rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
radius_xlat:  '107853'
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user cmartinez, check_item=10, counter=107853
 


Thanks for your help!

Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367



Roberto Gonzalez Azevedo wrote:


sqlcounter noresetcounter {
## Look here
   driver = "rlm_sqlcounter"
   counter-name = Max-All-Session-Time
   check-name = Max-All-Session
## Look here
   check-item = Max-All-Session
   sqlmod-inst = sql
   key = User-Name
   reset = never
   query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

sqlcounter dailycounter {
   driver = "rlm_sqlcounter"
   counter-name = Daily-Session-Time
   check-name = Max-Daily-Session
## Look here
   check-item = Max-Daily-Session
   sqlmod-inst = sql
   key = User-Name
   reset = daily
   query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

sqlcounter monthlycounter {
## Look here
   driver = "rlm_sqlcounter"
   counter-name = Monthly-Session-Time
   check-name = Max-Monthly-Session
## Look here
   check-item = Max-Monthly-Session
   sqlmod-inst = sql
   key = User-Name
   reset = monthly
   query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

thanks ...
-
Roberto Gonzalez Azevedo

Carlos Martínez-Troncoso Cera wrote:


ok Roberto:
sqlcounter noresetcounter {
   counter-name =
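
Added example, not part of the original thread and not FreeRADIUS code: in the Cisco trace above the "monthlycounter" instance logs "Could not find Check item value pair" and returns noop, so that request went on to authentication with no quota applied. The Python below scans `radiusd -X` output for that case and for explicit counter rejections; the sample text is constructed from lines of the two traces, and the names audit_sqlcounter and Finding are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines taken from the two debug traces in this thread,
# with the mail client's line wrapping undone.
SAMPLE_DEBUG = '''\
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 5
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "monthlycounter" returns noop for request 5
modcall: group authorize returns ok for request 5
rlm_sqlcounter: Entering module authorize code
radius_xlat:  '107853'
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user cmartinez, check_item=10, counter=107853
'''

NO_CHECK_ITEM = "rlm_sqlcounter: Could not find Check item value pair"
MODCALL = re.compile(
    r'modcall\[authorize\]: module "([^"]+)" returns (\w+) for request (\d+)')
REJECT = re.compile(
    r'rlm_sqlcounter: Rejected user (\S+), check_item=(\d+), counter=(\d+)')


@dataclass
class Finding:
    kind: str                       # "quota-not-applied" or "quota-rejected"
    instance: Optional[str] = None  # sqlcounter instance name from radiusd.conf
    request: Optional[int] = None
    user: Optional[str] = None
    check_item: Optional[int] = None
    counter: Optional[int] = None

    def remaining(self) -> Optional[int]:
        """Seconds left on the quota (negative when it is used up)."""
        if self.check_item is None or self.counter is None:
            return None
        return self.check_item - self.counter


def audit_sqlcounter(debug_text: str) -> List[Finding]:
    """Report requests where a counter had no limit to enforce, and rejections."""
    findings: List[Finding] = []
    missing_limit = False  # set once the "no check item" line has been seen
    for raw in debug_text.splitlines():
        line = raw.strip()
        if line == NO_CHECK_ITEM:
            missing_limit = True
            continue
        m = MODCALL.search(line)
        if m and missing_limit:
            # The next modcall line names the instance and the request number.
            if m.group(2) == "noop":
                findings.append(Finding("quota-not-applied",
                                        instance=m.group(1),
                                        request=int(m.group(3))))
            missing_limit = False
            continue
        m = REJECT.search(line)
        if m:
            findings.append(Finding("quota-rejected", user=m.group(1),
                                    check_item=int(m.group(2)),
                                    counter=int(m.group(3))))
    return findings


if __name__ == "__main__":
    for f in audit_sqlcounter(SAMPLE_DEBUG):
        if f.kind == "quota-not-applied":
            print(f"request {f.request}: {f.instance} had no limit attribute, "
                  "no quota applied")
        else:
            print(f"user {f.user}: rejected, limit {f.check_item}, "
                  f"used {f.counter}, remaining {f.remaining()}")
```
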

Passing attributes from freeradius to Cisco VPN 3000

2005-06-20 Thread Scott Stursa
Is anyone using freeradius to authenticate users of a Cisco 3000 series
VPN concentrator? If so, are you successfully passing attributes (such as
"Framed-IP-Address") from freeradius to the 3000?

If so, please contact me off-list.

Thanks,

- SLS


Scott L. Stursa 850/644-2591
Network Security Analyst   [EMAIL PROTECTED]
OTI Enterprise Security Group   Florida State University

 - No good deed goes unpunished -


Re: Exec-Program-Wait: plaintext:

2005-06-20 Thread Americatel Centroamerica


--- Alan DeKok <[EMAIL PROTECTED]> wrote:

>   Put commas after the attribute values, like in the
> "users" file.
> 
>   Alan DeKok.
That did the trick, thanks Alan



 


Re: FreeRADIUS 1.0.4 has been released.

2005-06-20 Thread Andrew Thompson
On Mon, Jun 20, 2005 at 11:22:14AM -0400, Alan DeKok wrote:
> Andrew Thompson <[EMAIL PROTECTED]> wrote:
> > Are you using the port because that problem has been fixed. If not then
> > you will want the patch in:
> > 
> > net/freeradius/files/patch-src-modules-rlm_attr_rewrite-rlm_attr_rewrite.c
> 
>   Is it something which can get pulled into FreeRADIUS?
> 

This problem only applies to FreeBSD 4.x and not the newer releases
(>5.0). It requires  to be included before .

--- src/modules/rlm_attr_rewrite/rlm_attr_rewrite.c.origSat Jun 18 
14:29:43 2005
+++ src/modules/rlm_attr_rewrite/rlm_attr_rewrite.c Sat Jun 18 14:31:48 2005
@@ -27,6 +27,7 @@
 #include 
 #include 
 #include 
+#include 
 #ifdef HAVE_REGEX_H
 #  include 
 #endif
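
Review bot: the `#include` added as the fourth include line is unconditional and carries no comment, although the message says the ordering requirement exists only on FreeBSD 4.x. Add a one-line comment above it naming the header it must precede and the platform that needs it, so that a later include cleanup (like the libradius.h change mentioned below) does not drop or reorder it again.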


Previously this was being pulled in from libradius.h, but that was
removed 7 weeks ago. I am happy to keep this as a local patch as it is
only a quirk of 4.x and the port properly patches it.


Andrew


Re: Exec-Program-Wait: plaintext:

2005-06-20 Thread Alan DeKok
Americatel Centroamerica <[EMAIL PROTECTED]> wrote:
> Hi, I have two servers with different versions of
> freeradius, one with 0.9 and another with 1.0.1.
> I have an Exec-Program-Wait perl script configured to
> add some attributes to the reply, all is working
> flawlessly on the 0.9, but the same script doesn't work
> on the 1.0 server, the output items of the script don't
> appear on the reply items, this is the debug output on
> the server with 1.0

  Put commas after the attribute values, like in the "users" file.

  Alan DeKok.


Re: hints and PPTP/MPPE

2005-06-20 Thread Alan DeKok
David Batterham <[EMAIL PROTECTED]> wrote:
> Despite this, it still sends an Access-Accept (albeit with the 
> Reply-Message in the Reject).

  Huh?

> My suspicion is that MS Windows is generating MPPE keys based on the 
> username with the suffix, and freeradius is correctly authenticating 
> against the system (SMBPASSWD file) without the suffix, but generating 
> MPPE responses also without the SUFFIX, therefore windows drops the 
> connection.

  This makes no sense to me.

  Can you post the debug log on a website somewhere?

  Alan DeKok.


Re: 'authorize' module

2005-06-20 Thread Alan DeKok
Edgars Klavinskis <[EMAIL PROTECTED]> wrote:
> ok, got it. Thanks. But it is still very unclear for me how to check 
> attributes coming from rlm_passwd files in configure_items array.
> Any comments or example on this?

  The documentation?  It says EXPLICITLY how to get attributes from
the configuration items.

  Look for the word "configuration".

  I have NO idea why this is so hard.

  Alan DeKok.


Re: Adding a custom attribute

2005-06-20 Thread Alan DeKok
Radoslav Kolev <[EMAIL PROTECTED]> wrote:
> What I can figure out from the debug mode output is that my custom
> attribute is actually added to the dictionary. The error about unknown
> attribute that is reported before altering the dictionary file
> disappears.  The problem is that it is not appended in the access accept
> packet, although I have added it in the reply section/table to either
> mysql or users file with a ':=' operator.

  I have no idea why that would be happening.

  When I do the test with 1.0.4, it works for me.

  Alan DeKok.


Re: Local (system) account creation

2005-06-20 Thread Alan DeKok
Haydur <[EMAIL PROTECTED]> wrote:
> Is there a way to have remote FreeRadius only authentication on a
> Linux box, and if successful, creation of a system / local account for
> that user.

  Not really.  There's pam_radius_auth, but that's only for usernames
& passwords, as I could never figure out the PAM magic required to do
UID, etc.

  Alan DeKok.



Re: Multiple Authentication REALMS - I hope in Plain Text

2005-06-20 Thread Alan DeKok
"Shepherd, Dave" <[EMAIL PROTECTED]> wrote:
>As I've now got it working for my standard config. 

  Good.

>However, I still seem to be getting the request marked as complete
> after the authorize section:-
...
> This only occurs when I match the following in my users file:
> 
> # NexUS RAS
> DEFAULT Called-Station-Id == "", Proxy-To-Realm := "sloxldap"
> Fall-Through = No
> 
> If I match on my other statements, the user authenticates as expected.

  Do you have proxying turned off?

> I'm on version 0.9.3.

  Bleah.  You should really upgrade.

  Alan DeKok.


Re: How to use different ldap-modules?

2005-06-20 Thread Alan DeKok
Florian Prester <[EMAIL PROTECTED]> wrote:
> I configured 2 ldap modules, one using a clear-text password for 
> PEAP-TLS with MS-CHAPv2 or only CHAP authentication,
> and one retrieving a Crypt-Password for using PAP-Authentication.

  Why?  Just use the clear-text password to do all of the
authentication.  You're making work for yourself without any gain.

> group {
...

  You're listing EAP in that group.  DON'T.

> But it only takes the first entry, and if I switch the order of ldap-PAP 
> and ldap-PEAP, so it should take ldap-PAP, therefore retrieve an 
> Crypt-Password from the ldap-PAP-section it wants to use ldap for 
> authentication!?!?!?

  Yes.

> What am I doing wrong?

  You've made massive changes to the configuration files.

  Stop using two LDAP instances.  You don't need them.  Use the
default configuration, with one LDAP module in the places shown by the
default configuration.  It WILL work.

  Alan DeKok.



Re: disconnections

2005-06-20 Thread Alan DeKok
John Fawcett <[EMAIL PROTECTED]> wrote:
> Although the connection is established it is disconnected after 4
> minutes (sometimes 2 minutes or 6 minutes). I get entries like the
> following repeated every four minutes in the radius.log

  What's the Session-Timeout set to?

> I don't think the TLS_accept: error is serious.
> I cannot explain why there are two Auth Logins one from the NAS and one
> from localhost.

  The first is the outer tunnel session, the second is the inner
tunnel session.

> Any help appreciated. I somehow get the impression that I'm probably not
> passing back the right attributes to the NAS: for testing I'm using the
> users file:

  It should work.

  Alan DeKok.



Re: radiusd sending output to stdout without -X flag

2005-06-20 Thread Dinko Korunic
On Mon, Jun 20, 2005 at 09:09:42AM -0400, Ken Tyler wrote:
> works fine. I have a question, the server is logging to stdout no matter
> what I do. I am not running with -X flag. Any ideas? I have config setup
> to log to syslog, tried file also, no luck.

I believe that my recent post [Message-ID:
<[EMAIL PROTECTED]>] refers to your question.

-- 
NAME:Dinko.kreator.Korunic   NOTE:Standard.disclaimer.applies
URL:kreator.esa.fer.hr  IRC:kre  ICQ:16965294  PGP:0xea160d0b


Re: Expiration - my experiences and a partial solution

2005-06-20 Thread Alan DeKok
"Tomas 'tt' krag" <[EMAIL PROTECTED]> wrote:
> Unfortunately as Joachim Bloche pointed out in a mail "Session-Timeout
> not set with pending Expiration" on this list, it seems that Freeradius
> does NOT set the "Session-Timeout" based on an Expiration date in the
> future. 

  That's not good.

  I've fixed the CVS head, and will take a look into doing this in 1.0.x

  Alan DeKok.


PAM_RADIUS_AUTH.so refuses to work on some machines

2005-06-20 Thread Christiaan Ehlers

Hi

I have installed pam_radius_auth to work on Redhat 7.3 and it seems to
work fine.  I then installed (compiled) it on a Redhat 9 box and it
seems to be behaving quite strangely.

My pam.d/sshd file looks like this

#%PAM-1.0
auth       sufficient   pam_radius_auth.so debug
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    sufficient   pam_radius_auth.so debug
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

The session (accounting) part of pam_radius_auth seems to work fine.
I can see packets going to the radius server when I do a tcpdump on the
client machine.  This only works when I hash out the first line
"auth  sufficient   pam_radius_auth.so debug".

When the first line is not hashed the authentication kicks in and
nothing happens when I enter a username and password.  I set tcpdump to
sniff for all packets going to the radius server but there is nothing.

My logs look like this.

Jun 20 17:12:01 finpapp01 sshd[6881]: pam_radius_auth: Got user name root
Jun 20 17:12:23 finpapp01 sshd[6887]: pam_radius_auth: Got user name test
Jun 20 17:14:00 finpapp01 sshd[7161]: pam_radius_auth: Got user name test
Jun 20 17:18:14 finpapp01 sshd[7673]: Failed password for test from 172.31.1.101 port 2276
Jun 20 17:18:45 finpapp01 sshd[7780]: Accepted password for root from 172.31.1.101 port 2277
Jun 20 17:18:45 finpapp01 sshd[7780]: pam_radius_auth: DEBUG: getservbyname(radacct, udp) returned 1108551052.
Jun 20 17:18:48 finpapp01 sshd[7780]: pam_radius_auth: RADIUS server 172.31.10.1 failed to respond
Jun 20 17:18:48 finpapp01 sshd[7780]: pam_radius_auth: All RADIUS servers failed to respond.
Jun 20 17:22:26 finpapp01 sshd[8216]: pam_radius_auth: Got user name test
Jun 20 17:24:50 finpapp01 sshd[8541]: pam_radius_auth: Got user name root
Jun 20 17:28:40 finpapp01 sshd[8978]: Accepted password for root from 172.31.1.120 port 1916 ssh2

When I try and log into the box, the only info that pam_radius_auth
gives to the log is the "Got user name " message.

What would the right syntax be for a strace command to trace this?

So far I have recompiled, copied the bin from other machines, but
nothing seems to work.

Kind Regards

Christiaan Ehlers


Re: 'authorize' module

2005-06-20 Thread Edgars Klavinskis
ok, got it. Thanks. But it is still very unclear for me how to check 
attributes coming from rlm_passwd files in configure_items array.

Any comments or example on this?

Edgars

Alan DeKok wrote:

Edgars Klavinskis <[EMAIL PROTECTED]> wrote:

any doc on rlm_policy?

 Have you tried the "man" page?

 Alan DeKok.


Re: Adding a custom attribute

2005-06-20 Thread Radoslav Kolev
On Sun, 2005-06-19 at 17:55 -0400, Alan DeKok wrote:
> Radoslav Kolev <[EMAIL PROTECTED]> wrote:
> > I've tried it, with the same effect.  Adding other reply attributes work,
> > but just the new one I defined in the dictionary file doesn't.
> > 
> > Any ideas?
> 
>   Not really.  There's nothing magic about the dictionaries.  Adding
> attributes should work, and does for the tests I've run.
> 
What I can figure out from the debug mode output is that my custom
attribute is actually added to the dictionary. The error about unknown
attribute that is reported before altering the dictionary file
disappears.  The problem is that it is not appended in the access accept
packet, although I have added it in the reply section/table to either
mysql or users file with a ':=' operator.

If that's relevant, I'm using a default Fedora Core 3 install and
freeradius is from the Fedora RPMs.

Regards,
RAdo



Re: rlm_sqlcounter problem

2005-06-20 Thread Carlos Martínez-Troncoso Cera

Thanks Roberto for your answer but
I did the changes in sqlcounter.conf and with my cisco, sqlcounter
doesn't work, with NTRadping it works very well. I looked into the
source code in freeradius 1.0.4 but this module is the same for 1.0.2
version (I have working 1.0.2)
What can I do?
Do you know how can I debug this module?

This is the message with radiusd -X -A (with Cisco):

rlm_ldap: user cmartinez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 5
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "monthlycounter" returns noop for request 5
modcall: group authorize returns ok for request 5
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf

-

with NTRadping:

rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime - GREATEST((1117602000
- UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime > '1117602000''
radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((1117602000 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime > '1117602000''
sqlcounter_expand:  '%{sql:SELECT SUM(AcctSessionTime -
GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct
WHERE UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime > '1117602000'}'
radius_xlat: Running registered xlat function of module sql for string
'SELECT SUM(AcctSessionTime - GREATEST((1117602000 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime > '1117602000''
rlm_sql (sql): - sql_xlat
radius_xlat:  'cmartinez'
rlm_sql (sql): sql_set_user escaped user --> 'cmartinez'
radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((1117602000 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime > '1117602000''
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
radius_xlat:  '107853'
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user cmartinez, check_item=10,
counter=107853
 

Thanks for your help!

Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367


Roberto Gonzalez Azevedo wrote:

sqlcounter noresetcounter {
## Look here
   driver = "rlm_sqlcounter"
   counter-name = Max-All-Session-Time
   check-name = Max-All-Session
## Look here
   check-item = Max-All-Session
   sqlmod-inst = sql
   key = User-Name
   reset = never
   query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

sqlcounter dailycounter {
   driver = "rlm_sqlcounter"
   counter-name = Daily-Session-Time
   check-name = Max-Daily-Session
## Look here
   check-item = Max-Daily-Session
   sqlmod-inst = sql
   key = User-Name
   reset = daily
   query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

sqlcounter monthlycounter {
## Look here
   driver = "rlm_sqlcounter"
   counter-name = Monthly-Session-Time
   check-name = Max-Monthly-Session
## Look here
   check-item = Max-Monthly-Session
   sqlmod-inst = sql
   key = User-Name
   reset = monthly
   query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

thanks ...
-
Roberto Gonzalez Azevedo

Carlos Martínez-Troncoso Cera wrote:

ok Roberto:

sqlcounter noresetcounter {
   counter-name = Max-All-Session-Time
   check-name = Max-All-Session
   sqlmod-inst = sql
   key = User-Name
   reset = never
   query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

sqlcounter dailycounter {
   driver = "rlm_sqlcounter"
   count

Re: FreeRADIUS 1.0.4 has been released.

2005-06-20 Thread Alan DeKok
Andrew Thompson <[EMAIL PROTECTED]> wrote:
> Are you using the port because that problem has been fixed. If not then
> you will want the patch in:
> 
> net/freeradius/files/patch-src-modules-rlm_attr_rewrite-rlm_attr_rewrite.c

  Is it something which can get pulled into FreeRADIUS?

  Alan DeKok.


Re: 'authorize' module

2005-06-20 Thread Alan DeKok
Edgars Klavinskis <[EMAIL PROTECTED]> wrote:
> any doc on rlm_policy?

  Have you tried the "man" page?

  Alan DeKok.


Re: How to solve alive user who actually has logged off

2005-06-20 Thread Mark Elkins
On Mon, 2005-06-20 at 18:54 +0800, ??? wrote:
> Hello everybody,
> 
> I am using freeradius-1.0.4.
> 
> In my situation, user "testuser" from domain "domain" logged from NAS 
> 192.168.1.68, 
> 
> After a while, user "testuser" logged out, but the NAS did not send Account-Stop 
> packet (for some reason) and freeradius still 
> 
> thought that user "testuser" is alive, but actually user "testuser" has 
> logged off.
> 
> I have set the Simulate-Use to 1 and now "testuser" can not log in any more 
> from anywhere.
> 
> I use radwho and it output as follows:

Rather than just telling you to read the Documentation...I had a problem
with this and feel the documentation could do with some refinement.

First: Look at:- /usr/src/freeradius-1.0.4/doc/Simultaneous-Use

With flat files:

logged-in users are in the 'radutmp' file (something
like /usr/local/var/log/radius/radutmp). 'radwho' prints the file.
If 'checkrad' is set up to run, it should 'snmp' (or however it's been
told to run) the NAS where the user was last seen - and if the NAS says
the user is no longer there, clear the radutmp entry and allow login.

With MySQL (which I use):

logged-in users are determined by SQL asking the accounting table for
the user where the 'stoptime' is Zero (ie - no stop record received).
The SQL looks like:
"SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}'
AND AcctStopTime = 0"
If 'checkrad' is programmed to run, it runs the SQL:
"SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId,
FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1}
WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
...
which gives it the NAS to go and ask.

Whether you use radutmp or SQL for checking Simultaneous-Use is also
determined by the setting for 'session' in 'radiusd.conf'. Mine looks
like:
session {
#       radutmp    <-- commented out.
        sql
}


-- 
  .  . ___. .__  Posix Systems - Sth Africa.  e.164 VOIP ready
 /| /|   / /__   [EMAIL PROTECTED]  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
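
Added example, not from the original post and not FreeRADIUS code: the SQL-backed Simultaneous-Use check described above, in Python with an in-memory SQLite table standing in for MySQL, applied to the stuck "testuser" session from the question. The table contents, the nas_has_session callback (standing in for checkrad), the step that stamps AcctStopTime on a stale row and the choice to treat an unreachable NAS as "still logged in" are assumptions of the example.

```python
import sqlite3
from typing import Callable, List, Tuple

SCHEMA = """
CREATE TABLE radacct (
    RadAcctId     INTEGER PRIMARY KEY,
    AcctSessionId TEXT,
    UserName      TEXT,
    NASIPAddress  TEXT,
    NASPortId     TEXT,
    AcctStartTime INTEGER,
    AcctStopTime  INTEGER DEFAULT 0   -- 0 means no Stop record was received
)"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: one session whose Stop packet never arrived."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, NASPortId,"
        " AcctStartTime) VALUES (?, ?, ?, ?, ?)",
        ("0000A1B2", "testuser", "192.168.1.68", "7", 1119260000))
    db.commit()
    return db


def count_only_allows(db: sqlite3.Connection, user: str, limit: int) -> bool:
    """The bare COUNT(*) check: every open row counts as a live login."""
    (n,) = db.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = 0",
        (user,)).fetchone()
    return n < limit


def check_simultaneous_use(
        db: sqlite3.Connection, user: str, limit: int,
        nas_has_session: Callable[[str, str, str, str], bool],
        now: int) -> Tuple[bool, int, List[int]]:
    """Return (allowed, live_sessions, ids_of_rows_closed_as_stale)."""
    rows = db.execute(
        "SELECT RadAcctId, AcctSessionId, NASIPAddress, NASPortId "
        "FROM radacct WHERE UserName = ? AND AcctStopTime = 0",
        (user,)).fetchall()
    if len(rows) < limit:
        return True, len(rows), []          # under the limit, no need to ask
    live, zapped = 0, []
    for rad_id, session_id, nas_ip, nas_port in rows:
        try:
            present = nas_has_session(nas_ip, nas_port, user, session_id)
        except OSError:
            present = True                  # NAS unreachable: keep the record
        if present:
            live += 1
        else:
            # The NAS says the user is gone: close the orphaned record.
            db.execute("UPDATE radacct SET AcctStopTime = ? WHERE RadAcctId = ?",
                       (now, rad_id))
            zapped.append(rad_id)
    db.commit()
    return live < limit, live, zapped


if __name__ == "__main__":
    db = build_sample_db()
    print("count only :", count_only_allows(db, "testuser", 1))
    gone = lambda nas, port, user, sid: False   # NAS reports no such session
    print("with probe :", check_simultaneous_use(db, "testuser", 1, gone,
                                                 now=1119268800))
```
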



Reid Canavan/FortErie is on Vacation

2005-06-20 Thread Reid Canavan

I will be out of the office starting Mon 06/20/2005 and will not return
until Mon 06/27/2005.

I will respond to your message when I return.



Local (system) account creation

2005-06-20 Thread Haydur
Hi there,

Is there a way to have remote FreeRadius only authentication on a
Linux box, and if successful, creation of a system / local account for
that user.

Thanks,
Neod



Re: Problem with LDAP group searches

2005-06-20 Thread Dustin Doris
> >> rlm_ldap: Entering ldap_groupcmp()
> >> radius_xlat:  'ou=mem users,dc=mem-ins,dc=com'
> >> radius_xlat:  '(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com)))'
> >> rlm_ldap: ldap_get_conn: Checking Id: 0
> >> rlm_ldap: ldap_get_conn: Got Id: 0
> >> rlm_ldap: performing search in ou=mem users,dc=mem-ins,dc=com, with filter (&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com
> >> rlm_ldap: object not found or got ambiguous search result
> >> rlm_ldap: ldap_release_conn: Release Id: 0
> >> rlm_ldap::ldap_groupcmp: Group MEMVPNFlex not found or user is not a member.
> >> users: Matched DEFAULT at 166
> >
> >The user was not found in that group, based on the lookup above.
>
> The user is a member of the MEMVPNFlex group in AD
>

Above is what your ldapsearch looks like and it didn't find the user in
that group.  You need to modify the group search syntax to the point where
it will find your user in the group.  Or if the user you are binding with
doesn't have read access on the groups, you need to assign it to that
user.

For example, if you were using ldapsearch from the command line, how would
you search for group members?  Does running that search above from the
command line, binding with the same user, find the user in the group?

I don't have access to an AD directory right now to get a view into their
ldap implementation and see what groups look like.  But you should view
the AD directory with some kind of ldap viewer and take a look at the
groups.  Perhaps the objectclass is wrong and AD doesn't use GroupOfNames?
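
The objectClass question raised above can be checked offline. The following is an added example, not part of the original post: it evaluates the group filter from the debug log against two constructed group entries that differ only in objectClass. The entry contents and `ALT_FILTER` are assumptions (Active Directory normally stores groups with objectClass `group`; verify against your own directory).

```python
# Added example: evaluates filters built only from (&...), (|...), (attr=value).
USER_DN = "CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com"
# Membership filter as radius_xlat expanded it in the debug log.
MEMBER_FILTER = ("(|(&(objectClass=GroupOfNames)(member=" + USER_DN + "))"
                 "(&(objectClass=GroupOfUniqueNames)(uniquemember=" + USER_DN + ")))")
# The log cuts the search filter short; rebuilt here from its visible prefix.
SEARCH_FILTER = "(&(cn=MEMVPNFlex)" + MEMBER_FILTER + ")"
# Hypothetical alternative for a directory whose groups carry objectClass "group".
ALT_FILTER = "(&(cn=MEMVPNFlex)(&(objectClass=group)(member=" + USER_DN + ")))"

def parse(s, i=0):
    """Parse the parenthesised filter starting at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """entry maps lower-case attribute names to value lists; compared case-insensitively."""
    if node[0] == "&":
        return all(matches(kid, entry) for kid in node[1])
    if node[0] == "|":
        return any(matches(kid, entry) for kid in node[1])
    _, attr, value = node
    return value in [v.lower() for v in entry.get(attr, [])]

def group_found(entry, flt=SEARCH_FILTER):
    node, end = parse(flt)
    if end != len(flt):
        raise ValueError("trailing data after filter")
    return matches(node, entry)

# Constructed entries: same cn and member value, different objectClass.
AD_STYLE = {"cn": ["MEMVPNFlex"], "objectclass": ["top", "group"], "member": [USER_DN]}
RFC_STYLE = {"cn": ["MEMVPNFlex"], "objectclass": ["top", "groupOfNames"], "member": [USER_DN]}

if __name__ == "__main__":
    for name, entry in (("AD-style", AD_STYLE), ("groupOfNames", RFC_STYLE)):
        print(name, group_found(entry), group_found(entry, ALT_FILTER))
```

With these entries the logged filter misses the AD-style group even though the user is listed in `member`, which is the "object not found" result in the log.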


Re: (no subject)

2005-06-20 Thread Dustin Doris
On Fri, 17 Jun 2005, Graham, Robert wrote:

> Dustin,
>
> Thanks for the response.  I was kind of wondering if the location of the
> group in Active Directory was an issue.  But that brings up another
> question.  Doesn't a ldapsearch use the basedn as a starting point?  For
> instance, I have the basedn set as follows in radiusd.conf:
>
> basedn = "ou=mem users,dc=mem-ins,dc=com"
>
> And the structure of our AD is:
>
> MEM-INS.COM
> |
> |
> |_MEM Users
>   |
>   |
>   |
>   |

Where are the groups at?  Are they under ou=mem users?  If so, you are
correct, you should be able to find it in your search.

>
>
> And why is it that it can find the user "rgraham" but not the group.
>

Either the ldap search query you have setup in radiusd.conf is incorrect,
or perhaps the user you are binding with doesn't have permissions to
search the groups?

Can you post an example of what a group member would look like in AD?



radiusd sending output to stdout without -X flag

2005-06-20 Thread Ken Tyler
Hi all,

I have downloaded, compiled, configured the latest CVS
snapshot and it works fine. I have a question, the server is logging to stdout
no matter what I do. I am not running with -X flag. Any ideas? I have
config setup to log to syslog, tried file also, no luck.

Ken


RE: Multiple Authentication REALMS - I hope in Plain Text

2005-06-20 Thread Shepherd, Dave
Alan,

   Thanks for the advice;

"As always, start with the default configuration: it works"

   As I've now got it working for my standard config. 

   However, I still seem to be getting the request marked as complete
after the authorize section:-

Thread 1 handling request 0, (1 handled so far)
Waking up in 5 seconds...
User-Name = "unextest20"
User-Password = "*"
Called-Station-Id = "**"
rad_lowerpair:  User-Name now 'unextest20'
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched DEFAULT at 21
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  'unextest20'
rlm_sql (sql): sql_set_user escaped user --> 'unextest20'
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op ??FROM radcheck
??WHERE Username = 'unextest20' ??ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 9
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
??FROM radcheck ??WHERE Username = 'unextest20' ??ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT radgroupcheck.id, radgroupcheck.GroupName,
??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM
radgroupcheck, usergroup ??WHERE usergroup.Username = 'unextest20' AND
usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY
radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id,
radgroupcheck.GroupName, ??radgroupcheck.Attribute,
radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup
??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName =
radgroupcheck.GroupName ??ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op ??FROM radreply
??WHERE Username = 'unextest20' ??ORDER BY id'
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
??FROM radreply ??WHERE Username = 'unextest20' ??ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT radgroupreply.id, radgroupreply.GroupName,
radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM
radgroupreply,usergroup ??WHERE usergroup.Username = 'unextest20' AND
usergroup.GroupName = radgroupreply.GroupName ??ORDER BY
radgroupreply.id'
rlm_sql_postgresql: query: SELECT radgroupreply.id,
radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value,
radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE
usergroup.Username = 'unextest20' AND usergroup.GroupName =
radgroupreply.GroupName ??ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): Released sql socket id: 9
  modcall[authorize]: module "sql" returns ok for request 0
modcall: group authorize returns ok for request 0
Finished request 0

This only occurs when I match the following in my users file:

# NexUS RAS
DEFAULT Called-Station-Id == "", Proxy-To-Realm := "sloxldap"
Fall-Through = No

If I match on my other statements, the user authenticates as expected.

Any thoughts as to why this might be happening?

I'm on version 0.9.3.

TIA

Dave Shepherd

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: 14 June 2005 18:33
> To: FreeRadius users mailing list
> Subject: Re: Multiple Authentication REALMS - I hope in Plain Text
> 
> "Shepherd, Dave" <[EMAIL PROTECTED]> wrote:
> > realm SPECIAL {
> > type= radius
> > authhost= LOCAL
> > accthost= LOCAL
> > }
> 
>   In the latest versions, this is realm "LOCAL", but that doesn't make
> too much difference.
> 
> > Auth-Type {
> > mschap
> > }
> 
>   Are you sure?  How about "Auth-Type mschap {" ...
> 
> > modcall: group authorize returns updated for request 14
> > Finished request 14
> 
>   Hmm... something is marking the request as done, without calling the
> "authenticate" section.  I have no idea why, and I don't recall ever
> seeing anything like that.
> 
> > If one of you guys has had to do something similar, or can see any
> > glaring omissions in my config (which I seem to think there is) could
> > you please point me in the right direction.
> 
>   As always, start with the default configuration: it works.
> 
>   Then, gradually add your edits, testing after every edit, to be sure
> that it still works.  Once you're done, you should have your local
> configuration, and it should still work.
> 
>   Alan DeKok.


Re: How to solve alive user who actually has loged off

2005-06-20 Thread Paul Hampson
On Mon, Jun 20, 2005 at 06:54:45PM +0800, ??? wrote:
> I want to do something to make freeradius to believe that user
> "testuser" is not alive, but do not know how to do. Is there a way to
> solve the problem?

Have a look at Simultaneous-Use in the docs directory.


-- 
Paul "TBBle" Hampson, on an alternate email client.


How to use different ldap-modules?

2005-06-20 Thread Florian Prester

Hi

I configured 2 ldap modules, one using a clear-text password for 
PEAP-TLS with MS-CHAPv2 or only CHAP authentication,

and one retrieving a Crypt-Password for using PAP-Authentication.

radiusd.conf:
ldap ldap-PEAP {
   server = "ip"
   port = 400
   identity = "cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE"
   password = xx
   basedn = "ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE"
   filter = "(Userid=%{Stripped-User-Name:-%{User-Name}})"
   start_tls = no
   access_attr = "uid"
   #The mapping-file for PEAP: -> retrieves the cleartext-Password
   dictionary_mapping = ${raddbdir}/ldap.attrmap

   ldap_connections_number = 5
   password_attribute = "User-Password"
   timeout = 24
   timelimit = 23
   net_timeout = 1
   ldap_debug = 5
}
ldap ldap-PAP {
   server = "ip"
   port = 400
   identity = "cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE"
   password = 
   basedn = "ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE"
   filter = "(Userid=%{Stripped-User-Name:-%{User-Name}})"
   access_attr = "uid"
   #The mapping-file for PAP: -> retrieves the User-Password
   dictionary_mapping = ${raddbdir}/ldap.attrmap.pap

   ldap_connections_number = 5
   password_attribute = "User-Password"
   timeout = 24
   timelimit = 23
   net_timeout = 1
   ldap_debug = 5
}

In the authorize-section I have added "group", as told in 
configurable_failover:

authorize {
   preprocess
   suffix
   chap
   mschap
   group {
      ldap-PAP {  #first try ldap-PAP, only return if it succeeds
         notfound = 1
         noop = 2
         updated = 3
         fail = 4
         reject = 5
         userlock = 6
         invalid = 7
         handled = 8
         ok = return
      }
      ldap-PEAP {  #then ldap-PEAP
         notfound = 1
         noop = 2
         updated = 3
         fail = 4
         reject = 5
         userlock = 6
         invalid = 7
         handled = 8
         ok = return
      }
      eap {  #then EAP
         notfound = 1
         noop = 2
         updated = 3
         fail = 4
         reject = 5
         userlock = 6
         invalid = 7
         handled = 8
         ok = return
      }
      files {  #then files
         notfound = 1
         noop = 2
         updated = 3
         fail = 4
         reject = 5
         userlock = 6
         invalid = 7
         handled = 8
         ok = return
      }
   }
}

But it only takes the first entry, and if I switch the order of ldap-PAP 
and ldap-PEAP, so it should take ldap-PAP, therefore retrieve a 
Crypt-Password from the ldap-PAP-section it wants to use ldap for 
authentication!?!?!?

What am I doing wrong?

Thanks in advance
Flo


--
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany

Tel.: +499131 8527813
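
The group block posted above can be traced by hand. The following is an added example, not part of the original post and not FreeRADIUS code: a small model of the action and priority rules from the configurable_failover document the post cites, run over the posted module order. The module return codes in `RESULTS` and the `with_ok_priority` variation are assumptions made for illustration.

```python
# Added example, not FreeRADIUS source: a model of how a group { } block combines
# module results. Each return code maps to "return" (stop at once), "reject",
# or a numeric priority (the highest priority seen wins).
POSTED = {"notfound": 1, "noop": 2, "updated": 3, "fail": 4, "reject": 5,
          "userlock": 6, "invalid": 7, "handled": 8, "ok": "return"}

def run_group(modules, results):
    """modules: ordered (name, actions) pairs; results: name -> code it returns.
    Returns (group result, names of the modules that actually ran)."""
    best_code, best_prio, ran = None, 0, []
    for name, actions in modules:
        code = results[name]
        ran.append(name)
        action = actions[code]
        if action == "return":      # stop here, later modules never run
            return code, ran
        if action == "reject":
            return "reject", ran
        if action >= best_prio:     # remember the highest-priority result so far
            best_code, best_prio = code, action
    return best_code, ran

# Constructed return codes (assumption): both LDAP instances find the user.
RESULTS = {"ldap-PAP": "ok", "ldap-PEAP": "ok", "eap": "noop", "files": "notfound"}

def as_posted(order):
    """Run the group with the per-module actions exactly as posted."""
    return run_group([(name, POSTED) for name in order], RESULTS)

def with_ok_priority(order, prio=9):
    """Hypothetical variation: 'ok' becomes a priority for the LDAP instances."""
    ldap = dict(POSTED, ok=prio)
    mods = [(n, ldap if n.startswith("ldap-") else POSTED) for n in order]
    return run_group(mods, RESULTS)

if __name__ == "__main__":
    order = ["ldap-PAP", "ldap-PEAP", "eap", "files"]
    print(as_posted(order))
    print(as_posted(["ldap-PEAP", "ldap-PAP", "eap", "files"]))
    print(with_ok_priority(order))
```

Under these assumptions `ok = return` on the first LDAP instance ends the group before the second instance is consulted, so whichever instance is listed first decides which password attribute is retrieved.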



How to solve alive user who actually has loged off

2005-06-20 Thread ???
Hello everybody,

I am using freeradius-1.0.4.

In my situation, user "testuser" from domain "domain" logged in from NAS
192.168.1.68.

After a while, user "testuser" logged out, but the NAS did not send an
Account-Stop packet (for some reason) and freeradius still thought that
user "testuser" is alive, but actually user "testuser" has logged off.

I have set the Simulate-Use to 1 and now "testuser" cannot log in any more
from anywhere.

I use radwho and it output as follows:

# ./radwho -R
User-Name = "[EMAIL PROTECTED]"
Acct-Session-Id = "02022911"
NAS-IP-Address = 192.168.1.68
NAS-Port = 98335
Service-type = Login-User
Framed-IP-Address = 0.0.0.0
Acct-Session-Time = 4112
Calling-Station-Id = "00d0-5926-e3fb"

I want to do something to make freeradius to believe that user "testuser" is 
not alive, but do not know how to do. Is there a way to solve the problem?
Thanks!



Re: 'authorize' module

2005-06-20 Thread Edgars Klavinskis

any doc on rlm_policy?

Edgars

Alan DeKok wrote:

> Edgars Klavinskis <[EMAIL PROTECTED]> wrote:
> > it is not required for me to check this in authenticate section, I just
> > thought it is the only place where I could check these passwd attributes.
> > Can you please tell me how to check them in authorize section assuming
> > that they are added to config_items?
>
>  In the CVS head, rlm_policy.  In 1.0.x, you can't.
>
>  You also can't check them in the authenticate section in 1.0.x.
> It's a rare enough request that the server doesn't do it.
>
>  Alan DeKok.


Current CVS logging issue

2005-06-20 Thread Dinko Korunic
Hi. I believe that it might be a bug in current CVS. I've encountered an
issue where FreeRADIUS logs neither into files nor into syslog, no
matter what the configuration says [always dumps on stdout/stderr]. I've
tried to track down the cause, and it might be this:

arwen:~/work/cvs/radiusd-cvs/src/main# cvs diff -u mainconfig.c
Index: mainconfig.c
===
RCS file: /source/radiusd/src/main/mainconfig.c,v
retrieving revision 1.63
diff -u -r1.63 mainconfig.c
--- mainconfig.c26 May 2005 21:26:29 -  1.63
+++ mainconfig.c20 Jun 2005 09:17:45 -
@@ -945,8 +945,8 @@
 *
 *  This really is a hack, but it works...
 */
-   if ((debug_flag < 2) &&
-   (mainconfig.radlog_dest != RADLOG_STDOUT)) {
+   if (debug_flag < 2)
+   {
mainconfig.radlog_dest = lrad_str2int(str2dest, radlog_dest, 
RADLOG_NULL);
if (mainconfig.radlog_dest == RADLOG_NULL) {
fprintf(stderr, "radiusd: Error: Unknown 
log_destination %s\n",
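Review bot: Dropping the `mainconfig.radlog_dest != RADLOG_STDOUT` test from the condition means the assignment on the following line now overwrites `mainconfig.radlog_dest` with the parsed `log_destination` string whenever `debug_flag < 2`, so a destination that was deliberately set to RADLOG_STDOUT before this point would be replaced without notice. If that case has to survive, record it in a separate flag and test the flag here instead of the field being assigned; if nothing sets the field earlier, say so in the comment above the condition, which still reads "This really is a hack, but it works..." and no longer explains what is being guarded. On style, the other `if` in this hunk keeps its brace on the same line (`if (mainconfig.radlog_dest == RADLOG_NULL) {`), so the new line should read `if (debug_flag < 2) {`.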

I believe that mainconfig.radlog_dest doesn't get initialised, since local
radlog_dest is used:

static char *radlog_dest = NULL;

as well as:

{ "log_destination", PW_TYPE_STRING_PTR, -1, &radlog_dest, "files" },

That would mean that (mainconfig.radlog_dest != RADLOG_STDOUT) is
obviously a bogus check, since it should check radlog_dest, rather than
mainconfig.radlog_dest.

-- 
NAME:Dinko.kreator.Korunic   NOTE:Standard.disclaimer.applies
URL:kreator.esa.fer.hr  IRC:kre  ICQ:16965294  PGP:0xea160d0b


Re: FreeRADIUS 1.0.4 has been released.

2005-06-20 Thread Rohaizam Abu Bakar

not using ports...  I'll try the patch.. thanks..

--haizam

- Original Message - 
From: "Andrew Thompson" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Monday, June 20, 2005 11:30
Subject: Re: FreeRADIUS 1.0.4 has been released.

> On Mon, Jun 20, 2005 at 11:20:19AM +0800, Rohaizam Abu Bakar wrote:
> > What is the function of rlm_attr_rewrite?? Because I'm having the same
> > problem compiling 1.0.3/1.0.4 on my FB 4.11 machine..
>
> Are you using the port because that problem has been fixed. If not then
> you will want the patch in:
>
> net/freeradius/files/patch-src-modules-rlm_attr_rewrite-rlm_attr_rewrite.c
>
> Andrew