Re: Question on sql.conf - accounting_start_query - accounting_start_query_alt
Hello, I thought a second time about it and i guess it is an performance related decision, because it is most likely that no entry exits. / to prevent duplicate entries in the radacct table, shouldn't the // accounting_start_query be the UPDATE query and the / How are you going to UPDATE an entry that doesn't exist? Alan DeKok. As I understand the behavior of rlm_sql the update of a non existing entry will fail and the alternate accounting_start_query_alt(with insert) will be transmitted to sql-server. This is the case if a Start Record is missing for an incomming Stop-record for instance. But as i said above the benefit of non duplicate entries vs. performance would not be worth it, right. So now for me remains in which case won't an Insert work but the alternate Update, or what for is accounting_start_query_alt. Another question a little bit of another topic. In may you wrote, that the functions of radsqlrelay will be an integral part of an next freeradius version. You talked about a few weeks here radius server and sql server http://lists.freeradius.org/pipermail/freeradius-users/2005-May/043936.html. Ok it belongs to cvs head. Could you tell me the stand of development or where i can find the information? Sorry for my mistake on the meaning of string in RFC 2865 in articel Difference between dictionary and RFC 2865 for Attribute Class http://lists.freeradius.org/pipermail/freeradius-users/2005-July/045566.html. It was related to the wish of informational use of the Class Attribute. Thank you Andreas Andreas Engler wrote: Hello, to prevent duplicate entries in the radacct table, shouldn't the accounting_start_query be the UPDATE query and the accounting_start_query_alt be the INSERT into query as it is the case on stop and update. In which case would the accounting_start_query fail and the accounting_start_query_alt work? Could someone point me in the right direction? I know, that freeradius manages handled retransmitted Acct-Requests, so duplicate entries only would show up if at some point it wouldn't remember. I don't know if this is impossible. Thank you. Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Tunnel-Password fails proxy: tunnel password is too long for the attribute
I though you said that the backend server sent the attribute? How do you comment it out? i prevent the backend server from sending this particular Tunnel-Password attribute. t - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Different Passwd Files on Different Servers
On 7/22/05, Alan DeKok [EMAIL PROTECTED] wrote: Bryan Beronilla [EMAIL PROTECTED] wrote: # Added by Barok for alternate password passwd virtual_passwd { filename = /home/virtual/domain.com/etc/passwd format = *User-Name::LM-Password authtype = MS-CHAP ... DEFAULT Realm == domain.com Autz-Type := virtual_passwd, Auth-Type := unix, I'll echo the previous response that this format is wrong. But there's another problem, too. You've set Auth-Type TWICE. Once via the passwd module, to MS-CHAP, and once via the users file to unix. Now, unless your unix is very different than every other one I've seen, it won't know what to do with the LM-Password read from /home/virtual/domain.com/etc/passwd, and it won't know what to do with any MS-CHAP request. Don't set Auth-Type to unix. It's completely wrong. Alan DeKok. Still getting the errors I got before about not setting an auth type. Where should the auth type be set? I've tried the config Dusty mentioned but still getting me nowhere... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
log activity
hello my answer i would like to file the url visited by the users of my radius server which file shall i modify thank's dom begin:vcard fn:dominique n:lambert;dominique org:sofibra;informatique adr:;;5 rue colbert;brest;;29280;france email;internet:[EMAIL PROTECTED] title:technicien tel;work:02988448785 url:http://www.hotel-sofibra.com version:2.1 end:vcard - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: log activity
On Tue, 26 Jul 2005, Dominique Lambert wrote: hello my answer i would like to file the url visited by the users of my radius server which file shall i modify thank's dom You already asked this question a few days ago and it has already been answered by me and other list members that this isn't a radius issue. Setup a proxy server and force your users to use this proxy. Chris -- Christian Seitz [EMAIL PROTECTED] http://www.in-berlin.de/ Individual Network Berlin e.V. PGP Fingerprint: A9 17 03 0D 36 AB 07 4E D0 1E C3 8E 3F B0 66 9A - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: log activity
