Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)
Phil Mayers <[EMAIL PROTECTED]> wrote:
> Why would samba4 be any different than samba3 in that regard?

Because Samba4 will be a full-fledged AD domain member. Samba3 is a second-class citizen of an AD domain, as it implements NT domains.

> I assume we are talking about the same thing (samba as a member
> server with a "real" microsoft PDC) in which case the code that
> would need adding would be an API on the windows side - AD realms
> (in fact NT domains all the way back to NT4 IIRC) can already store
> the password in "reversibly encrypted" plaintext to support CHAP
> (only via IAS and only running on the physical PDC) or Digest MD5 on
> HTTP.

Yes. And once Samba4 is a full-fledged member of an AD domain, the other AD servers will happily replicate data to it... including the clear-text password. Samba4 can then expose it in the userPassword field.

The reason IAS works is that it does super-secret magic Microsoft calls that no one has figured out. If Samba4 is a member of the AD domain, it doesn't have to figure out those calls.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_sql_mysql search path Bug ?
Hello,

I'm under FreeBSD 6.0 - Freeradius 1.0.5. I did an install from the port (/usr/ports/net/freeradius) with rlm_sql_mysql enabled. I set radiusd_enable="YES" in "rc.conf".

But when I reboot, radius doesn't start and I got this in my "/var/log/radius.log":

Sat Jan 28 00:39:55 2006 : Error: rlm_sql (sql): Could not link driver rlm_sql_mysql: Shared object "libmysqlclient.so.14" not found, required by "rlm_sql_mysql-1.0.5.so"
Sat Jan 28 00:39:55 2006 : Error: rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
Sat Jan 28 00:39:55 2006 : Error: radiusd.conf[14]: sql: Module instantiation failed.

Very curiously, if I do a "/usr/local/etc/rc.d/radiusd.sh start" then everything goes fine... Did I miss something?

Regards,
Jeremy
Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)
Alan DeKok wrote:
> Phil Mayers <[EMAIL PROTECTED]> wrote:
>> I'm confused - I and many people are doing MS-CHAP to an AD domain with
>> samba3, winbind and the ntlm_auth helper - what are you referring to
>> that doesn't work that samba4 would change?
>
> Yes, they're using the old-style NT4 logins. So MS-CHAP works.

Ah I see. I had read the message differently - though the poster's original question (and the subject line unhelpfully) was about CHAP, his subsequent query referenced another thread and mentioned MS-CHAP.

You're right that no current software can perform CHAP against AD except IAS running on a domain controller against accounts with reversible encryption enabled (see below).

> Samba4 *may* allow pulling clear-text passwords from AD, in which
> case CHAP will work, too.

Why would samba4 be any different than samba3 in that regard?

I assume we are talking about the same thing (samba as a member server with a "real" microsoft PDC) in which case the code that would need adding would be an API on the windows side - AD realms (in fact NT domains all the way back to NT4 IIRC) can already store the password in "reversibly encrypted" plaintext to support CHAP (only via IAS and only running on the physical PDC) or Digest MD5 on HTTP.
Re: R: R: SQL.conf new query
That is what I thought but wasn't sure, I don't think the original poster realized this though. I was directing this mostly toward him.

Thanks!

Alan DeKok wrote:
> Rich Marriner <[EMAIL PROTECTED]> wrote:
>> Would separating the queries with a semicolon work, but keeping both
>> queries under postauth_query? SQL should distinguish it as a separate
>> query. I haven't tried this so I am not sure if it would work or not.
>
> That's what I thought I suggested earlier.
>
> Alan DeKok.
Re: Error: Assertion failed in request_list.c, line 1119
> Both of these are if the queuing of the request failed; assertion should be true.

No, in the log there is just "Wed Jan 25 02:05:16 2006 : Error: Assertion failed in request_list.c, line 1119" and Freeradius crashes and goes down. I'll try to get some information by running in debug mode, but in debug mode everything is OK. Is the process different when running in daemon mode and in debug mode?

Thanks.
Re: error if running daemon
> For now, run the server with "radiusd -s", which means no threads.
> That should help.

What's the effect of running the server with "radiusd -s"?
Re: Capturing the inner authentication ID for Radius accounting
"CHui" <[EMAIL PROTECTED]> wrote:
> Although it seems to work for me, I am not sure about the use of attribute
> Class for tracking user ID would interfere with other operation (like the
> one attribute Class was originally designed for)?

It was designed for local sites to do whatever they wanted. So you're doing the right thing.

> Also, the attribute Class is of type Octet. Does anyone know of a way to
> convert it to text in SQL?

Edit the dictionary, and change "octets" to "string".

Alan DeKok.
Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)
Phil Mayers <[EMAIL PROTECTED]> wrote:
> I'm confused - I and many people are doing MS-CHAP to an AD domain with
> samba3, winbind and the ntlm_auth helper - what are you referring to
> that doesn't work that samba4 would change?

Yes, they're using the old-style NT4 logins. So MS-CHAP works.

Samba4 *may* allow pulling clear-text passwords from AD, in which case CHAP will work, too.

Alan DeKok.
Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)
Alan DeKok wrote:
> Patrick Bartkus <[EMAIL PROTECTED]> wrote:
>> Does this mean that if I setup Samba on this box, get it to be a member of
>> the domain exchanging Domain UIDs and passwords, I could then authenticate
>> to Samba from my MS-CHAP-speaking NAS?
>
> Possible. If it's an NT domain. If it's an Active Directory domain,
> then no, it's still impossible. Maybe Samba4 (when it's done) will allow this.

I'm confused - I and many people are doing MS-CHAP to an AD domain with samba3, winbind and the ntlm_auth helper - what are you referring to that doesn't work that samba4 would change?
Re: PEAP Machine Auth without NTLM or LDAP
Jérémy Cluzel wrote:
> Hello,
>
> I want to do machine auth with PEAP for my laptop before windows logon.
> I managed to do it with "ntlm_auth" before, but this time, I've another
> problem, there is no PDC.

If there is no PDC, there's no domain, so there *is* no machine account.

You could use a machine certificate and EAP-TLS, but limitations of the winxp built in supplicant mean you'd have to also use EAP-TLS for the users as well.

> So, is it possible to use the "users" file instead like this:
> "computer_name" User-Password == ""
> (As far as I remember it was impossible...)

It is, because there is only a machine account if there is a domain (in which case there is a PDC)

> Any suggestions ?
>
> Regards,
> Jeremy Cluzel
Re: Webserver System Hanging when trying to authenticate.
Hi,

> I have seen this problems a few time. I setup a Fedora Core 4 - Freeradius
> server with apache and when I try to login to the webserver it hangs the
> webserver. Note in this case the web server and Freeradius are on the same
> server. But I have also seen it where the web server and freeradius are on
> two different systems and the web server hangs. I have gotten it to work in
> the past by stopping the firewall on the radius server and authenticating and
> then restarting the firewall. And everything works for some reason. Which
> really seems strange. I am running Fedora Core Linux for the web servers. And
> Redhat ES4 Linux for the radius servers.
>
> I am wondering if this is a known problem and what is the resolution to the
> problem.

a quick idea is that the default firewall config is DROPing packets rather than rejecting them - which means that if it is not configured correctly, Apache will wait a long time while trying to authenticate (it'll be in a stuck state) for that thread.

the fact that 'stopping the firewall, then restarting it after authentication is okay' screams out at me that you haven't got your firewall to allow the required ports through - eg 1812, 1813 and 1814 UDP (*NOT* TCP)

Alan
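The difference between a firewall that drops and one that rejects, as seen by a UDP client such as the RADIUS code inside Apache, shown as an added example that is not part of the original thread. It assumes that a closed loopback port behaves like a REJECT rule answering with ICMP port-unreachable and that a bound socket which never replies behaves like DROP; the ports are ephemeral loopback ports, not 1812-1814, and `probe_udp` and `demo` are hypothetical names.

```python
import socket
import time


def probe_udp(host: str, port: int, timeout: float = 0.5) -> str:
    """Send one datagram and classify what comes back.

    'reply'    - the peer answered
    'rejected' - the kernel reported ICMP port-unreachable (REJECT-like)
    'silent'   - nothing arrived before the timeout (DROP-like)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A *connected* UDP socket is what lets the kernel hand ICMP errors
        # back to the application as ECONNREFUSED.
        s.connect((host, port))
        try:
            s.send(b"\x00")
            s.recv(4096)
            return "reply"
        except (ConnectionRefusedError, ConnectionResetError):
            return "rejected"
        except socket.timeout:
            return "silent"


def demo(timeout: float = 0.5) -> dict:
    """Probe a closed port and a silent port on loopback and time both."""
    # DROP stand-in: a socket that is bound but never reads or answers.
    sink = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sink.bind(("127.0.0.1", 0))
    silent_port = sink.getsockname()[1]

    # REJECT stand-in: a port that was just released, so nothing listens on it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    results = {}
    try:
        for name, port in (("closed", closed_port), ("silent", silent_port)):
            start = time.monotonic()
            outcome = probe_udp("127.0.0.1", port, timeout)
            results[name] = (outcome, time.monotonic() - start)
    finally:
        sink.close()
    return results


if __name__ == "__main__":
    for name, (outcome, elapsed) in demo().items():
        print(f"{name:7s} -> {outcome:9s} after {elapsed:.3f}s")
```

The rejected probe fails almost immediately, while the silent one costs the caller the full timeout for every attempt and retry, which is the stuck state described above.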
Error PROFIND request failed on'/' Error PROFIND of '/': 405 Method Not Allowed (http://192.168.1.75)
Hi

When I try to open up the repository using TortoiseSVN Checkout I receive the following error messages:

Error PROFIND request failed on'/'
Error PROFIND of '/': 405 Method Not Allowed (http://192.168.1.75)

What is causing the Error Message? and how do I correct it?

Thank you,
Frank Reiss
Capturing the inner authentication ID for Radius accounting
I have been looking for a way to maintain accurate wireless access and usage information for security auditing purposes. The problem I have is that wireless network users may choose to provide an alternative identity by providing an outer identity in the supplicant software. Although the user still needs a legitimate user id/password to pass the EAP TTLS authentication.

So far I could not find a "standard" way to track the user identity via Radius accounting records. I do manage to configure the FreeRadius to send the inner authentication user ID to the Cisco Aironet Access point (IOS 12.3(7)JA) using the Radius attribute "Class" (ID 25). For example, in my users file, the following is configured for guest access:

DEFAULT Hint == "guest"
        Auth-Type = sql,
        Class = "%{User-Name}",
        Session-Timeout = 3600,
        Fall-Through = No

The actual user id used in the EAP-TTLS authentication is passed to the Cisco Aironet AP via the Class attribute. I have observed that both the Radius "start" and "stop" records sent by the Cisco Aironet AP contained the Class attribute with the actual user's ID.

The reason I chose the Class attribute is that it is the only attribute honored by the Aironet AP in Access-Accept message and also included in the radius accounting sent by the Aironet AP according to the Cisco IOS Software Config Guide for Aironet APs.

Although it seems to work for me, I am not sure about the use of attribute Class for tracking user ID would interfere with other operation (like the one attribute Class was originally designed for)?

Also, the attribute Class is of type Octet. Does anyone know of a way to convert it to text in SQL? I would like to convert it to text before writing it into the mySQL database, preferably by way of the accounting_xx_query in the sql.conf file.

Thanks
Cedric
Webserver System Hanging when trying to authenticate.
Hi,

I have seen this problems a few time. I setup a Fedora Core 4 - Freeradius server with apache and when I try to login to the webserver it hangs the webserver. Note in this case the web server and Freeradius are on the same server. But I have also seen it where the web server and freeradius are on two different systems and the web server hangs. I have gotten it to work in the past by stopping the firewall on the radius server and authenticating and then restarting the firewall. And everything works for some reason. Which really seems strange. I am running Fedora Core Linux for the web servers. And Redhat ES4 Linux for the radius servers.

I am wondering if this is a known problem and what is the resolution to the problem.

Frank Reiss
Impeva Labs, Inc.
Re: PEAP Machine Auth without NTLM or LDAP
Jérémy Cluzel <[EMAIL PROTECTED]> wrote:
> I want to do machine auth with PEAP for my laptop before windows logon.
> I managed to do it with "ntlm_auth" before, but this time, I've another
> problem, there is no PDC.
> So, is it possible to use the "users" file instead like this:
> "computer_name" User-Password == ""

It's impossible because you don't know what the password is. And AD won't tell you. And it changes randomly.

Alan DeKok.
Re: R: R: SQL.conf new query
Rich Marriner <[EMAIL PROTECTED]> wrote:
> Would separating the queries with a semicolon work, but keeping both
> queries under postauth_query? SQL should distinguish it as a separate
> query. I haven't tried this so I am not sure if it would work or not.

That's what I thought I suggested earlier.

Alan DeKok.
PEAP Machine Auth without NTLM or LDAP
Hello,

I want to do machine auth with PEAP for my laptop before windows logon. I managed to do it with "ntlm_auth" before, but this time, I've another problem, there is no PDC.

So, is it possible to use the "users" file instead like this:

"computer_name" User-Password == ""

(As far as I remember it was impossible...)

Any suggestions ?

Regards,
Jeremy Cluzel
Re: R: R: SQL.conf new query
Would separating the queries with a semicolon work, but keeping both queries under postauth_query? SQL should distinguish it as a separate query. I haven't tried this so I am not sure if it would work or not.

How about something like this?

postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW()) ; INSERT into ${authcheck_table} (UserName, Attribute, op, Value) VALUES ('%{SQL-User-Name}', 'Calling-Station-Id', ':=', '%{Calling-Station-Id}')"

It seems a lot easier than changing the source code and recompiling...

Hope this helps!
Richard

Carlo Prestopino wrote:
> Thank you Alan for your reply.
>
> As written by Paolo, we simply added a query (postauth_mac_query) to sql.conf file that gives back user's MAC address:
>
> ...
> ...
> postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
> postauth_mac_query = "INSERT into ${authcheck_table} (UserName, Attribute, op, Value) VALUES ('%{SQL-User-Name}', 'Calling-Station-Id', ':=', '%{Calling-Station-Id}')"
>
> The query was built on the model of the postauth_query one, so no problems should arise about its syntax. In fact, if we change the content of postauth_query with the one of post_mac_query, it works fine (MAC address is inserted into radcheck table).
>
> The problem is that it seems that freeRADIUS does not recognize the new defined query (postauth_mac_query); in fact, looking at debug output, we can see calls to all other queries but not to the new one.
>
> So the question is: how to let freeRADIUS understand when to call each single query defined in the sql.conf file?
>
> Any advice?
>
> Regards,
> Carlo
>
> -Original message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Paolo Pellicori
> Sent: Friday 27 January 2006 10.12
> To: 'FreeRadius users mailing list'
> Subject: R: R: SQL.conf new query
>
> I have appended the query to the existing ones, but without result.
>
> postauth_mac_query = "INSERT into ${authcheck_table} (UserName, Attribute, op, Value) VALUES ('%{SQL-User-Name}', 'Calling-Station-Id', ':=', '%{Calling-Station-Id}')"
> postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
>
> in the startup log only the postauth_query is loaded:
>
> sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'"
> sql: connect_failure_retry_delay = 60
> sql: simul_count_query = ""
> sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
> sql: postauth_table = "radpostauth"
> sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
>
> it does not appear and consequently it does not work :(
>
> Solutions?
>
> Regards
>
> Sent: Thursday 26 January 2006 18.41
> To: FreeRadius users mailing list
> Subject: Re: R: SQL.conf new query
>
>> I would like to build a new query to insert user's MAC address into
>> radcheck table, as users log-out (accounting-stop packet).
>
> Just append the query to the existing ones.
>
> Alan DeKok.

--
Richard Marriner II
Maingear.Net
Sr. Network Consultant
I.T. Consulting
[EMAIL PROTECTED]
www.maingear.net
Re: using stored procedures with freeradius
Murat Mığdısoğlu wrote:
> Hi all,
>
> I'm using freeradius with sybase using freetds and unixodbc. For some purposes, I had to use stored procedures and changed sql statements in sql.conf to procedure calls like "EXEC -". I have two questions at this point:
>
> 1) Has anyone used this method before?
> 2) Examining my logs, I found that some sockets are getting an 'Invalid cursor State' error from the unix-odbc driver in some cases and they don't work anymore. What can it be?

You should really address that on the db level. That is not a freeradius issue.

--
Lewis Bergman
Texas Communications
Re: simultaneous-use and stateless sessions in sql
"Seferovic Edvin" <[EMAIL PROTECTED]> wrote:
> but what if I "only" have session data in SQL?

Write a shell script that runs SQL queries and builds the packets to send to radclient.

Alan DeKok.
Re: AD ldap bind works with 1.01, fails with 1.04
Stephen Walsh <[EMAIL PROTECTED]> wrote:
> Thanks for the reply. We ended up reverting the production box to FC3 and
> 1.01, only to have it fail with the same error!

I'm not surprised. I don't think it *ever* worked in 1.0.1.

> I also found an entry on a forum that referred to having to change the
> heuristic search value on the AD DC, I've pasted it below in the hope it
> may help someone in the future with the same problem.

That helps a lot. I've added it to doc/rlm_ldap.

Alan DeKok.
Re: Exec-Program
Priscilla B <[EMAIL PROTECTED]> wrote:
> Do we have to make our own file for this Exec-Program

Yes. It's a program, like a shell script.

> Or if not, can someone give me an example of this
> file?

scripts/exec-program-wait

Alan DeKok.
Re: R: R: SQL.conf new query
"Carlo Prestopino" <[EMAIL PROTECTED]> wrote:
> The problem is that it seems that freeRADIUS does not recognize the new
> defined query (postauth_mac_query) in fact, looking at debug output, we can
> see calls to all other queries but not to the new one.

The source code to the module contains the names of the queries it looks for in the configuration file. All other queries are ignored.

If you want an additional query, edit the source code.

Alan DeKok.
Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)
Patrick Bartkus <[EMAIL PROTECTED]> wrote:
> Does this mean that if I setup Samba on this box, get it to be a member of
> the domain exchanging Domain UIDs and passwords, I could then authenticate
> to Samba from my MS-CHAP-speaking NAS?

Possible. If it's an NT domain. If it's an Active Directory domain, then no, it's still impossible. Maybe Samba4 (when it's done) will allow this.

Alan DeKok.
Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)
Patrick Bartkus wrote:
> Phil, Thanks.
>
> In another thread I read, you wrote:
> ---
> The MS-CHAP module requires either the MD4-based NT password hash, the
> plaintext password from which it can derive the NT hash, or callout to
> Samba & domain membership.
> ---
> Does this mean that if I setup Samba on this box, get it to be a member of
> the domain exchanging Domain UIDs and passwords, I could then authenticate
> to Samba from my MS-CHAP-speaking NAS?

Yes. See the "ntlm_auth" option of the "mschap" module. You need winbind (and therefore Samba 3) but it's pretty trivial to setup.
Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)
Patrick Bartkus <[EMAIL PROTECTED]> wrote:
> I'm trying to authenticate an Ascend MAX dial-up server back to Windows
> Active Directory.

If the Access-Request contains CHAP, it's impossible. CHAP requires a clear-text password, which AD doesn't supply.

Alan DeKok.
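Why the server needs the clear-text password to check a CHAP-Password attribute, shown as an added example that is not part of the original thread. It follows the CHAP computation from RFC 1994 and the 17-octet CHAP-Password layout from RFC 2865; the identifier, challenge, password and the salted SHA-256 stand-in for "a directory that only keeps a one-way hash" are constructed values, not AD's storage format.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the NAS sends as CHAP-Password: 1 octet CHAP ident + 16 octet response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """Server side: recompute the digest from whatever secret the back end holds.

    This only succeeds when stored_secret is the exact byte string the user
    typed, because the password is an *input* to MD5 together with a fresh
    challenge; there is nothing to compare a stored hash against.
    """
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample values for the demonstration.
IDENT = 0x2A
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = b"correct horse"


def demo() -> dict:
    attr = build_chap_password(IDENT, PASSWORD, CHALLENGE)
    # Stand-in for a back end that stores only a one-way hash of the password
    # (assumption for illustration; not the format any particular directory uses).
    one_way = hashlib.sha256(b"constructed-salt" + PASSWORD).digest()
    return {
        # Back end can hand over the clear-text password: CHAP verifies.
        "cleartext_store": verify_chap(attr, CHALLENGE, PASSWORD),
        # Back end only has a hash: the digest cannot be reproduced.
        "hashed_store": verify_chap(attr, CHALLENGE, one_way),
        "wrong_password": verify_chap(attr, CHALLENGE, b"wrong"),
        # The attribute never carries the password itself, so there is no
        # User-Password to pass on to a module such as PAM.
        "password_in_attr": PASSWORD in attr,
        "attr_length": len(attr),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```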
Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)
Phil, Thanks.

In another thread I read, you wrote:
---
The MS-CHAP module requires either the MD4-based NT password hash, the
plaintext password from which it can derive the NT hash, or callout to
Samba & domain membership.
---
Does this mean that if I setup Samba on this box, get it to be a member of the domain exchanging Domain UIDs and passwords, I could then authenticate to Samba from my MS-CHAP-speaking NAS?

BTW, for any non-native English speakers, if you want the definition of SOL, e-mail me privately and I'll explain.

Patrick

On 1/27/06, Phil Mayers <[EMAIL PROTECTED]> wrote:
> Patrick Bartkus wrote:
>> Has this been solved or am I SOL?
>
> It is not a code bug. It is a fundamental feature of the algorithm. It
> *cannot* be solved. You are, as you put it, SOL.
using stored procedures with freeradius
Hi all,

I'm using freeradius with sybase using freetds and unixodbc. For some purposes, I had to use stored procedures and changed sql statements in sql.conf to procedure calls like "EXEC -". I have two questions at this point:

1) Has anyone used this method before?
2) Examining my logs, I found that some sockets are getting an 'Invalid cursor State' error from the unix-odbc driver in some cases and they don't work anymore. What can it be?

Thanks in advance
R: R: SQL.conf new query
Thank you Alan for your reply.

As written by Paolo, we simply added a query (postauth_mac_query) to sql.conf file that gives back user's MAC address:

...
...
postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
postauth_mac_query = "INSERT into ${authcheck_table} (UserName, Attribute, op, Value) VALUES ('%{SQL-User-Name}', 'Calling-Station-Id', ':=', '%{Calling-Station-Id}')"

The query was built on the model of the postauth_query one, so no problems should arise about its syntax. In fact, if we change the content of postauth_query with the one of post_mac_query, it works fine (MAC address is inserted into radcheck table).

The problem is that it seems that freeRADIUS does not recognize the new defined query (postauth_mac_query); in fact, looking at debug output, we can see calls to all other queries but not to the new one.

So the question is: how to let freeRADIUS understand when to call each single query defined in the sql.conf file?

Any advice?

Regards,
Carlo

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Paolo Pellicori
Sent: Friday 27 January 2006 10.12
To: 'FreeRadius users mailing list'
Subject: R: R: SQL.conf new query

I have appended the query to the existing ones, but without result.

postauth_mac_query = "INSERT into ${authcheck_table} (UserName, Attribute, op, Value) VALUES ('%{SQL-User-Name}', 'Calling-Station-Id', ':=', '%{Calling-Station-Id}')"
postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"

in the startup log only the postauth_query is loaded:

sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'"
sql: connect_failure_retry_delay = 60
sql: simul_count_query = ""
sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
sql: postauth_table = "radpostauth"
sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"

it does not appear and consequently it does not work :(

Solutions?

Regards

Sent: Thursday 26 January 2006 18.41
To: FreeRadius users mailing list
Subject: Re: R: SQL.conf new query

> I would like to build a new query to insert
> user's MAC address into radcheck table, as users log-out (accounting-stop
> packet).

Just append the query to the existing ones.

Alan DeKok.
Re: Error: Assertion failed in request_list.c, line 1119
masetio wrote:
> I used FS freeradius-snapshot-20060119 in Debian Sarge, if FS running on daemon mode have error like :
>
> Wed Jan 25 00:51:34 2006 : Info: Ready to process requests.
> Wed Jan 25 02:05:16 2006 : Error: Assertion failed in request_list.c, line 1119
>
> 'n crash but if running in Debug mode (radiusd -X) work fine... plz i need help to solve that problem

Well I'll reply again. You could comment out the assertion, but then you might get segfaults. You could replace the assertion with a

if(...) return 0;

That might only cause memory leaks.

and since the only way you get to this assertion is if request->finished == TRUE; This gets set in a number of places

./src/main/request_list.c: request->finished = TRUE;
This is after the proxied request is rejected. Do you see anything else in your logs?

./src/main/request_list.c: request->finished = TRUE;
This is set only for over time limit requests AND only if you have mainconfig.kill_unresponsive_children which corresponds to delete_blocked_requests in radiusd.conf, so check that

./src/main/request_list.c: request->finished = TRUE;
Set after we fail to proxy accounting requests. What do you see in your logs?

./src/main/request_process.c: request->finished = finished; /* do as the LAST thing before exiting */
Done only after setting child_pid, assertion should be true. Do you see anything else in your logs?

./src/main/threads.c: request->finished = TRUE;
./src/main/threads.c: request->finished = TRUE;
Both of these are if the queuing of the request failed; assertion should be true. Do you see anything else in your logs?
Re: Authenticating CHAP-Password to Pam (Kerberos 5 to AD)
Patrick Bartkus wrote:
> Please tell me someone has fixed this problem.
>
> I'm trying to authenticate an Ascend MAX dial-up server back to Windows Active Directory. I am using a local unix group for authorization. I have Pam set up on my system and it uses Kerberos 5 to authenticate to AD just fine. But I'm getting:
>
> auth: type "PAM"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_pam: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
> modcall[authenticate]: module "pam" returns invalid for request 0
>
> I did some checking and found this posting from 2003 basically saying it can't be done:
> http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg19439.html
>
> I do have other options other than the Windows Domain authentication, but I was not wanting to pursue them unless I had to.
>
> Has this been solved or am I SOL?

It is not a code bug. It is a fundamental feature of the algorithm. It *cannot* be solved. You are, as you put it, SOL.
Re: SV: how to set crypted password in 'users' file?
Torkel Mathisen wrote:
> "Min Qiu" <[EMAIL PROTECTED]> wrote:
> However, cut and paste the crypted password from /etc/shadow to the entry failed:
> mqiu Auth-Type := Local, User-Password == "$1$CWOjXm2v$dzjrc385t1iQXMN0"
> UseL Crypt-Password := "$1$CWOjXm...
>
> I'm using PEAP/MS-CHAPv2 for authentication. In the users file I only got the login name and a clear-text password. I really want to start using Crypt-Password, but didn't quite get that to work.

You cannot use the unix crypt password value for the MS-CHAP algorithm.

The MS-CHAP module requires either the MD4-based NT password hash, the plaintext password from which it can derive the NT hash, or callout to Samba & domain membership.
Re: Debian + Exec-Program = Zombie process
George Chelidze wrote:
> versions. Can I make some tests to narrow down the problem, or some other actions.
>
> Best Regards,
> George

I suppose you could add some debug code to where you believe the calls to waitpid should be/are.

The way I read it, without threads it should be in src/main/radiusd.c:631 in cvs 20060124

Joe
Re: Freeradius and Subversion ???
http://www.freeradius.org/mod_auth_radius/

Frank Reiss wrote:

> Hi
>
> I would like to setup subversion and tortoiseSVN to use freeradius and am
> wondering how to do this.
> I currently have Subversion setup with apache for authentication.
>
> Thank You,
> Frank Reiss
Freeradius and Subversion ???
Hi

I would like to setup subversion and tortoiseSVN to use freeradius and am wondering how to do this. I currently have Subversion setup with apache for authentication.

Thank You,
Frank Reiss
Re: SV: how to set crypted password in 'users' file?
hi,

the interesting part of the log posted is:

rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 22
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for tom with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 22
modcall: group Auth-Type returns reject for request 22
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 22
modcall: group authenticate returns reject for request 22
auth: Failed to validate the user.

this would suggest that you haven't configured the mschapv2 part correctly or that you haven't defined a password attribute for 'tom' correctly in your users.conf file.

have you defined a Crypt-Local eg (and I'm not going to be 100% accurate here because I haven't had a setup done this way for a long time)

USER Auth-Type := Crypt-Local, Password == "CRYPTEDPASSWORD"

Alan
SV: how to set crypted password in 'users' file?
> "Min Qiu" <[EMAIL PROTECTED]> wrote:
> > However, cut and paste the crypted password from /etc/shadow to
> > the entry failed:
> >
> > mqiu Auth-Type := Local, User-Password == "$1$CWOjXm2v$dzjrc385t1iQXMN0"
> > UseL Crypt-Password := "$1$CWOjXm...

I'm using PEAP/MS-CHAPv2 for authentication. In the users file I only got the login name and a clear-text password. I really want to start using Crypt-Password, but didn't quite get that to work.

Do I understand it correctly you only need to take your standard unix password from /etc/shadow and use that in users with Crypt-Password?

# more /etc/shadow
tom:jYyrl:13112::

In users file I got:

tom Crypt-Password := " jYyrl"

I didn't get that to work. What am I missing here? Couldn't really find much info on it out there.

This is the debug log I got:

rad_recv: Access-Request packet from host 192.168.2.4:21654, id=120, length=126
        User-Name = "tom"
        Framed-MTU = 1400
        Called-Station-Id = "000e.8401.cd50"
        Calling-Station-Id = "0015.0015.adaa"
        Message-Authenticator = 0xca4c7181b9338edb3e176297682f33f7
        EAP-Message = 0x0201000801746f6d
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 268
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.2.4
        NAS-Identifier = "AP1100-D2"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 16
modcall[authorize]: module "preprocess" returns ok for request 16
modcall[authorize]: module "mschap" returns noop for request 16
rlm_realm: No '@' in User-Name = "tom", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 16
rlm_eap: EAP packet type response id 1 length 8
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 16
users: Matched entry tom at line 91
modcall[authorize]: module "files" returns ok for request 16
modcall: group authorize returns updated for request 16
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 16
modcall: group authenticate returns handled for request 16
Sending Access-Challenge of id 120 to 192.168.2.4:21654
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0x01f769bbe79093c3c406a98a01294187
Finished request 16
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.4:21654, id=121, length=238
        User-Name = "tom"
        Framed-MTU = 1400
        Called-Station-Id = "000e.8401.cd50"
        Calling-Station-Id = "0015.0015.adaa"
        Message-Authenticator = 0xcccf1d38bc8d263feddbb303acbdcb41
        EAP-Message = 0x020200661900160301005b0157030143da12d4d113043b760adb7ce542b365f5d8 806e659d5eb591e677044dd072b03000390038003500160013000a00330032002f00 66000500040065006400630062006000150012000900140011000800030100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 268
        State = 0x01f769bbe79093c3c406a98a01294187
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.2.4
        NAS-Identifier = "AP1100-D2"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 17
modcall[authorize]: module "preprocess" returns ok for request 17
modcall[authorize]: module "mschap" returns noop for request 17
rlm_realm: No '@' in User-Name = "tom", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 17
rlm_eap: EAP packet type response id 2 length 102
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 17
users: Matched entry tom at line 91
modcall[authorize]: module "files" returns ok for request 17
modcall: group authorize returns updated for request 17
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 17
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
RLM_LDAP INSTALL
Hi all

I am going to install the rlm_ldap module in order to make some easy and simple tests. I am using:

FreeRadius 1.0.5
Solaris 9

** Which version of openldap do you recommend me to install?
** Is it necessary to install OpenSSL in order to do simple tests (not SSL connections)?
** And Cyrus SASL?

Thanks in advance,
Susana
Exec-Program
Hi,

Hope someone can help me to give me a more detailed explanation about Exec-Program. I see this in the acct_users file.

DEFAULT Acct-Status-Type == Start
        Exec-Program = "/path/to/exec/acct/start"

Do we have to make our own file for this Exec-Program or is there already one provided in the basic package? Or if not, can someone give me an example of this file?

Sorry if I ask a stupid favor, since I am still a newbie in this field.

Thanks a lot
Priscilla
Configuring free radius to use Active directory service
> 1. How to configure the freeradius1.0.5 version, to support Active
> directory service for user authentication.
> For ldap .. we have rlm_ldap module to configure it. Same kind of
> configuration is there for ADS also ??

Sumithra; that part is quite easy. Here's what I've just done;

ldap {
        server = ""
        identity = "
        password = "
        basedn = "highest part of tree to start searching from"
        filter = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
}

authorize {
        preprocess
        suffix
        auth_log
        ldap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type LDAP {
                ldap
        }
}

If you're wanting to search multiple trees, that's another matter, but that should get you started. See my earlier post about problems with W2k3 trees and their behaviour with searches.

VLAN's I'll leave to someone who understands that part of FR better.

Regards

Stephen Walsh [EMAIL PROTECTED]
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133 Fax: +61 2 6209 1179 Mobile: +61 419 496796
CRICOS Registration: 4G, 00112C, 00873F, 00885B
ABN 15 050 192 660
RES: VSA Problem
Thanks Guy, it was my mistake. I updated the dictionary and I see the correct parameters.

Romao.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Guy Davies
Sent: Thursday, January 26, 2006 17:59
To: FreeRadius users mailing list
Subject: Re: VSA Problem

Hi Romao,

What are you using to view the packet? Many packet analysis and RADIUS check tools require their own dictionary (e.g. NTRadPing). If this is the case and you've not updated the dictionary for that tool, then that's exactly what I'd expect you to see.

Rgds,
Guy

On 26/01/06, Romao Izumi Ito <[EMAIL PROTECTED]> wrote:

Hello,

I'm working with Nortel Network Passport and I'm trying to configure a new dictionary on the freeradius. In the vendors doc we have following VSA and Vendor-ID:

VENDOR nortel 562
ATTRIBUTE Passport-Command-Scope 200 integer nortel
ATTRIBUTE Passport-Command-Impact 201 integer nortel
ATTRIBUTE Passport-Customer-Identifier 202 integer nortel
ATTRIBUTE Passport-Allowed-Access 203 integer nortel
ATTRIBUTE Passport-AllowedOut-Access 204 integer nortel
ATTRIBUTE Passport-Login-Directory 205 string nortel
ATTRIBUTE Passport-Timeout-Protocol 206 integer nortel
ATTRIBUTE Passport-Role 207 string nortel
...

I configure the file dictionary.nortel in /etc/raddb and include it in dictionary file. Also I tried it in /usr/share/freeradius/. I added this attributes in the users file but when I look at the radius packet I see:

Vendor Specific(26), Vendor: Undefined(562)
Unknown Type(200), Value: Unknown Value type

What am I doing wrong?

Thank you,
Romao.
Authenticating CHAP-Password to Pam (Kerberos 5 to AD)
Please tell me someone has fixed this problem.

I'm trying to authenticate an Ascend MAX dial-up server back to Windows Active Directory. I am using a local unix group for authorization.

I have Pam set up on my system and it uses Kerberos 5 to authenticate to AD just fine. But I'm getting:

auth: type "PAM"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_pam: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
modcall[authenticate]: module "pam" returns invalid for request 0

I did some checking and found this posting from 2003 basically saying it can't be done: http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg19439.html

I do have other options other than the Windows Domain authentication, but I was not wanting to pursue them unless I had to.

Has this been solved or am I SOL?

Patrick
Re: AD ldap bind works with 1.01, fails with 1.04
> I have no idea. I've looked, and can't see anything that would
> affect that.
>
> Alan DeKok.

Hi Alan

Thanks for the reply. We ended up reverting the production box to FC3 and 1.01, only to have it fail with the same error!

I've since written a ldap module for each student campus/ou specifying it down to ou to search in.

ldap Canberra {
        basedn = "ou=students,ou=users,ou=signadou,dc=student(etc)"
}

and then added an entry for each in Authorize and Authenticate.

Why my test box with FC3/1.01 works and nothing else does is beyond me, but this clunky option seems to work. It may be of interest to note that our Student tree is native w2k3, while our staff tree is w2k.

I also found an entry on a forum that referred to having to change the heuristic search value on the AD DC, I've pasted it below in the hope it may help someone in the future with the same problem.

dmeehan at flcancer dot com
12-Aug-2004 04:26

If you're having problems running LDAP searches on the base DC against Active Directory 2k3, you need to set dsHeuristics to 002 in Active Directory. This allows searches to function similar to how they did in Active Directory 2k2.

You can update dsHeuristics by launching ldp.exe goto 'connection' and create a new connection. Then goto bind and bind to your ldap server. Next select the 'Browse' menu and choose 'modify'.

The DN *might* look like this: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mycompany,DC=com
Attribute is: dsHeuristics
Value is: 002

Set the operation to replace and you should be set. This solves the 'Operations error' error that happens when attempting to search without specifying an OU.

-d
Re: How to start a session
Hi Alan,

thanks a lot for the input. I already have the book now.

Santy

--- Alan DeKok <[EMAIL PROTECTED]> wrote:

> San <[EMAIL PROTECTED]> wrote:
> > How can we measure the users usage. Where should I put
> > the attribute session start and how i use the session
> > stop. (what are the command?)
>
> But the O'Reilly RADIUS book and read it.. The answer to your
> question is too long to post here.
>
> > I really lost in this part. Every documents that I can
> > find only explain until authenticate and authorize
> > between NAS and server. But after that I don't have
> > clue.
>
> Because you appear to be writing a NAS. The documents don't tell
> you how to implement a NAS. For that, read the RFC's and the O'Reilly
> book.
>
> Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Min,

I have installed FreeRadius from a RPM. I am running FreeRadius as user radiusd and group root.

Att,

Nataniel Klug

- Original Message -
From: "Min Qiu" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Thursday, January 26, 2006 7:16 PM
Subject: RE: Problems System Auth with FreeRadius (/etc/shadow)

> You may read the doc wrong. The group you should look for is
> "radiusd". When you create user "radiusd", the group "radiusd"
> should also be created if you use adduser command to do the job.
> You don't want user "radiusd" belong to group "root". Do
> "chgrp radiusd /etc/shadow".
>
> Min
>
> > -Original Message-
> > From: [EMAIL PROTECTED] freeradius.org [mailto:freeradius-users-bounces+mqiu=globalinternetworking.co [EMAIL PROTECTED] On Behalf Of Nataniel Klug
> > Sent: Thursday, January 26, 2006 3:57 PM
> > To: FreeRadius users mailing list
> > Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
> >
> > Alan,
> >
> > Now you have given me a tip... At my Fedora there is no group
> > shadow, so I put radius to run as group "root" so it could read
> > /etc/shadow only if I set +r to group at shadow files.
> >
> > Att,
> >
> > Nataniel Klug
> >
> > - Original Message -
> > From: "Alan DeKok" <[EMAIL PROTECTED]>
> > To: "FreeRadius users mailing list"
> > Sent: Thursday, January 26, 2006 3:37 PM
> > Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
> >
> > > "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > > > I just have installed the package from Fedora Core 3, nothing else.
> > >
> > > Then look at the configuration file. See how it's different from
> > > what is shipped with FreeRADIUS.
> > >
> > > And setting "a+rw" on /etc/passwd and /etc/shadow is probably the
> > > single worst thing you can do to your system. EVER. Rather than
> > > doing that, read raddb/radiusd.conf, it talks about issues with
> > > reading /etc/shadow, and describes suggested fixes won't destroy your
> > > system.
> > >
> > > Honestly, I don't understand why it's so hard to read the
> > > configuration files.
> > >
> > > Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Alan,

The server is running as user radiusd and group root.

Att,

Nataniel Klug

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Thursday, January 26, 2006 8:26 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > Now you have given me a tip... At my Fedora there is no group shadow
>
> $ vi /etc/group
>
> add "shadow" ??
>
> > so I put radius to run as group "root" so it could read /etc/shadow
> > only if I set +r to group at shadow files.
>
> It's usually better to *not* run the server as root.
>
> Alan DeKok.
cisco nopassword username
hello,

I'm working with Cisco 3745 router, and I'm trying to move local AAA to radius. Local username database looks like this:

username user_a nopassword noescape
username user_a autocommand connect hostname..

In radius I did this:

user_a Auth-Type = Accept
        cisco-avpair = "shell:autocmd=connect hostname.",
        Fall-Through = 0

But it's no good. I need the router not to ask for password at all ! Is it possible with Cisco and freeradius ?

regards
Kuba
SV: radkill and a small question about radwho
> "Torkel Mathisen" <[EMAIL PROTECTED]> wrote:
> > I read about the radkill program in the FAQ. However the link doesn't
> > work so I was wondering if anyone had a new link to that program?
>
> google?

Tried that. No luck. None of the links I found worked. Not the link in FAQ, not freshmeat.net and that's all I found.

> > Also I got a simple question about radwho. It doesn't seem to output the
> > last part of the AP ip-address:
>
> Because there's only so much room in that column.

Ok. So it's normal then. Just looked a bit strange to me. Couldn't see the whole ip-address. Guess I'll stick to radwho -r then.

Regards,
Torkel
R: R: SQL.conf new query
I have appended the query to the existing ones, but without it turns out to you.

postauth_mac_query = "INSERT into ${authcheck_table} (UserName, Attribute, op, Value) VALUES ('%{SQL-User-Name}'', 'Calling-Station-Id', ':=', '%{Calling-Station-Id}')"
postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"

in the log of start you come only loaded the postauth_query:

sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'"
sql: connect_failure_retry_delay = 60
sql: simul_count_query = ""
sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
sql: postauth_table = "radpostauth"
sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"

it does not appear and consequently it does not work: (

Solutions?

Regards

Sent: Thursday, January 26, 2006 18:41
To: FreeRadius users mailing list
Subject: Re: R: SQL.conf new query

> I would like to build a new query to insert
> user's MAC address into radcheck table, as users log-out (accounting-stop
> packet).

Just append the query to the existing ones.

Alan DeKok.
How to modify attribute by rlm_exec
Dear All,

I want to set NAS-Port=100 in the proxied request packet. In my test, if the received packet does not have a NAS-Port attribute, it succeeds. If it has one, it fails: the value is not modified.

Can anyone tell me how to modify an attribute with the rlm_exec module?

Regards,
Roger