Termination when there is no traffic
Hi there, I've got a little problem with my radius server. I use it for dial-in accounts via ISDN. I've the problem that connections are terminated automatically when no traffic is on the line. The authentication works without problems, but I do not know which parameter I have to change so that connections won't be terminated automatically anymore. Could anyone help me with this? Thank you! Regards, John - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Redundant ldap's bug?
Thanks Alan. Nevertheless I will try the solution of one CA for the two servers; if it's the same, it will probably work. I will post the result later. Cheers.
Alan DeKok wrote:
Paulo Cabrita [EMAIL PROTECTED] wrote:
... See: http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/libldap/tls.c?rev=1.133hideattic=1sortbydate=0 ... static char *tls_opt_cacertfile = NULL; ...
Yup. It's a bug in the OpenLDAP client library. They don't support multiple users of LDAP connections in the same program. I'll file a bug with the OpenLDAP project.
Alan DeKok.
--
Sincerely,
Paulo Cabrita, MSc
Director of the Centro de Informática, Universidade Autónoma de Lisboa
Tel: +351-213177635
Fax: +351-213533702
E-mail: [EMAIL PROTECTED]
Re: Freeradius cannot find rlm_sql_postgresql driver!
lmyho wrote:
I am trying to test the freeradius to work with postgresql database. Just installed freeradius 1.1.0 on debian system via 'aptitude install' command of debian. [...]
Error: rlm_sql (sql): Could not link driver rlm_sql_postgresql: rlm_sql_postgresql.so: cannot open shared object file: No such file or directory
The licenses of PostgreSQL and FreeRADIUS are incompatible, therefore Debian doesn't distribute a binary version of the PostgreSQL module. You could build a Debian package from source with the tarball of FreeRADIUS 1.1.1 from www.freeradius.org. The FAQ explains how to do this: http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ
-- Nicolas Baradakis
Re: Compiling freeradius 1.1.1 in FreeBSD 6.0 with mysql support
Mark Hennessy wrote:
checking for mysql_init in -lmysqlclient_r (using mysql_config)... no
checking for mysql_init in -lmysqlclient_r... no
FreeRADIUS requires the thread-safe version of the MySQL client library, unless you configure it with the option --without-threads.
It's not seeing mysql libraries, but they do indeed exist:
# ls -al /usr/local/mysql/lib/mysql
total 1974
drwxr-xr-x 2 root wheel 512 Apr 5 10:39 .
drwxr-xr-x 3 root wheel 512 Apr 5 10:39 ..
-rw-r--r-- 1 root wheel 14446 Apr 5 10:39 libdbug.a
-rw-r--r-- 1 root wheel 41928 Apr 5 10:39 libheap.a
-rw-r--r-- 1 root wheel 13640 Apr 5 10:39 libmerge.a
-rw-r--r-- 1 root wheel 331488 Apr 5 10:39 libmyisam.a
-rw-r--r-- 1 root wheel 24934 Apr 5 10:39 libmyisammrg.a
-rw-r--r-- 1 root wheel 472466 Apr 5 10:39 libmysqlclient.a
-rwxr-xr-x 1 root wheel 871 Apr 5 10:39 libmysqlclient.la
lrwxr-xr-x 1 root wheel 20 Apr 5 10:39 libmysqlclient.so -> libmysqlclient.so.14
-rwxr-xr-x 1 root wheel 387482 Apr 5 10:39 libmysqlclient.so.14
-rw-r--r-- 1 root wheel 237570 Apr 5 10:39 libmystrings.a
-rw-r--r-- 1 root wheel 253852 Apr 5 10:39 libmysys.a
-rw-r--r-- 1 root wheel 105640 Apr 5 10:39 libnisam.a
-rw-r--r-- 1 root wheel 5472 Apr 5 10:39 libvio.a
I don't see the file libmysqlclient_r.so in your setup. Re-install MySQL with thread support, or configure FreeRADIUS without thread support.
-- Nicolas Baradakis
Re: Problem with Cisco-AVPair
Hi I think you have to try in this way (for example):
TEST4 Cisco-AVPair == "ssid=SSID1", Auth-Type := EAP
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN
DEFAULT Auth-Type := Reject
if you want a password:
TEST4 Cisco-AVPair == "ssid=SSID1", User-Password="", Auth-Type := EAP
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN
DEFAULT Auth-Type := Reject
Regards sergio
Antonio Matera wrote:
My goal is to have authenticate user only if the SSID is right! You know how can I do it? Thanks Antonio
on 05/04/2006 17.33 Sergio Sagliocco said the following:
Hello your goal is authenticate users only if the SSID is right or to have different EAP Authentication method based on SSID? regards sergio
Antonio Matera wrote:
Hallo, thanks for the answer. With your solution my radius don't authenticate my users. Is my configuration correct or I need other change in my radius files? Thanks bye
on 05/04/2006 15.27 Sergio Sagliocco said the following:
Hi I think you have to use == instead of := For example:
DEFAULT Cisco-AVPair == "ssid=testLEAP", EAP-Type := Cisco-LEAP
Regards
--
Sergio SAGLIOCCO
SecureLAB - http://www.securelab.it
CSP s.c. a r.l. - http://www.csp.it
Villa Gualino Viale Settimo Severo, 63 - 10133 Torino [IT]
tel. +39 011 481 5140 - Mobile +39 348 6024078
fax +39 011 481 5001
pre-proxy programme
I know, I know, I'm very tedious. How can we programme the pre-proxy stage of a freeRADIUS proxy PC in order to reject the request if the domain of the user doesn't have quota (in a proxy's MySQL database table)? I've been looking for the answer for two days:
a) rlm_exec module in a pre-proxy stage returning exit 1 if a local MySQL query doesn't return positive quota. -- PROBLEM: No way of returning a REPLY-Message with the termination cause
b) our own module rlm_X from rlm_example -- PROBLEM: return to my C acknowledgements and back to compiling, buff ...
c) Trying to do in some way a mapping between a realm and 2 authservs (1 is local mysql) and get the authentication from an AND function of both answers.
Isn't there a better solution? Please help us, we can't find much clear information about freeradius, neither in the Wiki!
Can Juniper router or firewall configured on Free radius
Hi All, Any one can help me juniper equipments are configured on free radius? If so please help me out the server side configuration of users on Redhat. If there are any referral web links please do let me know. A quick response in this regard would be highly appreciated. Regards Venugopal
Re: Termination when there is no traffic
On Thursday 06 April 2006 04:29, Johnny wrote:
I do not know which parameter I have to change so that connections won't be terminated automatically anymore.
That's a function of the NAS and/or the user's PC. Read NAS docs on session timeout value.
Zoltan Ori
Re: User in Multiple Groups
Scott Reed wrote:
I have searched the archive and came close to figuring this out, but I have not
Don't start your query as part of another thread please.
Configuration tables:
USERGROUP
80 sreed MS1-AP1
76 treed MS1-AP1
78 sreed Router-Admin
79 treed Router-Admin
81 dreed Router-Admin
RADCHECK
331 dreed User-Password == password
269 treed User-Password == password
267 sreed User-Password == password
This should be := for User-Password. If the match is failing, that may be the issue.
RADGROUPCHECK
31 Router-Admin Service-Type == Login-User
28 MS1-AP1 Service-Type == Framed-User
RADREPLY
33 sreed Fall-Through = yes
43 treed Fall-Through = yes
RADGROUPREPLY
33 MS1-AP1 Port-Limit = 128k 15
34 Router-Admin Mikrotik-Group = full 10
39 Router-Admin Fall-Through = Yes 10
37 MS1-AP1 Fall-Through = Yes 15
I don't think Fall-Through does anything in rlm_sql. What are you expecting it to do?
rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
        Service-Type = Login-User
        User-Name = treed
        User-Password = password
        Calling-Station-Id = 192.168.100.240
        NAS-Identifier = HotSpot
        NAS-IP-Address = 192.168.100.13
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = treed, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 1
radius_xlat: 'treed'
rlm_sql (sql): sql_set_user escaped user -- 'treed'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'treed' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
What is the result of this query if you execute it directly against the database?
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'treed' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.prio
Again, what does this query give against the database?
rlm_sql (sql): No matching entry in the database for request from user [treed]
This error code is returned if the check items don't match the request. Possibly take a look in:
src/modules/rlm_sql/rlm_sql.c
...around line 860 (depending on the version you're running) and uncomment these lines:
/*
 * Uncomment these lines for debugging
 * Recompile, and run 'radiusd -X'
 */
/*
DEBUG2("rlm_sql: check items");
vp_listdebug(check_tmp);
DEBUG2("rlm_sql: reply items");
vp_listdebug(reply_tmp);
*/
...then recompile and run again.
Re: Problem with Cisco-AVPair
Hallo, If I set Cisco-AVPair == "ssid=SSID1" in my user authentication, the authentication fails with any ssid and user. If I set Cisco-AVPair := "ssid=SSID1" my users are always authenticated. Is there any other configuration to set in the radius or in the access point? In my access request there is the AVPair attribute:
rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
        User-Name = "TEST4"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Cisco-AVPair = "ssid=VLAN3"
        Service-Type = Login-User
        Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
        EAP-Message = 0x020600060d00
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "260"
        NAS-Port = 260
        State = 0x0491685cf8ece3184d685dedfedbb3d4
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"
but I don't understand if it works... Any idea? Thanks
on 06/04/2006 11.39 Sergio Sagliocco said the following:
Hi I think you have to try in this way (for example):
TEST4 Cisco-AVPair == "ssid=SSID1", Auth-Type := EAP
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN
DEFAULT Auth-Type := Reject
if you want a password:
TEST4 Cisco-AVPair == "ssid=SSID1", User-Password="", Auth-Type := EAP
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN
DEFAULT Auth-Type := Reject
Regards sergio
Antonio Matera wrote:
My goal is to have authenticate user only if the SSID is right! You know how can I do it? Thanks Antonio
on 05/04/2006 17.33 Sergio Sagliocco said the following:
Hello your goal is authenticate users only if the SSID is right or to have different EAP Authentication method based on SSID? regards sergio
Antonio Matera wrote:
Hallo, thanks for the answer. With your solution my radius don't authenticate my users. Is my configuration correct or I need other change in my radius files? Thanks bye
on 05/04/2006 15.27 Sergio Sagliocco said the following:
Hi I think you have to use == instead of := For example:
DEFAULT Cisco-AVPair == "ssid=testLEAP", EAP-Type := Cisco-LEAP
Regards
--
Antonio Matera
CREATE-NET
Via Solteri, 38 - 38100 Trento
e-mail: [EMAIL PROTECTED]
phone: +39 0461 408400 ext. 305
fax: +39 0461 421157
www.create-net.org
Re: Can Juniper router or firewall configured on Free radius
On Thursday 06 April 2006 06:56, Venu Gopal wrote:
Hi All, Any one can help me juniper equipments are configured on free radius? If so please help me out the server side configuration of users on Redhat. If there are any referral web links please do let me know. A quick response in this regard would be highly appreciated.
Google 'Juniper radius configuration' or read the 'help topic system radius-server' from the router cli. Juniper specific attributes are listed there.
On Juniper router:
[edit system]
radius-server server-address {
    port number;
    secret password;
    retry number;
    timeout seconds;
}
On freeRADIUS make entries for the router as you would for any NAS in clients.conf and user using any of the applicable attributes.
Zoltan Ori
Re: User in Multiple Groups
I did not usurp a thread, I reposted my own. I changed radcheck to have := instead of ==. No change.
First query returns:
+----+--------------+--------------+-------------+----+
| id | GroupName    | Attribute    | Value       | op |
+----+--------------+--------------+-------------+----+
| 28 | MS1-AP1      | Service-Type | Framed-User | == |
| 31 | Router-Admin | Service-Type | Login-User  | == |
+----+--------------+--------------+-------------+----+
Second query returns
+----+--------------+----------------+-------+----+
| id | GroupName    | Attribute      | Value | op |
+----+--------------+----------------+-------+----+
| 34 | Router-Admin | Mikrotik-Group | full  | =  |
| 39 | Router-Admin | Fall-Through   | Yes   | =  |
| 37 | MS1-AP1      | Fall-Through   | Yes   | =  |
| 33 | MS1-AP1      | Port-Limit     | 128k  | =  |
+----+--------------+----------------+-------+----+
I have a document from the FreeRadius WIKI (rlm_sql) that says, Processing continues to the next group IF: There was not a match for the last group's check items OR Fall-Through was set in the last group's reply items. If the user logs into a router, the request is for Login-User and they should get the Router-Admin replies. If they log in to an AP, the request is Framed-User and they should get the AP replies.
Scott Reed
Owner
NewWays Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net
-- Original Message ---
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thu, 06 Apr 2006 13:22:39 +0100
Subject: Re: User in Multiple Groups
Scott Reed wrote:
I have searched the archive and came close to figuring this out, but I have not
Don't start your query as part of another thread please.
Configuration tables:
USERGROUP
80 sreed MS1-AP1
76 treed MS1-AP1
78 sreed Router-Admin
79 treed Router-Admin
81 dreed Router-Admin
RADCHECK
331 dreed User-Password == password
269 treed User-Password == password
267 sreed User-Password == password
This should be := for User-Password. If the match is failing, that may be the issue.
RADGROUPCHECK
31 Router-Admin Service-Type == Login-User
28 MS1-AP1 Service-Type == Framed-User
RADREPLY
33 sreed Fall-Through = yes
43 treed Fall-Through = yes
RADGROUPREPLY
33 MS1-AP1 Port-Limit = 128k 15
34 Router-Admin Mikrotik-Group = full 10
39 Router-Admin Fall-Through = Yes 10
37 MS1-AP1 Fall-Through = Yes 15
I don't think Fall-Through does anything in rlm_sql. What are you expecting it to do?
rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
        Service-Type = Login-User
        User-Name = treed
        User-Password = password
        Calling-Station-Id = 192.168.100.240
        NAS-Identifier = HotSpot
        NAS-IP-Address = 192.168.100.13
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = treed, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 1
radius_xlat: 'treed'
rlm_sql (sql): sql_set_user escaped user -- 'treed'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'treed' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
What is the result of this query if you execute it directly against the database?
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'treed' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND
Re: Problem with Cisco-AVPair
I don't think you should be setting the Auth-Type. Just let FreeRADIUS work that out. What are you doing with your Cisco AP? Are you doing PEAP/MS-CHAPv2? If so, then you must have a User-Password == "foo" in your user database and you *must not* set Auth-Type := EAP. You should do as Sergio says and use == in your Cisco-AVPair check item. This is a comparison.
Rgds, Guy
On 06/04/06, Antonio Matera [EMAIL PROTECTED] wrote:
Hallo, If I set Cisco-AVPair == "ssid=SSID1" in my user authentication, the authentication fails with any ssid and user. If I set Cisco-AVPair := "ssid=SSID1" my users are always authenticated. Is there any other configuration to set in the radius or in the access point? In my access request there is the AVPair attribute:
rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
        User-Name = "TEST4"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Cisco-AVPair = "ssid=VLAN3"
        Service-Type = Login-User
        Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
        EAP-Message = 0x020600060d00
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "260"
        NAS-Port = 260
        State = 0x0491685cf8ece3184d685dedfedbb3d4
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"
but I don't understand if it works... Any idea? Thanks
on 06/04/2006 11.39 Sergio Sagliocco said the following:
Hi I think you have to try in this way (for example):
TEST4 Cisco-AVPair == "ssid=SSID1", Auth-Type := EAP
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN
DEFAULT Auth-Type := Reject
if you want a password:
TEST4 Cisco-AVPair == "ssid=SSID1", User-Password="", Auth-Type := EAP
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN
DEFAULT Auth-Type := Reject
Regards sergio
Antonio Matera wrote:
My goal is to have authenticate user only if the SSID is right! You know how can I do it? Thanks Antonio
on 05/04/2006 17.33 Sergio Sagliocco said the following:
Hello your goal is authenticate users only if the SSID is right or to have different EAP Authentication method based on SSID? regards sergio
Antonio Matera wrote:
Hallo, thanks for the answer. With your solution my radius don't authenticate my users. Is my configuration correct or I need other change in my radius files? Thanks bye
on 05/04/2006 15.27 Sergio Sagliocco said the following:
Hi I think you have to use == instead of := For example:
DEFAULT Cisco-AVPair == "ssid=testLEAP", EAP-Type := Cisco-LEAP
Regards
--
Antonio Matera
CREATE-NET
Via Solteri, 38 - 38100 Trento
e-mail: [EMAIL PROTECTED]
phone: +39 0461 408400 ext. 305
fax: +39 0461 421157
www.create-net.org
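The operator difference this thread turns on, as an added example that is not part of the original posts and not FreeRADIUS code: a simplified Python model of how a users-file check item is evaluated (`==` compares with the request, `:=` and `=` only set a control item and always match), plus a lint that flags the non-comparing operators on attributes meant to gate access. The `GATE_ATTRS` set, the sample entries and the sample requests are constructed for illustration; only single-valued attributes and the four operators shown are handled.

```python
import re

# One check item: Attribute, operator, value ("quoted" or bare).
ITEM_RE = re.compile(r'([A-Za-z0-9-]+)\s*(:=|==|!=|=)\s*(?:"([^"]*)"|([^,\s]+))')

# Assumption for this example: attributes sent by the NAS that an admin
# may want to use as an access gate. Adjust to the deployment.
GATE_ATTRS = {"Cisco-AVPair", "Called-Station-Id", "NAS-IP-Address",
              "NAS-Identifier", "Service-Type"}


def parse_entry(line):
    """Parse the first line of a users-file entry: name + check items."""
    parts = line.strip().split(None, 1)
    name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    items = []
    for m in ITEM_RE.finditer(rest):
        value = m.group(3) if m.group(3) is not None else m.group(4)
        items.append((m.group(1), m.group(2), value))
    return name, items


def item_matches(item, request):
    """Simplified check-item semantics for one (attr, op, value) item."""
    attr, op, value = item
    if op == "==":   # attribute present in the request AND equal
        return request.get(attr) == value
    if op == "!=":   # attribute present in the request AND different
        return attr in request and request[attr] != value
    # ':=' and '=' set a control item; the request is never consulted.
    return True


def decide(entries, request):
    """Return (matched entry name, outcome), first matching entry wins."""
    for line in entries:
        name, items = parse_entry(line)
        if name not in ("DEFAULT", request.get("User-Name")):
            continue
        if all(item_matches(i, request) for i in items):
            rejected = ("Auth-Type", ":=", "Reject") in items
            return name, "reject" if rejected else "proceed"
    return None, "no match"


def lint(entries, gate_attrs=GATE_ATTRS):
    """Flag gate attributes whose operator never compares anything."""
    findings = []
    for lineno, line in enumerate(entries, 1):
        name, items = parse_entry(line)
        findings += [(lineno, name, attr, op) for attr, op, _ in items
                     if attr in gate_attrs and op in (":=", "=")]
    return findings


# Constructed entries modelled on the ones posted in the thread.
WEAK = ['TEST4 Cisco-AVPair := "ssid=SSID1"', 'DEFAULT Auth-Type := Reject']
FIXED = ['TEST4 Cisco-AVPair == "ssid=SSID1"', 'DEFAULT Auth-Type := Reject']

# Constructed requests: the same user on the wrong and on the right SSID.
WRONG_SSID = {"User-Name": "TEST4", "Cisco-AVPair": "ssid=VLAN3"}
RIGHT_SSID = {"User-Name": "TEST4", "Cisco-AVPair": "ssid=SSID1"}

if __name__ == "__main__":
    for label, entries in (("weak", WEAK), ("fixed", FIXED)):
        for req in (WRONG_SSID, RIGHT_SSID):
            print(label, req["Cisco-AVPair"], "->", decide(entries, req))
        print(label, "lint:", lint(entries))
```

With `:=` the entry matches even though the request carries a different SSID, so the SSID restriction is not enforced; with `==` the same request falls through to the DEFAULT reject entry.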
Re: Can Juniper router or firewall configured on Free radius
Thanks a lot for the reply, I got this link for configuring radius, but wonder is there any modification to be done apart from cisco devices. Regards Venu
--- Zoltan A. Ori [EMAIL PROTECTED] wrote:
On Thursday 06 April 2006 06:56, Venu Gopal wrote:
Hi All, Any one can help me juniper equipments are configured on free radius? If so please help me out the server side configuration of users on Redhat. If there are any referral web links please do let me know. A quick response in this regard would be highly appreciated.
Google 'Juniper radius configuration' or read the 'help topic system radius-server' from the router cli. Juniper specific attributes are listed there.
On Juniper router:
[edit system]
radius-server server-address {
    port number;
    secret password;
    retry number;
    timeout seconds;
}
On freeRADIUS make entries for the router as you would for any NAS in clients.conf and user using any of the applicable attributes.
Zoltan Ori
Re: Problem with Cisco-AVPair
Hallo, I tried with EAP-TLS and PEAP/MS-CHAPv2. With the last, I have this user:
vlan3 Cisco-AVPair == "ssid=VLAN3", User-Password == "test"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Type = VLAN
If I insert the check == in the Cisco-AVPair attribute, I have this log:
rad_recv: Access-Request packet from host 192.168.9.104:1645, id=21, length=240
        User-Name = "vlan3"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Cisco-AVPair = "ssid=VLAN3"
        Service-Type = Login-User
        Message-Authenticator = 0x57cbe83313e35c36a3878a5151361c44
        EAP-Message = 0x020900501900170301002029a86e41268c925e584b0924c058e045487523e0b2181541f520fe517e5fa67c1703010020ebe4e512af90e916f41fc666e138157bd279a6ed7f1ab44243f67e72d18ce012
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "260"
        NAS-Port = 260
        State = 0xbb09e1038e24af4dc9f4002adb7d6b0a
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 9 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry vlan3 at line 24
modcall[authorize]: module "files" returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: leaving group authenticate (returns invalid) for request 8
auth: Failed to validate the user.
Login incorrect: [vlan3/no User-Password attribute] (from client ap-test port 260 cli 000c.f135.f1ba)
Delaying request 8 for 1 seconds
Finished request 8
The radius doesn't authenticate my user, but the SSID is correct! I don't understand what is wrong. Thanks a lot for your support... Antonio
on 06/04/2006 14.59 Guy Davies said the following:
I don't think you should be setting the Auth-Type. Just let FreeRADIUS work that out. What are you doing with your Cisco AP? Are you doing PEAP/MS-CHAPv2? If so, then you must have a User-Password == "foo" in your user database and you *must not* set Auth-Type := EAP. You should do as Sergio says and use == in your Cisco-AVPair check item. This is a comparison.
Rgds, Guy
On 06/04/06, Antonio Matera [EMAIL PROTECTED] wrote:
Hallo, If I set Cisco-AVPair == "ssid=SSID1" in my user authentication, the authentication fails with any ssid and user. If I set Cisco-AVPair := "ssid=SSID1" my users are always authenticated. Is there any other configuration to set in the radius or in the access point? In my access request there is the AVPair attribute:
rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
        User-Name = "TEST4"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Cisco-AVPair = "ssid=VLAN3"
        Service-Type = Login-User
        Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
        EAP-Message = 0x020600060d00
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "260"
        NAS-Port = 260
        State = 0x0491685cf8ece3184d685dedfedbb3d4
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"
but I don't understand if it works... Any idea? Thanks
on 06/04/2006 11.39 Sergio Sagliocco said the following:
Hi I think you have to try in this way (for example):
TEST4 Cisco-AVPair == "ssid=SSID1", Auth-Type := EAP
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN
DEFAULT Auth-Type := Reject
if you want a password:
TEST4 Cisco-AVPair == "ssid=SSID1", User-Password="", Auth-Type := EAP
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN
DEFAULT Auth-Type := Reject
Regards sergio
Antonio Matera wrote:
My goal is to have authenticate user only if the SSID is
Re: dialup admin ippool administraton
We have developed a new sqlippool module which exclusively uses SQL (Tested with Postgresql) and doesn't require configuration in radiusd.conf (at least no more than the existing sql module). We are currently load testing this for stability and will be rolling it into production tomorrow if all goes well. At that point we will also commit it to FR cvs. I suggest you wait a few days before you do too much more coding :-)
Cheers
Peter
On Wed 29 Mar 2006 12:28, Olaf Schäfer wrote:
the sqlippool module in cvs does this..
This module sounds interesting - something I haven't taken into my considerations: keeping the dynamic ippool data in the sql-db, too. And it's obvious to do it this way using a primary and a backup server. But the configuration information like range-start etc. is still stored in the radiusd.conf. My idea was to put this configuration information for each ippool into the mysql-db.
Some background information for better understanding :) My task is to migrate from MS-IAS to freeradius. Thus people are used to doing administration tasks with a GUI. :) At least normal production administration tasks should be integrated within a GUI. Putting configuration information into a db would save the parsing and editing of the radius.conf by dialup-admin scripts.
best regards, Olaf
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Redundant ldap's bug?
Hi Alan, I saw the code a little closer and I think it's not worth trying to have one CA and two certificates for each server. The LDAP client only supports the data for one connection...
static char *tls_opt_certfile = NULL;
static char *tls_opt_keyfile = NULL;
static char *tls_opt_dhfile = NULL;
static char *tls_opt_cacertfile = NULL;
static char *tls_opt_cacertdir = NULL;
What do you think?
Alan DeKok wrote:
Paulo Cabrita [EMAIL PROTECTED] wrote:
... See: http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/libldap/tls.c?rev=1.133hideattic=1sortbydate=0 ... static char *tls_opt_cacertfile = NULL; ...
Yup. It's a bug in the OpenLDAP client library. They don't support multiple users of LDAP connections in the same program. I'll file a bug with the OpenLDAP project.
Alan DeKok.
--
Sincerely,
Paulo Cabrita, MSc
Director of the Centro de Informática, Universidade Autónoma de Lisboa
Tel: +351-213177635
Fax: +351-213533702
E-mail: [EMAIL PROTECTED]
Re: Freeradius cannot find rlm_sql_postgresql driver!
On Thu 06 Apr 2006 11:58, Nicolas Baradakis wrote:
lmyho wrote:
I am trying to test the freeradius to work with postgresql database. Just installed freeradius 1.1.0 on debian system via 'aptitude install' command of debian. [...]
Error: rlm_sql (sql): Could not link driver rlm_sql_postgresql: rlm_sql_postgresql.so: cannot open shared object file: No such file or directory
The licenses of PostgreSQL and FreeRADIUS are incompatible, therefore Debian doesn't distribute a binary version of the PostgreSQL module.
Since when is the BSD license incompatible with the GPL??
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: mysql-devel??
On Thu 06 Apr 2006 06:43, Pelusa Vali wrote:
hi list, now I'd like to compile freeradius and later use dialup-admin, it needs mysql and in the book RADIUS Jonathan Hassell says it's necessary to have at least mysql-devel, but I use debian etch and can't find such a package, maybe it's not necessary for debian or new mysql versions don't use it any more?? and, by the way, how may I uninstall freeradius?? thanks for your help.
If you plan to use freeradius+mysql on debian I suggest you just install the packages that come with it. It's not really necessary to compile it yourself..
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Freeradius cannot find rlm_sql_postgresql driver!
--- Nicolas Baradakis [EMAIL PROTECTED] wrote:

lmyho wrote: I am trying to test the freeradius to work with postgresql database. Just installed freeradius 1.1.0 on debian system via 'aptitude install' command of debian. [...]

Error: rlm_sql (sql): Could not link driver rlm_sql_postgresql: rlm_sql_postgresql.so: cannot open shared object file: No such file or directory

The licenses of PostgreSQL and FreeRADIUS are incompatible, therefore Debian doesn't distribute a binary version of the PostgreSQL module. You could build a Debian package from source with the tarball of FreeRADIUS 1.1.1 from www.freeradius.org. The FAQ explains how to do this: http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ

Hi Nicolas,

Thanks very much for telling me this! I built the pkgs from tarball-1.1.1... But I got tons of warnings in the building process, tons of them! I just list a few below. Just want to know: with so many warnings, are the pkgs I built still usable? Thanks a lot for advising!!

Please see the list (only picked a few) below:

radius.c: In function 'make_secret':
radius.c:167: warning: pointer targets in passing argument 2 of 'librad_MD5Update' differ in signedness
radius.c: In function 'make_passwd':
radius.c:205: warning: pointer targets in passing argument 2 of 'librad_MD5Update' differ in signedness
radius.c: In function 'make_tunnel_passwd':
radius.c:294: warning: pointer targets in passing argument 2 of 'librad_MD5Update' differ in signedness
rlm_passwd.c: In function 'build_hash_table':
rlm_passwd.c:218: warning: pointer targets in passing argument 1 of 'hash' differ in signedness
rlm_passwd.c:232: warning: pointer targets in passing argument 1 of 'hash' differ in signedness
rlm_passwd.c: In function 'get_pw_nam':
rlm_passwd.c:299: warning: pointer targets in passing argument 1 of 'hash' differ in signedness
rlm_passwd.c: In function 'passwd_authorize':
rlm_passwd.c:536: warning: pointer targets in assignment differ in signedness
rlm_preprocess.c: In function 'cisco_vsa_hack':
rlm_preprocess.c:126: warning: pointer targets in passing argument 1 of '__builtin_strchr' differ in signedness
rlm_preprocess.c:144: warning: pointer targets in assignment differ in signedness
rlm_preprocess.c: In function 'rad_mangle':
rlm_preprocess.c:203: warning: pointer targets in passing argument 1 of '__builtin_strchr' differ in signedness
rlm_preprocess.c:206: warning: pointer targets in passing argument 1 of 'strcpy' differ in signedness
rlm_preprocess.c: In function 'huntgroup_access':
rlm_preprocess.c:375: warning: pointer targets in passing argument 1 of 'strNcpy' differ in signedness
rlm_preprocess.c:376: warning: pointer targets in passing argument 1 of 'strlen' differ in signedness
rlm_preprocess.c: In function 'add_nas_attr':
rlm_preprocess.c:404: warning: pointer targets in passing argument 1 of 'ip_hostname' differ in signedness
rlm_preprocess.c:425: warning: pointer targets in passing argument 1 of 'ip_hostname' differ in signedness
rlm_radutmp.c: In function 'radutmp_checksimul':
rlm_radutmp.c:658: warning: pointer targets in assignment differ in signedness
rlm_realm.c: In function 'check_for_realm':
rlm_realm.c:209: warning: pointer targets in passing argument 1 of 'strcpy' differ in signedness
rlm_sql.c: In function 'sql_groupcmp':
rlm_sql.c:564: warning: pointer targets in passing argument 1 of 'strlen' differ in signedness
rlm_sql.c:564: warning: pointer targets in passing argument 2 of '__builtin_strcmp' differ in signedness
rlm_sql.c:564: warning: pointer targets in passing argument 2 of '__builtin_strcmp' differ in signedness
rlm_sql.c:564: warning: pointer targets in passing argument 1 of 'strlen' differ in signedness
rlm_sql.c:564: warning: pointer targets in passing argument 2 of '__builtin_strcmp' differ in signedness
rlm_sql.c:564: warning: pointer targets in passing argument 2 of '__builtin_strcmp' differ in signedness
rlm_sql.c: In function 'rlm_sql_authorize':
rlm_sql.c:824: warning: pointer targets in assignment differ in signedness
rlm_sql.c: In function 'rlm_sql_checksimul':
rlm_sql.c:1227: warning: pointer targets in assignment differ in signedness
Re: Compiling freeradius 1.1.1 in FreeBSD 6.0 with mysql support
On Wed, 2006-05-04 at 13:08 -0400, Alan DeKok wrote:

Mark Hennessy [EMAIL PROTECTED] wrote: I'm trying to build freeradius 1.1.1 on a FreeBSD 6.0 system with MySQL 4.1.15

Doesn't the ports system work?

That's exactly what I was thinking. The port was updated on Mar. 28

checking for mysql_init in -lmysqlclient_r (using mysql_config)... no

See the config.log for details. Maybe libmysqlclient_r needs additional libraries for it to work.
Re: Can Juniper router or firewall configured on Free radius
On Thursday 06 April 2006 09:37, Venu Gopal wrote:

Thanks a lot for the reply, I got this link for configuring radius, but wonder is there any modification to be done apart from cisco devices.

I'm not sure what you mean. You have Cisco authenticating and want to have the same for Juniper? You probably need to define exactly what you are trying to accomplish and what you are working with.

On the assumption that you have Cisco working and want Juniper, too: Decide what reply attributes you need and how you will differentiate the sources of the access request. Read about huntgroups. Or, you might include both Juniper and Cisco replies in the same users entry since the devices should ignore attributes they don't understand. I won't guarantee that will work as I've not done it myself.

Zoltan Ori
Re: Freeradius cannot find rlm_sql_postgresql driver!
Peter Nixon wrote:

The licenses of PostgreSQL and FreeRADIUS are incompatible, therefore Debian doesn't distribute a binary version of the PostgreSQL module.

Since when is the BSD license incompatible with the GPL??

The old / original BSD license is not compatible. http://www.gnu.org/licenses/license-list.html#GPLIncompatibleLicenses

-- Nicolas Baradakis
Re: mysql-devel??
Pelusa Vali wrote:

I use debian etch and can't find such package, maybe it's not necessary for debian or new mysql versions don't use it any more??

In Debian etch the MySQL client headers are in package libmysqlclient15-dev. However as Peter said you should just install a binary version from Debian with apt-get.

# apt-get install freeradius-mysql freeradius-dialupadmin

If you really want to recompile FreeRADIUS yourself, search in the FAQ how to build a Debian package from sources.

and, by the way, how may I uninstall freeradius??

Like any other Debian package:

# apt-get remove freeradius

-- Nicolas Baradakis
Re: Termination when there is no traffic
Johnny [EMAIL PROTECTED] wrote:

I've got a little problem with my radius server. I use it for dial-in accounts via ISDN. I've the problem that connections are terminated automatically when no traffic is on the line. The authentication works without problems, but I do not know which parameter I have to change so that connections won't be terminated automatically anymore. Could anyone help me with this? Thank you!

http://www.freeradius.org/rfc/attributes.html

See Idle-Timeout

Alan DeKok.
Re: pre-proxy programme
Mark Supersonik [EMAIL PROTECTED] wrote:

How can we programme the pre-proxy stage of a freeRADIUS proxy PC in order to reject the request if the domain of the user doesn't have quota (in a proxy's MySQL database table) ?

Why are you doing this in the preproxy stage? Why not make the server avoid proxying completely if the user is over quota? Look at the place in your configuration where it tells the server to proxy the request, and then add "AND the quota is OK".

Alan DeKok.
Re: mysql-devel??
If you plan to use freeradius+mysql on debian I suggest you just install the packages that come with it. It's not really necessary to compile it yourself..

Thanks Peter, now my question is, I want to use it to add security to a wlan and use hostapd and driver madwifi, so, it is not necessary to compile freeradius??, I use openssl to create certificates (use eap-peap). Second, do you know any way to uninstall freeradius in debian?? thanks again.
Re: rlm_ldap: object not found
Thanks Sayantan it works!

Marc Delisle

Sayantan Bhowmick wrote:

Hi, Change the filter configuration in ldap section of radiusd.conf to the following:

filter = (cn=%{Stripped-User-Name:-%{User-Name}})

-Sayantan

On Wed, Apr 5, 2006 at 1:53 am, in message [EMAIL PROTECTED], Marc Delisle [EMAIL PROTECTED] wrote:

Hi, thanks to those who answered me for my previous post. It turned out to be a certificate problem. Now, freeradius binds to LDAP on Netware, but does not find any object:

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=college, with filter (uid=delislma)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed

Thanks, Marc Delisle
Re: pre-proxy programme
Please, look at the fact that we speak about DOMAINS quota, but not users quota. The roaming users are authenticated by the authserv of his domain (WISP). So, apart from the users quota (which doesn't affect us because the remote authserv does this work for us), there is a WISP quota, WISPs prepay to proxy a volume of resources, and we, the settlement part (proxy), must determine if before all want to permit this authorization

[access WISP]--[PROXY]--[Home WISP] | (user from Home WISP)

From: Alan DeKok [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: pre-proxy programme
Date: Thu, 06 Apr 2006 12:02:36 -0400

Mark Supersonik [EMAIL PROTECTED] wrote:

How can we programme the pre-proxy stage of a freeRADIUS proxy PC in order to reject the request if the domain of the user doesn't have quota (in a proxy's MySQL database table) ?

Why are you doing this in the preproxy stage? Why not make the server avoid proxying completely if the user is over quota? Look at the place in your configuration where it tells the server to proxy the request, and then add "AND the quota is OK".

Alan DeKok.
mysql replication vs. radrelay
hello,

I have a redundant radius server setup with two radius servers. On each of the servers freeradius 1.1.1 and mysql is running. If the primary server goes down the AC falls back to the secondary server. To keep the databases (except the radacct table) synchronised I use MySQL replication. But I'm not sure which is the best way to replicate the accounting information: using radrelay or mysql-replication, too?

Besides the man page for radrelay says "The functions of radrelay have been added to radiusd." I couldn't find any documentation about this feature. Any hints?

regards, olaf

-- Olaf Schäfer [EMAIL PROTECTED]
Re: Problem with Cisco-AVPair
On Thursday 06 April 2006 08:24, Antonio Matera wrote:

!DOCTYPE html PUBLIC -//W3C//DTD HTML 4.01 Transitional//EN

Please stop using HTML when posting your messages. You just might get a few more useful responses from people who don't bother to read html-only messages.

Kevin Bonner
Re: How to make FR reset the logs
On Thu, 2006-06-04 at 14:12 -0400, Dennis Skinner wrote:

Guy Fraser wrote: vacuum;

This is not a MySQL command. You probably want to look at CHECK TABLE, REPAIR TABLE, and OPTIMIZE TABLE. But we are getting off topic here. I will note that FreeRADIUS performance had significant improvements once the tables were changed to InnoDB from MyISAM, especially the radacct table as that fills up quick if you don't archive regularly.

I said :

I don't use MySQL very often so do not know for sure if this would work, but here goes a simple example :

  select * into radacct_old from radacct where AcctStopTime < '2006-04-01 00:00:00' ;
  delete from radacct where AcctStopTime < '2006-04-01 00:00:00' ;
  vacuum;

If you intend on using MySQL you will need to learn how to use it. There are many functions and some may help you do what you want.

I prefer PostgreSQL, which is SQL92 compliant and does support the SQL VACUUM command. MySQL database maintenance is of little interest to me, because I do not think it is good for anything but text and blob storage, and I don't need that very often. Since nobody else had attempted to answer the poster's question I suggested a possible method he could try, and suggested he learn how to maintain MySQL if he intends on using it.

I REALLY do NOT want to get into a flame war over the differences between MySQL and PostgreSQL. I based my sample on SQL standard commands hoping that MySQL would support them, but having suggested that they may not work without specifying why, may have left it open for interpretation. I am sure that for those who know MySQL well it works very well for them, but I don't care to spend the time learning how to do things the MySQL way. I have provided some assistance ensuring that the MySQL and PostgreSQL drivers had the same functionality, and have a MySQL db on the R&D machine for that purpose, but do not have any intention on using it for production.

The PostgreSQL db I use for my custom Cistron server has operated flawlessly and at high efficiency since it was installed over 5 years ago. Since the Software and Hardware are long in the tooth, I will be upgrading them in the near future. I have been helping with the development of FreeRadius for a couple years, in preparation for this long anticipated upgrade. Once I have a good Management interface I will upgrade. I have spent a few days building some functions and others have been spending considerable time on similar projects, and some of us have agreed to share our work in order to move this along, so I am hoping to have a new server in place by year's end.

Good luck, and have a great day.
Re: mysql replication vs. radrelay
On Thu, 2006-06-04 at 23:01 +0200, Olaf Schäfer wrote:

hello, I have a redundant radius server setup with two radius servers. On each of the servers freeradius 1.1.1 and mysql is running. If the primary server goes down the AC falls back to the secondary server. To keep the databases (except the radacct table) synchronised I use MySQL replication. But I'm not sure which is the best way to replicate the accounting information: using radrelay or mysql-replication, too? Besides the man page for radrelay says "The functions of radrelay have been added to radiusd." I couldn't find any documentation about this feature. Any hints? regards, olaf

There are many schools of thought on that. Some prefer SQL replication, others suggest it is better to build it into the management system. If you have lots of people managing the accounts, you may need a different method than someone with only a few people maintaining accounts, since table locking and connection load balancing could become an issue. In some cases batch processing is acceptable, in other cases it can be detrimental.

Can you give us an idea about how many people will be changing user info and at what rate you would be expecting additions, modifications and removals? It would be helpful for those of us designing management systems, so we can test for possible conflicts and performance issues. I am not yet working on the SQL maintenance portion of my project but it would be helpful for me to have that information in order to do some preliminary planning.

Some replication methods scale better than others, but have their own drawbacks and difficulties.

PS Have you had a chance to try my PHP radiusd.conf configuration parser ?
Re: How to make FR reset the logs
Hello

Thank you all for your replies, I fixed my issue using some scripts that come with dialup_admin, /bin/ dir, it is working for now, thank you Guy Fraser.

My question now, is it possible to send any attribute using dialup_admin to disconnect a user, I have some handmade bash scripts to do that but it would be great if it can be done with dialup_admin - radius - pppd/pppoe-servers

Thanks again
Re: User in Multiple Groups
Someone posted that many readers of this list don't have HTML mail readers, so I cleaned up the spacing on the tables and am reposting this in text so all can read it.

Scott Reed
Owner
NewWays Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

-- Original Message ---
From: Scott Reed [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thu, 6 Apr 2006 07:54:08 -0500
Subject: Re: User in Multiple Groups

I did not usurp a thread, I reposted my own. I changed radcheck to have := instead of ==. No change.

First query returns:

+----+--------------+--------------+-------------+----+
| id | GroupName    | Attribute    | Value       | op |
+----+--------------+--------------+-------------+----+
| 28 | MS1-AP1      | Service-Type | Framed-User | == |
| 31 | Router-Admin | Service-Type | Login-User  | == |
+----+--------------+--------------+-------------+----+

Second query returns

+----+--------------+----------------+-------+----+
| id | GroupName    | Attribute      | Value | op |
+----+--------------+----------------+-------+----+
| 34 | Router-Admin | Mikrotik-Group | full  | =  |
| 39 | Router-Admin | Fall-Through   | Yes   | =  |
| 37 | MS1-AP1      | Fall-Through   | Yes   | =  |
| 33 | MS1-AP1      | Port-Limit     | 128k  | =  |
+----+--------------+----------------+-------+----+

I have a document from the FreeRadius WIKI (rlm_sql) that says, Processing continues to the next group IF: There was not a match for the last group's check items OR Fall-Through was set in the last group's reply items. If the user logs into a router, the request is for Login-User and they should get the Router-Admin replies. If they log in to an AP, the request is Framed-User and they should get the AP replies.

Scott Reed
Owner
NewWays Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

-- Original Message ---
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thu, 06 Apr 2006 13:22:39 +0100
Subject: Re: User in Multiple Groups

Scott Reed wrote: I have searched the archive and came close to figuring this out, but I have not

Don't start your query as part of another thread please.

Configuration tables:

USERGROUP
80 sreed MS1-AP1
76 treed MS1-AP1
78 sreed Router-Admin
79 treed Router-Admin
81 dreed Router-Admin

RADCHECK
331 dreed User-Password == password
269 treed User-Password == password
267 sreed User-Password == password

This should be := for User-Password. If the match is failing, that may be the issue.

RADGROUPCHECK
31 Router-Admin Service-Type == Login-User
28 MS1-AP1 Service-Type == Framed-User

RADREPLY
33 sreed Fall-Through = yes
43 treed Fall-Through = yes

RADGROUPREPLY
33 MS1-AP1 Port-Limit = 128k 15
34 Router-Admin Mikrotik-Group = full 10
39 Router-Admin Fall-Through = Yes 10
37 MS1-AP1 Fall-Through = Yes 15

I don't think Fall-Through does anything in rlm_sql. What are you expecting it to do?

rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
    Service-Type = Login-User
    User-Name = treed
    User-Password = password
    Calling-Station-Id = 192.168.100.240
    NAS-Identifier = HotSpot
    NAS-IP-Address = 192.168.100.13
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = treed, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 1
radius_xlat: 'treed'
rlm_sql (sql): sql_set_user escaped user -- 'treed'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'treed' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id

What is the result of this query if you execute it directly against the database?

rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'treed' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
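The group rule quoted from the wiki in the message above, applied to the tables from the same post, as an added example that is not part of the thread and is not FreeRADIUS code. The usergroup-id ordering and the `merged_check_matches` contrast case are assumptions made for illustration; neither is a statement of what FreeRADIUS 1.1.1 actually does.

```python
# Added illustration: models the group rule as quoted from the rlm_sql wiki page.
# It is not FreeRADIUS code; the group ordering is an assumption (usergroup id).

# Rows copied from the tables in the post: (id, user, group)
USERGROUP = [(80, "sreed", "MS1-AP1"), (76, "treed", "MS1-AP1"),
             (78, "sreed", "Router-Admin"), (79, "treed", "Router-Admin"),
             (81, "dreed", "Router-Admin")]
# (id, group, attribute, op, value)
RADGROUPCHECK = [(31, "Router-Admin", "Service-Type", "==", "Login-User"),
                 (28, "MS1-AP1", "Service-Type", "==", "Framed-User")]
RADGROUPREPLY = [(33, "MS1-AP1", "Port-Limit", "=", "128k"),
                 (34, "Router-Admin", "Mikrotik-Group", "=", "full"),
                 (39, "Router-Admin", "Fall-Through", "=", "Yes"),
                 (37, "MS1-AP1", "Fall-Through", "=", "Yes")]


def check_items_match(group, request):
    """True when every '==' check item of the group equals the request value."""
    items = [r for r in RADGROUPCHECK if r[1] == group]
    return all(request.get(attr) == value for _, _, attr, _, value in items)


def group_replies(user, request):
    """Walk the user's groups under the quoted rule.

    Continue to the next group if the last group's check items did not match,
    or if Fall-Through was set in the last group's reply items.
    Returns (reply attributes, list of groups whose check items matched).
    """
    reply, matched = {}, []
    for _, _, group in sorted(r for r in USERGROUP if r[1] == user):
        if not check_items_match(group, request):
            continue                          # no match: try the next group
        matched.append(group)
        fall_through = False
        for _, _, attr, _, value in sorted(r for r in RADGROUPREPLY if r[1] == group):
            if attr == "Fall-Through":        # control attribute, not sent to the NAS
                fall_through = value.lower() == "yes"
            else:
                reply.setdefault(attr, value)  # '=' operator: first value wins
        if not fall_through:
            break                             # matched without Fall-Through: stop
    return reply, matched


def merged_check_matches(user, request):
    """Hypothetical contrast: every row returned by the joined radgroupcheck
    query in the debug log is compared against the request as one set."""
    groups = {g for _, u, g in USERGROUP if u == user}
    return all(request.get(attr) == value
               for _, g, attr, _, value in RADGROUPCHECK if g in groups)


if __name__ == "__main__":
    for service in ("Login-User", "Framed-User"):
        req = {"Service-Type": service}
        print(service, group_replies("treed", req), merged_check_matches("treed", req))
```

Under the quoted rule a Framed-User request for treed never receives Mikrotik-Group = full, which is the property worth checking whenever one account sits in both an access group and an admin group.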
RADIUS stops responding after a while
I've got strange behavior on my FR, need to find the way to prevent it, and find out what caused it. I just went to my radius server and found out that it doesn't want to handle requests. I restarted it in debug and it told me that SQL module is unknown (was working fine for 1 month). I restarted again in debug and now it went OK and works fine, but this thing is not acceptable in the field.

So does anyone know what could cause such a behavior (not accepting requests, due to module malfunction) and more importantly is there any way to monitor the server functionality? Let's say something like send testing request each 30min or something and if server doesn't reply send email notification?

Thanks!