RE: Several passwords for a user
The answer why I have several passwords for the same RADIUS account is easy. I have two or more hotspot models (Nomadix, Mikrotik, Gemtek...) and I want to successfully activate the MAC authentication method of these kinds of devices. While one hotspot accepts a blank password (see some previous entries in this forum), others cannot eat blanks, and these hotspots need a non-blank password such as 'mypasswordMAC'. Do you understand now???

***

From: Seferovic Edvin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED], FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org
Subject: RE: Several passwords for a user
Date: Thu, 11 May 2006 16:24:04 +0200

Hello,

besides the comment of Alan D. I think you should have a damn good reason for entering more than one password for ONE user. Are you trying to make your system THAT complicated? Or are your users just stupid to remember (or even write down) a given password?

Regards,
Edvin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, 11 May 2006 15:46
To: FreeRadius users mailing list
Subject: Re: Several passwords for a user

Santiago Balaguer García [EMAIL PROTECTED] wrote:
> I use freeradius-1.1.0. Where is any problem if an account has two or more entries in the radcheck table??? I use :
> 11:22:33:44:55:66 :=''
> 11:22:33:44:55:66 :=mypassword

What are you trying to do? Those entries don't match anything in the FreeRADIUS documentation, and will *not* do anything useful.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Several passwords for a user
I made a mistake!! The correct 'op' attribute is '+=' instead of '==' or ':='.

* [EMAIL PROTECTED] wrote:
> I use freeradius-1.1.0. Where is any problem if an account has two or more entries in the radcheck table??? I use :
> 11:22:33:44:55:66 :=''
> 11:22:33:44:55:66 :=mypassword

What are you trying to do? Those entries don't match anything in the FreeRADIUS documentation, and will *not* do anything useful.

Alan DeKok.
No detail file created for accounting
Hi everyone,

Here is my problem: I think I configured everything, but the detail file is never created for accounting. I also use a MySQL database for accounting only, and nothing is appended to the table radacct either. It is like accounting does not work at all. Here are some parts of my radiusd.conf. I have been trying to make it work for quite a while now, which is why I am writing to this mailing list now. If anyone has an idea it would be really appreciated.

    prefix = /usr/local
    exec_prefix = ${prefix}
    sysconfdir = ${prefix}/etc
    localstatedir = ${prefix}/var
    sbindir = ${exec_prefix}/sbin
    logdir = ${localstatedir}/log/radius
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct

    # Location of config and logfiles.
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run/radiusd

    #
    # The logging messages for the server are appended to the
    # tail of this file.
    #
    log_file = ${logdir}/radius.log
    log_auth = yes

In the modules section:

    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }

and in the accounting section I put detail. Did I forget something? I have the right to write in this directory, since the auth-detail file is created in the same place. Also, if I put detail in the Authorize section, the file is created, but with far more information than I need, and it does not solve my problem concerning the MySQL database.

Thank you all in advance.
Wireless network: WindowsXP supplicant, EAP-TLS and computer certificates.
I try to use FreeRADIUS for building 802.1X EAP-TLS authorization. I want to use only computer certificates (not user ones) on WinXP. Such certificates contain the FQDN of the client in the `commonName' field. But WinXP/SP2 sends `User-Name' in such a case as `host/FQDN', and the check of commonName fails. How can I re-map such `User-Names'? I've tried to create a realm with LOCAL mapping, but it doesn't help much :( It seems that eap-tls `xlat's the user-name before the check, but xlat is not well-documented :(

-- 
// Lev Serebryakov
Cisco Command Accounting..?
Hi,

sorry if I come up with this question here, since it is not a problem of freeradius by itself, but maybe someone could help me.

I want to use freeradius also for authenticating our network admins when they log in to our network devices (e.g. Cisco boxes). Authentication/Authorization works fine. Accounting (Start/Stop of the login session) also.

What I want to do in addition is to log the admins' activities (commands they enter on the devices). I know that this works for TACACS+, but it doesn't seem to when using the RADIUS protocol. I've already searched this mailing list and the web, and it seems that Cisco does not support this feature?

Has anyone experience with this or could give me a hint on how to accomplish this?

thank you
thomas
rlm_sql Segmentation Fault
Ok, I am going insane. This is the story:

I have two IDENTICAL servers, HP DL320, Intel P4. I have Fedora Core 5 installed on both with IDENTICAL packages. I downloaded and extracted freeradius-1.1.1.tar.gz and proceeded to configure with the exact same configure statement. I installed IDENTICAL perl modules on both servers. I use IDENTICAL radius.conf, sql.conf etc. configuration files.

Server 1 works fine. No problems whatsoever.
Server 2 throws a seg fault when loading the rlm_sql module.

I have:
- enabled and disabled shared modules and packages
- make clean, make distclean, manually removed every freeradius file
- re-loaded the server from scratch
- changed the processor from a P4 to a XEON to a P4

FreeRadius works just fine, right up until I load the rlm_sql module.

Setup:
    Linux rad2. .net 2.6.15-1.2054_FC5smp #1 SMP Tue Mar 14 16:05:46 EST 2006 i686 i686 i386 GNU/Linux
    mysql-5.0.18-2.1
    ./configure --with-logdir=/var/log --with-radacctdir=/var/log --with-raddbdir=/etc/raddb --enable-developer

Debug:
    ...
    ...
    Module: Loaded eap
     eap: default_eap_type = md5
     eap: timer_expire = 60
     eap: ignore_unknown_eap_types = no
     eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
     gtc: challenge = Password:
     gtc: auth_type = PAP
    rlm_eap: Loaded and initialized type gtc
     mschapv2: with_ntdomain_hack = no
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded SQL
     sql: driver = rlm_sql_mysql
     sql: server = 192.168.0.8
     sql: port =
     sql: login = root
     sql: password = mysql
     sql: radius_db = radius
     sql: acct_table = radacct
     sql: acct_table2 = radacct
    ...
    ...
    ...
     sql: group_membership_query = SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'
     sql: connect_failure_retry_delay = 60
     sql: simul_count_query =
     sql: simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
     sql: postauth_table = radpostauth
     sql: postauth_query = INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())
     sql: safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
    Segmentation fault (core dumped)

Core dump:
    Reading symbols from /usr/local/lib/rlm_eap_mschapv2-1.1.1.so...done.
    Loaded symbols for /usr/local/lib/rlm_eap_mschapv2-1.1.1.so
    Reading symbols from /usr/local/lib/rlm_sql-1.1.1.so...done.
    Loaded symbols for /usr/local/lib/rlm_sql-1.1.1.so
    #0  0x00d789c9 in lt_dlsym (handle=0x88de758, symbol=0x88dd158 "rlm_sql_mysql") at ltdl.c:3330
    3330        lensym = LT_STRLEN (symbol) + LT_STRLEN (handle->loader->sym_prefix)
    (gdb) bt
    #0  0x00d789c9 in lt_dlsym (handle=0x88de758, symbol=0x88dd158 "rlm_sql_mysql") at ltdl.c:3330
    #1  0x00fb65fa in rlm_sql_instantiate (conf=0x88307e0, instance=0x88dcb40) at rlm_sql.c:696
    #2  0x0805303b in find_module_instance (instname=0x88339c8 "sql") at modules.c:358
    #3  0x08053e1a in do_compile_modsingle (component=0, ci=0x88339a8, filename=0x805e931 "radiusd.conf", grouptype=0, modname=0xbf835314) at modcall.c:1005
    #4  0x080536f3 in setup_modules () at modules.c:570
    #5  0x080566db in main (argc=2, argv=0xbf8365a4) at radiusd.c:960

Does anybody out there have any ideas?

Shawn
Check the subject and issuer in the EAP-TLS
Hello,

as I have noticed, there is no possibility to check the subject and issuer of the client certificate. My idea is to use EAP-TLS authN, but allow only some of the certificates issued by a concrete CA. The two options which are available in the EAP-TLS config are not suitable for me. I don't want to revoke the certs, and the RE cannot be used either. That's why I created a small patch to freeradius 1.1.0. I've added a new option check_script in the config of EAP-TLS, where the path to a script or application can be defined which is executed after successful TLS authentication. The script/application will receive in environment variables the request packet with two new value pairs: X509_SUBJECT and X509_ISSUER. The EAP-TLS module decides on the returned value of the script/app whether the request will be discarded or allowed. I'm open for every remark and enhancement of this patch. I'm running the patched freeradius in our organization and till now it works well. The patch is attached if anyone is interested.

Best regards,
Michal

-- 
Michal Prochazka // [EMAIL PROTECTED]
Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ
CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ

Index: raddb/eap.conf === RCS file: /cvs/meta/freeradius-tls/raddb/eap.conf,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -I\$Id: -u -r1.1.1.1 -r1.2 --- raddb/eap.conf 11 May 2006 12:22:57 - 1.1.1.1 +++ raddb/eap.conf 11 May 2006 13:14:52 - 1.2 
@@ -176,7 +176,16 @@ # will fail rejecting the user. # # check_cert_cn = %{User-Name} - #} + +# Check the subject and issuer of the client certificate by +# the script. Script is invoked after successful TLS +# authentication. X509_SUBJECT and X509_ISSUER environ +# variables are passed to the script. Return value of the +# script decide if the request is discarded (return 0) or +# allowed (return != 0) +# +# check_script = /usr/local/etc/raddb/check_script +#} # The TTLS module implements the EAP-TTLS protocol, # which can be described as EAP inside of Diameter, Index: share/dictionary.freeradius.internal === RCS file: /cvs/meta/freeradius-tls/share/dictionary.freeradius.internal,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -I\$Id: -u -r1.1.1.1 -r1.2 --- share/dictionary.freeradius.internal 11 May 2006 12:22:57 - 1.1.1.1 +++ share/dictionary.freeradius.internal 11 May 2006 12:46:10 - 1.2 @@ -126,6 +126,8 @@ ATTRIBUTE Packet-Src-IPv6-Address 1097 ipv6addr ATTRIBUTE Packet-Dst-IPv6-Address 1098 ipv6addr ATTRIBUTE Server-Identity1099 string +ATTRIBUTE X509-Subject1100 string +ATTRIBUTE X509-Issuer1101 string # # Range: 1200-1279 Index: src/include/radius.h === RCS file: /cvs/meta/freeradius-tls/src/include/radius.h,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -I\$Id: -u -r1.1.1.1 -r1.2 --- src/include/radius.h 11 May 2006 12:22:57 - 1.1.1.1 +++ src/include/radius.h 11 May 2006 12:46:10 - 1.2 
@@ -187,6 +187,12 @@ #define PW_MS_CHAP_USE_NTLM_AUTH 1082 /* + * X509 client Subject and Issuer + */ +#define PW_X509_SUBJECT 1100 +#define PW_X509_ISSUER 1101 + +/* * Integer Translations */ Index: src/modules/rlm_eap/types/rlm_eap_tls/Makefile.in === RCS file: /cvs/meta/freeradius-tls/src/modules/rlm_eap/types/rlm_eap_tls/Makefile.in,v retrieving revision 1.1.1.1 retrieving revision 1.3 diff -I\$Id: -u -r1.1.1.1 -r1.3 --- src/modules/rlm_eap/types/rlm_eap_tls/Makefile.in 11 May 2006 12:22:57 - 1.1.1.1 +++ src/modules/rlm_eap/types/rlm_eap_tls/Makefile.in 12 May 2006 07:25:00 - 1.3 @@ -2,7 +2,7 @@ SRCS= rlm_eap_tls.c eap_tls.c cb.c tls.c mppe_keys.c RLM_CFLAGS = $(INCLTDL) [EMAIL PROTECTED]@/../.. [EMAIL PROTECTED]@/../../libeap @eap_tls_cflags@ -DOPENSSL_NO_KRB5 HEADERS = rlm_eap_tls.h eap_tls.h ../../eap.h ../../rlm_eap.h -RLM_INSTALL = +RLM_INSTALL = install-scripts RLM_LIBS+= @eap_tls_ldflags@ $(STATIC_OBJS): $(HEADERS) @@ -11,3 +11,6 @@ RLM_DIR=../../ include ${RLM_DIR}../rules.mak + +install-scripts: + $(INSTALL) -m 755 check_script $(R)$(raddbdir) Index: src/modules/rlm_eap/types/rlm_eap_tls/check_script === RCS file: src/modules/rlm_eap/types/rlm_eap_tls/check_script diff -N src/modules/rlm_eap/types/rlm_eap_tls/check_script --- /dev/null 1 Jan 1970 00:00:00 - +++ src/modules/rlm_eap/types/rlm_eap_tls/check_script 12 May 2006 08:36:14 - 1.3 @@ -0,0 +1,27 @@ +#!/bin/sh + +# File containing subjects + issuers which are allowed
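Review bot: the return-value convention documented in the raddb/eap.conf hunk ("discarded (return 0) or allowed (return != 0)") inverts the shell convention that rlm_exec and Exec-Program already follow in this server, where exit status 0 means success; an administrator who drops in an existing allow-list script, or reuses this one with rlm_exec later, gets the opposite of the intended policy. Either flip the mapping in the module so 0 allows, or state the inversion in the comment in a way nobody can miss. The comment also needs to say what happens when check_script cannot be run at all (missing file, not executable, killed before it returns): the only safe answer is to reject the request, and the documentation should promise that fail-closed behaviour explicitly.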
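Review bot: the attribute names added in the share/dictionary.freeradius.internal hunk, X509-Subject and X509-Issuer, do not say whose certificate they describe; the server presents a certificate in the same handshake, and an operator reading a policy file cannot tell which side is meant. A name carrying the client-cert qualifier (the reply in this thread suggests EAP-TLS-Client-Cert-Subject / EAP-TLS-Client-Cert-Issuer) reads unambiguously and matches how the value is obtained. The environment variable names given in the eap.conf text (X509_SUBJECT, X509_ISSUER) should then be derived from the final attribute names the way the exec code derives them, so the script sees the same identifiers in both places, and the 1100/1101 numbers chosen here must stay in step with the #defines in src/include/radius.h.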
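Review bot: the install-scripts target in the rlm_eap_tls/Makefile.in hunk runs `$(INSTALL) -m 755 check_script $(R)$(raddbdir)` unconditionally, so every `make install` overwrites the site's edited policy script with the shipped sample; the raddb files are installed only when absent for exactly this reason, and this script needs the same guard (or should be installed under a sample name the admin copies). It also drops an executable into the configuration directory: that is workable, but since radiusd will execute it on every successful TLS handshake it must be owned by root and not writable by the radiusd user, which the plain `-m 755` install does not express.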
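Review bot: the new src/modules/rlm_eap/types/rlm_eap_tls/check_script hunk is visible here only as far as its header comment ("File containing subjects + issuers which are allowed"), so the comparison logic cannot be reviewed from this page; the requirement on whatever follows is that the match be a fixed-string, whole-line comparison of the subject and issuer pair (grep -Fx on a combined line, or a shell case with no pattern characters), because a substring or regex match would admit a certificate whose DN merely contains an allowed DN, and DN components themselves contain regex metacharacters such as '.' and '/'. The allow-list file the comment refers to should be readable by root and the radiusd user only, and the script should exit with the "deny" status when that file is missing or unreadable rather than falling through to an empty match.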
Re: Check the subject and issuer in the EAP-TLS
Michal Prochazka wrote:
> I'm open for every remark and enhancement of this patch.

IMHO, it is a very breakable script: it compares only strings (issuer name, subject, etc), which can be forged easily. IMHO, we need to check sha1/md5 signatures of CA certificates, not strings.

-- 
// Lev Serebryakov
Re: Check the subject and issuer in the EAP-TLS
Michal Prochazka wrote:
> I'm open for every remark and enhancement of this patch.

BTW, there is a `CA_file' parameter in the `tls' module, so the CA certificate is known to us. And we can check this CA without any external script.

-- 
// Lev Serebryakov
Re: Check the subject and issuer in the EAP-TLS
> IMHO, it is a very breakable script: it compares only strings (issuer name, subject, etc), which can be forged easily. IMHO, we need to check sha1/md5 signatures of CA certificates, not strings.

I don't agree with you. Freeradius checks that the certificate is issued by one of the CAs defined in the config of EAP-TLS. And then this script compares the subject; you cannot forge it. And of course this patch can be easily enhanced to export sha1/md5 signatures. This patch is made directly for our needs. We have an autogenerated file which contains the subject names of allowed certificates. Our CA is part of EUGridPMA, and their policy is that there cannot be two certificates with the same subject.

-- 
Michal Prochazka // [EMAIL PROTECTED]
Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ
CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ
Re: Check the subject and issuer in the EAP-TLS
> BTW, there is a `CA_file' parameter in the `tls' module, so the CA certificate is known to us. And we can check this CA without any external script.

I don't understand what you mean with this? This patch doesn't check the CA. The check script is run after the successful TLS authentication.

-- 
Michal Prochazka // [EMAIL PROTECTED]
Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ
CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ
Re: Check the subject and issuer in the EAP-TLS
Michal Prochazka wrote:
> I don't agree with you. Freeradius checks that the certificate is issued by one of the CAs defined in the config of EAP-TLS. And then this script compares the subject; you cannot forge it. And of course this patch can be easily enhanced to export sha1/md5 signatures.

Oh, I've missed your point, sorry. This patch is against using some (for example, e-mail signing) certificate (issued by the proper CA!) as a wireless client's one, am I right on the second try? :)

-- 
// Lev Serebryakov
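For the check_script hook Michal describes (subject and issuer handed to a script in X509_SUBJECT and X509_ISSUER, an autogenerated file of allowed subjects), here is an added example of such a script in Python. It is not part of the patch or of FreeRADIUS. It assumes the environment variable names from the patch and a hypothetical allow-list path /usr/local/etc/raddb/allowed_certs; the file format (one subject<TAB>issuer pair per line, # comments) and the sample DNs are constructed for the example. Matching is exact on the whole (subject, issuer) pair, so a DN that merely contains an allowed DN is not accepted, and the script denies when either variable is missing, the file is unreadable, or an entry is malformed. The exit status follows the rlm_exec convention (0 = allow); the patch's eap.conf comment documents the opposite mapping, so the one-line mapping function is the place to flip it if the module keeps that convention.

```python
#!/usr/bin/env python3
"""check_script for the EAP-TLS hook: allow only listed (subject, issuer) pairs.

Added example, not part of the patch or of FreeRADIUS.  Inputs arrive in the
environment under the names the patch uses (X509_SUBJECT, X509_ISSUER); the
allow-list path and its format are assumptions made for this example.
"""
import os
import sys
from typing import Iterable, Set, Tuple

# Hypothetical path; the patch does not define one.  The file must be owned by
# root and readable by the radiusd user only.
ALLOWLIST_PATH = "/usr/local/etc/raddb/allowed_certs"

# Constructed sample allow list: one "subject<TAB>issuer" pair per line.
SAMPLE_ALLOWLIST = [
    "# constructed entries for the example",
    "/C=CZ/O=Example Org/CN=alice.example.org\t/C=CZ/O=Example CA/CN=Example CA 1",
    "/C=CZ/O=Example Org/CN=bob.example.org\t/C=CZ/O=Example CA/CN=Example CA 1",
    "",
]


def parse_allowlist(lines: Iterable[str]) -> Set[Tuple[str, str]]:
    """Parse 'subject<TAB>issuer' lines into a set of exact pairs.

    Blank lines and '#' comments are skipped.  A line without a tab raises
    instead of silently becoming a subject-only entry that would accept the
    subject under any issuer.
    """
    allowed = set()
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "\t" not in line:
            raise ValueError(f"allowlist line {lineno}: expected subject<TAB>issuer")
        subject, issuer = line.split("\t", 1)
        allowed.add((subject.strip(), issuer.strip()))
    return allowed


def is_allowed(subject: str, issuer: str, allowed: Set[Tuple[str, str]]) -> bool:
    """Exact match on the whole (subject, issuer) pair.  Substring or regex
    matching would admit a DN that merely contains an allowed one; set
    membership cannot."""
    return (subject.strip(), issuer.strip()) in allowed


def evaluate(subject, issuer, allowlist_lines) -> bool:
    """Fail closed: a missing input or a malformed list both mean deny."""
    if not subject or not issuer:
        return False
    try:
        allowed = parse_allowlist(allowlist_lines)
    except ValueError:
        return False
    return is_allowed(subject, issuer, allowed)


def decide(env, allowlist_path: str = ALLOWLIST_PATH) -> bool:
    """Read the allow list from disk; an unreadable file is also deny."""
    subject, issuer = env.get("X509_SUBJECT"), env.get("X509_ISSUER")
    if not subject or not issuer:
        return False
    try:
        with open(allowlist_path, encoding="utf-8") as fh:
            return evaluate(subject, issuer, fh)
    except OSError:
        return False


def exit_status(allowed: bool) -> int:
    """rlm_exec convention: exit 0 means ok.  The patch's eap.conf comment
    documents the opposite (0 = discard); if the module keeps that mapping,
    this is the one line to flip."""
    return 0 if allowed else 1


if __name__ == "__main__":
    sys.exit(exit_status(decide(os.environ)))
```

Install it where the check_script option points, mode 0755, owned by root, and keep the allow list out of any world-readable directory; the script is executed by radiusd for every successful TLS handshake, so the file it reads is part of the authentication policy.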
Re: rlm_sql Segmentation Fault
Configure probably isn't finding the mysql libraries and/or header files and isn't compiling the rlm_sql module properly. I'm not sure why this is happening if everything is identical like you say, but it's my bet. Look in your freeradius-1.1.1/lib/ directory for the rlm_sql module files. If they are not there, that is definitely your problem. Watch the configure closely. Try to point it where the mysql stuff is.

Good luck.
Chris Carver

Shawn Hamman wrote:
> Ok, I am going insane. This is the story:
> I have two IDENTICAL servers, HP DL320, Intel P4. I have Fedora Core 5 installed on both with IDENTICAL packages. [...]
> Server 1 works fine. No problems whatsoever.
> Server 2 throws a seg fault when loading the rlm_sql module.
> [...]
> ./configure --with-logdir=/var/log --with-radacctdir=/var/log --with-raddbdir=/etc/raddb --enable-developer
> [...]
> Does anybody out there have any ideas?
> Shawn
Re: rlm_sql Segmentation Fault
Shawn Hamman wrote:
> Ok, I am going insane. This is the story:
> I have two IDENTICAL servers, HP DL320, Intel P4. I have Fedora Core 5 installed on both with IDENTICAL packages. [...]
> Server 1 works fine. No problems whatsoever.
> Server 2 throws a seg fault when loading the rlm_sql module.
> [...]
> Setup:
> Linux rad2. .net 2.6.15-1.2054_FC5smp #1 SMP Tue Mar 14 16:05:46 EST 2006 i686 i686 i386 GNU/Linux
> mysql-5.0.18-2.1
> ./configure --with-logdir=/var/log --with-radacctdir=/var/log --with-raddbdir=/etc/raddb --enable-developer

I just saw this. Do --with-mysql
Re: Fwd: Regular expression - Trying to rewrite User-Name
It is difficult to see what your machine is doing since you are giving us bits and pieces of the problem and out of order.

Damian Porter wrote:
> thanks for all your input so far, and I am still looking, trying to use the hints and huntgroup file for a work around, no success yet. By the way I should mention the code worked perfectly well with redhat 9.
> [00-0423-236767-676752-6752-52]

What is that number? Is that the resulting username after your regex?

> the first and the last octet work, it's just {2} - {5} that are acting up.
> additional information: my auth-log file
>     Packet-Type = Access-Request
>     Thu May 11 18:33:02 2006
>     NAS-IP-Address = 1.5.1.32
>     User-Name = 00042367672f
>     User-Password = 00042367672f
>     Calling-Station-Id = 00042367672F
>     Called-Station-Id = 000B8602DD80
>     NAS-Port = 0
>     NAS-Port-Type = Wireless-802.11
>     Vendor-14823-Attr-5 = 0x4e5355
>     Vendor-14823-Attr-6 = 0x302e302e30
>     Client-IP-Address = 1.5.1.3

Is that a different username than the munged one above? Can you make sure to provide details from the same username, so it is easier to follow and see what exactly is wrong?

> Debug output
> There appears to be another RADIUS server running on the authentication port 1814

One of two things is happening. Either there is a radius server already running and it has been running all the time and any changes you are making are not being seen. Or you forgot to stop the radius daemon before trying to run it in debug mode. Try this:

    killall -9 radiusd
    radiusd -X

Now, leave that running and send it an access request. Send us everything from where you typed radiusd -X to the *end* of the request (presumably a reject statement). radiusd -X should not release back to a prompt; it should sit there waiting for a request. If you get a prompt back, then there is either still something running on that port or something else caused it to error out. *After* you send a request and it gets rejected, Control-C will get your prompt back and terminate the radiusd -X.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
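The User-Name rewrite this thread is about (a bare MAC such as 00042367672f arriving as User-Name and Calling-Station-Id, to be turned into a canonical form before lookup) is worth getting right once, because hotspots and access points send MACs in several spellings, which is also why the MAC-authentication thread above ends up with several passwords per device. The Python below is an added example, not code from the thread or from FreeRADIUS: one regex with six explicit capture groups, one per octet, with the replacement referring to them by number, and the {2} quantifier only on the pattern side. It also accepts the colon, dash and Cisco dotted forms, and includes the sanity check a MAC-auth policy should make, that User-Name and Calling-Station-Id are the same device. The sample values are constructed.

```python
"""Normalise MAC addresses that arrive as User-Name / Calling-Station-Id.

Added example, not code from the thread or from FreeRADIUS.  The rewrite uses
six capture groups, one per octet; the {2} quantifier lives in the pattern and
the replacement refers to the groups as \\1 .. \\6.  Sample values constructed.
"""
import re
from typing import Optional

_OCTET = r"([0-9A-Fa-f]{2})"
_SEP = r"[:\-. ]?"          # optional separator: none, colon, dash, dot or space
# Six octets with an optional separator between each pair.  Because the
# separator is optional, Cisco's dotted form (0004.2367.672f) also matches.
MAC_RE = re.compile("^" + _SEP.join([_OCTET] * 6) + "$")

# The rewrite as a hints/users-file style regex would do it: bare 12 hex
# digits in, colon-separated octets out, via numbered group references.
REWRITE_RE = re.compile(
    r"^([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})$",
    re.IGNORECASE,
)


def normalize_mac(value: str) -> Optional[str]:
    """Return the MAC as aa:bb:cc:dd:ee:ff, or None if the value is not
    twelve hex digits in one of the forms NASes send (bare, :, -, .)."""
    m = MAC_RE.match(value.strip())
    if not m:
        return None
    return ":".join(octet.lower() for octet in m.groups())


def rewrite_user_name(user_name: str) -> str:
    """Rewrite a bare-hex MAC User-Name to colon form; anything else is
    returned unchanged, which is what a non-matching hints entry does."""
    return REWRITE_RE.sub(r"\1:\2:\3:\4:\5:\6", user_name).lower()


def mac_matches(user_name: str, calling_station_id: str) -> bool:
    """MAC-auth sanity check: User-Name must be the same device as
    Calling-Station-Id, whatever spelling each field uses.  Two values that
    both fail to parse do not count as a match."""
    a, b = normalize_mac(user_name), normalize_mac(calling_station_id)
    return a is not None and a == b


if __name__ == "__main__":
    for sample in ("00042367672f", "00-04-23-67-67-2F", "0004.2367.672f", "0004236767"):
        print(f"{sample!r:22} -> {normalize_mac(sample)}")
    print(rewrite_user_name("00042367672F"))
    print(mac_matches("00042367672f", "00042367672F"))
```

The normalised string is what to store in radcheck or a users entry, so that one entry matches a device regardless of which hotspot model reported it.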
RE: No detail file created for accounting
Is your NAS sending accounting records?

-- 
Mike Ockenga

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Axel Seguin
Sent: Friday, May 12, 2006 3:08 AM
To: FreeRadius users mailing list
Subject: No detail file created for accounting

> Hi everyone,
> Here is my problem, I think I configured everything but the detail file is never created for accounting. I also use a mysql data base for accounting only and nothing is appended to the table radacct either. It is like accounting does not work at all.
> [...]
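Axel's report (no detail file, nothing in radacct) and Mike's question (is the NAS sending accounting at all?) come down to one check to make before touching the server configuration: are Accounting-Request packets arriving on the accounting port, and does their Request Authenticator validate under the shared secret configured for that client? FreeRADIUS drops an accounting packet whose authenticator does not verify, so a wrong secret looks exactly like "accounting does not work at all". The Python below is an added example, not code from the thread or from FreeRADIUS: it builds an Accounting-Request as RFC 2866 specifies (Request Authenticator = MD5 over code, identifier, length, sixteen zero octets, the attributes and the secret) and verifies a captured one against a secret. The NAS address, secret and attribute values are constructed; to check a real capture, feed the UDP payload to verify_accounting_request with the secret from clients.conf.

```python
"""Build and verify RADIUS Accounting-Request packets (RFC 2866).

Added example, not part of FreeRADIUS or of the original thread.  Use it to
check that what a NAS sends on the accounting port is well-formed and that its
Request Authenticator validates under the shared secret configured for it.
"""
import hashlib
import hmac
import socket
import struct
from typing import Sequence, Tuple

ACCOUNTING_REQUEST = 4      # RFC 2866 packet code
HEADER_LEN = 20             # code, identifier, length, 16-octet authenticator

# Attribute types (RFC 2865 / RFC 2866) and the one value used below
USER_NAME = 1
NAS_IP_ADDRESS = 4
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_START = 1


def encode_attr(attr_type: int, value) -> bytes:
    """One attribute TLV: type, total length, value (at most 253 octets).
    ints become 4-octet big-endian, str becomes UTF-8, bytes pass through."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode("utf-8")
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_request(identifier: int, secret: bytes,
                             attrs: Sequence[Tuple[int, object]]) -> bytes:
    """Accounting-Request with the Request Authenticator of RFC 2866 section 3:
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """True only for a well-formed Accounting-Request whose authenticator
    matches the secret.  A length field that disagrees with the datagram is a
    reject, never a guess; the comparison is constant-time."""
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    body = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


# Constructed sample: what a hotspot might send for an Acct-Start.
SAMPLE_SECRET = b"testing123"
SAMPLE_ATTRS = [
    (USER_NAME, "00:04:23:67:67:2f"),
    (NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10")),
    (ACCT_STATUS_TYPE, ACCT_START),
    (ACCT_SESSION_ID, "5f3a0001"),
]


def sample_packet() -> bytes:
    return build_accounting_request(0x2A, SAMPLE_SECRET, SAMPLE_ATTRS)


if __name__ == "__main__":
    pkt = sample_packet()
    print("bytes on the wire      :", len(pkt))
    print("verifies, right secret :", verify_accounting_request(pkt, SAMPLE_SECRET))
    print("verifies, wrong secret :", verify_accounting_request(pkt, b"wrong"))
```

If a capture verifies with the configured secret but nothing reaches the detail file or radacct, the problem is inside the server's accounting section; if it does not verify, fix the secret or the client entry first, because the server will keep discarding those packets before any module sees them.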
Re: Check the subject and issuer in the EAP-TLS
Michal Prochazka wrote:
> I'm open for every remark and enhancement of this patch.

Have you considered instead having the eap-tls module add a server-private config attribute, e.g.

    EAP-TLS-Client-Cert-Subject
    EAP-TLS-Client-Cert-Issuer

...which would be a bit more general. If you wanted to run an external script then, you could do something like:

    authorize {
        preprocess
        eap
        files
    }

and in /etc/raddb/users:

    DEFAULT EAP-TLS-Client-Cert-Subject *= ANY
        Exec-Program = somescript

...the script will then receive the attribute as an environment variable.

The major difficulty I can see with that is the cert isn't available until a few packets into the EAP exchange - that is, the first few packets won't have gone far enough into the TLS setup to have obtained the cert. Also, the EAP module doesn't actually *process* any data until the authenticate section, so if you had:

    Access-Request               EAP-TLS client hello
    series of Access-Challenge   EAP-TLS fragmented(server hello, server cert)
    Access-Request               EAP-TLS send more
    series of Access-Request     EAP-TLS fragmented(client cert, handshake)
    Access-Challenge             EAP-TLS send more
    Access-Challenge             EAP-TLS change cipher
    Access-Request               EAP-TLS zero data
    Access-Accept

...only that last Access-Challenge would have a meaningful client cert CN/issuer and could thus be matched on. I don't know enough about TLS and EAP-TLS to be sure if we can guarantee there'll always be one packet which that attribute can match on.

I suppose another option would be to have EAP-TLS generate a fake inner request which is passed through the radius server much like PEAP's inner requests are, with User-Name as the CN and another attribute for Issuer. That would remove the ambiguity and provide a very flexible way for the server to do policy checks on all manner of cert attributes.
(no subject)
Hello all,

I have freeradius installed already and working well, but I can see that recently it became very slow to reply to the database, which is MySQL. Could anyone send me the formal configuration file for one freeradius which is already running well and acting good with a MySQL database?

best Regards
Yasir
Re: (no subject)
Yasir Elhaggaz wrote:
> Hello all, I have freeradius installed already and working well, but I can see that recently it became very slow to reply to the database, which is MySQL. Could anyone send me the formal configuration file for one freeradius which is already running well and acting good with a MySQL database?

If it is working, there isn't much you can do to FreeRADIUS to make it work faster; the slowdown is coming from MySQL. If your tables are large, change them from MyISAM to InnoDB (table vs. row locking makes all the difference). Also make sure they are properly indexed. We also have a replication setup and do this in authorize:

    redundant {
        sql-slave
        sql-master
    }

and this in accounting:

    sql-master

to separate the reads and writes.

Be aware that changing the engine on mysql tables causes them to lock, and large tables take a long time to change, so you will be unable to write to them during that time. Reads will also be quite slow (if it responds at all). I took our radius servers offline during the change at like 4am. Archiving old accounting data will help too.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
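Dennis's advice to make sure the tables are properly indexed can be checked rather than assumed: take the queries FreeRADIUS actually issues (the simul_verify_query and group_membership_query visible in Shawn's debug output earlier on this page filter radacct by UserName and AcctStopTime, and usergroup by UserName) and read the execution plan before and after adding an index on exactly those columns. The Python below is an added example, not from the thread or from FreeRADIUS; it uses SQLite from the standard library as a stand-in so it runs offline (EXPLAIN QUERY PLAN instead of MySQL's EXPLAIN, and no storage engine choice, so the MyISAM/InnoDB point is out of scope). The table is a cut-down radacct with constructed rows; the index columns are the ones the WHERE clauses use, in that order.

```python
"""Check that the radacct / usergroup queries FreeRADIUS issues hit an index.

Added example, not code from the thread or from FreeRADIUS.  SQLite stands in
for MySQL so this runs offline; the query shapes are the ones shown in the
rlm_sql debug output (simul_verify_query, group_membership_query).
"""
import sqlite3
from typing import Tuple

# Cut-down radacct / usergroup schema with the columns the two queries touch.
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId        INTEGER PRIMARY KEY,
    AcctSessionId    TEXT NOT NULL,
    UserName         TEXT NOT NULL,
    NASIPAddress     TEXT NOT NULL,
    NASPortId        TEXT,
    FramedIPAddress  TEXT,
    CallingStationId TEXT,
    FramedProtocol   TEXT,
    AcctStopTime     INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE usergroup (
    UserName  TEXT NOT NULL,
    GroupName TEXT NOT NULL
);
"""

# The queries from the debug output, with %{SQL-User-Name} as a bind parameter.
SIMUL_VERIFY = ("SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, "
                "FramedIPAddress, CallingStationId, FramedProtocol FROM radacct "
                "WHERE UserName = ? AND AcctStopTime = 0")
GROUP_MEMBERSHIP = "SELECT GroupName FROM usergroup WHERE UserName = ?"

# Indexes matching the WHERE clauses: same columns, same order.
INDEXES = """
CREATE INDEX radacct_user_open ON radacct (UserName, AcctStopTime);
CREATE INDEX usergroup_user ON usergroup (UserName);
"""


def load_sample(conn: sqlite3.Connection, sessions: int = 2000) -> None:
    """Constructed data: 100 users, mostly closed sessions; user007's stay open."""
    conn.executescript(SCHEMA)
    rows = []
    for i in range(sessions):
        user = f"user{i % 100:03d}"
        stop = 0 if i % 100 == 7 else 1147400000 + i
        rows.append((f"sess{i:06d}", user, "192.0.2.10", str(i % 48), None, None, None, stop))
    conn.executemany(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, NASPortId, "
        "FramedIPAddress, CallingStationId, FramedProtocol, AcctStopTime) "
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?)", rows)
    conn.executemany("INSERT INTO usergroup VALUES (?, ?)",
                     [(f"user{i:03d}", "hotspot") for i in range(100)])
    conn.commit()


def query_plan(conn: sqlite3.Connection, sql: str, params) -> str:
    """The planner's description of how it will execute the statement."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return " / ".join(str(r[-1]) for r in rows)


def uses_index(plan: str) -> bool:
    """SQLite reports index use as 'USING INDEX' (or 'USING COVERING INDEX');
    a full table walk shows up as 'SCAN'."""
    return "USING" in plan and "INDEX" in plan and "SCAN" not in plan


def compare_plans() -> Tuple[str, str, str, int]:
    """(plan before index, plan after, group-lookup plan, open sessions)."""
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    before = query_plan(conn, SIMUL_VERIFY, ("user007",))
    conn.executescript(INDEXES)
    after = query_plan(conn, SIMUL_VERIFY, ("user007",))
    group_plan = query_plan(conn, GROUP_MEMBERSHIP, ("user007",))
    open_sessions = len(conn.execute(SIMUL_VERIFY, ("user007",)).fetchall())
    conn.close()
    return before, after, group_plan, open_sessions


if __name__ == "__main__":
    before, after, group_plan, n = compare_plans()
    print("simul_verify before index:", before)
    print("simul_verify after index :", after)
    print("group lookup             :", group_plan)
    print("open sessions for user007:", n)
```

On MySQL the equivalent is `EXPLAIN SELECT ...` with the same WHERE clause; a `type` of ALL in its output is the table scan this example shows as SCAN, and it is what turns every Simultaneous-Use check into a walk over the whole accounting history.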
Re: rlm_sql Segmentation Fault
Shawn Hamman wrote:
> (gdb) bt
> #0  0x00d789c9 in lt_dlsym (handle=0x88de758, symbol=0x88dd158 "rlm_sql_mysql") at ltdl.c:3330
> #1  0x00fb65fa in rlm_sql_instantiate (conf=0x88307e0, instance=0x88dcb40) at rlm_sql.c:696
> #2  0x0805303b in find_module_instance (instname=0x88339c8 "sql") at modules.c:358
> #3  0x08053e1a in do_compile_modsingle (component=0, ci=0x88339a8, filename=0x805e931 "radiusd.conf", grouptype=0, modname=0xbf835314) at modcall.c:1005
> #4  0x080536f3 in setup_modules () at modules.c:570
> #5  0x080566db in main (argc=2, argv=0xbf8365a4) at radiusd.c:960
>
> Does anybody out there have any ideas?

It looks like bug #98.
http://bugs.freeradius.org/show_bug.cgi?id=98

-- 
Nicolas Baradakis
Cisco and RADIUS
Hello all,

I am new to RADIUS. I am using a Cisco IP IP gw as NAS and RADIUS. I have a few doubts regarding the interaction between Cisco and RADIUS.

Whenever the request for authentication comes, for all authenticated users I wish to send some extra details like billing model, credit time etc. If I make changes in the authentication query to return these values, how will the NAS understand which one is the billing model or which one is the credit time? Do I have to make any changes in the dictionary or RADIUS? I tried to search for the same on the Cisco site but hard luck, couldn't find it.

Please guys help me out.

Thanks in advance
Vignesh
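Vignesh's question (how does the NAS know which returned value is the billing model and which the credit time) is what vendor-specific attributes exist for: RFC 2865 attribute 26 wraps a vendor ID and the vendor's own type/length/value, the server's dictionary only gives those numbers names, and the NAS must implement the vendor attribute for it to mean anything. On Cisco gear the usual carrier is Cisco-AVPair (vendor 9, vendor type 1), a string of the form name=value. The Python below is an added example, not from the thread or from FreeRADIUS; it encodes and decodes VSAs and places several Cisco-AVPair strings in one reply. The pair names used (billing-model, credit-time) are placeholders for the example, not attribute names documented on this page or known to be honoured by the gateway; the names the IOS gateway actually acts on have to come from Cisco's documentation.

```python
"""Encode and decode RFC 2865 Vendor-Specific Attributes (type 26).

Added example, not code from the thread or from FreeRADIUS.  Shows how extra
per-user values reach a Cisco NAS: as Cisco-AVPair strings (vendor 9,
vendor-type 1) of the form "name=value".  The pair names used below are
placeholders, not attribute names the page documents.
"""
import struct
from typing import Dict, List, Tuple

VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Type 26 | Length | Vendor-Id (4 octets, high octet 0) | V-Type | V-Len | value."""
    if vendor_id >= 1 << 24:
        raise ValueError("vendor id must fit in 24 bits (RFC 2865 section 5.26)")
    if len(value) > 247:            # 255 - 2 (outer TLV) - 4 (vendor id) - 2 (inner TLV)
        raise ValueError("VSA value too long for one attribute")
    inner = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", vendor_id) + inner
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def cisco_avpair(name: str, value: str) -> bytes:
    """One Cisco-AVPair VSA carrying 'name=value'."""
    if "=" in name:
        raise ValueError("AV pair name must not contain '='")
    return encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, f"{name}={value}".encode("ascii"))


def decode_vsas(attrs: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk a run of attributes and return (vendor_id, vendor_type, value) for
    every VSA.  Non-VSA attributes are skipped; a bad length aborts rather
    than letting the walk desynchronise."""
    out = []
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("bad attribute length")
        if attr_type == VENDOR_SPECIFIC:
            payload = attrs[pos + 2:pos + attr_len]
            if len(payload) < 6:
                raise ValueError("VSA too short for vendor id and inner TLV")
            vendor_id = struct.unpack("!I", payload[:4])[0]
            v_type, v_len = payload[4], payload[5]
            if v_len < 2 or 4 + v_len > len(payload):
                raise ValueError("bad vendor-length")
            out.append((vendor_id, v_type, payload[6:4 + v_len]))
        pos += attr_len
    return out


def cisco_avpairs(attrs: bytes) -> Dict[str, str]:
    """name -> value for every Cisco-AVPair in the attribute run."""
    pairs = {}
    for vendor_id, v_type, value in decode_vsas(attrs):
        if vendor_id == CISCO_VENDOR_ID and v_type == CISCO_AVPAIR:
            name, _, val = value.decode("ascii", "replace").partition("=")
            pairs[name] = val
    return pairs


def sample_reply_attrs() -> bytes:
    """Constructed reply attributes: one standard attribute (Framed-Protocol =
    PPP) followed by two placeholder AV pairs."""
    framed_protocol_ppp = bytes([7, 6]) + struct.pack("!I", 1)
    return (framed_protocol_ppp
            + cisco_avpair("billing-model", "prepaid")
            + cisco_avpair("credit-time", "3600"))


if __name__ == "__main__":
    attrs = sample_reply_attrs()
    print(attrs.hex())
    print(cisco_avpairs(attrs))
```

On the FreeRADIUS side the reply items in radreply would be `Cisco-AVPair := "name=value"` rows using the attribute name from dictionary.cisco; no dictionary change is needed for Cisco-AVPair itself, only for any vendor attribute the NAS expects that the shipped dictionary does not already define.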
Re: trouble with getting user accepted with Mysql
On 5/12/06, Jeremy ohara [EMAIL PROTECTED] wrote:
> Hi there, I've been able to get the radius working, but the problem I'm having is that when I try to do a test login it keeps being rejected. I've set up groups, etc. and am using dialupadmin for administration. I've attached the radiusd.conf and mysql.conf and the output files, etc. I got from the radius debug. Hope someone can help, and THIS is enough info for you! Also I'm using the latest Fedora 5 and freeradius 1.0.5.

Do you use dialup admin to create your users? In its config file you can choose how the passwords are stored (plain text, encrypted, ...). Are you sure your passwords have the right attribute? Look at this post from me, I had the same problem:
http://www.m0n0.ch/wall/list/showmsg.php?id=260/58

Alan pointed me in the right direction there. The attribute needed to be Crypt-Password instead of User-Password.

Good luck,
Yves
Re: trouble with getting user accepted with Mysql
Hi there,

I kinda get what you mean. I've tried both clear and crypt, and both end up the same way. I reset the password before trying a login test, and both failed. I've attached the admin.conf file from dialupadmin. Can you see any problems in it?

jeremy

-----Original Message-----
From: YvesDM [EMAIL PROTECTED]
To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org
Date: Fri, 12 May 2006 22:45:24 +0200
Subject: Re: trouble with getting user accepted with Mysql

> On 5/12/06, Jeremy ohara [EMAIL PROTECTED] wrote:
> > Hi there, I've been able to get the radius working, but the problem I'm having is that when I try to do a test login it keeps being rejected. [...]
>
> Do you use dialup admin to create your users? In its config file you can choose how the passwords are stored (plain text, encrypted, ...). Are you sure your passwords have the right attribute? [...] The attribute needed to be Crypt-Password instead of User-Password.
>
> Good luck,
> Yves
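Yves's diagnosis (the value was a crypt hash, so the check item had to be Crypt-Password rather than User-Password) is a mismatch that can be linted straight out of radcheck before anyone debugs a reject: the shape of the stored value says which password attribute it belongs under. The Python below is an added example, not code from the thread, from dialupadmin or from FreeRADIUS; it classifies each radcheck value by format (crypt(3), hex or base64 MD5/SHA1, NT hash) and flags a hash stored under a cleartext attribute or a cleartext value stored under a hash attribute. The rows are constructed, the hash strings included. One caveat is built in: a 13-character alphanumeric cleartext password is indistinguishable from a traditional DES crypt string, so that case is reported as "looks like" rather than as an error.

```python
"""Lint radcheck rows: does the stored value match the password attribute?

Added example, not code from the thread or from FreeRADIUS.  A reject with a
correct password is often this: a crypt(3) hash stored under User-Password
(the server then compares the hash text with what was typed), or a cleartext
value stored under Crypt-Password.  All sample rows are constructed.
"""
import re
from typing import List, Optional, Set, Tuple

# $1$/$5$/$6$ modular crypt, or a 13-character traditional DES string.
CRYPT_RE = re.compile(r"^(\$(1|5|6)\$[^$]{1,16}\$[./0-9A-Za-z]+|[./0-9A-Za-z]{13})$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Which encodings each hash-type check attribute accepts.
EXPECTED = {
    "Crypt-Password": {"crypt"},
    "MD5-Password": {"md5-hex", "md5-b64"},
    "SHA-Password": {"sha1-hex", "sha1-b64"},
    "NT-Password": {"nt-hex"},
    "LM-Password": {"nt-hex"},
}
CLEARTEXT = {"User-Password", "Cleartext-Password"}


def formats_of(value: str) -> Set[str]:
    """Every hash encoding this value could be (empty set: looks like cleartext).
    A 13-character alphanumeric cleartext password is reported as 'crypt' too;
    that ambiguity is inherent in the DES format."""
    fmts = set()
    if CRYPT_RE.match(value):
        fmts.add("crypt")
    if len(value) == 32 and HEX_RE.match(value):
        fmts.update({"md5-hex", "nt-hex"})
    if len(value) == 40 and HEX_RE.match(value):
        fmts.add("sha1-hex")
    if len(value) == 24 and value.endswith("==") and B64_RE.match(value):
        fmts.add("md5-b64")
    if len(value) == 28 and value.endswith("=") and B64_RE.match(value):
        fmts.add("sha1-b64")
    return fmts


def check_row(attribute: str, value: str) -> Optional[str]:
    """None if the row is plausible, otherwise a one-line diagnosis."""
    fmts = formats_of(value)
    if attribute in CLEARTEXT:
        if fmts:
            return (f"{attribute}: value looks like a {'/'.join(sorted(fmts))} hash; "
                    f"store it under the matching hash attribute instead")
        return None
    if attribute in EXPECTED:
        if not fmts & EXPECTED[attribute]:
            return f"{attribute}: value is not in a format this attribute accepts (cleartext?)"
        return None
    return f"{attribute}: not a password check attribute"


def lint(rows: List[Tuple[str, str, str, str]]) -> List[str]:
    """rows are (UserName, Attribute, op, Value) as in radcheck."""
    findings = []
    for user, attribute, _op, value in rows:
        problem = check_row(attribute, value)
        if problem:
            findings.append(f"{user}: {problem}")
    return findings


# Constructed radcheck rows; the hash strings are made up for the example.
SAMPLE_ROWS = [
    ("alice", "Crypt-Password", ":=", "$1$saltsalt$e8ZZ0Qs0yz3jFHcu0TgfO/"),
    ("bob", "User-Password", ":=", "$1$saltsalt$e8ZZ0Qs0yz3jFHcu0TgfO/"),   # hash under cleartext
    ("carol", "Crypt-Password", ":=", "summer2006"),                       # cleartext under crypt
    ("dave", "User-Password", ":=", "summer2006"),
    ("erin", "NT-Password", ":=", "0cb6948805f797bf2a82807973b89537"),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE_ROWS):
        print(finding)
```

Run it over `SELECT UserName, Attribute, op, Value FROM radcheck` output after a tool such as dialupadmin has written the rows; the two findings it reports for the sample are exactly the two ways the thread's reject can arise.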