Re: Help!
> Hello!
> If you just want to send reply attributes of type Session-Octets-Limit add this to your dictionary file (located probably in /usr/local/share/freeradius):
>
> # Limit session traffic
> ATTRIBUTE Session-Octets-Limit 227 integer
> # What to assume as limit - 0 in+out, 1 in, 2 out, 3 max(in,out)
> ATTRIBUTE Octets-Direction 228 integer

I tried this and it's not working. Can you please tell me what I am doing wrong?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help!
Hi Edvin,

Sorry for asking too much, but do I think I can add fields in SQL radreply so I can make it work with MySQL, since I use radius + mysql? And if so, how do I do that?

Thanks a lot

On 5/29/06, Seferovic Edvin [EMAIL PROTECTED] wrote:
> Hi,
>
> yes – the reply attributes should be in the dictionary file! The freeradius should send a value (integer value = bytes count) to your pppoe server which uses radius client. Look at the debug output of the freeradius server to see if those attributes are in the reply message!
>
> Regards,
> Edvin
>
> From: Mordor Networks [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 29 May 2006 10:14
> To: [EMAIL PROTECTED]; freeradius-users@lists.freeradius.org
> Subject: Re: Help!
>
>> Hello!
>> If you just want to send reply attributes of type Session-Octets-Limit add this to your dictionary file (located probably in /usr/local/share/freeradius):
>>
>> # Limit session traffic
>> ATTRIBUTE Session-Octets-Limit 227 integer
>> # What to assume as limit - 0 in+out, 1 in, 2 out, 3 max(in,out)
>> ATTRIBUTE Octets-Direction 228 integer
>
> I tried this and it's not working. Can you please tell me what I am doing wrong?
LDAP and Freeradius Bind problem
Hello,

I try to use Freeradius and OpenLDAP for authentication and I've got some problems about binding.

First of all, OpenLDAP works well: I'm able to connect to the database with an anonymous connection and perform a search in the database (no write access of course). freeRadius works well when the user and the password are directly included in the conf file clients, but when I try radtest with a user which is in the LDAP database it doesn't work.

Here is the command performed:

radtest test 4886 localhost 1812 testing123

A user with uid=test and password is already created in the LDAP database.

Here is the freeradius output:

modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type LDAP
auth: type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by test with password 4886
radius_xlat: '(uid=test)'
radius_xlat: 'dc=dist,dc=demo,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dist,dc=demo,dc=net, with filter (uid=test)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net/4886 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
rlm_ldap: modcall[authenticate]: module ldap returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [test/4886] (from client localhost port 1812)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 89 to 127.0.0.1 port 32768
Reply-Message =
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 89 with timestamp 447ad91a
Nothing to do. Sleeping until we see a request.

As you can see, the binding in anonymous mode works well, the search is performed and 1 result is found: test.utilisateurs.dist.demo.net

But I don't understand why radius tries to bind again with the LDAP server using account test.utilisateurs.demo.net. Is there a mechanism with LDAP authentication that I don't understand? According to me, as soon as freeradius found in LDAP the user with the right password it should authorize access.

This is my radiusd.conf (samples):

# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication (Auth-Type := LDAP)
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
ldap {
	server = localhost
	port = 389
	# identity = cn=admin,dc=dist,dc=demo,dc=net
	# password = *
	basedn = dc=dist,dc=demo,dc=net
	# filter = (uid=%{Stripped-User-Name:-%{User-Name}})
	# base_filter = (objectclass=radiusprofile)

	# set this to 'yes' to use TLS encrypted connections
	# to the LDAP database by using the StartTLS extended
	# operation.
	# The StartTLS operation is supposed to be used with normal
	# ldap connections instead of using ldaps (port 689) connections
	start_tls = no

	# tls_cacertfile = /path/to/cacert.pem
	# tls_cacertdir = /path/to/ca/dir/
	# tls_certfile = /path/to/radius.crt
	# tls_keyfile = /path/to/radius.key
	# tls_randfile = /path/to/rnd
	# tls_require_cert = demand

	# default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
	# profile_attribute = radiusProfileDn
	access_attr = uid

	# Mapping of RADIUS dictionary attributes to LDAP
	# directory attributes.
	dictionary_mapping = ${raddbdir}/ldap.attrmap

	ldap_connections_number = 5

	#
	# NOTICE: The password_header directive is NOT case insensitive
	#
	# password_header = {clear}
	#
	# Set:
	#	password_attribute = nspmPassword
	#
	# to get the user's password from a Novell eDirectory
	# backend. This will work *only if* freeRADIUS is
	# configured to build with --with-edir option.
	#
	#
	# The server can usually figure this out on its own, and pull
	# the correct User-Password or NT-Password from the database.
	#
	# Note that NT-Passwords MUST be stored as a 32-digit hex
	# string, and MUST start off with 0x, such as:
	#
	#	0x000102030405060708090a0b0c0d0e0f
	#
	# Without the leading 0x, NT-Passwords will not work.
	# This goes for NT-Passwords stored in SQL, too.
	#
	# password_attribute = userPassword
	#
	# Un-comment the following
Re: LDAP and Freeradius Bind problem
In your previous mail you asked:

> But I don't understand why radius try to bind again with the LDAP server using account test.utilisateurs.demo.net Is there a mechanism

Because you told it to:

# Uncomment it if you want to use ldap for authentication
#
# Note that this means check plain-text password against
# the ldap database, which means that EAP won't work,
# as it does not supply a plain-text password.
Auth-Type LDAP {
	ldap
}

Read the comments.

> with LDAP authentication that I don't understand? According to me as soon as freeradius found in LDAP the user with the right password it should authorize access.

Authentication via LDAP can work one of two ways:

1. The LDAP server supplies a plaintext password or password hash to FreeRadius, and FreeRadius performs the authentication itself. This almost certainly won't work for you since you are binding to the LDAP server anonymously, and handing out passwords or password hashes to unauthenticated LDAP search clients would be very silly.

2. For PAP requests ONLY, the Radius server can perform an LDAP simple bind against the LDAP server to check the password.

You have told it to do the latter. I suggest you read the documentation for rlm_ldap and configure it correctly for your needs.
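Added example (not part of the original messages and not FreeRADIUS code): a small Python parser that walks rlm_ldap debug lines like those posted in this thread, reports the search bind and the per-user simple bind separately, and masks the password that the debug output prints in clear. The function names and the reading of "authentication 0" as the search bind and "authentication 1" as the bind as the user are assumptions drawn from the log above; the sample lines are taken from that log.

```python
import re

# Debug lines taken from the rlm_ldap output posted earlier in this thread.
SAMPLE_LOG = """\
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dist,dc=demo,dc=net, with filter (uid=test)
rlm_ldap: user DN: uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net/4886 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
"""

CONNECT = re.compile(r"\(re\)connect to (\S+), authentication (\d)")
BIND_AS = re.compile(r"bind as (.*?)/(.*) to (\S+)$")
USER_DN = re.compile(r"user DN: (.+)$")
RESULT = re.compile(r"Bind (was successful|failed.*)$")


def summarize_binds(log_text):
    """Return (list of binds in order, user DN found by the search)."""
    binds, current, user_dn = [], None, None
    for line in log_text.splitlines():
        if not line.startswith("rlm_ldap:"):
            continue
        m = CONNECT.search(line)
        if m:
            # Assumption: 0 = search bind, 1 = simple bind as the user.
            stage = "user" if m.group(2) == "1" else "search"
            current = {"server": m.group(1), "stage": stage}
            binds.append(current)
            continue
        m = BIND_AS.search(line)
        if m and current is not None:
            current["identity"] = m.group(1) or "(anonymous)"
            # Never carry the clear-text password into the summary.
            current["password"] = "***" if m.group(2) else "(empty)"
            continue
        m = USER_DN.search(line)
        if m:
            user_dn = m.group(1)
            continue
        m = RESULT.search(line)
        if m and current is not None:
            current["ok"] = m.group(1) == "was successful"
    return binds, user_dn


def diagnose(log_text):
    """Say which of the two LDAP steps failed, if any."""
    binds, user_dn = summarize_binds(log_text)
    search = next((b for b in binds if b["stage"] == "search"), None)
    user = next((b for b in binds if b["stage"] == "user"), None)
    if search is None or not search.get("ok"):
        return "search bind failed: check identity/password in ldap{}"
    if user_dn is None:
        return "search bind worked, no user DN found: check basedn/filter"
    if user is None:
        return "user %s found, no bind as the user was attempted" % user_dn
    if not user.get("ok"):
        return "user %s found, simple bind as that user was rejected" % user_dn
    return "user %s authenticated by simple bind" % user_dn


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```
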
Re: Help!
Hi again,

I added this to radcheck:

insert into radcheck (UserName, Attribute, Op, Value) values ('user','Session-Octets-Limit',':=','100');

but when I start radius -X it says:

rlm_sql : Failed to creat the pair unknow attributes Session-Octets-Limit
rlm_sql : error getting data from database..!

On 5/29/06, Mordor Networks [EMAIL PROTECTED] wrote:
> Hi Edvin,
>
> Sorry for asking too much, but do I think I can add fields in SQL radreply so I can make it work with MySQL, since I use radius + mysql? And if so, how do I do that?
>
> Thanks a lot
>
> On 5/29/06, Seferovic Edvin [EMAIL PROTECTED] wrote:
>> Hi,
>>
>> yes – the reply attributes should be in the dictionary file! The freeradius should send a value (integer value = bytes count) to your pppoe server which uses radius client. Look at the debug output of the freeradius server to see if those attributes are in the reply message!
>>
>> Regards,
>> Edvin
>>
>> From: Mordor Networks [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, 29 May 2006 10:14
>> To: [EMAIL PROTECTED]; freeradius-users@lists.freeradius.org
>> Subject: Re: Help!
>>
>>> Hello!
>>> If you just want to send reply attributes of type Session-Octets-Limit add this to your dictionary file (located probably in /usr/local/share/freeradius):
>>>
>>> # Limit session traffic
>>> ATTRIBUTE Session-Octets-Limit 227 integer
>>> # What to assume as limit - 0 in+out, 1 in, 2 out, 3 max(in,out)
>>> ATTRIBUTE Octets-Direction 228 integer
>>
>> I tried this and it's not working. Can you please tell me what I am doing wrong?
OSX rlm_sql_mysql problem
Hi,

I am trying to compile FreeRadius 1.1.1 on Mac OSX. The ./configure script works well and without errors (as far as I can see).

First, when I do make, it finishes fine but shows an error:

*** Warning: This library needs some functionality provided by -lmysqlclient_r.
*** I have the capability to make that library automatically link in when
*** you link to this library. But I can only do this if you have a
*** shared version of the library, which you do not appear to have.

*** Warning: libtool could not satisfy all declared inter-library
*** dependencies of module rlm_sql_mysql. Therefore, libtool will create
*** a static module, that should work as long as the dlopening
*** application is linked with the -dlopen flag.

Then, starting freeradius:

Fri May 26 13:16:13 2006 : Info: Starting - reading configuration files ...
Fri May 26 13:16:14 2006 : Info: Using deprecated naslist file. Support for this will go away soon.
Fri May 26 13:16:15 2006 : Error: rlm_sql (sql): Could not link driver rlm_sql_mysql: dlcompat: invalid handle
Fri May 26 13:16:15 2006 : Error: rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
Fri May 26 13:16:15 2006 : Error: radiusd.conf[14]: sql: Module instantiation failed.
Fri May 26 13:16:15 2006 : Error: radiusd.conf[1585] Unknown module sql.

The mysql libs and headers are in:

/usr/local/mysql-max-5.0.21-osx10.3-powerpc/lib/
/usr/local/mysql-max-5.0.21-osx10.3-powerpc/include/

mysql_config:

--cflags [-I/usr/local/mysql-max-5.0.21-osx10.3-powerpc/include -O -fno-common]
--include [-I/usr/local/mysql-max-5.0.21-osx10.3-powerpc/include]
--libs [-L/usr/local/mysql-max-5.0.21-osx10.3-powerpc/lib -lmysqlclient -lz -lm]
--libs_r [-L/usr/local/mysql-max-5.0.21-osx10.3-powerpc/lib -lmysqlclient_r -lz -lm]
--socket [/tmp/mysql.sock]
--port [3306]
--version [5.20.21]
--libmysqld-libs [-L/usr/local/mysql-max-5.0.21-osx10.3-powerpc/lib -lmysqld -lz -lm]

I also tried to copy, link, move various files but it didn't help.

Any ideas?? Thanks for your help.
Re: OSX rlm_sql_mysql problem
> Hi, I am trying to compile FreeRadius 1.1.1 on Mac OSX.

1) use 1.1.2 - this is the latest release
2) it looks like you cannot link against your mysql...have you tried it as a static build?

alan
Re: OSX rlm_sql_mysql problem
Benedikt Baer [EMAIL PROTECTED] wrote:
> First, when I do make, it finishes good but shows an error:
>
> *** Warning: This library needs some functionality provided by -lmysqlclient_r.
> *** I have the capability to make that library automatically link in when
> *** you link to this library. But I can only do this if you have a
> *** shared version of the library, which you do not appear to have.

So build a shared version of the MySQL library. Or, build FreeRADIUS without support for shared libraries. See the FAQ.

Alan DeKok.
Re: How to specify multiple values for Called-Station-Id (checkval)
Kostas Kalevras wrote:
> As I said before you should just add more attribute/value pairs. It works. What does your radgroupcheck table look like when you add more than one number?

Could someone please help me with this? I am stumped, is there a bug in the rlm_checkval module?

---

Well, it does not in my case. Here is the table:

+----+------------+-------------------+----+------------+
| id | GroupName  | Attribute         | op | Value      |
+----+------------+-------------------+----+------------+
| 11 | restricted | Called-Station-Id | := | 4166231473 |
| 16 | restricted | Called-Station-Id | := | 4166231474 |
| 17 | restricted | Called-Station-Id | := | 4166231475 |
| 18 | restricted | Called-Station-Id | := | 4168489499 |

I dial in to 4168489499 and this is what happens:

Fri May 26 10:26:12 2006 : Auth: Invalid user (rlm_checkval: This Called-Station-Id is not allowed for the user): [mikej/xxx] (from client xxx port 1487 cli xxx)
Re: OSX rlm_sql_mysql problem
I can't do that. The compilation then fails with another strange error. I'll try with an updated version of Freeradius.

2006/5/29, Alan DeKok [EMAIL PROTECTED]:
> Benedikt Baer [EMAIL PROTECTED] wrote:
>> First, when I do make, it finishes good but shows an error:
>>
>> *** Warning: This library needs some functionality provided by -lmysqlclient_r.
>> *** I have the capability to make that library automatically link in when
>> *** you link to this library. But I can only do this if you have a
>> *** shared version of the library, which you do not appear to have.
>
> So build a shared version of the MySQL library. Or, build FreeRADIUS without support for shared libraries. See the FAQ.
>
> Alan DeKok.
Radius Tutorial
Hi,

I'm a complete newbie to Radius. Just curious if anyone out there knows of a good tutorial or on-line course to help get me started. I've read the beginning chapters of O'Reilly's RADIUS book, but would like additional information on it. We are hoping to set up a pair of servers and hook it into our Sun LDAP server. So information on that would be useful too.

Thanks,
Michael
Re: Radius Tutorial
On Monday, 29 May 2006 19:37, Michael Jewett wrote:
> Hi,
>
> I'm a complete newbie to Radius. Just curious if anyone out there knows of a good tutorial or on-line course to help get me started. I've read the beginning chapters of O'Reilly's RADIUS book, but would like additional information on it. We are hoping to set up a pair of servers and hook it into our Sun LDAP server. So information on that would be useful too.
>
> Thanks,
> Michael

Read the documentation under doc/

Look through the sample files. Good comments in there.

For LDAP especially: rlm_ldap

Michael Schwartzkopff
Re: How to specify multiple values for Called-Station-Id (checkval)
Mike Jakubik [EMAIL PROTECTED] wrote:
> Well, it does not in my case. Here is the table:
>
> +----+------------+-------------------+----+------------+
> | id | GroupName  | Attribute         | op | Value      |
> +----+------------+-------------------+----+------------+
> | 11 | restricted | Called-Station-Id | := | 4166231473 |
> | 16 | restricted | Called-Station-Id | := | 4166231474 |

What you're trying to do is to OR the different entries. The SQL module doesn't do that, unfortunately.

You'll have to have one entry a regular expression for it to work.

Alan DeKok.
Re: How to specify multiple values for Called-Station-Id (checkval)
Alan DeKok wrote:
> Mike Jakubik [EMAIL PROTECTED] wrote:
>> Well, it does not in my case. Here is the table:
>>
>> +----+------------+-------------------+----+------------+
>> | id | GroupName  | Attribute         | op | Value      |
>> +----+------------+-------------------+----+------------+
>> | 11 | restricted | Called-Station-Id | := | 4166231473 |
>> | 16 | restricted | Called-Station-Id | := | 4166231474 |
>
> What you're trying to do is to OR the different entries. The SQL module doesn't do that, unfortunately.
>
> You'll have to have one entry a regular expression for it to work.

Thanks for clarifying that shortcoming. I guess I should just disable the checkval module then and just use regexp.
How to upgrade Freeradius?
Dear list:

I don't have experience installing and uninstalling applications such as freeradius from source code. I'd like to upgrade my freeradius version from 1.1.1 to 1.1.2, however I don't know what steps I have to do. I'll be very grateful for your guidance because I am afraid of erasing some files or damaging my actual installation.

Thank you.

Edu.-
Re: How to specify multiple values for Called-Station-Id (checkval)
On Mon, 29 May 2006, Mike Jakubik wrote:
> Kostas Kalevras wrote:
>> As I said before you should just add more attribute/value pairs. It works. What does your radgroupcheck table look like when you add more than one number?
>
> Could someone please help me with this? I am stumped, is there a bug in the rlm_checkval module?
>
> ---
>
> Well, it does not in my case. Here is the table:
>
> +----+------------+-------------------+----+------------+
> | id | GroupName  | Attribute         | op | Value      |
> +----+------------+-------------------+----+------------+
> | 11 | restricted | Called-Station-Id | := | 4166231473 |
> | 16 | restricted | Called-Station-Id | := | 4166231474 |
> | 17 | restricted | Called-Station-Id | := | 4166231475 |
> | 18 | restricted | Called-Station-Id | := | 4168489499 |
>
> I dial in to 4168489499 and this is what happens:
>
> Fri May 26 10:26:12 2006 : Auth: Invalid user (rlm_checkval: This Called-Station-Id is not allowed for the user): [mikej/xxx] (from client xxx port 1487 cli xxx)

You are using the := operator. That way you'll be overwriting the Called-Station-Id value. Use the += operator instead.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: How to specify multiple values for Called-Station-Id (checkval)
Kostas Kalevras wrote:
>> Well, it does not in my case. Here is the table:
>>
>> +----+------------+-------------------+----+------------+
>> | id | GroupName  | Attribute         | op | Value      |
>> +----+------------+-------------------+----+------------+
>> | 11 | restricted | Called-Station-Id | := | 4166231473 |
>> | 16 | restricted | Called-Station-Id | := | 4166231474 |
>> | 17 | restricted | Called-Station-Id | := | 4166231475 |
>> | 18 | restricted | Called-Station-Id | := | 4168489499 |
>>
>> I dial in to 4168489499 and this is what happens:
>>
>> Fri May 26 10:26:12 2006 : Auth: Invalid user (rlm_checkval: This Called-Station-Id is not allowed for the user): [mikej/xxx] (from client xxx port 1487 cli xxx)
>
> You are using the := operator. That way you'll be overwriting the Called-Station-Id value. Use the += operator instead.

Ahh, finally!!! Thanks for that, this seems to do it. Do you by any chance know if there is a way to do a logical NOT on the numbers? I.e. I want to specify that the users can not call a list of specified numbers.
Connection problem after client windows reboot
Hi there,

I've got a problem, probably with my radius, using TTLS-PAP to authenticate. When my AP is just after a restart everything works fine. The client gets authenticated, which is shown in the logs. Disconnecting and connecting done without a client restart still result in keeping a connection. The problem arises when it comes to a restart. After the restart I can't reconnect. I get the response: Unauthorised. I don't know whether it is my AP problem or the radius problem, which maybe caches some of the data and after reboot does not allow access? I don't know. I hope somebody will be able to help me.

I use AP MINITAR Realtek 8186 54Mb.s and Intel 3945ABG

Regards
Greg
Re: How to upgrade Freeradius?
[EMAIL PROTECTED] wrote:
> I don't have experience installing and uninstalling applications as freeradius from source code. I'd like to upgrade my freeradius version from 1.1.1 to 1.1.2, however I don't know what steps have I to do.

$ ./configure ...
$ make
$ make install

> I'll be very grateful with your guide because I have fear to erase some files or damage my actual installation.

The make install stage doesn't change any of the configuration files you have. This is a deliberate choice.

I've used software that destroyed configuration files on upgrade. Once.

Alan DeKok.
Re: OSX rlm_sql_mysql problem
Will 1.1.2 work on Mac OS X? 1.1.1 didn't, so had to go back to 1.0.5 which works fine.

/L

On 29/05/2006 at 17.40, [EMAIL PROTECTED] wrote:
>> Hi, I am trying to compile FreeRadius 1.1.1 on Mac OSX.
>
> 1) use 1.1.2 - this is the latest release
> 2) it looks like you cannot link against your mysql...have you tried it as a static build?
>
> alan