Christian Seitz a écrit : On Tue, 26 Jul 2005, Dominique Lambert wrote: hello my answer i would like to file the url visited by the users of my radius server which file shall i modify thank's dom You already asked this question a few days ago and it has already been answered by me and other list members that this isn't a radius issue. Setup a proxy server and force your users to use this proxy. Chris hello chris tahnk's for your reponse i am a beginner with freeradius, can you help me to configure it to use a proxy best regards dom begin:vcard fn:dominique n:lambert;dominique org:sofibra;informatique adr:;;5 rue colbert;brest;;29280;france email;internet:[EMAIL PROTECTED] title:technicien tel;work:02988448785 url:http://www.hotel-sofibra.com version:2.1 end:vcard - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: log activity
On Tue, 26 Jul 2005, Dominique Lambert wrote: On Tue, 26 Jul 2005, Dominique Lambert wrote: hello my answer i would like to file the url visited by the users of my radius server which file shall i modify thank's dom You already asked this question a few days ago and it has already been answered by me and other list members that this isn't a radius issue. Setup a proxy server and force your users to use this proxy. Chris hello chris tahnk's for your reponse i am a beginner with freeradius, can you help me to configure it to use a proxy best regards dom Again: It has nothing to do with freeradius. You can't configure freeradius to send something back to you nas that configures your clients browsers to use a proxy. Read www.squid-cache.org how to set up a proxy and configure your clients to use this proxy or configure your router to route all traffic to port 80 on the internet through the proxy. And again: It's not a radius issue. This is the wrong place for these questions. Chris -- Christian Seitz [EMAIL PROTECTED] http://www.in-berlin.de/ Individual Network Berlin e.V. PGP Fingerprint: A9 17 03 0D 36 AB 07 4E D0 1E C3 8E 3F B0 66 9A - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
802.1X Port Authentication using unix user/pass
Hi, I've looked at the 802.1X Port-Based Authentication HOWTO guide, I have a few questions. The guide authenticates using a users file which is a formatted text file. I wish to use the users unix (linux) user name and passwords which I are in /etc/password and the /etc/shadow which has the encrypted string for the password. My Question is: Can I follow the guide and trivially make it do what I want? I have a feeling somehow what I want to achieve requires the password to be sent plain text (not CHAP) ... correct? BUT is the plain text encrypted anyway between the access point and the wireless node using OpenSSL or if the password was sent plain text can it be sniffed? To make life easy... I want WPA-EAP authentication working, but I want the authentication be against the Linux username and its password. Is this possible? Guides and tips welcome Cheers Sura - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem with RadZap in version 1.0.4
Hi all I am trying to zap users but for some reason it is giving an error Port not found, i will paste all the necessary details below. johny,johny,shell,S-2140143609,Tue 09:47,192.116.123.117,10.10.11.251 henry,henry,shell,S-2140143606,Tue 12:23,192.116.123.117,10.10.11.254 radzap -N 192.116.123.117 -P -2140143609 -u johny -x 192.116.123.115:1813 password Sending Accounting-Request of id 113 to 192.116.123.115:1813 User-Name = johny Acct-Session-Id = 8077 Acct-Status-Type = Stop NAS-IP-Address = 192.116.123.117 rad_recv: Accounting-Response packet from host 192.116.123.115:1813, id=113, length=20 Ready to process requests. rad_recv: Accounting-Request packet from host 192.116.123.115:32813, id=113, length=49 User-Name = johny Acct-Session-Id = 8077 Acct-Status-Type = Stop NAS-IP-Address = 192.116.123.117 Processing the preacct section of radiusd.conf modcall: entering group preacct for request 0 modcall[preacct]: module preprocess returns noop for request 0 rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent rlm_acct_unique: Hashing ',Client-IP-Address = 192.116.123.115,NAS-IP-Address = 192.116.123.117,Acct-Session-Id = 8077,User-Name = johny' rlm_acct_unique: Acct-Unique-Session-ID = 40280b49c7d3093a. modcall[preacct]: module acct_unique returns ok for request 0 rlm_realm: No '@' in User-Name = johny, looking up realm NULL rlm_realm: No such realm NULL modcall[preacct]: module suffix returns noop for request 0 modcall[preacct]: module files returns noop for request 0 modcall: group preacct returns ok for request 0 Processing the accounting section of radiusd.conf modcall: entering group accounting