wifi / mac authentication
Hello, I'm using freeradius 1.02-4 (debian). If I have my access points set for MAC address authentication via radius, what settings do I require on the freeradius end? Currently in my DB I have it set up as this:
groupname: Enabled
    Auth-Type := Local
    Compression used: := Van-Jacobsen-TCP-IP
    Service type: := Framed-User
groupname: Disabled
    Auth-Type := Reject
Now when a wireless client tries to connect, will the NAS send the MAC address, and does it append the NAS password or do you supply a specific password for the MAC address? When it authenticates the wireless client, will they have internet access (obtained ip/dhcp etc. all through the NAS) or be rejected if in the disabled account (no internet access)? Thanks
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
adding a nas via dialupadmin
Hello, while adding a NAS through dialupadmin I noticed that the changes don't take effect unless the freeradius process is restarted. Is this intended, or is something wrong with my config? I.e. I added 192.168.0.1 as a NAS, but when I tried to authenticate with the NAS, the debug showed it as unrecognized. I stopped and restarted freeradius and then that NAS was able to authenticate. Freeradius 1.02-4 (debian stable version). Thanks. Nick.
Re: Realm users authentication failure
On Wed, 2005-10-19 at 19:28 -0400, Alan DeKok wrote:
> | id  | UserName          | Attribute     | Value    | op |
> | 376 | [EMAIL PROTECTED] | User-Password | password | == |
>
> Use :=, not ==.

Just for User-Password?
thanks
--
Luca Corti
PGP Key ID 1F38C091
BOFH excuse of the moment: The static electricity routing is acting up...
Re: wifi / mac authentication
Hi,
> Now when a wireless client tries to connect, will the NAS send the MAC address, and does it append the NAS password or do you supply a specific password for the MAC address? When it authenticates the wireless client, will they have internet access (obtained ip/dhcp etc. all through the NAS) or be rejected if in the disabled account (no internet access)?

the documentation clearly describes such a required setup - but if you run FR in debugging mode - ie radiusd -X - then you will also learn exactly what is being sent from your NAS etc.
alan
Re: Realm users authentication failure
On Thu, 2005-10-20 at 09:17 +0200, Luca Corti wrote:
> On Wed, 2005-10-19 at 19:28 -0400, Alan DeKok wrote:
> > | id  | UserName          | Attribute     | Value    | op |
> > | 376 | [EMAIL PROTECTED] | User-Password | password | == |
> >
> > Use :=, not ==.
>
> Just for User-Password?

This gives the same results, with or without Auth-Type set. Also note that users in the default stripped realm are authenticated with User-Password == password and without Auth-Type, while non-stripped users are not, no matter which operator is used and with or without setting Auth-Type := Local and changing the password operator to :=.
thanks
--
Luca Corti
PGP Key ID 1F38C091
BOFH excuse of the moment: We need a licensed electrician to replace the light bulbs in the computer room.
RLM_IPPOOL bug?
My radiusd uses rlm_ippool. Sometimes ippool gives one IP to two different users simultaneously. Here is the output of rlm_ippool_tool:
# rlm_ippool_tool -va /etc/raddb/pools/db.pool-1-pool1* | grep X.Y.Z.170
NAS:192.168.0.1 port:0xde - ipaddr:X.Y.Z.170 active:1 cli:0 num:1
NAS:192.168.0.1 port:0xad - ipaddr:X.Y.Z.170 active:1 cli:0 num:1
DB Server Advice
Hi all, We have very big VoIP traffic, and currently we are using a MySQL DB with the following server configuration, but we are getting a lot of problems: sometimes the devices fail, sometimes the database is slow, etc. The current configuration is:
OS: Red Hat Enterprise Linux ES 3
PROCESSOR: Dual 3.2 GHz Intel Xeon
MEMORY: 2GB DDR RAM
Hard Drive: 2 x 36.4GB SCA Ultra 160 SCSI Hard Drive (RAID 1)
RAID CONTROLLER CHASSIS: 2U
BACKUP AGENT: Legato Managed Backup Agent
NETWORK: Aggregate Bandwidth 100GB per Month (included)
Now we want to re-configure our servers; someone suggested SUN to me. But I need your suggestions on what will drive our database server without any problem.
Yours, Abdul Lateef
Computer Programmer, HATIF COM
Mob: +974 - 5405022 Tel: +974 - 4883068 ICQ: 276994704 YM!: abdul_zu Fax: +974 - 4883063
Doha Qatar http://www.hatif.com
Re: DB Server Advice
Hi,
> The current configuration is:
> OS: Red Hat Enterprise Linux ES 3
> PROCESSOR: Dual 3.2 GHz Intel Xeon
> MEMORY: 2GB DDR RAM
> Hard Drive: 2 x 36.4GB SCA Ultra 160 SCSI Hard Drive (RAID 1)
> RAID CONTROLLER CHASSIS: 2U
> BACKUP AGENT: Legato Managed Backup Agent
> NETWORK: Aggregate Bandwidth 100GB per Month (included)
> Now we want to re-configure our servers; someone suggested SUN to me. But I need your suggestions on what will drive our database server without any problem.

you don't say how many devices you have or what your concurrent requests are. your machine description above is a 'not bad beast' for doing MySQL on - I'm not sure what jumping platforms would achieve if the basics haven't been looked at - ie your actual MySQL configuration and where the bottleneck really is. if you don't have a lovely /etc/my.cnf (or other) which has been tweaked according to your needs and your drive array hasn't been configured for database usage then your problem will move with you onto whatever server you use
alan
Re: DB Server Advice
Abdul Lateef wrote:
> We have very big VoIP traffic, and currently we are using a MySQL DB with the following server configuration, but we are getting a lot of problems: sometimes the devices fail, sometimes the database is slow, etc.

I don't think that buying expensive hardware is a long term solution. You don't describe what the problems are, as there are different cases.
1. If you have problems with authorize queries, try using MySQL replication to share the load between several slaves. The auth queries are read-only, therefore it doesn't matter to run these queries on the slave databases.
   http://dev.mysql.com/doc/refman/4.1/en/replication.html
   http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/doc/load-balance.txt?rev=1.4
2. If you have problems with accounting queries, try using the module rlm_sql_log and the script radsqlrelay. Acct queries are buffered and inserted into the database according to the server capabilities.
   http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/man/man5/rlm_sql_log.5?rev=1.2
   http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/man/man8/radsqlrelay.8?rev=1.1
--
Nicolas Baradakis
Re: ntlm_auth and machine authentication (workaround)
See the list postings from earlier in the day... If you grab the latest CVS snapshot, you don't have to use the Perl wrapper as the rlm_mschap module will do the name rewriting for you.
--Mike

Roy Hooper wrote:
After spending a fair bit of time searching list archives and google results, I've managed to make ntlm_auth work for both users and machine accounts. This fix requires patching of Samba (thanks go to Mike McCauley of OSC/Radiator for the howto on the fix and to Matthew Alexander for pointing it out in samba's lists). This patch may break Samba for other purposes, as I have only tested it to verify ntlm_auth can do both user and account challenge/response authentication for MSCHAPv2 for PEAP. The second part to the fix is an ntlm_auth wrapper that deals with DOMAIN\\user format usernames and translates WinXP host/ machine names to NT machine usernames.

---BEGIN /usr/local/bin/ntlm_auth_hack---
#!/usr/bin/perl
# Rewrite the arguments passed by FreeRADIUS, then run the real ntlm_auth.
my $ARGS = join(" ", @ARGV);
if ($ARGS =~ m{--username=host/\S+}) {
    # Machine account: host/name.domain becomes name$
    $ARGS =~ s{--username=host/([^\s.]+)\S+}{--username $1\$};
} else {
    # User account: DOMAIN\user becomes --domain=DOMAIN --username=user
    # (the backslash separator is consumed so it does not stay in the username)
    $ARGS =~ s{--username=([^\\\s]+)\\+}{--domain=$1 --username=};
}
# The list form of system() runs ntlm_auth directly, without a shell.
system("/usr/local/bin/ntlm_auth", split(" ", $ARGS));
---END /usr/local/bin/ntlm_auth_hack---

And so the example is somewhere other than my head, the following returns the appropriate attributes to a Cisco AP to assign a particular vlan, in this case, vlan-266, when doing EAP.

# Assign a VLAN to any user from this station
DEFAULT Calling-Station-Id == 1234.1234.1234
        Framed-Type = Framed,
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802,
        Tunnel-Private-Group-ID:1 = 100

And another fun one:

# Assign a particular VLAN to a user from a particular station
DOMAIN\\user Calling-Station-Id == 1234.1234.1234
        Framed-Type = Framed,
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802,
        Tunnel-Private-Group-ID:1 = 200

Naturally the DEFAULT should come after the specific user match.

[attachment: cli_netlogon.c.patch]
getting this in error log
Error: Invalid operator for item Password: reverting to '=='
New setup using a text file for auth. When doing a test login from the console with radtest, the login seems to go OK, but when the NAS is sending the user's info I am getting entries like the above in the log file and I'm not sure where to look to fix this.
Many thanks
To all, Well, after months of trying to get this working and integrated into our system, guess what .. I've managed it, with the help of you lovely people, to finally get this working, with the aid also of lots and lots of full strength coffee and severe lack of exercise. Many thanks to the likes of Alan, Emile, Nicolas and Michael to name a few. Nearly had a close call though with management thinking of dropping the project after months of work because they thought they had the original design wrong and only causing a slip of 5 weeks. I'll keep monitoring the site and boards and drop a line now and again. Seeya :-)~
Ian Davies {02476 564662} Internal (x740 4662)
IMS-SIPAC Software Development Engineer
Vendor Specific Attributes
Hello, How do you get FreeRADIUS to stop ignoring VSAs? I have a box that's sending them and FreeRADIUS is simply ignoring them in rad_recv:
rad_recv: Accounting-Request packet from host 10.10.0.90:1068, id=0, length=58
        NAS-Identifier = acme-sd
        Acct-Status-Type = Accounting-On
        NAS-IP-Address = 10.10.0.90
        NAS-Port = 0
        Acct-Session-Id = sd1#28249
I know there are more attributes being sent than that because I can see them in the RADIUS packet. Any help/advice is appreciated. Thanks. -Daniel
RE: Vendor Specific Attributes
Which VSAs are you sending in the accounting packet? Are they correctly enumerated in a dictionary file? Is the dictionary file referenced in the main dictionary file? Can you send us the accounting packet you're seeing?
Rgds, Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Corbe
Sent: 20 October 2005 15:52
To: FreeRadius users mailing list
Subject: Vendor Specific Attributes

Hello, How do you get FreeRADIUS to stop ignoring VSAs? I have a box that's sending them and FreeRADIUS is simply ignoring them in rad_recv:
rad_recv: Accounting-Request packet from host 10.10.0.90:1068, id=0, length=58
        NAS-Identifier = acme-sd
        Acct-Status-Type = Accounting-On
        NAS-IP-Address = 10.10.0.90
        NAS-Port = 0
        Acct-Session-Id = sd1#28249
I know there are more attributes being sent than that because I can see them in the RADIUS packet. Any help/advice is appreciated. Thanks. -Daniel
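A way to check the debug output quoted above against the wire format, as an added example (not code from the thread or from FreeRADIUS): rebuilding the logged attributes with the RFC 2865/2866 encoding reproduces the logged length=58, and the parser shows where a Vendor-Specific attribute (type 26) would sit. The VSA uses the documentation enterprise number 32473 with a made-up sub-attribute; all function names are hypothetical.

```python
import struct

# Attribute numbers from RFC 2865/2866 for the names printed in the debug output.
NAMES = {4: "NAS-IP-Address", 5: "NAS-Port", 26: "Vendor-Specific",
         32: "NAS-Identifier", 40: "Acct-Status-Type", 44: "Acct-Session-Id"}


def tlv(attr_type, value):
    """One attribute on the wire: type octet, length octet (header included), value."""
    return bytes([attr_type, len(value) + 2]) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): 4-byte enterprise number, then vendor type/length/value."""
    return tlv(26, struct.pack("!I", vendor_id) + tlv(vendor_type, value))


def build_packet(code, ident, attrs):
    body = b"".join(attrs)
    # Zeroed authenticator: only the attribute layout matters for this check.
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body


def parse_packet(data):
    """Return (declared_length, [(name, value)], [(vendor_id, vendor_type, value)])."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", data[2:4])[0]
    if not 20 <= length <= len(data):
        raise ValueError("length field does not match the datagram")
    plain, vendor, pos = [], [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        value = data[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub = value[4:]
            # Sub-attributes may be packed back to back inside one attribute 26.
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                vendor.append((vendor_id, sub[0], sub[2:sub[1]]))
                sub = sub[sub[1]:]
        else:
            plain.append((NAMES.get(atype, "Attr-%d" % atype), value))
        pos += alen
    return length, plain, vendor


# Constructed from the attribute values shown in the rad_recv output above.
BASE_ATTRS = [
    tlv(32, b"acme-sd"),
    tlv(40, struct.pack("!I", 7)),        # Acct-Status-Type = Accounting-On
    tlv(4, bytes([10, 10, 0, 90])),
    tlv(5, struct.pack("!I", 0)),
    tlv(44, b"sd1#28249"),
]
LOGGED = build_packet(4, 0, BASE_ATTRS)   # code 4 = Accounting-Request

# Constructed: the same packet with one VSA appended (vendor and value are made up).
WITH_VSA = build_packet(4, 0, BASE_ATTRS + [vsa(32473, 1, b"example")])

if __name__ == "__main__":
    for label, pkt in (("logged", LOGGED), ("with VSA", WITH_VSA)):
        length, plain, vendor = parse_packet(pkt)
        print(label, "length:", length, "attributes:", len(plain), "VSAs:", vendor)
```

The five attributes that rad_recv printed add up to 58 bytes with the header, so any VSAs seen in a capture were carried in a different packet than this Accounting-On.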
accounting scripts ?
Hello I'm searching for scripts that are able to parse the radacct/xxx.xxx.xxx.xxx/detail-xxx file to perform some simple statistics ? Thanks
counter with Session Octet Limit
Hello, I am using freeRadius 1.0.2, and I would like to limit weekly bandwidth for my VPN (pptp) users. So I've changed the example counter part in my radiusd.conf:
counter weekly_traffic {
        filename = ${raddbdir}/db.weekly
        key = User-Name
        count-attribute = Acct-Input-Octets
        reset = weekly
        counter-name = Weekly-Traffic
        check-name = Max-Weekly-Traffic
        allowed-servicetype = Framed-User
}
The counter works by itself. It checks the Max-Weekly-Traffic attribute in my ldap tree for a specific user, calculates the rest, but then it tries to add the Session-Timeout attribute to the Access-Accept packet. This is not working / the attribute is not being added, and besides it is the wrong attribute. Is it possible for the counter module to add the value, which is usually added as Session-Timeout, as Session-Octets-Limit? Regards, Edvin Seferovic
Re: accounting scripts ?
Frank Bonnet [EMAIL PROTECTED] wrote:
> I'm searching for scripts that are able to parse the radacct/xxx.xxx.xxx.xxx/detail-xxx file to perform some simple statistics ?

radiusreport.
Alan DeKok.
Re: accounting scripts ?
Frank Bonnet wrote:
> Hello I'm searching for scripts that are able to parse the radacct/xxx.xxx.xxx.xxx/detail-xxx file to perform some simple statistics ? Thanks

What do you mean by parsing? I've got this, I call it summarize.pl. Just change the attributes that you want to extract. The result is a CSV file; the output goes to your screen, so you have to redirect it to a file, etc. With that CSV file you can dump it to a DB, or whatever.
E.g., for standard output:
# ./summarize.pl name_of_detail_file
for a CSV file:
# ./summarize.pl name_of_detail_file > name_of_csv_file

### BEGIN ###
#!/usr/bin/perl
#
# set the record separator: detail records are separated by a blank line
$/ = "\n\n";
open(SUM, $ARGV[0]) or die "No se encontro archivo detalle";
print "h323-call-origin,h323-call-type,out-intrfc-desc,h323-connect-time,";
print "Acct-Session-Time,h323-disconnect-time,h323-disconnect-cause,";
print "Cisco-NAS-Port,Calling-Station-Id,Called-Station-Id\n";
while (<SUM>) {
    # clear the previous record's values so they do not carry over
    $h323_call_origin = $h323_call_type = $out_intrfc_desc = $h323_connect_time = "";
    $Acct_Session_Time = $h323_disconnect_time = $h323_disconnect_cause = "";
    $Cisco_NAS_Port = $Calling_Station_Id = $Called_Station_Id = "";
    s/\t+//g;
    @campos = split(/\n/);
    foreach $c (@campos) {
        ($cpo, $vlr) = split(/ = /, $c);
        next unless defined $vlr;    # skip the timestamp line of the record
        $vlr =~ s/^ |"//g;           # strip a leading space and the quotes
        #print "$cpo,$vlr,\n";
        if ($cpo eq "h323-call-origin") { $h323_call_origin = $vlr; }
        if ($cpo eq "h323-call-type") { $h323_call_type = $vlr; }
        if ($cpo eq "Cisco-AVPair") {
            if ($vlr =~ /out-intrfc-desc/) {
                $out_intrfc_desc = (split("=", $vlr))[1];
            }
        }
        if ($cpo eq "h323-connect-time") { $h323_connect_time = $vlr; }
        if ($cpo eq "Acct-Session-Time") { $Acct_Session_Time = $vlr; }
        if ($cpo eq "h323-disconnect-time") { $h323_disconnect_time = $vlr; }
        if ($cpo eq "h323-disconnect-cause") { $h323_disconnect_cause = $vlr; }
        if ($cpo eq "Cisco-NAS-Port") { $Cisco_NAS_Port = $vlr; }
        if ($cpo eq "Calling-Station-Id") { $Calling_Station_Id = $vlr; }
        if ($cpo eq "Called-Station-Id") { $Called_Station_Id = $vlr; }
    }
    print "$h323_call_origin,$h323_call_type,$out_intrfc_desc,$h323_connect_time,";
    print "$Acct_Session_Time,$h323_disconnect_time,$h323_disconnect_cause,";
    print "$Cisco_NAS_Port,$Calling_Station_Id,$Called_Station_Id\n";
}
close SUM;
### END ###
Preside RADIUS Export
Hello, We have an older NT 4 server running an installation of Preside RADIUS with a multitude of user profiles. I've exported the users to a .rif file. Is this something that can somehow be imported into a freeRADIUS install? I'll search for the how if it is possible. Many thanks! -Samson
Freeradius and What's Up Gold Question
Hi everyone: I'm going to try to explain this as best I can. I'm using Freeradius 1.0.5 on a Linux Redhat 9 server. I have a network monitoring program on another computer called What's Up Gold. It is made by a company called Ipswitch. There is a setting in the WUG program that lets you monitor a radius server. This is how Ipswitch explains how it works:

"What we specified for a test is an INVALID test for the userid TEST as it not encoded using the secret key. Then what we expect back is a response telling us the userid doesn't exist. The main key for making it work on Radius servers is to ensure the requesting workstation has permissions to send Radius requests. This seems to be the most common error in implementation by users. You will have to include the Monitor station (that is, the computer running WUG) in the /etc./raddb/clients file on the Radius server."

I completely understand what it is saying and I have done this. Now that I have given you some background on how this works, here is my actual situation and question: I keep getting false positives on my WUG telling me that freeradius is down even though it's not. This does not happen every time WUG sends a request to the radius. It happens at random. When I search in the radius logs it shows that the request is being sent to freeradius from WUG and the user TEST is indeed being rejected just like it's supposed to. The request is sent to the radius every 20 minutes and it makes it there every time. Now, the way I see it, it can be one of two things...

The first... I have my WUG set at 5 seconds as a time out. Could freeradius, at times, be taking more than 5 seconds to respond to a sent request? If this is the case, I figure it would take my customers a few times to dial up and get authenticated at times, which is not a good thing since I work for an ISP. We haven't had any customers calling tech support about this, but still we can't rule it out just yet.

The second... does freeradius lock out users after a certain amount of bad requests, and if so, is there a configuration change that I can make to avoid this? I have looked all over for an answer to this question and I haven't found it, so I thought I'd post it here with the hope that someone would know.

I'm sorry about the huge post. I just wanted to give enough information for the person/people that may help me with this. Thank you and I look forward to any response. By the way, I just wanted to say thanks to everyone that has helped me in the past, especially Mr. DeKok who has had much patience with me. I love your freeradius program. It's the best radius server I have used yet. Thank you for giving it to us for free and for all of your support because I do realize that you don't need to give any support if you didn't want to. You are much appreciated.
Linda Pagillo
Director of Technical Services
N2 The Net, LLC
[EMAIL PROTECTED]
931-372-9179
Re: wifi / mac authentication
I'm quite aware of what is being sent and what is shown via debug mode. Unfortunately I don't have access to the specific NAS in question so I can't see what attributes are being sent, so I'm restricted to testing from computer to computer instead of the actual NAS to radius. And my personal NAS/router doesn't do MAC address authentication via radius, hence my question. I can authenticate no problem by supplying a username/password combination from ntradping. My question still exists: does the NAS forward the wireless client's MAC address to the radius server, and does the CLIENT or the NAS supply a/the password?

> Hi, the documentation clearly describes such a required setup - but if you run FR in debugging mode - ie radiusd -X - then you will also learn exactly what is being sent from your NAS etc. alan
Re: Freeradius and What's Up Gold Question
Linda Pagillo [EMAIL PROTECTED] wrote:
> This is how Ipswitch explains how it works: What we specified for a test is an INVALID test for the userid TEST as it not encoded using the secret key. Then what we expect back is a response telling us the userid doesn't exist.

This isn't how RADIUS works. A reject is not the same as "user doesn't exist". RADIUS has reject, not "user doesn't exist".

> You will have to include the Monitor station (that is, the computer running WUG) in the /etc./raddb/clients file on the Radius server.

And the shared secret.

> Now, the way I see it, it can be one of two things... The first... I have my WUG set at 5 seconds as a time out. Could freeradius, at times, be taking more than 5 seconds to respond to a sent request?

Sure, but it should be rare. AND the WUG should re-transmit the packet, as is normally done by RADIUS clients.

> The second... does freeradius lock out users after a certain amount of bad requests

No.
Alan DeKok.
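The exchange discussed in this thread, as an added example that is not part of the original posts: a health-check probe that sends an Access-Request, retransmits the same packet on timeout, and counts the server as up only when an Accept or Reject arrives whose Response Authenticator verifies under the shared secret (RFC 2865). The server stand-in, the secrets, the user table and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def _chain(data, secret, authenticator, decode=False):
    """RFC 2865 section 5.2 User-Password hiding (MD5 keystream, 16-byte blocks)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        mixed = bytes(a ^ b for a, b in zip(block, mask))
        out += mixed
        prev = block if decode else mixed   # the chain always runs over ciphertext
    return out


def build_access_request(ident, user, password, secret):
    authenticator = os.urandom(16)
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden = _chain(padded, secret, authenticator)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, request, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()


def verify_response(response, request, secret):
    """Client side: a reply counts only if it proves knowledge of the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def make_server(secret, users, drop_first=0):
    """Constructed stand-in for a RADIUS server; returns None for a lost datagram."""
    state = {"seen": 0}

    def handle(request):
        state["seen"] += 1
        if state["seen"] <= drop_first:
            return None
        # Fixed layout produced by build_access_request: User-Name, then User-Password.
        ulen = request[21]
        user, hidden = request[22:20 + ulen], request[22 + ulen:]
        password = _chain(hidden, secret, request[4:20], decode=True).rstrip(b"\x00")
        ok = user in users and hmac.compare_digest(users[user], password)
        # Unknown user and wrong password produce the same Access-Reject.
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)

    return handle


def probe(send, secret, user=b"TEST", password=b"probe", tries=3):
    """Server is up if an authentic Accept or Reject arrives within `tries` sends."""
    request = build_access_request(1, user, password, secret)
    unverified = False
    for attempt in range(1, tries + 1):
        reply = send(request)               # same packet each time: a retransmission
        if reply is None:
            continue                        # timeout, try again
        if verify_response(reply, request, secret):
            return {"up": True, "attempts": attempt, "code": reply[0],
                    "unverified": unverified}
        unverified = True                   # something answered, but not with our secret
    return {"up": False, "attempts": tries, "code": None, "unverified": unverified}


if __name__ == "__main__":
    users = {b"alice": b"wonderland"}       # constructed user table
    print(probe(make_server(b"s3cret", users, drop_first=1), b"s3cret"))
    print(probe(make_server(b"other", users), b"s3cret"))
```

A result with `unverified` set points at a shared-secret mismatch between the monitor and its `clients.conf` entry rather than at a server outage.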
PAM radius client usage
Hi, Does PAM radius client need shared library support to be able to work ? I could port successfully PAM radius client to Router platform which has shared library support. However I need to port the same PAM radius client to other router platforms which do not have shared library support. Has anybody had any experience using PAM radius client in an environment with no shared library support ? Please reply. Regards, Nagaraj
Re: Freeradius and What's Up Gold Question
Thank you once again Mr. DeKok. I have already added the secret to my clients.conf entry. I also already checked into adding the shared secret to WUG and there is no way to do this, so I'm told. Is there another way around this problem? Perhaps I have my clients.conf entry incorrect. Here is what I have:
client xx.xxx.xxx.xx {
        secret = mysecrethere
        shortname = shortnamehere
}
It is different from the entries I have for my NAS. Here is an example of one of those:
client xx.xxx.xxx.xxx {
        secret = mysecrethere
        shortname = shortnamehere
        nastype = nastypehere
        login = loginhere
        password = passwordhere
}
Am I missing something? Thanks again.

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, October 20, 2005 3:45 PM
Subject: Re: Freeradius and What's Up Gold Question

Linda Pagillo [EMAIL PROTECTED] wrote:
> This is how Ipswitch explains how it works: What we specified for a test is an INVALID test for the userid TEST as it not encoded using the secret key. Then what we expect back is a response telling us the userid doesn't exist.
This isn't how RADIUS works. A reject is not the same as "user doesn't exist". RADIUS has reject, not "user doesn't exist".
> You will have to include the Monitor station (that is, the computer running WUG) in the /etc./raddb/clients file on the Radius server.
And the shared secret.
> Now, the way I see it, it can be one of two things... The first... I have my WUG set at 5 seconds as a time out. Could freeradius, at times, be taking more than 5 seconds to respond to a sent request?
Sure, but it should be rare. AND the WUG should re-transmit the packet, as is normally done by RADIUS clients.
> The second... does freeradius lock out users after a certain amount of bad requests
No.
Alan DeKok.
Re: Freeradius and What's Up Gold Question
If you can't change the shared secret in WUG then change the secret in your clients.conf to match what is in WUG. Or better yet, abandon WUG and its windows platform and use www.intermapper.com. It is a MUCH better product and works just fine with freeradius, I'm doing so here. It also runs on linux.
Duane Cox

----- Original Message -----
From: Linda Pagillo [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, October 20, 2005 5:08 PM
Subject: Re: Freeradius and What's Up Gold Question

Thank you once again Mr. DeKok. I have already added the secret to my clients.conf entry. I also already checked into adding the shared secret to WUG and there is no way to do this, so I'm told. Is there another way around this problem? Perhaps I have my clients.conf entry incorrect. Here is what I have:
client xx.xxx.xxx.xx {
        secret = mysecrethere
        shortname = shortnamehere
}
It is different from the entries I have for my NAS. Here is an example of one of those:
client xx.xxx.xxx.xxx {
        secret = mysecrethere
        shortname = shortnamehere
        nastype = nastypehere
        login = loginhere
        password = passwordhere
}
Am I missing something? Thanks again.

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, October 20, 2005 3:45 PM
Subject: Re: Freeradius and What's Up Gold Question

Linda Pagillo [EMAIL PROTECTED] wrote:
> This is how Ipswitch explains how it works: What we specified for a test is an INVALID test for the userid TEST as it not encoded using the secret key. Then what we expect back is a response telling us the userid doesn't exist.
This isn't how RADIUS works. A reject is not the same as "user doesn't exist". RADIUS has reject, not "user doesn't exist".
> You will have to include the Monitor station (that is, the computer running WUG) in the /etc./raddb/clients file on the Radius server.
And the shared secret.
> Now, the way I see it, it can be one of two things... The first... I have my WUG set at 5 seconds as a time out. Could freeradius, at times, be taking more than 5 seconds to respond to a sent request?
Sure, but it should be rare. AND the WUG should re-transmit the packet, as is normally done by RADIUS clients.
> The second... does freeradius lock out users after a certain amount of bad requests
No.
Alan DeKok.
Re: wifi / mac authentication
Nick B [EMAIL PROTECTED] wrote:
> I'm quite aware of what is being sent and what is shown via debug mode. Unfortunately I don't have access to the specific NAS in question so I can't see what attributes are being sent

Uh, no. Debug mode shows you what attributes are being sent.

> My question still exists: does the NAS forward the wireless client's MAC address to the radius server

Yes. You can see this for yourself by running the server in debugging mode.

> and does the CLIENT or the NAS supply a/the password?

The user supplies the password. The NAS doesn't.
Alan DeKok.
RE: wifi / mac authentication
I know with the AP-600 the password is the same as the NAS password.
Edward

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, October 20, 2005 8:01 PM
To: FreeRadius users mailing list
Subject: Re: wifi / mac authentication

Nick B [EMAIL PROTECTED] wrote:
> I'm quite aware of what is being sent and what is shown via debug mode. Unfortunately I don't have access to the specific NAS in question so I can't see what attributes are being sent
Uh, no. Debug mode shows you what attributes are being sent.
> My question still exists: does the NAS forward the wireless client's MAC address to the radius server
Yes. You can see this for yourself by running the server in debugging mode.
> and does the CLIENT or the NAS supply a/the password?
The user supplies the password. The NAS doesn't.
Alan DeKok.
return ALL the AVPs for a username that belongs multiple groups
Hello list, I have a user that belongs to multiple groups. Let's say in the usergroup table I have username Paul_S that belongs to Group1, Group2 and Group3 (using a different row for each group membership). In the radgroupreply table, I have multiple different attributes for each group. When I do radius authentication for that username, it only returns the AVPs for the first group match in the radgroupreply table, instead of returning ALL the AVPs that match ALL the groups that the user belongs to. How can I make this happen? I'm using freeradius 1.0.5 and using mysql as the database. Thanks, Lenir