Re: Question on sql.conf - accounting_start_query - accounting_start_query_alt

2005-07-26 Thread Andreas Engler

Hello,

I thought a second time about it and I guess it is a performance-related 
decision, because it is most likely that no entry exists.



 to prevent duplicate entries in the radacct table, shouldn't the
 accounting_start_query be the UPDATE query and the

  How are you going to UPDATE an entry that doesn't exist?

  Alan DeKok.



As I understand the behavior of rlm_sql, the update of a non-existing 
entry will fail and the alternate accounting_start_query_alt (with 
insert) will be transmitted to the SQL server. This is the case if a Start 
record is missing for an incoming Stop record, for instance.
But as I said above, the benefit of non-duplicate entries vs. performance 
would not be worth it, right?


So what remains for me is: in which case won't an Insert work but the 
alternate Update, or what is accounting_start_query_alt for?


Another question, a little bit off topic. In May you wrote that 
the functions of radsqlrelay will be an integral part of a next 
freeradius version. You talked about it a few weeks ago here: radius server and 
sql server 
http://lists.freeradius.org/pipermail/freeradius-users/2005-May/043936.html. 
OK, it belongs to CVS head. Could you tell me the state of development or 
where I can find the information?


Sorry for my mistake on the meaning of string in RFC 2865 in the article 
"Difference between dictionary and RFC 2865 for Attribute Class" 
http://lists.freeradius.org/pipermail/freeradius-users/2005-July/045566.html. 
It was related to the wish for informational use of the Class attribute.


Thank you

Andreas

Andreas Engler wrote:


Hello,

to prevent duplicate entries in the radacct table, shouldn't the
accounting_start_query be the UPDATE query and the
accounting_start_query_alt be the INSERT into query as it is the case
on stop and update.

In which case would the accounting_start_query fail and the
accounting_start_query_alt work?

Could someone point me in the right direction?

I know that freeradius handles retransmitted Acct-Requests, so
duplicate entries would only show up if at some point it didn't
remember. I don't know if this is impossible.

Thank you.

Andreas






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Tunnel-Password fails proxy: tunnel password is too long for the attribute

2005-07-26 Thread Tariq Rashid

  I though you said that the backend server sent the attribute?  How
do you comment it out?

I prevent the backend server from sending this particular Tunnel-Password
attribute.

t


Re: Different Passwd Files on Different Servers

2005-07-26 Thread Bryan Beronilla
On 7/22/05, Alan DeKok [EMAIL PROTECTED] wrote:
 Bryan Beronilla [EMAIL PROTECTED] wrote:
  #  Added by Barok for alternate password
   passwd virtual_passwd {
  filename = /home/virtual/domain.com/etc/passwd
  format = *User-Name::LM-Password
  authtype = MS-CHAP
 ...
  DEFAULT Realm == domain.com
  Autz-Type := virtual_passwd,
  Auth-Type := unix,
 
   I'll echo the previous response that this format is wrong.
 
   But there's another problem, too.  You've set Auth-Type TWICE.  Once
 via the passwd module, to MS-CHAP, and once via the users file to
 unix.
 
   Now, unless your unix is very different than every other one I've
 seen, it won't know what to do with the LM-Password read from
 /home/virtual/domain.com/etc/passwd, and it won't know what to do with
 any MS-CHAP request.
 
   Don't set Auth-Type to unix.  It's completely wrong.
 
   Alan DeKok.
 
 

Still getting the errors I got before about not setting an auth type. 
Where should the auth type be set?  I've tried the config Dusty
mentioned but still getting me nowhere...



log activity

2005-07-26 Thread Dominique Lambert

Hello,
my answer:
I would like to file the URLs visited by the users of my radius server.
Which file shall I modify?
Thanks,
dom
begin:vcard
fn:dominique
n:lambert;dominique
org:sofibra;informatique
adr:;;5 rue colbert;brest;;29280;france
email;internet:[EMAIL PROTECTED]
title:technicien
tel;work:02988448785
url:http://www.hotel-sofibra.com
version:2.1
end:vcard


Re: log activity

2005-07-26 Thread Christian Seitz

On Tue, 26 Jul 2005, Dominique Lambert wrote:


Hello,
my answer:
I would like to file the URLs visited by the users of my radius server.
Which file shall I modify?
Thanks,
dom


You already asked this question a few days ago and it has already been 
answered by me and other list members that this isn't a radius issue.


Set up a proxy server and force your users to use this proxy.

Chris
--
Christian Seitz [EMAIL PROTECTED] http://www.in-berlin.de/
Individual Network Berlin e.V.

PGP Fingerprint: A9 17 03 0D 36 AB 07 4E  D0 1E C3 8E 3F B0 66 9A


Re: log activity

2005-07-26 Thread Dominique Lambert

Christian Seitz wrote:


On Tue, 26 Jul 2005, Dominique Lambert wrote:


Hello,
my answer:
I would like to file the URLs visited by the users of my radius server.
Which file shall I modify?
Thanks,
dom



You already asked this question a few days ago and it has already been 
answered by me and other list members that this isn't a radius issue.


Set up a proxy server and force your users to use this proxy.

Chris


Hello Chris,
thanks for your response.
I am a beginner with freeradius; can you help me to configure it
to use a proxy?
Best regards,
dom



Re: log activity

2005-07-26 Thread Christian Seitz

On Tue, 26 Jul 2005, Dominique Lambert wrote:


On Tue, 26 Jul 2005, Dominique Lambert wrote:


Hello,
my answer:
I would like to file the URLs visited by the users of my radius server.
Which file shall I modify?
Thanks,
dom



You already asked this question a few days ago and it has already been 
answered by me and other list members that this isn't a radius issue.


Set up a proxy server and force your users to use this proxy.

Chris


Hello Chris,
thanks for your response.
I am a beginner with freeradius; can you help me to configure it
to use a proxy?
Best regards,
dom


Again: It has nothing to do with freeradius. You can't configure 
freeradius to send something back to your NAS that configures your clients' 
browsers to use a proxy. Read www.squid-cache.org on how to set up a proxy 
and configure your clients to use this proxy, or configure your router to 
route all traffic to port 80 on the internet through the proxy.


And again: It's not a radius issue. This is the wrong place for these 
questions.


Chris
--
Christian Seitz [EMAIL PROTECTED] http://www.in-berlin.de/
Individual Network Berlin e.V.

PGP Fingerprint: A9 17 03 0D 36 AB 07 4E  D0 1E C3 8E 3F B0 66 9A


802.1X Port Authentication using unix user/pass

2005-07-26 Thread lists . mailing
Hi,
I've looked at the 802.1X Port-Based Authentication HOWTO guide, and I have a few
questions.

The guide authenticates using a users file, which is a formatted text file.
I wish to use the users' unix (linux) user names and passwords, which are in
/etc/passwd and /etc/shadow, which
has the encrypted string for the password.

My question is:
 Can I follow the guide and trivially make it do what I want?
 I have a feeling that what I want to achieve somehow requires the password to be
sent in plain text (not CHAP) ... correct?
 BUT is the plain text encrypted anyway between the access point and the
wireless node using OpenSSL, or if the password was sent in plain text, can it be
sniffed?

To make life easy...
I want WPA-EAP authentication working, but I want the authentication be against
the Linux username and its password.

Is this possible? Guides and tips welcome

Cheers
Sura


Problem with RadZap in version 1.0.4

2005-07-26 Thread Sarkis Gabriel


Hi all

I am trying to zap users, but for some reason it is giving an error "Port 
not found". I will paste all the necessary details below.




johny,johny,shell,S-2140143609,Tue 09:47,192.116.123.117,10.10.11.251
henry,henry,shell,S-2140143606,Tue 12:23,192.116.123.117,10.10.11.254




radzap -N 192.116.123.117 -P -2140143609 -u johny -x 
192.116.123.115:1813 password

Sending Accounting-Request of id 113 to 192.116.123.115:1813
User-Name = johny
Acct-Session-Id = 8077
Acct-Status-Type = Stop
NAS-IP-Address = 192.116.123.117
rad_recv: Accounting-Response packet from host 192.116.123.115:1813, 
id=113, length=20





Ready to process requests.
rad_recv: Accounting-Request packet from host 192.116.123.115:32813, 
id=113, length=49

User-Name = johny
Acct-Session-Id = 8077
Acct-Status-Type = Stop
NAS-IP-Address = 192.116.123.117
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 0
  modcall[preacct]: module preprocess returns noop for request 0
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, 
unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 
192.116.123.115,NAS-IP-Address = 192.116.123.117,Acct-Session-Id = 
8077,User-Name = johny'

rlm_acct_unique: Acct-Unique-Session-ID = 40280b49c7d3093a.
  modcall[preacct]: module acct_unique returns ok for request 0
rlm_realm: No '@' in User-Name = johny, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 0
  modcall[preacct]: module files returns noop for request 0
modcall: group preacct returns ok for request 0
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 0
radius_xlat:  '/var/log/radius/radacct/192.116.123.115/detail-20050726'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
expands to /var/log/radius/radacct/192.116.123.115/detail-20050726

  modcall[accounting]: module detail returns ok for request 0
  modcall[accounting]: module unix returns noop for request 0
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  'johny'
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
  modcall[accounting]: module radutmp returns noop for request 0
radius_xlat:  'johny'
rlm_sql (sql): sql_set_user escaped user -- 'johny'
radius_xlat:  'UPDATE radacct SET AcctStopTime = '2005-07-26 12:32:23', 
AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '', 
AcctTerminateCause = '', AcctStopDelay = '', ConnectInfo_stop = '' WHERE 
AcctSessionId = '8077' AND UserName = 'johny' AND NASIPAddress = 
'192.116.123.117''

rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
  modcall[accounting]: module sql returns ok for request 0
modcall: group accounting returns ok for request 0
Sending Accounting-Response of id 113 to 192.116.123.115:32813
Finished request 0
Going to the next request
--- Walking the entire request list ---
Cleaning up request 0 ID 113 with timestamp 42e61f47
Nothing to do.  Sleeping until we see a request.


Re: Question on sql.conf - accounting_start_query - accounting_start_query_alt

2005-07-26 Thread Nicolas Baradakis
Andreas Engler wrote:

 So now for me remains in which case won't an Insert work but the 
 alternate Update, or what for is accounting_start_query_alt.

INSERT may fail if your SQL schema defines a unique index to prevent
insertion of duplicate accounting records.

With MySQL 4.1 you could use the ON DUPLICATE KEY UPDATE clause
instead of an accounting_start_query_alt query.

mysql> INSERT INTO radacct [...] ON DUPLICATE KEY UPDATE [...];

 Another question a little bit of another topic. In may you wrote, that 
 the functions of radsqlrelay will  be an integral part of an next 
 freeradius version. You talked about a few weeks here radius server and 
 sql server  
 http://lists.freeradius.org/pipermail/freeradius-users/2005-May/043936.html.
  
 Ok it belongs to cvs head. Could you tell me the stand of development or 
 where i can find the information?

You'll find manpages in the CVS head. Please read rlm_sql_log(5)
and radsqlrelay(8).

-- 
Nicolas Baradakis
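The query/alt fallback that Andreas asks about and the unique-index failure Nicolas describes, as an added example that is not FreeRADIUS or rlm_sql code: a Python script with an in-memory SQLite radacct table carrying a unique index on (acctsessionid, username, nasipaddress). It assumes a simplified rule (run the alternate query when the primary one raises an error or affects no row); the real module decides per Acct-Status-Type, and the queries are trimmed-down versions of the sql.conf ones, so column lists and session values are constructed for the demo.

```python
"""Added example (not FreeRADIUS code): simulate rlm_sql's primary/alternate
accounting queries against a SQLite radacct table with a unique index."""
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    radacctid       INTEGER PRIMARY KEY AUTOINCREMENT,
    acctsessionid   TEXT NOT NULL,
    username        TEXT NOT NULL,
    nasipaddress    TEXT NOT NULL,
    acctstarttime   TEXT,
    acctstoptime    TEXT,
    acctsessiontime INTEGER
);
-- The unique index is what makes a duplicate Start INSERT fail.
CREATE UNIQUE INDEX radacct_session
    ON radacct (acctsessionid, username, nasipaddress);
"""

# Trimmed stand-ins for the sql.conf queries (assumption: column subset only).
START_QUERY = ("INSERT INTO radacct (acctsessionid, username, nasipaddress, acctstarttime) "
               "VALUES (?, ?, ?, ?)")
START_QUERY_ALT = ("UPDATE radacct SET acctstarttime = ? "
                   "WHERE acctsessionid = ? AND username = ? AND nasipaddress = ?")
STOP_QUERY = ("UPDATE radacct SET acctstoptime = ?, acctsessiontime = ? "
              "WHERE acctsessionid = ? AND username = ? AND nasipaddress = ?")
STOP_QUERY_ALT = ("INSERT INTO radacct (acctsessionid, username, nasipaddress, "
                  "acctstoptime, acctsessiontime) VALUES (?, ?, ?, ?, ?)")


def run_with_alt(conn, query, params, alt_query, alt_params):
    """Simplified rlm_sql rule (assumption): try the primary query; if it raises
    or touches no row, run the alternate. Returns which path was taken."""
    try:
        cur = conn.execute(query, params)
        if cur.rowcount > 0:
            return "primary"
    except sqlite3.IntegrityError:
        pass  # unique index rejected the duplicate row
    conn.execute(alt_query, alt_params)
    return "alt"


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed session key, shaped like the radwho/radzap output in the thread.
    key = ("8077", "johny", "192.116.123.117")
    paths = []
    # 1. First Start: INSERT succeeds.
    paths.append(run_with_alt(conn, START_QUERY, key + ("2005-07-26 09:47:00",),
                              START_QUERY_ALT, ("2005-07-26 09:47:00",) + key))
    # 2. Retransmitted Start: the unique index rejects the INSERT, alt UPDATE runs.
    paths.append(run_with_alt(conn, START_QUERY, key + ("2005-07-26 09:47:05",),
                              START_QUERY_ALT, ("2005-07-26 09:47:05",) + key))
    # 3. Stop for a session that has a Start row: UPDATE matches one row.
    paths.append(run_with_alt(conn, STOP_QUERY, ("2005-07-26 12:32:23", 9923) + key,
                              STOP_QUERY_ALT, key + ("2005-07-26 12:32:23", 9923)))
    # 4. Stop with no Start ever seen: UPDATE matches nothing, alt INSERT creates the row.
    orphan = ("9999", "henry", "192.116.123.117")
    paths.append(run_with_alt(conn, STOP_QUERY, ("2005-07-26 12:40:00", 60) + orphan,
                              STOP_QUERY_ALT, orphan + ("2005-07-26 12:40:00", 60)))
    rows = conn.execute("SELECT acctsessionid, username, acctstarttime, acctstoptime "
                        "FROM radacct ORDER BY radacctid").fetchall()
    conn.close()
    return paths, rows


if __name__ == "__main__":
    taken, table = demo()
    print("paths:", taken)
    for row in table:
        print(row)
```

Without the unique index, step 2 would silently create a second row for the same session, which is the duplicate Andreas wants to avoid; with it, the duplicate is turned into an update. The MySQL ON DUPLICATE KEY UPDATE clause Nicolas mentions collapses steps 1 and 2 into a single statement; SQLite has no such clause in this form, so the example relies on the index alone.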


Debug vs. Run mode

2005-07-26 Thread Jamie Chitester
The freeradius server is running and the MySQL server is running.  I can get
it to work in debug radiusd -X and then use NTRadPing and get an Accept
message back.  

When I run /etc/init.d/radiusd start  I get:
Starting RADIUS server:[  OK  ]

But then freeradius will not talk to mysql
__



[root@ raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = root
 main: group = root
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = /etc/passwd
 unix: shadow = /etc/shadow
 unix: group = /etc/group
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded SQL
 sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port = 3306
 sql: login = root
 sql: password = password
 sql: radius_db = radius
 sql: acct_table = radacct
 sql: acct_table2 = radacct
 sql: authcheck_table = radcheck
 sql: authreply_table = radreply
 sql: groupcheck_table = radgroupcheck
 sql: groupreply_table = radgroupreply
 sql: usergroup_table = usergroup
 sql: nas_table = nas
 sql: dict_table = dictionary
 sql: sqltrace = yes
 sql: sqltracefile = /var/log/radius/sqltrace.sql
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: default_user_profile = 
 sql: query_on_not_found = no
 sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM
radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM
radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_group_check_query = SELECT

session-time with incorrect calculations

2005-07-26 Thread Barry

Hi

I am running FreeRadius 1.0.4 with Postgres.
I have noticed that the sessiontime is sometimes calculated incorrectly 
in the radacct table.
If you compare the acctsessionstart and the acctsessionend with the 
acctsessiontime it does not match.

This is particularly true for connections ended with idle-timeout.

When would session times generally be wrong, and how can I stop this from 
happening?


Thanks
Barry


Radius IPv6 Server

2005-07-26 Thread dattatreya.sharma



Team,

I am looking for a free radius server with IPv6 support. Can any of
you help me?

-Thanks






Re: 802.1X Port Authentication using unix user/pass

2005-07-26 Thread Vladimir Vuksan

[EMAIL PROTECTED] wrote:


To make life easy...
I want WPA-EAP authentication working, but I want the authentication be against
the Linux username and its password.

Is this possible? Guides and tips welcome
 

It is possible, however only with EAP-TTLS and PAP inner tunnel 
authentication. Set up EAP and TTLS, then make sure your WPA clients are 
using TTLS+PAP. Here are directions on how to set up clients:


http://vuksan.com/linux/dot1x/wpa-client-config.html

Vladimir


Re: rlm_ldap: Attribute User-Password is required forauthentication

2005-07-26 Thread Vladimir Vuksan

melvin wrote:


LDAP does provide some authentication -- through the 'BIND' statement.
Incidentally, this is how the FreeRadius rlm_ldap module chooses to
authenticate against an LDAP entry... it attempts to 'bind' to it, 
passing

the username and password to LDAP.

I have successfully integrated FreeRadius & LDAP -- I can get you my
config entries if you would like.  It worked with OpenLDAP practically
out-of-the-box.




I have a write-up on FreeRADIUS and LDAP. It should apply to most 
configurations


http://vuksan.com/linux/dot1x/802-1x-LDAP.html


Re: 802.1X Port Authentication using unix user/pass

2005-07-26 Thread lists . mailing

Quoting Vladimir Vuksan [EMAIL PROTECTED]:

To make life easy...
I want WPA-EAP authentication working, but I want the authentication 
be against

the Linux username and its password.

Is this possible? Guides and tips welcome


It is possible however only with EAP-TTLS and PAP inner tunnel
authentication. Set up EAP and TTLS then make sure your WPA clients are
using TTLS+PAP. Here are directions on how to set up clients

http://vuksan.com/linux/dot1x/wpa-client-config.html


Thanks for that.
Does the Dlink DWL-2100AP support this? It supports 802.1X WPA.
Here is a screenshot of what the WPA configuration section looks like 
(on the AP's config page):
http://support.dlink.com/emulators/dwl2100ap/html/CfgWepParam.html

I'm hoping that I can use WPA-EAP with this option, but I notice that under 
encryption it has AES, Auto, TKIP... which one?

Sura





Re: Tunnel-Password fails proxy: tunnel password is too long for the attribute

2005-07-26 Thread Alan DeKok
Tariq Rashid [EMAIL PROTECTED] wrote:
 i prevent the backend server from sending this particular Tunnel-Password
 attribute.

  Ok... can you post sample packet traces containing that attribute,
and use a known shared secret like testing123.  That will let me
validate the packets...

  The request/response to/from the backend server should be good enough.

  Alan DeKok.


Re: Problem with RadZap in version 1.0.4

2005-07-26 Thread Alan DeKok
Sarkis Gabriel [EMAIL PROTECTED] wrote:
 radzap -N 192.116.123.117 -P -2140143609 -u johny -x 

  A negative number for the port?  That isn't nice.

  Hmm... The numbers should be printed as unsigned int's, and the
input to radzap should be unsigned int's.

  Alan DeKok.



Re: Radius IPv6 Server

2005-07-26 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I am looking for a free radius server with IPv6 support. Can anyone of
 you help me.

  See the CVS snapshot.  It can have IPv6 clients, but it can't yet
proxy to IPv6 home servers.

  Alan DeKok.



Re: Setting up freeradius to work with cisco aironet accesspoints in a custom environment

2005-07-26 Thread Mario Lipinski
Hello,

On Monday, 25.07.2005, 12:57 -0400, Alan DeKok wrote:
 Mario Lipinski [EMAIL PROTECTED] wrote:
  Can i do LEAP with Samba-Passwords (which are also stored in the db)?
 
   Yes.
 
  I think this should work in general but not with the MSChapv2
  implementation in FreeRadius. Is there any way?
 
   It works.

It does, now. :)
Needed to use the := operator and prepend 0x to the NT-Password
value. Also got it configured to work with my database structure.

  OK. Thats all that my writing is about. I don't know how to really get
  away from the sample layout. For example how to distinguish between
  MAC-Address and EAP authentication requests.
 
   Read the debug log.  You have the information in front of you.  I
 don't have access to your system, so it wouild be inappropriate of me
 to guess.

I am attaching two requests taken from the debug log.
The first one is the request for the MAC-Address authentication, the
second one is the one for LEAP authentication (works; EAP messages were
cut since they might contain real user information, dunno).

For the MAC-Address stuff I need to look up the things in another
database. I know I can define different sql spaces with sql name in
the configs. But how do I decide which table to use for the lookup?

Both requests are of the type Login-User. The only difference is that
the MAC-Address authentication request contains the User-Password
attribute. I read a lot about comparing the values of the attributes, but
how do I check for their existence? If there is no better way, I might use
a regex matching [0-9a-f]{12} - should that work?

How do I write it in the config to use sql a when the regex matches
and to use sql b if not?

I hope I provided all the information needed to get a quick and clear answer
this time.

Thanks,
-- 
Mario Lipinski              VOIP:   +49 511 696045510
Systemadministration        Fax:    +49 721 151-207196
Gymnasium Salzgitter-Bad    E-Mail: [EMAIL PROTECTED]
                            Internet: http://www.gymszbad.de
rad_recv: Access-Request packet from host 172.21.1.3:1645, id=111, length=114
	User-Name = 000e352af0fd
	User-Password = 000e352af0fd
	Called-Station-Id = 0011.92f8.9c10
	Calling-Station-Id = 000e.352a.f0fd
	Service-Type = Login-User
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 294
	NAS-IP-Address = 172.21.1.3
	NAS-Identifier = ap03
[...]
Login incorrect: [000e352af0fd] (from client ap port 294 cli 000e.352a.f0fd)


rad_recv: Access-Request packet from host 172.21.1.3:1645, id=112, length=121
	User-Name = law
	Framed-MTU = 1400
	Called-Station-Id = 0011.92f8.9c10
	Calling-Station-Id = 000e.352a.f0fd
	Service-Type = Login-User
	Message-Authenticator = 0xdeadbeef08151337...
	EAP-Message = 0x0815deadbeef1337...
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 294
	NAS-IP-Address = 172.21.1.3
	NAS-Identifier = ap03



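The existence check Mario is asking about, as an added example that is not FreeRADIUS configuration (it does not answer the "which sql instance" question for radiusd.conf): a Python parser for the rad_recv attribute dumps in his post that classifies each request as EAP or MAC-address authentication by attribute presence and his [0-9a-f]{12} regex. The two requests are copied from the debug log above into a constructed string; as an extra check that goes beyond his question, a MAC-style User-Name is also compared against Calling-Station-Id, so a request claiming a MAC the access point did not see is flagged instead of accepted.

```python
"""Added example (not FreeRADIUS code): parse rad_recv attribute dumps and
tell MAC-address authentication requests from EAP ones."""
import re

# The two requests from the debug log in the post, as a constructed string
# (the 0x... values are the truncated ones shown there).
DEBUG_LOG = "\n".join([
    "rad_recv: Access-Request packet from host 172.21.1.3:1645, id=111, length=114",
    "\tUser-Name = 000e352af0fd",
    "\tUser-Password = 000e352af0fd",
    "\tCalled-Station-Id = 0011.92f8.9c10",
    "\tCalling-Station-Id = 000e.352a.f0fd",
    "\tService-Type = Login-User",
    "\tNAS-Port-Type = Wireless-802.11",
    "\tNAS-Port = 294",
    "\tNAS-IP-Address = 172.21.1.3",
    "\tNAS-Identifier = ap03",
    "[...]",
    "Login incorrect: [000e352af0fd] (from client ap port 294 cli 000e.352a.f0fd)",
    "",
    "rad_recv: Access-Request packet from host 172.21.1.3:1645, id=112, length=121",
    "\tUser-Name = law",
    "\tFramed-MTU = 1400",
    "\tCalled-Station-Id = 0011.92f8.9c10",
    "\tCalling-Station-Id = 000e.352a.f0fd",
    "\tService-Type = Login-User",
    "\tMessage-Authenticator = 0xdeadbeef08151337...",
    "\tEAP-Message = 0x0815deadbeef1337...",
    "\tNAS-Port-Type = Wireless-802.11",
    "\tNAS-Port = 294",
    "\tNAS-IP-Address = 172.21.1.3",
    "\tNAS-Identifier = ap03",
])

HEADER_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+), id=(\d+), length=(\d+)")
MAC_RE = re.compile(r"^[0-9a-f]{12}$")  # the regex Mario proposes


def parse_requests(text):
    """Group each rad_recv header with the tab-indented attribute lines under it."""
    requests = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            requests.append({"code": m.group(1), "host": m.group(2),
                             "id": int(m.group(3)), "attrs": {}})
        elif line.startswith("\t") and requests and " = " in line:
            name, value = line.strip().split(" = ", 1)
            requests[-1]["attrs"][name] = value
    return requests


def classify(request):
    """'eap' when an EAP-Message is present; 'mac' when User-Password is present,
    User-Name is twelve hex digits and equals the Calling-Station-Id the AP saw;
    'mac-mismatch' when the claimed MAC differs from the AP's view; else 'other'."""
    attrs = request["attrs"]
    if "EAP-Message" in attrs:
        return "eap"
    username = attrs.get("User-Name", "")
    if "User-Password" in attrs and MAC_RE.match(username):
        calling = attrs.get("Calling-Station-Id", "").replace(".", "").lower()
        return "mac" if calling == username else "mac-mismatch"
    return "other"


def classify_log(text):
    """Return [(request id, class), ...] for every request in the dump."""
    return [(r["id"], classify(r)) for r in parse_requests(text)]


if __name__ == "__main__":
    for req_id, kind in classify_log(DEBUG_LOG):
        print(f"request {req_id}: {kind}")
```

The EAP branch is tested first because an EAP request can also carry a MAC-looking User-Name; the Calling-Station-Id comparison is the part worth keeping in any real policy, since User-Name is whatever the client sent.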

Re: session-time with incorrect calculations

2005-07-26 Thread Alan DeKok
Barry [EMAIL PROTECTED] wrote:
 If you compare the acctsessionstart and the acctsessionend with the 
 acctsessiontime it does not match.
...
 When would session times generally be wrong and how can I stop this from 
 happening ?

  As a general principle, FreeRADIUS logs what it receives.  If the
session time is wrong, then it's because the NAS sent the data.  The
only solution to bad data is to fix the NAS.

  Alan DeKok.



Re: 802.1X Port Authentication using unix user/pass

2005-07-26 Thread Vladimir

[EMAIL PROTECTED] wrote:


Does the Dlink DWL-2100AP support this? It supports 802.1X WPA.
Here is a screenshot of what the WPA configuration section looks 
like (on the AP's config page):
http://support.dlink.com/emulators/dwl2100ap/html/CfgWepParam.html


It appears it does. WPA-PSK is WPA with a pre-shared key. It is akin to a 
WEP key, i.e. there is a single key for all sessions.  Thus use WPA-EAP.


I'm hoping that I can use WPA-EAP with this option, but I notice that under 
encryption it has AES, Auto, TKIP... which one?


I would go for Auto.


Re: session-time with incorrect calculations

2005-07-26 Thread Thor Spruyt
Barry wrote:
 I am running FreeRadius 1.0.4 with Postgres.
 I have noticed that the sessiontime is sometimes calculated
 incorrectly
 in the radacct table.
 If you compare the acctsessionstart and the acctsessionend with the
 acctsessiontime it does not match.
 This is particularly true for connections ended with idle-timeout.

 When would session times generally be wrong and how can I stop this
 from happening ?

Could be a feature of the NAS to subtract the idle time from the session
time so as not to bill the user for unused time. Check your NAS
features/configuration.

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be



Re: session-time with incorrect calculations

2005-07-26 Thread Dusty Doris

 Hi

 I am running FreeRadius 1.0.4 with Postgres.
 I have noticed that the sessiontime is sometimes calculated incorrectly
 in the radacct table.
 If you compare the acctsessionstart and the acctsessionend with the
 acctsessiontime it does not match.
 This is particularly true for connections ended with idle-timeout.

 When would session times generally be wrong and how can I stop this from
 happening ?

 Thanks
 Barry

Freeradius just logs what is sent over.  Are you using radrelay?  We get
session delays sometimes when using radrelay when our sql server is
overwhelmed.

Check for acctstartdelay and acctstopdelay.  If you find it, subtract
acctstartdelay from the session time and see if that makes sense.


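The consistency check Barry is doing by hand and the delay correction Dusty suggests, as an added example that is not FreeRADIUS code: a Python audit over constructed radacct-style rows that compares acctstarttime/acctstoptime against acctsessiontime and then tests whether the Acct-Delay-Time columns explain a difference. It assumes both timestamps are the server's receipt times (as the stock sql.conf stores them), so each packet's delay is subtracted from its own timestamp; the sample rows and the 5-second tolerance are invented for the demo.

```python
"""Added example (not FreeRADIUS code): audit radacct rows for session-time
mismatches and see whether Acct-Delay-Time accounts for them."""
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows (not data from the list post); column names follow
# the radacct schema discussed in the thread.
SAMPLE_ROWS = [
    # consistent session: 1 h of wall clock, 3600 s reported by the NAS
    {"username": "alice", "acctstarttime": "2005-07-26 09:00:00",
     "acctstoptime": "2005-07-26 10:00:00", "acctsessiontime": 3600,
     "acctstartdelay": 0, "acctstopdelay": 0},
    # NAS reports 600 s less than wall clock and no delay explains it
    # (the idle-timeout symptom Barry describes)
    {"username": "bob", "acctstarttime": "2005-07-26 09:00:00",
     "acctstoptime": "2005-07-26 10:00:00", "acctsessiontime": 3000,
     "acctstartdelay": 0, "acctstopdelay": 0},
    # Stop packet arrived 120 s late: wall clock is 3720 s, but once the
    # delay is removed the reported 3600 s is right (Dusty's relay case)
    {"username": "carol", "acctstarttime": "2005-07-26 09:00:00",
     "acctstoptime": "2005-07-26 10:02:00", "acctsessiontime": 3600,
     "acctstartdelay": 0, "acctstopdelay": 120},
]


def wall_clock_seconds(row):
    """Seconds between the stored start and stop timestamps."""
    start = datetime.strptime(row["acctstarttime"], TIME_FMT)
    stop = datetime.strptime(row["acctstoptime"], TIME_FMT)
    return int((stop - start).total_seconds())


def delay_corrected_seconds(row):
    """Assumption: both timestamps are receipt times, so the true span is
    (stop - stopdelay) - (start - startdelay)."""
    return wall_clock_seconds(row) - row["acctstopdelay"] + row["acctstartdelay"]


def check_row(row, tolerance=5):
    """Return (status, difference); difference is computed span minus reported."""
    reported = row["acctsessiontime"]
    wall = wall_clock_seconds(row)
    if abs(wall - reported) <= tolerance:
        return "ok", wall - reported
    corrected = delay_corrected_seconds(row)
    if abs(corrected - reported) <= tolerance:
        return "ok_after_delay_correction", corrected - reported
    # Neither the raw nor the delay-corrected span matches: the NAS sent a
    # session time the timestamps cannot reproduce (check its idle handling).
    return "mismatch", corrected - reported


def audit(rows):
    """[(username, status, difference), ...] for every row."""
    return [(r["username"],) + check_row(r) for r in rows]


if __name__ == "__main__":
    for username, status, diff in audit(SAMPLE_ROWS):
        print(f"{username:8s} {status:28s} {diff:+d}s")
```

Rows that stay "mismatch" after the delay correction are the ones to take to the NAS vendor, as Alan and Thor point out; rows that become "ok_after_delay_correction" point at a slow accounting path (relay or overloaded SQL server) rather than at the NAS.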


EAP-TLS and MYSQL

2005-07-26 Thread Stephane Rossi



I'm using Freeradius in EAP-TLS and I'm trying to 
use dialupadmin/mysql.
Although the supplicant is not in my database, the 
NAS receives an Access-Accept.
Is this normal ?

#file is commented in my radiusd.conf.

thanks for your help.

Stephane Rossi

rlm_sql (sql): User testwifi not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module "sql" returns notfound for request 6
modcall: group authorize returns updated for request 6
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 6
modcall: group authenticate returns ok for request 6
Login OK: [testwifi/no User-Password attribute] (from client Cisco Aironet 1200 port 354 cli 0090.4b77.99a6)
Sending Access-Accept of id 162 to 192.168.2.220:21646
	MS-MPPE-Recv-Key = 0x910fdf897f8f042be203a7bcb10a1b89969b996f693ec40fd58d6172f55dee26
	MS-MPPE-Send-Key = 0x5bbe978c153970cf7fb7f7fb7863caf4c9525fedb850f85d1a02985a585544e0
	EAP-Message = 0x03080004
	Message-Authenticator = 0x
	User-Name = "testwifi"
Finished request 6

Re: Problem with RadZap in version 1.0.4

2005-07-26 Thread Sarkis Gabriel

Hi Alan

I do not know what to do with it; it is coming as a negative number. The 
NAS type is a Mikrotik, and when radwho -r is issued I get this:


johny,johny,shell,S-2140143609,Tue 09:47,192.116.123.117,10.10.11.251

Any idea why it is giving a negative number?

Thanks

sarky

Alan DeKok wrote:

Sarkis Gabriel [EMAIL PROTECTED] wrote:

radzap -N 192.116.123.117 -P -2140143609 -u johny -x 



  A negative number for the port?  That isn't nice.

  Hmm... The numbers should be printed as unsigned int's, and the
input to radzap should be unsigned int's.

  Alan DeKok.





limited accounts

2005-07-26 Thread Jérémy Cluzel

Hi,

I'm trying to setup a system which allow users to login for a specific 
period (1 month, or 1 week, it depends on the type of the account) since 
their first connection.
I manage to do this by a cron script which removes them from database, 
but it's (really) crap... Is there any proper way to do this ? counter 
module ?
I think this could better by modifying sql queries in sql.conf to 
calculate remaining time (until the end of this period) and send it as 
Max-All-Session attribute to the NAS, but I don't know if it's possible...


Moreover, I wish to use a max consecutive time too, which allows me to 
create user accounts valid for a limited period (1 month for ex.), with 
a limited session time (3 hours max), and with a maximum duration time 
(10 hours). Is there any specific module to do this?


Finally, if I want to limit access depending on the day of the week, or 
the hour, what's the best approach?


Sorry for all these questions, I don't expect a complete solution from 
this forum (it's my work to find one), but simply some advice (or 
clues) on how it could (would?) be done.


Regards,

Jeremy


Re: Different Passwd Files on Different Servers

2005-07-26 Thread Alan DeKok
Bryan Beronilla [EMAIL PROTECTED] wrote:
 Still getting the errors I got before about not setting an auth type. 
 Where should the auth type be set?

  The server figures it out.

 I've tried the config Dusty mentioned but still getting me
 nowhere...

  Try one thing at a time.  The default config works.  You can start
from there, and add new features one by one.

  Alan DeKok.



Re: EAP-TLS and MYSQL

2005-07-26 Thread Alan DeKok
Stephane Rossi [EMAIL PROTECTED] wrote:
 I'm using Freeradius in EAP-TLS and I'm trying to use dialupadmin/mysql.
 Although the supplicant is not in my database, the NAS receives an
 Access-Accept.
 Is this normal?

  Yes.  The client certificate means that they're a valid user.

  Alan DeKok.


Re: limited accounts

2005-07-26 Thread Alan DeKok
Jérémy Cluzel [EMAIL PROTECTED] wrote:
 I manage to do this with a cron script which removes them from the database, 
 but it's (really) crap... Is there any proper way to do this? Counter 
 module?

  Yes.

 Moreover, I wish to use a max consecutive time too, which allows me to 
 create user accounts valid for a limited period (1 month for ex.), with 
 a limited session time (3 hours max), and with a maximum duration time 
 (10 hours). Is there any specific module to do this?

  No.  That's just Session-Timeout

 Finally, if I want to limit access depending on the day of the week, or 
 the hour, what's the best approach?

  Login-Time.  See the README.

  Alan DeKok.
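One way to put the three pieces Alan names together, as an added example that is not from this thread: an rlm_counter instance for the total-time cap, and a users file entry carrying the Max-All-Session and Login-Time check items plus Session-Timeout as the reply item. The instance name, the db file path and the day/hour window are assumptions; the 3-hour and 10-hour values are the ones from the question, and the "one month since first connection" validity period is not addressed here.

```conf
# radiusd.conf, modules section (added example, not from the thread).
# With reset = never the counter accumulates the user's online time
# forever, so Max-All-Session becomes a lifetime cap.
counter lifetime {
        # db path is an assumption
        filename = ${raddbdir}/db.lifetime
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = never
        counter-name = All-Session-Time
        check-name = Max-All-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
}
# "lifetime" then has to be listed in both the authorize and the
# accounting sections; the Login-Time check below is done by the
# logintime module, which also needs to be in authorize.

# users file entry: 10 hours in total, 3 hours per session, and a
# weekday 08:00-20:00 window (the window is an assumed value).
# Max-All-Session and Login-Time are check items; Session-Timeout is
# the reply item the NAS enforces, and both modules lower it when
# less time than that is left in the counter or in the window.
DEFAULT Max-All-Session := 36000, Login-Time := "Wk0800-2000"
        Session-Timeout = 10800,
        Fall-Through = Yes
```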


Proxy/Not Proxy based on dialed number?

2005-07-26 Thread Dave Weis


I have a MAX TNT that will be doing dialin service. Is it possible to 
selectively proxy based on the DNIS? My user accounts are stored in a 
postgres database that I have working fine for PPPoA termination already.


Thanks for any help
dave




Freeradius and Windows 2003 Active Directory Authentication

2005-07-26 Thread Tim P
I am having trouble getting my radius setup to authenticate to windows
2003 active directory.

when using the following string 

radiusd.conf

module configuration section
  ldap {
        server = gtds-domcon.gtdsolutions.org
        basedn = dc=gtdsolutions,dc=org
        filter = (sAMAccountName=%u)
        password_attribute = userPassword
        identity = cn=administrator,cn=Users,dc=gtdsolutions,dc=org
        password = pantera
  }

 authorize section
        ldap



Freeradius and Windows 2003 Active Directory Authentication (2)

2005-07-26 Thread Tim P
Previous post sent before I was done, here is the full post:

I am having trouble getting my radius setup to authenticate to windows
2003 active directory.

when using the following string radtest administrator password
localhost 2 radiussecret

rad_recv: Access-Request packet from host 127.0.0.1:32775, id=240, length=65
User-Name = administrator
User-Password = password
NAS-IP-Address = 255.255.255.255
NAS-Port = 2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = administrator, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for administrator
radius_xlat:  '(sAMAccountName=administrator)'
radius_xlat:  'dc=company,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to gtds-domcon.gtdsolutions.org:389, authentication 0
rlm_ldap: bind as cn=administrator,cn=Users,dc=company,dc=org/password
to domcon.company.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=company,dc=org, with filter
(sAMAccountName=administrator)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: group authenticate returns notfound for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0





radiusd.conf   - I didn't find a system or System auth type, did I
miss something?

module configuration section
 ldap {
        server = domcon.company.org
        basedn = dc=company,dc=org
        filter = (sAMAccountName=%u)
        password_attribute = userPassword
        identity = cn=administrator,cn=Users,dc=company,dc=org
        password = password
 }

 authorize section
        ldap    # this is enabled

authenticate section
        Auth-Type LDAP {
                ldap
        }



Re: Freeradius and Windows 2003 Active Directory Authentication (2)

2005-07-26 Thread Alan DeKok
Tim P [EMAIL PROTECTED] wrote:
 I am having trouble getting my radius setup to authenticate to windows
 2003 active directory.

  That will work only for PAP, if that's all you need.

 radiusd.conf   - I didn't find a system or System auth type, did I
 miss something?

  See the users file:

 users: Matched entry DEFAULT at line 152

  Alan DeKok.
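What the "Matched entry DEFAULT at line 152" hint points at, as an added example that is not from the thread: it is assumed that line 152 of the stock 1.0.x users file is the entry below, which fixes Auth-Type to System before rlm_ldap gets a chance to set it (files runs before ldap in authorize), so the request ends in the unix module exactly as the debug output shows. Dropping that entry, or replacing it with an explicit LDAP one, sends the request to the Auth-Type LDAP block already present in the authenticate section; as Alan notes, that bind-as-user check only works for PAP.

```conf
# users file (added example). The stock entry assumed to sit at line
# 152: because "files" runs before "ldap" in authorize, it sets
# Auth-Type to System and authentication falls to the unix module,
# which has no such user.
#DEFAULT Auth-Type = System
#        Fall-Through = 1

# Either leave the entry commented out (rlm_ldap then picks the
# Auth-Type itself) or make it explicit so PAP requests reach the
# "Auth-Type LDAP { ldap }" block from the post's authenticate section.
DEFAULT Auth-Type := LDAP
        Fall-Through = 1
```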


Re: Problem with RadZap in version 1.0.4

2005-07-26 Thread Alan DeKok
Sarkis Gabriel [EMAIL PROTECTED] wrote:
 johny,johny,shell,S-2140143609,Tue 09:47,192.116.123.117,10.10.11.251
 
 Any idea why it is giving a negative number?

  It looks like a bug in radwho.  It will be fixed in 1.0.5 (if and
when it gets released)

  Alan DeKok.



Re: Problem with RadZap in version 1.0.4

2005-07-26 Thread Sarkis Gabriel

Thanks Alan for the reply. Just wondering if there is any workaround
to kill those connections?
if there is no workaround are all Freeradius  1.0.0 have that bug in 
radwho?


Thanks again

Sarky

Alan DeKok wrote:

Sarkis Gabriel [EMAIL PROTECTED] wrote:


johny,johny,shell,S-2140143609,Tue 09:47,192.116.123.117,10.10.11.251

Any idea why it is giving a negative number?



  It looks like a bug in radwho.  It will be fixed in 1.0.5 (if and
when it gets released)

  Alan DeKok.



Re: LDAP and FreeRadius Authentication - One user, multiple groups

2005-07-26 Thread Mark Litchfield

I have freeradius and LDAP authenticating nicely. The problem I am
running into is that when I id a user, it only shows the primary group
that user is a member of. How can I get FreeRadius to report the other
groups that the user belongs to?

Mark Litchfield




Sorry I don't understand.  Can you explain what you mean by only shows
the primary group and report the other groups.  Report to what?



Perhaps some radiusd -X output and an explanation of what you are trying
to do would help.


Using the following tree in LDAP:

dc: treeroot
|_ou: accounts
|  |_ou: domain1
|  |  |_uid: joe
|  |     mail: [EMAIL PROTECTED]
|  |     uid: 10001
|  |     gid: 11000
|  |_ou: domain2
|     |_uid: joe
|        mail: [EMAIL PROTECTED]
|        uid: 10002
|        gid: 11001
|_ou: groups
   |_cn: group1
   |   uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot
   |   gid: 11000
   |_cn: group2
   |   uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot
   |   gid: 11001
   |_cn: group3
       uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot
       uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot
       gid: 11002

When I su in as [EMAIL PROTECTED] and run id from the prompt I get:

joe(10001), group1(11000)

When I should get

joe(10001), group1(11000), group3(11002)

The overall desired effect:

1. System will support multiple domains.
2. Duplicate user names cannot exist within the same domain. (i.e. there can be only one username 
joe per domain, but each domain can have a username joe.)
3. Users can be members of several groups. Cross-domain group membership may be 
supported. ([EMAIL PROTECTED] is a member of group1 and [EMAIL PROTECTED] is a 
member of group2. Both of them are members of group3)
4. User / group authorization must be available to the filesystem / OS. I am 
trying to replace the use of /etc/passwd and /etc/group for filesystem 
permissions, login, etc.

Please anyone, tell me if I am insane for attempting this, if this is even possible or if there is an opensource alternative that will do all this and work with postfix and apache for user AAA. I would much rather get this to work in LDAP with FreeRadius. 


On a side note, same topic... I have been looking for a way to do nested groups 
in LDAP with FreeRadius. Is this possible and how?

BTW, I was unable to grab the radiusd -X output. The machine is not available to 
me for a few days. Taking a short break before I snap.

Thanks

Mark Litchfield