for request 0 radius_xlat: '/var/log/radius/radacct/192.116.123.115/detail-20050726' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.116.123.115/detail-20050726 modcall[accounting]: module detail returns ok for request 0 modcall[accounting]: module unix returns noop for request 0 radius_xlat: '/var/log/radius/radutmp' radius_xlat: 'johny' rlm_radutmp: No NAS-Port seen. Cannot do anything. rlm_radumtp: WARNING: checkrad will probably not work! modcall[accounting]: module radutmp returns noop for request 0 radius_xlat: 'johny' rlm_sql (sql): sql_set_user escaped user -- 'johny' radius_xlat: 'UPDATE radacct SET AcctStopTime = '2005-07-26 12:32:23', AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '', AcctTerminateCause = '', AcctStopDelay = '', ConnectInfo_stop = '' WHERE AcctSessionId = '8077' AND UserName = 'johny' AND NASIPAddress = '192.116.123.117'' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Released sql socket id: 4 modcall[accounting]: module sql returns ok for request 0 modcall: group accounting returns ok for request 0 Sending Accounting-Response of id 113 to 192.116.123.115:32813 Finished request 0 Going to the next request --- Walking the entire request list --- Cleaning up request 0 ID 113 with timestamp 42e61f47 Nothing to do. Sleeping until we see a request. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question on sql.conf - accounting_start_query - accounting_start_query_alt
Andreas Engler wrote: So now for me remains in which case won't an Insert work but the alternate Update, or what for is accounting_start_query_alt. INSERT may fail if your SQL schema defines a unique index to prevent insertion of duplicate accounting records. With MySQL 4.1 you could use the ON DUPLICATE KEY UPDATE clause instead of an accounting_start_query_alt query. mysql INSERT INTO radacct [...] ON DUPLICATE KEY UPDATE [...]; Another question a little bit of another topic. In may you wrote, that the functions of radsqlrelay will be an integral part of an next freeradius version. You talked about a few weeks here radius server and sql server http://lists.freeradius.org/pipermail/freeradius-users/2005-May/043936.html. Ok it belongs to cvs head. Could you tell me the stand of development or where i can find the information? You'll find manpages in the CVS head. Please read rlm_sql_log(5) and radsqlrelay(8). -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Debug vs. Run mode
The freeradius server is running and the MySQL server is running. I can get it to work in debug radiusd -X and then use NTRadPing and get an Accept message back. When I run /etc/init.d/radiusd start I get: Starting RADIUS server:[ OK ] But then freeradius will not talk to mysql __ [root@ raddb]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = /usr main: localstatedir = /var main: logdir = /var/log/radius main: libdir = /usr/lib main: radacctdir = /var/log/radius/radacct main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /var/log/radius/radius.log main: log_auth = no main: log_auth_badpass = yes main: log_auth_goodpass = no main: pidfile = /var/run/radiusd/radiusd.pid main: user = root main: group = root main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/sbin/checkrad main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = (null) mschap: authtype = MS-CHAP mschap: ntlm_auth = (null) Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = /etc/passwd unix: shadow = /etc/shadow unix: group = /etc/group unix: radwtmp = /var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = md5 eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = /etc/raddb/huntgroups preprocess: hints = /etc/raddb/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = suffix realm: delimiter = @ realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded SQL sql: driver = rlm_sql_mysql sql: server = localhost sql: port = 3306 sql: login = root sql: password = password sql: radius_db = radius sql: acct_table = radacct sql: acct_table2 = radacct sql: authcheck_table = radcheck sql: authreply_table = radreply sql: groupcheck_table = radgroupcheck sql: groupreply_table = radgroupreply sql: usergroup_table = usergroup sql: nas_table = nas sql: dict_table = dictionary sql: sqltrace = yes sql: sqltracefile = /var/log/radius/sqltrace.sql sql: readclients = no sql: deletestalesessions = yes sql: num_sql_socks = 5 sql: sql_user_name = %{User-Name} sql: default_user_profile = sql: query_on_not_found = no sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id sql: authorize_group_check_query = SELECT
session-time with incorrect calculations
