Re: Radius accounting file scanning and upload to database
Actually I was told about the development of such a thing (i.e. decoupled SQL logging) in the radius server some time ago. That is a good thing, but I am currently using my own relay logging and it is already very stable and very fast (using bulk insert); it just suffers the limitation that it is one day late, and thus I have these questions:

The radius server method, I believe, is also based on scanning a directory of files. How does it handle files which are still growing (i.e. unfinished files)? Or is it assuming that the files have been completed (i.e. there are no files which are still active!)?

Cheers

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Saturday, December 24, 2005 1:38 AM
Subject: Re: Radius accounting file scanning and upload to database

> Ming-Ching Tiew [EMAIL PROTECTED] wrote:
> > I am logging to MSSQL and I have tried in the past to do it directly. I find that the stability is POOR and reliability is NOT ACCEPTABLE. For example, the sql driver does not reconnect upon failure. I tried fixing it myself but I also faced other weird problems which are difficult to troubleshoot.
>
> See rlm_sql_log in the 1.1.0-pre0 image. It should help.
>
> Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Interesting EAP-TLS condition, any insights?
Michael Griego wrote:
> I'm very curious about the outcome of this as well. The AP is *supposed* to block all traffic except for EAP traffic pending the required EAP-Success from the Authentication Server. If the AP is allowing non-EAP traffic through, and, given that the client-AP traffic occurs unencrypted until the EAPoL Keys are sent, that could allow a total bypass of security on those APs.

It only occurs during a session reauthentication forced by the AP; initial authentication works as expected. The traffic remains encrypted during the pending authentication, so I'm assuming that the previous session keys are still being used. And it only happens with XP as a client. It's at the least a partial bypass of security because part of the point of the forced reauthentication is to get new keys.

> Ick. I hope this doesn't turn out to be true for any other vendors...

I'm pretty sure that it doesn't work that way for Proxim APs since I've seen the EAPoL exchange hang on those guys before and the client gives up and tries to communicate anyway to no avail... Unfortunately I don't have another AP to test at the moment.

-- Tim
no response from server on other machines
I have installed Freeradius 1.0.5 on the Redhat 9 machine. When I type the command radtest test test localhost 0 testing123 to check, the output is as the following:

Sending Access-Request of id 252 to 127.0.0.1:1812
        User-Name = test
        User-Password = test
        NAS-IP-Address = room129
        NAS-Port = 0
Re-sending Access-Request of id 252 to 127.0.0.1:1812
        User-Name = test
        User-Password = S\306\212Go'\3216?!w\025\377\251\320,
        NAS-IP-Address = room129
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=252, length=20

Is this a proof that the Radius Server runs correctly?

Then I ran NTRadPing (a handy tool to test Radius Server from client machines) on another machine which has Windows Server 2003 OS, and only got the results as follows:

sending authentication request to server 202.117.x.x:1812
Transmitting packet, code=1, id=2, length=45
no response from server (timeout), new attempt #1
no response from server (timeout), new attempt #2
no response from server (timeout), new attempt #3
could not receive the response from the server

I have configured /raddb/users and /raddb/clients.conf and it had no effect. Then I configured /raddb/naslist, adding the Windows Server 2003 machine's IP with type livingston; the problem is still not resolved. I don't know the difference between the types Unix, Cisco, Livingston and Slaveport. Can anyone explain the difference for me?
Re: Error in Radius.log
On Monday 26 December 2005 16:17, LeRoy DeVries wrote:
> On Monday 26 December 2005 16:02, Markus Krause wrote:
> > I am not an expert but it seems that you (or some module) sets auth-type to local. What do your authorize and authenticate sections in radiusd.conf look like?
>
> Here is that portion:
>
> authorize {
>         preprocess
>         chap
>         mschap
>         suffix
>         sql
>         noresetcounter
> }
>
> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>         Auth-Type CHAP {
>                 chap
>         }
>         Auth-Type MS-CHAP {
>                 mschap
>         }
> }
>
> The interface between the user and radius is done by a .cgi script.

I found the problem. It was a password error between the Web Server and the ChilliSpot captive portal. All is working as designed. Thanks for EVERYONE'S help here. I have learned a lot and I appreciate it very much.

Happy New Year
-- LeRoy
Re: EAP-MD5 Authentication problem
On Mon, Dec 26, 2005 at 11:40:03AM -0500, Alan DeKok wrote:
> Marco Spiga [EMAIL PROTECTED] wrote many, many, times:
> > ...
>
> First, only one post to the list is necessary.

Excuse me, but I am still fighting with a mail problem at my provider.

> Second:
>
> > rlm_eap_md5: User-Password is required for EAP-MD5 authentication
>
> You didn't tell the server what the user's *correct* password was. How did you expect the server to be able to authenticate the user?

Well, but my problem is that I do not know exactly what to do. In the previous email I had sent the configuration and log files.

> Alan DeKok.

Marco
Re: Can I set Autz-Type in hints file?
> > and looking at the source of rlm_files.c, check_pairs is config_items. It's a bit confusing to use different words for the same thing.
>
> So submit patches. This isn't a commercial product where people get paid money to do copy editing, so you have to expect some level of problems. And I'll be honest, people who complain about free software really *do* have the choice of paying for commercial software, with fancy copy-edited documentation. No one here is getting paid to listen to complaints about how crappy the product is.

I didn't complain, and I'm willing to submit patches to the documentation (actually I've done some simple editing in the WiKi). Of course I don't have the knowledge you have about freeradius, so I still have to ask you (or some other of the knowledgeable people here) :)

Anyway, freeradius is great software (never said it was crappy), keep up the good work.

-- damjan | дамјан
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!
Re: Interesting EAP-TLS condition, any insights?
Timothy J. Miller [EMAIL PROTECTED] wrote:
> > I'm not sure how to fix that, to be honest. There's little you can do on the RADIUS server to make the AP work.
>
> An abort followed by Access-Reject in rlm_eap_tls might work.

Only if you do it *before* the supplicant stops responding.

Alan DeKok.
Re: confused on attrs file entries
Chuck [EMAIL PROTECTED] wrote:
> I would like to, if the value is over, set the max value and send my reply instead of theirs, still giving them the ability to send replies of less value to be passed. I am confused how to do this.

Source code patches. It's a good idea.

Alan DeKok.
Re: Radius accounting file scanning and upload to database
Ming-Ching Tiew [EMAIL PROTECTED] wrote:
> The radius server method, I believe, is also based on scanning a directory of files,

No.

> how does it handle files which are still growing (i.e. unfinished files)? Or is it assuming that the files have been completed (i.e. there are no files which are still active!)?

No. The server's radsqlrelay program co-operates with locking to ensure that growing files are handled.

Alan DeKok.
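As an added illustration of the point above (this is not code from the thread, nor FreeRADIUS's own radsqlrelay): a small Python relay that reads a detail-style accounting file under a shared fcntl lock, bulk-inserts only records that have been terminated by a blank line, and remembers the byte offset so a record the server is still writing is picked up on the next run instead of being half-imported. The writer taking the matching exclusive lock, the sample records and the sqlite target are assumptions.

```python
import fcntl
import os
import sqlite3
import tempfile

# Constructed sample in detail-file layout: timestamp line, tab-indented
# "Attr = value" lines, blank line ending each record; record 3 is unfinished.
SAMPLE_DETAIL = "\n".join([
    "Tue Dec 27 10:00:01 2005", '\tAcct-Session-Id = "0001"',
    '\tUser-Name = "alice"', "\tAcct-Status-Type = Start", "",
    "Tue Dec 27 10:05:01 2005", '\tAcct-Session-Id = "0001"',
    "\tAcct-Status-Type = Stop", "\tAcct-Session-Time = 300", "",
    "Tue Dec 27 10:06:00 2005", '\tAcct-Session-Id = "0002"', ""])

def parse_records(data):
    """Return (complete records as dicts, byte offset past the last one)."""
    records, block, consumed, pos = [], [], 0, 0
    for line in data.decode("latin-1").splitlines(keepends=True):
        pos += len(line)                    # latin-1: one char per byte
        if line.strip():
            block.append(line.strip())
        elif block:                         # blank line closes a record
            rec = {"timestamp": block[0]}
            for item in block[1:]:
                key, _, val = item.partition(" = ")
                rec[key] = val.strip('"')
            records.append(rec)
            block, consumed = [], pos       # partial tail is left unread
    return records, consumed

def relay(path, conn, offset=0):
    """Read past `offset` under a shared lock (assumes the writer holds an
    exclusive fcntl lock while appending); return (new_offset, rows)."""
    with open(path, "rb") as fh:
        fcntl.lockf(fh, fcntl.LOCK_SH)
        try:
            fh.seek(offset)
            data = fh.read()
        finally:
            fcntl.lockf(fh, fcntl.LOCK_UN)
    records, consumed = parse_records(data)
    rows = [(r["timestamp"], r.get("User-Name"), r.get("Acct-Session-Id"),
             r.get("Acct-Status-Type"), int(r.get("Acct-Session-Time", 0)))
            for r in records]
    with conn:                              # one transaction for the batch
        conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", rows)
    return offset + consumed, len(rows)

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (ts TEXT, username TEXT, "
                 "session_id TEXT, status TEXT, session_time INTEGER)")
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_DETAIL)
        off1, n1 = relay(path, conn)        # run 1: only the 2 finished records
        with open(path, "a") as fh:         # the writer completes record 3
            fh.write('\tUser-Name = "bob"\n\tAcct-Status-Type = Start\n\n')
        off2, n2 = relay(path, conn, off1)  # run 2: picks up record 3 only
        size = os.path.getsize(path)
    finally:
        os.unlink(path)
    total = conn.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    return {"run1": n1, "run2": n2, "total": total, "at_eof": off2 == size}
```

A production relay would persist the offset between runs and reset it when the detail file is rotated.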
Re: no response from server on other machines
yao guoxian [EMAIL PROTECTED] wrote:
> I have installed Freeradius 1.0.5 on the Redhat 9 machine. When I type the command radtest test test localhost 0 testing123 to check, the output is as the following:
> ...

If the server doesn't respond on localhost, then either it isn't running, or you edited the configuration files to break it.

Alan DeKok.
Experimental bleeding edge patched debian packages available
I have made my local customized debian apt-get repository available online.

http://apt-repo.ttec.com

Found there are freeradius packages -- they are generally unstable CVS and contain patches that I run with. These should not in any way be construed as any actual release by the freeRADIUS team or by any official Debian maintainers. I don't expect anyone to actually install the binaries. I expect most people who actually use it (if any) to merely obtain the source. No guarantees or warranties made in any way, shape or form for anything. In particular, the latest package(s) there is suspected to core-dump infrequently after HUP.

I want to thank Paul Hampson and all those who have contributed to Freeradius development, and for this instance, in particular the debian packaging. It was done in such a way as to make maintaining a customized package that parallels official releases and code trivial.

(## from memory it's something like:
    mkdir cvs-
    cd cvs-XXX
    cvs co radiusd
    cd ..
    mkdir debian
    cd debian
    apt-get source freeradius
    cd freeradius-*
    diff -urN ../../cvs-XXX/radiusd/debian debian | less    # use your head
    vi debian/changelog
    mv debian ..    # careful here
    rm -rf *
    cp -R ../../cvs-XXX/radiusd/* .
    mv ../debian .
    dpkg-buildpackage -rfakeroot
)

Thank You!
Adding multiple realms
Hello everyone! I am a serious newbie and I apologize for my poor netiquette. I am such a newbie that I cannot tell you what version of free radius I am running, for I know not where to look. It is running on a red hat 9 box with mysql.

Currently we resell dial-up access; we have to provide the provider with a realm. We currently have only one realm but we need 2. I do not want to keep the users separate; in other words I want the users that are in there now to be able to use both realms with their user name, i.e. [EMAIL PROTECTED] and [EMAIL PROTECTED], only one entry for both realms in the dialup admin. I also already have all the IPs entered for the access provider as they were left over from the initial configuration.

So far I have checked in radius.conf:

    proxy_requests = yes
    $INCLUDE ${confdir}/proxy.conf

Proxy.conf has:

    ###
    #
    #  Configuration for the proxy realms.
    #
    #  The information given here is used in conjunction with the 'realms'
    #  file.  This format is preferred, as it is more flexible.  The realms
    #  listed here take priority over those listed in the 'realms' file.
    #

    #this one works
    realm oldrealm.com {
            type     = radius
            authhost = LOCAL
            accthost = LOCAL
    #       nostrip
    }

    #this is the second realm that I added
    #it does not work; nothing comes across the log script that I use
    #but the error the customer sees is invalid username
    realm newrealm.com {
            type     = radius
            authhost = LOCAL
            accthost = LOCAL
    #       nostrip
    }

At the bottom it has the default realm:

    realm DEFAULT {
            type     = radius
            authhost = localhost:1812
            accthost = localhost:1813
            secret   = sharedsecret
    }

In /var/www/dialup_admin/conf/admin.conf:

    general_base_dir: /var/www/dialup_admin
    general_radiusd_base_dir: /usr/local
    general_domain: old_domain.com

Here it has the old domain; is there a way to add a second, or am I just completely lost? Sorry to be so general; I would really appreciate any help.

Thanks,
J.D.

See you @ AppState.Net's Wireless Technology Open House - Boone NC Jan. 26
Covering Watauga County with Broadband for Everyone 828-265-3773
Re: Failed to link to module 'rlm_eap': ... : No such file or directory
Thanks Alan for your advice. If anyone else has this issue, I found a simple suse 9.2 FR 1.0.5 package for peap+ldap at:

( http://www.whitemiceconsulting.com/node/61 )

from which it's possible to extract the libraries that suse forgot (?) to install: rlm_eap.so and rlm_eap_peap.so

    (cd dump; rpm2cpio ../freeradius-1.0.5-2.1.suse92.i586.rpm | cpio -id)

bye

> Message: 11
> Date: Mon, 26 Dec 2005 11:42:02 -0500
> From: Alan DeKok [EMAIL PROTECTED]
> Subject: Re: Failed to link to module 'rlm_eap': ... : No such file or directory
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: [EMAIL PROTECTED]
>
> Roberto S. G. [EMAIL PROTECTED] wrote:
> > I can see that the previous package had rlm_eap.so, and that the last one doesn't, and apparently has deleted the previous one... What can I do?
>
> Either install a package that has rlm_eap.so, or re-build the server completely from source.
>
> Alan DeKok.
Re: Configuration of users file
Mike Cisar [EMAIL PROTECTED] wrote:
> But beyond that, how can I then skip over the 20 or so poola/poolb checks which do not apply for acceleration requests? Maybe there's a cleaner way of doing this?

The users file isn't really meant for complex processing like that. You're running into its limitations, which are pretty severe.

> So essentially what I need to do is an initial determination of whether the request is dialup, acceleration, or NNTP (well basically if it's acceleration or nntp, with dialup being the default path if it's neither of the former).

My suggestion is to use rlm_passwd. Define server-side attributes like Where-From with values like dialup, acceleration, and nntp. Use rlm_passwd to match the client IP's to Where-From.

> Go down a particular branch of processing depending on which of the three flavors of request it is, and then drop back out of those checks into a common branch

The users file can do that.

> P.S. Is there a syntax by which I can specify something like...
>
> DEFAULT Client-IP-Address == (207.102.99.65 or 207.102.99.66 or 207.102.99.67), Group != poolb, Auth-Type := Reject

Nope.

> or somehow pre-define a group of NAS' to use in place such as...
>
> clientpoola = 207.102.99.65, 207.102.99.66, 207.102.99.67
> DEFAULT Client-IP-Address == clientpoola, Group != poolb, Auth-Type := Reject
>
> rather than specifying a separate stanza for each Client-IP-Address as I have in my existing config?

rlm_passwd. Map the client IP's to a common where-from, and key off of that in the users file.

Alan DeKok.
Re: Adding multiple realms
You should probably look into the strip realms config item since you only want a single username for all realms.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
FR caching problem
FreeRADIUS v.1.0.5

I am trying to enable caching on line 623 in radiusd.conf. When I turn on caching and reload, I get the following error:

Info: Reloading configuration files.
Info: Using deprecated naslist file. Support for this will go away soon.
Info: HASH: Reinitializing hash structures and lists for caching...
Error: rlm_unix: You MUST specify a shadow password file!
Error: HASH: unable to create user hash table. disable caching and run debugs
Error: radiusd.conf[605]: unix: Module instantiation failed.

When I turn caching back off and reload, FreeRadius starts just fine:

Info: Using deprecated naslist file. Support for this will go away soon.
Info: Ready to process requests.

I am using /etc/passwd and /etc/group for authentication. I am not using /etc/shadow. Does FR require an /etc/shadow path even if it is not used?

Any thoughts or suggestions?

thanks
RE: Adding multiple realms
In dialupadmin/admin.conf:

    # Realm setup
    #
    # Set general_strip_realms to yes in order to stip realms from usernames.
    # By default realms are not striped
    #general_strip_realms : yes

Should the above line not be commented out?

Thanks for your help;
J.D.

See you @ AppState.Net's Wireless Technology Open House - Boone NC Jan. 26
Covering Watauga County with Broadband for Everyone 828-265-3773

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lewis Bergman
Sent: Tuesday, December 27, 2005 4:02 PM
To: FreeRadius users mailing list
Subject: Re: Adding multiple realms

> You should probably look into the strip realms config item since you only want a single username for all realms.
>
> --
> Lewis Bergman
> Texas Communications
> 4309 Maple St.
> Abilene, TX 79602-8044
> Off. 325-691-1301
> Cell 325-439-0533
> fax 325-695-6841
Re: FR caching problem
Lemaster, Rob [EMAIL PROTECTED] wrote:
> Error: rlm_unix: You MUST specify a shadow password file!

This error occurs because your system has /etc/shadow, and getspwent().

> I am using /etc/passwd and /etc/group for authentication. I am not using /etc/shadow. Does FR require an /etc/shadow path even if it is not used?

No. It requires /etc/shadow only if it's being used. And in general, caching in rlm_unix is a bad idea. See the comments in radiusd.conf.

> Any thoughts or suggestions?

Use rlm_passwd for caching. Use rlm_unix for non-caching systems.

Alan DeKok.
Fw: segmentation fault on solaris,unable to call modules
Hi developers,

This is the output from gdb. I was trying to run freeradius-1.0.5 on Solaris 8. Pls kindly assist. Thanks in advance.

Rgds,
QZ

(gdb) bt
#0  0xff324878 in lt_dlsym (handle=0x81cd8, symbol=0xffbee4b8 "rlm_ldap") at ltdl.c:3330
#1  0x1c9a4 in linkto_module (module_name=0xffbee628 "rlm_ldap", cffilename=0x276c8 "radiusd.conf", cflineno=724) at modules.c:230
#2  0x1cc14 in find_module_instance (instname=0x4ef90 "ldap") at modules.c:347
#3  0x1e024 in do_compile_modsingle (component=1, ci=0x4f3b8, filename=0x276c8 "radiusd.conf", grouptype=0, modname=0xffbee87c) at modcall.c:814
#4  0x1e090 in compile_modsingle (component=1, ci=0x4f3b8, filename=0x276c8 "radiusd.conf", modname=0xffbee87c) at modcall.c:830
#5  0x1d0d0 in load_component_section (cs=0x4f2a0, comp=1, filename=0x276c8 "radiusd.conf") at modules.c:568
#6  0x1d57c in setup_modules () at modules.c:858
#7  0x147e0 in main (argc=2, argv=0xffbefa84) at radiusd.c:960

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, December 21, 2005 12:27 AM
Subject: Re: segmentation fault on solaris,unable to call modules

> Qin Zhen [EMAIL PROTECTED] wrote:
> > Haven't figured out how to solve the segmentation fault problem yet. Any suggestion? Or has anybody encountered a similar problem to mine?
>
> Read doc/bugs
>
> Alan DeKok.
>
> > Qin Zhen [EMAIL PROTECTED] wrote:
> > > Hi All, installing freeradius on Solaris is already a big headache; afterwards I encountered a Segmentation fault as well. I am using Freeradius-1.0.5. If I comment out those modules called in radiusd.conf (e.g. files, preprocess, ldap, prefix under 'Authorize'), there is no segmentation fault error. So it seems that it is not able to call any of the modules inside radiusd.conf. This configuration is able to work for freeradius-0.8 on solaris, as well as freeradius-1.0.5 on debian. Pls advise. Thanks in advance.