Hi I am running FreeRadius 1.0.4 with Postgres. I have noticed that the sessiontime is sometimes calculated incorrectly in the radacct table. If you compare the acctsessionstart and the acctsessionend with the acctsessiontime it does not match. This is particularly true for connections ended with idle-timeout. When would session times generally be wrong and how can I stop this from happening ? Thanks Barry - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radius IPv6 Server
Team, I am looking for a free radius server with IPv6 support. Can anyone of you help me. -Thanks Confidentiality Notice The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Wipro or [EMAIL PROTECTED] immediately and destroy all copies of this message and any attachments. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 802.1X Port Authentication using unix user/pass
[EMAIL PROTECTED] wrote: To make life easy... I want WPA-EAP authentication working, but I want the authentication be against the Linux username and its password. Is this possible? Guides and tips welcome It is possible however only with EAP-TTLS and PAP inner tunnel authentication. Set up EAP and TTLS then make sure your WPA clients are using TTLS+PAP. Here are directions on how to set up clients http://vuksan.com/linux/dot1x/wpa-client-config.html Vladimir - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_ldap: Attribute User-Password is required forauthentication
melvin wrote: LDAP does provide some authentication -- through the 'BIND' statement. Incidentally, this is how the FreeRadius rlm_ldap module chooses to authenticate against an LDAP entry... it attempts to 'bind' to it, passing the username and password to LDAP. I have successfully integrated FreeRadius LDAP -- I can get you my config entries if you would like. It worked with OpenLDAP practically out-of-the-box. I have a write-up on FreeRADIUS and LDAP. It should apply to most configurations http://vuksan.com/linux/dot1x/802-1x-LDAP.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 802.1X Port Authentication using unix user/pass
Quoting Vladimir Vuksan [EMAIL PROTECTED]: To make life easy... I want WPA-EAP authentication working, but I want the authentication be against the Linux username and its password. Is this possible? Guides and tips welcome It is possible however only with EAP-TTLS and PAP inner tunnel authentication. Set up EAP and TTLS then make sure your WPA clients are using TTLS+PAP. Here are directions on how to set up clients http://vuksan.com/linux/dot1x/wpa-client-config.html Thanks for that. Does the Dlink DWL-2100AP support this? It supports 801.X WPA Here's is a screenshot of what the WPA configuration section looks like (on the AP's config page) http://support.dlink.com/emulators/dwl2100ap/html/CfgWepParam.html I'm hoping that I can use WPA-EAP with this option, but notice under encryption it has AES, Auto, TKIP... which one? Sura - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Tunnel-Password fails proxy: tunnel password is too long for the attribute
Tariq Rashid [EMAIL PROTECTED] wrote: i prevent the backend server from sending this particular Tunnel-Password attribute. Ok... can you post sample packet traces containing that attribute, and use a known shared secret like testing123. That will let me validate the packets... The request/response to/from the backend server should be good enough. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with RadZap in version 1.0.4
Sarkis Gabriel [EMAIL PROTECTED] wrote: radzap -N 192.116.123.117 -P -2140143609 -u johny -x A negative number for the port? That isn't nice. Hmm... The numbers should be printed as unsigned int's, and the input to radzap should be unsigned int's. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius IPv6 Server
[EMAIL PROTECTED] wrote: I am looking for a free radius server with IPv6 support. Can anyone of you help me. See the CVS snapshot. It can have IPv6 clients, but it can't yet proxy to IPv6 home servers. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Setting up freeradius to work with cisco aironet accesspoints in a custom environment
Hello, Am Montag, den 25.07.2005, 12:57 -0400 schrieb Alan DeKok: Mario Lipinski [EMAIL PROTECTED] wrote: Can i do LEAP with Samba-Passwords (which are also stored in the db)? Yes. I think this should work in general but not with the MSChapv2 implementation in FreeRadius. Is there any way? It works. It does, now. :) Needed to use the := operator and prepend 0x to the NT-Password value. Also got it configured to work with my database structure. OK. Thats all that my writing is about. I don't know how to really get away from the sample layout. For example how to distinguish between MAC-Address and EAP authentication requests. Read the debug log. You have the information in front of you. I don't have access to your system, so it wouild be inappropriate of me to guess. I am attaching two requests taken from the debug log. The first one is the request for the MAC-Address Authentication, the second one is the one for LEAP authentication (works, eap messages were cut since they might contain real user information, dunno). For the MAC-Address stuff i need to lookup the things in another database. I know i can define different sql spaces with sql name in the configs. But how to decide, which table use for the lookup. Both requests are of the type Login-User. The only difference is, that the MAC-Address authentication request contains the User-Password attribute. I read much about comparing the values of the attributes, but how to check for their existence? If there is no better way, i might use a regex matching [0-9a-f]{12} - should work? How do i write it in the config to use sql a when the regex matches and to use sql b if not? I hope i provided all information needed to get a quick and clear answer this time. Thanks, -- Mario Lipinski VOIP: +49 511 696045510 SystemadministrationFax: +49 721 151-207196 Gymnasium Salzgitter-BadE-Mail: [EMAIL PROTECTED] Internet: http://www.gymszbad.de rad_recv: Access-Request packet from host 172.21.1.3:1645, id=111, length=114 User-Name = 000e352af0fd User-Password = 000e352af0fd Called-Station-Id = 0011.92f8.9c10 Calling-Station-Id = 000e.352a.f0fd Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 294 NAS-IP-Address = 172.21.1.3 NAS-Identifier = ap03 [...] Login incorrect: [000e352af0fd] (from client ap port 294 cli 000e.352a.f0fd) rad_recv: Access-Request packet from host 172.21.1.3:1645, id=112, length=121 User-Name = law Framed-MTU = 1400 Called-Station-Id = 0011.92f8.9c10 Calling-Station-Id = 000e.352a.f0fd Service-Type = Login-User Message-Authenticator = 0xdeadbeef08151337... EAP-Message = 0x0815deadbeef1337... NAS-Port-Type = Wireless-802.11 NAS-Port = 294 NAS-IP-Address = 172.21.1.3 NAS-Identifier = ap03 signature.asc Description: This is a digitally signed message part - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: session-time with incorrect calculations
Barry [EMAIL PROTECTED] wrote: If you compare the acctsessionstart and the acctsessionend with the acctsessiontime it does not match. ... When would session times generally be wrong and how can I stop this from happening ? As a general principle, FreeRADIUS logs what it receives. If the session time is wrong, then it's because the NAS sent the data. The only solution to bad data is to fix the NAS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 802.1X Port Authentication using unix user/pass
[EMAIL PROTECTED] wrote: Does the Dlink DWL-2100AP support this? It supports 801.X WPA Here's is a screenshot of what the WPA configuration section looks like (on the AP's config page) http://support.dlink.com/emulators/dwl2100ap/html/CfgWepParam.html It appears it does. WPA-PSK is WPA with pre-shared key. It is akin to WEP key ie. there is a single key for all sessions. Thus use WPA-EAP. I'm hoping that I can use WPA-EAP with this option, but notice under encryption it has AES, Auto, TKIP... which one? I would go for Auto. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: session-time with incorrect calculations
Barry wrote: I am running FreeRadius 1.0.4 with Postgres. I have noticed that the sessiontime is sometimes calculated incorrectly in the radacct table. If you compare the acctsessionstart and the acctsessionend with the acctsessiontime it does not match. This is particularly true for connections ended with idle-timeout. When would session times generally be wrong and how can I stop this from happening ? Could be a feature of the NAS to distract the idle time from the session time so as not to bill the user for unused time. Check your NAS features/configuration. -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: session-time with incorrect calculations
Hi I am running FreeRadius 1.0.4 with Postgres. I have noticed that the sessiontime is sometimes calculated incorrectly in the radacct table. If you compare the acctsessionstart and the acctsessionend with the acctsessiontime it does not match. This is particularly true for connections ended with idle-timeout. When would session times generally be wrong and how can I stop this from happening ? Thanks Barry Freeradius just logs what is sent over. Are you using radrelay? We get session delays sometimes when using radrelay when our sql server is overwhelmed. Check for acctstartdelay and acctstopdelay. If you find it, subtract acctstartdelay from the session time and see if that makes sense. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-TLS and MYSQL
I'm using Freeradius in EAP-TLS and I'm trying to use dialupadmin/mysql. Although the supplicant is not in my database, the NAS receives an Access-Accept. Is this normal ? #file is commented in my radiusd.conf. thanks for your help. Stephane Rossi rlm_sql (sql): User testwifi not found in radgroupcheckrlm_sql (sql): User not foundrlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns notfound for request 6modcall: group authorize returns updated for request 6 rad_check_password: Found Auth-Type EAPauth: type "EAP" Processing the authenticate section of radiusd.confmodcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLSrlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 6modcall: group authenticate returns ok for request 6Login OK: [testwifi/no User-Password attribute] (from client Cisco Aironet 1200 port 354 cli 0090.4b77.99a6)Sending Access-Accept of id 162 to 192.168.2.220:21646 MS-MPPE-Recv-Key = 0x910fdf897f8f042be203a7bcb10a1b89969b996f693ec40fd58d6172f55dee26 MS-MPPE-Send-Key = 0x5bbe978c153970cf7fb7f7fb7863caf4c9525fedb850f85d1a02985a585544e0 EAP-Message = 0x03080004 Message-Authenticator = 0x User-Name = "testwifi"Finished request 6 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with RadZap in version 1.0.4
Hi Alan I do not know what to do with it, it is coming as a negative number the Nas Type is a Mikrotik and when radwho -r is issued i get this. johny,johny,shell,S-2140143609,Tue 09:47,192.116.123.117,10.10.11.251 Any idea why it is giving a negative number? Thanks sarky Alan DeKok wrote: Sarkis Gabriel [EMAIL PROTECTED] wrote: radzap -N 192.116.123.117 -P -2140143609 -u johny -x A negative number for the port? That isn't nice. Hmm... The numbers should be printed as unsigned int's, and the input to radzap should be unsigned int's. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
limited accounts
Hi, I'm trying to setup a system which allow users to login for a specific period (1 month, or 1 week, it depends on the type of the account) since their first connection. I manage to do this by a cron script which removes them from database, but it's (really) crap... Is there any proper way to do this ? counter module ? I think this could better by modifying sql queries in sql.conf to calculate remaining time (until the end of this period) and send it as Max-All-Session attribute to the NAS, but I don't know if it's possible... Moreover, I wish to use a max consecutive time too, which allow me to create user account valid for a limited period (1 month for ex.), with limited session time (3 hours max), and with a maximum duration time (10 hours). Is there any specific module to do this ? Finally, if I want to limit access depending on the day of the week, or the hour, what's the best approach ? Sorry for all these questions, I don't expect a complete solution from this forum (it's my work to find one), but simply some advices (or clues) on how it could (would ?) be done. Regards, Jeremy - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Different Passwd Files on Different Servers
Bryan Beronilla [EMAIL PROTECTED] wrote: Still getting the errors I got before about not setting an auth type. Where should the auth type be set? The server figures it out. I've tried the config Dusty mentioned but still getting me nowhere... Try one thing at a time. The default config works. You can start from there, and add new features one by one. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS and MYSQL
Stephane Rossi [EMAIL PROTECTED] wrote: I'm using Freeradius in EAP-TLS and I'm trying to use dialupadmin/mysql. Although the supplicant is not in my database, the NAS receives an Access-Accept. Is this normal ? Yes. The client certificate means that they're a valid user. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: limited accounts
=?ISO-8859-1?Q?J=E9r=E9my_Cluzel?= [EMAIL PROTECTED] wrote: I manage to do this by a cron script which removes them from database, but it's (really) crap... Is there any proper way to do this ? counter module ? Yes. Moreover, I wish to use a max consecutive time too, which allow me to create user account valid for a limited period (1 month for ex.), with limited session time (3 hours max), and with a maximum duration time (10 hours). Is there any specific module to do this ? No. That's just Session-Timeout Finally, if I want to limit access depending on the day of the week, or the hour, what's the best approach ? Login-Time. See the README. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Proxy/Not Proxy based on dialed number?
I have a MAX TNT that will be doing dialin service. Is it possible to selectively proxy based on the DNIS? My user accounts are stored in a postgres database that I have working fine for PPPoA termination already. Thanks for any help dave - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius and Windows 2003 Active Directory Authentication
I am having trouble getting my radius setup to authenticate to windows 2003 active directory. when using the following string radiusd.conf module configureation section ldap { server = gtds-domcon.gtdsolutions.org basedn = dc=gtdsolutions,dc=org filter = (sAMAccountName=%u) password_attribute = userPassword identity = cn=administrator,cn=Users,dc=gtdsolutions,dc=org password = pantera authorize section ldap - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius and Windows 2003 Active Directory Authentication (2)
Previous post sent before I was done, here is the full post: I am having trouble getting my radius setup to authenticate to windows 2003 active directory. when using the following string radtest administrator password localhost 2 radiussecret rad_recv: Access-Request packet from host 127.0.0.1:32775, id=240, length=65 User-Name = administrator User-Password = password NAS-IP-Address = 255.255.255.255 NAS-Port = 2 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module preprocess returns ok for request 0 modcall[authorize]: module chap returns noop for request 0 modcall[authorize]: module mschap returns noop for request 0 rlm_realm: No '@' in User-Name = administrator, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module eap returns noop for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module files returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for administrator radius_xlat: '(sAMAccountName=administrator)' radius_xlat: 'dc=company,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to gtds-domcon.gtdsolutions.org:389, authentication 0 rlm_ldap: bind as cn=administrator,cn=Users,dc=company,dc=org/password to domcon.company.org:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=company,dc=org, with filter (sAMAccountName=administrator) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user administrator authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module ldap returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type System Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module unix returns notfound for request 0 modcall: group authenticate returns notfound for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 radiusd.conf - I didn't find a system or System auth type, did I miss something? module configureation section ldap { server = domcon.company.org basedn = dc=company,dc=org filter = (sAMAccountName=%u) password_attribute = userPassword identity = cn=administrator,cn=Users,dc=company,dc=org password = password authorize section ldap# this is enabled authenticate sectoin Auth-Type LDAP { ldap } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius and Windows 2003 Active Directory Authentication (2)
Tim P [EMAIL PROTECTED] wrote: I am having trouble getting my radius setup to authenticate to windows 2003 active directory. That will work only for PAP, if that's all you need. radiusd.conf - I didn't find a system or System auth type, did I miss something? See the users file: users: Matched entry DEFAULT at line 152 Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with RadZap in version 1.0.4
Sarkis Gabriel [EMAIL PROTECTED] wrote: johny,johny,shell,S-2140143609,Tue 09:47,192.116.123.117,10.10.11.251 Any idea why it is giving a negative number? It looks like a bug in radwho. It will be fixed in 1.0.5 (if and when it gets released) Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with RadZap in version 1.0.4
Thanks alan for the reply just wondering if there is any workaround to kill those connections? if there is no workaround are all Freeradius 1.0.0 have that bug in radwho? Thanks again Sarky Alan DeKok wrote: Sarkis Gabriel [EMAIL PROTECTED] wrote: johny,johny,shell,S-2140143609,Tue 09:47,192.116.123.117,10.10.11.251 Any idea why it is giving a negative number? It looks like a bug in radwho. It will be fixed in 1.0.5 (if and when it gets released) Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP and FreeRadius Authentication - One user, multiple groups
I have freeradius and LDAP authenticating nicely. The problem I am running into is that when I id a user, it only shows the primary group that user is a member of. How can I get FreeRadius to report the other groups that the user belongs to? Mark Litchfield Sorry I don't understand. Can you explain what you mean by only shows the primary group and report the other groups. Report to what? Perhaps some radiusd -X output and an explanation of what you are trying to do would help. Using the following tree in LDAP: dc: treeroot |_ou: accounts | |_ou: domain1 | | |_uid: joe | | mail: [EMAIL PROTECTED] | | uid: 10001 | | gid: 11000 | |_ou: domain2 | |_uid: joe |mail: [EMAIL PROTECTED] |uid: 10002 |gid: 11001 |_ou: groups |_cn: group1 | uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot | gid: 11000 |_cn: group2 | uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot | gid: 11001 |_cn: group3 uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot gid: 11002 When I su in as [EMAIL PROTECTED] and run id from the prompt I get: joe(10001), group1(11000) When I should get joe(10001), group1(11000), group3(11002) The overall desired effect: 1. System will support multiple domains. 2. Duplicate user names cannot exist within the same domain. (i.e. there can be only one username joe per domain, but each domain can have a username joe.) 3. Users can be members of several groups. Cross-domain group membership may be supported. ([EMAIL PROTECTED] is a member of group1 and [EMAIL PROTECTED] is a member of group2. Both of them are members of group3) 4. User / group authorization must be available to the filesystem / OS. I am trying to replace the use of /etc/passwd and /etc/group for filesystem permissions, login , etc. Please anyone, tell me if I am insane for attempting this, if this is even possible or if there is an opensource alternative that will do all this and work with postfix and apache for user AAA. I would much rather get this to work in LDAP with FreeRadius. On a side note, same topic... I have been looking for a way to do nested groups in LDAP with FreeRadius. Is this possible and how? BTW, I was unable to grab the radiusd -X output. The machine is not availble to me for a few days. Taking a short break before I snap. Thanks Mark Litchfield - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html